Update javascript/ql/src/experimental/Security/CWE-090/LdapInjectionCustomizations.qll

dellalibera · erik-krogh · web-flow · commit b86b9ba510cb · 2020-09-01T21:00:21.000+02:00
Co-authored-by: Erik Krogh Kristensen &lt;erik-krogh@github.com&gt;
diff --git a/javascript/ql/src/experimental/Security/CWE-090/LdapInjectionCustomizations.qll b/javascript/ql/src/experimental/Security/CWE-090/LdapInjectionCustomizations.qll
@@ -39,26 +39,16 @@ module LdapInjection {
    * An LDAP filter for an API call that executes an operation against the LDAP server.
    */
   class LdapjsSearchFilterAsSink extends Sink, LdapjsSearchFilter {
-    override DataFlow::Node getQueryCall() {
-      exists(LdapjsClientAPICall call | result = call.getCalleeNode() |
-        this =
-          call
-              .getArgument(1)
-              .getALocalSource()
-              .(DataFlow::SourceNode)
-              .getAPropertyWrite("filter")
-              .getRhs()
-      )
+    override DataFlow::InvokeNode getQueryCall() {
+      result = this.(LdapjsSearchFilter).getQueryCall()
     }
   }
 
   /**
    * An LDAP DN argument for an API call that executes an operation against the LDAP server.
    */
   class LdapjsDNArgumentAsSink extends Sink, LdapjsDNArgument {
-    override DataFlow::Node getQueryCall() {
-      exists(LdapjsClientAPICall call | result = call.getCalleeNode() | this = call.getArgument(0))
-    }
+    override DataFlow::InvokeNode getQueryCall() { result = this.(LdapjsDNArgument).getQueryCall() }
   }
 
   /**
