spelling: arbitrary

jsoref · jsoref · commit 6db36616cd75 · 2022-10-11T00:23:35.000-04:00
Signed-off-by: Josh Soref &lt;2119212+jsoref@users.noreply.github.com&gt;
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/SpringViewManipulation.qhelp b/java/ql/src/experimental/Security/CWE/CWE-094/SpringViewManipulation.qhelp
@@ -8,7 +8,7 @@
       including invocation of methods available in the JVM.
     </p>
     <p>
-      An unrestricted view name manipulation vulnerability in Spring Framework could lead to attacker-controlled arbitary SpEL expressions being evaluated using attacker-controlled data, which may in turn allow an attacker to run arbitrary code.
+      An unrestricted view name manipulation vulnerability in Spring Framework could lead to attacker-controlled arbitrary SpEL expressions being evaluated using attacker-controlled data, which may in turn allow an attacker to run arbitrary code.
     </p>
     <p>
       Note: two related variants of this problem are detected by different queries, `java/spring-view-manipulation` and `java/spring-view-manipulation-implicit`. The first detects taint flow problems where the return types is always <code>String</code>. While the latter, `java/spring-view-manipulation-implicit` detects cases where the request mapping method has a non-string return type such as <code>void</code>.
diff --git a/javascript/ql/src/CHANGELOG.md b/javascript/ql/src/CHANGELOG.md
@@ -123,7 +123,7 @@ No user-facing changes.
 
 ### New Queries
 
-* A new query, `js/unsafe-code-construction`, has been added to the query suite, highlighting libraries that may leave clients vulnerable to arbitary code execution.
+* A new query, `js/unsafe-code-construction`, has been added to the query suite, highlighting libraries that may leave clients vulnerable to arbitrary code execution.
   The query is not run by default.
 * A new query `js/file-system-race` has been added. The query detects when there is time between a file being checked and used. The query is not run by default.
 * A new query `js/jwt-missing-verification` has been added. The query detects applications that don't verify JWT tokens.
diff --git a/javascript/ql/src/Security/CWE-079/XssThroughDom.qhelp b/javascript/ql/src/Security/CWE-079/XssThroughDom.qhelp
@@ -33,7 +33,7 @@ selector to determine which element should be manipulated.
 <p>
 However, if an attacker can control the <code>data-target</code> attribute, 
 then the value of <code>target</code> can be used to cause the <code>$</code> function
-to execute arbitary JavaScript. 
+to execute arbitrary JavaScript. 
 </p>
 <p>
 The above vulnerability can be fixed by using <code>$.find</code> instead of <code>$</code>. 
diff --git a/javascript/ql/src/change-notes/released/0.0.10.md b/javascript/ql/src/change-notes/released/0.0.10.md
@@ -2,7 +2,7 @@
 
 ### New Queries
 
-* A new query, `js/unsafe-code-construction`, has been added to the query suite, highlighting libraries that may leave clients vulnerable to arbitary code execution.
+* A new query, `js/unsafe-code-construction`, has been added to the query suite, highlighting libraries that may leave clients vulnerable to arbitrary code execution.
   The query is not run by default.
 * A new query `js/file-system-race` has been added. The query detects when there is time between a file being checked and used. The query is not run by default.
 * A new query `js/jwt-missing-verification` has been added. The query detects applications that don't verify JWT tokens.
diff --git a/ruby/ql/src/queries/security/cwe-502/UnsafeDeserialization.qhelp b/ruby/ql/src/queries/security/cwe-502/UnsafeDeserialization.qhelp
@@ -12,7 +12,7 @@ to execute arbitrary code.
 <recommendation>
 <p>
 Avoid deserialization of untrusted data if possible. If the architecture permits
-it, use serialization formats that cannot represent arbitarary objects. For
+it, use serialization formats that cannot represent arbitrary objects. For
 libraries that support it, such as the Ruby standard library's <code>JSON</code>
 module, ensure that the parser is configured to disable
 deserialization of arbitrary objects.
