Update file-access-before-action-c rule file

ESS-ENN · ESS-ENN · commit 2e0768fc40d6 · 2025-03-31T15:45:11.000+05:30
diff --git a/rules/c/security/file-access-before-action-c.yml b/rules/c/security/file-access-before-action-c.yml
@@ -25,15 +25,10 @@ utils:
             inside:
               stopBy: end
               kind: parenthesized_expression
-              nthChild: 1
-              inside:
-                stopBy: end
-                kind: if_statement
           inside:
             stopBy: end
             kind: compound_statement
             inside:
-              stopBy: end
               kind: if_statement
               has:
                 kind: parenthesized_expression
@@ -119,14 +114,10 @@ utils:
             inside:
               stopBy: end
               kind: parenthesized_expression
-              inside:
-                stopBy: end
-                kind: if_statement
           inside:
             stopBy: end
             kind: compound_statement
             inside:
-              stopBy: end
               kind: if_statement
               has:
                 kind: parenthesized_expression
diff --git a/tests/__snapshots__/file-access-before-action-c-snapshot.yml b/tests/__snapshots__/file-access-before-action-c-snapshot.yml
@@ -109,7 +109,6 @@ snapshots:
       const char *original_key = "path/to/file/filename";
 
       if (access(original_key, W_OK) == 0){
-          // ruleid: file-access-before-action
           File *fp = fopen(original_key, "wb");
       }
     }
diff --git a/tests/__snapshots__/file-stat-before-action-cpp-snapshot.yml b/tests/__snapshots__/file-stat-before-action-cpp-snapshot.yml
@@ -3,7 +3,6 @@ snapshots:
   ? |
     if (stat(file.c_str(), &buf) == 0){
       // Open the file for reading
-      // ruleid: file-stat-before-action
       fp = fopen(file.c_str(), "r");
       if (fp == NULL)
       {
@@ -39,16 +38,16 @@ snapshots:
   : labels:
     - source: fopen
       style: primary
-      start: 111
-      end: 116
+      start: 74
+      end: 79
     - source: file.c_str()
       style: secondary
-      start: 117
-      end: 129
+      start: 80
+      end: 92
     - source: (file.c_str(), "r")
       style: secondary
-      start: 116
-      end: 135
+      start: 79
+      end: 98
     - source: stat
       style: secondary
       start: 4
@@ -84,7 +83,6 @@ snapshots:
     - source: |-
         if (stat(file.c_str(), &buf) == 0){
           // Open the file for reading
-          // ruleid: file-stat-before-action
           fp = fopen(file.c_str(), "r");
           if (fp == NULL)
           {
@@ -119,11 +117,10 @@ snapshots:
         }
       style: secondary
       start: 0
-      end: 830
+      end: 793
     - source: |-
         {
           // Open the file for reading
-          // ruleid: file-stat-before-action
           fp = fopen(file.c_str(), "r");
           if (fp == NULL)
           {
@@ -158,8 +155,8 @@ snapshots:
         }
       style: secondary
       start: 34
-      end: 830
+      end: 793
     - source: fopen(file.c_str(), "r")
       style: secondary
-      start: 111
-      end: 135
+      start: 74
+      end: 98
diff --git a/tests/__snapshots__/jwt-simple-noverify-javascript-snapshot.yml b/tests/__snapshots__/jwt-simple-noverify-javascript-snapshot.yml
@@ -1,11 +1,11 @@
 id: jwt-simple-noverify-javascript
 snapshots:
-  ? "const jwt = require('jwt-simple'); \n\napp.get('/protectedRoute1', (req, res) => {\n  const token = req.headers.authorization;\n\n  if (!token) {\n    return res.status(401).json({ error: 'Unauthorized. Token missing.' });\n  }\n\n  try {\n    // ruleid: jwt-simple-noverify  \n    const decoded = jwt.decode(token, secretKey, 'HS256', 12);\n    res.json({ message: `Hello ${decoded.username}` });\n  } catch (error) {\n    res.status(401).json({ error: 'Unauthorized. Invalid token.' });\n  }\n});\n"
+  ? "const jwt = require('jwt-simple'); \n\napp.get('/protectedRoute1', (req, res) => {\n  const token = req.headers.authorization;\n\n  if (!token) {\n    return res.status(401).json({ error: 'Unauthorized. Token missing.' });\n  }\n\n  try {\n    const decoded = jwt.decode(token, secretKey, 'HS256', 12);\n    res.json({ message: `Hello ${decoded.username}` });\n  } catch (error) {\n    res.status(401).json({ error: 'Unauthorized. Invalid token.' });\n  }\n});\n"
   : labels:
     - source: jwt.decode(token, secretKey, 'HS256', 12)
       style: primary
-      start: 287
-      end: 328
+      start: 250
+      end: 291
     - source: jwt
       style: secondary
       start: 6
@@ -22,12 +22,12 @@ snapshots:
       style: secondary
       start: 0
       end: 34
-  ? "const jwt = require('jwt-simple');  \n\napp.get('/protectedRoute2', (req, res) => {\n  const token = req.headers.authorization;\n\n  if (!token) {\n    return res.status(401).json({ error: 'Unauthorized. Token missing.' });\n  }\n\n  try {\n    // ruleid: jwt-simple-noverify   \n    const decoded = jwt.decode(token, secretKey, true);\n    res.json({ message: `Hello ${decoded.username}` });\n  } catch (error) {\n    res.status(401).json({ error: 'Unauthorized. Invalid token.' });\n  }\n});\n"
+  ? "const jwt = require('jwt-simple');  \n\napp.get('/protectedRoute2', (req, res) => {\n  const token = req.headers.authorization;\n\n  if (!token) {\n    return res.status(401).json({ error: 'Unauthorized. Token missing.' });\n  }\n\n  try {\n    const decoded = jwt.decode(token, secretKey, true);\n    res.json({ message: `Hello ${decoded.username}` });\n  } catch (error) {\n    res.status(401).json({ error: 'Unauthorized. Invalid token.' });\n  }\n});\n"
   : labels:
     - source: jwt.decode(token, secretKey, true)
       style: primary
-      start: 289
-      end: 323
+      start: 251
+      end: 285
     - source: jwt
       style: secondary
       start: 6
@@ -44,12 +44,12 @@ snapshots:
       style: secondary
       start: 0
       end: 34
-  ? "const jwt = require('jwt-simple');  \n\napp.get('/protectedRoute3', (req, res) => {\n  const token = req.headers.authorization;\n\n  if (!token) {\n    return res.status(401).json({ error: 'Unauthorized. Token missing.' });\n  }\n\n  try {\n    // ruleid: jwt-simple-noverify    \n    const decoded = jwt.decode(token, secretKey, 'false');\n    res.json({ message: `Hello ${decoded.username}` });\n  } catch (error) {\n    res.status(401).json({ error: 'Unauthorized. Invalid token.' });\n  }\n});\n"
+  ? "const jwt = require('jwt-simple');  \n\napp.get('/protectedRoute3', (req, res) => {\n  const token = req.headers.authorization;\n\n  if (!token) {\n    return res.status(401).json({ error: 'Unauthorized. Token missing.' });\n  }\n\n  try {\n    const decoded = jwt.decode(token, secretKey, 'false');\n    res.json({ message: `Hello ${decoded.username}` });\n  } catch (error) {\n    res.status(401).json({ error: 'Unauthorized. Invalid token.' });\n  }\n});\n"
   : labels:
     - source: jwt.decode(token, secretKey, 'false')
       style: primary
-      start: 290
-      end: 327
+      start: 251
+      end: 288
     - source: jwt
       style: secondary
       start: 6
diff --git a/tests/__snapshots__/jwt-simple-noverify-typescript-snapshot.yml b/tests/__snapshots__/jwt-simple-noverify-typescript-snapshot.yml
@@ -1,11 +1,11 @@
 id: jwt-simple-noverify-typescript
 snapshots:
-  ? "const jwt = require('jwt-simple'); \n\napp.get('/protectedRoute1', (req, res) => {\n  const token = req.headers.authorization;\n\n  if (!token) {\n    return res.status(401).json({ error: 'Unauthorized. Token missing.' });\n  }\n\n  try {\n    // ruleid: jwt-simple-noverify  \n    const decoded = jwt.decode(token, secretKey, 'HS256', 12);\n    res.json({ message: `Hello ${decoded.username}` });\n  } catch (error) {\n    res.status(401).json({ error: 'Unauthorized. Invalid token.' });\n  }\n});\n"
+  ? "const jwt = require('jwt-simple'); \n\napp.get('/protectedRoute1', (req, res) => {\n  const token = req.headers.authorization;\n\n  if (!token) {\n    return res.status(401).json({ error: 'Unauthorized. Token missing.' });\n  }\n\n  try {\n    const decoded = jwt.decode(token, secretKey, 'HS256', 12);\n    res.json({ message: `Hello ${decoded.username}` });\n  } catch (error) {\n    res.status(401).json({ error: 'Unauthorized. Invalid token.' });\n  }\n});\n"
   : labels:
     - source: jwt.decode(token, secretKey, 'HS256', 12)
       style: primary
-      start: 287
-      end: 328
+      start: 250
+      end: 291
     - source: jwt
       style: secondary
       start: 6
@@ -42,12 +42,12 @@ snapshots:
       style: secondary
       start: 0
       end: 34
-  ? "const jwt = require('jwt-simple');  \n\napp.get('/protectedRoute2', (req, res) => {\n  const token = req.headers.authorization;\n\n  if (!token) {\n    return res.status(401).json({ error: 'Unauthorized. Token missing.' });\n  }\n\n  try {\n    // ruleid: jwt-simple-noverify   \n    const decoded = jwt.decode(token, secretKey, true);\n    res.json({ message: `Hello ${decoded.username}` });\n  } catch (error) {\n    res.status(401).json({ error: 'Unauthorized. Invalid token.' });\n  }\n});\n"
+  ? "const jwt = require('jwt-simple');  \n\napp.get('/protectedRoute2', (req, res) => {\n  const token = req.headers.authorization;\n\n  if (!token) {\n    return res.status(401).json({ error: 'Unauthorized. Token missing.' });\n  }\n\n  try {\n    const decoded = jwt.decode(token, secretKey, true);\n    res.json({ message: `Hello ${decoded.username}` });\n  } catch (error) {\n    res.status(401).json({ error: 'Unauthorized. Invalid token.' });\n  }\n});\n"
   : labels:
     - source: jwt.decode(token, secretKey, true)
       style: primary
-      start: 289
-      end: 323
+      start: 251
+      end: 285
     - source: jwt
       style: secondary
       start: 6
@@ -84,12 +84,12 @@ snapshots:
       style: secondary
       start: 0
       end: 34
-  ? "const jwt = require('jwt-simple');  \n\napp.get('/protectedRoute3', (req, res) => {\n  const token = req.headers.authorization;\n\n  if (!token) {\n    return res.status(401).json({ error: 'Unauthorized. Token missing.' });\n  }\n\n  try {\n    // ruleid: jwt-simple-noverify    \n    const decoded = jwt.decode(token, secretKey, 'false');\n    res.json({ message: `Hello ${decoded.username}` });\n  } catch (error) {\n    res.status(401).json({ error: 'Unauthorized. Invalid token.' });\n  }\n});\n"
+  ? "const jwt = require('jwt-simple');  \n\napp.get('/protectedRoute3', (req, res) => {\n  const token = req.headers.authorization;\n\n  if (!token) {\n    return res.status(401).json({ error: 'Unauthorized. Token missing.' });\n  }\n\n  try {\n    const decoded = jwt.decode(token, secretKey, 'false');\n    res.json({ message: `Hello ${decoded.username}` });\n  } catch (error) {\n    res.status(401).json({ error: 'Unauthorized. Invalid token.' });\n  }\n});\n"
   : labels:
     - source: jwt.decode(token, secretKey, 'false')
       style: primary
-      start: 290
-      end: 327
+      start: 251
+      end: 288
     - source: jwt
       style: secondary
       start: 6
diff --git a/tests/__snapshots__/ssl-v3-is-insecure-go-snapshot.yml b/tests/__snapshots__/ssl-v3-is-insecure-go-snapshot.yml
@@ -3,7 +3,6 @@ snapshots:
   ? |
     client := &http.Client{
      Transport: &http.Transport{
-       // ruleid: ssl-v3-is-insecure
        TLSClientConfig: &tls.Config{
          KeyLogWriter:       w,
          MinVersion:         tls.VersionSSL30,
@@ -21,36 +20,36 @@ snapshots:
              InsecureSkipVerify: true,         // test server certificate is not trusted.
            }
       style: primary
-      start: 107
-      end: 358
+      start: 74
+      end: 325
     - source: tls.Config
       style: secondary
-      start: 107
-      end: 117
+      start: 74
+      end: 84
     - source: MinVersion
       style: secondary
-      start: 152
-      end: 162
+      start: 119
+      end: 129
     - source: tls
       style: secondary
-      start: 172
-      end: 175
+      start: 139
+      end: 142
     - source: VersionSSL30
       style: secondary
-      start: 176
-      end: 188
+      start: 143
+      end: 155
     - source: tls.VersionSSL30
       style: secondary
-      start: 172
-      end: 188
+      start: 139
+      end: 155
     - source: tls.VersionSSL30
       style: secondary
-      start: 172
-      end: 188
+      start: 139
+      end: 155
     - source: 'MinVersion:         tls.VersionSSL30'
       style: secondary
-      start: 152
-      end: 188
+      start: 119
+      end: 155
     - source: |-
         {
              KeyLogWriter:       w,
@@ -59,5 +58,5 @@ snapshots:
              InsecureSkipVerify: true,         // test server certificate is not trusted.
            }
       style: secondary
-      start: 117
-      end: 358
+      start: 84
+      end: 325
diff --git a/tests/__snapshots__/std-vector-invalidation-cpp-snapshot.yml b/tests/__snapshots__/std-vector-invalidation-cpp-snapshot.yml
@@ -1,11 +1,11 @@
 id: std-vector-invalidation-cpp
 snapshots:
-  ? "void loop_variant_5(std::vector<int> &vec) {\n  for(std::vector<int>::iterator it = vec.begin(); it != vec.end(); ++it) {\n    if (should_erase(*it)) {\n      // ruleid: std-vector-invalidation\n      vec.erase(it);\n    }\n  }\n}\nvoid loop_variant_6(std::vector<int> &vec) {\n  for(std::vector<int>::iterator it = vec.begin(); it != vec.end(); it++) {\n    if (should_erase(*it)) {\n      // ruleid: std-vector-invalidation\n      vec.erase(it);\n    }\n  }\n}\nvoid loop_variant_7(std::vector<int> &vec) {\n  for(std::vector<int>::iterator it = vec.rbegin(); it != vec.rend(); ++it) {\n    if (should_erase(*it)) {\n      // ruleid: std-vector-invalidation\n      vec.erase(it);\n    }\n  }\n}\nvoid loop_variant_8(std::vector<int> &vec) {\n  for(std::vector<int>::iterator it = vec.rbegin(); it != vec.rend(); it++) {\n    if (should_erase(*it)) {\n      // ruleid: std-vector-invalidation\n      vec.erase(it);\n    }\n  }\n}\nvoid loop_variant_9(std::vector<int> &vec) {\n  for(std::vector<int>::iterator it = vec.begin(), end = vec.end(); it != end; ++it) {\n    if (should_erase(*it)) {\n      // ruleid: std-vector-invalidation\n      vec.erase(it);\n    }\n  }\n}\nvoid loop_variant_10(std::vector<int> &vec) {\n  for(std::vector<int>::iterator it = vec.begin(), end = vec.end(); it != end; it++) {\n    if (should_erase(*it)) {\n      // ruleid: std-vector-invalidation\n      vec.erase(it);\n    }\n  }\n}\nvoid loop_variant_11(std::vector<int> &vec) {\n  for(std::vector<int>::iterator it = vec.rbegin(), end = vec.rend(); it != end; ++it) {\n    if (should_erase(*it)) {\n      // ruleid: std-vector-invalidation\n      vec.erase(it);\n    }\n  }\n}\nvoid loop_variant_12(std::vector<int> &vec) {\n  for(std::vector<int>::iterator it = vec.rbegin(), end = vec.rend(); it != end; it++) {\n    if (should_erase(*it)) {\n      // ruleid: std-vector-invalidation\n      vec.erase(it);\n    }\n  }\n}  \nvoid f(std::vector<int> &vec, std::vector<int> &other_vec) {\n  for(std::vector<int>::iterator it = vec.begin(); it != vec.end(); it++) {\n    if (foo()) {\n      // ruleid: std-vector-invalidation\n      vec.push_back(0);\n\n      // Modifying a different container is OK\n      // ok: std-vector-invalidation\n      other_vec.push_back(0);\n    }\n  }\n}\n"
+  ? "void loop_variant_5(std::vector<int> &vec) {\n  for(std::vector<int>::iterator it = vec.begin(); it != vec.end(); ++it) {\n    if (should_erase(*it)) {\n      vec.erase(it);\n    }\n  }\n}\nvoid loop_variant_6(std::vector<int> &vec) {\n  for(std::vector<int>::iterator it = vec.begin(); it != vec.end(); it++) {\n    if (should_erase(*it)) {\n      vec.erase(it);\n    }\n  }\n}\nvoid loop_variant_7(std::vector<int> &vec) {\n  for(std::vector<int>::iterator it = vec.rbegin(); it != vec.rend(); ++it) {\n    if (should_erase(*it)) {\n      vec.erase(it);\n    }\n  }\n}\nvoid loop_variant_8(std::vector<int> &vec) {\n  for(std::vector<int>::iterator it = vec.rbegin(); it != vec.rend(); it++) {\n    if (should_erase(*it)) {\n      vec.erase(it);\n    }\n  }\n}\nvoid loop_variant_9(std::vector<int> &vec) {\n  for(std::vector<int>::iterator it = vec.begin(), end = vec.end(); it != end; ++it) {\n    if (should_erase(*it)) {\n      vec.erase(it);\n    }\n  }\n}\nvoid loop_variant_10(std::vector<int> &vec) {\n  for(std::vector<int>::iterator it = vec.begin(), end = vec.end(); it != end; it++) {\n    if (should_erase(*it)) {\n      vec.erase(it);\n    }\n  }\n}\nvoid loop_variant_11(std::vector<int> &vec) {\n  for(std::vector<int>::iterator it = vec.rbegin(), end = vec.rend(); it != end; ++it) {\n    if (should_erase(*it)) {\n      vec.erase(it);\n    }\n  }\n}\nvoid loop_variant_12(std::vector<int> &vec) {\n  for(std::vector<int>::iterator it = vec.rbegin(), end = vec.rend(); it != end; it++) {\n    if (should_erase(*it)) {\n      vec.erase(it);\n    }\n  }\n}  \nvoid f(std::vector<int> &vec, std::vector<int> &other_vec) {\n  for(std::vector<int>::iterator it = vec.begin(); it != vec.end(); it++) {\n    if (foo()) {\n      vec.push_back(0);\n      // Modifying a different container is OK\n      other_vec.push_back(0);\n    }\n  }\n}\n"
   : labels:
     - source: vec.erase(it)
       style: primary
-      start: 197
-      end: 210
+      start: 156
+      end: 169
     - source: std::vector<int>::iterator it = vec.begin();
       style: secondary
       start: 51
@@ -21,10 +21,9 @@ snapshots:
     - source: |-
         for(std::vector<int>::iterator it = vec.begin(); it != vec.end(); ++it) {
             if (should_erase(*it)) {
-              // ruleid: std-vector-invalidation
               vec.erase(it);
             }
           }
       style: secondary
       start: 47
-      end: 221
+      end: 180
diff --git a/tests/cpp/file-stat-before-action-cpp-test.yml b/tests/cpp/file-stat-before-action-cpp-test.yml
@@ -6,7 +6,6 @@ invalid:
   - |
     if (stat(file.c_str(), &buf) == 0){
       // Open the file for reading
-      // ruleid: file-stat-before-action
       fp = fopen(file.c_str(), "r");
       if (fp == NULL)
       {
diff --git a/tests/cpp/return-c-str-cpp-test.yml b/tests/cpp/return-c-str-cpp-test.yml
@@ -2,7 +2,6 @@ id: return-c-str-cpp
 valid:
   - |
     std::string return_directly() {
-      // ok: return-c-str
       return std::string("foo");
     }
 invalid:
diff --git a/tests/cpp/std-vector-invalidation-cpp-test.yml b/tests/cpp/std-vector-invalidation-cpp-test.yml
diff --git a/tests/go/ssl-v3-is-insecure-go-test.yml b/tests/go/ssl-v3-is-insecure-go-test.yml
diff --git a/tests/javascript/jwt-simple-noverify-javascript-test.yml b/tests/javascript/jwt-simple-noverify-javascript-test.yml
diff --git a/tests/typescript/jwt-simple-noverify-typecript-test.yml b/tests/typescript/jwt-simple-noverify-typecript-test.yml

Original file line number	Diff line number	Diff line change
`@@ -109,7 +109,6 @@ snapshots:`
`109`	`109`	`const char *original_key = "path/to/file/filename";`
`110`	`110`
`111`	`111`	`if (access(original_key, W_OK) == 0){`
`112`		`- // ruleid: file-access-before-action`
`113`	`112`	`File *fp = fopen(original_key, "wb");`
`114`	`113`	`}`
`115`	`114`	`}`
Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,6 @@ invalid:`
`6`	`6`	`- \|`
`7`	`7`	`if (stat(file.c_str(), &buf) == 0){`
`8`	`8`	`// Open the file for reading`
`9`		`- // ruleid: file-stat-before-action`
`10`	`9`	`fp = fopen(file.c_str(), "r");`
`11`	`10`	`if (fp == NULL)`
`12`	`11`	`{`
Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,6 @@ id: return-c-str-cpp`
`2`	`2`	`valid:`
`3`	`3`	`- \|`
`4`	`4`	`std::string return_directly() {`
`5`		`- // ok: return-c-str`
`6`	`5`	`return std::string("foo");`
`7`	`6`	`}`
`8`	`7`	`invalid:`