Cleanup helper dataflow configuration

egregius313 · egregius313 · commit d4e2b8434892 · 2024-01-08T09:38:45.000-05:00
diff --git a/java/ql/lib/semmle/code/java/security/TaintedEnvironmentVariableQuery.qll b/java/ql/lib/semmle/code/java/security/TaintedEnvironmentVariableQuery.qll
@@ -7,19 +7,16 @@ private import semmle.code.java.Maps
 private import semmle.code.java.JDK
 
 private module ProcessBuilderEnvironmentConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source.getType() instanceof TypeProcessBuilder }
-
-  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-    exists(MethodCall mc | mc.getQualifier() = node1.asExpr() and mc = node2.asExpr() |
+  predicate isSource(DataFlow::Node source) {
+    exists(MethodCall mc | mc = source.asExpr() |
       mc.getMethod().hasQualifiedName("java.lang", "ProcessBuilder", "environment")
     )
   }
 
   predicate isSink(DataFlow::Node sink) { sink.asExpr() = any(MapPutCall mpc).getQualifier() }
 }
 
-private module ProcessBuilderEnvironmentFlow =
-  TaintTracking::Global<ProcessBuilderEnvironmentConfig>;
+private module ProcessBuilderEnvironmentFlow = DataFlow::Global<ProcessBuilderEnvironmentConfig>;
 
 module ExecTaintedEnvironmentConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
@@ -28,7 +25,7 @@ module ExecTaintedEnvironmentConfig implements DataFlow::ConfigSig {
     sinkNode(sink, "environment-injection")
     or
     exists(MapPutCall mpc | mpc.getAnArgument() = sink.asExpr() |
-      ProcessBuilderEnvironmentFlow::flow(_, DataFlow::exprNode(mpc.getQualifier()))
+      ProcessBuilderEnvironmentFlow::flowToExpr(mpc.getQualifier())
     )
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -7,19 +7,16 @@ private import semmle.code.java.Maps`
`7`	`7`	`private import semmle.code.java.JDK`
`8`	`8`
`9`	`9`	`private module ProcessBuilderEnvironmentConfig implements DataFlow::ConfigSig {`
`10`		`- predicate isSource(DataFlow::Node source) { source.getType() instanceof TypeProcessBuilder }`
`11`		`-`
`12`		`- predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {`
`13`		`- exists(MethodCall mc \| mc.getQualifier() = node1.asExpr() and mc = node2.asExpr() \|`
	`10`	`+ predicate isSource(DataFlow::Node source) {`
	`11`	`+ exists(MethodCall mc \| mc = source.asExpr() \|`
`14`	`12`	`mc.getMethod().hasQualifiedName("java.lang", "ProcessBuilder", "environment")`
`15`	`13`	`)`
`16`	`14`	`}`
`17`	`15`
`18`	`16`	`predicate isSink(DataFlow::Node sink) { sink.asExpr() = any(MapPutCall mpc).getQualifier() }`
`19`	`17`	`}`
`20`	`18`
`21`		`-private module ProcessBuilderEnvironmentFlow =`
`22`		`- TaintTracking::Global<ProcessBuilderEnvironmentConfig>;`
	`19`	`+private module ProcessBuilderEnvironmentFlow = DataFlow::Global<ProcessBuilderEnvironmentConfig>;`
`23`	`20`
`24`	`21`	`module ExecTaintedEnvironmentConfig implements DataFlow::ConfigSig {`
`25`	`22`	`predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }`
`@@ -28,7 +25,7 @@ module ExecTaintedEnvironmentConfig implements DataFlow::ConfigSig {`
`28`	`25`	`sinkNode(sink, "environment-injection")`
`29`	`26`	`or`
`30`	`27`	`exists(MapPutCall mpc \| mpc.getAnArgument() = sink.asExpr() \|`
`31`		`- ProcessBuilderEnvironmentFlow::flow(_, DataFlow::exprNode(mpc.getQualifier()))`
	`28`	`+ ProcessBuilderEnvironmentFlow::flowToExpr(mpc.getQualifier())`
`32`	`29`	`)`
`33`	`30`	`}`
`34`	`31`	`}`