Apply suggestions from code review

asgerf · max-schaefer · web-flow · commit 405f07720a40 · 2020-11-20T10:21:19.000Z
Co-authored-by: Max Schaefer &lt;54907921+max-schaefer@users.noreply.github.com&gt;
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/ExternalAPIUsedWithUntrustedDataCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/ExternalAPIUsedWithUntrustedDataCustomizations.qll
@@ -34,7 +34,7 @@ module ExternalAPIUsedWithUntrustedData {
    *
    * By default, this includes the objects passed to a `PropertyProjection` or `ExtendCall`.
    *
-   * Such objects tend of have lots of application-defined properties which don't represent
+   * Such objects tend to have lots of application-defined properties which don't represent
    * distinct API usages, so the query will avoid generating API names from them.
    */
   abstract class DeepObjectSink extends DataFlow::Node { }
@@ -48,7 +48,7 @@ module ExternalAPIUsedWithUntrustedData {
   }
 
   /** Holds if `node` corresponds to a deep object argument. */
-  private predicate isDeepObjectSink(API::Node node) { node.getARhs() = any(DeepObjectSink deep) }
+  private predicate isDeepObjectSink(API::Node node) { node.getARhs() instanceof DeepObjectSink }
 
   /**
    * A sanitizer for data flowing to an external API.
@@ -136,7 +136,7 @@ module ExternalAPIUsedWithUntrustedData {
   }
 
   /**
-   * Holds `node` may be part of an access path leading to an external API call.
+   * Holds if `node` may be part of an access path leading to an external API call.
    */
   private predicate nodeIsRelevant(API::Node node) {
     mayComeFromLibrary(node) and

Original file line number	Diff line number	Diff line change
`@@ -34,7 +34,7 @@ module ExternalAPIUsedWithUntrustedData {`
`34`	`34`	`*`
`35`	`35`	* By default, this includes the objects passed to a `PropertyProjection` or `ExtendCall`.
`36`	`36`	`*`
`37`		`- * Such objects tend of have lots of application-defined properties which don't represent`
	`37`	`+ * Such objects tend to have lots of application-defined properties which don't represent`
`38`	`38`	`* distinct API usages, so the query will avoid generating API names from them.`
`39`	`39`	`*/`
`40`	`40`	`abstract class DeepObjectSink extends DataFlow::Node { }`
`@@ -48,7 +48,7 @@ module ExternalAPIUsedWithUntrustedData {`
`48`	`48`	`}`
`49`	`49`
`50`	`50`	/** Holds if `node` corresponds to a deep object argument. */
`51`		`- private predicate isDeepObjectSink(API::Node node) { node.getARhs() = any(DeepObjectSink deep) }`
	`51`	`+ private predicate isDeepObjectSink(API::Node node) { node.getARhs() instanceof DeepObjectSink }`
`52`	`52`
`53`	`53`	`/**`
`54`	`54`	`* A sanitizer for data flowing to an external API.`
`@@ -136,7 +136,7 @@ module ExternalAPIUsedWithUntrustedData {`
`136`	`136`	`}`
`137`	`137`
`138`	`138`	`/**`
`139`		- * Holds `node` may be part of an access path leading to an external API call.
	`139`	+ * Holds if `node` may be part of an access path leading to an external API call.
`140`	`140`	`*/`
`141`	`141`	`private predicate nodeIsRelevant(API::Node node) {`
`142`	`142`	`mayComeFromLibrary(node) and`