Improve handling of the 'author' word as an exception

Author: atorralba

java/ql/lib/semmle/code/java/security/SensitiveActions.qll

@@ -81,9 +81,9 @@ class AuthMethod extends SensitiveExecutionMethod {
   AuthMethod() {
     exists(string s | s = this.getName().toLowerCase() |
       s.matches(["%login%", "%auth%"]) and
-      not s.matches([
-          "get%", "set%", "parse%", "%loginfo%", "remove%", "clean%", "%unauth%", "%author%"
-        ])
+      not s.matches(["get%", "set%", "parse%", "%loginfo%", "remove%", "clean%", "%unauth%"]) and
+      // exclude "author", but not "authorize" or "authority"
+      not s.regexpMatch(".*[aA]uthors?([A-Z0-9_].*|$)")
     ) and
     not this.getDeclaringType().getASupertype*() instanceof TypeException
   }

java/ql/test/query-tests/security/CWE-807/semmle/tests/ConditionalBypassTest.java

@@ -129,6 +129,27 @@ public static void test7(String user, String password) {
 		}
 	}
 
+	public static void test8(String user, String password) {
+		Cookie adminCookie = getCookies()[0];
+		{
+			// BAD: login may not happen
+			if (adminCookie.getValue() == "false") // $ hasConditionalBypassTest
+				authorize(user, password);
+			else {
+				// do something else
+				doIt();
+			}
+		}
+		{
+			// obtainAuthor is not sensitive, so this is safe
+			if (adminCookie.getValue() == "false")
+				obtainAuthor();
+			else {
+				doIt();
+			}
+		}
+	}
+
 	public static void login(String user, String password) {
 		// login
 	}
@@ -137,6 +158,14 @@ public static void reCheckAuth(String user, String password) {
 		// login
 	}
 
+	public static void authorize(String user, String password) {
+		// login
+	}
+
+	public static String obtainAuthor() {
+		return "";
+	}
+
 	public static Cookie[] getCookies() {
 		// get cookies from a servlet
 		return new Cookie[0];