From 9c8081429efa917cf121e35f7491a6d8b0a4f440 Mon Sep 17 00:00:00 2001
From: Ed Minnix
Date: Wed, 12 Apr 2023 09:03:40 -0400
Subject: [PATCH] Re-Add `SensitiveResultReceiverConf` as deprecated
---
 .../security/SensitiveResultReceiverQuery.qll | 31 ++++++++++++++-----
 1 file changed, 23 insertions(+), 8 deletions(-)
diff --git a/java/ql/lib/semmle/code/java/security/SensitiveResultReceiverQuery.qll b/java/ql/lib/semmle/code/java/security/SensitiveResultReceiverQuery.qll
index 4e3f93a1ea5b6..3603651be699b 100644
--- a/java/ql/lib/semmle/code/java/security/SensitiveResultReceiverQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/SensitiveResultReceiverQuery.qll
@@ -1,7 +1,8 @@
 /** Definitions for the sensitive result receiver query. */
 import java
-import semmle.code.java.dataflow.TaintTracking2
+import semmle.code.java.dataflow.TaintTracking
+private import semmle.code.java.dataflow.TaintTracking2
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.SensitiveActions
@@ -31,6 +32,25 @@ private predicate untrustedResultReceiverSend(DataFlow::Node src, ResultReceiver
 UntrustedResultReceiverFlow::flow(src, DataFlow::exprNode(call.getReceiver()))
 }
+deprecated private class SensitiveResultReceiverConf extends TaintTracking::Configuration {
+ SensitiveResultReceiverConf() { this = "SensitiveResultReceiverConf" }
+
+ override predicate isSource(DataFlow::Node node) { node.asExpr() instanceof SensitiveExpr }
+
+ override predicate isSink(DataFlow::Node node) {
+ exists(ResultReceiverSendCall call |
+ untrustedResultReceiverSend(_, call) and
+ node.asExpr() = call.getSentData()
+ )
+ }
+
+ override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
+ super.allowImplicitRead(node, c)
+ or
+ this.isSink(node)
+ }
+}
+
 module SensitiveResultReceiverConfig implements DataFlow::ConfigSig {
 predicate isSource(DataFlow::Node node) { node.asExpr() instanceof SensitiveExpr }
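Review bot: Turning `import semmle.code.java.dataflow.TaintTracking2` into `private import semmle.code.java.dataflow.TaintTracking2` in the first hunk means this library no longer re-exports `TaintTracking2` to files that import it. The commit is about keeping the old API usable, so a downstream query that reached `TaintTracking2` only through this file would presumably stop compiling. Whether any such user exists cannot be told from the patch. If the narrowing is intended, it deserves a line in the change note; otherwise keep the import public for the deprecation period.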
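Review bot: The re-added `SensitiveResultReceiverConf` in the second hunk carries its own copy of the source and sink definitions; its `isSource` body is identical to the `isSource` of `SensitiveResultReceiverConfig` shown in the trailing context lines. If one copy is edited later, the deprecated path and the new flow module would disagree on which sensitive data reaches an untrusted `ResultReceiver`. Delegating avoids that drift, e.g. `override predicate isSource(DataFlow::Node node) { SensitiveResultReceiverConfig::isSource(node) }`, and the same for `isSink` if the module's version matches; the module's body continues outside this hunk, so that needs checking. The class also has no QLDoc, so a one-line comment marking it deprecated and pointing readers to `SensitiveResultReceiverFlow` would say what replaces it.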
@@ -54,13 +74,8 @@ module SensitiveResultReceiverFlow = TaintTracking::Global