JS: split CommandInjection.qll

Author: Esben Sparre Andreasen

javascript/ql/src/semmle/javascript/security/dataflow/CommandInjection.qll

@@ -1,26 +1,16 @@
 /**
- * Provides a taint tracking configuration for reasoning about command-injection
- * vulnerabilities (CWE-078).
+ * Provides a taint tracking configuration for reasoning about
+ * command-injection vulnerabilities (CWE-078).
+ *
+ * Note, for performance reasons: only import this file if
+ * `CommandInjection::Configuration` is needed, otherwise
+ * `CommandInjectionCustomizations` should be imported instead.
  */
 
 import javascript
-import semmle.javascript.security.dataflow.RemoteFlowSources
 
 module CommandInjection {
-  /**
-   * A data flow source for command-injection vulnerabilities.
-   */
-  abstract class Source extends DataFlow::Node { }
-
-  /**
-   * A data flow sink for command-injection vulnerabilities.
-   */
-  abstract class Sink extends DataFlow::Node { }
-
-  /**
-   * A sanitizer for command-injection vulnerabilities.
-   */
-  abstract class Sanitizer extends DataFlow::Node { }
+  import CommandInjectionCustomizations::CommandInjection
 
   /**
    * A taint-tracking configuration for reasoning about command-injection vulnerabilities.
@@ -45,18 +35,6 @@ module CommandInjection {
     override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
   }
 
-  /** A source of remote user input, considered as a flow source for command injection. */
-  class RemoteFlowSourceAsSource extends Source {
-    RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
-  }
-
-  /**
-   * A command argument to a function that initiates an operating system command.
-   */
-  class SystemCommandExecutionSink extends Sink, DataFlow::ValueNode {
-    SystemCommandExecutionSink() { this = any(SystemCommandExecution sys).getACommandArgument() }
-  }
-
   /**
    * Auxiliary data flow configuration for tracking string literals that look like they
    * may refer to an operating system shell, and array literals that may end up being

javascript/ql/src/semmle/javascript/security/dataflow/CommandInjectionCustomizations.qll

@@ -0,0 +1,38 @@
+/**
+ * Provides default sources, sinks and sanitisers for reasoning about
+ * command-injection vulnerabilities, as well as extension points for
+ * adding your own.
+ */
+
+import javascript
+import semmle.javascript.security.dataflow.RemoteFlowSources
+
+module CommandInjection {
+  /**
+   * A data flow source for command-injection vulnerabilities.
+   */
+  abstract class Source extends DataFlow::Node { }
+
+  /**
+   * A data flow sink for command-injection vulnerabilities.
+   */
+  abstract class Sink extends DataFlow::Node { }
+
+  /**
+   * A sanitizer for command-injection vulnerabilities.
+   */
+  abstract class Sanitizer extends DataFlow::Node { }
+
+  /** A source of remote user input, considered as a flow source for command injection. */
+  class RemoteFlowSourceAsSource extends Source {
+    RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
+  }
+
+  /**
+   * A command argument to a function that initiates an operating system command.
+   */
+  class SystemCommandExecutionSink extends Sink, DataFlow::ValueNode {
+    SystemCommandExecutionSink() { this = any(SystemCommandExecution sys).getACommandArgument() }
+  }
+
+}