Split into customizations file

python/ql/lib/semmle/python/security/dataflow/HttpHeaderInjectionCustomizations.qll

@@ -0,0 +1,49 @@
+/**
+ * Provides default sources, sinks, and sanitizers for detecting
+ * "HTTP Header injection" vulnerabilities, as well as extension
+ * points for adding your own.
+ */
+
+import python
+private import semmle.python.Concepts
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.dataflow.new.TaintTracking
+private import semmle.python.dataflow.new.RemoteFlowSources
+
+/**
+ * Provides default sources, sinks, and sanitizers for detecting
+ * "HTTP Header injection" vulnerabilities, as well as extension
+ * points for adding your own.
+ */
+module HttpHeaderInjection {
+  /**
+   * A data flow source for "HTTP Header injection" vulnerabilities.
+   */
+  abstract class Source extends DataFlow::Node { }
+
+  /**
+   * A data flow sink for "HTTP Header injection" vulnerabilities.
+   */
+  abstract class Sink extends DataFlow::Node { }
+
+  /**
+   * A data flow sanitizer for "HTTP Header injection" vulnerabilities.
+   */
+  abstract class Sanitizer extends DataFlow::Node { }
+
+  /**
+   * A source of remote user input, considered as a flow source.
+   */
+  class RemoteFlowSourceAsSource extends Source, RemoteFlowSource { }
+
+  /**
+   * A HTTP header write, considered as a flow sink.
+   */
+  class HeaderWriteAsSink extends Sink {
+    HeaderWriteAsSink() {
+      exists(Http::Server::ResponseHeaderWrite headerDeclaration |
+        this in [headerDeclaration.getNameArg(), headerDeclaration.getValueArg()]
+      )
+    }
+  }
+}

python/ql/lib/semmle/python/security/dataflow/HttpHeaderInjectionQuery.qll

@@ -3,22 +3,19 @@
  */
 
 import python
-private import semmle.python.Concepts
 private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.TaintTracking
-private import semmle.python.dataflow.new.RemoteFlowSources
+private import HttpHeaderInjectionCustomizations
 
 /**
  * A taint-tracking configuration for detecting HTTP Header injection vulnerabilities.
  */
 private module HeaderInjectionConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node node) { node instanceof HttpHeaderInjection::Source }
 
-  predicate isSink(DataFlow::Node sink) {
-    exists(Http::Server::ResponseHeaderWrite headerDeclaration |
-      sink in [headerDeclaration.getNameArg(), headerDeclaration.getValueArg()]
-    )
-  }
+  predicate isSink(DataFlow::Node node) { node instanceof HttpHeaderInjection::Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof HttpHeaderInjection::Sanitizer }
 }
 
 /** Global taint-tracking for detecting "HTTP Header injection" vulnerabilities. */