Simplify CredentialExpr as the AddExpr step is included by TaintTracking::localTaintStep(node1, node2)

luchua-bc · web-flow · commit 632cb8b66608 · 2020-05-13T07:55:32.000-04:00
diff --git a/java/ql/src/experimental/CWE-532/SensitiveInfoLog.ql b/java/ql/src/experimental/CWE-532/SensitiveInfoLog.ql
@@ -20,14 +20,10 @@ private string getACredentialRegex() {
   result = "(?i)(.*username|url).*"
 }
 
-/** The variable or concatenated string with the variable that keeps sensitive information judging by its name * */
+/** Variable keeps sensitive information judging by its name * */
 class CredentialExpr extends Expr {
   CredentialExpr() {
-    exists(Variable v |
-      (this.(AddExpr).getAnOperand() = v.getAnAccess() or this = v.getAnAccess())
-    |
-      v.getName().regexpMatch(getACredentialRegex())
-    )
+    exists(Variable v | this = v.getAnAccess() | v.getName().regexpMatch(getACredentialRegex()))
   }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -20,14 +20,10 @@ private string getACredentialRegex() {`
`20`	`20`	`result = "(?i)(.username\|url)."`
`21`	`21`	`}`
`22`	`22`
`23`		`-/** The variable or concatenated string with the variable that keeps sensitive information judging by its name * */`
	`23`	`+/** Variable keeps sensitive information judging by its name * */`
`24`	`24`	`class CredentialExpr extends Expr {`
`25`	`25`	`CredentialExpr() {`
`26`		`- exists(Variable v \|`
`27`		`- (this.(AddExpr).getAnOperand() = v.getAnAccess() or this = v.getAnAccess())`
`28`		`- \|`
`29`		`- v.getName().regexpMatch(getACredentialRegex())`
`30`		`- )`
	`26`	`+ exists(Variable v \| this = v.getAnAccess() \| v.getName().regexpMatch(getACredentialRegex()))`
`31`	`27`	`}`
`32`	`28`	`}`
`33`	`29`