use more set literals instead of big disjunctions

erik-krogh · erik-krogh · commit a404a8c61aa0 · 2022-05-24T11:09:10.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/ClosureLibrary.qll b/javascript/ql/lib/semmle/javascript/frameworks/ClosureLibrary.qll
@@ -13,38 +13,40 @@ module ClosureLibrary {
         call = Closure::moduleImport("goog.string." + name).getACall() and succ = call
       |
         pred = call.getAnArgument() and
-        (
-          name = "canonicalizeNewlines" or
-          name = "capitalize" or
-          name = "collapseBreakingSpaces" or
-          name = "collapseWhitespace" or
-          name = "format" or
-          name = "makeSafe" or // makeSafe just guards against null and undefined
-          name = "newLineOrBr" or
-          name = "normalizeSpaces" or
-          name = "normalizeWhitespace" or
-          name = "preserveSpaces" or
-          name = "remove" or // removes first occurrence of a substring
-          name = "repeat" or
-          name = "splitLimit" or
-          name = "stripNewlines" or
-          name = "subs" or
-          name = "toCamelCase" or
-          name = "toSelectorCase" or
-          name = "toTitleCase" or
-          name = "trim" or
-          name = "trimLeft" or
-          name = "trimRight" or
-          name = "unescapeEntities" or
-          name = "whitespaceEscape"
-        )
+        name =
+          [
+            "canonicalizeNewlines", //
+            "capitalize", //
+            "collapseBreakingSpaces", //
+            "collapseWhitespace", //
+            "format", //
+            "makeSafe", // makeSafe just guards against null and undefined
+            "newLineOrBr", //
+            "normalizeSpaces", //
+            "normalizeWhitespace", //
+            "preserveSpaces", //
+            "remove", // removes first occurrence of a substring
+            "repeat", //
+            "splitLimit", //
+            "stripNewlines", //
+            "subs", //
+            "toCamelCase", //
+            "toSelectorCase", //
+            "toTitleCase", //
+            "trim", //
+            "trimLeft", //
+            "trimRight", //
+            "unescapeEntities", //
+            "whitespaceEscape"
+          ]
         or
         pred = call.getArgument(0) and
-        (
-          name = "truncate" or
-          name = "truncateMiddle" or
-          name = "unescapeEntitiesWithDocument"
-        )
+        name =
+          [
+            "truncate", //
+            "truncateMiddle", //
+            "unescapeEntitiesWithDocument", //
+          ]
       )
     }
   }
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/UriLibraries.qll b/javascript/ql/lib/semmle/javascript/frameworks/UriLibraries.qll
@@ -362,29 +362,31 @@ private module ClosureLibraryUri {
         // static methods in goog.uri.utils
         arg = 0 and
         exists(string name | invoke = Closure::moduleImport("goog.uri.utils." + name).getACall() |
-          name = "appendParam" or // preserve taint from the original URI, but not from the appended param
-          name = "appendParams" or
-          name = "appendParamsFromMap" or
-          name = "appendPath" or
-          name = "getParamValue" or
-          name = "getParamValues" or
-          name = "getPath" or
-          name = "getPathAndAfter" or
-          name = "getQueryData" or
-          name = "parseQueryData" or
-          name = "removeFragment" or
-          name = "removeParam" or
-          name = "setParam" or
-          name = "setParamsFromMap" or
-          name = "setPath" or
-          name = "split"
+          name =
+            [
+              "appendParam", // preserve taint from the original URI, but not from the appended param
+              "appendParams", //
+              "appendParamsFromMap", //
+              "appendPath", //
+              "getParamValue", //
+              "getParamValues", //
+              "getPath", //
+              "getPathAndAfter", //
+              "getQueryData", //
+              "parseQueryData", //
+              "removeFragment", //
+              "removeParam", //
+              "setParam", //
+              "setParamsFromMap", //
+              "setPath", //
+              "split", //
+            ]
         )
         or
         // static methods in goog.string
         arg = 0 and
         exists(string name | invoke = Closure::moduleImport("goog.string." + name).getACall() |
-          name = "urlDecode" or
-          name = "urlEncode"
+          name = ["urlDecode", "urlEncode"]
         )
       )
     }
diff --git a/javascript/ql/src/Expressions/StringInsteadOfRegex.ql b/javascript/ql/src/Expressions/StringInsteadOfRegex.ql
@@ -14,13 +14,16 @@ import javascript
  * Gets a regular expression pattern that matches the syntax of likely regular expressions.
  */
 private string getALikelyRegExpPattern() {
-  result = "/.*/[gimuy]{1,5}" or // pattern with at least one flag: /foo/i
-  result = "/\\^.*/[gimuy]{0,5}" or // pattern with anchor: /^foo/
-  result = "/.*\\$/[gimuy]{0,5}" or // pattern with anchor: /foo$/
-  result = "\\^.*\\$" or // pattern body with anchors: ^foo$
-  result = ".*(?<!\\\\)\\\\[dDwWsSB].*" or // contains a builtin character class: \s
-  result = ".*(?<!\\\\)\\\\[\\[\\]()*+?{}|^$.].*" or // contains an escaped meta-character: \(
-  result = ".*\\[\\^?[\\p{Alnum}\\p{Blank}_-]+\\][*+].*" // contains a quantified custom character class: [^a-zA-Z123]+
+  result =
+    [
+      "/.*/[gimuy]{1,5}", // pattern with at least one flag: /foo/i
+      "/\\^.*/[gimuy]{0,5}", // pattern with anchor: /^foo/
+      "/.*\\$/[gimuy]{0,5}", // pattern with anchor: /foo$/
+      "\\^.*\\$", // pattern body with anchors: ^foo$
+      ".*(?<!\\\\)\\\\[dDwWsSB].*", // contains a builtin character class: \s
+      ".*(?<!\\\\)\\\\[\\[\\]()*+?{}|^$.].*", // contains an escaped meta-character: \(
+      ".*\\[\\^?[\\p{Alnum}\\p{Blank}_-]+\\][*+].*" // contains a quantified custom character class: [^a-zA-Z123]+
+    ]
 }
 
 /**
diff --git a/javascript/ql/src/experimental/Security/CWE-094/UntrustedCheckout.ql b/javascript/ql/src/experimental/Security/CWE-094/UntrustedCheckout.ql
@@ -110,13 +110,11 @@ where
   ref.getWith().getStep() = step and
   step.getJob() = job and
   uses.getGitHubRepository() = "actions/checkout" and
-  (
-    ref.getValue().matches("%github.event.pull_request.head.ref%") or
-    ref.getValue().matches("%github.event.pull_request.head.sha%") or
-    ref.getValue().matches("%github.event.pull_request.number%") or
-    ref.getValue().matches("%github.event.number%") or
-    ref.getValue().matches("%github.head_ref%")
-  ) and
+  ref.getValue()
+      .matches([
+          "%github.event.pull_request.head.ref%", "%github.event.pull_request.head.sha%",
+          "%github.event.pull_request.number%", "%github.event.number%", "%github.head_ref%"
+        ]) and
   step instanceof ProbableStep and
   job instanceof ProbableJob
 select step, "Potential unsafe checkout of untrusted pull request on `pull_request_target`"
