Merge pull request #10286 from erik-krogh/js-followMsg

JS: change alert messages of path queries to use the same template

Author: erik-krogh

javascript/ql/lib/semmle/javascript/security/dataflow/CodeInjectionCustomizations.qll

@@ -19,7 +19,7 @@ module CodeInjection {
     /**
      * Gets the substitute for `X` in the message `User-provided value flows to X`.
      */
-    string getMessageSuffix() { result = "here and is interpreted as code" }
+    string getMessageSuffix() { result = "this location and is interpreted as code" }
   }
 
   /**
@@ -126,7 +126,8 @@ module CodeInjection {
     }
 
     override string getMessageSuffix() {
-      result = "here and is interpreted by " + templateType + ", which may evaluate it as code"
+      result =
+        "this location and is interpreted by " + templateType + ", which may evaluate it as code"
     }
   }
 
@@ -288,7 +289,7 @@ module CodeInjection {
   /** A sink for code injection via template injection. */
   abstract private class TemplateSink extends Sink {
     override string getMessageSuffix() {
-      result = "here and is interpreted as a template, which may contain code"
+      result = "this location and is interpreted as a template, which may contain code"
     }
   }
 

javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedDataInterpretedAsCodeCustomizations.qll

@@ -54,7 +54,7 @@ module HardcodedDataInterpretedAsCode {
 
     override DataFlow::FlowLabel getLabel() { result.isTaint() }
 
-    override string getKind() { result = "code" }
+    override string getKind() { result = "Code" }
   }
 
   /**
@@ -65,6 +65,6 @@ module HardcodedDataInterpretedAsCode {
 
     override DataFlow::FlowLabel getLabel() { result.isDataOrTaint() }
 
-    override string getKind() { result = "an import path" }
+    override string getKind() { result = "An import path" }
   }
 }

javascript/ql/lib/semmle/javascript/security/dataflow/RemotePropertyInjectionCustomizations.qll

@@ -47,7 +47,7 @@ module RemotePropertyInjection {
       exists(DeleteExpr expr | expr.getOperand().(PropAccess).getPropertyNameExpr() = astNode)
     }
 
-    override string getMessage() { result = " a property name to write to." }
+    override string getMessage() { result = "A property name to write to" }
   }
 
   /**
@@ -65,6 +65,6 @@ module RemotePropertyInjection {
       )
     }
 
-    override string getMessage() { result = " a header name." }
+    override string getMessage() { result = "A header name" }
   }
 }

javascript/ql/src/Security/CWE-022/TaintedPath.ql

@@ -21,5 +21,5 @@ import DataFlow::PathGraph
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "$@ flows to here and is used in a path.", source.getNode(),
-  "User-provided value"
+select sink.getNode(), source, sink, "This path depends on $@.", source.getNode(),
+  "a user-provided value"

javascript/ql/src/Security/CWE-022/ZipSlip.ql

@@ -18,6 +18,5 @@ import DataFlow::PathGraph
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasFlowPath(source, sink)
-select source.getNode(), source, sink,
-  "Unsanitized archive entry, which may contain '..', is used in a $@.", sink.getNode(),
-  "file system operation"
+select source.getNode(), source, sink, "$@ depends on $@ which may contain '..'", sink.getNode(),
+  "File system operation", source.getNode(), "unsanitized archive entry"

javascript/ql/src/Security/CWE-073/TemplateObjectInjection.ql

@@ -17,5 +17,5 @@ import semmle.javascript.security.dataflow.TemplateObjectInjectionQuery
 
 from DataFlow::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "Template object injection due to $@.", source.getNode(),
-  "user-provided value"
+select sink.getNode(), source, sink, "Template object depends on $@.", source.getNode(),
+  "a user-provided value"

javascript/ql/src/Security/CWE-078/CommandInjection.ql

@@ -28,5 +28,5 @@ where
     else highlight = sink.getNode()
   ) and
   sourceNode = source.getNode()
-select highlight, source, sink, "$@ flows to here and is used in a command.", source.getNode(),
-  sourceNode.getSourceType()
+select highlight, source, sink, "Command line depends on $@.", source.getNode(),
+  "a user-provided value"

javascript/ql/src/Security/CWE-078/UnsafeShellCommandConstruction.ql

@@ -19,6 +19,6 @@ import DataFlow::PathGraph
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, Sink sinkNode
 where cfg.hasFlowPath(source, sink) and sinkNode = sink.getNode()
-select sinkNode.getAlertLocation(), source, sink, "$@ based on $@ is later used in $@.",
+select sinkNode.getAlertLocation(), source, sink, "$@ which depends on $@ is later used in $@.",
   sinkNode.getAlertLocation(), sinkNode.getSinkType(), source.getNode(), "library input",
-  sinkNode.getCommandExecution(), "shell command"
+  sinkNode.getCommandExecution(), "a shell command"

javascript/ql/src/Security/CWE-079/UnsafeHtmlConstruction.ql

@@ -18,6 +18,6 @@ import semmle.javascript.security.dataflow.UnsafeHtmlConstructionQuery
 
 from DataFlow::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, Sink sinkNode
 where cfg.hasFlowPath(source, sink) and sink.getNode() = sinkNode
-select sinkNode, source, sink, "$@ based on $@ might later cause $@.", sinkNode,
+select sinkNode, source, sink, "$@ which depends on $@ might later allow $@.", sinkNode,
   sinkNode.describe(), source.getNode(), "library input", sinkNode.getSink(),
   sinkNode.getVulnerabilityKind().toLowerCase()

javascript/ql/src/Security/CWE-094/ImproperCodeSanitization.ql

@@ -68,5 +68,5 @@ where
     sink.getNode().(StringOps::ConcatenationLeaf).getRoot() = endsInCodeInjectionSink() and
     remoteFlow() = source.getNode().(DataFlow::InvokeNode).getAnArgument()
   )
-select sink.getNode(), source, sink, "$@ flows to here and is used to construct code.",
-  source.getNode(), "Improperly sanitized value"
+select sink.getNode(), source, sink, "Code construction depends on $@.", source.getNode(),
+  "an improperly sanitized value"