Merge pull request #18437 from github/post-release-prep/codeql-cli-2.20.1

Post-release preparation for codeql-cli-2.20.1
Dave Bartolomeo
2025-01-08 14:33:34 -05:00
committed by GitHub
197 changed files with 467 additions and 630 deletions

View File

@@ -0,0 +1,5 @@
## 0.4.0
### New Features
* Initial public preview release

View File

@@ -0,0 +1,5 @@
## 0.4.0
### New Features
* Initial public preview release

View File

@@ -0,0 +1,2 @@
---
lastReleaseVersion: 0.4.0

View File

@@ -1,5 +1,5 @@
name: codeql/actions-all
version: 0.4.0-dev
version: 0.4.1-dev
library: true
warnOnImplicitThis: true
dependencies:

View File

@@ -1,4 +1,5 @@
---
category: feature
---
## 0.4.0
### New Queries
* Initial public preview release

View File

@@ -1,4 +1,5 @@
---
category: newQuery
---
## 0.4.0
### New Queries
* Initial public preview release

View File

@@ -0,0 +1,2 @@
---
lastReleaseVersion: 0.4.0

View File

@@ -1,5 +1,5 @@
name: codeql/actions-queries
version: 0.4.0-dev
version: 0.4.1-dev
library: false
warnOnImplicitThis: true
groups: [actions, queries]

View File

@@ -1,3 +1,22 @@
## 3.1.0
### Deprecated APIs
* The `TemplateParameter` class, representing C++ type template parameters has been deprecated. Use `TypeTemplateParameter` instead.
### New Features
* New classes `SizeofPackExprOperator` and `SizeofPackTypeOperator` were introduced, which represent the C++ `sizeof...` operator taking expressions and type arguments, respectively.
* A new class `TemplateTemplateParameterInstantiation` was introduced, which represents instantiations of template template parameters.
* A new predicate `getAnInstantiation` was added to the `TemplateTemplateParameter` class, which yields instantiations of template template parameters.
* The `getTemplateArgumentType` and `getTemplateArgumentValue` predicates of the `Declaration` class now also yield template arguments of template template parameters.
* A new class `NonTypeTemplateParameter` was introduced, which represents C++ non-type template parameters.
* A new class `TemplateParameterBase` was introduced, which represents C++ non-type template parameters, type template parameters, and template template parameters.
### Minor Analysis Improvements
* The `Guards` library (`semmle.code.cpp.controlflow.Guards`) has been improved to recognize more guard conditions.
## 3.0.0
### Breaking Changes

View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* The `Guards` library (`semmle.code.cpp.controlflow.Guards`) has been improved to recognize more guard conditions.

View File

@@ -1,4 +0,0 @@
---
category: feature
---
* A new class `TemplateParameterBase` was introduced, which represents C++ non-type template parameters, type template parameters, and template template parameters.

View File

@@ -1,4 +0,0 @@
---
category: deprecated
---
* The `TemplateParameter` class, representing C++ type template parameters has been deprecated. Use `TypeTemplateParameter` instead.

View File

@@ -1,4 +0,0 @@
---
category: feature
---
* A new class `NonTypeTemplateParameter` was introduced, which represents C++ non-type template parameters.

View File

@@ -1,4 +0,0 @@
---
category: feature
---
* New classes `SizeofPackExprOperator` and `SizeofPackTypeOperator` were introduced, which represent the C++ `sizeof...` operator taking expressions and type arguments, respectively.

View File

@@ -1,6 +0,0 @@
---
category: feature
---
* A new class `TemplateTemplateParameterInstantiation` was introduced, which represents instantiations of template template parameters.
* A new predicate `getAnInstantiation` was added to the `TemplateTemplateParameter` class, which yields instantiations of template template parameters.
* The `getTemplateArgumentType` and `getTemplateArgumentValue` predicates of the `Declaration` class now also yield template arguments of template template parameters.

View File

@@ -0,0 +1,18 @@
## 3.1.0
### Deprecated APIs
* The `TemplateParameter` class, representing C++ type template parameters has been deprecated. Use `TypeTemplateParameter` instead.
### New Features
* New classes `SizeofPackExprOperator` and `SizeofPackTypeOperator` were introduced, which represent the C++ `sizeof...` operator taking expressions and type arguments, respectively.
* A new class `TemplateTemplateParameterInstantiation` was introduced, which represents instantiations of template template parameters.
* A new predicate `getAnInstantiation` was added to the `TemplateTemplateParameter` class, which yields instantiations of template template parameters.
* The `getTemplateArgumentType` and `getTemplateArgumentValue` predicates of the `Declaration` class now also yield template arguments of template template parameters.
* A new class `NonTypeTemplateParameter` was introduced, which represents C++ non-type template parameters.
* A new class `TemplateParameterBase` was introduced, which represents C++ non-type template parameters, type template parameters, and template template parameters.
### Minor Analysis Improvements
* The `Guards` library (`semmle.code.cpp.controlflow.Guards`) has been improved to recognize more guard conditions.

View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 3.0.0
lastReleaseVersion: 3.1.0

View File

@@ -1,5 +1,5 @@
name: codeql/cpp-all
version: 3.0.1-dev
version: 3.1.1-dev
groups: cpp
dbscheme: semmlecode.cpp.dbscheme
extractor: cpp

View File

@@ -1,3 +1,13 @@
## 1.3.1
### Minor Analysis Improvements
* The "Returning stack-allocated memory" query (`cpp/return-stack-allocated-memory`) no longer produces results if there is an extraction error in the returned expression.
* The "Badly bounded write" query (`cpp/badly-bounded-write`) no longer produces results if there is an extraction error in the type of the output buffer.
* The "Too few arguments to formatting function" query (`cpp/wrong-number-format-arguments`) no longer produces results if an argument has an extraction error.
* The "Wrong type of arguments to formatting function" query (`cpp/wrong-type-format-argument`) no longer produces results when an argument type has an extraction error.
* Added dataflow models and flow sources for Microsoft's Active Template Library (ATL).
## 1.3.0
### New Queries

View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Added dataflow models and flow sources for Microsoft's Active Template Library (ATL).

View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* The "Badly bounded write" query (`cpp/badly-bounded-write`) no longer produces results if there is an extraction error in the type of the output buffer.

View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* The "Too few arguments to formatting function" query (`cpp/wrong-number-format-arguments`) no longer produces results if an argument has an extraction error.

View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* The "Wrong type of arguments to formatting function" query (`cpp/wrong-type-format-argument`) no longer produces results when an argument type has an extraction error.

View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* The "Returning stack-allocated memory" query (`cpp/return-stack-allocated-memory`) no longer produces results if there is an extraction error in the returned expression.

View File

@@ -0,0 +1,9 @@
## 1.3.1
### Minor Analysis Improvements
* The "Returning stack-allocated memory" query (`cpp/return-stack-allocated-memory`) no longer produces results if there is an extraction error in the returned expression.
* The "Badly bounded write" query (`cpp/badly-bounded-write`) no longer produces results if there is an extraction error in the type of the output buffer.
* The "Too few arguments to formatting function" query (`cpp/wrong-number-format-arguments`) no longer produces results if an argument has an extraction error.
* The "Wrong type of arguments to formatting function" query (`cpp/wrong-type-format-argument`) no longer produces results when an argument type has an extraction error.
* Added dataflow models and flow sources for Microsoft's Active Template Library (ATL).

View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.3.0
lastReleaseVersion: 1.3.1

View File

@@ -1,5 +1,5 @@
name: codeql/cpp-queries
version: 1.3.1-dev
version: 1.3.2-dev
groups:
- cpp
- queries

View File

@@ -1,3 +1,7 @@
## 1.7.31
No user-facing changes.
## 1.7.30
No user-facing changes.

View File

@@ -0,0 +1,3 @@
## 1.7.31
No user-facing changes.

View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.7.30
lastReleaseVersion: 1.7.31

View File

@@ -1,5 +1,5 @@
name: codeql/csharp-solorigate-all
version: 1.7.31-dev
version: 1.7.32-dev
groups:
- csharp
- solorigate

View File

@@ -1,3 +1,7 @@
## 1.7.31
No user-facing changes.
## 1.7.30
No user-facing changes.

View File

@@ -0,0 +1,3 @@
## 1.7.31
No user-facing changes.

View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.7.30
lastReleaseVersion: 1.7.31

View File

@@ -1,5 +1,5 @@
name: codeql/csharp-solorigate-queries
version: 1.7.31-dev
version: 1.7.32-dev
groups:
- csharp
- solorigate

View File

@@ -1,3 +1,16 @@
## 4.0.1
### Minor Analysis Improvements
* C# 13: Added QL library support for *collection* like type `params` parameters.
* Added `remote` flow source models for properties of Blazor components annotated with any of the following attributes from `Microsoft.AspNetCore.Components`:
- `[SupplyParameterFromForm]`
- `[SupplyParameterFromQuery]`
* Added the constructor and explicit cast operator of `Microsoft.AspNetCore.Components.MarkupString` as an `html-injection` sink. This will help catch cross-site scripting resulting from using `MarkupString`.
* Added flow summaries for the `Microsoft.AspNetCore.Mvc.Controller::View` method.
* The data flow library has been updated to track types in a slightly different way: The type of the tainted data (which may be stored into fields, etc.) is tracked more precisely, while the types of intermediate containers for nested contents is tracked less precisely. This may have a slight effect on false positives for complex flow paths.
* The C# extractor now supports *basic* extraction of .NET 9 projects. There might be limited support for extraction of code using the new C# 13 language features.
## 4.0.0
### Breaking Changes

View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* The data flow library has been updated to track types in a slightly different way: The type of the tainted data (which may be stored into fields, etc.) is tracked more precisely, while the types of intermediate containers for nested contents is tracked less precisely. This may have a slight effect on false positives for complex flow paths.

View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* The C# extractor now supports *basic* extraction of .NET 9 projects. There might be limited support for extraction of code using the new C# 13 language features.

View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Added flow summaries for the `Microsoft.AspNetCore.Mvc.Controller::View` method.

View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Added the constructor and explicit cast operator of `Microsoft.AspNetCore.Components.MarkupString` as an `html-injection` sink. This will help catch cross-site scripting resulting from using `MarkupString`.

View File

@@ -1,6 +0,0 @@
---
category: minorAnalysis
---
* Added `remote` flow source models for properties of Blazor components annotated with any of the following attributes from `Microsoft.AspNetCore.Components`:
- `[SupplyParameterFromForm]`
- `[SupplyParameterFromQuery]`

View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* C# 13: Added QL library support for *collection* like type `params` parameters.

View File

@@ -0,0 +1,12 @@
## 4.0.1
### Minor Analysis Improvements
* C# 13: Added QL library support for *collection* like type `params` parameters.
* Added `remote` flow source models for properties of Blazor components annotated with any of the following attributes from `Microsoft.AspNetCore.Components`:
- `[SupplyParameterFromForm]`
- `[SupplyParameterFromQuery]`
* Added the constructor and explicit cast operator of `Microsoft.AspNetCore.Components.MarkupString` as an `html-injection` sink. This will help catch cross-site scripting resulting from using `MarkupString`.
* Added flow summaries for the `Microsoft.AspNetCore.Mvc.Controller::View` method.
* The data flow library has been updated to track types in a slightly different way: The type of the tainted data (which may be stored into fields, etc.) is tracked more precisely, while the types of intermediate containers for nested contents is tracked less precisely. This may have a slight effect on false positives for complex flow paths.
* The C# extractor now supports *basic* extraction of .NET 9 projects. There might be limited support for extraction of code using the new C# 13 language features.

View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 4.0.0
lastReleaseVersion: 4.0.1

View File

@@ -1,5 +1,5 @@
name: codeql/csharp-all
version: 4.0.1-dev
version: 4.0.2-dev
groups: csharp
dbscheme: semmlecode.csharp.dbscheme
extractor: csharp

View File

@@ -1,3 +1,9 @@
## 1.0.14
### Minor Analysis Improvements
* The `ExternalApi` and `TestLibrary` modules have been moved to the library pack.
## 1.0.13
### Minor Analysis Improvements

View File

@@ -1,4 +1,5 @@
---
category: minorAnalysis
---
## 1.0.14
### Minor Analysis Improvements
* The `ExternalApi` and `TestLibrary` modules have been moved to the library pack.

View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.0.13
lastReleaseVersion: 1.0.14

View File

@@ -1,5 +1,5 @@
name: codeql/csharp-queries
version: 1.0.14-dev
version: 1.0.15-dev
groups:
- csharp
- queries

View File

@@ -1,3 +1,7 @@
## 1.0.14
No user-facing changes.
## 1.0.13
No user-facing changes.

View File

@@ -0,0 +1,3 @@
## 1.0.14
No user-facing changes.

View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.0.13
lastReleaseVersion: 1.0.14

View File

@@ -1,5 +1,5 @@
name: codeql-go-consistency-queries
version: 1.0.14-dev
version: 1.0.15-dev
groups:
- go
- queries

View File

@@ -1,3 +1,9 @@
## 3.0.1
### Minor Analysis Improvements
* Added a `commandargs` local source model for the `os.Args` variable.
## 3.0.0
### Breaking Changes

View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Data flow out of variadic parameters now works in more situations. Summary models defined using models-as-data work. Source models defined using models-as-data do not work yet.
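
Review bot: This deleted change note is not carried into the 3.0.1 changelog, which lists only the `commandargs` source model for `os.Args`. In the other packs touched by this commit each deleted note reappears in the released changelog, so either add the variadic-parameter entry to 3.0.1 or state in the commit message that the feature is being backed out rather than released.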

View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Source models defined using models-as-data now work for variadic parameters.

View File

@@ -1,5 +1,5 @@
---
category: minorAnalysis
---
* Added a `commandargs` local source model for the `os.Args` variable.
## 3.0.1
### Minor Analysis Improvements
* Added a `commandargs` local source model for the `os.Args` variable.

View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 3.0.0
lastReleaseVersion: 3.0.1

View File

@@ -1,5 +1,5 @@
name: codeql/go-all
version: 3.0.1-dev
version: 3.0.2-dev
groups: go
dbscheme: go.dbscheme
extractor: go

View File

@@ -66,11 +66,6 @@ predicate containerReadStep(Node node1, Node node2, Content c) {
(
node2.(Read).readsElement(node1, _)
or
exists(ImplicitVarargsSlice ivs |
node1.(PostUpdateNode).getPreUpdateNode() = ivs and
node2.(PostUpdateNode).getPreUpdateNode() = ivs.getCallNode().getAnImplicitVarargsArgument()
)
or
node2.(RangeElementNode).getBase() = node1
or
// To model data flow from array elements of the base of a `SliceNode` to
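
Review bot: Removing the `exists(ImplicitVarargsSlice ivs | ...)` disjunct from `containerReadStep` is a behaviour change, not release bookkeeping: it was the step linking the post-update node of the implicit varargs slice to the post-update nodes of the individual variadic arguments. A commit titled "Post-release preparation" should not silently alter data flow, so split this into its own change or explain the reason in the message.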

View File

@@ -845,9 +845,6 @@ module Public {
or
preupd = getAWrittenNode()
or
preupd instanceof ImplicitVarargsSlice and
mutableType(preupd.(ImplicitVarargsSlice).getType().(SliceType).getElementType())
or
preupd = any(ArgumentNode arg).getACorrespondingSyntacticArgument() and
mutableType(preupd.getType())
) and

View File

@@ -458,13 +458,3 @@ class ContentApprox = Unit;
/** Gets an approximated value for content `c`. */
pragma[inline]
ContentApprox getContentApprox(Content c) { any() }
/**
* Holds if the the content `c` is a container.
*/
predicate containerContent(ContentSet c) {
c instanceof ArrayContent or
c instanceof CollectionContent or
c instanceof MapKeyContent or
c instanceof MapValueContent
}
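
Review bot: `containerContent` is removed here without a deprecation period and it is not declared `private`, so any importer other than the use dropped from `localTaintStep` will stop compiling. Confirm there are no remaining references before merging.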

View File

@@ -27,21 +27,11 @@ predicate localExprTaint(Expr src, Expr sink) {
* Holds if taint can flow in one local step from `src` to `sink`.
*/
predicate localTaintStep(DataFlow::Node src, DataFlow::Node sink) {
DataFlow::localFlowStep(src, sink)
or
localAdditionalTaintStep(src, sink, _)
or
DataFlow::localFlowStep(src, sink) or
localAdditionalTaintStep(src, sink, _) or
// Simple flow through library code is included in the exposed local
// step relation, even though flow is technically inter-procedural
FlowSummaryImpl::Private::Steps::summaryThroughStepTaint(src, sink, _)
or
// Treat container flow as taint for the local taint flow relation
exists(DataFlow::Content c | DataFlowPrivate::containerContent(c) |
DataFlowPrivate::readStep(src, c, sink) or
DataFlowPrivate::storeStep(src, c, sink) or
FlowSummaryImpl::Private::Steps::summaryGetterStep(src, c, sink, _) or
FlowSummaryImpl::Private::Steps::summarySetterStep(src, c, sink, _)
)
}
private Type getElementType(Type containerType) {
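
Review bot: Dropping the "Treat container flow as taint" disjunct from `localTaintStep` narrows the local taint relation, because read and store steps through `ArrayContent`, `CollectionContent`, `MapKeyContent` and `MapValueContent` no longer count as local taint. Queries built on `localTaintStep` can lose results, and nothing in the Go changelog hunks mentions it; add a change note or keep the disjunct.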
@@ -98,18 +88,12 @@ class AdditionalTaintStep extends Unit {
*/
predicate localAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ, string model) {
(
referenceStep(pred, succ)
or
elementWriteStep(pred, succ)
or
fieldReadStep(pred, succ)
or
elementStep(pred, succ)
or
tupleStep(pred, succ)
or
stringConcatStep(pred, succ)
or
referenceStep(pred, succ) or
elementWriteStep(pred, succ) or
fieldReadStep(pred, succ) or
elementStep(pred, succ) or
tupleStep(pred, succ) or
stringConcatStep(pred, succ) or
sliceStep(pred, succ)
) and
model = ""
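
Review bot: The disjunction in `localAdditionalTaintStep` now uses trailing `or` (`referenceStep(pred, succ) or`), while the other predicates on this page, for example `containerReadStep`, put `or` on its own line. Keep the one-`or`-per-line layout so the file stays consistent and later diffs touch only the disjunct that changes.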
@@ -179,12 +163,6 @@ predicate elementStep(DataFlow::Node pred, DataFlow::Node succ) {
// only step into the value, not the index
succ.asInstruction() = IR::extractTupleElement(nextEntry, 1)
)
or
exists(DataFlow::ImplicitVarargsSlice ivs |
pred.(DataFlow::PostUpdateNode).getPreUpdateNode() = ivs and
succ.(DataFlow::PostUpdateNode).getPreUpdateNode() =
ivs.getCallNode().getAnImplicitVarargsArgument()
)
}
/** Holds if taint flows from `pred` to `succ` via an extract tuple operation. */

View File

@@ -1,3 +1,7 @@
## 1.1.5
No user-facing changes.
## 1.1.4
### Minor Analysis Improvements

View File

@@ -0,0 +1,3 @@
## 1.1.5
No user-facing changes.

View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.1.4
lastReleaseVersion: 1.1.5

View File

@@ -1,5 +1,5 @@
name: codeql/go-queries
version: 1.1.5-dev
version: 1.1.6-dev
groups:
- go
- queries

View File

@@ -9,9 +9,9 @@ import semmle.go.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl
import utils.test.InlineFlowTest
module Config implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { sourceNode(source, "qltest") }
predicate isSource(DataFlow::Node src) { sourceNode(src, "qltest") }
predicate isSink(DataFlow::Node sink) { sinkNode(sink, "qltest") }
predicate isSink(DataFlow::Node src) { sinkNode(src, "qltest") }
}
import ValueFlowTest<Config>
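
Review bot: In `isSink` the parameter is now named `src` (`predicate isSink(DataFlow::Node src) { sinkNode(src, "qltest") }`), which reads as a source inside a sink predicate. Keep `sink` as the parameter name; the rename in `isSource` from `source` to `src` is harmless, but this one is misleading.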

View File

@@ -5,36 +5,24 @@
| main.go:38:19:38:19 | 3 | main.go:38:7:38:20 | slice literal |
| main.go:39:8:39:25 | []type{args} | main.go:39:8:39:25 | call to append |
| main.go:39:15:39:15 | s | main.go:39:8:39:25 | call to append |
| main.go:39:18:39:18 | 4 | main.go:39:8:39:25 | []type{args} |
| main.go:39:21:39:21 | 5 | main.go:39:8:39:25 | []type{args} |
| main.go:39:24:39:24 | 6 | main.go:39:8:39:25 | []type{args} |
| main.go:40:15:40:15 | s | main.go:40:8:40:23 | call to append |
| main.go:40:18:40:19 | s1 | main.go:40:8:40:23 | call to append |
| main.go:42:10:42:11 | s4 | main.go:38:2:38:2 | definition of s |
| main.go:47:20:47:21 | next key-value pair in range | main.go:47:2:50:2 | range statement[0] |
| main.go:47:20:47:21 | next key-value pair in range | main.go:47:2:50:2 | range statement[1] |
| main.go:47:20:47:21 | xs | main.go:47:2:50:2 | range statement[1] |
| main.go:56:8:56:11 | true | main.go:56:2:56:3 | ch |
| main.go:57:4:57:5 | ch | main.go:57:2:57:5 | <-... |
| strings.go:9:24:9:24 | s | strings.go:9:8:9:38 | call to Replace |
| strings.go:9:32:9:34 | "_" | strings.go:9:8:9:38 | call to Replace |
| strings.go:10:27:10:27 | s | strings.go:10:8:10:42 | call to ReplaceAll |
| strings.go:10:35:10:41 | "&amp;" | strings.go:10:8:10:42 | call to ReplaceAll |
| strings.go:11:9:11:26 | []type{args} | strings.go:11:9:11:26 | call to Sprint |
| strings.go:11:9:11:26 | call to Sprint | strings.go:11:9:11:50 | ...+... |
| strings.go:11:9:11:50 | ...+... | strings.go:11:9:11:69 | ...+... |
| strings.go:11:20:11:21 | s2 | strings.go:11:9:11:26 | []type{args} |
| strings.go:11:20:11:21 | s2 | strings.go:11:9:11:26 | call to Sprint |
| strings.go:11:24:11:25 | s3 | strings.go:11:9:11:26 | []type{args} |
| strings.go:11:24:11:25 | s3 | strings.go:11:9:11:26 | call to Sprint |
| strings.go:11:30:11:50 | []type{args} | strings.go:11:30:11:50 | call to Sprintf |
| strings.go:11:30:11:50 | call to Sprintf | strings.go:11:9:11:50 | ...+... |
| strings.go:11:42:11:45 | "%q" | strings.go:11:30:11:50 | call to Sprintf |
| strings.go:11:48:11:49 | s2 | strings.go:11:30:11:50 | []type{args} |
| strings.go:11:48:11:49 | s2 | strings.go:11:30:11:50 | call to Sprintf |
| strings.go:11:54:11:69 | []type{args} | strings.go:11:54:11:69 | call to Sprintln |
| strings.go:11:54:11:69 | call to Sprintln | strings.go:11:9:11:69 | ...+... |
| strings.go:11:67:11:68 | s3 | strings.go:11:54:11:69 | []type{args} |
| strings.go:11:67:11:68 | s3 | strings.go:11:54:11:69 | call to Sprintln |
| url.go:12:14:12:48 | call to PathUnescape | url.go:12:3:12:48 | ... = ...[0] |
| url.go:12:14:12:48 | call to PathUnescape | url.go:12:3:12:48 | ... = ...[1] |
@@ -51,25 +39,17 @@
| url.go:27:9:27:30 | call to ParseRequestURI | url.go:27:2:27:30 | ... = ...[1] |
| url.go:27:29:27:29 | s | url.go:27:2:27:30 | ... = ...[0] |
| url.go:28:14:28:14 | u | url.go:28:14:28:28 | call to EscapedPath |
| url.go:28:14:28:28 | call to EscapedPath | url.go:28:2:28:29 | []type{args} |
| url.go:29:14:29:14 | u | url.go:29:14:29:25 | call to Hostname |
| url.go:29:14:29:25 | call to Hostname | url.go:29:2:29:26 | []type{args} |
| url.go:30:11:30:11 | u | url.go:30:2:30:27 | ... := ...[0] |
| url.go:30:11:30:27 | call to MarshalBinary | url.go:30:2:30:27 | ... := ...[0] |
| url.go:30:11:30:27 | call to MarshalBinary | url.go:30:2:30:27 | ... := ...[1] |
| url.go:31:2:31:16 | []type{args} | url.go:30:2:30:3 | definition of bs |
| url.go:31:14:31:15 | bs | url.go:31:2:31:16 | []type{args} |
| url.go:32:9:32:9 | u | url.go:32:2:32:23 | ... = ...[0] |
| url.go:32:9:32:23 | call to Parse | url.go:32:2:32:23 | ... = ...[0] |
| url.go:32:9:32:23 | call to Parse | url.go:32:2:32:23 | ... = ...[1] |
| url.go:32:17:32:22 | "/foo" | url.go:32:2:32:23 | ... = ...[0] |
| url.go:33:14:33:14 | u | url.go:33:14:33:21 | call to Port |
| url.go:33:14:33:21 | call to Port | url.go:33:2:33:22 | []type{args} |
| url.go:34:2:34:23 | []type{args} | url.go:34:14:34:22 | call to Query |
| url.go:34:14:34:14 | u | url.go:34:14:34:22 | call to Query |
| url.go:34:14:34:22 | call to Query | url.go:34:2:34:23 | []type{args} |
| url.go:35:14:35:14 | u | url.go:35:14:35:27 | call to RequestURI |
| url.go:35:14:35:27 | call to RequestURI | url.go:35:2:35:28 | []type{args} |
| url.go:36:6:36:6 | u | url.go:36:6:36:26 | call to ResolveReference |
| url.go:36:25:36:25 | u | url.go:36:6:36:26 | call to ResolveReference |
| url.go:41:17:41:20 | "me" | url.go:41:8:41:21 | call to User |
@@ -78,35 +58,27 @@
| url.go:43:11:43:12 | ui | url.go:43:2:43:23 | ... := ...[0] |
| url.go:43:11:43:23 | call to Password | url.go:43:2:43:23 | ... := ...[0] |
| url.go:43:11:43:23 | call to Password | url.go:43:2:43:23 | ... := ...[1] |
| url.go:44:14:44:15 | pw | url.go:44:2:44:16 | []type{args} |
| url.go:45:14:45:15 | ui | url.go:45:14:45:26 | call to Username |
| url.go:45:14:45:26 | call to Username | url.go:45:2:45:27 | []type{args} |
| url.go:50:10:50:26 | call to ParseQuery | url.go:50:2:50:26 | ... := ...[0] |
| url.go:50:10:50:26 | call to ParseQuery | url.go:50:2:50:26 | ... := ...[1] |
| url.go:50:25:50:25 | q | url.go:50:2:50:26 | ... := ...[0] |
| url.go:51:14:51:14 | v | url.go:51:14:51:23 | call to Encode |
| url.go:51:14:51:23 | call to Encode | url.go:51:2:51:24 | []type{args} |
| url.go:52:14:52:14 | v | url.go:52:14:52:26 | call to Get |
| url.go:52:14:52:26 | call to Get | url.go:52:2:52:27 | []type{args} |
| url.go:57:16:57:39 | call to JoinPath | url.go:57:2:57:39 | ... := ...[0] |
| url.go:57:16:57:39 | call to JoinPath | url.go:57:2:57:39 | ... := ...[1] |
| url.go:57:29:57:29 | q | url.go:57:2:57:39 | ... := ...[0] |
| url.go:57:32:57:38 | "clean" | url.go:57:2:57:39 | ... := ...[0] |
| url.go:57:32:57:38 | "clean" | url.go:57:16:57:39 | []type{args} |
| url.go:58:16:58:45 | call to JoinPath | url.go:58:2:58:45 | ... := ...[0] |
| url.go:58:16:58:45 | call to JoinPath | url.go:58:2:58:45 | ... := ...[1] |
| url.go:58:29:58:35 | "clean" | url.go:58:2:58:45 | ... := ...[0] |
| url.go:58:38:58:44 | joined1 | url.go:58:2:58:45 | ... := ...[0] |
| url.go:58:38:58:44 | joined1 | url.go:58:16:58:45 | []type{args} |
| url.go:59:14:59:31 | call to Parse | url.go:59:2:59:31 | ... := ...[0] |
| url.go:59:14:59:31 | call to Parse | url.go:59:2:59:31 | ... := ...[1] |
| url.go:59:24:59:30 | joined2 | url.go:59:2:59:31 | ... := ...[0] |
| url.go:60:15:60:19 | asUrl | url.go:60:15:60:37 | call to JoinPath |
| url.go:60:30:60:36 | "clean" | url.go:60:15:60:37 | []type{args} |
| url.go:60:30:60:36 | "clean" | url.go:60:15:60:37 | call to JoinPath |
| url.go:65:17:65:48 | call to Parse | url.go:65:2:65:48 | ... := ...[0] |
| url.go:65:17:65:48 | call to Parse | url.go:65:2:65:48 | ... := ...[1] |
| url.go:65:27:65:47 | "http://harmless.org" | url.go:65:2:65:48 | ... := ...[0] |
| url.go:66:9:66:16 | cleanUrl | url.go:66:9:66:28 | call to JoinPath |
| url.go:66:27:66:27 | q | url.go:66:9:66:28 | []type{args} |
| url.go:66:27:66:27 | q | url.go:66:9:66:28 | call to JoinPath |

View File

@@ -4,7 +4,7 @@ func source() string {
return "untrusted data"
}
func sink(any) {
func sink(string) {
}
type A struct {
@@ -19,10 +19,6 @@ func functionWithVarArgsParameter(s ...string) string {
return s[1]
}
func functionWithVarArgsOutParameter(in string, out ...*string) {
*out[0] = in
}
func functionWithSliceOfStructsParameter(s []A) string {
return s[1].f
}
@@ -42,12 +38,6 @@ func main() {
sink(functionWithVarArgsParameter(sSlice...)) // $ hasValueFlow="call to functionWithVarArgsParameter"
sink(functionWithVarArgsParameter(s0, s1)) // $ hasValueFlow="call to functionWithVarArgsParameter"
var out1 *string
var out2 *string
functionWithVarArgsOutParameter(source(), out1, out2)
sink(out1) // $ MISSING: hasValueFlow="out1"
sink(out2) // $ MISSING: hasValueFlow="out2"
sliceOfStructs := []A{{f: source()}}
sink(sliceOfStructs[0].f) // $ hasValueFlow="selection of f"
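
Review bot: The removed `sink(out1)` and `sink(out2)` lines carried `MISSING: hasValueFlow` annotations, so they documented a known gap for variadic out-parameters rather than a passing expectation. Deleting them, together with narrowing `sink(any)` to `sink(string)` so that a `*string` can no longer be passed, loses that record; keep the case with its MISSING markers unless the gap is tracked elsewhere.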

View File

@@ -1,2 +0,0 @@
testFailures
invalidModelRow

View File

@@ -1,21 +0,0 @@
extensions:
- addsTo:
pack: codeql/go-all
extensible: summaryModel
data:
- ["github.com/nonexistent/test", "", False, "FunctionWithParameter", "", "", "Argument[0]", "ReturnValue", "value", "manual"]
- ["github.com/nonexistent/test", "", False, "FunctionWithSliceParameter", "", "", "Argument[0].ArrayElement", "ReturnValue", "value", "manual"]
- ["github.com/nonexistent/test", "", False, "FunctionWithVarArgsParameter", "", "", "Argument[0].ArrayElement", "ReturnValue", "value", "manual"]
- ["github.com/nonexistent/test", "", False, "FunctionWithVarArgsOutParameter", "", "", "Argument[0]", "Argument[1].ArrayElement", "value", "manual"]
- ["github.com/nonexistent/test", "", False, "FunctionWithSliceOfStructsParameter", "", "", "Argument[0].ArrayElement.Field[github.com/nonexistent/test.A.Field]", "ReturnValue", "value", "manual"]
- ["github.com/nonexistent/test", "", False, "FunctionWithVarArgsOfStructsParameter", "", "", "Argument[0].ArrayElement.Field[github.com/nonexistent/test.A.Field]", "ReturnValue", "value", "manual"]
- addsTo:
pack: codeql/go-all
extensible: sourceModel
data:
- ["github.com/nonexistent/test", "", False, "VariadicSource", "", "", "Argument[0]", "qltest", "manual"]
- addsTo:
pack: codeql/go-all
extensible: sinkModel
data:
- ["github.com/nonexistent/test", "", False, "VariadicSink", "", "", "Argument[0]", "qltest", "manual"]

View File

@@ -1,22 +0,0 @@
import go
import semmle.go.dataflow.ExternalFlow
import ModelValidation
import utils.test.InlineFlowTest
module Config implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
sourceNode(source, "qltest")
or
exists(Function fn | fn.hasQualifiedName(_, ["source", "taint"]) |
source = fn.getACall().getResult()
)
}
predicate isSink(DataFlow::Node sink) {
sinkNode(sink, "qltest")
or
exists(Function fn | fn.hasQualifiedName(_, "sink") | sink = fn.getACall().getAnArgument())
}
}
import FlowTest<Config, Config>

View File

@@ -1,5 +0,0 @@
module semmle.go.Packages
go 1.23
require github.com/nonexistent/test v0.0.0-20200203000000-0000000000000

View File

@@ -1,57 +0,0 @@
package main
import (
"github.com/nonexistent/test"
)
func source() string {
return "untrusted data"
}
func sink(any) {
}
func main() {
s := source()
sink(test.FunctionWithParameter(s)) // $ hasValueFlow="call to FunctionWithParameter"
stringSlice := []string{source()}
sink(stringSlice[0]) // $ hasValueFlow="index expression"
s0 := ""
s1 := source()
sSlice := []string{s0, s1}
sink(test.FunctionWithParameter(sSlice[1])) // $ hasValueFlow="call to FunctionWithParameter"
sink(test.FunctionWithSliceParameter(sSlice)) // $ hasValueFlow="call to FunctionWithSliceParameter"
sink(test.FunctionWithVarArgsParameter(sSlice...)) // $ hasValueFlow="call to FunctionWithVarArgsParameter"
sink(test.FunctionWithVarArgsParameter(s0, s1)) // $ hasValueFlow="call to FunctionWithVarArgsParameter"
var out1 *string
var out2 *string
test.FunctionWithVarArgsOutParameter(source(), out1, out2)
sink(out1) // $ hasValueFlow="out1"
sink(out2) // $ hasValueFlow="out2"
sliceOfStructs := []test.A{{Field: source()}}
sink(sliceOfStructs[0].Field) // $ hasValueFlow="selection of Field"
a0 := test.A{Field: ""}
a1 := test.A{Field: source()}
aSlice := []test.A{a0, a1}
sink(test.FunctionWithSliceOfStructsParameter(aSlice)) // $ hasValueFlow="call to FunctionWithSliceOfStructsParameter"
sink(test.FunctionWithVarArgsOfStructsParameter(aSlice...)) // $ hasValueFlow="call to FunctionWithVarArgsOfStructsParameter"
sink(test.FunctionWithVarArgsOfStructsParameter(a0, a1)) // $ hasValueFlow="call to FunctionWithVarArgsOfStructsParameter"
var variadicSource string
test.VariadicSource(&variadicSource)
sink(variadicSource) // $ hasTaintFlow="variadicSource"
sink(&variadicSource) // $ hasTaintFlow="&..."
var variadicSourcePtr *string
test.VariadicSource(variadicSourcePtr)
sink(variadicSourcePtr) // $ hasTaintFlow="variadicSourcePtr"
sink(*variadicSourcePtr) // $ hasTaintFlow="star expression"
test.VariadicSink(source()) // $ hasTaintFlow="[]type{args}"
}

View File

@@ -1,31 +0,0 @@
package test
type A struct {
Field string
}
func FunctionWithParameter(s string) string {
return ""
}
func FunctionWithSliceParameter(s []string) string {
return ""
}
func FunctionWithVarArgsParameter(s ...string) string {
return ""
}
func FunctionWithVarArgsOutParameter(in string, out ...*string) {
}
func FunctionWithSliceOfStructsParameter(s []A) string {
return ""
}
func FunctionWithVarArgsOfStructsParameter(s ...A) string {
return ""
}
func VariadicSource(s ...*string) {}
func VariadicSink(s ...string) {}

View File

@@ -1,3 +0,0 @@
# github.com/nonexistent/test v0.0.0-20200203000000-0000000000000
## explicit
github.com/nonexistent/test

View File

@@ -19,9 +19,6 @@ class SummaryModelTest extends DataFlow::FunctionModel {
this.hasQualifiedName("github.com/nonexistent/test", "FunctionWithVarArgsParameter") and
(inp.isParameter(_) and outp.isResult())
or
this.hasQualifiedName("github.com/nonexistent/test", "FunctionWithVarArgsOutParameter") and
(inp.isParameter(0) and outp.isParameter(any(int i | i >= 1)))
or
this.hasQualifiedName("github.com/nonexistent/test", "FunctionWithSliceOfStructsParameter") and
(inp.isParameter(0) and outp.isResult())
or
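Review bot: the hunk shrinks from 9 to 6 lines, and the three that go appear to be the `FunctionWithVarArgsOutParameter` disjunct, `inp.isParameter(0) and outp.isParameter(any(int i | i >= 1))`, which is the only model visible here whose output is a parameter rather than the result. With it gone, every remaining disjunct in view ends in `outp.isResult()`, so `SummaryModelTest` no longer covers parameter-to-parameter summaries. Keep at least one out-parameter case in this class, or point to the test that covers it.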

View File

@@ -1,5 +1,5 @@
module semmle.go.Packages
go 1.23
go 1.17
require github.com/nonexistent/test v0.0.0-20200203000000-0000000000000
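Review bot: the `go` directive is lowered from `go 1.23` to `go 1.17`, and that is only consistent with the fixture because the same change narrows `func sink(any)` to `func sink(string)`; the `any` alias needs Go 1.18 or later. The two edits have to land together, and nothing in the change says why the module is being moved back to an older language version. Please confirm the downgrade is deliberate and record the reason in the commit message.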

View File

@@ -8,7 +8,7 @@ func source() string {
return "untrusted data"
}
func sink(any) {
func sink(string) {
}
func main() {
@@ -21,17 +21,10 @@ func main() {
s0 := ""
s1 := source()
sSlice := []string{s0, s1}
sink(test.FunctionWithParameter(sSlice[1])) // $ hasValueFlow="call to FunctionWithParameter"
sink(test.FunctionWithSliceParameter(sSlice)) // $ hasTaintFlow="call to FunctionWithSliceParameter" MISSING: hasValueFlow="call to FunctionWithSliceParameter"
sink(test.FunctionWithVarArgsParameter(sSlice...)) // $ hasTaintFlow="call to FunctionWithVarArgsParameter" MISSING: hasValueFlow="call to FunctionWithVarArgsParameter"
randomFunctionWithMoreThanOneParameter(1, 2, 3, 4, 5) // This is needed to make the next line pass, because we need to have seen a call to a function with at least 2 parameters for ParameterInput to exist with index 1.
sink(test.FunctionWithVarArgsParameter(s0, s1)) // $ hasValueFlow="call to FunctionWithVarArgsParameter"
var out1 *string
var out2 *string
test.FunctionWithVarArgsOutParameter(source(), out1, out2)
sink(out1) // $ hasValueFlow="out1"
sink(out2) // $ hasValueFlow="out2"
sink(test.FunctionWithParameter(sSlice[1])) // $ hasValueFlow="call to FunctionWithParameter"
sink(test.FunctionWithSliceParameter(sSlice)) // $ hasTaintFlow="call to FunctionWithSliceParameter" MISSING: hasValueFlow="call to FunctionWithSliceParameter"
sink(test.FunctionWithVarArgsParameter(sSlice...)) // $ hasTaintFlow="call to FunctionWithVarArgsParameter" MISSING: hasValueFlow="call to FunctionWithVarArgsParameter"
sink(test.FunctionWithVarArgsParameter(s0, s1)) // $ MISSING: hasValueFlow="call to FunctionWithVarArgsParameter"
sliceOfStructs := []test.A{{Field: source()}}
sink(sliceOfStructs[0].Field) // $ hasValueFlow="selection of Field"
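Review bot: the expectation on `sink(test.FunctionWithVarArgsParameter(s0, s1))` changes from `hasValueFlow=...` to `MISSING: hasValueFlow=...`, so the fixture now records value flow through individually passed variadic arguments as a known false negative. The earlier version carried the `randomFunctionWithMoreThanOneParameter(1, 2, 3, 4, 5)` call with a comment explaining that `ParameterInput` with index 1 only exists once a call with at least two parameters has been seen; with that call removed, the reason for the MISSING marker is no longer written down anywhere. Add a short comment on the MISSING line explaining it, and mention in the description that the `out1` and `out2` out-parameter checks are dropped as well.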
@@ -44,6 +37,3 @@ func main() {
sink(test.FunctionWithVarArgsOfStructsParameter(aSlice...)) // $ MISSING: hasValueFlow="call to FunctionWithVarArgsOfStructsParameter"
sink(test.FunctionWithVarArgsOfStructsParameter(a0, a1)) // $ MISSING: hasValueFlow="call to FunctionWithVarArgsOfStructsParameter"
}
func randomFunctionWithMoreThanOneParameter(i1, i2, i3, i4, i5 int) {
}

View File

@@ -15,8 +15,6 @@ func FunctionWithSliceParameter(s []string) string {
func FunctionWithVarArgsParameter(s ...string) string {
return ""
}
func FunctionWithVarArgsOutParameter(in string, out ...*string) {
}
func FunctionWithSliceOfStructsParameter(s []A) string {
return ""

View File

@@ -24,11 +24,7 @@ edges
| test.go:148:16:148:23 | &... | test.go:149:13:149:39 | type conversion | provenance | |
| test.go:152:15:152:24 | &... | test.go:153:13:153:47 | type conversion | provenance | |
| test.go:156:18:156:30 | &... | test.go:157:13:157:38 | type conversion | provenance | |
| test.go:160:2:160:23 | []type{args} [array] | test.go:160:14:160:22 | &... | provenance | |
| test.go:160:14:160:22 | &... | test.go:160:2:160:23 | []type{args} [array] | provenance | |
| test.go:160:14:160:22 | &... | test.go:161:13:161:28 | type conversion | provenance | |
| test.go:164:2:164:25 | []type{args} [array] | test.go:164:15:164:24 | &... | provenance | |
| test.go:164:15:164:24 | &... | test.go:164:2:164:25 | []type{args} [array] | provenance | |
| test.go:164:15:164:24 | &... | test.go:165:13:165:32 | type conversion | provenance | |
nodes
| test.go:80:13:80:16 | &... | semmle.label | &... |
@@ -80,10 +76,8 @@ nodes
| test.go:153:13:153:47 | type conversion | semmle.label | type conversion |
| test.go:156:18:156:30 | &... | semmle.label | &... |
| test.go:157:13:157:38 | type conversion | semmle.label | type conversion |
| test.go:160:2:160:23 | []type{args} [array] | semmle.label | []type{args} [array] |
| test.go:160:14:160:22 | &... | semmle.label | &... |
| test.go:161:13:161:28 | type conversion | semmle.label | type conversion |
| test.go:164:2:164:25 | []type{args} [array] | semmle.label | []type{args} [array] |
| test.go:164:15:164:24 | &... | semmle.label | &... |
| test.go:165:13:165:32 | type conversion | semmle.label | type conversion |
subpaths

View File

@@ -10,13 +10,9 @@ invalidModelRow
| io.go:14:31:14:43 | "some string" | io.go:14:13:14:44 | call to NewReader |
| io.go:16:3:16:3 | definition of w | io.go:16:23:16:27 | &... |
| io.go:16:3:16:3 | definition of w | io.go:16:30:16:34 | &... |
| io.go:16:8:16:35 | []type{args} | io.go:16:23:16:27 | &... |
| io.go:16:8:16:35 | []type{args} | io.go:16:30:16:34 | &... |
| io.go:16:23:16:27 | &... | io.go:15:7:15:10 | definition of buf1 |
| io.go:16:23:16:27 | &... | io.go:16:8:16:35 | []type{args} |
| io.go:16:24:16:27 | buf1 | io.go:16:23:16:27 | &... |
| io.go:16:30:16:34 | &... | io.go:15:13:15:16 | definition of buf2 |
| io.go:16:30:16:34 | &... | io.go:16:8:16:35 | []type{args} |
| io.go:16:31:16:34 | buf2 | io.go:16:30:16:34 | &... |
| io.go:18:14:18:19 | reader | io.go:16:3:16:3 | definition of w |
| io.go:22:31:22:43 | "some string" | io.go:22:13:22:44 | call to NewReader |
@@ -31,10 +27,8 @@ invalidModelRow
| io.go:39:11:39:19 | call to Pipe | io.go:39:3:39:19 | ... := ...[0] |
| io.go:39:11:39:19 | call to Pipe | io.go:39:3:39:19 | ... := ...[1] |
| io.go:40:17:40:31 | "some string\\n" | io.go:39:6:39:6 | definition of w |
| io.go:40:17:40:31 | "some string\\n" | io.go:40:3:40:32 | []type{args} |
| io.go:43:16:43:16 | r | io.go:42:3:42:5 | definition of buf |
| io.go:44:13:44:15 | buf | io.go:44:13:44:24 | call to String |
| io.go:44:13:44:24 | call to String | io.go:44:3:44:25 | []type{args} |
| io.go:48:31:48:43 | "some string" | io.go:48:13:48:44 | call to NewReader |
| io.go:50:18:50:23 | reader | io.go:49:3:49:5 | definition of buf |
| io.go:54:31:54:43 | "some string" | io.go:54:13:54:44 | call to NewReader |
@@ -52,14 +46,8 @@ invalidModelRow
| io.go:82:27:82:36 | "reader1 " | io.go:82:9:82:37 | call to NewReader |
| io.go:83:27:83:36 | "reader2 " | io.go:83:9:83:37 | call to NewReader |
| io.go:84:27:84:35 | "reader3" | io.go:84:9:84:36 | call to NewReader |
| io.go:85:8:85:33 | []type{args} | io.go:82:3:82:4 | definition of r1 |
| io.go:85:8:85:33 | []type{args} | io.go:83:3:83:4 | definition of r2 |
| io.go:85:8:85:33 | []type{args} | io.go:84:3:84:4 | definition of r3 |
| io.go:85:23:85:24 | r1 | io.go:85:8:85:33 | []type{args} |
| io.go:85:23:85:24 | r1 | io.go:85:8:85:33 | call to MultiReader |
| io.go:85:27:85:28 | r2 | io.go:85:8:85:33 | []type{args} |
| io.go:85:27:85:28 | r2 | io.go:85:8:85:33 | call to MultiReader |
| io.go:85:31:85:32 | r3 | io.go:85:8:85:33 | []type{args} |
| io.go:85:31:85:32 | r3 | io.go:85:8:85:33 | call to MultiReader |
| io.go:86:22:86:22 | r | io.go:86:11:86:19 | selection of Stdout |
| io.go:89:26:89:38 | "some string" | io.go:89:8:89:39 | call to NewReader |

View File

@@ -3,8 +3,6 @@
edges
| StoredCommand.go:11:2:11:27 | ... := ...[0] | StoredCommand.go:13:2:13:5 | rows | provenance | Src:MaD:2 |
| StoredCommand.go:13:2:13:5 | rows | StoredCommand.go:13:12:13:19 | &... | provenance | FunctionModel |
| StoredCommand.go:13:2:13:20 | []type{args} [array] | StoredCommand.go:13:12:13:19 | &... | provenance | |
| StoredCommand.go:13:12:13:19 | &... | StoredCommand.go:13:2:13:20 | []type{args} [array] | provenance | |
| StoredCommand.go:13:12:13:19 | &... | StoredCommand.go:14:22:14:28 | cmdName | provenance | Sink:MaD:1 |
models
| 1 | Sink: os/exec; ; false; Command; ; ; Argument[0]; command-injection; manual |
@@ -12,7 +10,6 @@ models
nodes
| StoredCommand.go:11:2:11:27 | ... := ...[0] | semmle.label | ... := ...[0] |
| StoredCommand.go:13:2:13:5 | rows | semmle.label | rows |
| StoredCommand.go:13:2:13:20 | []type{args} [array] | semmle.label | []type{args} [array] |
| StoredCommand.go:13:12:13:19 | &... | semmle.label | &... |
| StoredCommand.go:14:22:14:28 | cmdName | semmle.label | cmdName |
subpaths

View File

@@ -32,10 +32,8 @@ edges
| contenttype.go:113:10:113:28 | call to FormValue | contenttype.go:114:50:114:53 | data | provenance | Src:MaD:8 |
| reflectedxsstest.go:31:2:31:44 | ... := ...[0] | reflectedxsstest.go:32:34:32:37 | file | provenance | Src:MaD:7 |
| reflectedxsstest.go:31:2:31:44 | ... := ...[1] | reflectedxsstest.go:34:46:34:60 | selection of Filename | provenance | Src:MaD:7 |
| reflectedxsstest.go:32:2:32:8 | definition of content | reflectedxsstest.go:33:49:33:55 | content | provenance | |
| reflectedxsstest.go:32:2:32:38 | ... := ...[0] | reflectedxsstest.go:33:49:33:55 | content | provenance | |
| reflectedxsstest.go:32:34:32:37 | file | reflectedxsstest.go:32:2:32:38 | ... := ...[0] | provenance | MaD:13 |
| reflectedxsstest.go:33:17:33:56 | []type{args} [array] | reflectedxsstest.go:32:2:32:8 | definition of content | provenance | |
| reflectedxsstest.go:33:17:33:56 | []type{args} [array] | reflectedxsstest.go:33:17:33:56 | call to Sprintf | provenance | MaD:12 |
| reflectedxsstest.go:33:17:33:56 | call to Sprintf | reflectedxsstest.go:33:10:33:57 | type conversion | provenance | |
| reflectedxsstest.go:33:49:33:55 | content | reflectedxsstest.go:33:17:33:56 | []type{args} [array] | provenance | |
@@ -65,33 +63,11 @@ edges
| tst.go:48:14:48:19 | selection of Form | tst.go:48:14:48:34 | call to Get | provenance | Src:MaD:6 MaD:18 |
| tst.go:48:14:48:34 | call to Get | tst.go:53:12:53:26 | type conversion | provenance | |
| websocketXss.go:30:7:30:10 | definition of xnet | websocketXss.go:32:24:32:27 | xnet | provenance | Src:MaD:5 |
| websocketXss.go:30:7:30:10 | definition of xnet | websocketXss.go:32:24:32:27 | xnet | provenance | Src:MaD:5 |
| websocketXss.go:32:3:32:28 | []type{args} [array] | websocketXss.go:30:7:30:10 | definition of xnet | provenance | |
| websocketXss.go:32:24:32:27 | xnet | websocketXss.go:32:3:32:28 | []type{args} [array] | provenance | |
| websocketXss.go:34:3:34:7 | definition of xnet2 | websocketXss.go:36:24:36:28 | xnet2 | provenance | Src:MaD:4 |
| websocketXss.go:34:3:34:7 | definition of xnet2 | websocketXss.go:36:24:36:28 | xnet2 | provenance | Src:MaD:4 |
| websocketXss.go:36:3:36:29 | []type{args} [array] | websocketXss.go:34:3:34:7 | definition of xnet2 | provenance | |
| websocketXss.go:36:24:36:28 | xnet2 | websocketXss.go:36:3:36:29 | []type{args} [array] | provenance | |
| websocketXss.go:40:3:40:40 | ... := ...[1] | websocketXss.go:41:24:41:29 | nhooyr | provenance | Src:MaD:11 |
| websocketXss.go:40:3:40:40 | ... := ...[1] | websocketXss.go:41:24:41:29 | nhooyr | provenance | Src:MaD:11 |
| websocketXss.go:40:6:40:11 | definition of nhooyr | websocketXss.go:41:24:41:29 | nhooyr | provenance | |
| websocketXss.go:40:6:40:11 | definition of nhooyr | websocketXss.go:41:24:41:29 | nhooyr | provenance | |
| websocketXss.go:41:3:41:30 | []type{args} [array] | websocketXss.go:40:6:40:11 | definition of nhooyr | provenance | |
| websocketXss.go:41:24:41:29 | nhooyr | websocketXss.go:41:3:41:30 | []type{args} [array] | provenance | |
| websocketXss.go:46:7:46:16 | definition of gorillaMsg | websocketXss.go:48:24:48:33 | gorillaMsg | provenance | Src:MaD:1 |
| websocketXss.go:46:7:46:16 | definition of gorillaMsg | websocketXss.go:48:24:48:33 | gorillaMsg | provenance | Src:MaD:1 |
| websocketXss.go:48:3:48:34 | []type{args} [array] | websocketXss.go:46:7:46:16 | definition of gorillaMsg | provenance | |
| websocketXss.go:48:24:48:33 | gorillaMsg | websocketXss.go:48:3:48:34 | []type{args} [array] | provenance | |
| websocketXss.go:50:3:50:10 | definition of gorilla2 | websocketXss.go:52:24:52:31 | gorilla2 | provenance | Src:MaD:2 |
| websocketXss.go:50:3:50:10 | definition of gorilla2 | websocketXss.go:52:24:52:31 | gorilla2 | provenance | Src:MaD:2 |
| websocketXss.go:52:3:52:32 | []type{args} [array] | websocketXss.go:50:3:50:10 | definition of gorilla2 | provenance | |
| websocketXss.go:52:24:52:31 | gorilla2 | websocketXss.go:52:3:52:32 | []type{args} [array] | provenance | |
| websocketXss.go:54:3:54:38 | ... := ...[1] | websocketXss.go:55:24:55:31 | gorilla3 | provenance | Src:MaD:3 |
| websocketXss.go:54:3:54:38 | ... := ...[1] | websocketXss.go:55:24:55:31 | gorilla3 | provenance | Src:MaD:3 |
| websocketXss.go:54:6:54:13 | definition of gorilla3 | websocketXss.go:55:24:55:31 | gorilla3 | provenance | |
| websocketXss.go:54:6:54:13 | definition of gorilla3 | websocketXss.go:55:24:55:31 | gorilla3 | provenance | |
| websocketXss.go:55:3:55:32 | []type{args} [array] | websocketXss.go:54:6:54:13 | definition of gorilla3 | provenance | |
| websocketXss.go:55:24:55:31 | gorilla3 | websocketXss.go:55:3:55:32 | []type{args} [array] | provenance | |
models
| 1 | Source: github.com/gorilla/websocket; ; false; ReadJSON; ; ; Argument[1]; remote; manual |
| 2 | Source: github.com/gorilla/websocket; Conn; true; ReadJSON; ; ; Argument[0]; remote; manual |
@@ -132,7 +108,6 @@ nodes
| contenttype.go:114:50:114:53 | data | semmle.label | data |
| reflectedxsstest.go:31:2:31:44 | ... := ...[0] | semmle.label | ... := ...[0] |
| reflectedxsstest.go:31:2:31:44 | ... := ...[1] | semmle.label | ... := ...[1] |
| reflectedxsstest.go:32:2:32:8 | definition of content | semmle.label | definition of content |
| reflectedxsstest.go:32:2:32:38 | ... := ...[0] | semmle.label | ... := ...[0] |
| reflectedxsstest.go:32:34:32:37 | file | semmle.label | file |
| reflectedxsstest.go:33:10:33:57 | type conversion | semmle.label | type conversion |
@@ -167,29 +142,15 @@ nodes
| tst.go:48:14:48:34 | call to Get | semmle.label | call to Get |
| tst.go:53:12:53:26 | type conversion | semmle.label | type conversion |
| websocketXss.go:30:7:30:10 | definition of xnet | semmle.label | definition of xnet |
| websocketXss.go:32:3:32:28 | []type{args} [array] | semmle.label | []type{args} [array] |
| websocketXss.go:32:24:32:27 | xnet | semmle.label | xnet |
| websocketXss.go:32:24:32:27 | xnet | semmle.label | xnet |
| websocketXss.go:34:3:34:7 | definition of xnet2 | semmle.label | definition of xnet2 |
| websocketXss.go:36:3:36:29 | []type{args} [array] | semmle.label | []type{args} [array] |
| websocketXss.go:36:24:36:28 | xnet2 | semmle.label | xnet2 |
| websocketXss.go:36:24:36:28 | xnet2 | semmle.label | xnet2 |
| websocketXss.go:40:3:40:40 | ... := ...[1] | semmle.label | ... := ...[1] |
| websocketXss.go:40:6:40:11 | definition of nhooyr | semmle.label | definition of nhooyr |
| websocketXss.go:41:3:41:30 | []type{args} [array] | semmle.label | []type{args} [array] |
| websocketXss.go:41:24:41:29 | nhooyr | semmle.label | nhooyr |
| websocketXss.go:41:24:41:29 | nhooyr | semmle.label | nhooyr |
| websocketXss.go:46:7:46:16 | definition of gorillaMsg | semmle.label | definition of gorillaMsg |
| websocketXss.go:48:3:48:34 | []type{args} [array] | semmle.label | []type{args} [array] |
| websocketXss.go:48:24:48:33 | gorillaMsg | semmle.label | gorillaMsg |
| websocketXss.go:48:24:48:33 | gorillaMsg | semmle.label | gorillaMsg |
| websocketXss.go:50:3:50:10 | definition of gorilla2 | semmle.label | definition of gorilla2 |
| websocketXss.go:52:3:52:32 | []type{args} [array] | semmle.label | []type{args} [array] |
| websocketXss.go:52:24:52:31 | gorilla2 | semmle.label | gorilla2 |
| websocketXss.go:52:24:52:31 | gorilla2 | semmle.label | gorilla2 |
| websocketXss.go:54:3:54:38 | ... := ...[1] | semmle.label | ... := ...[1] |
| websocketXss.go:54:6:54:13 | definition of gorilla3 | semmle.label | definition of gorilla3 |
| websocketXss.go:55:3:55:32 | []type{args} [array] | semmle.label | []type{args} [array] |
| websocketXss.go:55:24:55:31 | gorilla3 | semmle.label | gorilla3 |
| websocketXss.go:55:24:55:31 | gorilla3 | semmle.label | gorilla3 |
subpaths

View File

@@ -5,12 +5,7 @@
edges
| StoredXss.go:13:21:13:31 | call to Name | StoredXss.go:13:21:13:36 | ...+... | provenance | |
| stored.go:18:3:18:28 | ... := ...[0] | stored.go:25:14:25:17 | rows | provenance | Src:MaD:1 |
| stored.go:25:14:25:17 | rows | stored.go:25:24:25:26 | &... | provenance | FunctionModel |
| stored.go:25:14:25:17 | rows | stored.go:25:29:25:33 | &... | provenance | FunctionModel |
| stored.go:25:14:25:34 | []type{args} [array] | stored.go:25:24:25:26 | &... | provenance | |
| stored.go:25:14:25:34 | []type{args} [array] | stored.go:25:29:25:33 | &... | provenance | |
| stored.go:25:24:25:26 | &... | stored.go:25:14:25:34 | []type{args} [array] | provenance | |
| stored.go:25:29:25:33 | &... | stored.go:25:14:25:34 | []type{args} [array] | provenance | |
| stored.go:25:29:25:33 | &... | stored.go:30:22:30:25 | name | provenance | |
| stored.go:59:30:59:33 | definition of path | stored.go:61:22:61:25 | path | provenance | |
models
@@ -20,8 +15,6 @@ nodes
| StoredXss.go:13:21:13:36 | ...+... | semmle.label | ...+... |
| stored.go:18:3:18:28 | ... := ...[0] | semmle.label | ... := ...[0] |
| stored.go:25:14:25:17 | rows | semmle.label | rows |
| stored.go:25:14:25:34 | []type{args} [array] | semmle.label | []type{args} [array] |
| stored.go:25:24:25:26 | &... | semmle.label | &... |
| stored.go:25:29:25:33 | &... | semmle.label | &... |
| stored.go:30:22:30:25 | name | semmle.label | name |
| stored.go:59:30:59:33 | definition of path | semmle.label | definition of path |

View File

@@ -26,7 +26,6 @@
| mongoDB.go:81:18:81:25 | pipeline | mongoDB.go:40:20:40:30 | call to Referer | mongoDB.go:81:18:81:25 | pipeline | This query depends on a $@. | mongoDB.go:40:20:40:30 | call to Referer | user-provided value |
edges
| SqlInjection.go:10:7:11:30 | []type{args} [array] | SqlInjection.go:10:7:11:30 | call to Sprintf | provenance | MaD:23 |
| SqlInjection.go:10:7:11:30 | []type{args} [array] | SqlInjection.go:11:3:11:29 | index expression | provenance | |
| SqlInjection.go:10:7:11:30 | call to Sprintf | SqlInjection.go:12:11:12:11 | q | provenance | Sink:MaD:1 |
| SqlInjection.go:11:3:11:9 | selection of URL | SqlInjection.go:11:3:11:17 | call to Query | provenance | Src:MaD:21 MaD:26 |
| SqlInjection.go:11:3:11:17 | call to Query | SqlInjection.go:11:3:11:29 | index expression | provenance | |
@@ -37,7 +36,6 @@ edges
| issue48.go:18:17:18:17 | b | issue48.go:18:20:18:39 | &... | provenance | MaD:22 |
| issue48.go:18:20:18:39 | &... | issue48.go:21:3:21:33 | index expression | provenance | |
| issue48.go:20:8:21:34 | []type{args} [array] | issue48.go:20:8:21:34 | call to Sprintf | provenance | MaD:23 |
| issue48.go:20:8:21:34 | []type{args} [array] | issue48.go:21:3:21:33 | index expression | provenance | |
| issue48.go:20:8:21:34 | call to Sprintf | issue48.go:22:11:22:12 | q3 | provenance | Sink:MaD:1 |
| issue48.go:21:3:21:33 | index expression | issue48.go:20:8:21:34 | []type{args} [array] | provenance | |
| issue48.go:21:3:21:33 | index expression | issue48.go:20:8:21:34 | call to Sprintf | provenance | FunctionModel |
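Review bot: after the backward edge from `[]type{args} [array]` to `index expression` is removed, `index expression` still reaches `call to Sprintf` by two routes in this hunk: through `[]type{args} [array]` with provenance `MaD:23`, and directly with provenance `FunctionModel`. Both end at the same sink `q3`, so the path explanation shown to users can vary between them. Worth checking whether the `FunctionModel` step for `Sprintf` is still needed now that the `MaD:23` summary covers the variadic argument, and the same pattern repeats in the `issue48.go:30`, `issue48.go:39` and `main.go:60` hunks.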
@@ -46,7 +44,6 @@ edges
| issue48.go:28:17:28:18 | b2 | issue48.go:28:21:28:41 | &... | provenance | MaD:22 |
| issue48.go:28:21:28:41 | &... | issue48.go:31:3:31:31 | selection of Category | provenance | |
| issue48.go:30:8:31:32 | []type{args} [array] | issue48.go:30:8:31:32 | call to Sprintf | provenance | MaD:23 |
| issue48.go:30:8:31:32 | []type{args} [array] | issue48.go:31:3:31:31 | selection of Category | provenance | |
| issue48.go:30:8:31:32 | call to Sprintf | issue48.go:32:11:32:12 | q4 | provenance | Sink:MaD:1 |
| issue48.go:31:3:31:31 | selection of Category | issue48.go:30:8:31:32 | []type{args} [array] | provenance | |
| issue48.go:31:3:31:31 | selection of Category | issue48.go:30:8:31:32 | call to Sprintf | provenance | FunctionModel |
@@ -55,13 +52,11 @@ edges
| issue48.go:37:24:37:38 | call to Query | issue48.go:37:17:37:50 | type conversion | provenance | |
| issue48.go:37:53:37:73 | &... | issue48.go:40:3:40:31 | selection of Category | provenance | |
| issue48.go:39:8:40:32 | []type{args} [array] | issue48.go:39:8:40:32 | call to Sprintf | provenance | MaD:23 |
| issue48.go:39:8:40:32 | []type{args} [array] | issue48.go:40:3:40:31 | selection of Category | provenance | |
| issue48.go:39:8:40:32 | call to Sprintf | issue48.go:41:11:41:12 | q5 | provenance | Sink:MaD:1 |
| issue48.go:40:3:40:31 | selection of Category | issue48.go:39:8:40:32 | []type{args} [array] | provenance | |
| issue48.go:40:3:40:31 | selection of Category | issue48.go:39:8:40:32 | call to Sprintf | provenance | FunctionModel |
| main.go:11:11:11:16 | selection of Form | main.go:11:11:11:28 | index expression | provenance | Src:MaD:18 Sink:MaD:1 |
| main.go:15:11:15:84 | []type{args} [array] | main.go:15:11:15:84 | call to Sprintf | provenance | MaD:23 Sink:MaD:2 |
| main.go:15:11:15:84 | []type{args} [array] | main.go:15:63:15:83 | index expression | provenance | |
| main.go:15:63:15:67 | selection of URL | main.go:15:63:15:75 | call to Query | provenance | Src:MaD:21 MaD:26 |
| main.go:15:63:15:75 | call to Query | main.go:15:63:15:83 | index expression | provenance | |
| main.go:15:63:15:83 | index expression | main.go:15:11:15:84 | []type{args} [array] | provenance | |
@@ -76,7 +71,6 @@ edges
| main.go:30:13:30:27 | call to Query | main.go:30:13:30:39 | index expression | provenance | |
| main.go:30:13:30:39 | index expression | main.go:28:18:31:2 | struct literal [Category] | provenance | |
| main.go:33:7:34:23 | []type{args} [array] | main.go:33:7:34:23 | call to Sprintf | provenance | MaD:23 |
| main.go:33:7:34:23 | []type{args} [array] | main.go:34:3:34:22 | selection of Category | provenance | |
| main.go:33:7:34:23 | call to Sprintf | main.go:35:11:35:11 | q | provenance | Sink:MaD:1 |
| main.go:34:3:34:13 | RequestData [pointer, Category] | main.go:34:3:34:13 | implicit dereference [Category] | provenance | |
| main.go:34:3:34:13 | implicit dereference [Category] | main.go:34:3:34:22 | selection of Category | provenance | |
@@ -90,7 +84,6 @@ edges
| main.go:40:25:40:39 | call to Query | main.go:40:25:40:51 | index expression | provenance | |
| main.go:40:25:40:51 | index expression | main.go:40:2:40:12 | implicit dereference [Category] | provenance | |
| main.go:42:7:43:23 | []type{args} [array] | main.go:42:7:43:23 | call to Sprintf | provenance | MaD:23 |
| main.go:42:7:43:23 | []type{args} [array] | main.go:43:3:43:22 | selection of Category | provenance | |
| main.go:42:7:43:23 | call to Sprintf | main.go:44:11:44:11 | q | provenance | Sink:MaD:1 |
| main.go:43:3:43:13 | RequestData [pointer, Category] | main.go:43:3:43:13 | implicit dereference [Category] | provenance | |
| main.go:43:3:43:13 | implicit dereference [Category] | main.go:43:3:43:22 | selection of Category | provenance | |
@@ -104,7 +97,6 @@ edges
| main.go:49:28:49:42 | call to Query | main.go:49:28:49:54 | index expression | provenance | |
| main.go:49:28:49:54 | index expression | main.go:49:3:49:14 | star expression [Category] | provenance | |
| main.go:51:7:52:23 | []type{args} [array] | main.go:51:7:52:23 | call to Sprintf | provenance | MaD:23 |
| main.go:51:7:52:23 | []type{args} [array] | main.go:52:3:52:22 | selection of Category | provenance | |
| main.go:51:7:52:23 | call to Sprintf | main.go:53:11:53:11 | q | provenance | Sink:MaD:1 |
| main.go:52:3:52:13 | RequestData [pointer, Category] | main.go:52:3:52:13 | implicit dereference [Category] | provenance | |
| main.go:52:3:52:13 | implicit dereference [Category] | main.go:52:3:52:22 | selection of Category | provenance | |
@@ -118,7 +110,6 @@ edges
| main.go:58:28:58:42 | call to Query | main.go:58:28:58:54 | index expression | provenance | |
| main.go:58:28:58:54 | index expression | main.go:58:3:58:14 | star expression [Category] | provenance | |
| main.go:60:7:61:26 | []type{args} [array] | main.go:60:7:61:26 | call to Sprintf | provenance | MaD:23 |
| main.go:60:7:61:26 | []type{args} [array] | main.go:61:3:61:25 | selection of Category | provenance | |
| main.go:60:7:61:26 | call to Sprintf | main.go:62:11:62:11 | q | provenance | Sink:MaD:1 |
| main.go:61:3:61:25 | selection of Category | main.go:60:7:61:26 | []type{args} [array] | provenance | |
| main.go:61:3:61:25 | selection of Category | main.go:60:7:61:26 | call to Sprintf | provenance | FunctionModel |

View File

@@ -3,12 +3,7 @@
| StringBreakMismatched.go:17:26:17:32 | escaped | StringBreakMismatched.go:12:2:12:40 | ... := ...[0] | StringBreakMismatched.go:17:26:17:32 | escaped | If this $@ contains a single quote, it could break out of the enclosing quotes. | StringBreakMismatched.go:12:2:12:40 | ... := ...[0] | JSON value |
| StringBreakMismatched.go:29:27:29:33 | escaped | StringBreakMismatched.go:24:2:24:40 | ... := ...[0] | StringBreakMismatched.go:29:27:29:33 | escaped | If this $@ contains a double quote, it could break out of the enclosing quotes. | StringBreakMismatched.go:24:2:24:40 | ... := ...[0] | JSON value |
edges
| StringBreak.go:10:2:10:12 | definition of versionJSON | StringBreak.go:14:47:14:57 | versionJSON | provenance | |
| StringBreak.go:10:2:10:12 | definition of versionJSON | StringBreak.go:14:47:14:57 | versionJSON | provenance | |
| StringBreak.go:10:2:10:40 | ... := ...[0] | StringBreak.go:14:47:14:57 | versionJSON | provenance | |
| StringBreak.go:10:2:10:40 | ... := ...[0] | StringBreak.go:14:47:14:57 | versionJSON | provenance | |
| StringBreak.go:14:22:14:58 | []type{args} [array] | StringBreak.go:10:2:10:12 | definition of versionJSON | provenance | |
| StringBreak.go:14:47:14:57 | versionJSON | StringBreak.go:14:22:14:58 | []type{args} [array] | provenance | |
| StringBreakMismatched.go:12:2:12:40 | ... := ...[0] | StringBreakMismatched.go:13:29:13:47 | type conversion | provenance | |
| StringBreakMismatched.go:13:13:13:62 | call to Replace | StringBreakMismatched.go:17:26:17:32 | escaped | provenance | |
| StringBreakMismatched.go:13:29:13:47 | type conversion | StringBreakMismatched.go:13:13:13:62 | call to Replace | provenance | MaD:1 |
@@ -18,10 +13,7 @@ edges
models
| 1 | Summary: strings; ; false; Replace; ; ; Argument[0]; ReturnValue; taint; manual |
nodes
| StringBreak.go:10:2:10:12 | definition of versionJSON | semmle.label | definition of versionJSON |
| StringBreak.go:10:2:10:40 | ... := ...[0] | semmle.label | ... := ...[0] |
| StringBreak.go:14:22:14:58 | []type{args} [array] | semmle.label | []type{args} [array] |
| StringBreak.go:14:47:14:57 | versionJSON | semmle.label | versionJSON |
| StringBreak.go:14:47:14:57 | versionJSON | semmle.label | versionJSON |
| StringBreakMismatched.go:12:2:12:40 | ... := ...[0] | semmle.label | ... := ...[0] |
| StringBreakMismatched.go:13:13:13:62 | call to Replace | semmle.label | call to Replace |

View File

@@ -1,16 +1,8 @@
edges
| test.go:14:2:14:4 | definition of buf | test.go:17:10:17:12 | buf | provenance | |
| test.go:14:2:14:4 | definition of buf | test.go:20:29:20:31 | buf | provenance | |
| test.go:15:2:15:4 | definition of buf | test.go:17:10:17:12 | buf | provenance | |
| test.go:15:2:15:4 | definition of buf | test.go:20:29:20:31 | buf | provenance | |
| test.go:20:2:20:32 | []type{args} [array] | test.go:15:2:15:4 | definition of buf | provenance | |
| test.go:20:29:20:31 | buf | test.go:20:2:20:32 | []type{args} [array] | provenance | |
nodes
| test.go:14:2:14:4 | definition of buf | semmle.label | definition of buf |
| test.go:15:2:15:4 | definition of buf | semmle.label | definition of buf |
| test.go:17:10:17:12 | buf | semmle.label | buf |
| test.go:20:2:20:32 | []type{args} [array] | semmle.label | []type{args} [array] |
| test.go:20:29:20:31 | buf | semmle.label | buf |
subpaths
#select
| test.go:17:10:17:12 | buf | test.go:14:2:14:4 | definition of buf | test.go:17:10:17:12 | buf | HTTP response depends on $@ and may be exposed to an external user. | test.go:14:2:14:4 | definition of buf | stack trace information |

View File

@@ -64,55 +64,28 @@ edges
| passwords.go:8:12:8:12 | definition of x | passwords.go:9:14:9:14 | x | provenance | |
| passwords.go:30:8:30:15 | password | passwords.go:8:12:8:12 | definition of x | provenance | |
| passwords.go:34:28:34:35 | password | passwords.go:34:14:34:35 | ...+... | provenance | Config |
| passwords.go:36:2:36:5 | definition of obj1 | passwords.go:39:14:39:17 | obj1 | provenance | |
| passwords.go:36:2:36:5 | definition of obj1 | passwords.go:39:14:39:17 | obj1 | provenance | |
| passwords.go:36:10:38:2 | struct literal | passwords.go:36:2:36:5 | definition of obj1 | provenance | |
| passwords.go:36:10:38:2 | struct literal | passwords.go:39:14:39:17 | obj1 | provenance | |
| passwords.go:37:13:37:13 | x | passwords.go:36:10:38:2 | struct literal | provenance | Config |
| passwords.go:39:2:39:18 | []type{args} [array] | passwords.go:36:2:36:5 | definition of obj1 | provenance | |
| passwords.go:39:14:39:17 | obj1 | passwords.go:39:2:39:18 | []type{args} [array] | provenance | |
| passwords.go:41:2:41:5 | definition of obj2 | passwords.go:44:14:44:17 | obj2 | provenance | |
| passwords.go:41:2:41:5 | definition of obj2 | passwords.go:44:14:44:17 | obj2 | provenance | |
| passwords.go:41:10:43:2 | struct literal | passwords.go:41:2:41:5 | definition of obj2 | provenance | |
| passwords.go:41:10:43:2 | struct literal | passwords.go:44:14:44:17 | obj2 | provenance | |
| passwords.go:42:6:42:13 | password | passwords.go:41:10:43:2 | struct literal | provenance | Config |
| passwords.go:44:2:44:18 | []type{args} [array] | passwords.go:41:2:41:5 | definition of obj2 | provenance | |
| passwords.go:44:14:44:17 | obj2 | passwords.go:44:2:44:18 | []type{args} [array] | provenance | |
| passwords.go:46:6:46:9 | definition of obj3 | passwords.go:47:14:47:17 | obj3 | provenance | |
| passwords.go:46:6:46:9 | definition of obj3 | passwords.go:47:14:47:17 | obj3 | provenance | |
| passwords.go:47:2:47:18 | []type{args} [array] | passwords.go:46:6:46:9 | definition of obj3 | provenance | |
| passwords.go:47:14:47:17 | obj3 | passwords.go:47:2:47:18 | []type{args} [array] | provenance | |
| passwords.go:48:11:48:18 | password | passwords.go:46:6:46:9 | definition of obj3 | provenance | Config |
| passwords.go:85:2:85:14 | definition of utilityObject | passwords.go:88:14:88:26 | utilityObject | provenance | |
| passwords.go:85:2:85:14 | definition of utilityObject | passwords.go:88:14:88:26 | utilityObject | provenance | |
| passwords.go:85:19:87:2 | struct literal | passwords.go:85:2:85:14 | definition of utilityObject | provenance | |
| passwords.go:85:19:87:2 | struct literal | passwords.go:88:14:88:26 | utilityObject | provenance | |
| passwords.go:86:16:86:36 | call to make | passwords.go:85:19:87:2 | struct literal | provenance | Config |
| passwords.go:88:2:88:27 | []type{args} [array] | passwords.go:85:2:85:14 | definition of utilityObject | provenance | |
| passwords.go:88:14:88:26 | utilityObject | passwords.go:88:2:88:27 | []type{args} [array] | provenance | |
| passwords.go:90:12:90:19 | password | passwords.go:91:23:91:28 | secret | provenance | |
| passwords.go:101:33:101:40 | password | passwords.go:101:15:101:40 | ...+... | provenance | Config |
| passwords.go:107:34:107:41 | password | passwords.go:107:16:107:41 | ...+... | provenance | Config |
| passwords.go:112:33:112:40 | password | passwords.go:112:15:112:40 | ...+... | provenance | Config |
| passwords.go:116:28:116:36 | password1 | passwords.go:116:28:116:45 | call to String | provenance | Config |
| passwords.go:116:28:116:45 | call to String | passwords.go:116:14:116:45 | ...+... | provenance | Config |
| passwords.go:118:2:118:7 | definition of config | passwords.go:125:14:125:19 | config | provenance | |
| passwords.go:118:2:118:7 | definition of config | passwords.go:125:14:125:19 | config | provenance | |
| passwords.go:118:2:118:7 | definition of config [x] | passwords.go:125:14:125:19 | config [x] | provenance | |
| passwords.go:118:2:118:7 | definition of config [x] | passwords.go:126:14:126:19 | config [x] | provenance | |
| passwords.go:118:2:118:7 | definition of config [y] | passwords.go:125:14:125:19 | config [y] | provenance | |
| passwords.go:118:2:118:7 | definition of config [y] | passwords.go:127:14:127:19 | config [y] | provenance | |
| passwords.go:118:12:123:2 | struct literal | passwords.go:118:2:118:7 | definition of config | provenance | |
| passwords.go:118:12:123:2 | struct literal [x] | passwords.go:118:2:118:7 | definition of config [x] | provenance | |
| passwords.go:118:12:123:2 | struct literal [y] | passwords.go:118:2:118:7 | definition of config [y] | provenance | |
| passwords.go:118:12:123:2 | struct literal | passwords.go:125:14:125:19 | config | provenance | |
| passwords.go:118:12:123:2 | struct literal [x] | passwords.go:126:14:126:19 | config [x] | provenance | |
| passwords.go:118:12:123:2 | struct literal [y] | passwords.go:127:14:127:19 | config [y] | provenance | |
| passwords.go:119:13:119:13 | x | passwords.go:118:12:123:2 | struct literal | provenance | Config |
| passwords.go:121:13:121:20 | password | passwords.go:118:12:123:2 | struct literal | provenance | Config |
| passwords.go:121:13:121:20 | password | passwords.go:118:12:123:2 | struct literal [x] | provenance | |
| passwords.go:122:13:122:25 | call to getPassword | passwords.go:118:12:123:2 | struct literal | provenance | Config |
| passwords.go:122:13:122:25 | call to getPassword | passwords.go:118:12:123:2 | struct literal [y] | provenance | |
| passwords.go:125:2:125:20 | []type{args} [array, x] | passwords.go:118:2:118:7 | definition of config [x] | provenance | |
| passwords.go:125:2:125:20 | []type{args} [array, y] | passwords.go:118:2:118:7 | definition of config [y] | provenance | |
| passwords.go:125:2:125:20 | []type{args} [array] | passwords.go:118:2:118:7 | definition of config | provenance | |
| passwords.go:125:14:125:19 | config | passwords.go:125:2:125:20 | []type{args} [array] | provenance | |
| passwords.go:125:14:125:19 | config [x] | passwords.go:125:2:125:20 | []type{args} [array, x] | provenance | |
| passwords.go:125:14:125:19 | config [y] | passwords.go:125:2:125:20 | []type{args} [array, y] | provenance | |
| passwords.go:126:14:126:19 | config [x] | passwords.go:126:14:126:21 | selection of x | provenance | |
| passwords.go:127:14:127:19 | config [y] | passwords.go:127:14:127:21 | selection of y | provenance | |
| protobuf.go:11:2:11:6 | definition of query [pointer, Description] | protobuf.go:12:2:12:6 | query [pointer, Description] | provenance | |
@@ -176,29 +149,18 @@ nodes
| passwords.go:32:12:32:19 | password | semmle.label | password |
| passwords.go:34:14:34:35 | ...+... | semmle.label | ...+... |
| passwords.go:34:28:34:35 | password | semmle.label | password |
| passwords.go:36:2:36:5 | definition of obj1 | semmle.label | definition of obj1 |
| passwords.go:36:10:38:2 | struct literal | semmle.label | struct literal |
| passwords.go:37:13:37:13 | x | semmle.label | x |
| passwords.go:39:2:39:18 | []type{args} [array] | semmle.label | []type{args} [array] |
| passwords.go:39:14:39:17 | obj1 | semmle.label | obj1 |
| passwords.go:39:14:39:17 | obj1 | semmle.label | obj1 |
| passwords.go:41:2:41:5 | definition of obj2 | semmle.label | definition of obj2 |
| passwords.go:41:10:43:2 | struct literal | semmle.label | struct literal |
| passwords.go:42:6:42:13 | password | semmle.label | password |
| passwords.go:44:2:44:18 | []type{args} [array] | semmle.label | []type{args} [array] |
| passwords.go:44:14:44:17 | obj2 | semmle.label | obj2 |
| passwords.go:44:14:44:17 | obj2 | semmle.label | obj2 |
| passwords.go:46:6:46:9 | definition of obj3 | semmle.label | definition of obj3 |
| passwords.go:47:2:47:18 | []type{args} [array] | semmle.label | []type{args} [array] |
| passwords.go:47:14:47:17 | obj3 | semmle.label | obj3 |
| passwords.go:47:14:47:17 | obj3 | semmle.label | obj3 |
| passwords.go:48:11:48:18 | password | semmle.label | password |
| passwords.go:51:14:51:27 | fixed_password | semmle.label | fixed_password |
| passwords.go:85:2:85:14 | definition of utilityObject | semmle.label | definition of utilityObject |
| passwords.go:85:19:87:2 | struct literal | semmle.label | struct literal |
| passwords.go:86:16:86:36 | call to make | semmle.label | call to make |
| passwords.go:88:2:88:27 | []type{args} [array] | semmle.label | []type{args} [array] |
| passwords.go:88:14:88:26 | utilityObject | semmle.label | utilityObject |
| passwords.go:88:14:88:26 | utilityObject | semmle.label | utilityObject |
| passwords.go:90:12:90:19 | password | semmle.label | password |
| passwords.go:91:23:91:28 | secret | semmle.label | secret |
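Review bot: nothing in this `nodes` hunk for `passwords.go` shows that the alert rows are unaffected, yet the header takes the section from 29 lines to 18. Please confirm that the `#select` section of this `.expected` file is unchanged, so that the eleven dropped rows are only intermediate path nodes and every `password` flow that was reported before is still reported. A short pointer in the commit message to the analysis change behind the churn would make that easy to check.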
@@ -211,22 +173,13 @@ nodes
| passwords.go:116:14:116:45 | ...+... | semmle.label | ...+... |
| passwords.go:116:28:116:36 | password1 | semmle.label | password1 |
| passwords.go:116:28:116:45 | call to String | semmle.label | call to String |
| passwords.go:118:2:118:7 | definition of config | semmle.label | definition of config |
| passwords.go:118:2:118:7 | definition of config [x] | semmle.label | definition of config [x] |
| passwords.go:118:2:118:7 | definition of config [y] | semmle.label | definition of config [y] |
| passwords.go:118:12:123:2 | struct literal | semmle.label | struct literal |
| passwords.go:118:12:123:2 | struct literal [x] | semmle.label | struct literal [x] |
| passwords.go:118:12:123:2 | struct literal [y] | semmle.label | struct literal [y] |
| passwords.go:119:13:119:13 | x | semmle.label | x |
| passwords.go:121:13:121:20 | password | semmle.label | password |
| passwords.go:122:13:122:25 | call to getPassword | semmle.label | call to getPassword |
| passwords.go:125:2:125:20 | []type{args} [array, x] | semmle.label | []type{args} [array, x] |
| passwords.go:125:2:125:20 | []type{args} [array, y] | semmle.label | []type{args} [array, y] |
| passwords.go:125:2:125:20 | []type{args} [array] | semmle.label | []type{args} [array] |
| passwords.go:125:14:125:19 | config | semmle.label | config |
| passwords.go:125:14:125:19 | config | semmle.label | config |
| passwords.go:125:14:125:19 | config [x] | semmle.label | config [x] |
| passwords.go:125:14:125:19 | config [y] | semmle.label | config [y] |
| passwords.go:126:14:126:19 | config [x] | semmle.label | config [x] |
| passwords.go:126:14:126:21 | selection of x | semmle.label | selection of x |
| passwords.go:127:14:127:19 | config [y] | semmle.label | config [y] |

View File

@@ -19,41 +19,17 @@ edges
| main.go:46:21:46:31 | call to Referer | main.go:52:46:52:59 | untrustedInput | provenance | Src:MaD:2 |
| main.go:46:21:46:31 | call to Referer | main.go:53:52:53:65 | untrustedInput | provenance | Src:MaD:2 |
| main.go:58:21:58:31 | call to Referer | main.go:60:47:60:60 | untrustedInput | provenance | Src:MaD:2 |
| main.go:60:3:60:9 | definition of content | main.go:63:16:63:22 | content | provenance | |
| main.go:60:3:60:9 | definition of content | main.go:63:16:63:22 | content | provenance | |
| main.go:60:14:60:61 | call to NewContent | main.go:63:16:63:22 | content | provenance | |
| main.go:60:14:60:61 | call to NewContent | main.go:63:16:63:22 | content | provenance | |
| main.go:60:47:60:60 | untrustedInput | main.go:60:14:60:61 | call to NewContent | provenance | MaD:3 |
| main.go:63:3:63:23 | []type{args} [array] | main.go:60:3:60:9 | definition of content | provenance | |
| main.go:63:16:63:22 | content | main.go:63:3:63:23 | []type{args} [array] | provenance | |
| main.go:68:21:68:31 | call to Referer | main.go:74:47:74:60 | untrustedInput | provenance | Src:MaD:2 |
| main.go:74:3:74:9 | definition of content | main.go:76:50:76:56 | content | provenance | |
| main.go:74:3:74:9 | definition of content | main.go:76:50:76:56 | content | provenance | |
| main.go:74:3:74:9 | definition of content | main.go:76:59:76:65 | content | provenance | |
| main.go:74:3:74:9 | definition of content | main.go:76:59:76:65 | content | provenance | |
| main.go:74:3:74:9 | definition of content | main.go:77:16:77:22 | content | provenance | |
| main.go:74:3:74:9 | definition of content | main.go:77:16:77:22 | content | provenance | |
| main.go:74:14:74:61 | call to NewContent | main.go:76:50:76:56 | content | provenance | |
| main.go:74:14:74:61 | call to NewContent | main.go:76:50:76:56 | content | provenance | |
| main.go:74:14:74:61 | call to NewContent | main.go:76:59:76:65 | content | provenance | |
| main.go:74:14:74:61 | call to NewContent | main.go:76:59:76:65 | content | provenance | |
| main.go:74:14:74:61 | call to NewContent | main.go:77:16:77:22 | content | provenance | |
| main.go:74:14:74:61 | call to NewContent | main.go:77:16:77:22 | content | provenance | |
| main.go:74:47:74:60 | untrustedInput | main.go:74:14:74:61 | call to NewContent | provenance | MaD:3 |
| main.go:76:8:76:66 | []type{args} [array] | main.go:74:3:74:9 | definition of content | provenance | |
| main.go:76:50:76:56 | content | main.go:76:8:76:66 | []type{args} [array] | provenance | |
| main.go:76:59:76:65 | content | main.go:76:8:76:66 | []type{args} [array] | provenance | |
| main.go:77:3:77:23 | []type{args} [array] | main.go:74:3:74:9 | definition of content | provenance | |
| main.go:77:16:77:22 | content | main.go:77:3:77:23 | []type{args} [array] | provenance | |
| main.go:82:21:82:31 | call to Referer | main.go:89:37:89:50 | untrustedInput | provenance | Src:MaD:2 |
| main.go:82:21:82:31 | call to Referer | main.go:91:48:91:61 | untrustedInput | provenance | Src:MaD:2 |
| main.go:91:3:91:10 | definition of content2 | main.go:93:16:93:23 | content2 | provenance | |
| main.go:91:3:91:10 | definition of content2 | main.go:93:16:93:23 | content2 | provenance | |
| main.go:91:15:91:62 | call to NewContent | main.go:93:16:93:23 | content2 | provenance | |
| main.go:91:15:91:62 | call to NewContent | main.go:93:16:93:23 | content2 | provenance | |
| main.go:91:48:91:61 | untrustedInput | main.go:91:15:91:62 | call to NewContent | provenance | MaD:3 |
| main.go:93:3:93:24 | []type{args} [array] | main.go:91:3:91:10 | definition of content2 | provenance | |
| main.go:93:16:93:23 | content2 | main.go:93:3:93:24 | []type{args} [array] | provenance | |
models
| 1 | Source: net/http; Request; true; Header; ; ; ; remote; manual |
| 2 | Source: net/http; Request; true; Referer; ; ; ReturnValue; remote; manual |
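Review bot: the edges in this hunk that carry model provenance (`Src:MaD:2` out of `call to Referer`, `MaD:3` from `untrustedInput` into `call to NewContent`) are the ones that tie each result to a row in the `models` table, and the header cuts the section from 41 lines to 17. Please check that each of those provenance-bearing edges survives in the new expected output, and that any row leaving is one of the hops with an empty provenance column, so the `Referer` source is still visibly connected to every `NewContent` call it reached before.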
@@ -73,30 +49,18 @@ nodes
| main.go:52:46:52:59 | untrustedInput | semmle.label | untrustedInput |
| main.go:53:52:53:65 | untrustedInput | semmle.label | untrustedInput |
| main.go:58:21:58:31 | call to Referer | semmle.label | call to Referer |
| main.go:60:3:60:9 | definition of content | semmle.label | definition of content |
| main.go:60:14:60:61 | call to NewContent | semmle.label | call to NewContent |
| main.go:60:47:60:60 | untrustedInput | semmle.label | untrustedInput |
| main.go:63:3:63:23 | []type{args} [array] | semmle.label | []type{args} [array] |
| main.go:63:16:63:22 | content | semmle.label | content |
| main.go:63:16:63:22 | content | semmle.label | content |
| main.go:68:21:68:31 | call to Referer | semmle.label | call to Referer |
| main.go:74:3:74:9 | definition of content | semmle.label | definition of content |
| main.go:74:14:74:61 | call to NewContent | semmle.label | call to NewContent |
| main.go:74:47:74:60 | untrustedInput | semmle.label | untrustedInput |
| main.go:76:8:76:66 | []type{args} [array] | semmle.label | []type{args} [array] |
| main.go:76:50:76:56 | content | semmle.label | content |
| main.go:76:50:76:56 | content | semmle.label | content |
| main.go:76:59:76:65 | content | semmle.label | content |
| main.go:76:59:76:65 | content | semmle.label | content |
| main.go:77:3:77:23 | []type{args} [array] | semmle.label | []type{args} [array] |
| main.go:77:16:77:22 | content | semmle.label | content |
| main.go:77:16:77:22 | content | semmle.label | content |
| main.go:82:21:82:31 | call to Referer | semmle.label | call to Referer |
| main.go:89:37:89:50 | untrustedInput | semmle.label | untrustedInput |
| main.go:91:3:91:10 | definition of content2 | semmle.label | definition of content2 |
| main.go:91:15:91:62 | call to NewContent | semmle.label | call to NewContent |
| main.go:91:48:91:61 | untrustedInput | semmle.label | untrustedInput |
| main.go:93:3:93:24 | []type{args} [array] | semmle.label | []type{args} [array] |
| main.go:93:16:93:23 | content2 | semmle.label | content2 |
| main.go:93:16:93:23 | content2 | semmle.label | content2 |
subpaths

View File

@@ -1,3 +1,24 @@
## 6.0.0
### Breaking Changes
* The class `ControlFlowNode` (and by extension `BasicBlock`) is no longer
directly equatable to `Expr` and `Stmt`. Any queries that have been
exploiting these equalities, for example by using casts, will need minor
updates in order to fix any compilation errors. Conversions can be inserted
in either direction depending on what is most convenient. Available
conversions include `Expr.getControlFlowNode()`, `Stmt.getControlFlowNode()`,
`ControlFlowNode.asExpr()`, `ControlFlowNode.asStmt()`, and
`ControlFlowNode.asCall()`. Exit nodes were until now modelled as a
`ControlFlowNode` equal to its enclosing `Callable`; these are now instead
modelled by the class `ControlFlow::ExitNode`.
### Minor Analysis Improvements
* Added `java.io.File.getName()` as a path injection sanitizer.
* The data flow library has been updated to track types in a slightly different way: The type of the tainted data (which may be stored into fields, etc.) is tracked more precisely, while the types of intermediate containers for nested contents is tracked less precisely. This may have a slight effect on false positives for complex flow paths.
* Added a sink for "Server-side request forgery" (`java/ssrf`) for the third parameter to org.springframework.web.client.RestTemplate.getForObject, when we cannot statically determine that it does not affect the host in the URL.
## 5.0.0
### Breaking Changes
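Review bot: the `java/ssrf` bullet under "Minor Analysis Improvements" is hard to act on as written: "the third parameter to org.springframework.web.client.RestTemplate.getForObject" leaves the method name outside code font, unlike `java.io.File.getName()` in the first bullet, and names neither the parameter nor the overloads covered. Suggest putting `RestTemplate.getForObject` in backticks and naming the parameter (presumably the `uriVariables` argument of the overloads that take a URL template, which is an assumption on my part), so that users triaging new `java/ssrf` alerts after upgrading to 6.0.0 know which call shape became a sink.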

View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Added a sink for "Server-side request forgery" (`java/ssrf`) for the third parameter to org.springframework.web.client.RestTemplate.getForObject, when we cannot statically determine that it does not affect the host in the URL.

View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* The data flow library has been updated to track types in a slightly different way: The type of the tainted data (which may be stored into fields, etc.) is tracked more precisely, while the types of intermediate containers for nested contents is tracked less precisely. This may have a slight effect on false positives for complex flow paths.

View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Added `java.io.File.getName()` as a path injection sanitizer.

View File

@@ -1,6 +1,7 @@
---
category: breaking
---
## 6.0.0
### Breaking Changes
* The class `ControlFlowNode` (and by extension `BasicBlock`) is no longer
directly equatable to `Expr` and `Stmt`. Any queries that have been
exploiting these equalities, for example by using casts, will need minor
@@ -11,3 +12,9 @@ category: breaking
`ControlFlowNode.asCall()`. Exit nodes were until now modelled as a
`ControlFlowNode` equal to its enclosing `Callable`; these are now instead
modelled by the class `ControlFlow::ExitNode`.
### Minor Analysis Improvements
* Added `java.io.File.getName()` as a path injection sanitizer.
* The data flow library has been updated to track types in a slightly different way: The type of the tainted data (which may be stored into fields, etc.) is tracked more precisely, while the types of intermediate containers for nested contents is tracked less precisely. This may have a slight effect on false positives for complex flow paths.
* Added a sink for "Server-side request forgery" (`java/ssrf`) for the third parameter to org.springframework.web.client.RestTemplate.getForObject, when we cannot statically determine that it does not affect the host in the URL.
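Review bot: in the data flow bullet, "the types of intermediate containers for nested contents is tracked less precisely" has a subject-verb mismatch; "are tracked" reads correctly. The same bullet says the change "may have a slight effect on false positives" without giving a direction, so it would help to state whether users should expect more or fewer results on complex flow paths after the upgrade.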

View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 5.0.0
lastReleaseVersion: 6.0.0

View File

@@ -1,5 +1,5 @@
name: codeql/java-all
version: 5.0.1-dev
version: 6.0.1-dev
groups: java
dbscheme: config/semmlecode.dbscheme
extractor: java

View File

@@ -1,3 +1,7 @@
## 1.1.11
No user-facing changes.
## 1.1.10
### Minor Analysis Improvements

Some files were not shown because too many files have changed in this diff