Python: Move experimental HeaderInjection to new dataflow API

RasmusWL · RasmusWL · commit d948e103fa43 · 2023-08-28T15:31:08.000+02:00
diff --git a/python/ql/src/experimental/Security/CWE-113/HeaderInjection.ql b/python/ql/src/experimental/Security/CWE-113/HeaderInjection.ql
@@ -14,9 +14,9 @@
 // determine precision above
 import python
 import experimental.semmle.python.security.injection.HTTPHeaders
-import DataFlow::PathGraph
+import HeaderInjectionFlow::PathGraph
 
-from HeaderInjectionFlowConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
+from HeaderInjectionFlow::PathNode source, HeaderInjectionFlow::PathNode sink
+where HeaderInjectionFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "This HTTP header is constructed from a $@.", source.getNode(),
   "user-provided value"
diff --git a/python/ql/src/experimental/semmle/python/security/injection/HTTPHeaders.qll b/python/ql/src/experimental/semmle/python/security/injection/HTTPHeaders.qll
@@ -7,14 +7,15 @@ import semmle.python.dataflow.new.RemoteFlowSources
 /**
  * A taint-tracking configuration for detecting HTTP Header injections.
  */
-class HeaderInjectionFlowConfig extends TaintTracking::Configuration {
-  HeaderInjectionFlowConfig() { this = "HeaderInjectionFlowConfig" }
+private module HeaderInjectionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) {
+  predicate isSink(DataFlow::Node sink) {
     exists(HeaderDeclaration headerDeclaration |
       sink in [headerDeclaration.getNameArg(), headerDeclaration.getValueArg()]
     )
   }
 }
+
+/** Global taint-tracking for detecting "HTTP Header injection" vulnerabilities. */
+module HeaderInjectionFlow = TaintTracking::Global<HeaderInjectionConfig>;
