JS: Rename getARhs -> getASink

2026-04-30 11:15:13 +02:00 · 2022-04-05 09:33:16 +02:00
parent 4c6192670e
commit 19a5db9f89
32 changed files with 126 additions and 116 deletions
--- a/javascript/ql/lib/semmle/javascript/ApiGraphs.qll
+++ b/javascript/ql/lib/semmle/javascript/ApiGraphs.qll
@@ -187,26 +187,36 @@ module API {
    InvokeNode getAnInvocation() { result = this.getACall() or result = this.getAnInstantiation() }

    /**
-     * Gets a data-flow node corresponding to the right-hand side of a definition of the API
-     * component represented by this node.
+     * Get a data-flow node where this value leaves the current codebase and flows into an
+     * external library (or in general, any external codebase).
     *
-     * For example, in the assignment `exports.plusOne = (x) => x+1`, the function expression
-     * `(x) => x+1` is the right-hand side of the  definition of the member `plusOne` of
-     * the enclosing module, and the expression `x+1` is the right-had side of the definition of
-     * its result.
+     * Concretely, this is either an argument passed to a call to external code,
+     * or the right-hand side of a property write on an object flows into such a call.
     *
-     * Note that for parameters, it is the arguments flowing into that parameter that count as
-     * right-hand sides of the definition, not the declaration of the parameter itself.
-     * Consequently, in `require('fs').readFileSync(file)`, `file` is the right-hand
-     * side of a definition of the first parameter of `readFileSync` from the `fs` module.
+     * For example:
+     * ```js
+     * // 'x' is matched by API::moduleImport("foo").getParameter(0).getASink()
+     * require('foo')(x);
+     *
+     * // 'x' is matched by API::moduleImport("foo").getParameter(0).getMember("prop").getASink()
+     * require('foo')({
+     *   prop: x
+     * });
+     * ```
     */
-    DataFlow::Node getARhs() { Impl::rhs(this, result) }
+    DataFlow::Node getASink() { Impl::rhs(this, result) }

    /**
     * Gets a data-flow node that may interprocedurally flow to the right-hand side of a definition
     * of the API component represented by this node.
     */
-    DataFlow::Node getAValueReachingRhs() { result = Impl::trackDefNode(this.getARhs()) }
+    DataFlow::Node getAValueReachingSink() { result = Impl::trackDefNode(this.getASink()) }
+
+    /** DEPRECATED. This predicate has been renamed to `getASink`. */
+    deprecated DataFlow::Node getARhs() { result = this.getASink() }
+
+    /** DEPRECATED. This predicate has been renamed to `getAValueReachingSink`. */
+    deprecated DataFlow::Node getAValueReachingRhs() { result = this.getAValueReachingSink() }

    /**
     * Gets a node representing member `m` of this API component.
@@ -441,7 +451,7 @@ module API {
     * In other words, the value of a use of `that` may flow into the right-hand side of a
     * definition of this node.
     */
-    predicate refersTo(Node that) { this.getARhs() = that.getAValueReachableFromSource() }
+    predicate refersTo(Node that) { this.getASink() = that.getAValueReachableFromSource() }

    /**
     * Gets the data-flow node that gives rise to this node, if any.
@@ -1301,7 +1311,7 @@ module API {
     * Gets an API node where a RHS of the node is the `i`th argument to this call.
     */
    pragma[noinline]
-    private Node getAParameterCandidate(int i) { result.getARhs() = this.getArgument(i) }
+    private Node getAParameterCandidate(int i) { result.getASink() = this.getArgument(i) }

    /** Gets the API node for a parameter of this invocation. */
    Node getAParameter() { result = this.getParameter(_) }
--- a/javascript/ql/lib/semmle/javascript/JsonSchema.qll
+++ b/javascript/ql/lib/semmle/javascript/JsonSchema.qll
@@ -134,7 +134,7 @@ module JsonSchema {
              .ref()
              .getMember(["addSchema", "validate", "compile", "compileAsync"])
              .getParameter(0)
-              .getARhs()
+              .getASink()
      }
    }
  }
--- a/javascript/ql/lib/semmle/javascript/frameworks/ClientRequests.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/ClientRequests.qll
@@ -827,7 +827,7 @@ module ClientRequest {
    class ApolloClientRequest extends ClientRequest::Range, API::InvokeNode {
      ApolloClientRequest() { this = apolloUriCallee().getAnInvocation() }

-      override DataFlow::Node getUrl() { result = this.getParameter(0).getMember("uri").getARhs() }
+      override DataFlow::Node getUrl() { result = this.getParameter(0).getMember("uri").getASink() }

      override DataFlow::Node getHost() { none() }

@@ -848,10 +848,10 @@ module ClientRequest {

    override DataFlow::Node getUrl() { result = this.getArgument(0) }

-    override DataFlow::Node getHost() { result = this.getParameter(0).getMember("host").getARhs() }
+    override DataFlow::Node getHost() { result = this.getParameter(0).getMember("host").getASink() }

    override DataFlow::Node getADataNode() {
-      result = form.getMember("append").getACall().getParameter(1).getARhs()
+      result = form.getMember("append").getACall().getParameter(1).getASink()
    }
  }
 }
--- a/javascript/ql/lib/semmle/javascript/frameworks/Credentials.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/Credentials.qll
@@ -21,7 +21,7 @@ private class CredentialsFromModel extends CredentialsExpr {
  string kind;

  CredentialsFromModel() {
-    this = ModelOutput::getASinkNode("credentials[" + kind + "]").getARhs().asExpr()
+    this = ModelOutput::getASinkNode("credentials[" + kind + "]").getASink().asExpr()
  }

  override string getCredentialsKind() { result = kind }
--- a/javascript/ql/lib/semmle/javascript/frameworks/D3.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/D3.qll
@@ -71,7 +71,7 @@ module D3 {
    D3XssSink() {
      exists(API::Node htmlArg |
        htmlArg = d3Selection().getMember("html").getParameter(0) and
-        this = [htmlArg, htmlArg.getReturn()].getARhs()
+        this = [htmlArg, htmlArg.getReturn()].getASink()
      )
    }
  }
--- a/javascript/ql/lib/semmle/javascript/frameworks/HttpProxy.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/HttpProxy.qll
@@ -19,10 +19,10 @@ private module HttpProxy {
            .getACall()
    }

-    override DataFlow::Node getUrl() { result = getParameter(0).getMember("target").getARhs() }
+    override DataFlow::Node getUrl() { result = getParameter(0).getMember("target").getASink() }

    override DataFlow::Node getHost() {
-      result = getParameter(0).getMember("target").getMember("host").getARhs()
+      result = getParameter(0).getMember("target").getMember("host").getASink()
    }

    override DataFlow::Node getADataNode() { none() }
@@ -49,10 +49,10 @@ private module HttpProxy {
      )
    }

-    override DataFlow::Node getUrl() { result = getOptionsObject().getMember("target").getARhs() }
+    override DataFlow::Node getUrl() { result = getOptionsObject().getMember("target").getASink() }

    override DataFlow::Node getHost() {
-      result = getOptionsObject().getMember("target").getMember("host").getARhs()
+      result = getOptionsObject().getMember("target").getMember("host").getASink()
    }

    override DataFlow::Node getADataNode() { none() }
@@ -78,8 +78,8 @@ private module HttpProxy {
    ProxyListenerCallback() {
      exists(API::CallNode call |
        call = any(CreateServerCall server).getReturn().getMember(["on", "once"]).getACall() and
-        call.getParameter(0).getARhs().mayHaveStringValue(event) and
-        this = call.getParameter(1).getARhs().getAFunctionValue()
+        call.getParameter(0).getASink().mayHaveStringValue(event) and
+        this = call.getParameter(1).getASink().getAFunctionValue()
      )
    }

--- a/javascript/ql/lib/semmle/javascript/frameworks/LdapJS.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/LdapJS.qll
@@ -61,10 +61,10 @@ module LdapJS {

    SearchFilter() {
      options = ldapClient().getMember("search").getACall().getParameter(1) and
-      this = options.getARhs()
+      this = options.getASink()
    }

-    override DataFlow::Node getInput() { result = options.getMember("filter").getARhs() }
+    override DataFlow::Node getInput() { result = options.getMember("filter").getASink() }

    override DataFlow::Node getOutput() { result = this }
  }
--- a/javascript/ql/lib/semmle/javascript/frameworks/LiveServer.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/LiveServer.qll
@@ -41,7 +41,7 @@ private module LiveServer {

    override DataFlow::SourceNode getARouteHandler() {
      exists(DataFlow::SourceNode middleware |
-        middleware = call.getParameter(0).getMember("middleware").getAValueReachingRhs()
+        middleware = call.getParameter(0).getMember("middleware").getAValueReachingSink()
      |
        result = middleware.getAMemberCall(["push", "unshift"]).getArgument(0).getAFunctionValue()
        or
--- a/javascript/ql/lib/semmle/javascript/frameworks/Markdown.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/Markdown.qll
@@ -163,14 +163,14 @@ module Markdown {
        or
        call = API::moduleImport("markdown-it").getMember("Markdown").getAnInvocation()
      |
-        call.getParameter(0).getMember("html").getARhs().mayHaveBooleanValue(true) and
+        call.getParameter(0).getMember("html").getASink().mayHaveBooleanValue(true) and
        result = call.getReturn()
      )
      or
      exists(API::CallNode call |
        call = markdownIt().getMember(["use", "set", "configure", "enable", "disable"]).getACall() and
        result = call.getReturn() and
-        not call.getParameter(0).getAValueReachingRhs() =
+        not call.getParameter(0).getAValueReachingSink() =
          DataFlow::moduleImport("markdown-it-sanitizer")
      )
    }
--- a/javascript/ql/lib/semmle/javascript/frameworks/Nest.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/Nest.qll
@@ -193,7 +193,7 @@ module NestJS {
          .getAMember()
          .getMember("useFactory")
          .getReturn()
-          .getARhs() = validationPipe().getInstance().getAValueReachableFromSource() and
+          .getASink() = validationPipe().getInstance().getAValueReachableFromSource() and
      folder = decorator.getFile().getParentContainer()
    )
    or
@@ -399,7 +399,7 @@ module NestJS {
    }

    /** Gets a value returned by the decorator's callback, which becomes the value of the decorated parameter. */
-    DataFlow::Node getResult() { result = getParameter(0).getReturn().getARhs() }
+    DataFlow::Node getResult() { result = getParameter(0).getReturn().getASink() }
  }

  /**
--- a/javascript/ql/lib/semmle/javascript/frameworks/NoSQL.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/NoSQL.qll
@@ -20,7 +20,7 @@ deprecated module NoSQL = NoSql;
 * Gets a value that has been assigned to the "$where" property of an object that flows to `queryArg`.
 */
 private DataFlow::Node getADollarWhereProperty(API::Node queryArg) {
-  result = queryArg.getMember("$where").getARhs()
+  result = queryArg.getMember("$where").getASink()
 }

 /**
@@ -501,7 +501,7 @@ private module Mongoose {

    Credentials() {
      exists(string prop |
-        this = createConnection().getParameter(3).getMember(prop).getARhs().asExpr()
+        this = createConnection().getParameter(3).getMember(prop).getASink().asExpr()
      |
        prop = "user" and kind = "user name"
        or
@@ -518,7 +518,7 @@ private module Mongoose {
  class MongoDBQueryPart extends NoSql::Query {
    MongooseFunction f;

-    MongoDBQueryPart() { this = f.getQueryArgument().getARhs().asExpr() }
+    MongoDBQueryPart() { this = f.getQueryArgument().getASink().asExpr() }

    override DataFlow::Node getACodeOperator() {
      result = getADollarWhereProperty(f.getQueryArgument())
@@ -540,7 +540,7 @@ private module Mongoose {

    override DataFlow::Node getAQueryArgument() {
      // NB: the complete information is not easily accessible for deeply chained calls
-      f.getQueryArgument().getARhs() = result
+      f.getQueryArgument().getASink() = result
    }

    override DataFlow::Node getAResult() {
@@ -770,7 +770,7 @@ private module Redis {
    RedisKeyArgument() {
      exists(string method, int argIndex |
        QuerySignatures::argumentIsAmbiguousKey(method, argIndex) and
-        this = redis().getMember(method).getParameter(argIndex).getARhs().asExpr()
+        this = redis().getMember(method).getParameter(argIndex).getASink().asExpr()
      )
    }
  }
--- a/javascript/ql/lib/semmle/javascript/frameworks/NodeJSLib.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/NodeJSLib.qll
@@ -739,7 +739,7 @@ module NodeJSLib {
        methodName = ["execFile", "execFileSync", "spawn", "spawnSync", "fork"]
      ) and
      // all of the above methods take the command as their first argument
-      result = this.getParameter(0).getARhs()
+      result = this.getParameter(0).getASink()
    }

    override DataFlow::Node getACommandArgument() { result = this.getACommandArgument(_) }
@@ -751,7 +751,7 @@ module NodeJSLib {
    override DataFlow::Node getArgumentList() {
      methodName = ["execFile", "execFileSync", "fork", "spawn", "spawnSync"] and
      // all of the above methods take the argument list as their second argument
-      result = this.getParameter(1).getARhs()
+      result = this.getParameter(1).getASink()
    }

    override predicate isSync() { methodName.matches("%Sync") }
@@ -759,7 +759,7 @@ module NodeJSLib {
    override DataFlow::Node getOptionsArg() {
      not result.getALocalSource() instanceof DataFlow::FunctionNode and // looks like callback
      not result.getALocalSource() instanceof DataFlow::ArrayCreationNode and // looks like argumentlist
-      not result = this.getParameter(0).getARhs() and
+      not result = this.getParameter(0).getASink() and
      // fork/spawn and all sync methos always has options as the last argument
      if
        methodName.matches("fork%") or
@@ -768,7 +768,7 @@ module NodeJSLib {
      then result = this.getLastArgument()
      else
        // the rest (exec/execFile) has the options argument as their second last.
-        result = this.getParameter(this.getNumArgument() - 2).getARhs()
+        result = this.getParameter(this.getNumArgument() - 2).getASink()
    }
  }

--- a/javascript/ql/lib/semmle/javascript/frameworks/Puppeteer.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/Puppeteer.qll
@@ -86,7 +86,7 @@ module Puppeteer {
      this = page().getMember(["addStyleTag", "addScriptTag"]).getACall()
    }

-    override DataFlow::Node getUrl() { result = getParameter(0).getMember("url").getARhs() }
+    override DataFlow::Node getUrl() { result = getParameter(0).getMember("url").getASink() }

    override DataFlow::Node getHost() { none() }

--- a/javascript/ql/lib/semmle/javascript/frameworks/Redux.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/Redux.qll
@@ -94,7 +94,7 @@ module Redux {
      }

      override DataFlow::Node getReducerArg() {
-        result = getParameter(0).getMember("reducer").getARhs()
+        result = getParameter(0).getMember("reducer").getASink()
      }
    }
  }
@@ -193,7 +193,7 @@ module Redux {
      CombineReducers() { this = combineReducers().getACall() }

      override DataFlow::Node getStateHandlerArg(string prop) {
-        result = getParameter(0).getMember(prop).getARhs()
+        result = getParameter(0).getMember(prop).getASink()
      }
    }

@@ -207,7 +207,7 @@ module Redux {
     */
    private class NestedCombineReducers extends DelegatingReducer, DataFlow::ObjectLiteralNode {
      NestedCombineReducers() {
-        this = combineReducers().getParameter(0).getAMember+().getAValueReachingRhs()
+        this = combineReducers().getParameter(0).getAMember+().getAValueReachingSink()
      }

      override DataFlow::Node getStateHandlerArg(string prop) {
@@ -235,7 +235,7 @@ module Redux {

      override DataFlow::Node getActionHandlerArg(DataFlow::Node actionType) {
        exists(DataFlow::PropWrite write |
-          result = getParameter(0).getAMember().getARhs() and
+          result = getParameter(0).getAMember().getASink() and
          write.getRhs() = result and
          actionType = write.getPropertyNameExpr().flow()
        )
@@ -385,14 +385,14 @@ module Redux {

      override DataFlow::Node getActionHandlerArg(DataFlow::Node actionType) {
        exists(string name |
-          result = call.getParameter(0).getMember("reducers").getMember(name).getARhs() and
+          result = call.getParameter(0).getMember("reducers").getMember(name).getASink() and
          actionType = call.getReturn().getMember("actions").getMember(name).getASource()
        )
        or
        // Properties of 'extraReducers':
        //   { extraReducers: { [action]: reducer }}
        exists(DataFlow::PropWrite write |
-          result = call.getParameter(0).getMember("extraReducers").getAMember().getARhs() and
+          result = call.getParameter(0).getMember("extraReducers").getAMember().getASink() and
          write.getRhs() = result and
          actionType = write.getPropertyNameExpr().flow()
        )
@@ -444,7 +444,7 @@ module Redux {
      or
      // x -> bindActionCreators({ x, ... })
      exists(BindActionCreatorsCall bind, string prop |
-        ref(t.continue()).flowsTo(bind.getParameter(0).getMember(prop).getARhs()) and
+        ref(t.continue()).flowsTo(bind.getParameter(0).getMember(prop).getASink()) and
        result = bind.getReturn().getMember(prop).getASource()
      )
      or
@@ -584,7 +584,7 @@ module Redux {
      }

      override DataFlow::FunctionNode getMiddlewareFunction(boolean async) {
-        result.flowsTo(createActions.getParameter(0).getMember(getTypeTag()).getARhs()) and
+        result.flowsTo(createActions.getParameter(0).getMember(getTypeTag()).getASink()) and
        async = false
      }

@@ -619,7 +619,7 @@ module Redux {

      override string getTypeTag() {
        exists(string prefix |
-          call.getParameter(0).getMember("name").getARhs().mayHaveStringValue(prefix) and
+          call.getParameter(0).getMember("name").getASink().mayHaveStringValue(prefix) and
          result = prefix + "/" + actionName
        )
      }
@@ -640,7 +640,7 @@ module Redux {

      override DataFlow::FunctionNode getMiddlewareFunction(boolean async) {
        async = true and
-        result = getParameter(1).getAValueReachingRhs()
+        result = getParameter(1).getAValueReachingSink()
      }

      override string getTypeTag() { getArgument(0).mayHaveStringValue(result) }
@@ -916,7 +916,7 @@ module Redux {
   */
  private DataFlow::ObjectLiteralNode getAManuallyDispatchedValue(string actionType) {
    result.getAPropertyWrite("type").getRhs().mayHaveStringValue(actionType) and
-    result = getADispatchedValueNode().getAValueReachingRhs()
+    result = getADispatchedValueNode().getAValueReachingSink()
  }

  /**
@@ -994,7 +994,7 @@ module Redux {
      override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
        exists(API::CallNode call |
          call = useSelector().getACall() and
-          pred = call.getParameter(0).getReturn().getARhs() and
+          pred = call.getParameter(0).getReturn().getASink() and
          succ = call
        )
      }
@@ -1046,19 +1046,19 @@ module Redux {
        //
        //   const mapDispatchToProps = { foo }
        //
-        result = getMapDispatchToProps().getMember(name).getARhs()
+        result = getMapDispatchToProps().getMember(name).getASink()
        or
        //
        //   const mapDispatchToProps = dispatch => ( { foo } )
        //
-        result = getMapDispatchToProps().getReturn().getMember(name).getARhs()
+        result = getMapDispatchToProps().getReturn().getMember(name).getASink()
        or
        // Explicitly bound by bindActionCreators:
        //
        //   const mapDispatchToProps = dispatch => bindActionCreators({ foo }, dispatch);
        //
        exists(BindActionCreatorsCall bind |
-          bind.flowsTo(getMapDispatchToProps().getReturn().getARhs()) and
+          bind.flowsTo(getMapDispatchToProps().getReturn().getASink()) and
          result = bind.getOptionArgument(0, name)
        )
      }
@@ -1115,12 +1115,12 @@ module Redux {

      override API::Node getMapStateToProps() {
        result = getAParameter() and
-        result.getARhs().asExpr().(Identifier).getName() = "mapStateToProps"
+        result.getASink().asExpr().(Identifier).getName() = "mapStateToProps"
      }

      override API::Node getMapDispatchToProps() {
        result = getAParameter() and
-        result.getARhs().asExpr().(Identifier).getName() = "mapDispatchToProps"
+        result.getASink().asExpr().(Identifier).getName() = "mapDispatchToProps"
      }
    }

@@ -1130,7 +1130,7 @@ module Redux {
    private class StateToPropsStep extends StateStep {
      override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
        exists(ConnectCall call |
-          pred = call.getMapStateToProps().getReturn().getARhs() and
+          pred = call.getMapStateToProps().getReturn().getASink() and
          succ = call.getReactComponent().getADirectPropsAccess()
        )
      }
@@ -1221,13 +1221,13 @@ module Redux {
        // Return value of `i`th callback flows to the `i`th parameter of the last callback.
        exists(CreateSelectorCall call, int index |
          call.getNumArgument() > 1 and
-          pred = call.getSelectorFunction(index).getReturn().getARhs() and
+          pred = call.getSelectorFunction(index).getReturn().getASink() and
          succ = call.getLastParameter().getParameter(index).getASource()
        )
        or
        // The result of the last callback is the final result
        exists(CreateSelectorCall call |
-          pred = call.getLastParameter().getReturn().getARhs() and
+          pred = call.getLastParameter().getReturn().getASink() and
          succ = call
        )
      }
--- a/javascript/ql/lib/semmle/javascript/frameworks/SQL.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/SQL.qll
@@ -9,7 +9,7 @@ module SQL {
  abstract class SqlString extends Expr { }

  private class SqlStringFromModel extends SqlString {
-    SqlStringFromModel() { this = ModelOutput::getASinkNode("sql-injection").getARhs().asExpr() }
+    SqlStringFromModel() { this = ModelOutput::getASinkNode("sql-injection").getASink().asExpr() }
  }

  /**
@@ -109,7 +109,7 @@ private module MySql {
    Credentials() {
      exists(API::Node callee, string prop |
        callee in [createConnection(), createPool()] and
-        this = callee.getParameter(0).getMember(prop).getARhs().asExpr() and
+        this = callee.getParameter(0).getMember(prop).getASink().asExpr() and
        (
          prop = "user" and kind = "user name"
          or
@@ -200,7 +200,7 @@ private module Postgres {
    QueryString() {
      this = any(QueryCall qc).getAQueryArgument().asExpr()
      or
-      this = API::moduleImport("pg-cursor").getParameter(0).getARhs().asExpr()
+      this = API::moduleImport("pg-cursor").getParameter(0).getASink().asExpr()
    }
  }

@@ -210,9 +210,9 @@ private module Postgres {

    Credentials() {
      exists(string prop |
-        this = [newClient(), newPool()].getParameter(0).getMember(prop).getARhs().asExpr()
+        this = [newClient(), newPool()].getParameter(0).getMember(prop).getASink().asExpr()
        or
-        this = pgPromise().getParameter(0).getMember(prop).getARhs().asExpr()
+        this = pgPromise().getParameter(0).getMember(prop).getASink().asExpr()
      |
        prop = "user" and kind = "user name"
        or
@@ -494,7 +494,7 @@ private module MsSql {
          or
          callee = mssql().getMember("ConnectionPool")
        ) and
-        this = callee.getParameter(0).getMember(prop).getARhs().asExpr() and
+        this = callee.getParameter(0).getMember(prop).getASink().asExpr() and
        (
          prop = "user" and kind = "user name"
          or
--- a/javascript/ql/lib/semmle/javascript/frameworks/Templating.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/Templating.qll
@@ -233,7 +233,7 @@ module Templating {
  /** Gets an API node that may flow to `succ` through a template instantiation. */
  private API::Node getTemplateInput(DataFlow::SourceNode succ) {
    exists(TemplateInstantiation inst, API::Node base, string name |
-      base.getARhs() = inst.getTemplateParamsNode() and
+      base.getASink() = inst.getTemplateParamsNode() and
      result = base.getMember(name) and
      succ =
        inst.getTemplateFile()
@@ -244,7 +244,7 @@ module Templating {
    )
    or
    exists(TemplateInstantiation inst, string accessPath |
-      result.getARhs() = inst.getTemplateParamForValue(accessPath) and
+      result.getASink() = inst.getTemplateParamForValue(accessPath) and
      succ =
        inst.getTemplateFile()
            .getAnImportedFile*()
@@ -261,7 +261,7 @@ module Templating {

  private class TemplateInputStep extends DataFlow::SharedFlowStep {
    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
-      getTemplateInput(succ).getARhs() = pred
+      getTemplateInput(succ).getASink() = pred
    }
  }

@@ -321,8 +321,8 @@ module Templating {
      result = this.getStringValue()
      or
      exists(API::Node node |
-        this = node.getARhs() and
-        result = node.getAValueReachingRhs().getStringValue()
+        this = node.getASink() and
+        result = node.getAValueReachingSink().getStringValue()
      )
    }

--- a/javascript/ql/lib/semmle/javascript/frameworks/TrustedTypes.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/TrustedTypes.qll
@@ -38,7 +38,7 @@ module TrustedTypes {
  private class PolicyInputStep extends DataFlow::SharedFlowStep {
    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
      exists(PolicyCreation policy, string method |
-        pred = policy.getReturn().getMember(method).getParameter(0).getARhs() and
+        pred = policy.getReturn().getMember(method).getParameter(0).getASink() and
        succ = policy.getPolicyCallback(method).getParameter(0)
      )
    }
--- a/javascript/ql/lib/semmle/javascript/frameworks/Vue.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/Vue.qll
@@ -177,7 +177,7 @@ module Vue {
    /** Gets a component which is extended by this one. */
    Component getABaseComponent() {
      result.getComponentRef().getAValueReachableFromSource() =
-        getOwnOptions().getMember(["extends", "mixins"]).getARhs()
+        getOwnOptions().getMember(["extends", "mixins"]).getASink()
    }

    /**
@@ -200,7 +200,7 @@ module Vue {
     * Gets the options passed to the Vue object, such as the object literal `{...}` in `new Vue{{...})`
     * or the default export of a single-file component.
     */
-    deprecated DataFlow::Node getOwnOptionsObject() { result = getOwnOptions().getARhs() }
+    deprecated DataFlow::Node getOwnOptionsObject() { result = getOwnOptions().getASink() }

    /**
     * Gets the class implementing this Vue component, if any.
@@ -208,19 +208,19 @@ module Vue {
     * Specifically, this is a class annotated with `@Component` which flows to the options
     * object of this Vue component.
     */
-    ClassComponent getAsClassComponent() { result = getOwnOptions().getAValueReachingRhs() }
+    ClassComponent getAsClassComponent() { result = getOwnOptions().getAValueReachingSink() }

    /**
     * Gets the node for option `name` for this component, not including
     * those from extended objects and mixins.
     */
-    DataFlow::Node getOwnOption(string name) { result = getOwnOptions().getMember(name).getARhs() }
+    DataFlow::Node getOwnOption(string name) { result = getOwnOptions().getMember(name).getASink() }

    /**
     * Gets the node for option `name` for this component, including those from
     * extended objects and mixins.
     */
-    DataFlow::Node getOption(string name) { result = getOptions().getMember(name).getARhs() }
+    DataFlow::Node getOption(string name) { result = getOptions().getMember(name).getASink() }

    /**
     * Gets a source node flowing into the option `name` of this component, including those from
@@ -228,7 +228,7 @@ module Vue {
     */
    pragma[nomagic]
    DataFlow::SourceNode getOptionSource(string name) {
-      result = getOptions().getMember(name).getAValueReachingRhs()
+      result = getOptions().getMember(name).getAValueReachingSink()
    }

    /**
@@ -289,7 +289,7 @@ module Vue {
    DataFlow::FunctionNode getWatchHandler(string propName) {
      exists(API::Node propWatch |
        propWatch = getOptions().getMember("watch").getMember(propName) and
-        result = [propWatch, propWatch.getMember("handler")].getAValueReachingRhs()
+        result = [propWatch, propWatch.getMember("handler")].getAValueReachingSink()
      )
    }

@@ -322,7 +322,7 @@ module Vue {
     * Gets a node for a function that will be invoked with `this` bound to this component.
     */
    DataFlow::FunctionNode getABoundFunction() {
-      result = getOptions().getAMember+().getAValueReachingRhs()
+      result = getOptions().getAMember+().getAValueReachingSink()
      or
      result = getAsClassComponent().getAnInstanceMember()
    }
@@ -539,7 +539,7 @@ module Vue {

    override API::Node getOwnOptions() {
      // Use the entry point generated by `VueExportEntryPoint`
-      result.getARhs() = getModule().getDefaultOrBulkExport()
+      result.getASink() = getModule().getDefaultOrBulkExport()
    }

    override string toString() { result = file.toString() }
--- a/javascript/ql/lib/semmle/javascript/frameworks/Vuex.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/Vuex.qll
@@ -75,7 +75,7 @@ module Vuex {
        or
        exists(API::CallNode call |
          call = vuex().getMember("createNamespacedHelpers").getACall() and
-          namespace = call.getParameter(0).getAValueReachingRhs().getStringValue() + "/" and
+          namespace = call.getParameter(0).getAValueReachingSink().getStringValue() + "/" and
          this = call.getReturn().getMember(helperName).getACall()
        )
      )
@@ -88,7 +88,7 @@ module Vuex {
    pragma[noinline]
    string getNamespace() {
      getNumArgument() = 2 and
-      result = appendToNamespace(namespace, getParameter(0).getAValueReachingRhs().getStringValue())
+      result = appendToNamespace(namespace, getParameter(0).getAValueReachingSink().getStringValue())
      or
      getNumArgument() = 1 and
      result = namespace
@@ -99,17 +99,17 @@ module Vuex {
     */
    predicate hasMapping(string localName, string storeName) {
      // mapGetters('foo')
-      getLastParameter().getAValueReachingRhs().getStringValue() = localName and
+      getLastParameter().getAValueReachingSink().getStringValue() = localName and
      storeName = getNamespace() + localName
      or
      // mapGetters(['foo', 'bar'])
-      getLastParameter().getUnknownMember().getAValueReachingRhs().getStringValue() = localName and
+      getLastParameter().getUnknownMember().getAValueReachingSink().getStringValue() = localName and
      storeName = getNamespace() + localName
      or
      // mapGetters({foo: 'bar'})
      storeName =
        getNamespace() +
-          getLastParameter().getMember(localName).getAValueReachingRhs().getStringValue() and
+          getLastParameter().getMember(localName).getAValueReachingSink().getStringValue() and
      localName != "*" // ignore special API graph member named "*"
    }

@@ -117,10 +117,10 @@ module Vuex {
    Vue::Component getVueComponent() {
      exists(DataFlow::ObjectLiteralNode obj |
        obj.getASpreadProperty() = getReturn().getAValueReachableFromSource() and
-        result.getOwnOptions().getAMember().getARhs() = obj
+        result.getOwnOptions().getAMember().getASink() = obj
      )
      or
-      result.getOwnOptions().getAMember().getARhs() = this
+      result.getOwnOptions().getAMember().getASink() = this
    }
  }

@@ -146,7 +146,7 @@ module Vuex {
  /** Gets a value that is returned by a getter registered with the given name. */
  private DataFlow::Node getterPred(string name) {
    exists(string prefix, string prop |
-      result = storeConfigObject(prefix).getMember("getters").getMember(prop).getReturn().getARhs() and
+      result = storeConfigObject(prefix).getMember("getters").getMember(prop).getReturn().getASink() and
      name = prefix + prop
    )
  }
@@ -212,19 +212,19 @@ module Vuex {
      commitCall = commitLikeFunctionRef(kind, prefix).getACall()
    |
      // commit('name', payload)
-      name = prefix + commitCall.getParameter(0).getAValueReachingRhs().getStringValue() and
+      name = prefix + commitCall.getParameter(0).getAValueReachingSink().getStringValue() and
      result = commitCall.getArgument(1)
      or
      // commit({type: 'name', ...<payload>...})
      name =
        prefix +
-          commitCall.getParameter(0).getMember("type").getAValueReachingRhs().getStringValue() and
+          commitCall.getParameter(0).getMember("type").getAValueReachingSink().getStringValue() and
      result = commitCall.getArgument(0)
    )
    or
    // this.name(payload)
    // methods: {...mapMutations(['name'])} }
-    result = getAMappedAccess(getMapHelperForCommitKind(kind), name).getParameter(0).getARhs()
+    result = getAMappedAccess(getMapHelperForCommitKind(kind), name).getParameter(0).getASink()
  }

  /** Gets a node that refers the payload of a committed mutation with the given `name.` */
@@ -293,7 +293,7 @@ module Vuex {

  /** Gets a value that flows into the given access path of the state. */
  DataFlow::Node stateMutationPred(string path) {
-    result = stateRefByAccessPath(path).getARhs()
+    result = stateRefByAccessPath(path).getASink()
    or
    exists(ExtendCall call, string base, string prop |
      call.getDestinationOperand() = stateRefByAccessPath(base).getAValueReachableFromSource() and
@@ -325,7 +325,7 @@ module Vuex {
    exists(MapHelperCall call |
      call.getHelperName() = "mapState" and
      component = call.getVueComponent() and
-      result = call.getLastParameter().getMember(name).getReturn().getARhs()
+      result = call.getLastParameter().getMember(name).getReturn().getASink()
    )
  }

--- a/javascript/ql/lib/semmle/javascript/frameworks/data/ModelsAsData.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/data/ModelsAsData.qll
@@ -37,7 +37,7 @@ private class RemoteFlowSourceFromCsv extends RemoteFlowSource {
 private predicate summaryStepNodes(DataFlow::Node pred, DataFlow::Node succ, string kind) {
  exists(API::Node predNode, API::Node succNode |
    Specific::summaryStep(predNode, succNode, kind) and
-    pred = predNode.getARhs() and
+    pred = predNode.getASink() and
    succ = succNode.getASource()
  )
 }
--- a/javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModelsSpecific.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModelsSpecific.qll
@@ -151,7 +151,7 @@ API::Node getExtraSuccessorFromInvoke(API::InvokeNode node, AccessPathToken toke
  or
  token.getName() = "Argument" and
  token.getAnArgument() = "this" and
-  result.getARhs() = node.(DataFlow::CallNode).getReceiver()
+  result.getASink() = node.(DataFlow::CallNode).getReceiver()
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ExternalAPIUsedWithUntrustedDataCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ExternalAPIUsedWithUntrustedDataCustomizations.qll
@@ -48,7 +48,7 @@ module ExternalApiUsedWithUntrustedData {
  }

  /** Holds if `node` corresponds to a deep object argument. */
-  private predicate isDeepObjectSink(API::Node node) { node.getARhs() instanceof DeepObjectSink }
+  private predicate isDeepObjectSink(API::Node node) { node.getASink() instanceof DeepObjectSink }

  /**
   * A sanitizer for data flowing to an external API.
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/MissingRateLimiting.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/MissingRateLimiting.qll
@@ -211,7 +211,7 @@ class RateLimiterFlexibleRateLimiter extends DataFlow::FunctionNode {
      rateLimiterClass = API::moduleImport("rate-limiter-flexible").getMember(rateLimiterClassName) and
      rateLimiterConsume = rateLimiterClass.getInstance().getMember("consume") and
      request.getParameter() = getRouteHandlerParameter(this.getFunction(), "request") and
-      request.getAPropertyRead().flowsTo(rateLimiterConsume.getAParameter().getARhs())
+      request.getAPropertyRead().flowsTo(rateLimiterConsume.getAParameter().getASink())
    )
  }
 }
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/SqlInjectionCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/SqlInjectionCustomizations.qll
@@ -51,7 +51,7 @@ module SqlInjection {
      this = any(LdapJS::ClientCall call).getArgument(0)
      or
      // A search options object, which contains a filter and a baseDN.
-      this = any(LdapJS::SearchOptions opt).getARhs()
+      this = any(LdapJS::SearchOptions opt).getASink()
      or
      // A call to "parseDN", which parses a DN from a string.
      this = LdapJS::ldapjs().getMember("parseDN").getACall().getArgument(0)
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
@@ -681,7 +681,7 @@ module TaintedPath {
            .getMember(["pdf", "screenshot"])
            .getParameter(0)
            .getMember("path")
-            .getARhs()
+            .getASink()
    }
  }

@@ -702,7 +702,7 @@ module TaintedPath {
            .getACall()
            .getParameter(1)
            .getMember("config")
-            .getARhs()
+            .getASink()
    }
  }

@@ -716,7 +716,7 @@ module TaintedPath {
            .getMember(["readPackageAsync", "readPackageSync"])
            .getParameter(0)
            .getMember("cwd")
-            .getARhs()
+            .getASink()
    }
  }

@@ -726,8 +726,8 @@ module TaintedPath {
  private class ShellCwdSink extends TaintedPath::Sink {
    ShellCwdSink() {
      exists(SystemCommandExecution sys, API::Node opts |
-        opts.getARhs() = sys.getOptionsArg() and // assuming that an API::Node exists here.
-        this = opts.getMember("cwd").getARhs()
+        opts.getASink() = sys.getOptionsArg() and // assuming that an API::Node exists here.
+        this = opts.getMember("cwd").getASink()
      )
    }
  }
--- a/javascript/ql/src/Security/CWE-295/DisablingCertificateValidation.ql
+++ b/javascript/ql/src/Security/CWE-295/DisablingCertificateValidation.ql
@@ -45,7 +45,7 @@ where
    or
    // the same thing, but with API-nodes if they happen to be available
    exists(API::Node tlsInvk | tlsInvk.getAnInvocation() = tlsInvocation() |
-      disable.getRhs() = tlsInvk.getAParameter().getMember("rejectUnauthorized").getARhs()
+      disable.getRhs() = tlsInvk.getAParameter().getMember("rejectUnauthorized").getASink()
    )
  ) and
  disable.getRhs().(AnalyzedNode).getTheBooleanValue() = false
--- a/javascript/ql/src/Security/CWE-352/MissingCsrfMiddleware.ql
+++ b/javascript/ql/src/Security/CWE-352/MissingCsrfMiddleware.ql
@@ -143,7 +143,7 @@ API::CallNode passportAuthenticateCall() {
 */
 API::CallNode nonSessionBasedAuthMiddleware() {
  result = passportAuthenticateCall() and
-  result.getParameter(1).getMember("session").getARhs().mayHaveBooleanValue(false)
+  result.getParameter(1).getMember("session").getASink().mayHaveBooleanValue(false)
 }

 /**
--- a/javascript/ql/src/meta/ApiGraphs/ApiGraphRhsNodes.ql
+++ b/javascript/ql/src/meta/ApiGraphs/ApiGraphRhsNodes.ql
@@ -12,4 +12,4 @@
 import javascript
 import meta.MetaMetrics

-select projectRoot(), count(any(API::Node nd).getARhs())
+select projectRoot(), count(any(API::Node nd).getASink())
--- a/javascript/ql/test/ApiGraphs/VerifyAssertions.qll
+++ b/javascript/ql/test/ApiGraphs/VerifyAssertions.qll
@@ -21,7 +21,7 @@ import javascript

 private DataFlow::Node getNode(API::Node nd, string kind) {
  kind = "def" and
-  result = nd.getARhs()
+  result = nd.getASink()
  or
  kind = "use" and
  result = nd.getAValueReachableFromSource()
--- a/javascript/ql/test/ApiGraphs/call-nodes/test.ql
+++ b/javascript/ql/test/ApiGraphs/call-nodes/test.ql
@@ -3,9 +3,9 @@ import javascript
 class FooCall extends API::CallNode {
  FooCall() { this = API::moduleImport("mylibrary").getMember("foo").getACall() }

-  DataFlow::Node getFirst() { result = getParameter(0).getMember("value").getARhs() }
+  DataFlow::Node getFirst() { result = getParameter(0).getMember("value").getASink() }

-  DataFlow::Node getSecond() { result = getParameter(1).getMember("value").getARhs() }
+  DataFlow::Node getSecond() { result = getParameter(1).getMember("value").getASink() }
 }

 query predicate values(FooCall call, int first, int second) {
--- a/javascript/ql/test/library-tests/Routing/test.ql
+++ b/javascript/ql/test/library-tests/Routing/test.ql
@@ -15,6 +15,6 @@ class Taint extends TaintTracking::Configuration {
  override predicate isSink(DataFlow::Node node) {
    node = any(DataFlow::CallNode call | call.getCalleeName() = "sink").getAnArgument()
    or
-    node = testInstance().getMember("getSink").getAParameter().getARhs()
+    node = testInstance().getMember("getSink").getAParameter().getASink()
  }
 }
--- a/javascript/ql/test/library-tests/frameworks/data/test.ql
+++ b/javascript/ql/test/library-tests/frameworks/data/test.ql
@@ -68,7 +68,7 @@ class BasicTaintTracking extends TaintTracking::Configuration {
  override predicate isSink(DataFlow::Node sink) {
    sink = any(DataFlow::CallNode call | call.getCalleeName() = "sink").getAnArgument()
    or
-    sink = ModelOutput::getASinkNode("test-sink").getARhs()
+    sink = ModelOutput::getASinkNode("test-sink").getASink()
  }
 }

@@ -77,7 +77,7 @@ query predicate taintFlow(DataFlow::Node source, DataFlow::Node sink) {
 }

 query predicate isSink(DataFlow::Node node, string kind) {
-  node = ModelOutput::getASinkNode(kind).getARhs()
+  node = ModelOutput::getASinkNode(kind).getASink()
 }

 class SyntaxErrorTest extends ModelInput::SinkModelCsv {