Swift: Rewrite PathInjection to use DataFlow::ConfigSig

jketema · jketema · commit cb8568f6fd30 · 2023-04-04T09:10:21.000+02:00
diff --git a/swift/ql/lib/codeql/swift/security/PathInjectionQuery.qll b/swift/ql/lib/codeql/swift/security/PathInjectionQuery.qll
@@ -13,7 +13,7 @@ private import codeql.swift.security.PathInjectionExtensions
 /**
  * A taint-tracking configuration for path injection vulnerabilities.
  */
-class PathInjectionConfiguration extends TaintTracking::Configuration {
+deprecated class PathInjectionConfiguration extends TaintTracking::Configuration {
   PathInjectionConfiguration() { this = "PathInjectionConfiguration" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
@@ -28,3 +28,25 @@ class PathInjectionConfiguration extends TaintTracking::Configuration {
     any(PathInjectionAdditionalTaintStep s).step(node1, node2)
   }
 }
+
+/**
+ * A taint-tracking configuration for path injection vulnerabilities.
+ */
+module PathInjectionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof PathInjectionSink }
+
+  predicate isBarrier(DataFlow::Node sanitizer) {
+    sanitizer instanceof PathInjectionSanitizer
+  }
+
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    any(PathInjectionAdditionalTaintStep s).step(node1, node2)
+  }
+}
+
+/**
+ * Detect taint flow of path injection vulnerabilities.
+ */
+module PathInjectionFlow = TaintTracking::Global<PathInjectionConfig>;
diff --git a/swift/ql/src/queries/Security/CWE-022/PathInjection.ql b/swift/ql/src/queries/Security/CWE-022/PathInjection.ql
@@ -17,9 +17,9 @@
 import swift
 import codeql.swift.dataflow.DataFlow
 import codeql.swift.security.PathInjectionQuery
-import DataFlow::PathGraph
+import PathInjectionFlow::PathGraph
 
-from DataFlow::PathNode source, DataFlow::PathNode sink
-where any(PathInjectionConfiguration c).hasFlowPath(source, sink)
+from PathInjectionFlow::PathNode source, PathInjectionFlow::PathNode sink
+where PathInjectionFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "This path depends on a $@.", source.getNode(),
   "user-provided value"
diff --git a/swift/ql/test/query-tests/Security/CWE-022/PathInjectionTest.ql b/swift/ql/test/query-tests/Security/CWE-022/PathInjectionTest.ql
@@ -10,10 +10,8 @@ class PathInjectionTest extends InlineExpectationsTest {
   override string getARelevantTag() { result = "hasPathInjection" }
 
   override predicate hasActualResult(Location location, string element, string tag, string value) {
-    exists(
-      PathInjectionConfiguration config, DataFlow::Node source, DataFlow::Node sink, Expr sinkExpr
-    |
-      config.hasFlow(source, sink) and
+    exists(DataFlow::Node source, DataFlow::Node sink, Expr sinkExpr |
+      PathInjectionFlow::flow(source, sink) and
       sinkExpr = sink.asExpr() and
       location = sinkExpr.getLocation() and
       element = sinkExpr.toString() and
