Apply suggestions from code review

yoff · RasmusWL · web-flow · commit ffe79f688d67 · 2020-10-14T14:08:16.000+02:00
Co-authored-by: Rasmus Wriedt Larsen &lt;rasmuswriedtlarsen@gmail.com&gt;
diff --git a/python/ql/src/experimental/semmle/python/Concepts.qll b/python/ql/src/experimental/semmle/python/Concepts.qll
@@ -42,7 +42,7 @@ module SystemCommandExecution {
 /**
  * A data-flow node that decodes data from a binary or textual format. This
  * is intended to include deserialization, unmarshalling, decoding, unpickling,
- * unzipping, decrypting, parsing etc.
+ * decompressing, decrypting, parsing etc.
  *
  * Doing so should normally preserve taint, but it can also be a problem
  * in itself, e.g. if it allows code execution or could result in deinal-of-service.
diff --git a/python/ql/test/experimental/library-tests/frameworks/dill/Decoding.py b/python/ql/test/experimental/library-tests/frameworks/dill/Decoding.py
@@ -1,4 +1,3 @@
 import dill
 
-dill.loads(payload)  # $decodeInput=payload $decodeOutput=Attribute() $decodeFormat=dill $decodeUnsafe=
-dill.loads(payload, encoding='latin1')  # $decodeInput=payload $decodeOutput=Attribute() $decodeFormat=dill $decodeUnsafe=
+dill.loads(payload)  # $decodeInput=payload $decodeOutput=Attribute() $decodeFormat=dill $decodeUnsafe
diff --git a/python/ql/test/experimental/library-tests/frameworks/stdlib/Decoding.py b/python/ql/test/experimental/library-tests/frameworks/stdlib/Decoding.py
@@ -10,6 +10,5 @@
 @app.route("/")
 def hello():
     payload = request.args.get("payload")
-    pickle.loads(payload)  # $decodeInput=payload $decodeOutput=Attribute() $decodeFormat=pickle $decodeUnsafe=
-    pickle.loads(payload, encoding='latin1')  # $decodeInput=payload $decodeOutput=Attribute() $decodeFormat=pickle $decodeUnsafe=
-    marshal.loads(payload)  # $decodeInput=payload $decodeOutput=Attribute() $decodeFormat=pickle $decodeUnsafe=
+    pickle.loads(payload)  # $decodeInput=payload $decodeOutput=Attribute() $decodeFormat=pickle $decodeUnsafe
+    marshal.loads(payload)  # $decodeInput=payload $decodeOutput=Attribute() $decodeFormat=pickle $decodeUnsafe
diff --git a/python/ql/test/experimental/library-tests/frameworks/yaml/Decoding.py b/python/ql/test/experimental/library-tests/frameworks/yaml/Decoding.py
@@ -10,5 +10,5 @@
 @app.route("/")
 def hello():
     payload = request.args.get("payload")
-    yaml.load(payload)  # $decodeInput=payload $decodeOutput=Attribute() $decodeFormat=YAML $decodeUnsafe=
+    yaml.load(payload)  # $decodeInput=payload $decodeOutput=Attribute() $decodeFormat=YAML $decodeUnsafe
     yaml.load(payload, Loader=SafeLoader)  # $decodeInput=payload $decodeOutput=Attribute() $decodeFormat=YAML

Original file line number	Diff line number	Diff line change
`@@ -42,7 +42,7 @@ module SystemCommandExecution {`
`42`	`42`	`/**`
`43`	`43`	`* A data-flow node that decodes data from a binary or textual format. This`
`44`	`44`	`* is intended to include deserialization, unmarshalling, decoding, unpickling,`
`45`		`- * unzipping, decrypting, parsing etc.`
	`45`	`+ * decompressing, decrypting, parsing etc.`
`46`	`46`	`*`
`47`	`47`	`* Doing so should normally preserve taint, but it can also be a problem`
`48`	`48`	`* in itself, e.g. if it allows code execution or could result in deinal-of-service.`