Refactor HardcodedCredentialsSourceCall

egregius313 · egregius313 · commit 735a7383c652 · 2023-04-13T23:06:16.000-04:00
diff --git a/java/ql/lib/semmle/code/java/security/HardcodedCredentialsSourceCallQuery.qll b/java/ql/lib/semmle/code/java/security/HardcodedCredentialsSourceCallQuery.qll
@@ -8,10 +8,12 @@ import semmle.code.java.dataflow.DataFlow2
 import HardcodedCredentials
 
 /**
+ * DEPRECATED: Use `HardcodedCredentialSourceCallFlow` instead.
+ *
  * A data-flow configuration that tracks hardcoded expressions flowing to a parameter whose name suggests
  * it may be a credential, excluding those which flow on to other such insecure usage sites.
  */
-class HardcodedCredentialSourceCallConfiguration extends DataFlow::Configuration {
+deprecated class HardcodedCredentialSourceCallConfiguration extends DataFlow::Configuration {
   HardcodedCredentialSourceCallConfiguration() {
     this = "HardcodedCredentialSourceCallConfiguration"
   }
@@ -22,10 +24,28 @@ class HardcodedCredentialSourceCallConfiguration extends DataFlow::Configuration
 }
 
 /**
+ * A data-flow configuration that tracks hardcoded expressions flowing to a parameter whose name suggests
+ * it may be a credential, excluding those which flow on to other such insecure usage sites.
+ */
+module HardcodedCredentialSourceCallConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node n) { n.asExpr() instanceof HardcodedExpr }
+
+  predicate isSink(DataFlow::Node n) { n.asExpr() instanceof FinalCredentialsSourceSink }
+}
+
+/**
+ * Tracks hardcoded expressions flowing to a parameter whose name suggests
+ * it may be a credential, excluding those which flow on to other such insecure usage sites.
+ */
+module HardcodedCredentialSourceCallFlow = DataFlow::Global<HardcodedCredentialSourceCallConfig>;
+
+/**
+ * DEPRECATED: Use `HardcodedCredentialParameterSourceCallFlow` instead.
+ *
  * A data-flow configuration that tracks flow from an argument whose corresponding parameter name suggests
  * a credential, to an argument to a sensitive call.
  */
-class HardcodedCredentialSourceCallConfiguration2 extends DataFlow2::Configuration {
+deprecated class HardcodedCredentialSourceCallConfiguration2 extends DataFlow2::Configuration {
   HardcodedCredentialSourceCallConfiguration2() {
     this = "HardcodedCredentialSourceCallConfiguration2"
   }
@@ -35,17 +55,33 @@ class HardcodedCredentialSourceCallConfiguration2 extends DataFlow2::Configurati
   override predicate isSink(DataFlow::Node n) { n.asExpr() instanceof CredentialsSink }
 }
 
+/**
+ * A data-flow configuration that tracks flow from an argument whose corresponding parameter name suggests
+ * a credential, to an argument to a sensitive call.
+ */
+module HardcodedCredentialParameterSourceCallConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node n) { n.asExpr() instanceof CredentialsSourceSink }
+
+  predicate isSink(DataFlow::Node n) { n.asExpr() instanceof CredentialsSink }
+}
+
+/**
+ * Tracks flow from an argument whose corresponding parameter name suggests
+ * a credential, to an argument to a sensitive call.
+ */
+module HardcodedCredentialParameterSourceCallFlow =
+  DataFlow::Global<HardcodedCredentialParameterSourceCallConfig>;
+
 /**
  * An argument to a call, where the parameter name corresponding
  * to the argument indicates that it may contain credentials, and
  * where this expression does not flow on to another `CredentialsSink`.
  */
 class FinalCredentialsSourceSink extends CredentialsSourceSink {
   FinalCredentialsSourceSink() {
-    not exists(HardcodedCredentialSourceCallConfiguration2 conf, CredentialsSink other |
-      this != other
-    |
-      conf.hasFlow(DataFlow::exprNode(this), DataFlow::exprNode(other))
+    not exists(CredentialsSink other | this != other |
+      HardcodedCredentialParameterSourceCallFlow::flow(DataFlow::exprNode(this),
+        DataFlow::exprNode(other))
     )
   }
 }
diff --git a/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsSourceCall.ql b/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsSourceCall.ql
@@ -12,11 +12,11 @@
 
 import java
 import semmle.code.java.security.HardcodedCredentialsSourceCallQuery
-import DataFlow::PathGraph
+import HardcodedCredentialSourceCallFlow::PathGraph
 
 from
-  DataFlow::PathNode source, DataFlow::PathNode sink,
-  HardcodedCredentialSourceCallConfiguration conf
-where conf.hasFlowPath(source, sink)
+  HardcodedCredentialSourceCallFlow::PathNode source,
+  HardcodedCredentialSourceCallFlow::PathNode sink
+where HardcodedCredentialSourceCallFlow::flowPath(source, sink)
 select source.getNode(), source, sink, "Hard-coded value flows to $@.", sink.getNode(),
   "sensitive call"
diff --git a/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsSourceCall.ql b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsSourceCall.ql
@@ -9,9 +9,7 @@ class HardcodedCredentialsSourceCallTest extends InlineExpectationsTest {
 
   override predicate hasActualResult(Location location, string element, string tag, string value) {
     tag = "HardcodedCredentialsSourceCall" and
-    exists(DataFlow::Node sink, HardcodedCredentialSourceCallConfiguration conf |
-      conf.hasFlow(_, sink)
-    |
+    exists(DataFlow::Node sink | HardcodedCredentialSourceCallFlow::flow(_, sink) |
       sink.getLocation() = location and
       element = sink.toString() and
       value = ""
