move TaintedPath sink into TaintedPathCustomizations to avoid side-effects

Author: erik-krogh

javascript/ql/src/semmle/javascript/frameworks/Prettier.qll

@@ -26,27 +26,4 @@ private module Prettier {
       )
     }
   }
-
-  private import semmle.javascript.security.dataflow.TaintedPathCustomizations::TaintedPath as TaintedPath
-
-  /**
-   * An argument given to the `prettier` library specificing the location of a config file.
-   */
-  private class PrettierFileSink extends TaintedPath::Sink {
-    PrettierFileSink() {
-      this =
-        API::moduleImport("prettier")
-            .getMember(["resolveConfig", "resolveConfigFile", "getFileInfo"])
-            .getACall()
-            .getArgument(0)
-      or
-      this =
-        API::moduleImport("prettier")
-            .getMember("resolveConfig")
-            .getACall()
-            .getParameter(1)
-            .getMember("config")
-            .getARhs()
-    }
-  }
 }

javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll

@@ -650,6 +650,27 @@ module TaintedPath {
     }
   }
 
+  /**
+   * An argument given to the `prettier` library specificing the location of a config file.
+   */
+  private class PrettierFileSink extends TaintedPath::Sink {
+    PrettierFileSink() {
+      this =
+        API::moduleImport("prettier")
+            .getMember(["resolveConfig", "resolveConfigFile", "getFileInfo"])
+            .getACall()
+            .getArgument(0)
+      or
+      this =
+        API::moduleImport("prettier")
+            .getMember("resolveConfig")
+            .getACall()
+            .getParameter(1)
+            .getMember("config")
+            .getARhs()
+    }
+  }
+
   /**
    * Holds if there is a step `src -> dst` mapping `srclabel` to `dstlabel` relevant for path traversal vulnerabilities.
    */