Use more flowTo.

cpp/ql/src/Security/CWE/CWE-020/ExternalAPIs.qll

@@ -10,7 +10,7 @@ import ExternalAPIsSpecific
 
 /** A node representing untrusted data being passed to an external API. */
 class UntrustedExternalApiDataNode extends ExternalApiDataNode {
-  UntrustedExternalApiDataNode() { UntrustedDataToExternalApiFlow::flow(_, this) }
+  UntrustedExternalApiDataNode() { UntrustedDataToExternalApiFlow::flowTo(this) }
 
   /** Gets a source of untrusted data which is passed to this external API data node. */
   DataFlow::Node getAnUntrustedSource() { UntrustedDataToExternalApiFlow::flow(result, this) }

cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIs.qll

@@ -10,7 +10,7 @@ import ExternalAPIsSpecific
 
 /** A node representing untrusted data being passed to an external API. */
 class UntrustedExternalApiDataNode extends ExternalApiDataNode {
-  UntrustedExternalApiDataNode() { UntrustedDataToExternalApiFlow::flow(_, this) }
+  UntrustedExternalApiDataNode() { UntrustedDataToExternalApiFlow::flowTo(this) }
 
   /** Gets a source of untrusted data which is passed to this external API data node. */
   DataFlow::Node getAnUntrustedSource() { UntrustedDataToExternalApiFlow::flow(result, this) }

csharp/ql/lib/semmle/code/csharp/security/dataflow/ExternalAPIsQuery.qll

@@ -85,7 +85,7 @@ module RemoteSourceToExternalApi = TaintTracking::Global<RemoteSourceToExternalA
 
 /** A node representing untrusted data being passed to an external API. */
 class UntrustedExternalApiDataNode extends ExternalApiDataNode {
-  UntrustedExternalApiDataNode() { RemoteSourceToExternalApi::flow(_, this) }
+  UntrustedExternalApiDataNode() { RemoteSourceToExternalApi::flowTo(this) }
 
   /** Gets a source of untrusted data which is passed to this external API data node. */
   DataFlow::Node getAnUntrustedSource() { RemoteSourceToExternalApi::flow(result, this) }

csharp/ql/lib/semmle/code/csharp/security/dataflow/ReDoSQuery.qll

@@ -91,7 +91,7 @@ class ExponentialRegexSink extends DataFlow::ExprNode, Sink {
   ExponentialRegexSink() {
     exists(RegexOperation regexOperation |
       // Exponential regex flows to the pattern argument
-      ExponentialRegexDataFlow::flow(_, DataFlow::exprNode(regexOperation.getPattern()))
+      ExponentialRegexDataFlow::flowToExpr(regexOperation.getPattern())
     |
       // This is used as an input for this pattern
       this.getExpr() = regexOperation.getInput() and

csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql

@@ -53,7 +53,7 @@ where
   // JsonConvert static method call, but with additional unsafe typename tracking
   exists(DataFlow::Node settingsCallArg |
     JsonConvertTracking::flowPath(userInput.asPathNode3(), deserializeCallArg.asPathNode3()) and
-    TypeNameTracking::flow(_, settingsCallArg) and
+    TypeNameTracking::flowTo(settingsCallArg) and
     sameParent(deserializeCallArg.getNode(), settingsCallArg)
   )
 select deserializeCallArg, userInput, deserializeCallArg, "$@ flows to unsafe deserializer.",

go/ql/lib/semmle/go/security/AllocationSizeOverflow.qll

@@ -27,7 +27,7 @@ module AllocationSizeOverflow {
   private module FindLargeLensFlow = TaintTracking::Global<FindLargeLensConfig>;
 
   private DataFlow::CallNode getALargeLenCall() {
-    exists(DataFlow::Node lenArg | FindLargeLensFlow::flow(_, lenArg) |
+    exists(DataFlow::Node lenArg | FindLargeLensFlow::flowTo(lenArg) |
       result.getArgument(0) = lenArg
     )
   }

go/ql/lib/semmle/go/security/ExternalAPIs.qll

@@ -211,7 +211,7 @@ module UntrustedDataToUnknownExternalApiFlow =
 
 /** A node representing untrusted data being passed to an external API. */
 class UntrustedExternalApiDataNode extends ExternalApiDataNode {
-  UntrustedExternalApiDataNode() { UntrustedDataToExternalApiFlow::flow(_, this) }
+  UntrustedExternalApiDataNode() { UntrustedDataToExternalApiFlow::flowTo(this) }
 
   /** Gets a source of untrusted data which is passed to this external API data node. */
   DataFlow::Node getAnUntrustedSource() { UntrustedDataToExternalApiFlow::flow(result, this) }

go/ql/src/Security/CWE-601/OpenUrlRedirect.ql

@@ -21,6 +21,6 @@ where
   OpenUrlRedirect::Flow::flowPath(source, sink) and
   // this excludes flow from safe parts of request URLs, for example the full URL when the
   // doing a redirect from `http://<path>` to `https://<path>`
-  not SafeUrlFlow::Flow::flow(_, sink.getNode())
+  not SafeUrlFlow::Flow::flowTo(sink.getNode())
 select sink.getNode(), source, sink, "This path to an untrusted URL redirection depends on a $@.",
   source.getNode(), "user-provided value"

go/ql/src/Security/CWE-918/RequestForgery.ql

@@ -21,6 +21,6 @@ where
   RequestForgery::Flow::flowPath(source, sink) and
   request = sink.getNode().(RequestForgery::Sink).getARequest() and
   // this excludes flow from safe parts of request URLs, for example the full URL
-  not SafeUrlFlow::Flow::flow(_, sink.getNode())
+  not SafeUrlFlow::Flow::flowTo(sink.getNode())
 select request, source, sink, "The $@ of this request depends on a $@.", sink.getNode(),
   sink.getNode().(RequestForgery::Sink).getKind(), source, "user-provided value"

javascript/ql/lib/semmle/javascript/security/dataflow/ExternalAPIUsedWithUntrustedDataQuery.qll

@@ -97,7 +97,7 @@ class ExternalApiDataNode extends DataFlow::Node instanceof Sink { }
 
 /** A node representing untrusted data being passed to an external API. */
 class UntrustedExternalApiDataNode extends ExternalApiDataNode {
-  UntrustedExternalApiDataNode() { ExternalAPIUsedWithUntrustedDataFlow::flow(_, this) }
+  UntrustedExternalApiDataNode() { ExternalAPIUsedWithUntrustedDataFlow::flowTo(this) }
 
   /** Gets a source of untrusted data which is passed to this external API data node. */
   DataFlow::Node getAnUntrustedSource() { ExternalAPIUsedWithUntrustedDataFlow::flow(result, this) }
@@ -110,7 +110,7 @@ private newtype TExternalApi =
   /** An external API sink with `name`. */
   MkExternalApiNode(string name) {
     exists(Sink sink |
-      ExternalAPIUsedWithUntrustedDataFlow::flow(_, sink) and
+      ExternalAPIUsedWithUntrustedDataFlow::flowTo(sink) and
       name = sink.getApiName()
     )
   }

javascript/ql/test/library-tests/FlowSummary/test.ql

@@ -32,5 +32,5 @@ class BasicBarrierGuard extends DataFlow::CallNode {
 deprecated class ConsistencyConfig extends ConsistencyConfiguration {
   ConsistencyConfig() { this = "ConsistencyConfig" }
 
-  override DataFlow::Node getAnAlert() { Flow::flow(_, result) }
+  override DataFlow::Node getAnAlert() { Flow::flowTo(result) }
 }

javascript/ql/test/tutorials/Introducing the JavaScript libraries/query17.qll

@@ -14,7 +14,7 @@ predicate passwordVarAssign(Variable v, DataFlow::Node nd) {
 module PasswordFlow = DataFlow::Global<PasswordConfig>;
 
 query predicate test_query17(DataFlow::Node sink, string res) {
-  exists(Variable v | PasswordFlow::flow(_, sink) and passwordVarAssign(v, sink) |
+  exists(Variable v | PasswordFlow::flowTo(sink) and passwordVarAssign(v, sink) |
     res = "Password variable " + v.toString() + " is assigned a constant string."
   )
 }

python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryQuery.qll

@@ -50,7 +50,7 @@ module FullServerSideRequestForgeryFlow = TaintTracking::Global<FullServerSideRe
  */
 predicate fullyControlledRequest(Http::Client::Request request) {
   forall(DataFlow::Node urlPart | urlPart = request.getAUrlPart() |
-    FullServerSideRequestForgeryFlow::flow(_, urlPart)
+    FullServerSideRequestForgeryFlow::flowTo(urlPart)
   )
 }
 

python/ql/src/Security/CWE-020-ExternalAPIs/ExternalAPIs.qll

@@ -182,7 +182,7 @@ module UntrustedDataToExternalApiFlow = TaintTracking::Global<UntrustedDataToExt
 
 /** A node representing untrusted data being passed to an external API. */
 class UntrustedExternalApiDataNode extends ExternalApiDataNode {
-  UntrustedExternalApiDataNode() { UntrustedDataToExternalApiFlow::flow(_, this) }
+  UntrustedExternalApiDataNode() { UntrustedDataToExternalApiFlow::flowTo(this) }
 
   /** Gets a source of untrusted data which is passed to this external API data node. */
   DataFlow::Node getAnUntrustedSource() { UntrustedDataToExternalApiFlow::flow(result, this) }

python/ql/src/meta/alerts/RemoteFlowSourcesReach.ql

@@ -38,5 +38,5 @@ module RemoteFlowSourceReachConfig implements DataFlow::ConfigSig {
 module RemoteFlowSourceReachFlow = TaintTracking::Global<RemoteFlowSourceReachConfig>;
 
 from DataFlow::Node reachable
-where RemoteFlowSourceReachFlow::flow(_, reachable)
+where RemoteFlowSourceReachFlow::flowTo(reachable)
 select reachable, prettyNode(reachable)

ruby/ql/src/queries/meta/TaintedNodes.ql

@@ -28,5 +28,5 @@ private module BasicTaintConfig implements DataFlow::ConfigSig {
 private module BasicTaintFlow = TaintTracking::Global<BasicTaintConfig>;
 
 from DataFlow::Node node
-where BasicTaintFlow::flow(_, node)
+where BasicTaintFlow::flowTo(node)
 select node, "Tainted node"

rust/ql/src/queries/security/CWE-614/InsecureCookie.ql

@@ -88,5 +88,5 @@ import InsecureCookieFlow::PathGraph
 from InsecureCookieFlow::PathNode sourceNode, InsecureCookieFlow::PathNode sinkNode
 where
   InsecureCookieFlow::flowPath(sourceNode, sinkNode) and
-  not PartitionedCookieFlow::flow(_, sinkNode.getNode())
+  not PartitionedCookieFlow::flowTo(sinkNode.getNode())
 select sinkNode.getNode(), sourceNode, sinkNode, "Cookie attribute 'Secure' is not set to true."

swift/ql/lib/codeql/swift/security/CleartextTransmissionExtensions.qll

@@ -87,7 +87,7 @@ private class UrlTransmittedSink extends CleartextTransmissionSink {
     // exclude `tel:` and similar URLs. These URLs necessarily contain
     // sensitive data which you expect to transmit only by making the
     // phone call (or similar operation).
-    not ExcludeUrlFlow::flow(_, this)
+    not ExcludeUrlFlow::flowTo(this)
   }
 }