Merge branch 'main' into rb/sensitive-get-query

Alex Ford
2022-10-09 12:26:44 +01:00
committed by GitHub
248 changed files with 8443 additions and 3162 deletions


@@ -1,3 +1,7 @@
## 0.4.1
No user-facing changes.
## 0.4.0
### Deprecated APIs


@@ -0,0 +1,3 @@
## 0.4.1
No user-facing changes.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.4.0
lastReleaseVersion: 0.4.1


@@ -1,5 +1,5 @@
name: codeql/cpp-all
version: 0.4.1-dev
version: 0.4.2-dev
groups: cpp
dbscheme: semmlecode.cpp.dbscheme
extractor: cpp


@@ -35,4 +35,4 @@ from LocalVariableOrParameter lv, GlobalVariable gv
where
lv.getName() = gv.getName() and
lv.getFile() = gv.getFile()
select lv, lv.type() + gv.getName() + " hides $@ with the same name.", gv, "a global variable"
select lv, lv.type() + gv.getName() + " hides a $@ with the same name.", gv, "global variable"


@@ -1,3 +1,9 @@
## 0.4.1
### Minor Analysis Improvements
* The alert message of many queries have been changed to better follow the style guide and make the message consistent with other languages.
## 0.4.0
### New Queries


@@ -3,6 +3,7 @@
* @description Lists all files in the source code directory that were extracted without encountering a problem in the file.
* @kind diagnostic
* @id cpp/diagnostics/successfully-extracted-files
* @tags successfully-extracted-files
*/
import cpp


@@ -48,5 +48,5 @@ where
not coordinatePair(iterationVar, innerVar)
select iterationVar,
"Iteration variable " + iterationVar.getName() +
" for $@ should have a descriptive name, since there is $@.", outer, "this loop", inner,
"a nested loop"
" for $@ should have a descriptive name, since there is a $@.", outer, "this loop", inner,
"nested loop"


@@ -135,5 +135,5 @@ where
sink.getNode().asExpr() = va and
missingGuard(va, effect)
select sink.getNode(), source, sink,
"Arithmetic expression depends on an $@, potentially causing an " + effect + ".",
"This arithmetic expression depends on an $@, potentially causing an " + effect + ".",
getExpr(source.getNode()), "uncontrolled value"


@@ -1,4 +1,5 @@
---
category: minorAnalysis
---
## 0.4.1
### Minor Analysis Improvements
* The alert message of many queries have been changed to better follow the style guide and make the message consistent with other languages.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.4.0
lastReleaseVersion: 0.4.1


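--- /dev/null
+++ b/ConstantSizeArrayOffByOne.cpp
@@ -0,0 +1,17 @@
+#define MAX_SIZE 1024
+struct FixedArray {
+int buf[MAX_SIZE];
+};
+int main(){
+FixedArray arr;
+for(int i = 0; i <= MAX_SIZE; i++) {
+arr.buf[i] = 0; // BAD
+}
+for(int i = 0; i < MAX_SIZE; i++) {
+arr.buf[i] = 0; // GOOD
+}
+}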


@@ -0,0 +1,29 @@
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>The program performs an out-of-bounds read or write operation. In addition to causing program instability, techniques exist which may allow an attacker to use this vulnerability to execute arbitrary code.</p>
</overview>
<recommendation>
<p>Ensure that pointer dereferences are properly guarded to ensure that they cannot be used to read or write past the end of the allocation.</p>
</recommendation>
<example>
<p>The first example uses a for loop which is improperly bounded by a non-strict less-than operation and will write one position past the end of the array. The second example bounds the for loop properly with a strict less-than operation.</p>
<sample src="ConstantSizeArrayOffByOne.cpp" />
</example>
<references>
<li>CERT C Coding Standard:
<a href="https://wiki.sei.cmu.edu/confluence/display/c/ARR30-C.+Do+not+form+or+use+out-of-bounds+pointers+or+array+subscripts">ARR30-C. Do not form or use out-of-bounds pointers or array subscripts</a>.</li>
<li>
OWASP:
<a href="https://owasp.org/www-community/vulnerabilities/Buffer_Overflow">Buffer Overflow</a>.
</li>
</references>
</qhelp>


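--- /dev/null
+++ b/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql
@@ -0,0 +1,107 @@
+/**
+* @name Constant array overflow
+* @description Dereferencing a pointer that points past a statically-sized array is undefined behavior
+* and may lead to security vulnerabilities
+* @kind path-problem
+* @problem.severity error
+* @id cpp/constant-array-overflow
+* @tags reliability
+* security
+*/
+import experimental.semmle.code.cpp.semantic.analysis.RangeAnalysis
+import experimental.semmle.code.cpp.semantic.SemanticBound
+import experimental.semmle.code.cpp.semantic.SemanticExprSpecific
+import semmle.code.cpp.ir.IR
+import experimental.semmle.code.cpp.ir.dataflow.DataFlow
+import experimental.semmle.code.cpp.ir.dataflow.DataFlow2
+import DataFlow2::PathGraph
+pragma[nomagic]
+Instruction getABoundIn(SemBound b, IRFunction func) {
+result = b.getExpr(0) and
+result.getEnclosingIRFunction() = func
+}
+/**
+* Holds if `i <= b + delta`.
+*/
+pragma[nomagic]
+predicate bounded(Instruction i, Instruction b, int delta) {
+exists(SemBound bound, IRFunction func |
+semBounded(getSemanticExpr(i), bound, delta, true, _) and
+b = getABoundIn(bound, func) and
+i.getEnclosingIRFunction() = func
+)
+}
+class FieldAddressToPointerArithmeticConf extends DataFlow::Configuration {
+FieldAddressToPointerArithmeticConf() { this = "FieldAddressToPointerArithmeticConf" }
+override predicate isSource(DataFlow::Node source) { isFieldAddressSource(_, source) }
+override predicate isSink(DataFlow::Node sink) {
+exists(PointerAddInstruction pai | pai.getLeft() = sink.asInstruction())
+}
+}
+predicate isFieldAddressSource(Field f, DataFlow::Node source) {
+source.asInstruction().(FieldAddressInstruction).getField() = f
+}
+/**
+* Holds if `sink` is a sink for `InvalidPointerToDerefConf` and `i` is a `StoreInstruction` that
+* writes to an address that non-strictly upper-bounds `sink`, or `i` is a `LoadInstruction` that
+* reads from an address that non-strictly upper-bounds `sink`.
+*/
+predicate isInvalidPointerDerefSink(DataFlow::Node sink, Instruction i, string operation) {
+exists(AddressOperand addr, int delta |
+bounded(addr.getDef(), sink.asInstruction(), delta) and
+delta >= 0 and
+i.getAnOperand() = addr
+|
+i instanceof StoreInstruction and
+operation = "write"
+or
+i instanceof LoadInstruction and
+operation = "read"
+)
+}
+predicate isConstantSizeOverflowSource(Field f, PointerAddInstruction pai, int delta) {
+exists(
+int size, int bound, FieldAddressToPointerArithmeticConf conf, DataFlow::Node source,
+DataFlow::InstructionNode sink
+|
+conf.hasFlow(source, sink) and
+isFieldAddressSource(f, source) and
+pai.getLeft() = sink.asInstruction() and
+f.getUnspecifiedType().(ArrayType).getArraySize() = size and
+semBounded(getSemanticExpr(pai.getRight()), any(SemZeroBound b), bound, true, _) and
+delta = bound - size and
+delta >= 0 and
+size != 0 and
+size != 1
+)
+}
+class PointerArithmeticToDerefConf extends DataFlow2::Configuration {
+PointerArithmeticToDerefConf() { this = "PointerArithmeticToDerefConf" }
+override predicate isSource(DataFlow::Node source) {
+isConstantSizeOverflowSource(_, source.asInstruction(), _)
+}
+override predicate isSink(DataFlow::Node sink) { isInvalidPointerDerefSink(sink, _, _) }
+}
+from
+Field f, DataFlow2::PathNode source, DataFlow2::PathNode sink, Instruction deref,
+PointerArithmeticToDerefConf conf, string operation, int delta
+where
+conf.hasFlowPath(source, sink) and
+isInvalidPointerDerefSink(sink.getNode(), deref, operation) and
+isConstantSizeOverflowSource(f, source.getNode().asInstruction(), delta)
+select source, source, sink,
+"This pointer arithmetic may have an off-by-" + (delta + 1) +
+" error allowing it to overrun $@ at this $@.", f, f.getName(), deref, operation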
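Review bot: The QLDoc on `isInvalidPointerDerefSink` says the predicate defines sinks for `InvalidPointerToDerefConf`, but no such configuration exists in this file; the class whose `isSink` override delegates to it is `PointerArithmeticToDerefConf`, so the first line should read `Holds if `sink` is a sink for `PointerArithmeticToDerefConf` and `i` is a `StoreInstruction` that`. In `isConstantSizeOverflowSource` the conjuncts `size != 0 and size != 1` exclude every 0- or 1-element array field regardless of where it sits in its struct, so a genuine `int buf[1]` followed by other members is never reported; at minimum document the intent with `// 0/1-sized arrays are assumed to be trailing dynamic-size arrays and are not reported` and consider restricting the exclusion to fields that are the last member of their declaring type. `getABoundIn`, `isFieldAddressSource`, `isConstantSizeOverflowSource` and both configuration classes carry no QLDoc; a one-line description of each, including that `delta` is the amount by which the index's upper bound exceeds the array size, would make the `off-by-` + (delta + 1) arithmetic in the `select` clause legible without re-deriving it.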


@@ -1,5 +1,5 @@
name: codeql/cpp-queries
version: 0.4.1-dev
version: 0.4.2-dev
groups:
- cpp
- queries


@@ -1 +1 @@
| UnintendedDeclaration.cpp:65:14:65:20 | definition of myMutex | Local variable myMutex hides $@ with the same name. | UnintendedDeclaration.cpp:40:7:40:13 | myMutex | a global variable |
| UnintendedDeclaration.cpp:65:14:65:20 | definition of myMutex | Local variable myMutex hides a $@ with the same name. | UnintendedDeclaration.cpp:40:7:40:13 | myMutex | global variable |


@@ -0,0 +1,37 @@
edges
| test.cpp:66:32:66:32 | p | test.cpp:66:32:66:32 | Load |
| test.cpp:66:32:66:32 | p | test.cpp:67:5:67:6 | * ... |
| test.cpp:66:32:66:32 | p | test.cpp:67:6:67:6 | Load |
| test.cpp:77:26:77:44 | & ... | test.cpp:66:32:66:32 | p |
| test.cpp:77:26:77:44 | & ... | test.cpp:66:32:66:32 | p |
| test.cpp:77:27:77:44 | access to array | test.cpp:77:26:77:44 | & ... |
nodes
| test.cpp:35:5:35:22 | access to array | semmle.label | access to array |
| test.cpp:36:5:36:24 | access to array | semmle.label | access to array |
| test.cpp:43:9:43:19 | access to array | semmle.label | access to array |
| test.cpp:49:5:49:22 | access to array | semmle.label | access to array |
| test.cpp:50:5:50:24 | access to array | semmle.label | access to array |
| test.cpp:57:9:57:19 | access to array | semmle.label | access to array |
| test.cpp:61:9:61:19 | access to array | semmle.label | access to array |
| test.cpp:66:32:66:32 | Load | semmle.label | Load |
| test.cpp:66:32:66:32 | p | semmle.label | p |
| test.cpp:66:32:66:32 | p | semmle.label | p |
| test.cpp:67:5:67:6 | * ... | semmle.label | * ... |
| test.cpp:67:6:67:6 | Load | semmle.label | Load |
| test.cpp:72:5:72:15 | access to array | semmle.label | access to array |
| test.cpp:77:26:77:44 | & ... | semmle.label | & ... |
| test.cpp:77:27:77:44 | access to array | semmle.label | access to array |
subpaths
#select
| test.cpp:35:5:35:22 | access to array | test.cpp:35:5:35:22 | access to array | test.cpp:35:5:35:22 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:35:5:35:26 | Store: ... = ... | write |
| test.cpp:36:5:36:24 | access to array | test.cpp:36:5:36:24 | access to array | test.cpp:36:5:36:24 | access to array | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:36:5:36:28 | Store: ... = ... | write |
| test.cpp:43:9:43:19 | access to array | test.cpp:43:9:43:19 | access to array | test.cpp:43:9:43:19 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:43:9:43:23 | Store: ... = ... | write |
| test.cpp:49:5:49:22 | access to array | test.cpp:49:5:49:22 | access to array | test.cpp:49:5:49:22 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:49:5:49:26 | Store: ... = ... | write |
| test.cpp:50:5:50:24 | access to array | test.cpp:50:5:50:24 | access to array | test.cpp:50:5:50:24 | access to array | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:50:5:50:28 | Store: ... = ... | write |
| test.cpp:57:9:57:19 | access to array | test.cpp:57:9:57:19 | access to array | test.cpp:57:9:57:19 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:57:9:57:23 | Store: ... = ... | write |
| test.cpp:61:9:61:19 | access to array | test.cpp:61:9:61:19 | access to array | test.cpp:61:9:61:19 | access to array | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:61:9:61:23 | Store: ... = ... | write |
| test.cpp:72:5:72:15 | access to array | test.cpp:72:5:72:15 | access to array | test.cpp:72:5:72:15 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:72:5:72:19 | Store: ... = ... | write |
| test.cpp:77:27:77:44 | access to array | test.cpp:77:27:77:44 | access to array | test.cpp:66:32:66:32 | Load | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:67:5:67:10 | Store: ... = ... | write |
| test.cpp:77:27:77:44 | access to array | test.cpp:77:27:77:44 | access to array | test.cpp:66:32:66:32 | p | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:67:5:67:10 | Store: ... = ... | write |
| test.cpp:77:27:77:44 | access to array | test.cpp:77:27:77:44 | access to array | test.cpp:67:5:67:6 | * ... | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:67:5:67:10 | Store: ... = ... | write |
| test.cpp:77:27:77:44 | access to array | test.cpp:77:27:77:44 | access to array | test.cpp:67:6:67:6 | Load | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:67:5:67:10 | Store: ... = ... | write |


@@ -0,0 +1 @@
experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql


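--- /dev/null
+++ b/test.cpp
@@ -0,0 +1,80 @@
+#define MAX_SIZE 1024
+struct ZeroArray {
+int size;
+int buf[0];
+};
+struct OneArray {
+int size;
+int buf[1];
+};
+struct BigArray {
+int size;
+int buf[MAX_SIZE];
+};
+struct ArrayAndFields {
+int buf[MAX_SIZE];
+int field1;
+int field2;
+};
+// tests for dynamic-size trailing arrays
+void testZeroArray(ZeroArray *arr) {
+arr->buf[0] = 0;
+}
+void testOneArray(OneArray *arr) {
+arr->buf[1] = 0;
+}
+void testBig(BigArray *arr) {
+arr->buf[MAX_SIZE-1] = 0; // GOOD
+arr->buf[MAX_SIZE] = 0; // BAD
+arr->buf[MAX_SIZE+1] = 0; // BAD
+for(int i = 0; i < MAX_SIZE; i++) {
+arr->buf[i] = 0; // GOOD
+}
+for(int i = 0; i <= MAX_SIZE; i++) {
+arr->buf[i] = 0; // BAD
+}
+}
+void testFields(ArrayAndFields *arr) {
+arr->buf[MAX_SIZE-1] = 0; // GOOD
+arr->buf[MAX_SIZE] = 0; // BAD?
+arr->buf[MAX_SIZE+1] = 0; // BAD?
+for(int i = 0; i < MAX_SIZE; i++) {
+arr->buf[i] = 0; // GOOD
+}
+for(int i = 0; i <= MAX_SIZE; i++) {
+arr->buf[i] = 0; // BAD?
+}
+for(int i = 0; i < MAX_SIZE+2; i++) {
+arr->buf[i] = 0; // BAD?
+}
+// is this different if it's a memcpy?
+}
+void assignThroughPointer(int *p) {
+*p = 0; // ??? should the result go at a flow source?
+}
+void addToPointerAndAssign(int *p) {
+p[MAX_SIZE-1] = 0; // GOOD
+p[MAX_SIZE] = 0; // BAD
+}
+void testInterproc(BigArray *arr) {
+assignThroughPointer(&arr->buf[MAX_SIZE-1]); // GOOD
+assignThroughPointer(&arr->buf[MAX_SIZE]); // BAD
+addToPointerAndAssign(arr->buf);
+}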
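Review bot: The `// BAD?` markers in `testFields` and the `// ??? should the result go at a flow source?` comment in `assignThroughPointer` record open questions rather than expectations, so the test does not state what it is checking; the accompanying expected output appears to report the `ArrayAndFields` writes at `MAX_SIZE`, `MAX_SIZE+1` and in the two over-long loops as off-by-1 and off-by-2, so once that is confirmed these should be settled to `// BAD` (or a deliberate `// GOOD` with the reason). `testZeroArray` and `testOneArray` carry no GOOD/BAD annotation at all even though they are the only cases exercising the query's 0/1-sized-array exclusion; a comment such as `// GOOD: trailing zero-size array is the dynamic-size idiom and is not reported` would tie them to that intent. The `// is this different if it's a memcpy?` question should either become a test case or be removed so the file reads as a specification rather than a scratchpad.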


@@ -1,5 +1,5 @@
| Hiding.c:22:25:22:26 | definition of gi | Local variable gi hides $@ with the same name. | Hiding.c:2:5:2:6 | gi | a global variable |
| Hiding.c:23:25:23:26 | definition of gj | Local variable gj hides $@ with the same name. | Hiding.c:3:12:3:13 | gj | a global variable |
| Hiding.c:24:25:24:26 | definition of gk | Local variable gk hides $@ with the same name. | Hiding.c:4:12:4:13 | gk | a global variable |
| Hiding.c:37:20:37:21 | definition of g3 | Parameter g3 hides $@ with the same name. | Hiding.c:33:13:33:14 | g3 | a global variable |
| Hiding.c:40:20:40:21 | definition of g5 | Parameter g5 hides $@ with the same name. | Hiding.c:33:21:33:22 | g5 | a global variable |
| Hiding.c:22:25:22:26 | definition of gi | Local variable gi hides a $@ with the same name. | Hiding.c:2:5:2:6 | gi | global variable |
| Hiding.c:23:25:23:26 | definition of gj | Local variable gj hides a $@ with the same name. | Hiding.c:3:12:3:13 | gj | global variable |
| Hiding.c:24:25:24:26 | definition of gk | Local variable gk hides a $@ with the same name. | Hiding.c:4:12:4:13 | gk | global variable |
| Hiding.c:37:20:37:21 | definition of g3 | Parameter g3 hides a $@ with the same name. | Hiding.c:33:13:33:14 | g3 | global variable |
| Hiding.c:40:20:40:21 | definition of g5 | Parameter g5 hides a $@ with the same name. | Hiding.c:33:21:33:22 | g5 | global variable |


@@ -1,4 +1,4 @@
| ShortLoopVarName.cpp:6:6:6:6 | i | Iteration variable i for $@ should have a descriptive name, since there is $@. | ShortLoopVarName.cpp:12:2:18:2 | for(...;...;...) ... | this loop | ShortLoopVarName.cpp:14:3:17:3 | for(...;...;...) ... | a nested loop |
| ShortLoopVarName.cpp:30:13:30:13 | a | Iteration variable a for $@ should have a descriptive name, since there is $@. | ShortLoopVarName.cpp:30:2:38:2 | for(...;...;...) ... | this loop | ShortLoopVarName.cpp:34:3:37:3 | for(...;...;...) ... | a nested loop |
| ShortLoopVarName.cpp:73:11:73:11 | y | Iteration variable y for $@ should have a descriptive name, since there is $@. | ShortLoopVarName.cpp:73:2:80:2 | for(...;...;...) ... | this loop | ShortLoopVarName.cpp:75:3:79:3 | for(...;...;...) ... | a nested loop |
| ShortLoopVarName.cpp:96:12:96:12 | i | Iteration variable i for $@ should have a descriptive name, since there is $@. | ShortLoopVarName.cpp:96:3:102:3 | for(...;...;...) ... | this loop | ShortLoopVarName.cpp:98:4:101:4 | for(...;...;...) ... | a nested loop |
| ShortLoopVarName.cpp:6:6:6:6 | i | Iteration variable i for $@ should have a descriptive name, since there is a $@. | ShortLoopVarName.cpp:12:2:18:2 | for(...;...;...) ... | this loop | ShortLoopVarName.cpp:14:3:17:3 | for(...;...;...) ... | nested loop |
| ShortLoopVarName.cpp:30:13:30:13 | a | Iteration variable a for $@ should have a descriptive name, since there is a $@. | ShortLoopVarName.cpp:30:2:38:2 | for(...;...;...) ... | this loop | ShortLoopVarName.cpp:34:3:37:3 | for(...;...;...) ... | nested loop |
| ShortLoopVarName.cpp:73:11:73:11 | y | Iteration variable y for $@ should have a descriptive name, since there is a $@. | ShortLoopVarName.cpp:73:2:80:2 | for(...;...;...) ... | this loop | ShortLoopVarName.cpp:75:3:79:3 | for(...;...;...) ... | nested loop |
| ShortLoopVarName.cpp:96:12:96:12 | i | Iteration variable i for $@ should have a descriptive name, since there is a $@. | ShortLoopVarName.cpp:96:3:102:3 | for(...;...;...) ... | this loop | ShortLoopVarName.cpp:98:4:101:4 | for(...;...;...) ... | nested loop |


@@ -52,27 +52,27 @@ nodes
| examples.cpp:38:9:38:12 | data | semmle.label | data |
subpaths
#select
| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | (unsigned int)... | examples.cpp:25:31:25:34 | data | Arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value |
| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | (unsigned int)... | examples.cpp:25:31:25:34 | data | Arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value |
| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | (unsigned int)... | examples.cpp:25:31:25:34 | data | Arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value |
| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | (unsigned int)... | examples.cpp:25:31:25:34 | data | Arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value |
| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | (unsigned int)... | examples.cpp:25:31:25:34 | data | Arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value |
| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | (unsigned int)... | examples.cpp:25:31:25:34 | data | Arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value |
| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | Arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value |
| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | Arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value |
| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | Arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value |
| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | Arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value |
| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | Arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value |
| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | Arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value |
| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | (unsigned int)... | examples.cpp:38:9:38:12 | data | Arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value |
| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | (unsigned int)... | examples.cpp:38:9:38:12 | data | Arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value |
| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | (unsigned int)... | examples.cpp:38:9:38:12 | data | Arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value |
| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | (unsigned int)... | examples.cpp:38:9:38:12 | data | Arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value |
| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | (unsigned int)... | examples.cpp:38:9:38:12 | data | Arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value |
| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | (unsigned int)... | examples.cpp:38:9:38:12 | data | Arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value |
| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | Arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value |
| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | Arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value |
| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | Arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value |
| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | Arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value |
| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | Arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value |
| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | Arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value |
| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | (unsigned int)... | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value |
| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | (unsigned int)... | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value |
| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | (unsigned int)... | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value |
| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | (unsigned int)... | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value |
| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | (unsigned int)... | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value |
| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | (unsigned int)... | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value |
| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value |
| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value |
| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value |
| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value |
| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value |
| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value |
| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | (unsigned int)... | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value |
| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | (unsigned int)... | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value |
| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | (unsigned int)... | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value |
| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | (unsigned int)... | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value |
| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | (unsigned int)... | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value |
| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | (unsigned int)... | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value |
| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value |
| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value |
| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value |
| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value |
| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value |
| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value |


@@ -92,31 +92,31 @@ nodes
| test.cpp:219:8:219:8 | x | semmle.label | x |
subpaths
#select
| test.c:21:17:21:17 | r | test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r | Arithmetic expression depends on an $@, potentially causing an overflow. | test.c:18:13:18:16 | call to rand | uncontrolled value |
| test.c:35:5:35:5 | r | test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r | Arithmetic expression depends on an $@, potentially causing an overflow. | test.c:34:13:34:18 | call to rand | uncontrolled value |
| test.c:45:5:45:5 | r | test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r | Arithmetic expression depends on an $@, potentially causing an overflow. | test.c:44:13:44:16 | call to rand | uncontrolled value |
| test.c:77:9:77:9 | r | test.c:75:13:75:19 | call to rand | test.c:77:9:77:9 | r | Arithmetic expression depends on an $@, potentially causing an overflow. | test.c:75:13:75:19 | call to rand | uncontrolled value |
| test.c:77:9:77:9 | r | test.c:75:13:75:19 | call to rand | test.c:77:9:77:9 | r | Arithmetic expression depends on an $@, potentially causing an overflow. | test.c:75:13:75:19 | call to rand | uncontrolled value |
| test.c:83:9:83:9 | r | test.c:81:14:81:17 | call to rand | test.c:83:9:83:9 | r | Arithmetic expression depends on an $@, potentially causing an overflow. | test.c:81:14:81:17 | call to rand | uncontrolled value |
| test.c:83:9:83:9 | r | test.c:81:23:81:26 | call to rand | test.c:83:9:83:9 | r | Arithmetic expression depends on an $@, potentially causing an overflow. | test.c:81:23:81:26 | call to rand | uncontrolled value |
| test.c:127:9:127:9 | r | test.c:125:13:125:16 | call to rand | test.c:127:9:127:9 | r | Arithmetic expression depends on an $@, potentially causing an overflow. | test.c:125:13:125:16 | call to rand | uncontrolled value |
| test.c:133:5:133:5 | r | test.c:131:13:131:16 | call to rand | test.c:133:5:133:5 | r | Arithmetic expression depends on an $@, potentially causing an overflow. | test.c:131:13:131:16 | call to rand | uncontrolled value |
| test.c:139:10:139:10 | r | test.c:137:13:137:16 | call to rand | test.c:139:10:139:10 | r | Arithmetic expression depends on an $@, potentially causing an overflow. | test.c:137:13:137:16 | call to rand | uncontrolled value |
| test.c:157:9:157:9 | r | test.c:155:22:155:25 | call to rand | test.c:157:9:157:9 | r | Arithmetic expression depends on an $@, potentially causing an underflow. | test.c:155:22:155:25 | call to rand | uncontrolled value |
| test.c:157:9:157:9 | r | test.c:155:22:155:27 | (unsigned int)... | test.c:157:9:157:9 | r | Arithmetic expression depends on an $@, potentially causing an underflow. | test.c:155:22:155:25 | call to rand | uncontrolled value |
| test.cpp:25:7:25:7 | r | test.cpp:8:9:8:12 | call to rand | test.cpp:25:7:25:7 | r | Arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:8:9:8:12 | call to rand | uncontrolled value |
| test.cpp:31:7:31:7 | r | test.cpp:13:10:13:13 | call to rand | test.cpp:31:7:31:7 | r | Arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:13:10:13:13 | call to rand | uncontrolled value |
| test.cpp:37:7:37:7 | r | test.cpp:18:9:18:12 | call to rand | test.cpp:37:7:37:7 | r | Arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:18:9:18:12 | call to rand | uncontrolled value |
| test.cpp:90:10:90:10 | x | test.cpp:86:10:86:13 | call to rand | test.cpp:90:10:90:10 | x | Arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:86:10:86:13 | call to rand | uncontrolled value |
| test.cpp:102:10:102:10 | x | test.cpp:98:10:98:13 | call to rand | test.cpp:102:10:102:10 | x | Arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:98:10:98:13 | call to rand | uncontrolled value |
| test.cpp:146:9:146:9 | y | test.cpp:137:10:137:13 | call to rand | test.cpp:146:9:146:9 | y | Arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:137:10:137:13 | call to rand | uncontrolled value |
| test.cpp:154:10:154:10 | b | test.cpp:151:10:151:13 | call to rand | test.cpp:154:10:154:10 | b | Arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:151:10:151:13 | call to rand | uncontrolled value |
| test.cpp:171:11:171:16 | (int)... | test.cpp:169:11:169:14 | call to rand | test.cpp:171:11:171:16 | (int)... | Arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:169:11:169:14 | call to rand | uncontrolled value |
| test.cpp:171:16:171:16 | y | test.cpp:169:11:169:14 | call to rand | test.cpp:171:16:171:16 | y | Arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:169:11:169:14 | call to rand | uncontrolled value |
| test.cpp:196:7:196:7 | x | test.cpp:189:10:189:13 | call to rand | test.cpp:196:7:196:7 | x | Arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:189:10:189:13 | call to rand | uncontrolled value |
| test.cpp:198:7:198:7 | x | test.cpp:189:10:189:13 | call to rand | test.cpp:198:7:198:7 | x | Arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:189:10:189:13 | call to rand | uncontrolled value |
| test.cpp:199:7:199:7 | x | test.cpp:189:10:189:13 | call to rand | test.cpp:199:7:199:7 | x | Arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:189:10:189:13 | call to rand | uncontrolled value |
| test.cpp:204:7:204:7 | y | test.cpp:190:10:190:13 | call to rand | test.cpp:204:7:204:7 | y | Arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:190:10:190:13 | call to rand | uncontrolled value |
| test.cpp:205:7:205:7 | y | test.cpp:190:10:190:13 | call to rand | test.cpp:205:7:205:7 | y | Arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:190:10:190:13 | call to rand | uncontrolled value |
| test.cpp:208:7:208:7 | y | test.cpp:190:10:190:13 | call to rand | test.cpp:208:7:208:7 | y | Arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:190:10:190:13 | call to rand | uncontrolled value |
| test.cpp:219:8:219:8 | x | test.cpp:215:11:215:14 | call to rand | test.cpp:219:8:219:8 | x | Arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:215:11:215:14 | call to rand | uncontrolled value |
| test.c:21:17:21:17 | r | test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:18:13:18:16 | call to rand | uncontrolled value |
| test.c:35:5:35:5 | r | test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:34:13:34:18 | call to rand | uncontrolled value |
| test.c:45:5:45:5 | r | test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:44:13:44:16 | call to rand | uncontrolled value |
| test.c:77:9:77:9 | r | test.c:75:13:75:19 | call to rand | test.c:77:9:77:9 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:75:13:75:19 | call to rand | uncontrolled value |
| test.c:77:9:77:9 | r | test.c:75:13:75:19 | call to rand | test.c:77:9:77:9 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:75:13:75:19 | call to rand | uncontrolled value |
| test.c:83:9:83:9 | r | test.c:81:14:81:17 | call to rand | test.c:83:9:83:9 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:81:14:81:17 | call to rand | uncontrolled value |
| test.c:83:9:83:9 | r | test.c:81:23:81:26 | call to rand | test.c:83:9:83:9 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:81:23:81:26 | call to rand | uncontrolled value |
| test.c:127:9:127:9 | r | test.c:125:13:125:16 | call to rand | test.c:127:9:127:9 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:125:13:125:16 | call to rand | uncontrolled value |
| test.c:133:5:133:5 | r | test.c:131:13:131:16 | call to rand | test.c:133:5:133:5 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:131:13:131:16 | call to rand | uncontrolled value |
| test.c:139:10:139:10 | r | test.c:137:13:137:16 | call to rand | test.c:139:10:139:10 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:137:13:137:16 | call to rand | uncontrolled value |
| test.c:157:9:157:9 | r | test.c:155:22:155:25 | call to rand | test.c:157:9:157:9 | r | This arithmetic expression depends on an $@, potentially causing an underflow. | test.c:155:22:155:25 | call to rand | uncontrolled value |
| test.c:157:9:157:9 | r | test.c:155:22:155:27 | (unsigned int)... | test.c:157:9:157:9 | r | This arithmetic expression depends on an $@, potentially causing an underflow. | test.c:155:22:155:25 | call to rand | uncontrolled value |
| test.cpp:25:7:25:7 | r | test.cpp:8:9:8:12 | call to rand | test.cpp:25:7:25:7 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:8:9:8:12 | call to rand | uncontrolled value |
| test.cpp:31:7:31:7 | r | test.cpp:13:10:13:13 | call to rand | test.cpp:31:7:31:7 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:13:10:13:13 | call to rand | uncontrolled value |
| test.cpp:37:7:37:7 | r | test.cpp:18:9:18:12 | call to rand | test.cpp:37:7:37:7 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:18:9:18:12 | call to rand | uncontrolled value |
| test.cpp:90:10:90:10 | x | test.cpp:86:10:86:13 | call to rand | test.cpp:90:10:90:10 | x | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:86:10:86:13 | call to rand | uncontrolled value |
| test.cpp:102:10:102:10 | x | test.cpp:98:10:98:13 | call to rand | test.cpp:102:10:102:10 | x | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:98:10:98:13 | call to rand | uncontrolled value |
| test.cpp:146:9:146:9 | y | test.cpp:137:10:137:13 | call to rand | test.cpp:146:9:146:9 | y | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:137:10:137:13 | call to rand | uncontrolled value |
| test.cpp:154:10:154:10 | b | test.cpp:151:10:151:13 | call to rand | test.cpp:154:10:154:10 | b | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:151:10:151:13 | call to rand | uncontrolled value |
| test.cpp:171:11:171:16 | (int)... | test.cpp:169:11:169:14 | call to rand | test.cpp:171:11:171:16 | (int)... | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:169:11:169:14 | call to rand | uncontrolled value |
| test.cpp:171:16:171:16 | y | test.cpp:169:11:169:14 | call to rand | test.cpp:171:16:171:16 | y | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:169:11:169:14 | call to rand | uncontrolled value |
| test.cpp:196:7:196:7 | x | test.cpp:189:10:189:13 | call to rand | test.cpp:196:7:196:7 | x | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:189:10:189:13 | call to rand | uncontrolled value |
| test.cpp:198:7:198:7 | x | test.cpp:189:10:189:13 | call to rand | test.cpp:198:7:198:7 | x | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:189:10:189:13 | call to rand | uncontrolled value |
| test.cpp:199:7:199:7 | x | test.cpp:189:10:189:13 | call to rand | test.cpp:199:7:199:7 | x | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:189:10:189:13 | call to rand | uncontrolled value |
| test.cpp:204:7:204:7 | y | test.cpp:190:10:190:13 | call to rand | test.cpp:204:7:204:7 | y | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:190:10:190:13 | call to rand | uncontrolled value |
| test.cpp:205:7:205:7 | y | test.cpp:190:10:190:13 | call to rand | test.cpp:205:7:205:7 | y | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:190:10:190:13 | call to rand | uncontrolled value |
| test.cpp:208:7:208:7 | y | test.cpp:190:10:190:13 | call to rand | test.cpp:208:7:208:7 | y | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:190:10:190:13 | call to rand | uncontrolled value |
| test.cpp:219:8:219:8 | x | test.cpp:215:11:215:14 | call to rand | test.cpp:219:8:219:8 | x | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:215:11:215:14 | call to rand | uncontrolled value |


@@ -1,3 +1,7 @@
## 1.3.1
No user-facing changes.
## 1.3.0
No user-facing changes.


@@ -0,0 +1,3 @@
## 1.3.1
No user-facing changes.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.3.0
lastReleaseVersion: 1.3.1


@@ -1,5 +1,5 @@
name: codeql/csharp-solorigate-all
version: 1.3.1-dev
version: 1.3.2-dev
groups:
- csharp
- solorigate


@@ -1,3 +1,7 @@
## 1.3.1
No user-facing changes.
## 1.3.0
No user-facing changes.


@@ -0,0 +1,3 @@
## 1.3.1
No user-facing changes.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.3.0
lastReleaseVersion: 1.3.1


@@ -1,5 +1,5 @@
name: codeql/csharp-solorigate-queries
version: 1.3.1-dev
version: 1.3.2-dev
groups:
- csharp
- solorigate


@@ -1,3 +1,10 @@
## 0.4.1
### Minor Analysis Improvements
* `DateTime` expressions are now considered simple type sanitizers. This affects a wide range of security queries.
* ASP.NET Core controller definition has been made more precise. The amount of introduced taint sources or eliminated false positives should be low though, since the most common pattern is to derive all user defined ASP.NET Core controllers from the standard Controller class, which is not affected.
## 0.4.0
### Deprecated APIs


@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* `DateTime` expressions are now considered simple type sanitizers. This affects a wide range of security queries.


@@ -1,4 +1,6 @@
---
category: minorAnalysis
---
## 0.4.1
### Minor Analysis Improvements
* `DateTime` expressions are now considered simple type sanitizers. This affects a wide range of security queries.
* ASP.NET Core controller definition has been made more precise. The amount of introduced taint sources or eliminated false positives should be low though, since the most common pattern is to derive all user defined ASP.NET Core controllers from the standard Controller class, which is not affected.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.4.0
lastReleaseVersion: 0.4.1


@@ -1,5 +1,5 @@
name: codeql/csharp-all
version: 0.4.1-dev
version: 0.4.2-dev
groups: csharp
dbscheme: semmlecode.csharp.dbscheme
extractor: csharp


@@ -750,6 +750,27 @@ module Private {
)
}
/**
* Holds if `p` can reach `n` in a summarized callable, using only value-preserving
* local steps. `clearsOrExpects` records whether any node on the path from `p` to
* `n` either clears or expects contents.
*/
private predicate paramReachesLocal(ParamNode p, Node n, boolean clearsOrExpects) {
viableParam(_, _, _, p) and
n = p and
clearsOrExpects = false
or
exists(Node mid, boolean clearsOrExpectsMid |
paramReachesLocal(p, mid, clearsOrExpectsMid) and
summaryLocalStep(mid, n, true) and
if
summaryClearsContent(n, _) or
summaryExpectsContent(n, _)
then clearsOrExpects = true
else clearsOrExpects = clearsOrExpectsMid
)
}
/**
* Holds if use-use flow starting from `arg` should be prohibited.
*
@@ -759,15 +780,11 @@ module Private {
*/
pragma[nomagic]
predicate prohibitsUseUseFlow(ArgNode arg, SummarizedCallable sc) {
exists(ParamNode p, Node mid, ParameterPosition ppos, Node ret |
exists(ParamNode p, ParameterPosition ppos, Node ret |
paramReachesLocal(p, ret, true) and
p = summaryArgParam0(_, arg, sc) and
p.isParameterOf(_, pragma[only_bind_into](ppos)) and
summaryLocalStep(p, mid, true) and
summaryLocalStep(mid, ret, true) and
isParameterPostUpdate(ret, _, pragma[only_bind_into](ppos))
|
summaryClearsContent(mid, _) or
summaryExpectsContent(mid, _)
)
}
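Review bot: The doc comment on `paramReachesLocal` says `clearsOrExpects` records whether any node on the path from `p` to `n` clears or expects contents, but the base case binds `n = p and clearsOrExpects = false` without consulting `summaryClearsContent`/`summaryExpectsContent` on `p` itself, so only nodes reached by at least one `summaryLocalStep` are ever checked. If that exclusion is deliberate (it matches the old `prohibitsUseUseFlow`, where `mid` was strictly between `p` and `ret`), the comment should say so: `* `n` either clears or expects contents; `p` itself is never checked.` Otherwise the base case needs the same conditional as the recursive case. It is also worth a sentence in the doc that the rewritten `prohibitsUseUseFlow` now accepts local paths of any length, with `ret` itself allowed to be the clearing node, where the old version required exactly two steps; presumably intended, but it is a semantic change hidden inside a refactor.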


@@ -1,3 +1,9 @@
## 0.4.1
### Minor Analysis Improvements
* The alert message of many queries have been changed to better follow the style guide and make the message consistent with other languages.
## 0.4.0
### Minor Analysis Improvements


@@ -4,6 +4,7 @@
* without encountering an extraction or compiler error in the file.
* @kind diagnostic
* @id cs/diagnostics/successfully-extracted-files
* @tags successfully-extracted-files
*/
import csharp


@@ -1,4 +1,5 @@
---
category: minorAnalysis
---
* The alert message of many queries have been changed to better follow the style guide and make the message consistent with other languages.
## 0.4.1
### Minor Analysis Improvements
* The alert message of many queries have been changed to better follow the style guide and make the message consistent with other languages.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.4.0
lastReleaseVersion: 0.4.1


@@ -19,5 +19,5 @@ import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
where c.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "$@ flows to here and is used in a method of WebClient.",
source.getNode(), "User-provided value"
select sink.getNode(), source, sink, "A method of WebClient depepends on a $@.", source.getNode(),
"user-provided value"
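Review bot: The new alert message misspells "depends" as "depepends", and since this string is what users see in code-scanning alerts it should be fixed before release: `select sink.getNode(), source, sink, "A method of WebClient depends on a $@.", source.getNode(),`. The corresponding `.expected` file for this query is not in view, but it presumably carries the same typo and will need regenerating with the fix.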


@@ -17,5 +17,6 @@ import JsonWebTokenHandlerLib
from TokenValidationParametersProperty p, CallableAlwaysReturnsTrueHigherPrecision e
where e = p.getAnAssignedValue()
select e, "JsonWebTokenHandler security-sensitive property $@ is being delegated to $@.", p,
p.getQualifiedName().toString(), e, "a callable that always returns \"true\""
select e,
"JsonWebTokenHandler security-sensitive property $@ is being delegated to this callable that always returns \"true\".",
p, p.getQualifiedName().toString()


@@ -50,5 +50,5 @@ predicate isSuspiciousPropertyName(PropertyRead pr) {
from DataFlow::PathNode src, DataFlow::PathNode sink, DataFlowFromMethodToHash conf
where conf.hasFlow(src.getNode(), sink.getNode())
select src.getNode(), src, sink,
"The hash is calculated on the process name $@, may be related to a backdoor. Please review the code for possible malicious intent.",
sink.getNode(), "here"
"The hash is calculated on $@, may be related to a backdoor. Please review the code for possible malicious intent.",
sink.getNode(), "this process name"
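Review bot: The rewritten message keeps a comma splice from the old text: "The hash is calculated on $@, may be related to a backdoor" has no subject for "may be related". Since the commit is already reworking this message for style-guide conformance, it should read `"The hash is calculated on $@, which may be related to a backdoor. Please review the code for possible malicious intent."`.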


@@ -1,5 +1,5 @@
name: codeql/csharp-queries
version: 0.4.1-dev
version: 0.4.2-dev
groups:
- csharp
- queries


@@ -1,7 +1,7 @@
| delegation-test.cs:101:63:101:186 | (...) => ... | JsonWebTokenHandler security-sensitive property $@ is being delegated to $@. | stubs.cs:54:34:54:50 | LifetimeValidator | Microsoft.IdentityModel.Tokens.TokenValidationParameters.LifetimeValidator | delegation-test.cs:101:63:101:186 | (...) => ... | a callable that always returns "true" |
| delegation-test.cs:102:63:102:178 | (...) => ... | JsonWebTokenHandler security-sensitive property $@ is being delegated to $@. | stubs.cs:55:34:55:50 | AudienceValidator | Microsoft.IdentityModel.Tokens.TokenValidationParameters.AudienceValidator | delegation-test.cs:102:63:102:178 | (...) => ... | a callable that always returns "true" |
| delegation-test.cs:115:63:115:190 | (...) => ... | JsonWebTokenHandler security-sensitive property $@ is being delegated to $@. | stubs.cs:55:34:55:50 | AudienceValidator | Microsoft.IdentityModel.Tokens.TokenValidationParameters.AudienceValidator | delegation-test.cs:115:63:115:190 | (...) => ... | a callable that always returns "true" |
| delegation-test.cs:116:63:116:180 | (...) => ... | JsonWebTokenHandler security-sensitive property $@ is being delegated to $@. | stubs.cs:55:34:55:50 | AudienceValidator | Microsoft.IdentityModel.Tokens.TokenValidationParameters.AudienceValidator | delegation-test.cs:116:63:116:180 | (...) => ... | a callable that always returns "true" |
| delegation-test.cs:117:63:117:217 | (...) => ... | JsonWebTokenHandler security-sensitive property $@ is being delegated to $@. | stubs.cs:55:34:55:50 | AudienceValidator | Microsoft.IdentityModel.Tokens.TokenValidationParameters.AudienceValidator | delegation-test.cs:117:63:117:217 | (...) => ... | a callable that always returns "true" |
| delegation-test.cs:118:63:118:248 | (...) => ... | JsonWebTokenHandler security-sensitive property $@ is being delegated to $@. | stubs.cs:55:34:55:50 | AudienceValidator | Microsoft.IdentityModel.Tokens.TokenValidationParameters.AudienceValidator | delegation-test.cs:118:63:118:248 | (...) => ... | a callable that always returns "true" |
| delegation-test.cs:119:63:119:177 | (...) => ... | JsonWebTokenHandler security-sensitive property $@ is being delegated to $@. | stubs.cs:55:34:55:50 | AudienceValidator | Microsoft.IdentityModel.Tokens.TokenValidationParameters.AudienceValidator | delegation-test.cs:119:63:119:177 | (...) => ... | a callable that always returns "true" |
| delegation-test.cs:101:63:101:186 | (...) => ... | JsonWebTokenHandler security-sensitive property $@ is being delegated to this callable that always returns "true". | stubs.cs:54:34:54:50 | LifetimeValidator | Microsoft.IdentityModel.Tokens.TokenValidationParameters.LifetimeValidator |
| delegation-test.cs:102:63:102:178 | (...) => ... | JsonWebTokenHandler security-sensitive property $@ is being delegated to this callable that always returns "true". | stubs.cs:55:34:55:50 | AudienceValidator | Microsoft.IdentityModel.Tokens.TokenValidationParameters.AudienceValidator |
| delegation-test.cs:115:63:115:190 | (...) => ... | JsonWebTokenHandler security-sensitive property $@ is being delegated to this callable that always returns "true". | stubs.cs:55:34:55:50 | AudienceValidator | Microsoft.IdentityModel.Tokens.TokenValidationParameters.AudienceValidator |
| delegation-test.cs:116:63:116:180 | (...) => ... | JsonWebTokenHandler security-sensitive property $@ is being delegated to this callable that always returns "true". | stubs.cs:55:34:55:50 | AudienceValidator | Microsoft.IdentityModel.Tokens.TokenValidationParameters.AudienceValidator |
| delegation-test.cs:117:63:117:217 | (...) => ... | JsonWebTokenHandler security-sensitive property $@ is being delegated to this callable that always returns "true". | stubs.cs:55:34:55:50 | AudienceValidator | Microsoft.IdentityModel.Tokens.TokenValidationParameters.AudienceValidator |
| delegation-test.cs:118:63:118:248 | (...) => ... | JsonWebTokenHandler security-sensitive property $@ is being delegated to this callable that always returns "true". | stubs.cs:55:34:55:50 | AudienceValidator | Microsoft.IdentityModel.Tokens.TokenValidationParameters.AudienceValidator |
| delegation-test.cs:119:63:119:177 | (...) => ... | JsonWebTokenHandler security-sensitive property $@ is being delegated to this callable that always returns "true". | stubs.cs:55:34:55:50 | AudienceValidator | Microsoft.IdentityModel.Tokens.TokenValidationParameters.AudienceValidator |


@@ -1,3 +1,9 @@
## 0.3.1
### Minor Analysis Improvements
* Added support for `BeegoInput.RequestBody` as a source of untrusted data.
## 0.3.0
### Deprecated APIs


@@ -0,0 +1,5 @@
## 0.3.1
### Minor Analysis Improvements
* Added support for `BeegoInput.RequestBody` as a source of untrusted data.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.3.0
lastReleaseVersion: 0.3.1


@@ -1,5 +1,5 @@
name: codeql/go-all
version: 0.3.1-dev
version: 0.3.2-dev
groups: go
dbscheme: go.dbscheme
extractor: go


@@ -103,6 +103,17 @@ module Beego {
}
}
/**
* `BeegoInputRequestBody` sources of untrusted data.
*/
private class BeegoInputRequestBodySource extends UntrustedFlowSource::Range {
BeegoInputRequestBodySource() {
exists(DataFlow::FieldReadNode frn | this = frn |
frn.getField().hasQualifiedName(contextPackagePath(), "BeegoInput", "RequestBody")
)
}
}
/**
* `beego/context.Context` sources of untrusted data.
*/
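Review bot: The doc comment on the new class names the source as `BeegoInputRequestBody`, which is neither the field modelled (`BeegoInput.RequestBody`, per the `hasQualifiedName(contextPackagePath(), "BeegoInput", "RequestBody")` call) nor the form used in the changelog entry or in the sibling comment just below ("`beego/context.Context` sources of untrusted data"). Suggest `* `BeegoInput.RequestBody` sources of untrusted data.` so that a reader grepping for the field finds this class. The `contextPackagePath()` predicate is defined outside the hunk, so whether it resolves to the package that actually declares `BeegoInput` cannot be confirmed from here.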


@@ -64,7 +64,7 @@ module InsecureRandomness {
)
}
override string getKind() { result = "this cryptographic algorithm" }
override string getKind() { result = "This cryptographic algorithm" }
}
/**
@@ -75,7 +75,7 @@ module InsecureRandomness {
this.getRoot().(FuncDef).getName().regexpMatch("(?i).*(gen(erate)?|salt|make|mk)Password.*")
}
override string getKind() { result = "a password-related function" }
override string getKind() { result = "A password-related function" }
}
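Review bot: Capitalising the `getKind()` strings here is required because the query in the InsecureRandomness section further down now builds its alert as `kind + " depends on a $@ ..."`, but that same query also filters with the literal `kind != "A password-related function"`, so the library string and the query string must stay byte-identical and nothing enforces that. This commit had to update both sides by hand, which is exactly the failure mode: a future edit to either string silently disables the filter rather than producing an error. Consider having the query distinguish the password-related sink by its class (an `instanceof` test against the sink class defined in this module) or by a predicate this module exports, instead of comparing the display string; the same applies to the `"This cryptographic algorithm"` string at the first hunk. The enclosing sink classes start outside the hunks shown.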
/** Gets a package that implements hash algorithms. */


@@ -1,3 +1,7 @@
## 0.3.1
No user-facing changes.
## 0.3.0
### Query Metadata Changes


@@ -3,6 +3,7 @@
* @name Successfully analyzed files
* @description List all files that were successfully extracted.
* @kind diagnostic
* @tags successfully-extracted-files
*/
import go


@@ -61,4 +61,4 @@ where
// }
n = DataFlow::BarrierGuard<nilTestGuard/3>::getABarrierNode()
)
select n, "The first argument to 'errors.Wrap' is always nil"
select n, "The first argument to 'errors.Wrap' is always nil."


@@ -48,5 +48,5 @@ class Config extends DataFlow::Configuration {
from Config c, DataFlow::PathNode source, DataFlow::PathNode sink, string report
where c.hasFlowPath(source, sink) and c.isSource(source.getNode(), report)
select source, source, sink, "$@ that is $@ contains " + report, source, "A string literal", sink,
select source, source, sink, "This string literal that is $@ contains " + report, sink,
"used as a regular expression"


@@ -17,5 +17,5 @@ import DataFlow::PathGraph
from LogInjection::Configuration c, DataFlow::PathNode source, DataFlow::PathNode sink
where c.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "Log entry depends on a $@.", source.getNode(),
select sink.getNode(), source, sink, "This log entry depends on a $@.", source.getNode(),
"user-provided value"


@@ -19,7 +19,7 @@ where
cfg.hasFlowPath(source, sink) and
cfg.isSink(sink.getNode(), kind) and
(
kind != "a password-related function"
kind != "A password-related function"
or
sink =
min(DataFlow::PathNode sink2, int line |
@@ -31,5 +31,5 @@ where
)
)
select sink.getNode(), source, sink,
"$@ generated with a cryptographically weak RNG is used in $@.", source.getNode(),
"A random number", sink.getNode(), kind
kind + " depends on a $@ generated with a cryptographically weak RNG.", source.getNode(),
"random number"


@@ -0,0 +1,3 @@
## 0.3.1
No user-facing changes.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.3.0
lastReleaseVersion: 0.3.1


@@ -54,5 +54,4 @@ class DivideByZeroCheckConfig extends TaintTracking::Configuration {
from DataFlow::PathNode source, DataFlow::PathNode sink, DivideByZeroCheckConfig cfg
where cfg.hasFlowPath(source, sink)
select sink, source, sink, "Variable $@ might be zero leading to a division-by-zero panic.", sink,
sink.getNode().toString()
select sink, source, sink, "This variable might be zero leading to a division-by-zero panic."


@@ -66,4 +66,4 @@ query predicate edges(CallGraphNode pred, CallGraphNode succ) {
from LoopStmt loop, DatabaseAccess dbAccess
where edges*(loop, dbAccess.asExpr())
select dbAccess, loop, dbAccess, "$@ is called in $@", dbAccess, dbAccess.toString(), loop, "a loop"
select dbAccess, loop, dbAccess, "This calls " + dbAccess.toString() + " in a $@.", loop, "loop"
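Review bot: The new message concatenates `"This calls " + dbAccess.toString()`, and the updated `.expected` output for this query further down shows the result: "This calls call to First in a $@." and "This calls call to Take in a $@.", which is not readable. Since `dbAccess` is itself the selected element, its description need not be repeated in the text; `select dbAccess, loop, dbAccess, "This database access is performed in a $@.", loop, "loop"` reads cleanly and avoids depending on the shape of `toString()`. The expected file would then need regenerating.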


@@ -19,4 +19,4 @@ from
where
cfg.hasFlowPath(source, sink) and
request = sink.getNode().(ServerSideRequestForgery::Sink).getARequest()
select request, source, sink, "The URL of this request depends on a user-provided value"
select request, source, sink, "The URL of this request depends on a user-provided value."


@@ -11,4 +11,4 @@ import RangeAnalysis
from Expr expr
where exprMayOverflow(expr) or exprMayUnderflow(expr)
select expr, "this expression may cause an integer overflow"
select expr, "This expression may cause an integer overflow."


@@ -1,5 +1,5 @@
name: codeql/go-queries
version: 0.3.1-dev
version: 0.3.2-dev
groups:
- go
- queries


@@ -24,9 +24,9 @@ nodes
| DivideByZero.go:57:17:57:21 | value | semmle.label | value |
subpaths
#select
| DivideByZero.go:12:16:12:20 | value | DivideByZero.go:10:12:10:16 | selection of URL : pointer type | DivideByZero.go:12:16:12:20 | value | Variable $@ might be zero leading to a division-by-zero panic. | DivideByZero.go:12:16:12:20 | value | value |
| DivideByZero.go:19:16:19:20 | value | DivideByZero.go:17:12:17:16 | selection of URL : pointer type | DivideByZero.go:19:16:19:20 | value | Variable $@ might be zero leading to a division-by-zero panic. | DivideByZero.go:19:16:19:20 | value | value |
| DivideByZero.go:26:16:26:20 | value | DivideByZero.go:24:12:24:16 | selection of URL : pointer type | DivideByZero.go:26:16:26:20 | value | Variable $@ might be zero leading to a division-by-zero panic. | DivideByZero.go:26:16:26:20 | value | value |
| DivideByZero.go:33:16:33:20 | value | DivideByZero.go:31:12:31:16 | selection of URL : pointer type | DivideByZero.go:33:16:33:20 | value | Variable $@ might be zero leading to a division-by-zero panic. | DivideByZero.go:33:16:33:20 | value | value |
| DivideByZero.go:40:16:40:20 | value | DivideByZero.go:38:12:38:16 | selection of URL : pointer type | DivideByZero.go:40:16:40:20 | value | Variable $@ might be zero leading to a division-by-zero panic. | DivideByZero.go:40:16:40:20 | value | value |
| DivideByZero.go:57:17:57:21 | value | DivideByZero.go:54:12:54:16 | selection of URL : pointer type | DivideByZero.go:57:17:57:21 | value | Variable $@ might be zero leading to a division-by-zero panic. | DivideByZero.go:57:17:57:21 | value | value |
| DivideByZero.go:12:16:12:20 | value | DivideByZero.go:10:12:10:16 | selection of URL : pointer type | DivideByZero.go:12:16:12:20 | value | This variable might be zero leading to a division-by-zero panic. |
| DivideByZero.go:19:16:19:20 | value | DivideByZero.go:17:12:17:16 | selection of URL : pointer type | DivideByZero.go:19:16:19:20 | value | This variable might be zero leading to a division-by-zero panic. |
| DivideByZero.go:26:16:26:20 | value | DivideByZero.go:24:12:24:16 | selection of URL : pointer type | DivideByZero.go:26:16:26:20 | value | This variable might be zero leading to a division-by-zero panic. |
| DivideByZero.go:33:16:33:20 | value | DivideByZero.go:31:12:31:16 | selection of URL : pointer type | DivideByZero.go:33:16:33:20 | value | This variable might be zero leading to a division-by-zero panic. |
| DivideByZero.go:40:16:40:20 | value | DivideByZero.go:38:12:38:16 | selection of URL : pointer type | DivideByZero.go:40:16:40:20 | value | This variable might be zero leading to a division-by-zero panic. |
| DivideByZero.go:57:17:57:21 | value | DivideByZero.go:54:12:54:16 | selection of URL : pointer type | DivideByZero.go:57:17:57:21 | value | This variable might be zero leading to a division-by-zero panic. |


@@ -8,6 +8,6 @@ edges
| test.go:24:2:26:2 | for statement | test.go:25:3:25:17 | call to runRunQuery |
| test.go:25:3:25:17 | call to runRunQuery | test.go:14:1:16:1 | function declaration |
#select
| DatabaseCallInLoop.go:9:3:9:41 | call to First | DatabaseCallInLoop.go:7:2:11:2 | range statement | DatabaseCallInLoop.go:9:3:9:41 | call to First | $@ is called in $@ | DatabaseCallInLoop.go:9:3:9:41 | call to First | call to First | DatabaseCallInLoop.go:7:2:11:2 | range statement | a loop |
| test.go:11:2:11:13 | call to Take | test.go:20:2:22:2 | for statement | test.go:11:2:11:13 | call to Take | $@ is called in $@ | test.go:11:2:11:13 | call to Take | call to Take | test.go:20:2:22:2 | for statement | a loop |
| test.go:11:2:11:13 | call to Take | test.go:24:2:26:2 | for statement | test.go:11:2:11:13 | call to Take | $@ is called in $@ | test.go:11:2:11:13 | call to Take | call to Take | test.go:24:2:26:2 | for statement | a loop |
| DatabaseCallInLoop.go:9:3:9:41 | call to First | DatabaseCallInLoop.go:7:2:11:2 | range statement | DatabaseCallInLoop.go:9:3:9:41 | call to First | This calls call to First in a $@. | DatabaseCallInLoop.go:7:2:11:2 | range statement | loop |
| test.go:11:2:11:13 | call to Take | test.go:20:2:22:2 | for statement | test.go:11:2:11:13 | call to Take | This calls call to Take in a $@. | test.go:20:2:22:2 | for statement | loop |
| test.go:11:2:11:13 | call to Take | test.go:24:2:26:2 | for statement | test.go:11:2:11:13 | call to Take | This calls call to Take in a $@. | test.go:24:2:26:2 | for statement | loop |
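Review bot: The new alert text on the three #select rows, `This calls call to First in a $@.` and `This calls call to Take in a $@.`, renders as "This calls call to First in a loop", so the verb "calls" is immediately followed by the call's own description and the sentence doubles up. This presumably comes from the query now splicing the call's string representation into the message where the previous `$@ is called in $@` form used a placeholder. If so, the message should be phrased around that description, e.g. `This call to First is made in a $@.` (built as "This " + call + " is made in a $@."), or the call should stay a `$@` link as before. The query itself is outside this diff, so the fix belongs in its select clause with these expected rows updated to match.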


@@ -55,20 +55,20 @@ nodes
| new-tests.go:96:11:96:46 | ...+... | semmle.label | ...+... |
subpaths
#select
| builtin.go:22:12:22:63 | call to Get | builtin.go:19:12:19:34 | call to FormValue : string | builtin.go:22:21:22:62 | ...+... | The URL of this request depends on a user-provided value |
| builtin.go:88:12:88:53 | call to Dial | builtin.go:83:21:83:31 | call to Referer : string | builtin.go:88:27:88:40 | untrustedInput | The URL of this request depends on a user-provided value |
| builtin.go:102:13:102:40 | call to DialConfig | builtin.go:97:21:97:31 | call to Referer : string | builtin.go:101:36:101:49 | untrustedInput | The URL of this request depends on a user-provided value |
| builtin.go:114:3:114:39 | call to Dial | builtin.go:111:21:111:31 | call to Referer : string | builtin.go:114:15:114:28 | untrustedInput | The URL of this request depends on a user-provided value |
| builtin.go:132:3:132:62 | call to DialContext | builtin.go:129:21:129:31 | call to Referer : string | builtin.go:132:38:132:51 | untrustedInput | The URL of this request depends on a user-provided value |
| new-tests.go:31:2:31:58 | call to Get | new-tests.go:26:26:26:30 | &... : pointer type | new-tests.go:31:11:31:57 | call to Sprintf | The URL of this request depends on a user-provided value |
| new-tests.go:32:2:32:58 | call to Get | new-tests.go:26:26:26:30 | &... : pointer type | new-tests.go:32:11:32:57 | call to Sprintf | The URL of this request depends on a user-provided value |
| new-tests.go:35:3:35:59 | call to Get | new-tests.go:26:26:26:30 | &... : pointer type | new-tests.go:35:12:35:58 | call to Sprintf | The URL of this request depends on a user-provided value |
| new-tests.go:47:2:47:47 | call to Get | new-tests.go:39:18:39:30 | call to Param : string | new-tests.go:47:11:47:46 | ...+... | The URL of this request depends on a user-provided value |
| new-tests.go:50:2:50:47 | call to Get | new-tests.go:49:18:49:30 | call to Query : string | new-tests.go:50:11:50:46 | ...+... | The URL of this request depends on a user-provided value |
| new-tests.go:68:2:68:58 | call to Get | new-tests.go:62:31:62:38 | selection of Body : ReadCloser | new-tests.go:68:11:68:57 | call to Sprintf | The URL of this request depends on a user-provided value |
| new-tests.go:69:2:69:58 | call to Get | new-tests.go:62:31:62:38 | selection of Body : ReadCloser | new-tests.go:69:11:69:57 | call to Sprintf | The URL of this request depends on a user-provided value |
| new-tests.go:74:3:74:59 | call to Get | new-tests.go:62:31:62:38 | selection of Body : ReadCloser | new-tests.go:74:12:74:58 | call to Sprintf | The URL of this request depends on a user-provided value |
| new-tests.go:79:2:79:47 | call to Get | new-tests.go:78:18:78:24 | selection of URL : pointer type | new-tests.go:79:11:79:46 | ...+... | The URL of this request depends on a user-provided value |
| new-tests.go:82:2:82:47 | call to Get | new-tests.go:81:37:81:43 | selection of URL : pointer type | new-tests.go:82:11:82:46 | ...+... | The URL of this request depends on a user-provided value |
| new-tests.go:88:2:88:47 | call to Get | new-tests.go:86:10:86:20 | call to Vars : map type | new-tests.go:88:11:88:46 | ...+... | The URL of this request depends on a user-provided value |
| new-tests.go:96:2:96:47 | call to Get | new-tests.go:95:18:95:45 | call to URLParam : string | new-tests.go:96:11:96:46 | ...+... | The URL of this request depends on a user-provided value |
| builtin.go:22:12:22:63 | call to Get | builtin.go:19:12:19:34 | call to FormValue : string | builtin.go:22:21:22:62 | ...+... | The URL of this request depends on a user-provided value. |
| builtin.go:88:12:88:53 | call to Dial | builtin.go:83:21:83:31 | call to Referer : string | builtin.go:88:27:88:40 | untrustedInput | The URL of this request depends on a user-provided value. |
| builtin.go:102:13:102:40 | call to DialConfig | builtin.go:97:21:97:31 | call to Referer : string | builtin.go:101:36:101:49 | untrustedInput | The URL of this request depends on a user-provided value. |
| builtin.go:114:3:114:39 | call to Dial | builtin.go:111:21:111:31 | call to Referer : string | builtin.go:114:15:114:28 | untrustedInput | The URL of this request depends on a user-provided value. |
| builtin.go:132:3:132:62 | call to DialContext | builtin.go:129:21:129:31 | call to Referer : string | builtin.go:132:38:132:51 | untrustedInput | The URL of this request depends on a user-provided value. |
| new-tests.go:31:2:31:58 | call to Get | new-tests.go:26:26:26:30 | &... : pointer type | new-tests.go:31:11:31:57 | call to Sprintf | The URL of this request depends on a user-provided value. |
| new-tests.go:32:2:32:58 | call to Get | new-tests.go:26:26:26:30 | &... : pointer type | new-tests.go:32:11:32:57 | call to Sprintf | The URL of this request depends on a user-provided value. |
| new-tests.go:35:3:35:59 | call to Get | new-tests.go:26:26:26:30 | &... : pointer type | new-tests.go:35:12:35:58 | call to Sprintf | The URL of this request depends on a user-provided value. |
| new-tests.go:47:2:47:47 | call to Get | new-tests.go:39:18:39:30 | call to Param : string | new-tests.go:47:11:47:46 | ...+... | The URL of this request depends on a user-provided value. |
| new-tests.go:50:2:50:47 | call to Get | new-tests.go:49:18:49:30 | call to Query : string | new-tests.go:50:11:50:46 | ...+... | The URL of this request depends on a user-provided value. |
| new-tests.go:68:2:68:58 | call to Get | new-tests.go:62:31:62:38 | selection of Body : ReadCloser | new-tests.go:68:11:68:57 | call to Sprintf | The URL of this request depends on a user-provided value. |
| new-tests.go:69:2:69:58 | call to Get | new-tests.go:62:31:62:38 | selection of Body : ReadCloser | new-tests.go:69:11:69:57 | call to Sprintf | The URL of this request depends on a user-provided value. |
| new-tests.go:74:3:74:59 | call to Get | new-tests.go:62:31:62:38 | selection of Body : ReadCloser | new-tests.go:74:12:74:58 | call to Sprintf | The URL of this request depends on a user-provided value. |
| new-tests.go:79:2:79:47 | call to Get | new-tests.go:78:18:78:24 | selection of URL : pointer type | new-tests.go:79:11:79:46 | ...+... | The URL of this request depends on a user-provided value. |
| new-tests.go:82:2:82:47 | call to Get | new-tests.go:81:37:81:43 | selection of URL : pointer type | new-tests.go:82:11:82:46 | ...+... | The URL of this request depends on a user-provided value. |
| new-tests.go:88:2:88:47 | call to Get | new-tests.go:86:10:86:20 | call to Vars : map type | new-tests.go:88:11:88:46 | ...+... | The URL of this request depends on a user-provided value. |
| new-tests.go:96:2:96:47 | call to Get | new-tests.go:95:18:95:45 | call to URLParam : string | new-tests.go:96:11:96:46 | ...+... | The URL of this request depends on a user-provided value. |


@@ -1,72 +1,72 @@
edges
nodes
| test.go:147:14:147:21 | password | semmle.label | password |
| test.go:148:17:148:24 | password | semmle.label | password |
| test.go:149:14:149:21 | password | semmle.label | password |
| test.go:150:18:150:25 | password | semmle.label | password |
| test.go:151:14:151:21 | password | semmle.label | password |
| test.go:152:13:152:20 | password | semmle.label | password |
| test.go:153:22:153:29 | password | semmle.label | password |
| test.go:154:15:154:22 | password | semmle.label | password |
| test.go:155:14:155:21 | password | semmle.label | password |
| test.go:156:13:156:20 | password | semmle.label | password |
| test.go:157:16:157:23 | password | semmle.label | password |
| test.go:158:13:158:20 | password | semmle.label | password |
| test.go:159:16:159:23 | password | semmle.label | password |
| test.go:160:13:160:20 | password | semmle.label | password |
| test.go:161:17:161:24 | password | semmle.label | password |
| test.go:162:13:162:20 | password | semmle.label | password |
| test.go:163:12:163:19 | password | semmle.label | password |
| test.go:164:21:164:28 | password | semmle.label | password |
| test.go:165:14:165:21 | password | semmle.label | password |
| test.go:166:13:166:20 | password | semmle.label | password |
| test.go:167:12:167:19 | password | semmle.label | password |
| test.go:168:15:168:22 | password | semmle.label | password |
| test.go:148:14:148:21 | password | semmle.label | password |
| test.go:149:17:149:24 | password | semmle.label | password |
| test.go:150:14:150:21 | password | semmle.label | password |
| test.go:151:18:151:25 | password | semmle.label | password |
| test.go:152:14:152:21 | password | semmle.label | password |
| test.go:153:13:153:20 | password | semmle.label | password |
| test.go:154:22:154:29 | password | semmle.label | password |
| test.go:155:15:155:22 | password | semmle.label | password |
| test.go:156:14:156:21 | password | semmle.label | password |
| test.go:157:13:157:20 | password | semmle.label | password |
| test.go:158:16:158:23 | password | semmle.label | password |
| test.go:159:13:159:20 | password | semmle.label | password |
| test.go:160:16:160:23 | password | semmle.label | password |
| test.go:161:13:161:20 | password | semmle.label | password |
| test.go:162:17:162:24 | password | semmle.label | password |
| test.go:163:13:163:20 | password | semmle.label | password |
| test.go:164:12:164:19 | password | semmle.label | password |
| test.go:165:21:165:28 | password | semmle.label | password |
| test.go:166:14:166:21 | password | semmle.label | password |
| test.go:167:13:167:20 | password | semmle.label | password |
| test.go:168:12:168:19 | password | semmle.label | password |
| test.go:169:15:169:22 | password | semmle.label | password |
| test.go:170:18:170:25 | password | semmle.label | password |
| test.go:171:15:171:22 | password | semmle.label | password |
| test.go:172:19:172:26 | password | semmle.label | password |
| test.go:173:15:173:22 | password | semmle.label | password |
| test.go:174:14:174:21 | password | semmle.label | password |
| test.go:175:23:175:30 | password | semmle.label | password |
| test.go:176:16:176:23 | password | semmle.label | password |
| test.go:177:15:177:22 | password | semmle.label | password |
| test.go:178:14:178:21 | password | semmle.label | password |
| test.go:179:17:179:24 | password | semmle.label | password |
| test.go:180:16:180:23 | password | semmle.label | password |
| test.go:170:15:170:22 | password | semmle.label | password |
| test.go:171:18:171:25 | password | semmle.label | password |
| test.go:172:15:172:22 | password | semmle.label | password |
| test.go:173:19:173:26 | password | semmle.label | password |
| test.go:174:15:174:22 | password | semmle.label | password |
| test.go:175:14:175:21 | password | semmle.label | password |
| test.go:176:23:176:30 | password | semmle.label | password |
| test.go:177:16:177:23 | password | semmle.label | password |
| test.go:178:15:178:22 | password | semmle.label | password |
| test.go:179:14:179:21 | password | semmle.label | password |
| test.go:180:17:180:24 | password | semmle.label | password |
| test.go:181:16:181:23 | password | semmle.label | password |
subpaths
#select
| test.go:147:14:147:21 | password | test.go:147:14:147:21 | password | test.go:147:14:147:21 | password | $@ flows to a logging call. | test.go:147:14:147:21 | password | Sensitive data returned by an access to password |
| test.go:148:17:148:24 | password | test.go:148:17:148:24 | password | test.go:148:17:148:24 | password | $@ flows to a logging call. | test.go:148:17:148:24 | password | Sensitive data returned by an access to password |
| test.go:149:14:149:21 | password | test.go:149:14:149:21 | password | test.go:149:14:149:21 | password | $@ flows to a logging call. | test.go:149:14:149:21 | password | Sensitive data returned by an access to password |
| test.go:150:18:150:25 | password | test.go:150:18:150:25 | password | test.go:150:18:150:25 | password | $@ flows to a logging call. | test.go:150:18:150:25 | password | Sensitive data returned by an access to password |
| test.go:151:14:151:21 | password | test.go:151:14:151:21 | password | test.go:151:14:151:21 | password | $@ flows to a logging call. | test.go:151:14:151:21 | password | Sensitive data returned by an access to password |
| test.go:152:13:152:20 | password | test.go:152:13:152:20 | password | test.go:152:13:152:20 | password | $@ flows to a logging call. | test.go:152:13:152:20 | password | Sensitive data returned by an access to password |
| test.go:153:22:153:29 | password | test.go:153:22:153:29 | password | test.go:153:22:153:29 | password | $@ flows to a logging call. | test.go:153:22:153:29 | password | Sensitive data returned by an access to password |
| test.go:154:15:154:22 | password | test.go:154:15:154:22 | password | test.go:154:15:154:22 | password | $@ flows to a logging call. | test.go:154:15:154:22 | password | Sensitive data returned by an access to password |
| test.go:155:14:155:21 | password | test.go:155:14:155:21 | password | test.go:155:14:155:21 | password | $@ flows to a logging call. | test.go:155:14:155:21 | password | Sensitive data returned by an access to password |
| test.go:156:13:156:20 | password | test.go:156:13:156:20 | password | test.go:156:13:156:20 | password | $@ flows to a logging call. | test.go:156:13:156:20 | password | Sensitive data returned by an access to password |
| test.go:157:16:157:23 | password | test.go:157:16:157:23 | password | test.go:157:16:157:23 | password | $@ flows to a logging call. | test.go:157:16:157:23 | password | Sensitive data returned by an access to password |
| test.go:158:13:158:20 | password | test.go:158:13:158:20 | password | test.go:158:13:158:20 | password | $@ flows to a logging call. | test.go:158:13:158:20 | password | Sensitive data returned by an access to password |
| test.go:159:16:159:23 | password | test.go:159:16:159:23 | password | test.go:159:16:159:23 | password | $@ flows to a logging call. | test.go:159:16:159:23 | password | Sensitive data returned by an access to password |
| test.go:160:13:160:20 | password | test.go:160:13:160:20 | password | test.go:160:13:160:20 | password | $@ flows to a logging call. | test.go:160:13:160:20 | password | Sensitive data returned by an access to password |
| test.go:161:17:161:24 | password | test.go:161:17:161:24 | password | test.go:161:17:161:24 | password | $@ flows to a logging call. | test.go:161:17:161:24 | password | Sensitive data returned by an access to password |
| test.go:162:13:162:20 | password | test.go:162:13:162:20 | password | test.go:162:13:162:20 | password | $@ flows to a logging call. | test.go:162:13:162:20 | password | Sensitive data returned by an access to password |
| test.go:163:12:163:19 | password | test.go:163:12:163:19 | password | test.go:163:12:163:19 | password | $@ flows to a logging call. | test.go:163:12:163:19 | password | Sensitive data returned by an access to password |
| test.go:164:21:164:28 | password | test.go:164:21:164:28 | password | test.go:164:21:164:28 | password | $@ flows to a logging call. | test.go:164:21:164:28 | password | Sensitive data returned by an access to password |
| test.go:165:14:165:21 | password | test.go:165:14:165:21 | password | test.go:165:14:165:21 | password | $@ flows to a logging call. | test.go:165:14:165:21 | password | Sensitive data returned by an access to password |
| test.go:166:13:166:20 | password | test.go:166:13:166:20 | password | test.go:166:13:166:20 | password | $@ flows to a logging call. | test.go:166:13:166:20 | password | Sensitive data returned by an access to password |
| test.go:167:12:167:19 | password | test.go:167:12:167:19 | password | test.go:167:12:167:19 | password | $@ flows to a logging call. | test.go:167:12:167:19 | password | Sensitive data returned by an access to password |
| test.go:168:15:168:22 | password | test.go:168:15:168:22 | password | test.go:168:15:168:22 | password | $@ flows to a logging call. | test.go:168:15:168:22 | password | Sensitive data returned by an access to password |
| test.go:148:14:148:21 | password | test.go:148:14:148:21 | password | test.go:148:14:148:21 | password | $@ flows to a logging call. | test.go:148:14:148:21 | password | Sensitive data returned by an access to password |
| test.go:149:17:149:24 | password | test.go:149:17:149:24 | password | test.go:149:17:149:24 | password | $@ flows to a logging call. | test.go:149:17:149:24 | password | Sensitive data returned by an access to password |
| test.go:150:14:150:21 | password | test.go:150:14:150:21 | password | test.go:150:14:150:21 | password | $@ flows to a logging call. | test.go:150:14:150:21 | password | Sensitive data returned by an access to password |
| test.go:151:18:151:25 | password | test.go:151:18:151:25 | password | test.go:151:18:151:25 | password | $@ flows to a logging call. | test.go:151:18:151:25 | password | Sensitive data returned by an access to password |
| test.go:152:14:152:21 | password | test.go:152:14:152:21 | password | test.go:152:14:152:21 | password | $@ flows to a logging call. | test.go:152:14:152:21 | password | Sensitive data returned by an access to password |
| test.go:153:13:153:20 | password | test.go:153:13:153:20 | password | test.go:153:13:153:20 | password | $@ flows to a logging call. | test.go:153:13:153:20 | password | Sensitive data returned by an access to password |
| test.go:154:22:154:29 | password | test.go:154:22:154:29 | password | test.go:154:22:154:29 | password | $@ flows to a logging call. | test.go:154:22:154:29 | password | Sensitive data returned by an access to password |
| test.go:155:15:155:22 | password | test.go:155:15:155:22 | password | test.go:155:15:155:22 | password | $@ flows to a logging call. | test.go:155:15:155:22 | password | Sensitive data returned by an access to password |
| test.go:156:14:156:21 | password | test.go:156:14:156:21 | password | test.go:156:14:156:21 | password | $@ flows to a logging call. | test.go:156:14:156:21 | password | Sensitive data returned by an access to password |
| test.go:157:13:157:20 | password | test.go:157:13:157:20 | password | test.go:157:13:157:20 | password | $@ flows to a logging call. | test.go:157:13:157:20 | password | Sensitive data returned by an access to password |
| test.go:158:16:158:23 | password | test.go:158:16:158:23 | password | test.go:158:16:158:23 | password | $@ flows to a logging call. | test.go:158:16:158:23 | password | Sensitive data returned by an access to password |
| test.go:159:13:159:20 | password | test.go:159:13:159:20 | password | test.go:159:13:159:20 | password | $@ flows to a logging call. | test.go:159:13:159:20 | password | Sensitive data returned by an access to password |
| test.go:160:16:160:23 | password | test.go:160:16:160:23 | password | test.go:160:16:160:23 | password | $@ flows to a logging call. | test.go:160:16:160:23 | password | Sensitive data returned by an access to password |
| test.go:161:13:161:20 | password | test.go:161:13:161:20 | password | test.go:161:13:161:20 | password | $@ flows to a logging call. | test.go:161:13:161:20 | password | Sensitive data returned by an access to password |
| test.go:162:17:162:24 | password | test.go:162:17:162:24 | password | test.go:162:17:162:24 | password | $@ flows to a logging call. | test.go:162:17:162:24 | password | Sensitive data returned by an access to password |
| test.go:163:13:163:20 | password | test.go:163:13:163:20 | password | test.go:163:13:163:20 | password | $@ flows to a logging call. | test.go:163:13:163:20 | password | Sensitive data returned by an access to password |
| test.go:164:12:164:19 | password | test.go:164:12:164:19 | password | test.go:164:12:164:19 | password | $@ flows to a logging call. | test.go:164:12:164:19 | password | Sensitive data returned by an access to password |
| test.go:165:21:165:28 | password | test.go:165:21:165:28 | password | test.go:165:21:165:28 | password | $@ flows to a logging call. | test.go:165:21:165:28 | password | Sensitive data returned by an access to password |
| test.go:166:14:166:21 | password | test.go:166:14:166:21 | password | test.go:166:14:166:21 | password | $@ flows to a logging call. | test.go:166:14:166:21 | password | Sensitive data returned by an access to password |
| test.go:167:13:167:20 | password | test.go:167:13:167:20 | password | test.go:167:13:167:20 | password | $@ flows to a logging call. | test.go:167:13:167:20 | password | Sensitive data returned by an access to password |
| test.go:168:12:168:19 | password | test.go:168:12:168:19 | password | test.go:168:12:168:19 | password | $@ flows to a logging call. | test.go:168:12:168:19 | password | Sensitive data returned by an access to password |
| test.go:169:15:169:22 | password | test.go:169:15:169:22 | password | test.go:169:15:169:22 | password | $@ flows to a logging call. | test.go:169:15:169:22 | password | Sensitive data returned by an access to password |
| test.go:170:18:170:25 | password | test.go:170:18:170:25 | password | test.go:170:18:170:25 | password | $@ flows to a logging call. | test.go:170:18:170:25 | password | Sensitive data returned by an access to password |
| test.go:171:15:171:22 | password | test.go:171:15:171:22 | password | test.go:171:15:171:22 | password | $@ flows to a logging call. | test.go:171:15:171:22 | password | Sensitive data returned by an access to password |
| test.go:172:19:172:26 | password | test.go:172:19:172:26 | password | test.go:172:19:172:26 | password | $@ flows to a logging call. | test.go:172:19:172:26 | password | Sensitive data returned by an access to password |
| test.go:173:15:173:22 | password | test.go:173:15:173:22 | password | test.go:173:15:173:22 | password | $@ flows to a logging call. | test.go:173:15:173:22 | password | Sensitive data returned by an access to password |
| test.go:174:14:174:21 | password | test.go:174:14:174:21 | password | test.go:174:14:174:21 | password | $@ flows to a logging call. | test.go:174:14:174:21 | password | Sensitive data returned by an access to password |
| test.go:175:23:175:30 | password | test.go:175:23:175:30 | password | test.go:175:23:175:30 | password | $@ flows to a logging call. | test.go:175:23:175:30 | password | Sensitive data returned by an access to password |
| test.go:176:16:176:23 | password | test.go:176:16:176:23 | password | test.go:176:16:176:23 | password | $@ flows to a logging call. | test.go:176:16:176:23 | password | Sensitive data returned by an access to password |
| test.go:177:15:177:22 | password | test.go:177:15:177:22 | password | test.go:177:15:177:22 | password | $@ flows to a logging call. | test.go:177:15:177:22 | password | Sensitive data returned by an access to password |
| test.go:178:14:178:21 | password | test.go:178:14:178:21 | password | test.go:178:14:178:21 | password | $@ flows to a logging call. | test.go:178:14:178:21 | password | Sensitive data returned by an access to password |
| test.go:179:17:179:24 | password | test.go:179:17:179:24 | password | test.go:179:17:179:24 | password | $@ flows to a logging call. | test.go:179:17:179:24 | password | Sensitive data returned by an access to password |
| test.go:180:16:180:23 | password | test.go:180:16:180:23 | password | test.go:180:16:180:23 | password | $@ flows to a logging call. | test.go:180:16:180:23 | password | Sensitive data returned by an access to password |
| test.go:170:15:170:22 | password | test.go:170:15:170:22 | password | test.go:170:15:170:22 | password | $@ flows to a logging call. | test.go:170:15:170:22 | password | Sensitive data returned by an access to password |
| test.go:171:18:171:25 | password | test.go:171:18:171:25 | password | test.go:171:18:171:25 | password | $@ flows to a logging call. | test.go:171:18:171:25 | password | Sensitive data returned by an access to password |
| test.go:172:15:172:22 | password | test.go:172:15:172:22 | password | test.go:172:15:172:22 | password | $@ flows to a logging call. | test.go:172:15:172:22 | password | Sensitive data returned by an access to password |
| test.go:173:19:173:26 | password | test.go:173:19:173:26 | password | test.go:173:19:173:26 | password | $@ flows to a logging call. | test.go:173:19:173:26 | password | Sensitive data returned by an access to password |
| test.go:174:15:174:22 | password | test.go:174:15:174:22 | password | test.go:174:15:174:22 | password | $@ flows to a logging call. | test.go:174:15:174:22 | password | Sensitive data returned by an access to password |
| test.go:175:14:175:21 | password | test.go:175:14:175:21 | password | test.go:175:14:175:21 | password | $@ flows to a logging call. | test.go:175:14:175:21 | password | Sensitive data returned by an access to password |
| test.go:176:23:176:30 | password | test.go:176:23:176:30 | password | test.go:176:23:176:30 | password | $@ flows to a logging call. | test.go:176:23:176:30 | password | Sensitive data returned by an access to password |
| test.go:177:16:177:23 | password | test.go:177:16:177:23 | password | test.go:177:16:177:23 | password | $@ flows to a logging call. | test.go:177:16:177:23 | password | Sensitive data returned by an access to password |
| test.go:178:15:178:22 | password | test.go:178:15:178:22 | password | test.go:178:15:178:22 | password | $@ flows to a logging call. | test.go:178:15:178:22 | password | Sensitive data returned by an access to password |
| test.go:179:14:179:21 | password | test.go:179:14:179:21 | password | test.go:179:14:179:21 | password | $@ flows to a logging call. | test.go:179:14:179:21 | password | Sensitive data returned by an access to password |
| test.go:180:17:180:24 | password | test.go:180:17:180:24 | password | test.go:180:17:180:24 | password | $@ flows to a logging call. | test.go:180:17:180:24 | password | Sensitive data returned by an access to password |
| test.go:181:16:181:23 | password | test.go:181:16:181:23 | password | test.go:181:16:181:23 | password | $@ flows to a logging call. | test.go:181:16:181:23 | password | Sensitive data returned by an access to password |


@@ -1,12 +1,12 @@
edges
nodes
| test.go:246:13:246:34 | call to GetString | semmle.label | call to GetString |
| test.go:247:20:247:41 | call to GetString | semmle.label | call to GetString |
| test.go:310:13:310:27 | call to URI | semmle.label | call to URI |
| test.go:310:13:310:27 | call to URI | semmle.label | call to URI |
| test.go:311:20:311:34 | call to URL | semmle.label | call to URL |
| test.go:311:20:311:34 | call to URL | semmle.label | call to URL |
| test.go:247:13:247:34 | call to GetString | semmle.label | call to GetString |
| test.go:248:20:248:41 | call to GetString | semmle.label | call to GetString |
| test.go:311:13:311:27 | call to URI | semmle.label | call to URI |
| test.go:311:13:311:27 | call to URI | semmle.label | call to URI |
| test.go:312:20:312:34 | call to URL | semmle.label | call to URL |
| test.go:312:20:312:34 | call to URL | semmle.label | call to URL |
subpaths
#select
| test.go:246:13:246:34 | call to GetString | test.go:246:13:246:34 | call to GetString | test.go:246:13:246:34 | call to GetString | Untrusted URL redirection depends on a $@. | test.go:246:13:246:34 | call to GetString | user-provided value |
| test.go:247:20:247:41 | call to GetString | test.go:247:20:247:41 | call to GetString | test.go:247:20:247:41 | call to GetString | Untrusted URL redirection depends on a $@. | test.go:247:20:247:41 | call to GetString | user-provided value |
| test.go:247:13:247:34 | call to GetString | test.go:247:13:247:34 | call to GetString | test.go:247:13:247:34 | call to GetString | Untrusted URL redirection depends on a $@. | test.go:247:13:247:34 | call to GetString | user-provided value |
| test.go:248:20:248:41 | call to GetString | test.go:248:20:248:41 | call to GetString | test.go:248:20:248:41 | call to GetString | Untrusted URL redirection depends on a $@. | test.go:248:20:248:41 | call to GetString | user-provided value |


@@ -1,317 +1,317 @@
edges
| test.go:26:6:26:10 | definition of bound : bindMe | test.go:28:13:28:30 | type conversion |
| test.go:26:6:26:10 | definition of bound : bindMe | test.go:28:20:28:26 | selection of a : slice type |
| test.go:26:6:26:10 | definition of bound : bindMe | test.go:29:13:29:27 | type conversion |
| test.go:26:6:26:10 | definition of bound : bindMe | test.go:30:13:30:29 | type conversion |
| test.go:26:6:26:10 | definition of bound : bindMe | test.go:30:20:30:26 | selection of c : subBindMe |
| test.go:28:20:28:26 | selection of a : slice type | test.go:28:13:28:30 | type conversion |
| test.go:30:20:30:26 | selection of c : subBindMe | test.go:30:13:30:29 | type conversion |
| test.go:35:20:35:42 | call to Cookie : string | test.go:35:13:35:43 | type conversion |
| test.go:40:20:40:31 | call to Data : map type | test.go:40:13:40:52 | type conversion |
| test.go:45:20:45:43 | call to GetData : basic interface type | test.go:45:13:45:53 | type conversion |
| test.go:50:20:50:42 | call to Header : string | test.go:50:13:50:43 | type conversion |
| test.go:55:20:55:41 | call to Param : string | test.go:55:13:55:42 | type conversion |
| test.go:60:20:60:33 | call to Params : map type | test.go:60:13:60:45 | type conversion |
| test.go:65:20:65:41 | call to Query : string | test.go:65:13:65:42 | type conversion |
| test.go:70:20:70:32 | call to Refer : string | test.go:70:13:70:33 | type conversion |
| test.go:75:20:75:34 | call to Referer : string | test.go:75:13:75:35 | type conversion |
| test.go:80:20:80:30 | call to URI : string | test.go:80:13:80:31 | type conversion |
| test.go:85:20:85:30 | call to URL : string | test.go:85:13:85:31 | type conversion |
| test.go:90:20:90:36 | call to UserAgent : string | test.go:90:13:90:37 | type conversion |
| test.go:95:14:95:25 | call to Data : map type | test.go:95:14:95:45 | type assertion |
| test.go:107:14:107:25 | call to Data : map type | test.go:107:14:107:45 | type assertion |
| test.go:119:14:119:25 | call to Data : map type | test.go:119:14:119:45 | type assertion |
| test.go:136:23:136:42 | call to Data : map type | test.go:136:23:136:62 | type assertion |
| test.go:192:15:192:26 | call to Data : map type | test.go:193:14:193:55 | type conversion |
| test.go:192:15:192:26 | call to Data : map type | test.go:194:14:194:58 | type conversion |
| test.go:192:15:192:26 | call to Data : map type | test.go:196:14:196:28 | type assertion |
| test.go:192:15:192:26 | call to Data : map type | test.go:197:14:197:55 | type conversion |
| test.go:192:15:192:26 | call to Data : map type | test.go:198:14:198:59 | type conversion |
| test.go:201:18:201:33 | selection of Form : Values | test.go:202:14:202:28 | type conversion |
| test.go:216:2:216:34 | ... := ...[0] : File | test.go:219:14:219:20 | content |
| test.go:216:2:216:34 | ... := ...[1] : pointer type | test.go:217:14:217:32 | type conversion |
| test.go:216:2:216:34 | ... := ...[1] : pointer type | test.go:217:21:217:22 | implicit dereference : FileHeader |
| test.go:217:21:217:22 | implicit dereference : FileHeader | test.go:217:14:217:32 | type conversion |
| test.go:217:21:217:22 | implicit dereference : FileHeader | test.go:217:21:217:22 | implicit dereference : FileHeader |
| test.go:221:2:221:40 | ... := ...[0] : slice type | test.go:222:14:222:38 | type conversion |
| test.go:221:2:221:40 | ... := ...[0] : slice type | test.go:222:21:222:28 | implicit dereference : FileHeader |
| test.go:221:2:221:40 | ... := ...[0] : slice type | test.go:222:21:222:28 | index expression : pointer type |
| test.go:222:21:222:28 | implicit dereference : FileHeader | test.go:222:14:222:38 | type conversion |
| test.go:222:21:222:28 | implicit dereference : FileHeader | test.go:222:21:222:28 | implicit dereference : FileHeader |
| test.go:222:21:222:28 | implicit dereference : FileHeader | test.go:222:21:222:28 | index expression : pointer type |
| test.go:222:21:222:28 | index expression : pointer type | test.go:222:14:222:38 | type conversion |
| test.go:222:21:222:28 | index expression : pointer type | test.go:222:21:222:28 | implicit dereference : FileHeader |
| test.go:222:21:222:28 | index expression : pointer type | test.go:222:21:222:28 | index expression : pointer type |
| test.go:224:7:224:28 | call to GetString : string | test.go:225:14:225:22 | type conversion |
| test.go:227:8:227:35 | call to GetStrings : slice type | test.go:228:14:228:26 | type conversion |
| test.go:230:9:230:17 | call to Input : Values | test.go:231:14:231:27 | type conversion |
| test.go:233:6:233:8 | definition of str : myStruct | test.go:235:14:235:30 | type conversion |
| test.go:239:15:239:36 | call to GetString : string | test.go:242:21:242:29 | untrusted |
| test.go:252:23:252:44 | call to GetCookie : string | test.go:252:16:252:45 | type conversion |
| test.go:263:62:263:83 | call to GetCookie : string | test.go:263:55:263:84 | type conversion |
| test.go:268:2:268:40 | ... := ...[0] : slice type | test.go:276:21:276:61 | call to GetDisplayString |
| test.go:268:2:268:40 | ... := ...[0] : slice type | test.go:276:44:276:51 | implicit dereference : FileHeader |
| test.go:268:2:268:40 | ... := ...[0] : slice type | test.go:276:44:276:51 | index expression : pointer type |
| test.go:268:2:268:40 | ... := ...[0] : slice type | test.go:277:21:277:53 | call to SliceChunk : slice type |
| test.go:268:2:268:40 | ... := ...[0] : slice type | test.go:277:21:277:56 | index expression : slice type |
| test.go:268:2:268:40 | ... := ...[0] : slice type | test.go:277:21:277:83 | implicit dereference : FileHeader |
| test.go:268:2:268:40 | ... := ...[0] : slice type | test.go:277:21:277:92 | selection of Filename |
| test.go:268:2:268:40 | ... := ...[0] : slice type | test.go:278:21:278:60 | call to SliceDiff : slice type |
| test.go:268:2:268:40 | ... := ...[0] : slice type | test.go:278:21:278:87 | implicit dereference : FileHeader |
| test.go:268:2:268:40 | ... := ...[0] : slice type | test.go:278:21:278:96 | selection of Filename |
| test.go:268:2:268:40 | ... := ...[0] : slice type | test.go:283:3:285:44 | call to SliceFilter : slice type |
| test.go:268:2:268:40 | ... := ...[0] : slice type | test.go:283:3:285:71 | implicit dereference : FileHeader |
| test.go:268:2:268:40 | ... := ...[0] : slice type | test.go:283:3:285:80 | selection of Filename |
| test.go:268:2:268:40 | ... := ...[0] : slice type | test.go:286:21:286:65 | call to SliceIntersect : slice type |
| test.go:268:2:268:40 | ... := ...[0] : slice type | test.go:286:21:286:92 | implicit dereference : FileHeader |
| test.go:268:2:268:40 | ... := ...[0] : slice type | test.go:286:21:286:101 | selection of Filename |
| test.go:268:2:268:40 | ... := ...[0] : slice type | test.go:287:21:287:65 | call to SliceIntersect : slice type |
| test.go:268:2:268:40 | ... := ...[0] : slice type | test.go:287:21:287:92 | implicit dereference : FileHeader |
| test.go:268:2:268:40 | ... := ...[0] : slice type | test.go:287:21:287:101 | selection of Filename |
| test.go:268:2:268:40 | ... := ...[0] : slice type | test.go:288:21:288:61 | call to SliceMerge : slice type |
| test.go:268:2:268:40 | ... := ...[0] : slice type | test.go:288:21:288:88 | implicit dereference : FileHeader |
| test.go:268:2:268:40 | ... := ...[0] : slice type | test.go:288:21:288:97 | selection of Filename |
| test.go:268:2:268:40 | ... := ...[0] : slice type | test.go:289:21:289:61 | call to SliceMerge : slice type |
| test.go:268:2:268:40 | ... := ...[0] : slice type | test.go:289:21:289:88 | implicit dereference : FileHeader |
| test.go:268:2:268:40 | ... := ...[0] : slice type | test.go:289:21:289:97 | selection of Filename |
| test.go:268:2:268:40 | ... := ...[0] : slice type | test.go:290:21:290:66 | call to SlicePad : slice type |
| test.go:268:2:268:40 | ... := ...[0] : slice type | test.go:290:21:290:93 | implicit dereference : FileHeader |
| test.go:268:2:268:40 | ... := ...[0] : slice type | test.go:290:21:290:102 | selection of Filename |
| test.go:268:2:268:40 | ... := ...[0] : slice type | test.go:291:21:291:66 | call to SlicePad : slice type |
| test.go:268:2:268:40 | ... := ...[0] : slice type | test.go:291:21:291:93 | implicit dereference : FileHeader |
| test.go:268:2:268:40 | ... := ...[0] : slice type | test.go:291:21:291:102 | selection of Filename |
| test.go:268:2:268:40 | ... := ...[0] : slice type | test.go:292:21:292:73 | implicit dereference : FileHeader |
| test.go:268:2:268:40 | ... := ...[0] : slice type | test.go:292:21:292:82 | selection of Filename |
| test.go:268:2:268:40 | ... := ...[0] : slice type | test.go:294:21:294:97 | call to SliceReduce : slice type |
| test.go:268:2:268:40 | ... := ...[0] : slice type | test.go:294:21:294:124 | implicit dereference : FileHeader |
| test.go:268:2:268:40 | ... := ...[0] : slice type | test.go:294:21:294:133 | selection of Filename |
| test.go:268:2:268:40 | ... := ...[0] : slice type | test.go:295:21:295:52 | call to SliceShuffle : slice type |
| test.go:268:2:268:40 | ... := ...[0] : slice type | test.go:295:21:295:79 | implicit dereference : FileHeader |
| test.go:268:2:268:40 | ... := ...[0] : slice type | test.go:295:21:295:88 | selection of Filename |
| test.go:268:2:268:40 | ... := ...[0] : slice type | test.go:296:21:296:51 | call to SliceUnique : slice type |
| test.go:268:2:268:40 | ... := ...[0] : slice type | test.go:296:21:296:78 | implicit dereference : FileHeader |
| test.go:268:2:268:40 | ... := ...[0] : slice type | test.go:296:21:296:87 | selection of Filename |
| test.go:276:44:276:51 | implicit dereference : FileHeader | test.go:276:21:276:61 | call to GetDisplayString |
| test.go:276:44:276:51 | implicit dereference : FileHeader | test.go:276:44:276:51 | implicit dereference : FileHeader |
| test.go:276:44:276:51 | implicit dereference : FileHeader | test.go:276:44:276:51 | index expression : pointer type |
| test.go:276:44:276:51 | index expression : pointer type | test.go:276:21:276:61 | call to GetDisplayString |
| test.go:276:44:276:51 | index expression : pointer type | test.go:276:44:276:51 | implicit dereference : FileHeader |
| test.go:276:44:276:51 | index expression : pointer type | test.go:276:44:276:51 | index expression : pointer type |
| test.go:277:21:277:53 | call to SliceChunk : slice type | test.go:277:21:277:56 | index expression : slice type |
| test.go:277:21:277:53 | call to SliceChunk : slice type | test.go:277:21:277:83 | implicit dereference : FileHeader |
| test.go:277:21:277:53 | call to SliceChunk : slice type | test.go:277:21:277:92 | selection of Filename |
| test.go:277:21:277:56 | index expression : slice type | test.go:277:21:277:83 | implicit dereference : FileHeader |
| test.go:277:21:277:56 | index expression : slice type | test.go:277:21:277:92 | selection of Filename |
| test.go:277:21:277:83 | implicit dereference : FileHeader | test.go:277:21:277:92 | selection of Filename |
| test.go:278:21:278:60 | call to SliceDiff : slice type | test.go:278:21:278:87 | implicit dereference : FileHeader |
| test.go:278:21:278:60 | call to SliceDiff : slice type | test.go:278:21:278:96 | selection of Filename |
| test.go:278:21:278:87 | implicit dereference : FileHeader | test.go:278:21:278:96 | selection of Filename |
| test.go:283:3:285:44 | call to SliceFilter : slice type | test.go:283:3:285:71 | implicit dereference : FileHeader |
| test.go:283:3:285:44 | call to SliceFilter : slice type | test.go:283:3:285:80 | selection of Filename |
| test.go:283:3:285:71 | implicit dereference : FileHeader | test.go:283:3:285:80 | selection of Filename |
| test.go:286:21:286:65 | call to SliceIntersect : slice type | test.go:286:21:286:92 | implicit dereference : FileHeader |
| test.go:286:21:286:65 | call to SliceIntersect : slice type | test.go:286:21:286:101 | selection of Filename |
| test.go:286:21:286:92 | implicit dereference : FileHeader | test.go:286:21:286:101 | selection of Filename |
| test.go:27:6:27:10 | definition of bound : bindMe | test.go:29:13:29:30 | type conversion |
| test.go:27:6:27:10 | definition of bound : bindMe | test.go:29:20:29:26 | selection of a : slice type |
| test.go:27:6:27:10 | definition of bound : bindMe | test.go:30:13:30:27 | type conversion |
| test.go:27:6:27:10 | definition of bound : bindMe | test.go:31:13:31:29 | type conversion |
| test.go:27:6:27:10 | definition of bound : bindMe | test.go:31:20:31:26 | selection of c : subBindMe |
| test.go:29:20:29:26 | selection of a : slice type | test.go:29:13:29:30 | type conversion |
| test.go:31:20:31:26 | selection of c : subBindMe | test.go:31:13:31:29 | type conversion |
| test.go:36:20:36:42 | call to Cookie : string | test.go:36:13:36:43 | type conversion |
| test.go:41:20:41:31 | call to Data : map type | test.go:41:13:41:52 | type conversion |
| test.go:46:20:46:43 | call to GetData : basic interface type | test.go:46:13:46:53 | type conversion |
| test.go:51:20:51:42 | call to Header : string | test.go:51:13:51:43 | type conversion |
| test.go:56:20:56:41 | call to Param : string | test.go:56:13:56:42 | type conversion |
| test.go:61:20:61:33 | call to Params : map type | test.go:61:13:61:45 | type conversion |
| test.go:66:20:66:41 | call to Query : string | test.go:66:13:66:42 | type conversion |
| test.go:71:20:71:32 | call to Refer : string | test.go:71:13:71:33 | type conversion |
| test.go:76:20:76:34 | call to Referer : string | test.go:76:13:76:35 | type conversion |
| test.go:81:20:81:30 | call to URI : string | test.go:81:13:81:31 | type conversion |
| test.go:86:20:86:30 | call to URL : string | test.go:86:13:86:31 | type conversion |
| test.go:91:20:91:36 | call to UserAgent : string | test.go:91:13:91:37 | type conversion |
| test.go:96:14:96:25 | call to Data : map type | test.go:96:14:96:45 | type assertion |
| test.go:108:14:108:25 | call to Data : map type | test.go:108:14:108:45 | type assertion |
| test.go:120:14:120:25 | call to Data : map type | test.go:120:14:120:45 | type assertion |
| test.go:137:23:137:42 | call to Data : map type | test.go:137:23:137:62 | type assertion |
| test.go:193:15:193:26 | call to Data : map type | test.go:194:14:194:55 | type conversion |
| test.go:193:15:193:26 | call to Data : map type | test.go:195:14:195:58 | type conversion |
| test.go:193:15:193:26 | call to Data : map type | test.go:197:14:197:28 | type assertion |
| test.go:193:15:193:26 | call to Data : map type | test.go:198:14:198:55 | type conversion |
| test.go:193:15:193:26 | call to Data : map type | test.go:199:14:199:59 | type conversion |
| test.go:202:18:202:33 | selection of Form : Values | test.go:203:14:203:28 | type conversion |
| test.go:217:2:217:34 | ... := ...[0] : File | test.go:220:14:220:20 | content |
| test.go:217:2:217:34 | ... := ...[1] : pointer type | test.go:218:14:218:32 | type conversion |
| test.go:217:2:217:34 | ... := ...[1] : pointer type | test.go:218:21:218:22 | implicit dereference : FileHeader |
| test.go:218:21:218:22 | implicit dereference : FileHeader | test.go:218:14:218:32 | type conversion |
| test.go:218:21:218:22 | implicit dereference : FileHeader | test.go:218:21:218:22 | implicit dereference : FileHeader |
| test.go:222:2:222:40 | ... := ...[0] : slice type | test.go:223:14:223:38 | type conversion |
| test.go:222:2:222:40 | ... := ...[0] : slice type | test.go:223:21:223:28 | implicit dereference : FileHeader |
| test.go:222:2:222:40 | ... := ...[0] : slice type | test.go:223:21:223:28 | index expression : pointer type |
| test.go:223:21:223:28 | implicit dereference : FileHeader | test.go:223:14:223:38 | type conversion |
| test.go:223:21:223:28 | implicit dereference : FileHeader | test.go:223:21:223:28 | implicit dereference : FileHeader |
| test.go:223:21:223:28 | implicit dereference : FileHeader | test.go:223:21:223:28 | index expression : pointer type |
| test.go:223:21:223:28 | index expression : pointer type | test.go:223:14:223:38 | type conversion |
| test.go:223:21:223:28 | index expression : pointer type | test.go:223:21:223:28 | implicit dereference : FileHeader |
| test.go:223:21:223:28 | index expression : pointer type | test.go:223:21:223:28 | index expression : pointer type |
| test.go:225:7:225:28 | call to GetString : string | test.go:226:14:226:22 | type conversion |
| test.go:228:8:228:35 | call to GetStrings : slice type | test.go:229:14:229:26 | type conversion |
| test.go:231:9:231:17 | call to Input : Values | test.go:232:14:232:27 | type conversion |
| test.go:234:6:234:8 | definition of str : myStruct | test.go:236:14:236:30 | type conversion |
| test.go:240:15:240:36 | call to GetString : string | test.go:243:21:243:29 | untrusted |
| test.go:253:23:253:44 | call to GetCookie : string | test.go:253:16:253:45 | type conversion |
| test.go:264:62:264:83 | call to GetCookie : string | test.go:264:55:264:84 | type conversion |
| test.go:269:2:269:40 | ... := ...[0] : slice type | test.go:277:21:277:61 | call to GetDisplayString |
| test.go:269:2:269:40 | ... := ...[0] : slice type | test.go:277:44:277:51 | implicit dereference : FileHeader |
| test.go:269:2:269:40 | ... := ...[0] : slice type | test.go:277:44:277:51 | index expression : pointer type |
| test.go:269:2:269:40 | ... := ...[0] : slice type | test.go:278:21:278:53 | call to SliceChunk : slice type |
| test.go:269:2:269:40 | ... := ...[0] : slice type | test.go:278:21:278:56 | index expression : slice type |
| test.go:269:2:269:40 | ... := ...[0] : slice type | test.go:278:21:278:83 | implicit dereference : FileHeader |
| test.go:269:2:269:40 | ... := ...[0] : slice type | test.go:278:21:278:92 | selection of Filename |
| test.go:269:2:269:40 | ... := ...[0] : slice type | test.go:279:21:279:60 | call to SliceDiff : slice type |
| test.go:269:2:269:40 | ... := ...[0] : slice type | test.go:279:21:279:87 | implicit dereference : FileHeader |
| test.go:269:2:269:40 | ... := ...[0] : slice type | test.go:279:21:279:96 | selection of Filename |
| test.go:269:2:269:40 | ... := ...[0] : slice type | test.go:284:3:286:44 | call to SliceFilter : slice type |
| test.go:269:2:269:40 | ... := ...[0] : slice type | test.go:284:3:286:71 | implicit dereference : FileHeader |
| test.go:269:2:269:40 | ... := ...[0] : slice type | test.go:284:3:286:80 | selection of Filename |
| test.go:269:2:269:40 | ... := ...[0] : slice type | test.go:287:21:287:65 | call to SliceIntersect : slice type |
| test.go:269:2:269:40 | ... := ...[0] : slice type | test.go:287:21:287:92 | implicit dereference : FileHeader |
| test.go:269:2:269:40 | ... := ...[0] : slice type | test.go:287:21:287:101 | selection of Filename |
| test.go:269:2:269:40 | ... := ...[0] : slice type | test.go:288:21:288:65 | call to SliceIntersect : slice type |
| test.go:269:2:269:40 | ... := ...[0] : slice type | test.go:288:21:288:92 | implicit dereference : FileHeader |
| test.go:269:2:269:40 | ... := ...[0] : slice type | test.go:288:21:288:101 | selection of Filename |
| test.go:269:2:269:40 | ... := ...[0] : slice type | test.go:289:21:289:61 | call to SliceMerge : slice type |
| test.go:269:2:269:40 | ... := ...[0] : slice type | test.go:289:21:289:88 | implicit dereference : FileHeader |
| test.go:269:2:269:40 | ... := ...[0] : slice type | test.go:289:21:289:97 | selection of Filename |
| test.go:269:2:269:40 | ... := ...[0] : slice type | test.go:290:21:290:61 | call to SliceMerge : slice type |
| test.go:269:2:269:40 | ... := ...[0] : slice type | test.go:290:21:290:88 | implicit dereference : FileHeader |
| test.go:269:2:269:40 | ... := ...[0] : slice type | test.go:290:21:290:97 | selection of Filename |
| test.go:269:2:269:40 | ... := ...[0] : slice type | test.go:291:21:291:66 | call to SlicePad : slice type |
| test.go:269:2:269:40 | ... := ...[0] : slice type | test.go:291:21:291:93 | implicit dereference : FileHeader |
| test.go:269:2:269:40 | ... := ...[0] : slice type | test.go:291:21:291:102 | selection of Filename |
| test.go:269:2:269:40 | ... := ...[0] : slice type | test.go:292:21:292:66 | call to SlicePad : slice type |
| test.go:269:2:269:40 | ... := ...[0] : slice type | test.go:292:21:292:93 | implicit dereference : FileHeader |
| test.go:269:2:269:40 | ... := ...[0] : slice type | test.go:292:21:292:102 | selection of Filename |
| test.go:269:2:269:40 | ... := ...[0] : slice type | test.go:293:21:293:73 | implicit dereference : FileHeader |
| test.go:269:2:269:40 | ... := ...[0] : slice type | test.go:293:21:293:82 | selection of Filename |
| test.go:269:2:269:40 | ... := ...[0] : slice type | test.go:295:21:295:97 | call to SliceReduce : slice type |
| test.go:269:2:269:40 | ... := ...[0] : slice type | test.go:295:21:295:124 | implicit dereference : FileHeader |
| test.go:269:2:269:40 | ... := ...[0] : slice type | test.go:295:21:295:133 | selection of Filename |
| test.go:269:2:269:40 | ... := ...[0] : slice type | test.go:296:21:296:52 | call to SliceShuffle : slice type |
| test.go:269:2:269:40 | ... := ...[0] : slice type | test.go:296:21:296:79 | implicit dereference : FileHeader |
| test.go:269:2:269:40 | ... := ...[0] : slice type | test.go:296:21:296:88 | selection of Filename |
| test.go:269:2:269:40 | ... := ...[0] : slice type | test.go:297:21:297:51 | call to SliceUnique : slice type |
| test.go:269:2:269:40 | ... := ...[0] : slice type | test.go:297:21:297:78 | implicit dereference : FileHeader |
| test.go:269:2:269:40 | ... := ...[0] : slice type | test.go:297:21:297:87 | selection of Filename |
| test.go:277:44:277:51 | implicit dereference : FileHeader | test.go:277:21:277:61 | call to GetDisplayString |
| test.go:277:44:277:51 | implicit dereference : FileHeader | test.go:277:44:277:51 | implicit dereference : FileHeader |
| test.go:277:44:277:51 | implicit dereference : FileHeader | test.go:277:44:277:51 | index expression : pointer type |
| test.go:277:44:277:51 | index expression : pointer type | test.go:277:21:277:61 | call to GetDisplayString |
| test.go:277:44:277:51 | index expression : pointer type | test.go:277:44:277:51 | implicit dereference : FileHeader |
| test.go:277:44:277:51 | index expression : pointer type | test.go:277:44:277:51 | index expression : pointer type |
| test.go:278:21:278:53 | call to SliceChunk : slice type | test.go:278:21:278:56 | index expression : slice type |
| test.go:278:21:278:53 | call to SliceChunk : slice type | test.go:278:21:278:83 | implicit dereference : FileHeader |
| test.go:278:21:278:53 | call to SliceChunk : slice type | test.go:278:21:278:92 | selection of Filename |
| test.go:278:21:278:56 | index expression : slice type | test.go:278:21:278:83 | implicit dereference : FileHeader |
| test.go:278:21:278:56 | index expression : slice type | test.go:278:21:278:92 | selection of Filename |
| test.go:278:21:278:83 | implicit dereference : FileHeader | test.go:278:21:278:92 | selection of Filename |
| test.go:279:21:279:60 | call to SliceDiff : slice type | test.go:279:21:279:87 | implicit dereference : FileHeader |
| test.go:279:21:279:60 | call to SliceDiff : slice type | test.go:279:21:279:96 | selection of Filename |
| test.go:279:21:279:87 | implicit dereference : FileHeader | test.go:279:21:279:96 | selection of Filename |
| test.go:284:3:286:44 | call to SliceFilter : slice type | test.go:284:3:286:71 | implicit dereference : FileHeader |
| test.go:284:3:286:44 | call to SliceFilter : slice type | test.go:284:3:286:80 | selection of Filename |
| test.go:284:3:286:71 | implicit dereference : FileHeader | test.go:284:3:286:80 | selection of Filename |
| test.go:287:21:287:65 | call to SliceIntersect : slice type | test.go:287:21:287:92 | implicit dereference : FileHeader |
| test.go:287:21:287:65 | call to SliceIntersect : slice type | test.go:287:21:287:101 | selection of Filename |
| test.go:287:21:287:92 | implicit dereference : FileHeader | test.go:287:21:287:101 | selection of Filename |
| test.go:288:21:288:61 | call to SliceMerge : slice type | test.go:288:21:288:88 | implicit dereference : FileHeader |
| test.go:288:21:288:61 | call to SliceMerge : slice type | test.go:288:21:288:97 | selection of Filename |
| test.go:288:21:288:88 | implicit dereference : FileHeader | test.go:288:21:288:97 | selection of Filename |
| test.go:288:21:288:65 | call to SliceIntersect : slice type | test.go:288:21:288:92 | implicit dereference : FileHeader |
| test.go:288:21:288:65 | call to SliceIntersect : slice type | test.go:288:21:288:101 | selection of Filename |
| test.go:288:21:288:92 | implicit dereference : FileHeader | test.go:288:21:288:101 | selection of Filename |
| test.go:289:21:289:61 | call to SliceMerge : slice type | test.go:289:21:289:88 | implicit dereference : FileHeader |
| test.go:289:21:289:61 | call to SliceMerge : slice type | test.go:289:21:289:97 | selection of Filename |
| test.go:289:21:289:88 | implicit dereference : FileHeader | test.go:289:21:289:97 | selection of Filename |
| test.go:290:21:290:66 | call to SlicePad : slice type | test.go:290:21:290:93 | implicit dereference : FileHeader |
| test.go:290:21:290:66 | call to SlicePad : slice type | test.go:290:21:290:102 | selection of Filename |
| test.go:290:21:290:93 | implicit dereference : FileHeader | test.go:290:21:290:102 | selection of Filename |
| test.go:290:21:290:61 | call to SliceMerge : slice type | test.go:290:21:290:88 | implicit dereference : FileHeader |
| test.go:290:21:290:61 | call to SliceMerge : slice type | test.go:290:21:290:97 | selection of Filename |
| test.go:290:21:290:88 | implicit dereference : FileHeader | test.go:290:21:290:97 | selection of Filename |
| test.go:291:21:291:66 | call to SlicePad : slice type | test.go:291:21:291:93 | implicit dereference : FileHeader |
| test.go:291:21:291:66 | call to SlicePad : slice type | test.go:291:21:291:102 | selection of Filename |
| test.go:291:21:291:93 | implicit dereference : FileHeader | test.go:291:21:291:102 | selection of Filename |
| test.go:292:21:292:73 | implicit dereference : FileHeader | test.go:292:21:292:82 | selection of Filename |
| test.go:294:21:294:97 | call to SliceReduce : slice type | test.go:294:21:294:124 | implicit dereference : FileHeader |
| test.go:294:21:294:97 | call to SliceReduce : slice type | test.go:294:21:294:133 | selection of Filename |
| test.go:294:21:294:124 | implicit dereference : FileHeader | test.go:294:21:294:133 | selection of Filename |
| test.go:295:21:295:52 | call to SliceShuffle : slice type | test.go:295:21:295:79 | implicit dereference : FileHeader |
| test.go:295:21:295:52 | call to SliceShuffle : slice type | test.go:295:21:295:88 | selection of Filename |
| test.go:295:21:295:79 | implicit dereference : FileHeader | test.go:295:21:295:88 | selection of Filename |
| test.go:296:21:296:51 | call to SliceUnique : slice type | test.go:296:21:296:78 | implicit dereference : FileHeader |
| test.go:296:21:296:51 | call to SliceUnique : slice type | test.go:296:21:296:87 | selection of Filename |
| test.go:296:21:296:78 | implicit dereference : FileHeader | test.go:296:21:296:87 | selection of Filename |
| test.go:302:15:302:36 | call to GetString : string | test.go:304:21:304:48 | type assertion |
| test.go:302:15:302:36 | call to GetString : string | test.go:305:21:305:32 | call to Items : map type |
| test.go:302:15:302:36 | call to GetString : string | test.go:305:21:305:52 | type assertion |
| test.go:305:21:305:32 | call to Items : map type | test.go:305:21:305:52 | type assertion |
| test.go:292:21:292:66 | call to SlicePad : slice type | test.go:292:21:292:93 | implicit dereference : FileHeader |
| test.go:292:21:292:66 | call to SlicePad : slice type | test.go:292:21:292:102 | selection of Filename |
| test.go:292:21:292:93 | implicit dereference : FileHeader | test.go:292:21:292:102 | selection of Filename |
| test.go:293:21:293:73 | implicit dereference : FileHeader | test.go:293:21:293:82 | selection of Filename |
| test.go:295:21:295:97 | call to SliceReduce : slice type | test.go:295:21:295:124 | implicit dereference : FileHeader |
| test.go:295:21:295:97 | call to SliceReduce : slice type | test.go:295:21:295:133 | selection of Filename |
| test.go:295:21:295:124 | implicit dereference : FileHeader | test.go:295:21:295:133 | selection of Filename |
| test.go:296:21:296:52 | call to SliceShuffle : slice type | test.go:296:21:296:79 | implicit dereference : FileHeader |
| test.go:296:21:296:52 | call to SliceShuffle : slice type | test.go:296:21:296:88 | selection of Filename |
| test.go:296:21:296:79 | implicit dereference : FileHeader | test.go:296:21:296:88 | selection of Filename |
| test.go:297:21:297:51 | call to SliceUnique : slice type | test.go:297:21:297:78 | implicit dereference : FileHeader |
| test.go:297:21:297:51 | call to SliceUnique : slice type | test.go:297:21:297:87 | selection of Filename |
| test.go:297:21:297:78 | implicit dereference : FileHeader | test.go:297:21:297:87 | selection of Filename |
| test.go:303:15:303:36 | call to GetString : string | test.go:305:21:305:48 | type assertion |
| test.go:303:15:303:36 | call to GetString : string | test.go:306:21:306:32 | call to Items : map type |
| test.go:303:15:303:36 | call to GetString : string | test.go:306:21:306:52 | type assertion |
| test.go:306:21:306:32 | call to Items : map type | test.go:306:21:306:52 | type assertion |
nodes
| test.go:26:6:26:10 | definition of bound : bindMe | semmle.label | definition of bound : bindMe |
| test.go:28:13:28:30 | type conversion | semmle.label | type conversion |
| test.go:28:20:28:26 | selection of a : slice type | semmle.label | selection of a : slice type |
| test.go:29:13:29:27 | type conversion | semmle.label | type conversion |
| test.go:30:13:30:29 | type conversion | semmle.label | type conversion |
| test.go:30:20:30:26 | selection of c : subBindMe | semmle.label | selection of c : subBindMe |
| test.go:35:13:35:43 | type conversion | semmle.label | type conversion |
| test.go:35:20:35:42 | call to Cookie : string | semmle.label | call to Cookie : string |
| test.go:40:13:40:52 | type conversion | semmle.label | type conversion |
| test.go:40:20:40:31 | call to Data : map type | semmle.label | call to Data : map type |
| test.go:45:13:45:53 | type conversion | semmle.label | type conversion |
| test.go:45:20:45:43 | call to GetData : basic interface type | semmle.label | call to GetData : basic interface type |
| test.go:50:13:50:43 | type conversion | semmle.label | type conversion |
| test.go:50:20:50:42 | call to Header : string | semmle.label | call to Header : string |
| test.go:55:13:55:42 | type conversion | semmle.label | type conversion |
| test.go:55:20:55:41 | call to Param : string | semmle.label | call to Param : string |
| test.go:60:13:60:45 | type conversion | semmle.label | type conversion |
| test.go:60:20:60:33 | call to Params : map type | semmle.label | call to Params : map type |
| test.go:65:13:65:42 | type conversion | semmle.label | type conversion |
| test.go:65:20:65:41 | call to Query : string | semmle.label | call to Query : string |
| test.go:70:13:70:33 | type conversion | semmle.label | type conversion |
| test.go:70:20:70:32 | call to Refer : string | semmle.label | call to Refer : string |
| test.go:75:13:75:35 | type conversion | semmle.label | type conversion |
| test.go:75:20:75:34 | call to Referer : string | semmle.label | call to Referer : string |
| test.go:80:13:80:31 | type conversion | semmle.label | type conversion |
| test.go:80:20:80:30 | call to URI : string | semmle.label | call to URI : string |
| test.go:85:13:85:31 | type conversion | semmle.label | type conversion |
| test.go:85:20:85:30 | call to URL : string | semmle.label | call to URL : string |
| test.go:90:13:90:37 | type conversion | semmle.label | type conversion |
| test.go:90:20:90:36 | call to UserAgent : string | semmle.label | call to UserAgent : string |
| test.go:95:14:95:25 | call to Data : map type | semmle.label | call to Data : map type |
| test.go:95:14:95:45 | type assertion | semmle.label | type assertion |
| test.go:107:14:107:25 | call to Data : map type | semmle.label | call to Data : map type |
| test.go:107:14:107:45 | type assertion | semmle.label | type assertion |
| test.go:119:14:119:25 | call to Data : map type | semmle.label | call to Data : map type |
| test.go:119:14:119:45 | type assertion | semmle.label | type assertion |
| test.go:136:23:136:42 | call to Data : map type | semmle.label | call to Data : map type |
| test.go:136:23:136:62 | type assertion | semmle.label | type assertion |
| test.go:192:15:192:26 | call to Data : map type | semmle.label | call to Data : map type |
| test.go:193:14:193:55 | type conversion | semmle.label | type conversion |
| test.go:194:14:194:58 | type conversion | semmle.label | type conversion |
| test.go:196:14:196:28 | type assertion | semmle.label | type assertion |
| test.go:197:14:197:55 | type conversion | semmle.label | type conversion |
| test.go:198:14:198:59 | type conversion | semmle.label | type conversion |
| test.go:201:18:201:33 | selection of Form : Values | semmle.label | selection of Form : Values |
| test.go:202:14:202:28 | type conversion | semmle.label | type conversion |
| test.go:216:2:216:34 | ... := ...[0] : File | semmle.label | ... := ...[0] : File |
| test.go:216:2:216:34 | ... := ...[1] : pointer type | semmle.label | ... := ...[1] : pointer type |
| test.go:217:14:217:32 | type conversion | semmle.label | type conversion |
| test.go:217:21:217:22 | implicit dereference : FileHeader | semmle.label | implicit dereference : FileHeader |
| test.go:219:14:219:20 | content | semmle.label | content |
| test.go:221:2:221:40 | ... := ...[0] : slice type | semmle.label | ... := ...[0] : slice type |
| test.go:222:14:222:38 | type conversion | semmle.label | type conversion |
| test.go:222:21:222:28 | implicit dereference : FileHeader | semmle.label | implicit dereference : FileHeader |
| test.go:222:21:222:28 | index expression : pointer type | semmle.label | index expression : pointer type |
| test.go:224:7:224:28 | call to GetString : string | semmle.label | call to GetString : string |
| test.go:225:14:225:22 | type conversion | semmle.label | type conversion |
| test.go:227:8:227:35 | call to GetStrings : slice type | semmle.label | call to GetStrings : slice type |
| test.go:228:14:228:26 | type conversion | semmle.label | type conversion |
| test.go:230:9:230:17 | call to Input : Values | semmle.label | call to Input : Values |
| test.go:231:14:231:27 | type conversion | semmle.label | type conversion |
| test.go:233:6:233:8 | definition of str : myStruct | semmle.label | definition of str : myStruct |
| test.go:235:14:235:30 | type conversion | semmle.label | type conversion |
| test.go:239:15:239:36 | call to GetString : string | semmle.label | call to GetString : string |
| test.go:242:21:242:29 | untrusted | semmle.label | untrusted |
| test.go:252:16:252:45 | type conversion | semmle.label | type conversion |
| test.go:252:23:252:44 | call to GetCookie : string | semmle.label | call to GetCookie : string |
| test.go:257:16:257:37 | call to GetCookie | semmle.label | call to GetCookie |
| test.go:258:15:258:41 | call to GetCookie | semmle.label | call to GetCookie |
| test.go:263:55:263:84 | type conversion | semmle.label | type conversion |
| test.go:263:62:263:83 | call to GetCookie : string | semmle.label | call to GetCookie : string |
| test.go:268:2:268:40 | ... := ...[0] : slice type | semmle.label | ... := ...[0] : slice type |
| test.go:276:21:276:61 | call to GetDisplayString | semmle.label | call to GetDisplayString |
| test.go:276:44:276:51 | implicit dereference : FileHeader | semmle.label | implicit dereference : FileHeader |
| test.go:276:44:276:51 | index expression : pointer type | semmle.label | index expression : pointer type |
| test.go:277:21:277:53 | call to SliceChunk : slice type | semmle.label | call to SliceChunk : slice type |
| test.go:277:21:277:56 | index expression : slice type | semmle.label | index expression : slice type |
| test.go:277:21:277:83 | implicit dereference : FileHeader | semmle.label | implicit dereference : FileHeader |
| test.go:277:21:277:92 | selection of Filename | semmle.label | selection of Filename |
| test.go:278:21:278:60 | call to SliceDiff : slice type | semmle.label | call to SliceDiff : slice type |
| test.go:278:21:278:87 | implicit dereference : FileHeader | semmle.label | implicit dereference : FileHeader |
| test.go:278:21:278:96 | selection of Filename | semmle.label | selection of Filename |
| test.go:283:3:285:44 | call to SliceFilter : slice type | semmle.label | call to SliceFilter : slice type |
| test.go:283:3:285:71 | implicit dereference : FileHeader | semmle.label | implicit dereference : FileHeader |
| test.go:283:3:285:80 | selection of Filename | semmle.label | selection of Filename |
| test.go:286:21:286:65 | call to SliceIntersect : slice type | semmle.label | call to SliceIntersect : slice type |
| test.go:286:21:286:92 | implicit dereference : FileHeader | semmle.label | implicit dereference : FileHeader |
| test.go:286:21:286:101 | selection of Filename | semmle.label | selection of Filename |
| test.go:27:6:27:10 | definition of bound : bindMe | semmle.label | definition of bound : bindMe |
| test.go:29:13:29:30 | type conversion | semmle.label | type conversion |
| test.go:29:20:29:26 | selection of a : slice type | semmle.label | selection of a : slice type |
| test.go:30:13:30:27 | type conversion | semmle.label | type conversion |
| test.go:31:13:31:29 | type conversion | semmle.label | type conversion |
| test.go:31:20:31:26 | selection of c : subBindMe | semmle.label | selection of c : subBindMe |
| test.go:36:13:36:43 | type conversion | semmle.label | type conversion |
| test.go:36:20:36:42 | call to Cookie : string | semmle.label | call to Cookie : string |
| test.go:41:13:41:52 | type conversion | semmle.label | type conversion |
| test.go:41:20:41:31 | call to Data : map type | semmle.label | call to Data : map type |
| test.go:46:13:46:53 | type conversion | semmle.label | type conversion |
| test.go:46:20:46:43 | call to GetData : basic interface type | semmle.label | call to GetData : basic interface type |
| test.go:51:13:51:43 | type conversion | semmle.label | type conversion |
| test.go:51:20:51:42 | call to Header : string | semmle.label | call to Header : string |
| test.go:56:13:56:42 | type conversion | semmle.label | type conversion |
| test.go:56:20:56:41 | call to Param : string | semmle.label | call to Param : string |
| test.go:61:13:61:45 | type conversion | semmle.label | type conversion |
| test.go:61:20:61:33 | call to Params : map type | semmle.label | call to Params : map type |
| test.go:66:13:66:42 | type conversion | semmle.label | type conversion |
| test.go:66:20:66:41 | call to Query : string | semmle.label | call to Query : string |
| test.go:71:13:71:33 | type conversion | semmle.label | type conversion |
| test.go:71:20:71:32 | call to Refer : string | semmle.label | call to Refer : string |
| test.go:76:13:76:35 | type conversion | semmle.label | type conversion |
| test.go:76:20:76:34 | call to Referer : string | semmle.label | call to Referer : string |
| test.go:81:13:81:31 | type conversion | semmle.label | type conversion |
| test.go:81:20:81:30 | call to URI : string | semmle.label | call to URI : string |
| test.go:86:13:86:31 | type conversion | semmle.label | type conversion |
| test.go:86:20:86:30 | call to URL : string | semmle.label | call to URL : string |
| test.go:91:13:91:37 | type conversion | semmle.label | type conversion |
| test.go:91:20:91:36 | call to UserAgent : string | semmle.label | call to UserAgent : string |
| test.go:96:14:96:25 | call to Data : map type | semmle.label | call to Data : map type |
| test.go:96:14:96:45 | type assertion | semmle.label | type assertion |
| test.go:108:14:108:25 | call to Data : map type | semmle.label | call to Data : map type |
| test.go:108:14:108:45 | type assertion | semmle.label | type assertion |
| test.go:120:14:120:25 | call to Data : map type | semmle.label | call to Data : map type |
| test.go:120:14:120:45 | type assertion | semmle.label | type assertion |
| test.go:137:23:137:42 | call to Data : map type | semmle.label | call to Data : map type |
| test.go:137:23:137:62 | type assertion | semmle.label | type assertion |
| test.go:193:15:193:26 | call to Data : map type | semmle.label | call to Data : map type |
| test.go:194:14:194:55 | type conversion | semmle.label | type conversion |
| test.go:195:14:195:58 | type conversion | semmle.label | type conversion |
| test.go:197:14:197:28 | type assertion | semmle.label | type assertion |
| test.go:198:14:198:55 | type conversion | semmle.label | type conversion |
| test.go:199:14:199:59 | type conversion | semmle.label | type conversion |
| test.go:202:18:202:33 | selection of Form : Values | semmle.label | selection of Form : Values |
| test.go:203:14:203:28 | type conversion | semmle.label | type conversion |
| test.go:217:2:217:34 | ... := ...[0] : File | semmle.label | ... := ...[0] : File |
| test.go:217:2:217:34 | ... := ...[1] : pointer type | semmle.label | ... := ...[1] : pointer type |
| test.go:218:14:218:32 | type conversion | semmle.label | type conversion |
| test.go:218:21:218:22 | implicit dereference : FileHeader | semmle.label | implicit dereference : FileHeader |
| test.go:220:14:220:20 | content | semmle.label | content |
| test.go:222:2:222:40 | ... := ...[0] : slice type | semmle.label | ... := ...[0] : slice type |
| test.go:223:14:223:38 | type conversion | semmle.label | type conversion |
| test.go:223:21:223:28 | implicit dereference : FileHeader | semmle.label | implicit dereference : FileHeader |
| test.go:223:21:223:28 | index expression : pointer type | semmle.label | index expression : pointer type |
| test.go:225:7:225:28 | call to GetString : string | semmle.label | call to GetString : string |
| test.go:226:14:226:22 | type conversion | semmle.label | type conversion |
| test.go:228:8:228:35 | call to GetStrings : slice type | semmle.label | call to GetStrings : slice type |
| test.go:229:14:229:26 | type conversion | semmle.label | type conversion |
| test.go:231:9:231:17 | call to Input : Values | semmle.label | call to Input : Values |
| test.go:232:14:232:27 | type conversion | semmle.label | type conversion |
| test.go:234:6:234:8 | definition of str : myStruct | semmle.label | definition of str : myStruct |
| test.go:236:14:236:30 | type conversion | semmle.label | type conversion |
| test.go:240:15:240:36 | call to GetString : string | semmle.label | call to GetString : string |
| test.go:243:21:243:29 | untrusted | semmle.label | untrusted |
| test.go:253:16:253:45 | type conversion | semmle.label | type conversion |
| test.go:253:23:253:44 | call to GetCookie : string | semmle.label | call to GetCookie : string |
| test.go:258:16:258:37 | call to GetCookie | semmle.label | call to GetCookie |
| test.go:259:15:259:41 | call to GetCookie | semmle.label | call to GetCookie |
| test.go:264:55:264:84 | type conversion | semmle.label | type conversion |
| test.go:264:62:264:83 | call to GetCookie : string | semmle.label | call to GetCookie : string |
| test.go:269:2:269:40 | ... := ...[0] : slice type | semmle.label | ... := ...[0] : slice type |
| test.go:277:21:277:61 | call to GetDisplayString | semmle.label | call to GetDisplayString |
| test.go:277:44:277:51 | implicit dereference : FileHeader | semmle.label | implicit dereference : FileHeader |
| test.go:277:44:277:51 | index expression : pointer type | semmle.label | index expression : pointer type |
| test.go:278:21:278:53 | call to SliceChunk : slice type | semmle.label | call to SliceChunk : slice type |
| test.go:278:21:278:56 | index expression : slice type | semmle.label | index expression : slice type |
| test.go:278:21:278:83 | implicit dereference : FileHeader | semmle.label | implicit dereference : FileHeader |
| test.go:278:21:278:92 | selection of Filename | semmle.label | selection of Filename |
| test.go:279:21:279:60 | call to SliceDiff : slice type | semmle.label | call to SliceDiff : slice type |
| test.go:279:21:279:87 | implicit dereference : FileHeader | semmle.label | implicit dereference : FileHeader |
| test.go:279:21:279:96 | selection of Filename | semmle.label | selection of Filename |
| test.go:284:3:286:44 | call to SliceFilter : slice type | semmle.label | call to SliceFilter : slice type |
| test.go:284:3:286:71 | implicit dereference : FileHeader | semmle.label | implicit dereference : FileHeader |
| test.go:284:3:286:80 | selection of Filename | semmle.label | selection of Filename |
| test.go:287:21:287:65 | call to SliceIntersect : slice type | semmle.label | call to SliceIntersect : slice type |
| test.go:287:21:287:92 | implicit dereference : FileHeader | semmle.label | implicit dereference : FileHeader |
| test.go:287:21:287:101 | selection of Filename | semmle.label | selection of Filename |
| test.go:288:21:288:61 | call to SliceMerge : slice type | semmle.label | call to SliceMerge : slice type |
| test.go:288:21:288:88 | implicit dereference : FileHeader | semmle.label | implicit dereference : FileHeader |
| test.go:288:21:288:97 | selection of Filename | semmle.label | selection of Filename |
| test.go:288:21:288:65 | call to SliceIntersect : slice type | semmle.label | call to SliceIntersect : slice type |
| test.go:288:21:288:92 | implicit dereference : FileHeader | semmle.label | implicit dereference : FileHeader |
| test.go:288:21:288:101 | selection of Filename | semmle.label | selection of Filename |
| test.go:289:21:289:61 | call to SliceMerge : slice type | semmle.label | call to SliceMerge : slice type |
| test.go:289:21:289:88 | implicit dereference : FileHeader | semmle.label | implicit dereference : FileHeader |
| test.go:289:21:289:97 | selection of Filename | semmle.label | selection of Filename |
| test.go:290:21:290:66 | call to SlicePad : slice type | semmle.label | call to SlicePad : slice type |
| test.go:290:21:290:93 | implicit dereference : FileHeader | semmle.label | implicit dereference : FileHeader |
| test.go:290:21:290:102 | selection of Filename | semmle.label | selection of Filename |
| test.go:290:21:290:61 | call to SliceMerge : slice type | semmle.label | call to SliceMerge : slice type |
| test.go:290:21:290:88 | implicit dereference : FileHeader | semmle.label | implicit dereference : FileHeader |
| test.go:290:21:290:97 | selection of Filename | semmle.label | selection of Filename |
| test.go:291:21:291:66 | call to SlicePad : slice type | semmle.label | call to SlicePad : slice type |
| test.go:291:21:291:93 | implicit dereference : FileHeader | semmle.label | implicit dereference : FileHeader |
| test.go:291:21:291:102 | selection of Filename | semmle.label | selection of Filename |
| test.go:292:21:292:73 | implicit dereference : FileHeader | semmle.label | implicit dereference : FileHeader |
| test.go:292:21:292:82 | selection of Filename | semmle.label | selection of Filename |
| test.go:294:21:294:97 | call to SliceReduce : slice type | semmle.label | call to SliceReduce : slice type |
| test.go:294:21:294:124 | implicit dereference : FileHeader | semmle.label | implicit dereference : FileHeader |
| test.go:294:21:294:133 | selection of Filename | semmle.label | selection of Filename |
| test.go:295:21:295:52 | call to SliceShuffle : slice type | semmle.label | call to SliceShuffle : slice type |
| test.go:295:21:295:79 | implicit dereference : FileHeader | semmle.label | implicit dereference : FileHeader |
| test.go:295:21:295:88 | selection of Filename | semmle.label | selection of Filename |
| test.go:296:21:296:51 | call to SliceUnique : slice type | semmle.label | call to SliceUnique : slice type |
| test.go:296:21:296:78 | implicit dereference : FileHeader | semmle.label | implicit dereference : FileHeader |
| test.go:296:21:296:87 | selection of Filename | semmle.label | selection of Filename |
| test.go:302:15:302:36 | call to GetString : string | semmle.label | call to GetString : string |
| test.go:304:21:304:48 | type assertion | semmle.label | type assertion |
| test.go:305:21:305:32 | call to Items : map type | semmle.label | call to Items : map type |
| test.go:305:21:305:52 | type assertion | semmle.label | type assertion |
| test.go:292:21:292:66 | call to SlicePad : slice type | semmle.label | call to SlicePad : slice type |
| test.go:292:21:292:93 | implicit dereference : FileHeader | semmle.label | implicit dereference : FileHeader |
| test.go:292:21:292:102 | selection of Filename | semmle.label | selection of Filename |
| test.go:293:21:293:73 | implicit dereference : FileHeader | semmle.label | implicit dereference : FileHeader |
| test.go:293:21:293:82 | selection of Filename | semmle.label | selection of Filename |
| test.go:295:21:295:97 | call to SliceReduce : slice type | semmle.label | call to SliceReduce : slice type |
| test.go:295:21:295:124 | implicit dereference : FileHeader | semmle.label | implicit dereference : FileHeader |
| test.go:295:21:295:133 | selection of Filename | semmle.label | selection of Filename |
| test.go:296:21:296:52 | call to SliceShuffle : slice type | semmle.label | call to SliceShuffle : slice type |
| test.go:296:21:296:79 | implicit dereference : FileHeader | semmle.label | implicit dereference : FileHeader |
| test.go:296:21:296:88 | selection of Filename | semmle.label | selection of Filename |
| test.go:297:21:297:51 | call to SliceUnique : slice type | semmle.label | call to SliceUnique : slice type |
| test.go:297:21:297:78 | implicit dereference : FileHeader | semmle.label | implicit dereference : FileHeader |
| test.go:297:21:297:87 | selection of Filename | semmle.label | selection of Filename |
| test.go:303:15:303:36 | call to GetString : string | semmle.label | call to GetString : string |
| test.go:305:21:305:48 | type assertion | semmle.label | type assertion |
| test.go:306:21:306:32 | call to Items : map type | semmle.label | call to Items : map type |
| test.go:306:21:306:52 | type assertion | semmle.label | type assertion |
subpaths
#select
| test.go:28:13:28:30 | type conversion | test.go:26:6:26:10 | definition of bound : bindMe | test.go:28:13:28:30 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:26:6:26:10 | definition of bound | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:29:13:29:27 | type conversion | test.go:26:6:26:10 | definition of bound : bindMe | test.go:29:13:29:27 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:26:6:26:10 | definition of bound | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:30:13:30:29 | type conversion | test.go:26:6:26:10 | definition of bound : bindMe | test.go:30:13:30:29 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:26:6:26:10 | definition of bound | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:35:13:35:43 | type conversion | test.go:35:20:35:42 | call to Cookie : string | test.go:35:13:35:43 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:35:20:35:42 | call to Cookie | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:40:13:40:52 | type conversion | test.go:40:20:40:31 | call to Data : map type | test.go:40:13:40:52 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:40:20:40:31 | call to Data | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:45:13:45:53 | type conversion | test.go:45:20:45:43 | call to GetData : basic interface type | test.go:45:13:45:53 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:45:20:45:43 | call to GetData | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:50:13:50:43 | type conversion | test.go:50:20:50:42 | call to Header : string | test.go:50:13:50:43 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:50:20:50:42 | call to Header | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:55:13:55:42 | type conversion | test.go:55:20:55:41 | call to Param : string | test.go:55:13:55:42 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:55:20:55:41 | call to Param | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:60:13:60:45 | type conversion | test.go:60:20:60:33 | call to Params : map type | test.go:60:13:60:45 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:60:20:60:33 | call to Params | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:65:13:65:42 | type conversion | test.go:65:20:65:41 | call to Query : string | test.go:65:13:65:42 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:65:20:65:41 | call to Query | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:70:13:70:33 | type conversion | test.go:70:20:70:32 | call to Refer : string | test.go:70:13:70:33 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:70:20:70:32 | call to Refer | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:75:13:75:35 | type conversion | test.go:75:20:75:34 | call to Referer : string | test.go:75:13:75:35 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:75:20:75:34 | call to Referer | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:80:13:80:31 | type conversion | test.go:80:20:80:30 | call to URI : string | test.go:80:13:80:31 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:80:20:80:30 | call to URI | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:85:13:85:31 | type conversion | test.go:85:20:85:30 | call to URL : string | test.go:85:13:85:31 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:85:20:85:30 | call to URL | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:90:13:90:37 | type conversion | test.go:90:20:90:36 | call to UserAgent : string | test.go:90:13:90:37 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:90:20:90:36 | call to UserAgent | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:95:14:95:45 | type assertion | test.go:95:14:95:25 | call to Data : map type | test.go:95:14:95:45 | type assertion | Cross-site scripting vulnerability due to $@. | test.go:95:14:95:25 | call to Data | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:107:14:107:45 | type assertion | test.go:107:14:107:25 | call to Data : map type | test.go:107:14:107:45 | type assertion | Cross-site scripting vulnerability due to $@. | test.go:107:14:107:25 | call to Data | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:119:14:119:45 | type assertion | test.go:119:14:119:25 | call to Data : map type | test.go:119:14:119:45 | type assertion | Cross-site scripting vulnerability due to $@. | test.go:119:14:119:25 | call to Data | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:136:23:136:62 | type assertion | test.go:136:23:136:42 | call to Data : map type | test.go:136:23:136:62 | type assertion | Cross-site scripting vulnerability due to $@. | test.go:136:23:136:42 | call to Data | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:193:14:193:55 | type conversion | test.go:192:15:192:26 | call to Data : map type | test.go:193:14:193:55 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:192:15:192:26 | call to Data | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:194:14:194:58 | type conversion | test.go:192:15:192:26 | call to Data : map type | test.go:194:14:194:58 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:192:15:192:26 | call to Data | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:196:14:196:28 | type assertion | test.go:192:15:192:26 | call to Data : map type | test.go:196:14:196:28 | type assertion | Cross-site scripting vulnerability due to $@. | test.go:192:15:192:26 | call to Data | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:197:14:197:55 | type conversion | test.go:192:15:192:26 | call to Data : map type | test.go:197:14:197:55 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:192:15:192:26 | call to Data | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:198:14:198:59 | type conversion | test.go:192:15:192:26 | call to Data : map type | test.go:198:14:198:59 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:192:15:192:26 | call to Data | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:202:14:202:28 | type conversion | test.go:201:18:201:33 | selection of Form : Values | test.go:202:14:202:28 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:201:18:201:33 | selection of Form | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:217:14:217:32 | type conversion | test.go:216:2:216:34 | ... := ...[1] : pointer type | test.go:217:14:217:32 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:216:2:216:34 | ... := ...[1] | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:219:14:219:20 | content | test.go:216:2:216:34 | ... := ...[0] : File | test.go:219:14:219:20 | content | Cross-site scripting vulnerability due to $@. | test.go:216:2:216:34 | ... := ...[0] | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:222:14:222:38 | type conversion | test.go:221:2:221:40 | ... := ...[0] : slice type | test.go:222:14:222:38 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:221:2:221:40 | ... := ...[0] | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:225:14:225:22 | type conversion | test.go:224:7:224:28 | call to GetString : string | test.go:225:14:225:22 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:224:7:224:28 | call to GetString | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:228:14:228:26 | type conversion | test.go:227:8:227:35 | call to GetStrings : slice type | test.go:228:14:228:26 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:227:8:227:35 | call to GetStrings | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:231:14:231:27 | type conversion | test.go:230:9:230:17 | call to Input : Values | test.go:231:14:231:27 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:230:9:230:17 | call to Input | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:235:14:235:30 | type conversion | test.go:233:6:233:8 | definition of str : myStruct | test.go:235:14:235:30 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:233:6:233:8 | definition of str | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:242:21:242:29 | untrusted | test.go:239:15:239:36 | call to GetString : string | test.go:242:21:242:29 | untrusted | Cross-site scripting vulnerability due to $@. | test.go:239:15:239:36 | call to GetString | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:252:16:252:45 | type conversion | test.go:252:23:252:44 | call to GetCookie : string | test.go:252:16:252:45 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:252:23:252:44 | call to GetCookie | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:257:16:257:37 | call to GetCookie | test.go:257:16:257:37 | call to GetCookie | test.go:257:16:257:37 | call to GetCookie | Cross-site scripting vulnerability due to $@. | test.go:257:16:257:37 | call to GetCookie | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:258:15:258:41 | call to GetCookie | test.go:258:15:258:41 | call to GetCookie | test.go:258:15:258:41 | call to GetCookie | Cross-site scripting vulnerability due to $@. | test.go:258:15:258:41 | call to GetCookie | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:263:55:263:84 | type conversion | test.go:263:62:263:83 | call to GetCookie : string | test.go:263:55:263:84 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:263:62:263:83 | call to GetCookie | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:276:21:276:61 | call to GetDisplayString | test.go:268:2:268:40 | ... := ...[0] : slice type | test.go:276:21:276:61 | call to GetDisplayString | Cross-site scripting vulnerability due to $@. | test.go:268:2:268:40 | ... := ...[0] | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:277:21:277:92 | selection of Filename | test.go:268:2:268:40 | ... := ...[0] : slice type | test.go:277:21:277:92 | selection of Filename | Cross-site scripting vulnerability due to $@. | test.go:268:2:268:40 | ... := ...[0] | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:278:21:278:96 | selection of Filename | test.go:268:2:268:40 | ... := ...[0] : slice type | test.go:278:21:278:96 | selection of Filename | Cross-site scripting vulnerability due to $@. | test.go:268:2:268:40 | ... := ...[0] | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:283:3:285:80 | selection of Filename | test.go:268:2:268:40 | ... := ...[0] : slice type | test.go:283:3:285:80 | selection of Filename | Cross-site scripting vulnerability due to $@. | test.go:268:2:268:40 | ... := ...[0] | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:286:21:286:101 | selection of Filename | test.go:268:2:268:40 | ... := ...[0] : slice type | test.go:286:21:286:101 | selection of Filename | Cross-site scripting vulnerability due to $@. | test.go:268:2:268:40 | ... := ...[0] | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:287:21:287:101 | selection of Filename | test.go:268:2:268:40 | ... := ...[0] : slice type | test.go:287:21:287:101 | selection of Filename | Cross-site scripting vulnerability due to $@. | test.go:268:2:268:40 | ... := ...[0] | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:288:21:288:97 | selection of Filename | test.go:268:2:268:40 | ... := ...[0] : slice type | test.go:288:21:288:97 | selection of Filename | Cross-site scripting vulnerability due to $@. | test.go:268:2:268:40 | ... := ...[0] | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:289:21:289:97 | selection of Filename | test.go:268:2:268:40 | ... := ...[0] : slice type | test.go:289:21:289:97 | selection of Filename | Cross-site scripting vulnerability due to $@. | test.go:268:2:268:40 | ... := ...[0] | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:290:21:290:102 | selection of Filename | test.go:268:2:268:40 | ... := ...[0] : slice type | test.go:290:21:290:102 | selection of Filename | Cross-site scripting vulnerability due to $@. | test.go:268:2:268:40 | ... := ...[0] | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:291:21:291:102 | selection of Filename | test.go:268:2:268:40 | ... := ...[0] : slice type | test.go:291:21:291:102 | selection of Filename | Cross-site scripting vulnerability due to $@. | test.go:268:2:268:40 | ... := ...[0] | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:292:21:292:82 | selection of Filename | test.go:268:2:268:40 | ... := ...[0] : slice type | test.go:292:21:292:82 | selection of Filename | Cross-site scripting vulnerability due to $@. | test.go:268:2:268:40 | ... := ...[0] | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:294:21:294:133 | selection of Filename | test.go:268:2:268:40 | ... := ...[0] : slice type | test.go:294:21:294:133 | selection of Filename | Cross-site scripting vulnerability due to $@. | test.go:268:2:268:40 | ... := ...[0] | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:295:21:295:88 | selection of Filename | test.go:268:2:268:40 | ... := ...[0] : slice type | test.go:295:21:295:88 | selection of Filename | Cross-site scripting vulnerability due to $@. | test.go:268:2:268:40 | ... := ...[0] | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:296:21:296:87 | selection of Filename | test.go:268:2:268:40 | ... := ...[0] : slice type | test.go:296:21:296:87 | selection of Filename | Cross-site scripting vulnerability due to $@. | test.go:268:2:268:40 | ... := ...[0] | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:304:21:304:48 | type assertion | test.go:302:15:302:36 | call to GetString : string | test.go:304:21:304:48 | type assertion | Cross-site scripting vulnerability due to $@. | test.go:302:15:302:36 | call to GetString | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:305:21:305:52 | type assertion | test.go:302:15:302:36 | call to GetString : string | test.go:305:21:305:52 | type assertion | Cross-site scripting vulnerability due to $@. | test.go:302:15:302:36 | call to GetString | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:29:13:29:30 | type conversion | test.go:27:6:27:10 | definition of bound : bindMe | test.go:29:13:29:30 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:27:6:27:10 | definition of bound | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:30:13:30:27 | type conversion | test.go:27:6:27:10 | definition of bound : bindMe | test.go:30:13:30:27 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:27:6:27:10 | definition of bound | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:31:13:31:29 | type conversion | test.go:27:6:27:10 | definition of bound : bindMe | test.go:31:13:31:29 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:27:6:27:10 | definition of bound | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:36:13:36:43 | type conversion | test.go:36:20:36:42 | call to Cookie : string | test.go:36:13:36:43 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:36:20:36:42 | call to Cookie | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:41:13:41:52 | type conversion | test.go:41:20:41:31 | call to Data : map type | test.go:41:13:41:52 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:41:20:41:31 | call to Data | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:46:13:46:53 | type conversion | test.go:46:20:46:43 | call to GetData : basic interface type | test.go:46:13:46:53 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:46:20:46:43 | call to GetData | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:51:13:51:43 | type conversion | test.go:51:20:51:42 | call to Header : string | test.go:51:13:51:43 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:51:20:51:42 | call to Header | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:56:13:56:42 | type conversion | test.go:56:20:56:41 | call to Param : string | test.go:56:13:56:42 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:56:20:56:41 | call to Param | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:61:13:61:45 | type conversion | test.go:61:20:61:33 | call to Params : map type | test.go:61:13:61:45 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:61:20:61:33 | call to Params | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:66:13:66:42 | type conversion | test.go:66:20:66:41 | call to Query : string | test.go:66:13:66:42 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:66:20:66:41 | call to Query | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:71:13:71:33 | type conversion | test.go:71:20:71:32 | call to Refer : string | test.go:71:13:71:33 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:71:20:71:32 | call to Refer | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:76:13:76:35 | type conversion | test.go:76:20:76:34 | call to Referer : string | test.go:76:13:76:35 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:76:20:76:34 | call to Referer | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:81:13:81:31 | type conversion | test.go:81:20:81:30 | call to URI : string | test.go:81:13:81:31 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:81:20:81:30 | call to URI | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:86:13:86:31 | type conversion | test.go:86:20:86:30 | call to URL : string | test.go:86:13:86:31 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:86:20:86:30 | call to URL | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:91:13:91:37 | type conversion | test.go:91:20:91:36 | call to UserAgent : string | test.go:91:13:91:37 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:91:20:91:36 | call to UserAgent | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:96:14:96:45 | type assertion | test.go:96:14:96:25 | call to Data : map type | test.go:96:14:96:45 | type assertion | Cross-site scripting vulnerability due to $@. | test.go:96:14:96:25 | call to Data | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:108:14:108:45 | type assertion | test.go:108:14:108:25 | call to Data : map type | test.go:108:14:108:45 | type assertion | Cross-site scripting vulnerability due to $@. | test.go:108:14:108:25 | call to Data | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:120:14:120:45 | type assertion | test.go:120:14:120:25 | call to Data : map type | test.go:120:14:120:45 | type assertion | Cross-site scripting vulnerability due to $@. | test.go:120:14:120:25 | call to Data | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:137:23:137:62 | type assertion | test.go:137:23:137:42 | call to Data : map type | test.go:137:23:137:62 | type assertion | Cross-site scripting vulnerability due to $@. | test.go:137:23:137:42 | call to Data | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:194:14:194:55 | type conversion | test.go:193:15:193:26 | call to Data : map type | test.go:194:14:194:55 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:193:15:193:26 | call to Data | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:195:14:195:58 | type conversion | test.go:193:15:193:26 | call to Data : map type | test.go:195:14:195:58 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:193:15:193:26 | call to Data | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:197:14:197:28 | type assertion | test.go:193:15:193:26 | call to Data : map type | test.go:197:14:197:28 | type assertion | Cross-site scripting vulnerability due to $@. | test.go:193:15:193:26 | call to Data | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:198:14:198:55 | type conversion | test.go:193:15:193:26 | call to Data : map type | test.go:198:14:198:55 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:193:15:193:26 | call to Data | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:199:14:199:59 | type conversion | test.go:193:15:193:26 | call to Data : map type | test.go:199:14:199:59 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:193:15:193:26 | call to Data | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:203:14:203:28 | type conversion | test.go:202:18:202:33 | selection of Form : Values | test.go:203:14:203:28 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:202:18:202:33 | selection of Form | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:218:14:218:32 | type conversion | test.go:217:2:217:34 | ... := ...[1] : pointer type | test.go:218:14:218:32 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:217:2:217:34 | ... := ...[1] | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:220:14:220:20 | content | test.go:217:2:217:34 | ... := ...[0] : File | test.go:220:14:220:20 | content | Cross-site scripting vulnerability due to $@. | test.go:217:2:217:34 | ... := ...[0] | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:223:14:223:38 | type conversion | test.go:222:2:222:40 | ... := ...[0] : slice type | test.go:223:14:223:38 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:222:2:222:40 | ... := ...[0] | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:226:14:226:22 | type conversion | test.go:225:7:225:28 | call to GetString : string | test.go:226:14:226:22 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:225:7:225:28 | call to GetString | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:229:14:229:26 | type conversion | test.go:228:8:228:35 | call to GetStrings : slice type | test.go:229:14:229:26 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:228:8:228:35 | call to GetStrings | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:232:14:232:27 | type conversion | test.go:231:9:231:17 | call to Input : Values | test.go:232:14:232:27 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:231:9:231:17 | call to Input | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:236:14:236:30 | type conversion | test.go:234:6:234:8 | definition of str : myStruct | test.go:236:14:236:30 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:234:6:234:8 | definition of str | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:243:21:243:29 | untrusted | test.go:240:15:240:36 | call to GetString : string | test.go:243:21:243:29 | untrusted | Cross-site scripting vulnerability due to $@. | test.go:240:15:240:36 | call to GetString | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:253:16:253:45 | type conversion | test.go:253:23:253:44 | call to GetCookie : string | test.go:253:16:253:45 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:253:23:253:44 | call to GetCookie | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:258:16:258:37 | call to GetCookie | test.go:258:16:258:37 | call to GetCookie | test.go:258:16:258:37 | call to GetCookie | Cross-site scripting vulnerability due to $@. | test.go:258:16:258:37 | call to GetCookie | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:259:15:259:41 | call to GetCookie | test.go:259:15:259:41 | call to GetCookie | test.go:259:15:259:41 | call to GetCookie | Cross-site scripting vulnerability due to $@. | test.go:259:15:259:41 | call to GetCookie | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:264:55:264:84 | type conversion | test.go:264:62:264:83 | call to GetCookie : string | test.go:264:55:264:84 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:264:62:264:83 | call to GetCookie | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:277:21:277:61 | call to GetDisplayString | test.go:269:2:269:40 | ... := ...[0] : slice type | test.go:277:21:277:61 | call to GetDisplayString | Cross-site scripting vulnerability due to $@. | test.go:269:2:269:40 | ... := ...[0] | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:278:21:278:92 | selection of Filename | test.go:269:2:269:40 | ... := ...[0] : slice type | test.go:278:21:278:92 | selection of Filename | Cross-site scripting vulnerability due to $@. | test.go:269:2:269:40 | ... := ...[0] | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:279:21:279:96 | selection of Filename | test.go:269:2:269:40 | ... := ...[0] : slice type | test.go:279:21:279:96 | selection of Filename | Cross-site scripting vulnerability due to $@. | test.go:269:2:269:40 | ... := ...[0] | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:284:3:286:80 | selection of Filename | test.go:269:2:269:40 | ... := ...[0] : slice type | test.go:284:3:286:80 | selection of Filename | Cross-site scripting vulnerability due to $@. | test.go:269:2:269:40 | ... := ...[0] | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:287:21:287:101 | selection of Filename | test.go:269:2:269:40 | ... := ...[0] : slice type | test.go:287:21:287:101 | selection of Filename | Cross-site scripting vulnerability due to $@. | test.go:269:2:269:40 | ... := ...[0] | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:288:21:288:101 | selection of Filename | test.go:269:2:269:40 | ... := ...[0] : slice type | test.go:288:21:288:101 | selection of Filename | Cross-site scripting vulnerability due to $@. | test.go:269:2:269:40 | ... := ...[0] | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:289:21:289:97 | selection of Filename | test.go:269:2:269:40 | ... := ...[0] : slice type | test.go:289:21:289:97 | selection of Filename | Cross-site scripting vulnerability due to $@. | test.go:269:2:269:40 | ... := ...[0] | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:290:21:290:97 | selection of Filename | test.go:269:2:269:40 | ... := ...[0] : slice type | test.go:290:21:290:97 | selection of Filename | Cross-site scripting vulnerability due to $@. | test.go:269:2:269:40 | ... := ...[0] | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:291:21:291:102 | selection of Filename | test.go:269:2:269:40 | ... := ...[0] : slice type | test.go:291:21:291:102 | selection of Filename | Cross-site scripting vulnerability due to $@. | test.go:269:2:269:40 | ... := ...[0] | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:292:21:292:102 | selection of Filename | test.go:269:2:269:40 | ... := ...[0] : slice type | test.go:292:21:292:102 | selection of Filename | Cross-site scripting vulnerability due to $@. | test.go:269:2:269:40 | ... := ...[0] | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:293:21:293:82 | selection of Filename | test.go:269:2:269:40 | ... := ...[0] : slice type | test.go:293:21:293:82 | selection of Filename | Cross-site scripting vulnerability due to $@. | test.go:269:2:269:40 | ... := ...[0] | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:295:21:295:133 | selection of Filename | test.go:269:2:269:40 | ... := ...[0] : slice type | test.go:295:21:295:133 | selection of Filename | Cross-site scripting vulnerability due to $@. | test.go:269:2:269:40 | ... := ...[0] | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:296:21:296:88 | selection of Filename | test.go:269:2:269:40 | ... := ...[0] : slice type | test.go:296:21:296:88 | selection of Filename | Cross-site scripting vulnerability due to $@. | test.go:269:2:269:40 | ... := ...[0] | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:297:21:297:87 | selection of Filename | test.go:269:2:269:40 | ... := ...[0] : slice type | test.go:297:21:297:87 | selection of Filename | Cross-site scripting vulnerability due to $@. | test.go:269:2:269:40 | ... := ...[0] | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:305:21:305:48 | type assertion | test.go:303:15:303:36 | call to GetString : string | test.go:305:21:305:48 | type assertion | Cross-site scripting vulnerability due to $@. | test.go:303:15:303:36 | call to GetString | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:306:21:306:52 | type assertion | test.go:303:15:303:36 | call to GetString : string | test.go:306:21:306:52 | type assertion | Cross-site scripting vulnerability due to $@. | test.go:303:15:303:36 | call to GetString | user-provided value | test.go:0:0:0:0 | test.go | |


@@ -1,14 +1,18 @@
edges
| test.go:208:15:208:26 | call to Data : map type | test.go:209:18:209:26 | untrusted |
| test.go:208:15:208:26 | call to Data : map type | test.go:210:10:210:18 | untrusted |
| test.go:208:15:208:26 | call to Data : map type | test.go:211:35:211:43 | untrusted |
| test.go:209:15:209:26 | call to Data : map type | test.go:210:18:210:26 | untrusted |
| test.go:209:15:209:26 | call to Data : map type | test.go:211:10:211:18 | untrusted |
| test.go:209:15:209:26 | call to Data : map type | test.go:212:35:212:43 | untrusted |
| test.go:318:17:318:37 | selection of RequestBody : slice type | test.go:320:35:320:43 | untrusted |
nodes
| test.go:208:15:208:26 | call to Data : map type | semmle.label | call to Data : map type |
| test.go:209:18:209:26 | untrusted | semmle.label | untrusted |
| test.go:210:10:210:18 | untrusted | semmle.label | untrusted |
| test.go:211:35:211:43 | untrusted | semmle.label | untrusted |
| test.go:209:15:209:26 | call to Data : map type | semmle.label | call to Data : map type |
| test.go:210:18:210:26 | untrusted | semmle.label | untrusted |
| test.go:211:10:211:18 | untrusted | semmle.label | untrusted |
| test.go:212:35:212:43 | untrusted | semmle.label | untrusted |
| test.go:318:17:318:37 | selection of RequestBody : slice type | semmle.label | selection of RequestBody : slice type |
| test.go:320:35:320:43 | untrusted | semmle.label | untrusted |
subpaths
#select
| test.go:209:18:209:26 | untrusted | test.go:208:15:208:26 | call to Data : map type | test.go:209:18:209:26 | untrusted | This path depends on a $@. | test.go:208:15:208:26 | call to Data | user-provided value |
| test.go:210:10:210:18 | untrusted | test.go:208:15:208:26 | call to Data : map type | test.go:210:10:210:18 | untrusted | This path depends on a $@. | test.go:208:15:208:26 | call to Data | user-provided value |
| test.go:211:35:211:43 | untrusted | test.go:208:15:208:26 | call to Data : map type | test.go:211:35:211:43 | untrusted | This path depends on a $@. | test.go:208:15:208:26 | call to Data | user-provided value |
| test.go:210:18:210:26 | untrusted | test.go:209:15:209:26 | call to Data : map type | test.go:210:18:210:26 | untrusted | This path depends on a $@. | test.go:209:15:209:26 | call to Data | user-provided value |
| test.go:211:10:211:18 | untrusted | test.go:209:15:209:26 | call to Data : map type | test.go:211:10:211:18 | untrusted | This path depends on a $@. | test.go:209:15:209:26 | call to Data | user-provided value |
| test.go:212:35:212:43 | untrusted | test.go:209:15:209:26 | call to Data : map type | test.go:212:35:212:43 | untrusted | This path depends on a $@. | test.go:209:15:209:26 | call to Data | user-provided value |
| test.go:320:35:320:43 | untrusted | test.go:318:17:318:37 | selection of RequestBody : slice type | test.go:320:35:320:43 | untrusted | This path depends on a $@. | test.go:318:17:318:37 | selection of RequestBody | user-provided value |


@@ -1,6 +1,7 @@
package test
import (
"encoding/json"
"github.com/astaxie/beego"
"github.com/astaxie/beego/context"
"github.com/astaxie/beego/logs"
@@ -310,3 +311,11 @@ func testSafeRedirects(c *beego.Controller, ctx *context.Context) {
c.Redirect(ctx.Input.URI(), 304)
ctx.Redirect(304, ctx.Input.URL())
}
// BAD: using RequestBody data as path in a file-system operation
func requestBodySourceTest(ctx *context.Context, c *beego.Controller) {
var dat map[string]interface{}
json.Unmarshal(ctx.Input.RequestBody, &dat)
untrusted := dat["filepath"].(string)
c.SaveToFile("someReceviedFile", untrusted)
}


@@ -1,4 +1,4 @@
| WrappedErrorAlwaysNil.go:31:22:31:24 | err | The first argument to 'errors.Wrap' is always nil |
| WrappedErrorAlwaysNil.go:41:14:41:16 | nil | The first argument to 'errors.Wrap' is always nil |
| WrappedErrorAlwaysNil.go:45:14:45:16 | err | The first argument to 'errors.Wrap' is always nil |
| WrappedErrorAlwaysNil.go:49:14:49:21 | localErr | The first argument to 'errors.Wrap' is always nil |
| WrappedErrorAlwaysNil.go:31:22:31:24 | err | The first argument to 'errors.Wrap' is always nil. |
| WrappedErrorAlwaysNil.go:41:14:41:16 | nil | The first argument to 'errors.Wrap' is always nil. |
| WrappedErrorAlwaysNil.go:45:14:45:16 | err | The first argument to 'errors.Wrap' is always nil. |
| WrappedErrorAlwaysNil.go:49:14:49:21 | localErr | The first argument to 'errors.Wrap' is always nil. |


@@ -13,14 +13,14 @@ nodes
| test.go:23:21:23:36 | "hello\\\\\\bworld" | semmle.label | "hello\\\\\\bworld" |
subpaths
#select
| SuspiciousCharacterInRegexp.go:6:34:6:55 | "\\bforbidden.host.org" | SuspiciousCharacterInRegexp.go:6:34:6:55 | "\\bforbidden.host.org" | SuspiciousCharacterInRegexp.go:6:34:6:55 | "\\bforbidden.host.org" | $@ that is $@ contains a literal backspace \\b; did you mean \\\\b, a word boundary? | SuspiciousCharacterInRegexp.go:6:34:6:55 | "\\bforbidden.host.org" | A string literal | SuspiciousCharacterInRegexp.go:6:34:6:55 | "\\bforbidden.host.org" | used as a regular expression |
| test.go:7:21:7:24 | "\\a" | test.go:7:21:7:24 | "\\a" | test.go:7:21:7:24 | "\\a" | $@ that is $@ contains the bell character \\a; did you mean \\\\a, the Vim alphabetic character class (use [[:alpha:]] instead) or \\\\A, the beginning of text? | test.go:7:21:7:24 | "\\a" | A string literal | test.go:7:21:7:24 | "\\a" | used as a regular expression |
| test.go:9:21:9:26 | "\\\\\\a" | test.go:9:21:9:26 | "\\\\\\a" | test.go:9:21:9:26 | "\\\\\\a" | $@ that is $@ contains the bell character \\a; did you mean \\\\a, the Vim alphabetic character class (use [[:alpha:]] instead) or \\\\A, the beginning of text? | test.go:9:21:9:26 | "\\\\\\a" | A string literal | test.go:9:21:9:26 | "\\\\\\a" | used as a regular expression |
| test.go:10:21:10:27 | "x\\\\\\a" | test.go:10:21:10:27 | "x\\\\\\a" | test.go:10:21:10:27 | "x\\\\\\a" | $@ that is $@ contains the bell character \\a; did you mean \\\\a, the Vim alphabetic character class (use [[:alpha:]] instead) or \\\\A, the beginning of text? | test.go:10:21:10:27 | "x\\\\\\a" | A string literal | test.go:10:21:10:27 | "x\\\\\\a" | used as a regular expression |
| test.go:12:21:12:28 | "\\\\\\\\\\a" | test.go:12:21:12:28 | "\\\\\\\\\\a" | test.go:12:21:12:28 | "\\\\\\\\\\a" | $@ that is $@ contains the bell character \\a; did you mean \\\\a, the Vim alphabetic character class (use [[:alpha:]] instead) or \\\\A, the beginning of text? | test.go:12:21:12:28 | "\\\\\\\\\\a" | A string literal | test.go:12:21:12:28 | "\\\\\\\\\\a" | used as a regular expression |
| test.go:14:21:14:30 | "\\\\\\\\\\\\\\a" | test.go:14:21:14:30 | "\\\\\\\\\\\\\\a" | test.go:14:21:14:30 | "\\\\\\\\\\\\\\a" | $@ that is $@ contains the bell character \\a; did you mean \\\\a, the Vim alphabetic character class (use [[:alpha:]] instead) or \\\\A, the beginning of text? | test.go:14:21:14:30 | "\\\\\\\\\\\\\\a" | A string literal | test.go:14:21:14:30 | "\\\\\\\\\\\\\\a" | used as a regular expression |
| test.go:16:21:16:32 | "\\\\\\\\\\\\\\\\\\a" | test.go:16:21:16:32 | "\\\\\\\\\\\\\\\\\\a" | test.go:16:21:16:32 | "\\\\\\\\\\\\\\\\\\a" | $@ that is $@ contains the bell character \\a; did you mean \\\\a, the Vim alphabetic character class (use [[:alpha:]] instead) or \\\\A, the beginning of text? | test.go:16:21:16:32 | "\\\\\\\\\\\\\\\\\\a" | A string literal | test.go:16:21:16:32 | "\\\\\\\\\\\\\\\\\\a" | used as a regular expression |
| test.go:20:21:20:34 | "hello\\aworld" | test.go:20:21:20:34 | "hello\\aworld" | test.go:20:21:20:34 | "hello\\aworld" | $@ that is $@ contains the bell character \\a; did you mean \\\\a, the Vim alphabetic character class (use [[:alpha:]] instead) or \\\\A, the beginning of text? | test.go:20:21:20:34 | "hello\\aworld" | A string literal | test.go:20:21:20:34 | "hello\\aworld" | used as a regular expression |
| test.go:21:21:21:36 | "hello\\\\\\aworld" | test.go:21:21:21:36 | "hello\\\\\\aworld" | test.go:21:21:21:36 | "hello\\\\\\aworld" | $@ that is $@ contains the bell character \\a; did you mean \\\\a, the Vim alphabetic character class (use [[:alpha:]] instead) or \\\\A, the beginning of text? | test.go:21:21:21:36 | "hello\\\\\\aworld" | A string literal | test.go:21:21:21:36 | "hello\\\\\\aworld" | used as a regular expression |
| test.go:22:21:22:34 | "hello\\bworld" | test.go:22:21:22:34 | "hello\\bworld" | test.go:22:21:22:34 | "hello\\bworld" | $@ that is $@ contains a literal backspace \\b; did you mean \\\\b, a word boundary? | test.go:22:21:22:34 | "hello\\bworld" | A string literal | test.go:22:21:22:34 | "hello\\bworld" | used as a regular expression |
| test.go:23:21:23:36 | "hello\\\\\\bworld" | test.go:23:21:23:36 | "hello\\\\\\bworld" | test.go:23:21:23:36 | "hello\\\\\\bworld" | $@ that is $@ contains a literal backspace \\b; did you mean \\\\b, a word boundary? | test.go:23:21:23:36 | "hello\\\\\\bworld" | A string literal | test.go:23:21:23:36 | "hello\\\\\\bworld" | used as a regular expression |
| SuspiciousCharacterInRegexp.go:6:34:6:55 | "\\bforbidden.host.org" | SuspiciousCharacterInRegexp.go:6:34:6:55 | "\\bforbidden.host.org" | SuspiciousCharacterInRegexp.go:6:34:6:55 | "\\bforbidden.host.org" | This string literal that is $@ contains a literal backspace \\b; did you mean \\\\b, a word boundary? | SuspiciousCharacterInRegexp.go:6:34:6:55 | "\\bforbidden.host.org" | used as a regular expression |
| test.go:7:21:7:24 | "\\a" | test.go:7:21:7:24 | "\\a" | test.go:7:21:7:24 | "\\a" | This string literal that is $@ contains the bell character \\a; did you mean \\\\a, the Vim alphabetic character class (use [[:alpha:]] instead) or \\\\A, the beginning of text? | test.go:7:21:7:24 | "\\a" | used as a regular expression |
| test.go:9:21:9:26 | "\\\\\\a" | test.go:9:21:9:26 | "\\\\\\a" | test.go:9:21:9:26 | "\\\\\\a" | This string literal that is $@ contains the bell character \\a; did you mean \\\\a, the Vim alphabetic character class (use [[:alpha:]] instead) or \\\\A, the beginning of text? | test.go:9:21:9:26 | "\\\\\\a" | used as a regular expression |
| test.go:10:21:10:27 | "x\\\\\\a" | test.go:10:21:10:27 | "x\\\\\\a" | test.go:10:21:10:27 | "x\\\\\\a" | This string literal that is $@ contains the bell character \\a; did you mean \\\\a, the Vim alphabetic character class (use [[:alpha:]] instead) or \\\\A, the beginning of text? | test.go:10:21:10:27 | "x\\\\\\a" | used as a regular expression |
| test.go:12:21:12:28 | "\\\\\\\\\\a" | test.go:12:21:12:28 | "\\\\\\\\\\a" | test.go:12:21:12:28 | "\\\\\\\\\\a" | This string literal that is $@ contains the bell character \\a; did you mean \\\\a, the Vim alphabetic character class (use [[:alpha:]] instead) or \\\\A, the beginning of text? | test.go:12:21:12:28 | "\\\\\\\\\\a" | used as a regular expression |
| test.go:14:21:14:30 | "\\\\\\\\\\\\\\a" | test.go:14:21:14:30 | "\\\\\\\\\\\\\\a" | test.go:14:21:14:30 | "\\\\\\\\\\\\\\a" | This string literal that is $@ contains the bell character \\a; did you mean \\\\a, the Vim alphabetic character class (use [[:alpha:]] instead) or \\\\A, the beginning of text? | test.go:14:21:14:30 | "\\\\\\\\\\\\\\a" | used as a regular expression |
| test.go:16:21:16:32 | "\\\\\\\\\\\\\\\\\\a" | test.go:16:21:16:32 | "\\\\\\\\\\\\\\\\\\a" | test.go:16:21:16:32 | "\\\\\\\\\\\\\\\\\\a" | This string literal that is $@ contains the bell character \\a; did you mean \\\\a, the Vim alphabetic character class (use [[:alpha:]] instead) or \\\\A, the beginning of text? | test.go:16:21:16:32 | "\\\\\\\\\\\\\\\\\\a" | used as a regular expression |
| test.go:20:21:20:34 | "hello\\aworld" | test.go:20:21:20:34 | "hello\\aworld" | test.go:20:21:20:34 | "hello\\aworld" | This string literal that is $@ contains the bell character \\a; did you mean \\\\a, the Vim alphabetic character class (use [[:alpha:]] instead) or \\\\A, the beginning of text? | test.go:20:21:20:34 | "hello\\aworld" | used as a regular expression |
| test.go:21:21:21:36 | "hello\\\\\\aworld" | test.go:21:21:21:36 | "hello\\\\\\aworld" | test.go:21:21:21:36 | "hello\\\\\\aworld" | This string literal that is $@ contains the bell character \\a; did you mean \\\\a, the Vim alphabetic character class (use [[:alpha:]] instead) or \\\\A, the beginning of text? | test.go:21:21:21:36 | "hello\\\\\\aworld" | used as a regular expression |
| test.go:22:21:22:34 | "hello\\bworld" | test.go:22:21:22:34 | "hello\\bworld" | test.go:22:21:22:34 | "hello\\bworld" | This string literal that is $@ contains a literal backspace \\b; did you mean \\\\b, a word boundary? | test.go:22:21:22:34 | "hello\\bworld" | used as a regular expression |
| test.go:23:21:23:36 | "hello\\\\\\bworld" | test.go:23:21:23:36 | "hello\\\\\\bworld" | test.go:23:21:23:36 | "hello\\\\\\bworld" | This string literal that is $@ contains a literal backspace \\b; did you mean \\\\b, a word boundary? | test.go:23:21:23:36 | "hello\\\\\\bworld" | used as a regular expression |


@@ -20,8 +20,8 @@ nodes
| sample.go:47:17:47:39 | call to Intn | semmle.label | call to Intn |
subpaths
#select
| InsecureRandomness.go:12:18:12:40 | call to Intn | InsecureRandomness.go:12:18:12:40 | call to Intn | InsecureRandomness.go:12:18:12:40 | call to Intn | $@ generated with a cryptographically weak RNG is used in $@. | InsecureRandomness.go:12:18:12:40 | call to Intn | A random number | InsecureRandomness.go:12:18:12:40 | call to Intn | a password-related function |
| sample.go:26:25:26:30 | call to Guid | sample.go:15:49:15:61 | call to Uint32 : uint32 | sample.go:26:25:26:30 | call to Guid | $@ generated with a cryptographically weak RNG is used in $@. | sample.go:15:49:15:61 | call to Uint32 | A random number | sample.go:26:25:26:30 | call to Guid | this cryptographic algorithm |
| sample.go:37:25:37:29 | nonce | sample.go:34:12:34:40 | call to New : pointer type | sample.go:37:25:37:29 | nonce | $@ generated with a cryptographically weak RNG is used in $@. | sample.go:34:12:34:40 | call to New | A random number | sample.go:37:25:37:29 | nonce | this cryptographic algorithm |
| sample.go:37:32:37:36 | nonce | sample.go:34:12:34:40 | call to New : pointer type | sample.go:37:32:37:36 | nonce | $@ generated with a cryptographically weak RNG is used in $@. | sample.go:34:12:34:40 | call to New | A random number | sample.go:37:32:37:36 | nonce | this cryptographic algorithm |
| sample.go:43:17:43:39 | call to Intn | sample.go:43:17:43:39 | call to Intn | sample.go:43:17:43:39 | call to Intn | $@ generated with a cryptographically weak RNG is used in $@. | sample.go:43:17:43:39 | call to Intn | A random number | sample.go:43:17:43:39 | call to Intn | a password-related function |
| InsecureRandomness.go:12:18:12:40 | call to Intn | InsecureRandomness.go:12:18:12:40 | call to Intn | InsecureRandomness.go:12:18:12:40 | call to Intn | A password-related function depends on a $@ generated with a cryptographically weak RNG. | InsecureRandomness.go:12:18:12:40 | call to Intn | random number |
| sample.go:26:25:26:30 | call to Guid | sample.go:15:49:15:61 | call to Uint32 : uint32 | sample.go:26:25:26:30 | call to Guid | This cryptographic algorithm depends on a $@ generated with a cryptographically weak RNG. | sample.go:15:49:15:61 | call to Uint32 | random number |
| sample.go:37:25:37:29 | nonce | sample.go:34:12:34:40 | call to New : pointer type | sample.go:37:25:37:29 | nonce | This cryptographic algorithm depends on a $@ generated with a cryptographically weak RNG. | sample.go:34:12:34:40 | call to New | random number |
| sample.go:37:32:37:36 | nonce | sample.go:34:12:34:40 | call to New : pointer type | sample.go:37:32:37:36 | nonce | This cryptographic algorithm depends on a $@ generated with a cryptographically weak RNG. | sample.go:34:12:34:40 | call to New | random number |
| sample.go:43:17:43:39 | call to Intn | sample.go:43:17:43:39 | call to Intn | sample.go:43:17:43:39 | call to Intn | A password-related function depends on a $@ generated with a cryptographically weak RNG. | sample.go:43:17:43:39 | call to Intn | random number |


@@ -36,10 +36,10 @@ jakarta.ws.rs.client,1,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,
jakarta.ws.rs.container,,9,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,9,,
jakarta.ws.rs.core,2,,149,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,94,55
java.beans,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
java.io,37,,39,,15,,,,,,,,,,,,,,,,,,,,,,,,,22,,,,,,,,39,
java.io,37,,40,,15,,,,,,,,,,,,,,,,,,,,,,,,,22,,,,,,,,40,
java.lang,13,,66,,,,,,,,,,,8,,,,,4,,,1,,,,,,,,,,,,,,,,54,12
java.net,10,3,7,,,,,,,,,,,,,,10,,,,,,,,,,,,,,,,,,,,3,7,
java.nio,15,,11,,13,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,11,
java.nio,15,,14,,13,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,14,
java.sql,11,,,,,,,,,4,,,,,,,,,,,,,,,,7,,,,,,,,,,,,,
java.util,44,,461,,,,,,,,,,,34,,,,,,5,2,,1,2,,,,,,,,,,,,,,36,425
javax.faces.context,2,7,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,7,,
1 package sink source summary sink:bean-validation sink:create-file sink:groovy sink:header-splitting sink:information-leak sink:intent-start sink:jdbc-url sink:jexl sink:jndi-injection sink:ldap sink:logging sink:mvel sink:ognl-injection sink:open-url sink:pending-intent-sent sink:regex-use[-1] sink:regex-use[0] sink:regex-use[] sink:regex-use[f-1] sink:regex-use[f1] sink:regex-use[f] sink:set-hostname-verifier sink:sql sink:ssti sink:url-open-stream sink:url-redirect sink:write-file sink:xpath sink:xslt sink:xss source:android-external-storage-dir source:android-widget source:contentprovider source:remote summary:taint summary:value
36 jakarta.ws.rs.container 9 9
37 jakarta.ws.rs.core 2 149 2 94 55
38 java.beans 1 1
39 java.io 37 39 40 15 22 39 40
40 java.lang 13 66 8 4 1 54 12
41 java.net 10 3 7 10 3 7
42 java.nio 15 11 14 13 2 11 14
43 java.sql 11 4 7
44 java.util 44 461 34 5 2 1 2 36 425
45 javax.faces.context 2 7 2 7


@@ -15,9 +15,9 @@ Java framework & library support
`Apache HttpComponents <https://hc.apache.org/>`_,"``org.apache.hc.core5.*``, ``org.apache.http``",5,136,28,,,3,,,,25
`Google Guava <https://guava.dev/>`_,``com.google.common.*``,,728,39,,6,,,,,
`JSON-java <https://github.com/stleary/JSON-java>`_,``org.json``,,236,,,,,,,,
Java Standard Library,``java.*``,3,585,130,28,,,7,,,10
Java Standard Library,``java.*``,3,589,130,28,,,7,,,10
Java extensions,"``javax.*``, ``jakarta.*``",63,609,32,,,4,,1,1,2
`Spring <https://spring.io/>`_,``org.springframework.*``,29,477,101,,,,19,14,,29
Others,"``androidx.core.app``, ``androidx.slice``, ``cn.hutool.core.codec``, ``com.esotericsoftware.kryo.io``, ``com.esotericsoftware.kryo5.io``, ``com.fasterxml.jackson.core``, ``com.fasterxml.jackson.databind``, ``com.hubspot.jinjava``, ``com.mitchellbosecke.pebble``, ``com.opensymphony.xwork2.ognl``, ``com.rabbitmq.client``, ``com.unboundid.ldap.sdk``, ``com.zaxxer.hikari``, ``flexjson``, ``freemarker.cache``, ``freemarker.template``, ``groovy.lang``, ``groovy.util``, ``jodd.json``, ``kotlin``, ``net.sf.saxon.s9api``, ``ognl``, ``okhttp3``, ``org.apache.commons.codec``, ``org.apache.commons.jexl2``, ``org.apache.commons.jexl3``, ``org.apache.commons.logging``, ``org.apache.commons.ognl``, ``org.apache.directory.ldap.client.api``, ``org.apache.ibatis.jdbc``, ``org.apache.log4j``, ``org.apache.logging.log4j``, ``org.apache.shiro.codec``, ``org.apache.shiro.jndi``, ``org.apache.velocity.app``, ``org.apache.velocity.runtime``, ``org.codehaus.groovy.control``, ``org.dom4j``, ``org.hibernate``, ``org.jboss.logging``, ``org.jdbi.v3.core``, ``org.jooq``, ``org.mvel2``, ``org.scijava.log``, ``org.slf4j``, ``org.thymeleaf``, ``org.xml.sax``, ``org.xmlpull.v1``, ``play.mvc``, ``ratpack.core.form``, ``ratpack.core.handling``, ``ratpack.core.http``, ``ratpack.exec``, ``ratpack.form``, ``ratpack.func``, ``ratpack.handling``, ``ratpack.http``, ``ratpack.util``, ``retrofit2``",65,2326,972,10,,,14,18,,5
Totals,,217,8428,1524,129,6,10,107,33,1,86
Totals,,217,8432,1524,129,6,10,107,33,1,86


@@ -25,6 +25,8 @@ def parse_args():
dest='many', help='Build for a single version/kind')
parser.add_argument('--single-version',
help='Build for a specific version/kind')
parser.add_argument('--single-version-embeddable', action='store_true',
help='When building a single version, build an embeddable extractor (default is standalone)')
return parser.parse_args()
@@ -235,7 +237,13 @@ def compile_standalone(version):
if args.single_version:
compile_standalone(args.single_version)
if args.single_version_embeddable == True:
compile_embeddable(args.single_version)
else:
compile_standalone(args.single_version)
elif args.single_version_embeddable == True:
print("--single-version-embeddable requires --single-version", file=sys.stderr)
sys.exit(1)
elif args.many:
for version in kotlin_plugin_versions.many_versions:
compile_standalone(version)
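Review bot: The two new branches compare a `store_true` flag against a literal (`if args.single_version_embeddable == True:` and `elif args.single_version_embeddable == True:`); the idiomatic form is `if args.single_version_embeddable:` and `elif args.single_version_embeddable:`. The `elif` error path writes to `sys.stderr` and calls `sys.exit(1)`, which relies on `sys` being imported earlier in the file, not visible in this hunk; `parser.error("--single-version-embeddable requires --single-version")` inside `parse_args()` would give the same exit behaviour while keeping the validation next to the option definition added in the first hunk. The enclosing `if`/`elif` chain continues past the end of the hunk.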



@@ -658,6 +658,26 @@ open class KotlinUsesExtractor(
RETURN, GENERIC_ARGUMENT, OTHER
}
private fun isOnDeclarationStackWithoutTypeParameters(f: IrFunction) =
this is KotlinFileExtractor && this.declarationStack.findOverriddenAttributes(f)?.typeParameters?.isEmpty() == true
private fun isStaticFunctionOnStackBeforeClass(c: IrClass) =
this is KotlinFileExtractor && (this.declarationStack.findFirst { it.first == c || it.second?.isStatic == true })?.second?.isStatic == true
private fun isUnavailableTypeParameter(t: IrType) =
t is IrSimpleType && t.classifier.owner.let { owner ->
owner is IrTypeParameter && owner.parent.let { parent ->
when (parent) {
is IrFunction -> isOnDeclarationStackWithoutTypeParameters(parent)
is IrClass -> isStaticFunctionOnStackBeforeClass(parent)
else -> false
}
}
}
private fun argIsUnavailableTypeParameter(t: IrTypeArgument) =
t is IrTypeProjection && isUnavailableTypeParameter(t.type)
private fun useSimpleType(s: IrSimpleType, context: TypeContext): TypeResults {
if (s.abbreviation != null) {
// TODO: Extract this information
@@ -729,11 +749,13 @@ open class KotlinUsesExtractor(
}
owner is IrClass -> {
val args = if (s.isRawType()) null else s.arguments
val args = if (s.isRawType() || s.arguments.any { argIsUnavailableTypeParameter(it) }) null else s.arguments
return useSimpleTypeClass(owner, args, s.isNullable())
}
owner is IrTypeParameter -> {
if (isUnavailableTypeParameter(s))
return useType(erase(s), context)
val javaResult = useTypeParameter(owner)
val aClassId = makeClass("kotlin", "TypeParam") // TODO: Wrong
val kotlinResult = if (true) TypeResult(fakeKotlinType(), "TODO", "TODO") else
@@ -1043,9 +1065,9 @@ open class KotlinUsesExtractor(
f.parent,
maybeParentId,
getFunctionShortName(f).nameInDB,
maybeParameterList ?: f.valueParameters,
(maybeParameterList ?: f.valueParameters).map { it.type },
getAdjustedReturnType(f),
f.extensionReceiverParameter,
f.extensionReceiverParameter?.type,
getFunctionTypeParameters(f),
classTypeArgsIncludingOuterClasses,
overridesCollectionsMethodWithAlteredParameterTypes(f),
@@ -1067,12 +1089,12 @@ open class KotlinUsesExtractor(
maybeParentId: Label<out DbElement>?,
// The name of the function; normally f.name.asString().
name: String,
// The value parameters that the functions takes; normally f.valueParameters.
parameters: List<IrValueParameter>,
// The types of the value parameters that the functions takes; normally f.valueParameters.map { it.type }.
parameterTypes: List<IrType>,
// The return type of the function; normally f.returnType.
returnType: IrType,
// The extension receiver of the function, if any; normally f.extensionReceiverParameter.
extensionReceiverParameter: IrValueParameter?,
// The extension receiver of the function, if any; normally f.extensionReceiverParameter?.type.
extensionParamType: IrType?,
// The type parameters of the function. This does not include type parameters of enclosing classes.
functionTypeParameters: List<IrTypeParameter>,
// The type arguments of enclosing classes of the function.
@@ -1089,11 +1111,7 @@ open class KotlinUsesExtractor(
prefix: String = "callable"
): String {
val parentId = maybeParentId ?: useDeclarationParent(parent, false, classTypeArgsIncludingOuterClasses, true)
val allParams = if (extensionReceiverParameter == null) {
parameters
} else {
listOf(extensionReceiverParameter) + parameters
}
val allParamTypes = if (extensionParamType == null) parameterTypes else listOf(extensionParamType) + parameterTypes
val substitutionMap = classTypeArgsIncludingOuterClasses?.let { notNullArgs ->
if (notNullArgs.isEmpty()) {
@@ -1103,11 +1121,11 @@ open class KotlinUsesExtractor(
enclosingClass?.let { notNullClass -> makeTypeGenericSubstitutionMap(notNullClass, notNullArgs) }
}
}
val getIdForFunctionLabel = { it: IndexedValue<IrValueParameter> ->
val getIdForFunctionLabel = { it: IndexedValue<IrType> ->
// Kotlin rewrites certain Java collections types adding additional generic constraints-- for example,
// Collection.remove(Object) because Collection.remove(Collection::E) in the Kotlin universe.
// If this has happened, erase the type again to get the correct Java signature.
val maybeAmendedForCollections = if (overridesCollectionsMethod) eraseCollectionsMethodParameterType(it.value.type, name, it.index) else it.value.type
val maybeAmendedForCollections = if (overridesCollectionsMethod) eraseCollectionsMethodParameterType(it.value, name, it.index) else it.value
// Add any wildcard types that the Kotlin compiler would add in the Java lowering of this function:
val withAddedWildcards = addJavaLoweringWildcards(maybeAmendedForCollections, addParameterWildcardsByDefault, javaSignature?.let { sig -> getJavaValueParameterType(sig, it.index) })
// Now substitute any class type parameters in:
@@ -1117,7 +1135,7 @@ open class KotlinUsesExtractor(
val maybeErased = if (functionTypeParameters.isEmpty()) maybeSubbed else erase(maybeSubbed)
"{${useType(maybeErased).javaResult.id}}"
}
val paramTypeIds = allParams.withIndex().joinToString(separator = ",", transform = getIdForFunctionLabel)
val paramTypeIds = allParamTypes.withIndex().joinToString(separator = ",", transform = getIdForFunctionLabel)
val labelReturnType =
if (name == "<init>")
pluginContext.irBuiltIns.unitType
@@ -1551,7 +1569,7 @@ open class KotlinUsesExtractor(
* Note that `Array<T>` is retained (with `T` itself erased) because these are expected to be lowered to Java
* arrays, which are not generic.
*/
private fun erase (t: IrType): IrType {
fun erase (t: IrType): IrType {
if (t is IrSimpleType) {
val classifier = t.classifier
val owner = classifier.owner
@@ -1578,6 +1596,8 @@ open class KotlinUsesExtractor(
private fun eraseTypeParameter(t: IrTypeParameter) =
erase(t.superTypes[0])
fun getValueParameterLabel(parentId: Label<out DbElement>?, idx: Int) = "@\"params;{$parentId};$idx\""
/**
* Gets the label for `vp` in the context of function instance `parent`, or in that of its declaring function if
* `parent` is null.
@@ -1607,7 +1627,7 @@ open class KotlinUsesExtractor(
logger.error("Unexpected negative index for parameter")
}
return "@\"params;{$parentId};$idx\""
return getValueParameterLabel(parentId, idx)
}
@@ -1669,7 +1689,7 @@ open class KotlinUsesExtractor(
val returnType = getter?.returnType ?: setter?.valueParameters?.singleOrNull()?.type ?: pluginContext.irBuiltIns.unitType
val typeParams = getFunctionTypeParameters(func)
getFunctionLabel(p.parent, parentId, p.name.asString(), listOf(), returnType, ext, typeParams, classTypeArgsIncludingOuterClasses, overridesCollectionsMethod = false, javaSignature = null, addParameterWildcardsByDefault = false, prefix = "property")
getFunctionLabel(p.parent, parentId, p.name.asString(), listOf(), returnType, ext.type, typeParams, classTypeArgsIncludingOuterClasses, overridesCollectionsMethod = false, javaSignature = null, addParameterWildcardsByDefault = false, prefix = "property")
}
}
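Review bot: The four private helpers introduced at the top of the first hunk (`isOnDeclarationStackWithoutTypeParameters`, `isStaticFunctionOnStackBeforeClass`, `isUnavailableTypeParameter`, `argIsUnavailableTypeParameter`) carry no KDoc, yet their effect in the second hunk is a silent downgrade of what gets extracted: a class use with such an argument becomes a raw type (`args = null`) and a type-parameter use becomes `useType(erase(s), context)`. A one-line comment on `isUnavailableTypeParameter` would pin the contract as the code reads, e.g. `// True for a type parameter that cannot be referenced at the current extraction point: one owned by a function on the declaration stack whose overridden attributes record no type parameters, or by a class that a static function on the stack precedes. Callers fall back to raw or erased types.`, hedged to be confirmed against the declaration-stack semantics, which are not visible here. `erase` also changes from `private fun` to `fun` in a later hunk with no change to its existing KDoc; if another extractor class in this commit now calls it, a short sentence there would explain the widened visibility. The enclosing functions of most hunks begin outside the hunk.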


@@ -10,6 +10,8 @@ string visibility(Method m) {
result = "internal" and m.isInternal()
}
predicate hasPackagePrivateVisibility(Method m) { not exists(visibility(m)) }
// TODO: This ought to check more than just methods
from Method m
where
@@ -19,5 +21,6 @@ where
// TODO: This ought to have visibility information
not m.getName() = "<clinit>" and
count(visibility(m)) != 1 and
not (count(visibility(m)) = 2 and visibility(m) = "public" and visibility(m) = "internal") // This is a reasonable result, since the JVM symbol is declared public, but Kotlin metadata flags it as internal
not (count(visibility(m)) = 2 and visibility(m) = "public" and visibility(m) = "internal") and // This is a reasonable result, since the JVM symbol is declared public, but Kotlin metadata flags it as internal
not (hasPackagePrivateVisibility(m) and m.getName().matches("%$default")) // This is a reasonable result because the $default forwarder methods corresponding to private methods are package-private.
select m, concat(visibility(m), ", ")
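Review bot: `hasPackagePrivateVisibility` has no QLDoc, and its name encodes an assumption the reader cannot check from this file (no result of `visibility/1` means package-private); a one-liner would pin it: `/** Holds if `visibility/1` records no visibility for `m`, which this query treats as package-private. */`. The new last conjunct excludes every package-private method whose name ends in `$default`, which is broader than the "forwarders corresponding to private methods" described in its trailing comment; if the broader match is deliberate the comment should say so, otherwise the filter should also check the corresponding non-default method. The `visibility` predicate and the start of the `where` clause lie outside the hunk.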


@@ -65,7 +65,48 @@ app/src/main/kotlin/testProject/App.kt:
# 0| -3: [TypeAccess] Project
# 0| 0: [VarAccess] name
# 0| 1: [VarAccess] language
# 0| 5: [Method] equals
# 0| 5: [Method] copy$default
# 0| 3: [TypeAccess] Project
#-----| 4: (Parameters)
# 0| 0: [Parameter] p0
# 0| 0: [TypeAccess] Project
# 0| 1: [Parameter] p1
# 0| 0: [TypeAccess] String
# 0| 2: [Parameter] p2
# 0| 0: [TypeAccess] int
# 0| 3: [Parameter] p3
# 0| 0: [TypeAccess] int
# 0| 4: [Parameter] p4
# 0| 0: [TypeAccess] Object
# 0| 5: [BlockStmt] { ... }
# 0| 0: [IfStmt] if (...)
# 0| 0: [EQExpr] ... == ...
# 0| 0: [AndBitwiseExpr] ... & ...
# 0| 0: [IntegerLiteral] 1
# 0| 1: [VarAccess] p3
# 0| 1: [IntegerLiteral] 0
# 0| 1: [ExprStmt] <Expr>;
# 0| 0: [AssignExpr] ...=...
# 0| 0: [VarAccess] p1
# 0| 1: [VarAccess] p0.name
# 0| -1: [VarAccess] p0
# 0| 1: [IfStmt] if (...)
# 0| 0: [EQExpr] ... == ...
# 0| 0: [AndBitwiseExpr] ... & ...
# 0| 0: [IntegerLiteral] 2
# 0| 1: [VarAccess] p3
# 0| 1: [IntegerLiteral] 0
# 0| 1: [ExprStmt] <Expr>;
# 0| 0: [AssignExpr] ...=...
# 0| 0: [VarAccess] p2
# 0| 1: [VarAccess] p0.language
# 0| -1: [VarAccess] p0
# 0| 2: [ReturnStmt] return ...
# 0| 0: [MethodAccess] copy(...)
# 0| -1: [VarAccess] p0
# 0| 0: [VarAccess] p1
# 0| 1: [VarAccess] p2
# 0| 6: [Method] equals
# 0| 3: [TypeAccess] boolean
#-----| 4: (Parameters)
# 0| 0: [Parameter] other
@@ -114,7 +155,7 @@ app/src/main/kotlin/testProject/App.kt:
# 0| 0: [BooleanLiteral] false
# 0| 5: [ReturnStmt] return ...
# 0| 0: [BooleanLiteral] true
# 0| 6: [Method] hashCode
# 0| 7: [Method] hashCode
# 0| 3: [TypeAccess] int
# 0| 5: [BlockStmt] { ... }
# 0| 0: [LocalVariableDeclStmt] var ...;
@@ -134,7 +175,7 @@ app/src/main/kotlin/testProject/App.kt:
# 0| -1: [ThisAccess] this
# 0| 2: [ReturnStmt] return ...
# 0| 0: [VarAccess] result
# 0| 7: [Method] toString
# 0| 8: [Method] toString
# 0| 3: [TypeAccess] String
# 0| 5: [BlockStmt] { ... }
# 0| 0: [ReturnStmt] return ...
@@ -148,7 +189,7 @@ app/src/main/kotlin/testProject/App.kt:
# 0| 5: [VarAccess] this.language
# 0| -1: [ThisAccess] this
# 0| 6: [StringLiteral] )
# 0| 8: [Method] write$Self
# 0| 9: [Method] write$Self
# 0| 3: [TypeAccess] Unit
#-----| 4: (Parameters)
# 0| 0: [Parameter] self
@@ -172,7 +213,7 @@ app/src/main/kotlin/testProject/App.kt:
# 7| 1: [IntegerLiteral] 1
# 7| 2: [MethodAccess] getLanguage(...)
# 7| -1: [VarAccess] self
# 7| 9: [Class] $serializer
# 7| 10: [Class] $serializer
# 0| 1: [FieldDeclaration] SerialDescriptor descriptor;
# 0| -1: [TypeAccess] SerialDescriptor
# 0| 2: [Method] childSerializers
@@ -384,7 +425,7 @@ app/src/main/kotlin/testProject/App.kt:
# 7| -1: [ThisAccess] $serializer.this
# 7| 0: [TypeAccess] $serializer
# 7| 1: [VarAccess] tmp0_serialDesc
# 7| 10: [Class] Companion
# 7| 11: [Class] Companion
# 0| 1: [Method] serializer
# 0| 3: [TypeAccess] KSerializer<Project>
# 0| 0: [TypeAccess] Project
@@ -395,7 +436,7 @@ app/src/main/kotlin/testProject/App.kt:
# 7| 5: [BlockStmt] { ... }
# 7| 0: [SuperConstructorInvocationStmt] super(...)
# 7| 1: [BlockStmt] { ... }
# 8| 11: [Constructor] Project
# 8| 12: [Constructor] Project
#-----| 4: (Parameters)
# 8| 0: [Parameter] name
# 8| 0: [TypeAccess] String
@@ -410,21 +451,21 @@ app/src/main/kotlin/testProject/App.kt:
# 8| 1: [ExprStmt] <Expr>;
# 8| 0: [KtInitializerAssignExpr] ...=...
# 8| 0: [VarAccess] language
# 8| 12: [FieldDeclaration] String name;
# 8| 13: [FieldDeclaration] String name;
# 8| -1: [TypeAccess] String
# 8| 0: [VarAccess] name
# 8| 13: [Method] getName
# 8| 14: [Method] getName
# 8| 3: [TypeAccess] String
# 8| 5: [BlockStmt] { ... }
# 8| 0: [ReturnStmt] return ...
# 8| 0: [VarAccess] this.name
# 8| -1: [ThisAccess] this
# 8| 14: [Method] getLanguage
# 8| 15: [Method] getLanguage
# 8| 3: [TypeAccess] int
# 8| 5: [BlockStmt] { ... }
# 8| 0: [ReturnStmt] return ...
# 8| 0: [VarAccess] this.language
# 8| -1: [ThisAccess] this
# 8| 15: [FieldDeclaration] int language;
# 8| 16: [FieldDeclaration] int language;
# 8| -1: [TypeAccess] int
# 8| 0: [VarAccess] language


@@ -1,39 +0,0 @@
public class User {
public static String source() { return "taint"; }
public static void test(Test2 t2, GenericTest<Integer> gt) {
Test.taintSuppliedAsDefault(1, "no taint", 2);
Test.taintSuppliedAsDefault(1, 2);
Test.noTaintByDefault(1, source(), 2, 3);
Test.noTaintByDefault(1, source(), 2);
Test2.taintSuppliedAsDefaultStatic(1, "no taint", 2);
Test2.taintSuppliedAsDefaultStatic(1, 2);
Test2.noTaintByDefaultStatic(1, source(), 2, 3);
Test2.noTaintByDefaultStatic(1, source(), 2);
t2.taintSuppliedAsDefault(1, "no taint", 2);
t2.taintSuppliedAsDefault(1, 2);
t2.noTaintByDefault(1, source(), 2, 3);
t2.noTaintByDefault(1, source(), 2);
gt.taintSuppliedAsDefault(1, "no taint", 2);
gt.taintSuppliedAsDefault(1, 2);
gt.noTaintByDefault(1, source(), 2, 3);
gt.noTaintByDefault(1, source(), 2);
new ConstructorTaintsByDefault(1, "no taint", 2);
new ConstructorTaintsByDefault(1, 2);
new ConstructorDoesNotTaintByDefault(1, source(), 2, 3);
new ConstructorDoesNotTaintByDefault(1, source(), 2);
new GenericConstructorTaintsByDefault<Integer>(1, "no taint", 2);
new GenericConstructorTaintsByDefault<Integer>(1, 2);
new GenericConstructorDoesNotTaintByDefault<Integer>(1, source(), 2, 3);
new GenericConstructorDoesNotTaintByDefault<Integer>(1, source(), 2);
}
}


@@ -1,19 +0,0 @@
| User.java:9:30:9:37 | source(...) | test.kt:13:97:13:97 | s |
| User.java:10:30:10:37 | source(...) | test.kt:13:97:13:97 | s |
| User.java:14:37:14:44 | source(...) | test.kt:25:105:25:105 | s |
| User.java:15:37:15:44 | source(...) | test.kt:25:105:25:105 | s |
| User.java:19:28:19:35 | source(...) | test.kt:33:97:33:97 | s |
| User.java:20:28:20:35 | source(...) | test.kt:33:97:33:97 | s |
| User.java:24:28:24:35 | source(...) | test.kt:43:93:43:93 | s |
| User.java:25:28:25:35 | source(...) | test.kt:43:93:43:93 | s |
| User.java:29:45:29:52 | source(...) | test.kt:58:10:58:10 | s |
| User.java:30:45:30:52 | source(...) | test.kt:58:10:58:10 | s |
| User.java:34:61:34:68 | source(...) | test.kt:74:10:74:10 | s |
| User.java:35:61:35:68 | source(...) | test.kt:74:10:74:10 | s |
| test.kt:10:55:10:62 | source(...) | test.kt:10:84:10:84 | s |
| test.kt:22:63:22:70 | source(...) | test.kt:22:92:22:92 | s |
| test.kt:22:63:22:70 | source(...) | test.kt:22:92:22:92 | s |
| test.kt:30:55:30:62 | source(...) | test.kt:30:84:30:84 | s |
| test.kt:40:53:40:60 | source(...) | test.kt:40:80:40:80 | s |
| test.kt:47:92:47:99 | source(...) | test.kt:50:10:50:10 | s |
| test.kt:63:100:63:107 | source(...) | test.kt:66:10:66:10 | s |


@@ -1,78 +0,0 @@
fun getString() = "Hello world"
fun source() = "tainted"
fun sink(s: String) { }
object Test {
@JvmOverloads @JvmStatic
fun taintSuppliedAsDefault(before: Int, s: String = source(), after: Int) { sink(s) }
@JvmOverloads @JvmStatic
fun noTaintByDefault(before: Int, s: String = "no taint", after: Int, after2: Int = 1) { sink(s) }
}
public class Test2 {
companion object {
@JvmOverloads @JvmStatic
fun taintSuppliedAsDefaultStatic(before: Int, s: String = source(), after: Int) { sink(s) }
@JvmOverloads @JvmStatic
fun noTaintByDefaultStatic(before: Int, s: String = "no taint", after: Int, after2: Int = 1) { sink(s) }
}
@JvmOverloads
fun taintSuppliedAsDefault(before: Int, s: String = source(), after: Int) { sink(s) }
@JvmOverloads
fun noTaintByDefault(before: Int, s: String = "no taint", after: Int, after2: Int = 1) { sink(s) }
}
public class GenericTest<T> {
@JvmOverloads
fun taintSuppliedAsDefault(before: T, s: String = source(), after: T) { sink(s) }
@JvmOverloads
fun noTaintByDefault(before: T, s: String = "no taint", after: T, after2: Int = 1) { sink(s) }
}
public class ConstructorTaintsByDefault @JvmOverloads constructor(before: Int, s: String = source(), after: Int) {
init {
sink(s)
}
}
public class ConstructorDoesNotTaintByDefault @JvmOverloads constructor(before: Int, s: String = "no taint", after: Int, after2: Int = 1) {
init {
sink(s)
}
}
public class GenericConstructorTaintsByDefault<T> @JvmOverloads constructor(before: T, s: String = source(), after: T) {
init {
sink(s)
}
}
public class GenericConstructorDoesNotTaintByDefault<T> @JvmOverloads constructor(before: T, s: String = "no taint", after: T, after2: T? = null) {
init {
sink(s)
}
}


@@ -1,4 +0,0 @@
from create_database_utils import *
os.mkdir('kbuild')
run_codeql_database_create(["kotlinc test.kt -d kbuild", "javac User.java -cp kbuild"], lang="java")


@@ -1,18 +0,0 @@
import java
import semmle.code.java.dataflow.DataFlow
class Config extends DataFlow::Configuration {
Config() { this = "config" }
override predicate isSource(DataFlow::Node n) {
n.asExpr().(MethodAccess).getCallee().getName() = "source"
}
override predicate isSink(DataFlow::Node n) {
n.asExpr().(Argument).getCall().getCallee().getName() = "sink"
}
}
from Config c, DataFlow::Node source, DataFlow::Node sink
where c.hasFlow(source, sink)
select source, sink


@@ -1,3 +1,9 @@
## 0.4.1
### Minor Analysis Improvements
* Added external flow sources for the intents received in exported Android services.
## 0.4.0
### Breaking Changes


@@ -0,0 +1,5 @@
---
category: minorAnalysis
---
* Added data flow steps for tainted Android intents that are sent to services and receivers.
* Improved the data flow step for tainted Android intents that are sent to activities so that more cases are covered.


@@ -0,0 +1,4 @@
---
category: deprecated
---
* Deprecated `ContextStartActivityMethod`. Use `StartActivityMethod` instead.


@@ -1,4 +1,5 @@
---
category: minorAnalysis
---
## 0.4.1
### Minor Analysis Improvements
* Added external flow sources for the intents received in exported Android services.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.4.0
lastReleaseVersion: 0.4.1


@@ -1,5 +1,5 @@
name: codeql/java-all
version: 0.4.1-dev
version: 0.4.2-dev
groups: java
dbscheme: config/semmlecode.dbscheme
extractor: java


@@ -65,6 +65,8 @@ class Element extends @element, Top {
i = 8 and result = "Proxy static method for a @JvmStatic-annotated function or property"
or
i = 9 and result = "Forwarder for a @JvmOverloads-annotated function"
or
i = 10 and result = "Forwarder for Kotlin calls that need default arguments filling in"
)
}
}


@@ -232,6 +232,7 @@ predicate guardControls_v2(Guard guard, BasicBlock controlled, boolean branch) {
)
}
pragma[nomagic]
private predicate guardControls_v3(Guard guard, BasicBlock controlled, boolean branch) {
guard.directlyControls(controlled, branch)
or


@@ -361,19 +361,7 @@ private class SummaryModelCsvBase extends SummaryModelCsv {
"java.net;URI;false;toURL;;;Argument[-1];ReturnValue;taint;manual",
"java.net;URI;false;toString;;;Argument[-1];ReturnValue;taint;manual",
"java.net;URI;false;toAsciiString;;;Argument[-1];ReturnValue;taint;manual",
"java.io;File;true;toURI;;;Argument[-1];ReturnValue;taint;manual",
"java.io;File;true;toPath;;;Argument[-1];ReturnValue;taint;manual",
"java.io;File;true;getAbsoluteFile;;;Argument[-1];ReturnValue;taint;manual",
"java.io;File;true;getCanonicalFile;;;Argument[-1];ReturnValue;taint;manual",
"java.io;File;true;getAbsolutePath;;;Argument[-1];ReturnValue;taint;manual",
"java.io;File;true;getCanonicalPath;;;Argument[-1];ReturnValue;taint;manual",
"java.nio;ByteBuffer;false;array;();;Argument[-1];ReturnValue;taint;manual",
"java.nio.file;Path;true;normalize;;;Argument[-1];ReturnValue;taint;manual",
"java.nio.file;Path;true;resolve;;;Argument[-1..0];ReturnValue;taint;manual",
"java.nio.file;Path;false;toFile;;;Argument[-1];ReturnValue;taint;manual",
"java.nio.file;Path;true;toString;;;Argument[-1];ReturnValue;taint;manual",
"java.nio.file;Path;true;toUri;;;Argument[-1];ReturnValue;taint;manual",
"java.nio.file;Paths;true;get;;;Argument[0..1];ReturnValue;taint;manual",
"java.io;BufferedReader;true;readLine;;;Argument[-1];ReturnValue;taint;manual",
"java.io;Reader;true;read;();;Argument[-1];ReturnValue;taint;manual",
// arg to return
@@ -400,8 +388,6 @@ private class SummaryModelCsvBase extends SummaryModelCsv {
// arg to arg
"java.lang;System;false;arraycopy;;;Argument[0];Argument[2];taint;manual",
// constructor flow
"java.io;File;false;File;;;Argument[0];Argument[-1];taint;manual",
"java.io;File;false;File;;;Argument[1];Argument[-1];taint;manual",
"java.net;URI;false;URI;(String);;Argument[0];Argument[-1];taint;manual",
"java.net;URL;false;URL;(String);;Argument[0];Argument[-1];taint;manual",
"javax.xml.transform.stream;StreamSource;false;StreamSource;;;Argument[0];Argument[-1];taint;manual",


@@ -750,6 +750,27 @@ module Private {
)
}
/**
* Holds if `p` can reach `n` in a summarized callable, using only value-preserving
* local steps. `clearsOrExpects` records whether any node on the path from `p` to
* `n` either clears or expects contents.
*/
private predicate paramReachesLocal(ParamNode p, Node n, boolean clearsOrExpects) {
viableParam(_, _, _, p) and
n = p and
clearsOrExpects = false
or
exists(Node mid, boolean clearsOrExpectsMid |
paramReachesLocal(p, mid, clearsOrExpectsMid) and
summaryLocalStep(mid, n, true) and
if
summaryClearsContent(n, _) or
summaryExpectsContent(n, _)
then clearsOrExpects = true
else clearsOrExpects = clearsOrExpectsMid
)
}
/**
* Holds if use-use flow starting from `arg` should be prohibited.
*
@@ -759,15 +780,11 @@ module Private {
*/
pragma[nomagic]
predicate prohibitsUseUseFlow(ArgNode arg, SummarizedCallable sc) {
exists(ParamNode p, Node mid, ParameterPosition ppos, Node ret |
exists(ParamNode p, ParameterPosition ppos, Node ret |
paramReachesLocal(p, ret, true) and
p = summaryArgParam0(_, arg, sc) and
p.isParameterOf(_, pragma[only_bind_into](ppos)) and
summaryLocalStep(p, mid, true) and
summaryLocalStep(mid, ret, true) and
isParameterPostUpdate(ret, _, pragma[only_bind_into](ppos))
|
summaryClearsContent(mid, _) or
summaryExpectsContent(mid, _)
)
}
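Review bot: The rewritten `prohibitsUseUseFlow` now also fires when the node that clears or expects content is `ret` itself, because the recursive step of `paramReachesLocal` tests `summaryClearsContent(n, _) or summaryExpectsContent(n, _)` on `n` (which is the post-update node on the final step), whereas the old body only inspected a strictly intermediate `mid`. If that widening is intended, the doc comment on `paramReachesLocal` should state which nodes the flag covers, e.g. `* `n` either clears or expects contents (`n` itself is included, `p` is not).`; if it is not, the check in the recursive case needs to exclude the final node. The base case fixes `clearsOrExpects = false` even when `p` clears content, which matches the old behaviour and is worth mentioning in the same comment. The enclosing `module Private` starts and ends outside the hunk.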


@@ -33,6 +33,57 @@ predicate localExprTaint(Expr src, Expr sink) {
localTaint(DataFlow::exprNode(src), DataFlow::exprNode(sink))
}
/** Holds if `node` is an endpoint for local taint flow. */
signature predicate nodeSig(DataFlow::Node node);
/** Provides local taint flow restricted to a given set of sources and sinks. */
module LocalTaintFlow<nodeSig/1 source, nodeSig/1 sink> {
private predicate reachRev(DataFlow::Node n) {
sink(n)
or
exists(DataFlow::Node mid |
localTaintStep(n, mid) and
reachRev(mid)
)
}
private predicate reachFwd(DataFlow::Node n) {
reachRev(n) and
(
source(n)
or
exists(DataFlow::Node mid |
localTaintStep(mid, n) and
reachFwd(mid)
)
)
}
private predicate step(DataFlow::Node n1, DataFlow::Node n2) {
localTaintStep(n1, n2) and
reachFwd(n1) and
reachFwd(n2)
}
/**
* Holds if taint can flow from `n1` to `n2` in zero or more local
* (intra-procedural) steps that are restricted to be part of a path between
* `source` and `sink`.
*/
pragma[inline]
predicate hasFlow(DataFlow::Node n1, DataFlow::Node n2) { step*(n1, n2) }
/**
* Holds if taint can flow from `n1` to `n2` in zero or more local
* (intra-procedural) steps that are restricted to be part of a path between
* `source` and `sink`.
*/
pragma[inline]
predicate hasExprFlow(Expr n1, Expr n2) {
hasFlow(DataFlow::exprNode(n1), DataFlow::exprNode(n2))
}
}
cached
private module Cached {
private import DataFlowImplCommon as DataFlowImplCommon
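Review bot: The doc comment on `hasExprFlow` is a verbatim copy of the one on `hasFlow` and still describes `n1` and `n2` as nodes, although here they are `Expr` values wrapped by `DataFlow::exprNode`. Its first line should read `* Holds if taint can flow from expression n1 to expression n2 in zero or more local`, mirroring how `localExprTaint` is documented relative to `localTaint` just above. `reachRev`, `reachFwd` and `step` are private but undocumented, and the pruning they implement is the whole point of the module; a one-liner such as `/** Holds if n can reach a sink via local taint steps. */` on `reachRev` and `/** Holds if n lies on a local taint path from a source to a sink. */` on `reachFwd` would make that intent clear. The `Cached` module at the end of the hunk continues outside it.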
