Make StackTraceExposure use new API

owen-mc · owen-mc · commit 2d3d21d07457 · 2023-08-10T15:49:40.000+01:00
diff --git a/go/ql/src/Security/CWE-209/StackTraceExposure.ql b/go/ql/src/Security/CWE-209/StackTraceExposure.ql
@@ -15,7 +15,6 @@
 
 import go
 import semmle.go.security.InsecureFeatureFlag::InsecureFeatureFlag
-import DataFlow::PathGraph
 
 /**
  * A flag indicating the program is in debug or development mode, or that stack
@@ -48,18 +47,16 @@ class DebugStackFunction extends Function {
  * A taint-tracking configuration that looks for stack traces being written to
  * an HTTP response body without an intervening debug- or development-mode conditional.
  */
-class StackTraceExposureConfig extends TaintTracking::Configuration {
-  StackTraceExposureConfig() { this = "StackTraceExposureConfig" }
-
-  override predicate isSource(DataFlow::Node node) {
-    node.(DataFlow::PostUpdateNode).getPreUpdateNode() =
+module StackTraceExposureConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    source.(DataFlow::PostUpdateNode).getPreUpdateNode() =
       any(StackFunction f).getACall().getArgument(0) or
-    node = any(DebugStackFunction f).getACall().getResult()
+    source = any(DebugStackFunction f).getACall().getResult()
   }
 
-  override predicate isSink(DataFlow::Node node) { node instanceof Http::ResponseBody }
+  predicate isSink(DataFlow::Node sink) { sink instanceof Http::ResponseBody }
 
-  override predicate isSanitizer(DataFlow::Node node) {
+  predicate isBarrier(DataFlow::Node node) {
     // Sanitise everything controlled by an is-debug-mode check.
     // Imprecision: I don't try to guess which arm of a branch is intended
     // to mean debug mode, and which is production mode.
@@ -71,8 +68,12 @@ class StackTraceExposureConfig extends TaintTracking::Configuration {
   }
 }
 
-from StackTraceExposureConfig cfg, DataFlow::PathNode source, DataFlow::PathNode sink
-where cfg.hasFlowPath(source, sink)
+module StackTraceExposureFlow = TaintTracking::Global<StackTraceExposureConfig>;
+
+import StackTraceExposureFlow::PathGraph
+
+from StackTraceExposureFlow::PathNode source, StackTraceExposureFlow::PathNode sink
+where StackTraceExposureFlow::flowPath(source, sink)
 select sink.getNode(), source, sink,
   "HTTP response depends on $@ and may be exposed to an external user.", source.getNode(),
   "stack trace information"
