Merge pull request github#12419 from hvitved/ruby/stored-xss-config-rewrite

Ruby: Rewrite Stored XSS query to use new data flow interface

Author: hvitved

ruby/ql/lib/codeql/ruby/security/StoredXSSQuery.qll

@@ -16,9 +16,11 @@ module StoredXss {
   import XSS::StoredXss
 
   /**
+   * DEPRECATED.
+   *
    * A taint-tracking configuration for reasoning about Stored XSS.
    */
-  class Configuration extends TaintTracking::Configuration {
+  deprecated class Configuration extends TaintTracking::Configuration {
     Configuration() { this = "StoredXss" }
 
     override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -38,6 +40,23 @@ module StoredXss {
       isAdditionalXssTaintStep(node1, node2)
     }
   }
+
+  /**
+   * A taint-tracking configuration for reasoning about Stored XSS.
+   */
+  private module Config implements DataFlow::ConfigSig {
+    predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+    predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+    predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+    predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+      isAdditionalXssTaintStep(node1, node2)
+    }
+  }
+
+  import TaintTracking::Make<Config>
 }
 
 /** DEPRECATED: Alias for StoredXss */

ruby/ql/lib/codeql/ruby/security/XSS.qll

@@ -4,7 +4,6 @@
 
 private import codeql.ruby.AST
 private import codeql.ruby.DataFlow
-private import codeql.ruby.DataFlow2
 private import codeql.ruby.CFG
 private import codeql.ruby.Concepts
 private import codeql.ruby.Frameworks
@@ -291,20 +290,18 @@ private module OrmTracking {
   /**
    * A data flow configuration to track flow from finder calls to field accesses.
    */
-  class Configuration extends DataFlow2::Configuration {
-    Configuration() { this = "OrmTracking" }
-
-    override predicate isSource(DataFlow2::Node source) { source instanceof OrmInstantiation }
+  private module Config implements DataFlow::ConfigSig {
+    predicate isSource(DataFlow::Node source) { source instanceof OrmInstantiation }
 
     // Select any call receiver and narrow down later
-    override predicate isSink(DataFlow2::Node sink) {
-      sink = any(DataFlow2::CallNode c).getReceiver()
-    }
+    predicate isSink(DataFlow::Node sink) { sink = any(DataFlow::CallNode c).getReceiver() }
 
-    override predicate isAdditionalFlowStep(DataFlow2::Node node1, DataFlow2::Node node2) {
+    predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
       Shared::isAdditionalXssFlowStep(node1, node2)
     }
   }
+
+  import DataFlow::Make<Config>
 }
 
 /** Provides default sources, sinks and sanitizers for detecting stored cross-site scripting (XSS) vulnerabilities. */
@@ -333,10 +330,10 @@ module StoredXss {
   /** DEPRECATED: Alias for isAdditionalXssTaintStep */
   deprecated predicate isAdditionalXSSTaintStep = isAdditionalXssTaintStep/2;
 
-  private class OrmFieldAsSource extends Source instanceof DataFlow2::CallNode {
+  private class OrmFieldAsSource extends Source instanceof DataFlow::CallNode {
     OrmFieldAsSource() {
-      exists(OrmTracking::Configuration subConfig, DataFlow2::CallNode subSrc |
-        subConfig.hasFlow(subSrc, this.getReceiver()) and
+      exists(DataFlow::CallNode subSrc |
+        OrmTracking::hasFlow(subSrc, this.getReceiver()) and
         subSrc.(OrmInstantiation).methodCallMayAccessField(this.getMethodName())
       )
     }

ruby/ql/src/queries/security/cwe-079/StoredXSS.ql

@@ -14,9 +14,9 @@
 
 import codeql.ruby.AST
 import codeql.ruby.security.StoredXSSQuery
-import DataFlow::PathGraph
+import StoredXss::PathGraph
 
-from StoredXss::Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
+from StoredXss::PathNode source, StoredXss::PathNode sink
+where StoredXss::hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "Stored cross-site scripting vulnerability due to $@.",
   source.getNode(), "stored value"