refactor copy-pasted code into getAnLibraryInputParameter

javascript/ql/src/semmle/javascript/PackageExports.qll

@@ -6,6 +6,16 @@
 
 import javascript
 
+/**
+ * Gets a parameter that is a library input to a top-level package.
+ */
+DataFlow::ParameterNode getAnLibraryInputParameter() {
+  exists(int bound, DataFlow::FunctionNode func |
+    func = getAValueExportedBy(getTopmostPackageJSON()).getABoundFunctionValue(bound) and
+    result = func.getParameter(any(int arg | arg >= bound))
+  )
+}
+
 /**
  * Gets the number of occurrences of "/" in `path`.
  */

javascript/ql/src/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionCustomizations.qll

@@ -52,12 +52,7 @@ module UnsafeShellCommandConstruction {
    */
   class ExternalInputSource extends Source, DataFlow::ParameterNode {
     ExternalInputSource() {
-      exists(int bound, DataFlow::FunctionNode func |
-        func =
-          Exports::getAValueExportedBy(Exports::getTopmostPackageJSON())
-              .getABoundFunctionValue(bound) and
-        this = func.getParameter(any(int arg | arg >= bound))
-      ) and
+      this = Exports::getAnLibraryInputParameter() and
       not this.getName() = ["cmd", "command"] // looks to be on purpose.
     }
   }

javascript/ql/src/semmle/javascript/security/performance/PolynomialReDoSCustomizations.qll

@@ -122,14 +122,7 @@ module PolynomialReDoS {
    * A parameter of an exported function, seen as a source for polynomial-redos.
    */
   class ExternalInputSource extends Source, DataFlow::ParameterNode {
-    ExternalInputSource() {
-      exists(int bound, DataFlow::FunctionNode func |
-        func =
-          Exports::getAValueExportedBy(Exports::getTopmostPackageJSON())
-              .getABoundFunctionValue(bound) and
-        this = func.getParameter(any(int arg | arg >= bound))
-      )
-    }
+    ExternalInputSource() { this = Exports::getAnLibraryInputParameter() }
 
     override string getKind() { result = "library" }