Java: Refactor UnsafeContentUriResolution.

Author: aschackmull

java/ql/lib/semmle/code/java/security/UnsafeContentUriResolutionQuery.qll

@@ -5,8 +5,12 @@ import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.security.UnsafeContentUriResolution
 
-/** A taint-tracking configuration to find paths from remote sources to content URI resolutions. */
-class UnsafeContentResolutionConf extends TaintTracking::Configuration {
+/**
+ * DEPRECATED: Use `UnsafeContentUriResolutionFlow` instead.
+ *
+ * A taint-tracking configuration to find paths from remote sources to content URI resolutions.
+ */
+deprecated class UnsafeContentResolutionConf extends TaintTracking::Configuration {
   UnsafeContentResolutionConf() { this = "UnsafeContentResolutionConf" }
 
   override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
@@ -21,3 +25,20 @@ class UnsafeContentResolutionConf extends TaintTracking::Configuration {
     any(ContentUriResolutionAdditionalTaintStep s).step(node1, node2)
   }
 }
+
+private module UnsafeContentResolutionConf implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof ContentUriResolutionSink }
+
+  predicate isBarrier(DataFlow::Node sanitizer) {
+    sanitizer instanceof ContentUriResolutionSanitizer
+  }
+
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    any(ContentUriResolutionAdditionalTaintStep s).step(node1, node2)
+  }
+}
+
+/** Taint-tracking flow to find paths from remote sources to content URI resolutions. */
+module UnsafeContentResolutionFlow = TaintTracking::Make<UnsafeContentResolutionConf>;

java/ql/src/Security/CWE/CWE-441/UnsafeContentUriResolution.ql

@@ -14,10 +14,10 @@
 
 import java
 import semmle.code.java.security.UnsafeContentUriResolutionQuery
-import DataFlow::PathGraph
+import UnsafeContentResolutionFlow::PathGraph
 
-from DataFlow::PathNode src, DataFlow::PathNode sink
-where any(UnsafeContentResolutionConf c).hasFlowPath(src, sink)
+from UnsafeContentResolutionFlow::PathNode src, UnsafeContentResolutionFlow::PathNode sink
+where UnsafeContentResolutionFlow::hasFlowPath(src, sink)
 select sink.getNode(), src, sink,
   "This ContentResolver method that resolves a URI depends on a $@.", src.getNode(),
   "user-provided value"

java/ql/test/query-tests/security/CWE-441/UnsafeContentUriResolutionTest.ql

@@ -2,14 +2,10 @@ import java
 import TestUtilities.InlineFlowTest
 import semmle.code.java.security.UnsafeContentUriResolutionQuery
 
-class EnableLegacy extends EnableLegacyConfiguration {
-  EnableLegacy() { exists(this) }
-}
-
 class Test extends InlineFlowTest {
-  override DataFlow::Configuration getValueFlowConfig() { none() }
+  override predicate hasValueFlow(DataFlow::Node src, DataFlow::Node sink) { none() }
 
-  override TaintTracking::Configuration getTaintFlowConfig() {
-    result instanceof UnsafeContentResolutionConf
+  override predicate hasTaintFlow(DataFlow::Node src, DataFlow::Node sink) {
+    UnsafeContentResolutionFlow::hasFlow(src, sink)
   }
 }