Polish up configs

python/ql/src/experimental/semmle/python/security/injection/NoSQLInjection.qll

@@ -26,79 +26,38 @@ class UltraJsonLoadsCall extends DataFlow::CallCfgNode {
   DataFlow::Node getLoadNode() { result = this.getArg(0) }
 }
 
-// configs
-class XmlToDictParseConfig extends TaintTracking::Configuration {
-  XmlToDictParseConfig() { this = "XmlToDictParseConfig" }
+// better name?
+class JSONRelatedSink extends DataFlow::Node {
+  JSONRelatedSink() {
+    this = any(JsonLoadsCall jsonLoads).getLoadNode() or
+    this = any(XmlToDictParseCall jsonLoads).getParseNode() or
+    this = any(UltraJsonLoadsCall jsonLoads).getLoadNode()
+  }
+}
+
+class NoSQLInjectionConfig extends TaintTracking::Configuration {
+  NoSQLInjectionConfig() { this = "NoSQLInjectionConfig" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
-  override predicate isSink(DataFlow::Node sink) {
-    sink = any(XmlToDictParseCall xmlToDictParse).getParseNode()
-  }
+  override predicate isSink(DataFlow::Node sink) { sink instanceof JSONRelatedSink }
 
   override predicate isSanitizer(DataFlow::Node sanitizer) {
     sanitizer = any(NoSQLSanitizer noSQLSanitizer).getSanitizerNode()
   }
 }
 
-// Must be passed through json.loads(here) since otherwise it would be a string instead of a dict.
-class JsonLoadsConfig extends TaintTracking::Configuration {
-  JsonLoadsConfig() { this = "JsonLoadsConfig" }
+// I hate the name ObjectBuilderFunctionConfig so this can be renamed
+class ObjectBuilderFunctionConfig extends TaintTracking2::Configuration {
+  ObjectBuilderFunctionConfig() { this = "ObjectBuilderFunctionConfig" }
 
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  override predicate isSource(DataFlow::Node source) { source instanceof JSONRelatedSink }
 
   override predicate isSink(DataFlow::Node sink) {
-    sink = any(JsonLoadsCall jsonLoads).getLoadNode()
+    sink = any(NoSQLQuery noSQLQuery).getQueryNode()
   }
 
   override predicate isSanitizer(DataFlow::Node sanitizer) {
     sanitizer = any(NoSQLSanitizer noSQLSanitizer).getSanitizerNode()
   }
 }
-
-// Must be passed through json.loads(here) since otherwise it would be a string instead of a dict.
-class UltraJsonLoadsConfig extends TaintTracking::Configuration {
-  UltraJsonLoadsConfig() { this = "UltraJsonLoadsConfig" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) {
-    sink = any(UltraJsonLoadsCall ultraCall).getLoadNode()
-  }
-
-  override predicate isSanitizer(DataFlow::Node sanitizer) {
-    sanitizer = any(NoSQLSanitizer noSQLSanitizer).getSanitizerNode()
-  }
-}
-
-// This predicate should handle args passed to json, xmltodict, ujson, etc.
-class ObjectBuilderMethodArg extends DataFlow::Node {
-  ObjectBuilderMethodArg() {
-    this in [
-        any(JsonLoadsCall jsonLoads).getLoadNode(),
-        any(XmlToDictParseCall xmlToDictParse).getParseNode(),
-        any(UltraJsonLoadsCall ultraCall).getLoadNode()
-      ]
-  }
-}
-
-// I don't think this is possible, we should do something like this in the main query:
-/**
- * config1.hasFlowPath(source, sink) or config2.hasFlowPath(source, sink) or config3.hasFlowPath(source, sink)
- * where configs are variables declared from the configs in the list below.
- *
- * class ObjectBuilderMethod extends DataFlow::Node {
- *  ObjectBuilderMethod() { this in [JsonLoadsConfig, XmlToDictParseConfig, UltraJsonLoadsConfig] }
- *}
- */
-class NoSQLInjection extends TaintTracking::Configuration {
-  NoSQLInjection() { this = "NoSQLInjection" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof ObjectBuilderMethodArg } // Will be JsonLoadsArg
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof MongoSinks }
-
-  override predicate isSanitizer(DataFlow::Node sanitizer) {
-    sanitizer = any(NoSQLSanitizer noSQLSanitizer).getSanitizerNode()
-  }
-}