Use the split taint predicate to emulate taint where required

In particular, the OpenUrlRedirect and CleartextLogging queries, which both have taint flow into
an object when one of its fields is written.

ql/src/semmle/go/security/CleartextLogging.qll

@@ -34,19 +34,8 @@ module CleartextLogging {
       // A taint propagating data-flow edge through structs: a tainted write taints the entire struct.
       exists(Write write | write.writesField(trg.getASuccessor*(), _, src))
       or
-      trg.(DataFlow::BinaryOperationNode).getOperator() = "+" and
-      src = trg.(DataFlow::BinaryOperationNode).getAnOperand()
-      or
-      // Allow flow through functions that are considered for taint flow.
-      exists(
-        TaintTracking::FunctionModel m, DataFlow::CallNode c, DataFlow::FunctionInput inp,
-        DataFlow::FunctionOutput outp
-      |
-        c = m.getACall() and
-        m.hasTaintFlow(inp, outp) and
-        src = inp.getNode(c) and
-        trg = outp.getNode(c)
-      )
+      // taint steps that do not include flow through fields
+      TaintTracking::taintStep(src, trg) and not TaintTracking::fieldReadStep(src, trg)
     }
   }
 }

ql/src/semmle/go/security/OpenUrlRedirect.qll

@@ -35,18 +35,8 @@ module OpenUrlRedirect {
         var.getType().hasQualifiedName("net/url", "URL")
       )
       or
-      StringConcatenation::taintStep(pred, succ)
-      or
-      // Allow flow through functions that are considered for taint flow.
-      exists(
-        TaintTracking::FunctionModel m, DataFlow::CallNode c, DataFlow::FunctionInput inp,
-        DataFlow::FunctionOutput outp
-      |
-        c = m.getACall() and
-        m.hasTaintFlow(inp, outp) and
-        pred = inp.getNode(c) and
-        succ = outp.getNode(c)
-      )
+      // taint steps that do not include flow through fields
+      TaintTracking::taintStep(pred, succ) and not TaintTracking::fieldReadStep(pred, succ)
     }
 
     override predicate isBarrierOut(DataFlow::Node node) { hostnameSanitizingPrefixEdge(node, _) }