Apply suggestions from code review

Co-authored-by: Asger F <asgerf@github.com>
2020-05-18 12:18:20 +02:00 · 2020-05-18 12:18:20 +02:00 · 9c294513c7
--- a/javascript/ql/src/Security/CWE-078/UnsafeShellCommandConstruction.qhelp
+++ b/javascript/ql/src/Security/CWE-078/UnsafeShellCommandConstruction.qhelp
@ -8,7 +8,7 @@
 		Dynamically constructing a shell command with inputs from exported 
 		functions, may inadvertently change the meaning of the shell command.
 		
-		Clients using the exported function may use inputs that contains
+		Clients using the exported function may use inputs containing
 		characters that the shell interprets in a special way, for instance
 		quotes and spaces.

--- a/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
@ -779,7 +779,7 @@ module TaintTracking {
  class AdHocWhitelistCheckSanitizer extends SanitizerGuardNode, DataFlow::CallNode {
    AdHocWhitelistCheckSanitizer() {
      getCalleeName()
-          .regexpMatch("(?i).*((?<!un)safe|whitelist|valid|allow|(?<!un)auth(?!or\\b)).*") and
+          .regexpMatch("(?i).*((?<!un)safe|whitelist|(?<!in)valid|allow|(?<!un)auth(?!or\\b)).*") and
      getNumArgument() = 1
    }

--- a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeShellCommandConstruction.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeShellCommandConstruction.qll
@ -19,7 +19,7 @@ module UnsafeShellCommandConstruction {
   * A taint-tracking configuration for reasoning about shell command constructed from library input vulnerabilities.
   */
  class Configuration extends TaintTracking::Configuration {
-    Configuration() { this = "UnsafeLibaryCommandInjection" }
+    Configuration() { this = "UnsafeShellCommandConstruction" }

    override predicate isSource(DataFlow::Node source) { source instanceof Source }

--- a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionCustomizations.qll
@ -34,7 +34,7 @@ module UnsafeShellCommandConstruction {

    /**
     * Gets the node that should be highlighted for this sink.
-     * E.g. for a string concatenation, the sink is one of the leafs and the highlight is the concatenation root.
+     * E.g. for a string concatenation, the sink is one of the leaves and the highlight is the concatenation root.
     */
    abstract DataFlow::Node getHighLight();
  }