Merge pull request #368 from sauyon/xpath-fix

Update XPathExpressionString to match the Range pattern

ql/src/semmle/go/frameworks/XPath.qll

@@ -6,12 +6,25 @@ import go
 
 /** Provides classes for working with XPath-related APIs. */
 module XPath {
+  /**
+   * A data-flow node whose string value is interpreted as (part of) an XPath expression.
+   *
+   * Extend this class to refine existing API models. If you want to model new APIs,
+   * extend `XPath::XPathExpressionString::Range` instead.
+   */
+  class XPathExpressionString extends DataFlow::Node {
+    XPathExpressionString::Range self;
+
+    XPathExpressionString() { this = self }
+  }
+
   /** Provides classes for working with XPath expression strings. */
   module XPathExpressionString {
     /**
      * A data-flow node whose string value is interpreted as (part of) an XPath expression.
      *
-     * Extend this class to model new APIs.
+     * Extend this class to model new APIs. If you want to refine existing API models,
+     * extend `XPath::XPathExpressionString` instead.
      */
     abstract class Range extends DataFlow::Node { }
 

ql/src/semmle/go/security/XPathInjectionCustomizations.qll

@@ -36,6 +36,6 @@ module XPathInjection {
 
   /** An XPath expression string, considered as a taint sink for XPath injection. */
   class XPathExpressionStringAsSink extends Sink {
-    XPathExpressionStringAsSink() { this instanceof XPath::XPathExpressionString::Range }
+    XPathExpressionStringAsSink() { this instanceof XPath::XPathExpressionString }
   }
 }