Swift: Rewrite PathInjection to use DataFlow::ConfigSig

2025-12-24 04:36:35 +01:00 · 2023-04-03 16:48:44 +02:00
parent 97575807df
commit cb8568f6fd
3 changed files with 28 additions and 8 deletions
--- a/swift/ql/lib/codeql/swift/security/PathInjectionQuery.qll
+++ b/swift/ql/lib/codeql/swift/security/PathInjectionQuery.qll
@@ -13,7 +13,7 @@ private import codeql.swift.security.PathInjectionExtensions
 /**
 * A taint-tracking configuration for path injection vulnerabilities.
 */
-class PathInjectionConfiguration extends TaintTracking::Configuration {
+deprecated class PathInjectionConfiguration extends TaintTracking::Configuration {
  PathInjectionConfiguration() { this = "PathInjectionConfiguration" }

  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
@@ -28,3 +28,25 @@ class PathInjectionConfiguration extends TaintTracking::Configuration {
    any(PathInjectionAdditionalTaintStep s).step(node1, node2)
  }
 }
+
+/**
+ * A taint-tracking configuration for path injection vulnerabilities.
+ */
+module PathInjectionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof PathInjectionSink }
+
+  predicate isBarrier(DataFlow::Node sanitizer) {
+    sanitizer instanceof PathInjectionSanitizer
+  }
+
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    any(PathInjectionAdditionalTaintStep s).step(node1, node2)
+  }
+}
+
+/**
+ * Detect taint flow of path injection vulnerabilities.
+ */
+module PathInjectionFlow = TaintTracking::Global<PathInjectionConfig>;
--- a/swift/ql/src/queries/Security/CWE-022/PathInjection.ql
+++ b/swift/ql/src/queries/Security/CWE-022/PathInjection.ql
@@ -17,9 +17,9 @@
 import swift
 import codeql.swift.dataflow.DataFlow
 import codeql.swift.security.PathInjectionQuery
-import DataFlow::PathGraph
+import PathInjectionFlow::PathGraph

-from DataFlow::PathNode source, DataFlow::PathNode sink
-where any(PathInjectionConfiguration c).hasFlowPath(source, sink)
+from PathInjectionFlow::PathNode source, PathInjectionFlow::PathNode sink
+where PathInjectionFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "This path depends on a $@.", source.getNode(),
  "user-provided value"
--- a/swift/ql/test/query-tests/Security/CWE-022/PathInjectionTest.ql
+++ b/swift/ql/test/query-tests/Security/CWE-022/PathInjectionTest.ql
@@ -10,10 +10,8 @@ class PathInjectionTest extends InlineExpectationsTest {
  override string getARelevantTag() { result = "hasPathInjection" }

  override predicate hasActualResult(Location location, string element, string tag, string value) {
-    exists(
-      PathInjectionConfiguration config, DataFlow::Node source, DataFlow::Node sink, Expr sinkExpr
-    |
-      config.hasFlow(source, sink) and
+    exists(DataFlow::Node source, DataFlow::Node sink, Expr sinkExpr |
+      PathInjectionFlow::flow(source, sink) and
      sinkExpr = sink.asExpr() and
      location = sinkExpr.getLocation() and
      element = sinkExpr.toString() and