github · erik-krogh · Sep 20, 2022 · Sep 2, 2022 · Sep 6, 2022 · Sep 8, 2022
@@ -19,7 +19,7 @@ module CodeInjection {
     /**
      * Gets the substitute for `X` in the message `User-provided value flows to X`.
      */
-    string getMessageSuffix() { result = "here and is interpreted as code" }
+    string getMessageSuffix() { result = "this location and is interpreted as code" }
   }
 
   /**
@@ -126,7 +126,8 @@ module CodeInjection {
     }
 
     override string getMessageSuffix() {
-      result = "here and is interpreted by " + templateType + ", which may evaluate it as code"
+      result =
+        "this location and is interpreted by " + templateType + ", which may evaluate it as code"
     }
   }
 
@@ -288,7 +289,7 @@ module CodeInjection {
   /** A sink for code injection via template injection. */
   abstract private class TemplateSink extends Sink {
     override string getMessageSuffix() {
-      result = "here and is interpreted as a template, which may contain code"
+      result = "this location and is interpreted as a template, which may contain code"
     }
   }
 

@@ -54,7 +54,7 @@ module HardcodedDataInterpretedAsCode {
 
     override DataFlow::FlowLabel getLabel() { result.isTaint() }
 
-    override string getKind() { result = "code" }
+    override string getKind() { result = "Code" }
   }
 
   /**
@@ -65,6 +65,6 @@ module HardcodedDataInterpretedAsCode {
 
     override DataFlow::FlowLabel getLabel() { result.isDataOrTaint() }
 
-    override string getKind() { result = "an import path" }
+    override string getKind() { result = "An import path" }
   }
 }
@@ -47,7 +47,7 @@ module RemotePropertyInjection {
       exists(DeleteExpr expr | expr.getOperand().(PropAccess).getPropertyNameExpr() = astNode)
     }
 
-    override string getMessage() { result = " a property name to write to." }
+    override string getMessage() { result = "A property name to write to" }
   }
 
   /**
@@ -65,6 +65,6 @@ module RemotePropertyInjection {
       )
     }
 
-    override string getMessage() { result = " a header name." }
+    override string getMessage() { result = "A header name" }
   }
 }
@@ -21,5 +21,5 @@ import DataFlow::PathGraph
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "$@ flows to here and is used in a path.", source.getNode(),
-  "User-provided value"
+select sink.getNode(), source, sink, "This path depends on $@.", source.getNode(),
+  "a user-provided value"
@@ -18,6 +18,5 @@ import DataFlow::PathGraph
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasFlowPath(source, sink)
-select source.getNode(), source, sink,
-  "Unsanitized archive entry, which may contain '..', is used in a $@.", sink.getNode(),
-  "file system operation"
+select source.getNode(), source, sink, "$@ depends on $@ which may contain '..'", sink.getNode(),
+  "File system operation", source.getNode(), "unsanitized archive entry"
@@ -17,5 +17,5 @@ import semmle.javascript.security.dataflow.TemplateObjectInjectionQuery
 
 from DataFlow::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "Template object injection due to $@.", source.getNode(),
-  "user-provided value"
+select sink.getNode(), source, sink, "Template object depends on $@.", source.getNode(),
+  "a user-provided value"
@@ -28,5 +28,5 @@ where
     else highlight = sink.getNode()
   ) and
   sourceNode = source.getNode()
-select highlight, source, sink, "$@ flows to here and is used in a command.", source.getNode(),
-  sourceNode.getSourceType()
+select highlight, source, sink, "Command line depends on $@.", source.getNode(),
+  "a user-provided value"
@@ -19,6 +19,6 @@ import DataFlow::PathGraph
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, Sink sinkNode
 where cfg.hasFlowPath(source, sink) and sinkNode = sink.getNode()
-select sinkNode.getAlertLocation(), source, sink, "$@ based on $@ is later used in $@.",
+select sinkNode.getAlertLocation(), source, sink, "$@ which depends on $@ is later used in $@.",
   sinkNode.getAlertLocation(), sinkNode.getSinkType(), source.getNode(), "library input",
-  sinkNode.getCommandExecution(), "shell command"
+  sinkNode.getCommandExecution(), "a shell command"
@@ -18,6 +18,6 @@ import semmle.javascript.security.dataflow.UnsafeHtmlConstructionQuery
 
 from DataFlow::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, Sink sinkNode
 where cfg.hasFlowPath(source, sink) and sink.getNode() = sinkNode
-select sinkNode, source, sink, "$@ based on $@ might later cause $@.", sinkNode,
+select sinkNode, source, sink, "$@ which depends on $@ might later allow $@.", sinkNode,
   sinkNode.describe(), source.getNode(), "library input", sinkNode.getSink(),
   sinkNode.getVulnerabilityKind().toLowerCase()
@@ -68,5 +68,5 @@ where
     sink.getNode().(StringOps::ConcatenationLeaf).getRoot() = endsInCodeInjectionSink() and
     remoteFlow() = source.getNode().(DataFlow::InvokeNode).getAnArgument()
   )
-select sink.getNode(), source, sink, "$@ flows to here and is used to construct code.",
-  source.getNode(), "Improperly sanitized value"
+select sink.getNode(), source, sink, "Code construction depends on $@.", source.getNode(),
+  "an improperly sanitized value"
@@ -19,5 +19,5 @@ import semmle.javascript.security.dataflow.UnsafeCodeConstruction::UnsafeCodeCon
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "$@ flows to here and is later $@.", source.getNode(),
+select sink.getNode(), source, sink, "$@ flows to this location and is later $@.", source.getNode(),
   "Library input", sink.getNode().(Sink).getCodeSink(), "interpreted as code"
@@ -17,5 +17,5 @@ import DataFlow::PathGraph
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasFlowPath(source, sink)
 select sink, source, sink,
-  "Invocation of method derived from $@ may lead to remote code execution.", source.getNode(),
-  "user-controlled value"
+  "This method is invoked using $@, which may allow remote code execution.", source.getNode(),
+  "a user-controlled value"
@@ -17,5 +17,5 @@ import semmle.javascript.security.dataflow.LogInjectionQuery
 
 from LogInjectionConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink
 where config.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "$@ flows to log entry.", source.getNode(),
-  "User-provided value"
+select sink.getNode(), source, sink, "Log entry depends on $@.", source.getNode(),
+  "a user-provided value"
@@ -16,5 +16,5 @@ import DataFlow::PathGraph
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "$@ flows to here and is used in a format string.",
-  source.getNode(), "User-provided value"
+select sink.getNode(), source, sink, "Format string depends on $@.", source.getNode(),
+  "a user-provided value"
@@ -16,5 +16,5 @@ import DataFlow::PathGraph
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "$@ flows directly to outbound network request",
-  source.getNode(), "File data"
+select sink.getNode(), source, sink, "Outbound network request depends on $@", source.getNode(),
+  "file data"
@@ -19,6 +19,5 @@ import DataFlow::PathGraph
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasFlowPath(source, sink)
-select sink.getNode(), source, sink,
-  "Sensitive data returned from $@ is sent to another window without origin restriction.",
-  source.getNode(), "here"
+select sink.getNode(), source, sink, "$@ is sent to another window without origin restriction.",
+  source.getNode(), "Sensitive data"
@@ -20,5 +20,5 @@ import DataFlow::PathGraph
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasFlowPath(source, sink)
 select sink.getNode(), source, sink,
-  "Stack trace information from $@ may be exposed to an external user here.", source.getNode(),
-  "here"
+  "$@ flows to this location and may be exposed to an external user.", source.getNode(),
+  "Stack trace information"
@@ -20,5 +20,5 @@ import DataFlow::PathGraph
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasFlowPath(source, sink)
 select sink.getNode(), source, sink,
-  "Sensitive data returned by $@ is stored in a build artifact here.", source.getNode(),
-  source.getNode().(CleartextLogging::Source).describe()
+  "Sensitive data returned by $@ flows to this location and is stored in a build artifact.",
+  source.getNode(), source.getNode().(CleartextLogging::Source).describe()
@@ -38,5 +38,5 @@ where
   cfg.hasFlowPath(source, sink) and
   // ignore logging to the browser console (even though it is not a good practice)
   not inBrowserEnvironment(sink.getNode().asExpr().getTopLevel())
-select sink.getNode(), source, sink, "Sensitive data returned by $@ is logged here.",
-  source.getNode(), source.getNode().(Source).describe()
+select sink.getNode(), source, sink, "$@ is logged here.", source.getNode(),
+  "Sensitive data returned by " + source.getNode().(Source).describe()
@@ -19,5 +19,5 @@ import DataFlow::PathGraph
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "Sensitive data returned by $@ is stored here.",
-  source.getNode(), source.getNode().(Source).describe()
+select sink.getNode(), source, sink, "$@ is stored here.", source.getNode(),
+  "Sensitive data returned by " + source.getNode().(Source).describe()
@@ -20,6 +20,5 @@ from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where
   cfg.hasFlowPath(source, sink) and
   not source.getNode() instanceof CleartextPasswordExpr // flagged by js/insufficient-password-hash
-select sink.getNode(), source, sink,
-  "Sensitive data from $@ is used in a broken or weak cryptographic algorithm.", source.getNode(),
-  source.getNode().(Source).describe()
+select sink.getNode(), source, sink, "A broken or weak cryptographic algorithm depends on $@.",
+  source.getNode(), "sensitive data from" + source.getNode().(Source).describe()
@@ -19,5 +19,5 @@ import DataFlow::PathGraph
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasFlowPath(source, sink)
 select sink.getNode(), source, sink,
-  "Cryptographically insecure random number is generated at $@ and used here in a security context.",
+  "This security context depends on a cryptographically insecure random number at $@.",
   source.getNode(), source.getNode().toString()
@@ -20,5 +20,5 @@ from
 where
   cfg.hasFlowPath(source, sink) and
   sink.getNode().(Sink).hasReason(link, reason)
-select sink, source, sink, "Denial of service caused by processing user input from $@ with $@.",
-  source.getNode(), "here", link, reason
+select sink, source, sink, "Denial of service caused by processing $@ with $@.", source.getNode(),
+  "user input", link, reason
@@ -18,5 +18,5 @@ import DataFlow::PathGraph
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "A $@ is used as" + sink.getNode().(Sink).getMessage(),
-  source.getNode(), "user-provided value"
+select sink.getNode(), source, sink, sink.getNode().(Sink).getMessage() + " depends on $@.",
+  source.getNode(), "a user-provided value"
@@ -17,4 +17,5 @@ import DataFlow::PathGraph
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "Unsafe deserialization of $@.", source.getNode(), "user input"
+select sink.getNode(), source, sink, "Unsafe deserialization that depends on $@.", source.getNode(),
+  "a user-provided value"
@@ -19,5 +19,5 @@ import DataFlow::PathGraph
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasFlowPath(source, sink)
 select sink.getNode(), source, sink,
-  "Hard-coded data from $@ is interpreted as " + sink.getNode().(Sink).getKind() + ".",
-  source.getNode(), "here"
+  "$@ is interpreted as " + sink.getNode().(Sink).getKind() + ".", source.getNode(),
+  "Hard-coded data"
@@ -19,5 +19,5 @@ import DataFlow::PathGraph
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "Untrusted URL redirection due to $@.", source.getNode(),
-  "user-provided value"
+select sink.getNode(), source, sink, "Untrusted URL redirection depends on $@.", source.getNode(),
+  "a user-provided value"
@@ -17,5 +17,5 @@ import DataFlow::PathGraph
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "Untrusted URL redirection due to $@.", source.getNode(),
-  "user-provided value"
+select sink.getNode(), source, sink, "Untrusted URL redirection depends on $@.", source.getNode(),
+  "a user-provided value"
@@ -19,5 +19,5 @@ import DataFlow::PathGraph
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasFlowPath(source, sink)
 select sink.getNode(), source, sink,
-  "A $@ is parsed as XML without guarding against external entity expansion.", source.getNode(),
-  "user-provided value"
+  "XML parsing depends on $@ without guarding against external entity expansion.", source.getNode(),
+  "a user-provided value"
@@ -17,6 +17,5 @@ import DataFlow::PathGraph
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasFlowPath(source, sink)
-select sink.getNode(), source, sink,
-  "Links in this email can be hijacked by poisoning the HTTP host header $@.", source.getNode(),
-  "here"
+select sink.getNode(), source, sink, "Links in this email can be hijacked by poisoning the $@.",
+  source.getNode(), "HTTP host header"
@@ -17,5 +17,5 @@ import DataFlow::PathGraph
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "$@ flows to here and is used in an XPath expression.",
-  source.getNode(), "User-provided value"
+select sink.getNode(), source, sink, "XPath expression depends on $@.", source.getNode(),
+  "a user-provided value"
@@ -19,5 +19,5 @@ import DataFlow::PathGraph
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "This regular expression is constructed from a $@.",
-  source.getNode(), "user-provided value"
+select sink.getNode(), source, sink, "This regular expression depends on $@.", source.getNode(),
+  "a user-provided value"
@@ -19,5 +19,5 @@ import DataFlow::PathGraph
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasFlowPath(source, sink)
 select sink.getNode(), source, sink,
-  "A $@ is parsed as XML without guarding against uncontrolled entity expansion.", source.getNode(),
-  "user-provided value"
+  "XML parsing depends on $@ without guarding against uncontrolled entity expansion.",
+  source.getNode(), "a user-provided value"
@@ -19,5 +19,5 @@ import DataFlow::PathGraph
 from Configuration dataflow, DataFlow::PathNode source, DataFlow::PathNode sink
 where dataflow.hasFlowPath(source, sink)
 select sink, source, sink,
-  "Iterating over user-controlled object with a potentially unbounded .length property from $@.",
-  source, "here"
+  "Iteration over a user-controlled object with a potentially unbounded .length property from $@.",
+  source, "a user-provided value"
@@ -17,4 +17,4 @@ import DataFlow::PathGraph
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "$@ flows to file system", source.getNode(), "Untrusted data"
+select sink.getNode(), source, sink, "$@ flows to file system.", source.getNode(), "Untrusted data"