JS: split HttpToFileAccess.qll

2019-07-04 08:50:44 +02:00 · 2019-07-04 08:50:44 +02:00 · 1f54f3269d
--- a/javascript/ql/src/semmle/javascript/security/dataflow/HttpToFileAccess.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/HttpToFileAccess.qll
@ -1,25 +1,15 @@
 /**
 * Provides a taint tracking configuration for reasoning about writing user-controlled data to files.
+ *
+ * Note, for performance reasons: only import this file if
+ * `HttpToFileAccess::Configuration` is needed, otherwise
+ * `HttpToFileAccessCustomizations` should be imported instead.
 */

 import javascript
-import semmle.javascript.security.dataflow.RemoteFlowSources

 module HttpToFileAccess {
-  /**
-   * A data flow source for writing user-controlled data to files.
-   */
-  abstract class Source extends DataFlow::Node { }
-
-  /**
-   * A data flow sink for writing user-controlled data to files.
-   */
-  abstract class Sink extends DataFlow::Node { }
-
-  /**
-   * A sanitizer for writing user-controlled data to files.
-   */
-  abstract class Sanitizer extends DataFlow::Node { }
+  import HttpToFileAccessCustomizations::HttpToFileAccess

  /**
   * A taint tracking configuration for writing user-controlled data to files.
@ -36,14 +26,4 @@ module HttpToFileAccess {
      node instanceof Sanitizer
    }
  }
-
-  /** A source of remote user input, considered as a flow source for writing user-controlled data to files. */
-  class RemoteFlowSourceAsSource extends Source {
-    RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
-  }
-
-  /** A sink that represents file access method (write, append) argument */
-  class FileAccessAsSink extends Sink {
-    FileAccessAsSink() { exists(FileSystemWriteAccess src | this = src.getADataNode()) }
-  }
 }
--- a/javascript/ql/src/semmle/javascript/security/dataflow/HttpToFileAccessCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/HttpToFileAccessCustomizations.qll
@ -0,0 +1,35 @@
+/**
+ * Provides default sources, sinks and sanitisers for reasoning about
+ * writing user-controlled data to files, as well as extension points
+ * for adding your own.
+ */
+
+import javascript
+import semmle.javascript.security.dataflow.RemoteFlowSources
+
+module HttpToFileAccess {
+  /**
+   * A data flow source for writing user-controlled data to files.
+   */
+  abstract class Source extends DataFlow::Node { }
+
+  /**
+   * A data flow sink for writing user-controlled data to files.
+   */
+  abstract class Sink extends DataFlow::Node { }
+
+  /**
+   * A sanitizer for writing user-controlled data to files.
+   */
+  abstract class Sanitizer extends DataFlow::Node { }
+
+  /** A source of remote user input, considered as a flow source for writing user-controlled data to files. */
+  class RemoteFlowSourceAsSource extends Source {
+    RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
+  }
+
+  /** A sink that represents file access method (write, append) argument */
+  class FileAccessAsSink extends Sink {
+    FileAccessAsSink() { exists(FileSystemWriteAccess src | this = src.getADataNode()) }
+  }
+}