Merge pull request #8511 from RasmusWL/use-query-suffix

Python: Use `Query.qll` suffix for dataflow configuration definitions

python/ql/lib/change-notes/2022-03-21-query-suffix-convention.md

@@ -0,0 +1,8 @@
+---
+category: deprecated
+---
+* Queries importing a data-flow configuration from `semmle.python.security.dataflow`
+  should ensure that the imported file ends with `Query`, and only import its top-level
+  module. For example, a query that used `CommandInjection::Configuration` from
+  `semmle.python.security.dataflow.CommandInjection` should from now use `Configuration`
+  from `semmle.python.security.dataflow.CommandInjectionQuery` instead.

python/ql/lib/semmle/python/security/dataflow/CleartextLogging.qll

@@ -1,10 +1,4 @@
-/**
- * Provides a taint-tracking configuration for "Clear-text logging of sensitive information".
- *
- * Note, for performance reasons: only import this file if
- * `CleartextLogging::Configuration` is needed, otherwise
- * `CleartextLoggingCustomizations` should be imported instead.
- */
+/** DEPRECATED. Import `CleartextLoggingQuery` instead. */
 
 private import python
 private import semmle.python.dataflow.new.DataFlow
@@ -14,26 +8,7 @@ private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.dataflow.new.BarrierGuards
 private import semmle.python.dataflow.new.SensitiveDataSources
 
-/**
- * Provides a taint-tracking configuration for detecting "Clear-text logging of sensitive information".
- */
-module CleartextLogging {
-  import CleartextLoggingCustomizations::CleartextLogging
-
-  /**
-   * A taint-tracking configuration for detecting "Clear-text logging of sensitive information".
-   */
-  class Configuration extends TaintTracking::Configuration {
-    Configuration() { this = "CleartextLogging" }
-
-    override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-    override predicate isSanitizer(DataFlow::Node node) {
-      super.isSanitizer(node)
-      or
-      node instanceof Sanitizer
-    }
-  }
+/** DEPRECATED. Import `CleartextLoggingQuery` instead. */
+deprecated module CleartextLogging {
+  import CleartextLoggingQuery // ignore-query-import
 }

python/ql/lib/semmle/python/security/dataflow/CleartextLoggingQuery.qll

@@ -0,0 +1,33 @@
+/**
+ * Provides a taint-tracking configuration for "Clear-text logging of sensitive information".
+ *
+ * Note, for performance reasons: only import this file if
+ * `CleartextLogging::Configuration` is needed, otherwise
+ * `CleartextLoggingCustomizations` should be imported instead.
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.dataflow.new.TaintTracking
+private import semmle.python.Concepts
+private import semmle.python.dataflow.new.RemoteFlowSources
+private import semmle.python.dataflow.new.BarrierGuards
+private import semmle.python.dataflow.new.SensitiveDataSources
+import CleartextLoggingCustomizations::CleartextLogging
+
+/**
+ * A taint-tracking configuration for detecting "Clear-text logging of sensitive information".
+ */
+class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "CleartextLogging" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  override predicate isSanitizer(DataFlow::Node node) {
+    super.isSanitizer(node)
+    or
+    node instanceof Sanitizer
+  }
+}

python/ql/lib/semmle/python/security/dataflow/CleartextStorage.qll

@@ -1,10 +1,4 @@
-/**
- * Provides a taint-tracking configuration for "Clear-text storage of sensitive information".
- *
- * Note, for performance reasons: only import this file if
- * `CleartextStorage::Configuration` is needed, otherwise
- * `CleartextStorageCustomizations` should be imported instead.
- */
+/** DEPRECATED. Import `CleartextStorageQuery` instead. */
 
 private import python
 private import semmle.python.dataflow.new.DataFlow
@@ -14,26 +8,7 @@ private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.dataflow.new.BarrierGuards
 private import semmle.python.dataflow.new.SensitiveDataSources
 
-/**
- * Provides a taint-tracking configuration for detecting "Clear-text storage of sensitive information".
- */
-module CleartextStorage {
-  import CleartextStorageCustomizations::CleartextStorage
-
-  /**
-   * A taint-tracking configuration for detecting "Clear-text storage of sensitive information".
-   */
-  class Configuration extends TaintTracking::Configuration {
-    Configuration() { this = "CleartextStorage" }
-
-    override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-    override predicate isSanitizer(DataFlow::Node node) {
-      super.isSanitizer(node)
-      or
-      node instanceof Sanitizer
-    }
-  }
+/** DEPRECATED. Import `CleartextStorageQuery` instead. */
+deprecated module CleartextStorage {
+  import CleartextStorageQuery // ignore-query-import
 }

python/ql/lib/semmle/python/security/dataflow/CleartextStorageQuery.qll

@@ -0,0 +1,33 @@
+/**
+ * Provides a taint-tracking configuration for "Clear-text storage of sensitive information".
+ *
+ * Note, for performance reasons: only import this file if
+ * `CleartextStorage::Configuration` is needed, otherwise
+ * `CleartextStorageCustomizations` should be imported instead.
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.dataflow.new.TaintTracking
+private import semmle.python.Concepts
+private import semmle.python.dataflow.new.RemoteFlowSources
+private import semmle.python.dataflow.new.BarrierGuards
+private import semmle.python.dataflow.new.SensitiveDataSources
+import CleartextStorageCustomizations::CleartextStorage
+
+/**
+ * A taint-tracking configuration for detecting "Clear-text storage of sensitive information".
+ */
+class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "CleartextStorage" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  override predicate isSanitizer(DataFlow::Node node) {
+    super.isSanitizer(node)
+    or
+    node instanceof Sanitizer
+  }
+}

python/ql/lib/semmle/python/security/dataflow/CodeInjection.qll

@@ -1,42 +1,13 @@
-/**
- * Provides a taint-tracking configuration for detecting "code injection" vulnerabilities.
- *
- * Note, for performance reasons: only import this file if
- * `CodeInjection::Configuration` is needed, otherwise
- * `CodeInjectionCustomizations` should be imported instead.
- */
+/** DEPRECATED. Import `CodeInjectionQuery` instead. */
 
 private import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 
-/**
- * Provides a taint-tracking configuration for detecting "code injection" vulnerabilities.
- */
-module CodeInjection {
-  import CodeInjectionCustomizations::CodeInjection
-
-  /**
-   * A taint-tracking configuration for detecting "code injection" vulnerabilities.
-   */
-  class Configuration extends TaintTracking::Configuration {
-    Configuration() { this = "CodeInjection" }
-
-    override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-    override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-
-    override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
-      guard instanceof SanitizerGuard
-    }
-  }
+/** DEPRECATED. Import `CodeInjectionQuery` instead. */
+deprecated module CodeInjection {
+  import CodeInjectionQuery // ignore-query-import
 }
 
-/**
- * DEPRECATED: Don't extend this class for customization, since this will lead to bad
- * performance, instead use the new `CodeInjectionCustomizations.qll` file, and extend
- * its' classes.
- */
+/** DEPRECATED. Import `CodeInjectionQuery` instead. */
 deprecated class CodeInjectionConfiguration = CodeInjection::Configuration;

python/ql/lib/semmle/python/security/dataflow/CodeInjectionQuery.qll

@@ -0,0 +1,29 @@
+/**
+ * Provides a taint-tracking configuration for detecting "code injection" vulnerabilities.
+ *
+ * Note, for performance reasons: only import this file if
+ * `CodeInjection::Configuration` is needed, otherwise
+ * `CodeInjectionCustomizations` should be imported instead.
+ */
+
+private import python
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.dataflow.new.TaintTracking
+import CodeInjectionCustomizations::CodeInjection
+
+/**
+ * A taint-tracking configuration for detecting "code injection" vulnerabilities.
+ */
+class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "CodeInjection" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
+
+  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+    guard instanceof SanitizerGuard
+  }
+}

python/ql/lib/semmle/python/security/dataflow/CommandInjection.qll

@@ -1,42 +1,13 @@
-/**
- * Provides a taint-tracking configuration for detecting "command injection" vulnerabilities.
- *
- * Note, for performance reasons: only import this file if
- * `CommandInjection::Configuration` is needed, otherwise
- * `CommandInjectionCustomizations` should be imported instead.
- */
+/** DEPRECATED. Import `CommandInjectionQuery` instead. */
 
 private import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 
-/**
- * Provides a taint-tracking configuration for detecting "command injection" vulnerabilities.
- */
-module CommandInjection {
-  import CommandInjectionCustomizations::CommandInjection
-
-  /**
-   * A taint-tracking configuration for detecting "command injection" vulnerabilities.
-   */
-  class Configuration extends TaintTracking::Configuration {
-    Configuration() { this = "CommandInjection" }
-
-    override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-    override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-
-    override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
-      guard instanceof SanitizerGuard
-    }
-  }
+/** DEPRECATED. Import `CommandInjectionQuery` instead. */
+deprecated module CommandInjection {
+  import CommandInjectionQuery // ignore-query-import
 }
 
-/**
- * DEPRECATED: Don't extend this class for customization, since this will lead to bad
- * performance, instead use the new `CommandInjectionCustomizations.qll` file, and extend
- * its' classes.
- */
+/** DEPRECATED. Import `CommandInjectionQuery` instead. */
 deprecated class CommandInjectionConfiguration = CommandInjection::Configuration;

python/ql/lib/semmle/python/security/dataflow/CommandInjectionQuery.qll

@@ -0,0 +1,29 @@
+/**
+ * Provides a taint-tracking configuration for detecting "command injection" vulnerabilities.
+ *
+ * Note, for performance reasons: only import this file if
+ * `CommandInjection::Configuration` is needed, otherwise
+ * `CommandInjectionCustomizations` should be imported instead.
+ */
+
+private import python
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.dataflow.new.TaintTracking
+import CommandInjectionCustomizations::CommandInjection
+
+/**
+ * A taint-tracking configuration for detecting "command injection" vulnerabilities.
+ */
+class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "CommandInjection" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
+
+  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+    guard instanceof SanitizerGuard
+  }
+}

python/ql/lib/semmle/python/security/dataflow/LdapInjection.qll

@@ -1,10 +1,4 @@
-/**
- * Provides taint-tracking configurations for detecting LDAP injection vulnerabilities
- *
- * Note, for performance reasons: only import this file if
- * `LdapInjection::Configuration` is needed, otherwise
- * `LdapInjectionCustomizations` should be imported instead.
- */
+/** DEPRECATED. Import `LdapInjectionQuery` instead. */
 
 import python
 import semmle.python.Concepts
@@ -12,49 +6,7 @@ import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 import semmle.python.dataflow.new.RemoteFlowSources
 
-/**
- * Provides aint-tracking configurations for detecting LDAP injection vulnerabilities.class
- *
- * Two configurations are provided. One is for detecting LDAP injection
- * via the distinguished name (DN). The other is for detecting LDAP injection
- * via the filter. These require different escapings.
- */
-module LdapInjection {
-  import LdapInjectionCustomizations::LdapInjection
-
-  /**
-   * A taint-tracking configuration for detecting LDAP injection vulnerabilities
-   * via the distinguished name (DN) parameter of an LDAP search.
-   */
-  class DnConfiguration extends TaintTracking::Configuration {
-    DnConfiguration() { this = "LdapDnInjection" }
-
-    override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-    override predicate isSink(DataFlow::Node sink) { sink instanceof DnSink }
-
-    override predicate isSanitizer(DataFlow::Node node) { node instanceof DnSanitizer }
-
-    override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
-      guard instanceof DnSanitizerGuard
-    }
-  }
-
-  /**
-   * A taint-tracking configuration for detecting LDAP injection vulnerabilities
-   * via the filter parameter of an LDAP search.
-   */
-  class FilterConfiguration extends TaintTracking::Configuration {
-    FilterConfiguration() { this = "LdapFilterInjection" }
-
-    override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-    override predicate isSink(DataFlow::Node sink) { sink instanceof FilterSink }
-
-    override predicate isSanitizer(DataFlow::Node node) { node instanceof FilterSanitizer }
-
-    override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
-      guard instanceof FilterSanitizerGuard
-    }
-  }
+/** DEPRECATED. Import `LdapInjectionQuery` instead. */
+deprecated module LdapInjection {
+  import LdapInjectionQuery // ignore-query-import
 }

python/ql/lib/semmle/python/security/dataflow/LdapInjectionQuery.qll

@@ -0,0 +1,50 @@
+/**
+ * Provides taint-tracking configurations for detecting LDAP injection vulnerabilities
+ *
+ * Note, for performance reasons: only import this file if
+ * `LdapInjection::Configuration` is needed, otherwise
+ * `LdapInjectionCustomizations` should be imported instead.
+ */
+
+import python
+import semmle.python.Concepts
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.dataflow.new.TaintTracking
+import semmle.python.dataflow.new.RemoteFlowSources
+import LdapInjectionCustomizations::LdapInjection
+
+/**
+ * A taint-tracking configuration for detecting LDAP injection vulnerabilities
+ * via the distinguished name (DN) parameter of an LDAP search.
+ */
+class DnConfiguration extends TaintTracking::Configuration {
+  DnConfiguration() { this = "LdapDnInjection" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof DnSink }
+
+  override predicate isSanitizer(DataFlow::Node node) { node instanceof DnSanitizer }
+
+  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+    guard instanceof DnSanitizerGuard
+  }
+}
+
+/**
+ * A taint-tracking configuration for detecting LDAP injection vulnerabilities
+ * via the filter parameter of an LDAP search.
+ */
+class FilterConfiguration extends TaintTracking::Configuration {
+  FilterConfiguration() { this = "LdapFilterInjection" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof FilterSink }
+
+  override predicate isSanitizer(DataFlow::Node node) { node instanceof FilterSanitizer }
+
+  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+    guard instanceof FilterSanitizerGuard
+  }
+}

python/ql/lib/semmle/python/security/dataflow/LogInjection.qll

@@ -1,35 +1,10 @@
-/**
- * Provides a taint-tracking configuration for tracking untrusted user input used in log entries.
- *
- * Note, for performance reasons: only import this file if
- * `LogInjection::Configuration` is needed, otherwise
- * `LogInjectionCustomizations` should be imported instead.
- */
+/** DEPRECATED. Import `LogInjectionQuery` instead. */
 
 import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 
-/**
- * Provides a taint-tracking configuration for tracking untrusted user input used in log entries.
- */
-module LogInjection {
-  import LogInjectionCustomizations::LogInjection
-
-  /**
-   * A taint-tracking configuration for tracking untrusted user input used in log entries.
-   */
-  class Configuration extends TaintTracking::Configuration {
-    Configuration() { this = "LogInjection" }
-
-    override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-    override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-
-    override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
-      guard instanceof SanitizerGuard
-    }
-  }
+/** DEPRECATED. Import `LogInjectionQuery` instead. */
+deprecated module LogInjection {
+  import LogInjectionQuery // ignore-query-import
 }

python/ql/lib/semmle/python/security/dataflow/LogInjectionQuery.qll

@@ -0,0 +1,29 @@
+/**
+ * Provides a taint-tracking configuration for tracking untrusted user input used in log entries.
+ *
+ * Note, for performance reasons: only import this file if
+ * `LogInjection::Configuration` is needed, otherwise
+ * `LogInjectionCustomizations` should be imported instead.
+ */
+
+import python
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.dataflow.new.TaintTracking
+import LogInjectionCustomizations::LogInjection
+
+/**
+ * A taint-tracking configuration for tracking untrusted user input used in log entries.
+ */
+class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "LogInjection" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
+
+  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+    guard instanceof SanitizerGuard
+  }
+}

python/ql/lib/semmle/python/security/dataflow/PathInjection.qll

@@ -1,84 +1,13 @@
-/**
- * Provides taint-tracking configurations for detecting "path injection" vulnerabilities.
- *
- * Note, for performance reasons: only import this file if
- * `PathInjection::Configuration` is needed, otherwise
- * `PathInjectionCustomizations` should be imported instead.
- */
+/** DEPRECATED. Import `PathInjectionQuery` instead. */
 
 private import python
 private import semmle.python.Concepts
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 
-/**
- * Provides a taint-tracking configuration for detecting "path injection" vulnerabilities.
- */
-module PathInjection {
-  import PathInjectionCustomizations::PathInjection
-
-  /**
-   * A taint-tracking configuration for detecting "path injection" vulnerabilities.
-   *
-   * This configuration uses two flow states, `NotNormalized` and `NormalizedUnchecked`,
-   * to track the requirement that a file path must be first normalized and then checked
-   * before it is safe to use.
-   *
-   * At sources, paths are assumed not normalized. At normalization points, they change
-   * state to `NormalizedUnchecked` after which they can be made safe by an appropriate
-   * check of the prefix.
-   *
-   * Such checks are ineffective in the `NotNormalized` state.
-   */
-  class Configuration extends TaintTracking::Configuration {
-    Configuration() { this = "PathInjection" }
-
-    override predicate isSource(DataFlow::Node source, DataFlow::FlowState state) {
-      source instanceof Source and state instanceof NotNormalized
-    }
-
-    override predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) {
-      sink instanceof Sink and
-      (
-        state instanceof NotNormalized or
-        state instanceof NormalizedUnchecked
-      )
-    }
-
-    override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-
-    override predicate isSanitizer(DataFlow::Node node, DataFlow::FlowState state) {
-      // Block `NotNormalized` paths here, since they change state to `NormalizedUnchecked`
-      node instanceof Path::PathNormalization and
-      state instanceof NotNormalized
-      or
-      node = any(Path::SafeAccessCheck c).getAGuardedNode() and
-      state instanceof NormalizedUnchecked
-    }
-
-    override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
-      guard instanceof SanitizerGuard
-    }
-
-    override predicate isAdditionalTaintStep(
-      DataFlow::Node nodeFrom, DataFlow::FlowState stateFrom, DataFlow::Node nodeTo,
-      DataFlow::FlowState stateTo
-    ) {
-      nodeFrom = nodeTo.(Path::PathNormalization).getPathArg() and
-      stateFrom instanceof NotNormalized and
-      stateTo instanceof NormalizedUnchecked
-    }
-  }
-
-  /** A state signifying that the file path has not been normalized. */
-  class NotNormalized extends DataFlow::FlowState {
-    NotNormalized() { this = "NotNormalized" }
-  }
-
-  /** A state signifying that the file path has been normalized, but not checked. */
-  class NormalizedUnchecked extends DataFlow::FlowState {
-    NormalizedUnchecked() { this = "NormalizedUnchecked" }
-  }
+/** DEPRECATED. Import `PathInjectionQuery` instead. */
+deprecated module PathInjection {
+  import PathInjectionQuery // ignore-query-import
 }
 
 // ---------------------------------------------------------------------------
@@ -93,7 +22,7 @@ import PathInjectionCustomizations::PathInjection
 // Case 1. The path is never normalized.
 // ---------------------------------------------------------------------------
 /**
- * DEPRECATED: Use `PathInjection::Configuration` instead
+ * DEPRECATED: Import `PathInjectionQuery` instead.
  *
  * Configuration to find paths from sources to sinks that contain no normalization.
  */
@@ -116,7 +45,7 @@ deprecated class PathNotNormalizedConfiguration extends TaintTracking::Configura
 }
 
 /**
- * DEPRECATED: Use `PathInjection::Configuration` instead
+ * DEPRECATED: Import `PathInjectionQuery` instead.
  *
  * Holds if there is a path injection from source to sink, where the (python) path is
  * not normalized.
@@ -129,7 +58,7 @@ deprecated predicate pathNotNormalized(CustomPathNode source, CustomPathNode sin
 // Case 2. The path is normalized at least once, but never checked afterwards.
 // ---------------------------------------------------------------------------
 /**
- * DEPRECATED: Use `PathInjection::Configuration` instead
+ * DEPRECATED: Import `PathInjectionQuery` instead.
  *
  * Configuration to find paths from sources to normalizations that contain no prior normalizations.
  */
@@ -150,7 +79,7 @@ deprecated class FirstNormalizationConfiguration extends TaintTracking::Configur
 }
 
 /**
- * DEPRECATED: Use `PathInjection::Configuration` instead
+ * DEPRECATED: Import `PathInjectionQuery` instead.
  *
  * Configuration to find paths from normalizations to sinks that do not go through a check.
  */
@@ -171,7 +100,7 @@ deprecated class NormalizedPathNotCheckedConfiguration extends TaintTracking2::C
 }
 
 /**
- * DEPRECATED: Use `PathInjection::Configuration` instead
+ * DEPRECATED: Import `PathInjectionQuery` instead.
  *
  * Holds if there is a path injection from source to sink, where the (python) path is
  * normalized at least once, but never checked afterwards.
@@ -191,7 +120,7 @@ deprecated predicate pathNotCheckedAfterNormalization(CustomPathNode source, Cus
 // Query: Either case 1 or case 2.
 // ---------------------------------------------------------------------------
 /**
- * DEPRECATED: Use `PathInjection::Configuration` instead
+ * DEPRECATED: Import `PathInjectionQuery` instead.
  *
  * Holds if there is a path injection from source to sink
  */

python/ql/lib/semmle/python/security/dataflow/PathInjectionQuery.qll

@@ -0,0 +1,76 @@
+/**
+ * Provides taint-tracking configurations for detecting "path injection" vulnerabilities.
+ *
+ * Note, for performance reasons: only import this file if
+ * `PathInjection::Configuration` is needed, otherwise
+ * `PathInjectionCustomizations` should be imported instead.
+ */
+
+private import python
+private import semmle.python.Concepts
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.dataflow.new.TaintTracking
+import PathInjectionCustomizations::PathInjection
+
+/**
+ * A taint-tracking configuration for detecting "path injection" vulnerabilities.
+ *
+ * This configuration uses two flow states, `NotNormalized` and `NormalizedUnchecked`,
+ * to track the requirement that a file path must be first normalized and then checked
+ * before it is safe to use.
+ *
+ * At sources, paths are assumed not normalized. At normalization points, they change
+ * state to `NormalizedUnchecked` after which they can be made safe by an appropriate
+ * check of the prefix.
+ *
+ * Such checks are ineffective in the `NotNormalized` state.
+ */
+class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "PathInjection" }
+
+  override predicate isSource(DataFlow::Node source, DataFlow::FlowState state) {
+    source instanceof Source and state instanceof NotNormalized
+  }
+
+  override predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) {
+    sink instanceof Sink and
+    (
+      state instanceof NotNormalized or
+      state instanceof NormalizedUnchecked
+    )
+  }
+
+  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
+
+  override predicate isSanitizer(DataFlow::Node node, DataFlow::FlowState state) {
+    // Block `NotNormalized` paths here, since they change state to `NormalizedUnchecked`
+    node instanceof Path::PathNormalization and
+    state instanceof NotNormalized
+    or
+    node = any(Path::SafeAccessCheck c).getAGuardedNode() and
+    state instanceof NormalizedUnchecked
+  }
+
+  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+    guard instanceof SanitizerGuard
+  }
+
+  override predicate isAdditionalTaintStep(
+    DataFlow::Node nodeFrom, DataFlow::FlowState stateFrom, DataFlow::Node nodeTo,
+    DataFlow::FlowState stateTo
+  ) {
+    nodeFrom = nodeTo.(Path::PathNormalization).getPathArg() and
+    stateFrom instanceof NotNormalized and
+    stateTo instanceof NormalizedUnchecked
+  }
+}
+
+/** A state signifying that the file path has not been normalized. */
+class NotNormalized extends DataFlow::FlowState {
+  NotNormalized() { this = "NotNormalized" }
+}
+
+/** A state signifying that the file path has been normalized, but not checked. */
+class NormalizedUnchecked extends DataFlow::FlowState {
+  NormalizedUnchecked() { this = "NormalizedUnchecked" }
+}

python/ql/lib/semmle/python/security/dataflow/PolynomialReDoS.qll

@@ -1,35 +1,10 @@
-/**
- * Provides a taint-tracking configuration for detecting "polynomial regular expression denial of service (ReDoS)" vulnerabilities.
- *
- * Note, for performance reasons: only import this file if
- * `PolynomialReDoS::Configuration` is needed, otherwise
- * `PolynomialReDoSCustomizations` should be imported instead.
- */
+/** DEPRECATED. Import `PolynomialReDoSQuery` instead. */
 
 private import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 
-/**
- * Provides a taint-tracking configuration for detecting "polynomial regular expression denial of service (ReDoS)" vulnerabilities.
- */
-module PolynomialReDoS {
-  import PolynomialReDoSCustomizations::PolynomialReDoS
-
-  /**
-   * A taint-tracking configuration for detecting "polynomial regular expression denial of service (ReDoS)" vulnerabilities.
-   */
-  class Configuration extends TaintTracking::Configuration {
-    Configuration() { this = "PolynomialReDoS" }
-
-    override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-    override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-
-    override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
-      guard instanceof SanitizerGuard
-    }
-  }
+/** DEPRECATED. Import `PolynomialReDoSQuery` instead. */
+deprecated module PolynomialReDoS {
+  import PolynomialReDoSQuery // ignore-query-import
 }

python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSQuery.qll

@@ -0,0 +1,29 @@
+/**
+ * Provides a taint-tracking configuration for detecting "polynomial regular expression denial of service (ReDoS)" vulnerabilities.
+ *
+ * Note, for performance reasons: only import this file if
+ * `PolynomialReDoS::Configuration` is needed, otherwise
+ * `PolynomialReDoSCustomizations` should be imported instead.
+ */
+
+private import python
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.dataflow.new.TaintTracking
+import PolynomialReDoSCustomizations::PolynomialReDoS
+
+/**
+ * A taint-tracking configuration for detecting "polynomial regular expression denial of service (ReDoS)" vulnerabilities.
+ */
+class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "PolynomialReDoS" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
+
+  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+    guard instanceof SanitizerGuard
+  }
+}

python/ql/lib/semmle/python/security/dataflow/ReflectedXSS.qll

@@ -1,45 +1,16 @@
-/**
- * Provides a taint-tracking configuration for detecting "reflected server-side cross-site scripting" vulnerabilities.
- *
- * Note, for performance reasons: only import this file if
- * `ReflectedXSS::Configuration` is needed, otherwise
- * `ReflectedXSSCustomizations` should be imported instead.
- */
+/** DEPRECATED. Import `ReflectedXSSQuery` instead. */
 
 private import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 
-/**
- * Provides a taint-tracking configuration for detecting "reflected server-side cross-site scripting" vulnerabilities.
- */
-module ReflectedXss {
-  import ReflectedXSSCustomizations::ReflectedXss
-
-  /**
-   * A taint-tracking configuration for detecting "reflected server-side cross-site scripting" vulnerabilities.
-   */
-  class Configuration extends TaintTracking::Configuration {
-    Configuration() { this = "ReflectedXSS" }
-
-    override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-    override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-
-    override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
-      guard instanceof SanitizerGuard
-    }
-  }
+/** DEPRECATED. Import `ReflectedXSSQuery` instead. */
+deprecated module ReflectedXss {
+  import ReflectedXssQuery // ignore-query-import
 }
 
-/** DEPRECATED: Alias for ReflectedXss */
+/** DEPRECATED. Import `ReflectedXSSQuery` instead. */
 deprecated module ReflectedXSS = ReflectedXss;
 
-/**
- * DEPRECATED: Don't extend this class for customization, since this will lead to bad
- * performance, instead use the new `ReflectedXSSCustomizations.qll` file, and extend
- * its' classes.
- */
+/** DEPRECATED. Import `ReflectedXSSQuery` instead. */
 deprecated class ReflectedXssConfiguration = ReflectedXss::Configuration;

python/ql/lib/semmle/python/security/dataflow/ReflectedXssQuery.qll

@@ -0,0 +1,29 @@
+/**
+ * Provides a taint-tracking configuration for detecting "reflected server-side cross-site scripting" vulnerabilities.
+ *
+ * Note, for performance reasons: only import this file if
+ * `ReflectedXSS::Configuration` is needed, otherwise
+ * `ReflectedXSSCustomizations` should be imported instead.
+ */
+
+private import python
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.dataflow.new.TaintTracking
+import ReflectedXSSCustomizations::ReflectedXss
+
+/**
+ * A taint-tracking configuration for detecting "reflected server-side cross-site scripting" vulnerabilities.
+ */
+class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "ReflectedXSS" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
+
+  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+    guard instanceof SanitizerGuard
+  }
+}

python/ql/lib/semmle/python/security/dataflow/RegexInjection.qll

@@ -1,37 +1,10 @@
-/**
- * Provides a taint-tracking configuration for detecting regular expression injection
- * vulnerabilities.
- *
- * Note, for performance reasons: only import this file if
- * `RegexInjection::Configuration` is needed, otherwise
- * `RegexInjectionCustomizations` should be imported instead.
- */
+/** DEPRECATED. Import `RegexInjectionQuery` instead. */
 
 private import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 
-/**
- * Provides a taint-tracking configuration for detecting regular expression injection
- * vulnerabilities.
- */
-module RegexInjection {
-  import RegexInjectionCustomizations::RegexInjection
-
-  /**
-   * A taint-tracking configuration for detecting "reflected server-side cross-site scripting" vulnerabilities.
-   */
-  class Configuration extends TaintTracking::Configuration {
-    Configuration() { this = "RegexInjection" }
-
-    override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-    override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-
-    override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
-      guard instanceof SanitizerGuard
-    }
-  }
+/** DEPRECATED. Import `RegexInjectionQuery` instead. */
+deprecated module RegexInjection {
+  import RegexInjectionQuery // ignore-query-import
 }

python/ql/lib/semmle/python/security/dataflow/RegexInjectionQuery.qll

@@ -0,0 +1,30 @@
+/**
+ * Provides a taint-tracking configuration for detecting regular expression injection
+ * vulnerabilities.
+ *
+ * Note, for performance reasons: only import this file if
+ * `RegexInjection::Configuration` is needed, otherwise
+ * `RegexInjectionCustomizations` should be imported instead.
+ */
+
+private import python
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.dataflow.new.TaintTracking
+import RegexInjectionCustomizations::RegexInjection
+
+/**
+ * A taint-tracking configuration for detecting "reflected server-side cross-site scripting" vulnerabilities.
+ */
+class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "RegexInjection" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
+
+  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+    guard instanceof SanitizerGuard
+  }
+}

python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgery.qll

@@ -1,84 +1,25 @@
-/**
- * Provides a taint-tracking configuration for detecting "Server-side request forgery" vulnerabilities.
- *
- * Note, for performance reasons: only import this file if
- * `ServerSideRequestForgery::Configuration` is needed, otherwise
- * `ServerSideRequestForgeryCustomizations` should be imported instead.
- */
+/** DEPRECATED. Import `ServerSideRequestForgeryQuery` instead. */
 
 private import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 import semmle.python.Concepts
+import ServerSideRequestForgeryQuery as ServerSideRequestForgeryQuery // ignore-query-import
 
-/**
- * Provides a taint-tracking configuration for detecting "Server-side request forgery" vulnerabilities.
- *
- * This configuration has a sanitizer to limit results to cases where attacker has full control of URL.
- * See `PartialServerSideRequestForgery` for a variant without this requirement.
- *
- * You should use the `partOfFullyControlledRequest` to only select results where all
- * URL parts are fully controlled.
- */
-module FullServerSideRequestForgery {
+/** DEPRECATED. Import `ServerSideRequestForgeryQuery` instead. */
+deprecated module FullServerSideRequestForgery {
   import ServerSideRequestForgeryCustomizations::ServerSideRequestForgery
 
-  /**
-   * A taint-tracking configuration for detecting "Server-side request forgery" vulnerabilities.
-   */
-  class Configuration extends TaintTracking::Configuration {
-    Configuration() { this = "FullServerSideRequestForgery" }
-
-    override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-    override predicate isSanitizer(DataFlow::Node node) {
-      node instanceof Sanitizer
-      or
-      node instanceof FullUrlControlSanitizer
-    }
-
-    override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
-      guard instanceof SanitizerGuard
-    }
-  }
+  class Configuration = ServerSideRequestForgeryQuery::FullServerSideRequestForgeryConfiguration;
 }
 
-/**
- * Holds if all URL parts of `request` is fully user controlled.
- */
-predicate fullyControlledRequest(HTTP::Client::Request request) {
-  exists(FullServerSideRequestForgery::Configuration fullConfig |
-    forall(DataFlow::Node urlPart | urlPart = request.getAUrlPart() |
-      fullConfig.hasFlow(_, urlPart)
-    )
-  )
-}
+/** DEPRECATED. Import `ServerSideRequestForgeryQuery` instead. */
+deprecated predicate fullyControlledRequest =
+  ServerSideRequestForgeryQuery::fullyControlledRequest/1;
 
-/**
- * Provides a taint-tracking configuration for detecting "Server-side request forgery" vulnerabilities.
- *
- * This configuration has results, even when the attacker does not have full control over the URL.
- * See `FullServerSideRequestForgery` for variant that has this requirement.
- */
-module PartialServerSideRequestForgery {
+/** DEPRECATED. Import `ServerSideRequestForgeryQuery` instead. */
+deprecated module PartialServerSideRequestForgery {
   import ServerSideRequestForgeryCustomizations::ServerSideRequestForgery
 
-  /**
-   * A taint-tracking configuration for detecting "Server-side request forgery" vulnerabilities.
-   */
-  class Configuration extends TaintTracking::Configuration {
-    Configuration() { this = "PartialServerSideRequestForgery" }
-
-    override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-    override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-
-    override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
-      guard instanceof SanitizerGuard
-    }
-  }
+  class Configuration = ServerSideRequestForgeryQuery::PartialServerSideRequestForgeryConfiguration;
 }

python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryQuery.qll

@@ -0,0 +1,71 @@
+/**
+ * Provides a taint-tracking configuration for detecting "Server-side request forgery" vulnerabilities.
+ *
+ * Note, for performance reasons: only import this file if
+ * `ServerSideRequestForgery::Configuration` is needed, otherwise
+ * `ServerSideRequestForgeryCustomizations` should be imported instead.
+ */
+
+private import python
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.dataflow.new.TaintTracking
+import semmle.python.Concepts
+import ServerSideRequestForgeryCustomizations::ServerSideRequestForgery
+
+/**
+ * A taint-tracking configuration for detecting "Server-side request forgery" vulnerabilities.
+ *
+ * This configuration has a sanitizer to limit results to cases where attacker has full control of URL.
+ * See `PartialServerSideRequestForgery` for a variant without this requirement.
+ *
+ * You should use the `fullyControlledRequest` to only select results where all
+ * URL parts are fully controlled.
+ */
+class FullServerSideRequestForgeryConfiguration extends TaintTracking::Configuration {
+  FullServerSideRequestForgeryConfiguration() { this = "FullServerSideRequestForgery" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  override predicate isSanitizer(DataFlow::Node node) {
+    node instanceof Sanitizer
+    or
+    node instanceof FullUrlControlSanitizer
+  }
+
+  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+    guard instanceof SanitizerGuard
+  }
+}
+
+/**
+ * Holds if all URL parts of `request` is fully user controlled.
+ */
+predicate fullyControlledRequest(HTTP::Client::Request request) {
+  exists(FullServerSideRequestForgeryConfiguration fullConfig |
+    forall(DataFlow::Node urlPart | urlPart = request.getAUrlPart() |
+      fullConfig.hasFlow(_, urlPart)
+    )
+  )
+}
+
+/**
+ * A taint-tracking configuration for detecting "Server-side request forgery" vulnerabilities.
+ *
+ * This configuration has results, even when the attacker does not have full control over the URL.
+ * See `FullServerSideRequestForgeryConfiguration`, and the `fullyControlledRequest` predicate.
+ */
+class PartialServerSideRequestForgeryConfiguration extends TaintTracking::Configuration {
+  PartialServerSideRequestForgeryConfiguration() { this = "PartialServerSideRequestForgery" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
+
+  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+    guard instanceof SanitizerGuard
+  }
+}

python/ql/lib/semmle/python/security/dataflow/SqlInjection.qll

@@ -1,45 +1,16 @@
-/**
- * Provides a taint-tracking configuration for detecting "SQL injection" vulnerabilities.
- *
- * Note, for performance reasons: only import this file if
- * `SqlInjection::Configuration` is needed, otherwise
- * `SqlInjectionCustomizations` should be imported instead.
- */
+/** DEPRECATED. Import `SqlInjectionQuery` instead. */
 
 private import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 
-/**
- * Provides a taint-tracking configuration for detecting "SQL injection" vulnerabilities.
- */
-module SqlInjection {
-  import SqlInjectionCustomizations::SqlInjection
-
-  /**
-   * A taint-tracking configuration for detecting "SQL injection" vulnerabilities.
-   */
-  class Configuration extends TaintTracking::Configuration {
-    Configuration() { this = "SqlInjection" }
-
-    override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-    override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-
-    override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
-      guard instanceof SanitizerGuard
-    }
-  }
+/** DEPRECATED. Import `SqlInjectionQuery` instead. */
+deprecated module SqlInjection {
+  import SqlInjectionQuery // ignore-query-import
 }
 
-/**
- * DEPRECATED: Don't extend this class for customization, since this will lead to bad
- * performance, instead use the new `SqlInjectionCustomizations.qll` file, and extend
- * its' classes.
- */
+/** DEPRECATED. Import `SqlInjectionQuery` instead. */
 deprecated class SqlInjectionConfiguration = SqlInjection::Configuration;
 
-/** DEPRECATED: Alias for SqlInjectionConfiguration */
+/** DEPRECATED. Import `SqlInjectionQuery` instead. */
 deprecated class SQLInjectionConfiguration = SqlInjectionConfiguration;

python/ql/lib/semmle/python/security/dataflow/SqlInjectionQuery.qll

@@ -0,0 +1,29 @@
+/**
+ * Provides a taint-tracking configuration for detecting "SQL injection" vulnerabilities.
+ *
+ * Note, for performance reasons: only import this file if
+ * `SqlInjection::Configuration` is needed, otherwise
+ * `SqlInjectionCustomizations` should be imported instead.
+ */
+
+private import python
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.dataflow.new.TaintTracking
+import SqlInjectionCustomizations::SqlInjection
+
+/**
+ * A taint-tracking configuration for detecting "SQL injection" vulnerabilities.
+ */
+class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "SqlInjection" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
+
+  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+    guard instanceof SanitizerGuard
+  }
+}

python/ql/lib/semmle/python/security/dataflow/StackTraceExposure.qll

@@ -1,51 +1,13 @@
-/**
- * Provides a taint-tracking configuration for detecting "stack trace exposure" vulnerabilities.
- *
- * Note, for performance reasons: only import this file if
- * `StackTraceExposure::Configuration` is needed, otherwise
- * `StackTraceExposureCustomizations` should be imported instead.
- */
+/** DEPRECATED. Import `StackTraceExposureQuery` instead. */
 
 private import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 
-/**
- * Provides a taint-tracking configuration for detecting "stack trace exposure" vulnerabilities.
- */
-module StackTraceExposure {
-  import StackTraceExposureCustomizations::StackTraceExposure
-
-  /**
-   * A taint-tracking configuration for detecting "stack trace exposure" vulnerabilities.
-   */
-  class Configuration extends TaintTracking::Configuration {
-    Configuration() { this = "StackTraceExposure" }
-
-    override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-    override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-
-    override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
-      guard instanceof SanitizerGuard
-    }
-
-    // A stack trace is accessible as the `__traceback__` attribute of a caught exception.
-    //  seehttps://docs.python.org/3/reference/datamodel.html#traceback-objects
-    override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-      exists(DataFlow::AttrRead attr | attr.getAttributeName() = "__traceback__" |
-        nodeFrom = attr.getObject() and
-        nodeTo = attr
-      )
-    }
-  }
+/** DEPRECATED. Import `StackTraceExposureQuery` instead. */
+deprecated module StackTraceExposure {
+  import StackTraceExposureQuery // ignore-query-import
 }
 
-/**
- * DEPRECATED: Don't extend this class for customization, since this will lead to bad
- * performance, instead use the new `StackTraceExposureCustomizations.qll` file, and extend
- * its' classes.
- */
+/** DEPRECATED. Import `StackTraceExposureQuery` instead. */
 deprecated class StackTraceExposureConfiguration = StackTraceExposure::Configuration;

python/ql/lib/semmle/python/security/dataflow/StackTraceExposureQuery.qll

@@ -0,0 +1,38 @@
+/**
+ * Provides a taint-tracking configuration for detecting "stack trace exposure" vulnerabilities.
+ *
+ * Note, for performance reasons: only import this file if
+ * `StackTraceExposure::Configuration` is needed, otherwise
+ * `StackTraceExposureCustomizations` should be imported instead.
+ */
+
+private import python
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.dataflow.new.TaintTracking
+import StackTraceExposureCustomizations::StackTraceExposure
+
+/**
+ * A taint-tracking configuration for detecting "stack trace exposure" vulnerabilities.
+ */
+class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "StackTraceExposure" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
+
+  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+    guard instanceof SanitizerGuard
+  }
+
+  // A stack trace is accessible as the `__traceback__` attribute of a caught exception.
+  //  seehttps://docs.python.org/3/reference/datamodel.html#traceback-objects
+  override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+    exists(DataFlow::AttrRead attr | attr.getAttributeName() = "__traceback__" |
+      nodeFrom = attr.getObject() and
+      nodeTo = attr
+    )
+  }
+}

python/ql/lib/semmle/python/security/dataflow/UnsafeDeserialization.qll

@@ -1,42 +1,13 @@
-/**
- * Provides a taint-tracking configuration for detecting "code execution from deserialization" vulnerabilities.
- *
- * Note, for performance reasons: only import this file if
- * `UnsafeDeserialization::Configuration` is needed, otherwise
- * `UnsafeDeserializationCustomizations` should be imported instead.
- */
+/** DEPRECATED. Import `UnsafeDeserializationQuery` instead. */
 
 private import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 
-/**
- * Provides a taint-tracking configuration for detecting "code execution from deserialization" vulnerabilities.
- */
-module UnsafeDeserialization {
-  import UnsafeDeserializationCustomizations::UnsafeDeserialization
-
-  /**
-   * A taint-tracking configuration for detecting "code execution from deserialization" vulnerabilities.
-   */
-  class Configuration extends TaintTracking::Configuration {
-    Configuration() { this = "UnsafeDeserialization" }
-
-    override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-    override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-
-    override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
-      guard instanceof SanitizerGuard
-    }
-  }
+/** DEPRECATED. Import `UnsafeDeserializationQuery` instead. */
+deprecated module UnsafeDeserialization {
+  import UnsafeDeserializationQuery // ignore-query-import
 }
 
-/**
- * DEPRECATED: Don't extend this class for customization, since this will lead to bad
- * performance, instead use the new `UnsafeDeserializationCustomizations.qll` file, and extend
- * its' classes.
- */
+/** DEPRECATED. Import `UnsafeDeserializationQuery` instead. */
 deprecated class UnsafeDeserializationConfiguration = UnsafeDeserialization::Configuration;

python/ql/lib/semmle/python/security/dataflow/UnsafeDeserializationQuery.qll

@@ -0,0 +1,29 @@
+/**
+ * Provides a taint-tracking configuration for detecting "code execution from deserialization" vulnerabilities.
+ *
+ * Note, for performance reasons: only import this file if
+ * `UnsafeDeserialization::Configuration` is needed, otherwise
+ * `UnsafeDeserializationCustomizations` should be imported instead.
+ */
+
+private import python
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.dataflow.new.TaintTracking
+import UnsafeDeserializationCustomizations::UnsafeDeserialization
+
+/**
+ * A taint-tracking configuration for detecting "code execution from deserialization" vulnerabilities.
+ */
+class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "UnsafeDeserialization" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
+
+  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+    guard instanceof SanitizerGuard
+  }
+}

python/ql/lib/semmle/python/security/dataflow/UrlRedirect.qll

@@ -1,42 +1,13 @@
-/**
- * Provides a taint-tracking configuration for detecting "URL redirection" vulnerabilities.
- *
- * Note, for performance reasons: only import this file if
- * `UrlRedirect::Configuration` is needed, otherwise
- * `UrlRedirectCustomizations` should be imported instead.
- */
+/** DEPRECATED. Import `UrlRedirectQuery` instead. */
 
 private import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 
-/**
- * Provides a taint-tracking configuration for detecting "URL redirection" vulnerabilities.
- */
-module UrlRedirect {
-  import UrlRedirectCustomizations::UrlRedirect
-
-  /**
-   * A taint-tracking configuration for detecting "URL redirection" vulnerabilities.
-   */
-  class Configuration extends TaintTracking::Configuration {
-    Configuration() { this = "UrlRedirect" }
-
-    override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-    override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-
-    override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
-      guard instanceof SanitizerGuard
-    }
-  }
+/** DEPRECATED. Import `UrlRedirectQuery` instead. */
+deprecated module UrlRedirect {
+  import UrlRedirectQuery // ignore-query-import
 }
 
-/**
- * DEPRECATED: Don't extend this class for customization, since this will lead to bad
- * performance, instead use the new `UrlRedirectCustomizations.qll` file, and extend
- * its' classes.
- */
+/** DEPRECATED. Import `UrlRedirectQuery` instead. */
 deprecated class UrlRedirectConfiguration = UrlRedirect::Configuration;

python/ql/lib/semmle/python/security/dataflow/UrlRedirectQuery.qll

@@ -0,0 +1,29 @@
+/**
+ * Provides a taint-tracking configuration for detecting "URL redirection" vulnerabilities.
+ *
+ * Note, for performance reasons: only import this file if
+ * `UrlRedirect::Configuration` is needed, otherwise
+ * `UrlRedirectCustomizations` should be imported instead.
+ */
+
+private import python
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.dataflow.new.TaintTracking
+import UrlRedirectCustomizations::UrlRedirect
+
+/**
+ * A taint-tracking configuration for detecting "URL redirection" vulnerabilities.
+ */
+class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "UrlRedirect" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
+
+  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+    guard instanceof SanitizerGuard
+  }
+}

python/ql/lib/semmle/python/security/dataflow/WeakSensitiveDataHashing.qll

@@ -1,11 +1,4 @@
-/**
- * Provides a taint-tracking configuration for detecting use of a broken or weak
- * cryptographic hashing algorithm on sensitive data.
- *
- * Note, for performance reasons: only import this file if
- * `WeakSensitiveDataHashing::Configuration` is needed, otherwise
- * `WeakSensitiveDataHashingCustomizations` should be imported instead.
- */
+/** DEPRECATED. Import `WeakSensitiveDataHashingQuery` instead. */
 
 private import python
 private import semmle.python.dataflow.new.DataFlow
@@ -15,69 +8,12 @@ private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.dataflow.new.BarrierGuards
 private import semmle.python.dataflow.new.SensitiveDataSources
 
-/**
- * Provides a taint-tracking configuration for detecting use of a broken or weak
- * cryptographic hash function on sensitive data, that does NOT require a
- * computationally expensive hash function.
- */
-module NormalHashFunction {
-  import WeakSensitiveDataHashingCustomizations::NormalHashFunction
-
-  /**
-   * A taint-tracking configuration for detecting use of a broken or weak
-   * cryptographic hashing algorithm on sensitive data.
-   */
-  class Configuration extends TaintTracking::Configuration {
-    Configuration() { this = "NormalHashFunction" }
-
-    override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-    override predicate isSanitizer(DataFlow::Node node) {
-      super.isSanitizer(node)
-      or
-      node instanceof Sanitizer
-    }
-
-    override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
-      sensitiveDataExtraStepForCalls(node1, node2)
-    }
-  }
+/** DEPRECATED. Import `WeakSensitiveDataHashingQuery` instead. */
+deprecated module NormalHashFunction {
+  import WeakSensitiveDataHashingQuery::NormalHashFunction // ignore-query-import
 }
 
-/**
- * Provides a taint-tracking configuration for detecting use of a broken or weak
- * cryptographic hashing algorithm on passwords.
- *
- * Passwords has stricter requirements on the hashing algorithm used (must be
- * computationally expensive to prevent brute-force attacks).
- */
-module ComputationallyExpensiveHashFunction {
-  import WeakSensitiveDataHashingCustomizations::ComputationallyExpensiveHashFunction
-
-  /**
-   * A taint-tracking configuration for detecting use of a broken or weak
-   * cryptographic hashing algorithm on passwords.
-   *
-   * Passwords has stricter requirements on the hashing algorithm used (must be
-   * computationally expensive to prevent brute-force attacks).
-   */
-  class Configuration extends TaintTracking::Configuration {
-    Configuration() { this = "ComputationallyExpensiveHashFunction" }
-
-    override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-    override predicate isSanitizer(DataFlow::Node node) {
-      super.isSanitizer(node)
-      or
-      node instanceof Sanitizer
-    }
-
-    override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
-      sensitiveDataExtraStepForCalls(node1, node2)
-    }
-  }
+/** DEPRECATED. Import `WeakSensitiveDataHashingQuery` instead. */
+deprecated module ComputationallyExpensiveHashFunction {
+  import WeakSensitiveDataHashingQuery::ComputationallyExpensiveHashFunction // ignore-query-import
 }

python/ql/lib/semmle/python/security/dataflow/WeakSensitiveDataHashingQuery.qll

@@ -0,0 +1,83 @@
+/**
+ * Provides a taint-tracking configuration for detecting use of a broken or weak
+ * cryptographic hashing algorithm on sensitive data.
+ *
+ * Note, for performance reasons: only import this file if
+ * `WeakSensitiveDataHashing::Configuration` is needed, otherwise
+ * `WeakSensitiveDataHashingCustomizations` should be imported instead.
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.dataflow.new.TaintTracking
+private import semmle.python.Concepts
+private import semmle.python.dataflow.new.RemoteFlowSources
+private import semmle.python.dataflow.new.BarrierGuards
+private import semmle.python.dataflow.new.SensitiveDataSources
+
+/**
+ * Provides a taint-tracking configuration for detecting use of a broken or weak
+ * cryptographic hash function on sensitive data, that does NOT require a
+ * computationally expensive hash function.
+ */
+module NormalHashFunction {
+  import WeakSensitiveDataHashingCustomizations::NormalHashFunction
+
+  /**
+   * A taint-tracking configuration for detecting use of a broken or weak
+   * cryptographic hashing algorithm on sensitive data.
+   */
+  class Configuration extends TaintTracking::Configuration {
+    Configuration() { this = "NormalHashFunction" }
+
+    override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+    override predicate isSanitizer(DataFlow::Node node) {
+      super.isSanitizer(node)
+      or
+      node instanceof Sanitizer
+    }
+
+    override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+      sensitiveDataExtraStepForCalls(node1, node2)
+    }
+  }
+}
+
+/**
+ * Provides a taint-tracking configuration for detecting use of a broken or weak
+ * cryptographic hashing algorithm on passwords.
+ *
+ * Passwords has stricter requirements on the hashing algorithm used (must be
+ * computationally expensive to prevent brute-force attacks).
+ */
+module ComputationallyExpensiveHashFunction {
+  import WeakSensitiveDataHashingCustomizations::ComputationallyExpensiveHashFunction
+
+  /**
+   * A taint-tracking configuration for detecting use of a broken or weak
+   * cryptographic hashing algorithm on passwords.
+   *
+   * Passwords has stricter requirements on the hashing algorithm used (must be
+   * computationally expensive to prevent brute-force attacks).
+   */
+  class Configuration extends TaintTracking::Configuration {
+    Configuration() { this = "ComputationallyExpensiveHashFunction" }
+
+    override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+    override predicate isSanitizer(DataFlow::Node node) {
+      super.isSanitizer(node)
+      or
+      node instanceof Sanitizer
+    }
+
+    override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+      sensitiveDataExtraStepForCalls(node1, node2)
+    }
+  }
+}

python/ql/lib/semmle/python/security/dataflow/XpathInjection.qll

@@ -1,35 +1,10 @@
-/**
- * Provides a taint-tracking configuration for detecting "Xpath Injection" vulnerabilities.
- *
- * Note, for performance reasons: only import this file if
- * `XpathInjection::Configuration` is needed, otherwise
- * `XpathInjectionCustomizations` should be imported instead.
- */
+/** DEPRECATED. Import `XpathInjectionQuery` instead. */
 
 private import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 
-/**
- * Provides a taint-tracking configuration for detecting "Xpath Injection" vulnerabilities.
- */
-module XpathInjection {
-  import XpathInjectionCustomizations::XpathInjection
-
-  /**
-   * A taint-tracking configuration for detecting "Xpath Injection" vulnerabilities.
-   */
-  class Configuration extends TaintTracking::Configuration {
-    Configuration() { this = "Xpath Injection" }
-
-    override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-    override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-
-    override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
-      guard instanceof SanitizerGuard
-    }
-  }
+/** DEPRECATED. Import `XpathInjectionQuery` instead. */
+deprecated module XpathInjection {
+  import XpathInjectionQuery // ignore-query-import
 }

python/ql/lib/semmle/python/security/dataflow/XpathInjectionQuery.qll

@@ -0,0 +1,29 @@
+/**
+ * Provides a taint-tracking configuration for detecting "Xpath Injection" vulnerabilities.
+ *
+ * Note, for performance reasons: only import this file if
+ * `XpathInjection::Configuration` is needed, otherwise
+ * `XpathInjectionCustomizations` should be imported instead.
+ */
+
+private import python
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.dataflow.new.TaintTracking
+import XpathInjectionCustomizations::XpathInjection
+
+/**
+ * A taint-tracking configuration for detecting "Xpath Injection" vulnerabilities.
+ */
+class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "Xpath Injection" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
+
+  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+    guard instanceof SanitizerGuard
+  }
+}