Python: Get rid of deprecated terms in code and .qhelp.

python/ql/src/Classes/ConflictingAttributesInBaseClasses.ql

@@ -31,8 +31,8 @@ predicate calls_super(FunctionObject f) {
     )
 }
 
-/** Holds if the given name is white-listed for some reason */
-predicate whitelisted(string name) {
+/** Holds if the given name is allowed for some reason */
+predicate allowed(string name) {
     /*
      * The standard library specifically recommends this :(
      * See https://docs.python.org/3/library/socketserver.html#asynchronous-mixins
@@ -53,7 +53,7 @@ where
     not name.matches("\\_\\_%\\_\\_") and
     not calls_super(o1) and
     not does_nothing(o2) and
-    not whitelisted(name) and
+    not allowed(name) and
     not o1.overrides(o2) and
     not o2.overrides(o1) and
     not c.declaresAttribute(name)

python/ql/src/Metrics/FLinesOfDuplicatedCode.ql

@@ -20,7 +20,7 @@ where
         count(int line |
             exists(DuplicateBlock d | d.sourceFile() = f |
                 line in [d.sourceStartLine() .. d.sourceEndLine()] and
-                not whitelistedLineForDuplication(f, line)
+                not allowlistedLineForDuplication(f, line)
             )
         )
 select f, n order by n desc

python/ql/src/Metrics/FLinesOfSimilarCode.ql

@@ -20,7 +20,7 @@ where
         count(int line |
             exists(SimilarBlock d | d.sourceFile() = f |
                 line in [d.sourceStartLine() .. d.sourceEndLine()] and
-                not whitelistedLineForDuplication(f, line)
+                not allowlistedLineForDuplication(f, line)
             )
         )
 select f, n order by n desc

python/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qhelp

@@ -68,7 +68,7 @@
         <p>
 
             The second two examples show safe checks.
-            In <code>safe1</code>, a white-list is used. Although fairly inflexible,
+            In <code>safe1</code>, an allowlist is used. Although fairly inflexible,
             this is easy to get right and is most likely to be safe.
         </p>
         <p>

python/ql/src/Security/CWE-020/examples/IncompleteUrlSubstringSanitization.py

@@ -21,16 +21,16 @@ def unsafe2(request):
 
 
 
-#Simplest and safest approach is to use a white-list
+#Simplest and safest approach is to use an allowlist
 
 @app.route('/some/path/good1')
 def safe1(request):
-    whitelist = [
+    allowlist = [
         "example.com/home",
         "example.com/login",
     ]
     target = request.args.get('target', '')
-    if target in whitelist:
+    if target in allowlist:
         return redirect(target)
 
 #More complex example allowing sub-domains.

python/ql/src/Security/CWE-022/PathInjection.qhelp

@@ -26,7 +26,7 @@ Ideally, follow these rules:
 <li>Do not allow directory separators such as "/" or "\" (depending on the file system).</li>
 <li>Do not rely on simply replacing problematic sequences such as "../". For example, after
 applying this filter to ".../...//", the resulting string would still be "../".</li>
-<li>Use a whitelist of known good patterns.</li>
+<li>Use an allowlist of known good patterns.</li>
 </ul>
 </recommendation>
 

python/ql/src/Security/CWE-078/CommandInjection.qhelp

@@ -25,7 +25,7 @@ safe before using it.</p>
 
 <p>The following example shows two functions. The first is unsafe as it takes a shell script that can be changed
 by a user, and passes it straight to <code>subprocess.call()</code> without examining it first. 
-The second is safe as it selects the command from a predefined white-list.</p>
+The second is safe as it selects the command from a predefined allowlist.</p>
 
 <sample src="examples/command_injection.py" />
 

python/ql/src/Security/CWE-078/examples/command_injection.py

@@ -19,5 +19,5 @@ def command_execution_unsafe(request):
 def command_execution_safe(request):
     if request.method == 'POST':
         action = request.POST.get('action', '')
-        #GOOD -- Use a whitelist
+        #GOOD -- Use an allowlist
         subprocess.call(["application", COMMANDS[action]])

python/ql/src/Variables/ShadowBuiltin.ql

@@ -16,7 +16,7 @@ import python
 import Shadowing
 import semmle.python.types.Builtins
 
-predicate white_list(string name) {
+predicate allow_list(string name) {
     /* These are rarely used and thus unlikely to be confusing */
     name = "iter" or
     name = "next" or
@@ -51,7 +51,7 @@ predicate shadows(Name d, string name, Function scope, int line) {
     ) and
     d.getScope() = scope and
     d.getLocation().getStartLine() = line and
-    not white_list(name) and
+    not allow_list(name) and
     not optimizing_parameter(d)
 }
 

python/ql/src/external/CodeDuplication.qll

@@ -268,6 +268,6 @@ predicate similarScopes(Scope s, Scope other, float percent, string message) {
  * Holds if the line is acceptable as a duplicate.
  * This is true for blocks of import statements.
  */
-predicate whitelistedLineForDuplication(File f, int line) {
+predicate allowlistedLineForDuplication(File f, int line) {
     exists(ImportingStmt i | i.getLocation().getFile() = f and i.getLocation().getStartLine() = line)
 }

python/ql/test/query-tests/Security/CWE-020/urltest.py

@@ -17,16 +17,16 @@ def unsafe2(request):
 
 
 
-#Simplest and safest approach is to use a white-list
+#Simplest and safest approach is to use an allowlist
 
 @app.route('/some/path/good1')
 def safe1(request):
-    whitelist = [
+    allowlist = [
         "example.com/home",
         "example.com/login",
     ]
     target = request.args.get('target', '')
-    if target in whitelist:
+    if target in allowlist:
         return redirect(target)
 
 #More complex example allowing sub-domains.