document that the WeakFilePermissions access predicate should return at most one value

alexrford · alexrford · commit 0d1c4a12907e · 2021-05-13T13:06:45.000+01:00
diff --git a/ql/src/queries/security/cwe-732/WeakFilePermissions.ql b/ql/src/queries/security/cwe-732/WeakFilePermissions.ql
@@ -40,6 +40,8 @@ bindingset[p]
 string access(int p) {
   p.bitAnd(2) != 0 and result = "writable"
   or
+  // report only the "most permissive" permission, i.e. report the file as
+  // readable only if it is not also writable
   p.bitAnd(2) = 0 and p.bitAnd(4) != 0 and result = "readable"
 }
 

Original file line number	Diff line number	Diff line change
`@@ -40,6 +40,8 @@ bindingset[p]`
`40`	`40`	`string access(int p) {`
`41`	`41`	`p.bitAnd(2) != 0 and result = "writable"`
`42`	`42`	`or`
	`43`	`+ // report only the "most permissive" permission, i.e. report the file as`
	`44`	`+ // readable only if it is not also writable`
`43`	`45`	`p.bitAnd(2) = 0 and p.bitAnd(4) != 0 and result = "readable"`
`44`	`46`	`}`
`45`	`47`