diff --git a/ql/test/library-tests/semmle/go/frameworks/HTTP/Gorestful/gorestful.expected b/ql/test/library-tests/semmle/go/frameworks/HTTP/Gorestful/gorestful.expected index ee3137d73ee..4c252dadb93 100644 --- a/ql/test/library-tests/semmle/go/frameworks/HTTP/Gorestful/gorestful.expected +++ b/ql/test/library-tests/semmle/go/frameworks/HTTP/Gorestful/gorestful.expected 
@@ -1,14 +1,14 @@ -| gorestful.go:13:15:13:47 | index expression | gorestful.go:13:15:13:44 | call to QueryParameters : slice type | gorestful.go:13:15:13:47 | index expression | This command depends on $@. | gorestful.go:13:15:13:44 | call to QueryParameters | a user-provided value | -| gorestful.go:14:15:14:43 | call to QueryParameter | gorestful.go:14:15:14:43 | call to QueryParameter | gorestful.go:14:15:14:43 | call to QueryParameter | This command depends on $@. | gorestful.go:14:15:14:43 | call to QueryParameter | a user-provided value | -| gorestful.go:16:15:16:17 | val | gorestful.go:15:12:15:39 | call to BodyParameter : tuple type | gorestful.go:16:15:16:17 | val | This command depends on $@. | gorestful.go:15:12:15:39 | call to BodyParameter | a user-provided value | -| gorestful.go:17:15:17:44 | call to HeaderParameter | gorestful.go:17:15:17:44 | call to HeaderParameter | gorestful.go:17:15:17:44 | call to HeaderParameter | This command depends on $@. | gorestful.go:17:15:17:44 | call to HeaderParameter | a user-provided value | -| gorestful.go:18:15:18:42 | call to PathParameter | gorestful.go:18:15:18:42 | call to PathParameter | gorestful.go:18:15:18:42 | call to PathParameter | This command depends on $@. | gorestful.go:18:15:18:42 | call to PathParameter | a user-provided value | -| gorestful.go:19:15:19:45 | index expression | gorestful.go:19:15:19:38 | call to PathParameters : map type | gorestful.go:19:15:19:45 | index expression | This command depends on $@. | gorestful.go:19:15:19:38 | call to PathParameters | a user-provided value | -| gorestful.go:22:15:22:21 | selection of cmd | gorestful.go:21:21:21:24 | &... : pointer type | gorestful.go:22:15:22:21 | selection of cmd | This command depends on $@. | gorestful.go:21:21:21:24 | &... 
| a user-provided value | -| gorestful_v2.go:13:15:13:47 | index expression | gorestful_v2.go:13:15:13:44 | call to QueryParameters : slice type | gorestful_v2.go:13:15:13:47 | index expression | This command depends on $@. | gorestful_v2.go:13:15:13:44 | call to QueryParameters | a user-provided value | -| gorestful_v2.go:14:15:14:43 | call to QueryParameter | gorestful_v2.go:14:15:14:43 | call to QueryParameter | gorestful_v2.go:14:15:14:43 | call to QueryParameter | This command depends on $@. | gorestful_v2.go:14:15:14:43 | call to QueryParameter | a user-provided value | -| gorestful_v2.go:16:15:16:17 | val | gorestful_v2.go:15:12:15:39 | call to BodyParameter : tuple type | gorestful_v2.go:16:15:16:17 | val | This command depends on $@. | gorestful_v2.go:15:12:15:39 | call to BodyParameter | a user-provided value | -| gorestful_v2.go:17:15:17:44 | call to HeaderParameter | gorestful_v2.go:17:15:17:44 | call to HeaderParameter | gorestful_v2.go:17:15:17:44 | call to HeaderParameter | This command depends on $@. | gorestful_v2.go:17:15:17:44 | call to HeaderParameter | a user-provided value | -| gorestful_v2.go:18:15:18:42 | call to PathParameter | gorestful_v2.go:18:15:18:42 | call to PathParameter | gorestful_v2.go:18:15:18:42 | call to PathParameter | This command depends on $@. | gorestful_v2.go:18:15:18:42 | call to PathParameter | a user-provided value | -| gorestful_v2.go:19:15:19:45 | index expression | gorestful_v2.go:19:15:19:38 | call to PathParameters : map type | gorestful_v2.go:19:15:19:45 | index expression | This command depends on $@. | gorestful_v2.go:19:15:19:38 | call to PathParameters | a user-provided value | -| gorestful_v2.go:22:15:22:21 | selection of cmd | gorestful_v2.go:21:21:21:24 | &... : pointer type | gorestful_v2.go:22:15:22:21 | selection of cmd | This command depends on $@. | gorestful_v2.go:21:21:21:24 | &... 
| a user-provided value | +| gorestful.go:15:15:15:47 | index expression | gorestful.go:15:15:15:44 | call to QueryParameters : slice type | gorestful.go:15:15:15:47 | index expression | This command depends on $@. | gorestful.go:15:15:15:44 | call to QueryParameters | a user-provided value | +| gorestful.go:16:15:16:43 | call to QueryParameter | gorestful.go:16:15:16:43 | call to QueryParameter | gorestful.go:16:15:16:43 | call to QueryParameter | This command depends on $@. | gorestful.go:16:15:16:43 | call to QueryParameter | a user-provided value | +| gorestful.go:18:15:18:17 | val | gorestful.go:17:12:17:39 | call to BodyParameter : tuple type | gorestful.go:18:15:18:17 | val | This command depends on $@. | gorestful.go:17:12:17:39 | call to BodyParameter | a user-provided value | +| gorestful.go:19:15:19:44 | call to HeaderParameter | gorestful.go:19:15:19:44 | call to HeaderParameter | gorestful.go:19:15:19:44 | call to HeaderParameter | This command depends on $@. | gorestful.go:19:15:19:44 | call to HeaderParameter | a user-provided value | +| gorestful.go:20:15:20:42 | call to PathParameter | gorestful.go:20:15:20:42 | call to PathParameter | gorestful.go:20:15:20:42 | call to PathParameter | This command depends on $@. | gorestful.go:20:15:20:42 | call to PathParameter | a user-provided value | +| gorestful.go:21:15:21:45 | index expression | gorestful.go:21:15:21:38 | call to PathParameters : map type | gorestful.go:21:15:21:45 | index expression | This command depends on $@. | gorestful.go:21:15:21:38 | call to PathParameters | a user-provided value | +| gorestful.go:24:15:24:21 | selection of cmd | gorestful.go:23:21:23:24 | &... : pointer type | gorestful.go:24:15:24:21 | selection of cmd | This command depends on $@. | gorestful.go:23:21:23:24 | &... 
| a user-provided value | +| gorestful_v2.go:15:15:15:47 | index expression | gorestful_v2.go:15:15:15:44 | call to QueryParameters : slice type | gorestful_v2.go:15:15:15:47 | index expression | This command depends on $@. | gorestful_v2.go:15:15:15:44 | call to QueryParameters | a user-provided value | +| gorestful_v2.go:16:15:16:43 | call to QueryParameter | gorestful_v2.go:16:15:16:43 | call to QueryParameter | gorestful_v2.go:16:15:16:43 | call to QueryParameter | This command depends on $@. | gorestful_v2.go:16:15:16:43 | call to QueryParameter | a user-provided value | +| gorestful_v2.go:18:15:18:17 | val | gorestful_v2.go:17:12:17:39 | call to BodyParameter : tuple type | gorestful_v2.go:18:15:18:17 | val | This command depends on $@. | gorestful_v2.go:17:12:17:39 | call to BodyParameter | a user-provided value | +| gorestful_v2.go:19:15:19:44 | call to HeaderParameter | gorestful_v2.go:19:15:19:44 | call to HeaderParameter | gorestful_v2.go:19:15:19:44 | call to HeaderParameter | This command depends on $@. | gorestful_v2.go:19:15:19:44 | call to HeaderParameter | a user-provided value | +| gorestful_v2.go:20:15:20:42 | call to PathParameter | gorestful_v2.go:20:15:20:42 | call to PathParameter | gorestful_v2.go:20:15:20:42 | call to PathParameter | This command depends on $@. | gorestful_v2.go:20:15:20:42 | call to PathParameter | a user-provided value | +| gorestful_v2.go:21:15:21:45 | index expression | gorestful_v2.go:21:15:21:38 | call to PathParameters : map type | gorestful_v2.go:21:15:21:45 | index expression | This command depends on $@. | gorestful_v2.go:21:15:21:38 | call to PathParameters | a user-provided value | +| gorestful_v2.go:24:15:24:21 | selection of cmd | gorestful_v2.go:23:21:23:24 | &... : pointer type | gorestful_v2.go:24:15:24:21 | selection of cmd | This command depends on $@. | gorestful_v2.go:23:21:23:24 | &... | a user-provided value | 
diff --git a/ql/test/library-tests/semmle/go/frameworks/HTTP/Gorestful/gorestful.go b/ql/test/library-tests/semmle/go/frameworks/HTTP/Gorestful/gorestful.go
index fa2a1959aa8..95efc52f483 100644
--- a/ql/test/library-tests/semmle/go/frameworks/HTTP/Gorestful/gorestful.go
+++ b/ql/test/library-tests/semmle/go/frameworks/HTTP/Gorestful/gorestful.go
@@ -1,5 +1,7 @@
 package gorestfultest
+//go:generate depstubber -vendor github.com/emicklei/go-restful/v3 Request,Response
+
 import (
 restful "github.com/emicklei/go-restful/v3"
 "os/exec"
diff --git a/ql/test/library-tests/semmle/go/frameworks/HTTP/Gorestful/gorestful_v2.go b/ql/test/library-tests/semmle/go/frameworks/HTTP/Gorestful/gorestful_v2.go
index 884c037b052..3ddf3871625 100644
--- a/ql/test/library-tests/semmle/go/frameworks/HTTP/Gorestful/gorestful_v2.go
+++ b/ql/test/library-tests/semmle/go/frameworks/HTTP/Gorestful/gorestful_v2.go
@@ -1,5 +1,7 @@
 package gorestfultest
+//go:generate depstubber -vendor github.com/emicklei/go-restful Request,Response
+
 import (
 restful "github.com/emicklei/go-restful"
 "os/exec"
diff --git a/ql/test/library-tests/semmle/go/frameworks/HTTP/Gorestful/vendor/github.com/emicklei/go-restful/stub.go b/ql/test/library-tests/semmle/go/frameworks/HTTP/Gorestful/vendor/github.com/emicklei/go-restful/stub.go
index 7cde3962a7f..7fd52cf1eee 100644
--- a/ql/test/library-tests/semmle/go/frameworks/HTTP/Gorestful/vendor/github.com/emicklei/go-restful/stub.go
+++ b/ql/test/library-tests/semmle/go/frameworks/HTTP/Gorestful/vendor/github.com/emicklei/go-restful/stub.go
@@ -1,16 +1,23 @@
 // Code generated by depstubber. DO NOT EDIT.
-// This is a simple stub for github.com/emicklei/go-restful/v3, strictly for use in testing.
+// This is a simple stub for github.com/emicklei/go-restful, strictly for use in testing.
 // See the LICENSE file for information about the licensing of the original library.
-// Source: github.com/emicklei/go-restful/v3 (exports: Request; functions: )
+// Source: github.com/emicklei/go-restful (exports: Request,Response; functions: )
-// Package gorestfulstub is a stub of github.com/emicklei/go-restful, generated by depstubber.
-package gorestfulstub
+// Package gopkg is a stub of github.com/emicklei/go-restful, generated by depstubber.
+package gopkg
 import (
+ bufio "bufio"
+ net "net"
 http "net/http"
 )
+type EntityReaderWriter interface {
+ Read(_ *Request, _ interface{}) error
+ Write(_ *Response, _ int, _ interface{}) error
+}
+
 type Request struct {
 Request *http.Request
 }
@@ -52,3 +59,105 @@ func (_ *Request) ReadEntity(_ interface{}) error {
 }
 func (_ *Request) SetAttribute(_ string, _ interface{}) {}
+
+type Response struct {
+ ResponseWriter http.ResponseWriter
+}
+
+func (_ Response) AddHeader(_ string, _ string) Response {
+ return Response{}
+}
+
+func (_ Response) CloseNotify() <-chan bool {
+ return nil
+}
+
+func (_ Response) ContentLength() int {
+ return 0
+}
+
+func (_ Response) Error() error {
+ return nil
+}
+
+func (_ Response) Header() http.Header {
+ return nil
+}
+
+func (_ Response) InternalServerError() Response {
+ return Response{}
+}
+
+func (_ Response) StatusCode() int {
+ return 0
+}
+
+func (_ *Response) EntityWriter() (EntityReaderWriter, bool) {
+ return nil, false
+}
+
+func (_ *Response) Flush() {}
+
+func (_ *Response) Hijack() (net.Conn, *bufio.ReadWriter, error) {
+ return nil, nil, nil
+}
+
+func (_ *Response) PrettyPrint(_ bool) {}
+
+func (_ *Response) SetRequestAccepts(_ string) {}
+
+func (_ *Response) Write(_ []byte) (int, error) {
+ return 0, nil
+}
+
+func (_ *Response) WriteAsJson(_ interface{}) error {
+ return nil
+}
+
+func (_ *Response) WriteAsXml(_ interface{}) error {
+ return nil
+}
+
+func (_ *Response) WriteEntity(_ interface{}) error {
+ return nil
+}
+
+func (_ *Response) WriteError(_ int, _ error) error {
+ return nil
+}
+
+func (_ *Response) WriteErrorString(_ int, _ string) error {
+ return nil
+}
+
+func (_ *Response) WriteHeader(_ int) {}
+
+func (_ *Response) WriteHeaderAndEntity(_ int, _ interface{}) error {
+ return nil
+}
+
+func (_ *Response) WriteHeaderAndJson(_ int, _ interface{}, _ string) error {
+ return nil
+}
+
+func (_ *Response) WriteHeaderAndXml(_ int, _ interface{}) error {
+ return nil
+}
+
+func (_ *Response) WriteJson(_ interface{}, _ string) error {
+ return nil
+}
+
+func (_ *Response) WriteServiceError(_ int, _ ServiceError) error {
+ return nil
+}
+
+type ServiceError struct {
+ Code int
+ Message string
+ Header http.Header
+}
+
+func (_ ServiceError) Error() string {
+ return ""
+}
diff --git a/ql/test/library-tests/semmle/go/frameworks/HTTP/Gorestful/vendor/github.com/emicklei/go-restful/v3/stub.go b/ql/test/library-tests/semmle/go/frameworks/HTTP/Gorestful/vendor/github.com/emicklei/go-restful/v3/stub.go
index 71d25f095e8..6aab549f432 100644
--- a/ql/test/library-tests/semmle/go/frameworks/HTTP/Gorestful/vendor/github.com/emicklei/go-restful/v3/stub.go
+++ b/ql/test/library-tests/semmle/go/frameworks/HTTP/Gorestful/vendor/github.com/emicklei/go-restful/v3/stub.go
@@ -2,15 +2,22 @@
 // This is a simple stub for github.com/emicklei/go-restful/v3, strictly for use in testing.
 // See the LICENSE file for information about the licensing of the original library.
-// Source: github.com/emicklei/go-restful/v3 (exports: Request; functions: )
+// Source: github.com/emicklei/go-restful/v3 (exports: Request,Response; functions: )
-// Package gorestfulstub is a stub of github.com/emicklei/go-restful/v3, generated by depstubber.
-package gorestfulstub
+// Package gopkg is a stub of github.com/emicklei/go-restful/v3, generated by depstubber.
+package gopkg
 import (
+ bufio "bufio"
+ net "net"
 http "net/http"
 )
+type EntityReaderWriter interface {
+ Read(_ *Request, _ interface{}) error
+ Write(_ *Response, _ int, _ interface{}) error
+}
+
 type Request struct {
 Request *http.Request
 }
@@ -52,3 +59,105 @@ func (_ *Request) ReadEntity(_ interface{}) error {
 }
 func (_ *Request) SetAttribute(_ string, _ interface{}) {}
+
+type Response struct {
+ ResponseWriter http.ResponseWriter
+}
+
+func (_ Response) AddHeader(_ string, _ string) Response {
+ return Response{}
+}
+
+func (_ Response) CloseNotify() <-chan bool {
+ return nil
+}
+
+func (_ Response) ContentLength() int {
+ return 0
+}
+
+func (_ Response) Error() error {
+ return nil
+}
+
+func (_ Response) Header() http.Header {
+ return nil
+}
+
+func (_ Response) InternalServerError() Response {
+ return Response{}
+}
+
+func (_ Response) StatusCode() int {
+ return 0
+}
+
+func (_ *Response) EntityWriter() (EntityReaderWriter, bool) {
+ return nil, false
+}
+
+func (_ *Response) Flush() {}
+
+func (_ *Response) Hijack() (net.Conn, *bufio.ReadWriter, error) {
+ return nil, nil, nil
+}
+
+func (_ *Response) PrettyPrint(_ bool) {}
+
+func (_ *Response) SetRequestAccepts(_ string) {}
+
+func (_ *Response) Write(_ []byte) (int, error) {
+ return 0, nil
+}
+
+func (_ *Response) WriteAsJson(_ interface{}) error {
+ return nil
+}
+
+func (_ *Response) WriteAsXml(_ interface{}) error {
+ return nil
+}
+
+func (_ *Response) WriteEntity(_ interface{}) error {
+ return nil
+}
+
+func (_ *Response) WriteError(_ int, _ error) error {
+ return nil
+}
+
+func (_ *Response) WriteErrorString(_ int, _ string) error {
+ return nil
+}
+
+func (_ *Response) WriteHeader(_ int) {}
+
+func (_ *Response) WriteHeaderAndEntity(_ int, _ interface{}) error {
+ return nil
+}
+
+func (_ *Response) WriteHeaderAndJson(_ int, _ interface{}, _ string) error {
+ return nil
+}
+
+func (_ *Response) WriteHeaderAndXml(_ int, _ interface{}) error {
+ return nil
+}
+
+func (_ *Response) WriteJson(_ interface{}, _ string) error {
+ return nil
+}
+
+func (_ *Response) WriteServiceError(_ int, _ ServiceError) error {
+ return nil
+}
+
+type ServiceError struct {
+ Code int
+ Message string
+ Header http.Header
+}
+
+func (_ ServiceError) Error() string {
+ return ""
+}
diff --git a/ql/test/query-tests/Security/CWE-322/InsecureHostKeyCallback.expected b/ql/test/query-tests/Security/CWE-322/InsecureHostKeyCallback.expected
index 0e851d743b2..2953f3a9310 100644
--- a/ql/test/query-tests/Security/CWE-322/InsecureHostKeyCallback.expected
+++ b/ql/test/query-tests/Security/CWE-322/InsecureHostKeyCallback.expected
@@ -6,7 +6,7 @@ edges
 | InsecureHostKeyCallbackExample.go:58:39:58:46 | definition of callback : HostKeyCallback | InsecureHostKeyCallbackExample.go:62:20:62:27 | callback |
 | InsecureHostKeyCallbackExample.go:58:39:58:46 | definition of callback : signature type | InsecureHostKeyCallbackExample.go:62:20:62:27 | callback |
 | InsecureHostKeyCallbackExample.go:68:48:68:55 | definition of callback : signature type | InsecureHostKeyCallbackExample.go:78:28:78:35 | callback |
-| InsecureHostKeyCallbackExample.go:94:3:94:45 | ... := ...[0] : HostKeyCallback | InsecureHostKeyCallbackExample.go:95:28:95:35 | callback |
+| InsecureHostKeyCallbackExample.go:94:3:94:43 | ... := ...[0] : HostKeyCallback | InsecureHostKeyCallbackExample.go:95:28:95:35 | callback |
 | InsecureHostKeyCallbackExample.go:102:22:105:4 | type conversion : signature type | InsecureHostKeyCallbackExample.go:107:35:107:50 | insecureCallback : signature type |
 | InsecureHostKeyCallbackExample.go:103:3:105:3 | function literal : signature type | InsecureHostKeyCallbackExample.go:102:22:105:4 | type conversion : signature type |
 | InsecureHostKeyCallbackExample.go:107:35:107:50 | insecureCallback : signature type | InsecureHostKeyCallbackExample.go:58:39:58:46 | definition of callback : signature type |
@@ -32,7 +32,7 @@ nodes
 | InsecureHostKeyCallbackExample.go:76:28:76:54 | call to InsecureIgnoreHostKey | semmle.label | call to InsecureIgnoreHostKey |
 | InsecureHostKeyCallbackExample.go:78:28:78:35 | callback | semmle.label | callback |
 | InsecureHostKeyCallbackExample.go:92:28:92:54 | call to InsecureIgnoreHostKey | semmle.label | call to InsecureIgnoreHostKey |
-| InsecureHostKeyCallbackExample.go:94:3:94:45 | ... := ...[0] : HostKeyCallback | semmle.label | ... := ...[0] : HostKeyCallback |
+| InsecureHostKeyCallbackExample.go:94:3:94:43 | ... := ...[0] : HostKeyCallback | semmle.label | ... := ...[0] : HostKeyCallback |
 | InsecureHostKeyCallbackExample.go:95:28:95:35 | callback | semmle.label | callback |
 | InsecureHostKeyCallbackExample.go:102:22:105:4 | type conversion : signature type | semmle.label | type conversion : signature type |
 | InsecureHostKeyCallbackExample.go:103:3:105:3 | function literal : signature type | semmle.label | function literal : signature type |
diff --git a/ql/test/query-tests/Security/CWE-322/InsecureHostKeyCallbackExample.go b/ql/test/query-tests/Security/CWE-322/InsecureHostKeyCallbackExample.go
index 0c7f9466488..d13bda30a5e 100644
--- a/ql/test/query-tests/Security/CWE-322/InsecureHostKeyCallbackExample.go
+++ b/ql/test/query-tests/Security/CWE-322/InsecureHostKeyCallbackExample.go
@@ -91,7 +91,7 @@ func potentialInsecureSSHClientConfigUsingKnownHosts(x bool) {
 if x {
 config.HostKeyCallback = ssh.InsecureIgnoreHostKey() // OK
 } else {
- callback, err := knownhosts.New("somefile")
+ callback, _ := knownhosts.New("somefile")
 config.HostKeyCallback = callback
 }
 }
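Review bot: Discarding the error from `knownhosts.New` on the added line leaves `callback` nil whenever "somefile" cannot be read or parsed, and the next line stores that nil in `config.HostKeyCallback`; since this `else` branch is the example of the safe configuration, it should not model silently dropping the error (presumably done here only because `err` was otherwise unused). Keeping `callback, err := knownhosts.New("somefile")` and adding `if err != nil { return }` before `config.HostKeyCallback = callback` keeps the file compiling while keeping a nil callback out of the config, instead of letting the failure surface only when the SSH connection is established. The enclosing function `potentialInsecureSSHClientConfigUsingKnownHosts` starts outside the hunk, and the `94:3:94:43` column change in InsecureHostKeyCallback.expected would revert with it.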