
Commit 89887e7

author
Esben Sparre Andreasen
committed
JS: address review comments
1 parent 2306afd commit 89887e7


2 files changed

+8
-7
lines changed


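--- a/javascript/ql/src/Security/CWE-918/RequestForgery.qhelp
+++ b/javascript/ql/src/Security/CWE-918/RequestForgery.qhelp
@@ -6,7 +6,7 @@
 <overview>
 <p>
 
-Directly incorporating user input into a remote request
+Directly incorporating user input into an HTTP request
 without validating the input can facilitate different kinds of request
 forgery attacks, where the attacker essentially controls the request.
 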
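--- a/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll
@@ -53,7 +53,7 @@ private string urlPropertyName() {
 }
 
 /**
- * A model of a URL request in the `request` library.
+ * A model of a URL request made using the `request` library.
 */
 private class RequestUrlRequest extends CustomClientRequest {
 
@@ -86,7 +86,7 @@ private class RequestUrlRequest extends CustomClientRequest {
 }
 
 /**
- * A model of a URL request in the `axios` library.
+ * A model of a URL request made using the `axios` library.
 */
 private class AxiosUrlRequest extends CustomClientRequest {
 
@@ -103,7 +103,8 @@ private class AxiosUrlRequest extends CustomClientRequest {
 ) and
 (
 url = getArgument(0) or
-url = getOptionArgument([0..2], urlPropertyName()) // slightly over-approximate, in the name of simplicity
+// depends on the method name and the call arity, over-approximating slightly in the name of simplicity
+url = getOptionArgument([0..2], urlPropertyName())
 )
 )
 }
@@ -115,7 +116,7 @@ private class AxiosUrlRequest extends CustomClientRequest {
 }
 
 /**
- * A model of a URL request in an implementation of the `fetch` API.
+ * A model of a URL request made using an implementation of the `fetch` API.
 */
 private class FetchUrlRequest extends CustomClientRequest {
 
@@ -146,7 +147,7 @@ private class FetchUrlRequest extends CustomClientRequest {
 }
 
 /**
- * A model of a URL request in the `got` library.
+ * A model of a URL request made using the `got` library.
 */
 private class GotUrlRequest extends CustomClientRequest {
 
@@ -171,7 +172,7 @@ private class GotUrlRequest extends CustomClientRequest {
 }
 
 /**
- * A model of a URL request in the `superagent` library.
+ * A model of a URL request made using the `superagent` library.
 */
 private class SuperAgentUrlRequest extends CustomClientRequest {
 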
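Review bot: The relocated comment in the `@@ -103,7 +103,8 @@` hunk of ClientRequests.qll still does not say what the `[0..2]` range stands for, so a reader cannot check whether the over-approximation is the intended one; the shape it appears to cover is `axios(config)`, `axios.get(url, config)` and `axios.post(url, data, config)`, where the options object sits at argument 0, 1 or 2 depending on the method. A comment that names those shapes would make the range verifiable, e.g. `// the options object is argument 0, 1 or 2 depending on the method (axios(config), axios.get(url, config), axios.post(url, data, config)); checking all three over-approximates slightly in the name of simplicity`. It would also help to state the consequence of over-approximating here: since this predicate defines the sink for the request-forgery query, reading `urlPropertyName()` from an unrelated argument can only produce extra alerts, never miss a real URL, so recall is preserved at the cost of some precision. The enclosing predicate begins before this hunk, so the `url` result it constrains is not visible here.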