Java: Refactor LogInjection

aschackmull · aschackmull · commit b14b95cd7956 · 2023-03-15T10:10:02.000+01:00
diff --git a/java/ql/lib/semmle/code/java/security/LogInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/LogInjectionQuery.qll
@@ -5,9 +5,11 @@ import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.LogInjection
 
 /**
+ * DEPRECATED: Use `LogInjectionFlow` instead.
+ *
  * A taint-tracking configuration for tracking untrusted user input used in log entries.
  */
-class LogInjectionConfiguration extends TaintTracking::Configuration {
+deprecated class LogInjectionConfiguration extends TaintTracking::Configuration {
   LogInjectionConfiguration() { this = "LogInjectionConfiguration" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
@@ -20,3 +22,20 @@ class LogInjectionConfiguration extends TaintTracking::Configuration {
     any(LogInjectionAdditionalTaintStep c).step(node1, node2)
   }
 }
+
+private module LogInjectionConfiguration implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof LogInjectionSink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof LogInjectionSanitizer }
+
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    any(LogInjectionAdditionalTaintStep c).step(node1, node2)
+  }
+}
+
+/**
+ * Taint-tracking flow for tracking untrusted user input used in log entries.
+ */
+module LogInjectionFlow = TaintTracking::Make<LogInjectionConfiguration>;
diff --git a/java/ql/src/Security/CWE/CWE-117/LogInjection.ql b/java/ql/src/Security/CWE/CWE-117/LogInjection.ql
@@ -13,9 +13,9 @@
 
 import java
 import semmle.code.java.security.LogInjectionQuery
-import DataFlow::PathGraph
+import LogInjectionFlow::PathGraph
 
-from LogInjectionConfiguration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
-where cfg.hasFlowPath(source, sink)
+from LogInjectionFlow::PathNode source, LogInjectionFlow::PathNode sink
+where LogInjectionFlow::hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "This log entry depends on a $@.", source.getNode(),
   "user-provided value"
diff --git a/java/ql/test/query-tests/security/CWE-117/LogInjectionTest.ql b/java/ql/test/query-tests/security/CWE-117/LogInjectionTest.ql
@@ -2,20 +2,16 @@ import java
 import semmle.code.java.security.LogInjectionQuery
 import TestUtilities.InlineFlowTest
 
-class EnableLegacy extends EnableLegacyConfiguration {
-  EnableLegacy() { exists(this) }
-}
-
 private class TestSource extends RemoteFlowSource {
   TestSource() { this.asExpr().(MethodAccess).getMethod().hasName("source") }
 
   override string getSourceType() { result = "test source" }
 }
 
 private class LogInjectionTest extends InlineFlowTest {
-  override DataFlow::Configuration getValueFlowConfig() { none() }
+  override predicate hasValueFlow(DataFlow::Node src, DataFlow::Node sink) { none() }
 
-  override TaintTracking::Configuration getTaintFlowConfig() {
-    result instanceof LogInjectionConfiguration
+  override predicate hasTaintFlow(DataFlow::Node src, DataFlow::Node sink) {
+    LogInjectionFlow::hasFlow(src, sink)
   }
 }
