Merge pull request github#10727 from erik-krogh/js-last-msg

JS: fix some more style-guide violations in the alert-messages

Author: erik-krogh

javascript/ql/examples/queries/dataflow/DecodingAfterSanitization/DecodingAfterSanitizationGeneralized.ql

@@ -48,5 +48,5 @@ from DecodingAfterSanitization cfg, PathNode source, PathNode sink, DecodingCall
 where
   cfg.hasFlowPath(source, sink) and
   decoder.getInput() = sink.getNode()
-select sink.getNode(), source, sink,
-  decoder.getKind() + " invalidates the HTML sanitization performed $@.", source.getNode(), "here"
+select sink.getNode(), source, sink, decoder.getKind() + " invalidates .", source.getNode(),
+  "this HTML sanitization performed"

javascript/ql/lib/semmle/javascript/security/dataflow/CodeInjectionCustomizations.qll

@@ -17,9 +17,15 @@ module CodeInjection {
    */
   abstract class Sink extends DataFlow::Node {
     /**
+     * DEPRECATED: Use `getMessagePrefix()` instead.
      * Gets the substitute for `X` in the message `User-provided value flows to X`.
      */
-    string getMessageSuffix() { result = "this location and is interpreted as code" }
+    deprecated string getMessageSuffix() { result = "this location and is interpreted as code" }
+
+    /**
+     * Gets the prefix for the message `X depends on a user-provided value.`.
+     */
+    string getMessagePrefix() { result = "This code execution" }
   }
 
   /**
@@ -125,10 +131,14 @@ module CodeInjection {
       )
     }
 
-    override string getMessageSuffix() {
+    deprecated override string getMessageSuffix() {
       result =
         "this location and is interpreted by " + templateType + ", which may evaluate it as code"
     }
+
+    override string getMessagePrefix() {
+      result = "This " + templateType + " template, which may contain code,"
+    }
   }
 
   /**
@@ -288,9 +298,11 @@ module CodeInjection {
 
   /** A sink for code injection via template injection. */
   abstract private class TemplateSink extends Sink {
-    override string getMessageSuffix() {
+    deprecated override string getMessageSuffix() {
       result = "this location and is interpreted as a template, which may contain code"
     }
+
+    override string getMessagePrefix() { result = "Template, which may contain code," }
   }
 
   /**

javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeCodeConstructionCustomizations.qll

@@ -37,6 +37,11 @@ module UnsafeCodeConstruction {
      * Gets the node where the unsafe code is executed.
      */
     abstract DataFlow::Node getCodeSink();
+
+    /**
+     * Gets the type of sink.
+     */
+    string getSinkType() { result = "code construction" }
   }
 
   /**
@@ -59,5 +64,7 @@ module UnsafeCodeConstruction {
     }
 
     override DataFlow::Node getCodeSink() { result = codeSink }
+
+    override string getSinkType() { result = "string concatenation" }
   }
 }

javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll

@@ -178,7 +178,7 @@ module UnsafeHtmlConstruction {
       )
     }
 
-    override string describe() { result = "Markdown rendering" }
+    override string describe() { result = "markdown rendering" }
   }
 
   /** A test for the value of `typeof x`, restricting the potential types of `x`. */

javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionCustomizations.qll

@@ -97,7 +97,7 @@ module UnsafeShellCommandConstruction {
       )
     }
 
-    override string getSinkType() { result = "String concatenation" }
+    override string getSinkType() { result = "string concatenation" }
 
     override SystemCommandExecution getCommandExecution() { result = sys }
 
@@ -125,7 +125,7 @@ module UnsafeShellCommandConstruction {
       )
     }
 
-    override string getSinkType() { result = "Array element" }
+    override string getSinkType() { result = "array element" }
 
     override SystemCommandExecution getCommandExecution() { result = sys }
 
@@ -148,7 +148,7 @@ module UnsafeShellCommandConstruction {
       )
     }
 
-    override string getSinkType() { result = "Formatted string" }
+    override string getSinkType() { result = "formatted string" }
 
     override SystemCommandExecution getCommandExecution() { result = sys }
 
@@ -195,7 +195,7 @@ module UnsafeShellCommandConstruction {
       )
     }
 
-    override string getSinkType() { result = "Shell argument" }
+    override string getSinkType() { result = "shell argument" }
 
     override SystemCommandExecution getCommandExecution() { result = sys }
 
@@ -217,7 +217,7 @@ module UnsafeShellCommandConstruction {
       )
     }
 
-    override string getSinkType() { result = "Path concatenation" }
+    override string getSinkType() { result = "path concatenation" }
 
     override SystemCommandExecution getCommandExecution() { result = sys }
 

javascript/ql/src/AngularJS/DuplicateDependency.ql

@@ -24,5 +24,5 @@ from AngularJS::InjectableFunction f, DataFlow::Node node, string name
 where
   isRepeatedDependency(f, name, node) and
   not count(f.asFunction().getParameterByName(name)) > 1 // avoid duplicating reports from js/duplicate-parameter-name
-select f.asFunction().getFunction().(FirstLineOf), "This function has a duplicate dependency '$@'.",
+select f.asFunction().getFunction().(FirstLineOf), "This function has a duplicate dependency $@.",
   node, name

javascript/ql/src/AngularJS/InsecureUrlWhitelist.ql

@@ -78,5 +78,5 @@ from ResourceUrlWhitelistEntry entry, DataFlow::MethodCallNode setupCall, string
 where
   entry.isInsecure(explanation) and
   setupCall = entry.getSetupCall()
-select setupCall, "'$@' is not a secure whitelist entry, because " + explanation + ".", entry,
+select setupCall, "$@ is not a secure whitelist entry, because " + explanation + ".", entry,
   entry.toString()

javascript/ql/src/DOM/DuplicateAttributes.ql

@@ -28,4 +28,4 @@ predicate duplicate(DOM::AttributeDefinition earlier, DOM::AttributeDefinition l
 
 from DOM::AttributeDefinition earlier, DOM::AttributeDefinition later
 where duplicate(earlier, later) and not duplicate(_, earlier)
-select earlier, "This attribute is duplicated $@.", later, "here"
+select earlier, "This attribute $@.", later, "is duplicated later"

javascript/ql/src/Declarations/ClobberingVarInit.ql

@@ -25,5 +25,5 @@ where
   exists(Expr e1, Expr e2 | e1 = vd1.getInit() and e2 = vd2.getInit() |
     not v.getAnAccess().getParentExpr*() = e2
   )
-select vd2.(FirstLineOf), "This initialization of " + v.getName() + " overwrites $@.", vd1,
-  "an earlier initialization"
+select vd2.(FirstLineOf), "This initialization of " + v.getName() + " overwrites an $@.", vd1,
+  "earlier initialization"

javascript/ql/src/Declarations/DuplicateVarDecl.ql

@@ -18,4 +18,4 @@ where
   vd1.getBindingPattern().getAVariable() = v and
   vd2.getBindingPattern().getAVariable() = v and
   i < j
-select vd2, "Variable " + v.getName() + " has already been declared $@.", vd1, "here"
+select vd2, "Variable " + v.getName() + " has already $@.", vd1, "been previously declared"