Moved configuration from XPath.qll back to XPath Injection query

2026-05-01 11:45:14 +02:00 · 2021-04-27 12:03:03 +02:00
parent ee269fbc69
commit d739a8cac2
3 changed files with 17 additions and 10 deletions
--- a/java/ql/src/experimental/Security/CWE/CWE-643/XPathInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-643/XPathInjection.ql
@@ -15,6 +15,14 @@ import semmle.code.java.dataflow.TaintTracking
 import DataFlow::PathGraph
 import semmle.code.java.security.XPath

+class XPathInjectionConfiguration extends TaintTracking::Configuration {
+  XPathInjectionConfiguration() { this = "XPathInjection" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof XPathInjectionSink }
+}
+
 from DataFlow::PathNode source, DataFlow::PathNode sink, XPathInjectionConfiguration c
 where c.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "$@ flows to here and is used in an XPath expression.",
--- a/java/ql/src/semmle/code/java/security/XPath.qll
+++ b/java/ql/src/semmle/code/java/security/XPath.qll
@@ -55,11 +55,4 @@ class XPathInjectionSink extends DataFlow::ExprNode {
  XPathInjectionSink() { exists(XPathSink sink | this.getExpr() = sink.getSink()) }
 }

-/** A configuration that tracks data from a remote input source to a XPath evaluation sink. */
-class XPathInjectionConfiguration extends TaintTracking::Configuration {
-  XPathInjectionConfiguration() { this = "XPathInjection" }

-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof XPathInjectionSink }
-}
--- a/java/ql/test/experimental/query-tests/security/CWE-643/XPathInjectionTest.ql
+++ b/java/ql/test/experimental/query-tests/security/CWE-643/XPathInjectionTest.ql
@@ -4,6 +4,14 @@ import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.XPath
 import TestUtilities.InlineExpectationsTest

+class Conf extends TaintTracking::Configuration {
+  Conf() { this = "test:xml:xpathinjection" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof XPathInjectionSink }
+}
+
 class HasXPathInjectionTest extends InlineExpectationsTest {
  HasXPathInjectionTest() { this = "HasXPathInjectionTest" }

@@ -11,9 +19,7 @@ class HasXPathInjectionTest extends InlineExpectationsTest {

  override predicate hasActualResult(Location location, string element, string tag, string value) {
    tag = "hasXPathInjection" and
-    exists(DataFlow::Node src, DataFlow::Node sink, XPathInjectionConfiguration conf |
-      conf.hasFlow(src, sink)
-    |
+    exists(DataFlow::Node src, DataFlow::Node sink, Conf conf | conf.hasFlow(src, sink) |
      sink.getLocation() = location and
      element = sink.toString() and
      value = ""