Merge pull request #177 from sauyon/whitelist

Use allow or allowlist instead of whitelist

Author: max-schaefer

ql/src/RedundantCode/CompareIdenticalValues.ql

@@ -17,9 +17,9 @@ from ComparisonExpr cmp, Expr l
 where
   l = cmp.getLeftOperand() and
   l.getGlobalValueNumber() = cmp.getRightOperand().getGlobalValueNumber() and
-  // whitelist floats, where self-comparison may be used for NaN checks
+  // allow floats, where self-comparison may be used for NaN checks
   not l.getType().getUnderlyingType() instanceof FloatType and
-  // whitelist comparisons of symbolic constants to literal constants; these are often feature flags
+  // allow comparisons of symbolic constants to literal constants; these are often feature flags
   not exists(DeclaredConstant decl |
     cmp.getAnOperand() = decl.getAReference() and
     cmp.getAnOperand() instanceof BasicLit

ql/src/RedundantCode/UnreachableStatement.ql

@@ -21,7 +21,7 @@ ControlFlow::Node nonGuardPredecessor(ControlFlow::Node nd) {
   )
 }
 
-predicate whitelist(Stmt s) {
+predicate allowlist(Stmt s) {
   // `panic("unreachable")` and similar
   exists(CallExpr ce | ce = s.(ExprStmt).getExpr() or ce = s.(ReturnStmt).getExpr() |
     ce.getTarget().mustPanic() or ce.getCalleeName().toLowerCase() = "error"
@@ -49,5 +49,5 @@ from Stmt s, ControlFlow::Node fst
 where
   fst = s.getFirstControlFlowNode() and
   not exists(nonGuardPredecessor(fst)) and
-  not whitelist(s)
+  not allowlist(s)
 select s, "This statement is unreachable."

ql/src/Security/CWE-022/TaintedPath.qhelp

@@ -24,7 +24,7 @@ Ideally, follow these rules:
 <li>Do not allow directory separators such as "/" or "\" (depending on the file system).</li>
 <li>Do not rely on simply replacing problematic sequences such as "../". For example, after
 applying this filter to ".../...//", the resulting string would still be "../".</li>
-<li>Use a whitelist of known good patterns.</li>
+<li>Use an allowlist of known good patterns.</li>
 </ul>
 </recommendation>
 

ql/src/Security/CWE-798/HardcodedCredentials.ql

@@ -23,7 +23,7 @@ predicate isSensitive(DataFlow::Node sink, SensitiveExpr::Classification type) {
   exists(Write write, string name |
     write.getRhs() = sink and
     name = write.getLhs().getName() and
-    // whitelist obvious test password variables
+    // allow obvious test password variables
     not name.regexpMatch(HeuristicNames::notSensitive())
   |
     name.regexpMatch(HeuristicNames::maybeSensitive(type))
@@ -35,7 +35,7 @@ where
   exists(string val | val = source.getStringValue() and val != "" |
     isSensitive(sink, type) and
     DataFlow::localFlow(source, sink) and
-    // whitelist obvious dummy/test values
+    // allow obvious dummy/test values
     not PasswordHeuristics::isDummyPassword(val) and
     not sink.asExpr().(Ident).getName().regexpMatch(HeuristicNames::notSensitive())
   ) and

ql/src/experimental/CWE-807/SensitiveConditionBypass.qll

@@ -9,7 +9,7 @@ predicate isSensitive(DataFlow::Node sink, SensitiveExpr::Classification type) {
   exists(Write write, string name |
     write.getRhs() = sink and
     name = write.getLhs().getName() and
-    // whitelist obvious test password variables
+    // allow obvious test password variables
     not name.regexpMatch(HeuristicNames::notSensitive())
   |
     name.regexpMatch(HeuristicNames::maybeSensitive(type))

ql/src/semmle/go/Scopes.qll

@@ -507,7 +507,7 @@ class DeclaredFunction extends Function, DeclaredEntity, @declfunctionobject {
       body.mayHaveSideEffects()
       or
       // functions declared in files with build constraints may be defined differently
-      // for different platforms, so whitelist them to avoid false positives
+      // for different platforms, so allow them to avoid false positives
       body.getFile().hasBuildConstraints()
     )
   }