JS: Stop using the AST-based isDocumentURL internally

Author: asger-semmle

javascript/ql/src/semmle/javascript/security/dataflow/ClientSideUrlRedirect.qll

@@ -40,7 +40,7 @@ module ClientSideUrlRedirect {
     override predicate isSource(DataFlow::Node source) { source instanceof Source }
 
     override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel lbl) {
-      isDocumentURL(source.asExpr()) and
+      source = DOM::locationSource() and
       lbl instanceof DocumentUrl
     }
 

javascript/ql/src/semmle/javascript/security/dataflow/CodeInjection.qll

@@ -51,8 +51,8 @@ module CodeInjection {
   /**
    * An access to a property that may hold (parts of) the document URL.
    */
-  class LocationSource extends Source, DataFlow::ValueNode {
-    LocationSource() { isDocumentURL(astNode) }
+  class LocationSource extends Source {
+    LocationSource() { this = DOM::locationSource() }
   }
 
   /**

javascript/ql/src/semmle/javascript/security/dataflow/DOM.qll

@@ -38,7 +38,7 @@ predicate isDocument(Expr e) { DOM::documentRef().flowsToExpr(e) }
 
 /** Holds if `e` could refer to the document URL. */
 predicate isDocumentURL(Expr e) {
-  DOM::locationRef().flowsToExpr(e)
+  e.flow() = DOM::locationSource()
 }
 
 /**

javascript/ql/src/semmle/javascript/security/dataflow/DomBasedXss.qll

@@ -42,7 +42,7 @@ module DomBasedXss {
   /**
    * An access of the URL of this page, or of the referrer to this page.
    */
-  class LocationSource extends Source, DataFlow::ValueNode {
-    LocationSource() { isDocumentURL(astNode) }
+  class LocationSource extends Source {
+    LocationSource() { this = DOM::locationSource() }
   }
 }

javascript/ql/src/semmle/javascript/security/dataflow/UnsafeDynamicMethodAccess.qll

@@ -110,7 +110,7 @@ module UnsafeDynamicMethodAccess {
    * The page URL considered as a flow source for unsafe dynamic method access.
    */
   class DocumentUrlAsSource extends Source {
-    DocumentUrlAsSource() { isDocumentURL(asExpr()) }
+    DocumentUrlAsSource() { this = DOM::locationSource() }
   }
 
   /**

javascript/ql/src/semmle/javascript/security/dataflow/UnvalidatedDynamicMethodCall.qll

@@ -102,7 +102,7 @@ module UnvalidatedDynamicMethodCall {
    * The page URL considered as a flow source for unvalidated dynamic method calls.
    */
   class DocumentUrlAsSource extends Source {
-    DocumentUrlAsSource() { isDocumentURL(asExpr()) }
+    DocumentUrlAsSource() { this = DOM::locationSource() }
   }
 
   /**

javascript/ql/src/semmle/javascript/security/dataflow/XpathInjection.qll

@@ -64,8 +64,8 @@ module XpathInjection {
   }
 
   /** A part of the document URL, considered as a flow source for XPath injection. */
-  class DocumentUrlSource extends Source, DataFlow::ValueNode {
-    DocumentUrlSource() { isDocumentURL(astNode) }
+  class DocumentUrlSource extends Source {
+    DocumentUrlSource() { this = DOM::locationSource() }
   }
 
   /**

javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll

@@ -70,7 +70,7 @@ module DomBasedXss {
           strval = prefix.getStringValue() and
           not strval.regexpMatch("\\s*<.*")
         ) and
-        not isDocumentURL(astNode)
+        not DOM::locationRef().flowsTo(this)
       )
       or
       // call to an Angular method that interprets its argument as HTML