Share HttpToFileAccessQuery between JS and Ruby

There's so little in this query that it may not be worth sharing, but it's an interesting exercise in figuring out how we do it nicely.
2026-05-01 11:45:14 +02:00 · 2022-03-08 12:16:00 +13:00
parent 130d93dded
commit 91a7e9405c
8 changed files with 55 additions and 44 deletions
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/HttpToFileAccessCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/HttpToFileAccessCustomizations.qll
@@ -3,11 +3,9 @@
 * writing user-controlled data to files, as well as extension points
 * for adding your own.
 */
-
-import javascript
-import semmle.javascript.security.dataflow.RemoteFlowSources
-
 module HttpToFileAccess {
+  import HttpToFileAccessSpecific
+
  /**
   * A data flow source for writing user-controlled data to files.
   */
@@ -23,18 +21,6 @@ module HttpToFileAccess {
   */
  abstract class Sanitizer extends DataFlow::Node { }

-  /**
-   * An access to a user-controlled HTTP request input, considered as a flow source for writing user-controlled data to files
-   */
-  private class RequestInputAccessAsSource extends Source {
-    RequestInputAccessAsSource() { this instanceof HTTP::RequestInputAccess }
-  }
-
-  /** A response from a server, considered as a flow source for writing user-controlled data to files. */
-  private class ServerResponseAsSource extends Source {
-    ServerResponseAsSource() { this = any(ClientRequest r).getAResponseDataNode() }
-  }
-
  /** A sink that represents file access method (write, append) argument */
  class FileAccessAsSink extends Sink {
    FileAccessAsSink() { exists(FileSystemWriteAccess src | this = src.getADataNode()) }
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/HttpToFileAccessQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/HttpToFileAccessQuery.qll
@@ -6,8 +6,7 @@
 * `HttpToFileAccessCustomizations` should be imported instead.
 */

-import javascript
-import HttpToFileAccessCustomizations::HttpToFileAccess
+private import HttpToFileAccessCustomizations::HttpToFileAccess

 /**
 * A taint tracking configuration for writing user-controlled data to files.
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/HttpToFileAccessSpecific.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/HttpToFileAccessSpecific.qll
@@ -0,0 +1,19 @@
+/**
+ * Provides imports and classes needed for `HttpToFileAccessQuery` and `HttpToFileAccessCustomizations`.
+ */
+
+import javascript
+import semmle.javascript.security.dataflow.RemoteFlowSources
+private import HttpToFileAccessCustomizations::HttpToFileAccess
+
+/**
+ * An access to a user-controlled HTTP request input, considered as a flow source for writing user-controlled data to files
+ */
+private class RequestInputAccessAsSource extends Source {
+  RequestInputAccessAsSource() { this instanceof HTTP::RequestInputAccess }
+}
+
+/** A response from a server, considered as a flow source for writing user-controlled data to files. */
+private class ServerResponseAsSource extends Source {
+  ServerResponseAsSource() { this = any(ClientRequest r).getAResponseDataNode() }
+}