Share HttpToFileAccessQuery between JS and Ruby

There's so little in this query that it may not be worth sharing, but
it's an interesting exercise in figuring out how we do it nicely.

Author: hmac

config/identical-files.json

@@ -533,5 +533,13 @@
   "TaintedFormatStringCustomizations Ruby/JS": [
     "javascript/ql/lib/semmle/javascript/security/dataflow/TaintedFormatStringCustomizations.qll",
     "ruby/ql/lib/codeql/ruby/security/TaintedFormatStringCustomizations.qll"
+  ],
+  "HttpToFileAccessQuery JS/Ruby": [
+    "javascript/ql/lib/semmle/javascript/security/dataflow/HttpToFileAccessQuery.qll",
+    "ruby/ql/lib/codeql/ruby/security/HttpToFileAccessQuery.qll"
+  ],
+  "HttpToFileAccessCustomizations JS/Ruby": [
+    "javascript/ql/lib/semmle/javascript/security/dataflow/HttpToFileAccessCustomizations.qll",
+    "ruby/ql/lib/codeql/ruby/security/HttpToFileAccessCustomizations.qll"
   ]
 }

javascript/ql/lib/semmle/javascript/security/dataflow/HttpToFileAccessCustomizations.qll

@@ -3,11 +3,9 @@
  * writing user-controlled data to files, as well as extension points
  * for adding your own.
  */
-
-import javascript
-import semmle.javascript.security.dataflow.RemoteFlowSources
-
 module HttpToFileAccess {
+  import HttpToFileAccessSpecific
+
   /**
    * A data flow source for writing user-controlled data to files.
    */
@@ -23,18 +21,6 @@ module HttpToFileAccess {
    */
   abstract class Sanitizer extends DataFlow::Node { }
 
-  /**
-   * An access to a user-controlled HTTP request input, considered as a flow source for writing user-controlled data to files
-   */
-  private class RequestInputAccessAsSource extends Source {
-    RequestInputAccessAsSource() { this instanceof HTTP::RequestInputAccess }
-  }
-
-  /** A response from a server, considered as a flow source for writing user-controlled data to files. */
-  private class ServerResponseAsSource extends Source {
-    ServerResponseAsSource() { this = any(ClientRequest r).getAResponseDataNode() }
-  }
-
   /** A sink that represents file access method (write, append) argument */
   class FileAccessAsSink extends Sink {
     FileAccessAsSink() { exists(FileSystemWriteAccess src | this = src.getADataNode()) }

javascript/ql/lib/semmle/javascript/security/dataflow/HttpToFileAccessQuery.qll

@@ -6,8 +6,7 @@
  * `HttpToFileAccessCustomizations` should be imported instead.
  */
 
-import javascript
-import HttpToFileAccessCustomizations::HttpToFileAccess
+private import HttpToFileAccessCustomizations::HttpToFileAccess
 
 /**
  * A taint tracking configuration for writing user-controlled data to files.

javascript/ql/lib/semmle/javascript/security/dataflow/HttpToFileAccessSpecific.qll

@@ -0,0 +1,19 @@
+/**
+ * Provides imports and classes needed for `HttpToFileAccessQuery` and `HttpToFileAccessCustomizations`.
+ */
+
+import javascript
+import semmle.javascript.security.dataflow.RemoteFlowSources
+private import HttpToFileAccessCustomizations::HttpToFileAccess
+
+/**
+ * An access to a user-controlled HTTP request input, considered as a flow source for writing user-controlled data to files
+ */
+private class RequestInputAccessAsSource extends Source {
+  RequestInputAccessAsSource() { this instanceof HTTP::RequestInputAccess }
+}
+
+/** A response from a server, considered as a flow source for writing user-controlled data to files. */
+private class ServerResponseAsSource extends Source {
+  ServerResponseAsSource() { this = any(ClientRequest r).getAResponseDataNode() }
+}

ruby/ql/lib/codeql/ruby/security/HttpToFileAccessCustomizations.qll

@@ -1,20 +1,11 @@
-/**
- * Provides default sources, sinks and sanitizers for reasoning about
- * writing user-controlled data to files, as well as extension points
- * for adding your own.
- */
-
-import ruby
-import codeql.ruby.DataFlow
-import codeql.ruby.dataflow.RemoteFlowSources
-import codeql.ruby.Concepts
-
 /**
  * Provides default sources, sinks and sanitizers for reasoning about
  * writing user-controlled data to files, as well as extension points
  * for adding your own.
  */
 module HttpToFileAccess {
+  import HttpToFileAccessSpecific
+
   /**
    * A data flow source for writing user-controlled data to files.
    */
@@ -30,17 +21,6 @@ module HttpToFileAccess {
    */
   abstract class Sanitizer extends DataFlow::Node { }
 
-  /**
-   * An access to a user-controlled HTTP request input, considered as a flow source for writing user-controlled data to files
-   */
-  private class RequestInputAccessAsSource extends Source instanceof HTTP::Server::RequestInputAccess {
-  }
-
-  /** A response from an outgoing HTTP request, considered as a flow source for writing user-controlled data to files. */
-  private class HttpResponseAsSource extends Source {
-    HttpResponseAsSource() { this = any(HTTP::Client::Request r).getResponseBody() }
-  }
-
   /** A sink that represents file access method (write, append) argument */
   class FileAccessAsSink extends Sink {
     FileAccessAsSink() { exists(FileSystemWriteAccess src | this = src.getADataNode()) }

ruby/ql/lib/codeql/ruby/security/HttpToFileAccessQuery.qll

@@ -6,10 +6,7 @@
  * `HttpToFileAccessCustomizations` should be imported instead.
  */
 
-import ruby
-import codeql.ruby.TaintTracking
-import codeql.ruby.DataFlow
-import codeql.ruby.security.HttpToFileAccessCustomizations::HttpToFileAccess
+private import HttpToFileAccessCustomizations::HttpToFileAccess
 
 /**
  * A taint tracking configuration for writing user-controlled data to files.

ruby/ql/lib/codeql/ruby/security/HttpToFileAccessSpecific.qll

@@ -0,0 +1,21 @@
+/**
+ * Provides imports and classes needed for `HttpToFileAccessQuery` and `HttpToFileAccessCustomizations`.
+ */
+
+import ruby
+import codeql.ruby.DataFlow
+import codeql.ruby.dataflow.RemoteFlowSources
+import codeql.ruby.Concepts
+import codeql.ruby.TaintTracking
+private import HttpToFileAccessCustomizations::HttpToFileAccess
+
+/**
+ * An access to a user-controlled HTTP request input, considered as a flow source for writing user-controlled data to files
+ */
+private class RequestInputAccessAsSource extends Source instanceof HTTP::Server::RequestInputAccess {
+}
+
+/** A response from an outgoing HTTP request, considered as a flow source for writing user-controlled data to files. */
+private class HttpResponseAsSource extends Source {
+  HttpResponseAsSource() { this = any(HTTP::Client::Request r).getResponseBody() }
+}

ruby/ql/src/queries/security/cwe-912/HttpToFileAccess.ql

@@ -12,6 +12,7 @@
  */
 
 import ruby
+import codeql.ruby.DataFlow
 import codeql.ruby.DataFlow::DataFlow::PathGraph
 import codeql.ruby.security.HttpToFileAccessQuery