deprecate the HTTP flowsTo predicates to avoid confusion with SourceNode::flowsTo

erik-krogh · erik-krogh · commit a03e6a800dbc · 2022-09-05T15:44:12.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/Connect.qll b/javascript/ql/lib/semmle/javascript/frameworks/Connect.qll
@@ -66,7 +66,7 @@ module Connect {
       getMethodName() = "use" and
       (
         // app.use(fun)
-        server.flowsTo(getReceiver())
+        server.ref().flowsToExpr(getReceiver())
         or
         // app.use(...).use(fun)
         this.getReceiver().(RouteSetup).getServer() = server
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/Express.qll b/javascript/ql/lib/semmle/javascript/frameworks/Express.qll
@@ -43,7 +43,7 @@ module Express {
   /**
    * Holds if `e` may refer to the given `router` object.
    */
-  private predicate isRouter(Expr e, RouterDefinition router) { router.flowsTo(e) }
+  private predicate isRouter(Expr e, RouterDefinition router) { router.ref().flowsToExpr(e) } // TODO: DataFlow::Node
 
   /**
    * Holds if `e` may refer to a router object.
@@ -853,21 +853,24 @@ module Express {
     DataFlow::SourceNode ref() { result = this.ref(DataFlow::TypeTracker::end()) }
 
     /**
+     * DEPRECATED: Use `ref().flowsToExpr()` instead.
      * Holds if `sink` may refer to this router.
      */
-    predicate flowsTo(Expr sink) { this.ref().flowsToExpr(sink) }
+    deprecated predicate flowsTo(Expr sink) { this.ref().flowsToExpr(sink) }
 
     /**
      * Gets a `RouteSetup` that was used for setting up a route on this router.
      */
-    private RouteSetup getARouteSetup() { this.flowsTo(result.getReceiver()) }
+    private RouteSetup getARouteSetup() { this.ref().flowsToExpr(result.getReceiver()) }
 
     /**
      * Gets a sub-router registered on this router.
      *
      * Example: `router2` for `router1.use(router2)` or `router1.use("/route2", router2)`
      */
-    RouterDefinition getASubRouter() { result.flowsTo(this.getARouteSetup().getAnArgument()) }
+    RouterDefinition getASubRouter() {
+      result.ref().flowsToExpr(this.getARouteSetup().getAnArgument())
+    }
 
     /**
      * Gets a route handler registered on this router.
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/HTTP.qll b/javascript/ql/lib/semmle/javascript/frameworks/HTTP.qll
@@ -272,10 +272,14 @@ module HTTP {
         exists(DataFlow::TypeTracker t2 | result = this.ref(t2).track(t2, t))
       }
 
+      /** Gets a data flow node referring to this server. */
+      DataFlow::SourceNode ref() { result = this.ref(DataFlow::TypeTracker::end()) }
+
       /**
+       * DEPRECATED: Use `ref().flowsToExpr()` instead.
        * Holds if `sink` may refer to this server definition.
        */
-      predicate flowsTo(Expr sink) { this.ref(DataFlow::TypeTracker::end()).flowsToExpr(sink) }
+      deprecated predicate flowsTo(Expr sink) { this.ref().flowsToExpr(sink) }
     }
 
     /**
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/Hapi.qll b/javascript/ql/lib/semmle/javascript/frameworks/Hapi.qll
@@ -189,7 +189,7 @@ module Hapi {
     Expr handler;
 
     RouteSetup() {
-      server.flowsTo(getReceiver()) and
+      server.ref().flowsToExpr(getReceiver()) and
       (
         // server.route({ handler: fun })
         getMethodName() = "route" and
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/Koa.qll b/javascript/ql/lib/semmle/javascript/frameworks/Koa.qll
@@ -118,8 +118,6 @@ module Koa {
      */
     RouteHandler getRouteHandler() { result = rh }
 
-    predicate flowsTo(DataFlow::Node nd) { this.ref().flowsTo(nd) }
-
     private DataFlow::SourceNode ref(DataFlow::TypeTracker t) {
       t.start() and
       result = this
@@ -258,7 +256,7 @@ module Koa {
   class ContextExpr extends Expr {
     ContextSource src;
 
-    ContextExpr() { src.flowsTo(DataFlow::valueNode(this)) }
+    ContextExpr() { src.ref().flowsTo(DataFlow::valueNode(this)) }
 
     /**
      * Gets the route handler that provides this response.
@@ -390,7 +388,7 @@ module Koa {
 
     RouteSetup() {
       // app.use(fun)
-      server.flowsTo(this.getReceiver()) and
+      server.ref().flowsToExpr(this.getReceiver()) and
       this.getMethodName() = "use"
     }
 
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/NodeJSLib.qll b/javascript/ql/lib/semmle/javascript/frameworks/NodeJSLib.qll
@@ -221,10 +221,10 @@ module NodeJSLib {
     Expr handler;
 
     RouteSetup() {
-      server.flowsTo(this) and
+      server.ref().flowsToExpr(this) and
       handler = this.getLastArgument()
       or
-      server.flowsTo(this.getReceiver()) and
+      server.ref().flowsToExpr(this.getReceiver()) and
       this.(MethodCallExpr).getMethodName().regexpMatch("on(ce)?") and
       this.getArgument(0).getStringValue() = "request" and
       handler = this.getArgument(1)
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/Restify.qll b/javascript/ql/lib/semmle/javascript/frameworks/Restify.qll
@@ -144,7 +144,7 @@ module Restify {
     RouteSetup() {
       // server.get('/', fun)
       // server.head('/', fun)
-      server.flowsTo(getReceiver()) and
+      server.ref().flowsToExpr(getReceiver()) and
       getMethodName() = any(HTTP::RequestMethodName m).toLowerCase()
     }
 
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/TemplateObjectInjectionCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/TemplateObjectInjectionCustomizations.qll
@@ -76,8 +76,8 @@ module TemplateObjectInjection {
   predicate usesVulnerableTemplateEngine(Express::RouterDefinition router) {
     // option 1: `app.set("view engine", "theEngine")`.
     // Express will load the engine automatically.
-    exists(MethodCallExpr call |
-      router.flowsTo(call.getReceiver()) and
+    exists(DataFlow::MethodCallNode call |
+      router.ref().getAMethodCall() = call and
       call.getMethodName() = "set" and
       call.getArgument(0).getStringValue() = "view engine" and
       call.getArgument(1).getStringValue() = getAVulnerableTemplateEngine()
@@ -91,11 +91,11 @@ module TemplateObjectInjection {
       DataFlow::MethodCallNode viewEngineCall
     |
       // `app.engine("name", engine)
-      router.flowsTo(registerCall.getReceiver().asExpr()) and
+      router.ref().getAMethodCall() = registerCall and
       registerCall.getMethodName() = ["engine", "register"] and
       engine = registerCall.getArgument(1).getALocalSource() and
       // app.set("view engine", "name")
-      router.flowsTo(viewEngineCall.getReceiver().asExpr()) and
+      router.ref().getAMethodCall() = viewEngineCall and
       viewEngineCall.getMethodName() = "set" and
       viewEngineCall.getArgument(0).getStringValue() = "view engine" and
       // The name set by the `app.engine("name")` call matches `app.set("view engine", "name")`.

Original file line number	Diff line number	Diff line change
`@@ -66,7 +66,7 @@ module Connect {`
`66`	`66`	`getMethodName() = "use" and`
`67`	`67`	`(`
`68`	`68`	`// app.use(fun)`
`69`		`- server.flowsTo(getReceiver())`
	`69`	`+ server.ref().flowsToExpr(getReceiver())`
`70`	`70`	`or`
`71`	`71`	`// app.use(...).use(fun)`
`72`	`72`	`this.getReceiver().(RouteSetup).getServer() = server`
Original file line number	Diff line number	Diff line change
`@@ -272,10 +272,14 @@ module HTTP {`
`272`	`272`	`exists(DataFlow::TypeTracker t2 \| result = this.ref(t2).track(t2, t))`
`273`	`273`	`}`
`274`	`274`
	`275`	`+ /** Gets a data flow node referring to this server. */`
	`276`	`+ DataFlow::SourceNode ref() { result = this.ref(DataFlow::TypeTracker::end()) }`
	`277`	`+`
`275`	`278`	`/**`
	`279`	+ * DEPRECATED: Use `ref().flowsToExpr()` instead.
`276`	`280`	* Holds if `sink` may refer to this server definition.
`277`	`281`	`*/`
`278`		`- predicate flowsTo(Expr sink) { this.ref(DataFlow::TypeTracker::end()).flowsToExpr(sink) }`
	`282`	`+ deprecated predicate flowsTo(Expr sink) { this.ref().flowsToExpr(sink) }`
`279`	`283`	`}`
`280`	`284`
`281`	`285`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -189,7 +189,7 @@ module Hapi {`
`189`	`189`	`Expr handler;`
`190`	`190`
`191`	`191`	`RouteSetup() {`
`192`		`- server.flowsTo(getReceiver()) and`
	`192`	`+ server.ref().flowsToExpr(getReceiver()) and`
`193`	`193`	`(`
`194`	`194`	`// server.route({ handler: fun })`
`195`	`195`	`getMethodName() = "route" and`
Original file line number	Diff line number	Diff line change
`@@ -144,7 +144,7 @@ module Restify {`
`144`	`144`	`RouteSetup() {`
`145`	`145`	`// server.get('/', fun)`
`146`	`146`	`// server.head('/', fun)`
`147`		`- server.flowsTo(getReceiver()) and`
	`147`	`+ server.ref().flowsToExpr(getReceiver()) and`
`148`	`148`	`getMethodName() = any(HTTP::RequestMethodName m).toLowerCase()`
`149`	`149`	`}`
`150`	`150`