change CookieDefinition to a DataFlow::Node

Author: erik-krogh

javascript/ql/lib/semmle/javascript/frameworks/CookieLibraries.qll

@@ -271,30 +271,27 @@ private module ExpressCookies {
   /**
    * A cookie set using `response.cookie` from `express` module (https://expressjs.com/en/api.html#res.cookie).
    */
-  private class InsecureExpressCookieResponse extends CookieWrites::CookieWrite,
-    DataFlow::MethodCallNode {
-    InsecureExpressCookieResponse() { this.asExpr() instanceof Express::SetCookie }
-
+  private class InsecureExpressCookieResponse extends CookieWrites::CookieWrite instanceof Express::SetCookie {
     override predicate isSecure() {
       // A cookie is secure if there are cookie options with the `secure` flag set to `true`.
       // The default is `false`.
-      exists(DataFlow::Node value | value = this.getOptionArgument(2, CookieWrites::secure()) |
+      exists(DataFlow::Node value | value = super.getOptionArgument(2, CookieWrites::secure()) |
         not value.mayHaveBooleanValue(false) // anything but `false` is accepted as being maybe true
       )
     }
 
-    override predicate isSensitive() { canHaveSensitiveCookie(this.getArgument(0)) }
+    override predicate isSensitive() { canHaveSensitiveCookie(super.getArgument(0)) }
 
     override predicate isHttpOnly() {
       // A cookie is httpOnly if there are cookie options with the `httpOnly` flag set to `true`.
       // The default is `false`.
-      exists(DataFlow::Node value | value = this.getOptionArgument(2, CookieWrites::httpOnly()) |
+      exists(DataFlow::Node value | value = super.getOptionArgument(2, CookieWrites::httpOnly()) |
         not value.mayHaveBooleanValue(false) // anything but `false` is accepted as being maybe true
       )
     }
 
     override string getSameSite() {
-      result = getSameSiteValue(this.getOptionArgument(2, "sameSite"))
+      result = getSameSiteValue(super.getOptionArgument(2, "sameSite"))
     }
   }
 
@@ -372,10 +369,10 @@ private class HttpCookieWrite extends CookieWrites::CookieWrite {
 
   HttpCookieWrite() {
     exists(HTTP::CookieDefinition setCookie |
-      this.asExpr() = setCookie.getHeaderArgument() and
+      this = setCookie.getHeaderArgument() and
       not this instanceof DataFlow::ArrayCreationNode
       or
-      this = setCookie.getHeaderArgument().flow().(DataFlow::ArrayCreationNode).getAnElement()
+      this = setCookie.getHeaderArgument().(DataFlow::ArrayCreationNode).getAnElement()
     ) and
     header =
       [

javascript/ql/lib/semmle/javascript/frameworks/Express.qll

@@ -774,14 +774,14 @@ module Express {
   /**
    * An invocation of the `cookie` method on an HTTP response object.
    */
-  class SetCookie extends HTTP::CookieDefinition, MethodCallExpr {
+  class SetCookie extends HTTP::CookieDefinition, DataFlow::MethodCallNode {
     ResponseSource response;
 
-    SetCookie() { this = response.ref().getAMethodCall("cookie").asExpr() }
+    SetCookie() { this = response.ref().getAMethodCall("cookie") }
 
-    override Expr getNameArgument() { result = this.getArgument(0) }
+    override DataFlow::Node getNameArgument() { result = this.getArgument(0) }
 
-    override Expr getValueArgument() { result = this.getArgument(1) }
+    override DataFlow::Node getValueArgument() { result = this.getArgument(1) }
 
     override RouteHandler getRouteHandler() { result = response.getRouteHandler() }
   }

javascript/ql/lib/semmle/javascript/frameworks/HTTP.qll

@@ -133,22 +133,21 @@ module HTTP {
   /**
    * An expression that sets a cookie in an HTTP response.
    */
-  abstract class CookieDefinition extends Expr {
-    // TODO: DataFlow::Node
+  abstract class CookieDefinition extends DataFlow::Node {
     /**
      * Gets the argument, if any, specifying the raw cookie header.
      */
-    Expr getHeaderArgument() { none() } // TODO: DataFlow::Node
+    DataFlow::Node getHeaderArgument() { none() }
 
     /**
      * Gets the argument, if any, specifying the cookie name.
      */
-    Expr getNameArgument() { none() } // TODO: DataFlow::Node
+    DataFlow::Node getNameArgument() { none() }
 
     /**
      * Gets the argument, if any, specifying the cookie value.
      */
-    Expr getValueArgument() { none() } // TODO: DataFlow::Node
+    DataFlow::Node getValueArgument() { none() }
 
     /** Gets the route handler that sets this cookie. */
     abstract RouteHandler getRouteHandler();
@@ -161,12 +160,12 @@ module HTTP {
     HeaderDefinition header;
 
     SetCookieHeader() {
-      this = header.asExpr() and
+      this = header and
       header.getAHeaderName() = "set-cookie"
     }
 
-    override Expr getHeaderArgument() {
-      header.(ExplicitHeaderDefinition).definesHeaderValue("set-cookie", result.flow())
+    override DataFlow::Node getHeaderArgument() {
+      header.(ExplicitHeaderDefinition).definesHeaderValue("set-cookie", result)
     }
 
     override RouteHandler getRouteHandler() { result = header.getRouteHandler() }

javascript/ql/lib/semmle/javascript/security/dataflow/CleartextStorageCustomizations.qll

@@ -52,8 +52,8 @@ module CleartextStorage {
   class CookieStorageSink extends Sink {
     CookieStorageSink() {
       exists(HTTP::CookieDefinition cookieDef |
-        this.asExpr() = cookieDef.getValueArgument() or
-        this.asExpr() = cookieDef.getHeaderArgument()
+        this = cookieDef.getValueArgument() or
+        this = cookieDef.getHeaderArgument()
       )
     }
   }

javascript/ql/lib/semmle/javascript/security/dataflow/DOM.qll

@@ -144,6 +144,7 @@ class DomPropWriteNode extends Assignment {
  * A value written to web storage, like `localStorage` or `sessionStorage`.
  */
 class WebStorageWrite extends Expr {
+  // TODO: DataFlow::Node
   WebStorageWrite() {
     exists(DataFlow::SourceNode webStorage |
       webStorage = DataFlow::globalVarRef("localStorage") or