Refactor to use ConditionalBypassQuery.qll

atorralba · atorralba · commit 1f7990d6bbb2 · 2021-09-14T13:16:09.000+02:00
diff --git a/java/ql/lib/semmle/code/java/security/ConditionalBypassQuery.qll b/java/ql/lib/semmle/code/java/security/ConditionalBypassQuery.qll
@@ -0,0 +1,32 @@
+/**
+ * Provides classes to be used in queries related to vulnerabilities
+ * about unstrusted input being used in security decisions.
+ */
+
+import java
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.security.SensitiveActions
+import semmle.code.java.controlflow.Guards
+
+/**
+ * Holds if `ma` is controlled by the condition expression `e`.
+ */
+predicate conditionControlsMethod(MethodAccess ma, Expr e) {
+  exists(ConditionBlock cb, SensitiveExecutionMethod m, boolean cond |
+    ma.getMethod() = m and
+    cb.controls(ma.getBasicBlock(), cond) and
+    not cb.controls(m.getAReference().getBasicBlock(), cond.booleanNot()) and
+    e = cb.getCondition()
+  )
+}
+
+/**
+ * A taint tracking configuration for untrusted data flowing to sensitive conditions.
+ */
+class ConditionalBypassFlowConfig extends TaintTracking::Configuration {
+  ConditionalBypassFlowConfig() { this = "ConditionalBypassFlowConfig" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { conditionControlsMethod(_, sink.asExpr()) }
+}
diff --git a/java/ql/src/Security/CWE/CWE-807/ConditionalBypass.ql b/java/ql/src/Security/CWE/CWE-807/ConditionalBypass.ql
@@ -13,33 +13,10 @@
  */
 
 import java
-import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.security.SensitiveActions
-import semmle.code.java.controlflow.Dominance
-import semmle.code.java.controlflow.Guards
+import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.security.ConditionalBypassQuery
 import DataFlow::PathGraph
 
-/**
- * Calls to a sensitive method that are controlled by a condition
- * on the given expression.
- */
-predicate conditionControlsMethod(MethodAccess m, Expr e) {
-  exists(ConditionBlock cb, SensitiveExecutionMethod def, boolean cond |
-    cb.controls(m.getBasicBlock(), cond) and
-    def = m.getMethod() and
-    not cb.controls(def.getAReference().getBasicBlock(), cond.booleanNot()) and
-    e = cb.getCondition()
-  )
-}
-
-class ConditionalBypassFlowConfig extends TaintTracking::Configuration {
-  ConditionalBypassFlowConfig() { this = "ConditionalBypassFlowConfig" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) { conditionControlsMethod(_, sink.asExpr()) }
-}
-
 from
   DataFlow::PathNode source, DataFlow::PathNode sink, MethodAccess m, Expr e,
   ConditionalBypassFlowConfig conf
