From d388be7d3ba58ceef89ba3274b98559c08837600 Mon Sep 17 00:00:00 2001
From: Jonas Jensen <jonas@semmle.com>
Date: Fri, 16 Aug 2019 14:21:49 +0200
Subject: [PATCH 1/9] C++: Use pyrameterized modules for TaintTracking

---
 config/identical-files.json                   |   4 +
 .../code/cpp/dataflow/TaintTracking.qll       | 255 +-----------------
 .../code/cpp/dataflow/TaintTracking2.qll      |  12 +
 .../dataflow/internal/TaintTrackingUtil.qll   | 123 +++++++++
 .../tainttracking1/TaintTrackingImpl.qll      |  98 +++++++
 .../tainttracking1/TaintTrackingParameter.qll |   2 +
 .../tainttracking2/TaintTrackingImpl.qll      |  98 +++++++
 .../tainttracking2/TaintTrackingParameter.qll |   2 +
 .../dataflow/recursion/chained_use.ql         |   2 +
 9 files changed, 346 insertions(+), 250 deletions(-)
 create mode 100644 cpp/ql/src/semmle/code/cpp/dataflow/TaintTracking2.qll
 create mode 100644 cpp/ql/src/semmle/code/cpp/dataflow/internal/TaintTrackingUtil.qll
 create mode 100644 cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll
 create mode 100644 cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingParameter.qll
 create mode 100644 cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll
 create mode 100644 cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingParameter.qll

diff --git a/config/identical-files.json b/config/identical-files.json
index 0e364c384c01..d4fa5c219d33 100644
--- a/config/identical-files.json
+++ b/config/identical-files.json
@@ -25,6 +25,10 @@
     "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll",
     "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll"
   ],
+  "Taint tracking C/C++": [
+    "cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
+    "cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll"
+  ],
   "IR Instruction": [
     "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll",
     "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll",
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/TaintTracking.qll b/cpp/ql/src/semmle/code/cpp/dataflow/TaintTracking.qll
index 224e3858a2ac..92cd085927a5 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/TaintTracking.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/TaintTracking.qll
@@ -9,259 +9,14 @@
  */
 import semmle.code.cpp.dataflow.DataFlow
 import semmle.code.cpp.dataflow.DataFlow2
-import semmle.code.cpp.models.interfaces.DataFlow
-import semmle.code.cpp.models.interfaces.Taint
 
 module TaintTracking {
+  import semmle.code.cpp.dataflow.internal.tainttracking1.TaintTrackingImpl
+  private import semmle.code.cpp.dataflow.TaintTracking2
 
   /**
-   * A configuration of interprocedural taint tracking analysis. This defines
-   * sources, sinks, and any other configurable aspect of the analysis. Each
-   * use of the taint tracking library must define its own unique extension of
-   * this abstract class.
-   *
-   * A taint-tracking configuration is a special data flow configuration
-   * (`DataFlow::Configuration`) that allows for flow through nodes that do not
-   * necessarily preserve values but are still relevant from a taint-tracking
-   * perspective. (For example, string concatenation, where one of the operands
-   * is tainted.)
-   *
-   * To create a configuration, extend this class with a subclass whose
-   * characteristic predicate is a unique singleton string. For example, write
-   *
-   * ```
-   * class MyAnalysisConfiguration extends TaintTracking::Configuration {
-   *   MyAnalysisConfiguration() { this = "MyAnalysisConfiguration" }
-   *   // Override `isSource` and `isSink`.
-   *   // Optionally override `isSanitizer`.
-   *   // Optionally override `isSanitizerEdge`.
-   *   // Optionally override `isAdditionalTaintStep`.
-   * }
-   * ```
-   *
-   * Then, to query whether there is flow between some `source` and `sink`,
-   * write
-   *
-   * ```
-   * exists(MyAnalysisConfiguration cfg | cfg.hasFlow(source, sink))
-   * ```
-   *
-   * Multiple configurations can coexist, but it is unsupported to depend on a
-   * `TaintTracking::Configuration` or a `DataFlow::Configuration` in the
-   * overridden predicates that define sources, sinks, or additional steps.
-   * Instead, the dependency should go to a `TaintTracking::Configuration2` or
-   * a `DataFlow{2,3,4}::Configuration`.
+   * DEPRECATED: Use TaintTracking2::Configuration instead.
    */
-  abstract class Configuration extends DataFlow::Configuration {
-    bindingset[this]
-    Configuration() { any() }
-
-    /** Holds if `source` is a taint source. */
-    // overridden to provide taint-tracking specific qldoc
-    abstract override predicate isSource(DataFlow::Node source);
-
-    /** Holds if `sink` is a taint sink. */
-    // overridden to provide taint-tracking specific qldoc
-    abstract override predicate isSink(DataFlow::Node sink);
-
-    /**
-     * Holds if taint should not flow into `node`.
-     */
-    predicate isSanitizer(DataFlow::Node node) { none() }
-
-    /** Holds if data flow from `node1` to `node2` is prohibited. */
-    predicate isSanitizerEdge(DataFlow::Node node1, DataFlow::Node node2) {
-      none()
-    }
-
-    /**
-     * Holds if the additional taint propagation step
-     * from `source` to `target` must be taken into account in the analysis.
-     * This step will only be followed if `target` is not in the `isSanitizer`
-     * predicate.
-     */
-    predicate isAdditionalTaintStep(DataFlow::Node source,
-                                    DataFlow::Node target)
-    { none() }
-
-    final override
-    predicate isBarrier(DataFlow::Node node) { isSanitizer(node) }
-
-    /** DEPRECATED: use `isSanitizerEdge` instead. */
-    override deprecated
-    predicate isBarrierEdge(DataFlow::Node node1, DataFlow::Node node2) {
-      this.isSanitizerEdge(node1, node2)
-    }
-
-    final override
-    predicate isAdditionalFlowStep(DataFlow::Node source, DataFlow::Node target) {
-      this.isAdditionalTaintStep(source, target)
-      or
-      localTaintStep(source, target)
-    }
-  }
-
-  /**
-   * A taint-tracking configuration that is backed by the `DataFlow2` library
-   * instead of `DataFlow`. Use this class when taint-tracking configurations
-   * or data-flow configurations must depend on each other.
-   *
-   * See `TaintTracking::Configuration` for the full documentation.
-   */
-  abstract class Configuration2 extends DataFlow2::Configuration {
-    bindingset[this]
-    Configuration2() { any() }
-
-    /** Holds if `source` is a taint source. */
-    // overridden to provide taint-tracking specific qldoc
-    abstract override predicate isSource(DataFlow::Node source);
-
-    /** Holds if `sink` is a taint sink. */
-    // overridden to provide taint-tracking specific qldoc
-    abstract override predicate isSink(DataFlow::Node sink);
-
-    /**
-     * Holds if taint should not flow into `node`.
-     */
-    predicate isSanitizer(DataFlow::Node node) { none() }
-
-    /** Holds if data flow from `node1` to `node2` is prohibited. */
-    predicate isSanitizerEdge(DataFlow::Node node1, DataFlow::Node node2) {
-      none()
-    }
-
-    /**
-     * Holds if the additional taint propagation step
-     * from `source` to `target` must be taken into account in the analysis.
-     * This step will only be followed if `target` is not in the `isSanitizer`
-     * predicate.
-     */
-    predicate isAdditionalTaintStep(DataFlow::Node source,
-                                    DataFlow::Node target)
-    { none() }
-
-    final override
-    predicate isBarrier(DataFlow::Node node) { isSanitizer(node) }
-
-    /** DEPRECATED: use `isSanitizerEdge` instead. */
-    override deprecated
-    predicate isBarrierEdge(DataFlow::Node node1, DataFlow::Node node2) {
-      this.isSanitizerEdge(node1, node2)
-    }
-
-    final override
-    predicate isAdditionalFlowStep(DataFlow::Node source, DataFlow::Node target) {
-      this.isAdditionalTaintStep(source, target)
-      or
-      localTaintStep(source, target)
-    }
-  }
-
-  /**
-   * Holds if taint propagates from `nodeFrom` to `nodeTo` in exactly one local
-   * (intra-procedural) step.
-   */
-  predicate localTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-    // Taint can flow into using ordinary data flow.
-    DataFlow::localFlowStep(nodeFrom, nodeTo)
-    or
-    // Taint can flow through expressions that alter the value but preserve
-    // more than one bit of it _or_ expressions that follow data through
-    // pointer indirections.
-    exists(Expr exprFrom, Expr exprTo |
-      exprFrom = nodeFrom.asExpr() and
-      exprTo = nodeTo.asExpr()
-    |
-      exprFrom = exprTo.getAChild() and
-      not noParentExprFlow(exprFrom, exprTo) and
-      not noFlowFromChildExpr(exprTo)
-      or
-      // Taint can flow from the `x` variable in `x++` to all subsequent
-      // accesses to the unmodified `x` variable.
-      //
-      // `DataFlow` without taint specifies flow from `++x` and `x += 1` into the
-      // variable `x` and thus into subsequent accesses because those expressions
-      // compute the same value as `x`. This is not the case for `x++`, which
-      // computes a different value, so we have to add that ourselves for taint
-      // tracking. The flow from expression `x` into `x++` etc. is handled in the
-      // case above.
-      exprTo = DataFlow::getAnAccessToAssignedVariable(
-        exprFrom.(PostfixCrementOperation)
-      )
-    )
-    or
-    // Taint can flow through modeled functions
-    exprToDefinitionByReferenceStep(nodeFrom.asExpr(), nodeTo.asDefiningArgument())
-  }
-
-  /**
-   * Holds if taint may propagate from `source` to `sink` in zero or more local
-   * (intra-procedural) steps.
-   */
-  predicate localTaint(DataFlow::Node source, DataFlow::Node sink) {
-    localTaintStep*(source, sink)
-  }
-
-  /**
-   * Holds if we do not propagate taint from `fromExpr` to `toExpr`
-   * even though `toExpr` is the AST parent of `fromExpr`.
-   */
-  private predicate noParentExprFlow(Expr fromExpr, Expr toExpr) {
-    fromExpr = toExpr.(ConditionalExpr).getCondition()
-    or
-    fromExpr = toExpr.(CommaExpr).getLeftOperand()
-    or
-    fromExpr = toExpr.(AssignExpr).getLValue() // LHS of `=`
-  }
-
-  /**
-   * Holds if we do not propagate taint from a child of `e` to `e` itself.
-   */
-  private predicate noFlowFromChildExpr(Expr e) {
-    e instanceof ComparisonOperation
-    or
-    e instanceof LogicalAndExpr
-    or
-    e instanceof LogicalOrExpr
-    or
-    e instanceof Call
-    or
-    e instanceof SizeofOperator
-    or
-    e instanceof AlignofOperator
-  }
-
-  private predicate exprToDefinitionByReferenceStep(Expr exprIn, Expr argOut) {
-    exists(DataFlowFunction f, Call call, FunctionOutput outModel, int argOutIndex |
-      call.getTarget() = f and
-      argOut = call.getArgument(argOutIndex) and
-      outModel.isOutParameterPointer(argOutIndex) and
-      exists(int argInIndex, FunctionInput inModel |
-        f.hasDataFlow(inModel, outModel)
-      |
-        // Taint flows from a pointer to a dereference, which DataFlow does not handle
-        // memcpy(&dest_var, tainted_ptr, len)
-        inModel.isInParameterPointer(argInIndex) and
-        exprIn = call.getArgument(argInIndex)
-      )
-    )
-    or
-    exists(TaintFunction f, Call call, FunctionOutput outModel, int argOutIndex |
-      call.getTarget() = f and
-      argOut = call.getArgument(argOutIndex) and
-      outModel.isOutParameterPointer(argOutIndex) and
-      exists(int argInIndex, FunctionInput inModel |
-        f.hasTaintFlow(inModel, outModel)
-      |
-        inModel.isInParameterPointer(argInIndex) and
-        exprIn = call.getArgument(argInIndex)
-        or
-        inModel.isInParameterPointer(argInIndex) and
-        call.passesByReference(argInIndex, exprIn)
-        or
-        inModel.isInParameter(argInIndex) and
-        exprIn = call.getArgument(argInIndex)
-      )
-    )
-  }
+  deprecated
+  class Configuration2 = TaintTracking2::Configuration;
 }
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/TaintTracking2.qll b/cpp/ql/src/semmle/code/cpp/dataflow/TaintTracking2.qll
new file mode 100644
index 000000000000..f67a0e711002
--- /dev/null
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/TaintTracking2.qll
@@ -0,0 +1,12 @@
+/**
+ * Provides classes for performing local (intra-procedural) and
+ * global (inter-procedural) taint-tracking analyses.
+ *
+ * We define _taint propagation_ informally to mean that a substantial part of
+ * the information from the source is preserved at the sink. For example, taint
+ * propagates from `x` to `x + 100`, but it does not propagate from `x` to `x >
+ * 100` since we consider a single bit of information to be too little.
+ */
+module TaintTracking2 {
+  import semmle.code.cpp.dataflow.internal.tainttracking2.TaintTrackingImpl
+}
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/TaintTrackingUtil.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/TaintTrackingUtil.qll
new file mode 100644
index 000000000000..fec8e44be66f
--- /dev/null
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/TaintTrackingUtil.qll
@@ -0,0 +1,123 @@
+/**
+ * Provides classes for performing local (intra-procedural) and
+ * global (inter-procedural) taint-tracking analyses.
+ *
+ * We define _taint propagation_ informally to mean that a substantial part of
+ * the information from the source is preserved at the sink. For example, taint
+ * propagates from `x` to `x + 100`, but it does not propagate from `x` to `x >
+ * 100` since we consider a single bit of information to be too little.
+ */
+private import semmle.code.cpp.models.interfaces.DataFlow
+private import semmle.code.cpp.models.interfaces.Taint
+
+private module DataFlow {
+  import semmle.code.cpp.dataflow.internal.DataFlowUtil
+}
+
+/**
+ * Holds if taint propagates from `nodeFrom` to `nodeTo` in exactly one local
+ * (intra-procedural) step.
+ */
+predicate localTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+  // Taint can flow into using ordinary data flow.
+  DataFlow::localFlowStep(nodeFrom, nodeTo)
+  or
+  // Taint can flow through expressions that alter the value but preserve
+  // more than one bit of it _or_ expressions that follow data through
+  // pointer indirections.
+  exists(Expr exprFrom, Expr exprTo |
+    exprFrom = nodeFrom.asExpr() and
+    exprTo = nodeTo.asExpr()
+  |
+    exprFrom = exprTo.getAChild() and
+    not noParentExprFlow(exprFrom, exprTo) and
+    not noFlowFromChildExpr(exprTo)
+    or
+    // Taint can flow from the `x` variable in `x++` to all subsequent
+    // accesses to the unmodified `x` variable.
+    //
+    // `DataFlow` without taint specifies flow from `++x` and `x += 1` into the
+    // variable `x` and thus into subsequent accesses because those expressions
+    // compute the same value as `x`. This is not the case for `x++`, which
+    // computes a different value, so we have to add that ourselves for taint
+    // tracking. The flow from expression `x` into `x++` etc. is handled in the
+    // case above.
+    exprTo = DataFlow::getAnAccessToAssignedVariable(
+      exprFrom.(PostfixCrementOperation)
+    )
+  )
+  or
+  // Taint can flow through modeled functions
+  exprToDefinitionByReferenceStep(nodeFrom.asExpr(), nodeTo.asDefiningArgument())
+}
+
+/**
+ * Holds if taint may propagate from `source` to `sink` in zero or more local
+ * (intra-procedural) steps.
+ */
+predicate localTaint(DataFlow::Node source, DataFlow::Node sink) {
+  localTaintStep*(source, sink)
+}
+
+/**
+ * Holds if we do not propagate taint from `fromExpr` to `toExpr`
+ * even though `toExpr` is the AST parent of `fromExpr`.
+ */
+private predicate noParentExprFlow(Expr fromExpr, Expr toExpr) {
+  fromExpr = toExpr.(ConditionalExpr).getCondition()
+  or
+  fromExpr = toExpr.(CommaExpr).getLeftOperand()
+  or
+  fromExpr = toExpr.(AssignExpr).getLValue() // LHS of `=`
+}
+
+/**
+ * Holds if we do not propagate taint from a child of `e` to `e` itself.
+ */
+private predicate noFlowFromChildExpr(Expr e) {
+  e instanceof ComparisonOperation
+  or
+  e instanceof LogicalAndExpr
+  or
+  e instanceof LogicalOrExpr
+  or
+  e instanceof Call
+  or
+  e instanceof SizeofOperator
+  or
+  e instanceof AlignofOperator
+}
+
+private predicate exprToDefinitionByReferenceStep(Expr exprIn, Expr argOut) {
+  exists(DataFlowFunction f, Call call, FunctionOutput outModel, int argOutIndex |
+    call.getTarget() = f and
+    argOut = call.getArgument(argOutIndex) and
+    outModel.isOutParameterPointer(argOutIndex) and
+    exists(int argInIndex, FunctionInput inModel |
+      f.hasDataFlow(inModel, outModel)
+    |
+      // Taint flows from a pointer to a dereference, which DataFlow does not handle
+      // memcpy(&dest_var, tainted_ptr, len)
+      inModel.isInParameterPointer(argInIndex) and
+      exprIn = call.getArgument(argInIndex)
+    )
+  )
+  or
+  exists(TaintFunction f, Call call, FunctionOutput outModel, int argOutIndex |
+    call.getTarget() = f and
+    argOut = call.getArgument(argOutIndex) and
+    outModel.isOutParameterPointer(argOutIndex) and
+    exists(int argInIndex, FunctionInput inModel |
+      f.hasTaintFlow(inModel, outModel)
+    |
+      inModel.isInParameterPointer(argInIndex) and
+      exprIn = call.getArgument(argInIndex)
+      or
+      inModel.isInParameterPointer(argInIndex) and
+      call.passesByReference(argInIndex, exprIn)
+      or
+      inModel.isInParameter(argInIndex) and
+      exprIn = call.getArgument(argInIndex)
+    )
+  )
+}
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll
new file mode 100644
index 000000000000..0e8da75360fc
--- /dev/null
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll
@@ -0,0 +1,98 @@
+/**
+ * Provides classes for performing local (intra-procedural) and
+ * global (inter-procedural) taint-tracking analyses.
+ *
+ * We define _taint propagation_ informally to mean that a substantial part of
+ * the information from the source is preserved at the sink. For example, taint
+ * propagates from `x` to `x + 100`, but it does not propagate from `x` to `x >
+ * 100` since we consider a single bit of information to be too little.
+ */
+import TaintTrackingParameter::Public
+private import TaintTrackingParameter::Private
+
+/**
+ * A configuration of interprocedural taint tracking analysis. This defines
+ * sources, sinks, and any other configurable aspect of the analysis. Each
+ * use of the taint tracking library must define its own unique extension of
+ * this abstract class.
+ *
+ * A taint-tracking configuration is a special data flow configuration
+ * (`DataFlow::Configuration`) that allows for flow through nodes that do not
+ * necessarily preserve values but are still relevant from a taint-tracking
+ * perspective. (For example, string concatenation, where one of the operands
+ * is tainted.)
+ *
+ * To create a configuration, extend this class with a subclass whose
+ * characteristic predicate is a unique singleton string. For example, write
+ *
+ * ```
+ * class MyAnalysisConfiguration extends TaintTracking::Configuration {
+ *   MyAnalysisConfiguration() { this = "MyAnalysisConfiguration" }
+ *   // Override `isSource` and `isSink`.
+ *   // Optionally override `isSanitizer`.
+ *   // Optionally override `isSanitizerEdge`.
+ *   // Optionally override `isAdditionalTaintStep`.
+ * }
+ * ```
+ *
+ * Then, to query whether there is flow between some `source` and `sink`,
+ * write
+ *
+ * ```
+ * exists(MyAnalysisConfiguration cfg | cfg.hasFlow(source, sink))
+ * ```
+ *
+ * Multiple configurations can coexist, but it is unsupported to depend on a
+ * `TaintTracking::Configuration` or a `DataFlow::Configuration` in the
+ * overridden predicates that define sources, sinks, or additional steps.
+ * Instead, the dependency should go to a `TaintTracking2::Configuration` or
+ * a `DataFlow{2,3,4}::Configuration`.
+ */
+abstract class Configuration extends DataFlow::Configuration {
+  bindingset[this]
+  Configuration() { any() }
+
+  /** Holds if `source` is a taint source. */
+  // overridden to provide taint-tracking specific qldoc
+  abstract override predicate isSource(DataFlow::Node source);
+
+  /** Holds if `sink` is a taint sink. */
+  // overridden to provide taint-tracking specific qldoc
+  abstract override predicate isSink(DataFlow::Node sink);
+
+  /**
+   * Holds if taint should not flow into `node`.
+   */
+  predicate isSanitizer(DataFlow::Node node) { none() }
+
+  /** Holds if data flow from `node1` to `node2` is prohibited. */
+  predicate isSanitizerEdge(DataFlow::Node node1, DataFlow::Node node2) {
+    none()
+  }
+
+  /**
+   * Holds if the additional taint propagation step
+   * from `source` to `target` must be taken into account in the analysis.
+   * This step will only be followed if `target` is not in the `isSanitizer`
+   * predicate.
+   */
+  predicate isAdditionalTaintStep(DataFlow::Node source,
+                                  DataFlow::Node target)
+  { none() }
+
+  final override
+  predicate isBarrier(DataFlow::Node node) { isSanitizer(node) }
+
+  /** DEPRECATED: use `isSanitizerEdge` instead. */
+  override deprecated
+  predicate isBarrierEdge(DataFlow::Node node1, DataFlow::Node node2) {
+    this.isSanitizerEdge(node1, node2)
+  }
+
+  final override
+  predicate isAdditionalFlowStep(DataFlow::Node source, DataFlow::Node target) {
+    this.isAdditionalTaintStep(source, target)
+    or
+    localTaintStep(source, target)
+  }
+}
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingParameter.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingParameter.qll
new file mode 100644
index 000000000000..bd583d5c33d3
--- /dev/null
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingParameter.qll
@@ -0,0 +1,2 @@
+import semmle.code.cpp.dataflow.DataFlow as Private
+import semmle.code.cpp.dataflow.internal.TaintTrackingUtil as Public
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll
new file mode 100644
index 000000000000..0e8da75360fc
--- /dev/null
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll
@@ -0,0 +1,98 @@
+/**
+ * Provides classes for performing local (intra-procedural) and
+ * global (inter-procedural) taint-tracking analyses.
+ *
+ * We define _taint propagation_ informally to mean that a substantial part of
+ * the information from the source is preserved at the sink. For example, taint
+ * propagates from `x` to `x + 100`, but it does not propagate from `x` to `x >
+ * 100` since we consider a single bit of information to be too little.
+ */
+import TaintTrackingParameter::Public
+private import TaintTrackingParameter::Private
+
+/**
+ * A configuration of interprocedural taint tracking analysis. This defines
+ * sources, sinks, and any other configurable aspect of the analysis. Each
+ * use of the taint tracking library must define its own unique extension of
+ * this abstract class.
+ *
+ * A taint-tracking configuration is a special data flow configuration
+ * (`DataFlow::Configuration`) that allows for flow through nodes that do not
+ * necessarily preserve values but are still relevant from a taint-tracking
+ * perspective. (For example, string concatenation, where one of the operands
+ * is tainted.)
+ *
+ * To create a configuration, extend this class with a subclass whose
+ * characteristic predicate is a unique singleton string. For example, write
+ *
+ * ```
+ * class MyAnalysisConfiguration extends TaintTracking::Configuration {
+ *   MyAnalysisConfiguration() { this = "MyAnalysisConfiguration" }
+ *   // Override `isSource` and `isSink`.
+ *   // Optionally override `isSanitizer`.
+ *   // Optionally override `isSanitizerEdge`.
+ *   // Optionally override `isAdditionalTaintStep`.
+ * }
+ * ```
+ *
+ * Then, to query whether there is flow between some `source` and `sink`,
+ * write
+ *
+ * ```
+ * exists(MyAnalysisConfiguration cfg | cfg.hasFlow(source, sink))
+ * ```
+ *
+ * Multiple configurations can coexist, but it is unsupported to depend on a
+ * `TaintTracking::Configuration` or a `DataFlow::Configuration` in the
+ * overridden predicates that define sources, sinks, or additional steps.
+ * Instead, the dependency should go to a `TaintTracking2::Configuration` or
+ * a `DataFlow{2,3,4}::Configuration`.
+ */
+abstract class Configuration extends DataFlow::Configuration {
+  bindingset[this]
+  Configuration() { any() }
+
+  /** Holds if `source` is a taint source. */
+  // overridden to provide taint-tracking specific qldoc
+  abstract override predicate isSource(DataFlow::Node source);
+
+  /** Holds if `sink` is a taint sink. */
+  // overridden to provide taint-tracking specific qldoc
+  abstract override predicate isSink(DataFlow::Node sink);
+
+  /**
+   * Holds if taint should not flow into `node`.
+   */
+  predicate isSanitizer(DataFlow::Node node) { none() }
+
+  /** Holds if data flow from `node1` to `node2` is prohibited. */
+  predicate isSanitizerEdge(DataFlow::Node node1, DataFlow::Node node2) {
+    none()
+  }
+
+  /**
+   * Holds if the additional taint propagation step
+   * from `source` to `target` must be taken into account in the analysis.
+   * This step will only be followed if `target` is not in the `isSanitizer`
+   * predicate.
+   */
+  predicate isAdditionalTaintStep(DataFlow::Node source,
+                                  DataFlow::Node target)
+  { none() }
+
+  final override
+  predicate isBarrier(DataFlow::Node node) { isSanitizer(node) }
+
+  /** DEPRECATED: use `isSanitizerEdge` instead. */
+  override deprecated
+  predicate isBarrierEdge(DataFlow::Node node1, DataFlow::Node node2) {
+    this.isSanitizerEdge(node1, node2)
+  }
+
+  final override
+  predicate isAdditionalFlowStep(DataFlow::Node source, DataFlow::Node target) {
+    this.isAdditionalTaintStep(source, target)
+    or
+    localTaintStep(source, target)
+  }
+}
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingParameter.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingParameter.qll
new file mode 100644
index 000000000000..bd583d5c33d3
--- /dev/null
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingParameter.qll
@@ -0,0 +1,2 @@
+import semmle.code.cpp.dataflow.DataFlow as Private
+import semmle.code.cpp.dataflow.internal.TaintTrackingUtil as Public
diff --git a/cpp/ql/test/library-tests/dataflow/recursion/chained_use.ql b/cpp/ql/test/library-tests/dataflow/recursion/chained_use.ql
index aeed7825a375..ef2bead91294 100644
--- a/cpp/ql/test/library-tests/dataflow/recursion/chained_use.ql
+++ b/cpp/ql/test/library-tests/dataflow/recursion/chained_use.ql
@@ -3,6 +3,8 @@ import semmle.code.cpp.dataflow.DataFlow
 import semmle.code.cpp.dataflow.DataFlow2
 import semmle.code.cpp.dataflow.DataFlow3
 import semmle.code.cpp.dataflow.DataFlow4
+import semmle.code.cpp.dataflow.TaintTracking
+import semmle.code.cpp.dataflow.TaintTracking2
 import semmle.code.cpp.dataflow.RecursionPrevention
 
 class TestConf1 extends DataFlow::Configuration {

From b1cd64bbf48bd4a5926ddc0630b366fe6ba3c1e0 Mon Sep 17 00:00:00 2001
From: Jonas Jensen <jonas@semmle.com>
Date: Fri, 16 Aug 2019 16:23:35 +0200
Subject: [PATCH 2/9] C++: Fix mismatch between taint and dataflow copy

---
 .../dataflow/internal/tainttracking2/TaintTrackingParameter.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingParameter.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingParameter.qll
index bd583d5c33d3..ea048717bd5f 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingParameter.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingParameter.qll
@@ -1,2 +1,2 @@
-import semmle.code.cpp.dataflow.DataFlow as Private
+import semmle.code.cpp.dataflow.DataFlow2 as Private
 import semmle.code.cpp.dataflow.internal.TaintTrackingUtil as Public

From d65b09d94af72f43f4c20e0c031b7e1f1f980bfb Mon Sep 17 00:00:00 2001
From: Jonas Jensen <jonas@semmle.com>
Date: Mon, 19 Aug 2019 09:19:51 +0200
Subject: [PATCH 3/9] C++: Proper fix for TaintTracking2 parameter

---
 .../internal/tainttracking1/TaintTrackingParameter.qll       | 5 ++++-
 .../internal/tainttracking2/TaintTrackingParameter.qll       | 5 ++++-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingParameter.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingParameter.qll
index bd583d5c33d3..7fd632efb0ec 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingParameter.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingParameter.qll
@@ -1,2 +1,5 @@
-import semmle.code.cpp.dataflow.DataFlow as Private
 import semmle.code.cpp.dataflow.internal.TaintTrackingUtil as Public
+
+module Private {
+  import semmle.code.cpp.dataflow.DataFlow::DataFlow as DataFlow
+}
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingParameter.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingParameter.qll
index ea048717bd5f..fb4862fd06bd 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingParameter.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingParameter.qll
@@ -1,2 +1,5 @@
-import semmle.code.cpp.dataflow.DataFlow2 as Private
 import semmle.code.cpp.dataflow.internal.TaintTrackingUtil as Public
+
+module Private {
+  import semmle.code.cpp.dataflow.DataFlow2::DataFlow2 as DataFlow
+}

From aeb2323128c552d9c541730e5d5968618bafb83b Mon Sep 17 00:00:00 2001
From: Jonas Jensen <jonas@semmle.com>
Date: Tue, 20 Aug 2019 12:02:24 +0200
Subject: [PATCH 4/9] Java: Use pyrameterized modules for TaintTracking

---
 config/identical-files.json                   |   4 +
 .../code/java/dataflow/TaintTracking.qll      | 804 +-----------------
 .../code/java/dataflow/TaintTracking2.qll     |  12 +
 .../dataflow/internal/TaintTrackingUtil.qll   | 635 ++++++++++++++
 .../tainttracking1/TaintTrackingImpl.qll      |  88 ++
 .../tainttracking1/TaintTrackingParameter.qll |   5 +
 .../tainttracking2/TaintTrackingImpl.qll      |  88 ++
 .../tainttracking2/TaintTrackingParameter.qll |   5 +
 8 files changed, 849 insertions(+), 792 deletions(-)
 create mode 100644 java/ql/src/semmle/code/java/dataflow/TaintTracking2.qll
 create mode 100644 java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
 create mode 100644 java/ql/src/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingImpl.qll
 create mode 100644 java/ql/src/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingParameter.qll
 create mode 100644 java/ql/src/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingImpl.qll
 create mode 100644 java/ql/src/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingParameter.qll

diff --git a/config/identical-files.json b/config/identical-files.json
index d4fa5c219d33..5e28ac94a9bd 100644
--- a/config/identical-files.json
+++ b/config/identical-files.json
@@ -29,6 +29,10 @@
     "cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
     "cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll"
   ],
+  "Taint tracking Java": [
+    "java/ql/src/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
+    "java/ql/src/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingImpl.qll"
+  ],
   "IR Instruction": [
     "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll",
     "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll",
diff --git a/java/ql/src/semmle/code/java/dataflow/TaintTracking.qll b/java/ql/src/semmle/code/java/dataflow/TaintTracking.qll
index 6d79359bb362..8dd3e12735a3 100644
--- a/java/ql/src/semmle/code/java/dataflow/TaintTracking.qll
+++ b/java/ql/src/semmle/code/java/dataflow/TaintTracking.qll
@@ -1,804 +1,24 @@
 /**
  * Provides classes for performing local (intra-procedural) and
  * global (inter-procedural) taint-tracking analyses.
+ *
+ * We define _taint propagation_ informally to mean that a substantial part of
+ * the information from the source is preserved at the sink. For example, taint
+ * propagates from `x` to `x + 100`, but it does not propagate from `x` to `x >
+ * 100` since we consider a single bit of information to be too little.
  */
-
-import java
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.DataFlow2
-import semmle.code.java.Collections
-private import SSA
-private import DefUse
-private import semmle.code.java.security.SecurityTests
-private import semmle.code.java.security.Validation
-private import semmle.code.java.frameworks.android.Intent
-private import semmle.code.java.frameworks.Guice
-private import semmle.code.java.frameworks.Protobuf
-private import semmle.code.java.Maps
-private import semmle.code.java.dataflow.internal.ContainerFlow
-
-module TaintTracking {
-  /**
-   * A taint tracking configuration.
-   *
-   * A taint tracking configuration is a special dataflow configuration
-   * (`DataFlow::Configuration`) that allows for flow through nodes that do not
-   * necessarily preserve values, but are still relevant from a taint tracking
-   * perspective. (For example, string concatenation, where one of the operands
-   * is tainted.)
-   *
-   * Each use of the taint tracking library must define its own unique extension
-   * of this abstract class. A configuration defines a set of relevant sources
-   * (`isSource`) and sinks (`isSink`), and may additionally treat intermediate
-   * nodes as "sanitizers" (`isSanitizer`) as well as add custom taint flow steps
-   * (`isAdditionalTaintStep()`).
-   */
-  abstract class Configuration extends DataFlow::Configuration {
-    bindingset[this]
-    Configuration() { any() }
-
-    /**
-     * Holds if `source` is a relevant taint source.
-     *
-     * The smaller this predicate is, the faster `hasFlow()` will converge.
-     */
-    // overridden to provide taint-tracking specific qldoc
-    abstract override predicate isSource(DataFlow::Node source);
-
-    /**
-     * Holds if `sink` is a relevant taint sink.
-     *
-     * The smaller this predicate is, the faster `hasFlow()` will converge.
-     */
-    // overridden to provide taint-tracking specific qldoc
-    abstract override predicate isSink(DataFlow::Node sink);
-
-    /** Holds if the node `node` is a taint sanitizer. */
-    predicate isSanitizer(DataFlow::Node node) { none() }
-
-    final override predicate isBarrier(DataFlow::Node node) {
-      isSanitizer(node) or
-      // Ignore paths through test code.
-      node.getEnclosingCallable().getDeclaringType() instanceof NonSecurityTestClass or
-      node.asExpr() instanceof ValidatedVariableAccess
-    }
-
-    /** DEPRECATED: override `isSanitizerIn` and `isSanitizerOut` instead. */
-    deprecated predicate isSanitizerEdge(DataFlow::Node node1, DataFlow::Node node2) { none() }
-
-    deprecated final override predicate isBarrierEdge(DataFlow::Node node1, DataFlow::Node node2) {
-      isSanitizerEdge(node1, node2)
-    }
-
-    /** Holds if data flow into `node` is prohibited. */
-    predicate isSanitizerIn(DataFlow::Node node) { none() }
-
-    final override predicate isBarrierIn(DataFlow::Node node) { isSanitizerIn(node) }
-
-    /** Holds if data flow out of `node` is prohibited. */
-    predicate isSanitizerOut(DataFlow::Node node) { none() }
-
-    final override predicate isBarrierOut(DataFlow::Node node) { isSanitizerOut(node) }
-
-    /** Holds if data flow through nodes guarded by `guard` is prohibited. */
-    predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
-
-    final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) { isSanitizerGuard(guard) }
-
-    /**
-     * Holds if the additional taint propagation step from `node1` to `node2`
-     * must be taken into account in the analysis.
-     */
-    predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) { none() }
-
-    final override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-      isAdditionalTaintStep(node1, node2) or
-      localAdditionalTaintStep(node1, node2)
-    }
-
-    /**
-     * Holds if taint may flow from `source` to `sink` for this configuration.
-     */
-    // overridden to provide taint-tracking specific qldoc
-    override predicate hasFlow(DataFlow::Node source, DataFlow::Node sink) {
-      super.hasFlow(source, sink)
-    }
-  }
-
-  /**
-   * A taint tracking configuration.
-   *
-   * A taint tracking configuration is a special dataflow configuration
-   * (`DataFlow::Configuration`) that allows for flow through nodes that do not
-   * necessarily preserve values, but are still relevant from a taint tracking
-   * perspective. (For example, string concatenation, where one of the operands
-   * is tainted.)
-   *
-   * Each use of the taint tracking library must define its own unique extension
-   * of this abstract class. A configuration defines a set of relevant sources
-   * (`isSource`) and sinks (`isSink`), and may additionally treat intermediate
-   * nodes as "sanitizers" (`isSanitizer`) as well as add custom taint flow steps
-   * (`isAdditionalTaintStep()`).
-   */
-  abstract class Configuration2 extends DataFlow2::Configuration {
-    bindingset[this]
-    Configuration2() { any() }
-
-    /**
-     * Holds if `source` is a relevant taint source.
-     *
-     * The smaller this predicate is, the faster `hasFlow()` will converge.
-     */
-    // overridden to provide taint-tracking specific qldoc
-    abstract override predicate isSource(DataFlow::Node source);
-
-    /**
-     * Holds if `sink` is a relevant taint sink.
-     *
-     * The smaller this predicate is, the faster `hasFlow()` will converge.
-     */
-    // overridden to provide taint-tracking specific qldoc
-    abstract override predicate isSink(DataFlow::Node sink);
-
-    /** Holds if the node `node` is a taint sanitizer. */
-    predicate isSanitizer(DataFlow::Node node) { none() }
 
-    final override predicate isBarrier(DataFlow::Node node) {
-      isSanitizer(node) or
-      // Ignore paths through test code.
-      node.getEnclosingCallable().getDeclaringType() instanceof NonSecurityTestClass or
-      node.asExpr() instanceof ValidatedVariableAccess
-    }
+import semmle.code.java.dataflow.internal.TaintTrackingUtil::StringBuilderVarModule
 
-    /** DEPRECATED: override `isSanitizerIn` and `isSanitizerOut` instead. */
-    deprecated predicate isSanitizerEdge(DataFlow::Node node1, DataFlow::Node node2) { none() }
-
-    deprecated final override predicate isBarrierEdge(DataFlow::Node node1, DataFlow::Node node2) {
-      isSanitizerEdge(node1, node2)
-    }
-
-    /** Holds if data flow into `node` is prohibited. */
-    predicate isSanitizerIn(DataFlow::Node node) { none() }
-
-    final override predicate isBarrierIn(DataFlow::Node node) { isSanitizerIn(node) }
-
-    /** Holds if data flow out of `node` is prohibited. */
-    predicate isSanitizerOut(DataFlow::Node node) { none() }
-
-    final override predicate isBarrierOut(DataFlow::Node node) { isSanitizerOut(node) }
-
-    /** Holds if data flow through nodes guarded by `guard` is prohibited. */
-    predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
-
-    final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) { isSanitizerGuard(guard) }
-
-    /**
-     * Holds if the additional taint propagation step from `node1` to `node2`
-     * must be taken into account in the analysis.
-     */
-    predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) { none() }
-
-    final override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-      isAdditionalTaintStep(node1, node2) or
-      localAdditionalTaintStep(node1, node2)
-    }
-
-    /**
-     * Holds if taint may flow from `source` to `sink` for this configuration.
-     */
-    // overridden to provide taint-tracking specific qldoc
-    override predicate hasFlow(DataFlow::Node source, DataFlow::Node sink) {
-      super.hasFlow(source, sink)
-    }
-  }
-
-  /**
-   * Holds if taint can flow from `src` to `sink` in zero or more
-   * local (intra-procedural) steps.
-   */
-  predicate localTaint(DataFlow::Node src, DataFlow::Node sink) { localTaintStep*(src, sink) }
-
-  /**
-   * Holds if taint can flow in one local step from `src` to `sink`.
-   */
-  predicate localTaintStep(DataFlow::Node src, DataFlow::Node sink) {
-    DataFlow::localFlowStep(src, sink) or
-    localAdditionalTaintStep(src, sink)
-  }
-
-  /**
-   * Holds if taint can flow in one local step from `src` to `sink` excluding
-   * local data flow steps. That is, `src` and `sink` are likely to represent
-   * different objects.
-   */
-  predicate localAdditionalTaintStep(DataFlow::Node src, DataFlow::Node sink) {
-    localAdditionalTaintExprStep(src.asExpr(), sink.asExpr())
-    or
-    exists(Argument arg |
-      src.asExpr() = arg and
-      arg.isVararg() and
-      sink.(DataFlow::ImplicitVarargsArray).getCall() = arg.getCall()
-    )
-  }
-
-  /**
-   * Holds if taint can flow in one local step from `src` to `sink` excluding
-   * local data flow steps. That is, `src` and `sink` are likely to represent
-   * different objects.
-   */
-  private predicate localAdditionalTaintExprStep(Expr src, Expr sink) {
-    sink.(AddExpr).getAnOperand() = src and sink.getType() instanceof TypeString
-    or
-    sink.(AssignAddExpr).getSource() = src and sink.getType() instanceof TypeString
-    or
-    sink.(ArrayCreationExpr).getInit() = src
-    or
-    sink.(ArrayInit).getAnInit() = src
-    or
-    sink.(ArrayAccess).getArray() = src
-    or
-    sink.(LogicExpr).getAnOperand() = src
-    or
-    exists(Assignment assign | assign.getSource() = src |
-      sink = assign.getDest().(ArrayAccess).getArray()
-    )
-    or
-    exists(EnhancedForStmt for, SsaExplicitUpdate v |
-      for.getExpr() = src and
-      v.getDefiningExpr() = for.getVariable() and
-      v.getAFirstUse() = sink
-    )
-    or
-    containerStep(src, sink)
-    or
-    constructorStep(src, sink)
-    or
-    qualifierToMethodStep(src, sink)
-    or
-    qualifierToArgumentStep(src, sink)
-    or
-    argToMethodStep(src, sink)
-    or
-    argToArgStep(src, sink)
-    or
-    argToQualifierStep(src, sink)
-    or
-    comparisonStep(src, sink)
-    or
-    stringBuilderStep(src, sink)
-    or
-    serializationStep(src, sink)
-  }
-
-  private class BulkData extends RefType {
-    BulkData() {
-      this.(Array).getElementType().(PrimitiveType).getName().regexpMatch("byte|char")
-      or
-      exists(RefType t | this.getASourceSupertype*() = t |
-        t.hasQualifiedName("java.io", "InputStream") or
-        t.hasQualifiedName("java.nio", "ByteBuffer") or
-        t.hasQualifiedName("java.lang", "Readable") or
-        t.hasQualifiedName("java.io", "DataInput") or
-        t.hasQualifiedName("java.nio.channels", "ReadableByteChannel")
-      )
-    }
-  }
-
-  /**
-   * Holds if `c` is a constructor for a subclass of `java.io.InputStream` that
-   * wraps an underlying data source. The underlying data source is given as a
-   * the `argi`'th parameter to the constructor.
-   *
-   * An object construction of such a wrapper is likely to preserve the data flow
-   * status of its argument.
-   */
-  private predicate inputStreamWrapper(Constructor c, int argi) {
-    c.getParameterType(argi) instanceof BulkData and
-    c.getDeclaringType().getASourceSupertype().hasQualifiedName("java.io", "InputStream")
-  }
-
-  /** An object construction that preserves the data flow status of any of its arguments. */
-  private predicate constructorStep(Expr tracked, ConstructorCall sink) {
-    exists(int argi | sink.getArgument(argi) = tracked |
-      exists(string s | sink.getConstructedType().getQualifiedName() = s |
-        // String constructor does nothing to data
-        s = "java.lang.String" and argi = 0
-        or
-        // some readers preserve the content of streams
-        s = "java.io.InputStreamReader" and argi = 0
-        or
-        s = "java.io.BufferedReader" and argi = 0
-        or
-        s = "java.io.CharArrayReader" and argi = 0
-        or
-        s = "java.io.StringReader" and argi = 0
-        or
-        // data preserved through streams
-        s = "java.io.ObjectInputStream" and argi = 0
-        or
-        s = "java.io.ByteArrayInputStream" and argi = 0
-        or
-        s = "java.io.DataInputStream" and argi = 0
-        or
-        s = "java.io.BufferedInputStream" and argi = 0
-        or
-        s = "com.esotericsoftware.kryo.io.Input" and argi = 0
-        or
-        s = "java.beans.XMLDecoder" and argi = 0
-        or
-        // a tokenizer preserves the content of a string
-        s = "java.util.StringTokenizer" and argi = 0
-        or
-        // unzipping the stream preserves content
-        s = "java.util.zip.ZipInputStream" and argi = 0
-        or
-        s = "java.util.zip.GZIPInputStream" and argi = 0
-        or
-        // string builders and buffers
-        s = "java.lang.StringBuilder" and argi = 0
-        or
-        s = "java.lang.StringBuffer" and argi = 0
-        or
-        // a cookie with tainted ingredients is tainted
-        s = "javax.servlet.http.Cookie" and argi = 0
-        or
-        s = "javax.servlet.http.Cookie" and argi = 1
-        or
-        // various xml stream source constructors.
-        s = "org.xml.sax.InputSource" and argi = 0
-        or
-        s = "javax.xml.transform.sax.SAXSource" and argi = 0 and sink.getNumArgument() = 1
-        or
-        s = "javax.xml.transform.sax.SAXSource" and argi = 1 and sink.getNumArgument() = 2
-        or
-        s = "javax.xml.transform.stream.StreamSource" and argi = 0
-        or
-        //a URI constructed from a tainted string is tainted.
-        s = "java.net.URI" and argi = 0 and sink.getNumArgument() = 1
-      )
-      or
-      exists(RefType t | t.getQualifiedName() = "java.lang.Number" |
-        hasSubtype*(t, sink.getConstructedType())
-      ) and
-      argi = 0
-      or
-      // wrappers constructed by extension
-      exists(Constructor c, Parameter p, SuperConstructorInvocationStmt sup |
-        c = sink.getConstructor() and
-        p = c.getParameter(argi) and
-        sup.getEnclosingCallable() = c and
-        constructorStep(p.getAnAccess(), sup)
-      )
-      or
-      // a custom InputStream that wraps a tainted data source is tainted
-      inputStreamWrapper(sink.getConstructor(), argi)
-    )
-  }
-
-  /** Access to a method that passes taint from qualifier to argument. */
-  private predicate qualifierToArgumentStep(Expr tracked, RValue sink) {
-    exists(MethodAccess ma, int arg |
-      taintPreservingQualifierToArgument(ma.getMethod(), arg) and
-      tracked = ma.getQualifier() and
-      sink = ma.getArgument(arg)
-    )
-  }
-
-  /** Methods that passes tainted data from qualifier to argument. */
-  private predicate taintPreservingQualifierToArgument(Method m, int arg) {
-    m.getDeclaringType().hasQualifiedName("java.io", "ByteArrayOutputStream") and
-    m.hasName("writeTo") and
-    arg = 0
-    or
-    m.getDeclaringType().hasQualifiedName("java.io", "InputStream") and
-    m.hasName("read") and
-    arg = 0
-    or
-    m.getDeclaringType().getASupertype*().hasQualifiedName("java.io", "Reader") and
-    m.hasName("read") and
-    arg = 0
-  }
-
-  /** Access to a method that passes taint from the qualifier. */
-  private predicate qualifierToMethodStep(Expr tracked, MethodAccess sink) {
-    (taintPreservingQualifierToMethod(sink.getMethod()) or unsafeEscape(sink)) and
-    tracked = sink.getQualifier()
-  }
-
-  /**
-   * Methods that return tainted data when called on tainted data.
-   */
-  private predicate taintPreservingQualifierToMethod(Method m) {
-    m.getDeclaringType() instanceof TypeString and
-    (
-      m.getName() = "concat" or
-      m.getName() = "endsWith" or
-      m.getName() = "getBytes" or
-      m.getName() = "split" or
-      m.getName() = "substring" or
-      m.getName() = "toCharArray" or
-      m.getName() = "toLowerCase" or
-      m.getName() = "toString" or
-      m.getName() = "toUpperCase" or
-      m.getName() = "trim"
-    )
-    or
-    exists(Class c | c.getQualifiedName() = "java.lang.Number" |
-      hasSubtype*(c, m.getDeclaringType())
-    ) and
-    (
-      m.getName().matches("to%String") or
-      m.getName() = "toByteArray" or
-      m.getName().matches("%Value")
-    )
-    or
-    m.getDeclaringType().getASupertype*().hasQualifiedName("java.io", "Reader") and
-    (
-      m.getName() = "read" and m.getNumberOfParameters() = 0
-      or
-      m.getName() = "readLine"
-    )
-    or
-    m.getDeclaringType().getQualifiedName().matches("%StringWriter") and
-    m.getName() = "toString"
-    or
-    m.getDeclaringType().hasQualifiedName("java.util", "StringTokenizer") and
-    m.getName().matches("next%")
-    or
-    m.getDeclaringType().hasQualifiedName("java.io", "ByteArrayOutputStream") and
-    (m.getName() = "toByteArray" or m.getName() = "toString")
-    or
-    m.getDeclaringType().hasQualifiedName("java.io", "ObjectInputStream") and
-    m.getName().matches("read%")
-    or
-    (
-      m.getDeclaringType().hasQualifiedName("java.lang", "StringBuilder") or
-      m.getDeclaringType().hasQualifiedName("java.lang", "StringBuffer")
-    ) and
-    (m.getName() = "toString" or m.getName() = "append")
-    or
-    m.getDeclaringType().hasQualifiedName("javax.xml.transform.sax", "SAXSource") and
-    m.hasName("getInputSource")
-    or
-    m.getDeclaringType().hasQualifiedName("javax.xml.transform.stream", "StreamSource") and
-    m.hasName("getInputStream")
-    or
-    m instanceof IntentGetExtraMethod
-    or
-    m.getDeclaringType().hasQualifiedName("java.nio", "ByteBuffer") and
-    m.hasName("get")
-    or
-    m = any(GuiceProvider gp).getAnOverridingGetMethod()
-    or
-    m = any(ProtobufMessageLite p).getAGetterMethod()
-  }
-
-  private class StringReplaceMethod extends Method {
-    StringReplaceMethod() {
-      getDeclaringType() instanceof TypeString and
-      (
-        hasName("replace") or
-        hasName("replaceAll") or
-        hasName("replaceFirst")
-      )
-    }
-  }
-
-  private predicate unsafeEscape(MethodAccess ma) {
-    // Removing `<script>` tags using a string-replace method is
-    // unsafe if such a tag is embedded inside another one (e.g. `<scr<script>ipt>`).
-    exists(StringReplaceMethod m | ma.getMethod() = m |
-      ma.getArgument(0).(StringLiteral).getRepresentedString() = "(<script>)" and
-      ma.getArgument(1).(StringLiteral).getRepresentedString() = ""
-    )
-  }
-
-  /** Access to a method that passes taint from an argument. */
-  private predicate argToMethodStep(Expr tracked, MethodAccess sink) {
-    exists(Method m, int i |
-      m = sink.(MethodAccess).getMethod() and
-      taintPreservingArgumentToMethod(m, i) and
-      tracked = sink.(MethodAccess).getArgument(i)
-    )
-  }
-
-  /**
-   * Holds if `method` is a library method that return tainted data if its
-   * `arg`th argument is tainted.
-   */
-  private predicate taintPreservingArgumentToMethod(Method method, int arg) {
-    method instanceof StringReplaceMethod and arg = 1
-    or
-    exists(Class c | c.getQualifiedName() = "java.lang.Number" |
-      hasSubtype*(c, method.getDeclaringType())
-    ) and
-    (
-      method.getName().matches("parse%") and arg = 0
-      or
-      method.getName().matches("valueOf%") and arg = 0
-      or
-      method.getName().matches("to%String") and arg = 0
-    )
-    or
-    method.getDeclaringType() instanceof TypeString and
-    method.getName() = "concat" and
-    arg = 0
-    or
-    (
-      method.getDeclaringType().hasQualifiedName("java.lang", "StringBuilder") or
-      method.getDeclaringType().hasQualifiedName("java.lang", "StringBuffer")
-    ) and
-    (
-      method.getName() = "append" and arg = 0
-      or
-      method.getName() = "insert" and arg = 1
-      or
-      method.getName() = "replace" and arg = 2
-    )
-    or
-    (
-      method.getDeclaringType().hasQualifiedName("java.util", "Base64$Encoder") or
-      method.getDeclaringType().hasQualifiedName("java.util", "Base64$Decoder")
-    ) and
-    (
-      method.getName() = "encode" and arg = 0 and method.getNumberOfParameters() = 1
-      or
-      method.getName() = "decode" and arg = 0 and method.getNumberOfParameters() = 1
-      or
-      method.getName() = "encodeToString" and arg = 0
-      or
-      method.getName() = "wrap" and arg = 0
-    )
-    or
-    method.getDeclaringType().hasQualifiedName("org.apache.commons.io", "IOUtils") and
-    (
-      method.getName() = "buffer" and arg = 0
-      or
-      method.getName() = "readLines" and arg = 0
-      or
-      method.getName() = "readFully" and arg = 0 and method.getParameterType(1).hasName("int")
-      or
-      method.getName() = "toBufferedInputStream" and arg = 0
-      or
-      method.getName() = "toBufferedReader" and arg = 0
-      or
-      method.getName() = "toByteArray" and arg = 0
-      or
-      method.getName() = "toCharArray" and arg = 0
-      or
-      method.getName() = "toInputStream" and arg = 0
-      or
-      method.getName() = "toString" and arg = 0
-    )
-    or
-    // A URI created from a tainted string is still tainted.
-    method.getDeclaringType().hasQualifiedName("java.net", "URI") and
-    method.hasName("create") and
-    arg = 0
-    or
-    method.getDeclaringType().hasQualifiedName("javax.xml.transform.sax", "SAXSource") and
-    method.hasName("sourceToInputSource") and
-    arg = 0
-    or
-    exists(ProtobufParser p | method = p.getAParseFromMethod()) and
-    arg = 0
-    or
-    exists(ProtobufMessageLite m | method = m.getAParseFromMethod()) and
-    arg = 0
-  }
-
-  /**
-   * Holds if `tracked` and `sink` are arguments to a method that transfers taint
-   * between arguments.
-   */
-  private predicate argToArgStep(Expr tracked, RValue sink) {
-    exists(MethodAccess ma, Method method, int input, int output |
-      taintPreservingArgToArg(method, input, output) and
-      ma.getMethod() = method and
-      ma.getArgument(input) = tracked and
-      ma.getArgument(output) = sink
-    )
-  }
-
-  /**
-   * Holds if `method` is a library method that writes tainted data to the
-   * `output`th argument if the `input`th argument is tainted.
-   */
-  private predicate taintPreservingArgToArg(Method method, int input, int output) {
-    method.getDeclaringType().hasQualifiedName("org.apache.commons.io", "IOUtils") and
-    (
-      method.hasName("copy") and input = 0 and output = 1
-      or
-      method.hasName("copyLarge") and input = 0 and output = 1
-      or
-      method.hasName("read") and input = 0 and output = 1
-      or
-      method.hasName("readFully") and
-      input = 0 and
-      output = 1 and
-      not method.getParameterType(1).hasName("int")
-      or
-      method.hasName("write") and input = 0 and output = 1
-      or
-      method.hasName("writeChunked") and input = 0 and output = 1
-      or
-      method.hasName("writeLines") and input = 0 and output = 2
-      or
-      method.hasName("writeLines") and input = 1 and output = 2
-    )
-    or
-    method.getDeclaringType().hasQualifiedName("java.lang", "System") and
-    method.hasName("arraycopy") and
-    input = 0 and
-    output = 2
-  }
-
-  /**
-   * Holds if `tracked` is the argument of a method that transfers taint
-   * from the argument to the qualifier and `sink` is the qualifier.
-   */
-  private predicate argToQualifierStep(Expr tracked, Expr sink) {
-    exists(Method m, int i, MethodAccess ma |
-      taintPreservingArgumentToQualifier(m, i) and
-      ma.getMethod() = m and
-      tracked = ma.getArgument(i) and
-      sink = ma.getQualifier()
-    )
-  }
-
-  /**
-   * Holds if `method` is a method that transfers taint from argument to qualifier and
-   * `arg` is the index of the argument.
-   */
-  private predicate taintPreservingArgumentToQualifier(Method method, int arg) {
-    method.getDeclaringType().hasQualifiedName("java.io", "ByteArrayOutputStream") and
-    method.hasName("write") and
-    arg = 0
-  }
-
-  /** A comparison or equality test with a constant. */
-  private predicate comparisonStep(Expr tracked, Expr sink) {
-    exists(Expr other |
-      exists(BinaryExpr e | e instanceof ComparisonExpr or e instanceof EqualityTest |
-        e = sink and
-        e.hasOperands(tracked, other)
-      )
-      or
-      exists(MethodAccess m | m.getMethod() instanceof EqualsMethod |
-        m = sink and
-        (
-          m.getQualifier() = tracked and m.getArgument(0) = other
-          or
-          m.getQualifier() = other and m.getArgument(0) = tracked
-        )
-      )
-    |
-      other.isCompileTimeConstant() or other instanceof NullLiteral
-    )
-  }
-
-  /** Flow through a `StringBuilder`. */
-  private predicate stringBuilderStep(Expr tracked, Expr sink) {
-    exists(StringBuilderVar sbvar, MethodAccess input, int arg |
-      input = sbvar.getAnInput(arg) and
-      tracked = input.getArgument(arg) and
-      sink = sbvar.getToStringCall()
-    )
-  }
-
-  /** Flow through data serialization. */
-  private predicate serializationStep(Expr tracked, Expr sink) {
-    exists(ObjectOutputStreamVar v, VariableAssign def |
-      def = v.getADef() and
-      exists(MethodAccess ma, RValue use |
-        ma.getArgument(0) = tracked and
-        ma = v.getAWriteObjectMethodAccess() and
-        use = ma.getQualifier() and
-        defUsePair(def, use)
-      ) and
-      exists(RValue outputstream, ClassInstanceExpr cie |
-        cie = def.getSource() and
-        outputstream = cie.getArgument(0) and
-        adjacentUseUse(outputstream, sink)
-      )
-    )
-  }
-
-  /**
-   * A local variable that is assigned an `ObjectOutputStream`.
-   * Writing tainted data to such a stream causes the underlying
-   * `OutputStream` to be tainted.
-   */
-  class ObjectOutputStreamVar extends LocalVariableDecl {
-    ObjectOutputStreamVar() {
-      exists(ClassInstanceExpr cie | cie = this.getAnAssignedValue() |
-        cie.getType() instanceof TypeObjectOutputStream
-      )
-    }
-
-    VariableAssign getADef() {
-      result.getSource().(ClassInstanceExpr).getType() instanceof TypeObjectOutputStream and
-      result.getDestVar() = this
-    }
-
-    MethodAccess getAWriteObjectMethodAccess() {
-      result.getQualifier() = getAnAccess() and
-      result.getMethod().hasName("writeObject")
-    }
-  }
-}
-
-/**
- * A local variable that is initialized to a `StringBuilder`
- * or `StringBuffer`. Such variables are often used to
- * build up a query using string concatenation.
- */
-class StringBuilderVar extends LocalVariableDecl {
-  StringBuilderVar() {
-    this.getType() instanceof TypeStringBuilder or
-    this.getType() instanceof TypeStringBuffer
-  }
-
-  /**
-   * Gets a call that adds something to this string builder, from the argument at the given index.
-   */
-  MethodAccess getAnInput(int arg) {
-    result.getQualifier() = getAChainedReference() and
-    (
-      result.getMethod().getName() = "append" and arg = 0
-      or
-      result.getMethod().getName() = "insert" and arg = 1
-      or
-      result.getMethod().getName() = "replace" and arg = 2
-    )
-  }
-
-  /**
-   * Gets a call that appends something to this string builder.
-   */
-  MethodAccess getAnAppend() {
-    result.getQualifier() = getAChainedReference() and
-    result.getMethod().getName() = "append"
-  }
-
-  MethodAccess getNextAppend(MethodAccess append) {
-    result = getAnAppend() and
-    append = getAnAppend() and
-    (
-      result.getQualifier() = append
-      or
-      not exists(MethodAccess chainAccess | chainAccess.getQualifier() = append) and
-      exists(RValue sbva1, RValue sbva2 |
-        adjacentUseUse(sbva1, sbva2) and
-        append.getQualifier() = getAChainedReference(sbva1) and
-        result.getQualifier() = sbva2
-      )
-    )
-  }
-
-  /**
-   * Gets a call that converts this string builder to a string.
-   */
-  MethodAccess getToStringCall() {
-    result.getQualifier() = getAChainedReference() and
-    result.getMethod().getName() = "toString"
-  }
-
-  private Expr getAChainedReference(VarAccess sbva) {
-    // All the methods on `StringBuilder` that return the same type return
-    // the same object.
-    result = callReturningSameType+(sbva) and sbva = this.getAnAccess()
-    or
-    result = sbva and sbva = this.getAnAccess()
-  }
+module TaintTracking {
+  import semmle.code.java.dataflow.internal.tainttracking1.TaintTrackingImpl
+  private import semmle.code.java.dataflow.TaintTracking2
 
   /**
-   * Gets an expression that refers to this `StringBuilder`, possibly after some chained calls.
+   * DEPRECATED: Use TaintTracking2::Configuration instead.
    */
-  Expr getAChainedReference() { result = getAChainedReference(_) }
-}
-
-private MethodAccess callReturningSameType(Expr ref) {
-  ref = result.getQualifier() and
-  result.getMethod().getReturnType() = ref.getType()
+  deprecated
+  class Configuration2 = TaintTracking2::Configuration;
 }
diff --git a/java/ql/src/semmle/code/java/dataflow/TaintTracking2.qll b/java/ql/src/semmle/code/java/dataflow/TaintTracking2.qll
new file mode 100644
index 000000000000..9042e9c011bf
--- /dev/null
+++ b/java/ql/src/semmle/code/java/dataflow/TaintTracking2.qll
@@ -0,0 +1,12 @@
+/**
+ * Provides classes for performing local (intra-procedural) and
+ * global (inter-procedural) taint-tracking analyses.
+ *
+ * We define _taint propagation_ informally to mean that a substantial part of
+ * the information from the source is preserved at the sink. For example, taint
+ * propagates from `x` to `x + 100`, but it does not propagate from `x` to `x >
+ * 100` since we consider a single bit of information to be too little.
+ */
+module TaintTracking2 {
+  import semmle.code.java.dataflow.internal.tainttracking2.TaintTrackingImpl
+}
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
new file mode 100644
index 000000000000..28ed6c5e86c1
--- /dev/null
+++ b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -0,0 +1,635 @@
+private import java
+private import semmle.code.java.dataflow.DataFlow
+private import semmle.code.java.Collections
+private import semmle.code.java.dataflow.SSA
+private import semmle.code.java.dataflow.DefUse
+private import semmle.code.java.security.SecurityTests
+private import semmle.code.java.security.Validation
+private import semmle.code.java.frameworks.android.Intent
+private import semmle.code.java.frameworks.Guice
+private import semmle.code.java.frameworks.Protobuf
+private import semmle.code.java.Maps
+private import semmle.code.java.dataflow.internal.ContainerFlow
+
+/**
+ * Holds if taint can flow from `src` to `sink` in zero or more
+ * local (intra-procedural) steps.
+ */
+predicate localTaint(DataFlow::Node src, DataFlow::Node sink) { localTaintStep*(src, sink) }
+
+/**
+ * Holds if taint can flow in one local step from `src` to `sink`.
+ */
+predicate localTaintStep(DataFlow::Node src, DataFlow::Node sink) {
+  DataFlow::localFlowStep(src, sink) or
+  localAdditionalTaintStep(src, sink)
+}
+
+/**
+ * Holds if taint can flow in one local step from `src` to `sink` excluding
+ * local data flow steps. That is, `src` and `sink` are likely to represent
+ * different objects.
+ */
+predicate localAdditionalTaintStep(DataFlow::Node src, DataFlow::Node sink) {
+  localAdditionalTaintExprStep(src.asExpr(), sink.asExpr())
+  or
+  exists(Argument arg |
+    src.asExpr() = arg and
+    arg.isVararg() and
+    sink.(DataFlow::ImplicitVarargsArray).getCall() = arg.getCall()
+  )
+}
+
+/**
+ * Holds if `node` should be a barrier in all global taint flow configurations
+ * but not in local taint.
+ */
+predicate defaultTaintBarrier(DataFlow::Node node) {
+  // Ignore paths through test code.
+  node.getEnclosingCallable().getDeclaringType() instanceof NonSecurityTestClass or
+  node.asExpr() instanceof ValidatedVariableAccess
+}
+
+/**
+ * Holds if taint can flow in one local step from `src` to `sink` excluding
+ * local data flow steps. That is, `src` and `sink` are likely to represent
+ * different objects.
+ */
+private predicate localAdditionalTaintExprStep(Expr src, Expr sink) {
+  sink.(AddExpr).getAnOperand() = src and sink.getType() instanceof TypeString
+  or
+  sink.(AssignAddExpr).getSource() = src and sink.getType() instanceof TypeString
+  or
+  sink.(ArrayCreationExpr).getInit() = src
+  or
+  sink.(ArrayInit).getAnInit() = src
+  or
+  sink.(ArrayAccess).getArray() = src
+  or
+  sink.(LogicExpr).getAnOperand() = src
+  or
+  exists(Assignment assign | assign.getSource() = src |
+    sink = assign.getDest().(ArrayAccess).getArray()
+  )
+  or
+  exists(EnhancedForStmt for, SsaExplicitUpdate v |
+    for.getExpr() = src and
+    v.getDefiningExpr() = for.getVariable() and
+    v.getAFirstUse() = sink
+  )
+  or
+  containerStep(src, sink)
+  or
+  constructorStep(src, sink)
+  or
+  qualifierToMethodStep(src, sink)
+  or
+  qualifierToArgumentStep(src, sink)
+  or
+  argToMethodStep(src, sink)
+  or
+  argToArgStep(src, sink)
+  or
+  argToQualifierStep(src, sink)
+  or
+  comparisonStep(src, sink)
+  or
+  stringBuilderStep(src, sink)
+  or
+  serializationStep(src, sink)
+}
+
+private class BulkData extends RefType {
+  BulkData() {
+    this.(Array).getElementType().(PrimitiveType).getName().regexpMatch("byte|char")
+    or
+    exists(RefType t | this.getASourceSupertype*() = t |
+      t.hasQualifiedName("java.io", "InputStream") or
+      t.hasQualifiedName("java.nio", "ByteBuffer") or
+      t.hasQualifiedName("java.lang", "Readable") or
+      t.hasQualifiedName("java.io", "DataInput") or
+      t.hasQualifiedName("java.nio.channels", "ReadableByteChannel")
+    )
+  }
+}
+
+/**
+ * Holds if `c` is a constructor for a subclass of `java.io.InputStream` that
+ * wraps an underlying data source. The underlying data source is given as a
+ * the `argi`'th parameter to the constructor.
+ *
+ * An object construction of such a wrapper is likely to preserve the data flow
+ * status of its argument.
+ */
+private predicate inputStreamWrapper(Constructor c, int argi) {
+  c.getParameterType(argi) instanceof BulkData and
+  c.getDeclaringType().getASourceSupertype().hasQualifiedName("java.io", "InputStream")
+}
+
+/** An object construction that preserves the data flow status of any of its arguments. */
+private predicate constructorStep(Expr tracked, ConstructorCall sink) {
+  exists(int argi | sink.getArgument(argi) = tracked |
+    exists(string s | sink.getConstructedType().getQualifiedName() = s |
+      // String constructor does nothing to data
+      s = "java.lang.String" and argi = 0
+      or
+      // some readers preserve the content of streams
+      s = "java.io.InputStreamReader" and argi = 0
+      or
+      s = "java.io.BufferedReader" and argi = 0
+      or
+      s = "java.io.CharArrayReader" and argi = 0
+      or
+      s = "java.io.StringReader" and argi = 0
+      or
+      // data preserved through streams
+      s = "java.io.ObjectInputStream" and argi = 0
+      or
+      s = "java.io.ByteArrayInputStream" and argi = 0
+      or
+      s = "java.io.DataInputStream" and argi = 0
+      or
+      s = "java.io.BufferedInputStream" and argi = 0
+      or
+      s = "com.esotericsoftware.kryo.io.Input" and argi = 0
+      or
+      s = "java.beans.XMLDecoder" and argi = 0
+      or
+      // a tokenizer preserves the content of a string
+      s = "java.util.StringTokenizer" and argi = 0
+      or
+      // unzipping the stream preserves content
+      s = "java.util.zip.ZipInputStream" and argi = 0
+      or
+      s = "java.util.zip.GZIPInputStream" and argi = 0
+      or
+      // string builders and buffers
+      s = "java.lang.StringBuilder" and argi = 0
+      or
+      s = "java.lang.StringBuffer" and argi = 0
+      or
+      // a cookie with tainted ingredients is tainted
+      s = "javax.servlet.http.Cookie" and argi = 0
+      or
+      s = "javax.servlet.http.Cookie" and argi = 1
+      or
+      // various xml stream source constructors.
+      s = "org.xml.sax.InputSource" and argi = 0
+      or
+      s = "javax.xml.transform.sax.SAXSource" and argi = 0 and sink.getNumArgument() = 1
+      or
+      s = "javax.xml.transform.sax.SAXSource" and argi = 1 and sink.getNumArgument() = 2
+      or
+      s = "javax.xml.transform.stream.StreamSource" and argi = 0
+      or
+      //a URI constructed from a tainted string is tainted.
+      s = "java.net.URI" and argi = 0 and sink.getNumArgument() = 1
+    )
+    or
+    exists(RefType t | t.getQualifiedName() = "java.lang.Number" |
+      hasSubtype*(t, sink.getConstructedType())
+    ) and
+    argi = 0
+    or
+    // wrappers constructed by extension
+    exists(Constructor c, Parameter p, SuperConstructorInvocationStmt sup |
+      c = sink.getConstructor() and
+      p = c.getParameter(argi) and
+      sup.getEnclosingCallable() = c and
+      constructorStep(p.getAnAccess(), sup)
+    )
+    or
+    // a custom InputStream that wraps a tainted data source is tainted
+    inputStreamWrapper(sink.getConstructor(), argi)
+  )
+}
+
+/** Access to a method that passes taint from qualifier to argument. */
+private predicate qualifierToArgumentStep(Expr tracked, RValue sink) {
+  exists(MethodAccess ma, int arg |
+    taintPreservingQualifierToArgument(ma.getMethod(), arg) and
+    tracked = ma.getQualifier() and
+    sink = ma.getArgument(arg)
+  )
+}
+
+/** Methods that passes tainted data from qualifier to argument. */
+private predicate taintPreservingQualifierToArgument(Method m, int arg) {
+  m.getDeclaringType().hasQualifiedName("java.io", "ByteArrayOutputStream") and
+  m.hasName("writeTo") and
+  arg = 0
+  or
+  m.getDeclaringType().hasQualifiedName("java.io", "InputStream") and
+  m.hasName("read") and
+  arg = 0
+  or
+  m.getDeclaringType().getASupertype*().hasQualifiedName("java.io", "Reader") and
+  m.hasName("read") and
+  arg = 0
+}
+
+/** Access to a method that passes taint from the qualifier. */
+private predicate qualifierToMethodStep(Expr tracked, MethodAccess sink) {
+  (taintPreservingQualifierToMethod(sink.getMethod()) or unsafeEscape(sink)) and
+  tracked = sink.getQualifier()
+}
+
+/**
+ * Methods that return tainted data when called on tainted data.
+ */
+private predicate taintPreservingQualifierToMethod(Method m) {
+  m.getDeclaringType() instanceof TypeString and
+  (
+    m.getName() = "concat" or
+    m.getName() = "endsWith" or
+    m.getName() = "getBytes" or
+    m.getName() = "split" or
+    m.getName() = "substring" or
+    m.getName() = "toCharArray" or
+    m.getName() = "toLowerCase" or
+    m.getName() = "toString" or
+    m.getName() = "toUpperCase" or
+    m.getName() = "trim"
+  )
+  or
+  exists(Class c | c.getQualifiedName() = "java.lang.Number" |
+    hasSubtype*(c, m.getDeclaringType())
+  ) and
+  (
+    m.getName().matches("to%String") or
+    m.getName() = "toByteArray" or
+    m.getName().matches("%Value")
+  )
+  or
+  m.getDeclaringType().getASupertype*().hasQualifiedName("java.io", "Reader") and
+  (
+    m.getName() = "read" and m.getNumberOfParameters() = 0
+    or
+    m.getName() = "readLine"
+  )
+  or
+  m.getDeclaringType().getQualifiedName().matches("%StringWriter") and
+  m.getName() = "toString"
+  or
+  m.getDeclaringType().hasQualifiedName("java.util", "StringTokenizer") and
+  m.getName().matches("next%")
+  or
+  m.getDeclaringType().hasQualifiedName("java.io", "ByteArrayOutputStream") and
+  (m.getName() = "toByteArray" or m.getName() = "toString")
+  or
+  m.getDeclaringType().hasQualifiedName("java.io", "ObjectInputStream") and
+  m.getName().matches("read%")
+  or
+  (
+    m.getDeclaringType().hasQualifiedName("java.lang", "StringBuilder") or
+    m.getDeclaringType().hasQualifiedName("java.lang", "StringBuffer")
+  ) and
+  (m.getName() = "toString" or m.getName() = "append")
+  or
+  m.getDeclaringType().hasQualifiedName("javax.xml.transform.sax", "SAXSource") and
+  m.hasName("getInputSource")
+  or
+  m.getDeclaringType().hasQualifiedName("javax.xml.transform.stream", "StreamSource") and
+  m.hasName("getInputStream")
+  or
+  m instanceof IntentGetExtraMethod
+  or
+  m.getDeclaringType().hasQualifiedName("java.nio", "ByteBuffer") and
+  m.hasName("get")
+  or
+  m = any(GuiceProvider gp).getAnOverridingGetMethod()
+  or
+  m = any(ProtobufMessageLite p).getAGetterMethod()
+}
+
+private class StringReplaceMethod extends Method {
+  StringReplaceMethod() {
+    getDeclaringType() instanceof TypeString and
+    (
+      hasName("replace") or
+      hasName("replaceAll") or
+      hasName("replaceFirst")
+    )
+  }
+}
+
+private predicate unsafeEscape(MethodAccess ma) {
+  // Removing `<script>` tags using a string-replace method is
+  // unsafe if such a tag is embedded inside another one (e.g. `<scr<script>ipt>`).
+  exists(StringReplaceMethod m | ma.getMethod() = m |
+    ma.getArgument(0).(StringLiteral).getRepresentedString() = "(<script>)" and
+    ma.getArgument(1).(StringLiteral).getRepresentedString() = ""
+  )
+}
+
+/** Access to a method that passes taint from an argument. */
+private predicate argToMethodStep(Expr tracked, MethodAccess sink) {
+  exists(Method m, int i |
+    m = sink.(MethodAccess).getMethod() and
+    taintPreservingArgumentToMethod(m, i) and
+    tracked = sink.(MethodAccess).getArgument(i)
+  )
+}
+
+/**
+ * Holds if `method` is a library method that return tainted data if its
+ * `arg`th argument is tainted.
+ */
+private predicate taintPreservingArgumentToMethod(Method method, int arg) {
+  method instanceof StringReplaceMethod and arg = 1
+  or
+  exists(Class c | c.getQualifiedName() = "java.lang.Number" |
+    hasSubtype*(c, method.getDeclaringType())
+  ) and
+  (
+    method.getName().matches("parse%") and arg = 0
+    or
+    method.getName().matches("valueOf%") and arg = 0
+    or
+    method.getName().matches("to%String") and arg = 0
+  )
+  or
+  method.getDeclaringType() instanceof TypeString and
+  method.getName() = "concat" and
+  arg = 0
+  or
+  (
+    method.getDeclaringType().hasQualifiedName("java.lang", "StringBuilder") or
+    method.getDeclaringType().hasQualifiedName("java.lang", "StringBuffer")
+  ) and
+  (
+    method.getName() = "append" and arg = 0
+    or
+    method.getName() = "insert" and arg = 1
+    or
+    method.getName() = "replace" and arg = 2
+  )
+  or
+  (
+    method.getDeclaringType().hasQualifiedName("java.util", "Base64$Encoder") or
+    method.getDeclaringType().hasQualifiedName("java.util", "Base64$Decoder")
+  ) and
+  (
+    method.getName() = "encode" and arg = 0 and method.getNumberOfParameters() = 1
+    or
+    method.getName() = "decode" and arg = 0 and method.getNumberOfParameters() = 1
+    or
+    method.getName() = "encodeToString" and arg = 0
+    or
+    method.getName() = "wrap" and arg = 0
+  )
+  or
+  method.getDeclaringType().hasQualifiedName("org.apache.commons.io", "IOUtils") and
+  (
+    method.getName() = "buffer" and arg = 0
+    or
+    method.getName() = "readLines" and arg = 0
+    or
+    method.getName() = "readFully" and arg = 0 and method.getParameterType(1).hasName("int")
+    or
+    method.getName() = "toBufferedInputStream" and arg = 0
+    or
+    method.getName() = "toBufferedReader" and arg = 0
+    or
+    method.getName() = "toByteArray" and arg = 0
+    or
+    method.getName() = "toCharArray" and arg = 0
+    or
+    method.getName() = "toInputStream" and arg = 0
+    or
+    method.getName() = "toString" and arg = 0
+  )
+  or
+  // A URI created from a tainted string is still tainted.
+  method.getDeclaringType().hasQualifiedName("java.net", "URI") and
+  method.hasName("create") and
+  arg = 0
+  or
+  method.getDeclaringType().hasQualifiedName("javax.xml.transform.sax", "SAXSource") and
+  method.hasName("sourceToInputSource") and
+  arg = 0
+  or
+  exists(ProtobufParser p | method = p.getAParseFromMethod()) and
+  arg = 0
+  or
+  exists(ProtobufMessageLite m | method = m.getAParseFromMethod()) and
+  arg = 0
+}
+
+/**
+ * Holds if `tracked` and `sink` are arguments to a method that transfers taint
+ * between arguments.
+ */
+private predicate argToArgStep(Expr tracked, RValue sink) {
+  exists(MethodAccess ma, Method method, int input, int output |
+    taintPreservingArgToArg(method, input, output) and
+    ma.getMethod() = method and
+    ma.getArgument(input) = tracked and
+    ma.getArgument(output) = sink
+  )
+}
+
+/**
+ * Holds if `method` is a library method that writes tainted data to the
+ * `output`th argument if the `input`th argument is tainted.
+ */
+private predicate taintPreservingArgToArg(Method method, int input, int output) {
+  method.getDeclaringType().hasQualifiedName("org.apache.commons.io", "IOUtils") and
+  (
+    method.hasName("copy") and input = 0 and output = 1
+    or
+    method.hasName("copyLarge") and input = 0 and output = 1
+    or
+    method.hasName("read") and input = 0 and output = 1
+    or
+    method.hasName("readFully") and
+    input = 0 and
+    output = 1 and
+    not method.getParameterType(1).hasName("int")
+    or
+    method.hasName("write") and input = 0 and output = 1
+    or
+    method.hasName("writeChunked") and input = 0 and output = 1
+    or
+    method.hasName("writeLines") and input = 0 and output = 2
+    or
+    method.hasName("writeLines") and input = 1 and output = 2
+  )
+  or
+  method.getDeclaringType().hasQualifiedName("java.lang", "System") and
+  method.hasName("arraycopy") and
+  input = 0 and
+  output = 2
+}
+
+/**
+ * Holds if `tracked` is the argument of a method that transfers taint
+ * from the argument to the qualifier and `sink` is the qualifier.
+ */
+private predicate argToQualifierStep(Expr tracked, Expr sink) {
+  exists(Method m, int i, MethodAccess ma |
+    taintPreservingArgumentToQualifier(m, i) and
+    ma.getMethod() = m and
+    tracked = ma.getArgument(i) and
+    sink = ma.getQualifier()
+  )
+}
+
+/**
+ * Holds if `method` is a method that transfers taint from argument to qualifier and
+ * `arg` is the index of the argument.
+ */
+private predicate taintPreservingArgumentToQualifier(Method method, int arg) {
+  method.getDeclaringType().hasQualifiedName("java.io", "ByteArrayOutputStream") and
+  method.hasName("write") and
+  arg = 0
+}
+
+/** A comparison or equality test with a constant. */
+private predicate comparisonStep(Expr tracked, Expr sink) {
+  exists(Expr other |
+    exists(BinaryExpr e | e instanceof ComparisonExpr or e instanceof EqualityTest |
+      e = sink and
+      e.hasOperands(tracked, other)
+    )
+    or
+    exists(MethodAccess m | m.getMethod() instanceof EqualsMethod |
+      m = sink and
+      (
+        m.getQualifier() = tracked and m.getArgument(0) = other
+        or
+        m.getQualifier() = other and m.getArgument(0) = tracked
+      )
+    )
+  |
+    other.isCompileTimeConstant() or other instanceof NullLiteral
+  )
+}
+
+/** Flow through a `StringBuilder`. */
+private predicate stringBuilderStep(Expr tracked, Expr sink) {
+  exists(StringBuilderVar sbvar, MethodAccess input, int arg |
+    input = sbvar.getAnInput(arg) and
+    tracked = input.getArgument(arg) and
+    sink = sbvar.getToStringCall()
+  )
+}
+
+/** Flow through data serialization. */
+private predicate serializationStep(Expr tracked, Expr sink) {
+  exists(ObjectOutputStreamVar v, VariableAssign def |
+    def = v.getADef() and
+    exists(MethodAccess ma, RValue use |
+      ma.getArgument(0) = tracked and
+      ma = v.getAWriteObjectMethodAccess() and
+      use = ma.getQualifier() and
+      defUsePair(def, use)
+    ) and
+    exists(RValue outputstream, ClassInstanceExpr cie |
+      cie = def.getSource() and
+      outputstream = cie.getArgument(0) and
+      adjacentUseUse(outputstream, sink)
+    )
+  )
+}
+
+/**
+ * A local variable that is assigned an `ObjectOutputStream`.
+ * Writing tainted data to such a stream causes the underlying
+ * `OutputStream` to be tainted.
+ */
+class ObjectOutputStreamVar extends LocalVariableDecl {
+  ObjectOutputStreamVar() {
+    exists(ClassInstanceExpr cie | cie = this.getAnAssignedValue() |
+      cie.getType() instanceof TypeObjectOutputStream
+    )
+  }
+
+  VariableAssign getADef() {
+    result.getSource().(ClassInstanceExpr).getType() instanceof TypeObjectOutputStream and
+    result.getDestVar() = this
+  }
+
+  MethodAccess getAWriteObjectMethodAccess() {
+    result.getQualifier() = getAnAccess() and
+    result.getMethod().hasName("writeObject")
+  }
+}
+
+private import StringBuilderVarModule
+module StringBuilderVarModule {
+  /**
+   * A local variable that is initialized to a `StringBuilder`
+   * or `StringBuffer`. Such variables are often used to
+   * build up a query using string concatenation.
+   */
+  class StringBuilderVar extends LocalVariableDecl {
+    StringBuilderVar() {
+      this.getType() instanceof TypeStringBuilder or
+      this.getType() instanceof TypeStringBuffer
+    }
+
+    /**
+     * Gets a call that adds something to this string builder, from the argument at the given index.
+     */
+    MethodAccess getAnInput(int arg) {
+      result.getQualifier() = getAChainedReference() and
+      (
+        result.getMethod().getName() = "append" and arg = 0
+        or
+        result.getMethod().getName() = "insert" and arg = 1
+        or
+        result.getMethod().getName() = "replace" and arg = 2
+      )
+    }
+
+    /**
+     * Gets a call that appends something to this string builder.
+     */
+    MethodAccess getAnAppend() {
+      result.getQualifier() = getAChainedReference() and
+      result.getMethod().getName() = "append"
+    }
+
+    MethodAccess getNextAppend(MethodAccess append) {
+      result = getAnAppend() and
+      append = getAnAppend() and
+      (
+        result.getQualifier() = append
+        or
+        not exists(MethodAccess chainAccess | chainAccess.getQualifier() = append) and
+        exists(RValue sbva1, RValue sbva2 |
+          adjacentUseUse(sbva1, sbva2) and
+          append.getQualifier() = getAChainedReference(sbva1) and
+          result.getQualifier() = sbva2
+        )
+      )
+    }
+
+    /**
+     * Gets a call that converts this string builder to a string.
+     */
+    MethodAccess getToStringCall() {
+      result.getQualifier() = getAChainedReference() and
+      result.getMethod().getName() = "toString"
+    }
+
+    private Expr getAChainedReference(VarAccess sbva) {
+      // All the methods on `StringBuilder` that return the same type return
+      // the same object.
+      result = callReturningSameType+(sbva) and sbva = this.getAnAccess()
+      or
+      result = sbva and sbva = this.getAnAccess()
+    }
+
+    /**
+     * Gets an expression that refers to this `StringBuilder`, possibly after some chained calls.
+     */
+    Expr getAChainedReference() { result = getAChainedReference(_) }
+  }
+}
+
+private MethodAccess callReturningSameType(Expr ref) {
+  ref = result.getQualifier() and
+  result.getMethod().getReturnType() = ref.getType()
+}
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingImpl.qll b/java/ql/src/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingImpl.qll
new file mode 100644
index 000000000000..985768177d47
--- /dev/null
+++ b/java/ql/src/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingImpl.qll
@@ -0,0 +1,88 @@
+import TaintTrackingParameter::Public
+private import TaintTrackingParameter::Private
+
+/**
+ * A taint tracking configuration.
+ *
+ * A taint tracking configuration is a special dataflow configuration
+ * (`DataFlow::Configuration`) that allows for flow through nodes that do not
+ * necessarily preserve values, but are still relevant from a taint tracking
+ * perspective. (For example, string concatenation, where one of the operands
+ * is tainted.)
+ *
+ * Each use of the taint tracking library must define its own unique extension
+ * of this abstract class. A configuration defines a set of relevant sources
+ * (`isSource`) and sinks (`isSink`), and may additionally treat intermediate
+ * nodes as "sanitizers" (`isSanitizer`) as well as add custom taint flow steps
+ * (`isAdditionalTaintStep()`).
+ */
+abstract class Configuration extends DataFlow::Configuration {
+  bindingset[this]
+  Configuration() { any() }
+
+  /**
+   * Holds if `source` is a relevant taint source.
+   *
+   * The smaller this predicate is, the faster `hasFlow()` will converge.
+   */
+  // overridden to provide taint-tracking specific qldoc
+  abstract override predicate isSource(DataFlow::Node source);
+
+  /**
+   * Holds if `sink` is a relevant taint sink.
+   *
+   * The smaller this predicate is, the faster `hasFlow()` will converge.
+   */
+  // overridden to provide taint-tracking specific qldoc
+  abstract override predicate isSink(DataFlow::Node sink);
+
+  /** Holds if the node `node` is a taint sanitizer. */
+  predicate isSanitizer(DataFlow::Node node) { none() }
+
+  final override predicate isBarrier(DataFlow::Node node) {
+    isSanitizer(node) or
+    defaultTaintBarrier(node)
+  }
+
+  /** DEPRECATED: override `isSanitizerIn` and `isSanitizerOut` instead. */
+  deprecated predicate isSanitizerEdge(DataFlow::Node node1, DataFlow::Node node2) { none() }
+
+  deprecated final override predicate isBarrierEdge(DataFlow::Node node1, DataFlow::Node node2) {
+    isSanitizerEdge(node1, node2)
+  }
+
+  /** Holds if data flow into `node` is prohibited. */
+  predicate isSanitizerIn(DataFlow::Node node) { none() }
+
+  final override predicate isBarrierIn(DataFlow::Node node) { isSanitizerIn(node) }
+
+  /** Holds if data flow out of `node` is prohibited. */
+  predicate isSanitizerOut(DataFlow::Node node) { none() }
+
+  final override predicate isBarrierOut(DataFlow::Node node) { isSanitizerOut(node) }
+
+  /** Holds if data flow through nodes guarded by `guard` is prohibited. */
+  predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
+
+  final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) { isSanitizerGuard(guard) }
+
+  /**
+   * Holds if the additional taint propagation step from `node1` to `node2`
+   * must be taken into account in the analysis.
+   */
+  predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) { none() }
+
+  final override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    isAdditionalTaintStep(node1, node2) or
+    localAdditionalTaintStep(node1, node2)
+  }
+
+  /**
+   * Holds if taint may flow from `source` to `sink` for this configuration.
+   */
+  // overridden to provide taint-tracking specific qldoc
+  override predicate hasFlow(DataFlow::Node source, DataFlow::Node sink) {
+    super.hasFlow(source, sink)
+  }
+}
+
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingParameter.qll b/java/ql/src/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingParameter.qll
new file mode 100644
index 000000000000..d2acc1130e5c
--- /dev/null
+++ b/java/ql/src/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingParameter.qll
@@ -0,0 +1,5 @@
+import semmle.code.java.dataflow.internal.TaintTrackingUtil as Public
+
+module Private {
+  import semmle.code.java.dataflow.DataFlow::DataFlow as DataFlow
+}
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingImpl.qll b/java/ql/src/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingImpl.qll
new file mode 100644
index 000000000000..985768177d47
--- /dev/null
+++ b/java/ql/src/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingImpl.qll
@@ -0,0 +1,88 @@
+import TaintTrackingParameter::Public
+private import TaintTrackingParameter::Private
+
+/**
+ * A taint tracking configuration.
+ *
+ * A taint tracking configuration is a special dataflow configuration
+ * (`DataFlow::Configuration`) that allows for flow through nodes that do not
+ * necessarily preserve values, but are still relevant from a taint tracking
+ * perspective. (For example, string concatenation, where one of the operands
+ * is tainted.)
+ *
+ * Each use of the taint tracking library must define its own unique extension
+ * of this abstract class. A configuration defines a set of relevant sources
+ * (`isSource`) and sinks (`isSink`), and may additionally treat intermediate
+ * nodes as "sanitizers" (`isSanitizer`) as well as add custom taint flow steps
+ * (`isAdditionalTaintStep()`).
+ */
+abstract class Configuration extends DataFlow::Configuration {
+  bindingset[this]
+  Configuration() { any() }
+
+  /**
+   * Holds if `source` is a relevant taint source.
+   *
+   * The smaller this predicate is, the faster `hasFlow()` will converge.
+   */
+  // overridden to provide taint-tracking specific qldoc
+  abstract override predicate isSource(DataFlow::Node source);
+
+  /**
+   * Holds if `sink` is a relevant taint sink.
+   *
+   * The smaller this predicate is, the faster `hasFlow()` will converge.
+   */
+  // overridden to provide taint-tracking specific qldoc
+  abstract override predicate isSink(DataFlow::Node sink);
+
+  /** Holds if the node `node` is a taint sanitizer. */
+  predicate isSanitizer(DataFlow::Node node) { none() }
+
+  final override predicate isBarrier(DataFlow::Node node) {
+    isSanitizer(node) or
+    defaultTaintBarrier(node)
+  }
+
+  /** DEPRECATED: override `isSanitizerIn` and `isSanitizerOut` instead. */
+  deprecated predicate isSanitizerEdge(DataFlow::Node node1, DataFlow::Node node2) { none() }
+
+  deprecated final override predicate isBarrierEdge(DataFlow::Node node1, DataFlow::Node node2) {
+    isSanitizerEdge(node1, node2)
+  }
+
+  /** Holds if data flow into `node` is prohibited. */
+  predicate isSanitizerIn(DataFlow::Node node) { none() }
+
+  final override predicate isBarrierIn(DataFlow::Node node) { isSanitizerIn(node) }
+
+  /** Holds if data flow out of `node` is prohibited. */
+  predicate isSanitizerOut(DataFlow::Node node) { none() }
+
+  final override predicate isBarrierOut(DataFlow::Node node) { isSanitizerOut(node) }
+
+  /** Holds if data flow through nodes guarded by `guard` is prohibited. */
+  predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
+
+  final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) { isSanitizerGuard(guard) }
+
+  /**
+   * Holds if the additional taint propagation step from `node1` to `node2`
+   * must be taken into account in the analysis.
+   */
+  predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) { none() }
+
+  final override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    isAdditionalTaintStep(node1, node2) or
+    localAdditionalTaintStep(node1, node2)
+  }
+
+  /**
+   * Holds if taint may flow from `source` to `sink` for this configuration.
+   */
+  // overridden to provide taint-tracking specific qldoc
+  override predicate hasFlow(DataFlow::Node source, DataFlow::Node sink) {
+    super.hasFlow(source, sink)
+  }
+}
+
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingParameter.qll b/java/ql/src/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingParameter.qll
new file mode 100644
index 000000000000..5a9c924b6bd6
--- /dev/null
+++ b/java/ql/src/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingParameter.qll
@@ -0,0 +1,5 @@
+import semmle.code.java.dataflow.internal.TaintTrackingUtil as Public
+
+module Private {
+  import semmle.code.java.dataflow.DataFlow2::DataFlow2 as DataFlow
+}

From 9ac0cdd2a2482456546ea46c4654adb2aa2fd982 Mon Sep 17 00:00:00 2001
From: Jonas Jensen <jonas@semmle.com>
Date: Tue, 20 Aug 2019 12:56:53 +0200
Subject: [PATCH 5/9] Java: Don't use the deprecated Configuration2

---
 java/ql/src/Security/CWE/CWE-079/XSS.ql                | 3 ++-
 java/ql/src/Security/CWE/CWE-079/XSSLocal.ql           | 3 ++-
 java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql | 5 +++--
 java/ql/src/Security/CWE/CWE-611/XXE.ql                | 3 ++-
 4 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/java/ql/src/Security/CWE/CWE-079/XSS.ql b/java/ql/src/Security/CWE/CWE-079/XSS.ql
index 5b1bfb2ab168..009c8fa69355 100644
--- a/java/ql/src/Security/CWE/CWE-079/XSS.ql
+++ b/java/ql/src/Security/CWE/CWE-079/XSS.ql
@@ -12,10 +12,11 @@
 
 import java
 import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.dataflow.TaintTracking2
 import semmle.code.java.security.XSS
 import DataFlow2::PathGraph
 
-class XSSConfig extends TaintTracking::Configuration2 {
+class XSSConfig extends TaintTracking2::Configuration {
   XSSConfig() { this = "XSSConfig" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
diff --git a/java/ql/src/Security/CWE/CWE-079/XSSLocal.ql b/java/ql/src/Security/CWE/CWE-079/XSSLocal.ql
index d0e2a04b681c..3c6691986e16 100644
--- a/java/ql/src/Security/CWE/CWE-079/XSSLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-079/XSSLocal.ql
@@ -12,10 +12,11 @@
 
 import java
 import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.dataflow.TaintTracking2
 import semmle.code.java.security.XSS
 import DataFlow2::PathGraph
 
-class XSSLocalConfig extends TaintTracking::Configuration2 {
+class XSSLocalConfig extends TaintTracking2::Configuration {
   XSSLocalConfig() { this = "XSSLocalConfig" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
diff --git a/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql b/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql
index 87153e48244a..5c353958bc22 100644
--- a/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql
+++ b/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql
@@ -14,6 +14,7 @@
 
 import java
 import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.dataflow.TaintTracking2
 import semmle.code.java.security.XSS
 
 /**
@@ -80,7 +81,7 @@ predicate stackTraceExpr(Expr exception, MethodAccess stackTraceString) {
   )
 }
 
-class StackTraceStringToXssSinkFlowConfig extends TaintTracking::Configuration2 {
+class StackTraceStringToXssSinkFlowConfig extends TaintTracking2::Configuration {
   StackTraceStringToXssSinkFlowConfig() {
     this = "StackTraceExposure::StackTraceStringToXssSinkFlowConfig"
   }
@@ -119,7 +120,7 @@ class GetMessageFlowSource extends MethodAccess {
   }
 }
 
-class GetMessageFlowSourceToXssSinkFlowConfig extends TaintTracking::Configuration2 {
+class GetMessageFlowSourceToXssSinkFlowConfig extends TaintTracking2::Configuration {
   GetMessageFlowSourceToXssSinkFlowConfig() {
     this = "StackTraceExposure::GetMessageFlowSourceToXssSinkFlowConfig"
   }
diff --git a/java/ql/src/Security/CWE/CWE-611/XXE.ql b/java/ql/src/Security/CWE/CWE-611/XXE.ql
index 35764f88bc8a..b572beb4d042 100644
--- a/java/ql/src/Security/CWE/CWE-611/XXE.ql
+++ b/java/ql/src/Security/CWE/CWE-611/XXE.ql
@@ -13,9 +13,10 @@
 import java
 import XmlParsers
 import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.dataflow.TaintTracking2
 import DataFlow::PathGraph
 
-class SafeSAXSourceFlowConfig extends TaintTracking::Configuration2 {
+class SafeSAXSourceFlowConfig extends TaintTracking2::Configuration {
   SafeSAXSourceFlowConfig() { this = "XmlParsers::SafeSAXSourceFlowConfig" }
 
   override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SafeSAXSource }

From f1e6e36ce6fd4ed2fff2900eea2499d1caa8594a Mon Sep 17 00:00:00 2001
From: Jonas Jensen <jonas@semmle.com>
Date: Tue, 20 Aug 2019 12:58:25 +0200
Subject: [PATCH 6/9] Java: Remove wrong definition of taint tracking

This explanation, taken from C/C++, was not correct for Java.
---
 java/ql/src/semmle/code/java/dataflow/TaintTracking.qll  | 5 -----
 java/ql/src/semmle/code/java/dataflow/TaintTracking2.qll | 5 -----
 2 files changed, 10 deletions(-)

diff --git a/java/ql/src/semmle/code/java/dataflow/TaintTracking.qll b/java/ql/src/semmle/code/java/dataflow/TaintTracking.qll
index 8dd3e12735a3..fa8564f182f5 100644
--- a/java/ql/src/semmle/code/java/dataflow/TaintTracking.qll
+++ b/java/ql/src/semmle/code/java/dataflow/TaintTracking.qll
@@ -1,11 +1,6 @@
 /**
  * Provides classes for performing local (intra-procedural) and
  * global (inter-procedural) taint-tracking analyses.
- *
- * We define _taint propagation_ informally to mean that a substantial part of
- * the information from the source is preserved at the sink. For example, taint
- * propagates from `x` to `x + 100`, but it does not propagate from `x` to `x >
- * 100` since we consider a single bit of information to be too little.
  */
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.DataFlow2
diff --git a/java/ql/src/semmle/code/java/dataflow/TaintTracking2.qll b/java/ql/src/semmle/code/java/dataflow/TaintTracking2.qll
index 9042e9c011bf..abd909dba2bd 100644
--- a/java/ql/src/semmle/code/java/dataflow/TaintTracking2.qll
+++ b/java/ql/src/semmle/code/java/dataflow/TaintTracking2.qll
@@ -1,11 +1,6 @@
 /**
  * Provides classes for performing local (intra-procedural) and
  * global (inter-procedural) taint-tracking analyses.
- *
- * We define _taint propagation_ informally to mean that a substantial part of
- * the information from the source is preserved at the sink. For example, taint
- * propagates from `x` to `x + 100`, but it does not propagate from `x` to `x >
- * 100` since we consider a single bit of information to be too little.
  */
 module TaintTracking2 {
   import semmle.code.java.dataflow.internal.tainttracking2.TaintTrackingImpl

From 11583b69e03b4c4ca33c09e9f626622b6f0450a6 Mon Sep 17 00:00:00 2001
From: Jonas Jensen <jonas@semmle.com>
Date: Tue, 20 Aug 2019 13:36:00 +0200
Subject: [PATCH 7/9] C#: Use pyrameterized modules for TaintTracking

To keep the code changes minimal, and to keep the implementation similar
to C++ and Java, the `TaintTracking{Public,Private}` files are now
imported together through `TaintTrackingUtil`. This has the side effect
of exposing `localAdditionalTaintStep`. The corresponding predicate for
Java was already exposed.
---
 config/identical-files.json                   |  7 ++
 .../code/csharp/dataflow/TaintTracking.qll    | 67 +------------------
 .../code/csharp/dataflow/TaintTracking2.qll   | 67 +------------------
 .../code/csharp/dataflow/TaintTracking3.qll   | 67 +------------------
 .../code/csharp/dataflow/TaintTracking4.qll   | 67 +------------------
 .../code/csharp/dataflow/TaintTracking5.qll   | 67 +------------------
 .../internal/TaintTrackingPrivate.qll         |  2 +-
 .../dataflow/internal/TaintTrackingPublic.qll |  2 +-
 .../dataflow/internal/TaintTrackingUtil.qll   |  2 +
 .../tainttracking1/TaintTrackingImpl.qll      | 65 ++++++++++++++++++
 .../tainttracking1/TaintTrackingParameter.qll |  5 ++
 .../tainttracking2/TaintTrackingImpl.qll      | 65 ++++++++++++++++++
 .../tainttracking2/TaintTrackingParameter.qll |  5 ++
 .../tainttracking3/TaintTrackingImpl.qll      | 65 ++++++++++++++++++
 .../tainttracking3/TaintTrackingParameter.qll |  5 ++
 .../tainttracking4/TaintTrackingImpl.qll      | 65 ++++++++++++++++++
 .../tainttracking4/TaintTrackingParameter.qll |  5 ++
 .../tainttracking5/TaintTrackingImpl.qll      | 65 ++++++++++++++++++
 .../tainttracking5/TaintTrackingParameter.qll |  5 ++
 .../cil/dataflow/TaintTracking.ql             |  7 ++
 20 files changed, 373 insertions(+), 332 deletions(-)
 create mode 100644 csharp/ql/src/semmle/code/csharp/dataflow/internal/TaintTrackingUtil.qll
 create mode 100644 csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll
 create mode 100644 csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking1/TaintTrackingParameter.qll
 create mode 100644 csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll
 create mode 100644 csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking2/TaintTrackingParameter.qll
 create mode 100644 csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking3/TaintTrackingImpl.qll
 create mode 100644 csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking3/TaintTrackingParameter.qll
 create mode 100644 csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking4/TaintTrackingImpl.qll
 create mode 100644 csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking4/TaintTrackingParameter.qll
 create mode 100644 csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking5/TaintTrackingImpl.qll
 create mode 100644 csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking5/TaintTrackingParameter.qll

diff --git a/config/identical-files.json b/config/identical-files.json
index 5e28ac94a9bd..0f5bd3aafb21 100644
--- a/config/identical-files.json
+++ b/config/identical-files.json
@@ -29,6 +29,13 @@
     "cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
     "cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll"
   ],
+  "Taint tracking C#": [
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking3/TaintTrackingImpl.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking4/TaintTrackingImpl.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking5/TaintTrackingImpl.qll"
+  ],
   "Taint tracking Java": [
     "java/ql/src/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
     "java/ql/src/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingImpl.qll"
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/TaintTracking.qll b/csharp/ql/src/semmle/code/csharp/dataflow/TaintTracking.qll
index e5cf80e764cf..97f5073cab0d 100755
--- a/csharp/ql/src/semmle/code/csharp/dataflow/TaintTracking.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/TaintTracking.qll
@@ -6,70 +6,5 @@
 import csharp
 
 module TaintTracking {
-  private import semmle.code.csharp.dataflow.DataFlow
-  private import semmle.code.csharp.dataflow.internal.TaintTrackingPrivate
-  import semmle.code.csharp.dataflow.internal.TaintTrackingPublic
-
-  /**
-   * A taint tracking configuration.
-   *
-   * A taint tracking configuration is a special dataflow configuration
-   * (`DataFlow::Configuration`) that allows for flow through nodes that do not
-   * necessarily preserve values, but are still relevant from a taint tracking
-   * perspective. (For example, string concatenation, where one of the operands
-   * is tainted.)
-   *
-   * Each use of the taint tracking library must define its own unique extension
-   * of this abstract class. A configuration defines a set of relevant sources
-   * (`isSource`) and sinks (`isSink`), and may additionally treat intermediate
-   * nodes as "sanitizers" (`isSanitizer`) as well as add custom taint flow steps
-   * (`isAdditionalTaintStep()`).
-   */
-  abstract class Configuration extends DataFlow::Configuration {
-    bindingset[this]
-    Configuration() { any() }
-
-    /**
-     * Holds if `source` is a relevant taint source.
-     *
-     * The smaller this predicate is, the faster `hasFlow()` will converge.
-     */
-    // overridden to provide taint-tracking specific qldoc
-    abstract override predicate isSource(DataFlow::Node source);
-
-    /**
-     * Holds if `sink` is a relevant taint sink.
-     *
-     * The smaller this predicate is, the faster `hasFlow()` will converge.
-     */
-    // overridden to provide taint-tracking specific qldoc
-    abstract override predicate isSink(DataFlow::Node sink);
-
-    /** Holds if the intermediate node `node` is a taint sanitizer. */
-    predicate isSanitizer(DataFlow::Node node) { none() }
-
-    final override predicate isBarrier(DataFlow::Node node) { isSanitizer(node) }
-
-    /**
-     * Holds if the additional taint propagation step from `pred` to `succ`
-     * must be taken into account in the analysis.
-     */
-    predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) { none() }
-
-    final override predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
-      isAdditionalTaintStep(pred, succ)
-      or
-      localAdditionalTaintStep(pred, succ)
-      or
-      succ = pred.(DataFlow::NonLocalJumpNode).getAJumpSuccessor(false)
-    }
-
-    /**
-     * Holds if taint may flow from `source` to `sink` for this configuration.
-     */
-    // overridden to provide taint-tracking specific qldoc
-    override predicate hasFlow(DataFlow::Node source, DataFlow::Node sink) {
-      super.hasFlow(source, sink)
-    }
-  }
+  import semmle.code.csharp.dataflow.internal.tainttracking1.TaintTrackingImpl
 }
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/TaintTracking2.qll b/csharp/ql/src/semmle/code/csharp/dataflow/TaintTracking2.qll
index 37a843e6df63..9ee798ed9fd5 100755
--- a/csharp/ql/src/semmle/code/csharp/dataflow/TaintTracking2.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/TaintTracking2.qll
@@ -6,70 +6,5 @@
 import csharp
 
 module TaintTracking2 {
-  private import semmle.code.csharp.dataflow.DataFlow2
-  private import semmle.code.csharp.dataflow.internal.TaintTrackingPrivate
-  import semmle.code.csharp.dataflow.internal.TaintTrackingPublic
-
-  /**
-   * A taint tracking configuration.
-   *
-   * A taint tracking configuration is a special dataflow configuration
-   * (`DataFlow::Configuration`) that allows for flow through nodes that do not
-   * necessarily preserve values, but are still relevant from a taint tracking
-   * perspective. (For example, string concatenation, where one of the operands
-   * is tainted.)
-   *
-   * Each use of the taint tracking library must define its own unique extension
-   * of this abstract class. A configuration defines a set of relevant sources
-   * (`isSource`) and sinks (`isSink`), and may additionally treat intermediate
-   * nodes as "sanitizers" (`isSanitizer`) as well as add custom taint flow steps
-   * (`isAdditionalTaintStep()`).
-   */
-  abstract class Configuration extends DataFlow2::Configuration {
-    bindingset[this]
-    Configuration() { any() }
-
-    /**
-     * Holds if `source` is a relevant taint source.
-     *
-     * The smaller this predicate is, the faster `hasFlow()` will converge.
-     */
-    // overridden to provide taint-tracking specific qldoc
-    abstract override predicate isSource(DataFlow::Node source);
-
-    /**
-     * Holds if `sink` is a relevant taint sink.
-     *
-     * The smaller this predicate is, the faster `hasFlow()` will converge.
-     */
-    // overridden to provide taint-tracking specific qldoc
-    abstract override predicate isSink(DataFlow::Node sink);
-
-    /** Holds if the intermediate node `node` is a taint sanitizer. */
-    predicate isSanitizer(DataFlow::Node node) { none() }
-
-    final override predicate isBarrier(DataFlow::Node node) { isSanitizer(node) }
-
-    /**
-     * Holds if the additional taint propagation step from `pred` to `succ`
-     * must be taken into account in the analysis.
-     */
-    predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) { none() }
-
-    final override predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
-      isAdditionalTaintStep(pred, succ)
-      or
-      localAdditionalTaintStep(pred, succ)
-      or
-      succ = pred.(DataFlow::NonLocalJumpNode).getAJumpSuccessor(false)
-    }
-
-    /**
-     * Holds if taint may flow from `source` to `sink` for this configuration.
-     */
-    // overridden to provide taint-tracking specific qldoc
-    override predicate hasFlow(DataFlow::Node source, DataFlow::Node sink) {
-      super.hasFlow(source, sink)
-    }
-  }
+  import semmle.code.csharp.dataflow.internal.tainttracking2.TaintTrackingImpl
 }
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/TaintTracking3.qll b/csharp/ql/src/semmle/code/csharp/dataflow/TaintTracking3.qll
index 3e507e6b8d2f..476d7bf7dd77 100755
--- a/csharp/ql/src/semmle/code/csharp/dataflow/TaintTracking3.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/TaintTracking3.qll
@@ -6,70 +6,5 @@
 import csharp
 
 module TaintTracking3 {
-  private import semmle.code.csharp.dataflow.DataFlow3
-  private import semmle.code.csharp.dataflow.internal.TaintTrackingPrivate
-  import semmle.code.csharp.dataflow.internal.TaintTrackingPublic
-
-  /**
-   * A taint tracking configuration.
-   *
-   * A taint tracking configuration is a special dataflow configuration
-   * (`DataFlow::Configuration`) that allows for flow through nodes that do not
-   * necessarily preserve values, but are still relevant from a taint tracking
-   * perspective. (For example, string concatenation, where one of the operands
-   * is tainted.)
-   *
-   * Each use of the taint tracking library must define its own unique extension
-   * of this abstract class. A configuration defines a set of relevant sources
-   * (`isSource`) and sinks (`isSink`), and may additionally treat intermediate
-   * nodes as "sanitizers" (`isSanitizer`) as well as add custom taint flow steps
-   * (`isAdditionalTaintStep()`).
-   */
-  abstract class Configuration extends DataFlow3::Configuration {
-    bindingset[this]
-    Configuration() { any() }
-
-    /**
-     * Holds if `source` is a relevant taint source.
-     *
-     * The smaller this predicate is, the faster `hasFlow()` will converge.
-     */
-    // overridden to provide taint-tracking specific qldoc
-    abstract override predicate isSource(DataFlow::Node source);
-
-    /**
-     * Holds if `sink` is a relevant taint sink.
-     *
-     * The smaller this predicate is, the faster `hasFlow()` will converge.
-     */
-    // overridden to provide taint-tracking specific qldoc
-    abstract override predicate isSink(DataFlow::Node sink);
-
-    /** Holds if the intermediate node `node` is a taint sanitizer. */
-    predicate isSanitizer(DataFlow::Node node) { none() }
-
-    final override predicate isBarrier(DataFlow::Node node) { isSanitizer(node) }
-
-    /**
-     * Holds if the additional taint propagation step from `pred` to `succ`
-     * must be taken into account in the analysis.
-     */
-    predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) { none() }
-
-    final override predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
-      isAdditionalTaintStep(pred, succ)
-      or
-      localAdditionalTaintStep(pred, succ)
-      or
-      succ = pred.(DataFlow::NonLocalJumpNode).getAJumpSuccessor(false)
-    }
-
-    /**
-     * Holds if taint may flow from `source` to `sink` for this configuration.
-     */
-    // overridden to provide taint-tracking specific qldoc
-    override predicate hasFlow(DataFlow::Node source, DataFlow::Node sink) {
-      super.hasFlow(source, sink)
-    }
-  }
+  import semmle.code.csharp.dataflow.internal.tainttracking3.TaintTrackingImpl
 }
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/TaintTracking4.qll b/csharp/ql/src/semmle/code/csharp/dataflow/TaintTracking4.qll
index 8aef491d8c00..45b8f12be5cf 100755
--- a/csharp/ql/src/semmle/code/csharp/dataflow/TaintTracking4.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/TaintTracking4.qll
@@ -6,70 +6,5 @@
 import csharp
 
 module TaintTracking4 {
-  private import semmle.code.csharp.dataflow.DataFlow4
-  private import semmle.code.csharp.dataflow.internal.TaintTrackingPrivate
-  import semmle.code.csharp.dataflow.internal.TaintTrackingPublic
-
-  /**
-   * A taint tracking configuration.
-   *
-   * A taint tracking configuration is a special dataflow configuration
-   * (`DataFlow::Configuration`) that allows for flow through nodes that do not
-   * necessarily preserve values, but are still relevant from a taint tracking
-   * perspective. (For example, string concatenation, where one of the operands
-   * is tainted.)
-   *
-   * Each use of the taint tracking library must define its own unique extension
-   * of this abstract class. A configuration defines a set of relevant sources
-   * (`isSource`) and sinks (`isSink`), and may additionally treat intermediate
-   * nodes as "sanitizers" (`isSanitizer`) as well as add custom taint flow steps
-   * (`isAdditionalTaintStep()`).
-   */
-  abstract class Configuration extends DataFlow4::Configuration {
-    bindingset[this]
-    Configuration() { any() }
-
-    /**
-     * Holds if `source` is a relevant taint source.
-     *
-     * The smaller this predicate is, the faster `hasFlow()` will converge.
-     */
-    // overridden to provide taint-tracking specific qldoc
-    abstract override predicate isSource(DataFlow::Node source);
-
-    /**
-     * Holds if `sink` is a relevant taint sink.
-     *
-     * The smaller this predicate is, the faster `hasFlow()` will converge.
-     */
-    // overridden to provide taint-tracking specific qldoc
-    abstract override predicate isSink(DataFlow::Node sink);
-
-    /** Holds if the intermediate node `node` is a taint sanitizer. */
-    predicate isSanitizer(DataFlow::Node node) { none() }
-
-    final override predicate isBarrier(DataFlow::Node node) { isSanitizer(node) }
-
-    /**
-     * Holds if the additional taint propagation step from `pred` to `succ`
-     * must be taken into account in the analysis.
-     */
-    predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) { none() }
-
-    final override predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
-      isAdditionalTaintStep(pred, succ)
-      or
-      localAdditionalTaintStep(pred, succ)
-      or
-      succ = pred.(DataFlow::NonLocalJumpNode).getAJumpSuccessor(false)
-    }
-
-    /**
-     * Holds if taint may flow from `source` to `sink` for this configuration.
-     */
-    // overridden to provide taint-tracking specific qldoc
-    override predicate hasFlow(DataFlow::Node source, DataFlow::Node sink) {
-      super.hasFlow(source, sink)
-    }
-  }
+  import semmle.code.csharp.dataflow.internal.tainttracking4.TaintTrackingImpl
 }
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/TaintTracking5.qll b/csharp/ql/src/semmle/code/csharp/dataflow/TaintTracking5.qll
index 1a1bd4138b76..7a75ce532bcb 100755
--- a/csharp/ql/src/semmle/code/csharp/dataflow/TaintTracking5.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/TaintTracking5.qll
@@ -6,70 +6,5 @@
 import csharp
 
 module TaintTracking5 {
-  private import semmle.code.csharp.dataflow.DataFlow5
-  private import semmle.code.csharp.dataflow.internal.TaintTrackingPrivate
-  import semmle.code.csharp.dataflow.internal.TaintTrackingPublic
-
-  /**
-   * A taint tracking configuration.
-   *
-   * A taint tracking configuration is a special dataflow configuration
-   * (`DataFlow::Configuration`) that allows for flow through nodes that do not
-   * necessarily preserve values, but are still relevant from a taint tracking
-   * perspective. (For example, string concatenation, where one of the operands
-   * is tainted.)
-   *
-   * Each use of the taint tracking library must define its own unique extension
-   * of this abstract class. A configuration defines a set of relevant sources
-   * (`isSource`) and sinks (`isSink`), and may additionally treat intermediate
-   * nodes as "sanitizers" (`isSanitizer`) as well as add custom taint flow steps
-   * (`isAdditionalTaintStep()`).
-   */
-  abstract class Configuration extends DataFlow5::Configuration {
-    bindingset[this]
-    Configuration() { any() }
-
-    /**
-     * Holds if `source` is a relevant taint source.
-     *
-     * The smaller this predicate is, the faster `hasFlow()` will converge.
-     */
-    // overridden to provide taint-tracking specific qldoc
-    abstract override predicate isSource(DataFlow::Node source);
-
-    /**
-     * Holds if `sink` is a relevant taint sink.
-     *
-     * The smaller this predicate is, the faster `hasFlow()` will converge.
-     */
-    // overridden to provide taint-tracking specific qldoc
-    abstract override predicate isSink(DataFlow::Node sink);
-
-    /** Holds if the intermediate node `node` is a taint sanitizer. */
-    predicate isSanitizer(DataFlow::Node node) { none() }
-
-    final override predicate isBarrier(DataFlow::Node node) { isSanitizer(node) }
-
-    /**
-     * Holds if the additional taint propagation step from `pred` to `succ`
-     * must be taken into account in the analysis.
-     */
-    predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) { none() }
-
-    final override predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
-      isAdditionalTaintStep(pred, succ)
-      or
-      localAdditionalTaintStep(pred, succ)
-      or
-      succ = pred.(DataFlow::NonLocalJumpNode).getAJumpSuccessor(false)
-    }
-
-    /**
-     * Holds if taint may flow from `source` to `sink` for this configuration.
-     */
-    // overridden to provide taint-tracking specific qldoc
-    override predicate hasFlow(DataFlow::Node source, DataFlow::Node sink) {
-      super.hasFlow(source, sink)
-    }
-  }
+  import semmle.code.csharp.dataflow.internal.tainttracking5.TaintTrackingImpl
 }
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/TaintTrackingPrivate.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/TaintTrackingPrivate.qll
index 7f67b2d2f9fb..36053eeccd61 100755
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/TaintTrackingPrivate.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/TaintTrackingPrivate.qll
@@ -1,4 +1,4 @@
-import csharp
+private import csharp
 private import TaintTrackingPublic
 private import semmle.code.csharp.dataflow.internal.DataFlowImplCommon
 private import semmle.code.csharp.dataflow.internal.DataFlowPrivate
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/TaintTrackingPublic.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/TaintTrackingPublic.qll
index 650a96823ab8..165172be2a6a 100755
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/TaintTrackingPublic.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/TaintTrackingPublic.qll
@@ -1,4 +1,4 @@
-import csharp
+private import csharp
 private import TaintTrackingPrivate
 
 /**
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/TaintTrackingUtil.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/TaintTrackingUtil.qll
new file mode 100644
index 000000000000..05d61e62d331
--- /dev/null
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/TaintTrackingUtil.qll
@@ -0,0 +1,2 @@
+import TaintTrackingPrivate
+import TaintTrackingPublic
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll
new file mode 100644
index 000000000000..6bb1e17558db
--- /dev/null
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll
@@ -0,0 +1,65 @@
+import TaintTrackingParameter::Public
+private import TaintTrackingParameter::Private
+
+/**
+ * A taint tracking configuration.
+ *
+ * A taint tracking configuration is a special dataflow configuration
+ * (`DataFlow::Configuration`) that allows for flow through nodes that do not
+ * necessarily preserve values, but are still relevant from a taint tracking
+ * perspective. (For example, string concatenation, where one of the operands
+ * is tainted.)
+ *
+ * Each use of the taint tracking library must define its own unique extension
+ * of this abstract class. A configuration defines a set of relevant sources
+ * (`isSource`) and sinks (`isSink`), and may additionally treat intermediate
+ * nodes as "sanitizers" (`isSanitizer`) as well as add custom taint flow steps
+ * (`isAdditionalTaintStep()`).
+ */
+abstract class Configuration extends DataFlow::Configuration {
+  bindingset[this]
+  Configuration() { any() }
+
+  /**
+   * Holds if `source` is a relevant taint source.
+   *
+   * The smaller this predicate is, the faster `hasFlow()` will converge.
+   */
+  // overridden to provide taint-tracking specific qldoc
+  abstract override predicate isSource(DataFlow::Node source);
+
+  /**
+   * Holds if `sink` is a relevant taint sink.
+   *
+   * The smaller this predicate is, the faster `hasFlow()` will converge.
+   */
+  // overridden to provide taint-tracking specific qldoc
+  abstract override predicate isSink(DataFlow::Node sink);
+
+  /** Holds if the intermediate node `node` is a taint sanitizer. */
+  predicate isSanitizer(DataFlow::Node node) { none() }
+
+  final override predicate isBarrier(DataFlow::Node node) { isSanitizer(node) }
+
+  /**
+   * Holds if the additional taint propagation step from `pred` to `succ`
+   * must be taken into account in the analysis.
+   */
+  predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) { none() }
+
+  final override predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
+    isAdditionalTaintStep(pred, succ)
+    or
+    localAdditionalTaintStep(pred, succ)
+    or
+    succ = pred.(DataFlow::NonLocalJumpNode).getAJumpSuccessor(false)
+  }
+
+  /**
+   * Holds if taint may flow from `source` to `sink` for this configuration.
+   */
+  // overridden to provide taint-tracking specific qldoc
+  override predicate hasFlow(DataFlow::Node source, DataFlow::Node sink) {
+    super.hasFlow(source, sink)
+  }
+}
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking1/TaintTrackingParameter.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking1/TaintTrackingParameter.qll
new file mode 100644
index 000000000000..835fbee4a942
--- /dev/null
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking1/TaintTrackingParameter.qll
@@ -0,0 +1,5 @@
+import semmle.code.csharp.dataflow.internal.TaintTrackingUtil as Public
+
+module Private {
+  import semmle.code.csharp.dataflow.DataFlow::DataFlow as DataFlow
+}
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll
new file mode 100644
index 000000000000..6bb1e17558db
--- /dev/null
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll
@@ -0,0 +1,65 @@
+import TaintTrackingParameter::Public
+private import TaintTrackingParameter::Private
+
+/**
+ * A taint tracking configuration.
+ *
+ * A taint tracking configuration is a special dataflow configuration
+ * (`DataFlow::Configuration`) that allows for flow through nodes that do not
+ * necessarily preserve values, but are still relevant from a taint tracking
+ * perspective. (For example, string concatenation, where one of the operands
+ * is tainted.)
+ *
+ * Each use of the taint tracking library must define its own unique extension
+ * of this abstract class. A configuration defines a set of relevant sources
+ * (`isSource`) and sinks (`isSink`), and may additionally treat intermediate
+ * nodes as "sanitizers" (`isSanitizer`) as well as add custom taint flow steps
+ * (`isAdditionalTaintStep()`).
+ */
+abstract class Configuration extends DataFlow::Configuration {
+  bindingset[this]
+  Configuration() { any() }
+
+  /**
+   * Holds if `source` is a relevant taint source.
+   *
+   * The smaller this predicate is, the faster `hasFlow()` will converge.
+   */
+  // overridden to provide taint-tracking specific qldoc
+  abstract override predicate isSource(DataFlow::Node source);
+
+  /**
+   * Holds if `sink` is a relevant taint sink.
+   *
+   * The smaller this predicate is, the faster `hasFlow()` will converge.
+   */
+  // overridden to provide taint-tracking specific qldoc
+  abstract override predicate isSink(DataFlow::Node sink);
+
+  /** Holds if the intermediate node `node` is a taint sanitizer. */
+  predicate isSanitizer(DataFlow::Node node) { none() }
+
+  final override predicate isBarrier(DataFlow::Node node) { isSanitizer(node) }
+
+  /**
+   * Holds if the additional taint propagation step from `pred` to `succ`
+   * must be taken into account in the analysis.
+   */
+  predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) { none() }
+
+  final override predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
+    isAdditionalTaintStep(pred, succ)
+    or
+    localAdditionalTaintStep(pred, succ)
+    or
+    succ = pred.(DataFlow::NonLocalJumpNode).getAJumpSuccessor(false)
+  }
+
+  /**
+   * Holds if taint may flow from `source` to `sink` for this configuration.
+   */
+  // overridden to provide taint-tracking specific qldoc
+  override predicate hasFlow(DataFlow::Node source, DataFlow::Node sink) {
+    super.hasFlow(source, sink)
+  }
+}
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking2/TaintTrackingParameter.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking2/TaintTrackingParameter.qll
new file mode 100644
index 000000000000..5f6fe4cf2041
--- /dev/null
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking2/TaintTrackingParameter.qll
@@ -0,0 +1,5 @@
+import semmle.code.csharp.dataflow.internal.TaintTrackingUtil as Public
+
+module Private {
+  import semmle.code.csharp.dataflow.DataFlow2::DataFlow2 as DataFlow
+}
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking3/TaintTrackingImpl.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking3/TaintTrackingImpl.qll
new file mode 100644
index 000000000000..6bb1e17558db
--- /dev/null
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking3/TaintTrackingImpl.qll
@@ -0,0 +1,65 @@
+import TaintTrackingParameter::Public
+private import TaintTrackingParameter::Private
+
+/**
+ * A taint tracking configuration.
+ *
+ * A taint tracking configuration is a special dataflow configuration
+ * (`DataFlow::Configuration`) that allows for flow through nodes that do not
+ * necessarily preserve values, but are still relevant from a taint tracking
+ * perspective. (For example, string concatenation, where one of the operands
+ * is tainted.)
+ *
+ * Each use of the taint tracking library must define its own unique extension
+ * of this abstract class. A configuration defines a set of relevant sources
+ * (`isSource`) and sinks (`isSink`), and may additionally treat intermediate
+ * nodes as "sanitizers" (`isSanitizer`) as well as add custom taint flow steps
+ * (`isAdditionalTaintStep()`).
+ */
+abstract class Configuration extends DataFlow::Configuration {
+  bindingset[this]
+  Configuration() { any() }
+
+  /**
+   * Holds if `source` is a relevant taint source.
+   *
+   * The smaller this predicate is, the faster `hasFlow()` will converge.
+   */
+  // overridden to provide taint-tracking specific qldoc
+  abstract override predicate isSource(DataFlow::Node source);
+
+  /**
+   * Holds if `sink` is a relevant taint sink.
+   *
+   * The smaller this predicate is, the faster `hasFlow()` will converge.
+   */
+  // overridden to provide taint-tracking specific qldoc
+  abstract override predicate isSink(DataFlow::Node sink);
+
+  /** Holds if the intermediate node `node` is a taint sanitizer. */
+  predicate isSanitizer(DataFlow::Node node) { none() }
+
+  final override predicate isBarrier(DataFlow::Node node) { isSanitizer(node) }
+
+  /**
+   * Holds if the additional taint propagation step from `pred` to `succ`
+   * must be taken into account in the analysis.
+   */
+  predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) { none() }
+
+  final override predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
+    isAdditionalTaintStep(pred, succ)
+    or
+    localAdditionalTaintStep(pred, succ)
+    or
+    succ = pred.(DataFlow::NonLocalJumpNode).getAJumpSuccessor(false)
+  }
+
+  /**
+   * Holds if taint may flow from `source` to `sink` for this configuration.
+   */
+  // overridden to provide taint-tracking specific qldoc
+  override predicate hasFlow(DataFlow::Node source, DataFlow::Node sink) {
+    super.hasFlow(source, sink)
+  }
+}
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking3/TaintTrackingParameter.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking3/TaintTrackingParameter.qll
new file mode 100644
index 000000000000..5a7f26adc24f
--- /dev/null
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking3/TaintTrackingParameter.qll
@@ -0,0 +1,5 @@
+import semmle.code.csharp.dataflow.internal.TaintTrackingUtil as Public
+
+module Private {
+  import semmle.code.csharp.dataflow.DataFlow3::DataFlow3 as DataFlow
+}
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking4/TaintTrackingImpl.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking4/TaintTrackingImpl.qll
new file mode 100644
index 000000000000..6bb1e17558db
--- /dev/null
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking4/TaintTrackingImpl.qll
@@ -0,0 +1,65 @@
+import TaintTrackingParameter::Public
+private import TaintTrackingParameter::Private
+
+/**
+ * A taint tracking configuration.
+ *
+ * A taint tracking configuration is a special dataflow configuration
+ * (`DataFlow::Configuration`) that allows for flow through nodes that do not
+ * necessarily preserve values, but are still relevant from a taint tracking
+ * perspective. (For example, string concatenation, where one of the operands
+ * is tainted.)
+ *
+ * Each use of the taint tracking library must define its own unique extension
+ * of this abstract class. A configuration defines a set of relevant sources
+ * (`isSource`) and sinks (`isSink`), and may additionally treat intermediate
+ * nodes as "sanitizers" (`isSanitizer`) as well as add custom taint flow steps
+ * (`isAdditionalTaintStep()`).
+ */
+abstract class Configuration extends DataFlow::Configuration {
+  bindingset[this]
+  Configuration() { any() }
+
+  /**
+   * Holds if `source` is a relevant taint source.
+   *
+   * The smaller this predicate is, the faster `hasFlow()` will converge.
+   */
+  // overridden to provide taint-tracking specific qldoc
+  abstract override predicate isSource(DataFlow::Node source);
+
+  /**
+   * Holds if `sink` is a relevant taint sink.
+   *
+   * The smaller this predicate is, the faster `hasFlow()` will converge.
+   */
+  // overridden to provide taint-tracking specific qldoc
+  abstract override predicate isSink(DataFlow::Node sink);
+
+  /** Holds if the intermediate node `node` is a taint sanitizer. */
+  predicate isSanitizer(DataFlow::Node node) { none() }
+
+  final override predicate isBarrier(DataFlow::Node node) { isSanitizer(node) }
+
+  /**
+   * Holds if the additional taint propagation step from `pred` to `succ`
+   * must be taken into account in the analysis.
+   */
+  predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) { none() }
+
+  final override predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
+    isAdditionalTaintStep(pred, succ)
+    or
+    localAdditionalTaintStep(pred, succ)
+    or
+    succ = pred.(DataFlow::NonLocalJumpNode).getAJumpSuccessor(false)
+  }
+
+  /**
+   * Holds if taint may flow from `source` to `sink` for this configuration.
+   */
+  // overridden to provide taint-tracking specific qldoc
+  override predicate hasFlow(DataFlow::Node source, DataFlow::Node sink) {
+    super.hasFlow(source, sink)
+  }
+}
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking4/TaintTrackingParameter.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking4/TaintTrackingParameter.qll
new file mode 100644
index 000000000000..d53b9b762122
--- /dev/null
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking4/TaintTrackingParameter.qll
@@ -0,0 +1,5 @@
+import semmle.code.csharp.dataflow.internal.TaintTrackingUtil as Public
+
+module Private {
+  import semmle.code.csharp.dataflow.DataFlow4::DataFlow4 as DataFlow
+}
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking5/TaintTrackingImpl.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking5/TaintTrackingImpl.qll
new file mode 100644
index 000000000000..6bb1e17558db
--- /dev/null
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking5/TaintTrackingImpl.qll
@@ -0,0 +1,65 @@
+import TaintTrackingParameter::Public
+private import TaintTrackingParameter::Private
+
+/**
+ * A taint tracking configuration.
+ *
+ * A taint tracking configuration is a special dataflow configuration
+ * (`DataFlow::Configuration`) that allows for flow through nodes that do not
+ * necessarily preserve values, but are still relevant from a taint tracking
+ * perspective. (For example, string concatenation, where one of the operands
+ * is tainted.)
+ *
+ * Each use of the taint tracking library must define its own unique extension
+ * of this abstract class. A configuration defines a set of relevant sources
+ * (`isSource`) and sinks (`isSink`), and may additionally treat intermediate
+ * nodes as "sanitizers" (`isSanitizer`) as well as add custom taint flow steps
+ * (`isAdditionalTaintStep()`).
+ */
+abstract class Configuration extends DataFlow::Configuration {
+  bindingset[this]
+  Configuration() { any() }
+
+  /**
+   * Holds if `source` is a relevant taint source.
+   *
+   * The smaller this predicate is, the faster `hasFlow()` will converge.
+   */
+  // overridden to provide taint-tracking specific qldoc
+  abstract override predicate isSource(DataFlow::Node source);
+
+  /**
+   * Holds if `sink` is a relevant taint sink.
+   *
+   * The smaller this predicate is, the faster `hasFlow()` will converge.
+   */
+  // overridden to provide taint-tracking specific qldoc
+  abstract override predicate isSink(DataFlow::Node sink);
+
+  /** Holds if the intermediate node `node` is a taint sanitizer. */
+  predicate isSanitizer(DataFlow::Node node) { none() }
+
+  final override predicate isBarrier(DataFlow::Node node) { isSanitizer(node) }
+
+  /**
+   * Holds if the additional taint propagation step from `pred` to `succ`
+   * must be taken into account in the analysis.
+   */
+  predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) { none() }
+
+  final override predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
+    isAdditionalTaintStep(pred, succ)
+    or
+    localAdditionalTaintStep(pred, succ)
+    or
+    succ = pred.(DataFlow::NonLocalJumpNode).getAJumpSuccessor(false)
+  }
+
+  /**
+   * Holds if taint may flow from `source` to `sink` for this configuration.
+   */
+  // overridden to provide taint-tracking specific qldoc
+  override predicate hasFlow(DataFlow::Node source, DataFlow::Node sink) {
+    super.hasFlow(source, sink)
+  }
+}
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking5/TaintTrackingParameter.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking5/TaintTrackingParameter.qll
new file mode 100644
index 000000000000..4a5a4787e4ee
--- /dev/null
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking5/TaintTrackingParameter.qll
@@ -0,0 +1,5 @@
+import semmle.code.csharp.dataflow.internal.TaintTrackingUtil as Public
+
+module Private {
+  import semmle.code.csharp.dataflow.DataFlow5::DataFlow5 as DataFlow
+}
diff --git a/csharp/ql/test/library-tests/cil/dataflow/TaintTracking.ql b/csharp/ql/test/library-tests/cil/dataflow/TaintTracking.ql
index d0dbafc06589..98427634868d 100644
--- a/csharp/ql/test/library-tests/cil/dataflow/TaintTracking.ql
+++ b/csharp/ql/test/library-tests/cil/dataflow/TaintTracking.ql
@@ -1,6 +1,13 @@
 import csharp
 import semmle.code.csharp.dataflow.TaintTracking
 
+// Test that all the copies of the taint tracking library can be imported
+// simultaneously without errors.
+import semmle.code.csharp.dataflow.TaintTracking2
+import semmle.code.csharp.dataflow.TaintTracking3
+import semmle.code.csharp.dataflow.TaintTracking4
+import semmle.code.csharp.dataflow.TaintTracking5
+
 class FlowConfig extends TaintTracking::Configuration {
   FlowConfig() { this = "FlowConfig" }
 

From bc702debf99f405f197a99a92b60ac227470fb6c Mon Sep 17 00:00:00 2001
From: Jonas Jensen <jonas@semmle.com>
Date: Tue, 20 Aug 2019 13:43:25 +0200
Subject: [PATCH 8/9] C++/Java: Change notes for Configuration2 rename

---
 change-notes/1.22/analysis-cpp.md  | 1 +
 change-notes/1.22/analysis-java.md | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/change-notes/1.22/analysis-cpp.md b/change-notes/1.22/analysis-cpp.md
index b394935a15f0..75548c0290bb 100644
--- a/change-notes/1.22/analysis-cpp.md
+++ b/change-notes/1.22/analysis-cpp.md
@@ -25,6 +25,7 @@
 - The predicate `Variable.getAnAssignedValue()` now reports assignments to fields resulting from aggregate initialization (` = {...}`).
 - The predicate `TypeMention.toString()` has been simplified to always return the string "`type mention`".  This may improve performance when using `Element.toString()` or its descendants.
 - The `semmle.code.cpp.security.TaintTracking` library now considers a pointer difference calculation as blocking taint flow.
+- The second copy of the interprocedural `TaintTracking` library has been renamed from `TaintTracking::Configuration2` to `TaintTracking2::Configuration`, and the old name is now deprecated. Import `semmle.code.cpp.dataflow.TaintTracking2` to access the new name.
 - Fixed the `LocalScopeVariableReachability.qll` library's handling of loops with an entry condition is both always true upon first entry, and where there is more than one control flow path through the loop condition.  This change increases the accuracy of the `LocalScopeVariableReachability.qll` library and queries which depend on it.
 - The `semmle.code.cpp.models` library now models data flow through `std::swap`.
 - There is a new `Variable.isThreadLocal()` predicate. It can be used to tell whether a variable is `thread_local`.
diff --git a/change-notes/1.22/analysis-java.md b/change-notes/1.22/analysis-java.md
index aee6bfd14c35..d37b3cda602a 100644
--- a/change-notes/1.22/analysis-java.md
+++ b/change-notes/1.22/analysis-java.md
@@ -16,4 +16,4 @@
   removes false positives that arose from paths through impossible `toString()`
   calls.
 * The library `VCS.qll` and all queries that imported it have been removed.
-
+* The second copy of the interprocedural `TaintTracking` library has been renamed from `TaintTracking::Configuration2` to `TaintTracking2::Configuration`, and the old name is now deprecated. Import `semmle.code.java.dataflow.TaintTracking2` to access the new name.

From 7c4938c035c63b0eaf8e3d23351ab5997e02ba0a Mon Sep 17 00:00:00 2001
From: Jonas Jensen <jonas@semmle.com>
Date: Tue, 20 Aug 2019 13:56:13 +0200
Subject: [PATCH 9/9] C#: Get rid of `TaintTrackingUtil.qll`

---
 .../semmle/code/csharp/dataflow/internal/TaintTrackingUtil.qll | 2 --
 .../internal/tainttracking1/TaintTrackingParameter.qll         | 3 ++-
 .../internal/tainttracking2/TaintTrackingParameter.qll         | 3 ++-
 .../internal/tainttracking3/TaintTrackingParameter.qll         | 3 ++-
 .../internal/tainttracking4/TaintTrackingParameter.qll         | 3 ++-
 .../internal/tainttracking5/TaintTrackingParameter.qll         | 3 ++-
 6 files changed, 10 insertions(+), 7 deletions(-)
 delete mode 100644 csharp/ql/src/semmle/code/csharp/dataflow/internal/TaintTrackingUtil.qll

diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/TaintTrackingUtil.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/TaintTrackingUtil.qll
deleted file mode 100644
index 05d61e62d331..000000000000
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/TaintTrackingUtil.qll
+++ /dev/null
@@ -1,2 +0,0 @@
-import TaintTrackingPrivate
-import TaintTrackingPublic
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking1/TaintTrackingParameter.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking1/TaintTrackingParameter.qll
index 835fbee4a942..275149a07d4d 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking1/TaintTrackingParameter.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking1/TaintTrackingParameter.qll
@@ -1,5 +1,6 @@
-import semmle.code.csharp.dataflow.internal.TaintTrackingUtil as Public
+import semmle.code.csharp.dataflow.internal.TaintTrackingPublic as Public
 
 module Private {
   import semmle.code.csharp.dataflow.DataFlow::DataFlow as DataFlow
+  import semmle.code.csharp.dataflow.internal.TaintTrackingPrivate
 }
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking2/TaintTrackingParameter.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking2/TaintTrackingParameter.qll
index 5f6fe4cf2041..6a8fa23ef31c 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking2/TaintTrackingParameter.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking2/TaintTrackingParameter.qll
@@ -1,5 +1,6 @@
-import semmle.code.csharp.dataflow.internal.TaintTrackingUtil as Public
+import semmle.code.csharp.dataflow.internal.TaintTrackingPublic as Public
 
 module Private {
   import semmle.code.csharp.dataflow.DataFlow2::DataFlow2 as DataFlow
+  import semmle.code.csharp.dataflow.internal.TaintTrackingPrivate
 }
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking3/TaintTrackingParameter.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking3/TaintTrackingParameter.qll
index 5a7f26adc24f..6c73b6ceda63 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking3/TaintTrackingParameter.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking3/TaintTrackingParameter.qll
@@ -1,5 +1,6 @@
-import semmle.code.csharp.dataflow.internal.TaintTrackingUtil as Public
+import semmle.code.csharp.dataflow.internal.TaintTrackingPublic as Public
 
 module Private {
   import semmle.code.csharp.dataflow.DataFlow3::DataFlow3 as DataFlow
+  import semmle.code.csharp.dataflow.internal.TaintTrackingPrivate
 }
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking4/TaintTrackingParameter.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking4/TaintTrackingParameter.qll
index d53b9b762122..e394e27a50c2 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking4/TaintTrackingParameter.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking4/TaintTrackingParameter.qll
@@ -1,5 +1,6 @@
-import semmle.code.csharp.dataflow.internal.TaintTrackingUtil as Public
+import semmle.code.csharp.dataflow.internal.TaintTrackingPublic as Public
 
 module Private {
   import semmle.code.csharp.dataflow.DataFlow4::DataFlow4 as DataFlow
+  import semmle.code.csharp.dataflow.internal.TaintTrackingPrivate
 }
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking5/TaintTrackingParameter.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking5/TaintTrackingParameter.qll
index 4a5a4787e4ee..2668be3b376e 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking5/TaintTrackingParameter.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking5/TaintTrackingParameter.qll
@@ -1,5 +1,6 @@
-import semmle.code.csharp.dataflow.internal.TaintTrackingUtil as Public
+import semmle.code.csharp.dataflow.internal.TaintTrackingPublic as Public
 
 module Private {
   import semmle.code.csharp.dataflow.DataFlow5::DataFlow5 as DataFlow
+  import semmle.code.csharp.dataflow.internal.TaintTrackingPrivate
 }