JS: Mass rename to node1,state1,node2,state2 naming convention

Author: asgerf

javascript/ql/examples/queries/dataflow/BackendIdor/BackendIdor.ql

@@ -18,9 +18,9 @@ module IdorTaintConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node node) { exists(ClientRequest req | node = req.getADataNode()) }
 
-  predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     // Step from x -> { userId: x }
-    succ.(DataFlow::SourceNode).getAPropertyWrite("userId").getRhs() = pred
+    node2.(DataFlow::SourceNode).getAPropertyWrite("userId").getRhs() = node1
   }
 
   predicate isBarrier(DataFlow::Node node) {

javascript/ql/examples/queries/dataflow/InformationDisclosure/InformationDisclosure.ql

@@ -37,16 +37,16 @@ module AuthKeyTrackingConfig implements DataFlow::ConfigSig {
     )
   }
 
-  predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     // Step into objects: x -> { f: x }
-    succ.(DataFlow::SourceNode).getAPropertyWrite().getRhs() = pred
+    node2.(DataFlow::SourceNode).getAPropertyWrite().getRhs() = node1
     or
     // Step through JSON serialization: x -> JSON.stringify(x)
     // Note: TaintTracking::Configuration includes this step by default, but not DataFlow::Configuration
     exists(DataFlow::CallNode call |
       call = DataFlow::globalVarRef("JSON").getAMethodCall("stringify") and
-      pred = call.getArgument(0) and
-      succ = call
+      node1 = call.getArgument(0) and
+      node2 = call
     )
   }
 }

javascript/ql/lib/semmle/javascript/security/TaintedObject.qll

@@ -36,42 +36,42 @@ module TaintedObject {
   /**
    * Holds for the flows steps that are relevant for tracking user-controlled JSON objects.
    */
-  predicate isAdditionalFlowStep(Node src, FlowState inlbl, Node trg, FlowState outlbl) {
+  predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {
     // JSON parsers map tainted inputs to tainted JSON
-    inlbl.isTaint() and
-    outlbl.isTaintedObject() and
+    state1.isTaint() and
+    state2.isTaintedObject() and
     exists(JsonParserCall parse |
-      src = parse.getInput() and
-      trg = parse.getOutput()
+      node1 = parse.getInput() and
+      node2 = parse.getOutput()
     )
     or
     // Property reads preserve deep object taint.
-    inlbl.isTaintedObject() and
-    outlbl.isTaintedObject() and
-    trg.(PropRead).getBase() = src
+    state1.isTaintedObject() and
+    state2.isTaintedObject() and
+    node2.(PropRead).getBase() = node1
     or
     // Property projection preserves deep object taint
-    inlbl.isTaintedObject() and
-    outlbl.isTaintedObject() and
-    trg.(PropertyProjection).getObject() = src
+    state1.isTaintedObject() and
+    state2.isTaintedObject() and
+    node2.(PropertyProjection).getObject() = node1
     or
     // Extending objects preserves deep object taint
-    inlbl.isTaintedObject() and
-    outlbl.isTaintedObject() and
+    state1.isTaintedObject() and
+    state2.isTaintedObject() and
     exists(ExtendCall call |
-      src = call.getAnOperand() and
-      trg = call
+      node1 = call.getAnOperand() and
+      node2 = call
       or
-      src = call.getASourceOperand() and
-      trg = call.getDestinationOperand().getALocalSource()
+      node1 = call.getASourceOperand() and
+      node2 = call.getDestinationOperand().getALocalSource()
     )
     or
     // Spreading into an object preserves deep object taint: `p -> { ...p }`
-    inlbl.isTaintedObject() and
-    outlbl.isTaintedObject() and
+    state1.isTaintedObject() and
+    state2.isTaintedObject() and
     exists(ObjectLiteralNode obj |
-      src = obj.getASpreadProperty() and
-      trg = obj
+      node1 = obj.getASpreadProperty() and
+      node2 = obj
     )
   }
 
@@ -96,8 +96,8 @@ module TaintedObject {
     /** Holds if this node blocks flow through `e`, provided it evaluates to `outcome`. */
     predicate blocksExpr(boolean outcome, Expr e) { none() }
 
-    /** Holds if this node blocks flow of `label` through `e`, provided it evaluates to `outcome`. */
-    predicate blocksExpr(boolean outcome, Expr e, FlowState label) { none() }
+    /** Holds if this node blocks flow of `state` through `e`, provided it evaluates to `outcome`. */
+    predicate blocksExpr(boolean outcome, Expr e, FlowState state) { none() }
 
     /** DEPRECATED. Use `blocksExpr` instead. */
     deprecated predicate sanitizes(boolean outcome, Expr e, FlowLabel label) {

javascript/ql/lib/semmle/javascript/security/TaintedUrlSuffixCustomizations.qll

@@ -66,11 +66,11 @@ module TaintedUrlSuffix {
   }
 
   /**
-   * Holds if there is a flow step `src -> dst` involving the URL suffix flow state.
+   * Holds if there is a flow step `node1 -> node2` involving the URL suffix flow state.
    *
    * This handles steps through string operations, promises, URL parsers, and URL accessors.
    */
-  predicate isAdditionalFlowStep(Node src, FlowState srclbl, Node dst, FlowState dstlbl) {
+  predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {
     // Transition from tainted-url-suffix to general taint when entering the second array element
     // of a split('#') or split('?') array.
     //
@@ -79,17 +79,17 @@ module TaintedUrlSuffix {
     // Technically we should also preverse tainted-url-suffix when entering the first array element of such
     // a split, but this mostly leads to FPs since we currently don't track if the taint has been through URI-decoding.
     // (The query/fragment parts are often URI-decoded in practice, but not the other URL parts are not)
-    srclbl.isTaintedUrlSuffix() and
-    dstlbl.isTaint() and
-    DataFlowPrivate::optionalStep(src, "split-url-suffix-post", dst)
+    state1.isTaintedUrlSuffix() and
+    state2.isTaint() and
+    DataFlowPrivate::optionalStep(node1, "split-url-suffix-post", node2)
     or
     // Transition from URL suffix to full taint when extracting the query/fragment part.
-    srclbl.isTaintedUrlSuffix() and
-    dstlbl.isTaint() and
+    state1.isTaintedUrlSuffix() and
+    state2.isTaint() and
     (
       exists(MethodCallNode call, string name |
-        src = call.getReceiver() and
-        dst = call and
+        node1 = call.getReceiver() and
+        node2 = call and
         name = call.getMethodName()
       |
         // Substring that is not a prefix
@@ -118,22 +118,22 @@ module TaintedUrlSuffix {
       )
       or
       exists(PropRead read |
-        src = read.getBase() and
-        dst = read and
+        node1 = read.getBase() and
+        node2 = read and
         // Unlike the `search` property, the `query` property from `url.parse` does not include the `?`.
         read.getPropertyName() = "query"
       )
       or
       exists(MethodCallNode call, DataFlow::RegExpCreationNode re |
         (
           call = re.getAMethodCall("exec") and
-          src = call.getArgument(0) and
-          dst = call
+          node1 = call.getArgument(0) and
+          node2 = call
           or
           call.getMethodName() = ["match", "matchAll"] and
           re.flowsTo(call.getArgument(0)) and
-          src = call.getReceiver() and
-          dst = call
+          node1 = call.getReceiver() and
+          node2 = call
         )
       |
         captureAfterSuffixIndicator(re.getRoot().getAChild*())

javascript/ql/lib/semmle/javascript/security/dataflow/BuildArtifactLeakQuery.qll

@@ -21,8 +21,8 @@ module BuildArtifactLeakConfig implements DataFlow::ConfigSig {
 
   predicate isBarrier(DataFlow::Node node) { node instanceof CleartextLogging::Barrier }
 
-  predicate isAdditionalFlowStep(DataFlow::Node src, DataFlow::Node trg) {
-    CleartextLogging::isAdditionalTaintStep(src, trg)
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    CleartextLogging::isAdditionalTaintStep(node1, node2)
   }
 
   predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet contents) {

javascript/ql/lib/semmle/javascript/security/dataflow/CleartextLoggingQuery.qll

@@ -32,8 +32,8 @@ module CleartextLoggingConfig implements DataFlow::ConfigSig {
     isSource(node)
   }
 
-  predicate isAdditionalFlowStep(DataFlow::Node src, DataFlow::Node trg) {
-    CleartextLogging::isAdditionalTaintStep(src, trg)
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    CleartextLogging::isAdditionalTaintStep(node1, node2)
   }
 
   predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet contents) {

javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideRequestForgeryQuery.qll

@@ -28,8 +28,8 @@ module ClientSideRequestForgeryConfig implements DataFlow::ConfigSig {
 
   predicate isBarrierOut(DataFlow::Node node) { sanitizingPrefixEdge(node, _) }
 
-  predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
-    isAdditionalRequestForgeryStep(pred, succ)
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    isAdditionalRequestForgeryStep(node1, node2)
   }
 }
 

javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectQuery.qll

@@ -41,7 +41,7 @@ module ClientSideUrlRedirectConfig implements DataFlow::StateConfigSig {
 
   predicate isBarrierOut(DataFlow::Node node) { hostnameSanitizingPrefixEdge(node, _) }
 
-  predicate isBarrierOut(DataFlow::Node node, FlowState label) { isSink(node, label) }
+  predicate isBarrierOut(DataFlow::Node node, FlowState state) { isSink(node, state) }
 
   predicate isAdditionalFlowStep(
     DataFlow::Node node1, FlowState state1, DataFlow::Node node2, FlowState state2

javascript/ql/lib/semmle/javascript/security/dataflow/ConditionalBypassQuery.qll

@@ -20,9 +20,9 @@ module ConditionalBypassConfig implements DataFlow::ConfigSig {
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
 
-  predicate isAdditionalFlowStep(DataFlow::Node src, DataFlow::Node dst) {
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     // comparing a tainted expression against a constant gives a tainted result
-    dst.asExpr().(Comparison).hasOperands(src.asExpr(), any(ConstantExpr c))
+    node2.asExpr().(Comparison).hasOperands(node1.asExpr(), any(ConstantExpr c))
   }
 }
 

javascript/ql/lib/semmle/javascript/security/dataflow/ExceptionXssQuery.qll

@@ -146,12 +146,12 @@ module ExceptionXssConfig implements DataFlow::StateConfigSig {
   }
 
   predicate isAdditionalFlowStep(
-    DataFlow::Node pred, FlowState inlbl, DataFlow::Node succ, FlowState outlbl
+    DataFlow::Node node1, FlowState state1, DataFlow::Node node2, FlowState state2
   ) {
-    inlbl = FlowState::notYetThrown() and
-    outlbl = [FlowState::thrown(), FlowState::notYetThrown()] and
-    canThrowSensitiveInformation(pred) and
-    succ = getExceptionTarget(pred)
+    state1 = FlowState::notYetThrown() and
+    state2 = [FlowState::thrown(), FlowState::notYetThrown()] and
+    canThrowSensitiveInformation(node1) and
+    node2 = getExceptionTarget(node1)
   }
 }