update the existing expression based Express models

erik-krogh · erik-krogh · commit fc54ba823ba6 · 2022-09-05T16:11:54.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/Express.qll b/javascript/ql/lib/semmle/javascript/frameworks/Express.qll
@@ -517,9 +517,10 @@ module Express {
   /**
    * Holds if `call` is a chainable method call on the response object of `handler`.
    */
-  private predicate isChainableResponseMethodCall(RouteHandler handler, MethodCallExpr call) {
-    // TODO: DataFlow::MethodCallNode
-    exists(string name | call.calls(handler.getAResponseNode().asExpr(), name) |
+  private predicate isChainableResponseMethodCall(
+    RouteHandler handler, DataFlow::MethodCallNode call
+  ) {
+    exists(string name | call.calls(handler.getAResponseNode(), name) |
       name =
         [
           "append", "attachment", "location", "send", "sendStatus", "set", "status", "type", "vary",
@@ -541,7 +542,7 @@ module Express {
     ExplicitResponseSource() {
       this = rh.getResponseParameter()
       or
-      isChainableResponseMethodCall(rh, this.asExpr())
+      isChainableResponseMethodCall(rh, this)
     }
 
     /**
@@ -766,23 +767,22 @@ module Express {
   /**
    * Holds if `e` is an HTTP request object.
    */
-  predicate isRequest(Expr e) { any(RouteHandler rh).getARequestNode().asExpr() = e } // TODO: DataFlow::Node
+  predicate isRequest(DataFlow::Node e) { any(RouteHandler rh).getARequestNode() = e }
 
   /**
    * Holds if `e` is an HTTP response object.
    */
-  predicate isResponse(Expr e) { any(RouteHandler rh).getAResponseNode().asExpr() = e } // TODO: DataFlow::Node
+  predicate isResponse(DataFlow::Node e) { any(RouteHandler rh).getAResponseNode() = e }
 
   /**
    * An access to the HTTP request body.
    */
-  class RequestBodyAccess extends Expr {
-    // TODO: DataFlow::Node
-    RequestBodyAccess() { any(RouteHandler h).getARequestBodyAccess().asExpr() = this }
+  class RequestBodyAccess extends DataFlow::Node {
+    RequestBodyAccess() { any(RouteHandler h).getARequestBodyAccess() = this }
   }
 
   abstract private class HeaderDefinition extends HTTP::Servers::StandardHeaderDefinition {
-    HeaderDefinition() { isResponse(this.getReceiver().asExpr()) }
+    HeaderDefinition() { isResponse(this.getReceiver()) }
 
     override RouteHandler getRouteHandler() { this.getReceiver() = result.getAResponseNode() }
   }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
@@ -647,12 +647,12 @@ module TaintedPath {
   /**
    * A path argument to the Express `res.render` method.
    */
-  class ExpressRenderSink extends Sink, DataFlow::ValueNode {
+  class ExpressRenderSink extends Sink {
     ExpressRenderSink() {
-      exists(MethodCallExpr mce |
+      exists(DataFlow::MethodCallNode mce |
         Express::isResponse(mce.getReceiver()) and
         mce.getMethodName() = "render" and
-        astNode = mce.getArgument(0)
+        this = mce.getArgument(0)
       )
     }
   }
diff --git a/javascript/ql/test/library-tests/frameworks/Express/isRequest.qll b/javascript/ql/test/library-tests/frameworks/Express/isRequest.qll
@@ -1,3 +1,3 @@
 import javascript
 
-query predicate test_isRequest(Expr nd) { Express::isRequest(nd) }
+query predicate test_isRequest(DataFlow::Node nd) { Express::isRequest(nd) }
diff --git a/javascript/ql/test/library-tests/frameworks/Express/isResponse.qll b/javascript/ql/test/library-tests/frameworks/Express/isResponse.qll
@@ -1,3 +1,3 @@
 import javascript
 
-query predicate test_isResponse(Expr nd) { Express::isResponse(nd) }
+query predicate test_isResponse(DataFlow::Node nd) { Express::isResponse(nd) }
diff --git a/javascript/ql/test/library-tests/frameworks/Express/tests.expected b/javascript/ql/test/library-tests/frameworks/Express/tests.expected

Original file line number	Diff line number	Diff line change
`@@ -647,12 +647,12 @@ module TaintedPath {`
`647`	`647`	`/**`
`648`	`648`	* A path argument to the Express `res.render` method.
`649`	`649`	`*/`
`650`		`- class ExpressRenderSink extends Sink, DataFlow::ValueNode {`
	`650`	`+ class ExpressRenderSink extends Sink {`
`651`	`651`	`ExpressRenderSink() {`
`652`		`- exists(MethodCallExpr mce \|`
	`652`	`+ exists(DataFlow::MethodCallNode mce \|`
`653`	`653`	`Express::isResponse(mce.getReceiver()) and`
`654`	`654`	`mce.getMethodName() = "render" and`
`655`		`- astNode = mce.getArgument(0)`
	`655`	`+ this = mce.getArgument(0)`
`656`	`656`	`)`
`657`	`657`	`}`
`658`	`658`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,3 @@`
`1`	`1`	`import javascript`
`2`	`2`
`3`		`-query predicate test_isRequest(Expr nd) { Express::isRequest(nd) }`
	`3`	`+query predicate test_isRequest(DataFlow::Node nd) { Express::isRequest(nd) }`
Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,3 @@`
`1`	`1`	`import javascript`
`2`	`2`
`3`		`-query predicate test_isResponse(Expr nd) { Express::isResponse(nd) }`
	`3`	`+query predicate test_isResponse(DataFlow::Node nd) { Express::isResponse(nd) }`