Refactor PermissiveDotRegexQuery

egregius313 · egregius313 · commit 597949dbfe88 · 2023-04-12T20:37:36.000-04:00
diff --git a/java/ql/src/experimental/Security/CWE/CWE-625/PermissiveDotRegexQuery.qll b/java/ql/src/experimental/Security/CWE/CWE-625/PermissiveDotRegexQuery.qll
@@ -93,14 +93,12 @@ private class CompileRegexSink extends DataFlow::ExprNode {
 /**
  * A data flow configuration for regular expressions that include permissive dots.
  */
-private class PermissiveDotRegexConfig extends DataFlow2::Configuration {
-  PermissiveDotRegexConfig() { this = "PermissiveDotRegex::PermissiveDotRegexConfig" }
+private module PermissiveDotRegexConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow2::Node src) { src.asExpr() instanceof PermissiveDotStr }
 
-  override predicate isSource(DataFlow2::Node src) { src.asExpr() instanceof PermissiveDotStr }
+  predicate isSink(DataFlow2::Node sink) { sink instanceof CompileRegexSink }
 
-  override predicate isSink(DataFlow2::Node sink) { sink instanceof CompileRegexSink }
-
-  override predicate isBarrier(DataFlow2::Node node) {
+  predicate isBarrier(DataFlow2::Node node) {
     exists(
       MethodAccess ma, Field f // Pattern.compile(PATTERN, Pattern.DOTALL)
     |
@@ -113,19 +111,19 @@ private class PermissiveDotRegexConfig extends DataFlow2::Configuration {
   }
 }
 
+private module PermissiveDotRegexFlow = DataFlow::Global<PermissiveDotRegexConfig>;
+
 /**
  * A taint-tracking configuration for untrusted user input used to match regular expressions
  * that include permissive dots.
  */
-class MatchRegexConfiguration extends TaintTracking::Configuration {
-  MatchRegexConfiguration() { this = "PermissiveDotRegex::MatchRegexConfiguration" }
-
-  override predicate isSource(DataFlow::Node source) {
+module MatchRegexConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
     sourceNode(source, "uri-path") or // Servlet uri source
     source instanceof SpringUriInputParameterSource // Spring uri source
   }
 
-  override predicate isSink(DataFlow::Node sink) {
+  predicate isSink(DataFlow::Node sink) {
     sink instanceof MatchRegexSink and
     exists(
       Guard guard, Expr se, Expr ce // used in a condition to control url redirect, which is a typical security enforcement
@@ -145,7 +143,7 @@ class MatchRegexConfiguration extends TaintTracking::Configuration {
       ) and
       guard.controls(se.getBasicBlock(), true)
     ) and
-    exists(MethodAccess ma | any(PermissiveDotRegexConfig conf2).hasFlowToExpr(ma.getArgument(0)) |
+    exists(MethodAccess ma | PermissiveDotRegexFlow::flowToExpr(ma.getArgument(0)) |
       // input.matches(regexPattern)
       ma.getMethod() instanceof StringMatchMethod and
       ma.getQualifier() = sink.asExpr()
@@ -165,6 +163,8 @@ class MatchRegexConfiguration extends TaintTracking::Configuration {
   }
 }
 
+module MatchRegexFlow = TaintTracking::Global<MatchRegexConfig>;
+
 /**
  * A data flow sink representing a string being matched against a regular expression.
  */
