refactor copy-pasted code into getAnLibraryInputParameter

erik-krogh · erik-krogh · commit 0a17b0465050 · 2021-01-12T20:21:37.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/PackageExports.qll b/javascript/ql/src/semmle/javascript/PackageExports.qll
@@ -6,6 +6,16 @@
 
 import javascript
 
+/**
+ * Gets a parameter that is a library input to a top-level package.
+ */
+DataFlow::ParameterNode getAnLibraryInputParameter() {
+  exists(int bound, DataFlow::FunctionNode func |
+    func = getAValueExportedBy(getTopmostPackageJSON()).getABoundFunctionValue(bound) and
+    result = func.getParameter(any(int arg | arg >= bound))
+  )
+}
+
 /**
  * Gets the number of occurrences of "/" in `path`.
  */
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionCustomizations.qll
@@ -52,12 +52,7 @@ module UnsafeShellCommandConstruction {
    */
   class ExternalInputSource extends Source, DataFlow::ParameterNode {
     ExternalInputSource() {
-      exists(int bound, DataFlow::FunctionNode func |
-        func =
-          Exports::getAValueExportedBy(Exports::getTopmostPackageJSON())
-              .getABoundFunctionValue(bound) and
-        this = func.getParameter(any(int arg | arg >= bound))
-      ) and
+      this = Exports::getAnLibraryInputParameter() and
       not this.getName() = ["cmd", "command"] // looks to be on purpose.
     }
   }
diff --git a/javascript/ql/src/semmle/javascript/security/performance/PolynomialReDoSCustomizations.qll b/javascript/ql/src/semmle/javascript/security/performance/PolynomialReDoSCustomizations.qll
@@ -122,14 +122,7 @@ module PolynomialReDoS {
    * A parameter of an exported function, seen as a source for polynomial-redos.
    */
   class ExternalInputSource extends Source, DataFlow::ParameterNode {
-    ExternalInputSource() {
-      exists(int bound, DataFlow::FunctionNode func |
-        func =
-          Exports::getAValueExportedBy(Exports::getTopmostPackageJSON())
-              .getABoundFunctionValue(bound) and
-        this = func.getParameter(any(int arg | arg >= bound))
-      )
-    }
+    ExternalInputSource() { this = Exports::getAnLibraryInputParameter() }
 
     override string getKind() { result = "library" }
 

Original file line number	Diff line number	Diff line change
`@@ -52,12 +52,7 @@ module UnsafeShellCommandConstruction {`
`52`	`52`	`*/`
`53`	`53`	`class ExternalInputSource extends Source, DataFlow::ParameterNode {`
`54`	`54`	`ExternalInputSource() {`
`55`		`- exists(int bound, DataFlow::FunctionNode func \|`
`56`		`- func =`
`57`		`- Exports::getAValueExportedBy(Exports::getTopmostPackageJSON())`
`58`		`- .getABoundFunctionValue(bound) and`
`59`		`- this = func.getParameter(any(int arg \| arg >= bound))`
`60`		`- ) and`
	`55`	`+ this = Exports::getAnLibraryInputParameter() and`
`61`	`56`	`not this.getName() = ["cmd", "command"] // looks to be on purpose.`
`62`	`57`	`}`
`63`	`58`	`}`