Share TaintedFormatString between Ruby and JS

javascript/ql/lib/semmle/javascript/security/dataflow/TaintedFormatStringCustomizations.qll

@@ -3,10 +3,13 @@
  * format injections, as well as extension points for adding your own.
  */
 
-import javascript
-import semmle.javascript.security.dataflow.DOM
-
+/**
+ * Provides default sources, sinks and sanitizers for reasoning about
+ * format injections, as well as extension points for adding your own.
+ */
 module TaintedFormatString {
+  import TaintedFormatStringSpecific
+
   /**
    * A data flow source for format injections.
    */
@@ -23,9 +26,7 @@ module TaintedFormatString {
   abstract class Sanitizer extends DataFlow::Node { }
 
   /** A source of remote user input, considered as a flow source for format injection. */
-  class RemoteSource extends Source {
-    RemoteSource() { this instanceof RemoteFlowSource }
-  }
+  class RemoteSource extends Source instanceof RemoteFlowSource { }
 
   /**
    * A format argument to a printf-like function, considered as a flow sink for format injection.

javascript/ql/lib/semmle/javascript/security/dataflow/TaintedFormatStringQuery.qll

@@ -8,9 +8,7 @@
  * `TaintedFormatStringCustomizations` should be imported instead.
  */
 
-import javascript
-import semmle.javascript.security.dataflow.DOM
-import TaintedFormatStringCustomizations::TaintedFormatString
+private import TaintedFormatStringCustomizations::TaintedFormatString
 
 /**
  * A taint-tracking configuration for format injections.

javascript/ql/lib/semmle/javascript/security/dataflow/TaintedFormatStringSpecific.qll

@@ -0,0 +1,6 @@
+/**
+ * Provides JS-specific imports needed for `TaintedFormatStringQuery` and `TaintedFormatStringCustomizations`.
+ */
+
+import javascript
+import semmle.javascript.security.dataflow.DOM