JS: Factor out StringOps::substringMethodName

Author: asgerf

javascript/ql/src/semmle/javascript/StringOps.qll

@@ -802,4 +802,11 @@ module StringOps {
       override boolean getPolarity() { result = polarity }
     }
   }
+
+  /**
+   * Gets the name of a string method which performs substring extraction.
+   *
+   * These are `substring`, `substr`, and `slice`.
+   */
+  string substringMethodName() { result = ["substring", "substr", "slice"] }
 }

javascript/ql/src/semmle/javascript/security/TaintedUrlSuffix.qll

@@ -67,7 +67,7 @@ module TaintedUrlSuffix {
         name = call.getMethodName()
       |
         // Substring that is not a prefix
-        name = ["substring", "substr", "slice"] and
+        name = StringOps::substringMethodName() and
         not call.getArgument(0).getIntValue() = 0
         or
         // Split around '#' or '?' and extract the suffix

javascript/ql/src/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll

@@ -69,7 +69,7 @@ module ClientSideUrlRedirect {
       // exclude all splits where only the prefix is accessed, which is safe for url-redirects.
       not exists(PropAccess pacc | mce = pacc.getBase() | pacc.getPropertyName() = "0")
       or
-      (methodName = "substring" or methodName = "substr" or methodName = "slice") and
+      methodName = StringOps::substringMethodName() and
       // exclude `location.href.substring(0, ...)` and similar, which can
       // never refer to the query string
       not mce.getArgument(0).(NumberLiteral).getIntValue() = 0

javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll

@@ -734,15 +734,9 @@ module TaintedPath {
     exists(DataFlow::MethodCallNode mcn, string name |
       srclabel = dstlabel and dst = mcn and mcn.calls(src, name)
     |
-      exists(string substringMethodName |
-        substringMethodName = "substr" or
-        substringMethodName = "substring" or
-        substringMethodName = "slice"
-      |
-        name = substringMethodName and
-        // to avoid very dynamic transformations, require at least one fixed index
-        exists(mcn.getAnArgument().asExpr().getIntValue())
-      )
+      name = StringOps::substringMethodName() and
+      // to avoid very dynamic transformations, require at least one fixed index
+      exists(mcn.getAnArgument().asExpr().getIntValue())
       or
       exists(string argumentlessMethodName |
         argumentlessMethodName = "toLocaleLowerCase" or

javascript/ql/src/semmle/javascript/security/performance/PolynomialReDoSCustomizations.qll

@@ -100,9 +100,7 @@ module PolynomialReDoS {
         root instanceof RegExpCharacterClassEscape
       )
       or
-      exists(string name | name = "slice" or name = "substring" or name = "substr" |
-        this.(DataFlow::MethodCallNode).getMethodName() = name
-      )
+      this.(DataFlow::MethodCallNode).getMethodName() = StringOps::substringMethodName()
     }
   }