C#: Re-factor XmlEntityInjection to use the new API.

michaelnebel · michaelnebel · commit e6be88b10e02 · 2023-04-13T14:28:27.000+02:00
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/XMLEntityInjectionQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/XMLEntityInjectionQuery.qll
@@ -44,9 +44,11 @@ private class InsecureXmlSink extends Sink {
 abstract class Sanitizer extends DataFlow::Node { }
 
 /**
+ * DEPRECATED: Use `XmlEntityInjection` instead.
+ *
  * A taint-tracking configuration for untrusted user input used in XML processing.
  */
-class TaintTrackingConfiguration extends TaintTracking::Configuration {
+deprecated class TaintTrackingConfiguration extends TaintTracking::Configuration {
   TaintTrackingConfiguration() { this = "XMLInjection" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -61,6 +63,36 @@ class TaintTrackingConfiguration extends TaintTracking::Configuration {
   }
 }
 
+/**
+ * A taint-tracking configuration for untrusted user input used in XML processing.
+ */
+private module XmlEntityInjectionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/**
+ * A taint-tracking module for untrusted user input used in XML processing.
+ */
+module XmlEntityInjection implements DataFlow::GlobalFlowSig {
+  import TaintTracking::Global<XmlEntityInjectionConfig> as Super
+  import Super
+
+  /**
+   * Holds if data can flow from `source` to `sink`.
+   *
+   * The corresponding paths are generated from the end-points and the graph
+   * included in the module `PathGraph`.
+   */
+  predicate flowPath(XmlEntityInjection::PathNode source, XmlEntityInjection::PathNode sink) {
+    Super::flowPath(source, sink) and
+    exists(sink.getNode().(Sink).getReason())
+  }
+}
+
 private class SimpleTypeSanitizer extends Sanitizer, SimpleTypeSanitizedExpr { }
 
 private class GuidSanitizer extends Sanitizer, GuidSanitizedExpr { }
diff --git a/csharp/ql/src/Security Features/CWE-611/UntrustedDataInsecureXml.ql b/csharp/ql/src/Security Features/CWE-611/UntrustedDataInsecureXml.ql
@@ -14,10 +14,10 @@
 
 import csharp
 import semmle.code.csharp.security.dataflow.XMLEntityInjectionQuery
-import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
+import XmlEntityInjection::PathGraph
 
-from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
-where c.hasFlowPath(source, sink)
+from XmlEntityInjection::PathNode source, XmlEntityInjection::PathNode sink
+where XmlEntityInjection::flowPath(source, sink)
 select sink.getNode(), source, sink,
   "This insecure XML processing depends on a $@ (" + sink.getNode().(Sink).getReason() + ").",
   source.getNode(), "user-provided value"
