Merge pull request github#3743 from tausbn/python-fix-deprecated-terms

Python: Fix a bunch of deprecated terms.

Author: RasmusWL

python/ql/src/Classes/ConflictingAttributesInBaseClasses.ql

@@ -31,8 +31,8 @@ predicate calls_super(FunctionObject f) {
     )
 }
 
-/** Holds if the given name is white-listed for some reason */
-predicate whitelisted(string name) {
+/** Holds if the given name is allowed for some reason */
+predicate allowed(string name) {
     /*
      * The standard library specifically recommends this :(
      * See https://docs.python.org/3/library/socketserver.html#asynchronous-mixins
@@ -53,7 +53,7 @@ where
     not name.matches("\\_\\_%\\_\\_") and
     not calls_super(o1) and
     not does_nothing(o2) and
-    not whitelisted(name) and
+    not allowed(name) and
     not o1.overrides(o2) and
     not o2.overrides(o1) and
     not c.declaresAttribute(name)

python/ql/src/Metrics/FLinesOfDuplicatedCode.ql

@@ -20,7 +20,7 @@ where
         count(int line |
             exists(DuplicateBlock d | d.sourceFile() = f |
                 line in [d.sourceStartLine() .. d.sourceEndLine()] and
-                not whitelistedLineForDuplication(f, line)
+                not allowlistedLineForDuplication(f, line)
             )
         )
 select f, n order by n desc

python/ql/src/Metrics/FLinesOfSimilarCode.ql

@@ -20,7 +20,7 @@ where
         count(int line |
             exists(SimilarBlock d | d.sourceFile() = f |
                 line in [d.sourceStartLine() .. d.sourceEndLine()] and
-                not whitelistedLineForDuplication(f, line)
+                not allowlistedLineForDuplication(f, line)
             )
         )
 select f, n order by n desc

python/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qhelp

@@ -68,7 +68,7 @@
         <p>
 
             The second two examples show safe checks.
-            In <code>safe1</code>, a white-list is used. Although fairly inflexible,
+            In <code>safe1</code>, an allowlist is used. Although fairly inflexible,
             this is easy to get right and is most likely to be safe.
         </p>
         <p>

python/ql/src/Security/CWE-020/examples/IncompleteUrlSubstringSanitization.py

@@ -21,16 +21,16 @@ def unsafe2(request):
 
 
 
-#Simplest and safest approach is to use a white-list
+#Simplest and safest approach is to use an allowlist
 
 @app.route('/some/path/good1')
 def safe1(request):
-    whitelist = [
+    allowlist = [
         "example.com/home",
         "example.com/login",
     ]
     target = request.args.get('target', '')
-    if target in whitelist:
+    if target in allowlist:
         return redirect(target)
 
 #More complex example allowing sub-domains.

python/ql/src/Security/CWE-022/PathInjection.qhelp

@@ -26,7 +26,7 @@ Ideally, follow these rules:
 <li>Do not allow directory separators such as "/" or "\" (depending on the file system).</li>
 <li>Do not rely on simply replacing problematic sequences such as "../". For example, after
 applying this filter to ".../...//", the resulting string would still be "../".</li>
-<li>Use a whitelist of known good patterns.</li>
+<li>Use an allowlist of known good patterns.</li>
 </ul>
 </recommendation>
 

python/ql/src/Security/CWE-078/CommandInjection.qhelp

@@ -25,7 +25,7 @@ safe before using it.</p>
 
 <p>The following example shows two functions. The first is unsafe as it takes a shell script that can be changed
 by a user, and passes it straight to <code>subprocess.call()</code> without examining it first. 
-The second is safe as it selects the command from a predefined white-list.</p>
+The second is safe as it selects the command from a predefined allowlist.</p>
 
 <sample src="examples/command_injection.py" />
 

python/ql/src/Security/CWE-078/examples/command_injection.py

@@ -19,5 +19,5 @@ def command_execution_unsafe(request):
 def command_execution_safe(request):
     if request.method == 'POST':
         action = request.POST.get('action', '')
-        #GOOD -- Use a whitelist
+        #GOOD -- Use an allowlist
         subprocess.call(["application", COMMANDS[action]])

python/ql/src/Variables/ShadowBuiltin.ql

@@ -16,7 +16,7 @@ import python
 import Shadowing
 import semmle.python.types.Builtins
 
-predicate white_list(string name) {
+predicate allow_list(string name) {
     /* These are rarely used and thus unlikely to be confusing */
     name = "iter" or
     name = "next" or
@@ -51,7 +51,7 @@ predicate shadows(Name d, string name, Function scope, int line) {
     ) and
     d.getScope() = scope and
     d.getLocation().getStartLine() = line and
-    not white_list(name) and
+    not allow_list(name) and
     not optimizing_parameter(d)
 }
 

python/ql/src/analysis/Sanity.ql renamed to python/ql/src/analysis/Consistency.ql

@@ -1,7 +1,7 @@
 /**
- * @name Sanity check
- * @description General sanity check to be run on any and all code. Should never produce any results.
- * @id py/sanity-check
+ * @name Consistency check
+ * @description General consistency check to be run on any and all code. Should never produce any results.
+ * @id py/consistency-check
  */
 
 import python
@@ -24,7 +24,7 @@ predicate uniqueness_error(int number, string what, string problem) {
     )
 }
 
-predicate ast_sanity(string clsname, string problem, string what) {
+predicate ast_consistency(string clsname, string problem, string what) {
     exists(AstNode a | clsname = a.getAQlClass() |
         uniqueness_error(count(a.toString()), "toString", problem) and
         what = "at " + a.getLocation().toString()
@@ -39,7 +39,7 @@ predicate ast_sanity(string clsname, string problem, string what) {
     )
 }
 
-predicate location_sanity(string clsname, string problem, string what) {
+predicate location_consistency(string clsname, string problem, string what) {
     exists(Location l | clsname = l.getAQlClass() |
         uniqueness_error(count(l.toString()), "toString", problem) and what = "at " + l.toString()
         or
@@ -65,7 +65,7 @@ predicate location_sanity(string clsname, string problem, string what) {
     )
 }
 
-predicate cfg_sanity(string clsname, string problem, string what) {
+predicate cfg_consistency(string clsname, string problem, string what) {
     exists(ControlFlowNode f | clsname = f.getAQlClass() |
         uniqueness_error(count(f.getNode()), "getNode", problem) and
         what = "at " + f.getLocation().toString()
@@ -80,7 +80,7 @@ predicate cfg_sanity(string clsname, string problem, string what) {
     )
 }
 
-predicate scope_sanity(string clsname, string problem, string what) {
+predicate scope_consistency(string clsname, string problem, string what) {
     exists(Scope s | clsname = s.getAQlClass() |
         uniqueness_error(count(s.getEntryNode()), "getEntryNode", problem) and
         what = "at " + s.getLocation().toString()
@@ -125,7 +125,7 @@ private predicate introspected_builtin_object(Object o) {
     py_cobject_sources(o, 0)
 }
 
-predicate builtin_object_sanity(string clsname, string problem, string what) {
+predicate builtin_object_consistency(string clsname, string problem, string what) {
     exists(Object o |
         clsname = o.getAQlClass() and
         what = best_description_builtin_object(o) and
@@ -146,7 +146,7 @@ predicate builtin_object_sanity(string clsname, string problem, string what) {
     )
 }
 
-predicate source_object_sanity(string clsname, string problem, string what) {
+predicate source_object_consistency(string clsname, string problem, string what) {
     exists(Object o | clsname = o.getAQlClass() and not o.isBuiltin() |
         uniqueness_error(count(o.getOrigin()), "getOrigin", problem) and
         what = "at " + o.getOrigin().getLocation().toString()
@@ -161,7 +161,7 @@ predicate source_object_sanity(string clsname, string problem, string what) {
     )
 }
 
-predicate ssa_sanity(string clsname, string problem, string what) {
+predicate ssa_consistency(string clsname, string problem, string what) {
     /* Zero or one definitions of each SSA variable */
     exists(SsaVariable var | clsname = var.getAQlClass() |
         uniqueness_error(strictcount(var.getDefinition()), "getDefinition", problem) and
@@ -196,7 +196,7 @@ predicate ssa_sanity(string clsname, string problem, string what) {
     )
 }
 
-predicate function_object_sanity(string clsname, string problem, string what) {
+predicate function_object_consistency(string clsname, string problem, string what) {
     exists(FunctionObject func | clsname = func.getAQlClass() |
         what = func.getName() and
         (
@@ -229,7 +229,7 @@ predicate intermediate_origins(ControlFlowNode use, ControlFlowNode inter, Objec
     )
 }
 
-predicate points_to_sanity(string clsname, string problem, string what) {
+predicate points_to_consistency(string clsname, string problem, string what) {
     exists(Object obj |
         multiple_origins_per_object(obj) and
         clsname = obj.getAQlClass() and
@@ -245,7 +245,7 @@ predicate points_to_sanity(string clsname, string problem, string what) {
     )
 }
 
-predicate jump_to_definition_sanity(string clsname, string problem, string what) {
+predicate jump_to_definition_consistency(string clsname, string problem, string what) {
     problem = "multiple (jump-to) definitions" and
     exists(Expr use |
         strictcount(getUniqueDefinition(use)) > 1 and
@@ -254,7 +254,7 @@ predicate jump_to_definition_sanity(string clsname, string problem, string what)
     )
 }
 
-predicate file_sanity(string clsname, string problem, string what) {
+predicate file_consistency(string clsname, string problem, string what) {
     exists(File file, Folder folder |
         clsname = file.getAQlClass() and
         problem = "has same name as a folder" and
@@ -269,7 +269,7 @@ predicate file_sanity(string clsname, string problem, string what) {
     )
 }
 
-predicate class_value_sanity(string clsname, string problem, string what) {
+predicate class_value_consistency(string clsname, string problem, string what) {
     exists(ClassValue value, ClassValue sup, string attr |
         what = value.getName() and
         sup = value.getASuperType() and
@@ -283,16 +283,16 @@ predicate class_value_sanity(string clsname, string problem, string what) {
 
 from string clsname, string problem, string what
 where
-    ast_sanity(clsname, problem, what) or
-    location_sanity(clsname, problem, what) or
-    scope_sanity(clsname, problem, what) or
-    cfg_sanity(clsname, problem, what) or
-    ssa_sanity(clsname, problem, what) or
-    builtin_object_sanity(clsname, problem, what) or
-    source_object_sanity(clsname, problem, what) or
-    function_object_sanity(clsname, problem, what) or
-    points_to_sanity(clsname, problem, what) or
-    jump_to_definition_sanity(clsname, problem, what) or
-    file_sanity(clsname, problem, what) or
-    class_value_sanity(clsname, problem, what)
+    ast_consistency(clsname, problem, what) or
+    location_consistency(clsname, problem, what) or
+    scope_consistency(clsname, problem, what) or
+    cfg_consistency(clsname, problem, what) or
+    ssa_consistency(clsname, problem, what) or
+    builtin_object_consistency(clsname, problem, what) or
+    source_object_consistency(clsname, problem, what) or
+    function_object_consistency(clsname, problem, what) or
+    points_to_consistency(clsname, problem, what) or
+    jump_to_definition_consistency(clsname, problem, what) or
+    file_consistency(clsname, problem, what) or
+    class_value_consistency(clsname, problem, what)
 select clsname + " " + what + " has " + problem