Java: Refactor ResponseSplitting, ResponseSplittingLocal

aschackmull · aschackmull · commit c4cf2febfb5c · 2023-03-07T10:37:45.000+01:00
diff --git a/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql b/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql
@@ -14,19 +14,16 @@
 import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.ResponseSplitting
-import DataFlow::PathGraph
 
-class ResponseSplittingConfig extends TaintTracking::Configuration {
-  ResponseSplittingConfig() { this = "ResponseSplittingConfig" }
-
-  override predicate isSource(DataFlow::Node source) {
+module ResponseSplittingConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
     source instanceof RemoteFlowSource and
     not source instanceof SafeHeaderSplittingSource
   }
 
-  override predicate isSink(DataFlow::Node sink) { sink instanceof HeaderSplittingSink }
+  predicate isSink(DataFlow::Node sink) { sink instanceof HeaderSplittingSink }
 
-  override predicate isSanitizer(DataFlow::Node node) {
+  predicate isBarrier(DataFlow::Node node) {
     node.getType() instanceof PrimitiveType
     or
     node.getType() instanceof BoxedType
@@ -45,8 +42,12 @@ class ResponseSplittingConfig extends TaintTracking::Configuration {
   }
 }
 
-from DataFlow::PathNode source, DataFlow::PathNode sink, ResponseSplittingConfig conf
-where conf.hasFlowPath(source, sink)
+module ResponseSplitting = TaintTracking::Make<ResponseSplittingConfig>;
+
+import ResponseSplitting::PathGraph
+
+from ResponseSplitting::PathNode source, ResponseSplitting::PathNode sink
+where ResponseSplitting::hasFlowPath(source, sink)
 select sink.getNode(), source, sink,
   "This header depends on a $@, which may cause a response-splitting vulnerability.",
   source.getNode(), "user-provided value"
diff --git a/java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.ql b/java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.ql
@@ -14,23 +14,24 @@
 import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.ResponseSplitting
-import DataFlow::PathGraph
 
-class ResponseSplittingLocalConfig extends TaintTracking::Configuration {
-  ResponseSplittingLocalConfig() { this = "ResponseSplittingLocalConfig" }
+module ResponseSplittingLocalConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
 
-  override predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
+  predicate isSink(DataFlow::Node sink) { sink instanceof HeaderSplittingSink }
 
-  override predicate isSink(DataFlow::Node sink) { sink instanceof HeaderSplittingSink }
-
-  override predicate isSanitizer(DataFlow::Node node) {
+  predicate isBarrier(DataFlow::Node node) {
     node.getType() instanceof PrimitiveType or
     node.getType() instanceof BoxedType
   }
 }
 
-from DataFlow::PathNode source, DataFlow::PathNode sink, ResponseSplittingLocalConfig conf
-where conf.hasFlowPath(source, sink)
+module ResponseSplitting = TaintTracking::Make<ResponseSplittingLocalConfig>;
+
+import ResponseSplitting::PathGraph
+
+from ResponseSplitting::PathNode source, ResponseSplitting::PathNode sink
+where ResponseSplitting::hasFlowPath(source, sink)
 select sink.getNode(), source, sink,
   "This header depends on a $@, which may cause a response-splitting vulnerability.",
   source.getNode(), "user-provided value"
