22 * Provides a taint-tracking configuration for detecting "reflected server-side cross-site scripting" vulnerabilities.
33 *
44 * Note, for performance reasons: only import this file if
5- * `ReflectedXSS::Configuration ` is needed, otherwise
6- * `XSS::ReflectedXSS ` should be imported instead.
5+ * `ReflectedXssFlow ` is needed, otherwise
6+ * `XSS::ReflectedXss ` should be imported instead.
77 */
88
99private import codeql.ruby.AST
@@ -12,14 +12,16 @@ import codeql.ruby.TaintTracking
1212
1313/**
1414 * Provides a taint-tracking configuration for detecting "reflected server-side cross-site scripting" vulnerabilities.
15+ * DEPRECATED: Use `ReflectedXssFlow`
1516 */
16- module ReflectedXss {
17+ deprecated module ReflectedXss {
1718 import XSS:: ReflectedXss
1819
1920 /**
2021 * A taint-tracking configuration for detecting "reflected server-side cross-site scripting" vulnerabilities.
22+ * DEPRECATED: Use `ReflectedXssFlow`
2123 */
22- class Configuration extends TaintTracking:: Configuration {
24+ deprecated class Configuration extends TaintTracking:: Configuration {
2325 Configuration ( ) { this = "ReflectedXSS" }
2426
2527 override predicate isSource ( DataFlow:: Node source ) { source instanceof Source }
@@ -37,3 +39,22 @@ module ReflectedXss {
3739 }
3840 }
3941}
42+
43+ private module ReflectedXssConfig implements DataFlow:: ConfigSig {
44+ private import XSS:: ReflectedXss as RX
45+
46+ predicate isSource ( DataFlow:: Node source ) { source instanceof RX:: Source }
47+
48+ predicate isSink ( DataFlow:: Node sink ) { sink instanceof RX:: Sink }
49+
50+ predicate isBarrier ( DataFlow:: Node node ) { node instanceof RX:: Sanitizer }
51+
52+ predicate isAdditionalFlowStep ( DataFlow:: Node node1 , DataFlow:: Node node2 ) {
53+ RX:: isAdditionalXssTaintStep ( node1 , node2 )
54+ }
55+ }
56+
57+ /**
58+ * Taint-tracking for detecting "reflected server-side cross-site scripting" vulnerabilities.
59+ */
60+ module ReflectedXssFlow = TaintTracking:: Global< ReflectedXssConfig > ;
0 commit comments