adjust qhelp to focus on user-controlled data

erik-krogh · erik-krogh · commit 2b1724291b0c · 2020-05-18T12:27:20.000+02:00
diff --git a/javascript/ql/src/Security/CWE-078/UnsafeShellCommandConstruction.qhelp b/javascript/ql/src/Security/CWE-078/UnsafeShellCommandConstruction.qhelp
@@ -49,10 +49,10 @@
 	</p>
 
 	<p>
-		Even worse, although less likely, a malicious user could
-		provide the input <code>http://example.org; cat /etc/passwd</code>
+		Even worse, although less likely, a client might pass in user-controlled
+		data not knowing that the input is interpreted as a shell command. 
+		This could allow a malicious user to provide the input <code>http://example.org; cat /etc/passwd</code>
 		in order to execute the command <code>cat /etc/passwd</code>.
-
 	</p>
 
 	<p>
