11/** Provides default definitions to be used in XXE queries. */
22
33import java
4- private import semmle.code.java.dataflow.TaintTracking2
4+ private import semmle.code.java.dataflow.TaintTracking
55private import semmle.code.java.security.XmlParsers
66import semmle.code.java.security.Xxe
77
@@ -11,7 +11,7 @@ import semmle.code.java.security.Xxe
1111 */
1212private class DefaultXxeSink extends XxeSink {
1313 DefaultXxeSink ( ) {
14- not exists ( SafeSaxSourceFlowConfig safeSource | safeSource . hasFlowTo ( this ) ) and
14+ not SafeSaxSourceFlow :: flowTo ( this ) and
1515 exists ( XmlParserCall parse |
1616 parse .getSink ( ) = this .asExpr ( ) and
1717 not parse .isSafe ( )
@@ -22,14 +22,12 @@ private class DefaultXxeSink extends XxeSink {
2222/**
2323 * A taint-tracking configuration for safe XML readers used to parse XML documents.
2424 */
25- private class SafeSaxSourceFlowConfig extends TaintTracking2 :: Configuration {
26- SafeSaxSourceFlowConfig ( ) { this = "SafeSaxSourceFlowConfig" }
25+ private module SafeSaxSourceFlowConfig implements DataFlow :: ConfigSig {
26+ predicate isSource ( DataFlow :: Node src ) { src . asExpr ( ) instanceof SafeSaxSource }
2727
28- override predicate isSource ( DataFlow:: Node src ) { src .asExpr ( ) instanceof SafeSaxSource }
28+ predicate isSink ( DataFlow:: Node sink ) { sink .asExpr ( ) = any ( XmlParserCall parse ) . getSink ( ) }
2929
30- override predicate isSink ( DataFlow:: Node sink ) {
31- sink .asExpr ( ) = any ( XmlParserCall parse ) .getSink ( )
32- }
33-
34- override int fieldFlowBranchLimit ( ) { result = 0 }
30+ int fieldFlowBranchLimit ( ) { result = 0 }
3531}
32+
33+ private module SafeSaxSourceFlow = TaintTracking:: Global< SafeSaxSourceFlowConfig > ;
0 commit comments