Python: Move UnsafeDeserialization configuration to own file

RasmusWL · RasmusWL · commit 9ebe59d39380 · 2020-11-06T14:27:37.000+01:00
diff --git a/python/ql/src/Security/CWE-502/UnsafeDeserialization.ql b/python/ql/src/Security/CWE-502/UnsafeDeserialization.ql
@@ -12,25 +12,9 @@
  */
 
 import python
-import semmle.python.dataflow.new.DataFlow
-import semmle.python.dataflow.new.TaintTracking
-import semmle.python.Concepts
-import semmle.python.dataflow.new.RemoteFlowSources
+import semmle.python.security.dataflow.UnsafeDeserialization
 import DataFlow::PathGraph
 
-class UnsafeDeserializationConfiguration extends TaintTracking::Configuration {
-  UnsafeDeserializationConfiguration() { this = "UnsafeDeserializationConfiguration" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) {
-    exists(Decoding d |
-      d.mayExecuteInput() and
-      sink = d.getAnInput()
-    )
-  }
-}
-
 from UnsafeDeserializationConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink
 where config.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "Deserializing of $@.", source.getNode(), "untrusted input"
diff --git a/python/ql/src/semmle/python/security/dataflow/UnsafeDeserialization.qll b/python/ql/src/semmle/python/security/dataflow/UnsafeDeserialization.qll
@@ -0,0 +1,27 @@
+/**
+ * Provides a taint-tracking configuration for reasoning about arbitrary code execution
+ * vulnerabilities due to deserializing user-controlled data.
+ */
+
+import python
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.dataflow.new.TaintTracking
+import semmle.python.Concepts
+import semmle.python.dataflow.new.RemoteFlowSources
+
+/**
+ * A taint-tracking configuration for reasoning about arbitrary code execution
+ * vulnerabilities due to deserializing user-controlled data.
+ */
+class UnsafeDeserializationConfiguration extends TaintTracking::Configuration {
+  UnsafeDeserializationConfiguration() { this = "UnsafeDeserializationConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(Decoding d |
+      d.mayExecuteInput() and
+      sink = d.getAnInput()
+    )
+  }
+}
