From bcb65157e616add82879635c31a3a449c64df758 Mon Sep 17 00:00:00 2001
From: Chris Smowton <smowton@github.com>
Date: Mon, 17 Aug 2020 16:14:29 +0100
Subject: [PATCH] Oauth2-state query: treat log calls the same as stdout
 printers

These presumably get to the user somehow, and in conjunction with stdin use are enough to identify use of oauth at the terminal.
---
 ql/src/experimental/CWE-352/ConstantOauth2State.ql | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ql/src/experimental/CWE-352/ConstantOauth2State.ql b/ql/src/experimental/CWE-352/ConstantOauth2State.ql
index dfb8ad1c368..c715bf60b1d 100644
--- a/ql/src/experimental/CWE-352/ConstantOauth2State.ql
+++ b/ql/src/experimental/CWE-352/ConstantOauth2State.ql
@@ -50,6 +50,8 @@ class FlowToPrint extends DataFlow::Configuration {
 
   predicate isSink(DataFlow::Node sink, DataFlow::CallNode call) {
     exists(Fmt::Printer printer | call = printer.getACall() | sink = call.getArgument(_))
+    or
+    exists(LoggerCall logCall | call = logCall | sink = logCall.getAMessageComponent())
   }
 
   override predicate isSource(DataFlow::Node source) { isSource(source, _) }