Refactor AndroidCertificatePinningQuery

egregius313 · egregius313 · commit 807588a031ff · 2023-03-24T09:47:50.000-04:00
diff --git a/java/ql/lib/semmle/code/java/security/AndroidCertificatePinningQuery.qll b/java/ql/lib/semmle/code/java/security/AndroidCertificatePinningQuery.qll
@@ -106,29 +106,29 @@ private class MissingPinningSink extends DataFlow::Node {
 }
 
 /** Configuration for finding uses of non trusted URLs. */
-private class UntrustedUrlConfig extends TaintTracking::Configuration {
-  UntrustedUrlConfig() { this = "UntrustedUrlConfig" }
-
-  override predicate isSource(DataFlow::Node node) {
+private module UntrustedUrlConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) {
     trustedDomain(_) and
     exists(string lit | lit = node.asExpr().(CompileTimeConstantExpr).getStringValue() |
       lit.matches("%://%") and // it's a URL
       not exists(string dom | trustedDomain(dom) and lit.matches("%" + dom + "%"))
     )
   }
 
-  override predicate isSink(DataFlow::Node node) { node instanceof MissingPinningSink }
+  predicate isSink(DataFlow::Node node) { node instanceof MissingPinningSink }
 }
 
+private module UntrustedUrlFlow = TaintTracking::Make<UntrustedUrlConfig>;
+
 /** Holds if `node` is a network communication call for which certificate pinning is not implemented. */
 predicate missingPinning(DataFlow::Node node, string domain) {
   isAndroid() and
   node instanceof MissingPinningSink and
   (
     not trustedDomain(_) and domain = ""
     or
-    exists(UntrustedUrlConfig conf, DataFlow::Node src |
-      conf.hasFlow(src, node) and
+    exists(DataFlow::Node src |
+      UntrustedUrlFlow::hasFlow(src, node) and
       domain = getDomain(src.asExpr())
     )
   )

Original file line number	Diff line number	Diff line change
`@@ -106,29 +106,29 @@ private class MissingPinningSink extends DataFlow::Node {`
`106`	`106`	`}`
`107`	`107`
`108`	`108`	`/** Configuration for finding uses of non trusted URLs. */`
`109`		`-private class UntrustedUrlConfig extends TaintTracking::Configuration {`
`110`		`- UntrustedUrlConfig() { this = "UntrustedUrlConfig" }`
`111`		`-`
`112`		`- override predicate isSource(DataFlow::Node node) {`
	`109`	`+private module UntrustedUrlConfig implements DataFlow::ConfigSig {`
	`110`	`+ predicate isSource(DataFlow::Node node) {`
`113`	`111`	`trustedDomain(_) and`
`114`	`112`	`exists(string lit \| lit = node.asExpr().(CompileTimeConstantExpr).getStringValue() \|`
`115`	`113`	`lit.matches("%://%") and // it's a URL`
`116`	`114`	`not exists(string dom \| trustedDomain(dom) and lit.matches("%" + dom + "%"))`
`117`	`115`	`)`
`118`	`116`	`}`
`119`	`117`
`120`		`- override predicate isSink(DataFlow::Node node) { node instanceof MissingPinningSink }`
	`118`	`+ predicate isSink(DataFlow::Node node) { node instanceof MissingPinningSink }`
`121`	`119`	`}`
`122`	`120`
	`121`	`+private module UntrustedUrlFlow = TaintTracking::Make<UntrustedUrlConfig>;`
	`122`	`+`
`123`	`123`	/** Holds if `node` is a network communication call for which certificate pinning is not implemented. */
`124`	`124`	`predicate missingPinning(DataFlow::Node node, string domain) {`
`125`	`125`	`isAndroid() and`
`126`	`126`	`node instanceof MissingPinningSink and`
`127`	`127`	`(`
`128`	`128`	`not trustedDomain(_) and domain = ""`
`129`	`129`	`or`
`130`		`- exists(UntrustedUrlConfig conf, DataFlow::Node src \|`
`131`		`- conf.hasFlow(src, node) and`
	`130`	`+ exists(DataFlow::Node src \|`
	`131`	`+ UntrustedUrlFlow::hasFlow(src, node) and`
`132`	`132`	`domain = getDomain(src.asExpr())`
`133`	`133`	`)`
`134`	`134`	`)`