JS: Move Source def into customizations lib

Author: asgerf

javascript/ql/src/semmle/javascript/security/TaintedObject.qll

@@ -16,22 +16,16 @@
 import javascript
 private import semmle.javascript.dataflow.InferredTypes
 
+/** Provides classes and predicates for reasoning about deeply tainted objects. */
 module TaintedObject {
   private import DataFlow
+  import TaintedObjectCustomizations::TaintedObject
 
-  private class TaintedObjectLabel extends FlowLabel {
-    TaintedObjectLabel() { this = "tainted-object" }
+  // Materialize flow labels
+  private class ConcreteTaintedObjectLabel extends TaintedObjectLabel {
+    ConcreteTaintedObjectLabel() { this = this }
   }
 
-  /**
-   * Gets the flow label representing a deeply tainted object.
-   *
-   * A "tainted object" is an array or object whose property values are all assumed to be tainted as well.
-   *
-   * Note that the presence of the this label generally implies the presence of the `taint` label as well.
-   */
-  FlowLabel label() { result instanceof TaintedObjectLabel }
-
   /**
    * Holds for the flows steps that are relevant for tracking user-controlled JSON objects.
    */
@@ -79,11 +73,6 @@ module TaintedObject {
    */
   predicate isSource(Node source, FlowLabel label) { source instanceof Source and label = label() }
 
-  /**
-   * A source of a user-controlled deep object.
-   */
-  abstract class Source extends DataFlow::Node { }
-
   /** Request input accesses as a JSON source. */
   private class RequestInputAsSource extends Source {
     RequestInputAsSource() { this.(HTTP::RequestInputAccess).isUserControlledObject() }

javascript/ql/src/semmle/javascript/security/TaintedObjectCustomizations.qll

@@ -0,0 +1,28 @@
+/**
+ * Provides access to the "tainted object" flow label defined in `TaintedObject.qll`, without
+ * materializing that flow label.
+ */
+
+import javascript
+
+/** Provides classes and predicates for reasoning about deeply tainted objects. */
+module TaintedObject {
+  /** A flow label representing a deeply tainted object. */
+  abstract class TaintedObjectLabel extends DataFlow::FlowLabel {
+    TaintedObjectLabel() { this = "tainted-object" }
+  }
+
+  /**
+   * Gets the flow label representing a deeply tainted object.
+   *
+   * A "tainted object" is an array or object whose property values are all assumed to be tainted as well.
+   *
+   * Note that the presence of the this label generally implies the presence of the `taint` label as well.
+   */
+  DataFlow::FlowLabel label() { result instanceof TaintedObjectLabel }
+
+  /**
+   * A source of a user-controlled deep object.
+   */
+  abstract class Source extends DataFlow::Node { }
+}

javascript/ql/src/semmle/javascript/security/dataflow/DeepObjectResourceExhaustion.qll

@@ -21,13 +21,7 @@ module DeepObjectResourceExhaustion {
     Configuration() { this = "DeepObjectResourceExhaustion" }
 
     override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
-      source instanceof Source and label = TaintedObject::label()
-      or
-      // We currently can't expose the TaintedObject label in the Customizations library
-      // so just add its default sources here.
-      source instanceof TaintedObject::Source and label = TaintedObject::label()
-      or
-      source instanceof RemoteFlowSource and label.isTaint()
+      source.(Source).getAFlowLabel() = label
     }
 
     override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {

javascript/ql/src/semmle/javascript/security/dataflow/DeepObjectResourceExhaustionCustomizations.qll

@@ -4,6 +4,7 @@
  */
 
 import javascript
+private import semmle.javascript.security.TaintedObjectCustomizations
 
 /**
  * Provides sources, sinks and sanitizers for reasoning about
@@ -13,7 +14,22 @@ module DeepObjectResourceExhaustion {
   /**
    * A data flow source for slow input validation.
    */
-  abstract class Source extends DataFlow::Node { }
+  abstract class Source extends DataFlow::Node {
+    /** Gets a flow label to associate with this source. */
+    DataFlow::FlowLabel getAFlowLabel() { result = TaintedObject::label() }
+  }
+
+  private class TaintedObjectSourceAsSource extends Source {
+    TaintedObjectSourceAsSource() { this instanceof TaintedObject::Source }
+
+    override DataFlow::FlowLabel getAFlowLabel() { result = TaintedObject::label() }
+  }
+
+  private class RemoteFlowSourceAsSource extends Source {
+    RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
+
+    override DataFlow::FlowLabel getAFlowLabel() { result.isTaint() }
+  }
 
   /**
    * A data flow sink for slow input validation.