Apply suggestions from code review

Co-authored-by: James Fletcher <42464962+jf205@users.noreply.github.com>
This commit is contained in:
Max Schaefer
2020-12-15 15:44:19 +00:00
committed by GitHub
parent 7e3feb4f52
commit f8d8a9b356


@@ -22,25 +22,23 @@ will then automatically pick up this new source of remote flow.
However, this approach requires writing QL code and adding it to the standard library, which is not
always easy to do. Instead, you can also add a JSON file describing custom sources of untrusted
input to your code base and have it picked up without needing to modify the standard library. This
JSON file can be hand-written or generated by another tool, but note that these customizations
are specific to the code base containing the JSON file. To use them in other code bases, you need
to copy over the JSON file.
JSON file can be hand-written or generated by another tool. The custom remote flow sources are only available to the code base containing the JSON file. This means that you need to copy the JSON file into each code base that requires the customizations.
Specification format
--------------------
The JSON file must be called ``codeql-javascript-remote-flow-sources.json`` (case-sensitive) and
The JSON file must be called ``codeql-javascript-remote-flow-sources.json`` and
can be located anywhere in your code base. It should consist of a single JSON object. The property
names of this object are interpreted as `source types`. The values they map to should be arrays of
strings. Each string should be of the form ``window.props``, where ``props`` is a sequence of one
or more property names separated by dots, specifying that any value reachable from the global window
or more property names separated by dots. This notation specifies that any value reachable from the global window
object by this sequence of property names should be considered as untrusted user input of the
associated source type.
Example
-------
As an example, consider the following specification:
Consider the following specification:
.. code-block:: json
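Review bot: the rewritten filename sentence in the "Specification format" section drops the "(case-sensitive)" qualifier from ``codeql-javascript-remote-flow-sources.json``; the removed text states that the name is matched case-sensitively, so a reader following the new text could name the file with different casing and not have it picked up. Suggest keeping the qualifier, e.g. "The JSON file must be called ``codeql-javascript-remote-flow-sources.json`` (case-sensitive) and". A minor style point: the replacement sentences in the first paragraph and in the "where ``props`` is a sequence of one or more property names" sentence are each added as one long line, while the surrounding RST wraps at roughly 100 characters; wrapping them to match keeps future diffs of this file readable.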