Use more flowTo.

2025-12-17 01:03:14 +01:00 · 2025-12-03 14:12:08 +01:00
parent dc6d3fe7ba
commit 78e1879c9e
18 changed files with 19 additions and 19 deletions
--- a/cpp/ql/src/Security/CWE/CWE-020/ExternalAPIs.qll
+++ b/cpp/ql/src/Security/CWE/CWE-020/ExternalAPIs.qll
@@ -10,7 +10,7 @@ import ExternalAPIsSpecific
 /** A node representing untrusted data being passed to an external API. */
 class UntrustedExternalApiDataNode extends ExternalApiDataNode {
-  UntrustedExternalApiDataNode() { UntrustedDataToExternalApiFlow::flow(_, this) }
+  UntrustedExternalApiDataNode() { UntrustedDataToExternalApiFlow::flowTo(this) }
  /** Gets a source of untrusted data which is passed to this external API data node. */
  DataFlow::Node getAnUntrustedSource() { UntrustedDataToExternalApiFlow::flow(result, this) }
--- a/cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIs.qll
+++ b/cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIs.qll
@@ -10,7 +10,7 @@ import ExternalAPIsSpecific
 /** A node representing untrusted data being passed to an external API. */
 class UntrustedExternalApiDataNode extends ExternalApiDataNode {
-  UntrustedExternalApiDataNode() { UntrustedDataToExternalApiFlow::flow(_, this) }
+  UntrustedExternalApiDataNode() { UntrustedDataToExternalApiFlow::flowTo(this) }
  /** Gets a source of untrusted data which is passed to this external API data node. */
  DataFlow::Node getAnUntrustedSource() { UntrustedDataToExternalApiFlow::flow(result, this) }
--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ExternalAPIsQuery.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ExternalAPIsQuery.qll
@@ -85,7 +85,7 @@ module RemoteSourceToExternalApi = TaintTracking::Global<RemoteSourceToExternalA
 /** A node representing untrusted data being passed to an external API. */
 class UntrustedExternalApiDataNode extends ExternalApiDataNode {
-  UntrustedExternalApiDataNode() { RemoteSourceToExternalApi::flow(_, this) }
+  UntrustedExternalApiDataNode() { RemoteSourceToExternalApi::flowTo(this) }
  /** Gets a source of untrusted data which is passed to this external API data node. */
  DataFlow::Node getAnUntrustedSource() { RemoteSourceToExternalApi::flow(result, this) }
--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ReDoSQuery.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ReDoSQuery.qll
@@ -91,7 +91,7 @@ class ExponentialRegexSink extends DataFlow::ExprNode, Sink {
  ExponentialRegexSink() {
    exists(RegexOperation regexOperation |
      // Exponential regex flows to the pattern argument
-      ExponentialRegexDataFlow::flow(_, DataFlow::exprNode(regexOperation.getPattern()))
+      ExponentialRegexDataFlow::flowToExpr(regexOperation.getPattern())
    |
      // This is used as an input for this pattern
      this.getExpr() = regexOperation.getInput() and
--- a/Features/CWE-502/UnsafeDeserializationUntrustedInput.ql
+++ b/Features/CWE-502/UnsafeDeserializationUntrustedInput.ql
@@ -53,7 +53,7 @@ where
  // JsonConvert static method call, but with additional unsafe typename tracking
  exists(DataFlow::Node settingsCallArg |
    JsonConvertTracking::flowPath(userInput.asPathNode3(), deserializeCallArg.asPathNode3()) and
-    TypeNameTracking::flow(_, settingsCallArg) and
+    TypeNameTracking::flowTo(settingsCallArg) and
    sameParent(deserializeCallArg.getNode(), settingsCallArg)
  )
 select deserializeCallArg, userInput, deserializeCallArg, "$@ flows to unsafe deserializer.",
--- a/go/ql/lib/semmle/go/security/AllocationSizeOverflow.qll
+++ b/go/ql/lib/semmle/go/security/AllocationSizeOverflow.qll
@@ -27,7 +27,7 @@ module AllocationSizeOverflow {
  private module FindLargeLensFlow = TaintTracking::Global<FindLargeLensConfig>;
  private DataFlow::CallNode getALargeLenCall() {
-    exists(DataFlow::Node lenArg | FindLargeLensFlow::flow(_, lenArg) |
+    exists(DataFlow::Node lenArg | FindLargeLensFlow::flowTo(lenArg) |
      result.getArgument(0) = lenArg
    )
  }
--- a/go/ql/lib/semmle/go/security/ExternalAPIs.qll
+++ b/go/ql/lib/semmle/go/security/ExternalAPIs.qll
@@ -211,7 +211,7 @@ module UntrustedDataToUnknownExternalApiFlow =
 /** A node representing untrusted data being passed to an external API. */
 class UntrustedExternalApiDataNode extends ExternalApiDataNode {
-  UntrustedExternalApiDataNode() { UntrustedDataToExternalApiFlow::flow(_, this) }
+  UntrustedExternalApiDataNode() { UntrustedDataToExternalApiFlow::flowTo(this) }
  /** Gets a source of untrusted data which is passed to this external API data node. */
  DataFlow::Node getAnUntrustedSource() { UntrustedDataToExternalApiFlow::flow(result, this) }
--- a/go/ql/src/Security/CWE-601/OpenUrlRedirect.ql
+++ b/go/ql/src/Security/CWE-601/OpenUrlRedirect.ql
@@ -21,6 +21,6 @@ where
  OpenUrlRedirect::Flow::flowPath(source, sink) and
  // this excludes flow from safe parts of request URLs, for example the full URL when the
  // doing a redirect from `http://<path>` to `https://<path>`
-  not SafeUrlFlow::Flow::flow(_, sink.getNode())
+  not SafeUrlFlow::Flow::flowTo(sink.getNode())
 select sink.getNode(), source, sink, "This path to an untrusted URL redirection depends on a $@.",
  source.getNode(), "user-provided value"
--- a/go/ql/src/Security/CWE-918/RequestForgery.ql
+++ b/go/ql/src/Security/CWE-918/RequestForgery.ql
@@ -21,6 +21,6 @@ where
  RequestForgery::Flow::flowPath(source, sink) and
  request = sink.getNode().(RequestForgery::Sink).getARequest() and
  // this excludes flow from safe parts of request URLs, for example the full URL
-  not SafeUrlFlow::Flow::flow(_, sink.getNode())
+  not SafeUrlFlow::Flow::flowTo(sink.getNode())
 select request, source, sink, "The $@ of this request depends on a $@.", sink.getNode(),
  sink.getNode().(RequestForgery::Sink).getKind(), source, "user-provided value"
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ExternalAPIUsedWithUntrustedDataQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ExternalAPIUsedWithUntrustedDataQuery.qll
@@ -97,7 +97,7 @@ class ExternalApiDataNode extends DataFlow::Node instanceof Sink { }
 /** A node representing untrusted data being passed to an external API. */
 class UntrustedExternalApiDataNode extends ExternalApiDataNode {
-  UntrustedExternalApiDataNode() { ExternalAPIUsedWithUntrustedDataFlow::flow(_, this) }
+  UntrustedExternalApiDataNode() { ExternalAPIUsedWithUntrustedDataFlow::flowTo(this) }
  /** Gets a source of untrusted data which is passed to this external API data node. */
  DataFlow::Node getAnUntrustedSource() { ExternalAPIUsedWithUntrustedDataFlow::flow(result, this) }
@@ -110,7 +110,7 @@ private newtype TExternalApi =
  /** An external API sink with `name`. */
  MkExternalApiNode(string name) {
    exists(Sink sink |
-      ExternalAPIUsedWithUntrustedDataFlow::flow(_, sink) and
+      ExternalAPIUsedWithUntrustedDataFlow::flowTo(sink) and
      name = sink.getApiName()
    )
  }
--- a/javascript/ql/test/library-tests/FlowSummary/test.ql
+++ b/javascript/ql/test/library-tests/FlowSummary/test.ql
@@ -32,5 +32,5 @@ class BasicBarrierGuard extends DataFlow::CallNode {
 deprecated class ConsistencyConfig extends ConsistencyConfiguration {
  ConsistencyConfig() { this = "ConsistencyConfig" }
-  override DataFlow::Node getAnAlert() { Flow::flow(_, result) }
+  override DataFlow::Node getAnAlert() { Flow::flowTo(result) }
 }
--- a/javascript/ql/test/tutorials/Introducing
+++ b/javascript/ql/test/tutorials/Introducing
@@ -14,7 +14,7 @@ predicate passwordVarAssign(Variable v, DataFlow::Node nd) {
 module PasswordFlow = DataFlow::Global<PasswordConfig>;
 query predicate test_query17(DataFlow::Node sink, string res) {
-  exists(Variable v | PasswordFlow::flow(_, sink) and passwordVarAssign(v, sink) |
+  exists(Variable v | PasswordFlow::flowTo(sink) and passwordVarAssign(v, sink) |
    res = "Password variable " + v.toString() + " is assigned a constant string."
  )
 }
--- a/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryQuery.qll
@@ -50,7 +50,7 @@ module FullServerSideRequestForgeryFlow = TaintTracking::Global<FullServerSideRe
 */
 predicate fullyControlledRequest(Http::Client::Request request) {
  forall(DataFlow::Node urlPart | urlPart = request.getAUrlPart() |
-    FullServerSideRequestForgeryFlow::flow(_, urlPart)
+    FullServerSideRequestForgeryFlow::flowTo(urlPart)
  )
 }
--- a/python/ql/src/Security/CWE-020-ExternalAPIs/ExternalAPIs.qll
+++ b/python/ql/src/Security/CWE-020-ExternalAPIs/ExternalAPIs.qll
@@ -182,7 +182,7 @@ module UntrustedDataToExternalApiFlow = TaintTracking::Global<UntrustedDataToExt
 /** A node representing untrusted data being passed to an external API. */
 class UntrustedExternalApiDataNode extends ExternalApiDataNode {
-  UntrustedExternalApiDataNode() { UntrustedDataToExternalApiFlow::flow(_, this) }
+  UntrustedExternalApiDataNode() { UntrustedDataToExternalApiFlow::flowTo(this) }
  /** Gets a source of untrusted data which is passed to this external API data node. */
  DataFlow::Node getAnUntrustedSource() { UntrustedDataToExternalApiFlow::flow(result, this) }
--- a/python/ql/src/meta/alerts/RemoteFlowSourcesReach.ql
+++ b/python/ql/src/meta/alerts/RemoteFlowSourcesReach.ql
@@ -38,5 +38,5 @@ module RemoteFlowSourceReachConfig implements DataFlow::ConfigSig {
 module RemoteFlowSourceReachFlow = TaintTracking::Global<RemoteFlowSourceReachConfig>;
 from DataFlow::Node reachable
-where RemoteFlowSourceReachFlow::flow(_, reachable)
+where RemoteFlowSourceReachFlow::flowTo(reachable)
 select reachable, prettyNode(reachable)
--- a/ruby/ql/src/queries/meta/TaintedNodes.ql
+++ b/ruby/ql/src/queries/meta/TaintedNodes.ql
@@ -28,5 +28,5 @@ private module BasicTaintConfig implements DataFlow::ConfigSig {
 private module BasicTaintFlow = TaintTracking::Global<BasicTaintConfig>;
 from DataFlow::Node node
-where BasicTaintFlow::flow(_, node)
+where BasicTaintFlow::flowTo(node)
 select node, "Tainted node"
--- a/rust/ql/src/queries/security/CWE-614/InsecureCookie.ql
+++ b/rust/ql/src/queries/security/CWE-614/InsecureCookie.ql
@@ -88,5 +88,5 @@ import InsecureCookieFlow::PathGraph
 from InsecureCookieFlow::PathNode sourceNode, InsecureCookieFlow::PathNode sinkNode
 where
  InsecureCookieFlow::flowPath(sourceNode, sinkNode) and
-  not PartitionedCookieFlow::flow(_, sinkNode.getNode())
+  not PartitionedCookieFlow::flowTo(sinkNode.getNode())
 select sinkNode.getNode(), sourceNode, sinkNode, "Cookie attribute 'Secure' is not set to true."
--- a/swift/ql/lib/codeql/swift/security/CleartextTransmissionExtensions.qll
+++ b/swift/ql/lib/codeql/swift/security/CleartextTransmissionExtensions.qll
@@ -87,7 +87,7 @@ private class UrlTransmittedSink extends CleartextTransmissionSink {
    // exclude `tel:` and similar URLs. These URLs necessarily contain
    // sensitive data which you expect to transmit only by making the
    // phone call (or similar operation).
-    not ExcludeUrlFlow::flow(_, this)
+    not ExcludeUrlFlow::flowTo(this)
  }
 }