diff --git a/java/ql/src/experimental/Security/CWE/CWE-598/SensitiveGetQuery.ql b/java/ql/src/experimental/Security/CWE/CWE-598/SensitiveGetQuery.ql index b436c3ccabd..cc01d00cc98 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-598/SensitiveGetQuery.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-598/SensitiveGetQuery.ql @@ -14,7 +14,7 @@ import java import semmle.code.java.dataflow.FlowSources import semmle.code.java.dataflow.TaintTracking import semmle.code.java.security.SensitiveActions -import DataFlow::PathGraph +import SensitiveGetQueryFlow::PathGraph /** A variable that holds sensitive information judging by its name. */ class SensitiveInfoExpr extends Expr { @@ -59,22 +59,22 @@ class RequestGetParamSource extends DataFlow::ExprNode { } /** A taint configuration tracking flow from the `ServletRequest` of a GET request handler to an expression whose name suggests it holds security-sensitive data. */ -class SensitiveGetQueryConfiguration extends TaintTracking::Configuration { - SensitiveGetQueryConfiguration() { this = "SensitiveGetQueryConfiguration" } +module SensitiveGetQueryConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { source instanceof RequestGetParamSource } - override predicate isSource(DataFlow::Node source) { source instanceof RequestGetParamSource } - - override predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof SensitiveInfoExpr } + predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof SensitiveInfoExpr } /** Holds if the node is in a servlet method other than `doGet`. */ - override predicate isSanitizer(DataFlow::Node node) { + predicate isBarrier(DataFlow::Node node) { isServletRequestMethod(node.getEnclosingCallable()) and not isGetServletMethod(node.getEnclosingCallable()) } } -from DataFlow::PathNode source, DataFlow::PathNode sink, SensitiveGetQueryConfiguration c -where c.hasFlowPath(source, sink) +module SensitiveGetQueryFlow = TaintTracking::Global; + +from SensitiveGetQueryFlow::PathNode source, SensitiveGetQueryFlow::PathNode sink +where SensitiveGetQueryFlow::flowPath(source, sink) select sink.getNode(), source, sink, "$@ uses the GET request method to transmit sensitive information.", source.getNode(), "This request"