Make predicates containing query logic more self-contained

Author: owen-mc

actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll

@@ -93,23 +93,29 @@ private module CodeInjectionConfig implements DataFlow::ConfigSig {
 module CodeInjectionFlow = TaintTracking::Global<CodeInjectionConfig>;
 
 /**
- * Holds if the flow from `source` to `sink` has critical severity and they are
- * linked by `event`.
+ * Holds if there is a code injection flow from `source` to `sink` with
+ * critical severity, linked by `event`.
  */
-pragma[inline]
-predicate criticalSeverity(DataFlow::Node source, DataFlow::Node sink, Event event) {
-  event = getRelevantCriticalEventForSink(sink) and
-  source.(RemoteFlowSource).getEventName() = event.getName()
+predicate criticalSeverityCodeInjection(
+  CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, Event event
+) {
+  CodeInjectionFlow::flowPath(source, sink) and
+  event = getRelevantCriticalEventForSink(sink.getNode()) and
+  source.getNode().(RemoteFlowSource).getEventName() = event.getName()
 }
 
-/** Holds if the flow from `source` to `sink` has medium severity. */
-pragma[inline]
-predicate mediumSeverity(DataFlow::Node source, DataFlow::Node sink) {
-  not criticalSeverity(source, sink, _) and
+/**
+ * Holds if there is a code injection flow from `source` to `sink` with medium severity.
+ */
+predicate mediumSeverityCodeInjection(
+  CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink
+) {
+  CodeInjectionFlow::flowPath(source, sink) and
+  not criticalSeverityCodeInjection(source, sink, _) and
   // exclude cases where the sink is a JS script and the expression uses toJson
   not exists(UsesStep script |
     script.getCallee() = "actions/github-script" and
-    script.getArgumentExpr("script") = sink.asExpr() and
-    exists(getAToJsonReferenceExpression(sink.asExpr().(Expression).getExpression(), _))
+    script.getArgumentExpr("script") = sink.getNode().asExpr() and
+    exists(getAToJsonReferenceExpression(sink.getNode().asExpr().(Expression).getExpression(), _))
   )
 }

actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql

@@ -20,9 +20,7 @@ import CodeInjectionFlow::PathGraph
 import codeql.actions.security.ControlChecks
 
 from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, Event event
-where
-  CodeInjectionFlow::flowPath(source, sink) and
-  criticalSeverity(source.getNode(), sink.getNode(), event)
+where criticalSeverityCodeInjection(source, sink, event)
 select sink.getNode(), source, sink,
   "Potential code injection in $@, which may be controlled by an external user ($@).", sink,
   sink.getNode().asExpr().(Expression).getRawExpression(), event, event.getName()

actions/ql/src/Security/CWE-094/CodeInjectionMedium.ql

@@ -19,9 +19,7 @@ import codeql.actions.security.CodeInjectionQuery
 import CodeInjectionFlow::PathGraph
 
 from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink
-where
-  CodeInjectionFlow::flowPath(source, sink) and
-  mediumSeverity(source.getNode(), sink.getNode())
+where mediumSeverityCodeInjection(source, sink)
 select sink.getNode(), source, sink,
   "Potential code injection in $@, which may be controlled by an external user.", sink,
   sink.getNode().asExpr().(Expression).getRawExpression()