Apply suggestions from code review

Co-authored-by: Jorge <46056498+jorgectf@users.noreply.github.com>
2025-12-28 14:46:33 +01:00 · 2024-03-14 17:47:20 +01:00
parent d21d453d1c
commit f251783c26
5 changed files with 9 additions and 9 deletions
--- a/ql/src/Security/CWE-078/CommandInjection.ql
+++ b/ql/src/Security/CWE-078/CommandInjection.ql
@@ -34,5 +34,5 @@ import MyFlow::PathGraph
 from MyFlow::PathNode source, MyFlow::PathNode sink
 where MyFlow::flowPath(source, sink)
 select sink.getNode(), source, sink,
-  "Potential expression injection in $@, which may be controlled by an external user.", sink,
+  "Potential command injection in $@, which may be controlled by an external user.", sink,
  sink.getNode().asExpr().(Expression).getRawExpression()
--- a/ql/src/Security/CWE-078/CriticalCommandInjection.ql
+++ b/ql/src/Security/CWE-078/CriticalCommandInjection.ql
@@ -6,7 +6,7 @@
 * @problem.severity error
 * @security-severity 9
 * @precision high
- * @id actions/command-injection
+ * @id actions/critical-command-injection
 * @tags actions
 *       security
 *       external/cwe/cwe-078
@@ -40,5 +40,5 @@ where
    w.hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent())
  )
 select sink.getNode(), source, sink,
-  "Potential expression injection in $@, which may be controlled by an external user.", sink,
+  "Potential critical command injection in $@, which may be controlled by an external user.", sink,
  sink.getNode().asExpr().(Expression).getRawExpression()
--- a/ql/src/Security/CWE-094/CodeInjection.ql
+++ b/ql/src/Security/CWE-094/CodeInjection.ql
@@ -20,7 +20,7 @@ import codeql.actions.dataflow.FlowSources
 import codeql.actions.dataflow.ExternalFlow

 private class CodeInjectionSink extends DataFlow::Node {
-  CodeInjectionSink() { externallyDefinedSink(this, "request-forgery") }
+  CodeInjectionSink() { externallyDefinedSink(this, "code-injection") }
 }

 private module MyConfig implements DataFlow::ConfigSig {
@@ -36,5 +36,5 @@ import MyFlow::PathGraph
 from MyFlow::PathNode source, MyFlow::PathNode sink
 where MyFlow::flowPath(source, sink)
 select sink.getNode(), source, sink,
-  "Potential expression injection in $@, which may be controlled by an external user.", sink,
+  "Potential code injection in $@, which may be controlled by an external user.", sink,
  sink.getNode().asExpr().(Expression).getRawExpression()
--- a/ql/src/Security/CWE-094/CriticalCodeInjection.ql
+++ b/ql/src/Security/CWE-094/CriticalCodeInjection.ql
@@ -6,7 +6,7 @@
 * @problem.severity error
 * @security-severity 9
 * @precision high
- * @id actions/code-injection
+ * @id actions/critical-code-injection
 * @tags actions
 *       security
 *       external/cwe/cwe-094
@@ -20,7 +20,7 @@ import codeql.actions.dataflow.FlowSources
 import codeql.actions.dataflow.ExternalFlow

 private class CodeInjectionSink extends DataFlow::Node {
-  CodeInjectionSink() { externallyDefinedSink(this, "request-forgery") }
+  CodeInjectionSink() { externallyDefinedSink(this, "code-injection") }
 }

 private module MyConfig implements DataFlow::ConfigSig {
@@ -42,5 +42,5 @@ where
    w.hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent())
  )
 select sink.getNode(), source, sink,
-  "Potential expression injection in $@, which may be controlled by an external user.", sink,
+  "Potential critical code injection in $@, which may be controlled by an external user.", sink,
  sink.getNode().asExpr().(Expression).getRawExpression()
--- a/ql/src/Security/CWE-918/RequestForgery.ql
+++ b/ql/src/Security/CWE-918/RequestForgery.ql
@@ -33,5 +33,5 @@ import MyFlow::PathGraph
 from MyFlow::PathNode source, MyFlow::PathNode sink
 where MyFlow::flowPath(source, sink)
 select sink.getNode(), source, sink,
-  "Potential expression injection in $@, which may be controlled by an external user.", sink,
+  "Potential request forgery in $@, which may be controlled by an external user.", sink,
  sink.getNode().asExpr().(Expression).getRawExpression()