Skip to content

Commit e60e1a2

Browse files
egregius313egregius313
committed
Refactor Security.CWE.CWE-022.TaintedPathLocal
1 parent dce81cf commit e60e1a2

File tree

1 file changed

+12
-11
lines changed

1 file changed

+12
-11
lines changed

java/ql/src/Security/CWE/CWE-022/TaintedPathLocal.ql

Lines changed: 12 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -18,32 +18,33 @@ import semmle.code.java.dataflow.FlowSources
1818
private import semmle.code.java.dataflow.ExternalFlow
1919
import semmle.code.java.security.PathCreation
2020
import semmle.code.java.security.PathSanitizer
21-
import DataFlow::PathGraph
2221
import TaintedPathCommon
2322

24-
class TaintedPathLocalConfig extends TaintTracking::Configuration {
25-
TaintedPathLocalConfig() { this = "TaintedPathLocalConfig" }
23+
private module TaintedPathLocalConfig implements DataFlow::ConfigSig {
24+
predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
2625

27-
override predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
28-
29-
override predicate isSink(DataFlow::Node sink) {
26+
predicate isSink(DataFlow::Node sink) {
3027
sink.asExpr() = any(PathCreation p).getAnInput()
3128
or
3229
sinkNode(sink, "create-file")
3330
}
3431

35-
override predicate isSanitizer(DataFlow::Node sanitizer) {
32+
predicate isBarrier(DataFlow::Node sanitizer) {
3633
sanitizer.getType() instanceof BoxedType or
3734
sanitizer.getType() instanceof PrimitiveType or
3835
sanitizer.getType() instanceof NumberType or
3936
sanitizer instanceof PathInjectionSanitizer
4037
}
4138

42-
override predicate isAdditionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) {
39+
predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
4340
any(TaintedPathAdditionalTaintStep s).step(n1, n2)
4441
}
4542
}
4643

44+
module TaintedPathLocalFlow = TaintTracking::Make<TaintedPathLocalConfig>;
45+
46+
import TaintedPathLocalFlow::PathGraph
47+
4748
/**
4849
* Gets the data-flow node at which to report a path ending at `sink`.
4950
*
@@ -52,13 +53,13 @@ class TaintedPathLocalConfig extends TaintTracking::Configuration {
5253
* continue to report there; otherwise we report directly at `sink`.
5354
*/
5455
DataFlow::Node getReportingNode(DataFlow::Node sink) {
55-
any(TaintedPathLocalConfig c).hasFlowTo(sink) and
56+
TaintedPathLocalFlow::hasFlowTo(sink) and
5657
if exists(PathCreation pc | pc.getAnInput() = sink.asExpr())
5758
then result.asExpr() = any(PathCreation pc | pc.getAnInput() = sink.asExpr())
5859
else result = sink
5960
}
6061

61-
from DataFlow::PathNode source, DataFlow::PathNode sink, TaintedPathLocalConfig conf
62-
where conf.hasFlowPath(source, sink)
62+
from TaintedPathLocalFlow::PathNode source, TaintedPathLocalFlow::PathNode sink
63+
where TaintedPathLocalFlow::hasFlowPath(source, sink)
6364
select getReportingNode(sink.getNode()), source, sink, "This path depends on a $@.",
6465
source.getNode(), "user-provided value"

0 commit comments

Comments
 (0)