JS: Migrate TemplateObjectInjection

javascript/ql/lib/semmle/javascript/security/dataflow/TemplateObjectInjectionCustomizations.qll

@@ -12,12 +12,17 @@ private import semmle.javascript.security.TaintedObjectCustomizations
  * template object injection vulnerabilities.
  */
 module TemplateObjectInjection {
+  import semmle.javascript.security.CommonFlowState
+
   /**
    * A data flow source for template object injection vulnerabilities.
    */
   abstract class Source extends DataFlow::Node {
-    /** Gets a flow label to associate with this source. */
-    abstract DataFlow::FlowLabel getAFlowLabel();
+    /** Gets a flow state for which this is a source. */
+    FlowState getAFlowState() { result.isTaint() }
+
+    /** DEPRECATED. Use `getAFlowState()` instead */
+    deprecated DataFlow::FlowLabel getAFlowLabel() { result = this.getAFlowState().toFlowLabel() }
   }
 
   /**
@@ -31,12 +36,12 @@ module TemplateObjectInjection {
   abstract class Sanitizer extends DataFlow::Node { }
 
   private class TaintedObjectSourceAsSource extends Source instanceof TaintedObject::Source {
-    override DataFlow::FlowLabel getAFlowLabel() { result = TaintedObject::label() }
+    override FlowState getAFlowState() { result.isTaintedObject() }
   }
 
   /** An active threat-model source, considered as a flow source. */
   private class ActiveThreatModelSourceAsSource extends Source, ActiveThreatModelSource {
-    override DataFlow::FlowLabel getAFlowLabel() { result.isTaint() }
+    override FlowState getAFlowState() { result.isTaint() }
   }
 
   /**

javascript/ql/lib/semmle/javascript/security/dataflow/TemplateObjectInjectionQuery.qll

@@ -15,29 +15,29 @@ private import semmle.javascript.security.TaintedObject
  * A taint tracking configuration for reasoning about template object injection vulnerabilities.
  */
 module TemplateObjectInjectionConfig implements DataFlow::StateConfigSig {
-  class FlowState = DataFlow::FlowLabel;
+  import semmle.javascript.security.CommonFlowState
 
-  predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
-    source.(Source).getAFlowLabel() = label
+  predicate isSource(DataFlow::Node source, FlowState state) {
+    source.(Source).getAFlowState() = state
   }
 
-  predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
-    sink instanceof Sink and label = TaintedObject::label()
+  predicate isSink(DataFlow::Node sink, FlowState state) {
+    sink instanceof Sink and state.isTaintedObject()
   }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
 
-  predicate isBarrier(DataFlow::Node node, DataFlow::FlowLabel label) {
+  predicate isBarrier(DataFlow::Node node, FlowState state) {
     TaintTracking::defaultSanitizer(node) and
-    label.isTaint()
+    state.isTaint()
     or
-    node = TaintedObject::SanitizerGuard::getABarrierNode(label)
+    node = TaintedObject::SanitizerGuard::getABarrierNode(state)
   }
 
   predicate isAdditionalFlowStep(
-    DataFlow::Node src, DataFlow::FlowLabel inlbl, DataFlow::Node trg, DataFlow::FlowLabel outlbl
+    DataFlow::Node src, FlowState inlbl, DataFlow::Node trg, FlowState outlbl
   ) {
-    TaintedObject::step(src, trg, inlbl, outlbl)
+    TaintedObject::isAdditionalFlowStep(src, inlbl, trg, outlbl)
     or
     // We're not using a taint-tracking config because taint steps would then apply to all flow states.
     // So we use a plain data flow config and manually add the default taint steps.