Refactor JndiInjection

Author: egregius313

java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll

@@ -7,9 +7,11 @@ import semmle.code.java.frameworks.SpringLdap
 import semmle.code.java.security.JndiInjection
 
 /**
+ * DEPRECATED: Use `JndiInjectionFlow` instead.
+ *
  * A taint-tracking configuration for unvalidated user input that is used in JNDI lookup.
  */
-class JndiInjectionFlowConfig extends TaintTracking::Configuration {
+deprecated class JndiInjectionFlowConfig extends TaintTracking::Configuration {
   JndiInjectionFlowConfig() { this = "JndiInjectionFlowConfig" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
@@ -27,14 +29,32 @@ class JndiInjectionFlowConfig extends TaintTracking::Configuration {
   }
 }
 
+/**
+ * A taint-tracking configuration for unvalidated user input that is used in JNDI lookup.
+ */
+private module JndiInjectionFlowConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof JndiInjectionSink }
+
+  predicate isBarrier(DataFlow::Node node) {
+    node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType
+  }
+
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    any(JndiInjectionAdditionalTaintStep c).step(node1, node2)
+  }
+}
+
+/** Tracks flow of unvalidated user input that is used in JNDI lookup */
+module JndiInjectionFlow = TaintTracking::Make<JndiInjectionFlowConfig>;
+
 /**
  * A method that does a JNDI lookup when it receives a `SearchControls` argument with `setReturningObjFlag` = `true`
  */
 private class UnsafeSearchControlsSink extends JndiInjectionSink {
   UnsafeSearchControlsSink() {
-    exists(UnsafeSearchControlsConf conf, MethodAccess ma |
-      conf.hasFlowTo(DataFlow::exprNode(ma.getAnArgument()))
-    |
+    exists(MethodAccess ma | UnsafeSearchControlsFlow::hasFlowToExpr(ma.getAnArgument()) |
       this.asExpr() = ma.getArgument(0)
     )
   }
@@ -44,14 +64,14 @@ private class UnsafeSearchControlsSink extends JndiInjectionSink {
  * Find flows between a `SearchControls` object with `setReturningObjFlag` = `true`
  * and an argument of an `LdapOperations.search` or `DirContext.search` call.
  */
-private class UnsafeSearchControlsConf extends DataFlow2::Configuration {
-  UnsafeSearchControlsConf() { this = "UnsafeSearchControlsConf" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof UnsafeSearchControls }
+private module UnsafeSearchControlsConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof UnsafeSearchControls }
 
-  override predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeSearchControlsArgument }
+  predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeSearchControlsArgument }
 }
 
+private module UnsafeSearchControlsFlow = DataFlow::Make<UnsafeSearchControlsConfig>;
+
 /**
  * An argument of type `SearchControls` of an `LdapOperations.search` or `DirContext.search` call.
  */

java/ql/src/Security/CWE/CWE-074/JndiInjection.ql

@@ -13,9 +13,9 @@
 
 import java
 import semmle.code.java.security.JndiInjectionQuery
-import DataFlow::PathGraph
+import JndiInjectionFlow::PathGraph
 
-from DataFlow::PathNode source, DataFlow::PathNode sink, JndiInjectionFlowConfig conf
-where conf.hasFlowPath(source, sink)
+from JndiInjectionFlow::PathNode source, JndiInjectionFlow::PathNode sink
+where JndiInjectionFlow::hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "JNDI lookup might include name from $@.", source.getNode(),
   "this user input"

java/ql/test/query-tests/security/CWE-074/JndiInjectionTest.ql

@@ -9,7 +9,7 @@ class HasJndiInjectionTest extends InlineExpectationsTest {
 
   override predicate hasActualResult(Location location, string element, string tag, string value) {
     tag = "hasJndiInjection" and
-    exists(DataFlow::Node sink, JndiInjectionFlowConfig conf | conf.hasFlowTo(sink) |
+    exists(DataFlow::Node sink | JndiInjectionFlow::hasFlowTo(sink) |
       sink.getLocation() = location and
       element = sink.toString() and
       value = ""