C++: More 'adversary' -> 'malicious user' and related doc changes.

2026-05-04 05:05:12 +02:00 · 2022-03-25 11:09:52 +00:00
parent 11074b6d77
commit e377eebdbc
4 changed files with 7 additions and 7 deletions
--- a/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.qhelp
+++ b/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.qhelp
@@ -3,7 +3,7 @@
  "qhelp.dtd">
 <qhelp>
 <overview>
-<p>Exposing system data or debugging information may help a malicious user learn about the system and form an attack plan.  An attacker can use error messages that reveal technologies, operating systems, and product versions to tune their attack against known vulnerabilities in these technologies.</p>
+<p>Exposing system data or debugging information may help a malicious user learn about the system and form an attack plan.  An attacker can use error messages that reveal technologies, operating systems, and product versions to tune their attack against known vulnerabilities in the software.</p>

 <p>This query finds locations where system configuration information might be revealed to a remote user.</p>
 </overview>
@@ -13,7 +13,7 @@
 </recommendation>

 <example>
-<p>In this example the value of the <code>PATH</code> environment variable is revealed in full to the user when a particular error occurs.  This might reveal information such as the software installed on your system to an adversary who does not have legitimate access to that information.</p>
+<p>In this example the value of the <code>PATH</code> environment variable is revealed in full to the user when a particular error occurs.  This might reveal information such as the software installed on your system to a malicious user who does not have legitimate access to that information.</p>

 <sample src="ExposedSystemDataIncorrect.cpp" />

--- a/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
+++ b/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
@@ -1,7 +1,7 @@
 /**
 * @name Exposure of system data to an unauthorized control sphere
 * @description Exposing system data or debugging information helps
- *              an adversary learn about the system and form an
+ *              a malicious user learn about the system and form an
 *              attack plan.
 * @kind path-problem
 * @problem.severity warning
--- a/cpp/ql/src/Security/CWE/CWE-497/PotentiallyExposedSystemData.qhelp
+++ b/cpp/ql/src/Security/CWE/CWE-497/PotentiallyExposedSystemData.qhelp
@@ -3,17 +3,17 @@
  "qhelp.dtd">
 <qhelp>
 <overview>
-<p>Exposing system data or debugging information may help an adversary to learn about the system and form an attack plan.  An attacker can use error messages that reveal technologies, operating systems, and product versions to tune their attack against known vulnerabilities in these technologies.</p>
+<p>Exposing system data or debugging information may help a malicious user learn about the system and form an attack plan.  An attacker can use error messages that reveal technologies, operating systems, and product versions to tune their attack against known vulnerabilities in the software.</p>

 <p>This query finds locations where system configuration information that is particularly sensitive might be revealed to a user.</p>
 </overview>

 <recommendation>
-<p>Do not expose system configuration information to users.  Be wary of the difference between information that could be helpful to users, and unnecessary details that could be useful to an adversary.</p>
+<p>Do not expose system configuration information to users.  Be wary of the difference between information that could be helpful to users, and unnecessary details that could be useful to a malicious user.</p>
 </recommendation>

 <example>
-<p>In this example the value of the <code>PATH</code> environment variable is revealed in full to the user when a particular error occurs.  This might reveal information such as the software installed on your system to an adversary who does not have legitimate access to that information.</p>
+<p>In this example the value of the <code>PATH</code> environment variable is revealed in full to the user when a particular error occurs.  This might reveal information such as the software installed on your system to a malicious user who does not have legitimate access to that information.</p>

 <sample src="PotentiallyExposedSystemDataIncorrect.cpp" />

--- a/cpp/ql/src/Security/CWE/CWE-497/SystemData.qll
+++ b/cpp/ql/src/Security/CWE/CWE-497/SystemData.qll
@@ -7,7 +7,7 @@ import semmle.code.cpp.commons.Environment
 import semmle.code.cpp.ir.dataflow.TaintTracking

 /**
- * An element that should not be exposed to an adversary.
+ * An element that should not be exposed to a malicious user.
 */
 abstract class SystemData extends Element {
  /**