Java: Refactor NumericCastTainted, NumericCastTaintedLocal

2025-12-16 16:53:25 +01:00 · 2023-03-07 10:42:00 +01:00
parent d4e6e77200
commit 4408482699
2 changed files with 21 additions and 23 deletions
--- a/java/ql/src/Security/CWE/CWE-681/NumericCastTainted.ql
+++ b/java/ql/src/Security/CWE/CWE-681/NumericCastTainted.ql
@@ -15,19 +15,16 @@
 import java
 import semmle.code.java.dataflow.FlowSources
 import NumericCastCommon
-import DataFlow::PathGraph

-private class NumericCastFlowConfig extends TaintTracking::Configuration {
-  NumericCastFlowConfig() { this = "NumericCastTainted::RemoteUserInputToNumericNarrowingCastExpr" }
+module NumericCastFlowConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }

-  override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) {
+  predicate isSink(DataFlow::Node sink) {
    sink.asExpr() = any(NumericNarrowingCastExpr cast).getExpr() and
    sink.asExpr() instanceof VarAccess
  }

-  override predicate isSanitizer(DataFlow::Node node) {
+  predicate isBarrier(DataFlow::Node node) {
    boundedRead(node.asExpr()) or
    castCheck(node.asExpr()) or
    node.getType() instanceof SmallType or
@@ -37,12 +34,14 @@ private class NumericCastFlowConfig extends TaintTracking::Configuration {
  }
 }

-from
-  DataFlow::PathNode source, DataFlow::PathNode sink, NumericNarrowingCastExpr exp,
-  NumericCastFlowConfig conf
+module NumericCastFlow = TaintTracking::Make<NumericCastFlowConfig>;
+
+import NumericCastFlow::PathGraph
+
+from NumericCastFlow::PathNode source, NumericCastFlow::PathNode sink, NumericNarrowingCastExpr exp
 where
  sink.getNode().asExpr() = exp.getExpr() and
-  conf.hasFlowPath(source, sink)
+  NumericCastFlow::hasFlowPath(source, sink)
 select exp, source, sink,
  "This cast to a narrower type depends on a $@, potentially causing truncation.", source.getNode(),
  "user-provided value"
--- a/java/ql/src/Security/CWE/CWE-681/NumericCastTaintedLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-681/NumericCastTaintedLocal.ql
@@ -15,20 +15,15 @@
 import java
 import semmle.code.java.dataflow.FlowSources
 import NumericCastCommon
-import DataFlow::PathGraph

-private class NumericCastFlowConfig extends TaintTracking::Configuration {
-  NumericCastFlowConfig() {
-    this = "NumericCastTaintedLocal::LocalUserInputToNumericNarrowingCastExpr"
-  }
+module NumericCastFlowConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node src) { src instanceof LocalUserInput }

-  override predicate isSource(DataFlow::Node src) { src instanceof LocalUserInput }
-
-  override predicate isSink(DataFlow::Node sink) {
+  predicate isSink(DataFlow::Node sink) {
    sink.asExpr() = any(NumericNarrowingCastExpr cast).getExpr()
  }

-  override predicate isSanitizer(DataFlow::Node node) {
+  predicate isBarrier(DataFlow::Node node) {
    boundedRead(node.asExpr()) or
    castCheck(node.asExpr()) or
    node.getType() instanceof SmallType or
@@ -37,13 +32,17 @@ private class NumericCastFlowConfig extends TaintTracking::Configuration {
  }
 }

+module NumericCastFlow = TaintTracking::Make<NumericCastFlowConfig>;
+
+import NumericCastFlow::PathGraph
+
 from
-  DataFlow::PathNode source, DataFlow::PathNode sink, NumericNarrowingCastExpr exp,
-  VarAccess tainted, NumericCastFlowConfig conf
+  NumericCastFlow::PathNode source, NumericCastFlow::PathNode sink, NumericNarrowingCastExpr exp,
+  VarAccess tainted
 where
  exp.getExpr() = tainted and
  sink.getNode().asExpr() = tainted and
-  conf.hasFlowPath(source, sink) and
+  NumericCastFlow::hasFlowPath(source, sink) and
  not exists(RightShiftOp e | e.getShiftedVariable() = tainted.getVariable())
 select exp, source, sink,
  "This cast to a narrower type depends on a $@, potentially causing truncation.", source.getNode(),