Move ReplaceAll sanitizer to shared code

owen-mc · owen-mc · commit 2b1a7898d9b6 · 2023-01-18T15:12:52.000Z
diff --git a/go/ql/lib/semmle/go/StringOps.qll b/go/ql/lib/semmle/go/StringOps.qll
@@ -162,6 +162,52 @@ module StringOps {
     }
   }
 
+  /**
+   * An expression that is equivalent to `strings.ReplaceAll(s, old, new)`.
+   *
+   * Extend this class to refine existing API models. If you want to model new APIs,
+   * extend `StringOps::ReplaceAll::Range` instead.
+   */
+  class ReplaceAll extends DataFlow::Node instanceof ReplaceAll::Range {
+    /**
+     * Gets the `old` in `strings.ReplaceAll(s, old, new)`.
+     */
+    string getReplacedString() { result = super.getReplacedString() }
+  }
+
+  /** Provides predicates and classes for working with prefix checks. */
+  module ReplaceAll {
+    /**
+     * An expression that is equivalent to `strings.ReplaceAll(s, old, new)`.
+     *
+     * Extend this class to model new APIs. If you want to refine existing API models, extend
+     * `StringOps::ReplaceAll` instead.
+     */
+    abstract class Range extends DataFlow::Node {
+      /**
+       * Gets the `old` in `strings.ReplaceAll(s, old, new)`.
+       */
+      abstract string getReplacedString();
+    }
+
+    /**
+     * A call to `strings.ReplaceAll`  or `strings.Replace` with a negative `n`
+     * so that all instances are replaced.
+     */
+    private class StringsReplaceAll extends Range, DataFlow::CallNode {
+      StringsReplaceAll() {
+        exists(string name | this.getTarget().hasQualifiedName("strings", name) |
+          name = "ReplaceAll"
+          or
+          name = "Replace" and
+          this.getArgument(3).getNumericValue() < 0
+        )
+      }
+
+      override string getReplacedString() { result = this.getArgument(1).getStringValue() }
+    }
+  }
+
   /** Provides predicates and classes for working with Printf-style formatters. */
   module Formatting {
     /**
diff --git a/go/ql/lib/semmle/go/security/StringBreakCustomizations.qll b/go/ql/lib/semmle/go/security/StringBreakCustomizations.qll
@@ -84,24 +84,13 @@ module StringBreak {
   }
 
   /**
-   * A call to `strings.Replace` or `strings.ReplaceAll`, considered as a sanitizer
-   * for unsafe quoting.
+   * An expression that is equivalent to `strings.ReplaceAll(s, old, new)`,
+   * considered as a sanitizer for unsafe quoting.
    */
-  class ReplaceSanitizer extends Sanitizer {
+  class ReplaceSanitizer extends Sanitizer, StringOps::ReplaceAll {
     Quote quote;
 
-    ReplaceSanitizer() {
-      exists(string name, DataFlow::CallNode call |
-        this = call and
-        call.getTarget().hasQualifiedName("strings", name) and
-        call.getArgument(1).getStringValue().matches("%" + quote + "%")
-      |
-        name = "Replace" and
-        call.getArgument(3).getNumericValue() < 0
-        or
-        name = "ReplaceAll"
-      )
-    }
+    ReplaceSanitizer() { this.getReplacedString().matches("%" + quote + "%") }
 
     override Quote getQuote() { result = quote }
   }
