C#: Re-factor DapperCommandDefinitionMethodCallSqlExpr to use the new API.

michaelnebel · michaelnebel · commit 5ea6cea894d9 · 2023-04-17T11:38:36.000+02:00
diff --git a/csharp/ql/lib/semmle/code/csharp/frameworks/Sql.qll b/csharp/ql/lib/semmle/code/csharp/frameworks/Sql.qll
@@ -52,23 +52,24 @@ class IDbCommandConstructionSqlExpr extends SqlExpr, ObjectCreation {
 class DapperCommandDefinitionMethodCallSqlExpr extends SqlExpr, ObjectCreation {
   DapperCommandDefinitionMethodCallSqlExpr() {
     this.getObjectType() instanceof Dapper::CommandDefinitionStruct and
-    exists(Conf c | c.hasFlow(DataFlow::exprNode(this), _))
+    DapperCommandDefinitionMethodCallSql::flow(DataFlow::exprNode(this), _)
   }
 
   override Expr getSql() { result = this.getArgumentForName("commandText") }
 }
 
-private class Conf extends DataFlow4::Configuration {
-  Conf() { this = "DapperCommandDefinitionFlowConfig" }
-
-  override predicate isSource(DataFlow::Node node) {
+private module DapperCommandDefitionMethodCallSqlConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) {
     node.asExpr().(ObjectCreation).getObjectType() instanceof Dapper::CommandDefinitionStruct
   }
 
-  override predicate isSink(DataFlow::Node node) {
+  predicate isSink(DataFlow::Node node) {
     exists(MethodCall mc |
       mc.getTarget() = any(Dapper::SqlMapperClass c).getAQueryMethod() and
       node.asExpr() = mc.getArgumentForName("command")
     )
   }
 }
+
+private module DapperCommandDefinitionMethodCallSql =
+  DataFlow::Global<DapperCommandDefitionMethodCallSqlConfig>;

Original file line number	Diff line number	Diff line change
`@@ -52,23 +52,24 @@ class IDbCommandConstructionSqlExpr extends SqlExpr, ObjectCreation {`
`52`	`52`	`class DapperCommandDefinitionMethodCallSqlExpr extends SqlExpr, ObjectCreation {`
`53`	`53`	`DapperCommandDefinitionMethodCallSqlExpr() {`
`54`	`54`	`this.getObjectType() instanceof Dapper::CommandDefinitionStruct and`
`55`		`- exists(Conf c \| c.hasFlow(DataFlow::exprNode(this), _))`
	`55`	`+ DapperCommandDefinitionMethodCallSql::flow(DataFlow::exprNode(this), _)`
`56`	`56`	`}`
`57`	`57`
`58`	`58`	`override Expr getSql() { result = this.getArgumentForName("commandText") }`
`59`	`59`	`}`
`60`	`60`
`61`		`-private class Conf extends DataFlow4::Configuration {`
`62`		`- Conf() { this = "DapperCommandDefinitionFlowConfig" }`
`63`		`-`
`64`		`- override predicate isSource(DataFlow::Node node) {`
	`61`	`+private module DapperCommandDefitionMethodCallSqlConfig implements DataFlow::ConfigSig {`
	`62`	`+ predicate isSource(DataFlow::Node node) {`
`65`	`63`	`node.asExpr().(ObjectCreation).getObjectType() instanceof Dapper::CommandDefinitionStruct`
`66`	`64`	`}`
`67`	`65`
`68`		`- override predicate isSink(DataFlow::Node node) {`
	`66`	`+ predicate isSink(DataFlow::Node node) {`
`69`	`67`	`exists(MethodCall mc \|`
`70`	`68`	`mc.getTarget() = any(Dapper::SqlMapperClass c).getAQueryMethod() and`
`71`	`69`	`node.asExpr() = mc.getArgumentForName("command")`
`72`	`70`	`)`
`73`	`71`	`}`
`74`	`72`	`}`
	`73`	`+`
	`74`	`+private module DapperCommandDefinitionMethodCallSql =`
	`75`	`+ DataFlow::Global<DapperCommandDefitionMethodCallSqlConfig>;`