diff --git a/go/ql/lib/change-notes/2026-06-01-non-returning-functions.md b/go/ql/lib/change-notes/2026-06-01-non-returning-functions.md new file mode 100644 index 00000000000..c48b2f32f83 --- /dev/null +++ b/go/ql/lib/change-notes/2026-06-01-non-returning-functions.md @@ -0,0 +1,4 @@ +--- +category: minorAnalysis +--- +* More logging functions are now recognized as not returning or panicking. diff --git a/go/ql/lib/semmle/go/Concepts.qll b/go/ql/lib/semmle/go/Concepts.qll index c33fb0ae6bb..30214914952 100644 --- a/go/ql/lib/semmle/go/Concepts.qll +++ b/go/ql/lib/semmle/go/Concepts.qll @@ -413,17 +413,13 @@ private class ExternalLoggerCall extends LoggerCall::Range, DataFlow::CallNode { } } -/** - * A call to an interface that looks like a logger. It is common to use a - * locally-defined interface for logging to make it easy to changing logging - * library. - */ -private class HeuristicLoggerCall extends LoggerCall::Range, DataFlow::CallNode { - HeuristicLoggerCall() { - exists(Method m, string tp, string logFunctionPrefix, string name | - m = this.getTarget() and - m.hasQualifiedName(_, tp, name) and - m.getReceiverBaseType().getUnderlyingType() instanceof InterfaceType +private class HeuristicLoggerFunction extends Method { + string logFunctionPrefix; + + HeuristicLoggerFunction() { + exists(string tp, string name | + this.hasQualifiedName(_, tp, name) and + this.getReceiverBaseType().getUnderlyingType() instanceof InterfaceType | tp.regexpMatch(".*[lL]ogger") and logFunctionPrefix = 
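Review bot: `HeuristicLoggerFunction` replaces a class that carried a QLDoc comment but has none itself, and the `logFunctionPrefix` field is undocumented even though the overrides in the next hunk key off its exact values. Suggest `/** A method of an interface type whose name looks like a logger. logFunctionPrefix is the level prefix of the method name, which the non-returning/panicking overrides compare against. */` above the class; the prefix list itself is cut off at the end of this hunk, so state the example values from that list. The class name says Function while it extends `Method`; `HeuristicLoggerMethod` would match what `HeuristicLoggerCall` targets. The charpred continues outside the hunk.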
@@ -435,6 +431,19 @@ private class HeuristicLoggerCall extends LoggerCall::Range, DataFlow::CallNode ) } + override predicate mayReturnNormally() { logFunctionPrefix != "Fatal" } + + override predicate mustPanic() { logFunctionPrefix = "Panic" } +} + +/** + * A call to an interface that looks like a logger. It is common to use a + * locally-defined interface for logging to make it easy to change logging + * library. + */ +private class HeuristicLoggerCall extends LoggerCall::Range, DataFlow::CallNode { + HeuristicLoggerCall() { this.getTarget() instanceof HeuristicLoggerFunction } + override DataFlow::Node getAMessageComponent() { result = this.getASyntacticArgument() } } diff --git a/go/ql/lib/semmle/go/frameworks/Glog.qll b/go/ql/lib/semmle/go/frameworks/Glog.qll index a9ffc432181..9715cc91073 100644 --- a/go/ql/lib/semmle/go/frameworks/Glog.qll +++ b/go/ql/lib/semmle/go/frameworks/Glog.qll 
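Review bot: `mayReturnNormally() { logFunctionPrefix != "Fatal" }` still holds for the `Panic` prefix, so a heuristic `Panic*` method is both `mustPanic` and may-return-normally, while the other models in this commit keep those exclusive (`Log.qll`'s `PanicLogFunction` overrides only `mustPanic` and `NoretFunctions.expected` then lists `log.Panic` as not returning; `Logrus.qll` excludes both prefixes). Suggest `override predicate mayReturnNormally() { not logFunctionPrefix = ["Fatal", "Panic"] }`. This is a pure name heuristic over any interface matching `.*[lL]ogger`: a user-defined `Fatal` that does return makes everything after the call unreachable to the analysis and silently drops findings there, so the restored QLDoc on `HeuristicLoggerCall` is the place to say that the non-returning treatment is heuristic as well.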
@@ -12,17 +12,37 @@ import go * forks. */ module Glog { + /** Gets a package name for `glog` or `klog` (which is a fork). */ + string packagePath() { + result = + package([ + "github.com/golang/glog", "gopkg.in/glog", "k8s.io/klog", "github.com/barakmich/glog" + ], "") + } + private class GlogFunction extends Function { int firstPrintedArg; + string format; + string level; GlogFunction() { - exists(string pkg, string fn, string level | - pkg = package(["github.com/golang/glog", "gopkg.in/glog", "k8s.io/klog"], "") and + exists(string pkg, string context, int nContextArgs, string depth, int nDepthArgs, string fn | + pkg = packagePath() and level = ["Error", "Exit", "Fatal", "Info", "Warning"] and ( - fn = level + ["", "f", "ln"] and firstPrintedArg = 0 + context = "" and nContextArgs = 0 or - fn = level + "Depth" and firstPrintedArg = 1 + context = "Context" and nContextArgs = 1 + ) and + ( + depth = "" and nDepthArgs = 0 + or + depth = "Depth" and nDepthArgs = 1 + ) and + format = ["", "f", "ln"] and + ( + fn = level + context + depth + format and + firstPrintedArg = nContextArgs + nDepthArgs ) | this.hasQualifiedName(pkg, fn) @@ -35,10 +55,15 @@ module Glog { * Gets the index of the first argument that may be output, including a format string if one is present. */ int getFirstPrintedArg() { result = firstPrintedArg } + + /** Holds if this function takes a format string. */ + predicate formatter() { format = "f" } + + override predicate mayReturnNormally() { level != "Fatal" and level != "Exit" } } private class StringFormatter extends StringOps::Formatting::Range instanceof GlogFunction { - StringFormatter() { this.getName().matches("%f") } + StringFormatter() { this.formatter() } override int getFormatStringIndex() { result = super.getFirstPrintedArg() } } diff --git a/go/ql/lib/semmle/go/frameworks/Logrus.qll b/go/ql/lib/semmle/go/frameworks/Logrus.qll index 33287462c05..069764318d5 100644 --- a/go/ql/lib/semmle/go/frameworks/Logrus.qll 
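Review bot: The QLDoc on `packagePath` names only `glog` and `klog`, but the list also contains `gopkg.in/glog` and `github.com/barakmich/glog`; suggest `/** Gets the package path of glog, klog, or another modelled fork of glog. */`. The new `format` and `level` fields have no comment; a one-liner each (`// "", "f" or "ln" suffix of the function name` and `// Error, Exit, Fatal, Info or Warning`) would make the charpred readable without tracing the `exists`. `GlogFunction` still matches only package-level functions via `this.hasQualifiedName(pkg, fn)`, yet the test file in this commit expects `glog.V(0).Info(text)` and `klog.V(0).Infof(...)` to be recognised as logger calls; unless the `Verbose` methods are modelled somewhere outside this diff, those expectations are not met by this class.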
+++ b/go/ql/lib/semmle/go/frameworks/Logrus.qll @@ -28,6 +28,12 @@ module Logrus { this.(Method).hasQualifiedName(packagePath(), ["Entry", "Logger"], name) ) } + + override predicate mayReturnNormally() { + not exists(string level, string suffix | level = ["Fatal", "Panic"] | + this.getName() = level + suffix + ) + } } private class StringFormatters extends StringOps::Formatting::Range instanceof LogFunction { diff --git a/go/ql/lib/semmle/go/frameworks/Zap.qll b/go/ql/lib/semmle/go/frameworks/Zap.qll index b634d8e9795..cf0abcd9336 100644 --- a/go/ql/lib/semmle/go/frameworks/Zap.qll +++ b/go/ql/lib/semmle/go/frameworks/Zap.qll @@ -47,7 +47,7 @@ module Zap { } /** A Zap logging function which always panics. */ - private class FatalLogMethod extends Method { + private class FatalLogMethod extends ZapFunction { FatalLogMethod() { this.hasQualifiedName(packagePath(), "Logger", "Fatal") or @@ -58,7 +58,7 @@ module Zap { } /** A Zap logging function which always panics. */ - private class MustPanicLogMethod extends Method { + private class MustPanicLogMethod extends ZapFunction { MustPanicLogMethod() { this.hasQualifiedName(packagePath(), "Logger", "Panic") or diff --git a/go/ql/lib/semmle/go/frameworks/stdlib/Log.qll b/go/ql/lib/semmle/go/frameworks/stdlib/Log.qll index a5ebca68be5..1ff1a4b320f 100644 --- a/go/ql/lib/semmle/go/frameworks/stdlib/Log.qll +++ b/go/ql/lib/semmle/go/frameworks/stdlib/Log.qll 
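Review bot: The `mayReturnNormally` override marks `Panic*` as never returning normally but, unlike `PanicLogFunction` in `Log.qll` and `HeuristicLoggerFunction` in `Concepts.qll` in this same commit, does not override `mustPanic`, so the CFG learns that the call does not fall through but not that it panics (logrus's `Panic`, `Panicf` and `Panicln` call `panic` after logging, so a `recover` in the caller is reachable). Suggest adding `override predicate mustPanic() { this.getName().matches("Panic%") }` next to it. The `level + suffix` equality is effectively a prefix test; `this.getName().matches(["Fatal%", "Panic%"])` says that directly and avoids the unconstrained `suffix` variable. `LogFunction` starts outside the hunk.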
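Review bot: The QLDoc on `FatalLogMethod` (the context line above the changed `extends`) says the function "always panics", word for word the same as the comment on `MustPanicLogMethod` in the next hunk; if `Logger.Fatal` here models zap's `Fatal`, which exits the process rather than panicking, the comment is misleading. Suggest `/** A Zap logging function which never returns normally. */` on `FatalLogMethod` and keep "always panics" only on `MustPanicLogMethod`. Both class bodies continue outside their hunks, so I cannot see which predicates each overrides after the switch to `ZapFunction`.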
@@ -29,18 +29,37 @@ module Log { } private class LogFormatter extends StringOps::Formatting::Range instanceof LogFunction { - LogFormatter() { this.getName() = ["Fatalf", "Panicf", "Printf"] } + LogFormatter() { this.getName() = ["Fatalf", "Panicf", "Printf", "Panic", "Panicf", "Panicln"] } override int getFormatStringIndex() { result = 0 } } /** A fatal log function, which calls `os.Exit`. */ private class FatalLogFunction extends Function { - FatalLogFunction() { this.hasQualifiedName("log", ["Fatal", "Fatalf", "Fatalln"]) } + FatalLogFunction() { + exists(string fn | fn = ["Fatal", "Fatalf", "Fatalln"] | + this.hasQualifiedName("log", fn) + or + this.(Method).hasQualifiedName("log", "Logger", fn) + ) + } override predicate mayReturnNormally() { none() } } + /** A log function which must panic. */ + private class PanicLogFunction extends Function { + PanicLogFunction() { + exists(string fn | fn = ["Panic", "Panicf", "Panicln"] | + this.hasQualifiedName("log", fn) + or + this.(Method).hasQualifiedName("log", "Logger", fn) + ) + } + + override predicate mustPanic() { any() } + } + // These models are not implemented using Models-as-Data because they represent reverse flow. private class FunctionModels extends TaintTracking::FunctionModel { FunctionInput inp; 
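Review bot: `LogFormatter`'s name list now contains `"Panicf"` twice and adds `"Panic"` and `"Panicln"`, which take `v ...any` and no format string, so with `getFormatStringIndex() { result = 0 }` their first argument is treated as a format string. The formatter set should stay `LogFormatter() { this.getName() = ["Fatalf", "Panicf", "Printf"] }`; the panic-related addition that belongs in this hunk is the new `PanicLogFunction` class, which looks right. If the intent was to cover `Logger.Panicf` as a formatter, that depends on whether `LogFunction` (defined outside the hunk) already includes the `Logger` methods.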
@@ -63,30 +82,6 @@ module Log { FunctionOutput outp; MethodModels() { - // signature: func (*Logger) Fatal(v ...interface{}) - this.hasQualifiedName("log", "Logger", "Fatal") and - (inp.isParameter(_) and outp.isReceiver()) - or - // signature: func (*Logger) Fatalf(format string, v ...interface{}) - this.hasQualifiedName("log", "Logger", "Fatalf") and - (inp.isParameter(_) and outp.isReceiver()) - or - // signature: func (*Logger) Fatalln(v ...interface{}) - this.hasQualifiedName("log", "Logger", "Fatalln") and - (inp.isParameter(_) and outp.isReceiver()) - or - // signature: func (*Logger) Panic(v ...interface{}) - this.hasQualifiedName("log", "Logger", "Panic") and - (inp.isParameter(_) and outp.isReceiver()) - or - // signature: func (*Logger) Panicf(format string, v ...interface{}) - this.hasQualifiedName("log", "Logger", "Panicf") and - (inp.isParameter(_) and outp.isReceiver()) - or - // signature: func (*Logger) Panicln(v ...interface{}) - this.hasQualifiedName("log", "Logger", "Panicln") and - (inp.isParameter(_) and outp.isReceiver()) - or // signature: func (*Logger) Print(v ...interface{}) this.hasQualifiedName("log", "Logger", "Print") and (inp.isParameter(_) and outp.isReceiver()) diff --git a/go/ql/test/library-tests/semmle/go/concepts/LoggerCall/glog.go b/go/ql/test/library-tests/semmle/go/concepts/LoggerCall/glog.go index ab82527b5e0..25c245948f3 100644 --- a/go/ql/test/library-tests/semmle/go/concepts/LoggerCall/glog.go +++ b/go/ql/test/library-tests/semmle/go/concepts/LoggerCall/glog.go 
@@ -1,54 +1,181 @@ -//go:generate depstubber -vendor github.com/golang/glog "" Error,ErrorDepth,Errorf,Errorln,Exit,ExitDepth,Exitf,Exitln,Fatal,FatalDepth,Fatalf,Fatalln,Info,InfoDepth,Infof,Infoln,Warning,WarningDepth,Warningf,Warningln -//go:generate depstubber -vendor k8s.io/klog "" Error,ErrorDepth,Errorf,Errorln,Exit,ExitDepth,Exitf,Exitln,Fatal,FatalDepth,Fatalf,Fatalln,Info,InfoDepth,Infof,Infoln,Warning,WarningDepth,Warningf,Warningln +//go:generate depstubber -vendor github.com/golang/glog Level,Verbose Error,ErrorContext,ErrorContextDepth,ErrorContextDepthf,ErrorContextf,ErrorDepth,ErrorDepthf,Errorf,Errorln,Exit,ExitContext,ExitContextDepth,ExitContextDepthf,ExitContextf,ExitDepth,ExitDepthf,Exitf,Exitln,Fatal,FatalContext,FatalContextDepth,FatalContextDepthf,FatalContextf,FatalDepth,FatalDepthf,Fatalf,Fatalln,Info,InfoContext,InfoContextDepth,InfoContextDepthf,InfoContextf,InfoDepth,InfoDepthf,Infof,Infoln,V,VDepth,Warning,WarningContext,WarningContextDepth,WarningContextDepthf,WarningContextf,WarningDepth,WarningDepthf,Warningf,Warningln +//go:generate depstubber -vendor k8s.io/klog Level,Verbose Error,ErrorDepth,Errorf,Errorln,Exit,ExitDepth,Exitf,Exitln,Fatal,FatalDepth,Fatalf,Fatalln,Info,InfoDepth,Infof,Infoln,V,Warning,WarningDepth,Warningf,Warningln package main import ( + "context" + "github.com/golang/glog" "k8s.io/klog" ) -func glogTest() { - glog.Error(text) // $ logger=text - glog.ErrorDepth(0, text) // $ logger=text - glog.Errorf(fmt, text) // $ logger=fmt logger=text - glog.Errorln(text) // $ logger=text - glog.Exit(text) // $ logger=text - glog.ExitDepth(0, text) // $ logger=text - glog.Exitf(fmt, text) // $ logger=fmt logger=text - glog.Exitln(text) // $ logger=text - glog.Fatal(text) // $ logger=text - glog.FatalDepth(0, text) // $ logger=text - glog.Fatalf(fmt, text) // $ logger=fmt logger=text - glog.Fatalln(text) // $ logger=text - glog.Info(text) // $ logger=text - glog.InfoDepth(0, text) // $ logger=text - glog.Infof(fmt, text) // 
$ logger=fmt logger=text - glog.Infoln(text) // $ logger=text - glog.Warning(text) // $ logger=text - glog.WarningDepth(0, text) // $ logger=text - glog.Warningf(fmt, text) // $ logger=fmt logger=text - glog.Warningln(text) // $ logger=text +func glogTest(selector int) { + ctx := context.Background() + + glog.Error(text) // $ logger=text + glog.ErrorContext(ctx, text) // $ logger=text + glog.ErrorContextDepth(ctx, 0, text) // $ logger=text + glog.ErrorContextDepthf(ctx, 0, fmt, text) // $ logger=fmt logger=text + glog.ErrorContextf(ctx, fmt, text) // $ logger=fmt logger=text + glog.ErrorDepth(0, text) // $ logger=text + glog.ErrorDepthf(0, fmt, text) // $ logger=fmt logger=text + glog.Errorf(fmt, text) // $ logger=fmt logger=text + glog.Errorln(text) // $ logger=text + if selector == 1 { + glog.Exit(text) // $ logger=text + } + if selector == 2 { + glog.ExitContext(ctx, text) // $ logger=text + } + if selector == 3 { + glog.ExitContextDepth(ctx, 0, text) // $ logger=text + } + if selector == 4 { + glog.ExitContextDepthf(ctx, 0, fmt, text) // $ logger=fmt logger=text + } + if selector == 5 { + glog.ExitContextf(ctx, fmt, text) // $ logger=fmt logger=text + } + if selector == 6 { + glog.ExitDepth(0, text) // $ logger=text + } + if selector == 7 { + glog.ExitDepthf(0, fmt, text) // $ logger=fmt logger=text + } + if selector == 8 { + glog.Exitf(fmt, text) // $ logger=fmt logger=text + } + if selector == 9 { + glog.Exitln(text) // $ logger=text + } + if selector == 10 { + glog.Fatal(text) // $ logger=text + } + if selector == 11 { + glog.FatalContext(ctx, text) // $ logger=text + } + if selector == 12 { + glog.FatalContextDepth(ctx, 0, text) // $ logger=text + } + if selector == 13 { + glog.FatalContextDepthf(ctx, 0, fmt, text) // $ logger=fmt logger=text + } + if selector == 14 { + glog.FatalContextf(ctx, fmt, text) // $ logger=fmt logger=text + } + if selector == 15 { + glog.FatalDepth(0, text) // $ logger=text + } + if selector == 16 { + glog.FatalDepthf(0, fmt, 
text) // $ logger=fmt logger=text + } + if selector == 17 { + glog.Fatalf(fmt, text) // $ logger=fmt logger=text + } + if selector == 18 { + glog.Fatalln(text) // $ logger=text + } + glog.Info(text) // $ logger=text + glog.InfoContext(ctx, text) // $ logger=text + glog.InfoContextDepth(ctx, 0, text) // $ logger=text + glog.InfoContextDepthf(ctx, 0, fmt, text) // $ logger=fmt logger=text + glog.InfoContextf(ctx, fmt, text) // $ logger=fmt logger=text + glog.InfoDepth(0, text) // $ logger=text + glog.InfoDepthf(0, fmt, text) // $ logger=fmt logger=text + glog.Infof(fmt, text) // $ logger=fmt logger=text + glog.Infoln(text) // $ logger=text + glog.Warning(text) // $ logger=text + glog.WarningContext(ctx, text) // $ logger=text + glog.WarningContextDepth(ctx, 0, text) // $ logger=text + glog.WarningContextDepthf(ctx, 0, fmt, text) // $ logger=fmt logger=text + glog.WarningContextf(ctx, fmt, text) // $ logger=fmt logger=text + glog.WarningDepth(0, text) // $ logger=text + glog.WarningDepthf(0, fmt, text) // $ logger=fmt logger=text + glog.Warningf(fmt, text) // $ logger=fmt logger=text + glog.Warningln(text) // $ logger=text + + glog.V(0).Info(text) // $ logger=text + glog.V(0).InfoContext(ctx, text) // $ logger=text + glog.V(0).InfoContextDepth(ctx, 0, text) // $ logger=text + glog.V(0).InfoContextDepthf(ctx, 0, fmt, text) // $ logger=fmt logger=text + glog.V(0).InfoContextf(ctx, fmt, text) // $ logger=fmt logger=text + glog.V(0).InfoDepth(0, text) // $ logger=text + glog.V(0).InfoDepthf(0, fmt, text) // $ logger=fmt logger=text + glog.V(0).Infof(fmt, text) // $ logger=fmt logger=text + glog.V(0).Infoln(text) // $ logger=text + glog.VDepth(0, 0).Info(text) // $ logger=text // components corresponding to the format specifier "%T" are not considered vulnerable - glog.Errorf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v - glog.Exitf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v - 
glog.Fatalf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v - glog.Infof("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v - glog.Warningf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v + glog.ErrorContextDepthf(ctx, 0, "%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v + glog.ErrorContextf(ctx, "%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v + glog.ErrorDepthf(0, "%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v + glog.Errorf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v + if selector == 19 { + glog.ExitContextDepthf(ctx, 0, "%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v + } + if selector == 20 { + glog.ExitContextf(ctx, "%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v + } + if selector == 21 { + glog.ExitDepthf(0, "%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v + } + if selector == 22 { + glog.Exitf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v + } + if selector == 23 { + glog.FatalContextDepthf(ctx, 0, "%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v + } + if selector == 24 { + glog.FatalContextf(ctx, "%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v + } + if selector == 25 { + glog.FatalDepthf(0, "%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v + } + if selector == 26 { + glog.Fatalf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v + } + glog.InfoContextDepthf(ctx, 0, "%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v + glog.InfoContextf(ctx, 
"%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v + glog.InfoDepthf(0, "%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v + glog.Infof("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v + glog.WarningContextDepthf(ctx, 0, "%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v + glog.WarningContextf(ctx, "%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v + glog.WarningDepthf(0, "%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v + glog.Warningf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v + glog.V(0).InfoContextDepthf(ctx, 0, "%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v + glog.V(0).InfoContextf(ctx, "%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v + glog.V(0).InfoDepthf(0, "%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v + glog.V(0).Infof("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v - klog.Error(text) // $ logger=text - klog.ErrorDepth(0, text) // $ logger=text - klog.Errorf(fmt, text) // $ logger=fmt logger=text - klog.Errorln(text) // $ logger=text - klog.Exit(text) // $ logger=text - klog.ExitDepth(0, text) // $ logger=text - klog.Exitf(fmt, text) // $ logger=fmt logger=text - klog.Exitln(text) // $ logger=text - klog.Fatal(text) // $ logger=text - klog.FatalDepth(0, text) // $ logger=text - klog.Fatalf(fmt, text) // $ logger=fmt logger=text - klog.Fatalln(text) // $ logger=text + klog.Error(text) // $ logger=text + klog.ErrorDepth(0, text) // $ logger=text + klog.Errorf(fmt, text) // $ logger=fmt logger=text + klog.Errorln(text) // $ logger=text + if selector == 27 { + klog.Exit(text) // $ logger=text + } + if selector == 28 { + 
klog.ExitDepth(0, text) // $ logger=text + } + if selector == 29 { + klog.Exitf(fmt, text) // $ logger=fmt logger=text + } + if selector == 30 { + klog.Exitln(text) // $ logger=text + } + if selector == 31 { + klog.Fatal(text) // $ logger=text + } + if selector == 32 { + klog.FatalDepth(0, text) // $ logger=text + } + if selector == 33 { + klog.Fatalf(fmt, text) // $ logger=fmt logger=text + } + if selector == 34 { + klog.Fatalln(text) // $ logger=text + } klog.Info(text) // $ logger=text klog.InfoDepth(0, text) // $ logger=text klog.Infof(fmt, text) // $ logger=fmt logger=text 
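Review bot: `glogTest` gained a `selector` parameter, but nothing in the file says why every `Exit*`/`Fatal*` call now sits under its own `if selector == N` guard, and a later edit could collapse them. Suggest a comment above the first guard: `// Each call modelled as non-returning is placed on its own conditional path so the calls after it stay reachable in the CFG; main passes a runtime value so the branches cannot be folded.` The function continues into the next hunk.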
@@ -57,11 +184,19 @@ func glogTest() { klog.WarningDepth(0, text) // $ logger=text klog.Warningf(fmt, text) // $ logger=fmt logger=text klog.Warningln(text) // $ logger=text + klog.V(0).Info(text) // $ logger=text + klog.V(0).Infof(fmt, text) // $ logger=fmt logger=text + klog.V(0).Infoln(text) // $ logger=text // components corresponding to the format specifier "%T" are not considered vulnerable - klog.Errorf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v - klog.Exitf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v - klog.Fatalf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v - klog.Infof("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v - klog.Warningf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v + klog.Errorf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v + if selector == 35 { + klog.Exitf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v + } + if selector == 36 { + klog.Fatalf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v + } + klog.Infof("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v + klog.Warningf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v + klog.V(0).Infof("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v } diff --git a/go/ql/test/library-tests/semmle/go/concepts/LoggerCall/go.mod b/go/ql/test/library-tests/semmle/go/concepts/LoggerCall/go.mod index 81d2785a409..0d3c053e7fe 100644 --- a/go/ql/test/library-tests/semmle/go/concepts/LoggerCall/go.mod +++ b/go/ql/test/library-tests/semmle/go/concepts/LoggerCall/go.mod 
@@ -3,7 +3,7 @@ module codeql-go-tests/concepts/loggercall go 1.15 require ( - github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b + github.com/golang/glog v1.2.5 github.com/sirupsen/logrus v1.7.0 k8s.io/klog v1.0.0 ) diff --git a/go/ql/test/library-tests/semmle/go/concepts/LoggerCall/main.go b/go/ql/test/library-tests/semmle/go/concepts/LoggerCall/main.go index 5353d9155cc..688c59bc2ea 100644 --- a/go/ql/test/library-tests/semmle/go/concepts/LoggerCall/main.go +++ b/go/ql/test/library-tests/semmle/go/concepts/LoggerCall/main.go @@ -6,5 +6,6 @@ const text = "test" var v []byte func main() { + glogTest(len(v)) stdlib() } diff --git a/go/ql/test/library-tests/semmle/go/concepts/LoggerCall/vendor/github.com/golang/glog/stub.go b/go/ql/test/library-tests/semmle/go/concepts/LoggerCall/vendor/github.com/golang/glog/stub.go index 49f90bc21af..64a0aef2bfc 100644 --- a/go/ql/test/library-tests/semmle/go/concepts/LoggerCall/vendor/github.com/golang/glog/stub.go +++ b/go/ql/test/library-tests/semmle/go/concepts/LoggerCall/vendor/github.com/golang/glog/stub.go 
@@ -2,47 +2,125 @@ // This is a simple stub for github.com/golang/glog, strictly for use in testing. // See the LICENSE file for information about the licensing of the original library. -// Source: github.com/golang/glog (exports: ; functions: Error,ErrorDepth,Errorf,Errorln,Exit,ExitDepth,Exitf,Exitln,Fatal,FatalDepth,Fatalf,Fatalln,Info,InfoDepth,Infof,Infoln,Warning,WarningDepth,Warningf,Warningln) +// Source: github.com/golang/glog (exports: Level,Verbose; functions: Error,ErrorContext,ErrorContextDepth,ErrorContextDepthf,ErrorContextf,ErrorDepth,ErrorDepthf,Errorf,Errorln,Exit,ExitContext,ExitContextDepth,ExitContextDepthf,ExitContextf,ExitDepth,ExitDepthf,Exitf,Exitln,Fatal,FatalContext,FatalContextDepth,FatalContextDepthf,FatalContextf,FatalDepth,FatalDepthf,Fatalf,Fatalln,Info,InfoContext,InfoContextDepth,InfoContextDepthf,InfoContextf,InfoDepth,InfoDepthf,Infof,Infoln,V,VDepth,Warning,WarningContext,WarningContextDepth,WarningContextDepthf,WarningContextf,WarningDepth,WarningDepthf,Warningf,Warningln) // Package glog is a stub of github.com/golang/glog, generated by depstubber. 
package glog +import "context" + +type Level int32 + +type Verbose bool + func Error(_ ...interface{}) {} +func ErrorContext(_ context.Context, _ ...interface{}) {} + +func ErrorContextDepth(_ context.Context, _ int, _ ...interface{}) {} + +func ErrorContextDepthf(_ context.Context, _ int, _ string, _ ...interface{}) {} + +func ErrorContextf(_ context.Context, _ string, _ ...interface{}) {} + func ErrorDepth(_ int, _ ...interface{}) {} +func ErrorDepthf(_ int, _ string, _ ...interface{}) {} + func Errorf(_ string, _ ...interface{}) {} func Errorln(_ ...interface{}) {} func Exit(_ ...interface{}) {} +func ExitContext(_ context.Context, _ ...interface{}) {} + +func ExitContextDepth(_ context.Context, _ int, _ ...interface{}) {} + +func ExitContextDepthf(_ context.Context, _ int, _ string, _ ...interface{}) {} + +func ExitContextf(_ context.Context, _ string, _ ...interface{}) {} + func ExitDepth(_ int, _ ...interface{}) {} +func ExitDepthf(_ int, _ string, _ ...interface{}) {} + func Exitf(_ string, _ ...interface{}) {} func Exitln(_ ...interface{}) {} func Fatal(_ ...interface{}) {} +func FatalContext(_ context.Context, _ ...interface{}) {} + +func FatalContextDepth(_ context.Context, _ int, _ ...interface{}) {} + +func FatalContextDepthf(_ context.Context, _ int, _ string, _ ...interface{}) {} + +func FatalContextf(_ context.Context, _ string, _ ...interface{}) {} + func FatalDepth(_ int, _ ...interface{}) {} +func FatalDepthf(_ int, _ string, _ ...interface{}) {} + func Fatalf(_ string, _ ...interface{}) {} func Fatalln(_ ...interface{}) {} func Info(_ ...interface{}) {} +func InfoContext(_ context.Context, _ ...interface{}) {} + +func InfoContextDepth(_ context.Context, _ int, _ ...interface{}) {} + +func InfoContextDepthf(_ context.Context, _ int, _ string, _ ...interface{}) {} + +func InfoContextf(_ context.Context, _ string, _ ...interface{}) {} + func InfoDepth(_ int, _ ...interface{}) {} +func InfoDepthf(_ int, _ string, _ ...interface{}) {} + func Infof(_ 
string, _ ...interface{}) {} func Infoln(_ ...interface{}) {} +func V(_ Level) Verbose { return false } + +func VDepth(_ int, _ Level) Verbose { return false } + func Warning(_ ...interface{}) {} +func WarningContext(_ context.Context, _ ...interface{}) {} + +func WarningContextDepth(_ context.Context, _ int, _ ...interface{}) {} + +func WarningContextDepthf(_ context.Context, _ int, _ string, _ ...interface{}) {} + +func WarningContextf(_ context.Context, _ string, _ ...interface{}) {} + func WarningDepth(_ int, _ ...interface{}) {} +func WarningDepthf(_ int, _ string, _ ...interface{}) {} + func Warningf(_ string, _ ...interface{}) {} func Warningln(_ ...interface{}) {} + +func (_ Verbose) Info(_ ...interface{}) {} + +func (_ Verbose) InfoContext(_ context.Context, _ ...interface{}) {} + +func (_ Verbose) InfoContextDepth(_ context.Context, _ int, _ ...interface{}) {} + +func (_ Verbose) InfoContextDepthf(_ context.Context, _ int, _ string, _ ...interface{}) {} + +func (_ Verbose) InfoContextf(_ context.Context, _ string, _ ...interface{}) {} + +func (_ Verbose) InfoDepth(_ int, _ ...interface{}) {} + +func (_ Verbose) InfoDepthf(_ int, _ string, _ ...interface{}) {} + +func (_ Verbose) Infof(_ string, _ ...interface{}) {} + +func (_ Verbose) Infoln(_ ...interface{}) {} diff --git a/go/ql/test/library-tests/semmle/go/concepts/LoggerCall/vendor/k8s.io/klog/stub.go b/go/ql/test/library-tests/semmle/go/concepts/LoggerCall/vendor/k8s.io/klog/stub.go index 0c29992abcf..81eb6927c5b 100644 --- a/go/ql/test/library-tests/semmle/go/concepts/LoggerCall/vendor/k8s.io/klog/stub.go +++ b/go/ql/test/library-tests/semmle/go/concepts/LoggerCall/vendor/k8s.io/klog/stub.go 
@@ -2,11 +2,15 @@ // This is a simple stub for k8s.io/klog, strictly for use in testing. // See the LICENSE file for information about the licensing of the original library. -// Source: k8s.io/klog (exports: ; functions: Error,ErrorDepth,Errorf,Errorln,Exit,ExitDepth,Exitf,Exitln,Fatal,FatalDepth,Fatalf,Fatalln,Info,InfoDepth,Infof,Infoln,Warning,WarningDepth,Warningf,Warningln) +// Source: k8s.io/klog (exports: Level,Verbose; functions: Error,ErrorDepth,Errorf,Errorln,Exit,ExitDepth,Exitf,Exitln,Fatal,FatalDepth,Fatalf,Fatalln,Info,InfoDepth,Infof,Infoln,V,Warning,WarningDepth,Warningf,Warningln) // Package klog is a stub of k8s.io/klog, generated by depstubber. package klog +type Level int32 + +type Verbose bool + func Error(_ ...interface{}) {} func ErrorDepth(_ int, _ ...interface{}) {} @@ -39,6 +43,8 @@ func Infof(_ string, _ ...interface{}) {} func Infoln(_ ...interface{}) {} +func V(_ Level) Verbose { return false } + func Warning(_ ...interface{}) {} func WarningDepth(_ int, _ ...interface{}) {} @@ -46,3 +52,9 @@ func WarningDepth(_ int, _ ...interface{}) {} func Warningf(_ string, _ ...interface{}) {} func Warningln(_ ...interface{}) {} + +func (_ Verbose) Info(_ ...interface{}) {} + +func (_ Verbose) Infof(_ string, _ ...interface{}) {} + +func (_ Verbose) Infoln(_ ...interface{}) {} diff --git a/go/ql/test/library-tests/semmle/go/concepts/LoggerCall/vendor/modules.txt b/go/ql/test/library-tests/semmle/go/concepts/LoggerCall/vendor/modules.txt index da35ae80c08..bf162a2d5a4 100644 --- a/go/ql/test/library-tests/semmle/go/concepts/LoggerCall/vendor/modules.txt +++ b/go/ql/test/library-tests/semmle/go/concepts/LoggerCall/vendor/modules.txt @@ -1,4 +1,4 @@ -# github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b +# github.com/golang/glog v1.2.5 ## explicit github.com/golang/glog # github.com/sirupsen/logrus v1.7.0 
diff --git a/go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph/NoretFunctions.expected b/go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph/NoretFunctions.expected
index abd09c52976..4e466b74504 100644
--- a/go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph/NoretFunctions.expected
+++ b/go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph/NoretFunctions.expected
@@ -1,11 +1,21 @@ -| file://:0:0:0:0 | Exit | package os | -| file://:0:0:0:0 | Fatal | package log | -| file://:0:0:0:0 | Fatalf | package log | -| file://:0:0:0:0 | Fatalln | package log | -| noretfunctions.go:8:6:8:12 | isNoRet | package github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph | -| noretfunctions.go:20:6:20:22 | noRetUsesLogFatal | package github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph | -| noretfunctions.go:24:6:24:23 | noRetUsesLogFatalf | package github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph | -| stmts7.go:10:6:10:15 | canRecover | package github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph | -| stmts.go:10:6:10:10 | test5 | package github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph | -| stmts.go:46:6:46:10 | test6 | package github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph | -| stmts.go:112:6:112:10 | test9 | package github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph | +| file://:0:0:0:0 | Exit | os.Exit | +| file://:0:0:0:0 | Fatal | log.Fatal | +| file://:0:0:0:0 | Fatal | log.Logger.Fatal | +| file://:0:0:0:0 | Fatalf | log.Fatalf | +| file://:0:0:0:0 | Fatalf | log.Logger.Fatalf | +| file://:0:0:0:0 | Fatalln | log.Fatalln | +| file://:0:0:0:0 | Fatalln | log.Logger.Fatalln | +| file://:0:0:0:0 | Panic | log.Logger.Panic | +| file://:0:0:0:0 | Panic | log.Panic | +| file://:0:0:0:0 | Panicf | log.Logger.Panicf | +| file://:0:0:0:0 | Panicf | log.Panicf | +| file://:0:0:0:0 | Panicln | log.Logger.Panicln | +| file://:0:0:0:0 | Panicln | log.Panicln | +| file://:0:0:0:0 | panic | panic | +| noretfunctions.go:8:6:8:12 | isNoRet | github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph.isNoRet | +| noretfunctions.go:20:6:20:22 | 
noRetUsesLogFatal | github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph.noRetUsesLogFatal | +| noretfunctions.go:24:6:24:23 | noRetUsesLogFatalf | github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph.noRetUsesLogFatalf | +| stmts7.go:10:6:10:15 | canRecover | github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph.canRecover | +| stmts.go:10:6:10:10 | test5 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph.test5 | +| stmts.go:46:6:46:10 | test6 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph.test6 | +| stmts.go:112:6:112:10 | test9 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph.test9 | diff --git a/go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph/NoretFunctions.ql b/go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph/NoretFunctions.ql index b61493abb9f..b525004752f 100644 --- a/go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph/NoretFunctions.ql +++ b/go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph/NoretFunctions.ql @@ -2,4 +2,4 @@ import go from Function f where not f.mayReturnNormally() -select f, f.getPackage() +select f, f.getQualifiedName() diff --git a/go/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Log.go b/go/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Log.go index 703c4086ae1..50dcfd1170b 100644 --- a/go/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Log.go +++ b/go/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Log.go 
@@ -15,62 +15,6 @@ func TaintStepTest_LogNew_B0I0O0(sourceCQL interface{}) interface{} {
 return intoWriter414
 }
-func TaintStepTest_LogLoggerFatal_B0I0O0(sourceCQL interface{}) interface{} {
- fromInterface518 := sourceCQL.(interface{})
- var intoLogger650 log.Logger
- intoLogger650.Fatal(fromInterface518)
- return intoLogger650
-}
-
-func TaintStepTest_LogLoggerFatalf_B0I0O0(sourceCQL interface{}) interface{} {
- fromString784 := sourceCQL.(string)
- var intoLogger957 log.Logger
- intoLogger957.Fatalf(fromString784, nil)
- return intoLogger957
-}
-
-func TaintStepTest_LogLoggerFatalf_B0I1O0(sourceCQL interface{}) interface{} {
- fromInterface520 := sourceCQL.(interface{})
- var intoLogger443 log.Logger
- intoLogger443.Fatalf("", fromInterface520)
- return intoLogger443
-}
-
-func TaintStepTest_LogLoggerFatalln_B0I0O0(sourceCQL interface{}) interface{} {
- fromInterface127 := sourceCQL.(interface{})
- var intoLogger483 log.Logger
- intoLogger483.Fatalln(fromInterface127)
- return intoLogger483
-}
-
-func TaintStepTest_LogLoggerPanic_B0I0O0(sourceCQL interface{}) interface{} {
- fromInterface989 := sourceCQL.(interface{})
- var intoLogger982 log.Logger
- intoLogger982.Panic(fromInterface989)
- return intoLogger982
-}
-
-func TaintStepTest_LogLoggerPanicf_B0I0O0(sourceCQL interface{}) interface{} {
- fromString417 := sourceCQL.(string)
- var intoLogger584 log.Logger
- intoLogger584.Panicf(fromString417, nil)
- return intoLogger584
-}
-
-func TaintStepTest_LogLoggerPanicf_B0I1O0(sourceCQL interface{}) interface{} {
- fromInterface991 := sourceCQL.(interface{})
- var intoLogger881 log.Logger
- intoLogger881.Panicf("", fromInterface991)
- return intoLogger881
-}
-
-func TaintStepTest_LogLoggerPanicln_B0I0O0(sourceCQL interface{}) interface{} {
- fromInterface186 := sourceCQL.(interface{})
- var intoLogger284 log.Logger
- intoLogger284.Panicln(fromInterface186)
- return intoLogger284
-}
-
 func TaintStepTest_LogLoggerPrint_B0I0O0(sourceCQL interface{}) interface{} {
fromInterface908 := sourceCQL.(interface{})
 var intoLogger137 log.Logger
@@ -125,46 +69,6 @@ func RunAllTaints_Log() {
 out := TaintStepTest_LogNew_B0I0O0(source)
 sink(0, out)
 }
- {
- source := newSource(1)
- out := TaintStepTest_LogLoggerFatal_B0I0O0(source)
- sink(1, out)
- }
- {
- source := newSource(2)
- out := TaintStepTest_LogLoggerFatalf_B0I0O0(source)
- sink(2, out)
- }
- {
- source := newSource(3)
- out := TaintStepTest_LogLoggerFatalf_B0I1O0(source)
- sink(3, out)
- }
- {
- source := newSource(4)
- out := TaintStepTest_LogLoggerFatalln_B0I0O0(source)
- sink(4, out)
- }
- {
- source := newSource(5)
- out := TaintStepTest_LogLoggerPanic_B0I0O0(source)
- sink(5, out)
- }
- {
- source := newSource(6)
- out := TaintStepTest_LogLoggerPanicf_B0I0O0(source)
- sink(6, out)
- }
- {
- source := newSource(7)
- out := TaintStepTest_LogLoggerPanicf_B0I1O0(source)
- sink(7, out)
- }
- {
- source := newSource(8)
- out := TaintStepTest_LogLoggerPanicln_B0I0O0(source)
- sink(8, out)
- }
 {
 source := newSource(9)
 out := TaintStepTest_LogLoggerPrint_B0I0O0(source)
diff --git a/go/ql/test/query-tests/Security/CWE-117/CONSISTENCY/DataFlowConsistency.expected b/go/ql/test/query-tests/Security/CWE-117/CONSISTENCY/DataFlowConsistency.expected
index 2f4d9e320f8..a683e969167 100644
--- a/go/ql/test/query-tests/Security/CWE-117/CONSISTENCY/DataFlowConsistency.expected
+++ b/go/ql/test/query-tests/Security/CWE-117/CONSISTENCY/DataFlowConsistency.expected
@@ -3,9 +3,9 @@ reverseRead
 | LogInjection.go:33:14:33:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
 | LogInjection.go:34:18:34:20 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
 | LogInjection.go:35:14:35:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
-| LogInjection.go:447:14:447:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
-| LogInjection.go:455:14:455:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
-| LogInjection.go:463:14:463:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
-| LogInjection.go:498:14:498:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
-| LogInjection.go:499:14:499:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
-| LogInjection.go:724:12:724:14 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
+| LogInjection.go:551:14:551:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
+| LogInjection.go:559:14:559:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
+| LogInjection.go:567:14:567:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
+| LogInjection.go:602:14:602:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
+| LogInjection.go:603:14:603:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
+| LogInjection.go:828:12:828:14 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
diff --git a/go/ql/test/query-tests/Security/CWE-117/LogInjection.go b/go/ql/test/query-tests/Security/CWE-117/LogInjection.go
index fc9d7179158..fbd3b4a0610 100644
--- a/go/ql/test/query-tests/Security/CWE-117/LogInjection.go
+++ b/go/ql/test/query-tests/Security/CWE-117/LogInjection.go
@@ -49,22 +49,22 @@ func handler(req *http.Request, ctx *goproxy.ProxyCtx) {
 log.Printf(formatString, username, password) // $ hasTaintFlow="formatString" hasTaintFlow="username" hasTaintFlow="password"
 log.Println("user is logged in:", username, password) // $ hasTaintFlow="username" hasTaintFlow="password"
- if testFlag == "true" {
+ if testFlag == "1" {
 log.Fatal("user is logged in:", username, password) // $ hasTaintFlow="username" hasTaintFlow="password"
 }
- if testFlag == "true" {
+ if testFlag == "2" {
 log.Fatalf(formatString, username, password) // $ hasTaintFlow="formatString" hasTaintFlow="username" hasTaintFlow="password"
 }
- if testFlag == "true" {
+ if testFlag == "3" {
 log.Fatalln("user is logged in:", username, password) // $ hasTaintFlow="username" hasTaintFlow="password"
 }
- if testFlag == "true" {
+ if testFlag == "4" {
 log.Panic("user is logged in:", username, password) // $ hasTaintFlow="username" hasTaintFlow="password"
 }
- if testFlag == "true" {
+ if testFlag == "5" {
 log.Panicf(formatString, username, password) // $ hasTaintFlow="formatString" hasTaintFlow="username" hasTaintFlow="password"
 }
- if testFlag == "true" {
+ if testFlag == "6" {
 log.Panicln("user is logged in:", username, password) // $ hasTaintFlow="username" hasTaintFlow="password"
 }
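Review bot: The six guarded `if testFlag == "N"` blocks in this hunk (and the matching ones in the later hunks of this file) carry no comment saying why each call gets its own flag value, so the scheme is easy to break the next time a case is added. Presumably each non-returning call is guarded so the statements after it stay reachable now that log.Fatal*/log.Panic* are modelled as not returning, and the distinct values keep one guard from being treated as already decided by an earlier identical one; if that is right, say so once above the first guard: `// Non-returning log calls are guarded by distinct testFlag values so the code after each one stays reachable.` The numbering is also not contiguous — the klog and glog hunks use 77–90 while the logrus hunk continues at 13 — which suggests they were added after the rest and is worth renumbering or noting in that comment. The enclosing `handler` function starts and ends outside the hunk.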
@@ -72,12 +72,24 @@ func handler(req *http.Request, ctx *goproxy.ProxyCtx) { logger.Print("user is logged in:", username, password) // $ hasTaintFlow="username" hasTaintFlow="password" logger.Printf(formatString, username, password) // $ hasTaintFlow="formatString" hasTaintFlow="username" hasTaintFlow="password" logger.Println("user is logged in:", username, password) // $ hasTaintFlow="username" hasTaintFlow="password" - logger.Fatal("user is logged in:", username, password) // $ hasTaintFlow="username" hasTaintFlow="password" - logger.Fatalf(formatString, username, password) // $ hasTaintFlow="formatString" hasTaintFlow="username" hasTaintFlow="password" - logger.Fatalln("user is logged in:", username, password) // $ hasTaintFlow="username" hasTaintFlow="password" - logger.Panic("user is logged in:", username, password) // $ hasTaintFlow="username" hasTaintFlow="password" - logger.Panicf(formatString, username, password) // $ hasTaintFlow="formatString" hasTaintFlow="username" hasTaintFlow="password" - logger.Panicln("user is logged in:", username, password) // $ hasTaintFlow="username" hasTaintFlow="password" + if testFlag == "7" { + logger.Fatal("user is logged in:", username, password) // $ hasTaintFlow="username" hasTaintFlow="password" + } + if testFlag == "8" { + logger.Fatalf(formatString, username, password) // $ hasTaintFlow="formatString" hasTaintFlow="username" hasTaintFlow="password" + } + if testFlag == "9" { + logger.Fatalln("user is logged in:", username, password) // $ hasTaintFlow="username" hasTaintFlow="password" + } + if testFlag == "10" { + logger.Panic("user is logged in:", username, password) // $ hasTaintFlow="username" hasTaintFlow="password" + } + if testFlag == "11" { + logger.Panicf(formatString, username, password) // $ hasTaintFlow="formatString" hasTaintFlow="username" hasTaintFlow="password" + } + if testFlag == "12" { + logger.Panicln("user is logged in:", username, password) // $ hasTaintFlow="username" hasTaintFlow="password" + 
} } // k8s.io/klog { @@ -91,12 +103,24 @@ func handler(req *http.Request, ctx *goproxy.ProxyCtx) { klog.Error(username) // $ hasTaintFlow="username" klog.Errorf(username) // $ hasTaintFlow="username" klog.Errorln(username) // $ hasTaintFlow="username" - klog.Fatal(username) // $ hasTaintFlow="username" - klog.Fatalf(username) // $ hasTaintFlow="username" - klog.Fatalln(username) // $ hasTaintFlow="username" - klog.Exit(username) // $ hasTaintFlow="username" - klog.Exitf(username) // $ hasTaintFlow="username" - klog.Exitln(username) // $ hasTaintFlow="username" + if testFlag == "77" { + klog.Fatal(username) // $ hasTaintFlow="username" + } + if testFlag == "78" { + klog.Fatalf(username) // $ hasTaintFlow="username" + } + if testFlag == "79" { + klog.Fatalln(username) // $ hasTaintFlow="username" + } + if testFlag == "80" { + klog.Exit(username) // $ hasTaintFlow="username" + } + if testFlag == "81" { + klog.Exitf(username) // $ hasTaintFlow="username" + } + if testFlag == "82" { + klog.Exitln(username) // $ hasTaintFlow="username" + } } // astaxie/beego { 
@@ -161,14 +185,30 @@ func handler(req *http.Request, ctx *goproxy.ProxyCtx) { glog.ErrorDepth(0, username) // $ hasTaintFlow="username" glog.Errorf(username) // $ hasTaintFlow="username" glog.Errorln(username) // $ hasTaintFlow="username" - glog.Fatal(username) // $ hasTaintFlow="username" - glog.FatalDepth(0, username) // $ hasTaintFlow="username" - glog.Fatalf(username) // $ hasTaintFlow="username" - glog.Fatalln(username) // $ hasTaintFlow="username" - glog.Exit(username) // $ hasTaintFlow="username" - glog.ExitDepth(0, username) // $ hasTaintFlow="username" - glog.Exitf(username) // $ hasTaintFlow="username" - glog.Exitln(username) // $ hasTaintFlow="username" + if testFlag == "83" { + glog.Fatal(username) // $ hasTaintFlow="username" + } + if testFlag == "84" { + glog.FatalDepth(0, username) // $ hasTaintFlow="username" + } + if testFlag == "85" { + glog.Fatalf(username) // $ hasTaintFlow="username" + } + if testFlag == "86" { + glog.Fatalln(username) // $ hasTaintFlow="username" + } + if testFlag == "87" { + glog.Exit(username) // $ hasTaintFlow="username" + } + if testFlag == "88" { + glog.ExitDepth(0, username) // $ hasTaintFlow="username" + } + if testFlag == "89" { + glog.Exitf(username) // $ hasTaintFlow="username" + } + if testFlag == "90" { + glog.Exitln(username) // $ hasTaintFlow="username" + } } // sirupsen/logrus 
@@ -179,26 +219,42 @@ func handler(req *http.Request, ctx *goproxy.ProxyCtx) { logger := logrus.New() entry := logrus.NewEntry(logger) - logrus.Debug(username) // $ hasTaintFlow="username" - logrus.Debugf(username, "") // $ hasTaintFlow="username" - logrus.Debugf("", username) // $ hasTaintFlow="username" - logrus.Debugln(username) // $ hasTaintFlow="username" - logrus.Error(username) // $ hasTaintFlow="username" - logrus.Errorf(username, "") // $ hasTaintFlow="username" - logrus.Errorf("", username) // $ hasTaintFlow="username" - logrus.Errorln(username) // $ hasTaintFlow="username" - logrus.Fatal(username) // $ hasTaintFlow="username" - logrus.Fatalf(username, "") // $ hasTaintFlow="username" - logrus.Fatalf("", username) // $ hasTaintFlow="username" - logrus.Fatalln(username) // $ hasTaintFlow="username" - logrus.Info(username) // $ hasTaintFlow="username" - logrus.Infof(username, "") // $ hasTaintFlow="username" - logrus.Infof("", username) // $ hasTaintFlow="username" - logrus.Infoln(username) // $ hasTaintFlow="username" - logrus.Panic(username) // $ hasTaintFlow="username" - logrus.Panicf(username, "") // $ hasTaintFlow="username" - logrus.Panicf("", username) // $ hasTaintFlow="username" - logrus.Panicln(username) // $ hasTaintFlow="username" + logrus.Debug(username) // $ hasTaintFlow="username" + logrus.Debugf(username, "") // $ hasTaintFlow="username" + logrus.Debugf("", username) // $ hasTaintFlow="username" + logrus.Debugln(username) // $ hasTaintFlow="username" + logrus.Error(username) // $ hasTaintFlow="username" + logrus.Errorf(username, "") // $ hasTaintFlow="username" + logrus.Errorf("", username) // $ hasTaintFlow="username" + logrus.Errorln(username) // $ hasTaintFlow="username" + if testFlag == "13" { + logrus.Fatal(username) // $ hasTaintFlow="username" + } + if testFlag == "14" { + logrus.Fatalf(username, "") // $ hasTaintFlow="username" + } + if testFlag == "15" { + logrus.Fatalf("", username) // $ hasTaintFlow="username" + } + if testFlag == 
"16" { + logrus.Fatalln(username) // $ hasTaintFlow="username" + } + logrus.Info(username) // $ hasTaintFlow="username" + logrus.Infof(username, "") // $ hasTaintFlow="username" + logrus.Infof("", username) // $ hasTaintFlow="username" + logrus.Infoln(username) // $ hasTaintFlow="username" + if testFlag == "17" { + logrus.Panic(username) // $ hasTaintFlow="username" + } + if testFlag == "18" { + logrus.Panicf(username, "") // $ hasTaintFlow="username" + } + if testFlag == "19" { + logrus.Panicf("", username) // $ hasTaintFlow="username" + } + if testFlag == "20" { + logrus.Panicln(username) // $ hasTaintFlow="username" + } logrus.Print(username) // $ hasTaintFlow="username" logrus.Printf(username, "") // $ hasTaintFlow="username" logrus.Printf("", username) // $ hasTaintFlow="username" 
@@ -220,30 +276,46 @@ func handler(req *http.Request, ctx *goproxy.ProxyCtx) { logrus.WithField("", username) // $ hasTaintFlow="username" logrus.WithFields(fields) // $ hasTaintFlow="fields" - entry.Debug(username) // $ hasTaintFlow="username" - entry.Debugf(username, "") // $ hasTaintFlow="username" - entry.Debugf("", username) // $ hasTaintFlow="username" - entry.Debugln(username) // $ hasTaintFlow="username" - entry.Error(username) // $ hasTaintFlow="username" - entry.Errorf(username, "") // $ hasTaintFlow="username" - entry.Errorf("", username) // $ hasTaintFlow="username" - entry.Errorln(username) // $ hasTaintFlow="username" - entry.Fatal(username) // $ hasTaintFlow="username" - entry.Fatalf(username, "") // $ hasTaintFlow="username" - entry.Fatalf("", username) // $ hasTaintFlow="username" - entry.Fatalln(username) // $ hasTaintFlow="username" - entry.Info(username) // $ hasTaintFlow="username" - entry.Infof(username, "") // $ hasTaintFlow="username" - entry.Infof("", username) // $ hasTaintFlow="username" - entry.Infoln(username) // $ hasTaintFlow="username" - entry.Log(0, username) // $ hasTaintFlow="username" - entry.Logf(0, username, "") // $ hasTaintFlow="username" - entry.Logf(0, "", username) // $ hasTaintFlow="username" - entry.Logln(0, username) // $ hasTaintFlow="username" - entry.Panic(username) // $ hasTaintFlow="username" - entry.Panicf(username, "") // $ hasTaintFlow="username" - entry.Panicf("", username) // $ hasTaintFlow="username" - entry.Panicln(username) // $ hasTaintFlow="username" + entry.Debug(username) // $ hasTaintFlow="username" + entry.Debugf(username, "") // $ hasTaintFlow="username" + entry.Debugf("", username) // $ hasTaintFlow="username" + entry.Debugln(username) // $ hasTaintFlow="username" + entry.Error(username) // $ hasTaintFlow="username" + entry.Errorf(username, "") // $ hasTaintFlow="username" + entry.Errorf("", username) // $ hasTaintFlow="username" + entry.Errorln(username) // $ hasTaintFlow="username" + if testFlag 
== "21" { + entry.Fatal(username) // $ hasTaintFlow="username" + } + if testFlag == "22" { + entry.Fatalf(username, "") // $ hasTaintFlow="username" + } + if testFlag == "23" { + entry.Fatalf("", username) // $ hasTaintFlow="username" + } + if testFlag == "24" { + entry.Fatalln(username) // $ hasTaintFlow="username" + } + entry.Info(username) // $ hasTaintFlow="username" + entry.Infof(username, "") // $ hasTaintFlow="username" + entry.Infof("", username) // $ hasTaintFlow="username" + entry.Infoln(username) // $ hasTaintFlow="username" + entry.Log(0, username) // $ hasTaintFlow="username" + entry.Logf(0, username, "") // $ hasTaintFlow="username" + entry.Logf(0, "", username) // $ hasTaintFlow="username" + entry.Logln(0, username) // $ hasTaintFlow="username" + if testFlag == "25" { + entry.Panic(username) // $ hasTaintFlow="username" + } + if testFlag == "26" { + entry.Panicf(username, "") // $ hasTaintFlow="username" + } + if testFlag == "27" { + entry.Panicf("", username) // $ hasTaintFlow="username" + } + if testFlag == "28" { + entry.Panicln(username) // $ hasTaintFlow="username" + } entry.Print(username) // $ hasTaintFlow="username" entry.Printf(username, "") // $ hasTaintFlow="username" entry.Printf("", username) // $ hasTaintFlow="username" 
@@ -265,30 +337,46 @@ func handler(req *http.Request, ctx *goproxy.ProxyCtx) { entry.WithField("", username) // $ hasTaintFlow="username" entry.WithFields(fields) // $ hasTaintFlow="fields" - logger.Debug(username) // $ hasTaintFlow="username" - logger.Debugf(username, "") // $ hasTaintFlow="username" - logger.Debugf("", username) // $ hasTaintFlow="username" - logger.Debugln(username) // $ hasTaintFlow="username" - logger.Error(username) // $ hasTaintFlow="username" - logger.Errorf(username, "") // $ hasTaintFlow="username" - logger.Errorf("", username) // $ hasTaintFlow="username" - logger.Errorln(username) // $ hasTaintFlow="username" - logger.Fatal(username) // $ hasTaintFlow="username" - logger.Fatalf(username, "") // $ hasTaintFlow="username" - logger.Fatalf("", username) // $ hasTaintFlow="username" - logger.Fatalln(username) // $ hasTaintFlow="username" - logger.Info(username) // $ hasTaintFlow="username" - logger.Infof(username, "") // $ hasTaintFlow="username" - logger.Infof("", username) // $ hasTaintFlow="username" - logger.Infoln(username) // $ hasTaintFlow="username" - logger.Log(0, username) // $ hasTaintFlow="username" - logger.Logf(0, username, "") // $ hasTaintFlow="username" - logger.Logf(0, "", username) // $ hasTaintFlow="username" - logger.Logln(0, username) // $ hasTaintFlow="username" - logger.Panic(username) // $ hasTaintFlow="username" - logger.Panicf(username, "") // $ hasTaintFlow="username" - logger.Panicf("", username) // $ hasTaintFlow="username" - logger.Panicln(username) // $ hasTaintFlow="username" + logger.Debug(username) // $ hasTaintFlow="username" + logger.Debugf(username, "") // $ hasTaintFlow="username" + logger.Debugf("", username) // $ hasTaintFlow="username" + logger.Debugln(username) // $ hasTaintFlow="username" + logger.Error(username) // $ hasTaintFlow="username" + logger.Errorf(username, "") // $ hasTaintFlow="username" + logger.Errorf("", username) // $ hasTaintFlow="username" + logger.Errorln(username) // $ 
hasTaintFlow="username" + if testFlag == "29" { + logger.Fatal(username) // $ hasTaintFlow="username" + } + if testFlag == "30" { + logger.Fatalf(username, "") // $ hasTaintFlow="username" + } + if testFlag == "31" { + logger.Fatalf("", username) // $ hasTaintFlow="username" + } + if testFlag == "32" { + logger.Fatalln(username) // $ hasTaintFlow="username" + } + logger.Info(username) // $ hasTaintFlow="username" + logger.Infof(username, "") // $ hasTaintFlow="username" + logger.Infof("", username) // $ hasTaintFlow="username" + logger.Infoln(username) // $ hasTaintFlow="username" + logger.Log(0, username) // $ hasTaintFlow="username" + logger.Logf(0, username, "") // $ hasTaintFlow="username" + logger.Logf(0, "", username) // $ hasTaintFlow="username" + logger.Logln(0, username) // $ hasTaintFlow="username" + if testFlag == "33" { + logger.Panic(username) // $ hasTaintFlow="username" + } + if testFlag == "34" { + logger.Panicf(username, "") // $ hasTaintFlow="username" + } + if testFlag == "35" { + logger.Panicf("", username) // $ hasTaintFlow="username" + } + if testFlag == "36" { + logger.Panicln(username) // $ hasTaintFlow="username" + } logger.Print(username) // $ hasTaintFlow="username" logger.Printf(username, "") // $ hasTaintFlow="username" logger.Printf("", username) // $ hasTaintFlow="username" 
@@ -311,26 +399,42 @@ func handler(req *http.Request, ctx *goproxy.ProxyCtx) { logger.WithFields(fields) // $ hasTaintFlow="fields" var fieldlogger logrus.FieldLogger = entry - fieldlogger.Debug(username) // $ hasTaintFlow="username" - fieldlogger.Debugf(username, "") // $ hasTaintFlow="username" - fieldlogger.Debugf("", username) // $ hasTaintFlow="username" - fieldlogger.Debugln(username) // $ hasTaintFlow="username" - fieldlogger.Error(username) // $ hasTaintFlow="username" - fieldlogger.Errorf(username, "") // $ hasTaintFlow="username" - fieldlogger.Errorf("", username) // $ hasTaintFlow="username" - fieldlogger.Errorln(username) // $ hasTaintFlow="username" - fieldlogger.Fatal(username) // $ hasTaintFlow="username" - fieldlogger.Fatalf(username, "") // $ hasTaintFlow="username" - fieldlogger.Fatalf("", username) // $ hasTaintFlow="username" - fieldlogger.Fatalln(username) // $ hasTaintFlow="username" - fieldlogger.Info(username) // $ hasTaintFlow="username" - fieldlogger.Infof(username, "") // $ hasTaintFlow="username" - fieldlogger.Infof("", username) // $ hasTaintFlow="username" - fieldlogger.Infoln(username) // $ hasTaintFlow="username" - fieldlogger.Panic(username) // $ hasTaintFlow="username" - fieldlogger.Panicf(username, "") // $ hasTaintFlow="username" - fieldlogger.Panicf("", username) // $ hasTaintFlow="username" - fieldlogger.Panicln(username) // $ hasTaintFlow="username" + fieldlogger.Debug(username) // $ hasTaintFlow="username" + fieldlogger.Debugf(username, "") // $ hasTaintFlow="username" + fieldlogger.Debugf("", username) // $ hasTaintFlow="username" + fieldlogger.Debugln(username) // $ hasTaintFlow="username" + fieldlogger.Error(username) // $ hasTaintFlow="username" + fieldlogger.Errorf(username, "") // $ hasTaintFlow="username" + fieldlogger.Errorf("", username) // $ hasTaintFlow="username" + fieldlogger.Errorln(username) // $ hasTaintFlow="username" + if testFlag == "37" { + fieldlogger.Fatal(username) // $ hasTaintFlow="username" + } + if 
testFlag == "38" { + fieldlogger.Fatalf(username, "") // $ hasTaintFlow="username" + } + if testFlag == "39" { + fieldlogger.Fatalf("", username) // $ hasTaintFlow="username" + } + if testFlag == "40" { + fieldlogger.Fatalln(username) // $ hasTaintFlow="username" + } + fieldlogger.Info(username) // $ hasTaintFlow="username" + fieldlogger.Infof(username, "") // $ hasTaintFlow="username" + fieldlogger.Infof("", username) // $ hasTaintFlow="username" + fieldlogger.Infoln(username) // $ hasTaintFlow="username" + if testFlag == "41" { + fieldlogger.Panic(username) // $ hasTaintFlow="username" + } + if testFlag == "42" { + fieldlogger.Panicf(username, "") // $ hasTaintFlow="username" + } + if testFlag == "43" { + fieldlogger.Panicf("", username) // $ hasTaintFlow="username" + } + if testFlag == "44" { + fieldlogger.Panicln(username) // $ hasTaintFlow="username" + } fieldlogger.Print(username) // $ hasTaintFlow="username" fieldlogger.Printf(username, "") // $ hasTaintFlow="username" fieldlogger.Printf("", username) // $ hasTaintFlow="username" @@ -366,11 +470,11 @@ func handler(req *http.Request, ctx *goproxy.ProxyCtx) { logger.DPanic(username) // $ hasTaintFlow="username" logger.Debug(username) // $ hasTaintFlow="username" logger.Error(username) // $ hasTaintFlow="username" - if testFlag == " true" { + if testFlag == "45" { logger.Fatal(username) // $ hasTaintFlow="username" } logger.Info(username) // $ hasTaintFlow="username" - if testFlag == " true" { + if testFlag == "46" { logger.Panic(username) // $ hasTaintFlow="username" } logger.Warn(username) // $ hasTaintFlow="username" 
@@ -382,33 +486,33 @@ func handler(req *http.Request, ctx *goproxy.ProxyCtx) { sLogger.DPanic(username) // $ hasTaintFlow="username" sLogger.Debug(username) // $ hasTaintFlow="username" sLogger.Error(username) // $ hasTaintFlow="username" - if testFlag == " true" { + if testFlag == "47" { sLogger.Fatal(username) // $ hasTaintFlow="username" } sLogger.Info(username) // $ hasTaintFlow="username" - if testFlag == " true" { + if testFlag == "48" { sLogger.Panic(username) // $ hasTaintFlow="username" } sLogger.Warn(username) // $ hasTaintFlow="username" sLogger.DPanicf(username) // $ hasTaintFlow="username" sLogger.Debugf(username) // $ hasTaintFlow="username" sLogger.Errorf(username) // $ hasTaintFlow="username" - if testFlag == " true" { + if testFlag == "49" { sLogger.Fatalf(username) // $ hasTaintFlow="username" } sLogger.Infof(username) // $ hasTaintFlow="username" - if testFlag == " true" { + if testFlag == "50" { sLogger.Panicf(username) // $ hasTaintFlow="username" } sLogger.Warnf(username) // $ hasTaintFlow="username" sLogger.DPanicw(username) // $ hasTaintFlow="username" sLogger.Debugw(username) // $ hasTaintFlow="username" sLogger.Errorw(username) // $ hasTaintFlow="username" - if testFlag == " true" { + if testFlag == "51" { sLogger.Fatalw(username) // $ hasTaintFlow="username" } sLogger.Infow(username) // $ hasTaintFlow="username" - if testFlag == " true" { + if testFlag == "52" { sLogger.Panicw(username) // $ hasTaintFlow="username" } sLogger.Warnw(username) // $ hasTaintFlow="username" @@ -515,10 +619,10 @@ func handlerGood4(req *http.Request, ctx *goproxy.ProxyCtx) { verbose.Infof("user %q logged in.\n", username) klog.Infof("user %q logged in.\n", username) klog.Errorf("user %q logged in.\n", username) - if testFlag == " true" { + if testFlag == "53" { klog.Fatalf("user %q logged in.\n", username) } - if testFlag == " true" { + if testFlag == "54" { klog.Exitf("user %q logged in.\n", username) } } 
@@ -534,10 +638,10 @@ func handlerGood4(req *http.Request, ctx *goproxy.ProxyCtx) { glog.Infof("user %q logged in.\n", username) glog.Errorf("user %q logged in.\n", username) - if testFlag == " true" { + if testFlag == "55" { glog.Fatalf("user %q logged in.\n", username) } - if testFlag == " true" { + if testFlag == "56" { glog.Exitf("user %q logged in.\n", username) } } @@ -545,11 +649,11 @@ func handlerGood4(req *http.Request, ctx *goproxy.ProxyCtx) { { logrus.Debugf("user %q logged in.\n", username) logrus.Errorf("user %q logged in.\n", username) - if testFlag == " true" { + if testFlag == "57" { logrus.Fatalf("user %q logged in.\n", username) } logrus.Infof("user %q logged in.\n", username) - if testFlag == " true" { + if testFlag == "58" { logrus.Panicf("user %q logged in.\n", username) } logrus.Printf("user %q logged in.\n", username) @@ -561,12 +665,12 @@ func handlerGood4(req *http.Request, ctx *goproxy.ProxyCtx) { entry := logrus.WithFields(fields) entry.Debugf("user %q logged in.\n", username) entry.Errorf("user %q logged in.\n", username) - if testFlag == " true" { + if testFlag == "59" { entry.Fatalf("user %q logged in.\n", username) } entry.Infof("user %q logged in.\n", username) entry.Logf(0, "user %q logged in.\n", username) - if testFlag == " true" { + if testFlag == "60" { entry.Panicf("user %q logged in.\n", username) } entry.Printf("user %q logged in.\n", username) @@ -577,12 +681,12 @@ func handlerGood4(req *http.Request, ctx *goproxy.ProxyCtx) { logger := entry.Logger logger.Debugf("user %q logged in.\n", username) logger.Errorf("user %q logged in.\n", username) - if testFlag == " true" { + if testFlag == "61" { logger.Fatalf("user %q logged in.\n", username) } logger.Infof("user %q logged in.\n", username) logger.Logf(0, "user %q logged in.\n", username) - if testFlag == " true" { + if testFlag == "62" { logger.Panicf("user %q logged in.\n", username) } logger.Printf("user %q logged in.\n", username) 
@@ -603,11 +707,11 @@ func handlerGood4(req *http.Request, ctx *goproxy.ProxyCtx) { sLogger.DPanicf("user %q logged in.\n", username) sLogger.Debugf("user %q logged in.\n", username) sLogger.Errorf("user %q logged in.\n", username) - if testFlag == " true" { + if testFlag == "63" { sLogger.Fatalf("user %q logged in.\n", username) } sLogger.Infof("user %q logged in.\n", username) - if testFlag == " true" { + if testFlag == "64" { sLogger.Panicf("user %q logged in.\n", username) } sLogger.Warnf("user %q logged in.\n", username) @@ -620,10 +724,10 @@ func handlerGood4(req *http.Request, ctx *goproxy.ProxyCtx) { verbose.Infof("user %#q logged in.\n", username) // $ hasTaintFlow="username" klog.Infof("user %#q logged in.\n", username) // $ hasTaintFlow="username" klog.Errorf("user %#q logged in.\n", username) // $ hasTaintFlow="username" - if testFlag == " true" { + if testFlag == "65" { klog.Fatalf("user %#q logged in.\n", username) // $ hasTaintFlow="username" } - if testFlag == " true" { + if testFlag == "66" { klog.Exitf("user %#q logged in.\n", username) // $ hasTaintFlow="username" } } @@ -639,10 +743,10 @@ func handlerGood4(req *http.Request, ctx *goproxy.ProxyCtx) { glog.Infof("user %#q logged in.\n", username) // $ hasTaintFlow="username" glog.Errorf("user %#q logged in.\n", username) // $ hasTaintFlow="username" - if testFlag == " true" { + if testFlag == "67" { glog.Fatalf("user %#q logged in.\n", username) // $ hasTaintFlow="username" } - if testFlag == " true" { + if testFlag == "68" { glog.Exitf("user %#q logged in.\n", username) // $ hasTaintFlow="username" } } 
@@ -650,11 +754,11 @@ func handlerGood4(req *http.Request, ctx *goproxy.ProxyCtx) { { logrus.Debugf("user %#q logged in.\n", username) // $ hasTaintFlow="username" logrus.Errorf("user %#q logged in.\n", username) // $ hasTaintFlow="username" - if testFlag == " true" { + if testFlag == "69" { logrus.Fatalf("user %#q logged in.\n", username) // $ hasTaintFlow="username" } logrus.Infof("user %#q logged in.\n", username) // $ hasTaintFlow="username" - if testFlag == " true" { + if testFlag == "70" { logrus.Panicf("user %#q logged in.\n", username) // $ hasTaintFlow="username" } logrus.Printf("user %#q logged in.\n", username) // $ hasTaintFlow="username" @@ -666,12 +770,12 @@ func handlerGood4(req *http.Request, ctx *goproxy.ProxyCtx) { entry := logrus.WithFields(fields) entry.Debugf("user %#q logged in.\n", username) // $ hasTaintFlow="username" entry.Errorf("user %#q logged in.\n", username) // $ hasTaintFlow="username" - if testFlag == " true" { + if testFlag == "71" { entry.Fatalf("user %#q logged in.\n", username) // $ hasTaintFlow="username" } entry.Infof("user %#q logged in.\n", username) // $ hasTaintFlow="username" entry.Logf(0, "user %#q logged in.\n", username) // $ hasTaintFlow="username" - if testFlag == " true" { + if testFlag == "72" { entry.Panicf("user %#q logged in.\n", username) // $ hasTaintFlow="username" } entry.Printf("user %#q logged in.\n", username) // $ hasTaintFlow="username" 
@@ -682,12 +786,12 @@ func handlerGood4(req *http.Request, ctx *goproxy.ProxyCtx) { logger := entry.Logger logger.Debugf("user %#q logged in.\n", username) // $ hasTaintFlow="username" logger.Errorf("user %#q logged in.\n", username) // $ hasTaintFlow="username" - if testFlag == " true" { + if testFlag == "73" { logger.Fatalf("user %#q logged in.\n", username) // $ hasTaintFlow="username" } logger.Infof("user %#q logged in.\n", username) // $ hasTaintFlow="username" logger.Logf(0, "user %#q logged in.\n", username) // $ hasTaintFlow="username" - if testFlag == " true" { + if testFlag == "74" { logger.Panicf("user %#q logged in.\n", username) // $ hasTaintFlow="username" } logger.Printf("user %#q logged in.\n", username) // $ hasTaintFlow="username" @@ -708,11 +812,11 @@ func handlerGood4(req *http.Request, ctx *goproxy.ProxyCtx) { sLogger.DPanicf("user %#q logged in.\n", username) // $ hasTaintFlow="username" sLogger.Debugf("user %#q logged in.\n", username) // $ hasTaintFlow="username" sLogger.Errorf("user %#q logged in.\n", username) // $ hasTaintFlow="username" - if testFlag == " true" { + if testFlag == "75" { sLogger.Fatalf("user %#q logged in.\n", username) // $ hasTaintFlow="username" } sLogger.Infof("user %#q logged in.\n", username) // $ hasTaintFlow="username" - if testFlag == " true" { + if testFlag == "76" { sLogger.Panicf("user %#q logged in.\n", username) // $ hasTaintFlow="username" } sLogger.Warnf("user %#q logged in.\n", username) // $ hasTaintFlow="username" diff --git a/go/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected b/go/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected index f748c7a7773..66392b22752 100644 --- a/go/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected +++ b/go/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected 
@@ -37,22 +37,22 @@ | passwords.go:26:14:26:23 | selection of password | passwords.go:26:14:26:23 | selection of password | passwords.go:26:14:26:23 | selection of password | $@ flows to a logging call. | passwords.go:26:14:26:23 | selection of password | Sensitive data returned by an access to password | | passwords.go:27:14:27:26 | call to getPassword | passwords.go:27:14:27:26 | call to getPassword | passwords.go:27:14:27:26 | call to getPassword | $@ flows to a logging call. | passwords.go:27:14:27:26 | call to getPassword | Sensitive data returned by a call to getPassword | | passwords.go:28:14:28:28 | call to getPassword | passwords.go:28:14:28:28 | call to getPassword | passwords.go:28:14:28:28 | call to getPassword | $@ flows to a logging call. | passwords.go:28:14:28:28 | call to getPassword | Sensitive data returned by a call to getPassword | -| passwords.go:32:12:32:19 | password | passwords.go:21:2:21:9 | definition of password | passwords.go:32:12:32:19 | password | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password | -| passwords.go:34:14:34:35 | ...+... | passwords.go:21:2:21:9 | definition of password | passwords.go:34:14:34:35 | ...+... | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password | -| passwords.go:39:14:39:17 | obj1 | passwords.go:37:13:37:13 | x | passwords.go:39:14:39:17 | obj1 | $@ flows to a logging call. | passwords.go:37:13:37:13 | x | Sensitive data returned by an access to password | -| passwords.go:44:14:44:17 | obj2 | passwords.go:21:2:21:9 | definition of password | passwords.go:44:14:44:17 | obj2 | $@ flows to a logging call. 
| passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password | -| passwords.go:51:14:51:27 | fixed_password | passwords.go:50:2:50:15 | definition of fixed_password | passwords.go:51:14:51:27 | fixed_password | $@ flows to a logging call. | passwords.go:50:2:50:15 | definition of fixed_password | Sensitive data returned by an access to fixed_password | -| passwords.go:89:14:89:26 | utilityObject | passwords.go:87:16:87:36 | call to make | passwords.go:89:14:89:26 | utilityObject | $@ flows to a logging call. | passwords.go:87:16:87:36 | call to make | Sensitive data returned by an access to passwordSet | -| passwords.go:92:23:92:28 | secret | passwords.go:21:2:21:9 | definition of password | passwords.go:92:23:92:28 | secret | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password | -| passwords.go:102:15:102:40 | ...+... | passwords.go:21:2:21:9 | definition of password | passwords.go:102:15:102:40 | ...+... | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password | -| passwords.go:108:16:108:41 | ...+... | passwords.go:21:2:21:9 | definition of password | passwords.go:108:16:108:41 | ...+... | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password | -| passwords.go:113:15:113:40 | ...+... | passwords.go:21:2:21:9 | definition of password | passwords.go:113:15:113:40 | ...+... | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password | -| passwords.go:117:14:117:45 | ...+... | passwords.go:116:6:116:14 | definition of password1 | passwords.go:117:14:117:45 | ...+... | $@ flows to a logging call. 
| passwords.go:116:6:116:14 | definition of password1 | Sensitive data returned by an access to password1 | -| passwords.go:127:14:127:19 | config | passwords.go:21:2:21:9 | definition of password | passwords.go:127:14:127:19 | config | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password | -| passwords.go:127:14:127:19 | config | passwords.go:121:13:121:14 | x3 | passwords.go:127:14:127:19 | config | $@ flows to a logging call. | passwords.go:121:13:121:14 | x3 | Sensitive data returned by an access to password | -| passwords.go:127:14:127:19 | config | passwords.go:124:13:124:25 | call to getPassword | passwords.go:127:14:127:19 | config | $@ flows to a logging call. | passwords.go:124:13:124:25 | call to getPassword | Sensitive data returned by a call to getPassword | -| passwords.go:128:14:128:21 | selection of x | passwords.go:21:2:21:9 | definition of password | passwords.go:128:14:128:21 | selection of x | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password | -| passwords.go:129:14:129:21 | selection of y | passwords.go:124:13:124:25 | call to getPassword | passwords.go:129:14:129:21 | selection of y | $@ flows to a logging call. | passwords.go:124:13:124:25 | call to getPassword | Sensitive data returned by a call to getPassword | +| passwords.go:33:13:33:20 | password | passwords.go:21:2:21:9 | definition of password | passwords.go:33:13:33:20 | password | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password | +| passwords.go:36:14:36:35 | ...+... | passwords.go:21:2:21:9 | definition of password | passwords.go:36:14:36:35 | ...+... | $@ flows to a logging call. 
| passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password | +| passwords.go:41:14:41:17 | obj1 | passwords.go:39:13:39:13 | x | passwords.go:41:14:41:17 | obj1 | $@ flows to a logging call. | passwords.go:39:13:39:13 | x | Sensitive data returned by an access to password | +| passwords.go:46:14:46:17 | obj2 | passwords.go:21:2:21:9 | definition of password | passwords.go:46:14:46:17 | obj2 | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password | +| passwords.go:53:14:53:27 | fixed_password | passwords.go:52:2:52:15 | definition of fixed_password | passwords.go:53:14:53:27 | fixed_password | $@ flows to a logging call. | passwords.go:52:2:52:15 | definition of fixed_password | Sensitive data returned by an access to fixed_password | +| passwords.go:91:14:91:26 | utilityObject | passwords.go:89:16:89:36 | call to make | passwords.go:91:14:91:26 | utilityObject | $@ flows to a logging call. | passwords.go:89:16:89:36 | call to make | Sensitive data returned by an access to passwordSet | +| passwords.go:94:23:94:28 | secret | passwords.go:21:2:21:9 | definition of password | passwords.go:94:23:94:28 | secret | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password | +| passwords.go:104:15:104:40 | ...+... | passwords.go:21:2:21:9 | definition of password | passwords.go:104:15:104:40 | ...+... | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password | +| passwords.go:110:16:110:41 | ...+... | passwords.go:21:2:21:9 | definition of password | passwords.go:110:16:110:41 | ...+... | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password | +| passwords.go:115:15:115:40 | ...+... 
| passwords.go:21:2:21:9 | definition of password | passwords.go:115:15:115:40 | ...+... | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password | +| passwords.go:119:14:119:45 | ...+... | passwords.go:118:6:118:14 | definition of password1 | passwords.go:119:14:119:45 | ...+... | $@ flows to a logging call. | passwords.go:118:6:118:14 | definition of password1 | Sensitive data returned by an access to password1 | +| passwords.go:129:14:129:19 | config | passwords.go:21:2:21:9 | definition of password | passwords.go:129:14:129:19 | config | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password | +| passwords.go:129:14:129:19 | config | passwords.go:123:13:123:14 | x3 | passwords.go:129:14:129:19 | config | $@ flows to a logging call. | passwords.go:123:13:123:14 | x3 | Sensitive data returned by an access to password | +| passwords.go:129:14:129:19 | config | passwords.go:126:13:126:25 | call to getPassword | passwords.go:129:14:129:19 | config | $@ flows to a logging call. | passwords.go:126:13:126:25 | call to getPassword | Sensitive data returned by a call to getPassword | +| passwords.go:130:14:130:21 | selection of x | passwords.go:21:2:21:9 | definition of password | passwords.go:130:14:130:21 | selection of x | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password | +| passwords.go:131:14:131:21 | selection of y | passwords.go:126:13:126:25 | call to getPassword | passwords.go:131:14:131:21 | selection of y | $@ flows to a logging call. | passwords.go:126:13:126:25 | call to getPassword | Sensitive data returned by a call to getPassword | | protobuf.go:14:14:14:35 | call to GetDescription | protobuf.go:9:2:9:9 | definition of password | protobuf.go:14:14:14:35 | call to GetDescription | $@ flows to a logging call. 
| protobuf.go:9:2:9:9 | definition of password | Sensitive data returned by an access to password | edges | klog.go:21:3:26:3 | range statement[1] | klog.go:22:27:22:33 | headers | provenance | | 
@@ -82,95 +82,15 @@ edges | main.go:53:11:53:18 | password | main.go:54:12:54:19 | password | provenance | | | main.go:53:11:53:18 | password | main.go:54:12:54:19 | password | provenance | | | main.go:54:12:54:19 | password | main.go:56:11:56:18 | password | provenance | | -| main.go:54:12:54:19 | password | main.go:56:11:56:18 | password | provenance | | | main.go:54:12:54:19 | password | main.go:59:18:59:25 | password | provenance | | -| main.go:54:12:54:19 | password | main.go:59:18:59:25 | password | provenance | | -| main.go:54:12:54:19 | password | main.go:62:12:62:19 | password | provenance | | | main.go:54:12:54:19 | password | main.go:62:12:62:19 | password | provenance | Sink:MaD:7 | | main.go:54:12:54:19 | password | main.go:65:13:65:20 | password | provenance | | -| main.go:54:12:54:19 | password | main.go:65:13:65:20 | password | provenance | | -| main.go:54:12:54:19 | password | main.go:68:11:68:18 | password | provenance | | | main.go:54:12:54:19 | password | main.go:68:11:68:18 | password | provenance | | | main.go:54:12:54:19 | password | main.go:71:18:71:25 | password | provenance | | -| main.go:54:12:54:19 | password | main.go:71:18:71:25 | password | provenance | | -| main.go:54:12:54:19 | password | main.go:74:12:74:19 | password | provenance | | | main.go:54:12:54:19 | password | main.go:74:12:74:19 | password | provenance | Sink:MaD:9 | | main.go:54:12:54:19 | password | main.go:77:13:77:20 | password | provenance | | -| main.go:54:12:54:19 | password | main.go:77:13:77:20 | password | provenance | | | main.go:54:12:54:19 | password | main.go:79:14:79:21 | password | provenance | Sink:MaD:8 | | main.go:54:12:54:19 | password | main.go:80:17:80:24 | password | provenance | | -| main.go:56:11:56:18 | password | main.go:59:18:59:25 | password | provenance | | -| main.go:56:11:56:18 | password | main.go:59:18:59:25 | password | provenance | | -| main.go:56:11:56:18 | password | main.go:62:12:62:19 | password | provenance | | -| 
main.go:56:11:56:18 | password | main.go:62:12:62:19 | password | provenance | Sink:MaD:7 | -| main.go:56:11:56:18 | password | main.go:65:13:65:20 | password | provenance | | -| main.go:56:11:56:18 | password | main.go:65:13:65:20 | password | provenance | | -| main.go:56:11:56:18 | password | main.go:68:11:68:18 | password | provenance | | -| main.go:56:11:56:18 | password | main.go:68:11:68:18 | password | provenance | | -| main.go:56:11:56:18 | password | main.go:71:18:71:25 | password | provenance | | -| main.go:56:11:56:18 | password | main.go:71:18:71:25 | password | provenance | | -| main.go:56:11:56:18 | password | main.go:74:12:74:19 | password | provenance | | -| main.go:56:11:56:18 | password | main.go:74:12:74:19 | password | provenance | Sink:MaD:9 | -| main.go:56:11:56:18 | password | main.go:77:13:77:20 | password | provenance | | -| main.go:56:11:56:18 | password | main.go:77:13:77:20 | password | provenance | | -| main.go:56:11:56:18 | password | main.go:79:14:79:21 | password | provenance | Sink:MaD:8 | -| main.go:56:11:56:18 | password | main.go:80:17:80:24 | password | provenance | | -| main.go:59:18:59:25 | password | main.go:62:12:62:19 | password | provenance | | -| main.go:59:18:59:25 | password | main.go:62:12:62:19 | password | provenance | Sink:MaD:7 | -| main.go:59:18:59:25 | password | main.go:65:13:65:20 | password | provenance | | -| main.go:59:18:59:25 | password | main.go:65:13:65:20 | password | provenance | | -| main.go:59:18:59:25 | password | main.go:68:11:68:18 | password | provenance | | -| main.go:59:18:59:25 | password | main.go:68:11:68:18 | password | provenance | | -| main.go:59:18:59:25 | password | main.go:71:18:71:25 | password | provenance | | -| main.go:59:18:59:25 | password | main.go:71:18:71:25 | password | provenance | | -| main.go:59:18:59:25 | password | main.go:74:12:74:19 | password | provenance | | -| main.go:59:18:59:25 | password | main.go:74:12:74:19 | password | provenance | Sink:MaD:9 | -| 
main.go:59:18:59:25 | password | main.go:77:13:77:20 | password | provenance | | -| main.go:59:18:59:25 | password | main.go:77:13:77:20 | password | provenance | | -| main.go:59:18:59:25 | password | main.go:79:14:79:21 | password | provenance | Sink:MaD:8 | -| main.go:59:18:59:25 | password | main.go:80:17:80:24 | password | provenance | | -| main.go:62:12:62:19 | password | main.go:65:13:65:20 | password | provenance | | -| main.go:62:12:62:19 | password | main.go:65:13:65:20 | password | provenance | | -| main.go:62:12:62:19 | password | main.go:68:11:68:18 | password | provenance | | -| main.go:62:12:62:19 | password | main.go:68:11:68:18 | password | provenance | | -| main.go:62:12:62:19 | password | main.go:71:18:71:25 | password | provenance | | -| main.go:62:12:62:19 | password | main.go:71:18:71:25 | password | provenance | | -| main.go:62:12:62:19 | password | main.go:74:12:74:19 | password | provenance | | -| main.go:62:12:62:19 | password | main.go:74:12:74:19 | password | provenance | Sink:MaD:9 | -| main.go:62:12:62:19 | password | main.go:77:13:77:20 | password | provenance | | -| main.go:62:12:62:19 | password | main.go:77:13:77:20 | password | provenance | | -| main.go:62:12:62:19 | password | main.go:79:14:79:21 | password | provenance | Sink:MaD:8 | -| main.go:62:12:62:19 | password | main.go:80:17:80:24 | password | provenance | | -| main.go:65:13:65:20 | password | main.go:68:11:68:18 | password | provenance | | -| main.go:65:13:65:20 | password | main.go:68:11:68:18 | password | provenance | | -| main.go:65:13:65:20 | password | main.go:71:18:71:25 | password | provenance | | -| main.go:65:13:65:20 | password | main.go:71:18:71:25 | password | provenance | | -| main.go:65:13:65:20 | password | main.go:74:12:74:19 | password | provenance | | -| main.go:65:13:65:20 | password | main.go:74:12:74:19 | password | provenance | Sink:MaD:9 | -| main.go:65:13:65:20 | password | main.go:77:13:77:20 | password | provenance | | -| main.go:65:13:65:20 | 
password | main.go:77:13:77:20 | password | provenance | | -| main.go:65:13:65:20 | password | main.go:79:14:79:21 | password | provenance | Sink:MaD:8 | -| main.go:65:13:65:20 | password | main.go:80:17:80:24 | password | provenance | | -| main.go:68:11:68:18 | password | main.go:71:18:71:25 | password | provenance | | -| main.go:68:11:68:18 | password | main.go:71:18:71:25 | password | provenance | | -| main.go:68:11:68:18 | password | main.go:74:12:74:19 | password | provenance | | -| main.go:68:11:68:18 | password | main.go:74:12:74:19 | password | provenance | Sink:MaD:9 | -| main.go:68:11:68:18 | password | main.go:77:13:77:20 | password | provenance | | -| main.go:68:11:68:18 | password | main.go:77:13:77:20 | password | provenance | | -| main.go:68:11:68:18 | password | main.go:79:14:79:21 | password | provenance | Sink:MaD:8 | -| main.go:68:11:68:18 | password | main.go:80:17:80:24 | password | provenance | | -| main.go:71:18:71:25 | password | main.go:74:12:74:19 | password | provenance | | -| main.go:71:18:71:25 | password | main.go:74:12:74:19 | password | provenance | Sink:MaD:9 | -| main.go:71:18:71:25 | password | main.go:77:13:77:20 | password | provenance | | -| main.go:71:18:71:25 | password | main.go:77:13:77:20 | password | provenance | | -| main.go:71:18:71:25 | password | main.go:79:14:79:21 | password | provenance | Sink:MaD:8 | -| main.go:71:18:71:25 | password | main.go:80:17:80:24 | password | provenance | | -| main.go:74:12:74:19 | password | main.go:77:13:77:20 | password | provenance | | -| main.go:74:12:74:19 | password | main.go:77:13:77:20 | password | provenance | | -| main.go:74:12:74:19 | password | main.go:79:14:79:21 | password | provenance | Sink:MaD:8 | -| main.go:74:12:74:19 | password | main.go:80:17:80:24 | password | provenance | | -| main.go:77:13:77:20 | password | main.go:79:14:79:21 | password | provenance | Sink:MaD:8 | -| main.go:77:13:77:20 | password | main.go:80:17:80:24 | password | provenance | | | 
main.go:80:17:80:24 | password | main.go:82:12:82:19 | password | provenance | | | main.go:80:17:80:24 | password | main.go:83:17:83:24 | password | provenance | | | main.go:80:17:80:24 | password | main.go:86:19:86:26 | password | provenance | | 
@@ -182,46 +102,46 @@ edges | passwords.go:8:12:8:12 | definition of x | passwords.go:9:14:9:14 | x | provenance | | | passwords.go:21:2:21:9 | definition of password | passwords.go:25:14:25:21 | password | provenance | | | passwords.go:21:2:21:9 | definition of password | passwords.go:30:8:30:15 | password | provenance | | -| passwords.go:21:2:21:9 | definition of password | passwords.go:32:12:32:19 | password | provenance | | -| passwords.go:21:2:21:9 | definition of password | passwords.go:34:28:34:35 | password | provenance | | +| passwords.go:21:2:21:9 | definition of password | passwords.go:33:13:33:20 | password | provenance | | +| passwords.go:21:2:21:9 | definition of password | passwords.go:36:28:36:35 | password | provenance | | | passwords.go:30:8:30:15 | password | passwords.go:8:12:8:12 | definition of x | provenance | | -| passwords.go:34:28:34:35 | password | passwords.go:34:14:34:35 | ...+... | provenance | Config | -| passwords.go:34:28:34:35 | password | passwords.go:42:6:42:13 | password | provenance | | -| passwords.go:36:10:38:2 | struct literal | passwords.go:39:14:39:17 | obj1 | provenance | | -| passwords.go:37:13:37:13 | x | passwords.go:36:10:38:2 | struct literal | provenance | Config | -| passwords.go:41:10:43:2 | struct literal | passwords.go:44:14:44:17 | obj2 | provenance | | -| passwords.go:42:6:42:13 | password | passwords.go:41:10:43:2 | struct literal | provenance | Config | -| passwords.go:42:6:42:13 | password | passwords.go:48:11:48:18 | password | provenance | | -| passwords.go:48:11:48:18 | password | passwords.go:92:23:92:28 | secret | provenance | | -| passwords.go:48:11:48:18 | password | passwords.go:102:33:102:40 | password | provenance | | -| passwords.go:48:11:48:18 | password | passwords.go:108:34:108:41 | password | provenance | | -| passwords.go:48:11:48:18 | password | passwords.go:113:33:113:40 | password | provenance | | -| passwords.go:48:11:48:18 | password | passwords.go:123:13:123:20 | password | provenance 
| | -| passwords.go:50:2:50:15 | definition of fixed_password | passwords.go:51:14:51:27 | fixed_password | provenance | | -| passwords.go:86:19:88:2 | struct literal | passwords.go:89:14:89:26 | utilityObject | provenance | | -| passwords.go:87:16:87:36 | call to make | passwords.go:86:19:88:2 | struct literal | provenance | Config | -| passwords.go:102:33:102:40 | password | passwords.go:102:15:102:40 | ...+... | provenance | Config | -| passwords.go:102:33:102:40 | password | passwords.go:108:34:108:41 | password | provenance | | -| passwords.go:102:33:102:40 | password | passwords.go:113:33:113:40 | password | provenance | | -| passwords.go:102:33:102:40 | password | passwords.go:123:13:123:20 | password | provenance | | -| passwords.go:108:34:108:41 | password | passwords.go:108:16:108:41 | ...+... | provenance | Config | -| passwords.go:108:34:108:41 | password | passwords.go:113:33:113:40 | password | provenance | | -| passwords.go:108:34:108:41 | password | passwords.go:123:13:123:20 | password | provenance | | -| passwords.go:113:33:113:40 | password | passwords.go:113:15:113:40 | ...+... | provenance | Config | -| passwords.go:113:33:113:40 | password | passwords.go:123:13:123:20 | password | provenance | | -| passwords.go:116:6:116:14 | definition of password1 | passwords.go:117:28:117:36 | password1 | provenance | | -| passwords.go:117:28:117:36 | password1 | passwords.go:117:28:117:45 | call to String | provenance | Config | -| passwords.go:117:28:117:45 | call to String | passwords.go:117:14:117:45 | ...+... 
| provenance | Config | -| passwords.go:120:12:125:2 | struct literal | passwords.go:127:14:127:19 | config | provenance | | -| passwords.go:120:12:125:2 | struct literal [x] | passwords.go:128:14:128:19 | config [x] | provenance | | -| passwords.go:120:12:125:2 | struct literal [y] | passwords.go:129:14:129:19 | config [y] | provenance | | -| passwords.go:121:13:121:14 | x3 | passwords.go:120:12:125:2 | struct literal | provenance | Config | -| passwords.go:123:13:123:20 | password | passwords.go:120:12:125:2 | struct literal | provenance | Config | -| passwords.go:123:13:123:20 | password | passwords.go:120:12:125:2 | struct literal [x] | provenance | | -| passwords.go:124:13:124:25 | call to getPassword | passwords.go:120:12:125:2 | struct literal | provenance | Config | -| passwords.go:124:13:124:25 | call to getPassword | passwords.go:120:12:125:2 | struct literal [y] | provenance | | -| passwords.go:128:14:128:19 | config [x] | passwords.go:128:14:128:21 | selection of x | provenance | | -| passwords.go:129:14:129:19 | config [y] | passwords.go:129:14:129:21 | selection of y | provenance | | +| passwords.go:36:28:36:35 | password | passwords.go:36:14:36:35 | ...+... 
| provenance | Config | +| passwords.go:36:28:36:35 | password | passwords.go:44:6:44:13 | password | provenance | | +| passwords.go:38:10:40:2 | struct literal | passwords.go:41:14:41:17 | obj1 | provenance | | +| passwords.go:39:13:39:13 | x | passwords.go:38:10:40:2 | struct literal | provenance | Config | +| passwords.go:43:10:45:2 | struct literal | passwords.go:46:14:46:17 | obj2 | provenance | | +| passwords.go:44:6:44:13 | password | passwords.go:43:10:45:2 | struct literal | provenance | Config | +| passwords.go:44:6:44:13 | password | passwords.go:50:11:50:18 | password | provenance | | +| passwords.go:50:11:50:18 | password | passwords.go:94:23:94:28 | secret | provenance | | +| passwords.go:50:11:50:18 | password | passwords.go:104:33:104:40 | password | provenance | | +| passwords.go:50:11:50:18 | password | passwords.go:110:34:110:41 | password | provenance | | +| passwords.go:50:11:50:18 | password | passwords.go:115:33:115:40 | password | provenance | | +| passwords.go:50:11:50:18 | password | passwords.go:125:13:125:20 | password | provenance | | +| passwords.go:52:2:52:15 | definition of fixed_password | passwords.go:53:14:53:27 | fixed_password | provenance | | +| passwords.go:88:19:90:2 | struct literal | passwords.go:91:14:91:26 | utilityObject | provenance | | +| passwords.go:89:16:89:36 | call to make | passwords.go:88:19:90:2 | struct literal | provenance | Config | +| passwords.go:104:33:104:40 | password | passwords.go:104:15:104:40 | ...+... | provenance | Config | +| passwords.go:104:33:104:40 | password | passwords.go:110:34:110:41 | password | provenance | | +| passwords.go:104:33:104:40 | password | passwords.go:115:33:115:40 | password | provenance | | +| passwords.go:104:33:104:40 | password | passwords.go:125:13:125:20 | password | provenance | | +| passwords.go:110:34:110:41 | password | passwords.go:110:16:110:41 | ...+... 
| provenance | Config | +| passwords.go:110:34:110:41 | password | passwords.go:115:33:115:40 | password | provenance | | +| passwords.go:110:34:110:41 | password | passwords.go:125:13:125:20 | password | provenance | | +| passwords.go:115:33:115:40 | password | passwords.go:115:15:115:40 | ...+... | provenance | Config | +| passwords.go:115:33:115:40 | password | passwords.go:125:13:125:20 | password | provenance | | +| passwords.go:118:6:118:14 | definition of password1 | passwords.go:119:28:119:36 | password1 | provenance | | +| passwords.go:119:28:119:36 | password1 | passwords.go:119:28:119:45 | call to String | provenance | Config | +| passwords.go:119:28:119:45 | call to String | passwords.go:119:14:119:45 | ...+... | provenance | Config | +| passwords.go:122:12:127:2 | struct literal | passwords.go:129:14:129:19 | config | provenance | | +| passwords.go:122:12:127:2 | struct literal [x] | passwords.go:130:14:130:19 | config [x] | provenance | | +| passwords.go:122:12:127:2 | struct literal [y] | passwords.go:131:14:131:19 | config [y] | provenance | | +| passwords.go:123:13:123:14 | x3 | passwords.go:122:12:127:2 | struct literal | provenance | Config | +| passwords.go:125:13:125:20 | password | passwords.go:122:12:127:2 | struct literal | provenance | Config | +| passwords.go:125:13:125:20 | password | passwords.go:122:12:127:2 | struct literal [x] | provenance | | +| passwords.go:126:13:126:25 | call to getPassword | passwords.go:122:12:127:2 | struct literal | provenance | Config | +| passwords.go:126:13:126:25 | call to getPassword | passwords.go:122:12:127:2 | struct literal [y] | provenance | | +| passwords.go:130:14:130:19 | config [x] | passwords.go:130:14:130:21 | selection of x | provenance | | +| passwords.go:131:14:131:19 | config [y] | passwords.go:131:14:131:21 | selection of y | provenance | | | protobuf.go:9:2:9:9 | definition of password | protobuf.go:12:22:12:29 | password | provenance | | | protobuf.go:12:2:12:6 | implicit dereference 
[postupdate] [Description] | protobuf.go:12:2:12:6 | query [postupdate] [pointer, Description] | provenance | | | protobuf.go:12:2:12:6 | query [postupdate] [pointer, Description] | protobuf.go:14:14:14:18 | query [pointer, Description] | provenance | | @@ -274,20 +194,12 @@ nodes | main.go:54:12:54:19 | password | semmle.label | password | | main.go:54:12:54:19 | password | semmle.label | password | | main.go:56:11:56:18 | password | semmle.label | password | -| main.go:56:11:56:18 | password | semmle.label | password | -| main.go:59:18:59:25 | password | semmle.label | password | | main.go:59:18:59:25 | password | semmle.label | password | | main.go:62:12:62:19 | password | semmle.label | password | -| main.go:62:12:62:19 | password | semmle.label | password | -| main.go:65:13:65:20 | password | semmle.label | password | | main.go:65:13:65:20 | password | semmle.label | password | | main.go:68:11:68:18 | password | semmle.label | password | -| main.go:68:11:68:18 | password | semmle.label | password | -| main.go:71:18:71:25 | password | semmle.label | password | | main.go:71:18:71:25 | password | semmle.label | password | | main.go:74:12:74:19 | password | semmle.label | password | -| main.go:74:12:74:19 | password | semmle.label | password | -| main.go:77:13:77:20 | password | semmle.label | password | | main.go:77:13:77:20 | password | semmle.label | password | | main.go:79:14:79:21 | password | semmle.label | password | | main.go:80:17:80:24 | password | semmle.label | password | 
@@ -308,43 +220,43 @@ nodes | passwords.go:27:14:27:26 | call to getPassword | semmle.label | call to getPassword | | passwords.go:28:14:28:28 | call to getPassword | semmle.label | call to getPassword | | passwords.go:30:8:30:15 | password | semmle.label | password | -| passwords.go:32:12:32:19 | password | semmle.label | password | -| passwords.go:34:14:34:35 | ...+... | semmle.label | ...+... | -| passwords.go:34:28:34:35 | password | semmle.label | password | -| passwords.go:36:10:38:2 | struct literal | semmle.label | struct literal | -| passwords.go:37:13:37:13 | x | semmle.label | x | -| passwords.go:39:14:39:17 | obj1 | semmle.label | obj1 | -| passwords.go:41:10:43:2 | struct literal | semmle.label | struct literal | -| passwords.go:42:6:42:13 | password | semmle.label | password | -| passwords.go:44:14:44:17 | obj2 | semmle.label | obj2 | -| passwords.go:48:11:48:18 | password | semmle.label | password | -| passwords.go:50:2:50:15 | definition of fixed_password | semmle.label | definition of fixed_password | -| passwords.go:51:14:51:27 | fixed_password | semmle.label | fixed_password | -| passwords.go:86:19:88:2 | struct literal | semmle.label | struct literal | -| passwords.go:87:16:87:36 | call to make | semmle.label | call to make | -| passwords.go:89:14:89:26 | utilityObject | semmle.label | utilityObject | -| passwords.go:92:23:92:28 | secret | semmle.label | secret | -| passwords.go:102:15:102:40 | ...+... | semmle.label | ...+... | -| passwords.go:102:33:102:40 | password | semmle.label | password | -| passwords.go:108:16:108:41 | ...+... | semmle.label | ...+... | -| passwords.go:108:34:108:41 | password | semmle.label | password | -| passwords.go:113:15:113:40 | ...+... | semmle.label | ...+... | -| passwords.go:113:33:113:40 | password | semmle.label | password | -| passwords.go:116:6:116:14 | definition of password1 | semmle.label | definition of password1 | -| passwords.go:117:14:117:45 | ...+... | semmle.label | ...+... 
| -| passwords.go:117:28:117:36 | password1 | semmle.label | password1 | -| passwords.go:117:28:117:45 | call to String | semmle.label | call to String | -| passwords.go:120:12:125:2 | struct literal | semmle.label | struct literal | -| passwords.go:120:12:125:2 | struct literal [x] | semmle.label | struct literal [x] | -| passwords.go:120:12:125:2 | struct literal [y] | semmle.label | struct literal [y] | -| passwords.go:121:13:121:14 | x3 | semmle.label | x3 | -| passwords.go:123:13:123:20 | password | semmle.label | password | -| passwords.go:124:13:124:25 | call to getPassword | semmle.label | call to getPassword | -| passwords.go:127:14:127:19 | config | semmle.label | config | -| passwords.go:128:14:128:19 | config [x] | semmle.label | config [x] | -| passwords.go:128:14:128:21 | selection of x | semmle.label | selection of x | -| passwords.go:129:14:129:19 | config [y] | semmle.label | config [y] | -| passwords.go:129:14:129:21 | selection of y | semmle.label | selection of y | +| passwords.go:33:13:33:20 | password | semmle.label | password | +| passwords.go:36:14:36:35 | ...+... | semmle.label | ...+... 
| +| passwords.go:36:28:36:35 | password | semmle.label | password | +| passwords.go:38:10:40:2 | struct literal | semmle.label | struct literal | +| passwords.go:39:13:39:13 | x | semmle.label | x | +| passwords.go:41:14:41:17 | obj1 | semmle.label | obj1 | +| passwords.go:43:10:45:2 | struct literal | semmle.label | struct literal | +| passwords.go:44:6:44:13 | password | semmle.label | password | +| passwords.go:46:14:46:17 | obj2 | semmle.label | obj2 | +| passwords.go:50:11:50:18 | password | semmle.label | password | +| passwords.go:52:2:52:15 | definition of fixed_password | semmle.label | definition of fixed_password | +| passwords.go:53:14:53:27 | fixed_password | semmle.label | fixed_password | +| passwords.go:88:19:90:2 | struct literal | semmle.label | struct literal | +| passwords.go:89:16:89:36 | call to make | semmle.label | call to make | +| passwords.go:91:14:91:26 | utilityObject | semmle.label | utilityObject | +| passwords.go:94:23:94:28 | secret | semmle.label | secret | +| passwords.go:104:15:104:40 | ...+... | semmle.label | ...+... | +| passwords.go:104:33:104:40 | password | semmle.label | password | +| passwords.go:110:16:110:41 | ...+... | semmle.label | ...+... | +| passwords.go:110:34:110:41 | password | semmle.label | password | +| passwords.go:115:15:115:40 | ...+... | semmle.label | ...+... | +| passwords.go:115:33:115:40 | password | semmle.label | password | +| passwords.go:118:6:118:14 | definition of password1 | semmle.label | definition of password1 | +| passwords.go:119:14:119:45 | ...+... | semmle.label | ...+... 
| +| passwords.go:119:28:119:36 | password1 | semmle.label | password1 | +| passwords.go:119:28:119:45 | call to String | semmle.label | call to String | +| passwords.go:122:12:127:2 | struct literal | semmle.label | struct literal | +| passwords.go:122:12:127:2 | struct literal [x] | semmle.label | struct literal [x] | +| passwords.go:122:12:127:2 | struct literal [y] | semmle.label | struct literal [y] | +| passwords.go:123:13:123:14 | x3 | semmle.label | x3 | +| passwords.go:125:13:125:20 | password | semmle.label | password | +| passwords.go:126:13:126:25 | call to getPassword | semmle.label | call to getPassword | +| passwords.go:129:14:129:19 | config | semmle.label | config | +| passwords.go:130:14:130:19 | config [x] | semmle.label | config [x] | +| passwords.go:130:14:130:21 | selection of x | semmle.label | selection of x | +| passwords.go:131:14:131:19 | config [y] | semmle.label | config [y] | +| passwords.go:131:14:131:21 | selection of y | semmle.label | selection of y | | protobuf.go:9:2:9:9 | definition of password | semmle.label | definition of password | | protobuf.go:12:2:12:6 | implicit dereference [postupdate] [Description] | semmle.label | implicit dereference [postupdate] [Description] | | protobuf.go:12:2:12:6 | query [postupdate] [pointer, Description] | semmle.label | query [postupdate] [pointer, Description] | diff --git a/go/ql/test/query-tests/Security/CWE-312/passwords.go b/go/ql/test/query-tests/Security/CWE-312/passwords.go index 38c977e41b8..dc569970a39 100644 --- a/go/ql/test/query-tests/Security/CWE-312/passwords.go +++ b/go/ql/test/query-tests/Security/CWE-312/passwords.go @@ -16,7 +16,7 @@ func redact(kind, value string) string { return value } -func test() { +func test(selector int) { name := "user" password := "P@ssw0rd" // $ Source x := "horsebatterystapleincorrect" 
@@ -29,7 +29,9 @@ func test() {
 myLog(password)
- log.Panic(password) // $ Alert
+ if selector == 1 {
+ log.Panic(password) // $ Alert
+ }
 log.Println(name + ", " + password) // $ Alert