Create an extendable AdditionalTaintStep class in customizations

jorgectf · jorgectf · commit c5f30d99d5f0 · 2022-02-20T17:34:12.000+01:00
diff --git a/python/ql/src/experimental/semmle/python/security/dataflow/XmlEntityInjection.qll b/python/ql/src/experimental/semmle/python/security/dataflow/XmlEntityInjection.qll
@@ -22,7 +22,7 @@ module XmlEntityInjection {
     }
 
     override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-      ioAdditionalTaintStep(nodeFrom, nodeTo)
+      any(AdditionalTaintStep s).step(nodeFrom, nodeTo)
     }
   }
 
diff --git a/python/ql/src/experimental/semmle/python/security/dataflow/XmlEntityInjectionCustomizations.qll b/python/ql/src/experimental/semmle/python/security/dataflow/XmlEntityInjectionCustomizations.qll
@@ -31,6 +31,20 @@ module XmlEntityInjection {
    */
   abstract class SanitizerGuard extends DataFlow::BarrierGuard { }
 
+  /**
+   * A unit class for adding additional taint steps.
+   *
+   * Extend this class to add additional taint steps that should apply to `XmlEntityInjection`
+   * taint configuration.
+   */
+  class AdditionalTaintStep extends Unit {
+    /**
+     * Holds if the step from `nodeFrom` to `nodeTo` should be considered a taint
+     * step for `XmlEntityInjection` configuration.
+     */
+    abstract predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo);
+  }
+
   /**
    * A data flow sink for XML parsing libraries.
    *
@@ -85,11 +99,16 @@ module XmlEntityInjection {
    */
   class StringConstCompareAsSanitizerGuard extends SanitizerGuard, StringConstCompare { }
 
-  predicate ioAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-    exists(DataFlow::CallCfgNode ioCalls |
-      ioCalls = API::moduleImport("io").getMember(["StringIO", "BytesIO"]).getACall() and
-      nodeFrom = ioCalls.getArg(0) and
-      nodeTo = ioCalls
-    )
+  /**
+   * A taint step for `io`'s `StringIO` and `BytesIO` methods.
+   */
+  class IoAdditionalTaintStep extends AdditionalTaintStep {
+    override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+      exists(DataFlow::CallCfgNode ioCalls |
+        ioCalls = API::moduleImport("io").getMember(["StringIO", "BytesIO"]).getACall() and
+        nodeFrom = ioCalls.getArg(0) and
+        nodeTo = ioCalls
+      )
+    }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -22,7 +22,7 @@ module XmlEntityInjection {`
`22`	`22`	`}`
`23`	`23`
`24`	`24`	`override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {`
`25`		`- ioAdditionalTaintStep(nodeFrom, nodeTo)`
	`25`	`+ any(AdditionalTaintStep s).step(nodeFrom, nodeTo)`
`26`	`26`	`}`
`27`	`27`	`}`
`28`	`28`