feat(go): Query updates to param modules

Author: GeekMasher

go/src/security/CWE-078/CommandInjection.ql

@@ -13,27 +13,31 @@
 
 import go
 import semmle.go.security.CommandInjection
-import DataFlow::PathGraph
 import semmle.go.security.FlowSources
 
-//Override CommandInjection::Configuration to use the in-use sources
-class InUseCommandInjectionConfiguration extends CommandInjection::Configuration {
-  override predicate isSource(DataFlow::Node node) {
+module FlowConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) {
     exists(UntrustedFlowSource source, Function function, DataFlow::CallNode callNode |
       source.asExpr() = node.asExpr() and
-
       source.(DataFlow::ExprNode).asExpr().getEnclosingFunction() = function.getFuncDecl() and
       (
         // function is called directly
         callNode.getACallee() = function.getFuncDecl()
-
+        or
         // function is passed to another function to be called
-        or callNode.getCall().getAnArgument().(Ident).refersTo(function) //NEW with 2.13.2: or c.getASyntacticArgument().asExpr().(Ident).refersTo(f)
-      )      
+        callNode.getCall().getAnArgument().(Ident).refersTo(function) //NEW with 2.13.2: or c.getASyntacticArgument().asExpr().(Ident).refersTo(f)
+      )
     )
   }
+
+  predicate isSink(DataFlow::Node sink) {
+    exists(CommandInjection::Sink s | sink = s | not s.doubleDashIsSanitizing())
+  }
 }
 
- from InUseCommandInjectionConfiguration cfg, CommandInjection::DoubleDashSanitizingConfiguration cfg2, DataFlow::PathNode source, DataFlow::PathNode sink
- where (cfg.hasFlowPath(source, sink) or cfg2.hasFlowPath(source, sink))
- select sink.getNode(), source, sink, "This command depends on a $@.", source.getNode(), "user-provided value"
+module Flow = TaintTracking::Global<FlowConfig>;
+
+from Flow::PathNode source, Flow::PathNode sink
+where Flow::flowPath(source, sink)
+select sink.getNode(), source, sink, "This command depends on a $@.", source.getNode(),
+  "user-provided value"