Ruby: configsig rb/sensitive-get-query

alexrford · alexrford · commit df9173502ec3 · 2023-09-03T17:20:05.000+01:00
diff --git a/ruby/ql/lib/codeql/ruby/security/SensitiveGetQueryQuery.qll b/ruby/ql/lib/codeql/ruby/security/SensitiveGetQueryQuery.qll
@@ -2,9 +2,9 @@
  * Provides a taint-tracking configuration for detecting flow of query string
  * data to sensitive actions in GET query request handlers.
  *
- * Note, for performance reasons: only import this file if `Configuration` is
- * needed, otherwise `SensitiveGetQueryCustomizations` should be imported
- * instead.
+ * Note, for performance reasons: only import this file if
+ * `SensitiveGetQueryFlow` is needed, otherwise
+ * `SensitiveGetQueryCustomizations` should be imported instead.
  */
 
 private import ruby
@@ -13,19 +13,34 @@ private import codeql.ruby.TaintTracking
 /**
  * Provides a taint-tracking configuration for detecting flow of query string
  * data to sensitive actions in GET query request handlers.
+ * DEPRECATED: Use `SensitiveGetQueryFlow`
  */
-module SensitiveGetQuery {
+deprecated module SensitiveGetQuery {
   import SensitiveGetQueryCustomizations::SensitiveGetQuery
 
   /**
    * A taint-tracking configuration for reasoning about use of sensitive data
    * from a GET request query string.
    */
-  class Configuration extends TaintTracking::Configuration {
+  deprecated class Configuration extends TaintTracking::Configuration {
     Configuration() { this = "SensitiveGetQuery" }
 
     override predicate isSource(DataFlow::Node source) { source instanceof Source }
 
     override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
   }
 }
+
+private module SensitiveGetQueryConfig implements DataFlow::ConfigSig {
+  import SensitiveGetQueryCustomizations::SensitiveGetQuery
+
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+}
+
+/**
+ * Taint-tracking for reasoning about use of sensitive data from a
+ *  GET request query string.
+ */
+module SensitiveGetQueryFlow = TaintTracking::Global<SensitiveGetQueryConfig>;
diff --git a/ruby/ql/src/queries/security/cwe-598/SensitiveGetQuery.ql b/ruby/ql/src/queries/security/cwe-598/SensitiveGetQuery.ql
@@ -13,9 +13,10 @@
 
 import ruby
 import codeql.ruby.security.SensitiveGetQueryQuery
+import codeql.ruby.security.SensitiveGetQueryCustomizations::SensitiveGetQuery
 import codeql.ruby.security.SensitiveActions
 
-from DataFlow::Node source, DataFlow::Node sink, SensitiveGetQuery::Configuration config
-where config.hasFlow(source, sink)
-select source, "$@ for GET requests uses query parameter as sensitive data.",
-  source.(SensitiveGetQuery::Source).getHandler(), "Route handler"
+from Source source, DataFlow::Node sink
+where SensitiveGetQueryFlow::flow(source, sink)
+select source, "$@ for GET requests uses query parameter as sensitive data.", source.getHandler(),
+  "Route handler"
