JS: change "remote request" to "network request"

Esben Sparre Andreasen · Esben Sparre Andreasen · commit 358b6c3413bb · 2018-10-10T15:34:39.000+02:00
diff --git a/change-notes/1.19/analysis-javascript.md b/change-notes/1.19/analysis-javascript.md
@@ -16,7 +16,7 @@
 | **Query**                                     | **Tags**                                             | **Purpose**                                                                                                                                                                 |
 |-----------------------------------------------|------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | Enabling Node.js integration for Electron web content renderers (`js/enabling-electron-renderer-node-integration`) | security, frameworks/electron, external/cwe/cwe-094  | Highlights Electron web content renderer preferences with Node.js integration enabled, indicating a violation of [CWE-94](https://cwe.mitre.org/data/definitions/94.html). Results are not shown on LGTM by default. |
-| File data in outbound remote request | security, external/cwe/cwe-200 | Highlights locations where file data is sent in a remote request. Results are not shown on LGTM by default. |
+| File data in outbound network request | security, external/cwe/cwe-200 | Highlights locations where file data is sent in a network request. Results are not shown on LGTM by default. |
 | Host header poisoning in email generation |  security, external/cwe/cwe-640 | Highlights code that generates emails with links that can be hijacked by HTTP host header poisoning, indicating a violation of [CWE-640](https://cwe.mitre.org/data/definitions/640.html). Results shown on LGTM by default.  |
 | Replacement of a substring with itself (`js/identity-replacement`) | correctness, security, external/cwe/cwe-116 | Highlights string replacements that replace a string with itself, which usually indicates a mistake. Results shown on LGTM by default. |
 | Stored cross-site scripting (`js/stored-xss`) | security, external/cwe/cwe-079, external/cwe/cwe-116 | Highlights uncontrolled stored values flowing into HTML content, indicating a violation of [CWE-079](https://cwe.mitre.org/data/definitions/79.html). Results shown on LGTM by default. |
diff --git a/javascript/ql/src/Security/CWE-200/FileAccessToHttp.ql b/javascript/ql/src/Security/CWE-200/FileAccessToHttp.ql
@@ -1,6 +1,6 @@
 /**
- * @name File data in outbound remote request
- * @description Directly sending file data in an outbound remote request can indicate unauthorized information disclosure.
+ * @name File data in outbound network request
+ * @description Directly sending file data in an outbound network request can indicate unauthorized information disclosure.
  * @kind problem
  * @problem.severity warning
  * @id js/file-access-to-http
@@ -13,4 +13,4 @@ import semmle.javascript.security.dataflow.FileAccessToHttp
 
 from FileAccessToHttp::Configuration config, DataFlow::Node src, DataFlow::Node sink
 where config.hasFlow (src, sink)
-select sink, "$@ flows directly to outbound remote request", src, "File data"
+select sink, "$@ flows directly to outbound network request", src, "File data"
diff --git a/javascript/ql/src/Security/CWE-918/RequestForgery.qhelp b/javascript/ql/src/Security/CWE-918/RequestForgery.qhelp
@@ -25,8 +25,8 @@
 		<p>
 
 			To guard against request forgery, it is advisable to avoid
-			putting user input directly into a remote request. If a flexible
-			remote request mechanism is required, it is recommended to maintain a
+			putting user input directly into a network request. If a flexible
+			network request mechanism is required, it is recommended to maintain a
 			list of authorized request targets and choose from that list based on
 			the user input provided.
 
diff --git a/javascript/ql/src/Security/CWE-918/RequestForgery.ql b/javascript/ql/src/Security/CWE-918/RequestForgery.ql
@@ -1,6 +1,6 @@
 /**
- * @name Uncontrolled data used in remote request
- * @description Sending remote requests with user-controlled data allows for request forgery attacks.
+ * @name Uncontrolled data used in network request
+ * @description Sending network requests with user-controlled data allows for request forgery attacks.
  * @kind problem
  * @problem.severity error
  * @precision medium
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/FileAccessToHttp.qll b/javascript/ql/src/semmle/javascript/security/dataflow/FileAccessToHttp.qll
@@ -1,28 +1,28 @@
 /**
- * Provides a taint tracking configuration for reasoning about file data in outbound remote requests.
+ * Provides a taint tracking configuration for reasoning about file data in outbound network requests.
  */
 import javascript
 import semmle.javascript.security.dataflow.RemoteFlowSources
 
 module FileAccessToHttp {
 
   /**
-   * A data flow source for file data in outbound remote requests.
+   * A data flow source for file data in outbound network requests.
    */
   abstract class Source extends DataFlow::Node { }
 
   /**
-   * A data flow sink for file data in outbound remote requests.
+   * A data flow sink for file data in outbound network requests.
    */
   abstract class Sink extends DataFlow::Node { }
 
   /**
-   * A sanitizer for file data in outbound remote requests.
+   * A sanitizer for file data in outbound network requests.
    */
   abstract class Sanitizer extends DataFlow::Node { }
 
   /**
-   * A taint tracking configuration for file data in outbound remote requests.
+   * A taint tracking configuration for file data in outbound network requests.
    */
   class Configuration extends TaintTracking::Configuration {
     Configuration() {
@@ -52,7 +52,7 @@ module FileAccessToHttp {
   }
 
   /**
-   * A file access parameter, considered as a flow source for file data in outbound remote requests.
+   * A file access parameter, considered as a flow source for file data in outbound network requests.
    */
   private class FileAccessArgumentAsSource extends Source {
     FileAccessArgumentAsSource() {  
@@ -63,7 +63,7 @@ module FileAccessToHttp {
   }
 
   /**
-   * The URL or data of a client request, considered as a flow source for file data in outbound remote requests.
+   * The URL or data of a client request, considered as a flow source for file data in outbound network requests.
    */
   private class ClientRequestUrlOrDataAsSink extends Sink {
     ClientRequestUrlOrDataAsSink () {
diff --git a/javascript/ql/test/query-tests/Security/CWE-200/FileAccessToHttp.expected b/javascript/ql/test/query-tests/Security/CWE-200/FileAccessToHttp.expected
@@ -1,8 +1,8 @@
-| bufferRead.js:33:21:33:28 | postData | $@ flows directly to outbound remote request | bufferRead.js:12:22:12:43 | new Buf ... s.size) | File data |
-| googlecompiler.js:38:18:38:26 | post_data | $@ flows directly to outbound remote request | googlecompiler.js:44:54:44:57 | data | File data |
-| readFileSync.js:26:18:26:18 | s | $@ flows directly to outbound remote request | readFileSync.js:5:12:5:39 | fs.read ... t.txt") | File data |
-| readStreamRead.js:30:19:30:23 | chunk | $@ flows directly to outbound remote request | readStreamRead.js:13:21:13:35 | readable.read() | File data |
-| request.js:8:11:8:20 | {jsonData} | $@ flows directly to outbound remote request | request.js:28:52:28:55 | data | File data |
-| request.js:16:11:23:3 | {\\n    u ... ody\\n  } | $@ flows directly to outbound remote request | request.js:43:51:43:54 | data | File data |
-| sentAsHeaders.js:14:20:19:9 | {\\n      ...       } | $@ flows directly to outbound remote request | sentAsHeaders.js:10:79:10:84 | buffer | File data |
-| sentAsHeaders.js:20:20:25:9 | {\\n      ...       } | $@ flows directly to outbound remote request | sentAsHeaders.js:10:79:10:84 | buffer | File data |
+| bufferRead.js:33:21:33:28 | postData | $@ flows directly to outbound network request | bufferRead.js:12:22:12:43 | new Buf ... s.size) | File data |
+| googlecompiler.js:38:18:38:26 | post_data | $@ flows directly to outbound network request | googlecompiler.js:44:54:44:57 | data | File data |
+| readFileSync.js:26:18:26:18 | s | $@ flows directly to outbound network request | readFileSync.js:5:12:5:39 | fs.read ... t.txt") | File data |
+| readStreamRead.js:30:19:30:23 | chunk | $@ flows directly to outbound network request | readStreamRead.js:13:21:13:35 | readable.read() | File data |
+| request.js:8:11:8:20 | {jsonData} | $@ flows directly to outbound network request | request.js:28:52:28:55 | data | File data |
+| request.js:16:11:23:3 | {\\n    u ... ody\\n  } | $@ flows directly to outbound network request | request.js:43:51:43:54 | data | File data |
+| sentAsHeaders.js:14:20:19:9 | {\\n      ...       } | $@ flows directly to outbound network request | sentAsHeaders.js:10:79:10:84 | buffer | File data |
+| sentAsHeaders.js:20:20:25:9 | {\\n      ...       } | $@ flows directly to outbound network request | sentAsHeaders.js:10:79:10:84 | buffer | File data |
