From 6bf1e87bbe389512725f247b249da81035cf66af Mon Sep 17 00:00:00 2001
From: Tony Torralba
Date: Tue, 20 Jul 2021 14:52:02 +0200
Subject: [PATCH] Remove CSV sinks; make imports private
---
 .../src/Security/CWE/CWE-094/SpelInjection.ql | 1 +
 .../code/java/security/SpelInjection.qll | 18 +++---------------
 .../code/java/security/SpelInjectionQuery.qll | 12 ++++++------
 3 files changed, 10 insertions(+), 21 deletions(-)
diff --git a/java/ql/src/Security/CWE/CWE-094/SpelInjection.ql b/java/ql/src/Security/CWE/CWE-094/SpelInjection.ql
index 586b265cc73..00f4ee785a4 100644
--- a/java/ql/src/Security/CWE/CWE-094/SpelInjection.ql
+++ b/java/ql/src/Security/CWE/CWE-094/SpelInjection.ql
@@ -12,6 +12,7 @@
 import java
 import semmle.code.java.security.SpelInjectionQuery
+import semmle.code.java.dataflow.DataFlow
 import DataFlow::PathGraph
 from DataFlow::PathNode source, DataFlow::PathNode sink, SpelInjectionConfig conf
diff --git a/java/ql/src/semmle/code/java/security/SpelInjection.qll b/java/ql/src/semmle/code/java/security/SpelInjection.qll
index 665224e8fab..d4554ef4b6b 100644
--- a/java/ql/src/semmle/code/java/security/SpelInjection.qll
+++ b/java/ql/src/semmle/code/java/security/SpelInjection.qll
@@ -1,25 +1,13 @@
 /** Provides classes to reason about SpEL injection attacks. */
 import java
-import semmle.code.java.dataflow.DataFlow
-import semmle.code.java.dataflow.ExternalFlow
-import semmle.code.java.frameworks.spring.SpringExpression
+private import semmle.code.java.dataflow.DataFlow
+private import semmle.code.java.dataflow.ExternalFlow
+private import semmle.code.java.frameworks.spring.SpringExpression
 /** A data flow sink for unvalidated user input that is used to construct SpEL expressions. */
 abstract class SpelExpressionEvaluationSink extends DataFlow::ExprNode { }
-private class SpelExpressionEvaluationModel extends SinkModelCsv {
- override predicate row(string row) {
- row =
- [
- "org.springframework.expression;Expression;true;getValue;;;Argument[-1];spel",
- "org.springframework.expression;Expression;true;getValueTypeDescriptor;;;Argument[-1];spel",
- "org.springframework.expression;Expression;true;getValueType;;;Argument[-1];spel",
- "org.springframework.expression;Expression;true;setValue;;;Argument[-1];spel"
- ]
- }
-}
-
 /**
 * A unit class for adding additional taint steps.
 *
diff --git a/java/ql/src/semmle/code/java/security/SpelInjectionQuery.qll b/java/ql/src/semmle/code/java/security/SpelInjectionQuery.qll
index 98140baeb01..65a6d6df071 100644
--- a/java/ql/src/semmle/code/java/security/SpelInjectionQuery.qll
+++ b/java/ql/src/semmle/code/java/security/SpelInjectionQuery.qll
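Review bot: The `private import semmle.code.java.dataflow.ExternalFlow` kept on the new side looks unused once `SpelExpressionEvaluationModel`, the only `SinkModelCsv` user visible in this hunk, is deleted; unless something later in the file still needs it, drop that import. Deleting the CSV rows also removes four explicitly enumerated sinks (`getValue`, `getValueTypeDescriptor`, `getValueType`, `setValue`) that had subtype matching enabled, and the replacement in SpelInjectionQuery.qll relies on `ExpressionEvaluationMethod` from SpringExpression, which is outside this patch, so it is worth confirming that class covers the same methods and their implementations before merging, otherwise sink coverage regresses silently. Because the remaining imports are now private, any other query that previously obtained `DataFlow` or `SpringExpression` transitively through this library will need its own import, as the change to SpelInjection.ql already does for that query.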
@@ -1,10 +1,10 @@
 /** Provides taint tracking and dataflow configurations to be used in SpEL injection queries. */
 import java
-import semmle.code.java.dataflow.DataFlow
-import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.frameworks.spring.SpringExpression
-import semmle.code.java.security.SpelInjection
+private import semmle.code.java.dataflow.FlowSources
+private import semmle.code.java.dataflow.TaintTracking
+private import semmle.code.java.frameworks.spring.SpringExpression
+private import semmle.code.java.security.SpelInjection
 /**
 * A taint-tracking configuration for unsafe user input
@@ -26,8 +26,8 @@ class SpelInjectionConfig extends TaintTracking::Configuration {
 private class DefaultSpelExpressionEvaluationSink extends SpelExpressionEvaluationSink {
 DefaultSpelExpressionEvaluationSink() {
 exists(MethodAccess ma |
- sinkNode(this, "spel") and
- this.asExpr() = ma.getQualifier() and
+ ma.getMethod() instanceof ExpressionEvaluationMethod and
+ ma.getQualifier() = this.asExpr() and
 not exists(SafeEvaluationContextFlowConfig config |
 config.hasFlowTo(DataFlow::exprNode(ma.getArgument(0)))
 )
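Review bot: The import block drops `semmle.code.java.dataflow.DataFlow` while the file still uses `DataFlow::exprNode` in `DefaultSpelExpressionEvaluationSink` and the query file relies on `DataFlow::PathNode`; this resolves only if `TaintTracking` or `FlowSources` re-exports `DataFlow`, which appears to be the case but leaves the dependency implicit. Making it explicit with `private import semmle.code.java.dataflow.DataFlow` keeps the library self-contained and matches the intent of the commit. The QLDoc comment that begins at the end of this hunk continues outside it.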
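Review bot: The new sink condition `ma.getMethod() instanceof ExpressionEvaluationMethod and` replaces CSV rows whose subtypes column was `true`, so it should be checked that `ExpressionEvaluationMethod` (defined outside this patch) also matches overriding implementations of `Expression`, not only the methods declared on the interface; otherwise a call whose static receiver type is a concrete implementation is no longer flagged as a sink. With the `spel` sink kind gone, any remaining `sinkNode(_, "spel")` use elsewhere in the repository would silently match nothing, so a search for that kind is worthwhile. The `DefaultSpelExpressionEvaluationSink` characteristic predicate starts in this hunk but its closing lines are outside it.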