Java: Fix tests and make modules private

aschackmull · aschackmull · commit e7f85673e93f · 2023-03-08T13:35:25.000+01:00
diff --git a/java/ql/lib/semmle/code/java/security/RequestForgeryConfig.qll b/java/ql/lib/semmle/code/java/security/RequestForgeryConfig.qll
@@ -35,7 +35,7 @@ deprecated class RequestForgeryConfiguration extends TaintTracking::Configuratio
 /**
  * A taint-tracking configuration characterising request-forgery risks.
  */
-module RequestForgeryConfiguration implements DataFlow::ConfigSig {
+private module RequestForgeryConfiguration implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) {
     source instanceof RemoteFlowSource and
     // Exclude results of remote HTTP requests: fetching something else based on that result
diff --git a/java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll b/java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll
@@ -49,7 +49,7 @@ deprecated class SensitiveLoggerConfiguration extends TaintTracking::Configurati
 }
 
 /** A data-flow configuration for identifying potentially-sensitive data flowing to a log output. */
-module SensitiveLoggerConfiguration implements DataFlow::ConfigSig {
+private module SensitiveLoggerConfiguration implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source.asExpr() instanceof CredentialExpr }
 
   predicate isSink(DataFlow::Node sink) { sinkNode(sink, "logging") }
diff --git a/java/ql/test/query-tests/security/CWE-532/SensitiveLogInfo.ql b/java/ql/test/query-tests/security/CWE-532/SensitiveLogInfo.ql
@@ -2,14 +2,10 @@ import java
 import TestUtilities.InlineFlowTest
 import semmle.code.java.security.SensitiveLoggingQuery
 
-class EnableLegacy extends EnableLegacyConfiguration {
-  EnableLegacy() { exists(this) }
-}
-
 class HasFlowTest extends InlineFlowTest {
-  override DataFlow::Configuration getTaintFlowConfig() {
-    result instanceof SensitiveLoggerConfiguration
+  override predicate hasTaintFlow(DataFlow::Node src, DataFlow::Node sink) {
+    SensitiveLoggerFlow::hasFlow(src, sink)
   }
 
-  override DataFlow::Configuration getValueFlowConfig() { none() }
+  override predicate hasValueFlow(DataFlow::Node src, DataFlow::Node sink) { none() }
 }
diff --git a/java/ql/test/query-tests/security/CWE-918/RequestForgery.ql b/java/ql/test/query-tests/security/CWE-918/RequestForgery.ql
@@ -9,7 +9,8 @@ class HasFlowTest extends InlineExpectationsTest {
 
   override predicate hasActualResult(Location location, string element, string tag, string value) {
     tag = "SSRF" and
-    exists(RequestForgeryConfiguration conf, DataFlow::Node sink | conf.hasFlowTo(sink) |
+    exists(DataFlow::Node sink |
+      RequestForgeryFlow::hasFlowTo(sink) and
       sink.getLocation() = location and
       element = sink.toString() and
       value = ""

Original file line number	Diff line number	Diff line change
`@@ -49,7 +49,7 @@ deprecated class SensitiveLoggerConfiguration extends TaintTracking::Configurati`
`49`	`49`	`}`
`50`	`50`
`51`	`51`	`/** A data-flow configuration for identifying potentially-sensitive data flowing to a log output. */`
`52`		`-module SensitiveLoggerConfiguration implements DataFlow::ConfigSig {`
	`52`	`+private module SensitiveLoggerConfiguration implements DataFlow::ConfigSig {`
`53`	`53`	`predicate isSource(DataFlow::Node source) { source.asExpr() instanceof CredentialExpr }`
`54`	`54`
`55`	`55`	`predicate isSink(DataFlow::Node sink) { sinkNode(sink, "logging") }`