Add XPathInjectionQuery

egregius313 · egregius313 · commit c2b6a3f4e0e4 · 2023-05-04T10:14:59.000-04:00
diff --git a/java/ql/lib/change-notes/2023-03-30-add-libraries-for-query-configurations.md b/java/ql/lib/change-notes/2023-03-30-add-libraries-for-query-configurations.md
@@ -2,4 +2,5 @@
 category: minorAnalysis
 ---
 * Added the `TaintedPermissionQuery.qll` library to provide the `TaintedPermissionFlow` taint-tracking module to reason about tainted permission vulnerabilities.
+* Added the `XPathInjectionQuery.qll` library to provide the `XPathInjectionFlow` taint-tracking module to reason about XPath injection vulnerabilities.
 * Added the `SqlConcatenatedQuery.qll` library to provide the `UncontrolledStringBuilderSourceFlow` taint-tracking module to reason about SQL injection vulnerabilities caused by concatenating untrusted strings.
diff --git a/java/ql/lib/semmle/code/java/security/XPathInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/XPathInjectionQuery.qll
@@ -0,0 +1,19 @@
+/** Provides taint-tracking flow to reason about XPath injection queries. */
+
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.security.XPath
+
+/**
+ * A taint-tracking configuration for reasoning about XPath injection vulnerabilities.
+ */
+module XPathInjectionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof XPathInjectionSink }
+}
+
+/**
+ * Taint-tracking flow for XPath injection vulnerabilities.
+ */
+module XPathInjectionFlow = TaintTracking::Global<XPathInjectionConfig>;
diff --git a/java/ql/src/Security/CWE/CWE-643/XPathInjection.ql b/java/ql/src/Security/CWE/CWE-643/XPathInjection.ql
@@ -12,18 +12,7 @@
  */
 
 import java
-import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.dataflow.TaintTracking
-import semmle.code.java.security.XPath
-
-module XPathInjectionConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
-  predicate isSink(DataFlow::Node sink) { sink instanceof XPathInjectionSink }
-}
-
-module XPathInjectionFlow = TaintTracking::Global<XPathInjectionConfig>;
-
+import semmle.code.java.security.XPathInjectionQuery
 import XPathInjectionFlow::PathGraph
 
 from XPathInjectionFlow::PathNode source, XPathInjectionFlow::PathNode sink
diff --git a/java/ql/test/query-tests/security/CWE-643/XPathInjectionTest.ql b/java/ql/test/query-tests/security/CWE-643/XPathInjectionTest.ql
@@ -1,25 +1,15 @@
 import java
-import semmle.code.java.dataflow.TaintTracking
-import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.security.XPath
+import semmle.code.java.security.XPathInjectionQuery
 import TestUtilities.InlineExpectationsTest
 
-module Config implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
-  predicate isSink(DataFlow::Node sink) { sink instanceof XPathInjectionSink }
-}
-
-module Flow = TaintTracking::Global<Config>;
-
 class HasXPathInjectionTest extends InlineExpectationsTest {
   HasXPathInjectionTest() { this = "HasXPathInjectionTest" }
 
   override string getARelevantTag() { result = "hasXPathInjection" }
 
   override predicate hasActualResult(Location location, string element, string tag, string value) {
     tag = "hasXPathInjection" and
-    exists(DataFlow::Node sink | Flow::flowTo(sink) |
+    exists(DataFlow::Node sink | XPathInjectionFlow::flowTo(sink) |
       sink.getLocation() = location and
       element = sink.toString() and
       value = ""
