js: broought back ServerSideUrlRedirect and ReflectedXss as it seems they are not ready to be removed

Napalys · Napalys · commit 83e1c692d19e · 2025-05-18T12:16:07.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ReflectedXssQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ReflectedXssQuery.qll
@@ -27,6 +27,27 @@ module ReflectedXssConfig implements DataFlow::ConfigSig {
  */
 module ReflectedXssFlow = TaintTracking::Global<ReflectedXssConfig>;
 
+/**
+ * DEPRECATED. Use the `ReflectedXssFlow` module instead.
+ */
+deprecated class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "ReflectedXss" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  override predicate isSanitizer(DataFlow::Node node) {
+    super.isSanitizer(node) or
+    node instanceof Sanitizer
+  }
+
+  override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
+    guard instanceof QuoteGuard or
+    guard instanceof ContainsHtmlGuard
+  }
+}
+
 private class QuoteGuard extends SharedXss::QuoteGuard {
   QuoteGuard() { this = this }
 }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ServerSideUrlRedirectQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ServerSideUrlRedirectQuery.qll
@@ -43,6 +43,35 @@ module ServerSideUrlRedirectConfig implements DataFlow::ConfigSig {
  */
 module ServerSideUrlRedirectFlow = TaintTracking::Global<ServerSideUrlRedirectConfig>;
 
+/**
+ * DEPRECATED. Use the `ServerSideUrlRedirectFlow` module instead.
+ */
+deprecated class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "ServerSideUrlRedirect" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  override predicate isSanitizer(DataFlow::Node node) {
+    super.isSanitizer(node) or
+    node instanceof Sanitizer
+  }
+
+  override predicate isSanitizerOut(DataFlow::Node node) {
+    ServerSideUrlRedirectConfig::isBarrierOut(node)
+  }
+
+  override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
+    guard instanceof LocalUrlSanitizingGuard or
+    guard instanceof HostnameSanitizerGuard
+  }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+    ServerSideUrlRedirectConfig::isAdditionalFlowStep(pred, succ)
+  }
+}
+
 /**
  * DEPRECATED. This is no longer used as a sanitizer guard.
  *
