Ruby: configsig rb/manually-checking-http-verb

Author: alexrford

ruby/ql/src/experimental/manually-check-http-verb/ManuallyCheckHttpVerb.ql

@@ -15,7 +15,6 @@ import codeql.ruby.DataFlow
 import codeql.ruby.controlflow.CfgNodes
 import codeql.ruby.frameworks.ActionController
 import codeql.ruby.TaintTracking
-import DataFlow::PathGraph
 
 // any `request` calls in an action method
 class Request extends DataFlow::CallNode {
@@ -73,10 +72,8 @@ class RequestGet extends DataFlow::CallNode {
   }
 }
 
-class HttpVerbConfig extends TaintTracking::Configuration {
-  HttpVerbConfig() { this = "HttpVerbConfig" }
-
-  override predicate isSource(DataFlow::Node source) {
+private module HttpVerbConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
     source instanceof RequestMethod or
     source instanceof RequestRequestMethod or
     source instanceof RequestEnvMethod or
@@ -85,13 +82,17 @@ class HttpVerbConfig extends TaintTracking::Configuration {
     source instanceof RequestGet
   }
 
-  override predicate isSink(DataFlow::Node sink) {
+  predicate isSink(DataFlow::Node sink) {
     exists(ExprNodes::ConditionalExprCfgNode c | c.getCondition() = sink.asExpr()) or
     exists(ExprNodes::CaseExprCfgNode c | c.getValue() = sink.asExpr())
   }
 }
 
-from HttpVerbConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
+private module HttpVerbFlow = TaintTracking::Global<HttpVerbConfig>;
+
+private import HttpVerbFlow::PathGraph
+
+from HttpVerbFlow::PathNode source, HttpVerbFlow::PathNode sink
+where HttpVerbFlow::flowPath(source, sink)
 select sink.getNode(), source, sink,
   "Manually checking HTTP verbs is an indication that multiple requests are routed to the same controller action. This could lead to bypassing necessary authorization methods and other protections, like CSRF protection. Prefer using different controller actions for each HTTP method and relying Rails routing to handle mapping resources and verbs to specific methods."