Ruby: port queries to ConfigSig-style

asgerf · asgerf · commit 89bd00a4ecbc · 2023-10-11T10:06:19.000+02:00
diff --git a/ruby/ql/lib/codeql/ruby/security/HttpToFileAccessQuery.qll b/ruby/ql/lib/codeql/ruby/security/HttpToFileAccessQuery.qll
@@ -11,7 +11,23 @@ private import HttpToFileAccessCustomizations::HttpToFileAccess
 /**
  * A taint tracking configuration for writing user-controlled data to files.
  */
-class Configuration extends TaintTracking::Configuration {
+module HttpToFileAccessConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/**
+ * Taint tracking for writing user-controlled data to files.
+ */
+module HttpToFileAccessFlow = TaintTracking::Global<HttpToFileAccessConfig>;
+
+/**
+ * DEPRECATED. Use the `HttpToFileAccessFlow` module instead.
+ */
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "HttpToFileAccess" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
diff --git a/ruby/ql/lib/codeql/ruby/security/TaintedFormatStringQuery.qll b/ruby/ql/lib/codeql/ruby/security/TaintedFormatStringQuery.qll
@@ -13,7 +13,23 @@ private import TaintedFormatStringCustomizations::TaintedFormatString
 /**
  * A taint-tracking configuration for format injections.
  */
-class Configuration extends TaintTracking::Configuration {
+module TaintedFormatStringConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/**
+ * Taint-tracking for format injections.
+ */
+module TaintedFormatStringFlow = TaintTracking::Global<TaintedFormatStringConfig>;
+
+/**
+ * DEPRECATED. Use the `TaintedFormatStringFlow` module instead.
+ */
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "TaintedFormatString" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
diff --git a/ruby/ql/src/queries/security/cwe-134/TaintedFormatString.ql b/ruby/ql/src/queries/security/cwe-134/TaintedFormatString.ql
@@ -13,9 +13,9 @@
 import codeql.ruby.AST
 import codeql.ruby.DataFlow
 import codeql.ruby.security.TaintedFormatStringQuery
-import DataFlow::PathGraph
+import TaintedFormatStringFlow::PathGraph
 
-from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
-where cfg.hasFlowPath(source, sink)
+from TaintedFormatStringFlow::PathNode source, TaintedFormatStringFlow::PathNode sink
+where TaintedFormatStringFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "Format string depends on a $@.", source.getNode(),
   "user-provided value"
diff --git a/ruby/ql/src/queries/security/cwe-912/HttpToFileAccess.ql b/ruby/ql/src/queries/security/cwe-912/HttpToFileAccess.ql
@@ -13,10 +13,10 @@
 
 import codeql.ruby.AST
 import codeql.ruby.DataFlow
-import codeql.ruby.DataFlow::DataFlow::PathGraph
 import codeql.ruby.security.HttpToFileAccessQuery
+import HttpToFileAccessFlow::PathGraph
 
-from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
-where cfg.hasFlowPath(source, sink)
+from HttpToFileAccessFlow::PathNode source, HttpToFileAccessFlow::PathNode sink
+where HttpToFileAccessFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "Write to file system depends on $@.", source.getNode(),
   "untrusted data"
