Upgrade XSJSUrlRedirect dataflow library

knewbury01 · knewbury01 · commit 8af5d58a4c3d · 2025-08-15T19:37:50.000-04:00
diff --git a/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSUrlRedirectQuery.qll b/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSUrlRedirectQuery.qll
@@ -2,14 +2,14 @@ import javascript
 import advanced_security.javascript.frameworks.xsjs.AsyncXSJS
 import semmle.javascript.security.dataflow.ServerSideUrlRedirectQuery as UrlRedirect
 
-class Configuration extends UrlRedirect::Configuration {
-  override predicate isSource(DataFlow::Node start) {
-    super.isSource(start)
+module Configuration implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node start) {
+    UrlRedirect::ServerSideUrlRedirectConfig::isSource(start)
     or
     start instanceof RemoteFlowSource
   }
 
-  override predicate isSink(DataFlow::Node end) {
+  predicate isSink(DataFlow::Node end) {
     exists(XSJSRequestOrResponseHeaders headers |
       end = headers.getHeaderSetCall("location").getArgument(1)
     )
diff --git a/javascript/frameworks/xsjs/src/XSJSUrlRedirect/XSJSUrlRedirect.ql b/javascript/frameworks/xsjs/src/XSJSUrlRedirect/XSJSUrlRedirect.ql
@@ -12,8 +12,11 @@
 
 import javascript
 import advanced_security.javascript.frameworks.xsjs.XSJSUrlRedirectQuery
-import DataFlow::PathGraph
 
-from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
+module ConfigurationFlow = TaintTracking::Global<Configuration>;
+
+import ConfigurationFlow::PathGraph
+
+from ConfigurationFlow::PathNode source, ConfigurationFlow::PathNode sink
+where ConfigurationFlow::flowPath(source, sink)
 select sink, source, sink, "$@ depends on a $@.", sink, "This URL", source, "user-provided value"
diff --git a/javascript/frameworks/xsjs/test/queries/XSJSUrlRedirect/XSJSUrlRedirect.expected b/javascript/frameworks/xsjs/test/queries/XSJSUrlRedirect/XSJSUrlRedirect.expected
@@ -1,16 +1,10 @@
-WARNING: module 'PathGraph' has been deprecated and may be removed in future (XSJSUrlRedirect.ql:15,8-27)
-WARNING: type 'PathNode' has been deprecated and may be removed in future (XSJSUrlRedirect.ql:17,28-46)
-WARNING: type 'PathNode' has been deprecated and may be removed in future (XSJSUrlRedirect.ql:17,55-73)
-nodes
-| XSJSUrlRedirect.xsjs:7:7:7:65 | someParameterValue |
-| XSJSUrlRedirect.xsjs:7:28:7:65 | request ... meter") |
-| XSJSUrlRedirect.xsjs:7:28:7:65 | request ... meter") |
-| XSJSUrlRedirect.xsjs:9:38:9:55 | someParameterValue |
-| XSJSUrlRedirect.xsjs:9:38:9:55 | someParameterValue |
 edges
-| XSJSUrlRedirect.xsjs:7:7:7:65 | someParameterValue | XSJSUrlRedirect.xsjs:9:38:9:55 | someParameterValue |
-| XSJSUrlRedirect.xsjs:7:7:7:65 | someParameterValue | XSJSUrlRedirect.xsjs:9:38:9:55 | someParameterValue |
-| XSJSUrlRedirect.xsjs:7:28:7:65 | request ... meter") | XSJSUrlRedirect.xsjs:7:7:7:65 | someParameterValue |
-| XSJSUrlRedirect.xsjs:7:28:7:65 | request ... meter") | XSJSUrlRedirect.xsjs:7:7:7:65 | someParameterValue |
+| XSJSUrlRedirect.xsjs:7:7:7:65 | someParameterValue | XSJSUrlRedirect.xsjs:9:38:9:55 | someParameterValue | provenance |  |
+| XSJSUrlRedirect.xsjs:7:28:7:65 | request ... meter") | XSJSUrlRedirect.xsjs:7:7:7:65 | someParameterValue | provenance |  |
+nodes
+| XSJSUrlRedirect.xsjs:7:7:7:65 | someParameterValue | semmle.label | someParameterValue |
+| XSJSUrlRedirect.xsjs:7:28:7:65 | request ... meter") | semmle.label | request ... meter") |
+| XSJSUrlRedirect.xsjs:9:38:9:55 | someParameterValue | semmle.label | someParameterValue |
+subpaths
 #select
 | XSJSUrlRedirect.xsjs:9:38:9:55 | someParameterValue | XSJSUrlRedirect.xsjs:7:28:7:65 | request ... meter") | XSJSUrlRedirect.xsjs:9:38:9:55 | someParameterValue | $@ depends on a $@. | XSJSUrlRedirect.xsjs:9:38:9:55 | someParameterValue | This URL | XSJSUrlRedirect.xsjs:7:28:7:65 | request ... meter") | user-provided value |
