Refactor CWE-089 Sql queries

2025-12-21 03:06:31 +01:00 · 2023-03-15 16:07:16 -04:00
parent e6e974a752
commit ae57807359
2 changed files with 22 additions and 20 deletions
--- a/java/ql/src/Security/CWE/CWE-089/SqlConcatenated.ql
+++ b/java/ql/src/Security/CWE/CWE-089/SqlConcatenated.ql
@@ -25,28 +25,27 @@ class UncontrolledStringBuilderSource extends DataFlow::ExprNode {
  }
 }
-class UncontrolledStringBuilderSourceFlowConfig extends TaintTracking::Configuration {
+private module UncontrolledStringBuilderSourceFlowConfig implements DataFlow::ConfigSig {
-  UncontrolledStringBuilderSourceFlowConfig() {
+  predicate isSource(DataFlow::Node src) { src instanceof UncontrolledStringBuilderSource }
    this = "SqlConcatenated::UncontrolledStringBuilderSourceFlowConfig"
  }
-  override predicate isSource(DataFlow::Node src) { src instanceof UncontrolledStringBuilderSource }
+  predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink }
-  override predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink }
+  predicate isBarrier(DataFlow::Node node) {
  override predicate isSanitizer(DataFlow::Node node) {
    node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType
  }
 }
 module UncontrolledStringBuilderSourceFlow =
  TaintTracking::Make<UncontrolledStringBuilderSourceFlowConfig>;
 from QueryInjectionSink query, Expr uncontrolled
 where
  (
    builtFromUncontrolledConcat(query.asExpr(), uncontrolled)
    or
-    exists(StringBuilderVar sbv, UncontrolledStringBuilderSourceFlowConfig conf |
+    exists(StringBuilderVar sbv |
      uncontrolledStringBuilderQuery(sbv, uncontrolled) and
-      conf.hasFlow(DataFlow::exprNode(sbv.getToStringCall()), query)
+      UncontrolledStringBuilderSourceFlow::hasFlow(DataFlow::exprNode(sbv.getToStringCall()), query)
    )
  ) and
  not queryTaintedBy(query, _, _)
--- a/java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.ql
@@ -15,26 +15,29 @@
 import semmle.code.java.Expr
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.SqlInjectionQuery
 import DataFlow::PathGraph
-class LocalUserInputToQueryInjectionFlowConfig extends TaintTracking::Configuration {
+private module LocalUserInputToQueryInjectionFlowConfig implements DataFlow::ConfigSig {
-  LocalUserInputToQueryInjectionFlowConfig() { this = "LocalUserInputToQueryInjectionFlowConfig" }
+  predicate isSource(DataFlow::Node src) { src instanceof LocalUserInput }
-  override predicate isSource(DataFlow::Node src) { src instanceof LocalUserInput }
+  predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink }
-  override predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink }
+  predicate isBarrier(DataFlow::Node node) {
  override predicate isSanitizer(DataFlow::Node node) {
    node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType
  }
-  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
    any(AdditionalQueryInjectionTaintStep s).step(node1, node2)
  }
 }
 module LocalUserInputToQueryInjectionFlow =
  TaintTracking::Make<LocalUserInputToQueryInjectionFlowConfig>;
 import LocalUserInputToQueryInjectionFlow::PathGraph
 from
-  DataFlow::PathNode source, DataFlow::PathNode sink, LocalUserInputToQueryInjectionFlowConfig conf
+  LocalUserInputToQueryInjectionFlow::PathNode source,
-where conf.hasFlowPath(source, sink)
+  LocalUserInputToQueryInjectionFlow::PathNode sink
 where LocalUserInputToQueryInjectionFlow::hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "This query depends on a $@.", source.getNode(),
  "user-provided value"