Move UrlRedirectSink into importable library

rvermeulen · rvermeulen · commit 170be9ffe8f2 · 2020-07-08T16:47:51.000+02:00
- The `UrlRedirect` class is renamed to `ServletUrlRedirect`.
- Abstract class `UrlRedirectSink` is defined that can be imported and
used to customise CWE-601 via Customizations.qll
diff --git a/java/ql/src/Security/CWE/CWE-601/ServletUrlRedirect.qll b/java/ql/src/Security/CWE/CWE-601/ServletUrlRedirect.qll
@@ -1,12 +1,13 @@
 import java
 import semmle.code.java.frameworks.Servlets
 import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.security.UrlRedirect
 
 /**
- * A URL redirection sink.
+ * A Servlet URL redirection sink.
  */
-class UrlRedirectSink extends DataFlow::ExprNode {
-  UrlRedirectSink() {
+class ServletUrlRedirectSink extends UrlRedirectSink {
+  ServletUrlRedirectSink() {
     exists(MethodAccess ma |
       ma.getMethod() instanceof HttpServletResponseSendRedirectMethod and
       this.asExpr() = ma.getArgument(0)
diff --git a/java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql b/java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql
@@ -12,7 +12,7 @@
 
 import java
 import semmle.code.java.dataflow.FlowSources
-import UrlRedirect
+import ServletUrlRedirect
 import DataFlow::PathGraph
 
 class UrlRedirectConfig extends TaintTracking::Configuration {
diff --git a/java/ql/src/Security/CWE/CWE-601/UrlRedirectLocal.ql b/java/ql/src/Security/CWE/CWE-601/UrlRedirectLocal.ql
@@ -12,7 +12,7 @@
 
 import java
 import semmle.code.java.dataflow.FlowSources
-import UrlRedirect
+import ServletUrlRedirect
 import DataFlow::PathGraph
 
 class UrlRedirectLocalConfig extends TaintTracking::Configuration {
diff --git a/java/ql/src/semmle/code/java/security/UrlRedirect.qll b/java/ql/src/semmle/code/java/security/UrlRedirect.qll
@@ -0,0 +1,5 @@
+import java
+import semmle.code.java.dataflow.DataFlow
+
+/** A URL redirection sink */
+abstract class UrlRedirectSink extends DataFlow::ExprNode { }
