
Commit d528c84

committed
Refactor XQueryInjection.ql
1 parent e7cbd49 commit d528c84

1 file changed

Lines changed: 12 additions & 9 deletions


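--- a/java/ql/src/experimental/Security/CWE/CWE-652/XQueryInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-652/XQueryInjection.ql
@@ -14,17 +14,15 @@
 import java
 import semmle.code.java.dataflow.FlowSources
 import XQueryInjectionLib
-import DataFlow::PathGraph
+import XQueryInjectionFlow::PathGraph
 
 /**
 * A taint-tracking configuration tracing flow from remote sources, through an XQuery parser, to its eventual execution.
 */
-class XQueryInjectionConfig extends TaintTracking::Configuration {
-XQueryInjectionConfig() { this = "XQueryInjectionConfig" }
+module XQueryInjectionConfig implements DataFlow::ConfigSig {
+predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
-override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
-override predicate isSink(DataFlow::Node sink) {
+predicate isSink(DataFlow::Node sink) {
 sink.asExpr() = any(XQueryPreparedExecuteCall xpec).getPreparedExpression() or
 sink.asExpr() = any(XQueryExecuteCall xec).getExecuteQueryArgument() or
 sink.asExpr() = any(XQueryExecuteCommandCall xecc).getExecuteCommandArgument()
@@ -33,12 +31,17 @@ class XQueryInjectionConfig extends TaintTracking::Configuration {
 /**
 * Holds if taint from the input `pred` to a `prepareExpression` call flows to the returned prepared expression `succ`.
 */
-override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
 exists(XQueryParserCall parser | pred.asExpr() = parser.getInput() and succ.asExpr() = parser)
 }
 }
 
-from DataFlow::PathNode source, DataFlow::PathNode sink, XQueryInjectionConfig conf
-where conf.hasFlowPath(source, sink)
+/**
+* Taint-tracking flow from remote sources, through an XQuery parser, to its eventual execution.
+*/
+module XQueryInjectionFlow = TaintTracking::Global<XQueryInjectionConfig>;
+
+from XQueryInjectionFlow::PathNode source, XQueryInjectionFlow::PathNode sink
+where XQueryInjectionFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "XQuery query might include code from $@.", source.getNode(),
 "this user input"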
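Review bot: `XQueryInjectionConfig` declares no `isBarrier` in the lines shown, so `XQueryInjectionFlow` reports every remote value that reaches one of the three sinks in `isSink`, including values that passed through a numeric or boolean type and can no longer carry XQuery syntax. The refactor preserves the old behaviour here, but the module form makes the barrier easy to add next to `isSink`, for example `predicate isBarrier(DataFlow::Node node) { node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType }`. Two lines of the file sit between the hunks and are not shown; this assumes they only close `isSink`. If the omission is deliberate for an experimental query, a short comment on the config module saying so would keep alert triagers from assuming sanitised inputs are already excluded.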
