C#: Re-factor InsecureSqlConnection to use the new API.

michaelnebel · michaelnebel · commit 73ddc0530a93 · 2023-04-17T11:38:37.000+02:00
diff --git a/csharp/ql/src/Security Features/CWE-327/InsecureSQLConnection.ql b/csharp/ql/src/Security Features/CWE-327/InsecureSQLConnection.ql
@@ -11,23 +11,21 @@
  */
 
 import csharp
-import DataFlow::PathGraph
+import InsecureSqlConnection::PathGraph
 
 /**
  * A data flow configuration for tracking strings passed to `SqlConnection[StringBuilder]` instances.
  */
-class TaintTrackingConfiguration extends DataFlow::Configuration {
-  TaintTrackingConfiguration() { this = "TaintTrackingConfiguration" }
-
-  override predicate isSource(DataFlow::Node source) {
+module InsecureSqlConnectionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
     exists(string s | s = source.asExpr().(StringLiteral).getValue().toLowerCase() |
       s.matches("%encrypt=false%")
       or
       not s.matches("%encrypt=%")
     )
   }
 
-  override predicate isSink(DataFlow::Node sink) {
+  predicate isSink(DataFlow::Node sink) {
     exists(ObjectCreation oc |
       oc.getRuntimeArgument(0) = sink.asExpr() and
       (
@@ -39,8 +37,13 @@ class TaintTrackingConfiguration extends DataFlow::Configuration {
   }
 }
 
-from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
-where c.hasFlowPath(source, sink)
+/**
+ * A data flow configuration for tracking strings passed to `SqlConnection[StringBuilder]` instances.
+ */
+module InsecureSqlConnection = DataFlow::Global<InsecureSqlConnectionConfig>;
+
+from InsecureSqlConnection::PathNode source, InsecureSqlConnection::PathNode sink
+where InsecureSqlConnection::flowPath(source, sink)
 select sink.getNode(), source, sink,
   "$@ flows to this SQL connection and does not specify `Encrypt=True`.", source.getNode(),
   "Connection string"
