Make DsnInjection use new API

owen-mc · owen-mc · commit 39762da5e03c · 2023-08-10T15:49:31.000+01:00
diff --git a/go/ql/src/experimental/CWE-74/DsnInjection.ql b/go/ql/src/experimental/CWE-74/DsnInjection.ql
@@ -10,13 +10,13 @@
  */
 
 import go
-import DataFlow::PathGraph
 import DsnInjectionCustomizations
+import DsnInjectionFlow::PathGraph
 
 /** An untrusted flow source taken as a source for the `DsnInjection` taint-flow configuration. */
 private class UntrustedFlowAsSource extends Source instanceof UntrustedFlowSource { }
 
-from DsnInjection cfg, DataFlow::PathNode source, DataFlow::PathNode sink
-where cfg.hasFlowPath(source, sink)
+from DsnInjectionFlow::PathNode source, DsnInjectionFlow::PathNode sink
+where DsnInjectionFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "Data-Source Name is built using $@.", source.getNode(),
   "untrusted user input"
diff --git a/go/ql/src/experimental/CWE-74/DsnInjectionCustomizations.qll b/go/ql/src/experimental/CWE-74/DsnInjectionCustomizations.qll
@@ -1,14 +1,17 @@
 /** Provides a taint-tracking model to reason about Data-Source name injection vulnerabilities. */
 
 import go
-import DataFlow::PathGraph
 import semmle.go.dataflow.barrierguardutil.RegexpCheck
 
 /** A source for `DsnInjection` taint-flow configuration. */
 abstract class Source extends DataFlow::Node { }
 
-/** A taint-tracking configuration to reason about Data Source Name injection vulnerabilities. */
-class DsnInjection extends TaintTracking::Configuration {
+/**
+ * DEPRECATED: Use `DsnInjectionFlow` instead.
+ *
+ *  A taint-tracking configuration to reason about Data Source Name injection vulnerabilities.
+ */
+deprecated class DsnInjection extends TaintTracking::Configuration {
   DsnInjection() { this = "DsnInjection" }
 
   override predicate isSource(DataFlow::Node node) { node instanceof Source }
@@ -25,6 +28,20 @@ class DsnInjection extends TaintTracking::Configuration {
   override predicate isSanitizer(DataFlow::Node node) { node instanceof RegexpCheckBarrier }
 }
 
+private module DsnInjectionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) {
+    exists(Function f | f.hasQualifiedName("database/sql", "Open") |
+      sink = f.getACall().getArgument(1)
+    )
+  }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof RegexpCheckBarrier }
+}
+
+module DsnInjectionFlow = TaintTracking::Global<DsnInjectionConfig>;
+
 /** A model of a function which decodes or unmarshals a tainted input, propagating taint from any argument to either the method receiver or return value. */
 private class DecodeFunctionModel extends TaintTracking::FunctionModel {
   DecodeFunctionModel() {
diff --git a/go/ql/src/experimental/CWE-74/DsnInjectionLocal.ql b/go/ql/src/experimental/CWE-74/DsnInjectionLocal.ql
@@ -10,15 +10,15 @@
  */
 
 import go
-import DataFlow::PathGraph
 import DsnInjectionCustomizations
+import DsnInjectionFlow::PathGraph
 
-/** An argument passed via the command line taken as a source for the `DsnInjection` taint-flow configuration. */
+/** An argument passed via the command line taken as a source for the `DsnInjectionFlow` taint-flow. */
 private class OsArgsSource extends Source {
   OsArgsSource() { this = any(Variable c | c.hasQualifiedName("os", "Args")).getARead() }
 }
 
-from DsnInjection cfg, DataFlow::PathNode source, DataFlow::PathNode sink
-where cfg.hasFlowPath(source, sink)
+from DsnInjectionFlow::PathNode source, DsnInjectionFlow::PathNode sink
+where DsnInjectionFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "This query depends on a $@.", source.getNode(),
   "user-provided value"
