move the ExceptionXss sources into the Customizations file

Author: erik-krogh

javascript/ql/lib/semmle/javascript/security/dataflow/ExceptionXssCustomizations.qll

@@ -0,0 +1,67 @@
+/**
+ * Provides default sources, sinks and sanitizers for reasoning about
+ * cross-site scripting vulnerabilities where the taint-flow passes through a thrown
+ * exception.
+ */
+
+import javascript
+import semmle.javascript.security.dataflow.RemoteFlowSources
+
+module ExceptionXss {
+  private import Xss::Shared as Shared
+
+  /** A data flow source for XSS caused by interpreting exception or error text as HTML. */
+  abstract class Source extends DataFlow::Node {
+    /**
+     * Gets a flow label to associate with this source.
+     *
+     * For sources that should pass through a `throw/catch` before reaching the sink, use the
+     * `NotYetThrown` labe. Otherwise use `taint` (the default).
+     */
+    DataFlow::FlowLabel getAFlowLabel() { result.isTaint() }
+
+    /**
+     * Gets a human-readable description of what type of error this refers to.
+     *
+     * The result should be capitalized and usable in the context of a noun.
+     */
+    string getDescription() { result = "Error text" }
+  }
+
+  /**
+   * A FlowLabel representing tainted data that has not been thrown in an exception.
+   * In the js/xss-through-exception query data-flow can only reach a sink after
+   * the data has been thrown as an exception, and data that has not been thrown
+   * as an exception therefore has this flow label, and only this flow label, associated with it.
+   */
+  abstract class NotYetThrown extends DataFlow::FlowLabel {
+    NotYetThrown() { this = "NotYetThrown" }
+  }
+
+  private class XssSourceAsSource extends Source {
+    XssSourceAsSource() { this instanceof Shared::Source }
+
+    override DataFlow::FlowLabel getAFlowLabel() { result instanceof NotYetThrown }
+
+    override string getDescription() { result = "Exception text" }
+  }
+
+  /**
+   * An error produced by validating using `ajv`.
+   *
+   * Such an error can contain property names from the input if the
+   * underlying schema uses `additionalProperties` or `propertyPatterns`.
+   *
+   * For example, an input of form `{"<img src=x onerror=alert(1)>": 45}` might produce the error
+   * `data/<img src=x onerror=alert(1)> should be string`.
+   */
+  private class JsonSchemaValidationError extends Source {
+    JsonSchemaValidationError() {
+      this = any(JsonSchema::Ajv::Instance i).getAValidationError().getAnImmediateUse()
+      or
+      this = any(JsonSchema::Joi::JoiValidationErrorRead r).getAValidationResultAccess(_)
+    }
+
+    override string getDescription() { result = "JSON schema validation error" }
+  }
+}

javascript/ql/lib/semmle/javascript/security/dataflow/ExceptionXssQuery.qll

@@ -7,9 +7,9 @@
 import javascript
 import DomBasedXssCustomizations::DomBasedXss as DomBasedXssCustom
 import ReflectedXssCustomizations::ReflectedXss as ReflectedXssCustom
-import Xss as Xss
-import Xss::ExceptionXss
+import ExceptionXssCustomizations::ExceptionXss
 private import semmle.javascript.dataflow.InferredTypes
+import Xss::Shared as XssShared
 
 /**
  * Gets the name of a method that does not leak taint from its arguments if an exception is thrown by the method.
@@ -56,7 +56,7 @@ private predicate isNullOrUndefined(InferredType t) {
  */
 predicate canThrowSensitiveInformation(DataFlow::Node node) {
   not isUnlikelyToThrowSensitiveInformation(node) and
-  not node instanceof Xss::Shared::Sink and // removes duplicates from js/xss.
+  not node instanceof XssShared::Sink and // removes duplicates from js/xss.
   (
     // in the case of reflective calls the below ensures that both InvokeNodes have no known callee.
     forex(DataFlow::InvokeNode call | call.getAnArgument() = node | not exists(call.getACallee()))
@@ -71,7 +71,7 @@ predicate canThrowSensitiveInformation(DataFlow::Node node) {
 }
 
 // Materialize flow labels
-private class ConcreteNotYetThrown extends Xss::ExceptionXss::NotYetThrown {
+private class ConcreteNotYetThrown extends NotYetThrown {
   ConcreteNotYetThrown() { this = this }
 }
 
@@ -133,14 +133,14 @@ class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "ExceptionXss" }
 
   override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
-    source.(Xss::ExceptionXss::Source).getAFlowLabel() = label
+    source.(Source).getAFlowLabel() = label
   }
 
   override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
-    sink instanceof Xss::Shared::Sink and not label instanceof NotYetThrown
+    sink instanceof XssShared::Sink and not label instanceof NotYetThrown
   }
 
-  override predicate isSanitizer(DataFlow::Node node) { node instanceof Xss::Shared::Sanitizer }
+  override predicate isSanitizer(DataFlow::Node node) { node instanceof XssShared::Sanitizer }
 
   override predicate isAdditionalFlowStep(
     DataFlow::Node pred, DataFlow::Node succ, DataFlow::FlowLabel inlbl, DataFlow::FlowLabel outlbl

javascript/ql/lib/semmle/javascript/security/dataflow/Xss.qll

@@ -178,60 +178,10 @@ deprecated module XssThroughDom {
   import XssThroughDomCustomizations::XssThroughDom
 }
 
-/** Provides classes for customizing the `ExceptionXss` query. */
-module ExceptionXss {
-  /** A data flow source for XSS caused by interpreting exception or error text as HTML. */
-  abstract class Source extends DataFlow::Node {
-    /**
-     * Gets a flow label to associate with this source.
-     *
-     * For sources that should pass through a `throw/catch` before reaching the sink, use the
-     * `NotYetThrown` labe. Otherwise use `taint` (the default).
-     */
-    DataFlow::FlowLabel getAFlowLabel() { result.isTaint() }
-
-    /**
-     * Gets a human-readable description of what type of error this refers to.
-     *
-     * The result should be capitalized and usable in the context of a noun.
-     */
-    string getDescription() { result = "Error text" }
-  }
-
-  /**
-   * A FlowLabel representing tainted data that has not been thrown in an exception.
-   * In the js/xss-through-exception query data-flow can only reach a sink after
-   * the data has been thrown as an exception, and data that has not been thrown
-   * as an exception therefore has this flow label, and only this flow label, associated with it.
-   */
-  abstract class NotYetThrown extends DataFlow::FlowLabel {
-    NotYetThrown() { this = "NotYetThrown" }
-  }
-
-  private class XssSourceAsSource extends Source {
-    XssSourceAsSource() { this instanceof Shared::Source }
-
-    override DataFlow::FlowLabel getAFlowLabel() { result instanceof NotYetThrown }
-
-    override string getDescription() { result = "Exception text" }
-  }
-
-  /**
-   * An error produced by validating using `ajv`.
-   *
-   * Such an error can contain property names from the input if the
-   * underlying schema uses `additionalProperties` or `propertyPatterns`.
-   *
-   * For example, an input of form `{"<img src=x onerror=alert(1)>": 45}` might produce the error
-   * `data/<img src=x onerror=alert(1)> should be string`.
-   */
-  private class JsonSchemaValidationError extends Source {
-    JsonSchemaValidationError() {
-      this = any(JsonSchema::Ajv::Instance i).getAValidationError().getAnImmediateUse()
-      or
-      this = any(JsonSchema::Joi::JoiValidationErrorRead r).getAValidationResultAccess(_)
-    }
-
-    override string getDescription() { result = "JSON schema validation error" }
-  }
+/**
+ * DEPRECATED: Use the `ExceptionXssCustomizations.qll` file instead.
+ * Provides classes for customizing the `ExceptionXss` query.
+ */
+deprecated module ExceptionXss {
+  import ExceptionXssCustomizations::ExceptionXss
 }