Apply suggestions from code review

Alvaro Muñoz · jorgectf · Alvaro Muñoz · commit f251783c26bb · 2024-03-14T21:52:22.000+01:00
Co-authored-by: Jorge &lt;46056498+jorgectf@users.noreply.github.com&gt;
diff --git a/ql/src/Security/CWE-078/CommandInjection.ql b/ql/src/Security/CWE-078/CommandInjection.ql
@@ -34,5 +34,5 @@ import MyFlow::PathGraph
 from MyFlow::PathNode source, MyFlow::PathNode sink
 where MyFlow::flowPath(source, sink)
 select sink.getNode(), source, sink,
-  "Potential expression injection in $@, which may be controlled by an external user.", sink,
+  "Potential command injection in $@, which may be controlled by an external user.", sink,
   sink.getNode().asExpr().(Expression).getRawExpression()
diff --git a/ql/src/Security/CWE-078/CriticalCommandInjection.ql b/ql/src/Security/CWE-078/CriticalCommandInjection.ql
@@ -6,7 +6,7 @@
  * @problem.severity error
  * @security-severity 9
  * @precision high
- * @id actions/command-injection
+ * @id actions/critical-command-injection
  * @tags actions
  *       security
  *       external/cwe/cwe-078
@@ -40,5 +40,5 @@ where
     w.hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent())
   )
 select sink.getNode(), source, sink,
-  "Potential expression injection in $@, which may be controlled by an external user.", sink,
+  "Potential critical command injection in $@, which may be controlled by an external user.", sink,
   sink.getNode().asExpr().(Expression).getRawExpression()
diff --git a/ql/src/Security/CWE-094/CodeInjection.ql b/ql/src/Security/CWE-094/CodeInjection.ql
@@ -20,7 +20,7 @@ import codeql.actions.dataflow.FlowSources
 import codeql.actions.dataflow.ExternalFlow
 
 private class CodeInjectionSink extends DataFlow::Node {
-  CodeInjectionSink() { externallyDefinedSink(this, "request-forgery") }
+  CodeInjectionSink() { externallyDefinedSink(this, "code-injection") }
 }
 
 private module MyConfig implements DataFlow::ConfigSig {
@@ -36,5 +36,5 @@ import MyFlow::PathGraph
 from MyFlow::PathNode source, MyFlow::PathNode sink
 where MyFlow::flowPath(source, sink)
 select sink.getNode(), source, sink,
-  "Potential expression injection in $@, which may be controlled by an external user.", sink,
+  "Potential code injection in $@, which may be controlled by an external user.", sink,
   sink.getNode().asExpr().(Expression).getRawExpression()
diff --git a/ql/src/Security/CWE-094/CriticalCodeInjection.ql b/ql/src/Security/CWE-094/CriticalCodeInjection.ql
@@ -6,7 +6,7 @@
  * @problem.severity error
  * @security-severity 9
  * @precision high
- * @id actions/code-injection
+ * @id actions/critical-code-injection
  * @tags actions
  *       security
  *       external/cwe/cwe-094
@@ -20,7 +20,7 @@ import codeql.actions.dataflow.FlowSources
 import codeql.actions.dataflow.ExternalFlow
 
 private class CodeInjectionSink extends DataFlow::Node {
-  CodeInjectionSink() { externallyDefinedSink(this, "request-forgery") }
+  CodeInjectionSink() { externallyDefinedSink(this, "code-injection") }
 }
 
 private module MyConfig implements DataFlow::ConfigSig {
@@ -42,5 +42,5 @@ where
     w.hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent())
   )
 select sink.getNode(), source, sink,
-  "Potential expression injection in $@, which may be controlled by an external user.", sink,
+  "Potential critical code injection in $@, which may be controlled by an external user.", sink,
   sink.getNode().asExpr().(Expression).getRawExpression()
diff --git a/ql/src/Security/CWE-918/RequestForgery.ql b/ql/src/Security/CWE-918/RequestForgery.ql
@@ -33,5 +33,5 @@ import MyFlow::PathGraph
 from MyFlow::PathNode source, MyFlow::PathNode sink
 where MyFlow::flowPath(source, sink)
 select sink.getNode(), source, sink,
-  "Potential expression injection in $@, which may be controlled by an external user.", sink,
+  "Potential request forgery in $@, which may be controlled by an external user.", sink,
   sink.getNode().asExpr().(Expression).getRawExpression()
