
C#: Remove Stored variants of queries #15629

Draft
wants to merge 18 commits into
base: main
from

Conversation

egregius313
Contributor

@egregius313 egregius313 commented Feb 15, 2024

This is a follow-up to #15419. This removes the Stored variants of queries, as the results are now accessible by using the local threat model.

The affected queries are:

  • cs/stored-command-line-injection
  • cs/web/stored-xss
  • cs/stored-ldap-injection
  • cs/xml/stored-xpath-injection

This branch is currently based on #15419 in order to run properly in the DCA run. The changes specific to this PR can be found here: 10077ba..780e034

@egregius313 egregius313 requested a review from a team as a code owner February 15, 2024 22:41

QHelp previews:

@egregius313 egregius313 marked this pull request as draft February 16, 2024 04:19

@michaelnebel michaelnebel left a comment


It would be great to get rid of these queries.
We also need to

  • Remove the query cs/second-order-sql-injection.
  • Remove the query tests for all the deleted queries.

---
category: majorAnalysis
---
* The `Stored` variants of some queries (`cs/stored-command-line-injection`, `cs/web/stored-xss`, `cs/stored-ldap-injection`, `cs/xml/stored-xpath-injection`) have been removed. If you were using these queries, their results can be restored by enabling the `stored` threat model in your threat model settings.


settings -> configuration

@@ -1,5 +1,5 @@
---
category: majorAnalysis
---
* The `Stored` variants of some queries (`cs/stored-command-line-injection`, `cs/web/stored-xss`, `cs/stored-ldap-injection`, `cs/xml/stored-xpath-injection`) have been removed. If you were using these queries, their results can be restored by enabling the `stored` threat model in your threat model settings.
* The `Stored` variants of some queries (`cs/stored-command-line-injection`, `cs/web/stored-xss`, `cs/stored-ldap-injection`, `cs/xml/stored-xpath-injection`) have been removed. If you were using these queries, their results can be restored by enabling the `local` threat model in your threat model settings.
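Review bot: the replacement line at the end of the hunk swaps `stored` for `local` but still says "threat model settings" (the earlier review asked for "configuration") and does not tell users that `local` is broader than what the removed queries covered: per the review comment on this PR, `local` includes file and database sources plus other local sources, so enabling it brings back the old results together with additional ones. Suggest wording the sentence as "... can be restored by enabling the `local` threat model in your threat model configuration (note that `local` also enables other local sources, so additional results may be reported)." The note also still lists only the four queries; if `cs/second-order-sql-injection` is removed in this PR as requested, it should be added to this change note as well.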


local -> file and database. If local is added, other local sources will be added as well. We can recommend as a part of the change note to use local instead.
