Refactor Security.CWE.CWE-094.InsecureBeanValidation

egregius313 · egregius313 · commit ac223ea57f56 · 2023-03-17T15:17:18.000-04:00
diff --git a/java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql b/java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql
@@ -13,7 +13,6 @@
 import java
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.dataflow.FlowSources
-import DataFlow::PathGraph
 private import semmle.code.java.dataflow.ExternalFlow
 
 /**
@@ -56,14 +55,16 @@ class SetMessageInterpolatorCall extends MethodAccess {
  * Taint tracking BeanValidationConfiguration describing the flow of data from user input
  * to the argument of a method that builds constraint error messages.
  */
-class BeanValidationConfig extends TaintTracking::Configuration {
-  BeanValidationConfig() { this = "BeanValidationConfig" }
+private module BeanValidationConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof BeanValidationSink }
+  predicate isSink(DataFlow::Node sink) { sink instanceof BeanValidationSink }
 }
 
+module BeanValidationFlow = TaintTracking::Make<BeanValidationConfig>;
+
+import BeanValidationFlow::PathGraph
+
 /**
  * A bean validation sink, such as method `buildConstraintViolationWithTemplate`
  * declared on a subtype of `javax.validation.ConstraintValidatorContext`.
@@ -72,13 +73,13 @@ private class BeanValidationSink extends DataFlow::Node {
   BeanValidationSink() { sinkNode(this, "bean-validation") }
 }
 
-from BeanValidationConfig cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+from BeanValidationFlow::PathNode source, BeanValidationFlow::PathNode sink
 where
   (
     not exists(SetMessageInterpolatorCall c)
     or
     exists(SetMessageInterpolatorCall c | not c.isSafe())
   ) and
-  cfg.hasFlowPath(source, sink)
+  BeanValidationFlow::hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "Custom constraint error message contains an unsanitized $@.",
   source, "user-provided value"
