JS: split TaintedFormatString.qll

Esben Sparre Andreasen · Esben Sparre Andreasen · commit 9e675d9973ae · 2019-07-04T22:42:55.000+02:00
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/TaintedFormatString.qll b/javascript/ql/src/semmle/javascript/security/dataflow/TaintedFormatString.qll
@@ -1,25 +1,18 @@
 /**
- * Provides a taint-tracking configuration for reasoning about format injections.
+ * Provides a taint-tracking configuration for reasoning about format
+ * injections.
+ *
+ *
+ * Note, for performance reasons: only import this file if
+ * `TaintedFormatString::Configuration` is needed, otherwise
+ * `TaintedFormatStringCustomizations` should be imported instead.
  */
 
 import javascript
 import semmle.javascript.security.dataflow.DOM
 
 module TaintedFormatString {
-  /**
-   * A data flow source for format injections.
-   */
-  abstract class Source extends DataFlow::Node { }
-
-  /**
-   * A data flow sink for format injections.
-   */
-  abstract class Sink extends DataFlow::Node { }
-
-  /**
-   * A sanitizer for format injections.
-   */
-  abstract class Sanitizer extends DataFlow::Node { }
+  import TaintedFormatStringCustomizations::TaintedFormatString
 
   /**
    * A taint-tracking configuration for format injections.
@@ -36,22 +29,4 @@ module TaintedFormatString {
       node instanceof Sanitizer
     }
   }
-
-  /** A source of remote user input, considered as a flow source for format injection. */
-  class RemoteSource extends Source {
-    RemoteSource() { this instanceof RemoteFlowSource }
-  }
-
-  /**
-   * A format argument to a printf-like function, considered as a flow sink for format injection.
-   */
-  class FormatSink extends Sink {
-    FormatSink() {
-      exists(PrintfStyleCall printf |
-        this = printf.getFormatString() and
-        // exclude trivial case where there are no arguments to interpolate
-        exists(printf.getFormatArgument(_))
-      )
-    }
-  }
 }
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/TaintedFormatStringCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/TaintedFormatStringCustomizations.qll
@@ -0,0 +1,42 @@
+/**
+ * Provides default sources, sinks and sanitisers for reasoning about
+ * format injections, as well as extension points for adding your own.
+ */
+
+import javascript
+import semmle.javascript.security.dataflow.DOM
+
+module TaintedFormatString {
+  /**
+   * A data flow source for format injections.
+   */
+  abstract class Source extends DataFlow::Node { }
+
+  /**
+   * A data flow sink for format injections.
+   */
+  abstract class Sink extends DataFlow::Node { }
+
+  /**
+   * A sanitizer for format injections.
+   */
+  abstract class Sanitizer extends DataFlow::Node { }
+
+  /** A source of remote user input, considered as a flow source for format injection. */
+  class RemoteSource extends Source {
+    RemoteSource() { this instanceof RemoteFlowSource }
+  }
+
+  /**
+   * A format argument to a printf-like function, considered as a flow sink for format injection.
+   */
+  class FormatSink extends Sink {
+    FormatSink() {
+      exists(PrintfStyleCall printf |
+        this = printf.getFormatString() and
+        // exclude trivial case where there are no arguments to interpolate
+        exists(printf.getFormatArgument(_))
+      )
+    }
+  }
+}
