Merge pull request #14068 from RasmusWL/dataflow-config-refactor

Python: Use new dataflow API

python/ql/lib/semmle/python/security/dataflow/CleartextLoggingQuery.qll

@@ -16,9 +16,11 @@ private import semmle.python.dataflow.new.SensitiveDataSources
 import CleartextLoggingCustomizations::CleartextLogging
 
 /**
+ * DEPRECATED: Use `CleartextLoggingFlow` module instead.
+ *
  * A taint-tracking configuration for detecting "Clear-text logging of sensitive information".
  */
-class Configuration extends TaintTracking::Configuration {
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "CleartextLogging" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -31,3 +33,14 @@ class Configuration extends TaintTracking::Configuration {
     node instanceof Sanitizer
   }
 }
+
+private module CleartextLoggingConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/** Global taint-tracking for detecting "Clear-text logging of sensitive information" vulnerabilities. */
+module CleartextLoggingFlow = TaintTracking::Global<CleartextLoggingConfig>;

python/ql/lib/semmle/python/security/dataflow/CleartextStorageQuery.qll

@@ -16,9 +16,11 @@ private import semmle.python.dataflow.new.SensitiveDataSources
 import CleartextStorageCustomizations::CleartextStorage
 
 /**
+ * DEPRECATED: Use `CleartextStorageFlow` module instead.
+ *
  * A taint-tracking configuration for detecting "Clear-text storage of sensitive information".
  */
-class Configuration extends TaintTracking::Configuration {
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "CleartextStorage" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -31,3 +33,14 @@ class Configuration extends TaintTracking::Configuration {
     node instanceof Sanitizer
   }
 }
+
+private module CleartextStorageConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/** Global taint-tracking for detecting "Clear-text storage of sensitive information" vulnerabilities. */
+module CleartextStorageFlow = TaintTracking::Global<CleartextStorageConfig>;

python/ql/lib/semmle/python/security/dataflow/CodeInjectionQuery.qll

@@ -12,9 +12,11 @@ import semmle.python.dataflow.new.TaintTracking
 import CodeInjectionCustomizations::CodeInjection
 
 /**
+ * DEPRECATED: Use `CodeInjectionFlow` module instead.
+ *
  * A taint-tracking configuration for detecting "code injection" vulnerabilities.
  */
-class Configuration extends TaintTracking::Configuration {
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "CodeInjection" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -27,3 +29,14 @@ class Configuration extends TaintTracking::Configuration {
     guard instanceof SanitizerGuard
   }
 }
+
+private module CodeInjectionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/** Global taint-tracking for detecting "code injection" vulnerabilities. */
+module CodeInjectionFlow = TaintTracking::Global<CodeInjectionConfig>;

python/ql/lib/semmle/python/security/dataflow/CommandInjectionQuery.qll

@@ -12,9 +12,11 @@ import semmle.python.dataflow.new.TaintTracking
 import CommandInjectionCustomizations::CommandInjection
 
 /**
+ * DEPRECATED: Use `CommandInjectionFlow` module instead.
+ *
  * A taint-tracking configuration for detecting "command injection" vulnerabilities.
  */
-class Configuration extends TaintTracking::Configuration {
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "CommandInjection" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -27,3 +29,17 @@ class Configuration extends TaintTracking::Configuration {
     guard instanceof SanitizerGuard
   }
 }
+
+/**
+ * A taint-tracking configuration for detecting "command injection" vulnerabilities.
+ */
+module CommandInjectionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/** Global taint-tracking for detecting "command injection" vulnerabilities. */
+module CommandInjectionFlow = TaintTracking::Global<CommandInjectionConfig>;

python/ql/lib/semmle/python/security/dataflow/LdapInjectionQuery.qll

@@ -14,10 +14,12 @@ import semmle.python.dataflow.new.RemoteFlowSources
 import LdapInjectionCustomizations::LdapInjection
 
 /**
+ * DEPRECATED: Use `LdapInjectionDnFlow` module instead.
+ *
  * A taint-tracking configuration for detecting LDAP injection vulnerabilities
  * via the distinguished name (DN) parameter of an LDAP search.
  */
-class DnConfiguration extends TaintTracking::Configuration {
+deprecated class DnConfiguration extends TaintTracking::Configuration {
   DnConfiguration() { this = "LdapDnInjection" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -31,11 +33,24 @@ class DnConfiguration extends TaintTracking::Configuration {
   }
 }
 
+private module LdapInjectionDnConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof DnSink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof DnSanitizer }
+}
+
+/** Global taint-tracking for detecting "LDAP injection via the distinguished name (DN) parameter" vulnerabilities. */
+module LdapInjectionDnFlow = TaintTracking::Global<LdapInjectionDnConfig>;
+
 /**
+ * DEPRECATED: Use `LdapInjectionFilterFlow` module instead.
+ *
  * A taint-tracking configuration for detecting LDAP injection vulnerabilities
  * via the filter parameter of an LDAP search.
  */
-class FilterConfiguration extends TaintTracking::Configuration {
+deprecated class FilterConfiguration extends TaintTracking::Configuration {
   FilterConfiguration() { this = "LdapFilterInjection" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -48,3 +63,19 @@ class FilterConfiguration extends TaintTracking::Configuration {
     guard instanceof FilterSanitizerGuard
   }
 }
+
+private module LdapInjectionFilterConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof FilterSink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof FilterSanitizer }
+}
+
+/** Global taint-tracking for detecting "LDAP injection via the filter parameter" vulnerabilities. */
+module LdapInjectionFilterFlow = TaintTracking::Global<LdapInjectionFilterConfig>;
+
+/** Global taint-tracking for detecting "LDAP injection" vulnerabilities. */
+module LdapInjectionFlow =
+  DataFlow::MergePathGraph<LdapInjectionDnFlow::PathNode, LdapInjectionFilterFlow::PathNode,
+    LdapInjectionDnFlow::PathGraph, LdapInjectionFilterFlow::PathGraph>;

python/ql/lib/semmle/python/security/dataflow/LogInjectionQuery.qll

@@ -1,5 +1,5 @@
 /**
- * Provides a taint-tracking configuration for tracking untrusted user input used in log entries.
+ * Provides a taint-tracking configuration for tracking "log injection" vulnerabilities.
  *
  * Note, for performance reasons: only import this file if
  * `LogInjection::Configuration` is needed, otherwise
@@ -12,9 +12,11 @@ import semmle.python.dataflow.new.TaintTracking
 import LogInjectionCustomizations::LogInjection
 
 /**
+ * DEPRECATED: Use `LogInjectionFlow` module instead.
+ *
  * A taint-tracking configuration for tracking untrusted user input used in log entries.
  */
-class Configuration extends TaintTracking::Configuration {
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "LogInjection" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -27,3 +29,14 @@ class Configuration extends TaintTracking::Configuration {
     guard instanceof SanitizerGuard
   }
 }
+
+private module LogInjectionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/** Global taint-tracking for detecting "log injection" vulnerabilities. */
+module LogInjectionFlow = TaintTracking::Global<LogInjectionConfig>;

python/ql/lib/semmle/python/security/dataflow/PamAuthorizationQuery.qll

@@ -12,9 +12,11 @@ import semmle.python.dataflow.new.TaintTracking
 import PamAuthorizationCustomizations::PamAuthorizationCustomizations
 
 /**
+ * DEPRECATED: Use `PamAuthorizationFlow` module instead.
+ *
  * A taint-tracking configuration for detecting "PAM Authorization" vulnerabilities.
  */
-class Configuration extends TaintTracking::Configuration {
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "PamAuthorization" }
 
   override predicate isSource(DataFlow::Node node) { node instanceof Source }
@@ -37,3 +39,28 @@ class Configuration extends TaintTracking::Configuration {
     exists(VulnPamAuthCall c | c.getArg(0) = node1 | node2 = c)
   }
 }
+
+private module PamAuthorizationConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    // Models flow from a remotely supplied username field to a PAM `handle`.
+    // `retval = pam_start(service, username, byref(conv), byref(handle))`
+    exists(API::CallNode pamStart, DataFlow::Node handle, API::CallNode pointer |
+      pointer = API::moduleImport("ctypes").getMember(["pointer", "byref"]).getACall() and
+      pamStart = libPam().getMember("pam_start").getACall() and
+      pointer = pamStart.getArg(3) and
+      handle = pointer.getArg(0) and
+      pamStart.getArg(1) = node1 and
+      handle = node2
+    )
+    or
+    // Flow from handle to the authenticate call in the final step
+    exists(VulnPamAuthCall c | c.getArg(0) = node1 | node2 = c)
+  }
+}
+
+/** Global taint-tracking for detecting "PAM Authorization" vulnerabilities. */
+module PamAuthorizationFlow = TaintTracking::Global<PamAuthorizationConfig>;

python/ql/lib/semmle/python/security/dataflow/PathInjectionQuery.qll

@@ -13,6 +13,8 @@ import semmle.python.dataflow.new.TaintTracking
 import PathInjectionCustomizations::PathInjection
 
 /**
+ * DEPRECATED: Use `PathInjectionFlow` module instead.
+ *
  * A taint-tracking configuration for detecting "path injection" vulnerabilities.
  *
  * This configuration uses two flow states, `NotNormalized` and `NormalizedUnchecked`,
@@ -25,7 +27,7 @@ import PathInjectionCustomizations::PathInjection
  *
  * Such checks are ineffective in the `NotNormalized` state.
  */
-class Configuration extends TaintTracking::Configuration {
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "PathInjection" }
 
   override predicate isSource(DataFlow::Node source, DataFlow::FlowState state) {
@@ -74,3 +76,52 @@ class NotNormalized extends DataFlow::FlowState {
 class NormalizedUnchecked extends DataFlow::FlowState {
   NormalizedUnchecked() { this = "NormalizedUnchecked" }
 }
+
+/**
+ * This configuration uses two flow states, `NotNormalized` and `NormalizedUnchecked`,
+ * to track the requirement that a file path must be first normalized and then checked
+ * before it is safe to use.
+ *
+ * At sources, paths are assumed not normalized. At normalization points, they change
+ * state to `NormalizedUnchecked` after which they can be made safe by an appropriate
+ * check of the prefix.
+ *
+ * Such checks are ineffective in the `NotNormalized` state.
+ */
+module PathInjectionConfig implements DataFlow::StateConfigSig {
+  class FlowState = DataFlow::FlowState;
+
+  predicate isSource(DataFlow::Node source, FlowState state) {
+    source instanceof Source and state instanceof NotNormalized
+  }
+
+  predicate isSink(DataFlow::Node sink, FlowState state) {
+    sink instanceof Sink and
+    (
+      state instanceof NotNormalized or
+      state instanceof NormalizedUnchecked
+    )
+  }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate isBarrier(DataFlow::Node node, FlowState state) {
+    // Block `NotNormalized` paths here, since they change state to `NormalizedUnchecked`
+    node instanceof Path::PathNormalization and
+    state instanceof NotNormalized
+    or
+    node instanceof Path::SafeAccessCheck and
+    state instanceof NormalizedUnchecked
+  }
+
+  predicate isAdditionalFlowStep(
+    DataFlow::Node nodeFrom, FlowState stateFrom, DataFlow::Node nodeTo, FlowState stateTo
+  ) {
+    nodeFrom = nodeTo.(Path::PathNormalization).getPathArg() and
+    stateFrom instanceof NotNormalized and
+    stateTo instanceof NormalizedUnchecked
+  }
+}
+
+/** Global taint-tracking for detecting "path injection" vulnerabilities. */
+module PathInjectionFlow = TaintTracking::GlobalWithState<PathInjectionConfig>;

python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSCustomizations.qll

@@ -6,7 +6,6 @@
 
 private import python
 private import semmle.python.dataflow.new.DataFlow
-private import semmle.python.dataflow.new.DataFlow2
 private import semmle.python.dataflow.new.TaintTracking
 private import semmle.python.Concepts
 private import semmle.python.dataflow.new.RemoteFlowSources

python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSQuery.qll

@@ -12,9 +12,11 @@ import semmle.python.dataflow.new.TaintTracking
 import PolynomialReDoSCustomizations::PolynomialReDoS
 
 /**
+ * DEPRECATED: Use `PolynomialReDoSFlow` module instead.
+ *
  * A taint-tracking configuration for detecting "polynomial regular expression denial of service (ReDoS)" vulnerabilities.
  */
-class Configuration extends TaintTracking::Configuration {
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "PolynomialReDoS" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -27,3 +29,14 @@ class Configuration extends TaintTracking::Configuration {
     guard instanceof SanitizerGuard
   }
 }
+
+private module PolynomialReDoSConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/** Global taint-tracking for detecting "polynomial regular expression denial of service (ReDoS)" vulnerabilities. */
+module PolynomialReDoSFlow = TaintTracking::Global<PolynomialReDoSConfig>;

python/ql/lib/semmle/python/security/dataflow/ReflectedXssQuery.qll

@@ -12,9 +12,11 @@ import semmle.python.dataflow.new.TaintTracking
 import ReflectedXSSCustomizations::ReflectedXss
 
 /**
+ * DEPRECATED: Use `ReflectedXssFlow` module instead.
+ *
  * A taint-tracking configuration for detecting "reflected server-side cross-site scripting" vulnerabilities.
  */
-class Configuration extends TaintTracking::Configuration {
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "ReflectedXSS" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -27,3 +29,14 @@ class Configuration extends TaintTracking::Configuration {
     guard instanceof SanitizerGuard
   }
 }
+
+private module ReflectedXssConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/** Global taint-tracking for detecting "reflected server-side cross-site scripting" vulnerabilities. */
+module ReflectedXssFlow = TaintTracking::Global<ReflectedXssConfig>;

python/ql/lib/semmle/python/security/dataflow/RegexInjectionQuery.qll

@@ -1,5 +1,5 @@
 /**
- * Provides a taint-tracking configuration for detecting regular expression injection
+ * Provides a taint-tracking configuration for detecting "regular expression injection"
  * vulnerabilities.
  *
  * Note, for performance reasons: only import this file if
@@ -13,9 +13,11 @@ import semmle.python.dataflow.new.TaintTracking
 import RegexInjectionCustomizations::RegexInjection
 
 /**
+ * DEPRECATED: Use `RegexInjectionFlow` module instead.
+ *
  * A taint-tracking configuration for detecting "reflected server-side cross-site scripting" vulnerabilities.
  */
-class Configuration extends TaintTracking::Configuration {
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "RegexInjection" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -28,3 +30,14 @@ class Configuration extends TaintTracking::Configuration {
     guard instanceof SanitizerGuard
   }
 }
+
+private module RegexInjectionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/** Global taint-tracking for detecting "regular expression injection" vulnerabilities. */
+module RegexInjectionFlow = TaintTracking::Global<RegexInjectionConfig>;

python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryQuery.qll

@@ -13,6 +13,8 @@ import semmle.python.Concepts
 import ServerSideRequestForgeryCustomizations::ServerSideRequestForgery
 
 /**
+ * DEPRECATED: Use `FullServerSideRequestForgeryFlow` module instead.
+ *
  * A taint-tracking configuration for detecting "Server-side request forgery" vulnerabilities.
  *
  * This configuration has a sanitizer to limit results to cases where attacker has full control of URL.
@@ -21,7 +23,7 @@ import ServerSideRequestForgeryCustomizations::ServerSideRequestForgery
  * You should use the `fullyControlledRequest` to only select results where all
  * URL parts are fully controlled.
  */
-class FullServerSideRequestForgeryConfiguration extends TaintTracking::Configuration {
+deprecated class FullServerSideRequestForgeryConfiguration extends TaintTracking::Configuration {
   FullServerSideRequestForgeryConfiguration() { this = "FullServerSideRequestForgery" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -39,24 +41,51 @@ class FullServerSideRequestForgeryConfiguration extends TaintTracking::Configura
   }
 }
 
+/**
+ * This configuration has a sanitizer to limit results to cases where attacker has full control of URL.
+ * See `PartialServerSideRequestForgery` for a variant without this requirement.
+ *
+ * You should use the `fullyControlledRequest` to only select results where all
+ * URL parts are fully controlled.
+ */
+private module FullServerSideRequestForgeryConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) {
+    node instanceof Sanitizer
+    or
+    node instanceof FullUrlControlSanitizer
+  }
+}
+
+/**
+ * Global taint-tracking for detecting "Full server-side request forgery" vulnerabilities.
+ *
+ * You should use the `fullyControlledRequest` to only select results where all
+ * URL parts are fully controlled.
+ */
+module FullServerSideRequestForgeryFlow = TaintTracking::Global<FullServerSideRequestForgeryConfig>;
+
 /**
  * Holds if all URL parts of `request` is fully user controlled.
  */
 predicate fullyControlledRequest(Http::Client::Request request) {
-  exists(FullServerSideRequestForgeryConfiguration fullConfig |
-    forall(DataFlow::Node urlPart | urlPart = request.getAUrlPart() |
-      fullConfig.hasFlow(_, urlPart)
-    )
+  forall(DataFlow::Node urlPart | urlPart = request.getAUrlPart() |
+    FullServerSideRequestForgeryFlow::flow(_, urlPart)
   )
 }
 
 /**
+ * DEPRECATED: Use `FullServerSideRequestForgeryFlow` module instead.
+ *
  * A taint-tracking configuration for detecting "Server-side request forgery" vulnerabilities.
  *
  * This configuration has results, even when the attacker does not have full control over the URL.
  * See `FullServerSideRequestForgeryConfiguration`, and the `fullyControlledRequest` predicate.
  */
-class PartialServerSideRequestForgeryConfiguration extends TaintTracking::Configuration {
+deprecated class PartialServerSideRequestForgeryConfiguration extends TaintTracking::Configuration {
   PartialServerSideRequestForgeryConfiguration() { this = "PartialServerSideRequestForgery" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -69,3 +98,21 @@ class PartialServerSideRequestForgeryConfiguration extends TaintTracking::Config
     guard instanceof SanitizerGuard
   }
 }
+
+/**
+ * This configuration has results, even when the attacker does not have full control over the URL.
+ * See `FullServerSideRequestForgeryConfiguration`, and the `fullyControlledRequest` predicate.
+ */
+private module PartialServerSideRequestForgeryConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/**
+ * Global taint-tracking for detecting "partial server-side request forgery" vulnerabilities.
+ */
+module PartialServerSideRequestForgeryFlow =
+  TaintTracking::Global<PartialServerSideRequestForgeryConfig>;

python/ql/lib/semmle/python/security/dataflow/SqlInjectionQuery.qll

@@ -12,9 +12,11 @@ import semmle.python.dataflow.new.TaintTracking
 import SqlInjectionCustomizations::SqlInjection
 
 /**
+ * DEPRECATED: Use `SqlInjectionFlow` module instead.
+ *
  * A taint-tracking configuration for detecting "SQL injection" vulnerabilities.
  */
-class Configuration extends TaintTracking::Configuration {
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "SqlInjection" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -27,3 +29,14 @@ class Configuration extends TaintTracking::Configuration {
     guard instanceof SanitizerGuard
   }
 }
+
+private module SqlInjectionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/** Global taint-tracking for detecting "SQL injection" vulnerabilities. */
+module SqlInjectionFlow = TaintTracking::Global<SqlInjectionConfig>;

python/ql/lib/semmle/python/security/dataflow/StackTraceExposureQuery.qll

@@ -12,9 +12,11 @@ import semmle.python.dataflow.new.TaintTracking
 import StackTraceExposureCustomizations::StackTraceExposure
 
 /**
+ * DEPRECATED: Use `StackTraceExposureFlow` module instead.
+ *
  * A taint-tracking configuration for detecting "stack trace exposure" vulnerabilities.
  */
-class Configuration extends TaintTracking::Configuration {
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "StackTraceExposure" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -36,3 +38,23 @@ class Configuration extends TaintTracking::Configuration {
     )
   }
 }
+
+private module StackTraceExposureConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  // A stack trace is accessible as the `__traceback__` attribute of a caught exception.
+  //  see https://docs.python.org/3/reference/datamodel.html#traceback-objects
+  predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+    exists(DataFlow::AttrRead attr | attr.getAttributeName() = "__traceback__" |
+      nodeFrom = attr.getObject() and
+      nodeTo = attr
+    )
+  }
+}
+
+/** Global taint-tracking for detecting "stack trace exposure" vulnerabilities. */
+module StackTraceExposureFlow = TaintTracking::Global<StackTraceExposureConfig>;

python/ql/lib/semmle/python/security/dataflow/TarSlipQuery.qll

@@ -1,5 +1,5 @@
 /**
- * Provides a taint-tracking configuration for detecting "command injection" vulnerabilities.
+ * Provides a taint-tracking configuration for detecting "tar slip" vulnerabilities.
  *
  * Note, for performance reasons: only import this file if
  * `TarSlip::Configuration` is needed, otherwise
@@ -12,9 +12,11 @@ import semmle.python.dataflow.new.TaintTracking
 import TarSlipCustomizations::TarSlip
 
 /**
- * A taint-tracking configuration for detecting "command injection" vulnerabilities.
+ * DEPRECATED: Use `TarSlipFlow` module instead.
+ *
+ * A taint-tracking configuration for detecting "tar slip" vulnerabilities.
  */
-class Configuration extends TaintTracking::Configuration {
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "TarSlip" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -23,3 +25,14 @@ class Configuration extends TaintTracking::Configuration {
 
   override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
 }
+
+private module TarSlipConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/** Global taint-tracking for detecting "tar slip" vulnerabilities. */
+module TarSlipFlow = TaintTracking::Global<TarSlipConfig>;

python/ql/lib/semmle/python/security/dataflow/UnsafeDeserializationQuery.qll

@@ -12,9 +12,11 @@ import semmle.python.dataflow.new.TaintTracking
 import UnsafeDeserializationCustomizations::UnsafeDeserialization
 
 /**
+ * DEPRECATED: Use `UnsafeDeserializationFlow` module instead.
+ *
  * A taint-tracking configuration for detecting "code execution from deserialization" vulnerabilities.
  */
-class Configuration extends TaintTracking::Configuration {
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "UnsafeDeserialization" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -27,3 +29,14 @@ class Configuration extends TaintTracking::Configuration {
     guard instanceof SanitizerGuard
   }
 }
+
+private module UnsafeDeserializationConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/** Global taint-tracking for detecting "code execution from deserialization" vulnerabilities. */
+module UnsafeDeserializationFlow = TaintTracking::Global<UnsafeDeserializationConfig>;

python/ql/lib/semmle/python/security/dataflow/UnsafeShellCommandConstructionQuery.qll

@@ -14,9 +14,11 @@ private import CommandInjectionCustomizations::CommandInjection as CommandInject
 private import semmle.python.dataflow.new.BarrierGuards
 
 /**
+ * DEPRECATED: Use `UnsafeShellCommandConstructionFlow` module instead.
+ *
  * A taint-tracking configuration for detecting shell command constructed from library input vulnerabilities.
  */
-class Configuration extends TaintTracking::Configuration {
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "UnsafeShellCommandConstruction" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -33,3 +35,23 @@ class Configuration extends TaintTracking::Configuration {
     result instanceof DataFlow::FeatureHasSourceCallContext
   }
 }
+
+/**
+ * A taint-tracking configuration for detecting "shell command constructed from library input" vulnerabilities.
+ */
+module UnsafeShellCommandConstructionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) {
+    node instanceof CommandInjection::Sanitizer // using all sanitizers from `py/command-injection`
+  }
+
+  // override to require the path doesn't have unmatched return steps
+  DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }
+}
+
+/** Global taint-tracking for detecting "shell command constructed from library input" vulnerabilities. */
+module UnsafeShellCommandConstructionFlow =
+  TaintTracking::Global<UnsafeShellCommandConstructionConfig>;

python/ql/lib/semmle/python/security/dataflow/UrlRedirectQuery.qll

@@ -12,9 +12,11 @@ import semmle.python.dataflow.new.TaintTracking
 import UrlRedirectCustomizations::UrlRedirect
 
 /**
+ * DEPRECATED: Use `UrlRedirectFlow` module instead.
+ *
  * A taint-tracking configuration for detecting "URL redirection" vulnerabilities.
  */
-class Configuration extends TaintTracking::Configuration {
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "UrlRedirect" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -27,3 +29,14 @@ class Configuration extends TaintTracking::Configuration {
     guard instanceof SanitizerGuard
   }
 }
+
+private module UrlRedirectConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/** Global taint-tracking for detecting "URL redirection" vulnerabilities. */
+module UrlRedirectFlow = TaintTracking::Global<UrlRedirectConfig>;

python/ql/lib/semmle/python/security/dataflow/WeakSensitiveDataHashingQuery.qll

@@ -24,10 +24,12 @@ module NormalHashFunction {
   import WeakSensitiveDataHashingCustomizations::NormalHashFunction
 
   /**
+   * DEPRECATED: Use `Flow` module instead.
+   *
    * A taint-tracking configuration for detecting use of a broken or weak
    * cryptographic hashing algorithm on sensitive data.
    */
-  class Configuration extends TaintTracking::Configuration {
+  deprecated class Configuration extends TaintTracking::Configuration {
     Configuration() { this = "NormalHashFunction" }
 
     override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -44,6 +46,21 @@ module NormalHashFunction {
       sensitiveDataExtraStepForCalls(node1, node2)
     }
   }
+
+  private module Config implements DataFlow::ConfigSig {
+    predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+    predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+    predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+    predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+      sensitiveDataExtraStepForCalls(node1, node2)
+    }
+  }
+
+  /** Global taint-tracking for detecting "use of a broken or weak cryptographic hashing algorithm on sensitive data" vulnerabilities. */
+  module Flow = TaintTracking::Global<Config>;
 }
 
 /**
@@ -57,13 +74,15 @@ module ComputationallyExpensiveHashFunction {
   import WeakSensitiveDataHashingCustomizations::ComputationallyExpensiveHashFunction
 
   /**
+   * DEPRECATED: Use `Flow` module instead.
+   *
    * A taint-tracking configuration for detecting use of a broken or weak
    * cryptographic hashing algorithm on passwords.
    *
    * Passwords has stricter requirements on the hashing algorithm used (must be
    * computationally expensive to prevent brute-force attacks).
    */
-  class Configuration extends TaintTracking::Configuration {
+  deprecated class Configuration extends TaintTracking::Configuration {
     Configuration() { this = "ComputationallyExpensiveHashFunction" }
 
     override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -80,4 +99,49 @@ module ComputationallyExpensiveHashFunction {
       sensitiveDataExtraStepForCalls(node1, node2)
     }
   }
+
+  /**
+   * Passwords has stricter requirements on the hashing algorithm used (must be
+   * computationally expensive to prevent brute-force attacks).
+   */
+  private module Config implements DataFlow::ConfigSig {
+    predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+    predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+    predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+    predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+      sensitiveDataExtraStepForCalls(node1, node2)
+    }
+  }
+
+  /** Global taint-tracking for detecting "use of a broken or weak cryptographic hashing algorithm on passwords" vulnerabilities. */
+  module Flow = TaintTracking::Global<Config>;
+}
+
+/**
+ * Global taint-tracking for detecting both variants of "use of a broken or weak
+ * cryptographic hashing algorithm on sensitive data" vulnerabilities.
+ *
+ * See convenience predicates `normalHashFunctionFlowPath` and
+ * `computationallyExpensiveHashFunctionFlowPath`.
+ */
+module WeakSensitiveDataHashingFlow =
+  DataFlow::MergePathGraph<NormalHashFunction::Flow::PathNode,
+    ComputationallyExpensiveHashFunction::Flow::PathNode, NormalHashFunction::Flow::PathGraph,
+    ComputationallyExpensiveHashFunction::Flow::PathGraph>;
+
+/** Holds if data can flow from `source` to `sink` with `NormalHashFunction::Flow`. */
+predicate normalHashFunctionFlowPath(
+  WeakSensitiveDataHashingFlow::PathNode source, WeakSensitiveDataHashingFlow::PathNode sink
+) {
+  NormalHashFunction::Flow::flowPath(source.asPathNode1(), sink.asPathNode1())
+}
+
+/** Holds if data can flow from `source` to `sink` with `ComputationallyExpensiveHashFunction::Flow`. */
+predicate computationallyExpensiveHashFunctionFlowPath(
+  WeakSensitiveDataHashingFlow::PathNode source, WeakSensitiveDataHashingFlow::PathNode sink
+) {
+  ComputationallyExpensiveHashFunction::Flow::flowPath(source.asPathNode2(), sink.asPathNode2())
 }

python/ql/lib/semmle/python/security/dataflow/XmlBombQuery.qll

@@ -12,9 +12,11 @@ import semmle.python.dataflow.new.TaintTracking
 import XmlBombCustomizations::XmlBomb
 
 /**
+ * DEPRECATED: Use `XmlBombFlow` module instead.
+ *
  * A taint-tracking configuration for detecting "XML bomb" vulnerabilities.
  */
-class Configuration extends TaintTracking::Configuration {
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "XmlBomb" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -26,3 +28,14 @@ class Configuration extends TaintTracking::Configuration {
     node instanceof Sanitizer
   }
 }
+
+private module XmlBombConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/** Global taint-tracking for detecting "XML bomb" vulnerabilities. */
+module XmlBombFlow = TaintTracking::Global<XmlBombConfig>;

python/ql/lib/semmle/python/security/dataflow/XpathInjectionQuery.qll

@@ -12,9 +12,11 @@ import semmle.python.dataflow.new.TaintTracking
 import XpathInjectionCustomizations::XpathInjection
 
 /**
+ * DEPRECATED: Use `XpathInjectionFlow` module instead.
+ *
  * A taint-tracking configuration for detecting "Xpath Injection" vulnerabilities.
  */
-class Configuration extends TaintTracking::Configuration {
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "Xpath Injection" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -27,3 +29,14 @@ class Configuration extends TaintTracking::Configuration {
     guard instanceof SanitizerGuard
   }
 }
+
+private module XpathInjectionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/** Global taint-tracking for detecting "Xpath Injection" vulnerabilities. */
+module XpathInjectionFlow = TaintTracking::Global<XpathInjectionConfig>;

python/ql/lib/semmle/python/security/dataflow/XxeQuery.qll

@@ -12,9 +12,11 @@ import semmle.python.dataflow.new.TaintTracking
 import XxeCustomizations::Xxe
 
 /**
+ * DEPRECATED: Use `XxeFlow` module instead.
+ *
  * A taint-tracking configuration for detecting "XML External Entity (XXE)" vulnerabilities.
  */
-class Configuration extends TaintTracking::Configuration {
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "Xxe" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -26,3 +28,14 @@ class Configuration extends TaintTracking::Configuration {
     node instanceof Sanitizer
   }
 }
+
+private module XxeConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/** Global taint-tracking for detecting "XML External Entity (XXE)" vulnerabilities. */
+module XxeFlow = TaintTracking::Global<XxeConfig>;

python/ql/src/Functions/ModificationOfParameterWithDefault.ql

@@ -13,11 +13,11 @@
 
 import python
 import semmle.python.functions.ModificationOfParameterWithDefault
-import DataFlow::PathGraph
+import ModificationOfParameterWithDefault::Flow::PathGraph
 
 from
-  ModificationOfParameterWithDefault::Configuration config, DataFlow::PathNode source,
-  DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
+  ModificationOfParameterWithDefault::Flow::PathNode source,
+  ModificationOfParameterWithDefault::Flow::PathNode sink
+where ModificationOfParameterWithDefault::Flow::flowPath(source, sink)
 select sink.getNode(), source, sink, "This expression mutates a $@.", source.getNode(),
   "default value"

python/ql/src/Security/CWE-020-ExternalAPIs/ExternalAPIs.qll

@@ -167,8 +167,12 @@ class ExternalApiDataNode extends DataFlow::Node {
   }
 }
 
-/** A configuration for tracking flow from `RemoteFlowSource`s to `ExternalApiDataNode`s. */
-class UntrustedDataToExternalApiConfig extends TaintTracking::Configuration {
+/**
+ * DEPRECATED: Use `XmlBombFlow` module instead.
+ *
+ * A configuration for tracking flow from `RemoteFlowSource`s to `ExternalApiDataNode`s.
+ */
+deprecated class UntrustedDataToExternalApiConfig extends TaintTracking::Configuration {
   UntrustedDataToExternalApiConfig() { this = "UntrustedDataToExternalAPIConfig" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
@@ -176,14 +180,21 @@ class UntrustedDataToExternalApiConfig extends TaintTracking::Configuration {
   override predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
 }
 
+private module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
+}
+
+/** Global taint-tracking from `RemoteFlowSource`s to `ExternalApiDataNode`s. */
+module UntrustedDataToExternalApiFlow = TaintTracking::Global<UntrustedDataToExternalApiConfig>;
+
 /** A node representing untrusted data being passed to an external API. */
 class UntrustedExternalApiDataNode extends ExternalApiDataNode {
-  UntrustedExternalApiDataNode() { any(UntrustedDataToExternalApiConfig c).hasFlow(_, this) }
+  UntrustedExternalApiDataNode() { UntrustedDataToExternalApiFlow::flow(_, this) }
 
   /** Gets a source of untrusted data which is passed to this external API data node. */
-  DataFlow::Node getAnUntrustedSource() {
-    any(UntrustedDataToExternalApiConfig c).hasFlow(result, this)
-  }
+  DataFlow::Node getAnUntrustedSource() { UntrustedDataToExternalApiFlow::flow(result, this) }
 }
 
 /** An external API which is used with untrusted data. */

python/ql/src/Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.ql

@@ -11,14 +11,14 @@
 
 import python
 import ExternalAPIs
-import DataFlow::PathGraph
+import UntrustedDataToExternalApiFlow::PathGraph
 
 from
-  UntrustedDataToExternalApiConfig config, DataFlow::PathNode source, DataFlow::PathNode sink,
+  UntrustedDataToExternalApiFlow::PathNode source, UntrustedDataToExternalApiFlow::PathNode sink,
   ExternalApiUsedWithUntrustedData externalApi
 where
   sink.getNode() = externalApi.getUntrustedDataNode() and
-  config.hasFlowPath(source, sink)
+  UntrustedDataToExternalApiFlow::flowPath(source, sink)
 select sink.getNode(), source, sink,
   "Call to " + externalApi.toString() + " with untrusted data from $@.", source.getNode(),
   source.toString()

python/ql/src/Security/CWE-022/PathInjection.ql

@@ -18,9 +18,9 @@
 
 import python
 import semmle.python.security.dataflow.PathInjectionQuery
-import DataFlow::PathGraph
+import PathInjectionFlow::PathGraph
 
-from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
+from PathInjectionFlow::PathNode source, PathInjectionFlow::PathNode sink
+where PathInjectionFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "This path depends on a $@.", source.getNode(),
   "user-provided value"

python/ql/src/Security/CWE-022/TarSlip.ql

@@ -14,9 +14,9 @@
 
 import python
 import semmle.python.security.dataflow.TarSlipQuery
-import DataFlow::PathGraph
+import TarSlipFlow::PathGraph
 
-from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
+from TarSlipFlow::PathNode source, TarSlipFlow::PathNode sink
+where TarSlipFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "This file extraction depends on a $@.", source.getNode(),
   "potentially untrusted source"

python/ql/src/Security/CWE-078/CommandInjection.ql

@@ -16,9 +16,9 @@
 
 import python
 import semmle.python.security.dataflow.CommandInjectionQuery
-import DataFlow::PathGraph
+import CommandInjectionFlow::PathGraph
 
-from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
+from CommandInjectionFlow::PathNode source, CommandInjectionFlow::PathNode sink
+where CommandInjectionFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "This command line depends on a $@.", source.getNode(),
   "user-provided value"

python/ql/src/Security/CWE-078/UnsafeShellCommandConstruction.ql

@@ -16,11 +16,13 @@
 
 import python
 import semmle.python.security.dataflow.UnsafeShellCommandConstructionQuery
-import DataFlow::PathGraph
+import UnsafeShellCommandConstructionFlow::PathGraph
 
-from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink, Sink sinkNode
+from
+  UnsafeShellCommandConstructionFlow::PathNode source,
+  UnsafeShellCommandConstructionFlow::PathNode sink, Sink sinkNode
 where
-  config.hasFlowPath(source, sink) and
+  UnsafeShellCommandConstructionFlow::flowPath(source, sink) and
   sinkNode = sink.getNode()
 select sinkNode.getStringConstruction(), source, sink,
   "This " + sinkNode.describe() + " which depends on $@ is later used in a $@.", source.getNode(),

python/ql/src/Security/CWE-079/ReflectedXss.ql

@@ -15,9 +15,9 @@
 
 import python
 import semmle.python.security.dataflow.ReflectedXssQuery
-import DataFlow::PathGraph
+import ReflectedXssFlow::PathGraph
 
-from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
+from ReflectedXssFlow::PathNode source, ReflectedXssFlow::PathNode sink
+where ReflectedXssFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "Cross-site scripting vulnerability due to a $@.",
   source.getNode(), "user-provided value"

python/ql/src/Security/CWE-089/SqlInjection.ql

@@ -13,9 +13,9 @@
 
 import python
 import semmle.python.security.dataflow.SqlInjectionQuery
-import DataFlow::PathGraph
+import SqlInjectionFlow::PathGraph
 
-from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
+from SqlInjectionFlow::PathNode source, SqlInjectionFlow::PathNode sink
+where SqlInjectionFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "This SQL query depends on a $@.", source.getNode(),
   "user-provided value"

python/ql/src/Security/CWE-090/LdapInjection.ql

@@ -14,14 +14,14 @@
 // Determine precision above
 import python
 import semmle.python.security.dataflow.LdapInjectionQuery
-import DataFlow::PathGraph
+import LdapInjectionFlow::PathGraph
 
-from DataFlow::PathNode source, DataFlow::PathNode sink, string parameterName
+from LdapInjectionFlow::PathNode source, LdapInjectionFlow::PathNode sink, string parameterName
 where
-  any(DnConfiguration dnConfig).hasFlowPath(source, sink) and
+  LdapInjectionDnFlow::flowPath(source.asPathNode1(), sink.asPathNode1()) and
   parameterName = "DN"
   or
-  any(FilterConfiguration filterConfig).hasFlowPath(source, sink) and
+  LdapInjectionFilterFlow::flowPath(source.asPathNode2(), sink.asPathNode2()) and
   parameterName = "filter"
 select sink.getNode(), source, sink,
   "LDAP query parameter (" + parameterName + ") depends on a $@.", source.getNode(),

python/ql/src/Security/CWE-094/CodeInjection.ql

@@ -16,9 +16,9 @@
 
 import python
 import semmle.python.security.dataflow.CodeInjectionQuery
-import DataFlow::PathGraph
+import CodeInjectionFlow::PathGraph
 
-from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
+from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink
+where CodeInjectionFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "This code execution depends on a $@.", source.getNode(),
   "user-provided value"

python/ql/src/Security/CWE-117/LogInjection.ql

@@ -13,9 +13,9 @@
 
 import python
 import semmle.python.security.dataflow.LogInjectionQuery
-import DataFlow::PathGraph
+import LogInjectionFlow::PathGraph
 
-from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
+from LogInjectionFlow::PathNode source, LogInjectionFlow::PathNode sink
+where LogInjectionFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "This log entry depends on a $@.", source.getNode(),
   "user-provided value"

python/ql/src/Security/CWE-209/StackTraceExposure.ql

@@ -15,10 +15,10 @@
 
 import python
 import semmle.python.security.dataflow.StackTraceExposureQuery
-import DataFlow::PathGraph
+import StackTraceExposureFlow::PathGraph
 
-from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
+from StackTraceExposureFlow::PathNode source, StackTraceExposureFlow::PathNode sink
+where StackTraceExposureFlow::flowPath(source, sink)
 select sink.getNode(), source, sink,
   "$@ flows to this location and may be exposed to an external user.", source.getNode(),
   "Stack trace information"

python/ql/src/Security/CWE-285/PamAuthorization.ql

@@ -11,12 +11,12 @@
  */
 
 import python
-import DataFlow::PathGraph
+import PamAuthorizationFlow::PathGraph
 import semmle.python.ApiGraphs
 import semmle.python.security.dataflow.PamAuthorizationQuery
 
-from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
+from PamAuthorizationFlow::PathNode source, PamAuthorizationFlow::PathNode sink
+where PamAuthorizationFlow::flowPath(source, sink)
 select sink.getNode(), source, sink,
   "This PAM authentication depends on a $@, and 'pam_acct_mgmt' is not called afterwards.",
   source.getNode(), "user-provided value"

python/ql/src/Security/CWE-312/CleartextLogging.ql

@@ -15,12 +15,13 @@
 
 import python
 private import semmle.python.dataflow.new.DataFlow
-import DataFlow::PathGraph
+import CleartextLoggingFlow::PathGraph
 import semmle.python.security.dataflow.CleartextLoggingQuery
 
-from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink, string classification
+from
+  CleartextLoggingFlow::PathNode source, CleartextLoggingFlow::PathNode sink, string classification
 where
-  config.hasFlowPath(source, sink) and
+  CleartextLoggingFlow::flowPath(source, sink) and
   classification = source.getNode().(Source).getClassification()
 select sink.getNode(), source, sink, "This expression logs $@ as clear text.", source.getNode(),
   "sensitive data (" + classification + ")"

python/ql/src/Security/CWE-312/CleartextStorage.ql

@@ -15,12 +15,13 @@
 
 import python
 private import semmle.python.dataflow.new.DataFlow
-import DataFlow::PathGraph
+import CleartextStorageFlow::PathGraph
 import semmle.python.security.dataflow.CleartextStorageQuery
 
-from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink, string classification
+from
+  CleartextStorageFlow::PathNode source, CleartextStorageFlow::PathNode sink, string classification
 where
-  config.hasFlowPath(source, sink) and
+  CleartextStorageFlow::flowPath(source, sink) and
   classification = source.getNode().(Source).getClassification()
 select sink.getNode(), source, sink, "This expression stores $@ as clear text.", source.getNode(),
   "sensitive data (" + classification + ")"

python/ql/src/Security/CWE-327/WeakSensitiveDataHashing.ql

@@ -16,33 +16,29 @@ import python
 import semmle.python.security.dataflow.WeakSensitiveDataHashingQuery
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
-import DataFlow::PathGraph
+import WeakSensitiveDataHashingFlow::PathGraph
 
 from
-  DataFlow::PathNode source, DataFlow::PathNode sink, string ending, string algorithmName,
-  string classification
+  WeakSensitiveDataHashingFlow::PathNode source, WeakSensitiveDataHashingFlow::PathNode sink,
+  string ending, string algorithmName, string classification
 where
-  exists(NormalHashFunction::Configuration config |
-    config.hasFlowPath(source, sink) and
-    algorithmName = sink.getNode().(NormalHashFunction::Sink).getAlgorithmName() and
-    classification = source.getNode().(NormalHashFunction::Source).getClassification() and
-    ending = "."
-  )
+  normalHashFunctionFlowPath(source, sink) and
+  algorithmName = sink.getNode().(NormalHashFunction::Sink).getAlgorithmName() and
+  classification = source.getNode().(NormalHashFunction::Source).getClassification() and
+  ending = "."
   or
-  exists(ComputationallyExpensiveHashFunction::Configuration config |
-    config.hasFlowPath(source, sink) and
-    algorithmName = sink.getNode().(ComputationallyExpensiveHashFunction::Sink).getAlgorithmName() and
-    classification =
-      source.getNode().(ComputationallyExpensiveHashFunction::Source).getClassification() and
-    (
-      sink.getNode().(ComputationallyExpensiveHashFunction::Sink).isComputationallyExpensive() and
-      ending = "."
-      or
-      not sink.getNode().(ComputationallyExpensiveHashFunction::Sink).isComputationallyExpensive() and
-      ending =
-        " for " + classification +
-          " hashing, since it is not a computationally expensive hash function."
-    )
+  computationallyExpensiveHashFunctionFlowPath(source, sink) and
+  algorithmName = sink.getNode().(ComputationallyExpensiveHashFunction::Sink).getAlgorithmName() and
+  classification =
+    source.getNode().(ComputationallyExpensiveHashFunction::Source).getClassification() and
+  (
+    sink.getNode().(ComputationallyExpensiveHashFunction::Sink).isComputationallyExpensive() and
+    ending = "."
+    or
+    not sink.getNode().(ComputationallyExpensiveHashFunction::Sink).isComputationallyExpensive() and
+    ending =
+      " for " + classification +
+        " hashing, since it is not a computationally expensive hash function."
   )
 select sink.getNode(), source, sink,
   "$@ is used in a hashing algorithm (" + algorithmName + ") that is insecure" + ending,

python/ql/src/Security/CWE-502/UnsafeDeserialization.ql

@@ -14,9 +14,9 @@
 
 import python
 import semmle.python.security.dataflow.UnsafeDeserializationQuery
-import DataFlow::PathGraph
+import UnsafeDeserializationFlow::PathGraph
 
-from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
+from UnsafeDeserializationFlow::PathNode source, UnsafeDeserializationFlow::PathNode sink
+where UnsafeDeserializationFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "Unsafe deserialization depends on a $@.", source.getNode(),
   "user-provided value"

python/ql/src/Security/CWE-601/UrlRedirect.ql

@@ -14,9 +14,9 @@
 
 import python
 import semmle.python.security.dataflow.UrlRedirectQuery
-import DataFlow::PathGraph
+import UrlRedirectFlow::PathGraph
 
-from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
+from UrlRedirectFlow::PathNode source, UrlRedirectFlow::PathNode sink
+where UrlRedirectFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "Untrusted URL redirection depends on a $@.", source.getNode(),
   "user-provided value"

python/ql/src/Security/CWE-611/Xxe.ql

@@ -14,10 +14,10 @@
 
 import python
 import semmle.python.security.dataflow.XxeQuery
-import DataFlow::PathGraph
+import XxeFlow::PathGraph
 
-from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
-where cfg.hasFlowPath(source, sink)
+from XxeFlow::PathNode source, XxeFlow::PathNode sink
+where XxeFlow::flowPath(source, sink)
 select sink.getNode(), source, sink,
   "XML parsing depends on a $@ without guarding against external entity expansion.",
   source.getNode(), "user-provided value"

python/ql/src/Security/CWE-643/XpathInjection.ql

@@ -13,9 +13,9 @@
 
 import python
 import semmle.python.security.dataflow.XpathInjectionQuery
-import DataFlow::PathGraph
+import XpathInjectionFlow::PathGraph
 
-from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
+from XpathInjectionFlow::PathNode source, XpathInjectionFlow::PathNode sink
+where XpathInjectionFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "XPath expression depends on a $@.", source.getNode(),
   "user-provided value"

python/ql/src/Security/CWE-730/PolynomialReDoS.ql

@@ -15,13 +15,13 @@
 
 import python
 import semmle.python.security.dataflow.PolynomialReDoSQuery
-import DataFlow::PathGraph
+import PolynomialReDoSFlow::PathGraph
 
 from
-  Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink, Sink sinkNode,
+  PolynomialReDoSFlow::PathNode source, PolynomialReDoSFlow::PathNode sink, Sink sinkNode,
   PolynomialBackTrackingTerm regexp
 where
-  config.hasFlowPath(source, sink) and
+  PolynomialReDoSFlow::flowPath(source, sink) and
   sinkNode = sink.getNode() and
   regexp.getRootTerm() = sinkNode.getRegExp()
 //   not (

python/ql/src/Security/CWE-730/RegexInjection.ql

@@ -16,13 +16,13 @@
 import python
 private import semmle.python.Concepts
 import semmle.python.security.dataflow.RegexInjectionQuery
-import DataFlow::PathGraph
+import RegexInjectionFlow::PathGraph
 
 from
-  Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink,
+  RegexInjectionFlow::PathNode source, RegexInjectionFlow::PathNode sink,
   RegexExecution regexExecution
 where
-  config.hasFlowPath(source, sink) and
+  RegexInjectionFlow::flowPath(source, sink) and
   regexExecution = sink.getNode().(Sink).getRegexExecution()
 select sink.getNode(), source, sink,
   "This regular expression depends on a $@ and is executed by $@.", source.getNode(),

python/ql/src/Security/CWE-776/XmlBomb.ql

@@ -14,10 +14,10 @@
 
 import python
 import semmle.python.security.dataflow.XmlBombQuery
-import DataFlow::PathGraph
+import XmlBombFlow::PathGraph
 
-from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
-where cfg.hasFlowPath(source, sink)
+from XmlBombFlow::PathNode source, XmlBombFlow::PathNode sink
+where XmlBombFlow::flowPath(source, sink)
 select sink.getNode(), source, sink,
   "XML parsing depends on a $@ without guarding against uncontrolled entity expansion.",
   source.getNode(), "user-provided value"

python/ql/src/Security/CWE-798/HardcodedCredentials.ql

@@ -16,7 +16,6 @@ import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 import semmle.python.filters.Tests
-import DataFlow::PathGraph
 
 bindingset[char, fraction]
 predicate fewer_characters_than(StrConst str, string char, float fraction) {
@@ -108,17 +107,19 @@ private string getACredentialRegex() {
   result = "(?i).*(cert)(?!.*(format|name)).*"
 }
 
-class HardcodedCredentialsConfiguration extends TaintTracking::Configuration {
-  HardcodedCredentialsConfiguration() { this = "Hardcoded credentials configuration" }
+private module HardcodedCredentialsConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof HardcodedValueSource }
 
-  override predicate isSource(DataFlow::Node source) { source instanceof HardcodedValueSource }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof CredentialSink }
+  predicate isSink(DataFlow::Node sink) { sink instanceof CredentialSink }
 }
 
-from HardcodedCredentialsConfiguration config, DataFlow::PathNode src, DataFlow::PathNode sink
+module HardcodedCredentialsFlow = TaintTracking::Global<HardcodedCredentialsConfig>;
+
+import HardcodedCredentialsFlow::PathGraph
+
+from HardcodedCredentialsFlow::PathNode src, HardcodedCredentialsFlow::PathNode sink
 where
-  config.hasFlowPath(src, sink) and
+  HardcodedCredentialsFlow::flowPath(src, sink) and
   not any(TestScope test).contains(src.getNode().asCfgNode().getNode())
 select src.getNode(), src, sink, "This hardcoded value is $@.", sink.getNode(),
   "used as credentials"

python/ql/src/Security/CWE-918/FullServerSideRequestForgery.ql

@@ -12,14 +12,14 @@
 
 import python
 import semmle.python.security.dataflow.ServerSideRequestForgeryQuery
-import DataFlow::PathGraph
+import FullServerSideRequestForgeryFlow::PathGraph
 
 from
-  FullServerSideRequestForgeryConfiguration fullConfig, DataFlow::PathNode source,
-  DataFlow::PathNode sink, Http::Client::Request request
+  FullServerSideRequestForgeryFlow::PathNode source,
+  FullServerSideRequestForgeryFlow::PathNode sink, Http::Client::Request request
 where
   request = sink.getNode().(Sink).getRequest() and
-  fullConfig.hasFlowPath(source, sink) and
+  FullServerSideRequestForgeryFlow::flowPath(source, sink) and
   fullyControlledRequest(request)
 select request, source, sink, "The full URL of this request depends on a $@.", source.getNode(),
   "user-provided value"

python/ql/src/Security/CWE-918/PartialServerSideRequestForgery.ql

@@ -12,14 +12,14 @@
 
 import python
 import semmle.python.security.dataflow.ServerSideRequestForgeryQuery
-import DataFlow::PathGraph
+import PartialServerSideRequestForgeryFlow::PathGraph
 
 from
-  PartialServerSideRequestForgeryConfiguration partialConfig, DataFlow::PathNode source,
-  DataFlow::PathNode sink, Http::Client::Request request
+  PartialServerSideRequestForgeryFlow::PathNode source,
+  PartialServerSideRequestForgeryFlow::PathNode sink, Http::Client::Request request
 where
   request = sink.getNode().(Sink).getRequest() and
-  partialConfig.hasFlowPath(source, sink) and
+  PartialServerSideRequestForgeryFlow::flowPath(source, sink) and
   not fullyControlledRequest(request)
 select request, source, sink, "Part of the URL of this request depends on a $@.", source.getNode(),
   "user-provided value"

python/ql/src/experimental/Security/CWE-022/ZipSlip.ql

@@ -15,10 +15,10 @@
 
 import python
 import experimental.semmle.python.security.ZipSlip
-import DataFlow::PathGraph
+import ZipSlipFlow::PathGraph
 
-from ZipSlipConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
+from ZipSlipFlow::PathNode source, ZipSlipFlow::PathNode sink
+where ZipSlipFlow::flowPath(source, sink)
 select source.getNode(), source, sink,
   "This unsanitized archive entry, which may contain '..', is used in a $@.", sink.getNode(),
   "file system operation"

python/ql/src/experimental/Security/CWE-022bis/TarSlipImprov.ql

@@ -16,7 +16,7 @@
 import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
-import DataFlow::PathGraph
+import TarSlipImprovFlow::PathGraph
 import semmle.python.ApiGraphs
 import semmle.python.dataflow.new.internal.Attributes
 import semmle.python.dataflow.new.BarrierGuards
@@ -54,12 +54,10 @@ class AllTarfileOpens extends API::CallNode {
 /**
  * A taint-tracking configuration for detecting more "TarSlip" vulnerabilities.
  */
-class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "TarSlip" }
+private module TarSlipImprovConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source = tarfileOpen().getACall() }
 
-  override predicate isSource(DataFlow::Node source) { source = tarfileOpen().getACall() }
-
-  override predicate isSink(DataFlow::Node sink) {
+  predicate isSink(DataFlow::Node sink) {
     (
       // A sink capturing method calls to `extractall` without `members` argument.
       // For a call to `file.extractall` without `members` argument, `file` is considered a sink.
@@ -100,7 +98,7 @@ class Configuration extends TaintTracking::Configuration {
     not sink.getScope().getLocation().getFile().inStdlib()
   }
 
-  override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+  predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     nodeTo.(MethodCallNode).calls(nodeFrom, "getmembers") and
     nodeFrom instanceof AllTarfileOpens
     or
@@ -113,7 +111,10 @@ class Configuration extends TaintTracking::Configuration {
   }
 }
 
-from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
+/** Global taint-tracking for detecting more "TarSlip" vulnerabilities. */
+module TarSlipImprovFlow = TaintTracking::Global<TarSlipImprovConfig>;
+
+from TarSlipImprovFlow::PathNode source, TarSlipImprovFlow::PathNode sink
+where TarSlipImprovFlow::flowPath(source, sink)
 select sink, source, sink, "Extraction of tarfile from $@ to a potentially untrusted source $@.",
   source.getNode(), source.getNode().toString(), sink.getNode(), sink.getNode().toString()

python/ql/src/experimental/Security/CWE-022bis/UnsafeUnpack.ql

@@ -16,9 +16,9 @@
 
 import python
 import experimental.Security.UnsafeUnpackQuery
-import DataFlow::PathGraph
+import UnsafeUnpackFlow::PathGraph
 
-from UnsafeUnpackingConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
+from UnsafeUnpackFlow::PathNode source, UnsafeUnpackFlow::PathNode sink
+where UnsafeUnpackFlow::flowPath(source, sink)
 select sink.getNode(), source, sink,
   "Unsafe extraction from a malicious tarball retrieved from a remote location."

python/ql/src/experimental/Security/CWE-074/paramiko/paramiko.ql

@@ -16,16 +16,13 @@ import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 import semmle.python.dataflow.new.RemoteFlowSources
 import semmle.python.ApiGraphs
-import DataFlow::PathGraph
 
 private API::Node paramikoClient() {
   result = API::moduleImport("paramiko").getMember("SSHClient").getReturn()
 }
 
-class ParamikoCmdInjectionConfiguration extends TaintTracking::Configuration {
-  ParamikoCmdInjectionConfiguration() { this = "ParamikoCMDInjectionConfiguration" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+private module ParamikoConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   /**
    * exec_command of `paramiko.SSHClient` class execute command on ssh target server
@@ -33,7 +30,7 @@ class ParamikoCmdInjectionConfiguration extends TaintTracking::Configuration {
    *  and it run CMD on current system that running the ssh command
    * the Sink related to proxy command is the `connect` method of `paramiko.SSHClient` class
    */
-  override predicate isSink(DataFlow::Node sink) {
+  predicate isSink(DataFlow::Node sink) {
     sink = paramikoClient().getMember("exec_command").getACall().getParameter(0, "command").asSink()
     or
     sink = paramikoClient().getMember("connect").getACall().getParameter(11, "sock").asSink()
@@ -42,7 +39,7 @@ class ParamikoCmdInjectionConfiguration extends TaintTracking::Configuration {
   /**
    * this additional taint step help taint tracking to find the vulnerable `connect` method of `paramiko.SSHClient` class
    */
-  override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+  predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     exists(API::CallNode call |
       call = API::moduleImport("paramiko").getMember("ProxyCommand").getACall() and
       nodeFrom = call.getParameter(0, "command_line").asSink() and
@@ -51,7 +48,12 @@ class ParamikoCmdInjectionConfiguration extends TaintTracking::Configuration {
   }
 }
 
-from ParamikoCmdInjectionConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
+/** Global taint-tracking for detecting "paramiko command injection" vulnerabilities. */
+module ParamikoFlow = TaintTracking::Global<ParamikoConfig>;
+
+import ParamikoFlow::PathGraph
+
+from ParamikoFlow::PathNode source, ParamikoFlow::PathNode sink
+where ParamikoFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "This code execution depends on a $@.", source.getNode(),
   "a user-provided value"

python/ql/src/experimental/Security/CWE-079/EmailXss.ql

@@ -15,10 +15,10 @@
 
 // determine precision above
 import python
-import experimental.semmle.python.security.dataflow.ReflectedXSS
-import DataFlow::PathGraph
+import experimental.semmle.python.security.dataflow.EmailXss
+import EmailXssFlow::PathGraph
 
-from ReflectedXssConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
+from EmailXssFlow::PathNode source, EmailXssFlow::PathNode sink
+where EmailXssFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "Cross-site scripting vulnerability due to $@.",
   source.getNode(), "a user-provided value"

python/ql/src/experimental/Security/CWE-113/HeaderInjection.ql

@@ -14,9 +14,9 @@
 // determine precision above
 import python
 import experimental.semmle.python.security.injection.HTTPHeaders
-import DataFlow::PathGraph
+import HeaderInjectionFlow::PathGraph
 
-from HeaderInjectionFlowConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
+from HeaderInjectionFlow::PathNode source, HeaderInjectionFlow::PathNode sink
+where HeaderInjectionFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "This HTTP header is constructed from a $@.", source.getNode(),
   "user-provided value"

python/ql/src/experimental/Security/CWE-1236/CsvInjection.ql

@@ -11,11 +11,11 @@
  */
 
 import python
-import DataFlow::PathGraph
+import CsvInjectionFlow::PathGraph
 import semmle.python.dataflow.new.DataFlow
 import experimental.semmle.python.security.injection.CsvInjection
 
-from CsvInjectionFlowConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
+from CsvInjectionFlow::PathNode source, CsvInjectionFlow::PathNode sink
+where CsvInjectionFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "Csv injection might include code from $@.", source.getNode(),
   "this user input"

python/ql/src/experimental/Security/CWE-176/UnicodeBypassValidation.ql

@@ -14,10 +14,10 @@
 
 import python
 import UnicodeBypassValidationQuery
-import DataFlow::PathGraph
+import UnicodeBypassValidationFlow::PathGraph
 
-from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
+from UnicodeBypassValidationFlow::PathNode source, UnicodeBypassValidationFlow::PathNode sink
+where UnicodeBypassValidationFlow::flowPath(source, sink)
 select sink.getNode(), source, sink,
   "This $@ processes unsafely $@ and any logical validation in-between could be bypassed using special Unicode characters.",
   sink.getNode(), "Unicode transformation (Unicode normalization)", source.getNode(),

python/ql/src/experimental/Security/CWE-176/UnicodeBypassValidationQuery.qll

@@ -3,6 +3,7 @@
  */
 
 private import python
+import semmle.python.dataflow.new.DataFlow
 import semmle.python.ApiGraphs
 import semmle.python.Concepts
 import semmle.python.dataflow.new.internal.DataFlowPublic
@@ -27,16 +28,15 @@ class PostValidation extends DataFlow::FlowState {
  * This configuration uses two flow states, `PreValidation` and `PostValidation`,
  * to track the requirement that a logical validation has been performed before the Unicode Transformation.
  */
-class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "UnicodeBypassValidation" }
+private module UnicodeBypassValidationConfig implements DataFlow::StateConfigSig {
+  class FlowState = DataFlow::FlowState;
 
-  override predicate isSource(DataFlow::Node source, DataFlow::FlowState state) {
+  predicate isSource(DataFlow::Node source, FlowState state) {
     source instanceof RemoteFlowSource and state instanceof PreValidation
   }
 
-  override predicate isAdditionalTaintStep(
-    DataFlow::Node nodeFrom, DataFlow::FlowState stateFrom, DataFlow::Node nodeTo,
-    DataFlow::FlowState stateTo
+  predicate isAdditionalFlowStep(
+    DataFlow::Node nodeFrom, FlowState stateFrom, DataFlow::Node nodeTo, FlowState stateTo
   ) {
     (
       exists(Escaping escaping | nodeFrom = escaping.getAnInput() and nodeTo = escaping.getOutput())
@@ -51,7 +51,7 @@ class Configuration extends TaintTracking::Configuration {
   }
 
   /* A Unicode Tranformation (Unicode tranformation) is considered a sink when the algorithm used is either NFC or NFKC.  */
-  override predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) {
+  predicate isSink(DataFlow::Node sink, FlowState state) {
     exists(API::CallNode cn |
       cn = API::moduleImport("unicodedata").getMember("normalize").getACall() and
       sink = cn.getArg(1)
@@ -71,3 +71,6 @@ class Configuration extends TaintTracking::Configuration {
     state instanceof PostValidation
   }
 }
+
+/** Global taint-tracking for detecting "Unicode transformation mishandling" vulnerabilities. */
+module UnicodeBypassValidationFlow = TaintTracking::GlobalWithState<UnicodeBypassValidationConfig>;

python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHash/PossibleTimingAttackAgainstHash.ql

@@ -17,21 +17,25 @@ import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 import experimental.semmle.python.security.TimingAttack
-import DataFlow::PathGraph
 
 /**
  * A configuration that tracks data flow from cryptographic operations
  * to equality test
  */
-class PossibleTimingAttackAgainstHash extends TaintTracking::Configuration {
-  PossibleTimingAttackAgainstHash() { this = "PossibleTimingAttackAgainstHash" }
+private module PossibleTimingAttackAgainstHashConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof ProduceCryptoCall }
 
-  override predicate isSource(DataFlow::Node source) { source instanceof ProduceCryptoCall }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof NonConstantTimeComparisonSink }
+  predicate isSink(DataFlow::Node sink) { sink instanceof NonConstantTimeComparisonSink }
 }
 
-from PossibleTimingAttackAgainstHash config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
+module PossibleTimingAttackAgainstHashFlow =
+  TaintTracking::Global<PossibleTimingAttackAgainstHashConfig>;
+
+import PossibleTimingAttackAgainstHashFlow::PathGraph
+
+from
+  PossibleTimingAttackAgainstHashFlow::PathNode source,
+  PossibleTimingAttackAgainstHashFlow::PathNode sink
+where PossibleTimingAttackAgainstHashFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "Possible Timing attack against $@ validation.",
   source.getNode().(ProduceCryptoCall).getResultType(), "message"

python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHash/TimingAttackAgainstHash.ql

@@ -16,23 +16,24 @@ import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 import experimental.semmle.python.security.TimingAttack
-import DataFlow::PathGraph
 
 /**
  * A configuration that tracks data flow from cryptographic operations
  * to Equality test.
  */
-class TimingAttackAgainsthash extends TaintTracking::Configuration {
-  TimingAttackAgainsthash() { this = "TimingAttackAgainsthash" }
+private module TimingAttackAgainstHashConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof ProduceCryptoCall }
 
-  override predicate isSource(DataFlow::Node source) { source instanceof ProduceCryptoCall }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof NonConstantTimeComparisonSink }
+  predicate isSink(DataFlow::Node sink) { sink instanceof NonConstantTimeComparisonSink }
 }
 
-from TimingAttackAgainsthash config, DataFlow::PathNode source, DataFlow::PathNode sink
+module TimingAttackAgainstHashFlow = TaintTracking::Global<TimingAttackAgainstHashConfig>;
+
+import TimingAttackAgainstHashFlow::PathGraph
+
+from TimingAttackAgainstHashFlow::PathNode source, TimingAttackAgainstHashFlow::PathNode sink
 where
-  config.hasFlowPath(source, sink) and
+  TimingAttackAgainstHashFlow::flowPath(source, sink) and
   sink.getNode().(NonConstantTimeComparisonSink).includesUserInput()
 select sink.getNode(), source, sink, "Timing attack against $@ validation.",
   source.getNode().(ProduceCryptoCall).getResultType(), "message"

python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHeaderValue/TimingAttackAgainstHeaderValue.ql

@@ -15,20 +15,26 @@ import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 import experimental.semmle.python.security.TimingAttack
-import DataFlow::PathGraph
 
 /**
  * A configuration tracing flow from  a client Secret obtained by an HTTP header to a unsafe Comparison.
  */
-class ClientSuppliedSecretConfig extends TaintTracking::Configuration {
-  ClientSuppliedSecretConfig() { this = "ClientSuppliedSecretConfig" }
+private module TimingAttackAgainstHeaderValueConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof ClientSuppliedSecret }
 
-  override predicate isSource(DataFlow::Node source) { source instanceof ClientSuppliedSecret }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof CompareSink }
+  predicate isSink(DataFlow::Node sink) { sink instanceof CompareSink }
 }
 
-from ClientSuppliedSecretConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink) and not sink.getNode().(CompareSink).flowtolen()
+module TimingAttackAgainstHeaderValueFlow =
+  TaintTracking::Global<TimingAttackAgainstHeaderValueConfig>;
+
+import TimingAttackAgainstHeaderValueFlow::PathGraph
+
+from
+  TimingAttackAgainstHeaderValueFlow::PathNode source,
+  TimingAttackAgainstHeaderValueFlow::PathNode sink
+where
+  TimingAttackAgainstHeaderValueFlow::flowPath(source, sink) and
+  not sink.getNode().(CompareSink).flowtolen()
 select sink.getNode(), source, sink, "Timing attack against $@ validation.", source.getNode(),
   "client-supplied token"

python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstSensitiveInfo/PossibleTimingAttackAgainstSensitiveInfo.ql

@@ -15,20 +15,24 @@ import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 import experimental.semmle.python.security.TimingAttack
-import DataFlow::PathGraph
 
 /**
  * A configuration tracing flow from obtaining a client Secret to a unsafe Comparison.
  */
-class ClientSuppliedSecretConfig extends TaintTracking::Configuration {
-  ClientSuppliedSecretConfig() { this = "ClientSuppliedSecretConfig" }
+private module PossibleTimingAttackAgainstSensitiveInfoConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof SecretSource }
 
-  override predicate isSource(DataFlow::Node source) { source instanceof SecretSource }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof NonConstantTimeComparisonSink }
+  predicate isSink(DataFlow::Node sink) { sink instanceof NonConstantTimeComparisonSink }
 }
 
-from ClientSuppliedSecretConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
+module PossibleTimingAttackAgainstSensitiveInfoFlow =
+  TaintTracking::Global<PossibleTimingAttackAgainstSensitiveInfoConfig>;
+
+import PossibleTimingAttackAgainstSensitiveInfoFlow::PathGraph
+
+from
+  PossibleTimingAttackAgainstSensitiveInfoFlow::PathNode source,
+  PossibleTimingAttackAgainstSensitiveInfoFlow::PathNode sink
+where PossibleTimingAttackAgainstSensitiveInfoFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "Timing attack against $@ validation.", source.getNode(),
   "client-supplied token"

python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.ql

@@ -15,22 +15,25 @@ import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 import experimental.semmle.python.security.TimingAttack
-import DataFlow::PathGraph
+import TimingAttackAgainstSensitiveInfoFlow::PathGraph
 
 /**
  * A configuration tracing flow from obtaining a client Secret to a unsafe Comparison.
  */
-class ClientSuppliedSecretConfig extends TaintTracking::Configuration {
-  ClientSuppliedSecretConfig() { this = "ClientSuppliedSecretConfig" }
+private module TimingAttackAgainstSensitiveInfoConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof SecretSource }
 
-  override predicate isSource(DataFlow::Node source) { source instanceof SecretSource }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof NonConstantTimeComparisonSink }
+  predicate isSink(DataFlow::Node sink) { sink instanceof NonConstantTimeComparisonSink }
 }
 
-from ClientSuppliedSecretConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
+module TimingAttackAgainstSensitiveInfoFlow =
+  TaintTracking::Global<TimingAttackAgainstSensitiveInfoConfig>;
+
+from
+  TimingAttackAgainstSensitiveInfoFlow::PathNode source,
+  TimingAttackAgainstSensitiveInfoFlow::PathNode sink
 where
-  config.hasFlowPath(source, sink) and
+  TimingAttackAgainstSensitiveInfoFlow::flowPath(source, sink) and
   (
     source.getNode().(SecretSource).includesUserInput() or
     sink.getNode().(NonConstantTimeComparisonSink).includesUserInput()

python/ql/src/experimental/Security/CWE-287-ConstantSecretKey/WebAppConstantSecretKey.ql

@@ -25,7 +25,7 @@ newtype TFrameWork =
   Flask() or
   Django()
 
-module WebAppConstantSecretKeyConfig implements DataFlow::StateConfigSig {
+private module WebAppConstantSecretKeyConfig implements DataFlow::StateConfigSig {
   class FlowState = TFrameWork;
 
   predicate isSource(DataFlow::Node source, FlowState state) {
@@ -54,11 +54,11 @@ module WebAppConstantSecretKeyConfig implements DataFlow::StateConfigSig {
   }
 }
 
-module WebAppConstantSecretKey = TaintTracking::GlobalWithState<WebAppConstantSecretKeyConfig>;
+module WebAppConstantSecretKeyFlow = TaintTracking::GlobalWithState<WebAppConstantSecretKeyConfig>;
 
-import WebAppConstantSecretKey::PathGraph
+import WebAppConstantSecretKeyFlow::PathGraph
 
-from WebAppConstantSecretKey::PathNode source, WebAppConstantSecretKey::PathNode sink
-where WebAppConstantSecretKey::flowPath(source, sink)
+from WebAppConstantSecretKeyFlow::PathNode source, WebAppConstantSecretKeyFlow::PathNode sink
+where WebAppConstantSecretKeyFlow::flowPath(source, sink)
 select sink, source, sink, "The SECRET_KEY config variable is assigned by $@.", source,
   " this constant String"

python/ql/src/experimental/Security/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql

@@ -96,7 +96,7 @@ newtype TAzureFlowState =
   MkUsesV1Encryption() or
   MkUsesNoEncryption()
 
-module AzureBlobClientConfig implements DataFlow::StateConfigSig {
+private module AzureBlobClientConfig implements DataFlow::StateConfigSig {
   class FlowState = TAzureFlowState;
 
   predicate isSource(DataFlow::Node node, FlowState state) {
@@ -147,10 +147,10 @@ module AzureBlobClientConfig implements DataFlow::StateConfigSig {
   }
 }
 
-module AzureBlobClient = DataFlow::GlobalWithState<AzureBlobClientConfig>;
+module AzureBlobClientFlow = DataFlow::GlobalWithState<AzureBlobClientConfig>;
 
-import AzureBlobClient::PathGraph
+import AzureBlobClientFlow::PathGraph
 
-from AzureBlobClient::PathNode source, AzureBlobClient::PathNode sink
-where AzureBlobClient::flowPath(source, sink)
+from AzureBlobClientFlow::PathNode source, AzureBlobClientFlow::PathNode sink
+where AzureBlobClientFlow::flowPath(source, sink)
 select sink, source, sink, "Unsafe usage of v1 version of Azure Storage client-side encryption"

python/ql/src/experimental/Security/CWE-338/InsecureRandomness.ql

@@ -14,11 +14,11 @@
  */
 
 import python
-import experimental.semmle.python.security.InsecureRandomness::InsecureRandomness
+import experimental.semmle.python.security.InsecureRandomness
 import semmle.python.dataflow.new.DataFlow
-import DataFlow::PathGraph
+import InsecureRandomness::Flow::PathGraph
 
-from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
-where cfg.hasFlowPath(source, sink)
+from InsecureRandomness::Flow::PathNode source, InsecureRandomness::Flow::PathNode sink
+where InsecureRandomness::Flow::flowPath(source, sink)
 select sink.getNode(), source, sink, "Cryptographically insecure $@ in a security context.",
   source.getNode(), "random value"

python/ql/src/experimental/Security/CWE-340/TokenBuiltFromUUID.ql

@@ -16,7 +16,6 @@ import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.ApiGraphs
 import semmle.python.dataflow.new.TaintTracking
-import DataFlow::PathGraph
 
 class PredictableResultSource extends DataFlow::Node {
   PredictableResultSource() {
@@ -40,14 +39,12 @@ class TokenAssignmentValueSink extends DataFlow::Node {
   }
 }
 
-class TokenBuiltFromUuidConfig extends TaintTracking::Configuration {
-  TokenBuiltFromUuidConfig() { this = "TokenBuiltFromUuidConfig" }
+private module TokenBuiltFromUuidConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof PredictableResultSource }
 
-  override predicate isSource(DataFlow::Node source) { source instanceof PredictableResultSource }
+  predicate isSink(DataFlow::Node sink) { sink instanceof TokenAssignmentValueSink }
 
-  override predicate isSink(DataFlow::Node sink) { sink instanceof TokenAssignmentValueSink }
-
-  override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+  predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     exists(DataFlow::CallCfgNode call |
       call = API::builtin("str").getACall() and
       nodeFrom = call.getArg(0) and
@@ -56,6 +53,11 @@ class TokenBuiltFromUuidConfig extends TaintTracking::Configuration {
   }
 }
 
-from DataFlow::PathNode source, DataFlow::PathNode sink, TokenBuiltFromUuidConfig config
-where config.hasFlowPath(source, sink)
+/** Global taint-tracking for detecting "TokenBuiltFromUUID" vulnerabilities. */
+module TokenBuiltFromUuidFlow = TaintTracking::Global<TokenBuiltFromUuidConfig>;
+
+import TokenBuiltFromUuidFlow::PathGraph
+
+from TokenBuiltFromUuidFlow::PathNode source, TokenBuiltFromUuidFlow::PathNode sink
+where TokenBuiltFromUuidFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "Token built from $@.", source.getNode(), "predictable value"

python/ql/src/experimental/Security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql

@@ -16,21 +16,19 @@ import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 import semmle.python.ApiGraphs
 import ClientSuppliedIpUsedInSecurityCheckLib
-import DataFlow::PathGraph
+import ClientSuppliedIpUsedInSecurityCheckFlow::PathGraph
 
 /**
  * A taint-tracking configuration tracing flow from obtaining a client ip from an HTTP header to a sensitive use.
  */
-class ClientSuppliedIpUsedInSecurityCheckConfig extends TaintTracking::Configuration {
-  ClientSuppliedIpUsedInSecurityCheckConfig() { this = "ClientSuppliedIpUsedInSecurityCheckConfig" }
-
-  override predicate isSource(DataFlow::Node source) {
+private module ClientSuppliedIpUsedInSecurityCheckConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
     source instanceof ClientSuppliedIpUsedInSecurityCheck
   }
 
-  override predicate isSink(DataFlow::Node sink) { sink instanceof PossibleSecurityCheck }
+  predicate isSink(DataFlow::Node sink) { sink instanceof PossibleSecurityCheck }
 
-  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+  predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
     exists(DataFlow::CallCfgNode ccn |
       ccn = API::moduleImport("netaddr").getMember("IPAddress").getACall() and
       ccn.getArg(0) = pred and
@@ -38,7 +36,7 @@ class ClientSuppliedIpUsedInSecurityCheckConfig extends TaintTracking::Configura
     )
   }
 
-  override predicate isSanitizer(DataFlow::Node node) {
+  predicate isBarrier(DataFlow::Node node) {
     // `client_supplied_ip.split(",")[n]` for `n` > 0
     exists(Subscript ss |
       not ss.getIndex().(IntegerLiteral).getText() = "0" and
@@ -49,9 +47,13 @@ class ClientSuppliedIpUsedInSecurityCheckConfig extends TaintTracking::Configura
   }
 }
 
+/** Global taint-tracking for detecting "client ip used in security check" vulnerabilities. */
+module ClientSuppliedIpUsedInSecurityCheckFlow =
+  TaintTracking::Global<ClientSuppliedIpUsedInSecurityCheckConfig>;
+
 from
-  ClientSuppliedIpUsedInSecurityCheckConfig config, DataFlow::PathNode source,
-  DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
+  ClientSuppliedIpUsedInSecurityCheckFlow::PathNode source,
+  ClientSuppliedIpUsedInSecurityCheckFlow::PathNode sink
+where ClientSuppliedIpUsedInSecurityCheckFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "IP address spoofing might include code from $@.",
   source.getNode(), "this user input"

python/ql/src/experimental/Security/CWE-522/LdapInsecureAuth.ql

@@ -12,9 +12,9 @@
 
 // determine precision above
 import python
-import DataFlow::PathGraph
-import experimental.semmle.python.security.LDAPInsecureAuth
+import experimental.semmle.python.security.LdapInsecureAuth
+import LdapInsecureAuthFlow::PathGraph
 
-from LdapInsecureAuthConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
+from LdapInsecureAuthFlow::PathNode source, LdapInsecureAuthFlow::PathNode sink
+where LdapInsecureAuthFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "This LDAP host is authenticated insecurely."

python/ql/src/experimental/Security/CWE-614/CookieInjection.ql

@@ -15,13 +15,11 @@ import semmle.python.dataflow.new.DataFlow
 import experimental.semmle.python.Concepts
 import experimental.semmle.python.CookieHeader
 import experimental.semmle.python.security.injection.CookieInjection
-import DataFlow::PathGraph
+import CookieInjectionFlow::PathGraph
 
-from
-  CookieInjectionFlowConfig config, DataFlow::PathNode source, DataFlow::PathNode sink,
-  string insecure
+from CookieInjectionFlow::PathNode source, CookieInjectionFlow::PathNode sink, string insecure
 where
-  config.hasFlowPath(source, sink) and
+  CookieInjectionFlow::flowPath(source, sink) and
   if exists(sink.getNode().(CookieSink))
   then insecure = ",and its " + sink.getNode().(CookieSink).getFlag() + " flag is not properly set."
   else insecure = "."

python/ql/src/experimental/Security/UnsafeUnpackQuery.qll

@@ -39,10 +39,8 @@ class AllTarfileOpens extends API::CallNode {
   }
 }
 
-class UnsafeUnpackingConfig extends TaintTracking::Configuration {
-  UnsafeUnpackingConfig() { this = "UnsafeUnpackingConfig" }
-
-  override predicate isSource(DataFlow::Node source) {
+module UnsafeUnpackConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
     // A source coming from a remote location
     source instanceof RemoteFlowSource
     or
@@ -92,7 +90,7 @@ class UnsafeUnpackingConfig extends TaintTracking::Configuration {
     source.(AttrRead).getAttributeName() = "FILES"
   }
 
-  override predicate isSink(DataFlow::Node sink) {
+  predicate isSink(DataFlow::Node sink) {
     (
       // A sink capturing method calls to `unpack_archive`.
       sink = API::moduleImport("shutil").getMember("unpack_archive").getACall().getArg(0)
@@ -136,7 +134,7 @@ class UnsafeUnpackingConfig extends TaintTracking::Configuration {
     not sink.getScope().getLocation().getFile().inStdlib()
   }
 
-  override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+  predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     // Reading the response
     nodeTo.(MethodCallNode).calls(nodeFrom, "read")
     or
@@ -211,3 +209,6 @@ class UnsafeUnpackingConfig extends TaintTracking::Configuration {
     )
   }
 }
+
+/** Global taint-tracking for detecting "UnsafeUnpacking" vulnerabilities. */
+module UnsafeUnpackFlow = TaintTracking::Global<UnsafeUnpackConfig>;

python/ql/src/experimental/semmle/python/libraries/SmtpLib.qll

@@ -2,7 +2,7 @@ private import python
 private import semmle.python.dataflow.new.DataFlow
 private import experimental.semmle.python.Concepts
 private import semmle.python.ApiGraphs
-private import semmle.python.dataflow.new.TaintTracking2
+private import semmle.python.dataflow.new.TaintTracking
 
 module SmtpLib {
   /** Gets a reference to `smtplib.SMTP_SSL` */
@@ -31,16 +31,16 @@ module SmtpLib {
    * argument. Used because of the impossibility to get local source nodes from `_subparts`'
    * `(List|Tuple)` elements.
    */
-  private class SmtpMessageConfig extends TaintTracking2::Configuration {
-    SmtpMessageConfig() { this = "SMTPMessageConfig" }
+  private module SmtpMessageConfig implements DataFlow::ConfigSig {
+    predicate isSource(DataFlow::Node source) { source = mimeText(_) }
 
-    override predicate isSource(DataFlow::Node source) { source = mimeText(_) }
-
-    override predicate isSink(DataFlow::Node sink) {
+    predicate isSink(DataFlow::Node sink) {
       sink = smtpMimeMultipartInstance().getACall().getArgByName("_subparts")
     }
   }
 
+  module SmtpMessageFlow = TaintTracking::Global<SmtpMessageConfig>;
+
   /**
    * Using the `MimeText` call retrieves the content argument whose type argument equals `mimetype`.
    * This call flows into `MIMEMultipart`'s `_subparts` argument or the `.attach()` method call
@@ -87,8 +87,7 @@ module SmtpLib {
         sink =
           [sendCall.getArg(2), sendCall.getArg(2).(DataFlow::MethodCallNode).getObject()]
               .getALocalSource() and
-        any(SmtpMessageConfig a)
-            .hasFlow(source, sink.(DataFlow::CallCfgNode).getArgByName("_subparts"))
+        SmtpMessageFlow::flow(source, sink.(DataFlow::CallCfgNode).getArgByName("_subparts"))
         or
         // via .attach()
         sink = smtpMimeMultipartInstance().getReturn().getMember("attach").getACall() and

python/ql/src/experimental/semmle/python/security/InsecureRandomness.qll

@@ -21,17 +21,14 @@ module InsecureRandomness {
    * A taint-tracking configuration for reasoning about random values that are
    * not cryptographically secure.
    */
-  class Configuration extends TaintTracking::Configuration {
-    Configuration() { this = "InsecureRandomness" }
+  private module Config implements DataFlow::ConfigSig {
+    predicate isSource(DataFlow::Node source) { source instanceof Source }
 
-    override predicate isSource(DataFlow::Node source) { source instanceof Source }
+    predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
-    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-    override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-
-    deprecated override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
-      guard instanceof SanitizerGuard
-    }
+    predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
   }
+
+  /** Global taint-tracking for detecting "random values that are not cryptographically secure" vulnerabilities. */
+  module Flow = TaintTracking::Global<Config>;
 }

python/ql/src/experimental/semmle/python/security/LdapInsecureAuth.qll

@@ -88,10 +88,8 @@ class LdapStringVar extends BinaryExpr {
 /**
  * A taint-tracking configuration for detecting LDAP insecure authentications.
  */
-class LdapInsecureAuthConfig extends TaintTracking::Configuration {
-  LdapInsecureAuthConfig() { this = "LDAPInsecureAuthConfig" }
-
-  override predicate isSource(DataFlow::Node source) {
+private module LdapInsecureAuthConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
     source instanceof RemoteFlowSource or
     source.asExpr() instanceof LdapFullHost or
     source.asExpr() instanceof LdapBothStrings or
@@ -100,7 +98,10 @@ class LdapInsecureAuthConfig extends TaintTracking::Configuration {
     source.asExpr() instanceof LdapStringVar
   }
 
-  override predicate isSink(DataFlow::Node sink) {
+  predicate isSink(DataFlow::Node sink) {
     exists(LdapBind ldapBind | not ldapBind.useSsl() and sink = ldapBind.getHost())
   }
 }
+
+/** Global taint-tracking for detecting "LDAP insecure authentications" vulnerabilities. */
+module LdapInsecureAuthFlow = TaintTracking::Global<LdapInsecureAuthConfig>;

python/ql/src/experimental/semmle/python/security/TimingAttack.qll

@@ -1,8 +1,6 @@
 private import python
-private import semmle.python.dataflow.new.TaintTracking2
 private import semmle.python.dataflow.new.TaintTracking
 private import semmle.python.dataflow.new.DataFlow
-private import semmle.python.dataflow.new.DataFlow2
 private import semmle.python.ApiGraphs
 private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.frameworks.Flask
@@ -164,9 +162,7 @@ class NonConstantTimeComparisonSink extends DataFlow::Node {
 
   /** Holds if remote user input was used in the comparison. */
   predicate includesUserInput() {
-    exists(UserInputInComparisonConfig config |
-      config.hasFlowTo(DataFlow2::exprNode(anotherParameter))
-    )
+    UserInputInComparisonFlow::flowTo(DataFlow::exprNode(anotherParameter))
   }
 }
 
@@ -177,9 +173,7 @@ class SecretSource extends DataFlow::Node {
   SecretSource() { secret = this.asExpr() }
 
   /** Holds if the secret was deliverd by remote user. */
-  predicate includesUserInput() {
-    exists(UserInputSecretConfig config | config.hasFlowTo(DataFlow2::exprNode(secret)))
-  }
+  predicate includesUserInput() { UserInputSecretFlow::flowTo(DataFlow::exprNode(secret)) }
 }
 
 /** A string for `match` that identifies strings that look like they represent secret data. */
@@ -267,23 +261,21 @@ private string sensitiveheaders() {
 /**
  * A config that tracks data flow from remote user input to Variable that hold sensitive info
  */
-class UserInputSecretConfig extends TaintTracking::Configuration {
-  UserInputSecretConfig() { this = "UserInputSecretConfig" }
+module UserInputSecretConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof CredentialExpr }
+  predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof CredentialExpr }
 }
 
+module UserInputSecretFlow = TaintTracking::Global<UserInputSecretConfig>;
+
 /**
  * A config that tracks data flow from remote user input to Equality test
  */
-class UserInputInComparisonConfig extends TaintTracking2::Configuration {
-  UserInputInComparisonConfig() { this = "UserInputInComparisonConfig" }
+module UserInputInComparisonConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) {
+  predicate isSink(DataFlow::Node sink) {
     exists(Compare cmp, Expr left, Expr right, Cmpop cmpop |
       cmpop.getSymbol() = ["==", "in", "is not", "!="] and
       cmp.compares(left, cmpop, right) and
@@ -292,15 +284,15 @@ class UserInputInComparisonConfig extends TaintTracking2::Configuration {
   }
 }
 
+module UserInputInComparisonFlow = TaintTracking::Global<UserInputInComparisonConfig>;
+
 /**
  * A configuration tracing flow from  a client Secret obtained by an HTTP header to a len() function.
  */
-private class ExcludeLenFunc extends TaintTracking2::Configuration {
-  ExcludeLenFunc() { this = "ExcludeLenFunc" }
+private module ExcludeLenFuncConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof ClientSuppliedSecret }
 
-  override predicate isSource(DataFlow::Node source) { source instanceof ClientSuppliedSecret }
-
-  override predicate isSink(DataFlow::Node sink) {
+  predicate isSink(DataFlow::Node sink) {
     exists(Call call |
       call.getFunc().(Name).getId() = "len" and
       sink.asExpr() = call.getArg(0)
@@ -308,6 +300,8 @@ private class ExcludeLenFunc extends TaintTracking2::Configuration {
   }
 }
 
+module ExcludeLenFuncFlow = TaintTracking::Global<ExcludeLenFuncConfig>;
+
 /**
  * Holds if there is a fast-fail check.
  */
@@ -343,8 +337,7 @@ class CompareSink extends DataFlow::Node {
    * Holds if there is a flow to len().
    */
   predicate flowtolen() {
-    exists(ExcludeLenFunc config, DataFlow2::PathNode source, DataFlow2::PathNode sink |
-      config.hasFlowPath(source, sink)
-    )
+    // TODO: Fly by comment: I don't understand this code at all, seems very strange.
+    ExcludeLenFuncFlow::flowPath(_, _)
   }
 }

python/ql/src/experimental/semmle/python/security/ZipSlip.qll

@@ -4,10 +4,8 @@ import semmle.python.dataflow.new.DataFlow
 import semmle.python.ApiGraphs
 import semmle.python.dataflow.new.TaintTracking
 
-class ZipSlipConfig extends TaintTracking::Configuration {
-  ZipSlipConfig() { this = "ZipSlipConfig" }
-
-  override predicate isSource(DataFlow::Node source) {
+private module ZipSlipConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
     (
       source =
         API::moduleImport("zipfile").getMember("ZipFile").getReturn().getMember("open").getACall() or
@@ -29,7 +27,7 @@ class ZipSlipConfig extends TaintTracking::Configuration {
     not source.getScope().getLocation().getFile().inStdlib()
   }
 
-  override predicate isSink(DataFlow::Node sink) {
+  predicate isSink(DataFlow::Node sink) {
     (
       sink = any(CopyFile copyfile).getAPathArgument() or
       sink = any(CopyFile copyfile).getfsrcArgument()
@@ -37,3 +35,6 @@ class ZipSlipConfig extends TaintTracking::Configuration {
     not sink.getScope().getLocation().getFile().inStdlib()
   }
 }
+
+/** Global taint-tracking for detecting "zip slip" vulnerabilities. */
+module ZipSlipFlow = TaintTracking::Global<ZipSlipConfig>;

python/ql/src/experimental/semmle/python/security/dataflow/EmailXss.qll

@@ -1,6 +1,5 @@
 /**
- * Provides a taint-tracking configuration for detecting reflected server-side
- * cross-site scripting vulnerabilities.
+ * Provides a taint-tracking configuration for detecting "Email XSS" vulnerabilities.
  */
 
 import python
@@ -12,24 +11,18 @@ import experimental.semmle.python.Concepts
 import semmle.python.Concepts
 import semmle.python.ApiGraphs
 
-/**
- * A taint-tracking configuration for detecting reflected server-side cross-site
- * scripting vulnerabilities.
- */
-class ReflectedXssConfiguration extends TaintTracking::Configuration {
-  ReflectedXssConfiguration() { this = "ReflectedXssConfiguration" }
+private module EmailXssConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSink(DataFlow::Node sink) { sink = any(EmailSender email).getHtmlBody() }
 
-  override predicate isSink(DataFlow::Node sink) { sink = any(EmailSender email).getHtmlBody() }
-
-  override predicate isSanitizer(DataFlow::Node sanitizer) {
+  predicate isBarrier(DataFlow::Node sanitizer) {
     sanitizer = any(HtmlEscaping esc).getOutput()
     or
     sanitizer instanceof StringConstCompareBarrier
   }
 
-  override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+  predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     exists(DataFlow::CallCfgNode htmlContentCall |
       htmlContentCall =
         API::moduleImport("sendgrid")
@@ -42,3 +35,6 @@ class ReflectedXssConfiguration extends TaintTracking::Configuration {
     )
   }
 }
+
+/** Global taint-tracking for detecting "Email XSS" vulnerabilities. */
+module EmailXssFlow = TaintTracking::Global<EmailXssConfig>;

python/ql/src/experimental/semmle/python/security/injection/CookieInjection.qll

@@ -29,12 +29,13 @@ class CookieSink extends DataFlow::Node {
 /**
  * A taint-tracking configuration for detecting Cookie injections.
  */
-class CookieInjectionFlowConfig extends TaintTracking::Configuration {
-  CookieInjectionFlowConfig() { this = "CookieInjectionFlowConfig" }
+private module CookieInjectionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) {
+  predicate isSink(DataFlow::Node sink) {
     exists(Cookie c | sink in [c.getNameArg(), c.getValueArg()])
   }
 }
+
+/** Global taint-tracking for detecting "Cookie injections" vulnerabilities. */
+module CookieInjectionFlow = TaintTracking::Global<CookieInjectionConfig>;

python/ql/src/experimental/semmle/python/security/injection/CsvInjection.qll

@@ -8,14 +8,12 @@ import semmle.python.dataflow.new.RemoteFlowSources
 /**
  * A taint-tracking configuration for tracking untrusted user input used in file read.
  */
-class CsvInjectionFlowConfig extends TaintTracking::Configuration {
-  CsvInjectionFlowConfig() { this = "CsvInjectionFlowConfig" }
+private module CsvInjectionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSink(DataFlow::Node sink) { sink = any(CsvWriter cw).getAnInput() }
 
-  override predicate isSink(DataFlow::Node sink) { sink = any(CsvWriter cw).getAnInput() }
-
-  override predicate isSanitizer(DataFlow::Node node) {
+  predicate isBarrier(DataFlow::Node node) {
     node = DataFlow::BarrierGuard<startsWithCheck/3>::getABarrierNode() or
     node instanceof StringConstCompareBarrier
   }
@@ -29,3 +27,6 @@ private predicate startsWithCheck(DataFlow::GuardNode g, ControlFlowNode node, b
     branch = true
   )
 }
+
+/** Global taint-tracking for detecting "CSV injection" vulnerabilities. */
+module CsvInjectionFlow = TaintTracking::Global<CsvInjectionConfig>;

python/ql/src/experimental/semmle/python/security/injection/HTTPHeaders.qll

@@ -7,14 +7,15 @@ import semmle.python.dataflow.new.RemoteFlowSources
 /**
  * A taint-tracking configuration for detecting HTTP Header injections.
  */
-class HeaderInjectionFlowConfig extends TaintTracking::Configuration {
-  HeaderInjectionFlowConfig() { this = "HeaderInjectionFlowConfig" }
+private module HeaderInjectionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) {
+  predicate isSink(DataFlow::Node sink) {
     exists(HeaderDeclaration headerDeclaration |
       sink in [headerDeclaration.getNameArg(), headerDeclaration.getValueArg()]
     )
   }
 }
+
+/** Global taint-tracking for detecting "HTTP Header injection" vulnerabilities. */
+module HeaderInjectionFlow = TaintTracking::Global<HeaderInjectionConfig>;

python/ql/src/semmle/python/functions/ModificationOfParameterWithDefault.qll

@@ -16,9 +16,11 @@ module ModificationOfParameterWithDefault {
   import ModificationOfParameterWithDefaultCustomizations::ModificationOfParameterWithDefault
 
   /**
+   * DEPRECATED: Use `Flow` module instead.
+   *
    * A data-flow configuration for detecting modifications of a parameters default value.
    */
-  class Configuration extends DataFlow::Configuration {
+  deprecated class Configuration extends DataFlow::Configuration {
     /** Record whether the default value being tracked is non-empty. */
     boolean nonEmptyDefault;
 
@@ -43,4 +45,33 @@ module ModificationOfParameterWithDefault {
       nonEmptyDefault = false and node instanceof MustBeNonEmpty
     }
   }
+
+  private module Config implements DataFlow::StateConfigSig {
+    class FlowState = boolean;
+
+    predicate isSource(DataFlow::Node source, FlowState state) {
+      source.(Source).isNonEmpty() = state
+    }
+
+    predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+    predicate isSink(DataFlow::Node sink, FlowState state) {
+      // dummy implementation since this predicate is required, but actual logic is in
+      // the predicate above.
+      none()
+    }
+
+    predicate isBarrier(DataFlow::Node node, FlowState state) {
+      // if we are tracking a non-empty default, then it is ok to modify empty values,
+      // so our tracking ends at those.
+      state = true and node instanceof MustBeEmpty
+      or
+      // if we are tracking a empty default, then it is ok to modify non-empty values,
+      // so our tracking ends at those.
+      state = false and node instanceof MustBeNonEmpty
+    }
+  }
+
+  /** Global data-flow for detecting modifications of a parameters default value. */
+  module Flow = DataFlow::GlobalWithState<Config>;
 }

python/ql/test/experimental/query-tests/Security/CWE-022-TarSlip/TarSlip.expected

@@ -33,7 +33,8 @@ edges
 | TarSlipImprov.py:141:34:141:36 | GSSA Variable tar | TarSlipImprov.py:142:9:142:13 | GSSA Variable entry |
 | TarSlipImprov.py:142:9:142:13 | GSSA Variable entry | TarSlipImprov.py:143:36:143:40 | ControlFlowNode for entry |
 | TarSlipImprov.py:159:9:159:14 | SSA variable tar_cm | TarSlipImprov.py:162:20:162:23 | SSA variable tarc |
-| TarSlipImprov.py:159:26:159:51 | ControlFlowNode for Attribute() | TarSlipImprov.py:159:9:159:14 | SSA variable tar_cm |
+| TarSlipImprov.py:159:18:159:52 | ControlFlowNode for closing() | TarSlipImprov.py:159:9:159:14 | SSA variable tar_cm |
+| TarSlipImprov.py:159:26:159:51 | ControlFlowNode for Attribute() | TarSlipImprov.py:159:18:159:52 | ControlFlowNode for closing() |
 | TarSlipImprov.py:162:20:162:23 | SSA variable tarc | TarSlipImprov.py:169:9:169:12 | ControlFlowNode for tarc |
 | TarSlipImprov.py:176:6:176:31 | ControlFlowNode for Attribute() | TarSlipImprov.py:176:36:176:38 | GSSA Variable tar |
 | TarSlipImprov.py:176:36:176:38 | GSSA Variable tar | TarSlipImprov.py:177:9:177:13 | GSSA Variable entry |
@@ -122,6 +123,7 @@ nodes
 | TarSlipImprov.py:142:9:142:13 | GSSA Variable entry | semmle.label | GSSA Variable entry |
 | TarSlipImprov.py:143:36:143:40 | ControlFlowNode for entry | semmle.label | ControlFlowNode for entry |
 | TarSlipImprov.py:159:9:159:14 | SSA variable tar_cm | semmle.label | SSA variable tar_cm |
+| TarSlipImprov.py:159:18:159:52 | ControlFlowNode for closing() | semmle.label | ControlFlowNode for closing() |
 | TarSlipImprov.py:159:26:159:51 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
 | TarSlipImprov.py:162:20:162:23 | SSA variable tarc | semmle.label | SSA variable tarc |
 | TarSlipImprov.py:169:9:169:12 | ControlFlowNode for tarc | semmle.label | ControlFlowNode for tarc |

python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DataflowQueryTest.expected

@@ -1,3 +1,3 @@
 missingAnnotationOnSink
-failures
 testFailures
+failures

python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DataflowQueryTest.ql

@@ -1,4 +1,4 @@
 import python
 import experimental.dataflow.TestUtil.DataflowQueryTest
 import experimental.Security.UnsafeUnpackQuery
-import FromLegacyConfiguration<UnsafeUnpackingConfig>
+import FromTaintTrackingConfig<UnsafeUnpackConfig>

python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/UnsafeUnpack.expected

@@ -1,43 +1,86 @@
 edges
 | UnsafeUnpack.py:5:26:5:32 | ControlFlowNode for ImportMember | UnsafeUnpack.py:5:26:5:32 | GSSA Variable request |
 | UnsafeUnpack.py:5:26:5:32 | GSSA Variable request | UnsafeUnpack.py:11:18:11:24 | ControlFlowNode for request |
-| UnsafeUnpack.py:11:7:11:14 | SSA variable filename | UnsafeUnpack.py:13:13:13:20 | SSA variable response |
-| UnsafeUnpack.py:11:18:11:24 | ControlFlowNode for request | UnsafeUnpack.py:11:7:11:14 | SSA variable filename |
+| UnsafeUnpack.py:11:7:11:14 | SSA variable filename | UnsafeUnpack.py:13:24:13:58 | ControlFlowNode for Attribute() |
 | UnsafeUnpack.py:11:18:11:24 | ControlFlowNode for request | UnsafeUnpack.py:11:18:11:29 | ControlFlowNode for Attribute |
 | UnsafeUnpack.py:11:18:11:29 | ControlFlowNode for Attribute | UnsafeUnpack.py:11:18:11:49 | ControlFlowNode for Attribute() |
 | UnsafeUnpack.py:11:18:11:49 | ControlFlowNode for Attribute() | UnsafeUnpack.py:11:7:11:14 | SSA variable filename |
-| UnsafeUnpack.py:13:13:13:20 | SSA variable response | UnsafeUnpack.py:19:35:19:41 | ControlFlowNode for tarpath |
+| UnsafeUnpack.py:13:13:13:20 | SSA variable response | UnsafeUnpack.py:17:27:17:34 | ControlFlowNode for response |
+| UnsafeUnpack.py:13:24:13:58 | ControlFlowNode for Attribute() | UnsafeUnpack.py:13:13:13:20 | SSA variable response |
+| UnsafeUnpack.py:16:23:16:29 | ControlFlowNode for tarpath | UnsafeUnpack.py:19:35:19:41 | ControlFlowNode for tarpath |
+| UnsafeUnpack.py:17:19:17:19 | ControlFlowNode for f | UnsafeUnpack.py:16:23:16:29 | ControlFlowNode for tarpath |
+| UnsafeUnpack.py:17:27:17:34 | ControlFlowNode for response | UnsafeUnpack.py:17:27:17:38 | ControlFlowNode for Attribute |
+| UnsafeUnpack.py:17:27:17:38 | ControlFlowNode for Attribute | UnsafeUnpack.py:17:27:17:45 | ControlFlowNode for Attribute() |
+| UnsafeUnpack.py:17:27:17:45 | ControlFlowNode for Attribute() | UnsafeUnpack.py:17:19:17:19 | ControlFlowNode for f |
 | UnsafeUnpack.py:33:50:33:65 | ControlFlowNode for local_ziped_path | UnsafeUnpack.py:34:23:34:38 | ControlFlowNode for local_ziped_path |
 | UnsafeUnpack.py:47:20:47:34 | ControlFlowNode for compressed_file | UnsafeUnpack.py:48:23:48:37 | ControlFlowNode for compressed_file |
 | UnsafeUnpack.py:51:1:51:15 | GSSA Variable compressed_file | UnsafeUnpack.py:52:23:52:37 | ControlFlowNode for compressed_file |
 | UnsafeUnpack.py:51:19:51:36 | ControlFlowNode for Attribute() | UnsafeUnpack.py:51:1:51:15 | GSSA Variable compressed_file |
 | UnsafeUnpack.py:65:1:65:15 | GSSA Variable compressed_file | UnsafeUnpack.py:66:23:66:37 | ControlFlowNode for compressed_file |
 | UnsafeUnpack.py:65:19:65:31 | ControlFlowNode for Attribute | UnsafeUnpack.py:65:1:65:15 | GSSA Variable compressed_file |
-| UnsafeUnpack.py:79:1:79:12 | GSSA Variable url_filename | UnsafeUnpack.py:81:1:81:8 | GSSA Variable response |
-| UnsafeUnpack.py:79:1:79:12 | GSSA Variable url_filename | UnsafeUnpack.py:171:1:171:8 | GSSA Variable response |
+| UnsafeUnpack.py:79:1:79:12 | GSSA Variable url_filename | UnsafeUnpack.py:81:12:81:50 | ControlFlowNode for Attribute() |
+| UnsafeUnpack.py:79:1:79:12 | GSSA Variable url_filename | UnsafeUnpack.py:171:12:171:50 | ControlFlowNode for Attribute() |
 | UnsafeUnpack.py:79:16:79:28 | ControlFlowNode for Attribute | UnsafeUnpack.py:79:1:79:12 | GSSA Variable url_filename |
-| UnsafeUnpack.py:81:1:81:8 | GSSA Variable response | UnsafeUnpack.py:87:23:87:29 | ControlFlowNode for tarpath |
-| UnsafeUnpack.py:103:23:103:27 | SSA variable chunk | UnsafeUnpack.py:105:35:105:42 | ControlFlowNode for savepath |
-| UnsafeUnpack.py:103:32:103:44 | ControlFlowNode for Attribute | UnsafeUnpack.py:103:23:103:27 | SSA variable chunk |
-| UnsafeUnpack.py:108:13:108:18 | SSA variable myfile | UnsafeUnpack.py:112:35:112:43 | ControlFlowNode for file_path |
-| UnsafeUnpack.py:108:22:108:34 | ControlFlowNode for Attribute | UnsafeUnpack.py:108:13:108:18 | SSA variable myfile |
+| UnsafeUnpack.py:81:1:81:8 | GSSA Variable response | UnsafeUnpack.py:85:15:85:22 | ControlFlowNode for response |
+| UnsafeUnpack.py:81:12:81:50 | ControlFlowNode for Attribute() | UnsafeUnpack.py:81:1:81:8 | GSSA Variable response |
+| UnsafeUnpack.py:84:11:84:17 | ControlFlowNode for tarpath | UnsafeUnpack.py:87:23:87:29 | ControlFlowNode for tarpath |
+| UnsafeUnpack.py:85:7:85:7 | ControlFlowNode for f | UnsafeUnpack.py:84:11:84:17 | ControlFlowNode for tarpath |
+| UnsafeUnpack.py:85:15:85:22 | ControlFlowNode for response | UnsafeUnpack.py:85:15:85:26 | ControlFlowNode for Attribute |
+| UnsafeUnpack.py:85:15:85:26 | ControlFlowNode for Attribute | UnsafeUnpack.py:85:15:85:33 | ControlFlowNode for Attribute() |
+| UnsafeUnpack.py:85:15:85:33 | ControlFlowNode for Attribute() | UnsafeUnpack.py:85:7:85:7 | ControlFlowNode for f |
+| UnsafeUnpack.py:102:23:102:30 | ControlFlowNode for savepath | UnsafeUnpack.py:105:35:105:42 | ControlFlowNode for savepath |
+| UnsafeUnpack.py:103:23:103:27 | SSA variable chunk | UnsafeUnpack.py:104:37:104:41 | ControlFlowNode for chunk |
+| UnsafeUnpack.py:103:32:103:44 | ControlFlowNode for Attribute | UnsafeUnpack.py:103:32:103:54 | ControlFlowNode for Subscript |
+| UnsafeUnpack.py:103:32:103:54 | ControlFlowNode for Subscript | UnsafeUnpack.py:103:32:103:63 | ControlFlowNode for Attribute() |
+| UnsafeUnpack.py:103:32:103:63 | ControlFlowNode for Attribute() | UnsafeUnpack.py:103:23:103:27 | SSA variable chunk |
+| UnsafeUnpack.py:104:25:104:29 | ControlFlowNode for wfile | UnsafeUnpack.py:102:23:102:30 | ControlFlowNode for savepath |
+| UnsafeUnpack.py:104:37:104:41 | ControlFlowNode for chunk | UnsafeUnpack.py:104:25:104:29 | ControlFlowNode for wfile |
+| UnsafeUnpack.py:108:13:108:18 | SSA variable myfile | UnsafeUnpack.py:111:27:111:32 | ControlFlowNode for myfile |
 | UnsafeUnpack.py:108:22:108:34 | ControlFlowNode for Attribute | UnsafeUnpack.py:108:22:108:48 | ControlFlowNode for Attribute() |
 | UnsafeUnpack.py:108:22:108:48 | ControlFlowNode for Attribute() | UnsafeUnpack.py:108:13:108:18 | SSA variable myfile |
-| UnsafeUnpack.py:116:17:116:21 | SSA variable ufile | UnsafeUnpack.py:118:19:118:26 | SSA variable filename |
-| UnsafeUnpack.py:116:27:116:39 | ControlFlowNode for Attribute | UnsafeUnpack.py:116:17:116:21 | SSA variable ufile |
-| UnsafeUnpack.py:118:19:118:26 | SSA variable filename | UnsafeUnpack.py:119:19:119:36 | SSA variable uploaded_file_path |
+| UnsafeUnpack.py:110:18:110:26 | ControlFlowNode for file_path | UnsafeUnpack.py:112:35:112:43 | ControlFlowNode for file_path |
+| UnsafeUnpack.py:111:19:111:19 | ControlFlowNode for f | UnsafeUnpack.py:110:18:110:26 | ControlFlowNode for file_path |
+| UnsafeUnpack.py:111:27:111:32 | ControlFlowNode for myfile | UnsafeUnpack.py:111:27:111:39 | ControlFlowNode for Attribute() |
+| UnsafeUnpack.py:111:27:111:39 | ControlFlowNode for Attribute() | UnsafeUnpack.py:111:19:111:19 | ControlFlowNode for f |
+| UnsafeUnpack.py:116:17:116:21 | SSA variable ufile | UnsafeUnpack.py:118:38:118:42 | ControlFlowNode for ufile |
+| UnsafeUnpack.py:116:27:116:39 | ControlFlowNode for Attribute | UnsafeUnpack.py:116:27:116:49 | ControlFlowNode for Attribute() |
+| UnsafeUnpack.py:116:27:116:49 | ControlFlowNode for Attribute() | UnsafeUnpack.py:116:17:116:21 | SSA variable ufile |
+| UnsafeUnpack.py:118:19:118:26 | SSA variable filename | UnsafeUnpack.py:119:48:119:55 | ControlFlowNode for filename |
+| UnsafeUnpack.py:118:30:118:55 | ControlFlowNode for Attribute() | UnsafeUnpack.py:118:19:118:26 | SSA variable filename |
+| UnsafeUnpack.py:118:38:118:42 | ControlFlowNode for ufile | UnsafeUnpack.py:118:38:118:47 | ControlFlowNode for Attribute |
+| UnsafeUnpack.py:118:38:118:47 | ControlFlowNode for Attribute | UnsafeUnpack.py:118:30:118:55 | ControlFlowNode for Attribute() |
 | UnsafeUnpack.py:119:19:119:36 | SSA variable uploaded_file_path | UnsafeUnpack.py:120:41:120:58 | ControlFlowNode for uploaded_file_path |
-| UnsafeUnpack.py:140:1:140:19 | GSSA Variable unsafe_filename_tar | UnsafeUnpack.py:141:56:141:58 | GSSA Variable tar |
+| UnsafeUnpack.py:119:40:119:56 | ControlFlowNode for Attribute() | UnsafeUnpack.py:119:19:119:36 | SSA variable uploaded_file_path |
+| UnsafeUnpack.py:119:48:119:55 | ControlFlowNode for filename | UnsafeUnpack.py:119:40:119:56 | ControlFlowNode for Attribute() |
+| UnsafeUnpack.py:140:1:140:19 | GSSA Variable unsafe_filename_tar | UnsafeUnpack.py:141:22:141:40 | ControlFlowNode for unsafe_filename_tar |
 | UnsafeUnpack.py:140:23:140:35 | ControlFlowNode for Attribute | UnsafeUnpack.py:140:1:140:19 | GSSA Variable unsafe_filename_tar |
+| UnsafeUnpack.py:141:6:141:51 | ControlFlowNode for Attribute() | UnsafeUnpack.py:141:56:141:58 | GSSA Variable tar |
+| UnsafeUnpack.py:141:22:141:40 | ControlFlowNode for unsafe_filename_tar | UnsafeUnpack.py:141:6:141:51 | ControlFlowNode for Attribute() |
 | UnsafeUnpack.py:141:56:141:58 | GSSA Variable tar | UnsafeUnpack.py:142:49:142:51 | ControlFlowNode for tar |
-| UnsafeUnpack.py:158:23:158:27 | SSA variable chunk | UnsafeUnpack.py:161:19:161:21 | SSA variable tar |
-| UnsafeUnpack.py:158:32:158:44 | ControlFlowNode for Attribute | UnsafeUnpack.py:158:23:158:27 | SSA variable chunk |
-| UnsafeUnpack.py:161:19:161:21 | SSA variable tar | UnsafeUnpack.py:163:23:163:28 | SSA variable member |
+| UnsafeUnpack.py:157:23:157:30 | ControlFlowNode for savepath | UnsafeUnpack.py:161:38:161:45 | ControlFlowNode for savepath |
+| UnsafeUnpack.py:158:23:158:27 | SSA variable chunk | UnsafeUnpack.py:159:37:159:41 | ControlFlowNode for chunk |
+| UnsafeUnpack.py:158:32:158:44 | ControlFlowNode for Attribute | UnsafeUnpack.py:158:32:158:54 | ControlFlowNode for Subscript |
+| UnsafeUnpack.py:158:32:158:54 | ControlFlowNode for Subscript | UnsafeUnpack.py:158:32:158:63 | ControlFlowNode for Attribute() |
+| UnsafeUnpack.py:158:32:158:63 | ControlFlowNode for Attribute() | UnsafeUnpack.py:158:23:158:27 | SSA variable chunk |
+| UnsafeUnpack.py:159:25:159:29 | ControlFlowNode for wfile | UnsafeUnpack.py:157:23:157:30 | ControlFlowNode for savepath |
+| UnsafeUnpack.py:159:37:159:41 | ControlFlowNode for chunk | UnsafeUnpack.py:159:25:159:29 | ControlFlowNode for wfile |
+| UnsafeUnpack.py:161:19:161:21 | SSA variable tar | UnsafeUnpack.py:163:33:163:35 | ControlFlowNode for tar |
+| UnsafeUnpack.py:161:25:161:46 | ControlFlowNode for Attribute() | UnsafeUnpack.py:161:19:161:21 | SSA variable tar |
+| UnsafeUnpack.py:161:38:161:45 | ControlFlowNode for savepath | UnsafeUnpack.py:161:25:161:46 | ControlFlowNode for Attribute() |
 | UnsafeUnpack.py:163:23:163:28 | SSA variable member | UnsafeUnpack.py:166:37:166:42 | ControlFlowNode for member |
+| UnsafeUnpack.py:163:33:163:35 | ControlFlowNode for tar | UnsafeUnpack.py:163:23:163:28 | SSA variable member |
 | UnsafeUnpack.py:166:23:166:28 | [post] ControlFlowNode for result | UnsafeUnpack.py:167:67:167:72 | ControlFlowNode for result |
 | UnsafeUnpack.py:166:37:166:42 | ControlFlowNode for member | UnsafeUnpack.py:166:23:166:28 | [post] ControlFlowNode for result |
-| UnsafeUnpack.py:171:1:171:8 | GSSA Variable response | UnsafeUnpack.py:176:1:176:34 | ControlFlowNode for Attribute() |
-| UnsafeUnpack.py:194:53:194:55 | ControlFlowNode for tmp | UnsafeUnpack.py:201:29:201:36 | ControlFlowNode for Attribute |
+| UnsafeUnpack.py:171:1:171:8 | GSSA Variable response | UnsafeUnpack.py:174:15:174:22 | ControlFlowNode for response |
+| UnsafeUnpack.py:171:12:171:50 | ControlFlowNode for Attribute() | UnsafeUnpack.py:171:1:171:8 | GSSA Variable response |
+| UnsafeUnpack.py:173:11:173:17 | ControlFlowNode for tarpath | UnsafeUnpack.py:176:17:176:23 | ControlFlowNode for tarpath |
+| UnsafeUnpack.py:174:7:174:7 | ControlFlowNode for f | UnsafeUnpack.py:173:11:173:17 | ControlFlowNode for tarpath |
+| UnsafeUnpack.py:174:15:174:22 | ControlFlowNode for response | UnsafeUnpack.py:174:15:174:26 | ControlFlowNode for Attribute |
+| UnsafeUnpack.py:174:15:174:26 | ControlFlowNode for Attribute | UnsafeUnpack.py:174:15:174:33 | ControlFlowNode for Attribute() |
+| UnsafeUnpack.py:174:15:174:33 | ControlFlowNode for Attribute() | UnsafeUnpack.py:174:7:174:7 | ControlFlowNode for f |
+| UnsafeUnpack.py:176:17:176:23 | ControlFlowNode for tarpath | UnsafeUnpack.py:176:1:176:34 | ControlFlowNode for Attribute() |
+| UnsafeUnpack.py:194:53:194:55 | ControlFlowNode for tmp | UnsafeUnpack.py:201:29:201:31 | ControlFlowNode for tmp |
+| UnsafeUnpack.py:201:29:201:31 | ControlFlowNode for tmp | UnsafeUnpack.py:201:29:201:36 | ControlFlowNode for Attribute |
 nodes
 | UnsafeUnpack.py:5:26:5:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember |
 | UnsafeUnpack.py:5:26:5:32 | GSSA Variable request | semmle.label | GSSA Variable request |
@@ -46,6 +89,12 @@ nodes
 | UnsafeUnpack.py:11:18:11:29 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
 | UnsafeUnpack.py:11:18:11:49 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
 | UnsafeUnpack.py:13:13:13:20 | SSA variable response | semmle.label | SSA variable response |
+| UnsafeUnpack.py:13:24:13:58 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| UnsafeUnpack.py:16:23:16:29 | ControlFlowNode for tarpath | semmle.label | ControlFlowNode for tarpath |
+| UnsafeUnpack.py:17:19:17:19 | ControlFlowNode for f | semmle.label | ControlFlowNode for f |
+| UnsafeUnpack.py:17:27:17:34 | ControlFlowNode for response | semmle.label | ControlFlowNode for response |
+| UnsafeUnpack.py:17:27:17:38 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| UnsafeUnpack.py:17:27:17:45 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
 | UnsafeUnpack.py:19:35:19:41 | ControlFlowNode for tarpath | semmle.label | ControlFlowNode for tarpath |
 | UnsafeUnpack.py:33:50:33:65 | ControlFlowNode for local_ziped_path | semmle.label | ControlFlowNode for local_ziped_path |
 | UnsafeUnpack.py:34:23:34:38 | ControlFlowNode for local_ziped_path | semmle.label | ControlFlowNode for local_ziped_path |
@@ -60,33 +109,72 @@ nodes
 | UnsafeUnpack.py:79:1:79:12 | GSSA Variable url_filename | semmle.label | GSSA Variable url_filename |
 | UnsafeUnpack.py:79:16:79:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
 | UnsafeUnpack.py:81:1:81:8 | GSSA Variable response | semmle.label | GSSA Variable response |
+| UnsafeUnpack.py:81:12:81:50 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| UnsafeUnpack.py:84:11:84:17 | ControlFlowNode for tarpath | semmle.label | ControlFlowNode for tarpath |
+| UnsafeUnpack.py:85:7:85:7 | ControlFlowNode for f | semmle.label | ControlFlowNode for f |
+| UnsafeUnpack.py:85:15:85:22 | ControlFlowNode for response | semmle.label | ControlFlowNode for response |
+| UnsafeUnpack.py:85:15:85:26 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| UnsafeUnpack.py:85:15:85:33 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
 | UnsafeUnpack.py:87:23:87:29 | ControlFlowNode for tarpath | semmle.label | ControlFlowNode for tarpath |
+| UnsafeUnpack.py:102:23:102:30 | ControlFlowNode for savepath | semmle.label | ControlFlowNode for savepath |
 | UnsafeUnpack.py:103:23:103:27 | SSA variable chunk | semmle.label | SSA variable chunk |
 | UnsafeUnpack.py:103:32:103:44 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| UnsafeUnpack.py:103:32:103:54 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| UnsafeUnpack.py:103:32:103:63 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| UnsafeUnpack.py:104:25:104:29 | ControlFlowNode for wfile | semmle.label | ControlFlowNode for wfile |
+| UnsafeUnpack.py:104:37:104:41 | ControlFlowNode for chunk | semmle.label | ControlFlowNode for chunk |
 | UnsafeUnpack.py:105:35:105:42 | ControlFlowNode for savepath | semmle.label | ControlFlowNode for savepath |
 | UnsafeUnpack.py:108:13:108:18 | SSA variable myfile | semmle.label | SSA variable myfile |
 | UnsafeUnpack.py:108:22:108:34 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
 | UnsafeUnpack.py:108:22:108:48 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| UnsafeUnpack.py:110:18:110:26 | ControlFlowNode for file_path | semmle.label | ControlFlowNode for file_path |
+| UnsafeUnpack.py:111:19:111:19 | ControlFlowNode for f | semmle.label | ControlFlowNode for f |
+| UnsafeUnpack.py:111:27:111:32 | ControlFlowNode for myfile | semmle.label | ControlFlowNode for myfile |
+| UnsafeUnpack.py:111:27:111:39 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
 | UnsafeUnpack.py:112:35:112:43 | ControlFlowNode for file_path | semmle.label | ControlFlowNode for file_path |
 | UnsafeUnpack.py:116:17:116:21 | SSA variable ufile | semmle.label | SSA variable ufile |
 | UnsafeUnpack.py:116:27:116:39 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| UnsafeUnpack.py:116:27:116:49 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
 | UnsafeUnpack.py:118:19:118:26 | SSA variable filename | semmle.label | SSA variable filename |
+| UnsafeUnpack.py:118:30:118:55 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| UnsafeUnpack.py:118:38:118:42 | ControlFlowNode for ufile | semmle.label | ControlFlowNode for ufile |
+| UnsafeUnpack.py:118:38:118:47 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
 | UnsafeUnpack.py:119:19:119:36 | SSA variable uploaded_file_path | semmle.label | SSA variable uploaded_file_path |
+| UnsafeUnpack.py:119:40:119:56 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| UnsafeUnpack.py:119:48:119:55 | ControlFlowNode for filename | semmle.label | ControlFlowNode for filename |
 | UnsafeUnpack.py:120:41:120:58 | ControlFlowNode for uploaded_file_path | semmle.label | ControlFlowNode for uploaded_file_path |
 | UnsafeUnpack.py:140:1:140:19 | GSSA Variable unsafe_filename_tar | semmle.label | GSSA Variable unsafe_filename_tar |
 | UnsafeUnpack.py:140:23:140:35 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| UnsafeUnpack.py:141:6:141:51 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| UnsafeUnpack.py:141:22:141:40 | ControlFlowNode for unsafe_filename_tar | semmle.label | ControlFlowNode for unsafe_filename_tar |
 | UnsafeUnpack.py:141:56:141:58 | GSSA Variable tar | semmle.label | GSSA Variable tar |
 | UnsafeUnpack.py:142:49:142:51 | ControlFlowNode for tar | semmle.label | ControlFlowNode for tar |
+| UnsafeUnpack.py:157:23:157:30 | ControlFlowNode for savepath | semmle.label | ControlFlowNode for savepath |
 | UnsafeUnpack.py:158:23:158:27 | SSA variable chunk | semmle.label | SSA variable chunk |
 | UnsafeUnpack.py:158:32:158:44 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| UnsafeUnpack.py:158:32:158:54 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| UnsafeUnpack.py:158:32:158:63 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| UnsafeUnpack.py:159:25:159:29 | ControlFlowNode for wfile | semmle.label | ControlFlowNode for wfile |
+| UnsafeUnpack.py:159:37:159:41 | ControlFlowNode for chunk | semmle.label | ControlFlowNode for chunk |
 | UnsafeUnpack.py:161:19:161:21 | SSA variable tar | semmle.label | SSA variable tar |
+| UnsafeUnpack.py:161:25:161:46 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| UnsafeUnpack.py:161:38:161:45 | ControlFlowNode for savepath | semmle.label | ControlFlowNode for savepath |
 | UnsafeUnpack.py:163:23:163:28 | SSA variable member | semmle.label | SSA variable member |
+| UnsafeUnpack.py:163:33:163:35 | ControlFlowNode for tar | semmle.label | ControlFlowNode for tar |
 | UnsafeUnpack.py:166:23:166:28 | [post] ControlFlowNode for result | semmle.label | [post] ControlFlowNode for result |
 | UnsafeUnpack.py:166:37:166:42 | ControlFlowNode for member | semmle.label | ControlFlowNode for member |
 | UnsafeUnpack.py:167:67:167:72 | ControlFlowNode for result | semmle.label | ControlFlowNode for result |
 | UnsafeUnpack.py:171:1:171:8 | GSSA Variable response | semmle.label | GSSA Variable response |
+| UnsafeUnpack.py:171:12:171:50 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| UnsafeUnpack.py:173:11:173:17 | ControlFlowNode for tarpath | semmle.label | ControlFlowNode for tarpath |
+| UnsafeUnpack.py:174:7:174:7 | ControlFlowNode for f | semmle.label | ControlFlowNode for f |
+| UnsafeUnpack.py:174:15:174:22 | ControlFlowNode for response | semmle.label | ControlFlowNode for response |
+| UnsafeUnpack.py:174:15:174:26 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| UnsafeUnpack.py:174:15:174:33 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
 | UnsafeUnpack.py:176:1:176:34 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| UnsafeUnpack.py:176:17:176:23 | ControlFlowNode for tarpath | semmle.label | ControlFlowNode for tarpath |
 | UnsafeUnpack.py:194:53:194:55 | ControlFlowNode for tmp | semmle.label | ControlFlowNode for tmp |
+| UnsafeUnpack.py:201:29:201:31 | ControlFlowNode for tmp | semmle.label | ControlFlowNode for tmp |
 | UnsafeUnpack.py:201:29:201:36 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
 subpaths
 #select

python/ql/test/experimental/query-tests/Security/CWE-074-paramiko/paramiko.expected

@@ -1,7 +1,8 @@
 edges
 | paramiko.py:15:21:15:23 | ControlFlowNode for cmd | paramiko.py:16:62:16:64 | ControlFlowNode for cmd |
 | paramiko.py:20:21:20:23 | ControlFlowNode for cmd | paramiko.py:21:70:21:72 | ControlFlowNode for cmd |
-| paramiko.py:25:21:25:23 | ControlFlowNode for cmd | paramiko.py:26:114:26:139 | ControlFlowNode for Attribute() |
+| paramiko.py:25:21:25:23 | ControlFlowNode for cmd | paramiko.py:26:136:26:138 | ControlFlowNode for cmd |
+| paramiko.py:26:136:26:138 | ControlFlowNode for cmd | paramiko.py:26:114:26:139 | ControlFlowNode for Attribute() |
 nodes
 | paramiko.py:15:21:15:23 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
 | paramiko.py:16:62:16:64 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
@@ -9,6 +10,7 @@ nodes
 | paramiko.py:21:70:21:72 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
 | paramiko.py:25:21:25:23 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
 | paramiko.py:26:114:26:139 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| paramiko.py:26:136:26:138 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
 subpaths
 #select
 | paramiko.py:16:62:16:64 | ControlFlowNode for cmd | paramiko.py:15:21:15:23 | ControlFlowNode for cmd | paramiko.py:16:62:16:64 | ControlFlowNode for cmd | This code execution depends on a $@. | paramiko.py:15:21:15:23 | ControlFlowNode for cmd | a user-provided value |

python/ql/test/experimental/query-tests/Security/CWE-079/EmailXss.expected

@@ -12,7 +12,8 @@ edges
 | sendgrid_mail.py:1:19:1:25 | GSSA Variable request | sendgrid_mail.py:26:34:26:40 | ControlFlowNode for request |
 | sendgrid_mail.py:1:19:1:25 | GSSA Variable request | sendgrid_mail.py:37:41:37:47 | ControlFlowNode for request |
 | sendgrid_mail.py:14:22:14:28 | ControlFlowNode for request | sendgrid_mail.py:14:22:14:49 | ControlFlowNode for Subscript |
-| sendgrid_mail.py:26:34:26:40 | ControlFlowNode for request | sendgrid_mail.py:26:22:26:62 | ControlFlowNode for HtmlContent() |
+| sendgrid_mail.py:26:34:26:40 | ControlFlowNode for request | sendgrid_mail.py:26:34:26:61 | ControlFlowNode for Subscript |
+| sendgrid_mail.py:26:34:26:61 | ControlFlowNode for Subscript | sendgrid_mail.py:26:22:26:62 | ControlFlowNode for HtmlContent() |
 | sendgrid_mail.py:37:41:37:47 | ControlFlowNode for request | sendgrid_mail.py:37:41:37:68 | ControlFlowNode for Subscript |
 | sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | ControlFlowNode for ImportMember | sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | GSSA Variable request |
 | sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | GSSA Variable request | sendgrid_via_mail_send_post_request_body_bad.py:16:51:16:57 | ControlFlowNode for request |
@@ -52,6 +53,7 @@ nodes
 | sendgrid_mail.py:14:22:14:49 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
 | sendgrid_mail.py:26:22:26:62 | ControlFlowNode for HtmlContent() | semmle.label | ControlFlowNode for HtmlContent() |
 | sendgrid_mail.py:26:34:26:40 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| sendgrid_mail.py:26:34:26:61 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
 | sendgrid_mail.py:37:41:37:47 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
 | sendgrid_mail.py:37:41:37:68 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
 | sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember |

python/ql/test/experimental/query-tests/Security/CWE-079/EmailXss.qlref

@@ -0,0 +1 @@
+experimental/Security/CWE-079/EmailXss.ql

python/ql/test/experimental/query-tests/Security/CWE-079/ReflectedXSS.qlref

@@ -1 +0,0 @@
-experimental/Security/CWE-079/ReflectedXSS.ql

python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstSensitiveInfo/PossibleTimingAttackAgainstSensitiveInfo.expected

@@ -1,27 +1,6 @@
 edges
-| TimingAttackAgainstSensitiveInfo.py:7:19:7:25 | ControlFlowNode for ImportMember | TimingAttackAgainstSensitiveInfo.py:7:19:7:25 | GSSA Variable request |
-| TimingAttackAgainstSensitiveInfo.py:7:19:7:25 | GSSA Variable request | TimingAttackAgainstSensitiveInfo.py:14:8:14:14 | ControlFlowNode for request |
-| TimingAttackAgainstSensitiveInfo.py:7:19:7:25 | GSSA Variable request | TimingAttackAgainstSensitiveInfo.py:15:20:15:26 | ControlFlowNode for request |
-| TimingAttackAgainstSensitiveInfo.py:7:19:7:25 | GSSA Variable request | TimingAttackAgainstSensitiveInfo.py:20:8:20:14 | ControlFlowNode for request |
-| TimingAttackAgainstSensitiveInfo.py:7:19:7:25 | GSSA Variable request | TimingAttackAgainstSensitiveInfo.py:21:20:21:26 | ControlFlowNode for request |
-| TimingAttackAgainstSensitiveInfo.py:14:8:14:14 | ControlFlowNode for request | TimingAttackAgainstSensitiveInfo.py:15:9:15:16 | SSA variable password |
-| TimingAttackAgainstSensitiveInfo.py:15:9:15:16 | SSA variable password | TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password |
-| TimingAttackAgainstSensitiveInfo.py:15:20:15:26 | ControlFlowNode for request | TimingAttackAgainstSensitiveInfo.py:15:9:15:16 | SSA variable password |
-| TimingAttackAgainstSensitiveInfo.py:20:8:20:14 | ControlFlowNode for request | TimingAttackAgainstSensitiveInfo.py:21:9:21:16 | SSA variable password |
-| TimingAttackAgainstSensitiveInfo.py:21:9:21:16 | SSA variable password | TimingAttackAgainstSensitiveInfo.py:22:38:22:45 | ControlFlowNode for password |
-| TimingAttackAgainstSensitiveInfo.py:21:20:21:26 | ControlFlowNode for request | TimingAttackAgainstSensitiveInfo.py:21:9:21:16 | SSA variable password |
 nodes
-| TimingAttackAgainstSensitiveInfo.py:7:19:7:25 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember |
-| TimingAttackAgainstSensitiveInfo.py:7:19:7:25 | GSSA Variable request | semmle.label | GSSA Variable request |
-| TimingAttackAgainstSensitiveInfo.py:14:8:14:14 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
-| TimingAttackAgainstSensitiveInfo.py:15:9:15:16 | SSA variable password | semmle.label | SSA variable password |
-| TimingAttackAgainstSensitiveInfo.py:15:20:15:26 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
 | TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | semmle.label | ControlFlowNode for password |
-| TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | semmle.label | ControlFlowNode for password |
-| TimingAttackAgainstSensitiveInfo.py:20:8:20:14 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
-| TimingAttackAgainstSensitiveInfo.py:21:9:21:16 | SSA variable password | semmle.label | SSA variable password |
-| TimingAttackAgainstSensitiveInfo.py:21:20:21:26 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
-| TimingAttackAgainstSensitiveInfo.py:22:38:22:45 | ControlFlowNode for password | semmle.label | ControlFlowNode for password |
 subpaths
 #select
 | TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | Timing attack against $@ validation. | TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | client-supplied token |

python/ql/test/experimental/query-tests/Security/CWE-522-global-option/LDAPInsecureAuth.qlref

@@ -1 +0,0 @@
-experimental/Security/CWE-522/LDAPInsecureAuth.ql

python/ql/test/experimental/query-tests/Security/CWE-522-global-option/LdapInsecureAuth.qlref

@@ -0,0 +1 @@
+experimental/Security/CWE-522/LdapInsecureAuth.ql

python/ql/test/experimental/query-tests/Security/CWE-522/LDAPInsecureAuth.qlref

@@ -1 +0,0 @@
-experimental/Security/CWE-522/LDAPInsecureAuth.ql

python/ql/test/experimental/query-tests/Security/CWE-522/LdapInsecureAuth.qlref

@@ -0,0 +1 @@
+experimental/Security/CWE-522/LdapInsecureAuth.ql

python/ql/test/query-tests/Functions/ModificationOfParameterWithDefault/test.ql

@@ -8,7 +8,7 @@ module ModificationOfParameterWithDefaultTest implements TestSig {
   string getARelevantTag() { result = "modification" }
 
   private predicate relevant_node(DataFlow::Node sink) {
-    exists(ModificationOfParameterWithDefault::Configuration cfg | cfg.hasFlowTo(sink))
+    ModificationOfParameterWithDefault::Flow::flowTo(sink)
   }
 
   predicate hasActualResult(Location location, string element, string tag, string value) {

python/ql/test/query-tests/Security/CWE-022-PathInjection/DataflowQueryTest.ql

@@ -1,4 +1,4 @@
 import python
 import experimental.dataflow.TestUtil.DataflowQueryTest
 import semmle.python.security.dataflow.PathInjectionQuery
-import FromLegacyConfiguration<Configuration>
+import FromTaintTrackingStateConfig<PathInjectionConfig>