JavaScript: Apply review suggestion.

Co-Authored-By: Esben Sparre Andreasen <42067045+esben-semmle@users.noreply.github.com>

Author: Max Schaefer

javascript/ql/src/semmle/javascript/security/dataflow/MissingRateLimiting.qll

@@ -23,6 +23,7 @@
  */
 
 import javascript
+private import semmle.javascript.frameworks.ConnectExpressShared::ConnectExpressShared
 
 // main concepts
 /**
@@ -160,8 +161,8 @@ class RouteHandlerLimitedByExpressLimiter extends RateLimitedRouteHandlerExpr {
  * A rate-handler function implemented using one of the rate-limiting classes provided
  * by the `rate-limiter-flexible` package.
  *
- * We look for functions that invoke the `consume` method of one of the `RateLimiter*`
- * classes from the `rate-limiter-flexible` package on a property of their first argument,
+ * We look for route handlers that invoke the `consume` method of one of the `RateLimiter*`
+ * classes from the `rate-limiter-flexible` package on a property of their request parameter,
  * like the `rateLimiterMiddleware` function in this example:
  *
  * ```
@@ -176,14 +177,13 @@ class RateLimiterFlexibleRateLimiter extends DataFlow::FunctionNode {
   RateLimiterFlexibleRateLimiter() {
     exists(
       string rateLimiterClassName, DataFlow::SourceNode rateLimiterClass,
-      DataFlow::SourceNode rateLimiterInstance
+      DataFlow::SourceNode rateLimiterInstance, DataFlow::ParameterNode request
     |
       rateLimiterClassName.matches("RateLimiter%") and
       rateLimiterClass = DataFlow::moduleMember("rate-limiter-flexible", rateLimiterClassName) and
       rateLimiterInstance = rateLimiterClass.getAnInstantiation() and
-      getParameter(0).getAPropertyRead() = rateLimiterInstance
-            .getAMemberCall("consume")
-            .getAnArgument()
+      request.getParameter() = getRouteHandlerParameter(getFunction(), "request") and
+      request.getAPropertyRead() = rateLimiterInstance.getAMemberCall("consume").getAnArgument()
     )
   }
 }