hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-16 16:53:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

Address reviews - update comments, remove unneeded stubs

Browse Source
This commit is contained in:
Joe Farebrother
2025-11-19 06:01:30 +00:00
parent c6110ed541
commit c7b16a043e
7 changed files with 6 additions and 162 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
go/ql/lib/semmle/go/concepts/HTTP.qll
View File

@@ -427,10 +427,10 @@ module Http {
/** Provides a class for modeling the new APIs for writes to options of an HTTP cookie. */ /** Provides a class for modeling the new APIs for writes to options of an HTTP cookie. */
module CookieOptionWrite { module CookieOptionWrite {
/** /**
* A write to an HTTP cookie object. * A write to an option of an HTTP cookie object.
* *
* Extend this class to model new APIs. If you want to refine existing API models, * Extend this class to model new APIs. If you want to refine existing API models,
* extend `HTTP::CookieOptions` instead. * extend `HTTP::CookieOptionWrite` instead.
*/ */
abstract class Range extends DataFlow::Node { abstract class Range extends DataFlow::Node {
/** Gets the node representing the cookie object for the options being set. */ /** Gets the node representing the cookie object for the options being set. */
@@ -451,10 +451,10 @@ module Http {
} }
/** /**
* A write to an HTTP cookie object. * A write to an option of an HTTP cookie object.
* *
* Extend this class to refine existing API models. If you want to model new APIs, * Extend this class to refine existing API models. If you want to model new APIs,
* extend `HTTP::CookieOptions::Range` instead. * extend `HTTP::CookieOptionWrite::Range` instead.
*/ */
class CookieOptionWrite extends DataFlow::Node instanceof CookieOptionWrite::Range { class CookieOptionWrite extends DataFlow::Node instanceof CookieOptionWrite::Range {
/** Gets the node representing the cookie object for the options being set. */ /** Gets the node representing the cookie object for the options being set. */

2
go/ql/lib/semmle/go/security/CookieWithoutHttpOnly.qll
View File

@@ -48,7 +48,7 @@ module BooleanCookieHttpOnlyFlow = TaintTracking::Global<BooleanCookieHttpOnlyCo
/** Holds if `cw` has the `HttpOnly` attribute left at its default value of `false`. */ /** Holds if `cw` has the `HttpOnly` attribute left at its default value of `false`. */
predicate isNonHttpOnlyDefault(Http::CookieWrite cw) { predicate isNonHttpOnlyDefault(Http::CookieWrite cw) {
not BooleanCookieHttpOnlyFlow::flow(_, cw.getHttpOnly()) not BooleanCookieHttpOnlyFlow::flowTo(cw.getHttpOnly())
} }
/** Holds if `cw` has the `HttpOnly` attribute explicitly set to `false`, from the expression `boolFalse`. */ /** Holds if `cw` has the `HttpOnly` attribute explicitly set to `false`, from the expression `boolFalse`. */

2
go/ql/lib/semmle/go/security/CookieWithoutSecure.qll
View File

@@ -21,7 +21,7 @@ module BooleanCookieSecureFlow = TaintTracking::Global<BooleanCookieSecureConfig
/** Holds if `cw` has the `Secure` attribute left at its default value of `false`. */ /** Holds if `cw` has the `Secure` attribute left at its default value of `false`. */
predicate isInsecureDefault(Http::CookieWrite cw) { predicate isInsecureDefault(Http::CookieWrite cw) {
not BooleanCookieSecureFlow::flow(_, cw.getSecure()) not BooleanCookieSecureFlow::flowTo(cw.getSecure())
} }
/** Holds if `cw` has the `Secure` attribute explicitly set to `false`, from the expression `boolFalse`. */ /** Holds if `cw` has the `Secure` attribute explicitly set to `false`, from the expression `boolFalse`. */

75
go/ql/test/query-tests/Security/CWE-1004/vendor/github.com/gorilla/sessions/stub.go generated vendored
View File

@@ -1,75 +0,0 @@
// Code generated by depstubber. DO NOT EDIT.
// This is a simple stub for github.com/gorilla/sessions, strictly for use in testing.
// See the LICENSE file for information about the licensing of the original library.
// Source: github.com/gorilla/sessions (exports: CookieStore; functions: NewCookieStore)
// Package sessions is a stub of github.com/gorilla/sessions, generated by depstubber.
package sessions
import (
http "net/http"
)
type CookieStore struct {
Codecs []interface{}
Options *Options
}
func (_ *CookieStore) Get(_ *http.Request, _ string) (*Session, error) {
return nil, nil
}
func (_ *CookieStore) MaxAge(_ int) {}
func (_ *CookieStore) New(_ *http.Request, _ string) (*Session, error) {
return nil, nil
}
func (_ *CookieStore) Save(_ *http.Request, _ http.ResponseWriter, _ *Session) error {
return nil
}
func NewCookieStore(_ ...[]byte) *CookieStore {
return nil
}
type Options struct {
Path string
Domain string
MaxAge int
Secure bool
HttpOnly bool
SameSite http.SameSite
}
type Session struct {
ID string
Values map[interface{}]interface{}
Options *Options
IsNew bool
}
func (_ *Session) AddFlash(_ interface{}, _ ...string) {}
func (_ *Session) Flashes(_ ...string) []interface{} {
return nil
}
func (_ *Session) Name() string {
return ""
}
func (_ *Session) Save(_ *http.Request, _ http.ResponseWriter) error {
return nil
}
func (_ *Session) Store() Store {
return nil
}
type Store interface {
Get(_ *http.Request, _ string) (*Session, error)
New(_ *http.Request, _ string) (*Session, error)
Save(_ *http.Request, _ http.ResponseWriter, _ *Session) error
}

3
go/ql/test/query-tests/Security/CWE-1004/vendor/modules.txt vendored
View File

@@ -1,6 +1,3 @@
# github.com/gin-gonic/gin v1.7.1 # github.com/gin-gonic/gin v1.7.1
## explicit ## explicit
github.com/gin-gonic/gin github.com/gin-gonic/gin
# github.com/gorilla/sessions v1.2.1
## explicit
github.com/gorilla/sessions

75
go/ql/test/query-tests/Security/CWE-614/vendor/github.com/gorilla/sessions/stub.go generated vendored
View File

@@ -1,75 +0,0 @@
// Code generated by depstubber. DO NOT EDIT.
// This is a simple stub for github.com/gorilla/sessions, strictly for use in testing.
// See the LICENSE file for information about the licensing of the original library.
// Source: github.com/gorilla/sessions (exports: CookieStore; functions: NewCookieStore)
// Package sessions is a stub of github.com/gorilla/sessions, generated by depstubber.
package sessions
import (
http "net/http"
)
type CookieStore struct {
Codecs []interface{}
Options *Options
}
func (_ *CookieStore) Get(_ *http.Request, _ string) (*Session, error) {
return nil, nil
}
func (_ *CookieStore) MaxAge(_ int) {}
func (_ *CookieStore) New(_ *http.Request, _ string) (*Session, error) {
return nil, nil
}
func (_ *CookieStore) Save(_ *http.Request, _ http.ResponseWriter, _ *Session) error {
return nil
}
func NewCookieStore(_ ...[]byte) *CookieStore {
return nil
}
type Options struct {
Path string
Domain string
MaxAge int
Secure bool
HttpOnly bool
SameSite http.SameSite
}
type Session struct {
ID string
Values map[interface{}]interface{}
Options *Options
IsNew bool
}
func (_ *Session) AddFlash(_ interface{}, _ ...string) {}
func (_ *Session) Flashes(_ ...string) []interface{} {
return nil
}
func (_ *Session) Name() string {
return ""
}
func (_ *Session) Save(_ *http.Request, _ http.ResponseWriter) error {
return nil
}
func (_ *Session) Store() Store {
return nil
}
type Store interface {
Get(_ *http.Request, _ string) (*Session, error)
New(_ *http.Request, _ string) (*Session, error)
Save(_ *http.Request, _ http.ResponseWriter, _ *Session) error
}

3
go/ql/test/query-tests/Security/CWE-614/vendor/modules.txt vendored
View File

@@ -1,6 +1,3 @@
# github.com/gin-gonic/gin v1.7.1 # github.com/gin-gonic/gin v1.7.1
## explicit ## explicit
github.com/gin-gonic/gin github.com/gin-gonic/gin
# github.com/gorilla/sessions v1.2.1
## explicit
github.com/gorilla/sessions