Exclude constant names from sources to avoid duplicate results

owen-mc · owen-mc · commit fd306ed79be8 · 2024-04-24T14:19:30.000+01:00
diff --git a/go/ql/src/Security/CWE-020/IncompleteHostnameRegexp.ql b/go/ql/src/Security/CWE-020/IncompleteHostnameRegexp.ql
@@ -81,9 +81,12 @@ predicate regexpGuardsError(RegexpPattern regexp) {
 
 module IncompleteHostNameRegexpConfig implements DataFlow::ConfigSig {
   additional predicate isSourceString(DataFlow::Node source, string hostPart) {
-    exists(Expr e |
-      e = source.asExpr() and
-      isIncompleteHostNameRegexpPattern(e.getStringValue(), hostPart)
+    exists(Expr e | e = source.asExpr() |
+      isIncompleteHostNameRegexpPattern(e.getStringValue(), hostPart) and
+      // Exclude constant names to avoid duplicate results, because the string
+      // literals which they are initialised with are also considered as
+      // sources.
+      not e instanceof ConstantName
     )
   }
 

Original file line number	Diff line number	Diff line change
`@@ -81,9 +81,12 @@ predicate regexpGuardsError(RegexpPattern regexp) {`
`81`	`81`
`82`	`82`	`module IncompleteHostNameRegexpConfig implements DataFlow::ConfigSig {`
`83`	`83`	`additional predicate isSourceString(DataFlow::Node source, string hostPart) {`
`84`		`- exists(Expr e \|`
`85`		`- e = source.asExpr() and`
`86`		`- isIncompleteHostNameRegexpPattern(e.getStringValue(), hostPart)`
	`84`	`+ exists(Expr e \| e = source.asExpr() \|`
	`85`	`+ isIncompleteHostNameRegexpPattern(e.getStringValue(), hostPart) and`
	`86`	`+ // Exclude constant names to avoid duplicate results, because the string`
	`87`	`+ // literals which they are initialised with are also considered as`
	`88`	`+ // sources.`
	`89`	`+ not e instanceof ConstantName`
`87`	`90`	`)`
`88`	`91`	`}`
`89`	`92`