JS: split HardcodedCredentials.qll

javascript/ql/src/semmle/javascript/security/dataflow/HardcodedCredentials.qll

@@ -1,27 +1,15 @@
 /**
- * Provides a data flow configuration for reasoning about hardcoded credentials.
+ * Provides a data flow configuration for reasoning about hardcoded
+ * credentials.
+ * Note, for performance reasons: only import this file if
+ * `HardcodedCredentials::Configuration` is needed, otherwise
+ * `HardcodedCredentialsCustomizations` should be imported instead.
  */
 
 import javascript
-private import semmle.javascript.security.SensitiveActions
 
 module HardcodedCredentials {
-  /**
-   * A data flow source for hardcoded credentials.
-   */
-  abstract class Source extends DataFlow::Node { }
-
-  /**
-   * A data flow sink for hardcoded credentials.
-   */
-  abstract class Sink extends DataFlow::Node {
-    abstract string getKind();
-  }
-
-  /**
-   * A sanitizer for hardcoded credentials.
-   */
-  abstract class Sanitizer extends DataFlow::Node { }
+  import HardcodedCredentialsCustomizations::HardcodedCredentials
 
   /**
    * A data flow tracking configuration for hardcoded credentials.
@@ -33,24 +21,4 @@ module HardcodedCredentials {
 
     override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
   }
-
-  /** A constant string, considered as a source of hardcoded credentials. */
-  class ConstantStringSource extends Source, DataFlow::ValueNode {
-    override ConstantString astNode;
-  }
-
-  /**
-   * A subclass of `Sink` that includes every `CredentialsExpr`
-   * as a credentials sink.
-   */
-  class DefaultCredentialsSink extends Sink, DataFlow::ValueNode {
-    override CredentialsExpr astNode;
-
-    DefaultCredentialsSink() {
-      // Don't flag an empty user name
-      not (astNode.getCredentialsKind() = "user name" and astNode.getStringValue() = "")
-    }
-
-    override string getKind() { result = astNode.getCredentialsKind() }
-  }
 }

javascript/ql/src/semmle/javascript/security/dataflow/HardcodedCredentialsCustomizations.qll

@@ -0,0 +1,47 @@
+/**
+ * Provides default sources, sinks and sanitisers for reasoning about
+ * hardcoded credentials, as well as extension points for adding your
+ * own.
+ */
+
+import javascript
+private import semmle.javascript.security.SensitiveActions
+
+module HardcodedCredentials {
+  /**
+   * A data flow source for hardcoded credentials.
+   */
+  abstract class Source extends DataFlow::Node { }
+
+  /**
+   * A data flow sink for hardcoded credentials.
+   */
+  abstract class Sink extends DataFlow::Node {
+    abstract string getKind();
+  }
+
+  /**
+   * A sanitizer for hardcoded credentials.
+   */
+  abstract class Sanitizer extends DataFlow::Node { }
+
+  /** A constant string, considered as a source of hardcoded credentials. */
+  class ConstantStringSource extends Source, DataFlow::ValueNode {
+    override ConstantString astNode;
+  }
+
+  /**
+   * A subclass of `Sink` that includes every `CredentialsExpr`
+   * as a credentials sink.
+   */
+  class DefaultCredentialsSink extends Sink, DataFlow::ValueNode {
+    override CredentialsExpr astNode;
+
+    DefaultCredentialsSink() {
+      // Don't flag an empty user name
+      not (astNode.getCredentialsKind() = "user name" and astNode.getStringValue() = "")
+    }
+
+    override string getKind() { result = astNode.getCredentialsKind() }
+  }
+}