Apply suggestions from code review

Co-authored-by: Esben Sparre Andreasen <esbena@github.com>
Erik Krogh Kristensen
2020-05-14 10:05:59 +02:00
committed by GitHub
parent ce5356f592
commit 422ade16db
2 changed files with 3 additions and 3 deletions


@@ -26,7 +26,7 @@
| Expression has no effect (`js/useless-expression`) | Less results | This query no longer flags an expression when that expression is the only content of the containing file. |
| Unknown directive (`js/unknown-directive`) | Less results | This query no longer flags directives generated by the Babel compiler. |
| Code injection (`js/code-injection`) | More results | More potential vulnerabilities involving NoSQL code operators are now recognized. |
| Zip Slip (`js/zipslip`) | More results | This query now recognizes some zip-slip vulnerabilities involving links. |
| Zip Slip (`js/zipslip`) | More results | This query now recognizes zip-slip vulnerabilities involving links. |
## Changes to libraries
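
Review bot: In the Zip Slip (`js/zipslip`) row, dropping "some" makes the change note read as if every zip-slip flow involving links is now detected. If the query only models particular link cases, keep the qualifier or name the cases it covers, so readers of the change notes do not assume complete coverage. The unchanged rows above also say "Less results", where "Fewer results" would be the correct form if the table's category wording allows it.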


@@ -127,9 +127,9 @@ module ZipSlip {
*/
class PathSanitizer extends Sanitizer, DataFlow::CallNode {
PathSanitizer() {
this = DataFlow::moduleMember("path", "join").getACall() and
this = NodeJSLib::Path::moduleMember("join").getACall() and
exists(DataFlow::CallNode inner | inner = getArgument(1) |
inner = DataFlow::moduleMember("path", "join").getACall() and
inner = NodeJSLib::Path::moduleMember("join").getACall() and
inner.getArgument(0).mayHaveStringValue("/")
)
}
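
Review bot: In `PathSanitizer()`, the inner check `inner.getArgument(0).mayHaveStringValue("/")` holds when "/" is only one of the possible values of that argument, so a `join` call whose first argument can also be some other string is still treated as sanitizing, which can hide real zip-slip flows. Consider requiring that the argument is known to be "/" before treating the outer call as a sanitizer, or document why the may-analysis is acceptable here. The expression `NodeJSLib::Path::moduleMember("join").getACall()` now appears twice in the constructor; a small helper predicate would keep the two uses in sync, and a test case for the sanitizer pattern would show what the switch to `NodeJSLib::Path` changes.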