Refactor XXE files

egregius313 · egregius313 · commit 8cb5e7883274 · 2023-04-12T20:37:35.000-04:00
diff --git a/java/ql/src/experimental/Security/CWE/CWE-611/XXE.ql b/java/ql/src/experimental/Security/CWE/CWE-611/XXE.ql
@@ -14,18 +14,19 @@
 
 import java
 import XXELib
+import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.dataflow.FlowSources
-import DataFlow::PathGraph
+import XxeFlow::PathGraph
 
-class XxeConfig extends TaintTracking::Configuration {
-  XxeConfig() { this = "XxeConfig" }
+module XxeConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
 
-  override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeXxeSink }
+  predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeXxeSink }
 }
 
-from DataFlow::PathNode source, DataFlow::PathNode sink, XxeConfig conf
-where conf.hasFlowPath(source, sink)
+module XxeFlow = TaintTracking::Global<XxeConfig>;
+
+from XxeFlow::PathNode source, XxeFlow::PathNode sink
+where XxeFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "Unsafe parsing of XML file from $@.", source.getNode(),
   "user input"
diff --git a/java/ql/src/experimental/Security/CWE/CWE-611/XXELib.qll b/java/ql/src/experimental/Security/CWE/CWE-611/XXELib.qll
@@ -52,9 +52,7 @@ class ValidatorValidate extends XmlParserCall {
 
   override Expr getSink() { result = this.getArgument(0) }
 
-  override predicate isSafe() {
-    exists(SafeValidatorFlowConfig svfc | svfc.hasFlowToExpr(this.getQualifier()))
-  }
+  override predicate isSafe() { SafeValidatorFlow::flowToExpr(this.getQualifier()) }
 }
 
 /** A `ParserConfig` specific to `Validator`. */
@@ -82,21 +80,21 @@ class SafeValidator extends VarAccess {
   }
 }
 
-private class SafeValidatorFlowConfig extends DataFlow3::Configuration {
-  SafeValidatorFlowConfig() { this = "SafeValidatorFlowConfig" }
-
-  override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SafeValidator }
+private module SafeValidatorFlowConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SafeValidator }
 
-  override predicate isSink(DataFlow::Node sink) {
+  predicate isSink(DataFlow::Node sink) {
     exists(MethodAccess ma |
       sink.asExpr() = ma.getQualifier() and
       ma.getMethod().getDeclaringType() instanceof Validator
     )
   }
 
-  override int fieldFlowBranchLimit() { result = 0 }
+  int fieldFlowBranchLimit() { result = 0 }
 }
 
+private module SafeValidatorFlow = DataFlow::Global<SafeValidatorFlowConfig>;
+
 /**
  * The classes `org.apache.commons.digester3.Digester`, `org.apache.commons.digester.Digester` or `org.apache.tomcat.util.digester.Digester`.
  */
@@ -121,9 +119,7 @@ class DigesterParse extends XmlParserCall {
 
   override Expr getSink() { result = this.getArgument(0) }
 
-  override predicate isSafe() {
-    exists(SafeDigesterFlowConfig sdfc | sdfc.hasFlowToExpr(this.getQualifier()))
-  }
+  override predicate isSafe() { SafeDigesterFlow::flowToExpr(this.getQualifier()) }
 }
 
 /** A `ParserConfig` that is specific to `Digester`. */
@@ -170,20 +166,20 @@ class SafeDigester extends VarAccess {
   }
 }
 
-private class SafeDigesterFlowConfig extends DataFlow4::Configuration {
-  SafeDigesterFlowConfig() { this = "SafeDigesterFlowConfig" }
-
-  override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SafeDigester }
+private module SafeDigesterFlowConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SafeDigester }
 
-  override predicate isSink(DataFlow::Node sink) {
+  predicate isSink(DataFlow::Node sink) {
     exists(MethodAccess ma |
       sink.asExpr() = ma.getQualifier() and ma.getMethod().getDeclaringType() instanceof Digester
     )
   }
 
-  override int fieldFlowBranchLimit() { result = 0 }
+  int fieldFlowBranchLimit() { result = 0 }
 }
 
+private module SafeDigesterFlow = DataFlow::Global<SafeDigesterFlowConfig>;
+
 /** The class `java.beans.XMLDecoder`. */
 class XmlDecoder extends RefType {
   XmlDecoder() { this.hasQualifiedName("java.beans", "XMLDecoder") }
diff --git a/java/ql/src/experimental/Security/CWE/CWE-611/XXELocal.ql b/java/ql/src/experimental/Security/CWE/CWE-611/XXELocal.ql
@@ -16,18 +16,19 @@
 
 import java
 import XXELib
+import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.dataflow.FlowSources
-import DataFlow::PathGraph
+import XxeLocalFlow::PathGraph
 
-class XxeLocalConfig extends TaintTracking::Configuration {
-  XxeLocalConfig() { this = "XxeLocalConfig" }
+module XxeLocalConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node src) { src instanceof LocalUserInput }
 
-  override predicate isSource(DataFlow::Node src) { src instanceof LocalUserInput }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeXxeSink }
+  predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeXxeSink }
 }
 
-from DataFlow::PathNode source, DataFlow::PathNode sink, XxeLocalConfig conf
-where conf.hasFlowPath(source, sink)
+module XxeLocalFlow = TaintTracking::Global<XxeLocalConfig>;
+
+from XxeLocalFlow::PathNode source, XxeLocalFlow::PathNode sink
+where XxeLocalFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "Unsafe parsing of XML file from $@.", source.getNode(),
   "user input"

Original file line number	Diff line number	Diff line change
`@@ -52,9 +52,7 @@ class ValidatorValidate extends XmlParserCall {`
`52`	`52`
`53`	`53`	`override Expr getSink() { result = this.getArgument(0) }`
`54`	`54`
`55`		`- override predicate isSafe() {`
`56`		`- exists(SafeValidatorFlowConfig svfc \| svfc.hasFlowToExpr(this.getQualifier()))`
`57`		`- }`
	`55`	`+ override predicate isSafe() { SafeValidatorFlow::flowToExpr(this.getQualifier()) }`
`58`	`56`	`}`
`59`	`57`
`60`	`58`	/** A `ParserConfig` specific to `Validator`. */
`@@ -82,21 +80,21 @@ class SafeValidator extends VarAccess {`
`82`	`80`	`}`
`83`	`81`	`}`
`84`	`82`
`85`		`-private class SafeValidatorFlowConfig extends DataFlow3::Configuration {`
`86`		`- SafeValidatorFlowConfig() { this = "SafeValidatorFlowConfig" }`
`87`		`-`
`88`		`- override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SafeValidator }`
	`83`	`+private module SafeValidatorFlowConfig implements DataFlow::ConfigSig {`
	`84`	`+ predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SafeValidator }`
`89`	`85`
`90`		`- override predicate isSink(DataFlow::Node sink) {`
	`86`	`+ predicate isSink(DataFlow::Node sink) {`
`91`	`87`	`exists(MethodAccess ma \|`
`92`	`88`	`sink.asExpr() = ma.getQualifier() and`
`93`	`89`	`ma.getMethod().getDeclaringType() instanceof Validator`
`94`	`90`	`)`
`95`	`91`	`}`
`96`	`92`
`97`		`- override int fieldFlowBranchLimit() { result = 0 }`
	`93`	`+ int fieldFlowBranchLimit() { result = 0 }`
`98`	`94`	`}`
`99`	`95`
	`96`	`+private module SafeValidatorFlow = DataFlow::Global<SafeValidatorFlowConfig>;`
	`97`	`+`
`100`	`98`	`/**`
`101`	`99`	* The classes `org.apache.commons.digester3.Digester`, `org.apache.commons.digester.Digester` or `org.apache.tomcat.util.digester.Digester`.
`102`	`100`	`*/`
`@@ -121,9 +119,7 @@ class DigesterParse extends XmlParserCall {`
`121`	`119`
`122`	`120`	`override Expr getSink() { result = this.getArgument(0) }`
`123`	`121`
`124`		`- override predicate isSafe() {`
`125`		`- exists(SafeDigesterFlowConfig sdfc \| sdfc.hasFlowToExpr(this.getQualifier()))`
`126`		`- }`
	`122`	`+ override predicate isSafe() { SafeDigesterFlow::flowToExpr(this.getQualifier()) }`
`127`	`123`	`}`
`128`	`124`
`129`	`125`	/** A `ParserConfig` that is specific to `Digester`. */
`@@ -170,20 +166,20 @@ class SafeDigester extends VarAccess {`
`170`	`166`	`}`
`171`	`167`	`}`
`172`	`168`
`173`		`-private class SafeDigesterFlowConfig extends DataFlow4::Configuration {`
`174`		`- SafeDigesterFlowConfig() { this = "SafeDigesterFlowConfig" }`
`175`		`-`
`176`		`- override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SafeDigester }`
	`169`	`+private module SafeDigesterFlowConfig implements DataFlow::ConfigSig {`
	`170`	`+ predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SafeDigester }`
`177`	`171`
`178`		`- override predicate isSink(DataFlow::Node sink) {`
	`172`	`+ predicate isSink(DataFlow::Node sink) {`
`179`	`173`	`exists(MethodAccess ma \|`
`180`	`174`	`sink.asExpr() = ma.getQualifier() and ma.getMethod().getDeclaringType() instanceof Digester`
`181`	`175`	`)`
`182`	`176`	`}`
`183`	`177`
`184`		`- override int fieldFlowBranchLimit() { result = 0 }`
	`178`	`+ int fieldFlowBranchLimit() { result = 0 }`
`185`	`179`	`}`
`186`	`180`
	`181`	`+private module SafeDigesterFlow = DataFlow::Global<SafeDigesterFlowConfig>;`
	`182`	`+`
`187`	`183`	/** The class `java.beans.XMLDecoder`. */
`188`	`184`	`class XmlDecoder extends RefType {`
`189`	`185`	`XmlDecoder() { this.hasQualifiedName("java.beans", "XMLDecoder") }`