Move shared code to the lib folder and update qldoc

java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.qhelp

@@ -6,12 +6,12 @@
 
 <overview>
 <p>External Control of File Name or Path, also called File Path Injection, is a vulnerability by which
-a file path is created using data from outside the application (such as the HTTP request, the database, or
-the filesystem). It allows an attacker to traverse through the filesystem and access arbitrary files.</p>
+a file path is created using data from outside the application (such as the HTTP request). It allows
+an attacker to traverse through the filesystem and access arbitrary files.</p>
 </overview>
 
 <recommendation>
-<p>Unsanitized user-provided data must not be used to construct the file path. In order to prevent File
+<p>Unsanitized user-provided data must not be used to construct file paths. In order to prevent File
 Path Injection, it is recommended to avoid concatenating user input directly into the file path. Instead, 
 user input should be checked against allowed or disallowed paths (for example, the path must be within
 <code>/user_content/</code> or must not be within <code>/internal</code>), ensuring that neither path

java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql

@@ -15,7 +15,7 @@ import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.PathCreation
 import JFinalController
-import PathSanitizer
+import experimental.semmle.code.java.PathSanitizer
 import DataFlow::PathGraph
 
 class InjectFilePathConfig extends TaintTracking::Configuration {

java/ql/src/experimental/Security/CWE/CWE-073/JFinalController.qll

@@ -22,7 +22,7 @@ class SetSessionAttributeMethod extends Method {
   }
 }
 
-/** The request attribute getter method of `JFinalController`. */
+/** A request attribute getter method of `JFinalController`. */
 class GetRequestAttributeMethod extends Method {
   GetRequestAttributeMethod() {
     this.getName().matches("getAttr%") and
@@ -30,7 +30,7 @@ class GetRequestAttributeMethod extends Method {
   }
 }
 
-/** The request attribute setter method of `JFinalController`. */
+/** A request attribute setter method of `JFinalController`. */
 class SetRequestAttributeMethod extends Method {
   SetRequestAttributeMethod() {
     this.getName() = ["set", "setAttr"] and
@@ -38,7 +38,10 @@ class SetRequestAttributeMethod extends Method {
   }
 }
 
-/** Value step from the setter call to the getter call of a session or request attribute. */
+/**
+ * Value step from a setter call to a corresponding getter call relating to a
+ * session or request attribute.
+ */
 private class SetToGetAttributeStep extends AdditionalValueStep {
   override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
     exists(MethodAccess gma, MethodAccess sma |
@@ -58,7 +61,7 @@ private class SetToGetAttributeStep extends AdditionalValueStep {
   }
 }
 
-/** Source model of remote flow source with `JFinal`. */
+/** Remote flow source models relating to `JFinal`. */
 private class JFinalControllerSource extends SourceModelCsv {
   override predicate row(string row) {
     row =