add comment about parameters named "code"

erik-krogh · erik-krogh · commit 681179dcbb08 · 2022-02-07T13:34:18.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeCodeConstructionCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeCodeConstructionCustomizations.qll
@@ -24,6 +24,7 @@ module UnsafeCodeConstruction {
   class ExternalInputSource extends Source, DataFlow::ParameterNode {
     ExternalInputSource() {
       this = Exports::getALibraryInputParameter() and
+      // permit parameters that clearly are intended to contain executable code.
       not this.getName() = "code"
     }
   }

Original file line number	Diff line number	Diff line change
`@@ -24,6 +24,7 @@ module UnsafeCodeConstruction {`
`24`	`24`	`class ExternalInputSource extends Source, DataFlow::ParameterNode {`
`25`	`25`	`ExternalInputSource() {`
`26`	`26`	`this = Exports::getALibraryInputParameter() and`
	`27`	`+ // permit parameters that clearly are intended to contain executable code.`
`27`	`28`	`not this.getName() = "code"`
`28`	`29`	`}`
`29`	`30`	`}`