diff --git a/python/ql/src/experimental/Security/CWE-340/TokenBuiltFromUUID.ql b/python/ql/src/experimental/Security/CWE-340/TokenBuiltFromUUID.ql index 711abdb2f33..e4310a68e8f 100644 --- a/python/ql/src/experimental/Security/CWE-340/TokenBuiltFromUUID.ql +++ b/python/ql/src/experimental/Security/CWE-340/TokenBuiltFromUUID.ql @@ -16,7 +16,6 @@ import python import semmle.python.dataflow.new.DataFlow import semmle.python.ApiGraphs import semmle.python.dataflow.new.TaintTracking -import DataFlow::PathGraph class PredictableResultSource extends DataFlow::Node { PredictableResultSource() { @@ -40,14 +39,12 @@ class TokenAssignmentValueSink extends DataFlow::Node { } } -class TokenBuiltFromUuidConfig extends TaintTracking::Configuration { - TokenBuiltFromUuidConfig() { this = "TokenBuiltFromUuidConfig" } +private module TokenBuiltFromUUIDConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { source instanceof PredictableResultSource } - override predicate isSource(DataFlow::Node source) { source instanceof PredictableResultSource } + predicate isSink(DataFlow::Node sink) { sink instanceof TokenAssignmentValueSink } - override predicate isSink(DataFlow::Node sink) { sink instanceof TokenAssignmentValueSink } - - override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) { + predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) { exists(DataFlow::CallCfgNode call | call = API::builtin("str").getACall() and nodeFrom = call.getArg(0) and @@ -56,6 +53,11 @@ class TokenBuiltFromUuidConfig extends TaintTracking::Configuration { } } -from DataFlow::PathNode source, DataFlow::PathNode sink, TokenBuiltFromUuidConfig config -where config.hasFlowPath(source, sink) +/** Global taint-tracking for detecting "TokenBuiltFromUUID" vulnerabilities. */ +module TokenBuiltFromUUIDFlow = TaintTracking::Global; + +import TokenBuiltFromUUIDFlow::PathGraph + +from TokenBuiltFromUUIDFlow::PathNode source, TokenBuiltFromUUIDFlow::PathNode sink +where TokenBuiltFromUUIDFlow::flowPath(source, sink) select sink.getNode(), source, sink, "Token built from $@.", source.getNode(), "predictable value"