C#: Re-factor ExtertalApisQuery to use the new API.

michaelnebel · michaelnebel · commit d94b11b001ec · 2023-04-13T10:08:39.000+02:00
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ExternalAPIsQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ExternalAPIsQuery.qll
@@ -90,26 +90,38 @@ class ExternalApiDataNode extends DataFlow::Node {
 /** DEPRECATED: Alias for ExternalApiDataNode */
 deprecated class ExternalAPIDataNode = ExternalApiDataNode;
 
-/** A configuration for tracking flow from `RemoteFlowSource`s to `ExternalApiDataNode`s. */
-class UntrustedDataToExternalApiConfig extends TaintTracking::Configuration {
+/**
+ * DEPRECATED: Use `RemoteSourceToExternalApi` instead.
+ *
+ * A configuration for tracking flow from `RemoteFlowSource`s to `ExternalApiDataNode`s.
+ */
+deprecated class UntrustedDataToExternalApiConfig extends TaintTracking::Configuration {
   UntrustedDataToExternalApiConfig() { this = "UntrustedDataToExternalAPIConfig" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   override predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
 }
 
+/** A configuration for tracking flow from `RemoteFlowSource`s to `ExternalApiDataNode`s. */
+private module RemoteSourceToExternalApiConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
+}
+
+/** A module for tracking flow from `RemoteFlowSource`s to `ExternalApiDataNode`s. */
+module RemoteSourceToExternalApi = TaintTracking::Global<RemoteSourceToExternalApiConfig>;
+
 /** DEPRECATED: Alias for UntrustedDataToExternalApiConfig */
 deprecated class UntrustedDataToExternalAPIConfig = UntrustedDataToExternalApiConfig;
 
 /** A node representing untrusted data being passed to an external API. */
 class UntrustedExternalApiDataNode extends ExternalApiDataNode {
-  private UntrustedDataToExternalApiConfig c;
-
-  UntrustedExternalApiDataNode() { c.hasFlow(_, this) }
+  UntrustedExternalApiDataNode() { RemoteSourceToExternalApi::flow(_, this) }
 
   /** Gets a source of untrusted data which is passed to this external API data node. */
-  DataFlow::Node getAnUntrustedSource() { c.hasFlow(result, this) }
+  DataFlow::Node getAnUntrustedSource() { RemoteSourceToExternalApi::flow(result, this) }
 }
 
 /** DEPRECATED: Alias for UntrustedExternalApiDataNode */
diff --git a/csharp/ql/src/Security Features/CWE-020/UntrustedDataToExternalAPI.ql b/csharp/ql/src/Security Features/CWE-020/UntrustedDataToExternalAPI.ql
@@ -12,13 +12,13 @@
 import csharp
 import semmle.code.csharp.commons.QualifiedName
 import semmle.code.csharp.security.dataflow.ExternalAPIsQuery
-import DataFlow::PathGraph
+import RemoteSourceToExternalApi::PathGraph
 
 from
-  UntrustedDataToExternalApiConfig config, DataFlow::PathNode source, DataFlow::PathNode sink,
+  RemoteSourceToExternalApi::PathNode source, RemoteSourceToExternalApi::PathNode sink,
   string qualifier, string name
 where
-  config.hasFlowPath(source, sink) and
+  RemoteSourceToExternalApi::flowPath(source, sink) and
   sink.getNode().(ExternalApiDataNode).hasQualifiedName(qualifier, name)
 select sink, source, sink,
   "Call to " + getQualifiedName(qualifier, name) + " with untrusted data from $@.", source,
