From 4e67ec19d05a74ec22bb6fb1608dec561a3bd294 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen
Date: Mon, 28 Nov 2022 16:14:38 +0100
Subject: [PATCH] Python: Adjust alert text of `py/pam-auth-bypass`
---
 python/ql/src/Security/CWE-285/PamAuthorization.ql | 3 ++-
 .../CWE-285-PamAuthorization/PamAuthorization.expected | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/python/ql/src/Security/CWE-285/PamAuthorization.ql b/python/ql/src/Security/CWE-285/PamAuthorization.ql
index 399e98ea323..3093bcf21d5 100644
--- a/python/ql/src/Security/CWE-285/PamAuthorization.ql
+++ b/python/ql/src/Security/CWE-285/PamAuthorization.ql
@@ -18,4 +18,5 @@ import semmle.python.security.dataflow.PamAuthorizationQuery
 from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
 where config.hasFlowPath(source, sink)
 select sink.getNode(), source, sink,
- "This PAM authentication call may lead to an authorization bypass, since `pam_acct_mgmt` is not called afterwards."
+ "This PAM authentication depends on a $@, and `pam_acct_mgmt` is not called afterwards.",
+ source.getNode(), "user-provided value"
diff --git a/python/ql/test/query-tests/Security/CWE-285-PamAuthorization/PamAuthorization.expected b/python/ql/test/query-tests/Security/CWE-285-PamAuthorization/PamAuthorization.expected
index 55fdfa9795c..d2abf9a88ea 100644
--- a/python/ql/test/query-tests/Security/CWE-285-PamAuthorization/PamAuthorization.expected
+++ b/python/ql/test/query-tests/Security/CWE-285-PamAuthorization/PamAuthorization.expected
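Review bot: The new link label `"user-provided value"` on the last added line of this hunk does not match what the path's source actually is in the updated expected output of the second hunk, where the `$@` target is `pam_test.py:4:26:4:32 | ControlFlowNode for ImportMember` — an import, not user input. Unless the sources of `Configuration` (defined in the PamAuthorizationQuery module, outside this patch) are genuinely user-controlled data, the label should name the real source, e.g. the imported PAM binding, so the rendered alert does not claim a taint origin the query never tracks; I cannot see the source definition from here, so this needs confirming against that module. The rewrite also drops the stated consequence, so a reader of the alert alone no longer learns why the missing `pam_acct_mgmt` call matters; keeping it as a trailing clause, `"This PAM authentication depends on a $@, and `pam_acct_mgmt` is not called afterwards, which may allow an authorization bypass."`, keeps the message self-explanatory without the query help. Whatever wording is chosen here must be mirrored in the `.expected` line of the second hunk.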
@@ -13,4 +13,4 @@ nodes
 | pam_test.py:76:14:76:40 | ControlFlowNode for pam_authenticate() | semmle.label | ControlFlowNode for pam_authenticate() |
 subpaths
 #select
-| pam_test.py:76:14:76:40 | ControlFlowNode for pam_authenticate() | pam_test.py:4:26:4:32 | ControlFlowNode for ImportMember | pam_test.py:76:14:76:40 | ControlFlowNode for pam_authenticate() | This PAM authentication call may lead to an authorization bypass, since `pam_acct_mgmt` is not called afterwards. |
+| pam_test.py:76:14:76:40 | ControlFlowNode for pam_authenticate() | pam_test.py:4:26:4:32 | ControlFlowNode for ImportMember | pam_test.py:76:14:76:40 | ControlFlowNode for pam_authenticate() | This PAM authentication depends on a $@, and `pam_acct_mgmt` is not called afterwards. | pam_test.py:4:26:4:32 | ControlFlowNode for ImportMember | user-provided value |