JavaScript: Rename a predicate in CommandInjection.qll.

Max Schaefer · Max Schaefer · commit 4e4ef520abd7 · 2018-10-03T15:49:02.000+01:00
diff --git a/javascript/ql/src/Security/CWE-078/CommandInjection.ql b/javascript/ql/src/Security/CWE-078/CommandInjection.ql
@@ -17,5 +17,8 @@ import semmle.javascript.security.dataflow.CommandInjection::CommandInjection
 
 from Configuration cfg, DataFlow::Node source, DataFlow::Node sink, DataFlow::Node highlight
 where cfg.hasFlow(source, sink) and
-      if cfg.isSink(sink, _) then cfg.isSink(sink, highlight) else highlight = sink
+      if cfg.isSinkWithHighlight(sink, _) then
+        cfg.isSinkWithHighlight(sink, highlight)
+      else
+        highlight = sink
 select highlight, "This command depends on $@.", source, "a user-provided value"
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/CommandInjection.qll b/javascript/ql/src/semmle/javascript/security/dataflow/CommandInjection.qll
@@ -37,14 +37,14 @@ module CommandInjection {
      * Holds if `sink` is a data flow sink for command-injection vulnerabilities, and
      * the alert should be placed at the node `highlight`.
      */
-    predicate isSink(DataFlow::Node sink, DataFlow::Node highlight) {
+    predicate isSinkWithHighlight(DataFlow::Node sink, DataFlow::Node highlight) {
       sink instanceof Sink and highlight = sink
       or
       indirectCommandInjection(sink, highlight)
     }
 
     override predicate isSink(DataFlow::Node sink) {
-      isSink(sink, _)
+      isSinkWithHighlight(sink, _)
     }
 
     override predicate isSanitizer(DataFlow::Node node) {
