Refactor InsecureBasicAuth

egregius313 · egregius313 · commit fa2f0dbc3b51 · 2023-03-29T22:33:09.000-04:00
diff --git a/java/ql/lib/semmle/code/java/security/InsecureBasicAuthQuery.qll b/java/ql/lib/semmle/code/java/security/InsecureBasicAuthQuery.qll
@@ -6,10 +6,12 @@ import semmle.code.java.security.InsecureBasicAuth
 import semmle.code.java.dataflow.TaintTracking
 
 /**
+ * DEPRECATED: Use `InsecureBasicAuthFlow` instead.
+ *
  * A taint tracking configuration for the Basic authentication scheme
  * being used in HTTP connections.
  */
-class BasicAuthFlowConfig extends TaintTracking::Configuration {
+deprecated class BasicAuthFlowConfig extends TaintTracking::Configuration {
   BasicAuthFlowConfig() { this = "InsecureBasicAuth::BasicAuthFlowConfig" }
 
   override predicate isSource(DataFlow::Node src) { src instanceof InsecureBasicAuthSource }
@@ -20,3 +22,22 @@ class BasicAuthFlowConfig extends TaintTracking::Configuration {
     any(HttpUrlsAdditionalTaintStep c).step(node1, node2)
   }
 }
+
+/**
+ * A taint tracking configuration for the Basic authentication scheme
+ * being used in HTTP connections.
+ */
+private module BasicAuthFlowConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node src) { src instanceof InsecureBasicAuthSource }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof InsecureBasicAuthSink }
+
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    any(HttpUrlsAdditionalTaintStep c).step(node1, node2)
+  }
+}
+
+/**
+ * Tracks flow for the Basic authentication scheme being used in HTTP connections.
+ */
+module InsecureBasicAuthFlow = TaintTracking::Global<BasicAuthFlowConfig>;
diff --git a/java/ql/src/Security/CWE/CWE-522/InsecureBasicAuth.ql b/java/ql/src/Security/CWE/CWE-522/InsecureBasicAuth.ql
@@ -16,9 +16,9 @@
 
 import java
 import semmle.code.java.security.InsecureBasicAuthQuery
-import DataFlow::PathGraph
+import InsecureBasicAuthFlow::PathGraph
 
-from DataFlow::PathNode source, DataFlow::PathNode sink, BasicAuthFlowConfig config
-where config.hasFlowPath(source, sink)
+from InsecureBasicAuthFlow::PathNode source, InsecureBasicAuthFlow::PathNode sink
+where InsecureBasicAuthFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "Insecure basic authentication from a $@.", source.getNode(),
   "HTTP URL"
diff --git a/java/ql/test/query-tests/security/CWE-522/InsecureBasicAuthTest.ql b/java/ql/test/query-tests/security/CWE-522/InsecureBasicAuthTest.ql
@@ -9,7 +9,7 @@ class HasInsecureBasicAuthTest extends InlineExpectationsTest {
 
   override predicate hasActualResult(Location location, string element, string tag, string value) {
     tag = "hasInsecureBasicAuth" and
-    exists(DataFlow::Node sink, BasicAuthFlowConfig conf | conf.hasFlowTo(sink) |
+    exists(DataFlow::Node sink | InsecureBasicAuthFlow::flowTo(sink) |
       sink.getLocation() = location and
       element = sink.toString() and
       value = ""
