
Commit 045936b

committed
Make PamAuthBypass use new API
1 parent cfc4a6a commit 045936b

1 file changed

Lines changed: 13 additions & 13 deletions


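--- a/go/ql/src/experimental/CWE-285/PamAuthBypass.ql
+++ b/go/ql/src/experimental/CWE-285/PamAuthBypass.ql
@@ -33,34 +33,34 @@ class PamStartFunc extends Function {
 PamStartFunc() { this.hasQualifiedName("github.com/msteinert/pam", ["StartFunc", "Start"]) }
 }
 
-class PamStartToAcctMgmtConfig extends TaintTracking::Configuration {
-PamStartToAcctMgmtConfig() { this = "PAM auth bypass (Start to AcctMgmt)" }
-
-override predicate isSource(DataFlow::Node source) {
+// PAM auth bypass (Start to AcctMgmt)
+module PamStartToAcctMgmtConfig implements DataFlow::ConfigSig {
+predicate isSource(DataFlow::Node source) {
 exists(PamStartFunc p | p.getACall().getResult(0) = source)
 }
 
-override predicate isSink(DataFlow::Node sink) {
+predicate isSink(DataFlow::Node sink) {
 exists(PamAcctMgmt p | p.getACall().getReceiver() = sink)
 }
 }
 
-class PamStartToAuthenticateConfig extends TaintTracking::Configuration {
-PamStartToAuthenticateConfig() { this = "PAM auth bypass (Start to Authenticate)" }
+module PamStartToAcctMgmtFlow = TaintTracking::Global<PamStartToAcctMgmtConfig>;
 
-override predicate isSource(DataFlow::Node source) {
+// PAM auth bypass (Start to Authenticate)
+module PamStartToAuthenticateConfig implements DataFlow::ConfigSig {
+predicate isSource(DataFlow::Node source) {
 exists(PamStartFunc p | p.getACall().getResult(0) = source)
 }
 
-override predicate isSink(DataFlow::Node sink) {
+predicate isSink(DataFlow::Node sink) {
 exists(PamAuthenticate p | p.getACall().getReceiver() = sink)
 }
 }
 
-from
-PamStartToAcctMgmtConfig acctMgmtConfig, PamStartToAuthenticateConfig authConfig,
-DataFlow::Node source, DataFlow::Node sink
+module PamStartToAuthenticateFlow = TaintTracking::Global<PamStartToAuthenticateConfig>;
+
+from DataFlow::Node source, DataFlow::Node sink
 where
 not isInTestFile(source.asExpr()) and
-(authConfig.hasFlow(source, sink) and not acctMgmtConfig.hasFlow(source, _))
+(PamStartToAuthenticateFlow::flow(source, sink) and not PamStartToAcctMgmtFlow::flow(source, _))
 select source, "This Pam transaction may not be secure."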
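Review bot: The negated term `not PamStartToAcctMgmtFlow::flow(source, _)` in the `where` clause suppresses the alert as soon as the `Start` result reaches any `AcctMgmt` receiver, so a transaction that calls `Authenticate` on one path and `AcctMgmt` only on another would not be reported. The migration carries this over unchanged from the old `hasFlow` form, and nothing visible here checks whether the `AcctMgmt` result is examined, which is presumably out of scope for this query. A comment above the clause would record the limitation for whoever triages results, e.g. `// Any AcctMgmt call reachable from the same Start result suppresses the alert, even on a different path from Authenticate.` The two `// PAM auth bypass (...)` comments on the config modules could also become QLDoc (`/** ... */`), so that the description formerly held in the configuration's string name stays attached to the module.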
