StackTraceExposureQuery documentation

egregius313 · egregius313 · commit 83937b90899a · 2023-04-06T16:23:00.000-04:00
diff --git a/java/ql/lib/semmle/code/java/security/StackTraceExposureQuery.qll b/java/ql/lib/semmle/code/java/security/StackTraceExposureQuery.qll
@@ -75,7 +75,7 @@ private module StackTraceStringToHttpResponseSinkFlow =
   TaintTracking::Global<StackTraceStringToHttpResponseSinkFlowConfig>;
 
 /**
- * A write of stack trace data to an external stream.
+ * Holds if `call` writes the data of `stackTrace` to an external stream.
  */
 predicate printsStackExternally(MethodAccess call, Expr stackTrace) {
   printsStackToWriter(call) and
@@ -84,7 +84,7 @@ predicate printsStackExternally(MethodAccess call, Expr stackTrace) {
 }
 
 /**
- * A stringified stack trace flows to an external sink.
+ * Holds if `stackTrace` is a stringified stack trace which flows to an external sink.
  */
 predicate stringifiedStackFlowsExternally(DataFlow::Node externalExpr, Expr stackTrace) {
   exists(MethodAccess stackTraceString |
@@ -113,7 +113,7 @@ private module GetMessageFlowSourceToHttpResponseSinkFlow =
   TaintTracking::Global<GetMessageFlowSourceToHttpResponseSinkFlowConfig>;
 
 /**
- * A call to `getMessage()` that then flows to a servlet response.
+ * Holds if there is a call to `getMessage()` that then flows to a servlet response.
  */
 predicate getMessageFlowsExternally(DataFlow::Node externalExpr, GetMessageFlowSource getMessage) {
   GetMessageFlowSourceToHttpResponseSinkFlow::flow(getMessage, externalExpr)
