Merge pull request #15756 from egregius313/egregius313/csharp/dataflo…

…w/threat-model/remove-addlocalsource C#: Remove `AddLocalSource` classes from queries
github · Mar 11, 2024 · 7fe378e · 7fe378e
2 parents 58f2777 + 3fdc7e9
commit 7fe378e
Show file tree

Hide file tree

Showing 5 changed files with 12 additions and 6 deletions.
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/CodeInjectionQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/CodeInjectionQuery.qll
@@ -68,8 +68,6 @@ deprecated class RemoteSource extends DataFlow::Node instanceof RemoteFlowSource
  */
 deprecated class LocalSource extends DataFlow::Node instanceof LocalFlowSource { }
 
-private class AddLocalSource extends Source instanceof LocalFlowSource { }
-
 /** A source supported by the current threat model. */
 class ThreatModelSource extends Source instanceof ThreatModelFlowSource { }
 

diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ResourceInjectionQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ResourceInjectionQuery.qll
@@ -67,8 +67,6 @@ deprecated class RemoteSource extends DataFlow::Node instanceof RemoteFlowSource
  */
 deprecated class LocalSource extends DataFlow::Node instanceof LocalFlowSource { }
 
-private class AddLocalSource extends Source instanceof LocalFlowSource { }
-
 /** A source supported by the current threat model. */
 class ThreatModelSource extends Source instanceof ThreatModelFlowSource { }
 

diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/SqlInjectionQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/SqlInjectionQuery.qll
@@ -78,8 +78,6 @@ deprecated class RemoteSource extends DataFlow::Node instanceof RemoteFlowSource
  */
 deprecated class LocalSource extends DataFlow::Node instanceof LocalFlowSource { }
 
-private class AddLocalSource extends Source instanceof LocalFlowSource { }
-
 /** A source supported by the current threat model. */
 class ThreatModelSource extends Source instanceof ThreatModelFlowSource { }
 

diff --git a/csharp/ql/src/change-notes/2024-03-06-remove-default-local-sources.md b/csharp/ql/src/change-notes/2024-03-06-remove-default-local-sources.md
@@ -0,0 +1,5 @@
+---
+category: minorAnalysis
+---
+* Data flow queries that track flow from *local* flow sources now use the current *threat model* configuration instead. This may lead to changes in the produced alerts if the threat model configuration only uses *remote* flow sources. The changed queries are `cs/code-injection`, `cs/resource-injection`, `cs/sql-injection`, and `cs/uncontrolled-format-string`.
+
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-094/CodeInjection.ext.yml b/csharp/ql/test/query-tests/Security Features/CWE-094/CodeInjection.ext.yml
@@ -0,0 +1,7 @@
+extensions:
+
+  - addsTo:
+      pack: codeql/threat-models
+      extensible: threatModelConfiguration
+    data:
+      - ["local", true, 0]