Python: Get rid of deprecated terms in code and .qhelp.

2026-04-30 11:15:13 +02:00 · 2020-06-19 16:51:09 +02:00
parent 2081d0cecc
commit 01fb1e3786
11 changed files with 18 additions and 18 deletions
--- a/python/ql/src/Classes/ConflictingAttributesInBaseClasses.ql
+++ b/python/ql/src/Classes/ConflictingAttributesInBaseClasses.ql
@@ -31,8 +31,8 @@ predicate calls_super(FunctionObject f) {
    )
 }

-/** Holds if the given name is white-listed for some reason */
-predicate whitelisted(string name) {
+/** Holds if the given name is allowed for some reason */
+predicate allowed(string name) {
    /*
     * The standard library specifically recommends this :(
     * See https://docs.python.org/3/library/socketserver.html#asynchronous-mixins
@@ -53,7 +53,7 @@ where
    not name.matches("\\_\\_%\\_\\_") and
    not calls_super(o1) and
    not does_nothing(o2) and
-    not whitelisted(name) and
+    not allowed(name) and
    not o1.overrides(o2) and
    not o2.overrides(o1) and
    not c.declaresAttribute(name)
--- a/python/ql/src/Metrics/FLinesOfDuplicatedCode.ql
+++ b/python/ql/src/Metrics/FLinesOfDuplicatedCode.ql
@@ -20,7 +20,7 @@ where
        count(int line |
            exists(DuplicateBlock d | d.sourceFile() = f |
                line in [d.sourceStartLine() .. d.sourceEndLine()] and
-                not whitelistedLineForDuplication(f, line)
+                not allowlistedLineForDuplication(f, line)
            )
        )
 select f, n order by n desc
--- a/python/ql/src/Metrics/FLinesOfSimilarCode.ql
+++ b/python/ql/src/Metrics/FLinesOfSimilarCode.ql
@@ -20,7 +20,7 @@ where
        count(int line |
            exists(SimilarBlock d | d.sourceFile() = f |
                line in [d.sourceStartLine() .. d.sourceEndLine()] and
-                not whitelistedLineForDuplication(f, line)
+                not allowlistedLineForDuplication(f, line)
            )
        )
 select f, n order by n desc
--- a/python/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qhelp
+++ b/python/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qhelp
@@ -68,7 +68,7 @@
        <p>

            The second two examples show safe checks.
-            In <code>safe1</code>, a white-list is used. Although fairly inflexible,
+            In <code>safe1</code>, an allowlist is used. Although fairly inflexible,
            this is easy to get right and is most likely to be safe.
        </p>
        <p>
--- a/python/ql/src/Security/CWE-020/examples/IncompleteUrlSubstringSanitization.py
+++ b/python/ql/src/Security/CWE-020/examples/IncompleteUrlSubstringSanitization.py
@@ -21,16 +21,16 @@ def unsafe2(request):



-#Simplest and safest approach is to use a white-list
+#Simplest and safest approach is to use an allowlist

@app.route('/some/path/good1')
 def safe1(request):
-    whitelist = [
+    allowlist = [
        "example.com/home",
        "example.com/login",
    ]
    target = request.args.get('target', '')
-    if target in whitelist:
+    if target in allowlist:
        return redirect(target)

 #More complex example allowing sub-domains.
--- a/python/ql/src/Security/CWE-022/PathInjection.qhelp
+++ b/python/ql/src/Security/CWE-022/PathInjection.qhelp
@@ -26,7 +26,7 @@ Ideally, follow these rules:
 <li>Do not allow directory separators such as "/" or "\" (depending on the file system).</li>
 <li>Do not rely on simply replacing problematic sequences such as "../". For example, after
 applying this filter to ".../...//", the resulting string would still be "../".</li>
-<li>Use a whitelist of known good patterns.</li>
+<li>Use an allowlist of known good patterns.</li>
 </ul>
 </recommendation>

--- a/python/ql/src/Security/CWE-078/CommandInjection.qhelp
+++ b/python/ql/src/Security/CWE-078/CommandInjection.qhelp
@@ -25,7 +25,7 @@ safe before using it.</p>

 <p>The following example shows two functions. The first is unsafe as it takes a shell script that can be changed
 by a user, and passes it straight to <code>subprocess.call()</code> without examining it first. 
-The second is safe as it selects the command from a predefined white-list.</p>
+The second is safe as it selects the command from a predefined allowlist.</p>

 <sample src="examples/command_injection.py" />

--- a/python/ql/src/Security/CWE-078/examples/command_injection.py
+++ b/python/ql/src/Security/CWE-078/examples/command_injection.py
@@ -19,5 +19,5 @@ def command_execution_unsafe(request):
 def command_execution_safe(request):
    if request.method == 'POST':
        action = request.POST.get('action', '')
-        #GOOD -- Use a whitelist
+        #GOOD -- Use an allowlist
        subprocess.call(["application", COMMANDS[action]])
--- a/python/ql/src/Variables/ShadowBuiltin.ql
+++ b/python/ql/src/Variables/ShadowBuiltin.ql
@@ -16,7 +16,7 @@ import python
 import Shadowing
 import semmle.python.types.Builtins

-predicate white_list(string name) {
+predicate allow_list(string name) {
    /* These are rarely used and thus unlikely to be confusing */
    name = "iter" or
    name = "next" or
@@ -51,7 +51,7 @@ predicate shadows(Name d, string name, Function scope, int line) {
    ) and
    d.getScope() = scope and
    d.getLocation().getStartLine() = line and
-    not white_list(name) and
+    not allow_list(name) and
    not optimizing_parameter(d)
 }

--- a/python/ql/src/external/CodeDuplication.qll
+++ b/python/ql/src/external/CodeDuplication.qll
@@ -268,6 +268,6 @@ predicate similarScopes(Scope s, Scope other, float percent, string message) {
 * Holds if the line is acceptable as a duplicate.
 * This is true for blocks of import statements.
 */
-predicate whitelistedLineForDuplication(File f, int line) {
+predicate allowlistedLineForDuplication(File f, int line) {
    exists(ImportingStmt i | i.getLocation().getFile() = f and i.getLocation().getStartLine() = line)
 }