Refactored to use CSV sink models

Author: atorralba

java/ql/src/Security/CWE/CWE-074/JndiInjection.ql

@@ -12,9 +12,28 @@
 
 import java
 import semmle.code.java.dataflow.FlowSources
-import JndiInjectionLib
+import semmle.code.java.security.JndiInjection
 import DataFlow::PathGraph
 
+/**
+ * A taint-tracking configuration for unvalidated user input that is used in JNDI lookup.
+ */
+class JndiInjectionFlowConfig extends TaintTracking::Configuration {
+  JndiInjectionFlowConfig() { this = "JndiInjectionFlowConfig" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof JndiInjectionSink }
+
+  override predicate isSanitizer(DataFlow::Node node) {
+    node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType
+  }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+    any(JndiInjectionAdditionalTaintStep c).step(node1, node2)
+  }
+}
+
 from DataFlow::PathNode source, DataFlow::PathNode sink, JndiInjectionFlowConfig conf
 where conf.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "JNDI lookup might include name from $@.", source.getNode(),

java/ql/src/Security/CWE/CWE-074/JndiInjectionLib.qll

@@ -1,10 +1,5 @@
 import java
 
-/** The class `javax.naming.InitialContext`. */
-class TypeInitialContext extends Class {
-  TypeInitialContext() { this.hasQualifiedName("javax.naming", "InitialContext") }
-}
-
 /** The class `javax.naming.CompositeName`. */
 class TypeCompositeName extends Class {
   TypeCompositeName() { this.hasQualifiedName("javax.naming", "CompositeName") }
@@ -14,3 +9,25 @@ class TypeCompositeName extends Class {
 class TypeCompoundName extends Class {
   TypeCompoundName() { this.hasQualifiedName("javax.naming", "CompoundName") }
 }
+
+/** The class `javax.management.remote.rmi.RMIConnector`. */
+class TypeRMIConnector extends Class {
+  TypeRMIConnector() { this.hasQualifiedName("javax.management.remote.rmi", "RMIConnector") }
+}
+
+/** The class `javax.management.remote.JMXConnectorFactory`. */
+class TypeJMXConnectorFactory extends Class {
+  TypeJMXConnectorFactory() {
+    this.hasQualifiedName("javax.management.remote", "JMXConnectorFactory")
+  }
+}
+
+/** The class `javax.management.remote.JMXServiceURL`. */
+class TypeJMXServiceURL extends Class {
+  TypeJMXServiceURL() { this.hasQualifiedName("javax.management.remote", "JMXServiceURL") }
+}
+
+/** The interface `javax.naming.Context`. */
+class TypeNamingContext extends Interface {
+  TypeNamingContext() { this.hasQualifiedName("javax.naming", "Context") }
+}

java/ql/src/experimental/semmle/code/java/frameworks/Jndi.qll

@@ -82,6 +82,7 @@ private module Frameworks {
   private import semmle.code.java.security.XSS
   private import semmle.code.java.security.LdapInjection
   private import semmle.code.java.security.XPath
+  private import semmle.code.java.security.JndiInjection
 }
 
 private predicate sourceModelCsv(string row) {