JS: split RequestForgery.qll

javascript/ql/src/semmle/javascript/security/dataflow/RequestForgery.qll

@@ -1,35 +1,17 @@
 /**
- * Provides a taint-tracking configuration for reasoning about request forgery.
+ * Provides a taint-tracking configuration for reasoning about request
+ * forgery.
+ *
+ * Note, for performance reasons: only import this file if
+ * `RequestForgery::Configuration` is needed, otherwise
+ * `RequestForgeryCustomizations` should be imported instead.
  */
 
-import semmle.javascript.security.dataflow.RemoteFlowSources
+import javascript
 import UrlConcatenation
 
 module RequestForgery {
-  /**
-   * A data flow source for request forgery.
-   */
-  abstract class Source extends DataFlow::Node { }
-
-  /**
-   * A data flow sink for request forgery.
-   */
-  abstract class Sink extends DataFlow::Node {
-    /**
-     * Gets a request that uses this sink.
-     */
-    abstract DataFlow::Node getARequest();
-
-    /**
-     * Gets the kind of this sink.
-     */
-    abstract string getKind();
-  }
-
-  /**
-   * A sanitizer for request forgery.
-   */
-  abstract class Sanitizer extends DataFlow::Node { }
+  import RequestForgeryCustomizations::RequestForgery
 
   /**
    * A taint tracking configuration for request forgery.
@@ -50,28 +32,4 @@ module RequestForgery {
       sanitizingPrefixEdge(source, sink)
     }
   }
-
-  /** A source of remote user input, considered as a flow source for request forgery. */
-  private class RemoteFlowSourceAsSource extends Source {
-    RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
-  }
-
-  /**
-   * The URL of a URL request, viewed as a sink for request forgery.
-   */
-  private class ClientRequestUrlAsSink extends Sink {
-    ClientRequest request;
-
-    string kind;
-
-    ClientRequestUrlAsSink() {
-      this = request.getUrl() and kind = "URL"
-      or
-      this = request.getHost() and kind = "host"
-    }
-
-    override DataFlow::Node getARequest() { result = request }
-
-    override string getKind() { result = kind }
-  }
 }

javascript/ql/src/semmle/javascript/security/dataflow/RequestForgeryCustomizations.qll

@@ -0,0 +1,57 @@
+/**
+ * Provides default sources, sinks and sanitisers for reasoning about
+ * request forgery, as well as extension points for adding your own.
+ */
+
+import semmle.javascript.security.dataflow.RemoteFlowSources
+
+module RequestForgery {
+  /**
+   * A data flow source for request forgery.
+   */
+  abstract class Source extends DataFlow::Node { }
+
+  /**
+   * A data flow sink for request forgery.
+   */
+  abstract class Sink extends DataFlow::Node {
+    /**
+     * Gets a request that uses this sink.
+     */
+    abstract DataFlow::Node getARequest();
+
+    /**
+     * Gets the kind of this sink.
+     */
+    abstract string getKind();
+  }
+
+  /**
+   * A sanitizer for request forgery.
+   */
+  abstract class Sanitizer extends DataFlow::Node { }
+
+  /** A source of remote user input, considered as a flow source for request forgery. */
+  private class RemoteFlowSourceAsSource extends Source {
+    RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
+  }
+
+  /**
+   * The URL of a URL request, viewed as a sink for request forgery.
+   */
+  private class ClientRequestUrlAsSink extends Sink {
+    ClientRequest request;
+
+    string kind;
+
+    ClientRequestUrlAsSink() {
+      this = request.getUrl() and kind = "URL"
+      or
+      this = request.getHost() and kind = "host"
+    }
+
+    override DataFlow::Node getARequest() { result = request }
+
+    override string getKind() { result = kind }
+  }
+}