JS: split RegExpInjection.qll

javascript/ql/src/semmle/javascript/security/dataflow/RegExpInjection.qll

@@ -1,25 +1,16 @@
 /**
- * Provides a taint-tracking configuration for reasoning about untrusted user input used to construct
- * regular expressions.
+ * Provides a taint-tracking configuration for reasoning about
+ * untrusted user input used to construct regular expressions.
+ *
+ * Note, for performance reasons: only import this file if
+ * `RegExpInjection::Configuration` is needed, otherwise
+ * `RegExpInjectionCustomizations` should be imported instead.
  */
 
 import javascript
 
 module RegExpInjection {
-  /**
-   * A data flow source for untrusted user input used to construct regular expressions.
-   */
-  abstract class Source extends DataFlow::Node { }
-
-  /**
-   * A data flow sink for untrusted user input used to construct regular expressions.
-   */
-  abstract class Sink extends DataFlow::Node { }
-
-  /**
-   * A sanitizer for untrusted user input used to construct regular expressions.
-   */
-  abstract class Sanitizer extends DataFlow::Node { }
+  import RegExpInjectionCustomizations::RegExpInjection
 
   /**
    * A taint-tracking configuration for untrusted user input used to construct regular expressions.
@@ -36,35 +27,4 @@ module RegExpInjection {
       node instanceof Sanitizer
     }
   }
-
-  /**
-   * A source of remote user input, considered as a flow source for regular
-   * expression injection.
-   */
-  class RemoteFlowSourceAsSource extends Source {
-    RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
-  }
-
-  /**
-   * The source string of a regular expression.
-   */
-  class RegularExpressionSourceAsSink extends Sink {
-    RegularExpressionSourceAsSink() { isInterpretedAsRegExp(this) }
-  }
-
-  /**
-   * A call to a function whose name suggests that it escapes regular
-   * expression meta-characters.
-   */
-  class RegExpSanitizationCall extends Sanitizer, DataFlow::ValueNode {
-    RegExpSanitizationCall() {
-      exists(string calleeName, string sanitize, string regexp |
-        calleeName = astNode.(CallExpr).getCalleeName() and
-        sanitize = "(?:escape|saniti[sz]e)" and
-        regexp = "regexp?"
-      |
-        calleeName.regexpMatch("(?i)(" + sanitize + regexp + ")" + "|(" + regexp + sanitize + ")")
-      )
-    }
-  }
 }

javascript/ql/src/semmle/javascript/security/dataflow/RegExpInjectionCustomizations.qll

@@ -0,0 +1,55 @@
+/**
+ * Provides default sources, sinks and sanitisers for reasoning about
+ * untrusted user input used to construct regular expressions, as well
+ * as extension points for adding your own.
+ */
+
+import javascript
+
+module RegExpInjection {
+  /**
+   * A data flow source for untrusted user input used to construct regular expressions.
+   */
+  abstract class Source extends DataFlow::Node { }
+
+  /**
+   * A data flow sink for untrusted user input used to construct regular expressions.
+   */
+  abstract class Sink extends DataFlow::Node { }
+
+  /**
+   * A sanitizer for untrusted user input used to construct regular expressions.
+   */
+  abstract class Sanitizer extends DataFlow::Node { }
+
+  /**
+   * A source of remote user input, considered as a flow source for regular
+   * expression injection.
+   */
+  class RemoteFlowSourceAsSource extends Source {
+    RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
+  }
+
+  /**
+   * The source string of a regular expression.
+   */
+  class RegularExpressionSourceAsSink extends Sink {
+    RegularExpressionSourceAsSink() { isInterpretedAsRegExp(this) }
+  }
+
+  /**
+   * A call to a function whose name suggests that it escapes regular
+   * expression meta-characters.
+   */
+  class RegExpSanitizationCall extends Sanitizer, DataFlow::ValueNode {
+    RegExpSanitizationCall() {
+      exists(string calleeName, string sanitize, string regexp |
+        calleeName = astNode.(CallExpr).getCalleeName() and
+        sanitize = "(?:escape|saniti[sz]e)" and
+        regexp = "regexp?"
+      |
+        calleeName.regexpMatch("(?i)(" + sanitize + regexp + ")" + "|(" + regexp + sanitize + ")")
+      )
+    }
+  }
+}