refactor a use of MethodCallExpr in ClientSideUrlRedirectCustomizations.qll

Author: erik-krogh

javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll

@@ -57,23 +57,23 @@ module ClientSideUrlRedirect {
    * when `base` is the current URL.
    */
   predicate untrustedUrlSubstring(DataFlow::Node base, DataFlow::Node substring) {
-    exists(MethodCallExpr mce, string methodName |
-      mce = substring.asExpr() and mce.calls(base.asExpr(), methodName)
+    exists(DataFlow::MethodCallNode mcn, string methodName |
+      mcn = substring and mcn.calls(base, methodName)
     |
       methodName = "split" and
       // exclude all splits where only the prefix is accessed, which is safe for url-redirects.
-      not exists(PropAccess pacc | mce = pacc.getBase() | pacc.getPropertyName() = "0")
+      not exists(DataFlow::PropRead pacc | mcn = pacc.getBase() | pacc.getPropertyName() = "0")
       or
       methodName = StringOps::substringMethodName() and
       // exclude `location.href.substring(0, ...)` and similar, which can
       // never refer to the query string
-      not mce.getArgument(0).(NumberLiteral).getIntValue() = 0
+      not mcn.getArgument(0).asExpr().(NumberLiteral).getIntValue() = 0
     )
     or
-    exists(MethodCallExpr mce |
-      substring.asExpr() = mce and
-      mce = any(DataFlow::RegExpCreationNode re).getAMethodCall("exec").asExpr() and
-      base.asExpr() = mce.getArgument(0)
+    exists(DataFlow::MethodCallNode mcn |
+      substring = mcn and
+      mcn = any(DataFlow::RegExpCreationNode re).getAMethodCall("exec") and
+      base = mcn.getArgument(0)
     )
   }