Rename empty-string sanitizer to reflect what it actually does.

2025-12-17 01:03:14 +01:00 · 2022-06-02 15:10:02 +01:00
parent bfbc1d48b7
commit 3155771abe
1 changed files with 9 additions and 3 deletions
--- a/go/ql/src/experimental/CWE-321/HardcodedKeysLib.qll
+++ b/go/ql/src/experimental/CWE-321/HardcodedKeysLib.qll
@@ -165,9 +165,15 @@ module HardcodedKeys {
    }
  }

-  /** Mark an empty string returned with an error as a sanitizer */
-  private class EmptyErrorSanitizer extends Sanitizer {
-    EmptyErrorSanitizer() {
+  /**
+   * Marks anything returned with an error as a sanitized.
+   *
+   * Typically this means contexts like `return "", errors.New("Oh no")`,
+   * where we can be reasonably confident downstream users won't mistake
+   * that empty string for a usable key.
+   */
+  private class ReturnedAlongsideErrorSanitizer extends Sanitizer {
+    ReturnedAlongsideErrorSanitizer() {
      exists(ReturnStmt r, DataFlow::CallNode c |
        c.getTarget().hasQualifiedName("errors", "New") and
        r.getNumChild() > 1 and