Apply suggestions from code review

erik-krogh · asgerf · erik-krogh · commit 017c73dce31c · 2020-10-16T14:20:40.000+02:00
Co-authored-by: Asger F &lt;asgerf@github.com&gt;
diff --git a/change-notes/1.26/analysis-javascript.md b/change-notes/1.26/analysis-javascript.md
@@ -43,7 +43,7 @@
 | Unsafe jQuery plugin (`js/unsafe-jquery-plugin`) | More results | This query now detects more unsafe uses of nested option properties. |
 | Client-side URL redirect (`js/client-side-unvalidated-url-redirection`) | More results | This query now recognizes some unsafe uses of `importScripts()` inside WebWorkers. |
 | Missing CSRF middleware (`js/missing-token-validation`) | More results | This query now recognizes writes to cookie and session variables as potentially vulnerable to CSRF attacks. |
-| Missing CSRF middleware (`js/missing-token-validation`) | Less results | This query now recognizes more ways of protecting against CSRF attacks. |
+| Missing CSRF middleware (`js/missing-token-validation`) | Fewer results | This query now recognizes more ways of protecting against CSRF attacks. |
 
 
 ## Changes to libraries
diff --git a/javascript/ql/src/Security/CWE-352/MissingCsrfMiddleware.ql b/javascript/ql/src/Security/CWE-352/MissingCsrfMiddleware.ql
@@ -126,7 +126,7 @@ private Express::RouteHandler getAHandlerSettingCsrfCookie() {
  * This is indicated either by the request parameter having a CSRF related write to a session variable.
  * Or by the response parameter setting a CSRF related cookie.
  */
-predicate isACsrfProtectionRouteHandler(Express::RouteHandler handler) {
+predicate isCsrfProtectionRouteHandler(Express::RouteHandler handler) {
   DataFlow::parameterNode(handler.getRequestParameter()) =
     nodeLeadingToCsrfWrite(DataFlow::TypeBackTracker::end())
   or
@@ -136,7 +136,7 @@ predicate isACsrfProtectionRouteHandler(Express::RouteHandler handler) {
 /** Gets a data flow node refering to a route handler that is protecting against CSRF. */
 private DataFlow::SourceNode getACsrfProtectionRouteHandler(DataFlow::TypeTracker t) {
   t.start() and
-  isACsrfProtectionRouteHandler(result)
+  isCsrfProtectionRouteHandler(result)
   or
   exists(DataFlow::TypeTracker t2, DataFlow::SourceNode pred |
     pred = getACsrfProtectionRouteHandler(t2)
@@ -150,7 +150,7 @@ private DataFlow::SourceNode getACsrfProtectionRouteHandler(DataFlow::TypeTracke
 
 /**
  * Gets an express route handler expression that is either a custom CSRF protection middleware,
- * or a CSFR protecting library.
+ * or a CSRF protecting library.
  */
 Express::RouteHandlerExpr getACsrfMiddleware() {
   csrfMiddlewareCreation().flowsToExpr(result)
