More Feedback integration

java/ql/src/Security/CWE/CWE-346/UnvalidatedCors.qhelp

@@ -48,7 +48,7 @@
 		the <code>Access-Control-Allow-Origin</code> header when the
 		<code>Access-Control-Allow-Credentials</code> header value is
 		<code>true</code>.This can be done using a sandboxed iframe. A more detailed
-		explanation is available in the portswigger blogpost.
+		explanation is available in the portswigger blogpost referenced below.
 
 	</p>
 </recommendation>

java/ql/src/Security/CWE/CWE-346/UnvalidatedCors.ql

@@ -19,6 +19,10 @@ import DataFlow::PathGraph
  *  Holds if `header` sets `Access-Control-Allow-Credentials` to `true`. This ensures fair chances of exploitability.
  */
 private predicate setsAllowCredentials(MethodAccess header) {
+  (
+    header.getMethod() instanceof ResponseSetHeaderMethod or
+    header.getMethod() instanceof ResponseAddHeaderMethod
+  ) and
   header.getArgument(0).(CompileTimeConstantExpr).getStringValue().toLowerCase() =
     "access-control-allow-credentials" and
   header.getArgument(1).(CompileTimeConstantExpr).getStringValue() = "true"
@@ -39,10 +43,6 @@ class CorsOriginConfig extends TaintTracking::Configuration {
         corsheader.getMethod() instanceof ResponseSetHeaderMethod or
         corsheader.getMethod() instanceof ResponseAddHeaderMethod
       ) and
-      (
-        allowcredentialsheader.getMethod() instanceof ResponseSetHeaderMethod or
-        allowcredentialsheader.getMethod() instanceof ResponseAddHeaderMethod
-      ) and
       getAccessControlAllowOriginHeaderName() = corsheader.getArgument(0) and
       setsAllowCredentials(allowcredentialsheader) and
       corsheader.getEnclosingCallable() = allowcredentialsheader.getEnclosingCallable() and

java/ql/test/stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/StringUtils.java

@@ -2,6 +2,6 @@ package org.apache.commons.lang3;
 
 public class StringUtils {
     public static boolean isEmpty(final CharSequence cs) {
-        return cs == null || cs.length() == 0;
+        return true;
     }
 }