Refactor UnsafeReflection

egregius313 · egregius313 · commit 685a2043a88f · 2023-04-12T20:37:35.000-04:00
diff --git a/java/ql/src/experimental/Security/CWE/CWE-470/UnsafeReflection.ql b/java/ql/src/experimental/Security/CWE/CWE-470/UnsafeReflection.ql
@@ -17,7 +17,7 @@ import UnsafeReflectionLib
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.controlflow.Guards
-import DataFlow::PathGraph
+import UnsafeReflectionFlow::PathGraph
 
 private predicate containsSanitizer(Guard g, Expr e, boolean branch) {
   g.(MethodAccess).getMethod().hasName("contains") and
@@ -31,14 +31,12 @@ private predicate equalsSanitizer(Guard g, Expr e, boolean branch) {
   branch = true
 }
 
-class UnsafeReflectionConfig extends TaintTracking::Configuration {
-  UnsafeReflectionConfig() { this = "UnsafeReflectionConfig" }
+module UnsafeReflectionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeReflectionSink }
 
-  override predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeReflectionSink }
-
-  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+  predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
     // Argument -> return of Class.forName, ClassLoader.loadClass
     exists(ReflectiveClassIdentifierMethodAccess rcimac |
       rcimac.getArgument(0) = pred.asExpr() and rcimac = succ.asExpr()
@@ -75,23 +73,25 @@ class UnsafeReflectionConfig extends TaintTracking::Configuration {
     )
   }
 
-  override predicate isSanitizer(DataFlow::Node node) {
+  predicate isBarrier(DataFlow::Node node) {
     node = DataFlow::BarrierGuard<containsSanitizer/3>::getABarrierNode() or
     node = DataFlow::BarrierGuard<equalsSanitizer/3>::getABarrierNode()
   }
 }
 
+module UnsafeReflectionFlow = TaintTracking::Global<UnsafeReflectionConfig>;
+
 private Expr getAMethodArgument(MethodAccess reflectiveCall) {
   result = reflectiveCall.(NewInstance).getAnArgument()
   or
   result = reflectiveCall.(MethodInvokeCall).getAnArgument()
 }
 
 from
-  DataFlow::PathNode source, DataFlow::PathNode sink, UnsafeReflectionConfig conf,
+  UnsafeReflectionFlow::PathNode source, UnsafeReflectionFlow::PathNode sink,
   MethodAccess reflectiveCall
 where
-  conf.hasFlowPath(source, sink) and
+  UnsafeReflectionFlow::flowPath(source, sink) and
   sink.getNode().asExpr() = reflectiveCall.getQualifier() and
-  conf.hasFlowToExpr(getAMethodArgument(reflectiveCall))
+  UnsafeReflectionFlow::flowToExpr(getAMethodArgument(reflectiveCall))
 select sink.getNode(), source, sink, "Unsafe reflection of $@.", source.getNode(), "user input"
