rename name dataflow configuration in js/template-object-injection

erik-krogh · erik-krogh · commit d016ba225286 · 2021-02-03T12:29:23.000+01:00
diff --git a/javascript/ql/src/experimental/Security/CWE-073/TemplateObjectInjection.ql b/javascript/ql/src/experimental/Security/CWE-073/TemplateObjectInjection.ql
@@ -18,8 +18,8 @@ predicate isUsingHbsEngine() {
   Express::appCreation().getAMethodCall("set").getArgument(1).mayHaveStringValue("hbs")
 }
 
-class HbsLFRTaint extends TaintTracking::Configuration {
-  HbsLFRTaint() { this = "HbsLFRTaint" }
+class TemplateObjInjectionConfig extends TaintTracking::Configuration {
+  TemplateObjInjectionConfig() { this = "TemplateObjInjectionConfig" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
@@ -48,7 +48,7 @@ class HbsLFRTaint extends TaintTracking::Configuration {
   }
 }
 
-from HbsLFRTaint cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+from DataFlow::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "Template object injection due to $@.", source.getNode(),
   "user-provided value"

Original file line number	Diff line number	Diff line change
`@@ -18,8 +18,8 @@ predicate isUsingHbsEngine() {`
`18`	`18`	`Express::appCreation().getAMethodCall("set").getArgument(1).mayHaveStringValue("hbs")`
`19`	`19`	`}`
`20`	`20`
`21`		`-class HbsLFRTaint extends TaintTracking::Configuration {`
`22`		`- HbsLFRTaint() { this = "HbsLFRTaint" }`
	`21`	`+class TemplateObjInjectionConfig extends TaintTracking::Configuration {`
	`22`	`+ TemplateObjInjectionConfig() { this = "TemplateObjInjectionConfig" }`
`23`	`23`
`24`	`24`	`override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }`
`25`	`25`
`@@ -48,7 +48,7 @@ class HbsLFRTaint extends TaintTracking::Configuration {`
`48`	`48`	`}`
`49`	`49`	`}`
`50`	`50`
`51`		`-from HbsLFRTaint cfg, DataFlow::PathNode source, DataFlow::PathNode sink`
	`51`	`+from DataFlow::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink`
`52`	`52`	`where cfg.hasFlowPath(source, sink)`
`53`	`53`	`select sink.getNode(), source, sink, "Template object injection due to $@.", source.getNode(),`
`54`	`54`	`"user-provided value"`