JS: Address review comments

javascript/ql/src/Security/CWE-022/ZipSlip.qhelp

@@ -45,7 +45,7 @@ instance, if it were created by something like <code>zip archive.zip
 <sample src="ZipSlipBad.js" />
 
 <p>To fix this vulnerability, we can to check that the path does not
-contain any <code>".."</code> in it.
+contain any <code>".."</code> elements in it.
 </p>
 
 <sample src="ZipSlipGood.js" />

javascript/ql/src/semmle/javascript/security/dataflow/ZipSlip.qll

@@ -43,6 +43,7 @@ module ZipSlip {
     // universal) pattern when using nodejs streams, whose return
     // value is the parsed stream.
     exists(DataFlow::MethodCallNode pipe |
+      pipe = result and
       pipe.getMethodName() = "pipe" and
       parsedArchive().flowsTo(pipe.getArgument(0))
     )
@@ -63,11 +64,12 @@ module ZipSlip {
     // there is an `UnzipEntrySource` node corresponding to
     // the expression `entry.path`.
     UnzipEntrySource() {
-      this = parsedArchive()
-            .getAMemberCall("on")
-            .getCallback(1)
-            .getParameter(0)
-            .getAPropertyRead("path")
+      exists(DataFlow::CallNode cn |
+        cn = parsedArchive().getAMemberCall("on") and
+        cn.getArgument(0).mayHaveStringValue("entry") and
+        this = cn.getCallback(1)
+        .getParameter(0)
+        .getAPropertyRead("path"))
     }
   }