Factor request-forgery config so it can be used in an inline-expectations test

java/ql/src/Security/CWE/CWE-918/RequestForgery.ql

@@ -11,30 +11,9 @@
  */
 
 import java
-import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.security.RequestForgery
+import semmle.code.java.security.RequestForgeryConfig
 import DataFlow::PathGraph
 
-class RequestForgeryConfiguration extends TaintTracking::Configuration {
-  RequestForgeryConfiguration() { this = "Server-Side Request Forgery" }
-
-  override predicate isSource(DataFlow::Node source) {
-    source instanceof RemoteFlowSource and
-    // Exclude results of remote HTTP requests: fetching something else based on that result
-    // is no worse than following a redirect returned by the remote server, and typically
-    // we're requesting a resource via https which we trust to only send us to safe URLs.
-    not source.asExpr().(MethodAccess).getCallee() instanceof URLConnectionGetInputStreamMethod
-  }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof RequestForgerySink }
-
-  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
-    any(RequestForgeryAdditionalTaintStep r).propagatesTaint(pred, succ)
-  }
-
-  override predicate isSanitizer(DataFlow::Node node) { node instanceof RequestForgerySanitizer }
-}
-
 from DataFlow::PathNode source, DataFlow::PathNode sink, RequestForgeryConfiguration conf
 where conf.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "Potential server-side request forgery due to $@.",