Java: XSS with abstract class (some duplication)

I haven't figured out how to avoid the redundancy between
`getASelected{Source,Sink}Location` in the module and the class. Maybe
we need a strong notion of primary and secondary data-flow
configurations.

Author: jbj

java/ql/lib/semmle/code/java/security/XSS.qll

@@ -71,6 +71,26 @@ private module XssVulnerableWriterSourceToWritingMethodFlowConfig implements Dat
       sink.asExpr() = ma.getQualifier() and ma.getMethod() instanceof WritingMethod
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // Since this configuration is for finding sinks to be used in a main
+    // data-flow configuration, this configuration should only restrict the
+    // sinks to be found if there are no main-configuration sources in the
+    // diff range. That's because if there is such a source, we need to
+    // report query results for it even with sinks outside the diff range.
+    exists(DataFlow::DiffInformedQuery q | not q.hasSourceInDiffRange())
+  }
+
+  // The sources are not exposed outside this file module, so we know the
+  // query will not select them.
+  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    // This code mirrors `DefaultXssSink()`.
+    exists(MethodCall ma | result = ma.getAnArgument().getLocation() |
+      sink.asExpr() = ma.getQualifier() and ma.getMethod() instanceof WritingMethod
+    )
+  }
 }
 
 private module XssVulnerableWriterSourceToWritingMethodFlow =

java/ql/lib/semmle/code/java/security/XssQuery.qll

@@ -21,7 +21,7 @@ module XssConfig implements DataFlow::ConfigSig {
     any(XssAdditionalTaintStep s).step(node1, node2)
   }
 
-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() { exists(DataFlow::DiffInformedQuery q) }
 }
 
 /** Tracks flow from remote sources to cross site scripting vulnerabilities. */

java/ql/src/Security/CWE/CWE-079/XSS.ql

@@ -15,6 +15,16 @@ import java
 import semmle.code.java.security.XssQuery
 import XssFlow::PathGraph
 
+class IsDiffInformed extends DataFlow::DiffInformedQuery {
+  // This predicate is overridden to be more precise than the default
+  // implementation in order to support secondary secondary data-flow
+  // configurations that find sinks.
+  override Location getASelectedSourceLocation(DataFlow::Node source) {
+    XssConfig::isSource(source) and
+    result = source.getLocation()
+  }
+}
+
 from XssFlow::PathNode source, XssFlow::PathNode sink
 where XssFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "Cross-site scripting vulnerability due to a $@.",

shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll

@@ -18,6 +18,9 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang> {
   private import DataFlowImplCommon::MakeImplCommon<Location, Lang>
   private import DataFlowImplCommonPublic
   private import Aliases
+  private import codeql.util.AlertFiltering
+
+  private module AlertFiltering = AlertFilteringImpl<Location>;
 
   /**
    * An input configuration for data flow using flow state. This signature equals
@@ -180,6 +183,21 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang> {
     DiffInformedQueryImpl() { any() }
 
     string toString() { result = "DataFlow::DiffInformedQuery" }
+
+    // TODO: how to wire this up? It overlaps with the data-flow configuration signature!
+    Location getASelectedSourceLocation(Node source) { result = source.getLocation() }
+
+    Location getASelectedSinkLocation(Node sink) { result = sink.getLocation() }
+
+    pragma[nomagic]
+    predicate hasSourceInDiffRange() {
+      AlertFiltering::filterByLocation(this.getASelectedSourceLocation(_))
+    }
+
+    pragma[nomagic]
+    predicate hasSinkInDiffRange() {
+      AlertFiltering::filterByLocation(this.getASelectedSinkLocation(_))
+    }
   }
 
   /**