I'm confused by what you've done with this class.

It seems to me that you've changed the behavior of the first case (pasted below) in this "refactoring" commit.

NodeJSLib::Path::moduleMember(["dirname", "toNamespacedPath", "parse", "format"]).getACall() and
input = this.getAnArgument() and
output = this

This class was used in the isPosixPathStep predicate to just forward a step while preserving the flow-labels.

It seems to me that you've changed it.

The "dirname" and "format" case is in the PreservingPathCall class, with the same behavior.
The "toNamespacedPath" case is in ToNamespacedPathCall, with the same behavior.

But the "parse" case is in a new class ParseCall with different behavior.
You've added some property checks based on ["root", "dir"]

I don't think that check works, but that's another matter. (CallNode::getALocalUse() can never be a PropRead).

Sorry this reply took so long, I got really bogged down with other work and then time off.

What I tried to do here was to track through parse more precisely (it gives you an object which contains the root, dir, extension, baseName of a path). In principle, we may add more precise tracking of those individual properties — but that's neither a refactoring, nor what this PR really needs to be adding.

As the PR big enough on its own, I've amend the refactoring PR to remove the class ParseCall altogether (https://github.com/github/codeql/compare/7193fd691a391fb2f27db708b7877c648f797589..8b817fe555a0fdee7caed60ba44be1fc11ac39b7) and moved parse back to its friends dirname and format.

Thank you 👍

This should be part of PreservingPathCall (like it was before).

?

I think you should just inline this predicate into the place it's used.
With your refactoring the predicate has become a predicate for taint-steps that originate from some call, which is not reflected in the name/qldoc.

I think all of these utility predicates should preserve the platform
(add this.getPlatform() = result.getPlatform() to toNormalized, toNonNormalized, toAbsolute, toRelative`).

I think your NormalizingPathCall doesn't preserve the platform due to you not preserving the platform in these utility predicates.
(The rest look OK).

Note to self: add this as an example to the ql/redundant-import ticket.

I would like a test of which taint-flows are only an issue on Windows.

I've written it for you here:

import javascript
import semmle.javascript.security.dataflow.TaintedPathQuery

// TODO: Move this to TaintedWindowsPathQuery.qll?
class Win32Platform extends Path::Platform {
  Win32Platform() { this = Path::platformWin32() }

  override string getSep() { result = "\\" }
}

from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where
  cfg.hasFlowPath(source, sink) and
  sink.getFlowLabel().(Path::PathLabel).getPlatform() = Path::platformWin32() and
  not sink.getFlowLabel().(Path::PathLabel).getPlatform() = Path::platformPosix()
select source, sink

It detects that express.js:27 is only an issue on windows (as expected).
But it doesn't flag express.js:35. I haven't looked into why.

Could you move this test to the Windows-path test folder?
With the test I suggested we can actually test that req.files.foo.mv(p) is only flagged by the windows query.