Merge pull request #14068 from RasmusWL/dataflow-config-refactor

Python: Use new dataflow API

python/ql/lib/semmle/python/security/dataflow/CleartextLoggingQuery.qll

@@ -16,9 +16,11 @@ private import semmle.python.dataflow.new.SensitiveDataSources
 import CleartextLoggingCustomizations::CleartextLogging
 
 /**
+ * DEPRECATED: Use `CleartextLoggingFlow` module instead.
+ *
  * A taint-tracking configuration for detecting "Clear-text logging of sensitive information".
  */
-class Configuration extends TaintTracking::Configuration {
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "CleartextLogging" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -31,3 +33,14 @@ class Configuration extends TaintTracking::Configuration {
     node instanceof Sanitizer
   }
 }
+
+private module CleartextLoggingConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/** Global taint-tracking for detecting "Clear-text logging of sensitive information" vulnerabilities. */
+module CleartextLoggingFlow = TaintTracking::Global<CleartextLoggingConfig>;

python/ql/lib/semmle/python/security/dataflow/CleartextStorageQuery.qll

@@ -16,9 +16,11 @@ private import semmle.python.dataflow.new.SensitiveDataSources
 import CleartextStorageCustomizations::CleartextStorage
 
 /**
+ * DEPRECATED: Use `CleartextStorageFlow` module instead.
+ *
  * A taint-tracking configuration for detecting "Clear-text storage of sensitive information".
  */
-class Configuration extends TaintTracking::Configuration {
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "CleartextStorage" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -31,3 +33,14 @@ class Configuration extends TaintTracking::Configuration {
     node instanceof Sanitizer
   }
 }
+
+private module CleartextStorageConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/** Global taint-tracking for detecting "Clear-text storage of sensitive information" vulnerabilities. */
+module CleartextStorageFlow = TaintTracking::Global<CleartextStorageConfig>;

python/ql/lib/semmle/python/security/dataflow/CodeInjectionQuery.qll

@@ -12,9 +12,11 @@ import semmle.python.dataflow.new.TaintTracking
 import CodeInjectionCustomizations::CodeInjection
 
 /**
+ * DEPRECATED: Use `CodeInjectionFlow` module instead.
+ *
  * A taint-tracking configuration for detecting "code injection" vulnerabilities.
  */
-class Configuration extends TaintTracking::Configuration {
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "CodeInjection" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -27,3 +29,14 @@ class Configuration extends TaintTracking::Configuration {
     guard instanceof SanitizerGuard
   }
 }
+
+private module CodeInjectionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/** Global taint-tracking for detecting "code injection" vulnerabilities. */
+module CodeInjectionFlow = TaintTracking::Global<CodeInjectionConfig>;

python/ql/lib/semmle/python/security/dataflow/CommandInjectionQuery.qll

@@ -12,9 +12,11 @@ import semmle.python.dataflow.new.TaintTracking
 import CommandInjectionCustomizations::CommandInjection
 
 /**
+ * DEPRECATED: Use `CommandInjectionFlow` module instead.
+ *
  * A taint-tracking configuration for detecting "command injection" vulnerabilities.
  */
-class Configuration extends TaintTracking::Configuration {
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "CommandInjection" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -27,3 +29,17 @@ class Configuration extends TaintTracking::Configuration {
     guard instanceof SanitizerGuard
   }
 }
+
+/**
+ * A taint-tracking configuration for detecting "command injection" vulnerabilities.
+ */
+module CommandInjectionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/** Global taint-tracking for detecting "command injection" vulnerabilities. */
+module CommandInjectionFlow = TaintTracking::Global<CommandInjectionConfig>;

python/ql/lib/semmle/python/security/dataflow/LdapInjectionQuery.qll

@@ -14,10 +14,12 @@ import semmle.python.dataflow.new.RemoteFlowSources
 import LdapInjectionCustomizations::LdapInjection
 
 /**
+ * DEPRECATED: Use `LdapInjectionDnFlow` module instead.
+ *
  * A taint-tracking configuration for detecting LDAP injection vulnerabilities
  * via the distinguished name (DN) parameter of an LDAP search.
  */
-class DnConfiguration extends TaintTracking::Configuration {
+deprecated class DnConfiguration extends TaintTracking::Configuration {
   DnConfiguration() { this = "LdapDnInjection" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -31,11 +33,24 @@ class DnConfiguration extends TaintTracking::Configuration {
   }
 }
 
+private module LdapInjectionDnConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof DnSink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof DnSanitizer }
+}
+
+/** Global taint-tracking for detecting "LDAP injection via the distinguished name (DN) parameter" vulnerabilities. */
+module LdapInjectionDnFlow = TaintTracking::Global<LdapInjectionDnConfig>;
+
 /**
+ * DEPRECATED: Use `LdapInjectionFilterFlow` module instead.
+ *
  * A taint-tracking configuration for detecting LDAP injection vulnerabilities
  * via the filter parameter of an LDAP search.
  */
-class FilterConfiguration extends TaintTracking::Configuration {
+deprecated class FilterConfiguration extends TaintTracking::Configuration {
   FilterConfiguration() { this = "LdapFilterInjection" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -48,3 +63,19 @@ class FilterConfiguration extends TaintTracking::Configuration {
     guard instanceof FilterSanitizerGuard
   }
 }
+
+private module LdapInjectionFilterConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof FilterSink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof FilterSanitizer }
+}
+
+/** Global taint-tracking for detecting "LDAP injection via the filter parameter" vulnerabilities. */
+module LdapInjectionFilterFlow = TaintTracking::Global<LdapInjectionFilterConfig>;
+
+/** Global taint-tracking for detecting "LDAP injection" vulnerabilities. */
+module LdapInjectionFlow =
+  DataFlow::MergePathGraph<LdapInjectionDnFlow::PathNode, LdapInjectionFilterFlow::PathNode,
+    LdapInjectionDnFlow::PathGraph, LdapInjectionFilterFlow::PathGraph>;

python/ql/lib/semmle/python/security/dataflow/LogInjectionQuery.qll

@@ -1,5 +1,5 @@
 /**
- * Provides a taint-tracking configuration for tracking untrusted user input used in log entries.
+ * Provides a taint-tracking configuration for tracking "log injection" vulnerabilities.
  *
  * Note, for performance reasons: only import this file if
  * `LogInjection::Configuration` is needed, otherwise
@@ -12,9 +12,11 @@ import semmle.python.dataflow.new.TaintTracking
 import LogInjectionCustomizations::LogInjection
 
 /**
+ * DEPRECATED: Use `LogInjectionFlow` module instead.
+ *
  * A taint-tracking configuration for tracking untrusted user input used in log entries.
  */
-class Configuration extends TaintTracking::Configuration {
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "LogInjection" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -27,3 +29,14 @@ class Configuration extends TaintTracking::Configuration {
     guard instanceof SanitizerGuard
   }
 }
+
+private module LogInjectionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/** Global taint-tracking for detecting "log injection" vulnerabilities. */
+module LogInjectionFlow = TaintTracking::Global<LogInjectionConfig>;

python/ql/lib/semmle/python/security/dataflow/PamAuthorizationQuery.qll

@@ -12,9 +12,11 @@ import semmle.python.dataflow.new.TaintTracking
 import PamAuthorizationCustomizations::PamAuthorizationCustomizations
 
 /**
+ * DEPRECATED: Use `PamAuthorizationFlow` module instead.
+ *
  * A taint-tracking configuration for detecting "PAM Authorization" vulnerabilities.
  */
-class Configuration extends TaintTracking::Configuration {
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "PamAuthorization" }
 
   override predicate isSource(DataFlow::Node node) { node instanceof Source }
@@ -37,3 +39,28 @@ class Configuration extends TaintTracking::Configuration {
     exists(VulnPamAuthCall c | c.getArg(0) = node1 | node2 = c)
   }
 }
+
+private module PamAuthorizationConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    // Models flow from a remotely supplied username field to a PAM `handle`.
+    // `retval = pam_start(service, username, byref(conv), byref(handle))`
+    exists(API::CallNode pamStart, DataFlow::Node handle, API::CallNode pointer |
+      pointer = API::moduleImport("ctypes").getMember(["pointer", "byref"]).getACall() and
+      pamStart = libPam().getMember("pam_start").getACall() and
+      pointer = pamStart.getArg(3) and
+      handle = pointer.getArg(0) and
+      pamStart.getArg(1) = node1 and
+      handle = node2
+    )
+    or
+    // Flow from handle to the authenticate call in the final step
+    exists(VulnPamAuthCall c | c.getArg(0) = node1 | node2 = c)
+  }
+}
+
+/** Global taint-tracking for detecting "PAM Authorization" vulnerabilities. */
+module PamAuthorizationFlow = TaintTracking::Global<PamAuthorizationConfig>;

python/ql/lib/semmle/python/security/dataflow/PathInjectionQuery.qll

@@ -13,6 +13,8 @@ import semmle.python.dataflow.new.TaintTracking
 import PathInjectionCustomizations::PathInjection
 
 /**
+ * DEPRECATED: Use `PathInjectionFlow` module instead.
+ *
  * A taint-tracking configuration for detecting "path injection" vulnerabilities.
  *
  * This configuration uses two flow states, `NotNormalized` and `NormalizedUnchecked`,
@@ -25,7 +27,7 @@ import PathInjectionCustomizations::PathInjection
  *
  * Such checks are ineffective in the `NotNormalized` state.
  */
-class Configuration extends TaintTracking::Configuration {
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "PathInjection" }
 
   override predicate isSource(DataFlow::Node source, DataFlow::FlowState state) {
@@ -74,3 +76,52 @@ class NotNormalized extends DataFlow::FlowState {
 class NormalizedUnchecked extends DataFlow::FlowState {
   NormalizedUnchecked() { this = "NormalizedUnchecked" }
 }
+
+/**
+ * This configuration uses two flow states, `NotNormalized` and `NormalizedUnchecked`,
+ * to track the requirement that a file path must be first normalized and then checked
+ * before it is safe to use.
+ *
+ * At sources, paths are assumed not normalized. At normalization points, they change
+ * state to `NormalizedUnchecked` after which they can be made safe by an appropriate
+ * check of the prefix.
+ *
+ * Such checks are ineffective in the `NotNormalized` state.
+ */
+module PathInjectionConfig implements DataFlow::StateConfigSig {
+  class FlowState = DataFlow::FlowState;
+
+  predicate isSource(DataFlow::Node source, FlowState state) {
+    source instanceof Source and state instanceof NotNormalized
+  }
+
+  predicate isSink(DataFlow::Node sink, FlowState state) {
+    sink instanceof Sink and
+    (
+      state instanceof NotNormalized or
+      state instanceof NormalizedUnchecked
+    )
+  }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate isBarrier(DataFlow::Node node, FlowState state) {
+    // Block `NotNormalized` paths here, since they change state to `NormalizedUnchecked`
+    node instanceof Path::PathNormalization and
+    state instanceof NotNormalized
+    or
+    node instanceof Path::SafeAccessCheck and
+    state instanceof NormalizedUnchecked
+  }
+
+  predicate isAdditionalFlowStep(
+    DataFlow::Node nodeFrom, FlowState stateFrom, DataFlow::Node nodeTo, FlowState stateTo
+  ) {
+    nodeFrom = nodeTo.(Path::PathNormalization).getPathArg() and
+    stateFrom instanceof NotNormalized and
+    stateTo instanceof NormalizedUnchecked
+  }
+}
+
+/** Global taint-tracking for detecting "path injection" vulnerabilities. */
+module PathInjectionFlow = TaintTracking::GlobalWithState<PathInjectionConfig>;

python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSCustomizations.qll

@@ -6,7 +6,6 @@
 
 private import python
 private import semmle.python.dataflow.new.DataFlow
-private import semmle.python.dataflow.new.DataFlow2
 private import semmle.python.dataflow.new.TaintTracking
 private import semmle.python.Concepts
 private import semmle.python.dataflow.new.RemoteFlowSources

python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSQuery.qll

@@ -12,9 +12,11 @@ import semmle.python.dataflow.new.TaintTracking
 import PolynomialReDoSCustomizations::PolynomialReDoS
 
 /**
+ * DEPRECATED: Use `PolynomialReDoSFlow` module instead.
+ *
  * A taint-tracking configuration for detecting "polynomial regular expression denial of service (ReDoS)" vulnerabilities.
  */
-class Configuration extends TaintTracking::Configuration {
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "PolynomialReDoS" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -27,3 +29,14 @@ class Configuration extends TaintTracking::Configuration {
     guard instanceof SanitizerGuard
   }
 }
+
+private module PolynomialReDoSConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/** Global taint-tracking for detecting "polynomial regular expression denial of service (ReDoS)" vulnerabilities. */
+module PolynomialReDoSFlow = TaintTracking::Global<PolynomialReDoSConfig>;

python/ql/lib/semmle/python/security/dataflow/ReflectedXssQuery.qll

@@ -12,9 +12,11 @@ import semmle.python.dataflow.new.TaintTracking
 import ReflectedXSSCustomizations::ReflectedXss
 
 /**
+ * DEPRECATED: Use `ReflectedXssFlow` module instead.
+ *
  * A taint-tracking configuration for detecting "reflected server-side cross-site scripting" vulnerabilities.
  */
-class Configuration extends TaintTracking::Configuration {
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "ReflectedXSS" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -27,3 +29,14 @@ class Configuration extends TaintTracking::Configuration {
     guard instanceof SanitizerGuard
   }
 }
+
+private module ReflectedXssConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/** Global taint-tracking for detecting "reflected server-side cross-site scripting" vulnerabilities. */
+module ReflectedXssFlow = TaintTracking::Global<ReflectedXssConfig>;

python/ql/lib/semmle/python/security/dataflow/RegexInjectionQuery.qll

@@ -1,5 +1,5 @@
 /**
- * Provides a taint-tracking configuration for detecting regular expression injection
+ * Provides a taint-tracking configuration for detecting "regular expression injection"
  * vulnerabilities.
  *
  * Note, for performance reasons: only import this file if
@@ -13,9 +13,11 @@ import semmle.python.dataflow.new.TaintTracking
 import RegexInjectionCustomizations::RegexInjection
 
 /**
+ * DEPRECATED: Use `RegexInjectionFlow` module instead.
+ *
  * A taint-tracking configuration for detecting "reflected server-side cross-site scripting" vulnerabilities.
  */
-class Configuration extends TaintTracking::Configuration {
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "RegexInjection" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -28,3 +30,14 @@ class Configuration extends TaintTracking::Configuration {
     guard instanceof SanitizerGuard
   }
 }
+
+private module RegexInjectionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/** Global taint-tracking for detecting "regular expression injection" vulnerabilities. */
+module RegexInjectionFlow = TaintTracking::Global<RegexInjectionConfig>;

python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryQuery.qll

@@ -13,6 +13,8 @@ import semmle.python.Concepts
 import ServerSideRequestForgeryCustomizations::ServerSideRequestForgery
 
 /**
+ * DEPRECATED: Use `FullServerSideRequestForgeryFlow` module instead.
+ *
  * A taint-tracking configuration for detecting "Server-side request forgery" vulnerabilities.
  *
  * This configuration has a sanitizer to limit results to cases where attacker has full control of URL.
@@ -21,7 +23,7 @@ import ServerSideRequestForgeryCustomizations::ServerSideRequestForgery
  * You should use the `fullyControlledRequest` to only select results where all
  * URL parts are fully controlled.
  */
-class FullServerSideRequestForgeryConfiguration extends TaintTracking::Configuration {
+deprecated class FullServerSideRequestForgeryConfiguration extends TaintTracking::Configuration {
   FullServerSideRequestForgeryConfiguration() { this = "FullServerSideRequestForgery" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -39,24 +41,51 @@ class FullServerSideRequestForgeryConfiguration extends TaintTracking::Configura
   }
 }
 
+/**
+ * This configuration has a sanitizer to limit results to cases where attacker has full control of URL.
+ * See `PartialServerSideRequestForgery` for a variant without this requirement.
+ *
+ * You should use the `fullyControlledRequest` to only select results where all
+ * URL parts are fully controlled.
+ */
+private module FullServerSideRequestForgeryConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) {
+    node instanceof Sanitizer
+    or
+    node instanceof FullUrlControlSanitizer
+  }
+}
+
+/**
+ * Global taint-tracking for detecting "Full server-side request forgery" vulnerabilities.
+ *
+ * You should use the `fullyControlledRequest` to only select results where all
+ * URL parts are fully controlled.
+ */
+module FullServerSideRequestForgeryFlow = TaintTracking::Global<FullServerSideRequestForgeryConfig>;
+
 /**
  * Holds if all URL parts of `request` is fully user controlled.
  */
 predicate fullyControlledRequest(Http::Client::Request request) {
-  exists(FullServerSideRequestForgeryConfiguration fullConfig |
-    forall(DataFlow::Node urlPart | urlPart = request.getAUrlPart() |
-      fullConfig.hasFlow(_, urlPart)
-    )
+  forall(DataFlow::Node urlPart | urlPart = request.getAUrlPart() |
+    FullServerSideRequestForgeryFlow::flow(_, urlPart)
   )
 }
 
 /**
+ * DEPRECATED: Use `FullServerSideRequestForgeryFlow` module instead.
+ *
  * A taint-tracking configuration for detecting "Server-side request forgery" vulnerabilities.
  *
  * This configuration has results, even when the attacker does not have full control over the URL.
  * See `FullServerSideRequestForgeryConfiguration`, and the `fullyControlledRequest` predicate.
  */
-class PartialServerSideRequestForgeryConfiguration extends TaintTracking::Configuration {
+deprecated class PartialServerSideRequestForgeryConfiguration extends TaintTracking::Configuration {
   PartialServerSideRequestForgeryConfiguration() { this = "PartialServerSideRequestForgery" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -69,3 +98,21 @@ class PartialServerSideRequestForgeryConfiguration extends TaintTracking::Config
     guard instanceof SanitizerGuard
   }
 }
+
+/**
+ * This configuration has results, even when the attacker does not have full control over the URL.
+ * See `FullServerSideRequestForgeryConfiguration`, and the `fullyControlledRequest` predicate.
+ */
+private module PartialServerSideRequestForgeryConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/**
+ * Global taint-tracking for detecting "partial server-side request forgery" vulnerabilities.
+ */
+module PartialServerSideRequestForgeryFlow =
+  TaintTracking::Global<PartialServerSideRequestForgeryConfig>;

python/ql/lib/semmle/python/security/dataflow/SqlInjectionQuery.qll

@@ -12,9 +12,11 @@ import semmle.python.dataflow.new.TaintTracking
 import SqlInjectionCustomizations::SqlInjection
 
 /**
+ * DEPRECATED: Use `SqlInjectionFlow` module instead.
+ *
  * A taint-tracking configuration for detecting "SQL injection" vulnerabilities.
  */
-class Configuration extends TaintTracking::Configuration {
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "SqlInjection" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -27,3 +29,14 @@ class Configuration extends TaintTracking::Configuration {
     guard instanceof SanitizerGuard
   }
 }
+
+private module SqlInjectionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/** Global taint-tracking for detecting "SQL injection" vulnerabilities. */
+module SqlInjectionFlow = TaintTracking::Global<SqlInjectionConfig>;

python/ql/lib/semmle/python/security/dataflow/StackTraceExposureQuery.qll

@@ -12,9 +12,11 @@ import semmle.python.dataflow.new.TaintTracking
 import StackTraceExposureCustomizations::StackTraceExposure
 
 /**
+ * DEPRECATED: Use `StackTraceExposureFlow` module instead.
+ *
  * A taint-tracking configuration for detecting "stack trace exposure" vulnerabilities.
  */
-class Configuration extends TaintTracking::Configuration {
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "StackTraceExposure" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -36,3 +38,23 @@ class Configuration extends TaintTracking::Configuration {
     )
   }
 }
+
+private module StackTraceExposureConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  // A stack trace is accessible as the `__traceback__` attribute of a caught exception.
+  //  see https://docs.python.org/3/reference/datamodel.html#traceback-objects
+  predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+    exists(DataFlow::AttrRead attr | attr.getAttributeName() = "__traceback__" |
+      nodeFrom = attr.getObject() and
+      nodeTo = attr
+    )
+  }
+}
+
+/** Global taint-tracking for detecting "stack trace exposure" vulnerabilities. */
+module StackTraceExposureFlow = TaintTracking::Global<StackTraceExposureConfig>;

python/ql/lib/semmle/python/security/dataflow/TarSlipQuery.qll

@@ -1,5 +1,5 @@
 /**
- * Provides a taint-tracking configuration for detecting "command injection" vulnerabilities.
+ * Provides a taint-tracking configuration for detecting "tar slip" vulnerabilities.
  *
  * Note, for performance reasons: only import this file if
  * `TarSlip::Configuration` is needed, otherwise
@@ -12,9 +12,11 @@ import semmle.python.dataflow.new.TaintTracking
 import TarSlipCustomizations::TarSlip
 
 /**
- * A taint-tracking configuration for detecting "command injection" vulnerabilities.
+ * DEPRECATED: Use `TarSlipFlow` module instead.
+ *
+ * A taint-tracking configuration for detecting "tar slip" vulnerabilities.
  */
-class Configuration extends TaintTracking::Configuration {
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "TarSlip" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -23,3 +25,14 @@ class Configuration extends TaintTracking::Configuration {
 
   override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
 }
+
+private module TarSlipConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/** Global taint-tracking for detecting "tar slip" vulnerabilities. */
+module TarSlipFlow = TaintTracking::Global<TarSlipConfig>;

python/ql/lib/semmle/python/security/dataflow/UnsafeDeserializationQuery.qll

@@ -12,9 +12,11 @@ import semmle.python.dataflow.new.TaintTracking
 import UnsafeDeserializationCustomizations::UnsafeDeserialization
 
 /**
+ * DEPRECATED: Use `UnsafeDeserializationFlow` module instead.
+ *
  * A taint-tracking configuration for detecting "code execution from deserialization" vulnerabilities.
  */
-class Configuration extends TaintTracking::Configuration {
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "UnsafeDeserialization" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -27,3 +29,14 @@ class Configuration extends TaintTracking::Configuration {
     guard instanceof SanitizerGuard
   }
 }
+
+private module UnsafeDeserializationConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/** Global taint-tracking for detecting "code execution from deserialization" vulnerabilities. */
+module UnsafeDeserializationFlow = TaintTracking::Global<UnsafeDeserializationConfig>;

python/ql/lib/semmle/python/security/dataflow/UnsafeShellCommandConstructionQuery.qll

@@ -14,9 +14,11 @@ private import CommandInjectionCustomizations::CommandInjection as CommandInject
 private import semmle.python.dataflow.new.BarrierGuards
 
 /**
+ * DEPRECATED: Use `UnsafeShellCommandConstructionFlow` module instead.
+ *
  * A taint-tracking configuration for detecting shell command constructed from library input vulnerabilities.
  */
-class Configuration extends TaintTracking::Configuration {
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "UnsafeShellCommandConstruction" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -33,3 +35,23 @@ class Configuration extends TaintTracking::Configuration {
     result instanceof DataFlow::FeatureHasSourceCallContext
   }
 }
+
+/**
+ * A taint-tracking configuration for detecting "shell command constructed from library input" vulnerabilities.
+ */
+module UnsafeShellCommandConstructionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) {
+    node instanceof CommandInjection::Sanitizer // using all sanitizers from `py/command-injection`
+  }
+
+  // override to require the path doesn't have unmatched return steps
+  DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }
+}
+
+/** Global taint-tracking for detecting "shell command constructed from library input" vulnerabilities. */
+module UnsafeShellCommandConstructionFlow =
+  TaintTracking::Global<UnsafeShellCommandConstructionConfig>;

python/ql/lib/semmle/python/security/dataflow/UrlRedirectQuery.qll

@@ -12,9 +12,11 @@ import semmle.python.dataflow.new.TaintTracking
 import UrlRedirectCustomizations::UrlRedirect
 
 /**
+ * DEPRECATED: Use `UrlRedirectFlow` module instead.
+ *
  * A taint-tracking configuration for detecting "URL redirection" vulnerabilities.
  */
-class Configuration extends TaintTracking::Configuration {
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "UrlRedirect" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -27,3 +29,14 @@ class Configuration extends TaintTracking::Configuration {
     guard instanceof SanitizerGuard
   }
 }
+
+private module UrlRedirectConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/** Global taint-tracking for detecting "URL redirection" vulnerabilities. */
+module UrlRedirectFlow = TaintTracking::Global<UrlRedirectConfig>;

python/ql/lib/semmle/python/security/dataflow/WeakSensitiveDataHashingQuery.qll

@@ -24,10 +24,12 @@ module NormalHashFunction {
   import WeakSensitiveDataHashingCustomizations::NormalHashFunction
 
   /**
+   * DEPRECATED: Use `Flow` module instead.
+   *
    * A taint-tracking configuration for detecting use of a broken or weak
    * cryptographic hashing algorithm on sensitive data.
    */
-  class Configuration extends TaintTracking::Configuration {
+  deprecated class Configuration extends TaintTracking::Configuration {
     Configuration() { this = "NormalHashFunction" }
 
     override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -44,6 +46,21 @@ module NormalHashFunction {
       sensitiveDataExtraStepForCalls(node1, node2)
     }
   }
+
+  private module Config implements DataFlow::ConfigSig {
+    predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+    predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+    predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+    predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+      sensitiveDataExtraStepForCalls(node1, node2)
+    }
+  }
+
+  /** Global taint-tracking for detecting "use of a broken or weak cryptographic hashing algorithm on sensitive data" vulnerabilities. */
+  module Flow = TaintTracking::Global<Config>;
 }
 
 /**
@@ -57,13 +74,15 @@ module ComputationallyExpensiveHashFunction {
   import WeakSensitiveDataHashingCustomizations::ComputationallyExpensiveHashFunction
 
   /**
+   * DEPRECATED: Use `Flow` module instead.
+   *
    * A taint-tracking configuration for detecting use of a broken or weak
    * cryptographic hashing algorithm on passwords.
    *
    * Passwords has stricter requirements on the hashing algorithm used (must be
    * computationally expensive to prevent brute-force attacks).
    */
-  class Configuration extends TaintTracking::Configuration {
+  deprecated class Configuration extends TaintTracking::Configuration {
     Configuration() { this = "ComputationallyExpensiveHashFunction" }
 
     override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -80,4 +99,49 @@ module ComputationallyExpensiveHashFunction {
       sensitiveDataExtraStepForCalls(node1, node2)
     }
   }
+
+  /**
+   * Passwords has stricter requirements on the hashing algorithm used (must be
+   * computationally expensive to prevent brute-force attacks).
+   */
+  private module Config implements DataFlow::ConfigSig {
+    predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+    predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+    predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+    predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+      sensitiveDataExtraStepForCalls(node1, node2)
+    }
+  }
+
+  /** Global taint-tracking for detecting "use of a broken or weak cryptographic hashing algorithm on passwords" vulnerabilities. */
+  module Flow = TaintTracking::Global<Config>;
+}
+
+/**
+ * Global taint-tracking for detecting both variants of "use of a broken or weak
+ * cryptographic hashing algorithm on sensitive data" vulnerabilities.
+ *
+ * See convenience predicates `normalHashFunctionFlowPath` and
+ * `computationallyExpensiveHashFunctionFlowPath`.
+ */
+module WeakSensitiveDataHashingFlow =
+  DataFlow::MergePathGraph<NormalHashFunction::Flow::PathNode,
+    ComputationallyExpensiveHashFunction::Flow::PathNode, NormalHashFunction::Flow::PathGraph,
+    ComputationallyExpensiveHashFunction::Flow::PathGraph>;
+
+/** Holds if data can flow from `source` to `sink` with `NormalHashFunction::Flow`. */
+predicate normalHashFunctionFlowPath(
+  WeakSensitiveDataHashingFlow::PathNode source, WeakSensitiveDataHashingFlow::PathNode sink
+) {
+  NormalHashFunction::Flow::flowPath(source.asPathNode1(), sink.asPathNode1())
+}
+
+/** Holds if data can flow from `source` to `sink` with `ComputationallyExpensiveHashFunction::Flow`. */
+predicate computationallyExpensiveHashFunctionFlowPath(
+  WeakSensitiveDataHashingFlow::PathNode source, WeakSensitiveDataHashingFlow::PathNode sink
+) {
+  ComputationallyExpensiveHashFunction::Flow::flowPath(source.asPathNode2(), sink.asPathNode2())
 }

python/ql/lib/semmle/python/security/dataflow/XmlBombQuery.qll

@@ -12,9 +12,11 @@ import semmle.python.dataflow.new.TaintTracking
 import XmlBombCustomizations::XmlBomb
 
 /**
+ * DEPRECATED: Use `XmlBombFlow` module instead.
+ *
  * A taint-tracking configuration for detecting "XML bomb" vulnerabilities.
  */
-class Configuration extends TaintTracking::Configuration {
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "XmlBomb" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -26,3 +28,14 @@ class Configuration extends TaintTracking::Configuration {
     node instanceof Sanitizer
   }
 }
+
+private module XmlBombConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/** Global taint-tracking for detecting "XML bomb" vulnerabilities. */
+module XmlBombFlow = TaintTracking::Global<XmlBombConfig>;

python/ql/lib/semmle/python/security/dataflow/XpathInjectionQuery.qll

@@ -12,9 +12,11 @@ import semmle.python.dataflow.new.TaintTracking
 import XpathInjectionCustomizations::XpathInjection
 
 /**
+ * DEPRECATED: Use `XpathInjectionFlow` module instead.
+ *
  * A taint-tracking configuration for detecting "Xpath Injection" vulnerabilities.
  */
-class Configuration extends TaintTracking::Configuration {
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "Xpath Injection" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -27,3 +29,14 @@ class Configuration extends TaintTracking::Configuration {
     guard instanceof SanitizerGuard
   }
 }
+
+private module XpathInjectionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/** Global taint-tracking for detecting "Xpath Injection" vulnerabilities. */
+module XpathInjectionFlow = TaintTracking::Global<XpathInjectionConfig>;

python/ql/lib/semmle/python/security/dataflow/XxeQuery.qll

@@ -12,9 +12,11 @@ import semmle.python.dataflow.new.TaintTracking
 import XxeCustomizations::Xxe
 
 /**
+ * DEPRECATED: Use `XxeFlow` module instead.
+ *
  * A taint-tracking configuration for detecting "XML External Entity (XXE)" vulnerabilities.
  */
-class Configuration extends TaintTracking::Configuration {
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "Xxe" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -26,3 +28,14 @@ class Configuration extends TaintTracking::Configuration {
     node instanceof Sanitizer
   }
 }
+
+private module XxeConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/** Global taint-tracking for detecting "XML External Entity (XXE)" vulnerabilities. */
+module XxeFlow = TaintTracking::Global<XxeConfig>;