fix format warnings/errors

am0o0 · am0o0 · commit c16a2827d70b · 2023-06-25T23:24:12.000+10:00
diff --git a/javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/Bombs_jszip.ql b/javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/Bombs_jszip.ql
@@ -5,7 +5,7 @@
  * @problem.severity error
  * @security-severity 7.8
  * @precision medium
- * @id js/user-controlled-file-decompression
+ * @id js/user-controlled-file-decompression-jszip
  * @tags security
  *       experimental
  *       external/cwe/cwe-409
diff --git a/javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/Bombs_node-tar.ql b/javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/Bombs_node-tar.ql
@@ -5,13 +5,12 @@
  * @problem.severity error
  * @security-severity 7.8
  * @precision medium
- * @id js/user-controlled-file-decompression
+ * @id js/user-controlled-file-decompression--tar
  * @tags security
  *       experimental
  *       external/cwe/cwe-409
  */
 
-import javascript
 import DataFlow::PathGraph
 import API
 import semmle.javascript.Concepts
diff --git a/javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/Bombs_zlib-Pako-AdmZip.ql b/javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/Bombs_zlib-Pako-AdmZip.ql
@@ -5,7 +5,7 @@
  * @problem.severity error
  * @security-severity 7.8
  * @precision medium
- * @id js/user-controlled-file-decompression
+ * @id js/user-controlled-file-decompression-Zlib-Pako-AdmZip
  * @tags security
  *       experimental
  *       external/cwe/cwe-409
@@ -65,11 +65,7 @@ class BombConfiguration extends TaintTracking::Configuration {
     )
     or
     sink =
-      [
-        DataFlow::moduleMember("pako", ["inflate", "inflateRaw", "ungzip"])
-            .getACall()
-            .getArgument(0)
-      ]
+      DataFlow::moduleMember("pako", ["inflate", "inflateRaw", "ungzip"]).getACall().getArgument(0)
     or
     exists(API::Node n | n = API::moduleImport("adm-zip").getInstance() |
       (
@@ -85,7 +81,7 @@ class BombConfiguration extends TaintTracking::Configuration {
     readablePipeAdditionalTaintStep(pred, succ)
     or
     // succ = new Uint8Array(pred)
-    exists(DataFlow::Node n, NewExpr ne | ne = n.asExpr().(NewExpr) |
+    exists(DataFlow::Node n, NewExpr ne | ne = n.asExpr() |
       pred.asExpr() = ne.getArgument(0) and
       succ.asExpr() = ne and
       ne.getCalleeName() = "Uint8Array"
diff --git a/javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/CommandLineSource.qll b/javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/CommandLineSource.qll
@@ -3,6 +3,7 @@ import DataFlow::PathGraph
 import API
 
 /**
+ * A Command Line argument as a Flow Source
  * there are FP when the types are not str
  * because int,boolean types are not really dangerous as a source node
  */
diff --git a/javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/SequelizeModelMethodCall.ql b/javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/SequelizeModelMethodCall.ql
@@ -10,7 +10,7 @@
 
 import javascript
 import DataFlow::PathGraph
-import sequelizeModelTypes::sequelizeModel
+import sequelizeModelTypes::SequelizeModel
 import API
 
 class SequelizeModelConfiguration extends TaintTracking::Configuration {
diff --git a/javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/sequelizeModelTypes.qll b/javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/sequelizeModelTypes.qll
@@ -1,7 +1,7 @@
 import javascript
 import DataFlow
 
-module sequelizeModel {
+module SequelizeModel {
   SourceNode sequelizeModelAsSourceNode(TypeTracker t) {
     t.start() and
     exists(
