Moving the SsrfSink concept into Concepts.qll, and renaming to HttpClientRequestFromModel as suggested in PR review.

python/ql/lib/semmle/python/Concepts.qll

@@ -15,6 +15,8 @@ private import semmle.python.security.internal.EncryptionKeySizes
 private import semmle.python.dataflow.new.SensitiveDataSources
 private import codeql.threatmodels.ThreatModels
 private import codeql.concepts.ConceptsShared
+private import semmle.python.ApiGraphs
+private import semmle.python.frameworks.data.ModelsAsData
 
 private module ConceptsShared = ConceptsMake<Location, PythonDataFlow>;
 
@@ -1656,8 +1658,35 @@ module Http {
   }
 
   import ConceptsShared::Http::Client as Client
+
   // TODO: investigate whether we should treat responses to client requests as
   // remote-flow-sources in general.
+  /**
+   * An HTTP request modeled from `request-forgery` sinks, modeled using MaD.
+   */
+  class HttpClientRequestFromModel extends Http::Client::Request::Range instanceof API::CallNode {
+    DataFlow::Node urlArg;
+
+    HttpClientRequestFromModel() {
+      (
+        this.getArg(_) = urlArg
+        or
+        this.getArgByName(_) = urlArg
+      ) and
+      ModelOutput::sinkNode(urlArg, "request-forgery")
+    }
+
+    override DataFlow::Node getAUrlPart() { result = urlArg }
+
+    override string getFramework() { result = "MaD" }
+
+    override predicate disablesCertificateValidation(
+      DataFlow::Node disablingNode, DataFlow::Node argumentOrigin
+    ) {
+      // NOTE: if you need to define this, you have to special case it for every possible API in MaD
+      none()
+    }
+  }
 }
 
 /**

python/ql/lib/semmle/python/Frameworks.qll

@@ -80,7 +80,6 @@ private import semmle.python.frameworks.Setuptools
 private import semmle.python.frameworks.Simplejson
 private import semmle.python.frameworks.Socketio
 private import semmle.python.frameworks.SqlAlchemy
-private import semmle.python.frameworks.SSRFSink
 private import semmle.python.frameworks.Starlette
 private import semmle.python.frameworks.Stdlib
 private import semmle.python.frameworks.Streamlit

python/ql/lib/semmle/python/frameworks/SSRFSink.qll

@@ -1,42 +0,0 @@
-/**
- * Provides classes for SSRF sinks modeled using Models as Data (MaD).
- */
-
-private import python
-private import semmle.python.Concepts
-private import semmle.python.ApiGraphs
-private import semmle.python.frameworks.data.ModelsAsData
-
-/**
- * INTERNAL: Do not use.
- *
- * Sets up SSRF sinks as Http::Client::Request
- */
-module SsrfMaDModel {
-  /**
-   * An HTTP request modeled from `request-forgery` sinks, modeled using MaD.
-   */
-  class SsrfSink extends Http::Client::Request::Range instanceof API::CallNode {
-    DataFlow::Node urlArg;
-
-    SsrfSink() {
-      (
-        this.getArg(_) = urlArg
-        or
-        this.getArgByName(_) = urlArg
-      ) and
-      ModelOutput::sinkNode(urlArg, "request-forgery")
-    }
-
-    override DataFlow::Node getAUrlPart() { result = urlArg }
-
-    override string getFramework() { result = "MaD" }
-
-    override predicate disablesCertificateValidation(
-      DataFlow::Node disablingNode, DataFlow::Node argumentOrigin
-    ) {
-      // NOTE: if you need to define this, you have to special case it for every possible API in MaD
-      none()
-    }
-  }
-}