Python: Move experimental ZipSlip to new dataflow API

Author: RasmusWL

python/ql/src/experimental/Security/CWE-022/ZipSlip.ql

@@ -15,10 +15,10 @@
 
 import python
 import experimental.semmle.python.security.ZipSlip
-import DataFlow::PathGraph
+import ZipSlipFlow::PathGraph
 
-from ZipSlipConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
+from ZipSlipFlow::PathNode source, ZipSlipFlow::PathNode sink
+where ZipSlipFlow::flowPath(source, sink)
 select source.getNode(), source, sink,
   "This unsanitized archive entry, which may contain '..', is used in a $@.", sink.getNode(),
   "file system operation"

python/ql/src/experimental/semmle/python/security/ZipSlip.qll

@@ -4,10 +4,8 @@ import semmle.python.dataflow.new.DataFlow
 import semmle.python.ApiGraphs
 import semmle.python.dataflow.new.TaintTracking
 
-class ZipSlipConfig extends TaintTracking::Configuration {
-  ZipSlipConfig() { this = "ZipSlipConfig" }
-
-  override predicate isSource(DataFlow::Node source) {
+private module ZipSlipConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
     (
       source =
         API::moduleImport("zipfile").getMember("ZipFile").getReturn().getMember("open").getACall() or
@@ -29,11 +27,14 @@ class ZipSlipConfig extends TaintTracking::Configuration {
     not source.getScope().getLocation().getFile().inStdlib()
   }
 
-  override predicate isSink(DataFlow::Node sink) {
+  predicate isSink(DataFlow::Node sink) {
     (
       sink = any(CopyFile copyfile).getAPathArgument() or
       sink = any(CopyFile copyfile).getfsrcArgument()
     ) and
     not sink.getScope().getLocation().getFile().inStdlib()
   }
 }
+
+/** Global taint-tracking for detecting "zip slip" vulnerabilities. */
+module ZipSlipFlow = TaintTracking::Global<ZipSlipConfig>;