JS: address more review comments

Author: Esben Sparre Andreasen

change-notes/1.19/analysis-javascript.md

@@ -16,7 +16,7 @@
 | **Query**                                     | **Tags**                                             | **Purpose**                                                                                                                                                                 |
 |-----------------------------------------------|------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | Enabling Node.js integration for Electron web content renderers (`js/enabling-electron-renderer-node-integration`) | security, frameworks/electron, external/cwe/cwe-094  | Highlights Electron web content renderer preferences with Node.js integration enabled, indicating a violation of [CWE-94](https://cwe.mitre.org/data/definitions/94.html). Results are not shown on LGTM by default. |
-| File data in outbound remote request | security, external/cwe/cwe-200 | Highligts locations where file data is sent in a remote request. Results are not shown on LGTM by default. |
+| File data in outbound remote request | security, external/cwe/cwe-200 | Highlights locations where file data is sent in a remote request. Results are not shown on LGTM by default. |
 | Host header poisoning in email generation |  security, external/cwe/cwe-640 | Highlights code that generates emails with links that can be hijacked by HTTP host header poisoning, indicating a violation of [CWE-640](https://cwe.mitre.org/data/definitions/640.html). Results shown on LGTM by default.  |
 | Replacement of a substring with itself (`js/identity-replacement`) | correctness, security, external/cwe/cwe-116 | Highlights string replacements that replace a string with itself, which usually indicates a mistake. Results shown on LGTM by default. |
 | Stored cross-site scripting (`js/stored-xss`) | security, external/cwe/cwe-079, external/cwe/cwe-116 | Highlights uncontrolled stored values flowing into HTML content, indicating a violation of [CWE-079](https://cwe.mitre.org/data/definitions/79.html). Results shown on LGTM by default. |

javascript/ql/src/Security/CWE-912/HttpToFileAccess.ql

@@ -1,5 +1,5 @@
 /**
- * @name User-controlled data in file
+ * @name User-controlled data written to file
  * @description Writing user-controlled data directly to the file system allows arbitrary file upload and might indicate a backdoor.
  * @kind problem
  * @problem.severity warning

javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll

@@ -10,7 +10,7 @@ import javascript
 /**
  * A call that performs a request to a URL.
  *
- * Example: An HTTP POST request is client request that sends some
+ * Example: An HTTP POST request is a client request that sends some
  * `data` to a `url`, where both the headers and the body of the request
  * contribute to the `data`.
  */

javascript/ql/src/semmle/javascript/frameworks/NodeJSLib.qll

@@ -480,7 +480,7 @@ module NodeJSLib {
   }
 
   /**
-   * A read from the file system.
+   * A write to the file system, using a stream.
    */
   private class FileStreamWrite extends FileSystemWriteAccess, DataFlow::CallNode {
 

javascript/ql/src/semmle/javascript/security/dataflow/HttpToFileAccess.qll

@@ -1,28 +1,28 @@
 /**
- * Provides a taint tracking configuration for reasoning about user-controlled data in files.
+ * Provides a taint tracking configuration for reasoning about writing user-controlled data to files.
  */
 import javascript
 import semmle.javascript.security.dataflow.RemoteFlowSources
 
 module HttpToFileAccess {
 
   /**
-   * A data flow source for user-controlled data in files.
+   * A data flow source for writing user-controlled data to files.
    */
   abstract class Source extends DataFlow::Node { }
 
   /**
-   * A data flow sink for user-controlled data in files.
+   * A data flow sink for writing user-controlled data to files.
    */
   abstract class Sink extends DataFlow::Node { }
 
   /**
-   * A sanitizer for user-controlled data in files.
+   * A sanitizer for writing user-controlled data to files.
    */
   abstract class Sanitizer extends DataFlow::Node { }
 
   /**
-   * A taint tracking configuration for user-controlled data in files.
+   * A taint tracking configuration for writing user-controlled data to files.
    */
   class Configuration extends TaintTracking::Configuration {
     Configuration() {
@@ -43,7 +43,7 @@ module HttpToFileAccess {
     }
   }
 
-  /** A source of remote user input, considered as a flow source for user-controlled data in files. */
+  /** A source of remote user input, considered as a flow source for writing user-controlled data to files. */
   class RemoteFlowSourceAsSource extends Source {
     RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
   }