hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-26 17:25:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

Apply suggestions from code review

Browse Source 
co-authored-by: Owen Mansel-Chan <owen-mc@github.com>
This commit is contained in:
Tony Torralba
2024-01-10 12:22:12 +01:00
parent 3534f692dc
commit 78c0cdfa2c
3 changed files with 99 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
go/ql/lib/semmle/go/frameworks/stdlib/Log.qll
View File

@@ -8,7 +8,7 @@ import go
module Log {
private class LogFunction extends Function {
LogFunction() {
exists(string fn | fn.matches(["Fatal%", "Panic%", "Print%", "Output"]) |
exists(string fn | fn.matches(["Fatal%", "Panic%", "Print%"]) |
this.hasQualifiedName("log", fn)
or
this.(Method).hasQualifiedName("log", "Logger", fn)
@@ -16,6 +16,10 @@ module Log {
}
}
private class LogOutput extends Method {
LogOutput() { this.hasQualifiedName("log", "Logger", "Output") }
}
private class LogFormatter extends StringOps::Formatting::Range instanceof LogFunction {
LogFormatter() { this.getName().matches("%f") }
@@ -23,9 +27,19 @@ module Log {
}
private class LogCall extends LoggerCall::Range, DataFlow::CallNode {
LogCall() { this = any(LogFunction f).getACall() }
DataFlow::Node messageComponent;
override DataFlow::Node getAMessageComponent() { result = this.getASyntacticArgument() }
LogCall() {
exists(Function f | this = f.getACall() |
f instanceof LogFunction and
messageComponent = this.getASyntacticArgument()
or
f instanceof LogOutput and
messageComponent = this.getSyntacticArgument(1)
)
}
override DataFlow::Node getAMessageComponent() { result = messageComponent }
}
/** A fatal log function, which calls `os.Exit`. */

70
go/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected
View File

@@ -6,8 +6,6 @@ edges
| klog.go:21:11:21:16 | definition of header | klog.go:22:15:22:20 | header |
| klog.go:21:27:21:33 | headers | klog.go:21:4:24:4 | range statement[1] |
| klog.go:28:13:28:20 | selection of Header | klog.go:28:13:28:41 | call to Get |
| main.go:20:2:20:7 | definition of fields | main.go:22:29:22:34 | fields |
| main.go:21:19:21:26 | password | main.go:20:2:20:7 | definition of fields |
| overrides.go:9:9:9:16 | password | overrides.go:13:14:13:23 | call to String |
| passwords.go:8:12:8:12 | definition of x | passwords.go:9:14:9:14 | x |
| passwords.go:30:8:30:15 | password | passwords.go:8:12:8:12 | definition of x |
@@ -63,13 +61,34 @@ nodes
| klog.go:22:15:22:20 | header | semmle.label | header |
| klog.go:28:13:28:20 | selection of Header | semmle.label | selection of Header |
| klog.go:28:13:28:41 | call to Get | semmle.label | call to Get |
| main.go:15:14:15:21 | password | semmle.label | password |
| main.go:17:12:17:19 | password | semmle.label | password |
| main.go:18:17:18:24 | password | semmle.label | password |
| main.go:20:2:20:7 | definition of fields | semmle.label | definition of fields |
| main.go:21:19:21:26 | password | semmle.label | password |
| main.go:22:29:22:34 | fields | semmle.label | fields |
| main.go:25:35:25:42 | password | semmle.label | password |
| main.go:15:12:15:19 | password | semmle.label | password |
| main.go:16:17:16:24 | password | semmle.label | password |
| main.go:17:13:17:20 | password | semmle.label | password |
| main.go:18:14:18:21 | password | semmle.label | password |
| main.go:19:12:19:19 | password | semmle.label | password |
| main.go:20:17:20:24 | password | semmle.label | password |
| main.go:21:13:21:20 | password | semmle.label | password |
| main.go:22:14:22:21 | password | semmle.label | password |
| main.go:23:12:23:19 | password | semmle.label | password |
| main.go:24:17:24:24 | password | semmle.label | password |
| main.go:25:13:25:20 | password | semmle.label | password |
| main.go:26:14:26:21 | password | semmle.label | password |
| main.go:29:10:29:17 | password | semmle.label | password |
| main.go:30:15:30:22 | password | semmle.label | password |
| main.go:31:11:31:18 | password | semmle.label | password |
| main.go:32:12:32:19 | password | semmle.label | password |
| main.go:33:10:33:17 | password | semmle.label | password |
| main.go:34:15:34:22 | password | semmle.label | password |
| main.go:35:11:35:18 | password | semmle.label | password |
| main.go:36:12:36:19 | password | semmle.label | password |
| main.go:37:10:37:17 | password | semmle.label | password |
| main.go:38:15:38:22 | password | semmle.label | password |
| main.go:39:11:39:18 | password | semmle.label | password |
| main.go:40:12:40:19 | password | semmle.label | password |
| main.go:41:14:41:21 | password | semmle.label | password |
| main.go:43:12:43:19 | password | semmle.label | password |
| main.go:44:17:44:24 | password | semmle.label | password |
| main.go:51:35:51:42 | password | semmle.label | password |
| overrides.go:9:9:9:16 | password | semmle.label | password |
| overrides.go:13:14:13:23 | call to String | semmle.label | call to String |
| passwords.go:8:12:8:12 | definition of x | semmle.label | definition of x |
@@ -139,11 +158,34 @@ subpaths
#select
| klog.go:22:15:22:20 | header | klog.go:20:30:20:37 | selection of Header | klog.go:22:15:22:20 | header | $@ flows to a logging call. | klog.go:20:30:20:37 | selection of Header | Sensitive data returned by HTTP request headers |
| klog.go:28:13:28:41 | call to Get | klog.go:28:13:28:20 | selection of Header | klog.go:28:13:28:41 | call to Get | $@ flows to a logging call. | klog.go:28:13:28:20 | selection of Header | Sensitive data returned by HTTP request headers |
| main.go:15:14:15:21 | password | main.go:15:14:15:21 | password | main.go:15:14:15:21 | password | $@ flows to a logging call. | main.go:15:14:15:21 | password | Sensitive data returned by an access to password |
| main.go:17:12:17:19 | password | main.go:17:12:17:19 | password | main.go:17:12:17:19 | password | $@ flows to a logging call. | main.go:17:12:17:19 | password | Sensitive data returned by an access to password |
| main.go:18:17:18:24 | password | main.go:18:17:18:24 | password | main.go:18:17:18:24 | password | $@ flows to a logging call. | main.go:18:17:18:24 | password | Sensitive data returned by an access to password |
| main.go:22:29:22:34 | fields | main.go:21:19:21:26 | password | main.go:22:29:22:34 | fields | $@ flows to a logging call. | main.go:21:19:21:26 | password | Sensitive data returned by an access to password |
| main.go:25:35:25:42 | password | main.go:25:35:25:42 | password | main.go:25:35:25:42 | password | $@ flows to a logging call. | main.go:25:35:25:42 | password | Sensitive data returned by an access to password |
| main.go:15:12:15:19 | password | main.go:15:12:15:19 | password | main.go:15:12:15:19 | password | $@ flows to a logging call. | main.go:15:12:15:19 | password | Sensitive data returned by an access to password |
| main.go:16:17:16:24 | password | main.go:16:17:16:24 | password | main.go:16:17:16:24 | password | $@ flows to a logging call. | main.go:16:17:16:24 | password | Sensitive data returned by an access to password |
| main.go:17:13:17:20 | password | main.go:17:13:17:20 | password | main.go:17:13:17:20 | password | $@ flows to a logging call. | main.go:17:13:17:20 | password | Sensitive data returned by an access to password |
| main.go:18:14:18:21 | password | main.go:18:14:18:21 | password | main.go:18:14:18:21 | password | $@ flows to a logging call. | main.go:18:14:18:21 | password | Sensitive data returned by an access to password |
| main.go:19:12:19:19 | password | main.go:19:12:19:19 | password | main.go:19:12:19:19 | password | $@ flows to a logging call. | main.go:19:12:19:19 | password | Sensitive data returned by an access to password |
| main.go:20:17:20:24 | password | main.go:20:17:20:24 | password | main.go:20:17:20:24 | password | $@ flows to a logging call. | main.go:20:17:20:24 | password | Sensitive data returned by an access to password |
| main.go:21:13:21:20 | password | main.go:21:13:21:20 | password | main.go:21:13:21:20 | password | $@ flows to a logging call. | main.go:21:13:21:20 | password | Sensitive data returned by an access to password |
| main.go:22:14:22:21 | password | main.go:22:14:22:21 | password | main.go:22:14:22:21 | password | $@ flows to a logging call. | main.go:22:14:22:21 | password | Sensitive data returned by an access to password |
| main.go:23:12:23:19 | password | main.go:23:12:23:19 | password | main.go:23:12:23:19 | password | $@ flows to a logging call. | main.go:23:12:23:19 | password | Sensitive data returned by an access to password |
| main.go:24:17:24:24 | password | main.go:24:17:24:24 | password | main.go:24:17:24:24 | password | $@ flows to a logging call. | main.go:24:17:24:24 | password | Sensitive data returned by an access to password |
| main.go:25:13:25:20 | password | main.go:25:13:25:20 | password | main.go:25:13:25:20 | password | $@ flows to a logging call. | main.go:25:13:25:20 | password | Sensitive data returned by an access to password |
| main.go:26:14:26:21 | password | main.go:26:14:26:21 | password | main.go:26:14:26:21 | password | $@ flows to a logging call. | main.go:26:14:26:21 | password | Sensitive data returned by an access to password |
| main.go:29:10:29:17 | password | main.go:29:10:29:17 | password | main.go:29:10:29:17 | password | $@ flows to a logging call. | main.go:29:10:29:17 | password | Sensitive data returned by an access to password |
| main.go:30:15:30:22 | password | main.go:30:15:30:22 | password | main.go:30:15:30:22 | password | $@ flows to a logging call. | main.go:30:15:30:22 | password | Sensitive data returned by an access to password |
| main.go:31:11:31:18 | password | main.go:31:11:31:18 | password | main.go:31:11:31:18 | password | $@ flows to a logging call. | main.go:31:11:31:18 | password | Sensitive data returned by an access to password |
| main.go:32:12:32:19 | password | main.go:32:12:32:19 | password | main.go:32:12:32:19 | password | $@ flows to a logging call. | main.go:32:12:32:19 | password | Sensitive data returned by an access to password |
| main.go:33:10:33:17 | password | main.go:33:10:33:17 | password | main.go:33:10:33:17 | password | $@ flows to a logging call. | main.go:33:10:33:17 | password | Sensitive data returned by an access to password |
| main.go:34:15:34:22 | password | main.go:34:15:34:22 | password | main.go:34:15:34:22 | password | $@ flows to a logging call. | main.go:34:15:34:22 | password | Sensitive data returned by an access to password |
| main.go:35:11:35:18 | password | main.go:35:11:35:18 | password | main.go:35:11:35:18 | password | $@ flows to a logging call. | main.go:35:11:35:18 | password | Sensitive data returned by an access to password |
| main.go:36:12:36:19 | password | main.go:36:12:36:19 | password | main.go:36:12:36:19 | password | $@ flows to a logging call. | main.go:36:12:36:19 | password | Sensitive data returned by an access to password |
| main.go:37:10:37:17 | password | main.go:37:10:37:17 | password | main.go:37:10:37:17 | password | $@ flows to a logging call. | main.go:37:10:37:17 | password | Sensitive data returned by an access to password |
| main.go:38:15:38:22 | password | main.go:38:15:38:22 | password | main.go:38:15:38:22 | password | $@ flows to a logging call. | main.go:38:15:38:22 | password | Sensitive data returned by an access to password |
| main.go:39:11:39:18 | password | main.go:39:11:39:18 | password | main.go:39:11:39:18 | password | $@ flows to a logging call. | main.go:39:11:39:18 | password | Sensitive data returned by an access to password |
| main.go:40:12:40:19 | password | main.go:40:12:40:19 | password | main.go:40:12:40:19 | password | $@ flows to a logging call. | main.go:40:12:40:19 | password | Sensitive data returned by an access to password |
| main.go:41:14:41:21 | password | main.go:41:14:41:21 | password | main.go:41:14:41:21 | password | $@ flows to a logging call. | main.go:41:14:41:21 | password | Sensitive data returned by an access to password |
| main.go:43:12:43:19 | password | main.go:43:12:43:19 | password | main.go:43:12:43:19 | password | $@ flows to a logging call. | main.go:43:12:43:19 | password | Sensitive data returned by an access to password |
| main.go:44:17:44:24 | password | main.go:44:17:44:24 | password | main.go:44:17:44:24 | password | $@ flows to a logging call. | main.go:44:17:44:24 | password | Sensitive data returned by an access to password |
| main.go:51:35:51:42 | password | main.go:51:35:51:42 | password | main.go:51:35:51:42 | password | $@ flows to a logging call. | main.go:51:35:51:42 | password | Sensitive data returned by an access to password |
| overrides.go:13:14:13:23 | call to String | overrides.go:9:9:9:16 | password | overrides.go:13:14:13:23 | call to String | $@ flows to a logging call. | overrides.go:9:9:9:16 | password | Sensitive data returned by an access to password |
| passwords.go:9:14:9:14 | x | passwords.go:30:8:30:15 | password | passwords.go:9:14:9:14 | x | $@ flows to a logging call. | passwords.go:30:8:30:15 | password | Sensitive data returned by an access to password |
| passwords.go:25:14:25:21 | password | passwords.go:25:14:25:21 | password | passwords.go:25:14:25:21 | password | $@ flows to a logging call. | passwords.go:25:14:25:21 | password | Sensitive data returned by an access to password |

26
go/ql/test/query-tests/Security/CWE-312/main.go
View File

@@ -12,7 +12,33 @@ import (
func main() {
password := "P4ssw0rd"
log.Print(password)
log.Printf("", password)
log.Printf(password, "")
log.Println(password)
log.Fatal(password)
log.Fatalf("", password)
log.Fatalf(password, "")
log.Fatalln(password)
log.Panic(password)
log.Panicf("", password)
log.Panicf(password, "")
log.Panicln(password)
l := log.Default()
l.Print(password)
l.Printf("", password)
l.Printf(password, "")
l.Println(password)
l.Fatal(password)
l.Fatalf("", password)
l.Fatalf(password, "")
l.Fatalln(password)
l.Panic(password)
l.Panicf("", password)
l.Panicf(password, "")
l.Panicln(password)
l.Output(0, password)
glog.Info(password)
logrus.Warning(password)