Decouple OgnlInjection.qll to reuse the taint tracking configuration

java/ql/src/Security/CWE/CWE-917/OgnlInjection.ql

@@ -11,29 +11,9 @@
  */
 
 import java
-import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.security.OgnlInjection
+import semmle.code.java.security.OgnlInjectionQuery
 import DataFlow::PathGraph
 
-/**
- * A taint-tracking configuration for unvalidated user input that is used in OGNL EL evaluation.
- */
-class OgnlInjectionFlowConfig extends TaintTracking::Configuration {
-  OgnlInjectionFlowConfig() { this = "OgnlInjectionFlowConfig" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof OgnlInjectionSink }
-
-  override predicate isSanitizer(DataFlow::Node node) {
-    node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType
-  }
-
-  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
-    any(OgnlInjectionAdditionalTaintStep c).step(node1, node2)
-  }
-}
-
 from DataFlow::PathNode source, DataFlow::PathNode sink, OgnlInjectionFlowConfig conf
 where conf.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "OGNL expression might include input from $@.",