diff --git a/ql/lib/semmle/go/frameworks/SystemCommandExecutors.qll b/ql/lib/semmle/go/frameworks/SystemCommandExecutors.qll
index 5b0f8cb2022..c2d9929fa54 100644
--- a/ql/lib/semmle/go/frameworks/SystemCommandExecutors.qll
+++ b/ql/lib/semmle/go/frameworks/SystemCommandExecutors.qll
@@ -38,7 +38,7 @@ private class SystemCommandExecutors extends SystemCommandExecution::Range, Data
 // NOTE: syscall.ForkExec exists only on unix.
 // NOTE: syscall.CreateProcess and syscall.CreateProcessAsUser exist only on windows.
 pkg = "syscall" and
- (name = "Exec" or name = "ForkExec" or name = "StartProcess" or name = "CreateProcess") and
+ name = ["Exec", "ForkExec", "StartProcess", "CreateProcess"] and
 cmdArg = 0
 or
 pkg = "syscall" and
@@ -93,13 +93,7 @@ module CryptoSsh {
 SshCommandExecution() {
 // Catch method calls on the `Session` object:
 exists(Method method, string methodName |
- methodName = "CombinedOutput"
- or
- methodName = "Output"
- or
- methodName = "Run"
- or
- methodName = "Start"
+ methodName = ["CombinedOutput", "Output", "Run", "Start"]
 |
 method.hasQualifiedName(packagePath(), "Session", methodName) and
 this = method.getACall()
@@ -217,9 +211,7 @@ private predicate isProgrammingLanguageCli(DataFlow::Node node) {
 )
 }
 
-private string getASshCommand() {
- result = "ssh" or result = "ssh-argv0" or result = "putty.exe" or result = "kitty.exe"
-}
+private string getASshCommand() { result = ["ssh", "ssh-argv0", "putty.exe", "kitty.exe"] }
 
 /**
 * A data-flow node whose string value might refer to an SSH client or similar, whose arguments can be
diff --git a/ql/lib/semmle/go/security/OpenUrlRedirectCustomizations.qll b/ql/lib/semmle/go/security/OpenUrlRedirectCustomizations.qll
index c8b23ac0e66..429bb9ecbf9 100644
--- a/ql/lib/semmle/go/security/OpenUrlRedirectCustomizations.qll
+++ b/ql/lib/semmle/go/security/OpenUrlRedirectCustomizations.qll
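Review bot: In the first hunk of SystemCommandExecutors.qll, the `syscall` disjunct groups `CreateProcess` with `Exec`, `ForkExec` and `StartProcess` under `cmdArg = 0`, so only its `appName` argument is modelled as the command. Go's `syscall.CreateProcess` takes the command line as its second argument, so tainted data reaching argument 1 would presumably go unreported unless another disjunct covers it. The predicate continues outside the hunk, so this may already be handled there; if not, consider adding `or pkg = "syscall" and name = "CreateProcess" and cmdArg = 1`.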
@@ -126,7 +126,7 @@ private class SafeUrlSink extends SafeUrlFlow::Sink {
 private class UnsafeFieldReadSanitizer extends SafeUrlFlow::SanitizerEdge {
 UnsafeFieldReadSanitizer() {
 exists(DataFlow::FieldReadNode frn, string name |
- (name = "User" or name = "RawQuery" or name = "Fragment" or name = "User") and
+ name = ["User", "RawQuery", "Fragment", "User"] and
 frn.getField().hasQualifiedName("net/url", "URL")
 |
 this = frn.getBase()
diff --git a/ql/lib/semmle/go/security/SensitiveActions.qll b/ql/lib/semmle/go/security/SensitiveActions.qll
index b097373006f..a0b18f152e6 100644
--- a/ql/lib/semmle/go/security/SensitiveActions.qll
+++ b/ql/lib/semmle/go/security/SensitiveActions.qll
@@ -85,7 +85,7 @@ module SensitiveExpr {
 * Instead, use the predicates below to work with classifications.
 */
 class Classification extends string {
- Classification() { this = "secret" or this = "id" or this = "password" or this = "certificate" }
+ Classification() { this = ["secret", "id", "password", "certificate"] }
 }
 
 /** Gets the classification for secret or trusted data. */
diff --git a/ql/src/experimental/CWE-327/CryptoLibraries.qll b/ql/src/experimental/CWE-327/CryptoLibraries.qll
index 084e971fdeb..6db266273b5 100644
--- a/ql/src/experimental/CWE-327/CryptoLibraries.qll
+++ b/ql/src/experimental/CWE-327/CryptoLibraries.qll
@@ -48,10 +48,7 @@ private module AlgorithmNames {
 }
 
 predicate isStrongPasswordHashingAlgorithm(string name) {
- name = "ARGON2" or
- name = "PBKDF2" or
- name = "BCRYPT" or
- name = "SCRYPT"
+ name = ["ARGON2", "PBKDF2", "BCRYPT", "SCRYPT"]
 }
 
 predicate isWeakPasswordHashingAlgorithm(string name) { none() }
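Review bot: In `UnsafeFieldReadSanitizer` (OpenUrlRedirectCustomizations.qll), `name` is bound to the field list but never used in the visible lines, since `frn.getField().hasQualifiedName("net/url", "URL")` does not mention it. The list therefore does not restrict which field reads are matched, and the sanitizer edge may not fire on `User`, `RawQuery` or `Fragment` reads as intended. That would presumably let the safe-URL flow continue through those reads and hide open-redirect results. The set literal also carries over the duplicate `"User"`. Suggest `name = ["User", "RawQuery", "Fragment"] and` followed by `frn.getField().hasQualifiedName("net/url", "URL", name)`; the characteristic predicate's closing lines are outside the hunk.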
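Review bot: `isStrongPasswordHashingAlgorithm` in CryptoLibraries.qll has no QLDoc, and it classifies by comparing against exact upper-case names only, while `isWeakPasswordHashingAlgorithm` is `none()` in the context line below it. A reader could take "strong" to cover configuration too, but a name match says nothing about parameters such as the PBKDF2 iteration count or the bcrypt cost. Suggest adding above the predicate: `/** Holds if name is the upper-case name of a password hashing algorithm considered strong; parameters such as iteration count or cost are not checked. */`.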