Refactor ConditionalBypass

Author: egregius313

java/ql/lib/semmle/code/java/security/ConditionalBypassQuery.qll

@@ -37,9 +37,11 @@ private predicate endsWithStep(DataFlow::Node node1, DataFlow::Node node2) {
 }
 
 /**
+ * DEPRECATED: Use `ConditionalBypassFlow` instead.
+ *
  * A taint tracking configuration for untrusted data flowing to sensitive conditions.
  */
-class ConditionalBypassFlowConfig extends TaintTracking::Configuration {
+deprecated class ConditionalBypassFlowConfig extends TaintTracking::Configuration {
   ConditionalBypassFlowConfig() { this = "ConditionalBypassFlowConfig" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
@@ -50,3 +52,18 @@ class ConditionalBypassFlowConfig extends TaintTracking::Configuration {
     endsWithStep(node1, node2)
   }
 }
+
+module ConditionalBypassFlowConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  predicate isSink(DataFlow::Node sink) { conditionControlsMethod(_, sink.asExpr()) }
+
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    endsWithStep(node1, node2)
+  }
+}
+
+/**
+ * A taint tracking configuration for untrusted data flowing to sensitive conditions.
+ */
+module ConditionalBypassFlow = TaintTracking::Global<ConditionalBypassFlowConfig>;

java/ql/src/Security/CWE/CWE-807/ConditionalBypass.ql

@@ -15,15 +15,15 @@
 import java
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.security.ConditionalBypassQuery
-import DataFlow::PathGraph
+import ConditionalBypassFlow::PathGraph
 
 from
-  DataFlow::PathNode source, DataFlow::PathNode sink, MethodAccess m, Expr e,
-  ConditionalBypassFlowConfig conf
+  ConditionalBypassFlow::PathNode source, ConditionalBypassFlow::PathNode sink, MethodAccess m,
+  Expr e
 where
   conditionControlsMethod(m, e) and
   sink.getNode().asExpr() = e and
-  conf.hasFlowPath(source, sink)
+  ConditionalBypassFlow::flowPath(source, sink)
 select m, source, sink,
   "Sensitive method may not be executed depending on a $@, which flows from $@.", e,
   "this condition", source.getNode(), "user-controlled value"

java/ql/test/query-tests/security/CWE-807/semmle/tests/ConditionalBypassTest.ql

@@ -9,7 +9,7 @@ class ConditionalBypassTest extends InlineExpectationsTest {
 
   override predicate hasActualResult(Location location, string element, string tag, string value) {
     tag = "hasConditionalBypassTest" and
-    exists(DataFlow::Node sink, ConditionalBypassFlowConfig conf | conf.hasFlowTo(sink) |
+    exists(DataFlow::Node sink | ConditionalBypassFlow::flowTo(sink) |
       sink.getLocation() = location and
       element = sink.toString() and
       value = ""