lift XssSink check to InformationLeakSink

Author: pwntester

java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql

@@ -15,7 +15,6 @@
 import java
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.TaintTracking
-import semmle.code.java.security.XSS
 import semmle.code.java.security.InformationLeak
 
 /**
@@ -91,10 +90,7 @@ class StackTraceStringToHTTPResponseSinkFlowConfig extends TaintTracking::Config
 
   override predicate isSource(DataFlow::Node src) { stackTraceExpr(_, src.asExpr()) }
 
-  override predicate isSink(DataFlow::Node sink) {
-    sink instanceof XssSink or
-    sink instanceof InformationLeakSink
-  }
+  override predicate isSink(DataFlow::Node sink) { sink instanceof InformationLeakSink }
 }
 
 /**
@@ -134,10 +130,7 @@ class GetMessageFlowSourceToHTTPResponseSinkFlowConfig extends TaintTracking::Co
 
   override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof GetMessageFlowSource }
 
-  override predicate isSink(DataFlow::Node sink) {
-    sink instanceof XssSink or
-    sink instanceof InformationLeakSink
-  }
+  override predicate isSink(DataFlow::Node sink) { sink instanceof InformationLeakSink }
 }
 
 /**

java/ql/src/semmle/code/java/security/InformationLeak.qll

@@ -3,6 +3,7 @@
 import java
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.ExternalFlow
+import semmle.code.java.security.XSS
 
 /** CSV sink models representing methods not susceptible to XSS but outputing to an HTTP response body. */
 private class DefaultInformationLeakSinkModel extends SinkModelCsv {
@@ -19,5 +20,8 @@ abstract class InformationLeakSink extends DataFlow::Node { }
 
 /** A default sink representing methods outputing data to an HTTP response. */
 private class DefaultInformationLeakSink extends InformationLeakSink {
-  DefaultInformationLeakSink() { sinkNode(this, "information-leak") }
+  DefaultInformationLeakSink() {
+    sinkNode(this, "information-leak") or
+    this instanceof XssSink
+  }
 }