Move ZipSlip configurations to Query.qll library

java/ql/src/Security/CWE/CWE-022/ZipSlip.ql

@@ -13,48 +13,9 @@
  */
 
 import java
-import semmle.code.java.controlflow.Guards
-import semmle.code.java.dataflow.SSA
-import semmle.code.java.dataflow.TaintTracking
-import semmle.code.java.security.PathSanitizer
-private import semmle.code.java.dataflow.ExternalFlow
-
-/**
- * A method that returns the name of an archive entry.
- */
-class ArchiveEntryNameMethod extends Method {
-  ArchiveEntryNameMethod() {
-    exists(RefType archiveEntry |
-      archiveEntry.hasQualifiedName("java.util.zip", "ZipEntry") or
-      archiveEntry.hasQualifiedName("org.apache.commons.compress.archivers", "ArchiveEntry")
-    |
-      this.getDeclaringType().getAnAncestor() = archiveEntry and
-      this.hasName("getName")
-    )
-  }
-}
-
-module ZipSlipConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) {
-    source.asExpr().(MethodAccess).getMethod() instanceof ArchiveEntryNameMethod
-  }
-
-  predicate isSink(DataFlow::Node sink) { sink instanceof FileCreationSink }
-
-  predicate isBarrier(DataFlow::Node node) { node instanceof PathInjectionSanitizer }
-}
-
-module ZipSlipFlow = TaintTracking::Global<ZipSlipConfig>;
-
+import semmle.code.java.security.ZipSlipQuery
 import ZipSlipFlow::PathGraph
 
-/**
- * A sink that represents a file creation, such as a file write, copy or move operation.
- */
-private class FileCreationSink extends DataFlow::Node {
-  FileCreationSink() { sinkNode(this, "create-file") }
-}
-
 from ZipSlipFlow::PathNode source, ZipSlipFlow::PathNode sink
 where ZipSlipFlow::flowPath(source, sink)
 select source.getNode(), source, sink,