Update to the Global/flow* api

egregius313 · egregius313 · commit 9bfb13b942a8 · 2023-03-27T12:26:18.000-04:00
diff --git a/java/ql/lib/semmle/code/java/security/InsecureLdapAuthQuery.qll b/java/ql/lib/semmle/code/java/security/InsecureLdapAuthQuery.qll
@@ -24,7 +24,7 @@ private module InsecureLdapUrlConfig implements DataFlow::ConfigSig {
   }
 }
 
-module InsecureLdapUrlFlow = TaintTracking::Make<InsecureLdapUrlConfig>;
+module InsecureLdapUrlFlow = TaintTracking::Global<InsecureLdapUrlConfig>;
 
 /**
  * A taint-tracking configuration for `simple` basic-authentication in LDAP configuration.
@@ -40,7 +40,7 @@ private module BasicAuthConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof InsecureLdapUrlSink }
 }
 
-module BasicAuthFlow = DataFlow::Make<BasicAuthConfig>;
+module BasicAuthFlow = DataFlow::Global<BasicAuthConfig>;
 
 /**
  * A taint-tracking configuration for `ssl` configuration in LDAP authentication.
@@ -56,4 +56,4 @@ private module RequiresSslConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof InsecureLdapUrlSink }
 }
 
-module RequiresSslFlow = DataFlow::Make<RequiresSslConfig>;
+module RequiresSslFlow = DataFlow::Global<RequiresSslConfig>;
diff --git a/java/ql/src/Security/CWE/CWE-522/InsecureLdapAuth.ql b/java/ql/src/Security/CWE/CWE-522/InsecureLdapAuth.ql
@@ -18,8 +18,8 @@ import InsecureLdapUrlFlow::PathGraph
 
 from InsecureLdapUrlFlow::PathNode source, InsecureLdapUrlFlow::PathNode sink
 where
-  InsecureLdapUrlFlow::hasFlowPath(source, sink) and
-  BasicAuthFlow::hasFlowTo(sink.getNode()) and
-  not RequiresSslFlow::hasFlowTo(sink.getNode())
+  InsecureLdapUrlFlow::flowPath(source, sink) and
+  BasicAuthFlow::flowTo(sink.getNode()) and
+  not RequiresSslFlow::flowTo(sink.getNode())
 select sink.getNode(), source, sink, "Insecure LDAP authentication from $@.", source.getNode(),
   "LDAP connection string"
diff --git a/java/ql/test/query-tests/security/CWE-522/InsecureLdapAuthTest.ql b/java/ql/test/query-tests/security/CWE-522/InsecureLdapAuthTest.ql
@@ -9,9 +9,9 @@ class InsecureLdapAuthenticationTest extends InlineExpectationsTest {
 
   override predicate hasActualResult(Location location, string element, string tag, string value) {
     tag = "hasInsecureLdapAuth" and
-    exists(DataFlow::Node sink | InsecureLdapUrlFlow::hasFlowTo(sink) |
-      BasicAuthFlow::hasFlowTo(sink) and
-      not RequiresSslFlow::hasFlowTo(sink) and
+    exists(DataFlow::Node sink | InsecureLdapUrlFlow::flowTo(sink) |
+      BasicAuthFlow::flowTo(sink) and
+      not RequiresSslFlow::flowTo(sink) and
       sink.getLocation() = location and
       element = sink.toString() and
       value = ""

Original file line number	Diff line number	Diff line change
`@@ -24,7 +24,7 @@ private module InsecureLdapUrlConfig implements DataFlow::ConfigSig {`
`24`	`24`	`}`
`25`	`25`	`}`
`26`	`26`
`27`		`-module InsecureLdapUrlFlow = TaintTracking::Make<InsecureLdapUrlConfig>;`
	`27`	`+module InsecureLdapUrlFlow = TaintTracking::Global<InsecureLdapUrlConfig>;`
`28`	`28`
`29`	`29`	`/**`
`30`	`30`	* A taint-tracking configuration for `simple` basic-authentication in LDAP configuration.
`@@ -40,7 +40,7 @@ private module BasicAuthConfig implements DataFlow::ConfigSig {`
`40`	`40`	`predicate isSink(DataFlow::Node sink) { sink instanceof InsecureLdapUrlSink }`
`41`	`41`	`}`
`42`	`42`
`43`		`-module BasicAuthFlow = DataFlow::Make<BasicAuthConfig>;`
	`43`	`+module BasicAuthFlow = DataFlow::Global<BasicAuthConfig>;`
`44`	`44`
`45`	`45`	`/**`
`46`	`46`	* A taint-tracking configuration for `ssl` configuration in LDAP authentication.
`@@ -56,4 +56,4 @@ private module RequiresSslConfig implements DataFlow::ConfigSig {`
`56`	`56`	`predicate isSink(DataFlow::Node sink) { sink instanceof InsecureLdapUrlSink }`
`57`	`57`	`}`
`58`	`58`
`59`		`-module RequiresSslFlow = DataFlow::Make<RequiresSslConfig>;`
	`59`	`+module RequiresSslFlow = DataFlow::Global<RequiresSslConfig>;`