Move OpenUrlRedirect customisation into the query's qll file

smowton · smowton · commit f0c0a890a52a · 2020-10-26T12:25:56.000Z
diff --git a/ql/src/semmle/go/frameworks/Revel.qll b/ql/src/semmle/go/frameworks/Revel.qll
@@ -29,23 +29,6 @@ module Revel {
     }
   }
 
-  /**
-   * Reinstate the usual field propagation rules for fields, which the OpenURLRedirect
-   * query usually excludes, for fields of `Params` other than `Params.Fixed`.
-   */
-  private class PropagateParamsFields extends OpenUrlRedirect::AdditionalStep {
-    PropagateParamsFields() { this = "PropagateParamsFields" }
-
-    override predicate hasTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
-      exists(Field f, string field |
-        f.hasQualifiedName(packagePath(), "Params", field) and
-        field != "Fixed"
-      |
-        succ.(Read).readsField(pred, f)
-      )
-    }
-  }
-
   private class ParamsBind extends TaintTracking::FunctionModel, Method {
     ParamsBind() { this.hasQualifiedName(packagePath(), "Params", ["Bind", "BindJSON"]) }
 
diff --git a/ql/src/semmle/go/security/OpenUrlRedirectCustomizations.qll b/ql/src/semmle/go/security/OpenUrlRedirectCustomizations.qll
@@ -128,3 +128,20 @@ private class UnsafeFieldReadSanitizer extends SafeUrlFlow::SanitizerEdge {
     )
   }
 }
+
+/**
+ * Reinstate the usual field propagation rules for fields, which the OpenURLRedirect
+ * query usually excludes, for fields of `Params` other than `Params.Fixed`.
+ */
+private class PropagateParamsFields extends OpenUrlRedirect::AdditionalStep {
+  PropagateParamsFields() { this = "PropagateParamsFields" }
+
+  override predicate hasTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(Field f, string field |
+      f.hasQualifiedName(Revel::packagePath(), "Params", field) and
+      field != "Fixed"
+    |
+      succ.(Read).readsField(pred, f)
+    )
+  }
+}
