Refactor CWE-209/StackTraceExposure

egregius313 · egregius313 · commit de6959c688d0 · 2023-03-20T12:26:54.000-04:00
diff --git a/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql b/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql
@@ -120,22 +120,20 @@ class GetMessageFlowSource extends MethodAccess {
   }
 }
 
-class GetMessageFlowSourceToHttpResponseSinkFlowConfig extends TaintTracking::Configuration {
-  GetMessageFlowSourceToHttpResponseSinkFlowConfig() {
-    this = "StackTraceExposure::GetMessageFlowSourceToHttpResponseSinkFlowConfig"
-  }
-
-  override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof GetMessageFlowSource }
+private module GetMessageFlowSourceToHttpResponseSinkFlowConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node src) { src.asExpr() instanceof GetMessageFlowSource }
 
-  override predicate isSink(DataFlow::Node sink) { sink instanceof InformationLeakSink }
+  predicate isSink(DataFlow::Node sink) { sink instanceof InformationLeakSink }
 }
 
+module GetMessageFlowSourceToHttpResponseSinkFlow =
+  TaintTracking::Make<GetMessageFlowSourceToHttpResponseSinkFlowConfig>;
+
 /**
  * A call to `getMessage()` that then flows to a servlet response.
  */
 predicate getMessageFlowsExternally(DataFlow::Node externalExpr, GetMessageFlowSource getMessage) {
-  any(GetMessageFlowSourceToHttpResponseSinkFlowConfig conf)
-      .hasFlow(DataFlow::exprNode(getMessage), externalExpr)
+  GetMessageFlowSourceToHttpResponseSinkFlow::hasFlow(DataFlow::exprNode(getMessage), externalExpr)
 }
 
 from Expr externalExpr, Expr errorInformation
