Make CommandInjection.qll use new API

The new `edges` and `nodes` sections in the .expected files are because
the PathGraph module was not imported in the tests before, and thus
these query predicates were not in scope.

Author: mbg

go/ql/lib/semmle/go/security/CommandInjection.qll

@@ -17,10 +17,12 @@ module CommandInjection {
   import CommandInjectionCustomizations::CommandInjection
 
   /**
+   * DEPRECATED: Use `Flow` instead.
+   *
    * A taint-tracking configuration for reasoning about command-injection vulnerabilities
    * with sinks which are not sanitized by `--`.
    */
-  class Configuration extends TaintTracking::Configuration {
+  deprecated class Configuration extends TaintTracking::Configuration {
     Configuration() { this = "CommandInjection" }
 
     override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -39,6 +41,18 @@ module CommandInjection {
     }
   }
 
+  private module Config implements DataFlow::ConfigSig {
+    predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+    predicate isSink(DataFlow::Node sink) {
+      exists(Sink s | sink = s | not s.doubleDashIsSanitizing())
+    }
+
+    predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+  }
+
+  module Flow = TaintTracking::Global<Config>;
+
   private class ArgumentArrayWithDoubleDash extends DataFlow::Node {
     int doubleDashIndex;
 
@@ -79,10 +93,12 @@ module CommandInjection {
   }
 
   /**
+   * DEPRECATED: Use `DoubleDashSanitizingFlow` instead.
+   *
    * A taint-tracking configuration for reasoning about command-injection vulnerabilities
    * with sinks which are sanitized by `--`.
    */
-  class DoubleDashSanitizingConfiguration extends TaintTracking::Configuration {
+  deprecated class DoubleDashSanitizingConfiguration extends TaintTracking::Configuration {
     DoubleDashSanitizingConfiguration() { this = "CommandInjectionWithDoubleDashSanitizer" }
 
     override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -101,4 +117,17 @@ module CommandInjection {
       guard instanceof SanitizerGuard
     }
   }
+
+  private module DoubleDashSanitizingConfig implements DataFlow::ConfigSig {
+    predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+    predicate isSink(DataFlow::Node sink) { exists(Sink s | sink = s | s.doubleDashIsSanitizing()) }
+
+    predicate isBarrier(DataFlow::Node node) {
+      node instanceof Sanitizer or
+      node = any(ArgumentArrayWithDoubleDash array).getASanitizedElement()
+    }
+  }
+
+  module DoubleDashSanitizingFlow = TaintTracking::Global<DoubleDashSanitizingConfig>;
 }

go/ql/src/Security/CWE-078/CommandInjection.ql

@@ -13,11 +13,17 @@
 
 import go
 import semmle.go.security.CommandInjection
-import DataFlow::PathGraph
 
-from
-  CommandInjection::Configuration cfg, CommandInjection::DoubleDashSanitizingConfiguration cfg2,
-  DataFlow::PathNode source, DataFlow::PathNode sink
-where cfg.hasFlowPath(source, sink) or cfg2.hasFlowPath(source, sink)
+module Flow =
+  DataFlow::MergePathGraph<CommandInjection::Flow::PathNode,
+    CommandInjection::DoubleDashSanitizingFlow::PathNode, CommandInjection::Flow::PathGraph,
+    CommandInjection::DoubleDashSanitizingFlow::PathGraph>;
+
+import Flow::PathGraph
+
+from Flow::PathNode source, Flow::PathNode sink
+where
+  CommandInjection::Flow::flowPath(source.asPathNode1(), sink.asPathNode1()) or
+  CommandInjection::DoubleDashSanitizingFlow::flowPath(source.asPathNode2(), sink.asPathNode2())
 select sink.getNode(), source, sink, "This command depends on a $@.", source.getNode(),
   "user-provided value"

go/ql/test/library-tests/semmle/go/frameworks/Encoding/jsoniter.expected

@@ -1,3 +1,33 @@
+edges
+| jsoniter.go:23:20:23:38 | call to getUntrustedBytes | jsoniter.go:27:17:27:30 | untrustedInput |
+| jsoniter.go:23:20:23:38 | call to getUntrustedBytes | jsoniter.go:31:21:31:34 | untrustedInput |
+| jsoniter.go:24:21:24:40 | call to getUntrustedString | jsoniter.go:35:27:35:41 | untrustedString |
+| jsoniter.go:24:21:24:40 | call to getUntrustedString | jsoniter.go:39:31:39:45 | untrustedString |
+| jsoniter.go:27:17:27:30 | untrustedInput | jsoniter.go:27:33:27:37 | &... |
+| jsoniter.go:27:33:27:37 | &... | jsoniter.go:28:15:28:24 | selection of field |
+| jsoniter.go:31:21:31:34 | untrustedInput | jsoniter.go:31:37:31:42 | &... |
+| jsoniter.go:31:37:31:42 | &... | jsoniter.go:32:15:32:25 | selection of field |
+| jsoniter.go:35:27:35:41 | untrustedString | jsoniter.go:35:44:35:49 | &... |
+| jsoniter.go:35:44:35:49 | &... | jsoniter.go:36:15:36:25 | selection of field |
+| jsoniter.go:39:31:39:45 | untrustedString | jsoniter.go:39:48:39:53 | &... |
+| jsoniter.go:39:48:39:53 | &... | jsoniter.go:40:15:40:25 | selection of field |
+nodes
+| jsoniter.go:23:20:23:38 | call to getUntrustedBytes | semmle.label | call to getUntrustedBytes |
+| jsoniter.go:24:21:24:40 | call to getUntrustedString | semmle.label | call to getUntrustedString |
+| jsoniter.go:27:17:27:30 | untrustedInput | semmle.label | untrustedInput |
+| jsoniter.go:27:33:27:37 | &... | semmle.label | &... |
+| jsoniter.go:28:15:28:24 | selection of field | semmle.label | selection of field |
+| jsoniter.go:31:21:31:34 | untrustedInput | semmle.label | untrustedInput |
+| jsoniter.go:31:37:31:42 | &... | semmle.label | &... |
+| jsoniter.go:32:15:32:25 | selection of field | semmle.label | selection of field |
+| jsoniter.go:35:27:35:41 | untrustedString | semmle.label | untrustedString |
+| jsoniter.go:35:44:35:49 | &... | semmle.label | &... |
+| jsoniter.go:36:15:36:25 | selection of field | semmle.label | selection of field |
+| jsoniter.go:39:31:39:45 | untrustedString | semmle.label | untrustedString |
+| jsoniter.go:39:48:39:53 | &... | semmle.label | &... |
+| jsoniter.go:40:15:40:25 | selection of field | semmle.label | selection of field |
+subpaths
+#select
 | jsoniter.go:28:15:28:24 | selection of field | jsoniter.go:23:20:23:38 | call to getUntrustedBytes | jsoniter.go:28:15:28:24 | selection of field | This command depends on $@. | jsoniter.go:23:20:23:38 | call to getUntrustedBytes | a user-provided value |
 | jsoniter.go:32:15:32:25 | selection of field | jsoniter.go:23:20:23:38 | call to getUntrustedBytes | jsoniter.go:32:15:32:25 | selection of field | This command depends on $@. | jsoniter.go:23:20:23:38 | call to getUntrustedBytes | a user-provided value |
 | jsoniter.go:36:15:36:25 | selection of field | jsoniter.go:24:21:24:40 | call to getUntrustedString | jsoniter.go:36:15:36:25 | selection of field | This command depends on $@. | jsoniter.go:24:21:24:40 | call to getUntrustedString | a user-provided value |

go/ql/test/library-tests/semmle/go/frameworks/Encoding/jsoniter.ql

@@ -1,5 +1,6 @@
 import go
 import semmle.go.security.CommandInjection
+import CommandInjection::Flow::PathGraph
 
 class UntrustedFunction extends Function {
   UntrustedFunction() { this.getName() = ["getUntrustedString", "getUntrustedBytes"] }
@@ -9,7 +10,7 @@ class UntrustedSource extends DataFlow::Node, UntrustedFlowSource::Range {
   UntrustedSource() { this = any(UntrustedFunction f).getACall() }
 }
 
-from CommandInjection::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
-where cfg.hasFlowPath(source, sink)
+from CommandInjection::Flow::PathNode source, CommandInjection::Flow::PathNode sink
+where CommandInjection::Flow::flowPath(source, sink)
 select sink.getNode(), source, sink, "This command depends on $@.", source.getNode(),
   "a user-provided value"

go/ql/test/library-tests/semmle/go/frameworks/Gorestful/gorestful.expected

@@ -1,3 +1,37 @@
+edges
+| gorestful.go:15:15:15:44 | call to QueryParameters | gorestful.go:15:15:15:47 | index expression |
+| gorestful.go:17:12:17:39 | call to BodyParameter | gorestful.go:18:15:18:17 | val |
+| gorestful.go:21:15:21:38 | call to PathParameters | gorestful.go:21:15:21:45 | index expression |
+| gorestful.go:23:21:23:24 | &... | gorestful.go:24:15:24:21 | selection of cmd |
+| gorestful_v2.go:15:15:15:44 | call to QueryParameters | gorestful_v2.go:15:15:15:47 | index expression |
+| gorestful_v2.go:17:12:17:39 | call to BodyParameter | gorestful_v2.go:18:15:18:17 | val |
+| gorestful_v2.go:21:15:21:38 | call to PathParameters | gorestful_v2.go:21:15:21:45 | index expression |
+| gorestful_v2.go:23:21:23:24 | &... | gorestful_v2.go:24:15:24:21 | selection of cmd |
+nodes
+| gorestful.go:15:15:15:44 | call to QueryParameters | semmle.label | call to QueryParameters |
+| gorestful.go:15:15:15:47 | index expression | semmle.label | index expression |
+| gorestful.go:16:15:16:43 | call to QueryParameter | semmle.label | call to QueryParameter |
+| gorestful.go:17:12:17:39 | call to BodyParameter | semmle.label | call to BodyParameter |
+| gorestful.go:18:15:18:17 | val | semmle.label | val |
+| gorestful.go:19:15:19:44 | call to HeaderParameter | semmle.label | call to HeaderParameter |
+| gorestful.go:20:15:20:42 | call to PathParameter | semmle.label | call to PathParameter |
+| gorestful.go:21:15:21:38 | call to PathParameters | semmle.label | call to PathParameters |
+| gorestful.go:21:15:21:45 | index expression | semmle.label | index expression |
+| gorestful.go:23:21:23:24 | &... | semmle.label | &... |
+| gorestful.go:24:15:24:21 | selection of cmd | semmle.label | selection of cmd |
+| gorestful_v2.go:15:15:15:44 | call to QueryParameters | semmle.label | call to QueryParameters |
+| gorestful_v2.go:15:15:15:47 | index expression | semmle.label | index expression |
+| gorestful_v2.go:16:15:16:43 | call to QueryParameter | semmle.label | call to QueryParameter |
+| gorestful_v2.go:17:12:17:39 | call to BodyParameter | semmle.label | call to BodyParameter |
+| gorestful_v2.go:18:15:18:17 | val | semmle.label | val |
+| gorestful_v2.go:19:15:19:44 | call to HeaderParameter | semmle.label | call to HeaderParameter |
+| gorestful_v2.go:20:15:20:42 | call to PathParameter | semmle.label | call to PathParameter |
+| gorestful_v2.go:21:15:21:38 | call to PathParameters | semmle.label | call to PathParameters |
+| gorestful_v2.go:21:15:21:45 | index expression | semmle.label | index expression |
+| gorestful_v2.go:23:21:23:24 | &... | semmle.label | &... |
+| gorestful_v2.go:24:15:24:21 | selection of cmd | semmle.label | selection of cmd |
+subpaths
+#select
 | gorestful.go:15:15:15:47 | index expression | gorestful.go:15:15:15:44 | call to QueryParameters | gorestful.go:15:15:15:47 | index expression | This command depends on $@. | gorestful.go:15:15:15:44 | call to QueryParameters | a user-provided value |
 | gorestful.go:16:15:16:43 | call to QueryParameter | gorestful.go:16:15:16:43 | call to QueryParameter | gorestful.go:16:15:16:43 | call to QueryParameter | This command depends on $@. | gorestful.go:16:15:16:43 | call to QueryParameter | a user-provided value |
 | gorestful.go:18:15:18:17 | val | gorestful.go:17:12:17:39 | call to BodyParameter | gorestful.go:18:15:18:17 | val | This command depends on $@. | gorestful.go:17:12:17:39 | call to BodyParameter | a user-provided value |

go/ql/test/library-tests/semmle/go/frameworks/Gorestful/gorestful.ql

@@ -1,7 +1,8 @@
 import go
 import semmle.go.security.CommandInjection
+import CommandInjection::Flow::PathGraph
 
-from CommandInjection::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
-where cfg.hasFlowPath(source, sink)
+from CommandInjection::Flow::PathNode source, CommandInjection::Flow::PathNode sink
+where CommandInjection::Flow::flowPath(source, sink)
 select sink.getNode(), source, sink, "This command depends on $@.", source.getNode(),
   "a user-provided value"