JS: address review comments

Esben Sparre Andreasen · Esben Sparre Andreasen · commit 89887e7dc8e6 · 2018-09-05T09:20:45.000+02:00
diff --git a/javascript/ql/src/Security/CWE-918/RequestForgery.qhelp b/javascript/ql/src/Security/CWE-918/RequestForgery.qhelp
@@ -6,7 +6,7 @@
 	<overview>
 		<p>
 
-			Directly incorporating user input into a remote request
+			Directly incorporating user input into an HTTP request
 			without validating the input can facilitate different kinds of request
 			forgery attacks, where the attacker essentially controls the request.
 
diff --git a/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll b/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll
@@ -53,7 +53,7 @@ private string urlPropertyName() {
 }
 
 /**
- * A model of a URL request in the `request` library.
+ * A model of a URL request made using the `request` library.
  */
 private class RequestUrlRequest extends CustomClientRequest {
 
@@ -86,7 +86,7 @@ private class RequestUrlRequest extends CustomClientRequest {
 }
 
 /**
- * A model of a URL request in the `axios` library.
+ * A model of a URL request made using the `axios` library.
  */
 private class AxiosUrlRequest extends CustomClientRequest {
 
@@ -103,7 +103,8 @@ private class AxiosUrlRequest extends CustomClientRequest {
       ) and
       (
         url = getArgument(0) or
-        url = getOptionArgument([0..2], urlPropertyName()) // slightly over-approximate, in the name of simplicity
+        // depends on the method name and the call arity, over-approximating slightly in the name of simplicity
+        url = getOptionArgument([0..2], urlPropertyName())
       )
     )
   }
@@ -115,7 +116,7 @@ private class AxiosUrlRequest extends CustomClientRequest {
 }
 
 /**
- * A model of a URL request in an implementation of the `fetch` API.
+ * A model of a URL request made using an implementation of the `fetch` API.
  */
 private class FetchUrlRequest extends CustomClientRequest {
 
@@ -146,7 +147,7 @@ private class FetchUrlRequest extends CustomClientRequest {
 }
 
 /**
- * A model of a URL request in the `got` library.
+ * A model of a URL request made using the `got` library.
  */
 private class GotUrlRequest extends CustomClientRequest {
 
@@ -171,7 +172,7 @@ private class GotUrlRequest extends CustomClientRequest {
 }
 
 /**
- * A model of a URL request in the `superagent` library.
+ * A model of a URL request made using the `superagent` library.
  */
 private class SuperAgentUrlRequest extends CustomClientRequest {
 

Original file line number	Diff line number	Diff line change
`@@ -53,7 +53,7 @@ private string urlPropertyName() {`
`53`	`53`	`}`
`54`	`54`
`55`	`55`	`/**`
`56`		- * A model of a URL request in the `request` library.
	`56`	+ * A model of a URL request made using the `request` library.
`57`	`57`	`*/`
`58`	`58`	`private class RequestUrlRequest extends CustomClientRequest {`
`59`	`59`
`@@ -86,7 +86,7 @@ private class RequestUrlRequest extends CustomClientRequest {`
`86`	`86`	`}`
`87`	`87`
`88`	`88`	`/**`
`89`		- * A model of a URL request in the `axios` library.
	`89`	+ * A model of a URL request made using the `axios` library.
`90`	`90`	`*/`
`91`	`91`	`private class AxiosUrlRequest extends CustomClientRequest {`
`92`	`92`
`@@ -103,7 +103,8 @@ private class AxiosUrlRequest extends CustomClientRequest {`
`103`	`103`	`) and`
`104`	`104`	`(`
`105`	`105`	`url = getArgument(0) or`
`106`		`- url = getOptionArgument([0..2], urlPropertyName()) // slightly over-approximate, in the name of simplicity`
	`106`	`+ // depends on the method name and the call arity, over-approximating slightly in the name of simplicity`
	`107`	`+ url = getOptionArgument([0..2], urlPropertyName())`
`107`	`108`	`)`
`108`	`109`	`)`
`109`	`110`	`}`
`@@ -115,7 +116,7 @@ private class AxiosUrlRequest extends CustomClientRequest {`
`115`	`116`	`}`
`116`	`117`
`117`	`118`	`/**`
`118`		- * A model of a URL request in an implementation of the `fetch` API.
	`119`	+ * A model of a URL request made using an implementation of the `fetch` API.
`119`	`120`	`*/`
`120`	`121`	`private class FetchUrlRequest extends CustomClientRequest {`
`121`	`122`
`@@ -146,7 +147,7 @@ private class FetchUrlRequest extends CustomClientRequest {`
`146`	`147`	`}`
`147`	`148`
`148`	`149`	`/**`
`149`		- * A model of a URL request in the `got` library.
	`150`	+ * A model of a URL request made using the `got` library.
`150`	`151`	`*/`
`151`	`152`	`private class GotUrlRequest extends CustomClientRequest {`
`152`	`153`
`@@ -171,7 +172,7 @@ private class GotUrlRequest extends CustomClientRequest {`
`171`	`172`	`}`
`172`	`173`
`173`	`174`	`/**`
`174`		- * A model of a URL request in the `superagent` library.
	`175`	+ * A model of a URL request made using the `superagent` library.
`175`	`176`	`*/`
`176`	`177`	`private class SuperAgentUrlRequest extends CustomClientRequest {`
`177`	`178`