C#: Re-factor ExposureOfPrivateInformation to use the new API.

michaelnebel · michaelnebel · commit 483e5c5264a4 · 2023-03-29T13:19:56.000+02:00
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ExposureOfPrivateInformationQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ExposureOfPrivateInformationQuery.qll
@@ -23,6 +23,8 @@ abstract class Sink extends DataFlow::ExprNode { }
 abstract class Sanitizer extends DataFlow::ExprNode { }
 
 /**
+ * DEPRECATED: Use `ExposureOfPrivateInformation` instead.
+ *
  * A taint-tracking configuration for private information flowing unencrypted to an external location.
  */
 class TaintTrackingConfiguration extends TaintTracking::Configuration {
@@ -35,6 +37,22 @@ class TaintTrackingConfiguration extends TaintTracking::Configuration {
   override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
 }
 
+/**
+ * A taint-tracking configuration for private information flowing unencrypted to an external location.
+ */
+private module ExposureOfPrivateInformationConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/**
+ * A taint-tracking module for private information flowing unencrypted to an external location.
+ */
+module ExposureOfPrivateInformation = TaintTracking::Global<ExposureOfPrivateInformationConfig>;
+
 private class PrivateDataSource extends Source {
   PrivateDataSource() { this.getExpr() instanceof PrivateDataExpr }
 }
diff --git a/csharp/ql/src/Security Features/CWE-359/ExposureOfPrivateInformation.ql b/csharp/ql/src/Security Features/CWE-359/ExposureOfPrivateInformation.ql
@@ -13,10 +13,10 @@
 
 import csharp
 import semmle.code.csharp.security.dataflow.ExposureOfPrivateInformationQuery
-import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
+import ExposureOfPrivateInformation::PathGraph
 
-from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
-where c.hasFlowPath(source, sink)
+from ExposureOfPrivateInformation::PathNode source, ExposureOfPrivateInformation::PathNode sink
+where ExposureOfPrivateInformation::flowPath(source, sink)
 select sink.getNode(), source, sink,
   "Private data returned by $@ is written to an external location.", source.getNode(),
   source.getNode().toString()
