fix format warnings/errors

2026-04-26 09:15:12 +02:00 · 2023-06-25 23:24:12 +10:00
parent 307187f6c1
commit c16a2827d7
6 changed files with 8 additions and 12 deletions
--- a/javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/Bombs_jszip.ql
+++ b/javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/Bombs_jszip.ql
@@ -5,7 +5,7 @@
 * @problem.severity error
 * @security-severity 7.8
 * @precision medium
- * @id js/user-controlled-file-decompression
+ * @id js/user-controlled-file-decompression-jszip
 * @tags security
 *       experimental
 *       external/cwe/cwe-409
--- a/javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/Bombs_node-tar.ql
+++ b/javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/Bombs_node-tar.ql
@@ -5,13 +5,12 @@
 * @problem.severity error
 * @security-severity 7.8
 * @precision medium
- * @id js/user-controlled-file-decompression
+ * @id js/user-controlled-file-decompression--tar
 * @tags security
 *       experimental
 *       external/cwe/cwe-409
 */

-import javascript
 import DataFlow::PathGraph
 import API
 import semmle.javascript.Concepts
--- a/javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/Bombs_zlib-Pako-AdmZip.ql
+++ b/javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/Bombs_zlib-Pako-AdmZip.ql
@@ -5,7 +5,7 @@
 * @problem.severity error
 * @security-severity 7.8
 * @precision medium
- * @id js/user-controlled-file-decompression
+ * @id js/user-controlled-file-decompression-Zlib-Pako-AdmZip
 * @tags security
 *       experimental
 *       external/cwe/cwe-409
@@ -65,11 +65,7 @@ class BombConfiguration extends TaintTracking::Configuration {
    )
    or
    sink =
-      [
-        DataFlow::moduleMember("pako", ["inflate", "inflateRaw", "ungzip"])
-            .getACall()
-            .getArgument(0)
-      ]
+      DataFlow::moduleMember("pako", ["inflate", "inflateRaw", "ungzip"]).getACall().getArgument(0)
    or
    exists(API::Node n | n = API::moduleImport("adm-zip").getInstance() |
      (
@@ -85,7 +81,7 @@ class BombConfiguration extends TaintTracking::Configuration {
    readablePipeAdditionalTaintStep(pred, succ)
    or
    // succ = new Uint8Array(pred)
-    exists(DataFlow::Node n, NewExpr ne | ne = n.asExpr().(NewExpr) |
+    exists(DataFlow::Node n, NewExpr ne | ne = n.asExpr() |
      pred.asExpr() = ne.getArgument(0) and
      succ.asExpr() = ne and
      ne.getCalleeName() = "Uint8Array"
--- a/javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/CommandLineSource.qll
+++ b/javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/CommandLineSource.qll
@@ -3,6 +3,7 @@ import DataFlow::PathGraph
 import API

 /**
+ * A Command Line argument as a Flow Source
 * there are FP when the types are not str
 * because int,boolean types are not really dangerous as a source node
 */
--- a/javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/SequelizeModelMethodCall.ql
+++ b/javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/SequelizeModelMethodCall.ql
@@ -10,7 +10,7 @@

 import javascript
 import DataFlow::PathGraph
-import sequelizeModelTypes::sequelizeModel
+import sequelizeModelTypes::SequelizeModel
 import API

 class SequelizeModelConfiguration extends TaintTracking::Configuration {
--- a/javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/sequelizeModelTypes.qll
+++ b/javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/sequelizeModelTypes.qll
@@ -1,7 +1,7 @@
 import javascript
 import DataFlow

-module sequelizeModel {
+module SequelizeModel {
  SourceNode sequelizeModelAsSourceNode(TypeTracker t) {
    t.start() and
    exists(