Refactor CWE-089 Sql queries

2025-12-21 03:06:31 +01:00 · 2023-03-15 16:07:16 -04:00
parent e6e974a752
commit ae57807359
2 changed files with 22 additions and 20 deletions
--- a/java/ql/src/Security/CWE/CWE-089/SqlConcatenated.ql
+++ b/java/ql/src/Security/CWE/CWE-089/SqlConcatenated.ql
@@ -25,28 +25,27 @@ class UncontrolledStringBuilderSource extends DataFlow::ExprNode {
  }
 }

-class UncontrolledStringBuilderSourceFlowConfig extends TaintTracking::Configuration {
-  UncontrolledStringBuilderSourceFlowConfig() {
-    this = "SqlConcatenated::UncontrolledStringBuilderSourceFlowConfig"
-  }
+private module UncontrolledStringBuilderSourceFlowConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node src) { src instanceof UncontrolledStringBuilderSource }

-  override predicate isSource(DataFlow::Node src) { src instanceof UncontrolledStringBuilderSource }
+  predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink }

-  override predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink }
-
-  override predicate isSanitizer(DataFlow::Node node) {
+  predicate isBarrier(DataFlow::Node node) {
    node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType
  }
 }

+module UncontrolledStringBuilderSourceFlow =
+  TaintTracking::Make<UncontrolledStringBuilderSourceFlowConfig>;
+
 from QueryInjectionSink query, Expr uncontrolled
 where
  (
    builtFromUncontrolledConcat(query.asExpr(), uncontrolled)
    or
-    exists(StringBuilderVar sbv, UncontrolledStringBuilderSourceFlowConfig conf |
+    exists(StringBuilderVar sbv |
      uncontrolledStringBuilderQuery(sbv, uncontrolled) and
-      conf.hasFlow(DataFlow::exprNode(sbv.getToStringCall()), query)
+      UncontrolledStringBuilderSourceFlow::hasFlow(DataFlow::exprNode(sbv.getToStringCall()), query)
    )
  ) and
  not queryTaintedBy(query, _, _)
--- a/java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.ql
@@ -15,26 +15,29 @@
 import semmle.code.java.Expr
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.SqlInjectionQuery
-import DataFlow::PathGraph

-class LocalUserInputToQueryInjectionFlowConfig extends TaintTracking::Configuration {
-  LocalUserInputToQueryInjectionFlowConfig() { this = "LocalUserInputToQueryInjectionFlowConfig" }
+private module LocalUserInputToQueryInjectionFlowConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node src) { src instanceof LocalUserInput }

-  override predicate isSource(DataFlow::Node src) { src instanceof LocalUserInput }
+  predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink }

-  override predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink }
-
-  override predicate isSanitizer(DataFlow::Node node) {
+  predicate isBarrier(DataFlow::Node node) {
    node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType
  }

-  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
    any(AdditionalQueryInjectionTaintStep s).step(node1, node2)
  }
 }

+module LocalUserInputToQueryInjectionFlow =
+  TaintTracking::Make<LocalUserInputToQueryInjectionFlowConfig>;
+
+import LocalUserInputToQueryInjectionFlow::PathGraph
+
 from
-  DataFlow::PathNode source, DataFlow::PathNode sink, LocalUserInputToQueryInjectionFlowConfig conf
-where conf.hasFlowPath(source, sink)
+  LocalUserInputToQueryInjectionFlow::PathNode source,
+  LocalUserInputToQueryInjectionFlow::PathNode sink
+where LocalUserInputToQueryInjectionFlow::hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "This query depends on a $@.", source.getNode(),
  "user-provided value"