JavaScript: Refactor flowsIntoHigherOrderCall predicate.

Author: Max Schaefer

javascript/ql/src/semmle/javascript/dataflow/Configuration.qll

@@ -619,20 +619,35 @@ private predicate flowThroughProperty(
   )
 }
 
+/**
+ * Holds if `arg` and `cb` are passed as arguments to a function which in turn
+ * invokes `cb`, passing `arg` as its `i`th argument. All of this is done under
+ * configuration `cfg`, and `arg` flows along a path summarized by `summary`,
+ * while `cb` is only tracked locally.
+ */
+private predicate higherOrderCall(
+  DataFlow::Node arg, DataFlow::Node cb, int i, DataFlow::Configuration cfg, PathSummary summary
+) {
+  exists (Function f, DataFlow::InvokeNode outer, DataFlow::InvokeNode inner |
+    reachableFromInput(f, outer, arg, inner.getArgument(i), cfg, summary) and
+    argumentPassing(outer, cb, f, inner.getCalleeNode().getALocalSource())
+  )
+}
+
 /**
  * Holds if `pred` is passed as an argument to a function `f` which also takes a
  * callback parameter `cb` and then invokes `cb`, passing `pred` into parameter `succ`
- * of `cb`.
+ * of `cb`. All of this is done under configuration `cfg`, and `arg` flows along a path
+ * summarized by `summary`, while `cb` is only tracked locally.
  */
 private predicate flowIntoHigherOrderCall(
   DataFlow::Node pred, DataFlow::Node succ, DataFlow::Configuration cfg, PathSummary summary
 ) {
   exists(
-    Function f, DataFlow::InvokeNode fCall, DataFlow::Node fArg, DataFlow::FunctionNode cb,
-    DataFlow::InvokeNode cbCall, int i, PathSummary oldSummary
+    DataFlow::Node fArg, DataFlow::FunctionNode cb,
+    int i, PathSummary oldSummary
   |
-    reachableFromInput(f, fCall, pred, cbCall.getArgument(i), cfg, oldSummary) and
-    argumentPassing(fCall, fArg, f, cbCall.getCalleeNode().getALocalSource()) and
+    higherOrderCall(pred, fArg, i, cfg, oldSummary) and
     cb = fArg.getALocalSource() and
     succ = cb.getParameter(i) and
     summary = oldSummary.append(PathSummary::call())

javascript/ql/src/semmle/javascript/dataflow/TrackedNodes.qll

@@ -205,20 +205,34 @@ private module NodeTracking {
     )
   }
 
+  /**
+   * Holds if `arg` and `cb` are passed as arguments to a function which in turn
+   * invokes `cb`, passing `arg` as its `i`th argument. `arg` flows along a path summarized
+   * by `summary`, while `cb` is only tracked locally.
+   */
+  private predicate higherOrderCall(
+    DataFlow::Node arg, DataFlow::Node cb, int i, PathSummary summary
+  ) {
+    exists (Function f, DataFlow::InvokeNode outer, DataFlow::InvokeNode inner |
+      reachableFromInput(f, outer, arg, inner.getArgument(i), summary) and
+      argumentPassing(outer, cb, f, inner.getCalleeNode().getALocalSource())
+    )
+  }
+
   /**
    * Holds if `pred` is passed as an argument to a function `f` which also takes a
    * callback parameter `cb` and then invokes `cb`, passing `pred` into parameter `succ`
-   * of `cb`.
+   * of `cb`. `arg` flows along a path summarized by `summary`, while `cb` is only tracked
+   * locally.
    */
   private predicate flowIntoHigherOrderCall(
     DataFlow::Node pred, DataFlow::Node succ, PathSummary summary
   ) {
     exists(
-      Function f, DataFlow::InvokeNode fCall, DataFlow::Node fArg, DataFlow::FunctionNode cb,
-      DataFlow::InvokeNode cbCall, int i, PathSummary oldSummary
+      DataFlow::Node fArg, DataFlow::FunctionNode cb,
+      int i, PathSummary oldSummary
     |
-      reachableFromInput(f, fCall, pred, cbCall.getArgument(i), oldSummary) and
-      argumentPassing(fCall, fArg, f, cbCall.getCalleeNode().getALocalSource()) and
+      higherOrderCall(pred, fArg, i, oldSummary) and
       cb = fArg.getALocalSource() and
       succ = cb.getParameter(i) and
       summary = oldSummary.append(PathSummary::call())