Move query-specific flag definitions into their respective .ql files

smowton · smowton · commit e89cd16cb16c · 2020-07-29T15:21:49.000+01:00
diff --git a/ql/src/Security/CWE-295/DisabledCertificateCheck.ql b/ql/src/Security/CWE-295/DisabledCertificateCheck.ql
@@ -36,6 +36,25 @@ predicate becomesPartOf(DataFlow::Node part, DataFlow::Node whole) {
   exists(Write w | w.writesField(whole.(DataFlow::PostUpdateNode).getPreUpdateNode(), _, part))
 }
 
+/**
+ * Flags suggesting a deliberately insecure certificate setup.
+ */
+class InsecureCertificateFlag extends FlagKind {
+  InsecureCertificateFlag() { this = "insecureCertificate" }
+
+  bindingset[result]
+  override string getAFlagName() {
+    result.regexpMatch("(?i).*(selfCert|selfSign|validat|verif|trust).*")
+  }
+}
+
+/**
+ * Gets a control-flow node that represents a (likely) flag controlling an insecure certificate setup.
+ */
+ControlFlow::ConditionGuardNode getAnInsecureCertificateCheck() {
+  result.ensures(getAFlag(any(InsecureCertificateFlag f)).getANode(), _)
+}
+
 /**
  * Returns flag kinds relevant to this query: a generic security feature flag, or one
  * specifically controlling insecure certificate configuration.
diff --git a/ql/src/Security/CWE-327/InsecureTLS.ql b/ql/src/Security/CWE-327/InsecureTLS.ql
@@ -226,6 +226,28 @@ predicate isInsecureTlsCipherFlow(DataFlow::PathNode source, DataFlow::PathNode
   )
 }
 
+/**
+ * Flags suggesting support for an old or legacy TLS version.
+ *
+ * We accept 'intermediate' because it appears to be common for TLS users
+ * to define three profiles: modern, intermediate, legacy/old, perhaps based
+ * on https://wiki.mozilla.org/Security/Server_Side_TLS (though note the
+ * 'intermediate' used there would now pass muster according to this query)
+ */
+class LegacyTlsVersionFlag extends FlagKind {
+  LegacyTlsVersionFlag() { this = "legacyTlsVersion" }
+
+  bindingset[result]
+  override string getAFlagName() { result.regexpMatch("(?i).*(old|intermediate|legacy).*") }
+}
+
+/**
+ * Gets a control-flow node that represents a (likely) flag controlling TLS version selection.
+ */
+ControlFlow::ConditionGuardNode getALegacyTlsVersionCheck() {
+  result.ensures(getAFlag(any(LegacyTlsVersionFlag f)).getANode(), _)
+}
+
 /**
  * Returns flag kinds relevant to this query: a generic security feature flag, or one
  * specifically controlling TLS version selection.
diff --git a/ql/src/semmle/go/security/InsecureFeatureFlag.qll b/ql/src/semmle/go/security/InsecureFeatureFlag.qll
@@ -28,33 +28,6 @@ module InsecureFeatureFlag {
     override string getAFlagName() { result.regexpMatch("(?i).*(secure|(en|dis)able).*") }
   }
 
-  /**
-   * Flags suggesting support for an old or legacy TLS version.
-   *
-   * We accept 'intermediate' because it appears to be common for TLS users
-   * to define three profiles: modern, intermediate, legacy/old, perhaps based
-   * on https://wiki.mozilla.org/Security/Server_Side_TLS (though note the
-   * 'intermediate' used there would now pass muster according to this query)
-   */
-  class LegacyTlsVersionFlag extends FlagKind {
-    LegacyTlsVersionFlag() { this = "legacyTlsVersion" }
-
-    bindingset[result]
-    override string getAFlagName() { result.regexpMatch("(?i).*(old|intermediate|legacy).*") }
-  }
-
-  /**
-   * Flags suggesting a deliberately insecure certificate setup.
-   */
-  class InsecureCertificateFlag extends FlagKind {
-    InsecureCertificateFlag() { this = "insecureCertificate" }
-
-    bindingset[result]
-    override string getAFlagName() {
-      result.regexpMatch("(?i).*(selfCert|selfSign|validat|verif|trust).*")
-    }
-  }
-
   /** Gets a global value number representing a (likely) security flag. */
   GVN getAFlag(FlagKind flagKind) {
     // a call like `cfg.disableVerification()`
@@ -142,18 +115,4 @@ module InsecureFeatureFlag {
   ControlFlow::ConditionGuardNode getASecurityFeatureFlagCheck() {
     result.ensures(getAFlag(any(SecurityFeatureFlag f)).getANode(), _)
   }
-
-  /**
-   * Gets a control-flow node that represents a (likely) flag controlling TLS version selection.
-   */
-  ControlFlow::ConditionGuardNode getALegacyTlsVersionCheck() {
-    result.ensures(getAFlag(any(LegacyTlsVersionFlag f)).getANode(), _)
-  }
-
-  /**
-   * Gets a control-flow node that represents a (likely) flag controlling an insecure certificate setup.
-   */
-  ControlFlow::ConditionGuardNode getAnInsecureCertificateCheck() {
-    result.ensures(getAFlag(any(InsecureCertificateFlag f)).getANode(), _)
-  }
 }
