From bb452bea45a13187902ebcecc5ace9995d746d40 Mon Sep 17 00:00:00 2001
From: Esben Sparre Andreasen
Date: Thu, 4 Jul 2019 08:39:10 +0200
Subject: [PATCH] JS: split UnsafeDeserialization.qll
---
 .../dataflow/UnsafeDeserialization.qll | 47 ++--------------
 .../UnsafeDeserializationCustomizations.qll | 53 +++++++++++++++++++
 2 files changed, 58 insertions(+), 42 deletions(-)
 create mode 100644 javascript/ql/src/semmle/javascript/security/dataflow/UnsafeDeserializationCustomizations.qll
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeDeserialization.qll b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeDeserialization.qll
index ba3a2bfb5db..31ceef258a2 100644
--- a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeDeserialization.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeDeserialization.qll
@@ -1,25 +1,16 @@
 /**
 * Provides a taint-tracking configuration for reasoning about unsafe deserialization.
+ *
+ * Note, for performance reasons: only import this file if
+ * `UnsafeDeserialization::Configuration` is needed, otherwise
+ * `UnsafeDeserializationCustomizations` should be imported instead.
 */
 
 import javascript
 import semmle.javascript.security.dataflow.RemoteFlowSources
 
 module UnsafeDeserialization {
- /**
- * A data flow source for unsafe deserialization vulnerabilities.
- */
- abstract class Source extends DataFlow::Node { }
-
- /**
- * A data flow sink for unsafe deserialization vulnerabilities.
- */
- abstract class Sink extends DataFlow::Node { }
-
- /**
- * A sanitizer for unsafe deserialization vulnerabilities.
- */
- abstract class Sanitizer extends DataFlow::Node { }
+ import UnsafeDeserializationCustomizations::UnsafeDeserialization
 
 /**
 * A taint-tracking configuration for reasoning about unsafe deserialization.
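Review bot: The context line `import semmle.javascript.security.dataflow.RemoteFlowSources` is kept in this file even though its only visible user, `RemoteFlowSourceAsSource`, is moved to the new Customizations file by this same patch; if the `Configuration` class (whose body lies between the two hunks and is not visible here) does not reference `RemoteFlowSource`, the import is now dead and should be dropped so this file carries only what `UnsafeDeserialization::Configuration` needs. The new header says "for performance reasons" without saying what is paid for; one clause would help library authors decide, e.g. `* (a Configuration pulls the taint-tracking machinery into every query that imports this file — confirm)`, hedged since the cost is not shown in the hunk. The `module UnsafeDeserialization {` block opened here continues past the end of this hunk.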
@@ -36,32 +27,4 @@ module UnsafeDeserialization {
 node instanceof Sanitizer
 }
 }
-
- /** A source of remote user input, considered as a flow source for unsafe deserialization. */
- class RemoteFlowSourceAsSource extends Source {
- RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
- }
-
- /**
- * An expression passed to one of the unsafe load functions of the `js-yaml` package.
- */
- class JsYamlUnsafeLoad extends Sink {
- JsYamlUnsafeLoad() {
- exists(DataFlow::ModuleImportNode mi | mi.getPath() = "js-yaml" |
- // the first argument to a call to `load` or `loadAll`
- exists(string n | n = "load" or n = "loadAll" | this = mi.getAMemberCall(n).getArgument(0))
- or
- // the first argument to a call to `safeLoad` or `safeLoadAll` where
- // the schema is specified to be `DEFAULT_FULL_SCHEMA`
- exists(string n, DataFlow::CallNode c, DataFlow::Node fullSchema |
- n = "safeLoad" or n = "safeLoadAll"
- |
- c = mi.getAMemberCall(n) and
- this = c.getArgument(0) and
- fullSchema = c.getOptionArgument(c.getNumArgument() - 1, "schema") and
- mi.getAPropertyRead("DEFAULT_FULL_SCHEMA").flowsTo(fullSchema)
- )
- )
- }
- }
 }
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeDeserializationCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeDeserializationCustomizations.qll
new file mode 100644
index 00000000000..9471313415d
--- /dev/null
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeDeserializationCustomizations.qll
@@ -0,0 +1,53 @@
+/**
+ * Provides default sources, sinks and sanitisers for reasoning about
+ * unsafe deserialization, as well as extension points for
+ * adding your own.
+ */
+
+import javascript
+import semmle.javascript.security.dataflow.RemoteFlowSources
+
+module UnsafeDeserialization {
+ /**
+ * A data flow source for unsafe deserialization vulnerabilities.
+ */
+ abstract class Source extends DataFlow::Node { }
+
+ /**
+ * A data flow sink for unsafe deserialization vulnerabilities.
+ */
+ abstract class Sink extends DataFlow::Node { }
+
+ /**
+ * A sanitizer for unsafe deserialization vulnerabilities.
+ */
+ abstract class Sanitizer extends DataFlow::Node { }
+
+ /** A source of remote user input, considered as a flow source for unsafe deserialization. */
+ class RemoteFlowSourceAsSource extends Source {
+ RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
+ }
+
+ /**
+ * An expression passed to one of the unsafe load functions of the `js-yaml` package.
+ */
+ class JsYamlUnsafeLoad extends Sink {
+ JsYamlUnsafeLoad() {
+ exists(DataFlow::ModuleImportNode mi | mi.getPath() = "js-yaml" |
+ // the first argument to a call to `load` or `loadAll`
+ exists(string n | n = "load" or n = "loadAll" | this = mi.getAMemberCall(n).getArgument(0))
+ or
+ // the first argument to a call to `safeLoad` or `safeLoadAll` where
+ // the schema is specified to be `DEFAULT_FULL_SCHEMA`
+ exists(string n, DataFlow::CallNode c, DataFlow::Node fullSchema |
+ n = "safeLoad" or n = "safeLoadAll"
+ |
+ c = mi.getAMemberCall(n) and
+ this = c.getArgument(0) and
+ fullSchema = c.getOptionArgument(c.getNumArgument() - 1, "schema") and
+ mi.getAPropertyRead("DEFAULT_FULL_SCHEMA").flowsTo(fullSchema)
+ )
+ )
+ }
+ }
+}
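Review bot: The `load`/`loadAll` branch of `JsYamlUnsafeLoad` marks the first argument as a sink unconditionally, while the `safeLoad` branch only fires when the trailing options object names `DEFAULT_FULL_SCHEMA`; the asymmetry means a `load(src, { schema: DEFAULT_SAFE_SCHEMA })` call is still reported, which (presumably, if js-yaml honours `schema` on `load` as the second branch assumes it does on `safeLoad`) is a false positive worth excluding with a mirrored `not ... DEFAULT_SAFE_SCHEMA ... flowsTo(...)` condition. The comment above the second branch names the schema but not why it matters, and that is the whole sink's security rationale; I would add `// DEFAULT_FULL_SCHEMA re-enables JS-specific tags (e.g. !!js/function), so safeLoad with it is no safer than load — confirm against the js-yaml version in use`. Separately, the file header spells "sanitisers" while the extension point is `Sanitizer`; one spelling keeps the class searchable from its documentation.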