Merge pull request github#12808 from egregius313/egregius313/java/dataflow/refactor-experimental

Java: Refactor experimental queries to new DataFlow API

Author: egregius313

java/ql/src/experimental/Security/CWE/CWE-020/Log4jJndiInjection.ql

@@ -16,9 +16,10 @@
  */
 
 import java
+import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.ExternalFlow
-import DataFlow::PathGraph
+import Log4jInjectionFlow::PathGraph
 
 private class ActivateModels extends ActiveExperimentalModels {
   ActivateModels() { this = "log4j-injection" }
@@ -41,17 +42,20 @@ class Log4jInjectionSanitizer extends DataFlow::Node {
 /**
  * A taint-tracking configuration for tracking untrusted user input used in log entries.
  */
-class Log4jInjectionConfiguration extends TaintTracking::Configuration {
-  Log4jInjectionConfiguration() { this = "Log4jInjectionConfiguration" }
+module Log4jInjectionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSink(DataFlow::Node sink) { sink instanceof Log4jInjectionSink }
 
-  override predicate isSink(DataFlow::Node sink) { sink instanceof Log4jInjectionSink }
-
-  override predicate isSanitizer(DataFlow::Node node) { node instanceof Log4jInjectionSanitizer }
+  predicate isBarrier(DataFlow::Node node) { node instanceof Log4jInjectionSanitizer }
 }
 
-from Log4jInjectionConfiguration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
-where cfg.hasFlowPath(source, sink)
+/**
+ * Taint-tracking flow for tracking untrusted user input used in log entries.
+ */
+module Log4jInjectionFlow = TaintTracking::Global<Log4jInjectionConfig>;
+
+from Log4jInjectionFlow::PathNode source, Log4jInjectionFlow::PathNode sink
+where Log4jInjectionFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "Log4j log entry depends on a $@.", source.getNode(),
   "user-provided value"

java/ql/src/experimental/Security/CWE/CWE-036/OpenStream.ql

@@ -15,7 +15,7 @@ import java
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.ExternalFlow
-import DataFlow::PathGraph
+import RemoteUrlToOpenStreamFlow::PathGraph
 
 class UrlConstructor extends ClassInstanceExpr {
   UrlConstructor() { this.getConstructor().getDeclaringType() instanceof TypeUrl }
@@ -28,30 +28,32 @@ class UrlConstructor extends ClassInstanceExpr {
   }
 }
 
-class RemoteUrlToOpenStreamFlowConfig extends TaintTracking::Configuration {
-  RemoteUrlToOpenStreamFlowConfig() { this = "OpenStream::RemoteURLToOpenStreamFlowConfig" }
+module RemoteUrlToOpenStreamFlowConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) {
+  predicate isSink(DataFlow::Node sink) {
     exists(MethodAccess m |
       sink.asExpr() = m.getQualifier() and m.getMethod() instanceof UrlOpenStreamMethod
     )
     or
     sinkNode(sink, "url-open-stream")
   }
 
-  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     exists(UrlConstructor u |
       node1.asExpr() = u.stringArg() and
       node2.asExpr() = u
     )
   }
 }
 
-from DataFlow::PathNode source, DataFlow::PathNode sink, MethodAccess call
+module RemoteUrlToOpenStreamFlow = TaintTracking::Global<RemoteUrlToOpenStreamFlowConfig>;
+
+from
+  RemoteUrlToOpenStreamFlow::PathNode source, RemoteUrlToOpenStreamFlow::PathNode sink,
+  MethodAccess call
 where
   sink.getNode().asExpr() = call.getQualifier() and
-  any(RemoteUrlToOpenStreamFlowConfig c).hasFlowPath(source, sink)
+  RemoteUrlToOpenStreamFlow::flowPath(source, sink)
 select call, source, sink,
   "URL on which openStream is called may have been constructed from remote source."

java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql

@@ -13,12 +13,13 @@
  */
 
 import java
+import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.dataflow.ExternalFlow
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.PathCreation
 import JFinalController
 import semmle.code.java.security.PathSanitizer
-import DataFlow::PathGraph
+import InjectFilePathFlow::PathGraph
 
 private class ActivateModels extends ActiveExperimentalModels {
   ActivateModels() { this = "file-path-injection" }
@@ -47,24 +48,24 @@ class NormalizedPathNode extends DataFlow::Node {
   }
 }
 
-class InjectFilePathConfig extends TaintTracking::Configuration {
-  InjectFilePathConfig() { this = "InjectFilePathConfig" }
+module InjectFilePathConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) {
+  predicate isSink(DataFlow::Node sink) {
     sink.asExpr() = any(PathCreation p).getAnInput() and
     not sink instanceof NormalizedPathNode
   }
 
-  override predicate isSanitizer(DataFlow::Node node) {
+  predicate isBarrier(DataFlow::Node node) {
     exists(Type t | t = node.getType() | t instanceof BoxedType or t instanceof PrimitiveType)
     or
     node instanceof PathInjectionSanitizer
   }
 }
 
-from DataFlow::PathNode source, DataFlow::PathNode sink, InjectFilePathConfig conf
-where conf.hasFlowPath(source, sink)
+module InjectFilePathFlow = TaintTracking::Global<InjectFilePathConfig>;
+
+from InjectFilePathFlow::PathNode source, InjectFilePathFlow::PathNode sink
+where InjectFilePathFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "External control of file name or path due to $@.",
   source.getNode(), "user-provided value"

java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.ql

@@ -13,27 +13,24 @@
  */
 
 import java
-import DataFlow::PathGraph
 import MyBatisCommonLib
 import MyBatisAnnotationSqlInjectionLib
 import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.dataflow.TaintTracking
+import MyBatisAnnotationSqlInjectionFlow::PathGraph
 
-private class MyBatisAnnotationSqlInjectionConfiguration extends TaintTracking::Configuration {
-  MyBatisAnnotationSqlInjectionConfiguration() { this = "MyBatis annotation sql injection" }
+private module MyBatisAnnotationSqlInjectionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSink(DataFlow::Node sink) { sink instanceof MyBatisAnnotatedMethodCallArgument }
 
-  override predicate isSink(DataFlow::Node sink) {
-    sink instanceof MyBatisAnnotatedMethodCallArgument
-  }
-
-  override predicate isSanitizer(DataFlow::Node node) {
+  predicate isBarrier(DataFlow::Node node) {
     node.getType() instanceof PrimitiveType or
     node.getType() instanceof BoxedType or
     node.getType() instanceof NumberType
   }
 
-  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     exists(MethodAccess ma |
       ma.getMethod().getDeclaringType() instanceof TypeObject and
       ma.getMethod().getName() = "toString" and
@@ -43,12 +40,15 @@ private class MyBatisAnnotationSqlInjectionConfiguration extends TaintTracking::
   }
 }
 
+private module MyBatisAnnotationSqlInjectionFlow =
+  TaintTracking::Global<MyBatisAnnotationSqlInjectionConfig>;
+
 from
-  MyBatisAnnotationSqlInjectionConfiguration cfg, DataFlow::PathNode source,
-  DataFlow::PathNode sink, IbatisSqlOperationAnnotation isoa, MethodAccess ma,
-  string unsafeExpression
+  MyBatisAnnotationSqlInjectionFlow::PathNode source,
+  MyBatisAnnotationSqlInjectionFlow::PathNode sink, IbatisSqlOperationAnnotation isoa,
+  MethodAccess ma, string unsafeExpression
 where
-  cfg.hasFlowPath(source, sink) and
+  MyBatisAnnotationSqlInjectionFlow::flowPath(source, sink) and
   ma.getAnArgument() = sink.getNode().asExpr() and
   myBatisSqlOperationAnnotationFromMethod(ma.getMethod(), isoa) and
   unsafeExpression = getAMybatisAnnotationSqlValue(isoa) and

java/ql/src/experimental/Security/CWE/CWE-089/MyBatisCommonLib.qll

@@ -17,23 +17,23 @@ private predicate propertiesKey(DataFlow::Node prop, string key) {
 }
 
 /** A data flow configuration tracing flow from ibatis `Configuration.getVariables()` to a store into a `Properties` object. */
-private class PropertiesFlowConfig extends DataFlow2::Configuration {
-  PropertiesFlowConfig() { this = "PropertiesFlowConfig" }
-
-  override predicate isSource(DataFlow::Node src) {
+private module PropertiesFlowConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node src) {
     exists(MethodAccess ma | ma.getMethod() instanceof IbatisConfigurationGetVariablesMethod |
       src.asExpr() = ma
     )
   }
 
-  override predicate isSink(DataFlow::Node sink) { propertiesKey(sink, _) }
+  predicate isSink(DataFlow::Node sink) { propertiesKey(sink, _) }
 }
 
+private module PropertiesFlow = DataFlow::Global<PropertiesFlowConfig>;
+
 /** Gets a `Properties` key that may map onto a Mybatis `Configuration` variable. */
 string getAMybatisConfigurationVariableKey() {
-  exists(PropertiesFlowConfig conf, DataFlow::Node n |
+  exists(DataFlow::Node n |
     propertiesKey(n, result) and
-    conf.hasFlowTo(n)
+    PropertiesFlow::flowTo(n)
   )
 }
 

java/ql/src/experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjection.ql

@@ -13,28 +13,24 @@
  */
 
 import java
-import DataFlow::PathGraph
 import MyBatisCommonLib
 import MyBatisMapperXmlSqlInjectionLib
 import semmle.code.xml.MyBatisMapperXML
 import semmle.code.java.dataflow.FlowSources
+import MyBatisMapperXmlSqlInjectionFlow::PathGraph
 
-private class MyBatisMapperXmlSqlInjectionConfiguration extends TaintTracking::Configuration {
-  MyBatisMapperXmlSqlInjectionConfiguration() { this = "MyBatis mapper xml sql injection" }
+private module MyBatisMapperXmlSqlInjectionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSink(DataFlow::Node sink) { sink instanceof MyBatisMapperMethodCallAnArgument }
 
-  override predicate isSink(DataFlow::Node sink) {
-    sink instanceof MyBatisMapperMethodCallAnArgument
-  }
-
-  override predicate isSanitizer(DataFlow::Node node) {
+  predicate isBarrier(DataFlow::Node node) {
     node.getType() instanceof PrimitiveType or
     node.getType() instanceof BoxedType or
     node.getType() instanceof NumberType
   }
 
-  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     exists(MethodAccess ma |
       ma.getMethod().getDeclaringType() instanceof TypeObject and
       ma.getMethod().getName() = "toString" and
@@ -44,11 +40,15 @@ private class MyBatisMapperXmlSqlInjectionConfiguration extends TaintTracking::C
   }
 }
 
+private module MyBatisMapperXmlSqlInjectionFlow =
+  TaintTracking::Global<MyBatisMapperXmlSqlInjectionConfig>;
+
 from
-  MyBatisMapperXmlSqlInjectionConfiguration cfg, DataFlow::PathNode source, DataFlow::PathNode sink,
-  MyBatisMapperXmlElement mmxe, MethodAccess ma, string unsafeExpression
+  MyBatisMapperXmlSqlInjectionFlow::PathNode source,
+  MyBatisMapperXmlSqlInjectionFlow::PathNode sink, MyBatisMapperXmlElement mmxe, MethodAccess ma,
+  string unsafeExpression
 where
-  cfg.hasFlowPath(source, sink) and
+  MyBatisMapperXmlSqlInjectionFlow::flowPath(source, sink) and
   ma.getAnArgument() = sink.getNode().asExpr() and
   myBatisMapperXmlElementFromMethod(ma.getMethod(), mmxe) and
   unsafeExpression = getAMybatisXmlSetValue(mmxe) and

java/ql/src/experimental/Security/CWE/CWE-094/BeanShellInjection.ql

@@ -14,16 +14,15 @@
 import java
 import BeanShellInjection
 import semmle.code.java.dataflow.FlowSources
-import DataFlow::PathGraph
+import semmle.code.java.dataflow.TaintTracking
+import BeanShellInjectionFlow::PathGraph
 
-class BeanShellInjectionConfig extends TaintTracking::Configuration {
-  BeanShellInjectionConfig() { this = "BeanShellInjectionConfig" }
+module BeanShellInjectionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSink(DataFlow::Node sink) { sink instanceof BeanShellInjectionSink }
 
-  override predicate isSink(DataFlow::Node sink) { sink instanceof BeanShellInjectionSink }
-
-  override predicate isAdditionalTaintStep(DataFlow::Node prod, DataFlow::Node succ) {
+  predicate isAdditionalFlowStep(DataFlow::Node prod, DataFlow::Node succ) {
     exists(ClassInstanceExpr cie |
       cie.getConstructedType()
           .hasQualifiedName("org.springframework.scripting.support", "StaticScriptSource") and
@@ -42,7 +41,9 @@ class BeanShellInjectionConfig extends TaintTracking::Configuration {
   }
 }
 
-from DataFlow::PathNode source, DataFlow::PathNode sink, BeanShellInjectionConfig conf
-where conf.hasFlowPath(source, sink)
+module BeanShellInjectionFlow = TaintTracking::Global<BeanShellInjectionConfig>;
+
+from BeanShellInjectionFlow::PathNode source, BeanShellInjectionFlow::PathNode sink
+where BeanShellInjectionFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "BeanShell injection from $@.", source.getNode(),
   "this user input"

java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoading.ql

@@ -13,9 +13,9 @@
 
 import java
 import InsecureDexLoading
-import DataFlow::PathGraph
+import InsecureDexFlow::PathGraph
 
-from DataFlow::PathNode source, DataFlow::PathNode sink, InsecureDexConfiguration conf
-where conf.hasFlowPath(source, sink)
+from InsecureDexFlow::PathNode source, InsecureDexFlow::PathNode sink
+where InsecureDexFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "Potential arbitrary code execution due to $@.",
   source.getNode(), "a value loaded from a world-writable source."

java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoading.qll

@@ -1,22 +1,21 @@
 import java
+import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.dataflow.FlowSources
 
 /**
  * A taint-tracking configuration detecting unsafe use of a
  * `DexClassLoader` by an Android app.
  */
-class InsecureDexConfiguration extends TaintTracking::Configuration {
-  InsecureDexConfiguration() { this = "Insecure Dex File Load" }
+module InsecureDexConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof InsecureDexSource }
 
-  override predicate isSource(DataFlow::Node source) { source instanceof InsecureDexSource }
+  predicate isSink(DataFlow::Node sink) { sink instanceof InsecureDexSink }
 
-  override predicate isSink(DataFlow::Node sink) { sink instanceof InsecureDexSink }
-
-  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
-    flowStep(pred, succ)
-  }
+  predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) { flowStep(pred, succ) }
 }
 
+module InsecureDexFlow = TaintTracking::Global<InsecureDexConfig>;
+
 /** A data flow source for insecure Dex class loading vulnerabilities. */
 abstract class InsecureDexSource extends DataFlow::Node { }
 

java/ql/src/experimental/Security/CWE/CWE-094/JShellInjection.ql

@@ -14,16 +14,15 @@
 import java
 import JShellInjection
 import semmle.code.java.dataflow.FlowSources
-import DataFlow::PathGraph
+import semmle.code.java.dataflow.TaintTracking
+import JShellInjectionFlow::PathGraph
 
-class JShellInjectionConfiguration extends TaintTracking::Configuration {
-  JShellInjectionConfiguration() { this = "JShellInjectionConfiguration" }
+module JShellInjectionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSink(DataFlow::Node sink) { sink instanceof JShellInjectionSink }
 
-  override predicate isSink(DataFlow::Node sink) { sink instanceof JShellInjectionSink }
-
-  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+  predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
     exists(SourceCodeAnalysisAnalyzeCompletionCall scaacc |
       scaacc.getArgument(0) = pred.asExpr() and scaacc = succ.asExpr()
     )
@@ -34,7 +33,9 @@ class JShellInjectionConfiguration extends TaintTracking::Configuration {
   }
 }
 
-from DataFlow::PathNode source, DataFlow::PathNode sink, JShellInjectionConfiguration conf
-where conf.hasFlowPath(source, sink)
+module JShellInjectionFlow = TaintTracking::Global<JShellInjectionConfig>;
+
+from JShellInjectionFlow::PathNode source, JShellInjectionFlow::PathNode sink
+where JShellInjectionFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "JShell injection from $@.", source.getNode(),
   "this user input"