Merge pull request #193 from advanced-security/securingdev-java-cwe-611-dataflow-udpate-2

securingdev · web-flow · commit 731cae43f2d8 · 2023-08-25T10:34:19.000-04:00
Securingdev java CWE 611 dataflow
diff --git a/java/CWE-611/XXELocal.ql b/java/CWE-611/XXELocal.ql
@@ -20,21 +20,21 @@ import semmle.code.java.dataflow.TaintTracking2
 //import DataFlow::PathGraph
 import github.LocalSources
 
-class SafeSAXSourceFlowConfig extends TaintTracking2::Configuration {
-  SafeSAXSourceFlowConfig() { this = "XmlParsers::SafeSAXSourceFlowConfig" }
+module SafeSAXSourceFlowConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SafeSaxSource }
 
-  override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SafeSaxSource }
-
-  override predicate isSink(DataFlow::Node sink) {
+  predicate isSink(DataFlow::Node sink) {
     sink.asExpr() = any(XmlParserCall parse).getSink()
   }
 
-  override int fieldFlowBranchLimit() { result = 0 }
+  int fieldFlowBranchLimit() { result = 0 }
 }
 
+module SafeSAXSourceFlow = TaintTracking::Global<SafeSAXSourceFlowConfig>;
+
 class UnsafeXxeSink extends DataFlow::ExprNode {
   UnsafeXxeSink() {
-    not exists(SafeSAXSourceFlowConfig safeSource | safeSource.hasFlowTo(this)) and
+    not SafeSAXSourceFlow::flowTo(this) and
     exists(XmlParserCall parse |
       parse.getSink() = this.getExpr() and
       not parse.isSafe()
@@ -43,7 +43,9 @@ class UnsafeXxeSink extends DataFlow::ExprNode {
 }
 
 module XXELocalConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
+  predicate isSource(DataFlow::Node source) { 
+    source instanceof LocalUserInput and
+    not exists(DataFlow::Node src | src.asExpr() instanceof SafeSaxSource)}
 
   predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeXxeSink }
 }
