update qhelp file and ql comments

Author: haby0

java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp

@@ -3,8 +3,9 @@
   "qhelp.dtd">
 <qhelp>
 <overview>
-<p>The software obtains the original client IP address through the http header <code>X-Forwarded-For</code>, which is used to ensure 
-security or track it in the log for statistical or other reasons. Attackers can use <code>X-Forwarded-For </code> Spoofing software.</p>
+<p>The software obtains the original client IP address through the http header (<code>X-Forwarded-For</code> or <code>X-Real-IP</code> or <code>Proxy-Client-IP</code> 
+etc.), which is used to ensure security or track it in the log for statistical or other reasons. Attackers can forge the value of these identifiers to attack the 
+software.</p>
 
 </overview>
 <recommendation>
@@ -15,9 +16,10 @@ security or track it in the log for statistical or other reasons. Attackers can
 <example>
 
 <p>The following examples show the bad case and the good case respectively. Bad case, such as <code>bad1</code> to <code>bad2</code>. 
-In the <code>bad1</code> method, the value of <code>X-Forwarded-For</code> in <code>header</code> is split, and the first value of 
-the split array is obtained. Good case, such as <code>good1</code>, split the value of <code>X-Forwarded-For</code> in <code>header</code> 
-and get the last value of the split array.</p>
+In the <code>bad1</code> method, obtain the client ip according to the specified identifier from the <code>header</code> for local 
+output and logging. In the <code>bad2</code> method, the client ip is obtained and judged according to the specified identifier 
+from the <code>header</code>. When used for permission verification, it can be bypassed by forging the ip. Good case, such as 
+<code>good1</code>, split the value of <code>X-Forwarded-For</code> in <code>header</code> and get the last value of the split array.</p>
 
 <sample src="UseOfLessTrustedSource.java" />
 

java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.ql

@@ -1,7 +1,8 @@
 /**
  * @name IP address spoofing
- * @description The software obtains the client ip through `X-Forwarded-For`,
- *              and the attacker can modify the value of `X-Forwarded-For` to forge the ip.
+ * @description The software obtains the client ip from the remote endpoint identifier specified (`X-Forwarded-For`,
+ *              `X-Real-IP`, `Proxy-Client-IP`, etc.) in the header and uses it. Attackers can modify these The value
+ *              of the identifier to forge the client ip.
  * @kind path-problem
  * @problem.severity error
  * @precision high
@@ -12,12 +13,12 @@
 
 import java
 import UseOfLessTrustedSourceLib
-import semmle.code.java.dataflow.DataFlow2
-import semmle.code.java.dataflow.TaintTracking2
 import semmle.code.java.dataflow.FlowSources
 import DataFlow::PathGraph
 
-/** Taint-tracking configuration tracing flow from get method request sources to output jsonp data. */
+/**
+ * Taint-tracking configuration tracing flow from obtain client ip to use the client ip.
+ */
 class UseOfLessTrustedSourceConfig extends TaintTracking::Configuration {
   UseOfLessTrustedSourceConfig() { this = "UseOfLessTrustedSourceConfig" }
 

java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll

@@ -1,12 +1,11 @@
 import java
 import DataFlow
-import semmle.code.java.dataflow.TaintTracking2
 import semmle.code.java.security.QueryInjection
 import experimental.semmle.code.java.Logging
 
 /**
  * A data flow source of the client ip obtained according to the remote endpoint identifier specified
- * in the header (`X-Forwarded-For`, `X-Real-IP`, `Proxy-Client-IP`, etc.).
+ * (`X-Forwarded-For`, `X-Real-IP`, `Proxy-Client-IP`, etc.) in the header.
  *
  * For example: `ServletRequest.getHeader("X-Forwarded-For")`.
  */