Refactor TemplateInjection

Author: egregius313

java/ql/lib/semmle/code/java/security/TemplateInjectionQuery.qll

@@ -5,8 +5,12 @@ import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.TemplateInjection
 
-/** A taint tracking configuration to reason about server-side template injection (SST) vulnerabilities */
-class TemplateInjectionFlowConfig extends TaintTracking::Configuration {
+/**
+ * DEPRECATED: Use `TemplateInjectionFlow` instead.
+ *
+ * A taint tracking configuration to reason about server-side template injection (SST) vulnerabilities
+ */
+deprecated class TemplateInjectionFlowConfig extends TaintTracking::Configuration {
   TemplateInjectionFlowConfig() { this = "TemplateInjectionFlowConfig" }
 
   override predicate isSource(DataFlow::Node source, DataFlow::FlowState state) {
@@ -36,3 +40,35 @@ class TemplateInjectionFlowConfig extends TaintTracking::Configuration {
     any(TemplateInjectionAdditionalTaintStep a).isAdditionalTaintStep(node1, state1, node2, state2)
   }
 }
+
+/** A taint tracking configuration to reason about server-side template injection (SST) vulnerabilities */
+private module TemplateInjectionFlowConfig implements DataFlow::StateConfigSig {
+  class FlowState = DataFlow::FlowState;
+
+  predicate isSource(DataFlow::Node source, FlowState state) {
+    source.(TemplateInjectionSource).hasState(state)
+  }
+
+  predicate isSink(DataFlow::Node sink, FlowState state) {
+    sink.(TemplateInjectionSink).hasState(state)
+  }
+
+  predicate isBarrier(DataFlow::Node sanitizer) { sanitizer instanceof TemplateInjectionSanitizer }
+
+  predicate isBarrier(DataFlow::Node sanitizer, FlowState state) {
+    sanitizer.(TemplateInjectionSanitizerWithState).hasState(state)
+  }
+
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    any(TemplateInjectionAdditionalTaintStep a).isAdditionalTaintStep(node1, node2)
+  }
+
+  predicate isAdditionalFlowStep(
+    DataFlow::Node node1, FlowState state1, DataFlow::Node node2, FlowState state2
+  ) {
+    any(TemplateInjectionAdditionalTaintStep a).isAdditionalTaintStep(node1, state1, node2, state2)
+  }
+}
+
+/** Tracks server-side template injection (SST) vulnerabilities */
+module TemplateInjectionFlow = TaintTracking::MakeWithState<TemplateInjectionFlowConfig>;

java/ql/src/Security/CWE/CWE-094/TemplateInjection.ql

@@ -13,9 +13,9 @@
 
 import java
 import semmle.code.java.security.TemplateInjectionQuery
-import DataFlow::PathGraph
+import TemplateInjectionFlow::PathGraph
 
-from TemplateInjectionFlowConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
+from TemplateInjectionFlow::PathNode source, TemplateInjectionFlow::PathNode sink
+where TemplateInjectionFlow::hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "Template, which may contain code, depends on a $@.",
   source.getNode(), "user-provided value"

java/ql/test/query-tests/security/CWE-094/TemplateInjectionTest.ql

@@ -9,7 +9,7 @@ class TemplateInjectionTest extends InlineExpectationsTest {
 
   override predicate hasActualResult(Location location, string element, string tag, string value) {
     tag = "hasTemplateInjection" and
-    exists(DataFlow::Node sink, TemplateInjectionFlowConfig conf | conf.hasFlowTo(sink) |
+    exists(DataFlow::Node sink | TemplateInjectionFlow::hasFlowTo(sink) |
       sink.getLocation() = location and
       element = sink.toString() and
       value = ""