C#: Re-factor SymmetricKeyTaintTrackingConfiguration to use the new API.

michaelnebel · michaelnebel · commit 5278bbcaaa50 · 2023-03-29T13:19:56.000+02:00
diff --git a/csharp/ql/lib/semmle/code/csharp/security/cryptography/EncryptionKeyDataFlowQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/cryptography/EncryptionKeyDataFlowQuery.qll
@@ -64,9 +64,11 @@ class SymmetricEncryptionCreateDecryptorSink extends SymmetricEncryptionKeySink
 }
 
 /**
+ * DEPRECATED: Use `SymmetricKey` instead.
+ *
  * Symmetric Key Data Flow configuration.
  */
-class SymmetricKeyTaintTrackingConfiguration extends TaintTracking::Configuration {
+deprecated class SymmetricKeyTaintTrackingConfiguration extends TaintTracking::Configuration {
   SymmetricKeyTaintTrackingConfiguration() { this = "SymmetricKeyTaintTracking" }
 
   /** Holds if the node is a key source. */
@@ -78,3 +80,22 @@ class SymmetricKeyTaintTrackingConfiguration extends TaintTracking::Configuratio
   /** Holds if the node is a key sanitizer. */
   override predicate isSanitizer(DataFlow::Node sanitizer) { sanitizer instanceof KeySanitizer }
 }
+
+/**
+ * Symmetric Key Data Flow configuration.
+ */
+private module SymmetricKeyConfig implements DataFlow::ConfigSig {
+  /** Holds if the node is a key source. */
+  predicate isSource(DataFlow::Node src) { src instanceof KeySource }
+
+  /** Holds if the node is a symmetric encryption key sink. */
+  predicate isSink(DataFlow::Node sink) { sink instanceof SymmetricEncryptionKeySink }
+
+  /** Holds if the node is a key sanitizer. */
+  predicate isBarrier(DataFlow::Node sanitizer) { sanitizer instanceof KeySanitizer }
+}
+
+/**
+ * Symmetric Key Data Flow configuration.
+ */
+module SymmetricKey = TaintTracking::Global<SymmetricKeyConfig>;
diff --git a/csharp/ql/src/Security Features/CWE-321/HardcodedEncryptionKey.ql b/csharp/ql/src/Security Features/CWE-321/HardcodedEncryptionKey.ql
@@ -15,7 +15,7 @@
 
 import csharp
 import semmle.code.csharp.security.cryptography.EncryptionKeyDataFlowQuery
-import DataFlow::PathGraph
+import SymmetricKey::PathGraph
 
 /**
  * The creation of a literal byte array.
@@ -38,10 +38,10 @@ class StringLiteralSource extends KeySource {
 }
 
 from
-  SymmetricKeyTaintTrackingConfiguration keyFlow, DataFlow::PathNode source,
-  DataFlow::PathNode sink, KeySource srcNode, SymmetricEncryptionKeySink sinkNode
+  SymmetricKey::PathNode source, SymmetricKey::PathNode sink, KeySource srcNode,
+  SymmetricEncryptionKeySink sinkNode
 where
-  keyFlow.hasFlowPath(source, sink) and
+  SymmetricKey::flowPath(source, sink) and
   source.getNode() = srcNode and
   sink.getNode() = sinkNode
 select sink.getNode(), source, sink,
