Decouple GrovyInjection.qll to reuse the taint tracking configuration

Author: atorralba

java/ql/src/Security/CWE/CWE-094/GroovyInjection.ql

@@ -11,27 +11,9 @@
  */
 
 import java
-import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.dataflow.TaintTracking
-import semmle.code.java.security.GroovyInjection
+import semmle.code.java.security.GroovyInjectionQuery
 import DataFlow::PathGraph
 
-/**
- * A taint-tracking configuration for unsafe user input
- * that is used to evaluate a Groovy expression.
- */
-class GroovyInjectionConfig extends TaintTracking::Configuration {
-  GroovyInjectionConfig() { this = "GroovyInjectionConfig" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof GroovyInjectionSink }
-
-  override predicate isAdditionalTaintStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
-    any(GroovyInjectionAdditionalTaintStep c).step(fromNode, toNode)
-  }
-}
-
 from DataFlow::PathNode source, DataFlow::PathNode sink, GroovyInjectionConfig conf
 where conf.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "Groovy Injection from $@.", source.getNode(),

java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll

@@ -99,7 +99,7 @@ private module Frameworks {
   private import semmle.code.java.security.JexlInjectionSinkModels
   private import semmle.code.java.security.LdapInjection
   private import semmle.code.java.security.XPath
-  private import semmle.code.java.security.GroovyInjection
+  private import semmle.code.java.security.GroovyInjectionSinkModels
   private import semmle.code.java.frameworks.android.SQLite
   private import semmle.code.java.frameworks.Jdbc
   private import semmle.code.java.frameworks.SpringJdbc

java/ql/src/semmle/code/java/security/GroovyInjection.qll renamed to java/ql/src/semmle/code/java/security/GroovyInjectionQuery.qll

@@ -3,6 +3,8 @@
 import java
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.ExternalFlow
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.frameworks.Networking
 
 /** A data flow sink for Groovy expression injection vulnerabilities. */
@@ -25,47 +27,6 @@ private class DefaultGroovyInjectionSink extends GroovyInjectionSink {
   DefaultGroovyInjectionSink() { sinkNode(this, "groovy") }
 }
 
-private class DefaultLdapInjectionSinkModel extends SinkModelCsv {
-  override predicate row(string row) {
-    row =
-      [
-        // Signatures are specified to exclude sinks of the type `File`
-        "groovy.lang;GroovyShell;false;evaluate;(GroovyCodeSource);;Argument[0];groovy",
-        "groovy.lang;GroovyShell;false;evaluate;(Reader);;Argument[0];groovy",
-        "groovy.lang;GroovyShell;false;evaluate;(Reader,String);;Argument[0];groovy",
-        "groovy.lang;GroovyShell;false;evaluate;(String);;Argument[0];groovy",
-        "groovy.lang;GroovyShell;false;evaluate;(String,String);;Argument[0];groovy",
-        "groovy.lang;GroovyShell;false;evaluate;(String,String,String);;Argument[0];groovy",
-        "groovy.lang;GroovyShell;false;evaluate;(URI);;Argument[0];groovy",
-        "groovy.lang;GroovyShell;false;parse;(Reader);;Argument[0];groovy",
-        "groovy.lang;GroovyShell;false;parse;(Reader,String);;Argument[0];groovy",
-        "groovy.lang;GroovyShell;false;parse;(String);;Argument[0];groovy",
-        "groovy.lang;GroovyShell;false;parse;(String,String);;Argument[0];groovy",
-        "groovy.lang;GroovyShell;false;parse;(URI);;Argument[0];groovy",
-        "groovy.lang;GroovyShell;false;run;(GroovyCodeSource,String[]);;Argument[0];groovy",
-        "groovy.lang;GroovyShell;false;run;(GroovyCodeSource,List);;Argument[0];groovy",
-        "groovy.lang;GroovyShell;false;run;(Reader,String,String[]);;Argument[0];groovy",
-        "groovy.lang;GroovyShell;false;run;(Reader,String,List);;Argument[0];groovy",
-        "groovy.lang;GroovyShell;false;run;(String,String,String[]);;Argument[0];groovy",
-        "groovy.lang;GroovyShell;false;run;(String,String,List);;Argument[0];groovy",
-        "groovy.lang;GroovyShell;false;run;(URI,String[]);;Argument[0];groovy",
-        "groovy.lang;GroovyShell;false;run;(URI,List);;Argument[0];groovy",
-        "groovy.util;Eval;false;me;(String);;Argument[0];groovy",
-        "groovy.util;Eval;false;me;(String,Object,String);;Argument[2];groovy",
-        "groovy.util;Eval;false;x;(Object,String);;Argument[1];groovy",
-        "groovy.util;Eval;false;xy;(Object,Object,String);;Argument[2];groovy",
-        "groovy.util;Eval;false;xyz;(Object,Object,Object,String);;Argument[3];groovy",
-        "groovy.lang;GroovyClassLoader;false;parseClass;(GroovyCodeSource);;Argument[0];groovy",
-        "groovy.lang;GroovyClassLoader;false;parseClass;(GroovyCodeSource,boolean);;Argument[0];groovy",
-        "groovy.lang;GroovyClassLoader;false;parseClass;(InputStream,String);;Argument[0];groovy",
-        "groovy.lang;GroovyClassLoader;false;parseClass;(Reader,String);;Argument[0];groovy",
-        "groovy.lang;GroovyClassLoader;false;parseClass;(String);;Argument[0];groovy",
-        "groovy.lang;GroovyClassLoader;false;parseClass;(String,String);;Argument[0];groovy",
-        "org.codehaus.groovy.control;CompilationUnit;false;compile;;;Argument[-1];groovy"
-      ]
-  }
-}
-
 /** A set of additional taint steps to consider when taint tracking Groovy related data flows. */
 private class DefaultGroovyInjectionAdditionalTaintStep extends GroovyInjectionAdditionalTaintStep {
   override predicate step(DataFlow::Node node1, DataFlow::Node node2) {
@@ -76,6 +37,22 @@ private class DefaultGroovyInjectionAdditionalTaintStep extends GroovyInjectionA
   }
 }
 
+/**
+ * A taint-tracking configuration for unsafe user input
+ * that is used to evaluate a Groovy expression.
+ */
+class GroovyInjectionConfig extends TaintTracking::Configuration {
+  GroovyInjectionConfig() { this = "GroovyInjectionConfig" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof GroovyInjectionSink }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
+    any(GroovyInjectionAdditionalTaintStep c).step(fromNode, toNode)
+  }
+}
+
 /**
  * Holds if `fromNode` to `toNode` is a dataflow step from a tainted string to
  * a `GroovyCodeSource` instance by calling `new GroovyCodeSource(tainted, ...)`.

java/ql/src/semmle/code/java/security/GroovyInjectionSinkModels.qll

@@ -0,0 +1,44 @@
+/** Provides sink models relating to Groovy injection vulnerabilities. */
+
+private import semmle.code.java.dataflow.ExternalFlow
+
+private class DefaultLdapInjectionSinkModel extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        // Signatures are specified to exclude sinks of the type `File`
+        "groovy.lang;GroovyShell;false;evaluate;(GroovyCodeSource);;Argument[0];groovy",
+        "groovy.lang;GroovyShell;false;evaluate;(Reader);;Argument[0];groovy",
+        "groovy.lang;GroovyShell;false;evaluate;(Reader,String);;Argument[0];groovy",
+        "groovy.lang;GroovyShell;false;evaluate;(String);;Argument[0];groovy",
+        "groovy.lang;GroovyShell;false;evaluate;(String,String);;Argument[0];groovy",
+        "groovy.lang;GroovyShell;false;evaluate;(String,String,String);;Argument[0];groovy",
+        "groovy.lang;GroovyShell;false;evaluate;(URI);;Argument[0];groovy",
+        "groovy.lang;GroovyShell;false;parse;(Reader);;Argument[0];groovy",
+        "groovy.lang;GroovyShell;false;parse;(Reader,String);;Argument[0];groovy",
+        "groovy.lang;GroovyShell;false;parse;(String);;Argument[0];groovy",
+        "groovy.lang;GroovyShell;false;parse;(String,String);;Argument[0];groovy",
+        "groovy.lang;GroovyShell;false;parse;(URI);;Argument[0];groovy",
+        "groovy.lang;GroovyShell;false;run;(GroovyCodeSource,String[]);;Argument[0];groovy",
+        "groovy.lang;GroovyShell;false;run;(GroovyCodeSource,List);;Argument[0];groovy",
+        "groovy.lang;GroovyShell;false;run;(Reader,String,String[]);;Argument[0];groovy",
+        "groovy.lang;GroovyShell;false;run;(Reader,String,List);;Argument[0];groovy",
+        "groovy.lang;GroovyShell;false;run;(String,String,String[]);;Argument[0];groovy",
+        "groovy.lang;GroovyShell;false;run;(String,String,List);;Argument[0];groovy",
+        "groovy.lang;GroovyShell;false;run;(URI,String[]);;Argument[0];groovy",
+        "groovy.lang;GroovyShell;false;run;(URI,List);;Argument[0];groovy",
+        "groovy.util;Eval;false;me;(String);;Argument[0];groovy",
+        "groovy.util;Eval;false;me;(String,Object,String);;Argument[2];groovy",
+        "groovy.util;Eval;false;x;(Object,String);;Argument[1];groovy",
+        "groovy.util;Eval;false;xy;(Object,Object,String);;Argument[2];groovy",
+        "groovy.util;Eval;false;xyz;(Object,Object,Object,String);;Argument[3];groovy",
+        "groovy.lang;GroovyClassLoader;false;parseClass;(GroovyCodeSource);;Argument[0];groovy",
+        "groovy.lang;GroovyClassLoader;false;parseClass;(GroovyCodeSource,boolean);;Argument[0];groovy",
+        "groovy.lang;GroovyClassLoader;false;parseClass;(InputStream,String);;Argument[0];groovy",
+        "groovy.lang;GroovyClassLoader;false;parseClass;(Reader,String);;Argument[0];groovy",
+        "groovy.lang;GroovyClassLoader;false;parseClass;(String);;Argument[0];groovy",
+        "groovy.lang;GroovyClassLoader;false;parseClass;(String,String);;Argument[0];groovy",
+        "org.codehaus.groovy.control;CompilationUnit;false;compile;;;Argument[-1];groovy"
+      ]
+  }
+}

java/ql/test/query-tests/security/CWE-094/GroovyInjectionTest.ql

@@ -1,29 +1,19 @@
 import java
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.security.GroovyInjection
+import semmle.code.java.security.GroovyInjectionQuery
 import TestUtilities.InlineExpectationsTest
 
-class Conf extends TaintTracking::Configuration {
-  Conf() { this = "test:cwe:groovy-injection" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof GroovyInjectionSink }
-
-  override predicate isAdditionalTaintStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
-    any(GroovyInjectionAdditionalTaintStep c).step(fromNode, toNode)
-  }
-}
-
 class HasGroovyInjectionTest extends InlineExpectationsTest {
   HasGroovyInjectionTest() { this = "HasGroovyInjectionTest" }
 
   override string getARelevantTag() { result = "hasGroovyInjection" }
 
   override predicate hasActualResult(Location location, string element, string tag, string value) {
     tag = "hasGroovyInjection" and
-    exists(DataFlow::Node src, DataFlow::Node sink, Conf conf | conf.hasFlow(src, sink) |
+    exists(DataFlow::Node src, DataFlow::Node sink, GroovyInjectionConfig conf |
+      conf.hasFlow(src, sink)
+    |
       sink.getLocation() = location and
       element = sink.toString() and
       value = ""