python/ruby/javascript: add machinery for simple MaD sanitizers

yoff · yoff · commit 62b0c7a04354 · 2026-01-16T00:54:32.000+01:00
- add `barrierNode` to ApiGraphModels which takes MaD barreirs into account
- add `sourceNode` and `sinkNode` which operate on `DataFlow::Node`s for convenience
- use the convenience predicates throughout
- add support for parameterized barrier nodes where needed
diff --git a/javascript/ql/lib/semmle/javascript/dataflow/internal/BarrierGuards.qll b/javascript/ql/lib/semmle/javascript/dataflow/internal/BarrierGuards.qll
@@ -36,6 +36,30 @@ module MakeBarrierGuard<BarrierGuardSig BaseGuard> {
   }
 }
 
+module ExternalBarrierGuard {
+  private predicate guardCheck(DataFlow::Node g, Expr e, boolean branch, string kind) {
+    exists(API::CallNode call, API::Node parameter |
+      parameter = call.getAParameter() and
+      parameter = ModelOutput::getABarrierGuardNode(kind, branch)
+    |
+      g = call and
+      e = parameter.asSink().asExpr()
+    )
+  }
+
+  class BarrierGuard extends DataFlow::Node {
+    BarrierGuard() { guardCheck(this, _, _, _) }
+
+    predicate blocksExpr(boolean outcome, Expr e, string kind) {
+      guardCheck(this, e, outcome, kind)
+    }
+  }
+
+  DataFlow::Node getAnExternalBarrierNode(string kind) {
+    result = MakeStateBarrierGuard<string, BarrierGuard>::getABarrierNode(kind)
+  }
+}
+
 deprecated private module DeprecationWrapper {
   signature class LabeledBarrierGuardSig extends DataFlow::Node {
     /**
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/Credentials.qll b/javascript/ql/lib/semmle/javascript/frameworks/Credentials.qll
@@ -29,7 +29,7 @@ module CredentialsExpr {
 private class CredentialsFromModel extends CredentialsNode {
   string kind;
 
-  CredentialsFromModel() { this = ModelOutput::getASinkNode("credentials-" + kind).asSink() }
+  CredentialsFromModel() { ModelOutput::sinkNode(this, "credentials-" + kind) }
 
   override string getCredentialsKind() { result = CredentialsExpr::normalizeKind(kind) }
 }
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/NoSQL.qll b/javascript/ql/lib/semmle/javascript/frameworks/NoSQL.qll
@@ -13,7 +13,7 @@ module NoSql {
   }
 
   private class QueryFromModel extends Query {
-    QueryFromModel() { this = ModelOutput::getASinkNode("nosql-injection").asSink() }
+    QueryFromModel() { ModelOutput::sinkNode(this, "nosql-injection") }
   }
 }
 
@@ -46,7 +46,7 @@ private module MongoDB {
 
     override DataFlow::Node getAQueryArgument() {
       result = [this.getAnArgument(), this.getOptionArgument(_, _)] and
-      result = ModelOutput::getASinkNode("mongodb.sink").asSink()
+      ModelOutput::sinkNode(result, "mongodb.sink")
     }
 
     override DataFlow::Node getAResult() {
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/SQL.qll b/javascript/ql/lib/semmle/javascript/frameworks/SQL.qll
@@ -9,7 +9,7 @@ module SQL {
   abstract class SqlString extends DataFlow::Node { }
 
   private class SqlStringFromModel extends SqlString {
-    SqlStringFromModel() { this = ModelOutput::getASinkNode("sql-injection").asSink() }
+    SqlStringFromModel() { ModelOutput::sinkNode(this, "sql-injection") }
   }
 
   /**
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/data/ModelsAsData.qll b/javascript/ql/lib/semmle/javascript/frameworks/data/ModelsAsData.qll
@@ -30,7 +30,7 @@ import Shared::ModelOutput as ModelOutput
  * A remote flow source originating from a MaD source row.
  */
 private class RemoteFlowSourceFromMaD extends RemoteFlowSource {
-  RemoteFlowSourceFromMaD() { this = ModelOutput::getASourceNode("remote").asSource() }
+  RemoteFlowSourceFromMaD() { ModelOutput::sourceNode(this, "remote") }
 
   override string getSourceType() { result = "Remote flow" }
 }
@@ -39,9 +39,9 @@ private class RemoteFlowSourceFromMaD extends RemoteFlowSource {
  * A threat-model flow source originating from a data extension.
  */
 private class ThreatModelSourceFromDataExtension extends ThreatModelSource::Range {
-  ThreatModelSourceFromDataExtension() { this = ModelOutput::getASourceNode(_).asSource() }
+  ThreatModelSourceFromDataExtension() { ModelOutput::sourceNode(this, _) }
 
-  override string getThreatModel() { this = ModelOutput::getASourceNode(result).asSource() }
+  override string getThreatModel() { ModelOutput::sourceNode(this, result) }
 
   override string getSourceType() {
     result = "Source node (" + this.getThreatModel() + ") [from data-extension]"
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModels.qll b/javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModels.qll
@@ -781,7 +781,7 @@ module ModelOutput {
     }
 
     /**
-     * Holds if a barrier model contributed `barrier` with the given `kind`.
+     * Holds if a barrier model contributed `barrier` with the given `kind` for the given `branch`.
      */
     cached
     API::Node getABarrierGuardNode(string kind, boolean branch, string model) {
@@ -858,6 +858,25 @@ module ModelOutput {
     result = getABarrierGuardNode(kind, branch, _)
   }
 
+  /**
+   * Holds if `node` is specified as a source with the given kind in an external model.
+   */
+  predicate sourceNode(DataFlow::Node node, string kind) { node = getASourceNode(kind).asSource() }
+
+  /**
+   * Holds if `node` is specified as a sink with the given kind in an external model.
+   */
+  predicate sinkNode(DataFlow::Node node, string kind) { node = getASinkNode(kind).asSink() }
+
+  /**
+   * Holds if `node` is specified as a barrier with the given kind in an external model.
+   */
+  predicate barrierNode(DataFlow::Node node, string kind) {
+    node = getABarrierNode(kind).asSink()
+    or
+    node = DataFlow::ExternalBarrierGuard::getAnExternalBarrierNode(kind)
+  }
+
   private module KindValConfig implements SharedModelVal::KindValidationConfigSig {
     predicate summaryKind(string kind) { summaryModel(_, _, _, _, kind, _) }
 
diff --git a/javascript/ql/lib/semmle/javascript/security/CorsPermissiveConfigurationCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/CorsPermissiveConfigurationCustomizations.qll
@@ -66,7 +66,7 @@ module CorsPermissiveConfiguration {
    * The value of cors origin when initializing the application.
    */
   class CorsOriginSink extends Sink, DataFlow::ValueNode {
-    CorsOriginSink() { this = ModelOutput::getASinkNode("cors-origin").asSink() }
+    CorsOriginSink() { ModelOutput::sinkNode(this, "cors-origin") }
   }
 
   /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll
@@ -268,6 +268,6 @@ module ClientSideUrlRedirect {
   }
 
   private class SinkFromModel extends Sink {
-    SinkFromModel() { this = ModelOutput::getASinkNode("url-redirection").asSink() }
+    SinkFromModel() { ModelOutput::sinkNode(this, "url-redirection") }
   }
 }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/CodeInjectionCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/CodeInjectionCustomizations.qll
@@ -436,6 +436,6 @@ module CodeInjection {
   class JsonStringifySanitizer extends Sanitizer, JsonStringifyCall { }
 
   private class SinkFromModel extends Sink {
-    SinkFromModel() { this = ModelOutput::getASinkNode("code-injection").asSink() }
+    SinkFromModel() { ModelOutput::sinkNode(this, "code-injection") }
   }
 }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionCustomizations.qll
@@ -56,6 +56,6 @@ module CommandInjection {
   }
 
   private class SinkFromModel extends Sink {
-    SinkFromModel() { this = ModelOutput::getASinkNode("command-injection").asSink() }
+    SinkFromModel() { ModelOutput::sinkNode(this, "command-injection") }
   }
 }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssCustomizations.qll
@@ -419,6 +419,6 @@ module DomBasedXss {
   }
 
   private class SinkFromModel extends Sink {
-    SinkFromModel() { this = ModelOutput::getASinkNode("html-injection").asSink() }
+    SinkFromModel() { ModelOutput::sinkNode(this, "html-injection") }
   }
 }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/LogInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/LogInjectionQuery.qll
@@ -86,5 +86,5 @@ class JsonStringifySanitizer extends Sanitizer {
 }
 
 private class SinkFromModel extends Sink {
-  SinkFromModel() { this = ModelOutput::getASinkNode("log-injection").asSink() }
+  SinkFromModel() { ModelOutput::sinkNode(this, "log-injection") }
 }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ReflectedXssCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ReflectedXssCustomizations.qll
@@ -145,6 +145,6 @@ module ReflectedXss {
   }
 
   private class SinkFromModel extends Sink {
-    SinkFromModel() { this = ModelOutput::getASinkNode("html-injection").asSink() }
+    SinkFromModel() { ModelOutput::sinkNode(this, "html-injection") }
   }
 }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryCustomizations.qll
@@ -96,7 +96,7 @@ module RequestForgery {
   }
 
   private class SinkFromModel extends Sink {
-    SinkFromModel() { this = ModelOutput::getASinkNode("request-forgery").asSink() }
+    SinkFromModel() { ModelOutput::sinkNode(this, "request-forgery") }
 
     override DataFlow::Node getARequest() { result = this }
 
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ServerSideUrlRedirectCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ServerSideUrlRedirectCustomizations.qll
@@ -64,6 +64,6 @@ module ServerSideUrlRedirect {
   }
 
   private class SinkFromModel extends Sink {
-    SinkFromModel() { this = ModelOutput::getASinkNode("url-redirection").asSink() }
+    SinkFromModel() { ModelOutput::sinkNode(this, "url-redirection") }
   }
 }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
@@ -1121,6 +1121,6 @@ module TaintedPath {
   }
 
   private class SinkFromModel extends Sink {
-    SinkFromModel() { this = ModelOutput::getASinkNode("path-injection").asSink() }
+    SinkFromModel() { ModelOutput::sinkNode(this, "path-injection") }
   }
 }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeDeserializationCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeDeserializationCustomizations.qll
@@ -67,6 +67,6 @@ module UnsafeDeserialization {
   }
 
   private class SinkFromModel extends Sink {
-    SinkFromModel() { this = ModelOutput::getASinkNode("unsafe-deserialization").asSink() }
+    SinkFromModel() { ModelOutput::sinkNode(this, "unsafe-deserialization") }
   }
 }
diff --git a/javascript/ql/test/library-tests/frameworks/data/test.ql b/javascript/ql/test/library-tests/frameworks/data/test.ql
@@ -16,13 +16,13 @@ module TestConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) {
     source.(DataFlow::CallNode).getCalleeName() = "source"
     or
-    source = ModelOutput::getASourceNode("test-source").asSource()
+    ModelOutput::sourceNode(source, "test-source")
   }
 
   predicate isSink(DataFlow::Node sink) {
     sink = any(DataFlow::CallNode call | call.getCalleeName() = "sink").getAnArgument()
     or
-    sink = ModelOutput::getASinkNode("test-sink").asSink()
+    ModelOutput::sinkNode(sink, "test-sink")
   }
 }
 
@@ -48,9 +48,7 @@ query predicate taintFlow(DataFlow::Node source, DataFlow::Node sink) {
   TestFlow::flow(source, sink)
 }
 
-query predicate isSink(DataFlow::Node node, string kind) {
-  node = ModelOutput::getASinkNode(kind).asSink()
-}
+query predicate isSink(DataFlow::Node node, string kind) { ModelOutput::sinkNode(node, kind) }
 
 query predicate syntaxErrors(ApiGraphModels::AccessPath path) { path.hasSyntaxError() }
 
diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPublic.qll b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPublic.qll
@@ -584,10 +584,6 @@ class GuardNode extends ControlFlowNode {
 
 /**
  * Holds if the guard `g` validates `node` upon evaluating to `branch`.
- *
- * The expression `e` is expected to be a syntactic part of the guard `g`.
- * For example, the guard `g` might be a call `isSafe(x)` and the expression `e`
- * the argument `x`.
  */
 signature predicate guardChecksSig(GuardNode g, ControlFlowNode node, boolean branch);
 
diff --git a/python/ql/lib/semmle/python/frameworks/data/ModelsAsData.qll b/python/ql/lib/semmle/python/frameworks/data/ModelsAsData.qll
@@ -24,9 +24,9 @@ private import semmle.python.Concepts
  * A threat-model flow source originating from a data extension.
  */
 private class ThreatModelSourceFromDataExtension extends ThreatModelSource::Range {
-  ThreatModelSourceFromDataExtension() { this = ModelOutput::getASourceNode(_).asSource() }
+  ThreatModelSourceFromDataExtension() { ModelOutput::sourceNode(this, _) }
 
-  override string getThreatModel() { this = ModelOutput::getASourceNode(result).asSource() }
+  override string getThreatModel() { ModelOutput::sourceNode(this, result) }
 
   override string getSourceType() {
     result = "Source node (" + this.getThreatModel() + ") [from data-extension]"
diff --git a/python/ql/lib/semmle/python/frameworks/data/internal/ApiGraphModels.qll b/python/ql/lib/semmle/python/frameworks/data/internal/ApiGraphModels.qll
@@ -781,7 +781,7 @@ module ModelOutput {
     }
 
     /**
-     * Holds if a barrier model contributed `barrier` with the given `kind`.
+     * Holds if a barrier model contributed `barrier` with the given `kind` for the given `branch`.
      */
     cached
     API::Node getABarrierGuardNode(string kind, boolean branch, string model) {
@@ -858,6 +858,25 @@ module ModelOutput {
     result = getABarrierGuardNode(kind, branch, _)
   }
 
+  /**
+   * Holds if `node` is specified as a source with the given kind in an external model.
+   */
+  predicate sourceNode(DataFlow::Node node, string kind) { node = getASourceNode(kind).asSource() }
+
+  /**
+   * Holds if `node` is specified as a sink with the given kind in an external model.
+   */
+  predicate sinkNode(DataFlow::Node node, string kind) { node = getASinkNode(kind).asSink() }
+
+  /**
+   * Holds if `node` is specified as a barrier with the given kind in an external model.
+   */
+  predicate barrierNode(DataFlow::Node node, string kind) {
+    node = getABarrierNode(kind).asSink()
+    or
+    node = DataFlow::ExternalBarrierGuard::getAnExternalBarrierNode(kind)
+  }
+
   private module KindValConfig implements SharedModelVal::KindValidationConfigSig {
     predicate summaryKind(string kind) { summaryModel(_, _, _, _, kind, _) }
 
diff --git a/python/ql/lib/semmle/python/security/dataflow/CodeInjectionCustomizations.qll b/python/ql/lib/semmle/python/security/dataflow/CodeInjectionCustomizations.qll
@@ -50,7 +50,7 @@ module CodeInjection {
   }
 
   private class SinkFromModel extends Sink {
-    SinkFromModel() { this = ModelOutput::getASinkNode("code-injection").asSink() }
+    SinkFromModel() { ModelOutput::sinkNode(this, "code-injection") }
   }
 
   /**
diff --git a/python/ql/lib/semmle/python/security/dataflow/CommandInjectionCustomizations.qll b/python/ql/lib/semmle/python/security/dataflow/CommandInjectionCustomizations.qll
@@ -85,7 +85,7 @@ module CommandInjection {
   }
 
   private class SinkFromModel extends Sink {
-    SinkFromModel() { this = ModelOutput::getASinkNode("command-injection").asSink() }
+    SinkFromModel() { ModelOutput::sinkNode(this, "command-injection") }
   }
 
   /**
diff --git a/python/ql/lib/semmle/python/security/dataflow/LogInjectionCustomizations.qll b/python/ql/lib/semmle/python/security/dataflow/LogInjectionCustomizations.qll
@@ -78,7 +78,7 @@ module LogInjection {
   }
 
   private class SinkFromModel extends Sink {
-    SinkFromModel() { this = ModelOutput::getASinkNode("log-injection").asSink() }
+    SinkFromModel() { ModelOutput::sinkNode(this, "log-injection") }
   }
 
   /**
diff --git a/python/ql/lib/semmle/python/security/dataflow/PathInjectionCustomizations.qll b/python/ql/lib/semmle/python/security/dataflow/PathInjectionCustomizations.qll
@@ -88,7 +88,7 @@ module PathInjection {
   private import semmle.python.frameworks.data.ModelsAsData
 
   private class DataAsFileSink extends Sink {
-    DataAsFileSink() { this = ModelOutput::getASinkNode("path-injection").asSink() }
+    DataAsFileSink() { ModelOutput::sinkNode(this, "path-injection") }
   }
 
   /**
diff --git a/python/ql/lib/semmle/python/security/dataflow/ReflectedXSSCustomizations.qll b/python/ql/lib/semmle/python/security/dataflow/ReflectedXSSCustomizations.qll
@@ -46,9 +46,7 @@ module ReflectedXss {
    * A data flow sink for "reflected cross-site scripting" vulnerabilities.
    */
   private class SinkFromModel extends Sink {
-    SinkFromModel() {
-      this = ModelOutput::getASinkNode(["html-injection", "js-injection"]).asSink()
-    }
+    SinkFromModel() { ModelOutput::sinkNode(this, ["html-injection", "js-injection"]) }
   }
 
   /**
diff --git a/python/ql/lib/semmle/python/security/dataflow/SqlInjectionCustomizations.qll b/python/ql/lib/semmle/python/security/dataflow/SqlInjectionCustomizations.qll
@@ -67,6 +67,6 @@ module SqlInjection {
 
   /** A sink for sql-injection from model data. */
   private class DataAsSqlSink extends Sink {
-    DataAsSqlSink() { this = ModelOutput::getASinkNode("sql-injection").asSink() }
+    DataAsSqlSink() { ModelOutput::sinkNode(this, "sql-injection") }
   }
 }
diff --git a/python/ql/lib/semmle/python/security/dataflow/UnsafeDeserializationCustomizations.qll b/python/ql/lib/semmle/python/security/dataflow/UnsafeDeserializationCustomizations.qll
@@ -55,7 +55,7 @@ module UnsafeDeserialization {
   }
 
   private class SinkFromModel extends Sink {
-    SinkFromModel() { this = ModelOutput::getASinkNode("unsafe-deserialization").asSink() }
+    SinkFromModel() { ModelOutput::sinkNode(this, "unsafe-deserialization") }
   }
 
   /**
diff --git a/python/ql/lib/semmle/python/security/dataflow/UrlRedirectCustomizations.qll b/python/ql/lib/semmle/python/security/dataflow/UrlRedirectCustomizations.qll
@@ -100,7 +100,7 @@ module UrlRedirect {
    * A sink for URL redirection defined via models-as-data.
    */
   private class SinkFromModel extends Sink {
-    SinkFromModel() { this = ModelOutput::getASinkNode("url-redirection").asSink() }
+    SinkFromModel() { ModelOutput::sinkNode(this, "url-redirection") }
   }
 
   /**
diff --git a/python/ql/src/Security/CWE-798/HardcodedCredentials.ql b/python/ql/src/Security/CWE-798/HardcodedCredentials.ql
@@ -83,7 +83,7 @@ class CredentialSink extends DataFlow::Node {
   CredentialSink() {
     exists(string s | s.matches("credentials-%") |
       // Actual sink-type will be things like `credentials-password` or `credentials-username`
-      this = ModelOutput::getASinkNode(s).asSink()
+      ModelOutput::sinkNode(this, s)
     )
     or
     exists(string name |
diff --git a/python/ql/test/experimental/meta/MaDTest.qll b/python/ql/test/experimental/meta/MaDTest.qll
@@ -17,7 +17,7 @@ module MadSinkTest implements TestSig {
   predicate hasActualResult(Location location, string element, string tag, string value) {
     exists(location.getFile().getRelativePath()) and
     exists(DataFlow::Node sink, string kind |
-      sink = ModelOutput::getASinkNode(kind).asSink() and
+      ModelOutput::sinkNode(sink, kind) and
       location = sink.getLocation() and
       element = sink.toString() and
       value = prettyNodeForInlineTest(sink) and
@@ -34,7 +34,7 @@ module MadSourceTest implements TestSig {
   predicate hasActualResult(Location location, string element, string tag, string value) {
     exists(location.getFile().getRelativePath()) and
     exists(DataFlow::Node source, string kind |
-      source = ModelOutput::getASourceNode(kind).asSource() and
+      ModelOutput::sourceNode(source, kind) and
       location = source.getLocation() and
       element = source.toString() and
       value = prettyNodeForInlineTest(source) and
diff --git a/python/ql/test/library-tests/frameworks/data/test.ql b/python/ql/test/library-tests/frameworks/data/test.ql
diff --git a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPublic.qll b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPublic.qll
diff --git a/ruby/ql/lib/codeql/ruby/dataflow/internal/SsaImpl.qll b/ruby/ql/lib/codeql/ruby/dataflow/internal/SsaImpl.qll
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/data/ModelsAsData.qll b/ruby/ql/lib/codeql/ruby/frameworks/data/ModelsAsData.qll
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModels.qll b/ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModels.qll
diff --git a/ruby/ql/lib/codeql/ruby/security/CodeInjectionCustomizations.qll b/ruby/ql/lib/codeql/ruby/security/CodeInjectionCustomizations.qll
diff --git a/ruby/ql/lib/codeql/ruby/security/CommandInjectionCustomizations.qll b/ruby/ql/lib/codeql/ruby/security/CommandInjectionCustomizations.qll
diff --git a/ruby/ql/lib/codeql/ruby/security/LogInjectionQuery.qll b/ruby/ql/lib/codeql/ruby/security/LogInjectionQuery.qll
diff --git a/ruby/ql/lib/codeql/ruby/security/PathInjectionCustomizations.qll b/ruby/ql/lib/codeql/ruby/security/PathInjectionCustomizations.qll
diff --git a/ruby/ql/lib/codeql/ruby/security/ServerSideRequestForgeryCustomizations.qll b/ruby/ql/lib/codeql/ruby/security/ServerSideRequestForgeryCustomizations.qll
diff --git a/ruby/ql/lib/codeql/ruby/security/SqlInjectionCustomizations.qll b/ruby/ql/lib/codeql/ruby/security/SqlInjectionCustomizations.qll
diff --git a/ruby/ql/lib/codeql/ruby/security/UrlRedirectCustomizations.qll b/ruby/ql/lib/codeql/ruby/security/UrlRedirectCustomizations.qll
diff --git a/ruby/ql/test/library-tests/dataflow/summaries/Summaries.ql b/ruby/ql/test/library-tests/dataflow/summaries/Summaries.ql

Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,7 @@ module CredentialsExpr {`
`29`	`29`	`private class CredentialsFromModel extends CredentialsNode {`
`30`	`30`	`string kind;`
`31`	`31`
`32`		`- CredentialsFromModel() { this = ModelOutput::getASinkNode("credentials-" + kind).asSink() }`
	`32`	`+ CredentialsFromModel() { ModelOutput::sinkNode(this, "credentials-" + kind) }`
`33`	`33`
`34`	`34`	`override string getCredentialsKind() { result = CredentialsExpr::normalizeKind(kind) }`
`35`	`35`	`}`
Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,7 @@ module NoSql {`
`13`	`13`	`}`
`14`	`14`
`15`	`15`	`private class QueryFromModel extends Query {`
`16`		`- QueryFromModel() { this = ModelOutput::getASinkNode("nosql-injection").asSink() }`
	`16`	`+ QueryFromModel() { ModelOutput::sinkNode(this, "nosql-injection") }`
`17`	`17`	`}`
`18`	`18`	`}`
`19`	`19`
`@@ -46,7 +46,7 @@ private module MongoDB {`
`46`	`46`
`47`	`47`	`override DataFlow::Node getAQueryArgument() {`
`48`	`48`	`result = [this.getAnArgument(), this.getOptionArgument(_, _)] and`
`49`		`- result = ModelOutput::getASinkNode("mongodb.sink").asSink()`
	`49`	`+ ModelOutput::sinkNode(result, "mongodb.sink")`
`50`	`50`	`}`
`51`	`51`
`52`	`52`	`override DataFlow::Node getAResult() {`
Original file line number	Diff line number	Diff line change
`@@ -9,7 +9,7 @@ module SQL {`
`9`	`9`	`abstract class SqlString extends DataFlow::Node { }`
`10`	`10`
`11`	`11`	`private class SqlStringFromModel extends SqlString {`
`12`		`- SqlStringFromModel() { this = ModelOutput::getASinkNode("sql-injection").asSink() }`
	`12`	`+ SqlStringFromModel() { ModelOutput::sinkNode(this, "sql-injection") }`
`13`	`13`	`}`
`14`	`14`
`15`	`15`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -66,7 +66,7 @@ module CorsPermissiveConfiguration {`
`66`	`66`	`* The value of cors origin when initializing the application.`
`67`	`67`	`*/`
`68`	`68`	`class CorsOriginSink extends Sink, DataFlow::ValueNode {`
`69`		`- CorsOriginSink() { this = ModelOutput::getASinkNode("cors-origin").asSink() }`
	`69`	`+ CorsOriginSink() { ModelOutput::sinkNode(this, "cors-origin") }`
`70`	`70`	`}`
`71`	`71`
`72`	`72`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -268,6 +268,6 @@ module ClientSideUrlRedirect {`
`268`	`268`	`}`
`269`	`269`
`270`	`270`	`private class SinkFromModel extends Sink {`
`271`		`- SinkFromModel() { this = ModelOutput::getASinkNode("url-redirection").asSink() }`
	`271`	`+ SinkFromModel() { ModelOutput::sinkNode(this, "url-redirection") }`
`272`	`272`	`}`
`273`	`273`	`}`
Original file line number	Diff line number	Diff line change
`@@ -436,6 +436,6 @@ module CodeInjection {`
`436`	`436`	`class JsonStringifySanitizer extends Sanitizer, JsonStringifyCall { }`
`437`	`437`
`438`	`438`	`private class SinkFromModel extends Sink {`
`439`		`- SinkFromModel() { this = ModelOutput::getASinkNode("code-injection").asSink() }`
	`439`	`+ SinkFromModel() { ModelOutput::sinkNode(this, "code-injection") }`
`440`	`440`	`}`
`441`	`441`	`}`
Original file line number	Diff line number	Diff line change
`@@ -56,6 +56,6 @@ module CommandInjection {`
`56`	`56`	`}`
`57`	`57`
`58`	`58`	`private class SinkFromModel extends Sink {`
`59`		`- SinkFromModel() { this = ModelOutput::getASinkNode("command-injection").asSink() }`
	`59`	`+ SinkFromModel() { ModelOutput::sinkNode(this, "command-injection") }`
`60`	`60`	`}`
`61`	`61`	`}`