Remove CSV sinks; make imports private

atorralba · atorralba · commit 6bf1e87bbe38 · 2021-09-27T11:40:47.000+02:00
diff --git a/java/ql/src/Security/CWE/CWE-094/SpelInjection.ql b/java/ql/src/Security/CWE/CWE-094/SpelInjection.ql
@@ -12,6 +12,7 @@
 
 import java
 import semmle.code.java.security.SpelInjectionQuery
+import semmle.code.java.dataflow.DataFlow
 import DataFlow::PathGraph
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, SpelInjectionConfig conf
diff --git a/java/ql/src/semmle/code/java/security/SpelInjection.qll b/java/ql/src/semmle/code/java/security/SpelInjection.qll
@@ -1,25 +1,13 @@
 /** Provides classes to reason about SpEL injection attacks. */
 
 import java
-import semmle.code.java.dataflow.DataFlow
-import semmle.code.java.dataflow.ExternalFlow
-import semmle.code.java.frameworks.spring.SpringExpression
+private import semmle.code.java.dataflow.DataFlow
+private import semmle.code.java.dataflow.ExternalFlow
+private import semmle.code.java.frameworks.spring.SpringExpression
 
 /** A data flow sink for unvalidated user input that is used to construct SpEL expressions. */
 abstract class SpelExpressionEvaluationSink extends DataFlow::ExprNode { }
 
-private class SpelExpressionEvaluationModel extends SinkModelCsv {
-  override predicate row(string row) {
-    row =
-      [
-        "org.springframework.expression;Expression;true;getValue;;;Argument[-1];spel",
-        "org.springframework.expression;Expression;true;getValueTypeDescriptor;;;Argument[-1];spel",
-        "org.springframework.expression;Expression;true;getValueType;;;Argument[-1];spel",
-        "org.springframework.expression;Expression;true;setValue;;;Argument[-1];spel"
-      ]
-  }
-}
-
 /**
  * A unit class for adding additional taint steps.
  *
diff --git a/java/ql/src/semmle/code/java/security/SpelInjectionQuery.qll b/java/ql/src/semmle/code/java/security/SpelInjectionQuery.qll
@@ -1,10 +1,10 @@
 /** Provides taint tracking and dataflow configurations to be used in SpEL injection queries. */
 
 import java
-import semmle.code.java.dataflow.DataFlow
-import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.frameworks.spring.SpringExpression
-import semmle.code.java.security.SpelInjection
+private import semmle.code.java.dataflow.FlowSources
+private import semmle.code.java.dataflow.TaintTracking
+private import semmle.code.java.frameworks.spring.SpringExpression
+private import semmle.code.java.security.SpelInjection
 
 /**
  * A taint-tracking configuration for unsafe user input
@@ -26,8 +26,8 @@ class SpelInjectionConfig extends TaintTracking::Configuration {
 private class DefaultSpelExpressionEvaluationSink extends SpelExpressionEvaluationSink {
   DefaultSpelExpressionEvaluationSink() {
     exists(MethodAccess ma |
-      sinkNode(this, "spel") and
-      this.asExpr() = ma.getQualifier() and
+      ma.getMethod() instanceof ExpressionEvaluationMethod and
+      ma.getQualifier() = this.asExpr() and
       not exists(SafeEvaluationContextFlowConfig config |
         config.hasFlowTo(DataFlow::exprNode(ma.getArgument(0)))
       )
