Apply suggestions from code review

erik-krogh · alexrford · web-flow · commit 32c4cf5769b4 · 2023-01-23T14:58:04.000+01:00
Co-authored-by: Alex Ford &lt;alexrford@users.noreply.github.com&gt;
diff --git a/ruby/ql/lib/codeql/ruby/security/UnsafeHtmlConstructionCustomizations.qll b/ruby/ql/lib/codeql/ruby/security/UnsafeHtmlConstructionCustomizations.qll
@@ -36,7 +36,7 @@ module UnsafeHtmlConstruction {
   private import codeql.ruby.security.XSS::ReflectedXss as ReflectedXss
 
   /** Gets a node that eventually ends up in the XSS `sink`. */
-  DataFlow::Node getANodeThatEndsInXssSink(ReflectedXss::Sink sink) {
+  private DataFlow::Node getANodeThatEndsInXssSink(ReflectedXss::Sink sink) {
     result = getANodeThatEndsInXssSink(TypeTracker::TypeBackTracker::end(), sink)
   }
 
@@ -55,10 +55,10 @@ module UnsafeHtmlConstruction {
   }
 
   /**
-   * A string constructed from a string-literal (e.g. `"foo #{sink}"`),
+   * A component of a string-literal (e.g. `"foo #{sink}"`),
    * where the resulting string ends up being used in an XSS sink.
    */
-  class StringFormatAsSink extends Sink {
+  private class StringFormatAsSink extends Sink {
     ReflectedXss::Sink s;
 
     StringFormatAsSink() {
@@ -73,13 +73,13 @@ module UnsafeHtmlConstruction {
     override string getSinkType() { result = "string interpolation" }
   }
 
-  import codeql.ruby.security.TaintedFormatStringSpecific as TaintedFormat
+  private import codeql.ruby.security.TaintedFormatStringSpecific as TaintedFormat
 
   /**
-   * A string constructed from a printf-style call,
+   * An argument to a printf-style call,
    * where the resulting string ends up being used in an XSS sink.
    */
-  class TaintedFormatStringAsSink extends Sink {
+  private class TaintedFormatStringAsSink extends Sink {
     ReflectedXss::Sink s;
 
     TaintedFormatStringAsSink() {
diff --git a/ruby/ql/lib/codeql/ruby/security/UnsafeHtmlConstructionQuery.qll b/ruby/ql/lib/codeql/ruby/security/UnsafeHtmlConstructionQuery.qll
@@ -15,7 +15,7 @@ private import codeql.ruby.dataflow.BarrierGuards
  * A taint-tracking configuration for detecting unsafe HTML construction.
  */
 class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "UnsafeShellCommandConstruction" }
+  Configuration() { this = "UnsafeHtmlConstruction" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
 
diff --git a/ruby/ql/src/queries/security/cwe-079/examples/unsafe-html-construction.rb b/ruby/ql/src/queries/security/cwe-079/examples/unsafe-html-construction.rb
@@ -1,6 +1,6 @@
 class UsersController < ActionController::Base
   # BAD - create a user description, where the name is not escaped
   def create_user_description (name)
-    "<h2>#{name}</h2>".html_safe
+    "<b>#{name}</b>".html_safe
   end
 end
diff --git a/ruby/ql/src/queries/security/cwe-079/examples/unsafe-html-construction_safe.rb b/ruby/ql/src/queries/security/cwe-079/examples/unsafe-html-construction_safe.rb
@@ -1,6 +1,6 @@
 class UsersController < ActionController::Base
   # Good - create a user description, where the name is escaped
   def create_user_description (name)
-    "<h2>#{ERB::Util.html_escape(name)}</h2>".html_safe
+    "<b>#{ERB::Util.html_escape(name)}</b>".html_safe
   end
 end
