add comment about parameters named "code"

2026-04-29 10:45:15 +02:00 · 2021-05-13 17:49:17 +02:00
parent 53315e6ab6
commit 681179dcbb
1 changed files with 1 additions and 0 deletions
--- a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeCodeConstructionCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeCodeConstructionCustomizations.qll
@@ -24,6 +24,7 @@ module UnsafeCodeConstruction {
  class ExternalInputSource extends Source, DataFlow::ParameterNode {
    ExternalInputSource() {
      this = Exports::getALibraryInputParameter() and
+      // permit parameters that clearly are intended to contain executable code.
      not this.getName() = "code"
    }
  }