Python: Move experimental LDAPInsecureAuth to new dataflow API

Author: RasmusWL

python/ql/src/experimental/Security/CWE-522/LDAPInsecureAuth.ql

@@ -12,9 +12,9 @@
 
 // determine precision above
 import python
-import DataFlow::PathGraph
+import LDAPInsecureAuthFlow::PathGraph
 import experimental.semmle.python.security.LDAPInsecureAuth
 
-from LdapInsecureAuthConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
+from LDAPInsecureAuthFlow::PathNode source, LDAPInsecureAuthFlow::PathNode sink
+where LDAPInsecureAuthFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "This LDAP host is authenticated insecurely."

python/ql/src/experimental/semmle/python/security/LDAPInsecureAuth.qll

@@ -88,10 +88,8 @@ class LdapStringVar extends BinaryExpr {
 /**
  * A taint-tracking configuration for detecting LDAP insecure authentications.
  */
-class LdapInsecureAuthConfig extends TaintTracking::Configuration {
-  LdapInsecureAuthConfig() { this = "LDAPInsecureAuthConfig" }
-
-  override predicate isSource(DataFlow::Node source) {
+private module LDAPInsecureAuthConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
     source instanceof RemoteFlowSource or
     source.asExpr() instanceof LdapFullHost or
     source.asExpr() instanceof LdapBothStrings or
@@ -100,7 +98,10 @@ class LdapInsecureAuthConfig extends TaintTracking::Configuration {
     source.asExpr() instanceof LdapStringVar
   }
 
-  override predicate isSink(DataFlow::Node sink) {
+  predicate isSink(DataFlow::Node sink) {
     exists(LdapBind ldapBind | not ldapBind.useSsl() and sink = ldapBind.getHost())
   }
 }
+
+/** Global taint-tracking for detecting "LDAP insecure authentications" vulnerabilities. */
+module LDAPInsecureAuthFlow = TaintTracking::Global<LDAPInsecureAuthConfig>;