Introduce TaintedPathAdditionalTaintStep

Use separate configurations for tainted path and tainted path local again.

Author: atorralba

java/ql/src/Security/CWE/CWE-022/TaintedPath.ql

@@ -29,7 +29,7 @@ predicate containsDotDotSanitizer(Guard g, Expr e, boolean branch) {
   )
 }
 
-class TaintedPathConfig extends TaintedPathCommonConfig {
+class TaintedPathConfig extends TaintTracking::Configuration {
   TaintedPathConfig() { this = "TaintedPathConfig" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
@@ -48,6 +48,10 @@ class TaintedPathConfig extends TaintedPathCommonConfig {
     or
     node = DataFlow::BarrierGuard<containsDotDotSanitizer/3>::getABarrierNode()
   }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) {
+    any(TaintedPathAdditionalTaintStep s).step(n1, n2)
+  }
 }
 
 /**

java/ql/src/Security/CWE/CWE-022/TaintedPathCommon.qll

@@ -6,13 +6,19 @@ import java
 import semmle.code.java.controlflow.Guards
 import semmle.code.java.security.PathCreation
 import semmle.code.java.frameworks.Networking
-import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.dataflow.DataFlow
 
-abstract class TaintedPathCommonConfig extends TaintTracking::Configuration {
-  bindingset[this]
-  TaintedPathCommonConfig() { any() }
+/**
+ * A unit class for adding additional taint steps.
+ *
+ * Extend this class to add additional taint steps that should apply to tainted path flow configurations.
+ */
+class TaintedPathAdditionalTaintStep extends Unit {
+  abstract predicate step(DataFlow::Node n1, DataFlow::Node n2);
+}
 
-  final override predicate isAdditionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) {
+private class DefaultTaintedPathAdditionalTaintStep extends TaintedPathAdditionalTaintStep {
+  override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
     exists(Argument a |
       a = n1.asExpr() and
       a.getCall() = n2.asExpr() and

java/ql/src/Security/CWE/CWE-022/TaintedPathLocal.ql

@@ -19,14 +19,18 @@ import semmle.code.java.security.PathCreation
 import DataFlow::PathGraph
 import TaintedPathCommon
 
-class TaintedPathLocalConfig extends TaintedPathCommonConfig {
+class TaintedPathLocalConfig extends TaintTracking::Configuration {
   TaintedPathLocalConfig() { this = "TaintedPathLocalConfig" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
 
   override predicate isSink(DataFlow::Node sink) {
     sink.asExpr() = any(PathCreation p).getAnInput()
   }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) {
+    any(TaintedPathAdditionalTaintStep s).step(n1, n2)
+  }
 }
 
 from

java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.expected

@@ -9,16 +9,11 @@ edges
 | Test.java:80:31:80:32 | br : BufferedReader | Test.java:80:31:80:43 | readLine(...) : String |
 | Test.java:80:31:80:43 | readLine(...) : String | Test.java:82:67:82:81 | ... + ... |
 | Test.java:88:17:88:37 | getHostName(...) : String | Test.java:90:26:90:29 | temp |
-| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:97:26:97:26 | t : String |
-| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:98:23:98:23 | t : String |
-| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:99:29:99:29 | t : String |
-| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:100:32:100:32 | t : String |
-| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:101:41:101:41 | t : String |
-| Test.java:97:26:97:26 | t : String | Test.java:97:12:97:33 | new URI(...) |
-| Test.java:98:23:98:23 | t : String | Test.java:98:12:98:33 | new URI(...) |
-| Test.java:99:29:99:29 | t : String | Test.java:99:12:99:33 | new URI(...) |
-| Test.java:100:32:100:32 | t : String | Test.java:100:12:100:45 | new URI(...) |
-| Test.java:101:41:101:41 | t : String | Test.java:101:12:101:54 | new URI(...) |
+| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:97:12:97:33 | new URI(...) |
+| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:98:12:98:33 | new URI(...) |
+| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:99:12:99:33 | new URI(...) |
+| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:100:12:100:45 | new URI(...) |
+| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:101:12:101:54 | new URI(...) |
 nodes
 | Test.java:19:18:19:38 | getHostName(...) : String | semmle.label | getHostName(...) : String |
 | Test.java:24:20:24:23 | temp | semmle.label | temp |
@@ -35,15 +30,10 @@ nodes
 | Test.java:90:26:90:29 | temp | semmle.label | temp |
 | Test.java:95:14:95:34 | getHostName(...) : String | semmle.label | getHostName(...) : String |
 | Test.java:97:12:97:33 | new URI(...) | semmle.label | new URI(...) |
-| Test.java:97:26:97:26 | t : String | semmle.label | t : String |
 | Test.java:98:12:98:33 | new URI(...) | semmle.label | new URI(...) |
-| Test.java:98:23:98:23 | t : String | semmle.label | t : String |
 | Test.java:99:12:99:33 | new URI(...) | semmle.label | new URI(...) |
-| Test.java:99:29:99:29 | t : String | semmle.label | t : String |
 | Test.java:100:12:100:45 | new URI(...) | semmle.label | new URI(...) |
-| Test.java:100:32:100:32 | t : String | semmle.label | t : String |
 | Test.java:101:12:101:54 | new URI(...) | semmle.label | new URI(...) |
-| Test.java:101:41:101:41 | t : String | semmle.label | t : String |
 subpaths
 #select
 | Test.java:24:11:24:24 | new File(...) | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:24:20:24:23 | temp | $@ flows to here and is used in a path. | Test.java:19:18:19:38 | getHostName(...) | User-provided value |