From ac223ea57f56fa3330981b83acf41832c2d296ba Mon Sep 17 00:00:00 2001
From: Ed Minnix
Date: Wed, 15 Mar 2023 13:33:01 -0400
Subject: [PATCH] Refactor Security.CWE.CWE-094.InsecureBeanValidation

---
 .../CWE/CWE-094/InsecureBeanValidation.ql | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql b/java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql
index 2f8e11b207b..2e431f6fece 100644
--- a/java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql
+++ b/java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql
@@ -13,7 +13,6 @@
 import java
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.dataflow.FlowSources
-import DataFlow::PathGraph
 private import semmle.code.java.dataflow.ExternalFlow
 
 /**
@@ -56,14 +55,16 @@ class SetMessageInterpolatorCall extends MethodAccess {
  * Taint tracking BeanValidationConfiguration describing the flow of data from user input
  * to the argument of a method that builds constraint error messages.
  */
-class BeanValidationConfig extends TaintTracking::Configuration {
-  BeanValidationConfig() { this = "BeanValidationConfig" }
+private module BeanValidationConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof BeanValidationSink }
+  predicate isSink(DataFlow::Node sink) { sink instanceof BeanValidationSink }
 }
 
+module BeanValidationFlow = TaintTracking::Make;
+
+import BeanValidationFlow::PathGraph
+
 /**
  * A bean validation sink, such as method `buildConstraintViolationWithTemplate`
  * declared on a subtype of `javax.validation.ConstraintValidatorContext`.
@@ -72,13 +73,13 @@ private class BeanValidationSink extends DataFlow::Node {
   BeanValidationSink() { sinkNode(this, "bean-validation") }
 }
 
-from BeanValidationConfig cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+from BeanValidationFlow::PathNode source, BeanValidationFlow::PathNode sink
 where
   (
     not exists(SetMessageInterpolatorCall c)
     or
     exists(SetMessageInterpolatorCall c | not c.isSafe())
   ) and
-  cfg.hasFlowPath(source, sink)
+  BeanValidationFlow::hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "Custom constraint error message contains an unsanitized $@.",
   source, "user-provided value"
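Review bot: `module BeanValidationFlow = TaintTracking::Make;` in the hunk at -56 instantiates the parameterized module without naming the configuration it should wrap, which cannot compile as shown; the intended line is presumably `module BeanValidationFlow = TaintTracking::Make<BeanValidationConfig>;`, and since the `<...>` may simply have been stripped when the patch was rendered, confirm against the committed file before merging. The doc comment directly above the module still reads "Taint tracking BeanValidationConfiguration", which no longer describes a `DataFlow::ConfigSig` module; rewording it to `Taint-tracking configuration describing the flow of data from user input` keeps the comment accurate after the refactor. The `from`/`where` hunk at -72 applies the same migration and needs nothing further once the module instantiation above is confirmed.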