Ruby: renames for rb/stored-xss

alexrford · alexrford · commit f5e433940fe9 · 2023-09-03T17:20:05.000+01:00
diff --git a/ruby/ql/lib/codeql/ruby/security/StoredXSSQuery.qll b/ruby/ql/lib/codeql/ruby/security/StoredXSSQuery.qll
@@ -3,16 +3,19 @@
  * cross-site scripting vulnerabilities.
  *
  * Note, for performance reasons: only import this file if
- * `StoredXSS::Configuration` is needed, otherwise
- * `XSS::StoredXSS` should be imported instead.
+ * `StoredXssFlow` is needed, otherwise
+ * `XSS::StoredXss` should be imported instead.
  */
 
 import codeql.ruby.AST
 import codeql.ruby.DataFlow
 import codeql.ruby.TaintTracking
 
-/** Provides a taint-tracking configuration for cross-site scripting vulnerabilities. */
-module StoredXss {
+/**
+ * Provides a taint-tracking configuration for cross-site scripting vulnerabilities.
+ * DEPRECATED: Use StoredXssFlow
+ */
+deprecated module StoredXss {
   import XSS::StoredXss
 
   /**
@@ -41,20 +44,24 @@ module StoredXss {
     }
   }
 
-  /**
-   * A taint-tracking configuration for reasoning about Stored XSS.
-   */
-  private module Config implements DataFlow::ConfigSig {
-    predicate isSource(DataFlow::Node source) { source instanceof Source }
+  import TaintTracking::Global<StoredXssConfig>
+}
 
-    predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+private module StoredXssConfig implements DataFlow::ConfigSig {
+  private import XSS::StoredXss
 
-    predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
 
-    predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-      isAdditionalXssTaintStep(node1, node2)
-    }
-  }
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
-  import TaintTracking::Global<Config>
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    isAdditionalXssTaintStep(node1, node2)
+  }
 }
+
+/**
+ * Taint-tracking for reasoning about Stored XSS.
+ */
+module StoredXssFlow = TaintTracking::Global<StoredXssConfig>;
diff --git a/ruby/ql/src/queries/security/cwe-079/StoredXSS.ql b/ruby/ql/src/queries/security/cwe-079/StoredXSS.ql
@@ -14,9 +14,9 @@
 
 import codeql.ruby.AST
 import codeql.ruby.security.StoredXSSQuery
-import StoredXss::PathGraph
+import StoredXssFlow::PathGraph
 
-from StoredXss::PathNode source, StoredXss::PathNode sink
-where StoredXss::flowPath(source, sink)
+from StoredXssFlow::PathNode source, StoredXssFlow::PathNode sink
+where StoredXssFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "Stored cross-site scripting vulnerability due to $@.",
   source.getNode(), "stored value"
