Ruby: configsig rb/reflected-xss

ruby/ql/lib/codeql/ruby/security/ReflectedXSSQuery.qll

@@ -2,8 +2,8 @@
  * Provides a taint-tracking configuration for detecting "reflected server-side cross-site scripting" vulnerabilities.
  *
  * Note, for performance reasons: only import this file if
- * `ReflectedXSS::Configuration` is needed, otherwise
- * `XSS::ReflectedXSS` should be imported instead.
+ * `ReflectedXssFlow` is needed, otherwise
+ * `XSS::ReflectedXss` should be imported instead.
  */
 
 private import codeql.ruby.AST
@@ -12,14 +12,16 @@ import codeql.ruby.TaintTracking
 
 /**
  * Provides a taint-tracking configuration for detecting "reflected server-side cross-site scripting" vulnerabilities.
+ * DEPRECATED: Use `ReflectedXssFlow`
  */
-module ReflectedXss {
+deprecated module ReflectedXss {
   import XSS::ReflectedXss
 
   /**
    * A taint-tracking configuration for detecting "reflected server-side cross-site scripting" vulnerabilities.
+   * DEPRECATED: Use `ReflectedXssFlow`
    */
-  class Configuration extends TaintTracking::Configuration {
+  deprecated class Configuration extends TaintTracking::Configuration {
     Configuration() { this = "ReflectedXSS" }
 
     override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -37,3 +39,22 @@ module ReflectedXss {
     }
   }
 }
+
+private module ReflectedXssConfig implements DataFlow::ConfigSig {
+  private import XSS::ReflectedXss as RX
+
+  predicate isSource(DataFlow::Node source) { source instanceof RX::Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof RX::Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof RX::Sanitizer }
+
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    RX::isAdditionalXssTaintStep(node1, node2)
+  }
+}
+
+/**
+ * Taint-tracking for detecting "reflected server-side cross-site scripting" vulnerabilities.
+ */
+module ReflectedXssFlow = TaintTracking::Global<ReflectedXssConfig>;