Move ZipSlip configurations to Query.qll library

Author: egregius313

java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll

@@ -0,0 +1,46 @@
+/** Provides dataflow configurations to be used in ZipSlip queries. */
+
+import java
+import semmle.code.java.controlflow.Guards
+import semmle.code.java.dataflow.SSA
+import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.security.PathSanitizer
+private import semmle.code.java.dataflow.ExternalFlow
+
+/**
+ * A method that returns the name of an archive entry.
+ */
+class ArchiveEntryNameMethod extends Method {
+  ArchiveEntryNameMethod() {
+    exists(RefType archiveEntry |
+      archiveEntry.hasQualifiedName("java.util.zip", "ZipEntry") or
+      archiveEntry.hasQualifiedName("org.apache.commons.compress.archivers", "ArchiveEntry")
+    |
+      this.getDeclaringType().getAnAncestor() = archiveEntry and
+      this.hasName("getName")
+    )
+  }
+}
+
+/**
+ * A taint-tracking configuration for reasoning about unsafe zip file extraction.
+ */
+module ZipSlipConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    source.asExpr().(MethodAccess).getMethod() instanceof ArchiveEntryNameMethod
+  }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof FileCreationSink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof PathInjectionSanitizer }
+}
+
+/** Tracks flow from archive entries to file creation. */
+module ZipSlipFlow = TaintTracking::Global<ZipSlipConfig>;
+
+/**
+ * A sink that represents a file creation, such as a file write, copy or move operation.
+ */
+private class FileCreationSink extends DataFlow::Node {
+  FileCreationSink() { sinkNode(this, "create-file") }
+}

java/ql/src/Security/CWE/CWE-022/ZipSlip.ql

@@ -13,48 +13,9 @@
  */
 
 import java
-import semmle.code.java.controlflow.Guards
-import semmle.code.java.dataflow.SSA
-import semmle.code.java.dataflow.TaintTracking
-import semmle.code.java.security.PathSanitizer
-private import semmle.code.java.dataflow.ExternalFlow
-
-/**
- * A method that returns the name of an archive entry.
- */
-class ArchiveEntryNameMethod extends Method {
-  ArchiveEntryNameMethod() {
-    exists(RefType archiveEntry |
-      archiveEntry.hasQualifiedName("java.util.zip", "ZipEntry") or
-      archiveEntry.hasQualifiedName("org.apache.commons.compress.archivers", "ArchiveEntry")
-    |
-      this.getDeclaringType().getAnAncestor() = archiveEntry and
-      this.hasName("getName")
-    )
-  }
-}
-
-module ZipSlipConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) {
-    source.asExpr().(MethodAccess).getMethod() instanceof ArchiveEntryNameMethod
-  }
-
-  predicate isSink(DataFlow::Node sink) { sink instanceof FileCreationSink }
-
-  predicate isBarrier(DataFlow::Node node) { node instanceof PathInjectionSanitizer }
-}
-
-module ZipSlipFlow = TaintTracking::Global<ZipSlipConfig>;
-
+import semmle.code.java.security.ZipSlipQuery
 import ZipSlipFlow::PathGraph
 
-/**
- * A sink that represents a file creation, such as a file write, copy or move operation.
- */
-private class FileCreationSink extends DataFlow::Node {
-  FileCreationSink() { sinkNode(this, "create-file") }
-}
-
 from ZipSlipFlow::PathNode source, ZipSlipFlow::PathNode sink
 where ZipSlipFlow::flowPath(source, sink)
 select source.getNode(), source, sink,