Java: move query restrictions to libraries

To be folded into the previous commit before merge.
github · Aug 16, 2024 · 888db84 · 888db84
1 parent ba6ac7e
commit 888db84
Show file tree

Hide file tree

Showing 89 changed files with 68 additions and 261 deletions.
diff --git a/java/ql/lib/semmle/code/java/security/AndroidIntentRedirectionQuery.qll b/java/ql/lib/semmle/code/java/security/AndroidIntentRedirectionQuery.qll
@@ -42,7 +42,8 @@ module IntentRedirectionConfig implements DataFlow::ConfigSig {
 }
 
 /** Tracks the flow of tainted Intents being used to start Android components. */
-module IntentRedirectionFlow = TaintTracking::Global<IntentRedirectionConfig>;
+module IntentRedirectionFlow =
+  TaintTracking::Global<DataFlow::FilteredConfig<IntentRedirectionConfig>>;
 
 /**
  * A sanitizer for sinks that receive the original incoming Intent,

diff --git a/java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll b/java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll
@@ -36,4 +36,4 @@ module InsecureCryptoConfig implements DataFlow::ConfigSig {
 /**
  * Taint-tracking flow for use of broken or risky cryptographic algorithms.
  */
-module InsecureCryptoFlow = TaintTracking::Global<InsecureCryptoConfig>;
+module InsecureCryptoFlow = TaintTracking::Global<DataFlow::FilteredConfig<InsecureCryptoConfig>>;
diff --git a/java/ql/lib/semmle/code/java/security/CleartextStorageQuery.qll b/java/ql/lib/semmle/code/java/security/CleartextStorageQuery.qll
@@ -36,8 +36,7 @@ abstract class Storable extends Call {
   abstract Expr getAStore();
 }
 
-/** Flow configuration for sensitive data flowing into cleartext storage. */
-module SensitiveSourceFlowConfig implements DataFlow::ConfigSig {
+private module SensitiveSourceFlowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SensitiveExpr }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof CleartextStorageSink }

diff --git a/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll b/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll
@@ -68,7 +68,8 @@ deprecated module RemoteUserInputToArgumentToExecFlowConfig = InputToArgumentToE
 /**
  * Taint-tracking flow for unvalidated input that is used to run an external process.
  */
-module InputToArgumentToExecFlow = TaintTracking::Global<InputToArgumentToExecFlowConfig>;
+module InputToArgumentToExecFlow =
+  TaintTracking::Global<DataFlow::FilteredConfig<InputToArgumentToExecFlowConfig>>;
 
 /**
  * DEPRECATED: Use `InputToArgumentToExecFlow` instead.

diff --git a/java/ql/lib/semmle/code/java/security/ExternallyControlledFormatStringQuery.qll b/java/ql/lib/semmle/code/java/security/ExternallyControlledFormatStringQuery.qll
@@ -29,4 +29,4 @@ module ExternallyControlledFormatStringConfig implements DataFlow::ConfigSig {
  * Taint-tracking flow for externally controlled format string vulnerabilities.
  */
 module ExternallyControlledFormatStringFlow =
-  TaintTracking::Global<ExternallyControlledFormatStringConfig>;
+  TaintTracking::Global<DataFlow::FilteredConfig<ExternallyControlledFormatStringConfig>>;
diff --git a/java/ql/lib/semmle/code/java/security/FragmentInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/FragmentInjectionQuery.qll
@@ -41,4 +41,5 @@ module FragmentInjectionTaintConfig implements DataFlow::ConfigSig {
  * Taint-tracking flow for unsafe user input
  * that is used to create Android fragments dynamically.
  */
-module FragmentInjectionTaintFlow = TaintTracking::Global<FragmentInjectionTaintConfig>;
+module FragmentInjectionTaintFlow =
+  TaintTracking::Global<DataFlow::FilteredConfig<FragmentInjectionTaintConfig>>;
diff --git a/java/ql/lib/semmle/code/java/security/GroovyInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/GroovyInjectionQuery.qll
@@ -41,4 +41,4 @@ module GroovyInjectionConfig implements DataFlow::ConfigSig {
  * Detect taint flow of unsafe user input
  * that is used to evaluate a Groovy expression.
  */
-module GroovyInjectionFlow = TaintTracking::Global<GroovyInjectionConfig>;
+module GroovyInjectionFlow = TaintTracking::Global<DataFlow::FilteredConfig<GroovyInjectionConfig>>;
diff --git a/java/ql/lib/semmle/code/java/security/ImplicitPendingIntentsQuery.qll b/java/ql/lib/semmle/code/java/security/ImplicitPendingIntentsQuery.qll
@@ -100,4 +100,4 @@ module ImplicitPendingIntentStartConfig implements DataFlow::StateConfigSig {
 }
 
 module ImplicitPendingIntentStartFlow =
-  TaintTracking::GlobalWithState<ImplicitPendingIntentStartConfig>;
+  TaintTracking::GlobalWithState<DataFlow::FilteredStateConfig<ImplicitPendingIntentStartConfig>>;
diff --git a/java/ql/lib/semmle/code/java/security/InsecureBeanValidationQuery.qll b/java/ql/lib/semmle/code/java/security/InsecureBeanValidationQuery.qll
@@ -52,7 +52,7 @@ module BeanValidationConfig implements DataFlow::ConfigSig {
 }
 
 /** Tracks flow from user input to the argument of a method that builds constraint error messages. */
-module BeanValidationFlow = TaintTracking::Global<BeanValidationConfig>;
+module BeanValidationFlow = TaintTracking::Global<DataFlow::FilteredConfig<BeanValidationConfig>>;
 
 /**
  * A bean validation sink, such as method `buildConstraintViolationWithTemplate`

diff --git a/java/ql/lib/semmle/code/java/security/InsecureLdapAuthQuery.qll b/java/ql/lib/semmle/code/java/security/InsecureLdapAuthQuery.qll
@@ -24,7 +24,7 @@ module InsecureLdapUrlConfig implements DataFlow::ConfigSig {
   }
 }
 
-module InsecureLdapUrlFlow = TaintTracking::Global<InsecureLdapUrlConfig>;
+module InsecureLdapUrlFlow = TaintTracking::Global<DataFlow::FilteredConfig<InsecureLdapUrlConfig>>;
 
 /**
  * A taint-tracking configuration for `simple` basic-authentication in LDAP configuration.

diff --git a/java/ql/lib/semmle/code/java/security/InsecureRandomnessQuery.qll b/java/ql/lib/semmle/code/java/security/InsecureRandomnessQuery.qll
@@ -101,4 +101,5 @@ module InsecureRandomnessConfig implements DataFlow::ConfigSig {
 /**
  * Taint-tracking flow of a Insecurely random value into a sensitive sink.
  */
-module InsecureRandomnessFlow = TaintTracking::Global<InsecureRandomnessConfig>;
+module InsecureRandomnessFlow =
+  TaintTracking::Global<DataFlow::FilteredConfig<InsecureRandomnessConfig>>;
diff --git a/java/ql/lib/semmle/code/java/security/InsecureTrustManagerQuery.qll b/java/ql/lib/semmle/code/java/security/InsecureTrustManagerQuery.qll
@@ -42,4 +42,5 @@ module InsecureTrustManagerConfig implements DataFlow::ConfigSig {
   }
 }
 
-module InsecureTrustManagerFlow = DataFlow::Global<InsecureTrustManagerConfig>;
+module InsecureTrustManagerFlow =
+  DataFlow::Global<DataFlow::FilteredConfig<InsecureTrustManagerConfig>>;
diff --git a/java/ql/lib/semmle/code/java/security/InsufficientKeySizeQuery.qll b/java/ql/lib/semmle/code/java/security/InsufficientKeySizeQuery.qll
@@ -36,4 +36,4 @@ module KeySizeConfig implements DataFlow::StateConfigSig {
 }
 
 /** Tracks key sizes used in cryptographic algorithms. */
-module KeySizeFlow = DataFlow::GlobalWithState<KeySizeConfig>;
+module KeySizeFlow = DataFlow::GlobalWithState<DataFlow::FilteredStateConfig<KeySizeConfig>>;
diff --git a/java/ql/lib/semmle/code/java/security/IntentUriPermissionManipulationQuery.qll b/java/ql/lib/semmle/code/java/security/IntentUriPermissionManipulationQuery.qll
@@ -52,4 +52,4 @@ module IntentUriPermissionManipulationConfig implements DataFlow::ConfigSig {
  * Taint tracking flow for user-provided Intents being returned to third party apps.
  */
 module IntentUriPermissionManipulationFlow =
-  TaintTracking::Global<IntentUriPermissionManipulationConfig>;
+  TaintTracking::Global<DataFlow::FilteredConfig<IntentUriPermissionManipulationConfig>>;
diff --git a/java/ql/lib/semmle/code/java/security/JexlInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/JexlInjectionQuery.qll
@@ -76,7 +76,7 @@ module JexlInjectionConfig implements DataFlow::ConfigSig {
  * Tracks unsafe user input that is used to construct and evaluate a JEXL expression.
  * It supports both JEXL 2 and 3.
  */
-module JexlInjectionFlow = TaintTracking::Global<JexlInjectionConfig>;
+module JexlInjectionFlow = TaintTracking::Global<DataFlow::FilteredConfig<JexlInjectionConfig>>;
 
 /**
  * Holds if `n1` to `n2` is a dataflow step that creates a JEXL script using an unsafe engine

diff --git a/java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll
@@ -48,7 +48,7 @@ module JndiInjectionFlowConfig implements DataFlow::ConfigSig {
 }
 
 /** Tracks flow of unvalidated user input that is used in JNDI lookup */
-module JndiInjectionFlow = TaintTracking::Global<JndiInjectionFlowConfig>;
+module JndiInjectionFlow = TaintTracking::Global<DataFlow::FilteredConfig<JndiInjectionFlowConfig>>;
 
 /**
  * A method that does a JNDI lookup when it receives a `SearchControls` argument with `setReturningObjFlag` = `true`

diff --git a/java/ql/lib/semmle/code/java/security/LdapInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/LdapInjectionQuery.qll
@@ -20,4 +20,4 @@ module LdapInjectionFlowConfig implements DataFlow::ConfigSig {
 }
 
 /** Tracks flow from remote sources to LDAP injection vulnerabilities. */
-module LdapInjectionFlow = TaintTracking::Global<LdapInjectionFlowConfig>;
+module LdapInjectionFlow = TaintTracking::Global<DataFlow::FilteredConfig<LdapInjectionFlowConfig>>;
diff --git a/java/ql/lib/semmle/code/java/security/MissingJWTSignatureCheckQuery.qll b/java/ql/lib/semmle/code/java/security/MissingJWTSignatureCheckQuery.qll
@@ -38,4 +38,5 @@ module MissingJwtSignatureCheckConfig implements DataFlow::ConfigSig {
   }
 }
 
-module MissingJwtSignatureCheckFlow = DataFlow::Global<MissingJwtSignatureCheckConfig>;
+module MissingJwtSignatureCheckFlow =
+  DataFlow::Global<DataFlow::FilteredConfig<MissingJwtSignatureCheckConfig>>;
diff --git a/java/ql/lib/semmle/code/java/security/MvelInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/MvelInjectionQuery.qll
@@ -44,4 +44,4 @@ module MvelInjectionFlowConfig implements DataFlow::ConfigSig {
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate a MVEL expression. */
-module MvelInjectionFlow = TaintTracking::Global<MvelInjectionFlowConfig>;
+module MvelInjectionFlow = TaintTracking::Global<DataFlow::FilteredConfig<MvelInjectionFlowConfig>>;
diff --git a/java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll b/java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll
@@ -107,7 +107,7 @@ module NumericCastFlowConfig implements DataFlow::ConfigSig {
 /**
  * Taint-tracking flow for user input that is used in a numeric cast.
  */
-module NumericCastFlow = TaintTracking::Global<NumericCastFlowConfig>;
+module NumericCastFlow = TaintTracking::Global<DataFlow::FilteredConfig<NumericCastFlowConfig>>;
 
 /**
  * A taint-tracking configuration for reasoning about local user input that is

diff --git a/java/ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll
@@ -42,4 +42,4 @@ module OgnlInjectionFlowConfig implements DataFlow::ConfigSig {
 }
 
 /** Tracks flow of unvalidated user input that is used in OGNL EL evaluation. */
-module OgnlInjectionFlow = TaintTracking::Global<OgnlInjectionFlowConfig>;
+module OgnlInjectionFlow = TaintTracking::Global<DataFlow::FilteredConfig<OgnlInjectionFlowConfig>>;
diff --git a/java/ql/lib/semmle/code/java/security/PartialPathTraversalQuery.qll b/java/ql/lib/semmle/code/java/security/PartialPathTraversalQuery.qll
@@ -38,4 +38,4 @@ module PartialPathTraversalFromRemoteConfig implements DataFlow::ConfigSig {
 
 /** Tracks flow of unsafe user input that is used to validate against path traversal, but is insufficient and remains vulnerable to Partial Path Traversal. */
 module PartialPathTraversalFromRemoteFlow =
-  TaintTracking::Global<PartialPathTraversalFromRemoteConfig>;
+  TaintTracking::Global<DataFlow::FilteredConfig<PartialPathTraversalFromRemoteConfig>>;
diff --git a/java/ql/lib/semmle/code/java/security/RequestForgeryConfig.qll b/java/ql/lib/semmle/code/java/security/RequestForgeryConfig.qll
@@ -55,4 +55,4 @@ module RequestForgeryConfig implements DataFlow::ConfigSig {
   predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
 }
 
-module RequestForgeryFlow = TaintTracking::Global<RequestForgeryConfig>;
+module RequestForgeryFlow = TaintTracking::Global<DataFlow::FilteredConfig<RequestForgeryConfig>>;
diff --git a/java/ql/lib/semmle/code/java/security/ResponseSplittingQuery.qll b/java/ql/lib/semmle/code/java/security/ResponseSplittingQuery.qll
@@ -36,4 +36,5 @@ module ResponseSplittingConfig implements DataFlow::ConfigSig {
 /**
  * Tracks flow from remote sources to response splitting vulnerabilities.
  */
-module ResponseSplittingFlow = TaintTracking::Global<ResponseSplittingConfig>;
+module ResponseSplittingFlow =
+  TaintTracking::Global<DataFlow::FilteredConfig<ResponseSplittingConfig>>;
diff --git a/java/ql/lib/semmle/code/java/security/RsaWithoutOaepQuery.qll b/java/ql/lib/semmle/code/java/security/RsaWithoutOaepQuery.qll
@@ -45,4 +45,4 @@ module RsaWithoutOaepConfig implements DataFlow::ConfigSig {
 }
 
 /** Flow for finding RSA ciphers initialized without using OAEP padding. */
-module RsaWithoutOaepFlow = DataFlow::Global<RsaWithoutOaepConfig>;
+module RsaWithoutOaepFlow = DataFlow::Global<DataFlow::FilteredConfig<RsaWithoutOaepConfig>>;
diff --git a/java/ql/lib/semmle/code/java/security/SpelInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/SpelInjectionQuery.qll
@@ -39,7 +39,7 @@ module SpelInjectionConfig implements DataFlow::ConfigSig {
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate a SpEL expression. */
-module SpelInjectionFlow = TaintTracking::Global<SpelInjectionConfig>;
+module SpelInjectionFlow = TaintTracking::Global<DataFlow::FilteredConfig<SpelInjectionConfig>>;
 
 /** Default sink for SpEL injection vulnerabilities. */
 private class DefaultSpelExpressionEvaluationSink extends SpelExpressionEvaluationSink {

diff --git a/java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll
@@ -50,7 +50,8 @@ module QueryInjectionFlowConfig implements DataFlow::ConfigSig {
 }
 
 /** Tracks flow of unvalidated user input that is used in SQL queries. */
-module QueryInjectionFlow = TaintTracking::Global<QueryInjectionFlowConfig>;
+module QueryInjectionFlow =
+  TaintTracking::Global<DataFlow::FilteredConfig<QueryInjectionFlowConfig>>;
 
 /**
  * Implementation of `SqlTainted.ql`. This is extracted to a QLL so that it

diff --git a/java/ql/lib/semmle/code/java/security/StackTraceExposureQuery.qll b/java/ql/lib/semmle/code/java/security/StackTraceExposureQuery.qll
@@ -7,7 +7,7 @@ private import semmle.code.java.security.InformationLeak
 /**
  * One of the `printStackTrace()` overloads on `Throwable`.
  */
-class PrintStackTraceMethod extends Method {
+private class PrintStackTraceMethod extends Method {
   PrintStackTraceMethod() {
     this.getDeclaringType()
         .getSourceDeclaration()
@@ -17,11 +17,7 @@ class PrintStackTraceMethod extends Method {
   }
 }
 
-/**
- * Flow configuration for xss vulnerable writer source flowing to `Throwable.printStackTrace()` on
- * a stream that is connected to external output.
- */
-module ServletWriterSourceToPrintStackTraceMethodFlowConfig implements DataFlow::ConfigSig {
+private module ServletWriterSourceToPrintStackTraceMethodFlowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node src) { src instanceof XssVulnerableWriterSourceNode }
 
   predicate isSink(DataFlow::Node sink) {
@@ -32,7 +28,7 @@ module ServletWriterSourceToPrintStackTraceMethodFlowConfig implements DataFlow:
 }
 
 private module ServletWriterSourceToPrintStackTraceMethodFlow =
-  TaintTracking::Global<ServletWriterSourceToPrintStackTraceMethodFlowConfig>;
+  TaintTracking::Global<DataFlow::FilteredConfig<ServletWriterSourceToPrintStackTraceMethodFlowConfig>>;
 
 /**
  * A call that uses `Throwable.printStackTrace()` on a stream that is connected
@@ -59,10 +55,7 @@ private predicate printWriterOnStringWriter(Expr printWriter, Variable stringWri
   )
 }
 
-/**
- * Holds if `stackTraceString` writes the stack trace from `exception` to a string.
- */
-predicate stackTraceExpr(Expr exception, MethodCall stackTraceString) {
+private predicate stackTraceExpr(Expr exception, MethodCall stackTraceString) {
   exists(Expr printWriter, Variable stringWriterVar, MethodCall printStackCall |
     printWriterOnStringWriter(printWriter, stringWriterVar) and
     printStackCall.getMethod() instanceof PrintStackTraceMethod and
@@ -73,15 +66,14 @@ predicate stackTraceExpr(Expr exception, MethodCall stackTraceString) {
   )
 }
 
-/** Flow configuration for stack trace flowing to http response. */
-module StackTraceStringToHttpResponseSinkFlowConfig implements DataFlow::ConfigSig {
+private module StackTraceStringToHttpResponseSinkFlowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node src) { stackTraceExpr(_, src.asExpr()) }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof InformationLeakSink }
 }
 
 private module StackTraceStringToHttpResponseSinkFlow =
-  TaintTracking::Global<StackTraceStringToHttpResponseSinkFlowConfig>;
+  TaintTracking::Global<DataFlow::FilteredConfig<StackTraceStringToHttpResponseSinkFlowConfig>>;
 
 /**
  * Holds if `call` writes the data of `stackTrace` to an external stream.

diff --git a/java/ql/lib/semmle/code/java/security/StaticInitializationVectorQuery.qll b/java/ql/lib/semmle/code/java/security/StaticInitializationVectorQuery.qll
@@ -144,4 +144,5 @@ module StaticInitializationVectorConfig implements DataFlow::ConfigSig {
 }
 
 /** Tracks the flow from a static initialization vector to the initialization of a cipher */
-module StaticInitializationVectorFlow = TaintTracking::Global<StaticInitializationVectorConfig>;
+module StaticInitializationVectorFlow =
+  TaintTracking::Global<DataFlow::FilteredConfig<StaticInitializationVectorConfig>>;
diff --git a/java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll b/java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll
@@ -75,7 +75,7 @@ module TaintedPathConfig implements DataFlow::ConfigSig {
 }
 
 /** Tracks flow from remote sources to the creation of a path. */
-module TaintedPathFlow = TaintTracking::Global<TaintedPathConfig>;
+module TaintedPathFlow = TaintTracking::Global<DataFlow::FilteredConfig<TaintedPathConfig>>;
 
 /**
  * A taint-tracking configuration for tracking flow from local user input to the creation of a path.

diff --git a/java/ql/lib/semmle/code/java/security/TaintedPermissionsCheckQuery.qll b/java/ql/lib/semmle/code/java/security/TaintedPermissionsCheckQuery.qll
@@ -62,4 +62,5 @@ module TaintedPermissionsCheckFlowConfig implements DataFlow::ConfigSig {
 }
 
 /** Tracks flow from user input to a permissions check. */
-module TaintedPermissionsCheckFlow = TaintTracking::Global<TaintedPermissionsCheckFlowConfig>;
+module TaintedPermissionsCheckFlow =
+  TaintTracking::Global<DataFlow::FilteredConfig<TaintedPermissionsCheckFlowConfig>>;
diff --git a/java/ql/lib/semmle/code/java/security/TemplateInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/TemplateInjectionQuery.qll
@@ -55,4 +55,5 @@ module TemplateInjectionFlowConfig implements DataFlow::ConfigSig {
 }
 
 /** Tracks server-side template injection (SST) vulnerabilities */
-module TemplateInjectionFlow = TaintTracking::Global<TemplateInjectionFlowConfig>;
+module TemplateInjectionFlow =
+  TaintTracking::Global<DataFlow::FilteredConfig<TemplateInjectionFlowConfig>>;
diff --git a/java/ql/lib/semmle/code/java/security/UnsafeContentUriResolutionQuery.qll b/java/ql/lib/semmle/code/java/security/UnsafeContentUriResolutionQuery.qll
@@ -44,4 +44,5 @@ module UnsafeContentResolutionConfig implements DataFlow::ConfigSig {
 }
 
 /** Taint-tracking flow to find paths from remote sources to content URI resolutions. */
-module UnsafeContentResolutionFlow = TaintTracking::Global<UnsafeContentResolutionConfig>;
+module UnsafeContentResolutionFlow =
+  TaintTracking::Global<DataFlow::FilteredConfig<UnsafeContentResolutionConfig>>;
diff --git a/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll b/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll
@@ -334,7 +334,7 @@ deprecated class UnsafeDeserializationConfig extends TaintTracking::Configuratio
 }
 
 /** Tracks flows from remote user input to a deserialization sink. */
-module UnsafeDeserializationConfig implements DataFlow::ConfigSig {
+private module UnsafeDeserializationConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeDeserializationSink }
@@ -346,7 +346,8 @@ module UnsafeDeserializationConfig implements DataFlow::ConfigSig {
   predicate isBarrier(DataFlow::Node node) { isUnsafeDeserializationSanitizer(node) }
 }
 
-module UnsafeDeserializationFlow = TaintTracking::Global<UnsafeDeserializationConfig>;
+module UnsafeDeserializationFlow =
+  TaintTracking::Global<DataFlow::FilteredConfig<UnsafeDeserializationConfig>>;
 
 /**
  * Gets a safe usage of the `use` method of Flexjson, which could be:

diff --git a/java/ql/lib/semmle/code/java/security/UnsafeHostnameVerificationQuery.qll b/java/ql/lib/semmle/code/java/security/UnsafeHostnameVerificationQuery.qll
@@ -68,7 +68,8 @@ module TrustAllHostnameVerifierConfig implements DataFlow::ConfigSig {
 }
 
 /** Data flow to model the flow of a `TrustAllHostnameVerifier` to a `set(Default)HostnameVerifier` call. */
-module TrustAllHostnameVerifierFlow = DataFlow::Global<TrustAllHostnameVerifierConfig>;
+module TrustAllHostnameVerifierFlow =
+  DataFlow::Global<DataFlow::FilteredConfig<TrustAllHostnameVerifierConfig>>;
 
 /**
  * A sink that sets the `HostnameVerifier` on `HttpsURLConnection`.

diff --git a/java/ql/lib/semmle/code/java/security/UrlForwardQuery.qll b/java/ql/lib/semmle/code/java/security/UrlForwardQuery.qll
@@ -200,4 +200,4 @@ module UrlForwardFlowConfig implements DataFlow::ConfigSig {
 /**
  * Taint-tracking flow for URL forwarding.
  */
-module UrlForwardFlow = TaintTracking::Global<UrlForwardFlowConfig>;
+module UrlForwardFlow = TaintTracking::Global<DataFlow::FilteredConfig<UrlForwardFlowConfig>>;
diff --git a/java/ql/lib/semmle/code/java/security/UrlRedirectQuery.qll b/java/ql/lib/semmle/code/java/security/UrlRedirectQuery.qll
@@ -18,4 +18,4 @@ module UrlRedirectConfig implements DataFlow::ConfigSig {
 /**
  * Taint-tracking flow for URL redirections.
  */
-module UrlRedirectFlow = TaintTracking::Global<UrlRedirectConfig>;
+module UrlRedirectFlow = TaintTracking::Global<DataFlow::FilteredConfig<UrlRedirectConfig>>;
diff --git a/java/ql/lib/semmle/code/java/security/WebviewDebuggingEnabledQuery.qll b/java/ql/lib/semmle/code/java/security/WebviewDebuggingEnabledQuery.qll
@@ -75,4 +75,5 @@ module WebviewDebugEnabledConfig implements DataFlow::ConfigSig {
 /**
  * Tracks instances of `setWebContentDebuggingEnabled` with `true` values.
  */
-module WebviewDebugEnabledFlow = DataFlow::Global<WebviewDebugEnabledConfig>;
+module WebviewDebugEnabledFlow =
+  DataFlow::Global<DataFlow::FilteredConfig<WebviewDebugEnabledConfig>>;
diff --git a/java/ql/lib/semmle/code/java/security/XPathInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/XPathInjectionQuery.qll
@@ -17,4 +17,4 @@ module XPathInjectionConfig implements DataFlow::ConfigSig {
 /**
  * Taint-tracking flow for XPath injection vulnerabilities.
  */
-module XPathInjectionFlow = TaintTracking::Global<XPathInjectionConfig>;
+module XPathInjectionFlow = TaintTracking::Global<DataFlow::FilteredConfig<XPathInjectionConfig>>;
diff --git a/java/ql/lib/semmle/code/java/security/XsltInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/XsltInjectionQuery.qll
@@ -46,7 +46,7 @@ module XsltInjectionFlowConfig implements DataFlow::ConfigSig {
 /**
  * Tracks flow from unvalidated user input to XSLT transformation.
  */
-module XsltInjectionFlow = TaintTracking::Global<XsltInjectionFlowConfig>;
+module XsltInjectionFlow = TaintTracking::Global<DataFlow::FilteredConfig<XsltInjectionFlowConfig>>;
 
 /**
  * A set of additional taint steps to consider when taint tracking XSLT related data flows.

diff --git a/java/ql/lib/semmle/code/java/security/XssQuery.qll b/java/ql/lib/semmle/code/java/security/XssQuery.qll
@@ -23,4 +23,4 @@ module XssConfig implements DataFlow::ConfigSig {
 }
 
 /** Tracks flow from remote sources to cross site scripting vulnerabilities. */
-module XssFlow = TaintTracking::Global<XssConfig>;
+module XssFlow = TaintTracking::Global<DataFlow::FilteredConfig<XssConfig>>;
diff --git a/java/ql/lib/semmle/code/java/security/XxeRemoteQuery.qll b/java/ql/lib/semmle/code/java/security/XxeRemoteQuery.qll
@@ -42,4 +42,4 @@ module XxeConfig implements DataFlow::ConfigSig {
 /**
  * Detect taint flow of unvalidated remote user input that is used in XML external entity expansion.
  */
-module XxeFlow = TaintTracking::Global<XxeConfig>;
+module XxeFlow = TaintTracking::Global<DataFlow::FilteredConfig<XxeConfig>>;
diff --git a/java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll b/java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll
@@ -47,7 +47,7 @@ module ZipSlipConfig implements DataFlow::ConfigSig {
 }
 
 /** Tracks flow from archive entries to file creation. */
-module ZipSlipFlow = TaintTracking::Global<ZipSlipConfig>;
+module ZipSlipFlow = TaintTracking::Global<DataFlow::FilteredConfig<ZipSlipConfig>>;
 
 /**
  * A sink that represents a file creation, such as a file write, copy or move operation.

diff --git a/java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll b/java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll
@@ -81,4 +81,4 @@ module PolynomialRedosConfig implements DataFlow::ConfigSig {
   }
 }
 
-module PolynomialRedosFlow = TaintTracking::Global<PolynomialRedosConfig>;
+module PolynomialRedosFlow = TaintTracking::Global<DataFlow::FilteredConfig<PolynomialRedosConfig>>;
diff --git a/java/ql/lib/semmle/code/java/security/regexp/RegexInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/regexp/RegexInjectionQuery.qll
@@ -34,4 +34,4 @@ module RegexInjectionConfig implements DataFlow::ConfigSig {
 /**
  * Taint-tracking flow for untrusted user input used to construct regular expressions.
  */
-module RegexInjectionFlow = TaintTracking::Global<RegexInjectionConfig>;
+module RegexInjectionFlow = TaintTracking::Global<DataFlow::FilteredConfig<RegexInjectionConfig>>;