Elaborate comment and change-note a little

2026-04-30 03:05:15 +02:00 · 2021-04-21 12:36:43 +01:00
parent a152eec9f2
commit e50ad90856
2 changed files with 2 additions and 2 deletions
--- a/change-notes/2021-04-20-tuple-types.md
+++ b/change-notes/2021-04-20-tuple-types.md
@@ -1,2 +1,2 @@
 lgtm,codescanning
-* Fixed a bug where data flow was not correctly computed through two-value index expressions. This may cause more results from the security queries.
+* Fixed a bug where data flow was not correctly computed through two-value index expressions (e.g. `got, ok := myMap[someIndex]`). This may lead to extra results from any dataflow query when an index expression would form part of an important dataflow path.
--- a/ql/test/query-tests/Security/CWE-079/reflectedxsstest.go
+++ b/ql/test/query-tests/Security/CWE-079/reflectedxsstest.go
@@ -51,6 +51,6 @@ func QueryMapTest(w http.ResponseWriter, r http.Request) {
 	keys, ok := r.URL.Query()["data_id"]
 	if ok && len(keys[0]) > 0 {
 		key := keys[0]
-		w.Write([]byte(key)) // BAD
+		w.Write([]byte(key)) // BAD: query string is user-controlled
 	}
 }