cklin
diff --git a/‎cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlow.qll
Lines changed: 49 additions & 0 deletions b/‎cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlow.qll
Lines changed: 49 additions & 0 deletions
diff --git a/‎cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlow.qll
Lines changed: 49 additions & 0 deletions b/‎cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlow.qll
Lines changed: 49 additions & 0 deletions
diff --git a/‎csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlow.qll
Lines changed: 49 additions & 0 deletions b/‎csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlow.qll
Lines changed: 49 additions & 0 deletions
diff --git a/‎csharp/ql/lib/semmle/code/csharp/security/dataflow/XSSQuery.qll
Lines changed: 42 additions & 15 deletions b/‎csharp/ql/lib/semmle/code/csharp/security/dataflow/XSSQuery.qll
Lines changed: 42 additions & 15 deletions
diff --git a/‎csharp/ql/src/API Abuse/FormatInvalid.ql
Lines changed: 14 additions & 16 deletions b/‎csharp/ql/src/API Abuse/FormatInvalid.ql
Lines changed: 14 additions & 16 deletions
@@ -361,3 +361,52 @@ module MergePathGraph<
     }
   }
 }
+
+/**
+ * Constructs a `PathGraph` from three `PathGraph`s by disjoint union.
+ */
+module MergePathGraph3<
+  PathNodeSig PathNode1, PathNodeSig PathNode2, PathNodeSig PathNode3,
+  PathGraphSig<PathNode1> Graph1, PathGraphSig<PathNode2> Graph2, PathGraphSig<PathNode3> Graph3>
+{
+  private module MergedInner = MergePathGraph<PathNode1, PathNode2, Graph1, Graph2>;
+
+  private module Merged =
+    MergePathGraph<MergedInner::PathNode, PathNode3, MergedInner::PathGraph, Graph3>;
+
+  /** A node in a graph of path explanations that is formed by disjoint union of the three given graphs. */
+  class PathNode instanceof Merged::PathNode {
+    /** Gets this as a projection on the first given `PathGraph`. */
+    PathNode1 asPathNode1() { result = super.asPathNode1().asPathNode1() }
+
+    /** Gets this as a projection on the second given `PathGraph`. */
+    PathNode2 asPathNode2() { result = super.asPathNode1().asPathNode2() }
+
+    /** Gets this as a projection on the third given `PathGraph`. */
+    PathNode3 asPathNode3() { result = super.asPathNode2() }
+
+    /** Gets a textual representation of this element. */
+    string toString() { result = super.toString() }
+
+    /**
+     * Holds if this element is at the specified location.
+     * The location spans column `startcolumn` of line `startline` to
+     * column `endcolumn` of line `endline` in file `filepath`.
+     * For more information, see
+     * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
+     */
+    predicate hasLocationInfo(
+      string filepath, int startline, int startcolumn, int endline, int endcolumn
+    ) {
+      super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+    }
+
+    /** Gets the underlying `Node`. */
+    Node getNode() { result = super.getNode() }
+  }
+
+  /**
+   * Provides the query predicates needed to include a graph in a path-problem query.
+   */
+  module PathGraph = Merged::PathGraph;
+}
@@ -361,3 +361,52 @@ module MergePathGraph<
     }
   }
 }
+
+/**
+ * Constructs a `PathGraph` from three `PathGraph`s by disjoint union.
+ */
+module MergePathGraph3<
+  PathNodeSig PathNode1, PathNodeSig PathNode2, PathNodeSig PathNode3,
+  PathGraphSig<PathNode1> Graph1, PathGraphSig<PathNode2> Graph2, PathGraphSig<PathNode3> Graph3>
+{
+  private module MergedInner = MergePathGraph<PathNode1, PathNode2, Graph1, Graph2>;
+
+  private module Merged =
+    MergePathGraph<MergedInner::PathNode, PathNode3, MergedInner::PathGraph, Graph3>;
+
+  /** A node in a graph of path explanations that is formed by disjoint union of the three given graphs. */
+  class PathNode instanceof Merged::PathNode {
+    /** Gets this as a projection on the first given `PathGraph`. */
+    PathNode1 asPathNode1() { result = super.asPathNode1().asPathNode1() }
+
+    /** Gets this as a projection on the second given `PathGraph`. */
+    PathNode2 asPathNode2() { result = super.asPathNode1().asPathNode2() }
+
+    /** Gets this as a projection on the third given `PathGraph`. */
+    PathNode3 asPathNode3() { result = super.asPathNode2() }
+
+    /** Gets a textual representation of this element. */
+    string toString() { result = super.toString() }
+
+    /**
+     * Holds if this element is at the specified location.
+     * The location spans column `startcolumn` of line `startline` to
+     * column `endcolumn` of line `endline` in file `filepath`.
+     * For more information, see
+     * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
+     */
+    predicate hasLocationInfo(
+      string filepath, int startline, int startcolumn, int endline, int endcolumn
+    ) {
+      super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+    }
+
+    /** Gets the underlying `Node`. */
+    Node getNode() { result = super.getNode() }
+  }
+
+  /**
+   * Provides the query predicates needed to include a graph in a path-problem query.
+   */
+  module PathGraph = Merged::PathGraph;
+}
@@ -361,3 +361,52 @@ module MergePathGraph<
     }
   }
 }
+
+/**
+ * Constructs a `PathGraph` from three `PathGraph`s by disjoint union.
+ */
+module MergePathGraph3<
+  PathNodeSig PathNode1, PathNodeSig PathNode2, PathNodeSig PathNode3,
+  PathGraphSig<PathNode1> Graph1, PathGraphSig<PathNode2> Graph2, PathGraphSig<PathNode3> Graph3>
+{
+  private module MergedInner = MergePathGraph<PathNode1, PathNode2, Graph1, Graph2>;
+
+  private module Merged =
+    MergePathGraph<MergedInner::PathNode, PathNode3, MergedInner::PathGraph, Graph3>;
+
+  /** A node in a graph of path explanations that is formed by disjoint union of the three given graphs. */
+  class PathNode instanceof Merged::PathNode {
+    /** Gets this as a projection on the first given `PathGraph`. */
+    PathNode1 asPathNode1() { result = super.asPathNode1().asPathNode1() }
+
+    /** Gets this as a projection on the second given `PathGraph`. */
+    PathNode2 asPathNode2() { result = super.asPathNode1().asPathNode2() }
+
+    /** Gets this as a projection on the third given `PathGraph`. */
+    PathNode3 asPathNode3() { result = super.asPathNode2() }
+
+    /** Gets a textual representation of this element. */
+    string toString() { result = super.toString() }
+
+    /**
+     * Holds if this element is at the specified location.
+     * The location spans column `startcolumn` of line `startline` to
+     * column `endcolumn` of line `endline` in file `filepath`.
+     * For more information, see
+     * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
+     */
+    predicate hasLocationInfo(
+      string filepath, int startline, int startcolumn, int endline, int endcolumn
+    ) {
+      super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+    }
+
+    /** Gets the underlying `Node`. */
+    Node getNode() { result = super.getNode() }
+  }
+
+  /**
+   * Provides the query predicates needed to include a graph in a path-problem query.
+   */
+  module PathGraph = Merged::PathGraph;
+}
@@ -18,12 +18,10 @@ private import semmle.code.csharp.dataflow.TaintTracking2
  */
 predicate xssFlow(XssNode source, XssNode sink, string message) {
   // standard taint-tracking
-  exists(
-    TaintTrackingConfiguration c, DataFlow2::PathNode sourceNode, DataFlow2::PathNode sinkNode
-  |
+  exists(XssTracking::PathNode sourceNode, XssTracking::PathNode sinkNode |
     sourceNode = source.asDataFlowNode() and
     sinkNode = sink.asDataFlowNode() and
-    c.hasFlowPath(sourceNode, sinkNode) and
+    XssTracking::flowPath(sourceNode, sinkNode) and
     message =
       "is written to HTML or JavaScript" +
         any(string explanation |
@@ -45,7 +43,7 @@ predicate xssFlow(XssNode source, XssNode sink, string message) {
 module PathGraph {
   /** Holds if `(pred,succ)` is an edge in the graph of data flow path explanations. */
   query predicate edges(XssNode pred, XssNode succ) {
-    exists(DataFlow2::PathNode a, DataFlow2::PathNode b | DataFlow2::PathGraph::edges(a, b) |
+    exists(XssTracking::PathNode a, XssTracking::PathNode b | XssTracking::PathGraph::edges(a, b) |
       pred.asDataFlowNode() = a and
       succ.asDataFlowNode() = b
     )
@@ -56,7 +54,7 @@ module PathGraph {
 
   /** Holds if `n` is a node in the graph of data flow path explanations. */
   query predicate nodes(XssNode n, string key, string val) {
-    DataFlow2::PathGraph::nodes(n.asDataFlowNode(), key, val)
+    XssTracking::PathGraph::nodes(n.asDataFlowNode(), key, val)
     or
     xssFlow(n, n, _) and
     key = "semmle.label" and
@@ -69,13 +67,13 @@ module PathGraph {
    * `ret -> out` is summarized as the edge `arg -> out`.
    */
   query predicate subpaths(XssNode arg, XssNode par, XssNode ret, XssNode out) {
-    DataFlow2::PathGraph::subpaths(arg.asDataFlowNode(), par.asDataFlowNode(), ret.asDataFlowNode(),
-      out.asDataFlowNode())
+    XssTracking::PathGraph::subpaths(arg.asDataFlowNode(), par.asDataFlowNode(),
+      ret.asDataFlowNode(), out.asDataFlowNode())
   }
 }
 
 private newtype TXssNode =
-  TXssDataFlowNode(DataFlow2::PathNode node) or
+  TXssDataFlowNode(XssTracking::PathNode node) or
   TXssAspNode(AspInlineMember m)
 
 /**
@@ -90,21 +88,25 @@ class XssNode extends TXssNode {
   /** Gets the location of this node. */
   Location getLocation() { none() }
 
-  /** Gets the data flow node corresponding to this node, if any. */
-  DataFlow2::PathNode asDataFlowNode() { result = this.(XssDataFlowNode).getDataFlowNode() }
+  /**
+   * Gets the data flow node corresponding to this node, if any.
+   */
+  XssTracking::PathNode asDataFlowNode() { result = this.(XssDataFlowNode).getDataFlowNode() }
 
   /** Gets the ASP inline code element corresponding to this node, if any. */
   AspInlineMember asAspInlineMember() { result = this.(XssAspNode).getAspInlineMember() }
 }
 
-/** A data flow node, viewed as an XSS flow node. */
+/**
+ * A data flow node, viewed as an XSS flow node.
+ */
 class XssDataFlowNode extends TXssDataFlowNode, XssNode {
-  DataFlow2::PathNode node;
+  XssTracking::PathNode node;
 
   XssDataFlowNode() { this = TXssDataFlowNode(node) }
 
   /** Gets the data flow node corresponding to this node. */
-  DataFlow2::PathNode getDataFlowNode() { result = node }
+  XssTracking::PathNode getDataFlowNode() { result = node }
 
   override string toString() { result = node.toString() }
 
@@ -136,9 +138,11 @@ abstract class Source extends DataFlow::Node { }
 abstract class Sanitizer extends DataFlow::ExprNode { }
 
 /**
+ * DEPRECATED: Use `XssTracking` instead.
+ *
  * A taint-tracking configuration for cross-site scripting (XSS) vulnerabilities.
  */
-class TaintTrackingConfiguration extends TaintTracking2::Configuration {
+deprecated class TaintTrackingConfiguration extends TaintTracking2::Configuration {
   TaintTrackingConfiguration() { this = "XSSDataFlowConfiguration" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -148,6 +152,29 @@ class TaintTrackingConfiguration extends TaintTracking2::Configuration {
   override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
 }
 
+/**
+ * A taint-tracking configuration for cross-site scripting (XSS) vulnerabilities.
+ */
+module XssTrackingConfig implements DataFlow::ConfigSig {
+  /**
+   * Holds if `source` is a relevant data flow source.
+   */
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  /**
+   * Holds if `sink` is a relevant data flow sink.
+   */
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  /**
+   * Holds if data flow through `node` is prohibited. This completely removes
+   * `node` from the data flow graph.
+   */
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+module XssTracking = TaintTracking::Global<XssTrackingConfig>;
+
 /** A source of remote user input. */
 private class RemoteSource extends Source instanceof RemoteFlowSource { }
 
 
@@ -12,38 +12,36 @@
 
 import csharp
 import semmle.code.csharp.frameworks.Format
-import DataFlow::PathGraph
+import FormatInvalid::PathGraph
 
-private class FormatConfiguration extends DataFlow::Configuration {
-  FormatConfiguration() { this = "format" }
+module FormatInvalidConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node n) { n.asExpr() instanceof StringLiteral }
 
-  override predicate isSource(DataFlow::Node n) { n.asExpr() instanceof StringLiteral }
-
-  override predicate isSink(DataFlow::Node n) {
-    exists(FormatCall c | n.asExpr() = c.getFormatExpr())
-  }
+  predicate isSink(DataFlow::Node n) { exists(FormatCall c | n.asExpr() = c.getFormatExpr()) }
 }
 
+module FormatInvalid = DataFlow::Global<FormatInvalidConfig>;
+
 private predicate invalidFormatString(
-  InvalidFormatString src, DataFlow::PathNode source, DataFlow::PathNode sink, string msg,
+  InvalidFormatString src, FormatInvalid::PathNode source, FormatInvalid::PathNode sink, string msg,
   FormatCall call, string callString
 ) {
   source.getNode().asExpr() = src and
   sink.getNode().asExpr() = call.getFormatExpr() and
-  any(FormatConfiguration conf).hasFlowPath(source, sink) and
+  FormatInvalid::flowPath(source, sink) and
   call.hasInsertions() and
   msg = "Invalid format string used in $@ formatting call." and
   callString = "this"
 }
 
 private predicate unusedArgument(
-  FormatCall call, DataFlow::PathNode source, DataFlow::PathNode sink, string msg,
+  FormatCall call, FormatInvalid::PathNode source, FormatInvalid::PathNode sink, string msg,
   ValidFormatString src, string srcString, Expr unusedExpr, string unusedString
 ) {
   exists(int unused |
     source.getNode().asExpr() = src and
     sink.getNode().asExpr() = call.getFormatExpr() and
-    any(FormatConfiguration conf).hasFlowPath(source, sink) and
+    FormatInvalid::flowPath(source, sink) and
     unused = call.getASuppliedArgument() and
     not unused = src.getAnInsert() and
     not src.getValue() = "" and
@@ -55,13 +53,13 @@ private predicate unusedArgument(
 }
 
 private predicate missingArgument(
-  FormatCall call, DataFlow::PathNode source, DataFlow::PathNode sink, string msg,
+  FormatCall call, FormatInvalid::PathNode source, FormatInvalid::PathNode sink, string msg,
   ValidFormatString src, string srcString
 ) {
   exists(int used, int supplied |
     source.getNode().asExpr() = src and
     sink.getNode().asExpr() = call.getFormatExpr() and
-    any(FormatConfiguration conf).hasFlowPath(source, sink) and
+    FormatInvalid::flowPath(source, sink) and
     used = src.getAnInsert() and
     supplied = call.getSuppliedArguments() and
     used >= supplied and
@@ -71,8 +69,8 @@ private predicate missingArgument(
 }
 
 from
-  Element alert, DataFlow::PathNode source, DataFlow::PathNode sink, string msg, Element extra1,
-  string extra1String, Element extra2, string extra2String
+  Element alert, FormatInvalid::PathNode source, FormatInvalid::PathNode sink, string msg,
+  Element extra1, string extra1String, Element extra2, string extra2String
 where
   invalidFormatString(alert, source, sink, msg, extra1, extra1String) and
   extra2 = extra1 and