Commit 30aa9b2

atorralbasubatoi and authored
Apply suggestions from code review
Co-authored-by: Ben Ahmady <[email protected]>
1 parent 46ea067 commit 30aa9b2

1 file changed: +4 -9 lines changed

1 file changed

+4
-9
lines changed

swift/ql/src/queries/Security/CWE-943/PredicateInjection.qhelp

Lines changed: 4 additions & 9 deletions
@@ -9,25 +9,20 @@ be able to change the overall meaning of the predicate.
99
</overview>
1010
<recommendation>
1111
<p>
12-
When building a predicate from untrusted data, pass it to the appropriate <code>arguments</code> parameter
13-
during initialization, or as an array of substitution variables before evaluation, instead of appending
14-
or concatenating it to the body of the predicate.
12+
When building a predicate from untrusted data, you should either pass it to the appropriate <code>arguments</code> parameter during initialization, or as an array of substitution variables before evaluation. You should not append or concatenate it to the body of the predicate.
1513
</p>
1614
</recommendation>
1715
<example>
1816
<p>
19-
In the following insecure example, a <code>NSPredicate</code> is built directly from data obtained from an HTTP request,
20-
which is untrusted, and can be arbitrarily set by an attacker to alter the meaning of the predicate:
17+
In the following insecure example, <code>NSPredicate</code> is built directly from data obtained from an HTTP request. This is untrusted, and can be arbitrarily set by an attacker to alter the meaning of the predicate:
2118
</p>
2219
<sample src="PredicateInjectionBad.swift" />
2320
<p>
24-
A better way to do this is using the <code>arguments</code> parameter of <code>NSPredicate</code>'s constructor,
25-
which prevents attackers from altering the meaning of the predicate, even if they control the externally-obtained data,
26-
as seen in the following secure example:
21+
A better way to do this is to use the <code>arguments</code> parameter of <code>NSPredicate</code>'s constructor. This prevents attackers from altering the meaning of the predicate, even if they control the externally obtained data, as seen in the following secure example:
2722
</p>
2823
<sample src="PredicateInjectionGood.swift" />
2924
</example>
3025
<references>
31-
<li>Apple Developer documentation: <a href="https://developer.apple.com/documentation/foundation/nspredicate">NSPredicate</a> </li>
26+
<li>Apple Developer Documentation: <a href="https://developer.apple.com/documentation/foundation/nspredicate">NSPredicate</a> </li>
3227
</references>
3328
</qhelp>
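Review bot: the rewritten recommendation at line 12+ is not parallel: "you should either pass it to the appropriate `arguments` parameter during initialization, or as an array of substitution variables before evaluation" leaves the second alternative without a verb. Suggest "either pass it to the appropriate <code>arguments</code> parameter during initialization, or supply it as an array of substitution variables before evaluation", so both halves of the "either ... or" read as complete instructions. At line 17+, "This is untrusted, and can be arbitrarily set by an attacker" now follows "<code>NSPredicate</code> is built directly from data obtained from an HTTP request", so "This" can be read as referring to the predicate rather than the request data; "This data is untrusted" (or "Such data is untrusted") would keep the antecedent clear, and restoring the article ("an <code>NSPredicate</code>") would match the surrounding sentences in the good-example paragraph.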
