JS: add "verify" as an Authorization call word

Esben Sparre Andreasen · Esben Sparre Andreasen · commit c6cfca313155 · 2018-08-06T15:15:44.000+02:00
diff --git a/javascript/ql/src/semmle/javascript/security/SensitiveActions.qll b/javascript/ql/src/semmle/javascript/security/SensitiveActions.qll
@@ -143,7 +143,7 @@ class AuthorizationCall extends SensitiveAction, DataFlow::CallNode {
     exists(string s | s = astNode.getCalleeName() |
       // name contains `login` or `auth`, but not as part of `loginfo` or `unauth`;
       // also exclude `author`
-      s.regexpMatch("(?i).*(login(?!fo)|(?<!un)auth(?!or\\b)).*") and
+      s.regexpMatch("(?i).*(login(?!fo)|(?<!un)auth(?!or\\b)|verify).*") and
       // but it does not start with `get` or `set`
       not s.regexpMatch("(?i)(get|set).*")
     )

Original file line number	Diff line number	Diff line change
`@@ -143,7 +143,7 @@ class AuthorizationCall extends SensitiveAction, DataFlow::CallNode {`
`143`	`143`	`exists(string s \| s = astNode.getCalleeName() \|`
`144`	`144`	// name contains `login` or `auth`, but not as part of `loginfo` or `unauth`;
`145`	`145`	// also exclude `author`
`146`		`- s.regexpMatch("(?i).(login(?!fo)\|(?<!un)auth(?!or\\b)).") and`
	`146`	`+ s.regexpMatch("(?i).(login(?!fo)\|(?<!un)auth(?!or\\b)\|verify).") and`
`147`	`147`	// but it does not start with `get` or `set`
`148`	`148`	`not s.regexpMatch("(?i)(get\|set).*")`
`149`	`149`	`)`