Java: Refactor FragmentInjection.

Author: aschackmull

java/ql/lib/semmle/code/java/security/FragmentInjectionQuery.qll

@@ -6,10 +6,12 @@ import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.security.FragmentInjection
 
 /**
+ * DEPRECATED: Use `FragmentInjectionFlow` instead.
+ *
  * A taint-tracking configuration for unsafe user input
  * that is used to create Android fragments dynamically.
  */
-class FragmentInjectionTaintConf extends TaintTracking::Configuration {
+deprecated class FragmentInjectionTaintConf extends TaintTracking::Configuration {
   FragmentInjectionTaintConf() { this = "FragmentInjectionTaintConf" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
@@ -20,3 +22,19 @@ class FragmentInjectionTaintConf extends TaintTracking::Configuration {
     any(FragmentInjectionAdditionalTaintStep c).step(n1, n2)
   }
 }
+
+private module FragmentInjectionTaintConf implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof FragmentInjectionSink }
+
+  predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
+    any(FragmentInjectionAdditionalTaintStep c).step(n1, n2)
+  }
+}
+
+/**
+ * Taint-tracking flow for unsafe user input
+ * that is used to create Android fragments dynamically.
+ */
+module FragmentInjectionTaintFlow = TaintTracking::Make<FragmentInjectionTaintConf>;

java/ql/src/Security/CWE/CWE-470/FragmentInjection.ql

@@ -13,10 +13,10 @@
 
 import java
 import semmle.code.java.security.FragmentInjectionQuery
-import DataFlow::PathGraph
+import FragmentInjectionTaintFlow::PathGraph
 
-from DataFlow::PathNode source, DataFlow::PathNode sink
-where any(FragmentInjectionTaintConf conf).hasFlowPath(source, sink)
+from FragmentInjectionTaintFlow::PathNode source, FragmentInjectionTaintFlow::PathNode sink
+where FragmentInjectionTaintFlow::hasFlowPath(source, sink)
 select sink.getNode(), source, sink,
   "Fragment depends on a $@, which may allow a malicious application to bypass access controls.",
   source.getNode(), "user-provided value"

java/ql/test/query-tests/security/CWE-470/FragmentInjectionTest.ql

@@ -2,14 +2,10 @@ import java
 import semmle.code.java.security.FragmentInjectionQuery
 import TestUtilities.InlineFlowTest
 
-class EnableLegacy extends EnableLegacyConfiguration {
-  EnableLegacy() { exists(this) }
-}
-
 class Test extends InlineFlowTest {
-  override DataFlow::Configuration getValueFlowConfig() { none() }
+  override predicate hasValueFlow(DataFlow::Node src, DataFlow::Node sink) { none() }
 
-  override TaintTracking::Configuration getTaintFlowConfig() {
-    result instanceof FragmentInjectionTaintConf
+  override predicate hasTaintFlow(DataFlow::Node src, DataFlow::Node sink) {
+    FragmentInjectionTaintFlow::hasFlow(src, sink)
   }
 }