diff --git a/config/identical-files.json b/config/identical-files.json
index 5dbebe0329a..afef0a923d5 100644
--- a/config/identical-files.json
+++ b/config/identical-files.json
@@ -531,11 +531,6 @@
     "ruby/ql/lib/codeql/ruby/internal/ConceptsShared.qll",
     "javascript/ql/lib/semmle/javascript/internal/ConceptsShared.qll"
   ],
-  "Hostname Regexp queries": [
-    "javascript/ql/src/Security/CWE-020/HostnameRegexpShared.qll",
-    "python/ql/src/Security/CWE-020/HostnameRegexpShared.qll",
-    "ruby/ql/src/queries/security/cwe-020/HostnameRegexpShared.qll"
-  ],
   "ApiGraphModels": [
     "javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModels.qll",
     "ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModels.qll",
diff --git a/java/ql/lib/semmle/code/java/regex/RegexTreeView.qll b/java/ql/lib/semmle/code/java/regex/RegexTreeView.qll
index 1b01be0377b..d376f7d2388 100644
--- a/java/ql/lib/semmle/code/java/regex/RegexTreeView.qll
+++ b/java/ql/lib/semmle/code/java/regex/RegexTreeView.qll
@@ -558,6 +558,8 @@ module Impl implements RegexTreeViewSig {
     }
   }
 
+  class RegExpCharEscape = RegExpEscape;
+
   /**
    * A word boundary, that is, a regular expression term of the form `\b`.
    */
@@ -868,6 +870,9 @@ module Impl implements RegexTreeViewSig {
     predicate isNamedGroupOfLiteral(RegExpLiteral lit, string name) {
       lit = this.getLiteral() and name = this.getName()
     }
+
+    /** Holds if this is a capture group. */
+    predicate isCapture() { exists(this.getNumber()) }
   }
 
   /**
diff --git a/javascript/ql/lib/semmle/javascript/security/regexp/HostnameRegexp.qll b/javascript/ql/lib/semmle/javascript/security/regexp/HostnameRegexp.qll
new file mode 100644
index 00000000000..1922ad01bf1
--- /dev/null
+++ b/javascript/ql/lib/semmle/javascript/security/regexp/HostnameRegexp.qll
@@ -0,0 +1,19 @@
+/**
+ * Provides predicates for reasoning about regular expressions
+ * that match URLs and hostname patterns.
+ */
+
+private import javascript as JS
+private import semmle.javascript.security.regexp.RegExpTreeView::RegExpTreeView as TreeImpl
+private import semmle.javascript.Regexp as RegExp
+private import codeql.regex.HostnameRegexp as Shared
+
+private module Impl implements Shared::HostnameRegexpSig<TreeImpl> {
+  class DataFlowNode = JS::DataFlow::Node;
+
+  class RegExpPatternSource = RegExp::RegExpPatternSource;
+
+  string getACommonTld() { result = RegExp::RegExpPatterns::getACommonTld() }
+}
+
+import Shared::Make<TreeImpl, Impl>
diff --git a/javascript/ql/src/Security/CWE-020/HostnameRegexpShared.qll b/javascript/ql/src/Security/CWE-020/HostnameRegexpShared.qll
index 5e9bc406512..524be45c653 100644
--- a/javascript/ql/src/Security/CWE-020/HostnameRegexpShared.qll
+++ b/javascript/ql/src/Security/CWE-020/HostnameRegexpShared.qll
@@ -3,200 +3,5 @@
  * that match URLs and hostname patterns.
  */
 
-private import HostnameRegexpSpecific
-
-/**
- * Holds if the given constant is unlikely to occur in the origin part of a URL.
- */
-predicate isConstantInvalidInsideOrigin(RegExpConstant term) {
-  // Look for any of these cases:
-  // - A character that can't occur in the origin
-  // - Two dashes in a row
-  // - A colon that is not part of port or scheme separator
-  // - A slash that is not part of scheme separator
-  term.getValue().regexpMatch(".*(?:[^a-zA-Z0-9.:/-]|--|:[^0-9/]|(?<![/:]|^)/).*")
-}
-
-/** Holds if `term` is a dot constant of form `\.` or `[.]`. */
-predicate isDotConstant(RegExpTerm term) {
-  term.(RegExpCharEscape).getValue() = "."
-  or
-  exists(RegExpCharacterClass cls |
-    term = cls and
-    not cls.isInverted() and
-    cls.getNumChild() = 1 and
-    cls.getAChild().(RegExpConstant).getValue() = "."
-  )
-}
-
-/** Holds if `term` is a wildcard `.` or an actual `.` character. */
-predicate isDotLike(RegExpTerm term) {
-  term instanceof RegExpDot
-  or
-  isDotConstant(term)
-}
-
-/** Holds if `term` will only ever be matched against the beginning of the input. */
-predicate matchesBeginningOfString(RegExpTerm term) {
-  term.isRootTerm()
-  or
-  exists(RegExpTerm parent | matchesBeginningOfString(parent) |
-    term = parent.(RegExpSequence).getChild(0)
-    or
-    parent.(RegExpSequence).getChild(0) instanceof RegExpCaret and
-    term = parent.(RegExpSequence).getChild(1)
-    or
-    term = parent.(RegExpAlt).getAChild()
-    or
-    term = parent.(RegExpGroup).getAChild()
-  )
-}
-
-/**
- * Holds if the given sequence `seq` contains top-level domain preceded by a dot, such as `.com`,
- * excluding cases where this is at the very beginning of the regexp.
- *
- * `i` is bound to the index of the last child in the top-level domain part.
- */
-predicate hasTopLevelDomainEnding(RegExpSequence seq, int i) {
-  seq.getChild(i)
-      .(RegExpConstant)
-      .getValue()
-      .regexpMatch("(?i)" + RegExpPatterns::getACommonTld() + "(:\\d+)?([/?#].*)?") and
-  isDotLike(seq.getChild(i - 1)) and
-  not (i = 1 and matchesBeginningOfString(seq))
-}
-
-/**
- * Holds if the given regular expression term contains top-level domain preceded by a dot,
- * such as `.com`.
- */
-predicate hasTopLevelDomainEnding(RegExpSequence seq) { hasTopLevelDomainEnding(seq, _) }
-
-/**
- * Holds if `term` will always match a hostname, that is, all disjunctions contain
- * a hostname pattern that isn't inside a quantifier.
- */
-predicate alwaysMatchesHostname(RegExpTerm term) {
-  hasTopLevelDomainEnding(term, _)
-  or
-  // `localhost` is considered a hostname pattern, but has no TLD
-  term.(RegExpConstant).getValue().regexpMatch("\\blocalhost\\b")
-  or
-  not term instanceof RegExpAlt and
-  not term instanceof RegExpQuantifier and
-  alwaysMatchesHostname(term.getAChild())
-  or
-  alwaysMatchesHostnameAlt(term)
-}
-
-/** Holds if every child of `alt` contains a hostname pattern. */
-predicate alwaysMatchesHostnameAlt(RegExpAlt alt) {
-  alwaysMatchesHostnameAlt(alt, alt.getNumChild() - 1)
-}
-
-/**
- * Holds if the first `i` children of `alt` contains a hostname pattern.
- *
- * This is used instead of `forall` to avoid materializing the set of alternatives
- * that don't contains hostnames, which is much larger.
- */
-predicate alwaysMatchesHostnameAlt(RegExpAlt alt, int i) {
-  alwaysMatchesHostname(alt.getChild(0)) and i = 0
-  or
-  alwaysMatchesHostnameAlt(alt, i - 1) and
-  alwaysMatchesHostname(alt.getChild(i))
-}
-
-/**
- * Holds if `term` occurs inside a quantifier or alternative (and thus
- * can not be expected to correspond to a unique match), or as part of
- * a lookaround assertion (which are rarely used for capture groups).
- */
-predicate isInsideChoiceOrSubPattern(RegExpTerm term) {
-  exists(RegExpParent parent | parent = term.getParent() |
-    parent instanceof RegExpAlt
-    or
-    parent instanceof RegExpQuantifier
-    or
-    parent instanceof RegExpSubPattern
-    or
-    isInsideChoiceOrSubPattern(parent)
-  )
-}
-
-/**
- * Holds if `group` is likely to be used as a capture group.
- */
-predicate isLikelyCaptureGroup(RegExpGroup group) {
-  group.isCapture() and
-  not isInsideChoiceOrSubPattern(group)
-}
-
-/**
- * Holds if `seq` contains two consecutive dots `..` or escaped dots.
- *
- * At least one of these dots is not intended to be a subdomain separator,
- * so we avoid flagging the pattern in this case.
- */
-predicate hasConsecutiveDots(RegExpSequence seq) {
-  exists(int i |
-    isDotLike(seq.getChild(i)) and
-    isDotLike(seq.getChild(i + 1))
-  )
-}
-
-predicate isIncompleteHostNameRegExpPattern(RegExpTerm regexp, RegExpSequence seq, string msg) {
-  seq = regexp.getAChild*() and
-  exists(RegExpDot unescapedDot, int i, string hostname |
-    hasTopLevelDomainEnding(seq, i) and
-    not isConstantInvalidInsideOrigin(seq.getChild([0 .. i - 1]).getAChild*()) and
-    not isLikelyCaptureGroup(seq.getChild([i .. seq.getNumChild() - 1]).getAChild*()) and
-    unescapedDot = seq.getChild([0 .. i - 1]).getAChild*() and
-    unescapedDot != seq.getChild(i - 1) and // Should not be the '.' immediately before the TLD
-    not hasConsecutiveDots(unescapedDot.getParent()) and
-    hostname =
-      seq.getChild(i - 2).getRawValue() + seq.getChild(i - 1).getRawValue() +
-        seq.getChild(i).getRawValue()
-  |
-    if unescapedDot.getParent() instanceof RegExpQuantifier
-    then
-      // `.*\.example.com` can match `evil.com/?x=.example.com`
-      //
-      // This problem only occurs when the pattern is applied against a full URL, not just a hostname/origin.
-      // We therefore check if the pattern includes a suffix after the TLD, such as `.*\.example.com/`.
-      // Note that a post-anchored pattern (`.*\.example.com$`) will usually fail to match a full URL,
-      // and patterns with neither a suffix nor an anchor fall under the purview of MissingRegExpAnchor.
-      seq.getChild(0) instanceof RegExpCaret and
-      not seq.getAChild() instanceof RegExpDollar and
-      seq.getChild([i .. i + 1]).(RegExpConstant).getValue().regexpMatch(".*[/?#].*") and
-      msg =
-        "has an unrestricted wildcard '" + unescapedDot.getParent().(RegExpQuantifier).getRawValue()
-          + "' which may cause '" + hostname +
-          "' to be matched anywhere in the URL, outside the hostname."
-    else
-      msg =
-        "has an unescaped '.' before '" + hostname +
-          "', so it might match more hosts than expected."
-  )
-}
-
-predicate incompleteHostnameRegExp(
-  RegExpSequence hostSequence, string message, DataFlow::Node aux, string label
-) {
-  exists(RegExpPatternSource re, RegExpTerm regexp, string msg, string kind |
-    regexp = re.getRegExpTerm() and
-    isIncompleteHostNameRegExpPattern(regexp, hostSequence, msg) and
-    (
-      if re.getAParse() != re
-      then (
-        kind = "string, which is used as a regular expression $@," and
-        aux = re.getAParse()
-      ) else (
-        kind = "regular expression" and aux = re
-      )
-    )
-  |
-    message = "This " + kind + " " + msg and label = "here"
-  )
-}
+deprecated import semmle.javascript.security.regexp.HostnameRegexp as Dep
+import Dep
diff --git a/javascript/ql/src/Security/CWE-020/HostnameRegexpSpecific.qll b/javascript/ql/src/Security/CWE-020/HostnameRegexpSpecific.qll
deleted file mode 100644
index 7046b14f09d..00000000000
--- a/javascript/ql/src/Security/CWE-020/HostnameRegexpSpecific.qll
+++ /dev/null
@@ -1 +0,0 @@
-import javascript
diff --git a/javascript/ql/src/Security/CWE-020/IncompleteHostnameRegExp.ql b/javascript/ql/src/Security/CWE-020/IncompleteHostnameRegExp.ql
index 3ae844bf57f..2bf62b710a0 100644
--- a/javascript/ql/src/Security/CWE-020/IncompleteHostnameRegExp.ql
+++ b/javascript/ql/src/Security/CWE-020/IncompleteHostnameRegExp.ql
@@ -11,6 +11,6 @@
  *       external/cwe/cwe-020
  */
 
-import HostnameRegexpShared
+private import semmle.javascript.security.regexp.HostnameRegexp as HostnameRegexp
 
-query predicate problems = incompleteHostnameRegExp/4;
+query predicate problems = HostnameRegexp::incompleteHostnameRegExp/4;
diff --git a/javascript/ql/src/Security/CWE-020/MissingRegExpAnchor.ql b/javascript/ql/src/Security/CWE-020/MissingRegExpAnchor.ql
index cd71f5c6a49..504739a68ae 100644
--- a/javascript/ql/src/Security/CWE-020/MissingRegExpAnchor.ql
+++ b/javascript/ql/src/Security/CWE-020/MissingRegExpAnchor.ql
@@ -11,29 +11,10 @@
  *       external/cwe/cwe-020
  */
 
-import javascript
-import HostnameRegexpShared
-
-/** Holds if `term` is one of the transitive left children of a regexp. */
-predicate isLeftArmTerm(RegExpTerm term) {
-  term.isRootTerm()
-  or
-  exists(RegExpTerm parent |
-    term = parent.getChild(0) and
-    isLeftArmTerm(parent)
-  )
-}
-
-/** Holds if `term` is one of the transitive right children of a regexp. */
-predicate isRightArmTerm(RegExpTerm term) {
-  term.isRootTerm()
-  or
-  exists(RegExpTerm parent |
-    term = parent.getLastChild() and
-    isRightArmTerm(parent)
-  )
-}
+private import javascript
+private import semmle.javascript.security.regexp.HostnameRegexp
 
+// TODO: Share the below code.
 /**
  * Holds if `term` is an anchor that is not the first or last node
  * in its tree.
diff --git a/python/ql/lib/semmle/python/RegexTreeView.qll b/python/ql/lib/semmle/python/RegexTreeView.qll
index 8a5d95cc7cf..5be80d94ec4 100644
--- a/python/ql/lib/semmle/python/RegexTreeView.qll
+++ b/python/ql/lib/semmle/python/RegexTreeView.qll
@@ -454,7 +454,7 @@ module Impl implements RegexTreeViewSig {
     override string getPrimaryQLClass() { result = "RegExpAlt" }
   }
 
-  additional class RegExpCharEscape = RegExpEscape;
+  class RegExpCharEscape = RegExpEscape;
 
   /**
    * An escaped regular expression term, that is, a regular expression
diff --git a/python/ql/lib/semmle/python/security/regexp/HostnameRegex.qll b/python/ql/lib/semmle/python/security/regexp/HostnameRegex.qll
new file mode 100644
index 00000000000..db0ab155b3e
--- /dev/null
+++ b/python/ql/lib/semmle/python/security/regexp/HostnameRegex.qll
@@ -0,0 +1,20 @@
+/**
+ * Provides predicates for reasoning about regular expressions
+ * that match URLs and hostname patterns.
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.RegexTreeView::RegexTreeView as TreeImpl
+private import semmle.python.dataflow.new.Regexp as Regexp
+private import codeql.regex.HostnameRegexp as Shared
+
+private module Impl implements Shared::HostnameRegexpSig<TreeImpl> {
+  class DataFlowNode = DataFlow::Node;
+
+  class RegExpPatternSource = Regexp::RegExpPatternSource;
+
+  string getACommonTld() { result = Regexp::RegExpPatterns::getACommonTld() }
+}
+
+import Shared::Make<TreeImpl, Impl>
diff --git a/python/ql/src/Security/CWE-020/HostnameRegexpShared.qll b/python/ql/src/Security/CWE-020/HostnameRegexpShared.qll
index 5e9bc406512..d15714d406a 100644
--- a/python/ql/src/Security/CWE-020/HostnameRegexpShared.qll
+++ b/python/ql/src/Security/CWE-020/HostnameRegexpShared.qll
@@ -3,200 +3,6 @@
  * that match URLs and hostname patterns.
  */
 
-private import HostnameRegexpSpecific
-
-/**
- * Holds if the given constant is unlikely to occur in the origin part of a URL.
- */
-predicate isConstantInvalidInsideOrigin(RegExpConstant term) {
-  // Look for any of these cases:
-  // - A character that can't occur in the origin
-  // - Two dashes in a row
-  // - A colon that is not part of port or scheme separator
-  // - A slash that is not part of scheme separator
-  term.getValue().regexpMatch(".*(?:[^a-zA-Z0-9.:/-]|--|:[^0-9/]|(?<![/:]|^)/).*")
-}
-
-/** Holds if `term` is a dot constant of form `\.` or `[.]`. */
-predicate isDotConstant(RegExpTerm term) {
-  term.(RegExpCharEscape).getValue() = "."
-  or
-  exists(RegExpCharacterClass cls |
-    term = cls and
-    not cls.isInverted() and
-    cls.getNumChild() = 1 and
-    cls.getAChild().(RegExpConstant).getValue() = "."
-  )
-}
-
-/** Holds if `term` is a wildcard `.` or an actual `.` character. */
-predicate isDotLike(RegExpTerm term) {
-  term instanceof RegExpDot
-  or
-  isDotConstant(term)
-}
-
-/** Holds if `term` will only ever be matched against the beginning of the input. */
-predicate matchesBeginningOfString(RegExpTerm term) {
-  term.isRootTerm()
-  or
-  exists(RegExpTerm parent | matchesBeginningOfString(parent) |
-    term = parent.(RegExpSequence).getChild(0)
-    or
-    parent.(RegExpSequence).getChild(0) instanceof RegExpCaret and
-    term = parent.(RegExpSequence).getChild(1)
-    or
-    term = parent.(RegExpAlt).getAChild()
-    or
-    term = parent.(RegExpGroup).getAChild()
-  )
-}
-
-/**
- * Holds if the given sequence `seq` contains top-level domain preceded by a dot, such as `.com`,
- * excluding cases where this is at the very beginning of the regexp.
- *
- * `i` is bound to the index of the last child in the top-level domain part.
- */
-predicate hasTopLevelDomainEnding(RegExpSequence seq, int i) {
-  seq.getChild(i)
-      .(RegExpConstant)
-      .getValue()
-      .regexpMatch("(?i)" + RegExpPatterns::getACommonTld() + "(:\\d+)?([/?#].*)?") and
-  isDotLike(seq.getChild(i - 1)) and
-  not (i = 1 and matchesBeginningOfString(seq))
-}
-
-/**
- * Holds if the given regular expression term contains top-level domain preceded by a dot,
- * such as `.com`.
- */
-predicate hasTopLevelDomainEnding(RegExpSequence seq) { hasTopLevelDomainEnding(seq, _) }
-
-/**
- * Holds if `term` will always match a hostname, that is, all disjunctions contain
- * a hostname pattern that isn't inside a quantifier.
- */
-predicate alwaysMatchesHostname(RegExpTerm term) {
-  hasTopLevelDomainEnding(term, _)
-  or
-  // `localhost` is considered a hostname pattern, but has no TLD
-  term.(RegExpConstant).getValue().regexpMatch("\\blocalhost\\b")
-  or
-  not term instanceof RegExpAlt and
-  not term instanceof RegExpQuantifier and
-  alwaysMatchesHostname(term.getAChild())
-  or
-  alwaysMatchesHostnameAlt(term)
-}
-
-/** Holds if every child of `alt` contains a hostname pattern. */
-predicate alwaysMatchesHostnameAlt(RegExpAlt alt) {
-  alwaysMatchesHostnameAlt(alt, alt.getNumChild() - 1)
-}
-
-/**
- * Holds if the first `i` children of `alt` contains a hostname pattern.
- *
- * This is used instead of `forall` to avoid materializing the set of alternatives
- * that don't contains hostnames, which is much larger.
- */
-predicate alwaysMatchesHostnameAlt(RegExpAlt alt, int i) {
-  alwaysMatchesHostname(alt.getChild(0)) and i = 0
-  or
-  alwaysMatchesHostnameAlt(alt, i - 1) and
-  alwaysMatchesHostname(alt.getChild(i))
-}
-
-/**
- * Holds if `term` occurs inside a quantifier or alternative (and thus
- * can not be expected to correspond to a unique match), or as part of
- * a lookaround assertion (which are rarely used for capture groups).
- */
-predicate isInsideChoiceOrSubPattern(RegExpTerm term) {
-  exists(RegExpParent parent | parent = term.getParent() |
-    parent instanceof RegExpAlt
-    or
-    parent instanceof RegExpQuantifier
-    or
-    parent instanceof RegExpSubPattern
-    or
-    isInsideChoiceOrSubPattern(parent)
-  )
-}
-
-/**
- * Holds if `group` is likely to be used as a capture group.
- */
-predicate isLikelyCaptureGroup(RegExpGroup group) {
-  group.isCapture() and
-  not isInsideChoiceOrSubPattern(group)
-}
-
-/**
- * Holds if `seq` contains two consecutive dots `..` or escaped dots.
- *
- * At least one of these dots is not intended to be a subdomain separator,
- * so we avoid flagging the pattern in this case.
- */
-predicate hasConsecutiveDots(RegExpSequence seq) {
-  exists(int i |
-    isDotLike(seq.getChild(i)) and
-    isDotLike(seq.getChild(i + 1))
-  )
-}
-
-predicate isIncompleteHostNameRegExpPattern(RegExpTerm regexp, RegExpSequence seq, string msg) {
-  seq = regexp.getAChild*() and
-  exists(RegExpDot unescapedDot, int i, string hostname |
-    hasTopLevelDomainEnding(seq, i) and
-    not isConstantInvalidInsideOrigin(seq.getChild([0 .. i - 1]).getAChild*()) and
-    not isLikelyCaptureGroup(seq.getChild([i .. seq.getNumChild() - 1]).getAChild*()) and
-    unescapedDot = seq.getChild([0 .. i - 1]).getAChild*() and
-    unescapedDot != seq.getChild(i - 1) and // Should not be the '.' immediately before the TLD
-    not hasConsecutiveDots(unescapedDot.getParent()) and
-    hostname =
-      seq.getChild(i - 2).getRawValue() + seq.getChild(i - 1).getRawValue() +
-        seq.getChild(i).getRawValue()
-  |
-    if unescapedDot.getParent() instanceof RegExpQuantifier
-    then
-      // `.*\.example.com` can match `evil.com/?x=.example.com`
-      //
-      // This problem only occurs when the pattern is applied against a full URL, not just a hostname/origin.
-      // We therefore check if the pattern includes a suffix after the TLD, such as `.*\.example.com/`.
-      // Note that a post-anchored pattern (`.*\.example.com$`) will usually fail to match a full URL,
-      // and patterns with neither a suffix nor an anchor fall under the purview of MissingRegExpAnchor.
-      seq.getChild(0) instanceof RegExpCaret and
-      not seq.getAChild() instanceof RegExpDollar and
-      seq.getChild([i .. i + 1]).(RegExpConstant).getValue().regexpMatch(".*[/?#].*") and
-      msg =
-        "has an unrestricted wildcard '" + unescapedDot.getParent().(RegExpQuantifier).getRawValue()
-          + "' which may cause '" + hostname +
-          "' to be matched anywhere in the URL, outside the hostname."
-    else
-      msg =
-        "has an unescaped '.' before '" + hostname +
-          "', so it might match more hosts than expected."
-  )
-}
-
-predicate incompleteHostnameRegExp(
-  RegExpSequence hostSequence, string message, DataFlow::Node aux, string label
-) {
-  exists(RegExpPatternSource re, RegExpTerm regexp, string msg, string kind |
-    regexp = re.getRegExpTerm() and
-    isIncompleteHostNameRegExpPattern(regexp, hostSequence, msg) and
-    (
-      if re.getAParse() != re
-      then (
-        kind = "string, which is used as a regular expression $@," and
-        aux = re.getAParse()
-      ) else (
-        kind = "regular expression" and aux = re
-      )
-    )
-  |
-    message = "This " + kind + " " + msg and label = "here"
-  )
-}
+// HostnameRegexp should be used directly from the shared regex pack, and not from this file.
+deprecated private import semmle.python.security.regexp.HostnameRegex as Dep
+import Dep
diff --git a/python/ql/src/Security/CWE-020/HostnameRegexpSpecific.qll b/python/ql/src/Security/CWE-020/HostnameRegexpSpecific.qll
deleted file mode 100644
index 5f60495b202..00000000000
--- a/python/ql/src/Security/CWE-020/HostnameRegexpSpecific.qll
+++ /dev/null
@@ -1,3 +0,0 @@
-import semmle.python.RegexTreeView
-import semmle.python.dataflow.new.DataFlow
-import semmle.python.dataflow.new.Regexp
diff --git a/python/ql/src/Security/CWE-020/IncompleteHostnameRegExp.ql b/python/ql/src/Security/CWE-020/IncompleteHostnameRegExp.ql
index db7129e5ac5..d394107f9d6 100644
--- a/python/ql/src/Security/CWE-020/IncompleteHostnameRegExp.ql
+++ b/python/ql/src/Security/CWE-020/IncompleteHostnameRegExp.ql
@@ -11,6 +11,6 @@
  *       external/cwe/cwe-020
  */
 
-import HostnameRegexpShared
+private import semmle.python.security.regexp.HostnameRegex as HostnameRegex
 
-query predicate problems = incompleteHostnameRegExp/4;
+query predicate problems = HostnameRegex::incompleteHostnameRegExp/4;
diff --git a/ruby/ql/lib/codeql/ruby/regexp/RegExpTreeView.qll b/ruby/ql/lib/codeql/ruby/regexp/RegExpTreeView.qll
index 4a0b40ccfb2..3f56d3f59b0 100644
--- a/ruby/ql/lib/codeql/ruby/regexp/RegExpTreeView.qll
+++ b/ruby/ql/lib/codeql/ruby/regexp/RegExpTreeView.qll
@@ -539,7 +539,7 @@ private module Impl implements RegexTreeViewSig {
     override predicate isNullable() { this.getAChild().isNullable() }
   }
 
-  additional class RegExpCharEscape = RegExpEscape;
+  class RegExpCharEscape = RegExpEscape;
 
   /**
    * An escaped regular expression term, that is, a regular expression
diff --git a/ruby/ql/lib/codeql/ruby/security/regexp/HostnameRegexp.qll b/ruby/ql/lib/codeql/ruby/security/regexp/HostnameRegexp.qll
new file mode 100644
index 00000000000..234cf1e9593
--- /dev/null
+++ b/ruby/ql/lib/codeql/ruby/security/regexp/HostnameRegexp.qll
@@ -0,0 +1,19 @@
+/**
+ * Provides predicates for reasoning about regular expressions
+ * that match URLs and hostname patterns.
+ */
+
+private import ruby
+private import codeql.ruby.regexp.RegExpTreeView::RegexTreeView as TreeImpl
+private import codeql.ruby.Regexp as Regexp
+private import codeql.regex.HostnameRegexp as Shared
+
+private module Impl implements Shared::HostnameRegexpSig<TreeImpl> {
+  class DataFlowNode = DataFlow::Node;
+
+  class RegExpPatternSource = Regexp::RegExpPatternSource;
+
+  string getACommonTld() { result = Regexp::RegExpPatterns::getACommonTld() }
+}
+
+import Shared::Make<TreeImpl, Impl>
diff --git a/ruby/ql/src/queries/security/cwe-020/HostnameRegexpShared.qll b/ruby/ql/src/queries/security/cwe-020/HostnameRegexpShared.qll
index 5e9bc406512..dc3ed9aeaf7 100644
--- a/ruby/ql/src/queries/security/cwe-020/HostnameRegexpShared.qll
+++ b/ruby/ql/src/queries/security/cwe-020/HostnameRegexpShared.qll
@@ -3,200 +3,6 @@
  * that match URLs and hostname patterns.
  */
 
-private import HostnameRegexpSpecific
-
-/**
- * Holds if the given constant is unlikely to occur in the origin part of a URL.
- */
-predicate isConstantInvalidInsideOrigin(RegExpConstant term) {
-  // Look for any of these cases:
-  // - A character that can't occur in the origin
-  // - Two dashes in a row
-  // - A colon that is not part of port or scheme separator
-  // - A slash that is not part of scheme separator
-  term.getValue().regexpMatch(".*(?:[^a-zA-Z0-9.:/-]|--|:[^0-9/]|(?<![/:]|^)/).*")
-}
-
-/** Holds if `term` is a dot constant of form `\.` or `[.]`. */
-predicate isDotConstant(RegExpTerm term) {
-  term.(RegExpCharEscape).getValue() = "."
-  or
-  exists(RegExpCharacterClass cls |
-    term = cls and
-    not cls.isInverted() and
-    cls.getNumChild() = 1 and
-    cls.getAChild().(RegExpConstant).getValue() = "."
-  )
-}
-
-/** Holds if `term` is a wildcard `.` or an actual `.` character. */
-predicate isDotLike(RegExpTerm term) {
-  term instanceof RegExpDot
-  or
-  isDotConstant(term)
-}
-
-/** Holds if `term` will only ever be matched against the beginning of the input. */
-predicate matchesBeginningOfString(RegExpTerm term) {
-  term.isRootTerm()
-  or
-  exists(RegExpTerm parent | matchesBeginningOfString(parent) |
-    term = parent.(RegExpSequence).getChild(0)
-    or
-    parent.(RegExpSequence).getChild(0) instanceof RegExpCaret and
-    term = parent.(RegExpSequence).getChild(1)
-    or
-    term = parent.(RegExpAlt).getAChild()
-    or
-    term = parent.(RegExpGroup).getAChild()
-  )
-}
-
-/**
- * Holds if the given sequence `seq` contains top-level domain preceded by a dot, such as `.com`,
- * excluding cases where this is at the very beginning of the regexp.
- *
- * `i` is bound to the index of the last child in the top-level domain part.
- */
-predicate hasTopLevelDomainEnding(RegExpSequence seq, int i) {
-  seq.getChild(i)
-      .(RegExpConstant)
-      .getValue()
-      .regexpMatch("(?i)" + RegExpPatterns::getACommonTld() + "(:\\d+)?([/?#].*)?") and
-  isDotLike(seq.getChild(i - 1)) and
-  not (i = 1 and matchesBeginningOfString(seq))
-}
-
-/**
- * Holds if the given regular expression term contains top-level domain preceded by a dot,
- * such as `.com`.
- */
-predicate hasTopLevelDomainEnding(RegExpSequence seq) { hasTopLevelDomainEnding(seq, _) }
-
-/**
- * Holds if `term` will always match a hostname, that is, all disjunctions contain
- * a hostname pattern that isn't inside a quantifier.
- */
-predicate alwaysMatchesHostname(RegExpTerm term) {
-  hasTopLevelDomainEnding(term, _)
-  or
-  // `localhost` is considered a hostname pattern, but has no TLD
-  term.(RegExpConstant).getValue().regexpMatch("\\blocalhost\\b")
-  or
-  not term instanceof RegExpAlt and
-  not term instanceof RegExpQuantifier and
-  alwaysMatchesHostname(term.getAChild())
-  or
-  alwaysMatchesHostnameAlt(term)
-}
-
-/** Holds if every child of `alt` contains a hostname pattern. */
-predicate alwaysMatchesHostnameAlt(RegExpAlt alt) {
-  alwaysMatchesHostnameAlt(alt, alt.getNumChild() - 1)
-}
-
-/**
- * Holds if the first `i` children of `alt` contains a hostname pattern.
- *
- * This is used instead of `forall` to avoid materializing the set of alternatives
- * that don't contains hostnames, which is much larger.
- */
-predicate alwaysMatchesHostnameAlt(RegExpAlt alt, int i) {
-  alwaysMatchesHostname(alt.getChild(0)) and i = 0
-  or
-  alwaysMatchesHostnameAlt(alt, i - 1) and
-  alwaysMatchesHostname(alt.getChild(i))
-}
-
-/**
- * Holds if `term` occurs inside a quantifier or alternative (and thus
- * can not be expected to correspond to a unique match), or as part of
- * a lookaround assertion (which are rarely used for capture groups).
- */
-predicate isInsideChoiceOrSubPattern(RegExpTerm term) {
-  exists(RegExpParent parent | parent = term.getParent() |
-    parent instanceof RegExpAlt
-    or
-    parent instanceof RegExpQuantifier
-    or
-    parent instanceof RegExpSubPattern
-    or
-    isInsideChoiceOrSubPattern(parent)
-  )
-}
-
-/**
- * Holds if `group` is likely to be used as a capture group.
- */
-predicate isLikelyCaptureGroup(RegExpGroup group) {
-  group.isCapture() and
-  not isInsideChoiceOrSubPattern(group)
-}
-
-/**
- * Holds if `seq` contains two consecutive dots `..` or escaped dots.
- *
- * At least one of these dots is not intended to be a subdomain separator,
- * so we avoid flagging the pattern in this case.
- */
-predicate hasConsecutiveDots(RegExpSequence seq) {
-  exists(int i |
-    isDotLike(seq.getChild(i)) and
-    isDotLike(seq.getChild(i + 1))
-  )
-}
-
-predicate isIncompleteHostNameRegExpPattern(RegExpTerm regexp, RegExpSequence seq, string msg) {
-  seq = regexp.getAChild*() and
-  exists(RegExpDot unescapedDot, int i, string hostname |
-    hasTopLevelDomainEnding(seq, i) and
-    not isConstantInvalidInsideOrigin(seq.getChild([0 .. i - 1]).getAChild*()) and
-    not isLikelyCaptureGroup(seq.getChild([i .. seq.getNumChild() - 1]).getAChild*()) and
-    unescapedDot = seq.getChild([0 .. i - 1]).getAChild*() and
-    unescapedDot != seq.getChild(i - 1) and // Should not be the '.' immediately before the TLD
-    not hasConsecutiveDots(unescapedDot.getParent()) and
-    hostname =
-      seq.getChild(i - 2).getRawValue() + seq.getChild(i - 1).getRawValue() +
-        seq.getChild(i).getRawValue()
-  |
-    if unescapedDot.getParent() instanceof RegExpQuantifier
-    then
-      // `.*\.example.com` can match `evil.com/?x=.example.com`
-      //
-      // This problem only occurs when the pattern is applied against a full URL, not just a hostname/origin.
-      // We therefore check if the pattern includes a suffix after the TLD, such as `.*\.example.com/`.
-      // Note that a post-anchored pattern (`.*\.example.com$`) will usually fail to match a full URL,
-      // and patterns with neither a suffix nor an anchor fall under the purview of MissingRegExpAnchor.
-      seq.getChild(0) instanceof RegExpCaret and
-      not seq.getAChild() instanceof RegExpDollar and
-      seq.getChild([i .. i + 1]).(RegExpConstant).getValue().regexpMatch(".*[/?#].*") and
-      msg =
-        "has an unrestricted wildcard '" + unescapedDot.getParent().(RegExpQuantifier).getRawValue()
-          + "' which may cause '" + hostname +
-          "' to be matched anywhere in the URL, outside the hostname."
-    else
-      msg =
-        "has an unescaped '.' before '" + hostname +
-          "', so it might match more hosts than expected."
-  )
-}
-
-predicate incompleteHostnameRegExp(
-  RegExpSequence hostSequence, string message, DataFlow::Node aux, string label
-) {
-  exists(RegExpPatternSource re, RegExpTerm regexp, string msg, string kind |
-    regexp = re.getRegExpTerm() and
-    isIncompleteHostNameRegExpPattern(regexp, hostSequence, msg) and
-    (
-      if re.getAParse() != re
-      then (
-        kind = "string, which is used as a regular expression $@," and
-        aux = re.getAParse()
-      ) else (
-        kind = "regular expression" and aux = re
-      )
-    )
-  |
-    message = "This " + kind + " " + msg and label = "here"
-  )
-}
+// HostnameRegexp should be used directly from the shared regex pack, and not from this file.
+deprecated import codeql.ruby.security.regexp.HostnameRegexp as Dep
+import Dep
diff --git a/ruby/ql/src/queries/security/cwe-020/HostnameRegexpSpecific.qll b/ruby/ql/src/queries/security/cwe-020/HostnameRegexpSpecific.qll
deleted file mode 100644
index 42e4445a7ba..00000000000
--- a/ruby/ql/src/queries/security/cwe-020/HostnameRegexpSpecific.qll
+++ /dev/null
@@ -1,2 +0,0 @@
-import codeql.ruby.Regexp
-import codeql.ruby.DataFlow
diff --git a/ruby/ql/src/queries/security/cwe-020/IncompleteHostnameRegExp.ql b/ruby/ql/src/queries/security/cwe-020/IncompleteHostnameRegExp.ql
index f300fc9403f..33db6e4489a 100644
--- a/ruby/ql/src/queries/security/cwe-020/IncompleteHostnameRegExp.ql
+++ b/ruby/ql/src/queries/security/cwe-020/IncompleteHostnameRegExp.ql
@@ -11,6 +11,6 @@
  *       external/cwe/cwe-020
  */
 
-import HostnameRegexpShared
+private import codeql.ruby.security.regexp.HostnameRegexp as HostnameRegxp
 
-query predicate problems = incompleteHostnameRegExp/4;
+query predicate problems = HostnameRegxp::incompleteHostnameRegExp/4;
diff --git a/ruby/ql/src/queries/security/cwe-020/MissingRegExpAnchor.ql b/ruby/ql/src/queries/security/cwe-020/MissingRegExpAnchor.ql
index 45653af568d..e39fb9d4f67 100644
--- a/ruby/ql/src/queries/security/cwe-020/MissingRegExpAnchor.ql
+++ b/ruby/ql/src/queries/security/cwe-020/MissingRegExpAnchor.ql
@@ -11,10 +11,10 @@
  *       external/cwe/cwe-020
  */
 
-import HostnameRegexpShared
 import codeql.ruby.DataFlow
 import codeql.ruby.regexp.RegExpTreeView
 import codeql.ruby.Regexp
+private import codeql.ruby.security.regexp.HostnameRegexp
 
 /**
  * Holds if `term` is a final term, that is, no term will match anything after this one.
@@ -35,26 +35,6 @@ predicate isFinalRegExpTerm(RegExpTerm term) {
   )
 }
 
-/** Holds if `term` is one of the transitive left children of a regexp. */
-predicate isLeftArmTerm(RegExpTerm term) {
-  term.isRootTerm()
-  or
-  exists(RegExpTerm parent |
-    term = parent.getChild(0) and
-    isLeftArmTerm(parent)
-  )
-}
-
-/** Holds if `term` is one of the transitive right children of a regexp. */
-predicate isRightArmTerm(RegExpTerm term) {
-  term.isRootTerm()
-  or
-  exists(RegExpTerm parent |
-    term = parent.getLastChild() and
-    isRightArmTerm(parent)
-  )
-}
-
 /**
  * Holds if `term` is an anchor that is not the first or last node
  * in its tree.
@@ -182,6 +162,7 @@ predicate hasMisleadingAnchorPrecedence(RegExpPatternSource src, string msg) {
  * rather than `\A/\z` which match the start/end of the whole string.
  */
 predicate isLineAnchoredHostnameRegExp(RegExpPatternSource src, string msg) {
+  // TODO: <- this one is Ruby specific.
   // avoid double reporting
   not (
     isSemiAnchoredHostnameRegExp(src, _) or
diff --git a/shared/regex/codeql/regex/HostnameRegexp.qll b/shared/regex/codeql/regex/HostnameRegexp.qll
new file mode 100644
index 00000000000..5370e6e18a9
--- /dev/null
+++ b/shared/regex/codeql/regex/HostnameRegexp.qll
@@ -0,0 +1,268 @@
+/**
+ * Provides predicates for reasoning about regular expressions
+ * that match URLs and hostname patterns.
+ */
+
+private import RegexTreeView
+
+/**
+ * A signature specifying the required parts to perform an
+ * analysis on regular expressions matching hostnames.
+ */
+signature module HostnameRegexpSig<RegexTreeViewSig TreeImpl> {
+  /**
+   * Gets a pattern that matches common top-level domain names in lower case.
+   */
+  string getACommonTld();
+
+  /** A node in the data-flow graph. */
+  class DataFlowNode;
+
+  /** A node in the data-flow graph that represents a regular expression pattern. */
+  class RegExpPatternSource extends DataFlowNode {
+    /**
+     * Gets the root term of the regular expression parsed from this pattern.
+     */
+    TreeImpl::RegExpTerm getRegExpTerm();
+
+    /**
+     * Gets a node where the pattern of this node is parsed as a part of
+     * a regular expression.
+     */
+    DataFlowNode getAParse();
+  }
+}
+
+/**
+ * Classes and predicates implementing an analysis on regular expressions
+ * that match URLs and hostname patterns.
+ */
+module Make<RegexTreeViewSig TreeImpl, HostnameRegexpSig<TreeImpl> Specific> {
+  private import TreeImpl
+
+  /**
+   * Holds if the given constant is unlikely to occur in the origin part of a URL.
+   */
+  predicate isConstantInvalidInsideOrigin(RegExpConstant term) {
+    // Look for any of these cases:
+    // - A character that can't occur in the origin
+    // - Two dashes in a row
+    // - A colon that is not part of port or scheme separator
+    // - A slash that is not part of scheme separator
+    term.getValue().regexpMatch(".*(?:[^a-zA-Z0-9.:/-]|--|:[^0-9/]|(?<![/:]|^)/).*")
+  }
+
+  /** Holds if `term` is a dot constant of form `\.` or `[.]`. */
+  predicate isDotConstant(RegExpTerm term) {
+    term.(RegExpCharEscape).getValue() = "."
+    or
+    exists(RegExpCharacterClass cls |
+      term = cls and
+      not cls.isInverted() and
+      cls.getNumChild() = 1 and
+      cls.getAChild().(RegExpConstant).getValue() = "."
+    )
+  }
+
+  /** Holds if `term` is a wildcard `.` or an actual `.` character. */
+  predicate isDotLike(RegExpTerm term) {
+    term instanceof RegExpDot
+    or
+    isDotConstant(term)
+  }
+
+  /** Holds if `term` will only ever be matched against the beginning of the input. */
+  predicate matchesBeginningOfString(RegExpTerm term) {
+    term.isRootTerm()
+    or
+    exists(RegExpTerm parent | matchesBeginningOfString(parent) |
+      term = parent.(RegExpSequence).getChild(0)
+      or
+      parent.(RegExpSequence).getChild(0) instanceof RegExpCaret and
+      term = parent.(RegExpSequence).getChild(1)
+      or
+      term = parent.(RegExpAlt).getAChild()
+      or
+      term = parent.(RegExpGroup).getAChild()
+    )
+  }
+
+  /**
+   * Holds if the given sequence `seq` contains top-level domain preceded by a dot, such as `.com`,
+   * excluding cases where this is at the very beginning of the regexp.
+   *
+   * `i` is bound to the index of the last child in the top-level domain part.
+   */
+  predicate hasTopLevelDomainEnding(RegExpSequence seq, int i) {
+    seq.getChild(i)
+        .(RegExpConstant)
+        .getValue()
+        .regexpMatch("(?i)" + Specific::getACommonTld() + "(:\\d+)?([/?#].*)?") and
+    isDotLike(seq.getChild(i - 1)) and
+    not (i = 1 and matchesBeginningOfString(seq))
+  }
+
+  /**
+   * Holds if the given regular expression term contains top-level domain preceded by a dot,
+   * such as `.com`.
+   */
+  predicate hasTopLevelDomainEnding(RegExpSequence seq) { hasTopLevelDomainEnding(seq, _) }
+
+  /**
+   * Holds if `term` will always match a hostname, that is, all disjunctions contain
+   * a hostname pattern that isn't inside a quantifier.
+   */
+  predicate alwaysMatchesHostname(RegExpTerm term) {
+    hasTopLevelDomainEnding(term, _)
+    or
+    // `localhost` is considered a hostname pattern, but has no TLD
+    term.(RegExpConstant).getValue().regexpMatch("\\blocalhost\\b")
+    or
+    not term instanceof RegExpAlt and
+    not term instanceof RegExpQuantifier and
+    alwaysMatchesHostname(term.getAChild())
+    or
+    alwaysMatchesHostnameAlt(term)
+  }
+
+  /** Holds if every child of `alt` contains a hostname pattern. */
+  predicate alwaysMatchesHostnameAlt(RegExpAlt alt) {
+    alwaysMatchesHostnameAlt(alt, alt.getNumChild() - 1)
+  }
+
+  /**
+   * Holds if the first `i` children of `alt` contains a hostname pattern.
+   *
+   * This is used instead of `forall` to avoid materializing the set of alternatives
+   * that don't contains hostnames, which is much larger.
+   */
+  predicate alwaysMatchesHostnameAlt(RegExpAlt alt, int i) {
+    alwaysMatchesHostname(alt.getChild(0)) and i = 0
+    or
+    alwaysMatchesHostnameAlt(alt, i - 1) and
+    alwaysMatchesHostname(alt.getChild(i))
+  }
+
+  /**
+   * Holds if `term` occurs inside a quantifier or alternative (and thus
+   * can not be expected to correspond to a unique match), or as part of
+   * a lookaround assertion (which are rarely used for capture groups).
+   */
+  predicate isInsideChoiceOrSubPattern(RegExpTerm term) {
+    exists(RegExpParent parent | parent = term.getParent() |
+      parent instanceof RegExpAlt
+      or
+      parent instanceof RegExpQuantifier
+      or
+      parent instanceof RegExpSubPattern
+      or
+      isInsideChoiceOrSubPattern(parent)
+    )
+  }
+
+  /**
+   * Holds if `group` is likely to be used as a capture group.
+   */
+  predicate isLikelyCaptureGroup(RegExpGroup group) {
+    group.isCapture() and
+    not isInsideChoiceOrSubPattern(group)
+  }
+
+  /**
+   * Holds if `seq` contains two consecutive dots `..` or escaped dots.
+   *
+   * At least one of these dots is not intended to be a subdomain separator,
+   * so we avoid flagging the pattern in this case.
+   */
+  predicate hasConsecutiveDots(RegExpSequence seq) {
+    exists(int i |
+      isDotLike(seq.getChild(i)) and
+      isDotLike(seq.getChild(i + 1))
+    )
+  }
+
+  private predicate isIncompleteHostNameRegExpPattern(
+    RegExpTerm regexp, RegExpSequence seq, string msg
+  ) {
+    seq = regexp.getAChild*() and
+    exists(RegExpDot unescapedDot, int i, string hostname |
+      hasTopLevelDomainEnding(seq, i) and
+      not isConstantInvalidInsideOrigin(seq.getChild([0 .. i - 1]).getAChild*()) and
+      not isLikelyCaptureGroup(seq.getChild([i .. seq.getNumChild() - 1]).getAChild*()) and
+      unescapedDot = seq.getChild([0 .. i - 1]).getAChild*() and
+      unescapedDot != seq.getChild(i - 1) and // Should not be the '.' immediately before the TLD
+      not hasConsecutiveDots(unescapedDot.getParent()) and
+      hostname =
+        seq.getChild(i - 2).getRawValue() + seq.getChild(i - 1).getRawValue() +
+          seq.getChild(i).getRawValue()
+    |
+      if unescapedDot.getParent() instanceof RegExpQuantifier
+      then
+        // `.*\.example.com` can match `evil.com/?x=.example.com`
+        //
+        // This problem only occurs when the pattern is applied against a full URL, not just a hostname/origin.
+        // We therefore check if the pattern includes a suffix after the TLD, such as `.*\.example.com/`.
+        // Note that a post-anchored pattern (`.*\.example.com$`) will usually fail to match a full URL,
+        // and patterns with neither a suffix nor an anchor fall under the purview of MissingRegExpAnchor.
+        seq.getChild(0) instanceof RegExpCaret and
+        not seq.getAChild() instanceof RegExpDollar and
+        seq.getChild([i .. i + 1]).(RegExpConstant).getValue().regexpMatch(".*[/?#].*") and
+        msg =
+          "has an unrestricted wildcard '" +
+            unescapedDot.getParent().(RegExpQuantifier).getRawValue() + "' which may cause '" +
+            hostname + "' to be matched anywhere in the URL, outside the hostname."
+      else
+        msg =
+          "has an unescaped '.' before '" + hostname +
+            "', so it might match more hosts than expected."
+    )
+  }
+
+  /**
+   * Holds if `regexp` is a regular expression that is likely to match a hostname,
+   * but the pattern is incomplete and may match more hosts than intended.
+   */
+  predicate incompleteHostnameRegExp(
+    RegExpSequence hostSequence, string message, Specific::DataFlowNode aux, string label
+  ) {
+    exists(Specific::RegExpPatternSource re, RegExpTerm regexp, string msg, string kind |
+      regexp = re.getRegExpTerm() and
+      isIncompleteHostNameRegExpPattern(regexp, hostSequence, msg) and
+      (
+        if re.getAParse() != re
+        then (
+          kind = "string, which is used as a regular expression $@," and
+          aux = re.getAParse()
+        ) else (
+          kind = "regular expression" and aux = re
+        )
+      )
+    |
+      message = "This " + kind + " " + msg and label = "here"
+    )
+  }
+
+  /** Holds if `term` is one of the transitive left children of a regexp. */
+  predicate isLeftArmTerm(RegExpTerm term) {
+    term.isRootTerm()
+    or
+    exists(RegExpTerm parent |
+      term = parent.getChild(0) and
+      isLeftArmTerm(parent)
+    )
+  }
+
+  /** Holds if `term` is one of the transitive right children of a regexp. */
+  predicate isRightArmTerm(RegExpTerm term) {
+    term.isRootTerm()
+    or
+    exists(RegExpTerm parent |
+      term = getLastChild(parent) and
+      isRightArmTerm(parent)
+    )
+  }
+
+  private RegExpTerm getLastChild(RegExpTerm parent) {
+    result = max(RegExpTerm child, int i | child = parent.getChild(i) | child order by i)
+  }
+}
diff --git a/shared/regex/codeql/regex/RegexTreeView.qll b/shared/regex/codeql/regex/RegexTreeView.qll
index f805bd83185..89beff34359 100644
--- a/shared/regex/codeql/regex/RegexTreeView.qll
+++ b/shared/regex/codeql/regex/RegexTreeView.qll
@@ -210,6 +210,9 @@ signature module RegexTreeViewSig {
      * not a capture group.
      */
     int getNumber();
+
+    /** Holds if this is a capture group. */
+    predicate isCapture();
   }
 
   /**
@@ -325,6 +328,20 @@ signature module RegexTreeViewSig {
     predicate isCharacter();
   }
 
+  /**
+   * A character escape in a regular expression.
+   *
+   * Example:
+   *
+   * ```
+   * \.
+   * ```
+   */
+  class RegExpCharEscape extends RegExpEscape {
+    /** Gets the string matched by this term. */
+    string getValue();
+  }
+
   /**
    * A character class in a regular expression.
    *