refactor a use of MethodCallExpr in ClientSideUrlRedirectCustomizations.qll

2026-04-30 19:26:02 +02:00 · 2022-03-31 11:07:37 +02:00
parent e0e8085b95
commit 4d0534352e
1 changed files with 8 additions and 8 deletions
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll
@@ -57,23 +57,23 @@ module ClientSideUrlRedirect {
   * when `base` is the current URL.
   */
  predicate untrustedUrlSubstring(DataFlow::Node base, DataFlow::Node substring) {
-    exists(MethodCallExpr mce, string methodName |
-      mce = substring.asExpr() and mce.calls(base.asExpr(), methodName)
+    exists(DataFlow::MethodCallNode mcn, string methodName |
+      mcn = substring and mcn.calls(base, methodName)
    |
      methodName = "split" and
      // exclude all splits where only the prefix is accessed, which is safe for url-redirects.
-      not exists(PropAccess pacc | mce = pacc.getBase() | pacc.getPropertyName() = "0")
+      not exists(DataFlow::PropRead pacc | mcn = pacc.getBase() | pacc.getPropertyName() = "0")
      or
      methodName = StringOps::substringMethodName() and
      // exclude `location.href.substring(0, ...)` and similar, which can
      // never refer to the query string
-      not mce.getArgument(0).(NumberLiteral).getIntValue() = 0
+      not mcn.getArgument(0).asExpr().(NumberLiteral).getIntValue() = 0
    )
    or
-    exists(MethodCallExpr mce |
-      substring.asExpr() = mce and
-      mce = any(DataFlow::RegExpCreationNode re).getAMethodCall("exec").asExpr() and
-      base.asExpr() = mce.getArgument(0)
+    exists(DataFlow::MethodCallNode mcn |
+      substring = mcn and
+      mcn = any(DataFlow::RegExpCreationNode re).getAMethodCall("exec") and
+      base = mcn.getArgument(0)
    )
  }