Address PR feedback: trim examples, remove duplicate CWE ref, autoformat

Copilot · geoffw0 · Copilot · commit 7b1aa2307fd0 · 2025-08-14T13:15:03.000Z
Co-authored-by: geoffw0 &lt;40627776+geoffw0@users.noreply.github.com&gt;
diff --git a/rust/ql/lib/codeql/rust/security/LogInjectionExtensions.qll b/rust/ql/lib/codeql/rust/security/LogInjectionExtensions.qll
@@ -42,4 +42,4 @@ module LogInjection {
   private class ModelsAsDataSink extends Sink {
     ModelsAsDataSink() { sinkNode(this, "log-injection") }
   }
-}
+}
diff --git a/rust/ql/src/queries/security/CWE-117/LogInjection.qhelp b/rust/ql/src/queries/security/CWE-117/LogInjection.qhelp
@@ -43,6 +43,5 @@ potentially forging a legitimate admin login entry.
 
 <references>
 <li>OWASP: <a href="https://owasp.org/www-community/attacks/Log_Injection">Log Injection</a>.</li>
-<li>CWE-117: <a href="https://cwe.mitre.org/data/definitions/117.html">Improper Output Neutralization for Logs</a>.</li>
 </references>
 </qhelp>
diff --git a/rust/ql/src/queries/security/CWE-117/LogInjection.ql b/rust/ql/src/queries/security/CWE-117/LogInjection.ql
@@ -37,5 +37,5 @@ import LogInjectionFlow::PathGraph
 
 from LogInjectionFlow::PathNode sourceNode, LogInjectionFlow::PathNode sinkNode
 where LogInjectionFlow::flowPath(sourceNode, sinkNode)
-select sinkNode.getNode(), sourceNode, sinkNode, "Log entry depends on a $@.",
-  sourceNode.getNode(), "user-provided value"
+select sinkNode.getNode(), sourceNode, sinkNode, "Log entry depends on a $@.", sourceNode.getNode(),
+  "user-provided value"
diff --git a/rust/ql/src/queries/security/CWE-117/LogInjectionBad.rs b/rust/ql/src/queries/security/CWE-117/LogInjectionBad.rs
@@ -1,5 +1,5 @@
 use std::env;
-use log::{info, error};
+use log::info;
 
 fn main() {
     env_logger::init();
@@ -10,13 +10,4 @@ fn main() {
     
     // BAD: log message constructed with unsanitized user input
     info!("User login attempt: {}", username);
-    
-    // BAD: another example with error logging
-    if username.is_empty() {
-        error!("Login failed for user: {}", username);
-    }
-    
-    // BAD: formatted string with user input
-    let message = format!("Processing request for user: {}", username);
-    info!("{}", message);
 }
diff --git a/rust/ql/src/queries/security/CWE-117/LogInjectionGood.rs b/rust/ql/src/queries/security/CWE-117/LogInjectionGood.rs
@@ -1,5 +1,5 @@
 use std::env;
-use log::{info, error};
+use log::info;
 
 fn sanitize_for_logging(input: &str) -> String {
     // Remove newlines and carriage returns to prevent log injection
@@ -16,13 +16,4 @@ fn main() {
     // GOOD: log message constructed with sanitized user input
     let sanitized_username = sanitize_for_logging(username);
     info!("User login attempt: {}", sanitized_username);
-    
-    // GOOD: another example with error logging
-    if username.is_empty() {
-        error!("Login failed for user: {}", sanitized_username);
-    }
-    
-    // GOOD: formatted string with sanitized user input
-    let message = format!("Processing request for user: {}", sanitized_username);
-    info!("{}", message);
 }

Original file line number	Diff line number	Diff line change
`@@ -42,4 +42,4 @@ module LogInjection {`
`42`	`42`	`private class ModelsAsDataSink extends Sink {`
`43`	`43`	`ModelsAsDataSink() { sinkNode(this, "log-injection") }`
`44`	`44`	`}`
`45`		`-}`
	`45`	`+}`