diff --git a/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatString.ql b/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatString.ql
index 942c5d25950..da5bc5372a4 100644
--- a/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatString.ql
+++ b/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatString.ql
@@ -13,25 +13,29 @@ import java import semmle.code.java.dataflow.FlowSources import semmle.code.java.StringFormat -import DataFlow::PathGraph -class ExternallyControlledFormatStringConfig extends TaintTracking::Configuration { - ExternallyControlledFormatStringConfig() { this = "ExternallyControlledFormatStringConfig" } +module ExternallyControlledFormatStringConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } - override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } - - override predicate isSink(DataFlow::Node sink) { + predicate isSink(DataFlow::Node sink) { sink.asExpr() = any(StringFormat formatCall).getFormatArgument() } - override predicate isSanitizer(DataFlow::Node node) { + predicate isBarrier(DataFlow::Node node) { node.getType() instanceof NumericType or node.getType() instanceof BooleanType } } +module ExternallyControlledFormatStringFlow = + TaintTracking::Make; + +import ExternallyControlledFormatStringFlow::PathGraph + from - DataFlow::PathNode source, DataFlow::PathNode sink, StringFormat formatCall, - ExternallyControlledFormatStringConfig conf -where conf.hasFlowPath(source, sink) and sink.getNode().asExpr() = formatCall.getFormatArgument() + ExternallyControlledFormatStringFlow::PathNode source, + ExternallyControlledFormatStringFlow::PathNode sink, StringFormat formatCall +where + ExternallyControlledFormatStringFlow::hasFlowPath(source, sink) and + sink.getNode().asExpr() = formatCall.getFormatArgument() select formatCall.getFormatArgument(), source, sink, "Format string depends on a $@.", source.getNode(), "user-provided value"
diff --git a/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatStringLocal.ql b/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatStringLocal.ql
index 2cd3a0c29da..f418372647f 100644
--- a/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatStringLocal.ql
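Review bot: The configuration module in this file is declared without `private`, while the parallel change to ExternallyControlledFormatStringLocal.ql in the same commit uses `private module ... implements DataFlow::ConfigSig`; nothing in the hunk shows the module being imported elsewhere, so `private module ExternallyControlledFormatStringConfig implements DataFlow::ConfigSig {` would keep the two queries consistent. The `isBarrier` predicate would also benefit from a one-line comment recording why flow is cut there, for example `// Numeric and boolean values cannot carry format specifiers, so they cannot change the format string.` As rendered on this page, the instantiation reads `TaintTracking::Make;` with no module argument, here and in the Local.ql hunk; presumably the angle-bracketed configuration argument was lost in extraction, so confirm it against the file.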
+++ b/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatStringLocal.ql
@@ -13,23 +13,25 @@ import java import semmle.code.java.dataflow.FlowSources import semmle.code.java.StringFormat -import DataFlow::PathGraph -class ExternallyControlledFormatStringLocalConfig extends TaintTracking::Configuration { - ExternallyControlledFormatStringLocalConfig() { - this = "ExternallyControlledFormatStringLocalConfig" - } +private module ExternallyControlledFormatStringLocalConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput } - override predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput } - - override predicate isSink(DataFlow::Node sink) { + predicate isSink(DataFlow::Node sink) { sink.asExpr() = any(StringFormat formatCall).getFormatArgument() } } +module ExternallyControlledFormatStringLocalFlow = + TaintTracking::Make; + +import ExternallyControlledFormatStringLocalFlow::PathGraph + from - DataFlow::PathNode source, DataFlow::PathNode sink, StringFormat formatCall, - ExternallyControlledFormatStringLocalConfig conf -where conf.hasFlowPath(source, sink) and sink.getNode().asExpr() = formatCall.getFormatArgument() + ExternallyControlledFormatStringLocalFlow::PathNode source, + ExternallyControlledFormatStringLocalFlow::PathNode sink, StringFormat formatCall +where + ExternallyControlledFormatStringLocalFlow::hasFlowPath(source, sink) and + sink.getNode().asExpr() = formatCall.getFormatArgument() select formatCall.getFormatArgument(), source, sink, "Format string depends on a $@.", source.getNode(), "user-provided value"
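Review bot: The local-input configuration defines no `isBarrier`, so taint that passes through a numeric or boolean value on its way to the format argument is still reported here, whereas the remote query in this commit stops flow at `NumericType` and `BooleanType` nodes. The migration carries this over from the removed class, which had no `isSanitizer` either, so it may be deliberate, but the hunk gives no reason for the difference. If it is not intended, adding `predicate isBarrier(DataFlow::Node node) { node.getType() instanceof NumericType or node.getType() instanceof BooleanType }` would align the two queries and drop the same class of false positives. Otherwise a short comment in the module stating why local input is treated more strictly would help the next maintainer.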