Ruby: configsig rb/regex/badly-anchored-regexp

alexrford · alexrford · commit 04d3d043177f · 2023-09-03T17:20:05.000+01:00
diff --git a/ruby/ql/lib/codeql/ruby/security/regexp/MissingFullAnchorQuery.qll b/ruby/ql/lib/codeql/ruby/security/regexp/MissingFullAnchorQuery.qll
@@ -3,7 +3,7 @@
  * missing full-anchored regular expressions.
  *
  * Note, for performance reasons: only import this file if
- * `MissingFullAnchor::Configuration` is needed, otherwise
+ * `MissingFullAnchorFlow` is needed, otherwise
  * `MissingFullAnchorCustomizations` should be imported instead.
  */
 
@@ -14,8 +14,9 @@ import MissingFullAnchorCustomizations::MissingFullAnchor
 /**
  * A taint tracking configuration for reasoning about
  * missing full-anchored regular expressions.
+ * DEPRECATED: Use `MissingFullAnchorFlow`
  */
-class Configuration extends TaintTracking::Configuration {
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "MissingFullAnchor" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -24,3 +25,16 @@ class Configuration extends TaintTracking::Configuration {
 
   override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
 }
+
+private module MissingFullAnchorConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/**
+ * Taint-tracking for reasoning about missing full-anchored regular expressions.
+ */
+module MissingFullAnchorFlow = TaintTracking::Global<MissingFullAnchorConfig>;
diff --git a/ruby/ql/src/queries/security/cwe-020/MissingFullAnchor.ql b/ruby/ql/src/queries/security/cwe-020/MissingFullAnchor.ql
@@ -12,10 +12,10 @@
  */
 
 import codeql.ruby.security.regexp.MissingFullAnchorQuery
-import DataFlow::PathGraph
+import MissingFullAnchorFlow::PathGraph
 
-from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink, Sink sinkNode
-where config.hasFlowPath(source, sink) and sink.getNode() = sinkNode
+from MissingFullAnchorFlow::PathNode source, MissingFullAnchorFlow::PathNode sink, Sink sinkNode
+where MissingFullAnchorFlow::flowPath(source, sink) and sink.getNode() = sinkNode
 select sink, source, sink, "This value depends on $@, and is $@ against a $@.", source.getNode(),
   source.getNode().(Source).describe(), sinkNode.getCallNode(), "checked", sinkNode.getRegex(),
   "badly anchored regular expression"
