Fix compilation errors

Author: Jami Cogswell

java/src/security/CWE-089/MyBatisCommonLib.qll

@@ -3,7 +3,6 @@
  */
 
 import java
-import semmle.code.xml.MyBatisMapperXML
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.frameworks.MyBatis
 import semmle.code.java.frameworks.Properties

java/src/security/CWE-089/MyBatisMapperXmlSqlInjection.ql

@@ -14,7 +14,7 @@
 import java
 import MyBatisCommonLib
 import MyBatisMapperXmlSqlInjectionLib
-import semmle.code.xml.MyBatisMapperXML
+import semmle.code.java.frameworks.MyBatis
 import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.security.Sanitizers
 import MyBatisMapperXmlSqlInjectionFlow::PathGraph

java/src/security/CWE-089/MyBatisMapperXmlSqlInjectionLib.qll

@@ -3,7 +3,7 @@
  */
 
 import java
-import semmle.code.xml.MyBatisMapperXML
+import semmle.code.java.frameworks.MyBatis
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.frameworks.Properties
 

javascript/lib/browserextension/BothSidesRequestForgeryQuery.qll

@@ -16,31 +16,30 @@
   * A taint tracking configuration for client-side request forgery.
   * Server side is disabled since this is in the browser, but the extra models can be enabled for extra coverage
   */
- class Configuration extends TaintTracking::Configuration {
-   Configuration() { this = "ClientSideRequestForgery" }
- 
-   override predicate isSource(DataFlow::Node source) {
+ module Config implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
      exists(Source src |
        source = src and
        not src.isServerSide()
      ) or 
     source instanceof OnMessageExternal or source instanceof OnConnectExternal
    }
 
-   override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
-   override predicate isSanitizer(DataFlow::Node node) {
-     super.isSanitizer(node) or
+  predicate isBarrier(DataFlow::Node node) {
      node instanceof Sanitizer
    }
 
-   override predicate isSanitizerOut(DataFlow::Node node) { sanitizingPrefixEdge(node, _) }
+  predicate isBarrierOut(DataFlow::Node node) { sanitizingPrefixEdge(node, _) }
 
-   override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+  predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
      isAdditionalRequestForgeryStep(pred, succ)
    }
   }
 
+  module ConfigFlow = TaintTracking::Global<Config>;
+
   class BrowserStep extends DataFlow::SharedFlowStep {
     override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
       (exists (DataFlow::ParameterNode p |

javascript/lib/browserextension/BrowserInjectionFieldCustomizations.qll

@@ -9,15 +9,14 @@ private import semmle.javascript.security.dataflow.XssThroughDomCustomizations::
 
 module BrowserInjection {
 
-  private import DataFlow::FlowLabel
   /**
    * A data flow source for Chrome API injection vulnerabilities.
    */
   abstract class Source extends DataFlow::Node { 
 
 
 
-    DataFlow::FlowLabel getFlowLabel() { result = "BrowserSource" }
+    string getFlowLabel() { result = "BrowserSource" }
   }
 
   /**

javascript/lib/browserextension/BrowserInjectionFieldQuery.qll

@@ -0,0 +1,47 @@
+ import javascript
+ private import browserextension.BrowserInjectionFieldCustomizations::BrowserInjection
+ private import semmle.javascript.security.dataflow.XssThroughDomCustomizations::XssThroughDom as XssThroughDom
+
+ //private import semmle.javascript.security.dataflow.DomBasedXssCustomizations
+ //private import semmle.javascript.security.dataflow.XssThroughDomCustomizations::XssThroughDom as XssThroughDom
+
+ //private import semmle.javascript.security.dataflow.CodeInjectionCustomizations
+
+   module Config implements DataFlow::ConfigSig {
+
+    predicate isSource(DataFlow::Node source) {
+       source instanceof Source
+     }
+
+    predicate isSink(DataFlow::Node sink) {
+       sink instanceof Sink
+     }
+
+    additional predicate isAdditionalLoadStep(DataFlow::Node pred, DataFlow::Node succ, string prop) {
+       (pred = succ) and
+       ((pred instanceof Update and prop = ["url", "openerTabId"])
+       or
+       (pred instanceof DownloadsDangerous and prop = ["body", "conflictAction","filename", "url", "method"])
+       or
+       (pred instanceof Delete and prop = ["startTime", "endTime", "url"])
+       //or
+       //(pred instanceof SetContentSettings and succ instanceof SetContentSettings and prop = any(string s))
+       //or
+       //(pred instanceof GetContentSettings and succ instanceof GetContentSettings and prop = any(string s))
+        //(pred instanceof StorageSet and succ instanceof StorageSet and prop = any(string s))
+       //or
+       //(pred instanceof SearchHistory and prop = any(string s))
+       or
+       (pred instanceof GetCookie and prop = ["domain", "firstPartyDomain", "name", "url", "session", "path", "storeId"])
+       or
+       (pred instanceof UpdateBookmarks and prop= ["title", "url"])
+       or
+       (pred = succ and pred instanceof RemoveBrowsingData and prop = ["cookieStoreId", "hostnames", "originTypes", "since"])
+       or
+       (pred = succ and pred instanceof AddHistory and prop = ["url"])
+       or
+       (pred = succ and pred instanceof CreateWindows and prop = ["url"]))
+     }
+   }
+
+   module ConfigFlow = TaintTracking::Global<Config>;

javascript/lib/browserextension/BrowserInjectionObjectCustomizations.qll

@@ -8,15 +8,14 @@ private import browserextension.BrowserAPI
 
 module BrowserInjection {
 
-  private import DataFlow::FlowLabel
   /**
    * A data flow source for Chrome API injection vulnerabilities.
    */
   abstract class Source extends DataFlow::Node { 
 
 
 
-    DataFlow::FlowLabel getFlowLabel() { result = "BrowserSource" }
+    string getFlowLabel() { result = "BrowserSource" }
   }
 
   /**

javascript/lib/browserextension/CodeInjectionQuery.qll

@@ -17,30 +17,29 @@
  /**
   * A taint-tracking configuration for reasoning about code injection vulnerabilities.
   */
- class Configuration extends TaintTracking::Configuration {
-   Configuration() { this = "CodeInjection" }
+ module Config implements DataFlow::ConfigSig { 
+  predicate isSource(DataFlow::Node source) { source instanceof XssThroughDom::Source}
 
-   override predicate isSource(DataFlow::Node source) { source instanceof XssThroughDom::Source}
 
 
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink}
 
-   override predicate isSink(DataFlow::Node sink) { sink instanceof Sink}
- 
-   override predicate isSanitizer(DataFlow::Node node) {
-     super.isSanitizer(node) or
+  predicate isBarrier(DataFlow::Node node) {
      node instanceof Sanitizer
    }
 
-   override predicate isAdditionalTaintStep(DataFlow::Node src, DataFlow::Node trg) {
+  predicate isAdditionalFlowStep(DataFlow::Node src, DataFlow::Node trg) {
      // HTML sanitizers are insufficient protection against code injection
      src = trg.(HtmlSanitizerCall).getInput()
    }
 
-   override predicate isAdditionalLoadStep(DataFlow::Node pred, DataFlow::Node succ, string prop) {
+  additional predicate isAdditionalLoadStep(DataFlow::Node pred, DataFlow::Node succ, string prop) {
      exists(ExecuteScript ess | ess = pred  and ess = succ and prop = ["file", "code"])
    }
  }
 
+ module ConfigFlow = TaintTracking::Global<Config>;
+
 //Browser Extension Models
 class ExecuteScriptSink extends Sink instanceof ExecuteScript{}
 class ExternalConnect1 extends Source instanceof OnConnectExternal{}

javascript/lib/ghsl/InsecureIV.qll

@@ -2,47 +2,41 @@ import semmle.javascript.dataflow.TaintTracking
 
 import ghsl.CommandLine
 
-class RandomTaintsSourceConfiguration extends TaintTracking::Configuration {
-    RandomTaintsSourceConfiguration() { this = "RandomTaintsSourceConfiguration" }
+module RandomTaintsSourceConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { isSecureRandom(source) }
 
-    override predicate isSource(DataFlow::Node source) {
-        isSecureRandom(source)
-    }
-
-    override predicate isSink(DataFlow::Node sink) {
-        not isSecureRandom(sink)
-    }
+  predicate isSink(DataFlow::Node sink) { not isSecureRandom(sink) }
 }
 
-class InsecureIVConfiguration extends TaintTracking::Configuration {
-    InsecureIVConfiguration() { this = "InsecureIVConfiguration" }
+module RandomTaintsSourceFlow = TaintTracking::Global<RandomTaintsSourceConfig>;
 
-    override predicate isSource(DataFlow::Node source) {
-        exists(Literal literal|literal.flow() = source)
-        or
-        source instanceof DataFlow::ArrayLiteralNode
-        or
-        source instanceof RemoteFlowSource
-        or
-        source instanceof FileSystemReadAccess
-        or
-        source instanceof DatabaseAccess
-        or
-        source instanceof CommandLineArgument
-        or
-        // an external function that is not a known source of randomness
-        (
-            source instanceof ExternalCallWithOutput
-            and not source instanceof CreateIVArgument
-            and not source instanceof SecureRandomSource
-        )
-    }
+module InsecureIVConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    exists(Literal literal | literal.flow() = source)
+    or
+    source instanceof DataFlow::ArrayLiteralNode
+    or
+    source instanceof RemoteFlowSource
+    or
+    source instanceof FileSystemReadAccess
+    or
+    source instanceof DatabaseAccess
+    or
+    source instanceof CommandLineArgument
+    or
+    // an external function that is not a known source of randomness
+    (
+        source instanceof ExternalCallWithOutput
+        and not source instanceof CreateIVArgument
+        and not source instanceof SecureRandomSource
+    )
+  }
 
-    override predicate isSink(DataFlow::Node sink) {
-        sink instanceof CreateIVArgument
-    }
+  predicate isSink(DataFlow::Node sink) { sink instanceof CreateIVArgument }
 }
 
+module InsecureIVFlow = TaintTracking::Global<InsecureIVConfig>;
+
 class ExternalCallWithOutput extends DataFlow::Node {
     CallExpr call;
 

javascript/src/audit/CWE-094/BrowserExtensionCodeInjection.ql

@@ -16,9 +16,9 @@
 
  import javascript
  import browserextension.CodeInjectionQuery
- import DataFlow::PathGraph
+ import ConfigFlow::PathGraph
 
- from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
- where cfg.hasFlowPath(source, sink)
+ from ConfigFlow::PathNode source, ConfigFlow::PathNode sink
+ where ConfigFlow::flowPath(source, sink)
  select sink.getNode(), source, sink, sink.getNode().(Sink).getMessagePrefix() + " depends on a $@.",
    source.getNode(), "user-provided value"