Refactor PartialPathTraversal

Author: egregius313

java/ql/lib/semmle/code/java/security/PartialPathTraversalQuery.qll

@@ -7,11 +7,13 @@ import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.dataflow.FlowSources
 
 /**
+ * DEPRECATED: Use `PartialPathTraversalFromRemoteFlow` instead.
+ *
  * A taint-tracking configuration for unsafe user input
  * that is used to validate against path traversal, but is insufficient
  * and remains vulnerable to Partial Path Traversal.
  */
-class PartialPathTraversalFromRemoteConfig extends TaintTracking::Configuration {
+deprecated class PartialPathTraversalFromRemoteConfig extends TaintTracking::Configuration {
   PartialPathTraversalFromRemoteConfig() { this = "PartialPathTraversalFromRemoteConfig" }
 
   override predicate isSource(DataFlow::Node node) { node instanceof RemoteFlowSource }
@@ -20,3 +22,20 @@ class PartialPathTraversalFromRemoteConfig extends TaintTracking::Configuration
     any(PartialPathTraversalMethodAccess ma).getQualifier() = node.asExpr()
   }
 }
+
+/**
+ * A taint-tracking configuration for unsafe user input
+ * that is used to validate against path traversal, but is insufficient
+ * and remains vulnerable to Partial Path Traversal.
+ */
+private module PartialPathTraversalFromRemoteConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) { node instanceof RemoteFlowSource }
+
+  predicate isSink(DataFlow::Node node) {
+    any(PartialPathTraversalMethodAccess ma).getQualifier() = node.asExpr()
+  }
+}
+
+/** Tracks flow of unsafe user input that is used to validate against path traversal, but is insufficient and remains vulnerable to Partial Path Traversal. */
+module PartialPathTraversalFromRemoteFlow =
+  TaintTracking::Global<PartialPathTraversalFromRemoteConfig>;

java/ql/src/Security/CWE/CWE-023/PartialPathTraversalFromRemote.ql

@@ -11,10 +11,12 @@
  */
 
 import semmle.code.java.security.PartialPathTraversalQuery
-import DataFlow::PathGraph
+import PartialPathTraversalFromRemoteFlow::PathGraph
 
-from DataFlow::PathNode source, DataFlow::PathNode sink
-where any(PartialPathTraversalFromRemoteConfig config).hasFlowPath(source, sink)
+from
+  PartialPathTraversalFromRemoteFlow::PathNode source,
+  PartialPathTraversalFromRemoteFlow::PathNode sink
+where PartialPathTraversalFromRemoteFlow::flowPath(source, sink)
 select sink.getNode(), source, sink,
   "Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@.",
   source, "user-supplied data"

java/ql/test/query-tests/security/CWE-023/semmle/tests/PartialPathTraversalFromRemoteTest.ql

@@ -1,21 +1,24 @@
 import java
-import TestUtilities.InlineFlowTest
+import TestUtilities.InlineExpectationsTest
 import semmle.code.java.security.PartialPathTraversalQuery
 
-class EnableLegacy extends EnableLegacyConfiguration {
-  EnableLegacy() { exists(this) }
-}
-
 class TestRemoteSource extends RemoteFlowSource {
   TestRemoteSource() { this.asParameter().hasName(["dir", "path"]) }
 
   override string getSourceType() { result = "TestSource" }
 }
 
-class Test extends InlineFlowTest {
-  override DataFlow::Configuration getValueFlowConfig() { none() }
+class Test extends InlineExpectationsTest {
+  Test() { this = "PartialPathTraversalFromRemoteTest" }
+
+  override string getARelevantTag() { result = "hasTaintFlow" }
 
-  override TaintTracking::Configuration getTaintFlowConfig() {
-    result instanceof PartialPathTraversalFromRemoteConfig
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "hasTaintFlow" and
+    exists(DataFlow::Node sink | PartialPathTraversalFromRemoteFlow::flowTo(sink) |
+      sink.getLocation() = location and
+      element = sink.toString() and
+      value = ""
+    )
   }
 }