run the use-set-literals patch

2026-01-29 14:23:03 +01:00 · 2021-12-20 17:55:19 +01:00
parent d339f13629
commit afe7ee17a0
8 changed files with 49 additions and 161 deletions
--- a/ql/lib/semmle/go/concepts/GeneratedFile.qll
+++ b/ql/lib/semmle/go/concepts/GeneratedFile.qll
@@ -13,15 +13,15 @@ module GeneratedFile {
  abstract class Range extends File { }

  private string generatorCommentRegex() {
-    result = "Generated By\\b.*\\bDo not edit" or
    result =
-      "This (file|class|interface|art[ei]fact) (was|is|(has been)) (?:auto[ -]?)?gener(e?)ated" or
-    result = "Any modifications to this file will be lost" or
-    result =
-      "This (file|class|interface|art[ei]fact) (was|is) (?:mechanically|automatically) generated" or
-    result = "The following code was (?:auto[ -]?)?generated (?:by|from)" or
-    result = "Autogenerated by Thrift" or
-    result = "(Code g|G)enerated from .* by ANTLR"
+      [
+        "Generated By\\b.*\\bDo not edit",
+        "This (file|class|interface|art[ei]fact) (was|is|(has been)) (?:auto[ -]?)?gener(e?)ated",
+        "Any modifications to this file will be lost",
+        "This (file|class|interface|art[ei]fact) (was|is) (?:mechanically|automatically) generated",
+        "The following code was (?:auto[ -]?)?generated (?:by|from)", "Autogenerated by Thrift",
+        "(Code g|G)enerated from .* by ANTLR"
+      ]
  }

  private class CommentHeuristicGeneratedFile extends Range {
--- a/ql/lib/semmle/go/frameworks/SQL.qll
+++ b/ql/lib/semmle/go/frameworks/SQL.qll
@@ -143,15 +143,7 @@ module SQL {
          or
          exists(string tp, string m | f.(Method).hasQualifiedName(gopgorm(), tp, m) |
            tp = "Query" and
-            (
-              m = "ColumnExpr" or
-              m = "For" or
-              m = "Having" or
-              m = "Where" or
-              m = "WhereIn" or
-              m = "WhereInMulti" or
-              m = "WhereOr"
-            ) and
+            m = ["ColumnExpr", "For", "Having", "Where", "WhereIn", "WhereInMulti", "WhereOr"] and
            arg = 0
            or
            tp = "Query" and
--- a/ql/lib/semmle/go/frameworks/Stdlib.qll
+++ b/ql/lib/semmle/go/frameworks/Stdlib.qll
@@ -174,11 +174,7 @@ module URL {
  class UrlGetter extends TaintTracking::FunctionModel, Method {
    UrlGetter() {
      exists(string m | hasQualifiedName("net/url", "URL", m) |
-        m = "EscapedPath" or
-        m = "Hostname" or
-        m = "Port" or
-        m = "Query" or
-        m = "RequestURI"
+        m = ["EscapedPath", "Hostname", "Port", "Query", "RequestURI"]
      )
    }

--- a/ql/lib/semmle/go/frameworks/SystemCommandExecutors.qll
+++ b/ql/lib/semmle/go/frameworks/SystemCommandExecutors.qll
@@ -126,47 +126,14 @@ private class ShellLike extends DataFlow::Node {
 }

 private string getASudoCommand() {
-  result = "sudo" or
-  result = "sudo_root" or
-  result = "su" or
-  result = "sudoedit" or
-  result = "doas" or
-  result = "access" or
-  result = "vsys" or
-  result = "userv" or
-  result = "sus" or
-  result = "super" or
-  result = "priv" or
-  result = "calife" or
-  result = "ssu" or
-  result = "su1" or
-  result = "op" or
-  result = "sudowin" or
-  result = "sudown" or
-  result = "chroot" or
-  result = "fakeroot" or
-  result = "fakeroot-sysv" or
-  result = "fakeroot-tcp" or
-  result = "fstab-decode" or
-  result = "jrunscript" or
-  result = "nohup" or
-  result = "parallel" or
-  result = "find" or
-  result = "pkexec" or
-  result = "sg" or
-  result = "sem" or
-  result = "runcon" or
-  result = "runuser" or
-  result = "stdbuf" or
-  result = "system" or
-  result = "timeout" or
-  result = "xargs" or
-  result = "time" or
-  result = "awk" or
-  result = "gawk" or
-  result = "mawk" or
-  result = "nawk" or
-  result = "git"
+  result =
+    [
+      "sudo", "sudo_root", "priv", "calife", "ssu", "su1", "op", "sudowin", "sudown", "chroot",
+      "fakeroot", "fakeroot-sysv", "su", "fakeroot-tcp", "fstab-decode", "jrunscript", "nohup",
+      "parallel", "find", "pkexec", "sg", "sem", "runcon", "sudoedit", "runuser", "stdbuf",
+      "system", "timeout", "xargs", "time", "awk", "gawk", "mawk", "nawk", "doas", "git", "access",
+      "vsys", "userv", "sus", "super"
+    ]
 }

 /**
@@ -213,31 +180,12 @@ private predicate isSudoOrSimilar(DataFlow::Node node) {
 }

 private string getAShellCommand() {
-  result = "bash" or
-  result = "sh" or
-  result = "sh.distrib" or
-  result = "rbash" or
-  result = "dash" or
-  result = "zsh" or
-  result = "csh" or
-  result = "tcsh" or
-  result = "fish" or
-  result = "pwsh" or
-  result = "elvish" or
-  result = "oh" or
-  result = "ion" or
-  result = "ksh" or
-  result = "rksh" or
-  result = "tksh" or
-  result = "mksh" or
-  result = "nu" or
-  result = "oksh" or
-  result = "osh" or
-  result = "shpp" or
-  result = "xiki" or
-  result = "xonsh" or
-  result = "yash" or
-  result = "env"
+  result =
+    [
+      "bash", "sh", "elvish", "oh", "ion", "ksh", "rksh", "tksh", "mksh", "nu", "oksh", "osh",
+      "sh.distrib", "shpp", "xiki", "xonsh", "yash", "env", "rbash", "dash", "zsh", "csh", "tcsh",
+      "fish", "pwsh"
+    ]
 }

 /**
@@ -252,12 +200,7 @@ private predicate isShell(DataFlow::Node node) {
 }

 private string getAnInterpreterName() {
-  result = "python" or
-  result = "php" or
-  result = "ruby" or
-  result = "perl" or
-  result = "node" or
-  result = "nodejs"
+  result = ["python", "php", "ruby", "perl", "node", "nodejs"]
 }

 /**
--- a/ql/lib/semmle/go/frameworks/stdlib/IoIoutil.qll
+++ b/ql/lib/semmle/go/frameworks/stdlib/IoIoutil.qll
@@ -9,11 +9,7 @@ module IoIoutil {
  private class IoUtilFileSystemAccess extends FileSystemAccess::Range, DataFlow::CallNode {
    IoUtilFileSystemAccess() {
      exists(string fn | getTarget().hasQualifiedName("io/ioutil", fn) |
-        fn = "ReadDir" or
-        fn = "ReadFile" or
-        fn = "TempDir" or
-        fn = "TempFile" or
-        fn = "WriteFile"
+        fn = ["ReadDir", "ReadFile", "TempDir", "TempFile", "WriteFile"]
      )
    }

--- a/ql/lib/semmle/go/frameworks/stdlib/NetHttp.qll
+++ b/ql/lib/semmle/go/frameworks/stdlib/NetHttp.qll
@@ -28,14 +28,8 @@ module NetHttp {
    DataFlow::FieldReadNode {
    UserControlledRequestField() {
      exists(string fieldName | this.getField().hasQualifiedName("net/http", "Request", fieldName) |
-        fieldName = "Body" or
-        fieldName = "GetBody" or
-        fieldName = "Form" or
-        fieldName = "PostForm" or
-        fieldName = "MultipartForm" or
-        fieldName = "Header" or
-        fieldName = "Trailer" or
-        fieldName = "URL"
+        fieldName =
+          ["Body", "GetBody", "Form", "PostForm", "MultipartForm", "Header", "Trailer", "URL"]
      )
    }
  }
--- a/ql/src/experimental/CWE-327/CryptoLibraries.qll
+++ b/ql/src/experimental/CWE-327/CryptoLibraries.qll
@@ -20,60 +20,31 @@ import go
 */
 private module AlgorithmNames {
  predicate isStrongHashingAlgorithm(string name) {
-    name = "DSA" or
-    name = "ED25519" or
-    name = "ES256" or
-    name = "ECDSA256" or
-    name = "ES384" or
-    name = "ECDSA384" or
-    name = "ES512" or
-    name = "ECDSA512" or
-    name = "SHA2" or
-    name = "SHA224" or
-    name = "SHA256" or
-    name = "SHA384" or
-    name = "SHA512" or
-    name = "SHA3"
+    name =
+      [
+        "DSA", "ED25519", "SHA256", "SHA384", "SHA512", "SHA3", "ES256", "ECDSA256", "ES384",
+        "ECDSA384", "ES512", "ECDSA512", "SHA2", "SHA224"
+      ]
  }

  predicate isWeakHashingAlgorithm(string name) {
-    name = "HAVEL128" or
-    name = "MD2" or
-    name = "MD4" or
-    name = "MD5" or
-    name = "PANAMA" or
-    name = "RIPEMD" or
-    name = "RIPEMD128" or
-    name = "RIPEMD256" or
-    name = "RIPEMD320" or
-    name = "SHA0" or
-    name = "SHA1"
+    name =
+      [
+        "HAVEL128", "MD2", "SHA1", "MD4", "MD5", "PANAMA", "RIPEMD", "RIPEMD128", "RIPEMD256",
+        "RIPEMD320", "SHA0"
+      ]
  }

  predicate isStrongEncryptionAlgorithm(string name) {
-    name = "AES" or
-    name = "AES128" or
-    name = "AES192" or
-    name = "AES256" or
-    name = "AES512" or
-    name = "RSA" or
-    name = "RABBIT" or
-    name = "BLOWFISH"
+    name = ["AES", "AES128", "AES192", "AES256", "AES512", "RSA", "RABBIT", "BLOWFISH"]
  }

  predicate isWeakEncryptionAlgorithm(string name) {
-    name = "DES" or
-    name = "3DES" or
-    name = "TRIPLEDES" or
-    name = "TDEA" or
-    name = "TRIPLEDEA" or
-    name = "ARC2" or
-    name = "RC2" or
-    name = "ARC4" or
-    name = "RC4" or
-    name = "ARCFOUR" or
-    name = "ARC5" or
-    name = "RC5"
+    name =
+      [
+        "DES", "3DES", "ARC5", "RC5", "TRIPLEDES", "TDEA", "TRIPLEDEA", "ARC2", "RC2", "ARC4",
+        "RC4", "ARCFOUR"
+      ]
  }

  predicate isStrongPasswordHashingAlgorithm(string name) {
--- a/ql/test/library-tests/semmle/go/security/SensitiveActions/DummyPasswords.ql
+++ b/ql/test/library-tests/semmle/go/security/SensitiveActions/DummyPasswords.ql
@@ -2,15 +2,11 @@ import go
 import semmle.go.security.SensitiveActions

 string getASamplePassword() {
-  result = "abcdefgh" or
-  result = "sOKY6ccizpmvF*32so%Q" or
-  result = "XXXXXXXX" or
-  result = "example_password" or
-  result = "change_me" or
-  result = "" or
-  result = "insert-auth-from-gui" or
-  result = "admin" or
-  result = "root"
+  result =
+    [
+      "abcdefgh", "sOKY6ccizpmvF*32so%Q", "XXXXXXXX", "example_password", "change_me", "",
+      "insert-auth-from-gui", "admin", "root"
+    ]
 }

 from string password, boolean isDummy