add unary type-tracking predicates

javascript/ql/src/semmle/javascript/security/dataflow/IndirectCommandArgument.qll

@@ -33,6 +33,13 @@ private DataFlow::Node commandArgument(SystemCommandExecution sys, DataFlow::Typ
   exists(DataFlow::TypeBackTracker t2 | t = t2.smallstep(result, commandArgument(sys, t2)))
 }
 
+/**
+ * Gets a data-flow node whose value ends up being interpreted as the command argument in `sys`. 
+ */
+private DataFlow::Node commandArgument(SystemCommandExecution sys) {
+  result = commandArgument(sys, DataFlow::TypeBackTracker::end())
+}
+
 /**
  * Gets a data-flow node whose value ends up being interpreted as the argument list in `sys`
  * after a flow summarized by `t`.
@@ -51,6 +58,13 @@ private DataFlow::SourceNode argumentList(SystemCommandExecution sys, DataFlow::
   )
 }
 
+/**
+ * Gets a data-flow node whose value ends up being interpreted as the argument list in `sys`. 
+ */
+private DataFlow::SourceNode argumentList(SystemCommandExecution sys) {
+  result = argumentList(sys, DataFlow::TypeBackTracker::end())
+}
+
 /**
  * Holds if `source` contributes to the arguments of an indirect command execution `sys`.
  *
@@ -73,13 +87,13 @@ private DataFlow::SourceNode argumentList(SystemCommandExecution sys, DataFlow::
 predicate isIndirectCommandArgument(DataFlow::Node source, SystemCommandExecution sys) {
   exists(DataFlow::ArrayCreationNode args, DataFlow::Node shell, string dashC |
     shellCmd(shell.asExpr(), dashC) and
-    shell = commandArgument(sys, DataFlow::TypeBackTracker::end()) and
+    shell = commandArgument(sys) and
     args.getAPropertyWrite().getRhs().mayHaveStringValue(dashC) and
-    args = argumentList(sys, DataFlow::TypeBackTracker::end()) and
+    args = argumentList(sys) and
     (
-      source = argumentList(sys, DataFlow::TypeBackTracker::end())
+      source = argumentList(sys)
       or
-      source = argumentList(sys, DataFlow::TypeBackTracker::end()).getAPropertyWrite().getRhs()
+      source = argumentList(sys).getAPropertyWrite().getRhs()
     )
   )
 }