diff --git a/.codeqlmanifest.json b/.codeqlmanifest.json index 21d141d3988..c6df74dd3b5 100644 --- a/.codeqlmanifest.json +++ b/.codeqlmanifest.json @@ -4,7 +4,6 @@ "ql/lib/qlpack.yml", "ql/examples/qlpack.yml", "ql/test/qlpack.yml", - "upgrades/qlpack.yml", "ql/config/legacy-support/qlpack.yml", "build/codeql-extractor-go/codeql-extractor.yml" ], diff --git a/Makefile b/Makefile index 3f1289bf024..7c03d6e79da 100644 --- a/Makefile +++ b/Makefile @@ -125,14 +125,14 @@ test: all build/testdb/check-upgrade-path .PHONY: build/testdb/check-upgrade-path build/testdb/check-upgrade-path : build/testdb/go.dbscheme ql/lib/go.dbscheme - codeql dataset upgrade build/testdb --search-path upgrades + codeql dataset upgrade build/testdb --search-path ql/lib diff -q build/testdb/go.dbscheme ql/lib/go.dbscheme .PHONY: build/testdb/go.dbscheme -build/testdb/go.dbscheme: upgrades/initial/go.dbscheme +build/testdb/go.dbscheme: ql/lib/upgrades/initial/go.dbscheme rm -rf build/testdb echo >build/empty.trap - codeql dataset import -S upgrades/initial/go.dbscheme build/testdb build/empty.trap + codeql dataset import -S ql/lib/upgrades/initial/go.dbscheme build/testdb build/empty.trap .PHONY: sync-dataflow-libraries sync-dataflow-libraries: diff --git a/extractor/cli/go-autobuilder/go-autobuilder.go b/extractor/cli/go-autobuilder/go-autobuilder.go index d2306191370..daaf733f88a 100644 --- a/extractor/cli/go-autobuilder/go-autobuilder.go +++ b/extractor/cli/go-autobuilder/go-autobuilder.go @@ -374,7 +374,7 @@ func main() { log.Fatalf("Unable to create path transformer file: %s.", err.Error()) } defer os.Remove(pt.Name()) - _, err = pt.WriteString("#" + srcdir + "\n" + newdir + "//\n") + _, err = pt.WriteString("#" + realSrc + "\n" + newdir + "//\n") if err != nil { log.Fatalf("Unable to write path transformer file: %s.", err.Error()) } diff --git a/ql/examples/qlpack.yml b/ql/examples/qlpack.yml index 39eb537e673..b98541355f7 100644 --- a/ql/examples/qlpack.yml +++ b/ql/examples/qlpack.yml @@ -1,4 +1,4 @@ name: codeql/go-examples version: 0.0.2 dependencies: - codeql/go-all: ^0.0.2 + codeql/go-all: "*" diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 1b6b830ac7e..d2312e5b151 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -4,5 +4,4 @@ groups: go dbscheme: go.dbscheme extractor: go library: true -dependencies: - codeql/go-upgrades: ~0.0.3 +upgrades: upgrades diff --git a/ql/lib/semmle/go/StringOps.qll b/ql/lib/semmle/go/StringOps.qll index 45fdca6a7f7..70f83328c05 100644 --- a/ql/lib/semmle/go/StringOps.qll +++ b/ql/lib/semmle/go/StringOps.qll @@ -166,6 +166,75 @@ module StringOps { } } + /** Provides predicates and classes for working with Printf-style formatters. */ + module Formatting { + /** + * Gets a regular expression for matching simple format-string components, including flags, + * width and precision specifiers, not including explicit argument indices. + */ + pragma[noinline] + private string getFormatComponentRegex() { + exists( + string literal, string opt_flag, string width, string prec, string opt_width_and_prec, + string operator, string verb + | + literal = "([^%]|%%)+" and + opt_flag = "[-+ #0]?" and + width = "\\d+|\\*" and + prec = "\\.(\\d+|\\*)" and + opt_width_and_prec = "(" + width + ")?(" + prec + ")?" and + operator = "[bcdeEfFgGoOpqstTxXUv]" and + verb = "(%" + opt_flag + opt_width_and_prec + operator + ")" + | + result = "(" + literal + "|" + verb + ")" + ) + } + + /** + * A function that performs string formatting in the same manner as `fmt.Printf` etc. + */ + abstract class Range extends Function { + /** + * Gets the parameter index of the format string. + */ + abstract int getFormatStringIndex(); + + /** + * Gets the parameter index of the first parameter to be formatted. + */ + abstract int getFirstFormattedParameterIndex(); + } + + /** + * A call to a `fmt.Printf`-style string formatting function. + */ + class StringFormatCall extends DataFlow::CallNode { + string fmt; + Range f; + + StringFormatCall() { + this = f.getACall() and + fmt = this.getArgument(f.getFormatStringIndex()).getStringValue() and + fmt.regexpMatch(getFormatComponentRegex() + "*") + } + + /** + * Gets the `n`th component of this format string. + */ + string getComponent(int n) { result = fmt.regexpFind(getFormatComponentRegex(), n, _) } + + /** + * Gets the `n`th argument formatted by this format call, where `formatDirective` specifies how it will be formatted. + */ + DataFlow::Node getOperand(int n, string formatDirective) { + formatDirective = this.getComponent(n) and + formatDirective.charAt(0) = "%" and + formatDirective.charAt(1) != "%" and + result = this.getArgument((n / 2) + f.getFirstFormattedParameterIndex()) + } + } + } + /** * A data-flow node that performs string concatenation. * @@ -233,29 +302,6 @@ module StringOps { } } - /** - * Gets a regular expression for matching simple format-string components, including flags, - * width and precision specifiers, but not including `*` specifiers or explicit argument - * indices. - */ - pragma[noinline] - private string getFormatComponentRegex() { - exists( - string literal, string opt_flag, string width, string prec, string opt_width_and_prec, - string operator, string verb - | - literal = "([^%]|%%)+" and - opt_flag = "[-+ #0]?" and - width = "\\d+|\\*" and - prec = "\\.(\\d+|\\*)" and - opt_width_and_prec = "(" + width + ")?(" + prec + ")?" and - operator = "[bcdeEfFgGoOpqstTxXUv]" and - verb = "(%" + opt_flag + opt_width_and_prec + operator + ")" - | - result = "(" + literal + "|" + verb + ")" - ) - } - /** * A call to `fmt.Sprintf`, considered as a string concatenation. * @@ -272,42 +318,25 @@ module StringOps { * node nor a string value. This is because verbs like `%q` perform additional string * transformations that we cannot easily represent. */ - private class SprintfConcat extends Range, DataFlow::CallNode { - string fmt; - - SprintfConcat() { - exists(Function sprintf | sprintf.hasQualifiedName("fmt", "Sprintf") | - this = sprintf.getACall() and - fmt = this.getArgument(0).getStringValue() and - fmt.regexpMatch(getFormatComponentRegex() + "*") - ) - } - - /** - * Gets the `n`th component of this format string. - */ - private string getComponent(int n) { - result = fmt.regexpFind(getFormatComponentRegex(), n, _) - } + private class SprintfConcat extends Range instanceof Formatting::StringFormatCall { + SprintfConcat() { this = any(Function f | f.hasQualifiedName("fmt", "Sprintf")).getACall() } override DataFlow::Node getOperand(int n) { - exists(int i, string part | part = "%s" or part = "%v" | - part = this.getComponent(n) and - i = n / 2 and - result = this.getArgument(i + 1) - ) + result = Formatting::StringFormatCall.super.getOperand(n, ["%s", "%v"]) } override string getOperandStringValue(int n) { result = Range.super.getOperandStringValue(n) or - exists(string cmp | cmp = this.getComponent(n) | + exists(string cmp | cmp = Formatting::StringFormatCall.super.getComponent(n) | (cmp.charAt(0) != "%" or cmp.charAt(1) = "%") and result = cmp.replaceAll("%%", "%") ) } - override int getNumOperand() { result = max(int i | exists(this.getComponent(i))) + 1 } + override int getNumOperand() { + result = max(int i | exists(Formatting::StringFormatCall.super.getComponent(i))) + 1 + } } /** diff --git a/ql/lib/semmle/go/frameworks/ElazarlGoproxy.qll b/ql/lib/semmle/go/frameworks/ElazarlGoproxy.qll index 0ab4e48375b..0d49431e72b 100644 --- a/ql/lib/semmle/go/frameworks/ElazarlGoproxy.qll +++ b/ql/lib/semmle/go/frameworks/ElazarlGoproxy.qll @@ -3,6 +3,7 @@ */ import go +private import semmle.go.StringOps /** * Provides classes for working with concepts relating to the [github.com/elazarl/goproxy](https://pkg.go.dev/github.com/elazarl/goproxy) package. @@ -108,8 +109,16 @@ module ElazarlGoproxy { } } + private class ProxyLogFunction extends StringOps::Formatting::Range, Method { + ProxyLogFunction() { this.hasQualifiedName(packagePath(), "ProxyCtx", ["Logf", "Warnf"]) } + + override int getFormatStringIndex() { result = 0 } + + override int getFirstFormattedParameterIndex() { result = 1 } + } + private class ProxyLog extends LoggerCall::Range, DataFlow::MethodCallNode { - ProxyLog() { this.getTarget().hasQualifiedName(packagePath(), "ProxyCtx", ["Logf", "Warnf"]) } + ProxyLog() { this.getTarget() instanceof ProxyLogFunction } override DataFlow::Node getAMessageComponent() { result = this.getAnArgument() } } diff --git a/ql/lib/semmle/go/frameworks/Glog.qll b/ql/lib/semmle/go/frameworks/Glog.qll index fbcda396d82..70b117a71e6 100644 --- a/ql/lib/semmle/go/frameworks/Glog.qll +++ b/ql/lib/semmle/go/frameworks/Glog.qll @@ -4,34 +4,53 @@ */ import go +private import semmle.go.StringOps /** * Provides models of commonly used functions in the `github.com/golang/glog` packages and its * forks. */ module Glog { - private class GlogCall extends LoggerCall::Range, DataFlow::CallNode { + private class GlogFunction extends Function { int firstPrintedArg; - GlogCall() { - exists(string pkg, Function f, string fn, string level | + GlogFunction() { + exists(string pkg, string fn, string level | pkg = package(["github.com/golang/glog", "gopkg.in/glog", "k8s.io/klog"], "") and level = ["Error", "Exit", "Fatal", "Info", "Warning"] and ( fn = level + ["", "f", "ln"] and firstPrintedArg = 0 or fn = level + "Depth" and firstPrintedArg = 1 - ) and - this = f.getACall() + ) | - f.hasQualifiedName(pkg, fn) + this.hasQualifiedName(pkg, fn) or - f.(Method).hasQualifiedName(pkg, "Verbose", fn) + this.(Method).hasQualifiedName(pkg, "Verbose", fn) ) } + /** + * Gets the index of the first argument that may be output, including a format string if one is present. + */ + int getFirstPrintedArg() { result = firstPrintedArg } + } + + private class StringFormatter extends StringOps::Formatting::Range instanceof GlogFunction { + StringFormatter() { this.getName().matches("%f") } + + override int getFormatStringIndex() { result = super.getFirstPrintedArg() } + + override int getFirstFormattedParameterIndex() { result = super.getFirstPrintedArg() + 1 } + } + + private class GlogCall extends LoggerCall::Range, DataFlow::CallNode { + GlogFunction callee; + + GlogCall() { this = callee.getACall() } + override DataFlow::Node getAMessageComponent() { - result = this.getArgument(any(int i | i >= firstPrintedArg)) + result = this.getArgument(any(int i | i >= callee.getFirstPrintedArg())) } } } diff --git a/ql/lib/semmle/go/frameworks/Logrus.qll b/ql/lib/semmle/go/frameworks/Logrus.qll index 2daa1370a93..9255b6767b5 100644 --- a/ql/lib/semmle/go/frameworks/Logrus.qll +++ b/ql/lib/semmle/go/frameworks/Logrus.qll @@ -1,6 +1,7 @@ /** Provides models of commonly used functions in the `github.com/sirupsen/logrus` package. */ import go +private import semmle.go.StringOps /** Provides models of commonly used functions in the `github.com/sirupsen/logrus` package. */ module Logrus { @@ -22,14 +23,31 @@ module Logrus { result.regexpMatch("With(Context|Error|Fields?|Time)") } - private class LogCall extends LoggerCall::Range, DataFlow::CallNode { - LogCall() { + private class LogFunction extends Function { + LogFunction() { exists(string name | name = getALogResultName() or name = getAnEntryUpdatingMethodName() | - this.getTarget().hasQualifiedName(packagePath(), name) or - this.getTarget().(Method).hasQualifiedName(packagePath(), ["Entry", "Logger"], name) + this.hasQualifiedName(packagePath(), name) or + this.(Method).hasQualifiedName(packagePath(), ["Entry", "Logger"], name) ) } + } + + private class LogCall extends LoggerCall::Range, DataFlow::CallNode { + LogCall() { this = any(LogFunction f).getACall() } override DataFlow::Node getAMessageComponent() { result = this.getAnArgument() } } + + private class StringFormatters extends StringOps::Formatting::Range instanceof LogFunction { + int argOffset; + + StringFormatters() { + this.getName().matches("%f") and + if this.getName() = "Logf" then argOffset = 1 else argOffset = 0 + } + + override int getFormatStringIndex() { result = argOffset } + + override int getFirstFormattedParameterIndex() { result = argOffset + 1 } + } } diff --git a/ql/lib/semmle/go/frameworks/Spew.qll b/ql/lib/semmle/go/frameworks/Spew.qll index ec722a1e86c..92c96d27c73 100644 --- a/ql/lib/semmle/go/frameworks/Spew.qll +++ b/ql/lib/semmle/go/frameworks/Spew.qll @@ -3,6 +3,7 @@ */ import go +private import semmle.go.StringOps /** * Provides models of commonly used functions in the `github.com/davecgh/go-spew/spew` package. @@ -11,21 +12,37 @@ module Spew { /** Gets the package path `github.com/davecgh/go-spew/spew`. */ private string packagePath() { result = package("github.com/davecgh/go-spew", "spew") } - private class SpewCall extends LoggerCall::Range, DataFlow::CallNode { + private class SpewFunction extends Function { int firstPrintedArg; - SpewCall() { + SpewFunction() { exists(string fn | fn in ["Dump", "Errorf", "Print", "Printf", "Println"] and firstPrintedArg = 0 or fn in ["Fdump", "Fprint", "Fprintf", "Fprintln"] and firstPrintedArg = 1 | - this.getTarget().hasQualifiedName(packagePath(), fn) + this.hasQualifiedName(packagePath(), fn) ) } + int getFirstPrintedArg() { result = firstPrintedArg } + } + + private class StringFormatter extends StringOps::Formatting::Range instanceof SpewFunction { + StringFormatter() { this.getName().matches("%f") } + + override int getFormatStringIndex() { result = super.getFirstPrintedArg() } + + override int getFirstFormattedParameterIndex() { result = super.getFirstPrintedArg() + 1 } + } + + private class SpewCall extends LoggerCall::Range, DataFlow::CallNode { + SpewFunction target; + + SpewCall() { this = target.getACall() } + override DataFlow::Node getAMessageComponent() { - result = this.getArgument(any(int i | i >= firstPrintedArg)) + result = this.getArgument(any(int i | i >= target.getFirstPrintedArg())) } } diff --git a/ql/lib/semmle/go/frameworks/Zap.qll b/ql/lib/semmle/go/frameworks/Zap.qll index c66e120e6ee..75366c18962 100644 --- a/ql/lib/semmle/go/frameworks/Zap.qll +++ b/ql/lib/semmle/go/frameworks/Zap.qll @@ -3,6 +3,7 @@ */ import go +private import semmle.go.StringOps /** * Provides models of commonly used functions in the `go.uber.org/zap` package. @@ -14,6 +15,28 @@ module Zap { /** Gets a suffix for a method on `zap.SugaredLogger`. */ private string getSuffix() { result in ["", "f", "w"] } + private class ZapFunction extends Method { + ZapFunction() { + exists(string fn | fn in ["DPanic", "Debug", "Error", "Fatal", "Info", "Panic", "Warn"] | + this.hasQualifiedName(packagePath(), "Logger", fn) + or + this.hasQualifiedName(packagePath(), "SugaredLogger", fn + getSuffix()) + ) + or + this.hasQualifiedName(packagePath(), "Logger", ["Named", "With", "WithOptions"]) + or + this.hasQualifiedName(packagePath(), "SugaredLogger", ["Named", "With"]) + } + } + + private class ZapFormatter extends StringOps::Formatting::Range instanceof ZapFunction { + ZapFormatter() { this.getName().matches("%f") } + + override int getFormatStringIndex() { result = 0 } + + override int getFirstFormattedParameterIndex() { result = 1 } + } + /** * A call to a logger function in Zap. * @@ -21,17 +44,7 @@ module Zap { * function is called are included. */ private class ZapCall extends LoggerCall::Range, DataFlow::MethodCallNode { - ZapCall() { - exists(string fn | fn in ["DPanic", "Debug", "Error", "Fatal", "Info", "Panic", "Warn"] | - this.getTarget().hasQualifiedName(packagePath(), "Logger", fn) - or - this.getTarget().hasQualifiedName(packagePath(), "SugaredLogger", fn + getSuffix()) - ) - or - this.getTarget().hasQualifiedName(packagePath(), "Logger", ["Named", "With", "WithOptions"]) - or - this.getTarget().hasQualifiedName(packagePath(), "SugaredLogger", ["Named", "With"]) - } + ZapCall() { this = any(ZapFunction f).getACall() } override DataFlow::Node getAMessageComponent() { result = this.getAnArgument() } } diff --git a/ql/lib/semmle/go/frameworks/stdlib/Fmt.qll b/ql/lib/semmle/go/frameworks/stdlib/Fmt.qll index e634a82a863..0f4dc079d79 100644 --- a/ql/lib/semmle/go/frameworks/stdlib/Fmt.qll +++ b/ql/lib/semmle/go/frameworks/stdlib/Fmt.qll @@ -3,6 +3,7 @@ */ import go +private import semmle.go.StringOps /** Provides models of commonly used functions in the `fmt` package. */ module Fmt { @@ -29,19 +30,11 @@ module Fmt { Printer() { this.hasQualifiedName("fmt", ["Print", "Printf", "Println"]) } } - /** A call to `Print`, `Fprint`, or similar. */ + /** A call to `Print` or similar. */ private class PrintCall extends LoggerCall::Range, DataFlow::CallNode { - int firstPrintedArg; + PrintCall() { this.getTarget() instanceof Printer } - PrintCall() { - this.getTarget() instanceof Printer and firstPrintedArg = 0 - or - this.getTarget() instanceof Fprinter and firstPrintedArg = 1 - } - - override DataFlow::Node getAMessageComponent() { - result = this.getArgument(any(int i | i >= firstPrintedArg)) - } + override DataFlow::Node getAMessageComponent() { result = this.getAnArgument() } } /** The `Fprint` function or one of its variants. */ @@ -62,6 +55,25 @@ module Fmt { } } + private class FmtStringFormatter extends StringOps::Formatting::Range { + int argOffset; + + FmtStringFormatter() { + exists(string fname | + this.hasQualifiedName("fmt", fname) and + ( + fname = ["Printf", "Sprintf"] and argOffset = 0 + or + fname = "Fprintf" and argOffset = 1 + ) + ) + } + + override int getFormatStringIndex() { result = argOffset } + + override int getFirstFormattedParameterIndex() { result = argOffset + 1 } + } + /** The `Sscan` function or one of its variants. */ private class Sscanner extends TaintTracking::FunctionModel { FunctionInput inp; diff --git a/ql/lib/semmle/go/frameworks/stdlib/Log.qll b/ql/lib/semmle/go/frameworks/stdlib/Log.qll index 11e1814c3ab..54b1612e6eb 100644 --- a/ql/lib/semmle/go/frameworks/stdlib/Log.qll +++ b/ql/lib/semmle/go/frameworks/stdlib/Log.qll @@ -3,17 +3,30 @@ */ import go +private import semmle.go.StringOps /** Provides models of commonly used functions in the `log` package. */ module Log { - private class LogCall extends LoggerCall::Range, DataFlow::CallNode { - LogCall() { + private class LogFunction extends Function { + LogFunction() { exists(string fn | fn.matches(["Fatal%", "Panic%", "Print%"]) | - this.getTarget().hasQualifiedName("log", fn) + this.hasQualifiedName("log", fn) or - this.getTarget().(Method).hasQualifiedName("log", "Logger", fn) + this.(Method).hasQualifiedName("log", "Logger", fn) ) } + } + + private class LogFormatter extends StringOps::Formatting::Range instanceof LogFunction { + LogFormatter() { this.getName().matches("%f") } + + override int getFormatStringIndex() { result = 0 } + + override int getFirstFormattedParameterIndex() { result = 1 } + } + + private class LogCall extends LoggerCall::Range, DataFlow::CallNode { + LogCall() { this = any(LogFunction f).getACall() } override DataFlow::Node getAMessageComponent() { result = this.getAnArgument() } } diff --git a/ql/lib/semmle/go/security/LogInjectionCustomizations.qll b/ql/lib/semmle/go/security/LogInjectionCustomizations.qll index 091d8a65b8e..af0d07f288b 100644 --- a/ql/lib/semmle/go/security/LogInjectionCustomizations.qll +++ b/ql/lib/semmle/go/security/LogInjectionCustomizations.qll @@ -4,6 +4,7 @@ */ import go +private import semmle.go.StringOps /** * Provides extension points for customizing the data-flow tracking configuration for reasoning @@ -58,4 +59,20 @@ module LogInjection { ) } } + + /** + * An argument that is formatted using the `%q` directive, considered as a sanitizer + * for log injection. + * + * This formatting directive replaces newline characters with escape sequences. + */ + private class SafeFormatArgumentSanitizer extends Sanitizer { + SafeFormatArgumentSanitizer() { + exists(StringOps::Formatting::StringFormatCall call, string safeDirective | + this = call.getOperand(_, safeDirective) and + // Mark "%q" formats as safe, but not "%#q", which would preserve newline characters. + safeDirective.regexpMatch("%[^%#]*q") + ) + } + } } diff --git a/upgrades/2842941c6f9c6350b23351b33525fc5b19df4063/go.dbscheme b/ql/lib/upgrades/2842941c6f9c6350b23351b33525fc5b19df4063/go.dbscheme similarity index 100% rename from upgrades/2842941c6f9c6350b23351b33525fc5b19df4063/go.dbscheme rename to ql/lib/upgrades/2842941c6f9c6350b23351b33525fc5b19df4063/go.dbscheme diff --git a/upgrades/2842941c6f9c6350b23351b33525fc5b19df4063/old.dbscheme b/ql/lib/upgrades/2842941c6f9c6350b23351b33525fc5b19df4063/old.dbscheme similarity index 100% rename from upgrades/2842941c6f9c6350b23351b33525fc5b19df4063/old.dbscheme rename to ql/lib/upgrades/2842941c6f9c6350b23351b33525fc5b19df4063/old.dbscheme diff --git a/upgrades/2842941c6f9c6350b23351b33525fc5b19df4063/upgrade.properties b/ql/lib/upgrades/2842941c6f9c6350b23351b33525fc5b19df4063/upgrade.properties similarity index 100% rename from upgrades/2842941c6f9c6350b23351b33525fc5b19df4063/upgrade.properties rename to ql/lib/upgrades/2842941c6f9c6350b23351b33525fc5b19df4063/upgrade.properties diff --git a/upgrades/4affa49dbe2bbab1a33f0e3ea6b045116abbcfda/go.dbscheme b/ql/lib/upgrades/4affa49dbe2bbab1a33f0e3ea6b045116abbcfda/go.dbscheme similarity index 100% rename from upgrades/4affa49dbe2bbab1a33f0e3ea6b045116abbcfda/go.dbscheme rename to ql/lib/upgrades/4affa49dbe2bbab1a33f0e3ea6b045116abbcfda/go.dbscheme diff --git a/upgrades/4affa49dbe2bbab1a33f0e3ea6b045116abbcfda/old.dbscheme b/ql/lib/upgrades/4affa49dbe2bbab1a33f0e3ea6b045116abbcfda/old.dbscheme similarity index 100% rename from upgrades/4affa49dbe2bbab1a33f0e3ea6b045116abbcfda/old.dbscheme rename to ql/lib/upgrades/4affa49dbe2bbab1a33f0e3ea6b045116abbcfda/old.dbscheme diff --git a/upgrades/4affa49dbe2bbab1a33f0e3ea6b045116abbcfda/upgrade.properties b/ql/lib/upgrades/4affa49dbe2bbab1a33f0e3ea6b045116abbcfda/upgrade.properties similarity index 100% rename from upgrades/4affa49dbe2bbab1a33f0e3ea6b045116abbcfda/upgrade.properties rename to ql/lib/upgrades/4affa49dbe2bbab1a33f0e3ea6b045116abbcfda/upgrade.properties diff --git a/upgrades/b37faf5d62cccefad9fcfd8f5c026620097b2355/go.dbscheme b/ql/lib/upgrades/b37faf5d62cccefad9fcfd8f5c026620097b2355/go.dbscheme similarity index 100% rename from upgrades/b37faf5d62cccefad9fcfd8f5c026620097b2355/go.dbscheme rename to ql/lib/upgrades/b37faf5d62cccefad9fcfd8f5c026620097b2355/go.dbscheme diff --git a/upgrades/b37faf5d62cccefad9fcfd8f5c026620097b2355/old.dbscheme b/ql/lib/upgrades/b37faf5d62cccefad9fcfd8f5c026620097b2355/old.dbscheme similarity index 100% rename from upgrades/b37faf5d62cccefad9fcfd8f5c026620097b2355/old.dbscheme rename to ql/lib/upgrades/b37faf5d62cccefad9fcfd8f5c026620097b2355/old.dbscheme diff --git a/upgrades/b37faf5d62cccefad9fcfd8f5c026620097b2355/upgrade.properties b/ql/lib/upgrades/b37faf5d62cccefad9fcfd8f5c026620097b2355/upgrade.properties similarity index 100% rename from upgrades/b37faf5d62cccefad9fcfd8f5c026620097b2355/upgrade.properties rename to ql/lib/upgrades/b37faf5d62cccefad9fcfd8f5c026620097b2355/upgrade.properties diff --git a/upgrades/b9a2082d22aebdd102e11995a7cfd46e0268a813/go.dbscheme b/ql/lib/upgrades/b9a2082d22aebdd102e11995a7cfd46e0268a813/go.dbscheme similarity index 100% rename from upgrades/b9a2082d22aebdd102e11995a7cfd46e0268a813/go.dbscheme rename to ql/lib/upgrades/b9a2082d22aebdd102e11995a7cfd46e0268a813/go.dbscheme diff --git a/upgrades/b9a2082d22aebdd102e11995a7cfd46e0268a813/old.dbscheme b/ql/lib/upgrades/b9a2082d22aebdd102e11995a7cfd46e0268a813/old.dbscheme similarity index 100% rename from upgrades/b9a2082d22aebdd102e11995a7cfd46e0268a813/old.dbscheme rename to ql/lib/upgrades/b9a2082d22aebdd102e11995a7cfd46e0268a813/old.dbscheme diff --git a/upgrades/b9a2082d22aebdd102e11995a7cfd46e0268a813/upgrade.properties b/ql/lib/upgrades/b9a2082d22aebdd102e11995a7cfd46e0268a813/upgrade.properties similarity index 100% rename from upgrades/b9a2082d22aebdd102e11995a7cfd46e0268a813/upgrade.properties rename to ql/lib/upgrades/b9a2082d22aebdd102e11995a7cfd46e0268a813/upgrade.properties diff --git a/upgrades/bcb9599aba6c9ac4d617fac314b9a999b3a5b40e/go.dbscheme b/ql/lib/upgrades/bcb9599aba6c9ac4d617fac314b9a999b3a5b40e/go.dbscheme similarity index 100% rename from upgrades/bcb9599aba6c9ac4d617fac314b9a999b3a5b40e/go.dbscheme rename to ql/lib/upgrades/bcb9599aba6c9ac4d617fac314b9a999b3a5b40e/go.dbscheme diff --git a/upgrades/bcb9599aba6c9ac4d617fac314b9a999b3a5b40e/old.dbscheme b/ql/lib/upgrades/bcb9599aba6c9ac4d617fac314b9a999b3a5b40e/old.dbscheme similarity index 100% rename from upgrades/bcb9599aba6c9ac4d617fac314b9a999b3a5b40e/old.dbscheme rename to ql/lib/upgrades/bcb9599aba6c9ac4d617fac314b9a999b3a5b40e/old.dbscheme diff --git a/upgrades/bcb9599aba6c9ac4d617fac314b9a999b3a5b40e/upgrade.properties b/ql/lib/upgrades/bcb9599aba6c9ac4d617fac314b9a999b3a5b40e/upgrade.properties similarity index 100% rename from upgrades/bcb9599aba6c9ac4d617fac314b9a999b3a5b40e/upgrade.properties rename to ql/lib/upgrades/bcb9599aba6c9ac4d617fac314b9a999b3a5b40e/upgrade.properties diff --git a/upgrades/bcbec1b0e44ae4365dd4e5bade5aec80135a4a00/go.dbscheme b/ql/lib/upgrades/bcbec1b0e44ae4365dd4e5bade5aec80135a4a00/go.dbscheme similarity index 100% rename from upgrades/bcbec1b0e44ae4365dd4e5bade5aec80135a4a00/go.dbscheme rename to ql/lib/upgrades/bcbec1b0e44ae4365dd4e5bade5aec80135a4a00/go.dbscheme diff --git a/upgrades/bcbec1b0e44ae4365dd4e5bade5aec80135a4a00/old.dbscheme b/ql/lib/upgrades/bcbec1b0e44ae4365dd4e5bade5aec80135a4a00/old.dbscheme similarity index 100% rename from upgrades/bcbec1b0e44ae4365dd4e5bade5aec80135a4a00/old.dbscheme rename to ql/lib/upgrades/bcbec1b0e44ae4365dd4e5bade5aec80135a4a00/old.dbscheme diff --git a/upgrades/bcbec1b0e44ae4365dd4e5bade5aec80135a4a00/upgrade.properties b/ql/lib/upgrades/bcbec1b0e44ae4365dd4e5bade5aec80135a4a00/upgrade.properties similarity index 100% rename from upgrades/bcbec1b0e44ae4365dd4e5bade5aec80135a4a00/upgrade.properties rename to ql/lib/upgrades/bcbec1b0e44ae4365dd4e5bade5aec80135a4a00/upgrade.properties diff --git a/upgrades/ee5c327face2866a7b3b12dcce5c291be52ebf52/go.dbscheme b/ql/lib/upgrades/ee5c327face2866a7b3b12dcce5c291be52ebf52/go.dbscheme similarity index 100% rename from upgrades/ee5c327face2866a7b3b12dcce5c291be52ebf52/go.dbscheme rename to ql/lib/upgrades/ee5c327face2866a7b3b12dcce5c291be52ebf52/go.dbscheme diff --git a/upgrades/ee5c327face2866a7b3b12dcce5c291be52ebf52/old.dbscheme b/ql/lib/upgrades/ee5c327face2866a7b3b12dcce5c291be52ebf52/old.dbscheme similarity index 100% rename from upgrades/ee5c327face2866a7b3b12dcce5c291be52ebf52/old.dbscheme rename to ql/lib/upgrades/ee5c327face2866a7b3b12dcce5c291be52ebf52/old.dbscheme diff --git a/upgrades/ee5c327face2866a7b3b12dcce5c291be52ebf52/upgrade.properties b/ql/lib/upgrades/ee5c327face2866a7b3b12dcce5c291be52ebf52/upgrade.properties similarity index 100% rename from upgrades/ee5c327face2866a7b3b12dcce5c291be52ebf52/upgrade.properties rename to ql/lib/upgrades/ee5c327face2866a7b3b12dcce5c291be52ebf52/upgrade.properties diff --git a/upgrades/ee5c327face2866a7b3b12dcce5c291be52ebf52/upgrade_comment_groups.ql b/ql/lib/upgrades/ee5c327face2866a7b3b12dcce5c291be52ebf52/upgrade_comment_groups.ql similarity index 100% rename from upgrades/ee5c327face2866a7b3b12dcce5c291be52ebf52/upgrade_comment_groups.ql rename to ql/lib/upgrades/ee5c327face2866a7b3b12dcce5c291be52ebf52/upgrade_comment_groups.ql diff --git a/upgrades/f1263a745347568af228ad3ddb2decb142c3a1a8/go.dbscheme b/ql/lib/upgrades/f1263a745347568af228ad3ddb2decb142c3a1a8/go.dbscheme similarity index 100% rename from upgrades/f1263a745347568af228ad3ddb2decb142c3a1a8/go.dbscheme rename to ql/lib/upgrades/f1263a745347568af228ad3ddb2decb142c3a1a8/go.dbscheme diff --git a/upgrades/f1263a745347568af228ad3ddb2decb142c3a1a8/old.dbscheme b/ql/lib/upgrades/f1263a745347568af228ad3ddb2decb142c3a1a8/old.dbscheme similarity index 100% rename from upgrades/f1263a745347568af228ad3ddb2decb142c3a1a8/old.dbscheme rename to ql/lib/upgrades/f1263a745347568af228ad3ddb2decb142c3a1a8/old.dbscheme diff --git a/upgrades/f1263a745347568af228ad3ddb2decb142c3a1a8/upgrade.properties b/ql/lib/upgrades/f1263a745347568af228ad3ddb2decb142c3a1a8/upgrade.properties similarity index 100% rename from upgrades/f1263a745347568af228ad3ddb2decb142c3a1a8/upgrade.properties rename to ql/lib/upgrades/f1263a745347568af228ad3ddb2decb142c3a1a8/upgrade.properties diff --git a/upgrades/f7fb4ff6229adffa2c2c4238ef72c82359d56be4/go.dbscheme b/ql/lib/upgrades/f7fb4ff6229adffa2c2c4238ef72c82359d56be4/go.dbscheme similarity index 100% rename from upgrades/f7fb4ff6229adffa2c2c4238ef72c82359d56be4/go.dbscheme rename to ql/lib/upgrades/f7fb4ff6229adffa2c2c4238ef72c82359d56be4/go.dbscheme diff --git a/upgrades/f7fb4ff6229adffa2c2c4238ef72c82359d56be4/old.dbscheme b/ql/lib/upgrades/f7fb4ff6229adffa2c2c4238ef72c82359d56be4/old.dbscheme similarity index 100% rename from upgrades/f7fb4ff6229adffa2c2c4238ef72c82359d56be4/old.dbscheme rename to ql/lib/upgrades/f7fb4ff6229adffa2c2c4238ef72c82359d56be4/old.dbscheme diff --git a/upgrades/f7fb4ff6229adffa2c2c4238ef72c82359d56be4/upgrade.properties b/ql/lib/upgrades/f7fb4ff6229adffa2c2c4238ef72c82359d56be4/upgrade.properties similarity index 100% rename from upgrades/f7fb4ff6229adffa2c2c4238ef72c82359d56be4/upgrade.properties rename to ql/lib/upgrades/f7fb4ff6229adffa2c2c4238ef72c82359d56be4/upgrade.properties diff --git a/upgrades/ffced433fce33521f90c1b6c66b611902cdceac2/go.dbscheme b/ql/lib/upgrades/ffced433fce33521f90c1b6c66b611902cdceac2/go.dbscheme similarity index 100% rename from upgrades/ffced433fce33521f90c1b6c66b611902cdceac2/go.dbscheme rename to ql/lib/upgrades/ffced433fce33521f90c1b6c66b611902cdceac2/go.dbscheme diff --git a/upgrades/ffced433fce33521f90c1b6c66b611902cdceac2/old.dbscheme b/ql/lib/upgrades/ffced433fce33521f90c1b6c66b611902cdceac2/old.dbscheme similarity index 100% rename from upgrades/ffced433fce33521f90c1b6c66b611902cdceac2/old.dbscheme rename to ql/lib/upgrades/ffced433fce33521f90c1b6c66b611902cdceac2/old.dbscheme diff --git a/upgrades/ffced433fce33521f90c1b6c66b611902cdceac2/upgrade.properties b/ql/lib/upgrades/ffced433fce33521f90c1b6c66b611902cdceac2/upgrade.properties similarity index 100% rename from upgrades/ffced433fce33521f90c1b6c66b611902cdceac2/upgrade.properties rename to ql/lib/upgrades/ffced433fce33521f90c1b6c66b611902cdceac2/upgrade.properties diff --git a/upgrades/initial/go.dbscheme b/ql/lib/upgrades/initial/go.dbscheme similarity index 100% rename from upgrades/initial/go.dbscheme rename to ql/lib/upgrades/initial/go.dbscheme diff --git a/ql/test/query-tests/Security/CWE-117/LogInjection.go b/ql/test/query-tests/Security/CWE-117/LogInjection.go index 7beb055ad9a..b6dc9724759 100644 --- a/ql/test/query-tests/Security/CWE-117/LogInjection.go +++ b/ql/test/query-tests/Security/CWE-117/LogInjection.go @@ -32,12 +32,12 @@ func handler(req *http.Request, ctx *goproxy.ProxyCtx) { testFlag := req.URL.Query()["testFlag"][0] { - fmt.Print(username) // $ hasTaintFlow="username" - fmt.Printf(username) // $ hasTaintFlow="username" - fmt.Println(username) // $ hasTaintFlow="username" - fmt.Fprint(nil, username) // $ hasTaintFlow="username" - fmt.Fprintf(nil, username) // $ hasTaintFlow="username" - fmt.Fprintln(nil, username) // $ hasTaintFlow="username" + fmt.Print(username) // $ hasTaintFlow="username" + fmt.Printf(username) // $ hasTaintFlow="username" + fmt.Println(username) // $ hasTaintFlow="username" + fmt.Fprint(nil, username) // Fprint functions are only loggers if they target stdout/stderr + fmt.Fprintf(nil, username) + fmt.Fprintln(nil, username) } // log { @@ -377,3 +377,190 @@ func handlerGood2(req *http.Request) { escapedUsername = strings.ReplaceAll(escapedUsername, "\r", "") log.Printf("user %s logged in.\n", escapedUsername) } + +// GOOD: User-provided values formatted using a %q directive, which escapes newlines +func handlerGood3(req *http.Request, ctx *goproxy.ProxyCtx) { + username := req.URL.Query()["username"][0] + testFlag := req.URL.Query()["testFlag"][0] + log.Printf("user %q logged in.\n", username) + // Flags shouldn't make a difference... + log.Printf("user %-50q logged in.\n", username) + // Except for the '#' flag that retains newlines, emitting a backtick-delimited string: + log.Printf("user %#10q logged in.\n", username) // $ hasTaintFlow="username" + + // Check this works with fmt: + log.Print(fmt.Sprintf("user %q logged in.\n", username)) + log.Print(fmt.Sprintf("user %-50q logged in.\n", username)) + log.Print(fmt.Sprintf("user %#10q logged in.\n", username)) // $ hasTaintFlow="call to Sprintf" + + // Check this works with a variety of other loggers: + // k8s.io/klog + { + verbose := klog.V(0) + verbose.Infof("user %q logged in.\n", username) + klog.Infof("user %q logged in.\n", username) + klog.Errorf("user %q logged in.\n", username) + klog.Fatalf("user %q logged in.\n", username) + klog.Exitf("user %q logged in.\n", username) + } + // elazarl/goproxy + { + ctx.Logf("user %q logged in.\n", username) + ctx.Warnf("user %q logged in.\n", username) + } + // golang/glog + { + verbose := glog.V(0) + verbose.Infof("user %q logged in.\n", username) + + glog.Infof("user %q logged in.\n", username) + glog.Errorf("user %q logged in.\n", username) + glog.Fatalf("user %q logged in.\n", username) + glog.Exitf("user %q logged in.\n", username) + } + // sirupsen/logrus + { + logrus.Debugf("user %q logged in.\n", username) + logrus.Errorf("user %q logged in.\n", username) + logrus.Fatalf("user %q logged in.\n", username) + logrus.Infof("user %q logged in.\n", username) + logrus.Panicf("user %q logged in.\n", username) + logrus.Printf("user %q logged in.\n", username) + logrus.Tracef("user %q logged in.\n", username) + logrus.Warnf("user %q logged in.\n", username) + logrus.Warningf("user %q logged in.\n", username) + + fields := make(logrus.Fields) + entry := logrus.WithFields(fields) + entry.Debugf("user %q logged in.\n", username) + entry.Errorf("user %q logged in.\n", username) + entry.Fatalf("user %q logged in.\n", username) + entry.Infof("user %q logged in.\n", username) + entry.Logf(0, "user %q logged in.\n", username) + entry.Panicf("user %q logged in.\n", username) + entry.Printf("user %q logged in.\n", username) + entry.Tracef("user %q logged in.\n", username) + entry.Warnf("user %q logged in.\n", username) + entry.Warningf("user %q logged in.\n", username) + + logger := entry.Logger + logger.Debugf("user %q logged in.\n", username) + logger.Errorf("user %q logged in.\n", username) + logger.Fatalf("user %q logged in.\n", username) + logger.Infof("user %q logged in.\n", username) + logger.Logf(0, "user %q logged in.\n", username) + logger.Panicf("user %q logged in.\n", username) + logger.Printf("user %q logged in.\n", username) + logger.Tracef("user %q logged in.\n", username) + logger.Warnf("user %q logged in.\n", username) + logger.Warningf("user %q logged in.\n", username) + } + // davecgh/go-spew/spew + { + spew.Errorf("user %q logged in.\n", username) + spew.Printf("user %q logged in.\n", username) + spew.Fprintf(nil, "user %q logged in.\n", username) + } + // zap + { + logger, _ := zap.NewProduction() + sLogger := logger.Sugar() + sLogger.DPanicf("user %q logged in.\n", username) + sLogger.Debugf("user %q logged in.\n", username) + sLogger.Errorf("user %q logged in.\n", username) + if testFlag == " true" { + sLogger.Fatalf("user %q logged in.\n", username) + } + sLogger.Infof("user %q logged in.\n", username) + if testFlag == " true" { + sLogger.Panicf("user %q logged in.\n", username) + } + sLogger.Warnf("user %q logged in.\n", username) + } + + // Check those same loggers recognise that %#q is still dangerous: + // k8s.io/klog + { + verbose := klog.V(0) + verbose.Infof("user %#q logged in.\n", username) // $ hasTaintFlow="username" + klog.Infof("user %#q logged in.\n", username) // $ hasTaintFlow="username" + klog.Errorf("user %#q logged in.\n", username) // $ hasTaintFlow="username" + klog.Fatalf("user %#q logged in.\n", username) // $ hasTaintFlow="username" + klog.Exitf("user %#q logged in.\n", username) // $ hasTaintFlow="username" + } + // elazarl/goproxy + { + ctx.Logf("user %#q logged in.\n", username) // $ hasTaintFlow="username" + ctx.Warnf("user %#q logged in.\n", username) // $ hasTaintFlow="username" + } + // golang/glog + { + verbose := glog.V(0) + verbose.Infof("user %#q logged in.\n", username) // $ hasTaintFlow="username" + + glog.Infof("user %#q logged in.\n", username) // $ hasTaintFlow="username" + glog.Errorf("user %#q logged in.\n", username) // $ hasTaintFlow="username" + glog.Fatalf("user %#q logged in.\n", username) // $ hasTaintFlow="username" + glog.Exitf("user %#q logged in.\n", username) // $ hasTaintFlow="username" + } + // sirupsen/logrus + { + logrus.Debugf("user %#q logged in.\n", username) // $ hasTaintFlow="username" + logrus.Errorf("user %#q logged in.\n", username) // $ hasTaintFlow="username" + logrus.Fatalf("user %#q logged in.\n", username) // $ hasTaintFlow="username" + logrus.Infof("user %#q logged in.\n", username) // $ hasTaintFlow="username" + logrus.Panicf("user %#q logged in.\n", username) // $ hasTaintFlow="username" + logrus.Printf("user %#q logged in.\n", username) // $ hasTaintFlow="username" + logrus.Tracef("user %#q logged in.\n", username) // $ hasTaintFlow="username" + logrus.Warnf("user %#q logged in.\n", username) // $ hasTaintFlow="username" + logrus.Warningf("user %#q logged in.\n", username) // $ hasTaintFlow="username" + + fields := make(logrus.Fields) + entry := logrus.WithFields(fields) + entry.Debugf("user %#q logged in.\n", username) // $ hasTaintFlow="username" + entry.Errorf("user %#q logged in.\n", username) // $ hasTaintFlow="username" + entry.Fatalf("user %#q logged in.\n", username) // $ hasTaintFlow="username" + entry.Infof("user %#q logged in.\n", username) // $ hasTaintFlow="username" + entry.Logf(0, "user %#q logged in.\n", username) // $ hasTaintFlow="username" + entry.Panicf("user %#q logged in.\n", username) // $ hasTaintFlow="username" + entry.Printf("user %#q logged in.\n", username) // $ hasTaintFlow="username" + entry.Tracef("user %#q logged in.\n", username) // $ hasTaintFlow="username" + entry.Warnf("user %#q logged in.\n", username) // $ hasTaintFlow="username" + entry.Warningf("user %#q logged in.\n", username) // $ hasTaintFlow="username" + + logger := entry.Logger + logger.Debugf("user %#q logged in.\n", username) // $ hasTaintFlow="username" + logger.Errorf("user %#q logged in.\n", username) // $ hasTaintFlow="username" + logger.Fatalf("user %#q logged in.\n", username) // $ hasTaintFlow="username" + logger.Infof("user %#q logged in.\n", username) // $ hasTaintFlow="username" + logger.Logf(0, "user %#q logged in.\n", username) // $ hasTaintFlow="username" + logger.Panicf("user %#q logged in.\n", username) // $ hasTaintFlow="username" + logger.Printf("user %#q logged in.\n", username) // $ hasTaintFlow="username" + logger.Tracef("user %#q logged in.\n", username) // $ hasTaintFlow="username" + logger.Warnf("user %#q logged in.\n", username) // $ hasTaintFlow="username" + logger.Warningf("user %#q logged in.\n", username) // $ hasTaintFlow="username" + } + // davecgh/go-spew/spew + { + spew.Errorf("user %#q logged in.\n", username) // $ hasTaintFlow="username" + spew.Printf("user %#q logged in.\n", username) // $ hasTaintFlow="username" + spew.Fprintf(nil, "user %#q logged in.\n", username) // $ hasTaintFlow="username" + } + // zap + { + logger, _ := zap.NewProduction() + sLogger := logger.Sugar() + sLogger.DPanicf("user %#q logged in.\n", username) // $ hasTaintFlow="username" + sLogger.Debugf("user %#q logged in.\n", username) // $ hasTaintFlow="username" + sLogger.Errorf("user %#q logged in.\n", username) // $ hasTaintFlow="username" + if testFlag == " true" { + sLogger.Fatalf("user %#q logged in.\n", username) // $ hasTaintFlow="username" + } + sLogger.Infof("user %#q logged in.\n", username) // $ hasTaintFlow="username" + if testFlag == " true" { + sLogger.Panicf("user %#q logged in.\n", username) // $ hasTaintFlow="username" + } + sLogger.Warnf("user %#q logged in.\n", username) // $ hasTaintFlow="username" + } + +} diff --git a/scripts/install-deps.sh b/scripts/install-deps.sh index 6453847f60f..321e92957d5 100755 --- a/scripts/install-deps.sh +++ b/scripts/install-deps.sh @@ -16,7 +16,7 @@ else exit 1 fi -for d in ql/lib ql/src ql/test ql/examples upgrades +for d in ql/lib ql/src ql/test ql/examples do codeql pack install --mode ${LOCK_MODE} "${GO_ROOT}/${d}" -done \ No newline at end of file +done diff --git a/upgrades/CHANGELOG.md b/upgrades/CHANGELOG.md deleted file mode 100644 index 9337e2fa750..00000000000 --- a/upgrades/CHANGELOG.md +++ /dev/null @@ -1,5 +0,0 @@ -## 0.0.5 - -## 0.0.4 - -## 0.0.3 diff --git a/upgrades/change-notes/released/0.0.3.md b/upgrades/change-notes/released/0.0.3.md deleted file mode 100644 index e47c9f5700e..00000000000 --- a/upgrades/change-notes/released/0.0.3.md +++ /dev/null @@ -1 +0,0 @@ -## 0.0.3 diff --git a/upgrades/change-notes/released/0.0.4.md b/upgrades/change-notes/released/0.0.4.md deleted file mode 100644 index 3268fefb272..00000000000 --- a/upgrades/change-notes/released/0.0.4.md +++ /dev/null @@ -1 +0,0 @@ -## 0.0.4 diff --git a/upgrades/change-notes/released/0.0.5.md b/upgrades/change-notes/released/0.0.5.md deleted file mode 100644 index 259776640e3..00000000000 --- a/upgrades/change-notes/released/0.0.5.md +++ /dev/null @@ -1 +0,0 @@ -## 0.0.5 diff --git a/upgrades/codeql-pack.release.yml b/upgrades/codeql-pack.release.yml deleted file mode 100644 index bb45a1ab018..00000000000 --- a/upgrades/codeql-pack.release.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -lastReleaseVersion: 0.0.5 diff --git a/upgrades/qlpack.lock.yml b/upgrades/qlpack.lock.yml deleted file mode 100644 index 06dd07fc7dc..00000000000 --- a/upgrades/qlpack.lock.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -dependencies: {} -compiled: false -lockVersion: 1.0.0 diff --git a/upgrades/qlpack.yml b/upgrades/qlpack.yml deleted file mode 100644 index 4564e50d918..00000000000 --- a/upgrades/qlpack.yml +++ /dev/null @@ -1,5 +0,0 @@ -name: codeql/go-upgrades -version: 0.0.6-dev -groups: go -upgrades: . -library: true