Add log-injection test using strings.ReplaceAll

This commit is contained in:
Chris Smowton
2021-12-15 15:35:14 +00:00
committed by GitHub
parent f86510ee20
commit 9de1532735


@@ -369,3 +369,11 @@ func handlerGood(req *http.Request) {
escapedUsername = strings.Replace(escapedUsername, "\r", "", -1)
log.Printf("user %s logged in.\n", escapedUsername)
}
// GOOD: The user-provided value is escaped before being written to the log.
func handlerGood2(req *http.Request) {
username := req.URL.Query()["username"][0]
escapedUsername := strings.ReplaceAll(username, "\n", "")
escapedUsername = strings.ReplaceAll(escapedUsername, "\r", "")
log.Printf("user %s logged in.\n", escapedUsername)
}
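Review bot: `req.URL.Query()["username"][0]` in handlerGood2 panics with an index-out-of-range when the request carries no `username` parameter, since the map lookup yields a nil slice; `username := req.URL.Query().Get("username")` returns "" instead and still feeds the same ReplaceAll sanitizer path. If the fixture deliberately mirrors the indexing in handlerGood so the query's source pattern stays identical, a one-line comment such as `// Fixture mirrors handlerGood; not a production handler (index 0 panics on a missing parameter).` would make that intent visible. handlerGood's body starts before the hunk, so whether it uses the same indexing is inferred from the hunk header only.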