Python fp and docs updtes (#58)

* refactor: Update comments for clarity and add expectations.json files for performance metrics

* feat: Implement FP guard for JS/TS local-collection receivers to suppress missing ownership checks

* feat: Enhance Rust parameter handling to classify local collections and prevent false ownership checks

* refactor: Simplify code formatting for better readability in multiple files

* refactor: Improve UTF-8 sequence length handling and enhance clarity in loop iteration

* feat: Update Java and Python patterns to include new security rules

* refactor: Improve comment clarity and consistency across multiple Rust files

* refactor: Simplify code formatting for improved readability in integration tests and module files

* refactor: Improve comment formatting and enhance clarity in assertions across multiple files
Eli Peter 2026-04-29 19:53:34 -04:00 committed by GitHub
parent 4db0805de6
commit a438886217
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
291 changed files with 9485 additions and 3851 deletions


@ -1,7 +1,7 @@
// Target: authorization happens inside `require_owner`, which
// delegates to `require_group_member` (a configured authorization
// check name). The handler in `cross_file_helper_handler.rs`
// delegates ownership validation to this helper cross-file helper
// delegates ownership validation to this helper, cross-file helper
// lifting should recognise the call as an auth check covering the
// supplied `row`.
struct Db;
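Review bot: The reworded comment `// delegates ownership validation to this helper, cross-file helper` (assuming the comma-bearing line is the new side, as in the other comment edits in this commit) joins two independent clauses with a bare comma, which reads as a comma splice; `// delegates ownership validation to this helper; cross-file helper` or ending the sentence at `helper.` and starting a new one would be clearer. The same pattern recurs in the later hunks at `no early exit, the check has no effect`, `own id, the call is self-referential`, `are authorized, the`, `transitively, B4 lifts` and `validate_target, helper-summary`; one consistent choice of separator across these fixture comments would be preferable. This is wording only and does not affect the fixtures' behaviour.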


@ -2,7 +2,7 @@
// produces a `DatabaseConnection` via SSA `constructor_type` (through
// `peel_identity_suffix`, which strips `.unwrap()` before matching). The
// handler then calls `conn.execute(..)`, a callee name that appears in
// neither `mutation_indicator_names` nor `read_indicator_names` for Rust
// neither `mutation_indicator_names` nor `read_indicator_names` for Rust ,
// name-based classification returns `None`, so the ownership gate
// already cannot flag the call. The type-map refinement should *still*
// leave the call unflagged (the type map produces `DbMutation`, but
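Review bot: The reworded comment line ending in `for Rust ,` has a stray space before the comma (assuming the comma-bearing line is the new side, as in the other comment edits in this commit); it should read `for Rust,`. Since the sentence continues on the next line with `name-based classification returns ...`, a semicolon or `so` in place of the comma would also avoid the comma splice. Comment-only change, no behavioural impact on the fixture.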


@ -16,7 +16,7 @@ pub async fn handle_list_peer_docs(req: Req, ctx: Ctx) -> Result<String, ()> {
let user = auth::require_auth(&req, &ctx).await?;
let doc_ids: Vec<i64> = vec![1, 2, 3];
// Pure in-memory bookkeeping no authorization decision here.
// Pure in-memory bookkeeping, no authorization decision here.
let mut counts: HashMap<i64, usize> = HashMap::new();
let mut seen: HashSet<i64> = HashSet::new();
for doc_id in &doc_ids {


@ -1,5 +1,5 @@
// B4 regression guard: `format_target` does NOT auth-check
// `group_id` it just constructs a string from it. The helper-lift
// `group_id`, it just constructs a string from it. The helper-lift
// pass must not synthesise a covering AuthCheck on the handler's call
// site, so the subsequent `db.exec("INSERT INTO comments …", &[group_id])`
// MUST still flag.
@ -19,7 +19,7 @@ mod auth {
}
fn format_target(group_id: i64, suffix: &str) -> String {
// No auth check here pure formatting.
// No auth check here, pure formatting.
format!("group:{}{}", group_id, suffix)
}


@ -41,7 +41,7 @@ pub async fn handle_delete_doc(req: Req, ctx: Ctx, doc_id: i64) -> Result<String
return json_err("cannot delete another user's doc", 403);
}
// By construction, the row belongs to `user` so any id read from it is authorized.
// By construction, the row belongs to `user`, so any id read from it is authorized.
let group_id = existing.get_i64("group_id");
realtime::publish_to_group(group_id, "doc_deleted");
Ok("ok".into())


@ -31,7 +31,7 @@ pub async fn handle_update_doc(req: Req, ctx: Ctx, doc_id: i64) -> Result<String
);
let owner_id = existing.get_i64("user_id");
// Equality compared but no early exit the check has no effect.
// Equality compared but no early exit, the check has no effect.
if owner_id != user.id {
// missing return
println!("not your doc (but proceeding anyway)");


@ -5,7 +5,7 @@ mod auth { pub async fn require_auth(_r: &super::Req, _c: &super::Ctx) -> Result
// The handler's `get_peer_ids(&db, user.id)` call below must not be
// flagged. `user` is bound from `auth::require_auth(..)` so `user.id`
// is the caller's own id the call is self-referential, not a foreign
// is the caller's own id, the call is self-referential, not a foreign
// scoped id. The library-style helper below is a pass-through so its
// body contains no DB sinks (the internal `user_id` → DB flow is a
// separate pattern covered by helper-summary lifting).


@ -2,7 +2,7 @@
// against an ACL table (`group_members`) with a WHERE clause that pins
// the row to the current user (`gm.user_id = ?1` bound to `user.id`).
// Every returned row is membership-gated by construction, so downstream
// uses of the row's columns (`group_id` here) are authorized the
// uses of the row's columns (`group_id` here) are authorized, the
// `realtime::publish_to_group` call MUST NOT be flagged as missing an
// ownership check after B3.
struct Ctx;


@ -1,7 +1,7 @@
// B3 regression guard: the SELECT JOINs through `audit_log` (NOT in
// the configured ACL list) and the WHERE clause pins on
// `al.user_id = ?1`. The audit-log row's user is the audit subject,
// not the doc owner so this query does NOT prove caller ownership
// not the doc owner, so this query does NOT prove caller ownership
// of the returned `doc_id`. The downstream realtime publish MUST
// still flag for a missing ownership check after B3.
struct Ctx;


@ -1,7 +1,7 @@
// target: authorization happens inside `validate_target`, which
// internally calls `authz::require_membership` against the same
// `group_id` the handler subsequently mutates. The current rule cannot
// see this transitively B4 lifts per-function auth-check summaries
// see this transitively, B4 lifts per-function auth-check summaries
// (which positional params are auth-checked) so the handler-level call
// to `validate_target(&db, group_id, user.id)` is recognised as an
// auth check covering `group_id`. Result: `db.exec(..)` MUST NOT flag
@ -45,7 +45,7 @@ pub async fn handle_create_comment(
let user = auth::require_auth(&req, &ctx).await?;
let db = Db;
// Authorization happens inside validate_target helper-summary
// Authorization happens inside validate_target, helper-summary
// lifting propagates the per-param auth check so this covers
// `group_id`.
validate_target(&db, group_id, user.id).await?;