Make HostKeyCallbackAssignment use new API

owen-mc · owen-mc · commit fbd0c4edd0e5 · 2023-08-10T15:49:07.000+01:00
diff --git a/go/ql/src/Security/CWE-322/InsecureHostKeyCallback.ql b/go/ql/src/Security/CWE-322/InsecureHostKeyCallback.ql
@@ -11,7 +11,6 @@
  */
 
 import go
-import DataFlow::PathGraph
 
 /** The `ssh.InsecureIgnoreHostKey` function, which allows connecting to any host regardless of its host key. */
 class InsecureIgnoreHostKey extends Function {
@@ -55,45 +54,44 @@ class InsecureHostKeyCallbackFunc extends HostKeyCallbackFunc {
   }
 }
 
-/**
- * A data-flow configuration for identifying `HostKeyCallbackFunc` instances that reach `ClientConfig.HostKeyCallback` fields.
- */
-class HostKeyCallbackAssignmentConfig extends DataFlow::Configuration {
-  HostKeyCallbackAssignmentConfig() { this = "HostKeyCallbackAssignmentConfig" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof HostKeyCallbackFunc }
+module Config implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof HostKeyCallbackFunc }
 
   /**
    * Holds if `sink` is a value written by `write` to a field `ClientConfig.HostKeyCallback`.
    */
-  predicate writeIsSink(DataFlow::Node sink, Write write) {
+  additional predicate writeIsSink(DataFlow::Node sink, Write write) {
     exists(Field f |
       f.hasQualifiedName(CryptoSsh::packagePath(), "ClientConfig", "HostKeyCallback") and
       write.writesField(_, f, sink)
     )
   }
 
-  override predicate isSink(DataFlow::Node sink) { this.writeIsSink(sink, _) }
+  predicate isSink(DataFlow::Node sink) { writeIsSink(sink, _) }
 }
 
+module Flow = DataFlow::Global<Config>;
+
+import Flow::PathGraph
+
 /**
  * Holds if a secure host-check function reaches `sink` or another similar sink.
  *
  * A sink is considered similar if it writes to the same variable and field.
  */
-predicate hostCheckReachesSink(DataFlow::PathNode sink) {
-  exists(HostKeyCallbackAssignmentConfig config, DataFlow::PathNode source |
+predicate hostCheckReachesSink(Flow::PathNode sink) {
+  exists(Flow::PathNode source |
     not source.getNode() instanceof InsecureHostKeyCallbackFunc and
     (
-      config.hasFlowPath(source, sink)
+      Flow::flowPath(source, sink)
       or
       exists(
-        DataFlow::PathNode otherSink, Write sinkWrite, Write otherSinkWrite,
+        Flow::PathNode otherSink, Write sinkWrite, Write otherSinkWrite,
         SsaWithFields sinkAccessPath, SsaWithFields otherSinkAccessPath
       |
-        config.hasFlowPath(source, otherSink) and
-        config.writeIsSink(sink.getNode(), sinkWrite) and
-        config.writeIsSink(otherSink.getNode(), otherSinkWrite) and
+        Flow::flowPath(source, otherSink) and
+        Config::writeIsSink(sink.getNode(), sinkWrite) and
+        Config::writeIsSink(otherSink.getNode(), otherSinkWrite) and
         sinkWrite.writesField(sinkAccessPath.getAUse(), _, sink.getNode()) and
         otherSinkWrite.writesField(otherSinkAccessPath.getAUse(), _, otherSink.getNode()) and
         otherSinkAccessPath = sinkAccessPath.similar()
@@ -102,9 +100,9 @@ predicate hostCheckReachesSink(DataFlow::PathNode sink) {
   )
 }
 
-from HostKeyCallbackAssignmentConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
+from Flow::PathNode source, Flow::PathNode sink
 where
-  config.hasFlowPath(source, sink) and
+  Flow::flowPath(source, sink) and
   source.getNode() instanceof InsecureHostKeyCallbackFunc and
   // Exclude cases where a good access-path function reaches the same or a similar sink
   // (these probably indicate optional host-checking)
