Re-optimise isSensitive routine

github · Oct 8, 2024 · bc49db4 · bc49db4
1 parent b290565
commit bc49db4
Showing 1 changed file with 2 additions and 6 deletions.
diff --git a/go/ql/src/Security/CWE-798/HardcodedCredentials.ql b/go/ql/src/Security/CWE-798/HardcodedCredentials.ql
@@ -17,18 +17,14 @@ import go
 import semmle.go.security.HardcodedCredentials
 import semmle.go.security.SensitiveActions
 
-bindingset[write]
-pragma[inline_late]
-private predicate isWriteRhs(Write write, DataFlow::Node rhs) { write.getRhs() = rhs }
-
 /**
  * Holds if `sink` is used in a context that suggests it may hold sensitive data of
  * the given `type`.
  */
 predicate isSensitive(DataFlow::Node sink, SensitiveExpr::Classification type) {
   exists(Write write, string name |
-    isWriteRhs(write, sink) and
-    name = write.getLhs().getName() and
+    pragma[only_bind_out](write).getRhs() = sink and
+    name = pragma[only_bind_out](write).getLhs().getName() and
     // allow obvious test password variables
     not name.regexpMatch(HeuristicNames::notSensitive())
   |