Refactor Security.CWE.CWE-134.ExternallyControlledFormatString

2025-12-24 04:36:35 +01:00 · 2023-03-15 13:39:19 -04:00
parent ac223ea57f
commit d34dbbc96f
2 changed files with 27 additions and 21 deletions
--- a/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatString.ql
+++ b/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatString.ql
@@ -13,25 +13,29 @@
 import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.StringFormat
 import DataFlow::PathGraph
-class ExternallyControlledFormatStringConfig extends TaintTracking::Configuration {
+module ExternallyControlledFormatStringConfig implements DataFlow::ConfigSig {
-  ExternallyControlledFormatStringConfig() { this = "ExternallyControlledFormatStringConfig" }
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSink(DataFlow::Node sink) {
  override predicate isSink(DataFlow::Node sink) {
    sink.asExpr() = any(StringFormat formatCall).getFormatArgument()
  }
-  override predicate isSanitizer(DataFlow::Node node) {
+  predicate isBarrier(DataFlow::Node node) {
    node.getType() instanceof NumericType or node.getType() instanceof BooleanType
  }
 }
 module ExternallyControlledFormatStringFlow =
  TaintTracking::Make<ExternallyControlledFormatStringConfig>;
 import ExternallyControlledFormatStringFlow::PathGraph
 from
-  DataFlow::PathNode source, DataFlow::PathNode sink, StringFormat formatCall,
+  ExternallyControlledFormatStringFlow::PathNode source,
-  ExternallyControlledFormatStringConfig conf
+  ExternallyControlledFormatStringFlow::PathNode sink, StringFormat formatCall
-where conf.hasFlowPath(source, sink) and sink.getNode().asExpr() = formatCall.getFormatArgument()
+where
  ExternallyControlledFormatStringFlow::hasFlowPath(source, sink) and
  sink.getNode().asExpr() = formatCall.getFormatArgument()
 select formatCall.getFormatArgument(), source, sink, "Format string depends on a $@.",
  source.getNode(), "user-provided value"
--- a/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatStringLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatStringLocal.ql
@@ -13,23 +13,25 @@
 import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.StringFormat
 import DataFlow::PathGraph
-class ExternallyControlledFormatStringLocalConfig extends TaintTracking::Configuration {
+private module ExternallyControlledFormatStringLocalConfig implements DataFlow::ConfigSig {
-  ExternallyControlledFormatStringLocalConfig() {
+  predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
    this = "ExternallyControlledFormatStringLocalConfig"
  }
-  override predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
+  predicate isSink(DataFlow::Node sink) {
  override predicate isSink(DataFlow::Node sink) {
    sink.asExpr() = any(StringFormat formatCall).getFormatArgument()
  }
 }
 module ExternallyControlledFormatStringLocalFlow =
  TaintTracking::Make<ExternallyControlledFormatStringLocalConfig>;
 import ExternallyControlledFormatStringLocalFlow::PathGraph
 from
-  DataFlow::PathNode source, DataFlow::PathNode sink, StringFormat formatCall,
+  ExternallyControlledFormatStringLocalFlow::PathNode source,
-  ExternallyControlledFormatStringLocalConfig conf
+  ExternallyControlledFormatStringLocalFlow::PathNode sink, StringFormat formatCall
-where conf.hasFlowPath(source, sink) and sink.getNode().asExpr() = formatCall.getFormatArgument()
+where
  ExternallyControlledFormatStringLocalFlow::hasFlowPath(source, sink) and
  sink.getNode().asExpr() = formatCall.getFormatArgument()
 select formatCall.getFormatArgument(), source, sink, "Format string depends on a $@.",
  source.getNode(), "user-provided value"