github
diff --git a/‎go/ql/src/experimental/CWE-79/HTMLTemplateEscapingPassthrough.ql‎
Lines changed: 41 additions & 61 deletions b/‎go/ql/src/experimental/CWE-79/HTMLTemplateEscapingPassthrough.ql‎
Lines changed: 41 additions & 61 deletions
@@ -11,7 +11,6 @@
  */
 
 import go
-import DataFlow::PathGraph
 
 /**
  * Holds if the provided `untrusted` node flows into a conversion to a PassthroughType.
@@ -21,10 +20,10 @@ import DataFlow::PathGraph
 predicate flowsFromUntrustedToConversion(
   DataFlow::Node untrusted, PassthroughTypeName targetType, DataFlow::Node conversionSink
 ) {
-  exists(FlowConfFromUntrustedToPassthroughTypeConversion cfg, DataFlow::Node source |
-    cfg.hasFlow(source, conversionSink) and
+  exists(DataFlow::Node source |
+    UntrustedToPassthroughTypeConversionFlow::flow(source, conversionSink) and
     source = untrusted and
-    targetType = cfg.getDstTypeName()
+    UntrustedToPassthroughTypeConversionConfig::isSinkToPassthroughType(conversionSink, targetType)
   )
 }
 
@@ -42,72 +41,45 @@ class PassthroughTypeName extends string {
  * this allows the injection of arbitrary content (html, css, js) into the generated
  * output of the templates.
  */
-class FlowConfFromUntrustedToPassthroughTypeConversion extends TaintTracking::Configuration {
-  PassthroughTypeName dstTypeName;
+module UntrustedToPassthroughTypeConversionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }
 
-  FlowConfFromUntrustedToPassthroughTypeConversion() {
-    this = "UntrustedToConversion" + dstTypeName
-  }
-
-  /**
-   * Gets the name of conversion's destination type.
-   */
-  PassthroughTypeName getDstTypeName() { result = dstTypeName }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }
-
-  private predicate isSinkToPassthroughType(DataFlow::TypeCastNode sink, PassthroughTypeName name) {
+  additional predicate isSinkToPassthroughType(DataFlow::TypeCastNode sink, PassthroughTypeName name) {
     exists(Type typ |
       typ = sink.getResultType() and
       typ.getUnderlyingType*().hasQualifiedName("html/template", name)
     )
   }
 
-  override predicate isSink(DataFlow::Node sink) { this.isSinkToPassthroughType(sink, dstTypeName) }
+  predicate isSink(DataFlow::Node sink) { isSinkToPassthroughType(sink, _) }
 
-  override predicate isSanitizer(DataFlow::Node sanitizer) {
-    sanitizer instanceof SharedXss::Sanitizer or sanitizer.getType() instanceof NumericType
+  predicate isBarrier(DataFlow::Node node) {
+    node instanceof SharedXss::Sanitizer or node.getType() instanceof NumericType
   }
 }
 
+module UntrustedToPassthroughTypeConversionFlow =
+  TaintTracking::Global<UntrustedToPassthroughTypeConversionConfig>;
+
 /**
  * Holds if the provided `conversion` node flows into the provided `execSink`.
  */
 predicate flowsFromConversionToExec(
   DataFlow::Node conversion, PassthroughTypeName targetType, DataFlow::Node execSink
 ) {
-  exists(
-    FlowConfPassthroughTypeConversionToTemplateExecutionCall cfg, DataFlow::Node source,
-    DataFlow::Node execSinkLocal
-  |
-    cfg.hasFlow(source, execSinkLocal) and
-    source = conversion and
-    execSink = execSinkLocal and
-    targetType = cfg.getDstTypeName()
-  )
+  PassthroughTypeConversionToTemplateExecutionCallFlow::flow(conversion, execSink) and
+  PassthroughTypeConversionToTemplateExecutionCallConfig::isSourceConversionToPassthroughType(conversion,
+    targetType)
 }
 
 /**
  * A taint-tracking configuration for reasoning about when the result of a conversion
  * to a PassthroughType flows to a template execution call.
  */
-class FlowConfPassthroughTypeConversionToTemplateExecutionCall extends TaintTracking::Configuration {
-  PassthroughTypeName dstTypeName;
-
-  FlowConfPassthroughTypeConversionToTemplateExecutionCall() {
-    this = "ConversionToExec" + dstTypeName
-  }
+module PassthroughTypeConversionToTemplateExecutionCallConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { isSourceConversionToPassthroughType(source, _) }
 
-  /**
-   * Gets the name of conversion's destination type.
-   */
-  PassthroughTypeName getDstTypeName() { result = dstTypeName }
-
-  override predicate isSource(DataFlow::Node source) {
-    this.isSourceConversionToPassthroughType(source, dstTypeName)
-  }
-
-  private predicate isSourceConversionToPassthroughType(
+  additional predicate isSourceConversionToPassthroughType(
     DataFlow::TypeCastNode source, PassthroughTypeName name
   ) {
     exists(Type typ |
@@ -116,9 +88,12 @@ class FlowConfPassthroughTypeConversionToTemplateExecutionCall extends TaintTrac
     )
   }
 
-  override predicate isSink(DataFlow::Node sink) { isSinkToTemplateExec(sink, _) }
+  predicate isSink(DataFlow::Node sink) { isSinkToTemplateExec(sink, _) }
 }
 
+module PassthroughTypeConversionToTemplateExecutionCallFlow =
+  TaintTracking::Global<PassthroughTypeConversionToTemplateExecutionCallConfig>;
+
 /**
  * Holds if the sink is a data value argument of a template execution call.
  */
@@ -137,37 +112,42 @@ predicate isSinkToTemplateExec(DataFlow::Node sink, DataFlow::CallNode call) {
  * A taint-tracking configuration for reasoning about when an UntrustedFlowSource
  * flows into a template executor call.
  */
-class FlowConfFromUntrustedToTemplateExecutionCall extends TaintTracking::Configuration {
-  FlowConfFromUntrustedToTemplateExecutionCall() {
-    this = "FlowConfFromUntrustedToTemplateExecutionCall"
-  }
+module FromUntrustedToTemplateExecutionCallConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }
 
-  override predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) { isSinkToTemplateExec(sink, _) }
+  predicate isSink(DataFlow::Node sink) { isSinkToTemplateExec(sink, _) }
 }
 
+module FromUntrustedToTemplateExecutionCallFlow =
+  TaintTracking::Global<FromUntrustedToTemplateExecutionCallConfig>;
+
+import FromUntrustedToTemplateExecutionCallFlow::PathGraph
+
 /**
  * Holds if the provided `untrusted` node flows into the provided `execSink`.
  */
-predicate flowsFromUntrustedToExec(DataFlow::PathNode untrusted, DataFlow::PathNode execSink) {
-  exists(FlowConfFromUntrustedToTemplateExecutionCall cfg | cfg.hasFlowPath(untrusted, execSink))
+predicate flowsFromUntrustedToExec(
+  FromUntrustedToTemplateExecutionCallFlow::PathNode untrusted,
+  FromUntrustedToTemplateExecutionCallFlow::PathNode execSink
+) {
+  FromUntrustedToTemplateExecutionCallFlow::flowPath(untrusted, execSink)
 }
 
 from
-  DataFlow::PathNode untrustedSource, DataFlow::PathNode templateExecCall,
-  PassthroughTypeName targetTypeName, DataFlow::PathNode conversion
+  FromUntrustedToTemplateExecutionCallFlow::PathNode untrustedSource,
+  FromUntrustedToTemplateExecutionCallFlow::PathNode templateExecCall,
+  PassthroughTypeName targetTypeName, DataFlow::Node conversion
 where
   // A = untrusted remote flow source
   // B = conversion to PassthroughType
   // C = template execution call
   // Flows:
   // A -> B
-  flowsFromUntrustedToConversion(untrustedSource.getNode(), targetTypeName, conversion.getNode()) and
+  flowsFromUntrustedToConversion(untrustedSource.getNode(), targetTypeName, conversion) and
   // B -> C
-  flowsFromConversionToExec(conversion.getNode(), targetTypeName, templateExecCall.getNode()) and
+  flowsFromConversionToExec(conversion, targetTypeName, templateExecCall.getNode()) and
   // A -> C
   flowsFromUntrustedToExec(untrustedSource, templateExecCall)
 select templateExecCall.getNode(), untrustedSource, templateExecCall,
   "Data from an $@ will not be auto-escaped because it was $@ to template." + targetTypeName,
-  untrustedSource.getNode(), "untrusted source", conversion.getNode(), "converted"
+  untrustedSource.getNode(), "untrusted source", conversion, "converted"