Refactor XsltInjection

Author: egregius313

java/ql/lib/semmle/code/java/security/XsltInjectionQuery.qll

@@ -7,9 +7,11 @@ import semmle.code.java.security.XmlParsers
 import semmle.code.java.security.XsltInjection
 
 /**
+ * DEPRECATED: Use `XsltInjectionFlow` instead.
+ *
  * A taint-tracking configuration for unvalidated user input that is used in XSLT transformation.
  */
-class XsltInjectionFlowConfig extends TaintTracking::Configuration {
+deprecated class XsltInjectionFlowConfig extends TaintTracking::Configuration {
   XsltInjectionFlowConfig() { this = "XsltInjectionFlowConfig" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
@@ -25,6 +27,28 @@ class XsltInjectionFlowConfig extends TaintTracking::Configuration {
   }
 }
 
+/**
+ * A taint-tracking configuration for unvalidated user input that is used in XSLT transformation.
+ */
+private module XsltInjectionFlowConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof XsltInjectionSink }
+
+  predicate isBarrier(DataFlow::Node node) {
+    node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType
+  }
+
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    any(XsltInjectionAdditionalTaintStep c).step(node1, node2)
+  }
+}
+
+/**
+ * Tracks flow from unvalidated user input to XSLT transformation.
+ */
+module XsltInjectionFlow = TaintTracking::Make<XsltInjectionFlowConfig>;
+
 /**
  * A set of additional taint steps to consider when taint tracking XSLT related data flows.
  * These steps use data flow logic themselves.
@@ -46,39 +70,37 @@ private predicate newTransformerOrTemplatesStep(DataFlow::Node n1, DataFlow::Nod
     n2.asExpr() = ma and
     m.getDeclaringType() instanceof TransformerFactory and
     m.hasName(["newTransformer", "newTemplates"]) and
-    not exists(TransformerFactoryWithSecureProcessingFeatureFlowConfig conf |
-      conf.hasFlowToExpr(ma.getQualifier())
-    )
+    not TransformerFactoryWithSecureProcessingFeatureFlow::hasFlowToExpr(ma.getQualifier())
   )
 }
 
 /**
  * A data flow configuration for secure processing feature that is enabled on `TransformerFactory`.
  */
-private class TransformerFactoryWithSecureProcessingFeatureFlowConfig extends DataFlow2::Configuration
+private module TransformerFactoryWithSecureProcessingFeatureFlowConfig implements
+  DataFlow::ConfigSig
 {
-  TransformerFactoryWithSecureProcessingFeatureFlowConfig() {
-    this = "TransformerFactoryWithSecureProcessingFeatureFlowConfig"
-  }
-
-  override predicate isSource(DataFlow::Node src) {
+  predicate isSource(DataFlow::Node src) {
     exists(Variable v | v = src.asExpr().(VarAccess).getVariable() |
       exists(TransformerFactoryFeatureConfig config | config.getQualifier() = v.getAnAccess() |
         config.enables(configSecureProcessing())
       )
     )
   }
 
-  override predicate isSink(DataFlow::Node sink) {
+  predicate isSink(DataFlow::Node sink) {
     exists(MethodAccess ma |
       sink.asExpr() = ma.getQualifier() and
       ma.getMethod().getDeclaringType() instanceof TransformerFactory
     )
   }
 
-  override int fieldFlowBranchLimit() { result = 0 }
+  int fieldFlowBranchLimit() { result = 0 }
 }
 
+private module TransformerFactoryWithSecureProcessingFeatureFlow =
+  DataFlow::Make<TransformerFactoryWithSecureProcessingFeatureFlowConfig>;
+
 /** A `ParserConfig` specific to `TransformerFactory`. */
 private class TransformerFactoryFeatureConfig extends ParserConfig {
   TransformerFactoryFeatureConfig() {

java/ql/src/Security/CWE/CWE-074/XsltInjection.ql

@@ -13,9 +13,9 @@
 
 import java
 import semmle.code.java.security.XsltInjectionQuery
-import DataFlow::PathGraph
+import XsltInjectionFlow::PathGraph
 
-from DataFlow::PathNode source, DataFlow::PathNode sink, XsltInjectionFlowConfig conf
-where conf.hasFlowPath(source, sink)
+from XsltInjectionFlow::PathNode source, XsltInjectionFlow::PathNode sink
+where XsltInjectionFlow::hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "XSLT transformation might include stylesheet from $@.",
   source.getNode(), "this user input"

java/ql/test/query-tests/security/CWE-074/XsltInjectionTest.ql

@@ -11,7 +11,7 @@ class HasXsltInjectionTest extends InlineExpectationsTest {
 
   override predicate hasActualResult(Location location, string element, string tag, string value) {
     tag = "hasXsltInjection" and
-    exists(DataFlow::Node sink, XsltInjectionFlowConfig conf | conf.hasFlowTo(sink) |
+    exists(DataFlow::Node sink | XsltInjectionFlow::hasFlowTo(sink) |
       sink.getLocation() = location and
       element = sink.toString() and
       value = ""