Refactor OgnlInjection

Author: egregius313

java/ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll

@@ -5,9 +5,11 @@ import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.OgnlInjection
 
 /**
+ * DEPRECATED: Use `OgnlInjectionFlow` instead.
+ *
  * A taint-tracking configuration for unvalidated user input that is used in OGNL EL evaluation.
  */
-class OgnlInjectionFlowConfig extends TaintTracking::Configuration {
+deprecated class OgnlInjectionFlowConfig extends TaintTracking::Configuration {
   OgnlInjectionFlowConfig() { this = "OgnlInjectionFlowConfig" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
@@ -22,3 +24,23 @@ class OgnlInjectionFlowConfig extends TaintTracking::Configuration {
     any(OgnlInjectionAdditionalTaintStep c).step(node1, node2)
   }
 }
+
+/**
+ * A taint-tracking configuration for unvalidated user input that is used in OGNL EL evaluation.
+ */
+private module OgnlInjectionFlowConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof OgnlInjectionSink }
+
+  predicate isBarrier(DataFlow::Node node) {
+    node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType
+  }
+
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    any(OgnlInjectionAdditionalTaintStep c).step(node1, node2)
+  }
+}
+
+/** Tracks flow of unvalidated user input that is used in OGNL EL evaluation. */
+module OgnlInjectionFlow = TaintTracking::Make<OgnlInjectionFlowConfig>;

java/ql/src/Security/CWE/CWE-917/OgnlInjection.ql

@@ -13,9 +13,9 @@
 
 import java
 import semmle.code.java.security.OgnlInjectionQuery
-import DataFlow::PathGraph
+import OgnlInjectionFlow::PathGraph
 
-from DataFlow::PathNode source, DataFlow::PathNode sink, OgnlInjectionFlowConfig conf
-where conf.hasFlowPath(source, sink)
+from OgnlInjectionFlow::PathNode source, OgnlInjectionFlow::PathNode sink
+where OgnlInjectionFlow::hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "OGNL Expression Language statement depends on a $@.",
   source.getNode(), "user-provided value"

java/ql/test/query-tests/security/CWE-917/OgnlInjectionTest.ql

@@ -9,7 +9,7 @@ class OgnlInjectionTest extends InlineExpectationsTest {
 
   override predicate hasActualResult(Location location, string element, string tag, string value) {
     tag = "hasOgnlInjection" and
-    exists(DataFlow::Node sink, OgnlInjectionFlowConfig conf | conf.hasFlowTo(sink) |
+    exists(DataFlow::Node sink | OgnlInjectionFlow::hasFlowTo(sink) |
       sink.getLocation() = location and
       element = sink.toString() and
       value = ""