Decouple OgnlInjection.qll to reuse the taint tracking configuration

atorralba · atorralba · commit 3259ead9465f · 2021-07-20T17:21:10.000+02:00
diff --git a/java/ql/src/Security/CWE/CWE-917/OgnlInjection.ql b/java/ql/src/Security/CWE/CWE-917/OgnlInjection.ql
@@ -11,29 +11,9 @@
  */
 
 import java
-import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.security.OgnlInjection
+import semmle.code.java.security.OgnlInjectionQuery
 import DataFlow::PathGraph
 
-/**
- * A taint-tracking configuration for unvalidated user input that is used in OGNL EL evaluation.
- */
-class OgnlInjectionFlowConfig extends TaintTracking::Configuration {
-  OgnlInjectionFlowConfig() { this = "OgnlInjectionFlowConfig" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof OgnlInjectionSink }
-
-  override predicate isSanitizer(DataFlow::Node node) {
-    node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType
-  }
-
-  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
-    any(OgnlInjectionAdditionalTaintStep c).step(node1, node2)
-  }
-}
-
 from DataFlow::PathNode source, DataFlow::PathNode sink, OgnlInjectionFlowConfig conf
 where conf.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "OGNL expression might include input from $@.",
diff --git a/java/ql/src/semmle/code/java/security/OgnlInjection.qll b/java/ql/src/semmle/code/java/security/OgnlInjection.qll
@@ -1,8 +1,8 @@
 /** Provides classes to reason about OGNL injection vulnerabilities. */
 
 import java
-import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.dataflow.ExternalFlow
+private import semmle.code.java.dataflow.DataFlow
+private import semmle.code.java.dataflow.ExternalFlow
 
 /**
  * A data flow sink for unvalidated user input that is used in OGNL EL evaluation.
diff --git a/java/ql/src/semmle/code/java/security/OgnlInjectionQuery.qll b/java/ql/src/semmle/code/java/security/OgnlInjectionQuery.qll
@@ -0,0 +1,24 @@
+/** Provides taint tracking configurations to be used in OGNL injection queries. */
+
+import java
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.security.OgnlInjection
+
+/**
+ * A taint-tracking configuration for unvalidated user input that is used in OGNL EL evaluation.
+ */
+class OgnlInjectionFlowConfig extends TaintTracking::Configuration {
+  OgnlInjectionFlowConfig() { this = "OgnlInjectionFlowConfig" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof OgnlInjectionSink }
+
+  override predicate isSanitizer(DataFlow::Node node) {
+    node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType
+  }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+    any(OgnlInjectionAdditionalTaintStep c).step(node1, node2)
+  }
+}
diff --git a/java/ql/test/query-tests/security/CWE-917/OgnlInjectionTest.ql b/java/ql/test/query-tests/security/CWE-917/OgnlInjectionTest.ql
@@ -1,29 +1,17 @@
 import java
-import semmle.code.java.dataflow.DataFlow
-import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.security.OgnlInjection
+import semmle.code.java.security.OgnlInjectionQuery
 import TestUtilities.InlineExpectationsTest
 
-class Conf extends TaintTracking::Configuration {
-  Conf() { this = "qltest:cwe:ognl-injection" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof OgnlInjectionSink }
-
-  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
-    any(OgnlInjectionAdditionalTaintStep c).step(node1, node2)
-  }
-}
-
 class OgnlInjectionTest extends InlineExpectationsTest {
   OgnlInjectionTest() { this = "HasOgnlInjection" }
 
   override string getARelevantTag() { result = "hasOgnlInjection" }
 
   override predicate hasActualResult(Location location, string element, string tag, string value) {
     tag = "hasOgnlInjection" and
-    exists(DataFlow::Node src, DataFlow::Node sink, Conf conf | conf.hasFlow(src, sink) |
+    exists(DataFlow::Node src, DataFlow::Node sink, OgnlInjectionFlowConfig conf |
+      conf.hasFlow(src, sink)
+    |
       sink.getLocation() = location and
       element = sink.toString() and
       value = ""
diff --git a/java/ql/test/query-tests/security/CWE-917/options b/java/ql/test/query-tests/security/CWE-917/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/springframework-5.2.3:${testdir}/../../../stubs/ognl-3.2.14:${testdir}/../../../stubs/struts2-core-2.5.22
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/ognl-3.2.14:${testdir}/../../../stubs/struts2-core-2.5.22

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/springframework-5.2.3:${testdir}/../../../stubs/ognl-3.2.14:${testdir}/../../../stubs/struts2-core-2.5.22`
	`1`	`+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/ognl-3.2.14:${testdir}/../../../stubs/struts2-core-2.5.22`