hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-16 16:53:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

reword alert-message go/user-controlled-bypass to avoid using "here"

Browse Source
This commit is contained in:
erik-krogh
2022-09-20 22:46:38 +02:00
parent 83bedc0320
commit 175d3acf4d
2 changed files with 5 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
go/ql/src/experimental/CWE-840/ConditionalBypass.ql
View File

@@ -35,6 +35,5 @@ where
rhs.getNode().asExpr() = c.getRightOperand() and
config.hasFlowPath(lhsSource, lhs) and
lhs.getNode().asExpr() = c.getLeftOperand()
select c,
"This comparison compares user-controlled values from $@ and $@, and hence can be bypassed.",
lhsSource, "here", rhsSource, "here"
select c, "This comparison of a $@ with another $@ can be bypassed by a malicious user.",
lhsSource.getNode(), "user-controlled value", rhsSource.getNode(), "user-controlled value"

6
go/ql/test/experimental/CWE-840/ConditionalBypass.expected
View File

@@ -1,3 +1,3 @@
| ConditionalBypassBad.go:9:5:9:46 | ...!=... | This comparison compares user-controlled values from $@ and $@, and hence can be bypassed. | ConditionalBypassBad.go:9:5:9:12 | selection of Header : Header | here | ConditionalBypassBad.go:9:41:9:46 | selection of Host : string | here |
| condition.go:9:5:9:46 | ...!=... | This comparison compares user-controlled values from $@ and $@, and hence can be bypassed. | condition.go:9:5:9:12 | selection of Header : Header | here | condition.go:9:41:9:46 | selection of Host : string | here |
| condition.go:16:5:16:62 | ...!=... | This comparison compares user-controlled values from $@ and $@, and hence can be bypassed. | condition.go:16:5:16:12 | selection of Header : Header | here | condition.go:16:41:16:48 | selection of Header : Header | here |
| ConditionalBypassBad.go:9:5:9:46 | ...!=... | This comparison of a $@ with another $@ can be bypassed by a malicious user. | ConditionalBypassBad.go:9:5:9:12 | selection of Header | user-controlled value | ConditionalBypassBad.go:9:41:9:46 | selection of Host | user-controlled value |
| condition.go:9:5:9:46 | ...!=... | This comparison of a $@ with another $@ can be bypassed by a malicious user. | condition.go:9:5:9:12 | selection of Header | user-controlled value | condition.go:9:41:9:46 | selection of Host | user-controlled value |
| condition.go:16:5:16:62 | ...!=... | This comparison of a $@ with another $@ can be bypassed by a malicious user. | condition.go:16:5:16:12 | selection of Header | user-controlled value | condition.go:16:41:16:48 | selection of Header | user-controlled value |