deprecate the HTTP flowsTo predicates to avoid confusion with SourceNode::flowsTo

javascript/ql/lib/semmle/javascript/frameworks/Connect.qll

@@ -66,7 +66,7 @@ module Connect {
       getMethodName() = "use" and
       (
         // app.use(fun)
-        server.flowsTo(getReceiver())
+        server.ref().flowsToExpr(getReceiver())
         or
         // app.use(...).use(fun)
         this.getReceiver().(RouteSetup).getServer() = server

javascript/ql/lib/semmle/javascript/frameworks/Express.qll

@@ -43,7 +43,7 @@ module Express {
   /**
    * Holds if `e` may refer to the given `router` object.
    */
-  private predicate isRouter(Expr e, RouterDefinition router) { router.flowsTo(e) }
+  private predicate isRouter(Expr e, RouterDefinition router) { router.ref().flowsToExpr(e) } // TODO: DataFlow::Node
 
   /**
    * Holds if `e` may refer to a router object.
@@ -853,21 +853,24 @@ module Express {
     DataFlow::SourceNode ref() { result = this.ref(DataFlow::TypeTracker::end()) }
 
     /**
+     * DEPRECATED: Use `ref().flowsToExpr()` instead.
      * Holds if `sink` may refer to this router.
      */
-    predicate flowsTo(Expr sink) { this.ref().flowsToExpr(sink) }
+    deprecated predicate flowsTo(Expr sink) { this.ref().flowsToExpr(sink) }
 
     /**
      * Gets a `RouteSetup` that was used for setting up a route on this router.
      */
-    private RouteSetup getARouteSetup() { this.flowsTo(result.getReceiver()) }
+    private RouteSetup getARouteSetup() { this.ref().flowsToExpr(result.getReceiver()) }
 
     /**
      * Gets a sub-router registered on this router.
      *
      * Example: `router2` for `router1.use(router2)` or `router1.use("/route2", router2)`
      */
-    RouterDefinition getASubRouter() { result.flowsTo(this.getARouteSetup().getAnArgument()) }
+    RouterDefinition getASubRouter() {
+      result.ref().flowsToExpr(this.getARouteSetup().getAnArgument())
+    }
 
     /**
      * Gets a route handler registered on this router.

javascript/ql/lib/semmle/javascript/frameworks/HTTP.qll

@@ -272,10 +272,14 @@ module HTTP {
         exists(DataFlow::TypeTracker t2 | result = this.ref(t2).track(t2, t))
       }
 
+      /** Gets a data flow node referring to this server. */
+      DataFlow::SourceNode ref() { result = this.ref(DataFlow::TypeTracker::end()) }
+
       /**
+       * DEPRECATED: Use `ref().flowsToExpr()` instead.
        * Holds if `sink` may refer to this server definition.
        */
-      predicate flowsTo(Expr sink) { this.ref(DataFlow::TypeTracker::end()).flowsToExpr(sink) }
+      deprecated predicate flowsTo(Expr sink) { this.ref().flowsToExpr(sink) }
     }
 
     /**

javascript/ql/lib/semmle/javascript/frameworks/Hapi.qll

@@ -189,7 +189,7 @@ module Hapi {
     Expr handler;
 
     RouteSetup() {
-      server.flowsTo(getReceiver()) and
+      server.ref().flowsToExpr(getReceiver()) and
       (
         // server.route({ handler: fun })
         getMethodName() = "route" and

javascript/ql/lib/semmle/javascript/frameworks/Koa.qll

@@ -118,8 +118,6 @@ module Koa {
      */
     RouteHandler getRouteHandler() { result = rh }
 
-    predicate flowsTo(DataFlow::Node nd) { this.ref().flowsTo(nd) }
-
     private DataFlow::SourceNode ref(DataFlow::TypeTracker t) {
       t.start() and
       result = this
@@ -258,7 +256,7 @@ module Koa {
   class ContextExpr extends Expr {
     ContextSource src;
 
-    ContextExpr() { src.flowsTo(DataFlow::valueNode(this)) }
+    ContextExpr() { src.ref().flowsTo(DataFlow::valueNode(this)) }
 
     /**
      * Gets the route handler that provides this response.
@@ -390,7 +388,7 @@ module Koa {
 
     RouteSetup() {
       // app.use(fun)
-      server.flowsTo(this.getReceiver()) and
+      server.ref().flowsToExpr(this.getReceiver()) and
       this.getMethodName() = "use"
     }
 

javascript/ql/lib/semmle/javascript/frameworks/NodeJSLib.qll

@@ -221,10 +221,10 @@ module NodeJSLib {
     Expr handler;
 
     RouteSetup() {
-      server.flowsTo(this) and
+      server.ref().flowsToExpr(this) and
       handler = this.getLastArgument()
       or
-      server.flowsTo(this.getReceiver()) and
+      server.ref().flowsToExpr(this.getReceiver()) and
       this.(MethodCallExpr).getMethodName().regexpMatch("on(ce)?") and
       this.getArgument(0).getStringValue() = "request" and
       handler = this.getArgument(1)

javascript/ql/lib/semmle/javascript/frameworks/Restify.qll

@@ -144,7 +144,7 @@ module Restify {
     RouteSetup() {
       // server.get('/', fun)
       // server.head('/', fun)
-      server.flowsTo(getReceiver()) and
+      server.ref().flowsToExpr(getReceiver()) and
       getMethodName() = any(HTTP::RequestMethodName m).toLowerCase()
     }
 

javascript/ql/lib/semmle/javascript/security/dataflow/TemplateObjectInjectionCustomizations.qll

@@ -76,8 +76,8 @@ module TemplateObjectInjection {
   predicate usesVulnerableTemplateEngine(Express::RouterDefinition router) {
     // option 1: `app.set("view engine", "theEngine")`.
     // Express will load the engine automatically.
-    exists(MethodCallExpr call |
-      router.flowsTo(call.getReceiver()) and
+    exists(DataFlow::MethodCallNode call |
+      router.ref().getAMethodCall() = call and
       call.getMethodName() = "set" and
       call.getArgument(0).getStringValue() = "view engine" and
       call.getArgument(1).getStringValue() = getAVulnerableTemplateEngine()
@@ -91,11 +91,11 @@ module TemplateObjectInjection {
       DataFlow::MethodCallNode viewEngineCall
     |
       // `app.engine("name", engine)
-      router.flowsTo(registerCall.getReceiver().asExpr()) and
+      router.ref().getAMethodCall() = registerCall and
       registerCall.getMethodName() = ["engine", "register"] and
       engine = registerCall.getArgument(1).getALocalSource() and
       // app.set("view engine", "name")
-      router.flowsTo(viewEngineCall.getReceiver().asExpr()) and
+      router.ref().getAMethodCall() = viewEngineCall and
       viewEngineCall.getMethodName() = "set" and
       viewEngineCall.getArgument(0).getStringValue() = "view engine" and
       // The name set by the `app.engine("name")` call matches `app.set("view engine", "name")`.