Java: Refactor IntentUriPermissionManipulation.

Author: aschackmull

java/ql/lib/semmle/code/java/security/IntentUriPermissionManipulationQuery.qll

@@ -9,9 +9,11 @@ private import semmle.code.java.dataflow.DataFlow
 private import IntentUriPermissionManipulation
 
 /**
+ * DEPRECATED: Use `IntentUriPermissionManipulationFlow` instead.
+ *
  * A taint tracking configuration for user-provided Intents being returned to third party apps.
  */
-class IntentUriPermissionManipulationConf extends TaintTracking::Configuration {
+deprecated class IntentUriPermissionManipulationConf extends TaintTracking::Configuration {
   IntentUriPermissionManipulationConf() { this = "UriPermissionManipulationConf" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
@@ -32,3 +34,23 @@ class IntentUriPermissionManipulationConf extends TaintTracking::Configuration {
     any(IntentUriPermissionManipulationAdditionalTaintStep c).step(node1, node2)
   }
 }
+
+private module IntentUriPermissionManipulationConf implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof IntentUriPermissionManipulationSink }
+
+  predicate isBarrier(DataFlow::Node barrier) {
+    barrier instanceof IntentUriPermissionManipulationSanitizer
+  }
+
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    any(IntentUriPermissionManipulationAdditionalTaintStep c).step(node1, node2)
+  }
+}
+
+/**
+ * Taint tracking flow for user-provided Intents being returned to third party apps.
+ */
+module IntentUriPermissionManipulationFlow =
+  TaintTracking::Make<IntentUriPermissionManipulationConf>;

java/ql/src/Security/CWE/CWE-266/IntentUriPermissionManipulation.ql

@@ -15,10 +15,12 @@
 import java
 import semmle.code.java.security.IntentUriPermissionManipulationQuery
 import semmle.code.java.dataflow.DataFlow
-import DataFlow::PathGraph
+import IntentUriPermissionManipulationFlow::PathGraph
 
-from DataFlow::PathNode source, DataFlow::PathNode sink
-where any(IntentUriPermissionManipulationConf c).hasFlowPath(source, sink)
+from
+  IntentUriPermissionManipulationFlow::PathNode source,
+  IntentUriPermissionManipulationFlow::PathNode sink
+where IntentUriPermissionManipulationFlow::hasFlowPath(source, sink)
 select sink.getNode(), source, sink,
   "This Intent can be set with arbitrary flags from a $@, " +
     "and used to give access to internal content providers.", source.getNode(),

java/ql/test/query-tests/security/CWE-266/IntentUriPermissionManipulationTest.ql

@@ -2,14 +2,10 @@ import java
 import TestUtilities.InlineFlowTest
 import semmle.code.java.security.IntentUriPermissionManipulationQuery
 
-class EnableLegacy extends EnableLegacyConfiguration {
-  EnableLegacy() { exists(this) }
-}
-
 class IntentUriPermissionManipulationTest extends InlineFlowTest {
-  override DataFlow::Configuration getValueFlowConfig() { none() }
+  override predicate hasValueFlow(DataFlow::Node src, DataFlow::Node sink) { none() }
 
-  override TaintTracking::Configuration getTaintFlowConfig() {
-    result instanceof IntentUriPermissionManipulationConf
+  override predicate hasTaintFlow(DataFlow::Node src, DataFlow::Node sink) {
+    IntentUriPermissionManipulationFlow::hasFlow(src, sink)
   }
 }