Make UnsafeUnzipSymlink use new API

owen-mc · owen-mc · commit a6177b3c9246 · 2023-08-10T15:49:20.000+01:00
diff --git a/go/ql/lib/semmle/go/security/UnsafeUnzipSymlink.qll b/go/ql/lib/semmle/go/security/UnsafeUnzipSymlink.qll
@@ -14,9 +14,11 @@ module UnsafeUnzipSymlink {
   import UnsafeUnzipSymlinkCustomizations::UnsafeUnzipSymlink
 
   /**
+   * DEPRECATED: Use `EvalSymlinksFlow` instead.
+   *
    * A taint-flow configuration tracking archive header fields flowing to a `path/filepath.EvalSymlinks` call.
    */
-  class EvalSymlinksConfiguration extends TaintTracking2::Configuration {
+  deprecated class EvalSymlinksConfiguration extends TaintTracking2::Configuration {
     EvalSymlinksConfiguration() { this = "Archive header field symlinks resolved" }
 
     override predicate isSource(DataFlow::Node source) { source instanceof FilenameWithSymlinks }
@@ -33,18 +35,31 @@ module UnsafeUnzipSymlink {
     }
   }
 
+  // Archive header field symlinks resolved
+  private module EvalSymlinksConfig implements DataFlow::ConfigSig {
+    predicate isSource(DataFlow::Node source) { source instanceof FilenameWithSymlinks }
+
+    predicate isSink(DataFlow::Node sink) { sink instanceof EvalSymlinksSink }
+
+    predicate isBarrier(DataFlow::Node node) { node instanceof EvalSymlinksInvalidator }
+  }
+
+  private module EvalSymlinksFlow = TaintTracking::Global<EvalSymlinksConfig>;
+
   /**
    * Holds if `node` is an archive header field read that flows to a `path/filepath.EvalSymlinks` call.
    */
   private predicate symlinksEvald(DataFlow::Node node) {
-    exists(EvalSymlinksConfiguration c | c.hasFlow(getASimilarReadNode(node), _))
+    EvalSymlinksFlow::flow(getASimilarReadNode(node), _)
   }
 
   /**
+   * DEPRECATED: Use `Flow` instead.
+   *
    * A taint-flow configuration tracking archive header fields flowing to an `os.Symlink` call,
    * which never flow to a `path/filepath.EvalSymlinks` call.
    */
-  class SymlinkConfiguration extends TaintTracking::Configuration {
+  deprecated class SymlinkConfiguration extends TaintTracking::Configuration {
     SymlinkConfiguration() { this = "Unsafe unzipping of symlinks" }
 
     override predicate isSource(DataFlow::Node source) {
@@ -63,4 +78,17 @@ module UnsafeUnzipSymlink {
       guard instanceof SymlinkSanitizerGuard
     }
   }
+
+  private module Config implements DataFlow::ConfigSig {
+    predicate isSource(DataFlow::Node source) {
+      source instanceof FilenameWithSymlinks and
+      not symlinksEvald(source)
+    }
+
+    predicate isSink(DataFlow::Node sink) { sink instanceof SymlinkSink }
+
+    predicate isBarrier(DataFlow::Node node) { node instanceof SymlinkSanitizer }
+  }
+
+  module Flow = TaintTracking::Global<Config>;
 }
diff --git a/go/ql/src/Security/CWE-022/UnsafeUnzipSymlink.ql b/go/ql/src/Security/CWE-022/UnsafeUnzipSymlink.ql
@@ -15,11 +15,11 @@
  */
 
 import go
-import DataFlow::PathGraph
-import semmle.go.security.UnsafeUnzipSymlink::UnsafeUnzipSymlink
+import semmle.go.security.UnsafeUnzipSymlink
+import UnsafeUnzipSymlink::Flow::PathGraph
 
-from SymlinkConfiguration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
-where cfg.hasFlowPath(source, sink)
+from UnsafeUnzipSymlink::Flow::PathNode source, UnsafeUnzipSymlink::Flow::PathNode sink
+where UnsafeUnzipSymlink::Flow::flowPath(source, sink)
 select source.getNode(), source, sink,
   "Unresolved path from an archive header, which may point outside the archive root, is used in $@.",
   sink.getNode(), "symlink creation"
