Respond to review comments.

2026-05-02 12:15:17 +02:00 · 2021-09-21 14:29:26 +01:00
parent dfe932d053
commit bd5edc7ae5
3 changed files with 9 additions and 9 deletions
--- a/cpp/ql/lib/semmle/code/cpp/models/implementations/PostgreSql.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/PostgreSql.qll
@@ -71,8 +71,8 @@ private class PostgreSqlExecutionFunction extends SqlExecutionFunction {
  }
 }

-private class PostgreSqlEscapeFunction extends SqlEscapeFunction {
-  PostgreSqlEscapeFunction() {
+private class PostgreSqlBarrierFunction extends SqlBarrierFunction {
+  PostgreSqlBarrierFunction() {
    exists(Class c |
      this.getDeclaringType() = c and
      // transaction and connection escape functions
@@ -84,7 +84,7 @@ private class PostgreSqlEscapeFunction extends SqlEscapeFunction {
    )
  }

-  override predicate escapesSqlArgument(FunctionInput input, FunctionOutput output) {
+  override predicate barrierSqlArgument(FunctionInput input, FunctionOutput output) {
    exists(int argIndex |
      input.isParameterDeref(argIndex) and
      output.isReturnValueDeref() and
--- a/cpp/ql/lib/semmle/code/cpp/models/interfaces/Sql.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/interfaces/Sql.qll
@@ -1,6 +1,6 @@
 /**
 * Provides abstract classes for modeling functions that execute and escape SQL query strings.
- * To use this QL library, create a QL class extending `SqlExecutionFunction` or `SqlEscapeFunction`
+ * To extend this QL library, create a QL class extending `SqlExecutionFunction` or `SqlEscapeFunction`
 * with a characteristic predicate that selects the function or set of functions you are modeling.
 * Within that class, override the predicates provided by the class to match the way a
 * parameter flows into the function and, in the case of `SqlEscapeFunction`, out of the function.
@@ -21,10 +21,10 @@ abstract class SqlExecutionFunction extends Function {
 /**
 * An abstract class that represents a function that escapes an SQL query string.
 */
-abstract class SqlEscapeFunction extends Function {
+abstract class SqlBarrierFunction extends Function {
  /**
-   * Holds if the `output` escapes the SQL input `input` such that is it safe to pass to
+   * Holds if the `output` is a barrier to the SQL input `input` such that is it safe to pass to
   * an `SqlExecutionFunction`.
   */
-  abstract predicate escapesSqlArgument(FunctionInput input, FunctionOutput output);
+  abstract predicate barrierSqlArgument(FunctionInput input, FunctionOutput output);
 }
--- a/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql
+++ b/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql
@@ -34,10 +34,10 @@ class Configuration extends TaintTrackingConfiguration {
    or
    e.getUnspecifiedType() instanceof IntegralType
    or
-    exists(SqlEscapeFunction sql, int arg, FunctionInput input |
+    exists(SqlBarrierFunction sql, int arg, FunctionInput input |
      e = sql.getACallToThisFunction().getArgument(arg) and
      input.isParameterDeref(arg) and
-      sql.escapesSqlArgument(input, _)
+      sql.barrierSqlArgument(input, _)
    )
  }
 }