Refactor Revocation checking

2025-12-23 04:06:37 +01:00 · 2023-04-12 13:04:53 -04:00
parent 380888e446
commit ccdd9bce33
2 changed files with 9 additions and 9 deletions
--- a/java/ql/src/experimental/Security/CWE/CWE-299/DisabledRevocationChecking.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-299/DisabledRevocationChecking.ql
@@ -13,8 +13,8 @@

 import java
 import RevocationCheckingLib
-import DataFlow::PathGraph
+import DisabledRevocationCheckingFlow::PathGraph

-from DataFlow::PathNode source, DataFlow::PathNode sink, DisabledRevocationCheckingConfig config
-where config.hasFlowPath(source, sink)
+from DisabledRevocationCheckingFlow::PathNode source, DisabledRevocationCheckingFlow::PathNode sink
+where DisabledRevocationCheckingFlow::flowPath(source, sink)
 select source.getNode(), source, sink, "This disables revocation checking."
--- a/java/ql/src/experimental/Security/CWE/CWE-299/RevocationCheckingLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-299/RevocationCheckingLib.qll
@@ -5,16 +5,16 @@ import DataFlow
 /**
 * A taint-tracking configuration for disabling revocation checking.
 */
-class DisabledRevocationCheckingConfig extends TaintTracking::Configuration {
-  DisabledRevocationCheckingConfig() { this = "DisabledRevocationCheckingConfig" }
-
-  override predicate isSource(DataFlow::Node source) {
-    exists(BooleanLiteral b | b.getBooleanValue() = false | source.asExpr() = b)
+module DisabledRevocationCheckingConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    source.asExpr().(BooleanLiteral).getBooleanValue() = false
  }

-  override predicate isSink(DataFlow::Node sink) { sink instanceof SetRevocationEnabledSink }
+  predicate isSink(DataFlow::Node sink) { sink instanceof SetRevocationEnabledSink }
 }

+module DisabledRevocationCheckingFlow = TaintTracking::Global<DisabledRevocationCheckingConfig>;
+
 /**
 * A sink that disables revocation checking,
 * i.e. calling `PKIXParameters.setRevocationEnabled(false)`