Refactor MyBatis queries

egregius313 · egregius313 · commit cb7391177d7c · 2023-04-12T20:37:35.000-04:00
diff --git a/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.ql
@@ -13,27 +13,24 @@
  */
 
 import java
-import DataFlow::PathGraph
 import MyBatisCommonLib
 import MyBatisAnnotationSqlInjectionLib
 import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.dataflow.TaintTracking
+import MyBatisAnnotationSqlInjectionFlow::PathGraph
 
-private class MyBatisAnnotationSqlInjectionConfiguration extends TaintTracking::Configuration {
-  MyBatisAnnotationSqlInjectionConfiguration() { this = "MyBatis annotation sql injection" }
+private module MyBatisAnnotationSqlInjectionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSink(DataFlow::Node sink) { sink instanceof MyBatisAnnotatedMethodCallArgument }
 
-  override predicate isSink(DataFlow::Node sink) {
-    sink instanceof MyBatisAnnotatedMethodCallArgument
-  }
-
-  override predicate isSanitizer(DataFlow::Node node) {
+  predicate isBarrier(DataFlow::Node node) {
     node.getType() instanceof PrimitiveType or
     node.getType() instanceof BoxedType or
     node.getType() instanceof NumberType
   }
 
-  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     exists(MethodAccess ma |
       ma.getMethod().getDeclaringType() instanceof TypeObject and
       ma.getMethod().getName() = "toString" and
@@ -43,12 +40,15 @@ private class MyBatisAnnotationSqlInjectionConfiguration extends TaintTracking::
   }
 }
 
+private module MyBatisAnnotationSqlInjectionFlow =
+  TaintTracking::Global<MyBatisAnnotationSqlInjectionConfig>;
+
 from
-  MyBatisAnnotationSqlInjectionConfiguration cfg, DataFlow::PathNode source,
-  DataFlow::PathNode sink, IbatisSqlOperationAnnotation isoa, MethodAccess ma,
-  string unsafeExpression
+  MyBatisAnnotationSqlInjectionFlow::PathNode source,
+  MyBatisAnnotationSqlInjectionFlow::PathNode sink, IbatisSqlOperationAnnotation isoa,
+  MethodAccess ma, string unsafeExpression
 where
-  cfg.hasFlowPath(source, sink) and
+  MyBatisAnnotationSqlInjectionFlow::flowPath(source, sink) and
   ma.getAnArgument() = sink.getNode().asExpr() and
   myBatisSqlOperationAnnotationFromMethod(ma.getMethod(), isoa) and
   unsafeExpression = getAMybatisAnnotationSqlValue(isoa) and
diff --git a/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisCommonLib.qll b/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisCommonLib.qll
@@ -17,23 +17,23 @@ private predicate propertiesKey(DataFlow::Node prop, string key) {
 }
 
 /** A data flow configuration tracing flow from ibatis `Configuration.getVariables()` to a store into a `Properties` object. */
-private class PropertiesFlowConfig extends DataFlow2::Configuration {
-  PropertiesFlowConfig() { this = "PropertiesFlowConfig" }
-
-  override predicate isSource(DataFlow::Node src) {
+private module PropertiesFlowConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node src) {
     exists(MethodAccess ma | ma.getMethod() instanceof IbatisConfigurationGetVariablesMethod |
       src.asExpr() = ma
     )
   }
 
-  override predicate isSink(DataFlow::Node sink) { propertiesKey(sink, _) }
+  predicate isSink(DataFlow::Node sink) { propertiesKey(sink, _) }
 }
 
+private module PropertiesFlow = DataFlow::Global<PropertiesFlowConfig>;
+
 /** Gets a `Properties` key that may map onto a Mybatis `Configuration` variable. */
 string getAMybatisConfigurationVariableKey() {
-  exists(PropertiesFlowConfig conf, DataFlow::Node n |
+  exists(DataFlow::Node n |
     propertiesKey(n, result) and
-    conf.hasFlowTo(n)
+    PropertiesFlow::flowTo(n)
   )
 }
 
diff --git a/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjection.ql
@@ -13,28 +13,24 @@
  */
 
 import java
-import DataFlow::PathGraph
 import MyBatisCommonLib
 import MyBatisMapperXmlSqlInjectionLib
 import semmle.code.xml.MyBatisMapperXML
 import semmle.code.java.dataflow.FlowSources
+import MyBatisMapperXmlSqlInjectionFlow::PathGraph
 
-private class MyBatisMapperXmlSqlInjectionConfiguration extends TaintTracking::Configuration {
-  MyBatisMapperXmlSqlInjectionConfiguration() { this = "MyBatis mapper xml sql injection" }
+private module MyBatisMapperXmlSqlInjectionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSink(DataFlow::Node sink) { sink instanceof MyBatisMapperMethodCallAnArgument }
 
-  override predicate isSink(DataFlow::Node sink) {
-    sink instanceof MyBatisMapperMethodCallAnArgument
-  }
-
-  override predicate isSanitizer(DataFlow::Node node) {
+  predicate isBarrier(DataFlow::Node node) {
     node.getType() instanceof PrimitiveType or
     node.getType() instanceof BoxedType or
     node.getType() instanceof NumberType
   }
 
-  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     exists(MethodAccess ma |
       ma.getMethod().getDeclaringType() instanceof TypeObject and
       ma.getMethod().getName() = "toString" and
@@ -44,11 +40,15 @@ private class MyBatisMapperXmlSqlInjectionConfiguration extends TaintTracking::C
   }
 }
 
+private module MyBatisMapperXmlSqlInjectionFlow =
+  TaintTracking::Global<MyBatisMapperXmlSqlInjectionConfig>;
+
 from
-  MyBatisMapperXmlSqlInjectionConfiguration cfg, DataFlow::PathNode source, DataFlow::PathNode sink,
-  MyBatisMapperXmlElement mmxe, MethodAccess ma, string unsafeExpression
+  MyBatisMapperXmlSqlInjectionFlow::PathNode source,
+  MyBatisMapperXmlSqlInjectionFlow::PathNode sink, MyBatisMapperXmlElement mmxe, MethodAccess ma,
+  string unsafeExpression
 where
-  cfg.hasFlowPath(source, sink) and
+  MyBatisMapperXmlSqlInjectionFlow::flowPath(source, sink) and
   ma.getAnArgument() = sink.getNode().asExpr() and
   myBatisMapperXmlElementFromMethod(ma.getMethod(), mmxe) and
   unsafeExpression = getAMybatisXmlSetValue(mmxe) and

Original file line number	Diff line number	Diff line change
`@@ -17,23 +17,23 @@ private predicate propertiesKey(DataFlow::Node prop, string key) {`
`17`	`17`	`}`
`18`	`18`
`19`	`19`	/** A data flow configuration tracing flow from ibatis `Configuration.getVariables()` to a store into a `Properties` object. */
`20`		`-private class PropertiesFlowConfig extends DataFlow2::Configuration {`
`21`		`- PropertiesFlowConfig() { this = "PropertiesFlowConfig" }`
`22`		`-`
`23`		`- override predicate isSource(DataFlow::Node src) {`
	`20`	`+private module PropertiesFlowConfig implements DataFlow::ConfigSig {`
	`21`	`+ predicate isSource(DataFlow::Node src) {`
`24`	`22`	`exists(MethodAccess ma \| ma.getMethod() instanceof IbatisConfigurationGetVariablesMethod \|`
`25`	`23`	`src.asExpr() = ma`
`26`	`24`	`)`
`27`	`25`	`}`
`28`	`26`
`29`		`- override predicate isSink(DataFlow::Node sink) { propertiesKey(sink, _) }`
	`27`	`+ predicate isSink(DataFlow::Node sink) { propertiesKey(sink, _) }`
`30`	`28`	`}`
`31`	`29`
	`30`	`+private module PropertiesFlow = DataFlow::Global<PropertiesFlowConfig>;`
	`31`	`+`
`32`	`32`	/** Gets a `Properties` key that may map onto a Mybatis `Configuration` variable. */
`33`	`33`	`string getAMybatisConfigurationVariableKey() {`
`34`		`- exists(PropertiesFlowConfig conf, DataFlow::Node n \|`
	`34`	`+ exists(DataFlow::Node n \|`
`35`	`35`	`propertiesKey(n, result) and`
`36`		`- conf.hasFlowTo(n)`
	`36`	`+ PropertiesFlow::flowTo(n)`
`37`	`37`	`)`
`38`	`38`	`}`
`39`	`39`