Merge pull request #7598 from erik-krogh/fieldOnlyUsedInCharPred

QL: field only used in charPred

Author: erik-krogh

javascript/ql/lib/semmle/javascript/Arrays.qll

@@ -152,15 +152,12 @@ private module ArrayDataFlow {
   /**
    * A node that reads or writes an element from an array inside a for-loop.
    */
-  private class ArrayIndexingAccess extends DataFlow::Node {
-    DataFlow::PropRef read;
-
+  private class ArrayIndexingAccess extends DataFlow::Node instanceof DataFlow::PropRef {
     ArrayIndexingAccess() {
-      read = this and
       TTNumber() =
-        unique(InferredType type | type = read.getPropertyNameExpr().flow().analyze().getAType()) and
+        unique(InferredType type | type = super.getPropertyNameExpr().flow().analyze().getAType()) and
       exists(VarAccess i, ExprOrVarDecl init |
-        i = read.getPropertyNameExpr() and init = any(ForStmt f).getInit()
+        i = super.getPropertyNameExpr() and init = any(ForStmt f).getInit()
       |
         i.getVariable().getADefinition() = init or
         i.getVariable().getADefinition().(VariableDeclarator).getDeclStmt() = init

javascript/ql/lib/semmle/javascript/dataflow/DataFlow.qll

@@ -445,9 +445,8 @@ module DataFlow {
    */
   private class ReflectiveCallNode extends Node, TReflectiveCallNode {
     MethodCallExpr call;
-    string kind;
 
-    ReflectiveCallNode() { this = TReflectiveCallNode(call, kind) }
+    ReflectiveCallNode() { this = TReflectiveCallNode(call, _) }
 
     override BasicBlock getBasicBlock() { result = call.getBasicBlock() }
 

javascript/ql/lib/semmle/javascript/dataflow/internal/InterModuleTypeInference.qll

@@ -380,9 +380,10 @@ private class AnalyzedExportAssign extends AnalyzedPropertyWrite, DataFlow::Valu
  */
 private class AnalyzedClosureExportAssign extends AnalyzedPropertyWrite, DataFlow::ValueNode {
   override AssignExpr astNode;
-  Closure::ClosureModule mod;
 
-  AnalyzedClosureExportAssign() { astNode.getLhs() = mod.getExportsVariable().getAReference() }
+  AnalyzedClosureExportAssign() {
+    astNode.getLhs() = any(Closure::ClosureModule mod).getExportsVariable().getAReference()
+  }
 
   override predicate writes(AbstractValue baseVal, string propName, DataFlow::AnalyzedNode source) {
     baseVal = TAbstractModuleObject(astNode.getTopLevel()) and

javascript/ql/lib/semmle/javascript/dataflow/internal/InterProceduralTypeInference.qll

@@ -302,12 +302,11 @@ private class TypeInferredMethodWithAnalyzedReturnFlow extends CallWithNonLocalA
  * Propagates receivers into locally defined callbacks of partial invocations.
  */
 private class AnalyzedThisInPartialInvokeCallback extends AnalyzedNode, DataFlow::ThisNode {
-  DataFlow::PartialInvokeNode call;
   DataFlow::Node receiver;
 
   AnalyzedThisInPartialInvokeCallback() {
     exists(DataFlow::Node callbackArg |
-      receiver = call.getBoundReceiver(callbackArg) and
+      receiver = any(DataFlow::PartialInvokeNode call).getBoundReceiver(callbackArg) and
       getBinder().flowsTo(callbackArg)
     )
   }

javascript/ql/lib/semmle/javascript/explore/BackwardDataFlow.qll

@@ -16,9 +16,7 @@
 import javascript
 
 private class BackwardExploringConfiguration extends DataFlow::Configuration {
-  DataFlow::Configuration cfg;
-
-  BackwardExploringConfiguration() { this = cfg }
+  BackwardExploringConfiguration() { this = any(DataFlow::Configuration cfg) }
 
   override predicate isSource(DataFlow::Node node) { any() }
 

javascript/ql/lib/semmle/javascript/explore/ForwardDataFlow.qll

@@ -14,9 +14,7 @@
 import javascript
 
 private class ForwardExploringConfiguration extends DataFlow::Configuration {
-  DataFlow::Configuration cfg;
-
-  ForwardExploringConfiguration() { this = cfg }
+  ForwardExploringConfiguration() { this = any(DataFlow::Configuration cfg) }
 
   override predicate isSink(DataFlow::Node node) { any() }
 

javascript/ql/lib/semmle/javascript/frameworks/AngularJS/AngularJSCore.qll

@@ -149,12 +149,10 @@ DataFlow::CallNode moduleRef(AngularModule m) {
  * A call to a method from the `angular.Module` API.
  */
 class ModuleApiCall extends DataFlow::CallNode {
-  /** The module on which the method is called. */
-  AngularModule mod;
   /** The name of the called method. */
   string methodName;
 
-  ModuleApiCall() { this = moduleRef(mod).getAMethodCall(methodName) }
+  ModuleApiCall() { this = moduleRef(_).getAMethodCall(methodName) }
 
   /**
    * Gets the name of the invoked method.

javascript/ql/lib/semmle/javascript/frameworks/AngularJS/AngularJSExpressions.qll

@@ -65,10 +65,9 @@ private string getInterpolatedExpressionPattern() { result = "(?<=\\{\\{).*?(?=\
  */
 private class HtmlTextNodeAsNgSourceProvider extends NgSourceProvider, HTML::TextNode {
   string source;
-  int offset;
 
   HtmlTextNodeAsNgSourceProvider() {
-    source = this.getText().regexpFind(getInterpolatedExpressionPattern(), _, offset)
+    source = this.getText().regexpFind(getInterpolatedExpressionPattern(), _, _)
   }
 
   override predicate providesSourceAt(

javascript/ql/lib/semmle/javascript/frameworks/Babel.qll

@@ -140,17 +140,15 @@ module Babel {
    */
   private class BabelRootTransformedPathExpr extends PathExpr, Expr {
     RootImportConfig plugin;
-    string rawPath;
     string prefix;
     string mappedPrefix;
     string suffix;
 
     BabelRootTransformedPathExpr() {
       this instanceof PathExpr and
       plugin.appliesTo(getTopLevel()) and
-      rawPath = getStringValue() and
-      prefix = rawPath.regexpCapture("(.)/(.*)", 1) and
-      suffix = rawPath.regexpCapture("(.)/(.*)", 2) and
+      prefix = getStringValue().regexpCapture("(.)/(.*)", 1) and
+      suffix = getStringValue().regexpCapture("(.)/(.*)", 2) and
       mappedPrefix = plugin.getRoot(prefix)
     }
 

javascript/ql/lib/semmle/javascript/frameworks/CryptoLibraries.qll

@@ -378,10 +378,9 @@ private module CryptoJS {
  * A model of the TweetNaCl library.
  */
 private module TweetNaCl {
-  private class Apply extends CryptographicOperation {
+  private class Apply extends CryptographicOperation instanceof MethodCallExpr {
     Expr input;
     CryptographicAlgorithm algorithm;
-    MethodCallExpr mce;
 
     Apply() {
       /*
@@ -395,15 +394,14 @@ private module TweetNaCl {
        *      Also matches the "hash" method name, and the "nacl-fast" module.
        */
 
-      this = mce and
       exists(DataFlow::SourceNode mod, string name |
         name = "hash" and algorithm.matchesName("SHA512")
         or
         name = "sign" and algorithm.matchesName("ed25519")
       |
         (mod = DataFlow::moduleImport("nacl") or mod = DataFlow::moduleImport("nacl-fast")) and
-        mce = mod.getAMemberCall(name).asExpr() and
-        mce.getArgument(0) = input
+        this = mod.getAMemberCall(name).asExpr() and
+        super.getArgument(0) = input
       )
     }
 
@@ -440,10 +438,9 @@ private module HashJs {
     )
   }
 
-  private class Apply extends CryptographicOperation {
+  private class Apply extends CryptographicOperation instanceof MethodCallExpr {
     Expr input;
     CryptographicAlgorithm algorithm; // non-functional
-    MethodCallExpr mce;
 
     Apply() {
       /*
@@ -459,9 +456,8 @@ private module HashJs {
        *      Also matches where `hash.<algorithmName>()` has been replaced by a more specific require a la `require("hash.js/lib/hash/sha/512")`
        */
 
-      this = mce and
-      mce = getAlgorithmExpr(algorithm).getAMemberCall("update").asExpr() and
-      input = mce.getArgument(0)
+      this = getAlgorithmExpr(algorithm).getAMemberCall("update").asExpr() and
+      input = super.getArgument(0)
     }
 
     override Expr getInput() { result = input }
@@ -535,16 +531,14 @@ private module Forge {
     override CryptographicAlgorithm getAlgorithm() { result = algorithm }
   }
 
-  private class Apply extends CryptographicOperation {
+  private class Apply extends CryptographicOperation instanceof MethodCallExpr {
     Expr input;
     CryptographicAlgorithm algorithm; // non-functional
-    MethodCallExpr mce;
 
     Apply() {
-      this = mce and
       exists(Cipher cipher |
-        mce = cipher.getAMemberCall("update").asExpr() and
-        mce.getArgument(0) = input and
+        this = cipher.getAMemberCall("update").asExpr() and
+        super.getArgument(0) = input and
         algorithm = cipher.getAlgorithm()
       )
     }
@@ -596,19 +590,17 @@ private module Forge {
  * A model of the md5 library.
  */
 private module Md5 {
-  private class Apply extends CryptographicOperation {
+  private class Apply extends CryptographicOperation instanceof CallExpr {
     Expr input;
     CryptographicAlgorithm algorithm;
-    CallExpr call;
 
     Apply() {
       // `require("md5")("message");`
-      this = call and
       exists(DataFlow::SourceNode mod |
         mod = DataFlow::moduleImport("md5") and
         algorithm.matchesName("MD5") and
-        call = mod.getACall().asExpr() and
-        call.getArgument(0) = input
+        this = mod.getACall().asExpr() and
+        super.getArgument(0) = input
       )
     }
 
@@ -622,14 +614,12 @@ private module Md5 {
  * A model of the bcrypt, bcryptjs, bcrypt-nodejs libraries.
  */
 private module Bcrypt {
-  private class Apply extends CryptographicOperation {
+  private class Apply extends CryptographicOperation instanceof MethodCallExpr {
     Expr input;
     CryptographicAlgorithm algorithm;
-    MethodCallExpr mce;
 
     Apply() {
       // `require("bcrypt").hash(password);` with minor naming variations
-      this = mce and
       exists(DataFlow::SourceNode mod, string moduleName, string methodName |
         algorithm.matchesName("BCRYPT") and
         (
@@ -642,8 +632,8 @@ private module Bcrypt {
           methodName = "hashSync"
         ) and
         mod = DataFlow::moduleImport(moduleName) and
-        mce = mod.getAMemberCall(methodName).asExpr() and
-        mce.getArgument(0) = input
+        this = mod.getAMemberCall(methodName).asExpr() and
+        super.getArgument(0) = input
       )
     }
 
@@ -657,20 +647,18 @@ private module Bcrypt {
  * A model of the hasha library.
  */
 private module Hasha {
-  private class Apply extends CryptographicOperation {
+  private class Apply extends CryptographicOperation instanceof CallExpr {
     Expr input;
     CryptographicAlgorithm algorithm;
-    CallExpr call;
 
     Apply() {
       // `require('hasha')('unicorn', { algorithm: "md5" });`
-      this = call and
       exists(DataFlow::SourceNode mod, string algorithmName, Expr algorithmNameNode |
         mod = DataFlow::moduleImport("hasha") and
-        call = mod.getACall().asExpr() and
-        call.getArgument(0) = input and
+        this = mod.getACall().asExpr() and
+        super.getArgument(0) = input and
         algorithm.matchesName(algorithmName) and
-        call.hasOptionArgument(1, "algorithm", algorithmNameNode) and
+        super.hasOptionArgument(1, "algorithm", algorithmNameNode) and
         algorithmNameNode.mayHaveStringValue(algorithmName)
       )
     }

javascript/ql/lib/semmle/javascript/frameworks/HTTP.qll

@@ -411,10 +411,10 @@ module HTTP {
      * E.g. `chunk` in: `http.createServer().on('request', (req, res) => req.on("data", (chunk) => ...))`.
      */
     private class ServerRequestDataEvent extends RemoteFlowSource, DataFlow::ParameterNode {
-      RequestSource req;
-
       ServerRequestDataEvent() {
-        exists(DataFlow::MethodCallNode mcn | mcn = req.ref().getAMethodCall(EventEmitter::on()) |
+        exists(DataFlow::MethodCallNode mcn, RequestSource req |
+          mcn = req.ref().getAMethodCall(EventEmitter::on())
+        |
           mcn.getArgument(0).mayHaveStringValue("data") and
           this = mcn.getABoundCallbackParameter(1, 0)
         )

javascript/ql/lib/semmle/javascript/frameworks/HttpProxy.qll

@@ -74,12 +74,13 @@ private module HttpProxy {
    */
   class ProxyListenerCallback extends NodeJSLib::RouteHandler, DataFlow::FunctionNode {
     string event;
-    API::CallNode call;
 
     ProxyListenerCallback() {
-      call = any(CreateServerCall server).getReturn().getMember(["on", "once"]).getACall() and
-      call.getParameter(0).getARhs().mayHaveStringValue(event) and
-      this = call.getParameter(1).getARhs().getAFunctionValue()
+      exists(API::CallNode call |
+        call = any(CreateServerCall server).getReturn().getMember(["on", "once"]).getACall() and
+        call.getParameter(0).getARhs().mayHaveStringValue(event) and
+        this = call.getParameter(1).getARhs().getAFunctionValue()
+      )
     }
 
     override Parameter getRequestParameter() {

javascript/ql/lib/semmle/javascript/frameworks/LdapJS.qll

@@ -29,9 +29,9 @@ module LdapJS {
 
   /** A reference to a LDAPjs client `search` options. */
   class SearchOptions extends API::Node {
-    ClientCall call;
-
-    SearchOptions() { call.getMethodName() = "search" and this = call.getParameter(1) }
+    SearchOptions() {
+      exists(ClientCall call | call.getMethodName() = "search" and this = call.getParameter(1))
+    }
   }
 
   /** A creation of an LDAPjs filter, or object containing a filter, that doesn't sanitizes the input. */

javascript/ql/lib/semmle/javascript/frameworks/Nest.qll

@@ -376,11 +376,11 @@ module NestJS {
    * redirects to `https://example.com`.
    */
   private class ReturnValueAsRedirection extends ServerSideUrlRedirect::Sink {
-    NestJSRouteHandler handler;
-
     ReturnValueAsRedirection() {
-      handler.hasRedirectDecorator() and
-      this = handler.getAReturn().getALocalSource().getAPropertyWrite("url").getRhs()
+      exists(NestJSRouteHandler handler |
+        handler.hasRedirectDecorator() and
+        this = handler.getAReturn().getALocalSource().getAPropertyWrite("url").getRhs()
+      )
     }
   }
 

javascript/ql/lib/semmle/javascript/frameworks/Next.qll

@@ -155,11 +155,7 @@ module NextJS {
    * A Next.js function that is exected on the server for every request, seen as a routehandler.
    */
   class NextHttpRouteHandler extends HTTP::Servers::StandardRouteHandler, DataFlow::FunctionNode {
-    Module pageModule;
-
-    NextHttpRouteHandler() {
-      this = getServerSidePropsFunction(pageModule) or this = getInitialProps(pageModule)
-    }
+    NextHttpRouteHandler() { this = getServerSidePropsFunction(_) or this = getInitialProps(_) }
   }
 
   /**

javascript/ql/lib/semmle/javascript/frameworks/NodeJSLib.qll

@@ -1171,17 +1171,17 @@ module NodeJSLib {
    * A connection opened on a NodeJS net server.
    */
   private class NodeJSNetServerConnection extends EventEmitter::Range {
-    NodeJSNetServer server;
-
     NodeJSNetServerConnection() {
-      exists(DataFlow::MethodCallNode call |
-        call = server.ref().getAMethodCall("on") and
-        call.getArgument(0).mayHaveStringValue("connection")
-      |
-        this = call.getCallback(1).getParameter(0)
+      exists(NodeJSNetServer server |
+        exists(DataFlow::MethodCallNode call |
+          call = server.ref().getAMethodCall("on") and
+          call.getArgument(0).mayHaveStringValue("connection")
+        |
+          this = call.getCallback(1).getParameter(0)
+        )
+        or
+        this = server.getCallback([0, 1]).getParameter(0)
       )
-      or
-      this = server.getCallback([0, 1]).getParameter(0)
     }
 
     DataFlow::SourceNode ref() { result = EventEmitter::trackEventEmitter(this) }
@@ -1201,9 +1201,9 @@ module NodeJSLib {
    * A data flow node representing data received from a client to a NodeJS net server, viewed as remote user input.
    */
   private class NodeJSNetServerItemAsRemoteFlow extends RemoteFlowSource {
-    NodeJSNetServerRegistration reg;
-
-    NodeJSNetServerItemAsRemoteFlow() { this = reg.getReceivedItem(_) }
+    NodeJSNetServerItemAsRemoteFlow() {
+      this = any(NodeJSNetServerRegistration reg).getReceivedItem(_)
+    }
 
     override string getSourceType() { result = "NodeJS server" }
   }

javascript/ql/lib/semmle/javascript/frameworks/jQuery.qll

@@ -284,10 +284,8 @@ private class JQueryAttr3Call extends JQueryAttributeDefinition, @call_expr {
  * the DOM element constructed by `$("<script/>")`.
  */
 private class JQueryChainedElement extends DOM::Element, InvokeExpr {
-  DOM::Element inner;
-
   JQueryChainedElement() {
-    exists(JQuery::MethodCall call | this = call.asExpr() |
+    exists(JQuery::MethodCall call, DOM::Element inner | this = call.asExpr() |
       call.getReceiver().asExpr() = inner and
       defn = inner.getDefinition()
     )