Non-initializing writes should target post-update nodes

Owen Mansel-Chan
2025-09-17 16:43:07 +01:00
parent 8a3bd8408b
commit cf6cfe2a1e
37 changed files with 374 additions and 258 deletions


@@ -118,6 +118,8 @@ module ControlFlow {
/** Gets the left-hand side of this write. */
IR::WriteTarget getLhs() { result = super.getLhs() }
private predicate isInitialization() { super.isInitialization() }
/** Gets the right-hand side of this write. */
DataFlow::Node getRhs() { super.getRhs() = result.asInstruction() }
@@ -134,13 +136,20 @@ module ControlFlow {
* Holds if this node sets the value of field `f` on `base` (or its implicit dereference) to
* `rhs`.
*
* For example, for the assignment `x.width = newWidth`, `base` is either the data-flow node
* corresponding to `x` or (if `x` is a pointer) the data-flow node corresponding to the
* implicit dereference `*x`, `f` is the field referenced by `width`, and `rhs` is the data-flow
* node corresponding to `newWidth`.
* For example, for the assignment `x.width = newWidth`, `base` is the post-update node of
* either the data-flow node corresponding to `x` or (if `x` is a pointer) the data-flow node
* corresponding to the implicit dereference `*x`, `f` is the field referenced by `width`, and
* `rhs` is the data-flow node corresponding to `newWidth`. If this `WriteNode` is a struct
* initialization then there is no need for a post-update node and `base` is the struct literal
* being initialized.
*/
predicate writesField(DataFlow::Node base, Field f, DataFlow::Node rhs) {
this.writesFieldInsn(base.asInstruction(), f, rhs.asInstruction())
exists(DataFlow::Node b | this.writesFieldInsn(b.asInstruction(), f, rhs.asInstruction()) |
this.isInitialization() and base = b
or
not this.isInitialization() and
b = base.(DataFlow::PostUpdateNode).getPreUpdateNode()
)
}
private predicate writesFieldInsn(IR::Instruction base, Field f, IR::Instruction rhs) {
@@ -158,13 +167,22 @@ module ControlFlow {
* Holds if this node sets the value of element `index` on `base` (or its implicit dereference)
* to `rhs`.
*
* For example, for the assignment `xs[i] = v`, `base` is either the data-flow node
* corresponding to `xs` or (if `xs` is a pointer) the data-flow node corresponding to the
* implicit dereference `*xs`, `index` is the data-flow node corresponding to `i`, and `rhs`
* is the data-flow node corresponding to `base`.
* For example, for the assignment `xs[i] = v`, `base` is the post-update node of the data-flow
* node corresponding to `xs` or (if `xs` is a pointer) the implicit dereference `*xs`, `index`
* is the data-flow node corresponding to `i`, and `rhs` is the data-flow node corresponding to
* `base`. If this `WriteNode` corresponds to the initialization of an array/slice/map then
* there is no need for a post-update node and `base` is the array/slice/map literal being
* initialized.
*/
predicate writesElement(DataFlow::Node base, DataFlow::Node index, DataFlow::Node rhs) {
this.writesElementInsn(base.asInstruction(), index.asInstruction(), rhs.asInstruction())
exists(DataFlow::Node b |
this.writesElementInsn(b.asInstruction(), index.asInstruction(), rhs.asInstruction())
|
this.isInitialization() and base = b
or
not this.isInitialization() and
b = base.(DataFlow::PostUpdateNode).getPreUpdateNode()
)
}
private predicate writesElementInsn(
@@ -184,7 +202,7 @@ module ControlFlow {
* Holds if this node sets any field or element of `base` to `rhs`.
*/
predicate writesComponent(DataFlow::Node base, DataFlow::Node rhs) {
this.writesComponentInstruction(base.asInstruction(), rhs.asInstruction())
this.writesElement(base, _, rhs) or this.writesField(base, _, rhs)
}
/**
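Review bot: The rewritten doc comment on `writesElement` still says `rhs` is "the data-flow node corresponding to `base`"; for the example `xs[i] = v` it should say `v`. The rewording also dropped the word "either" before the two alternatives for `base`, which the `writesField` comment keeps. `base` now means the post-update node for every non-initializing write, so the one-line comment on `writesComponent` should say so too, for example `Holds if this node sets any field or element of `base` (its post-update node, unless this is an initialization) to `rhs`.` The hunk ends on the opening `/**` of a comment that continues outside it.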


@@ -430,18 +430,24 @@ module IR {
*/
class WriteInstruction extends Instruction {
WriteTarget lhs;
Boolean initialization;
WriteInstruction() {
lhs = MkLhs(this, _)
(
lhs = MkLhs(this, _)
or
lhs = MkResultWriteTarget(this)
) and
initialization = false
or
lhs = MkLiteralElementTarget(this)
or
lhs = MkResultWriteTarget(this)
lhs = MkLiteralElementTarget(this) and initialization = true
}
/** Gets the target to which this instruction writes. */
WriteTarget getLhs() { result = lhs }
predicate isInitialization() { initialization = true }
/** Gets the instruction computing the value this instruction writes. */
Instruction getRhs() { none() }
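Review bot: The new public predicate `isInitialization()` and the `initialization` field have no QLDoc, while `getLhs()` and `getRhs()` beside them do. Going by the constructor, where only `MkLiteralElementTarget` sets `initialization = true`, a comment such as `/** Holds if this instruction initializes an element of a composite literal rather than updating an existing value. */` would fit. The same comment belongs on the private `isInitialization()` wrapper added to the `ControlFlow` write node. The class body continues outside the hunk.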


@@ -22,7 +22,7 @@ predicate containerStoreStep(Node node1, Node node2, Content c) {
t instanceof SliceType
) and
(
exists(Write w | w.writesElement(node2.(PostUpdateNode).getPreUpdateNode(), _, node1))
exists(Write w | w.writesElement(node2, _, node1))
or
node1 = node2.(ImplicitVarargsSlice).getCallNode().getAnImplicitVarargsArgument()
or
@@ -44,11 +44,11 @@ predicate containerStoreStep(Node node1, Node node2, Content c) {
or
c instanceof MapKeyContent and
t instanceof MapType and
exists(Write w | w.writesElement(node2.(PostUpdateNode).getPreUpdateNode(), node1, _))
exists(Write w | w.writesElement(node2, node1, _))
or
c instanceof MapValueContent and
t instanceof MapType and
exists(Write w | w.writesElement(node2.(PostUpdateNode).getPreUpdateNode(), _, node1))
exists(Write w | w.writesElement(node2, _, node1))
)
}


@@ -156,7 +156,7 @@ predicate storeStep(Node node1, ContentSet cs, Node node2) {
// which in turn flows into the pointer content of `p`
exists(Write w, Field f, DataFlow::Node base, DataFlow::Node rhs | w.writesField(base, f, rhs) |
node1 = rhs and
node2.(PostUpdateNode).getPreUpdateNode() = base and
node2 = base and
c = any(DataFlow::FieldContent fc | fc.getField() = f)
or
node1 = base and


@@ -437,13 +437,20 @@ module SourceSinkInterpretationInput implements
mid.asCallable() = getNodeEnclosingCallable(ret)
)
or
exists(SourceOrSinkElement e, DataFlow::Write fw, DataFlow::Node base, Field f |
exists(
SourceOrSinkElement e, DataFlow::Write fw, DataFlow::Node base, DataFlow::Node qual, Field f
|
e = mid.asElement() and
f = e.asFieldEntity()
|
c = "" and
fw.writesField(base, f, node.asNode()) and
pragma[only_bind_into](e) = getElementWithQualifier(f, base)
pragma[only_bind_into](e) = getElementWithQualifier(f, qual) and
(
qual = base.(PostUpdateNode).getPreUpdateNode()
or
not base instanceof PostUpdateNode and qual = base
)
)
or
// A package-scope (or universe-scope) variable
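Review bot: The disjunction that recovers the pre-update qualifier, `qual = base.(PostUpdateNode).getPreUpdateNode() or not base instanceof PostUpdateNode and qual = base`, is repeated verbatim in the GinCors and RsCors write classes, both TLS `isSink` predicates and `getValueForFieldWrite`. Other call sites in this commit use the shorter `[base, base.(DataFlow::PostUpdateNode).getPreUpdateNode()] = ...` form, which is only equivalent when the other side can never be a post-update node. A single member predicate next to `writesField` that binds the base as written in the source (the pre-update node, or the literal for an initialization) would stop each security query re-deriving this and drifting apart. A signature like `predicate writesFieldPreUpdate(DataFlow::Node base, Field f, DataFlow::Node rhs)` would cover these callers; the name is only a suggestion.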


@@ -144,7 +144,7 @@ predicate referenceStep(DataFlow::Node pred, DataFlow::Node succ) {
* `succ`.
*/
predicate elementWriteStep(DataFlow::Node pred, DataFlow::Node succ) {
any(DataFlow::Write w).writesElement(succ.(DataFlow::PostUpdateNode).getPreUpdateNode(), _, pred)
any(DataFlow::Write w).writesElement(succ, _, pred)
or
FlowSummaryImpl::Private::Steps::summaryStoreStep(pred.(DataFlowPrivate::FlowSummaryNode)
.getSummaryNode(), any(DataFlow::ArrayContent ac).asContentSet(),


@@ -25,10 +25,15 @@ module GinCors {
DataFlow::Node base;
AllowCredentialsWrite() {
exists(Field f, Write w |
exists(Field f, Write w, DataFlow::Node n |
f.hasQualifiedName(packagePath(), "Config", "AllowCredentials") and
w.writesField(base, f, this) and
this.getType() instanceof BoolType
w.writesField(n, f, this) and
this.getType() instanceof BoolType and
(
base = n.(DataFlow::PostUpdateNode).getPreUpdateNode()
or
not n instanceof DataFlow::PostUpdateNode and base = n
)
)
}
@@ -59,10 +64,15 @@ module GinCors {
DataFlow::Node base;
AllowOriginsWrite() {
exists(Field f, Write w |
exists(Field f, Write w, DataFlow::Node n |
f.hasQualifiedName(packagePath(), "Config", "AllowOrigins") and
w.writesField(base, f, this) and
this.asExpr() instanceof SliceLit
w.writesField(n, f, this) and
this.asExpr() instanceof SliceLit and
(
base = n.(DataFlow::PostUpdateNode).getPreUpdateNode()
or
not n instanceof DataFlow::PostUpdateNode and base = n
)
)
}
@@ -93,10 +103,15 @@ module GinCors {
DataFlow::Node base;
AllowAllOriginsWrite() {
exists(Field f, Write w |
exists(Field f, Write w, DataFlow::Node n |
f.hasQualifiedName(packagePath(), "Config", "AllowAllOrigins") and
w.writesField(base, f, this) and
this.getType() instanceof BoolType
w.writesField(n, f, this) and
this.getType() instanceof BoolType and
(
base = n.(DataFlow::PostUpdateNode).getPreUpdateNode()
or
not n instanceof DataFlow::PostUpdateNode and base = n
)
)
}
@@ -109,14 +124,9 @@ module GinCors {
* Get config variable holding header values
*/
override GinConfig getConfig() {
exists(GinConfig gc |
(
gc.getV().getBaseVariable().getDefinition().(SsaExplicitDefinition).getRhs() =
base.asInstruction() or
gc.getV().getAUse() = base
) and
result = gc
)
result.getV().getBaseVariable().getDefinition().(SsaExplicitDefinition).getRhs() =
base.asInstruction() or
result.getV().getAUse() = base
}
}


@@ -38,9 +38,8 @@ module NoSql {
*/
predicate isAdditionalMongoTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
// Taint an entry if the `Value` is tainted
exists(Write w, DataFlow::Node base, Field f | w.writesField(base, f, pred) |
base = succ.(DataFlow::PostUpdateNode).getPreUpdateNode() and
base.getType().hasQualifiedName(package("go.mongodb.org/mongo-driver", "bson/primitive"), "E") and
exists(Write w, Field f | w.writesField(succ, f, pred) |
succ.getType().hasQualifiedName(package("go.mongodb.org/mongo-driver", "bson/primitive"), "E") and
f.getName() = "Value"
)
}


@@ -64,11 +64,10 @@ module Protobuf {
*/
private class MarshalStateStep extends TaintTracking::AdditionalTaintStep {
override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
exists(DataFlow::PostUpdateNode marshalInput, DataFlow::CallNode marshalStateCall |
exists(DataFlow::Node marshalInput, DataFlow::CallNode marshalStateCall |
marshalStateCall = marshalStateMethod().getACall() and
// pred -> marshalInput.Message
any(DataFlow::Write w)
.writesField(marshalInput.getPreUpdateNode(), inputMessageField(), pred) and
any(DataFlow::Write w).writesField(marshalInput, inputMessageField(), pred) and
// marshalInput -> marshalStateCall
marshalStateCall.getArgument(0) = globalValueNumber(marshalInput).getANode() and
// marshalStateCall -> succ
@@ -142,10 +141,13 @@ module Protobuf {
private class WriteMessageFieldStep extends TaintTracking::AdditionalTaintStep {
override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
[succ.getType(), succ.getType().getPointerType()] instanceof MessageType and
exists(DataFlow::ReadNode base |
exists(DataFlow::Node n, DataFlow::ReadNode base |
succ.(DataFlow::PostUpdateNode).getPreUpdateNode() = getUnderlyingNode(base)
|
any(DataFlow::Write w).writesComponent(base, pred)
any(DataFlow::Write w).writesComponent(n, pred) and
// The below line only works because `base`'s type, `DataFlow::ReadNode`,
// is incompatible with `DataFlow::PostUpdateNode`.
base = [n, n.(DataFlow::PostUpdateNode).getPreUpdateNode()]
)
}
}
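Review bot: In `MarshalStateStep`, `marshalInput` is now whatever `writesField` binds as its base, which for a non-initializing write is a post-update node, and it is then passed to `globalValueNumber(marshalInput)`. Whether value numbering is defined for post-update nodes is not visible in this commit. If it is not, the step would stop matching an assignment to the message field followed by the marshal call, and taint through protobuf marshalling would be lost without any error. This is worth a test case, or the lookup could cover the pre-update node as before: `globalValueNumber([marshalInput, marshalInput.(DataFlow::PostUpdateNode).getPreUpdateNode()]).getANode()`.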


@@ -52,10 +52,15 @@ module RsCors {
DataFlow::Node base;
AllowCredentialsWrite() {
exists(Field f, Write w |
exists(Field f, Write w, DataFlow::Node n |
f.hasQualifiedName(packagePath(), "Options", "AllowCredentials") and
w.writesField(base, f, this) and
this.getType() instanceof BoolType
w.writesField(n, f, this) and
this.getType() instanceof BoolType and
(
base = n.(DataFlow::PostUpdateNode).getPreUpdateNode()
or
not n instanceof DataFlow::PostUpdateNode and base = n
)
)
}
@@ -80,10 +85,15 @@ module RsCors {
DataFlow::Node base;
AllowOriginsWrite() {
exists(Field f, Write w |
exists(Field f, Write w, DataFlow::Node n |
f.hasQualifiedName(packagePath(), "Options", "AllowedOrigins") and
w.writesField(base, f, this) and
this.asExpr() instanceof SliceLit
w.writesField(n, f, this) and
this.asExpr() instanceof SliceLit and
(
base = n.(DataFlow::PostUpdateNode).getPreUpdateNode()
or
not n instanceof DataFlow::PostUpdateNode and base = n
)
)
}
@@ -111,10 +121,15 @@ module RsCors {
DataFlow::Node base;
AllowAllOriginsWrite() {
exists(Field f, Write w |
exists(Field f, Write w, DataFlow::Node n |
f.hasQualifiedName(packagePath(), "Options", "AllowAllOrigins") and
w.writesField(base, f, this) and
this.getType() instanceof BoolType
w.writesField(n, f, this) and
this.getType() instanceof BoolType and
(
base = n.(DataFlow::PostUpdateNode).getPreUpdateNode()
or
not n instanceof DataFlow::PostUpdateNode and base = n
)
)
}


@@ -52,7 +52,13 @@ module NetHttp {
MapWrite() {
this.getType().hasQualifiedName("net/http", "Header") and
any(Write write).writesElement(this, index, rhs)
exists(Write write, DataFlow::Node base |
write.writesElement(base, index, rhs) and
// The following line works because `Http::HeaderWrite::Range` extends
// `DataFlow::ExprNode`, which is incompatible with
// `DataFlow::PostUpdateNode`.
this = [base, base.(DataFlow::PostUpdateNode).getPreUpdateNode()]
)
}
override DataFlow::Node getName() { result = index }


@@ -35,9 +35,7 @@ module CleartextLogging {
predicate isAdditionalFlowStep(DataFlow::Node src, DataFlow::Node trg) {
// A taint propagating data-flow edge through structs: a tainted write taints the entire struct.
exists(Write write |
write.writesField(trg.(DataFlow::PostUpdateNode).getPreUpdateNode(), _, src)
)
exists(Write write | write.writesField(trg, _, src))
or
// taint steps that do not include flow through fields. Field reads would produce FPs due to
// the additional taint step above that taints whole structs from individual field writes.


@@ -33,8 +33,8 @@ module OpenUrlRedirect {
any(AdditionalStep s).hasTaintStep(pred, succ)
or
// propagate to a URL when its host is assigned to
exists(Write w, Field f, SsaWithFields v | f.hasQualifiedName("net/url", "URL", "Host") |
w.writesField(v.getAUse(), f, pred) and succ = v.getAUse()
exists(Write w, Field f | f.hasQualifiedName("net/url", "URL", "Host") |
w.writesField(succ, f, pred)
)
or
// propagate out of most URL fields, but not `ForceQuery` and `Scheme`
@@ -49,7 +49,7 @@ module OpenUrlRedirect {
predicate isBarrierOut(DataFlow::Node node) {
// block propagation of this unsafe value when its host is overwritten
exists(Write w, Field f | f.hasQualifiedName("net/url", "URL", "Host") |
w.writesField(node.getASuccessor(), f, _)
w.writesField(node.(DataFlow::PostUpdateNode).getPreUpdateNode(), f, _)
)
or
hostnameSanitizingPrefixEdge(node, _)
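Review bot: The new `isBarrierOut` condition `w.writesField(node.(DataFlow::PostUpdateNode).getPreUpdateNode(), f, _)` passes a pre-update node as `base`, but after this commit `writesField` binds `base` to the post-update node for ordinary assignments. As written it appears able to match only initializing writes, so the barrier would no longer apply when `Host` is reassigned on an existing URL, which changes the open-redirect query's results. SafeUrlFlow's `isBarrierOut` in this same commit keeps the old meaning with `w.writesField(base, f, _) and [base, base.(DataFlow::PostUpdateNode).getPreUpdateNode()] = node.getASuccessor()`. Using that form here, with `DataFlow::Node base` added to the `exists`, would be consistent. The predicate body continues outside the hunk.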


@@ -90,9 +90,10 @@ module OpenUrlRedirect {
*/
class PathAssignmentBarrier extends Barrier, Read {
PathAssignmentBarrier() {
exists(Write w, SsaWithFields var |
exists(Write w, DataFlow::Node base, SsaWithFields var |
hasHostnameSanitizingSubstring(w.getRhs()) and
w.writesField(var.getAUse(), any(Field f | f.getName() = "Path"), _) and
w.writesField(base, any(Field f | f.getName() = "Path"), _) and
[base, base.(DataFlow::PostUpdateNode).getPreUpdateNode()] = var.getAUse() and
useIsDominated(var, w, this)
)
}


@@ -27,8 +27,12 @@ module RequestForgery {
predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
// propagate to a URL when its host is assigned to
exists(Write w, Field f, SsaWithFields v | f.hasQualifiedName("net/url", "URL", "Host") |
w.writesField(v.getAUse(), f, pred) and succ = v.getAUse()
exists(Write w, DataFlow::Node base, Field f, SsaWithFields v |
f.hasQualifiedName("net/url", "URL", "Host")
|
w.writesField(base, f, pred) and
[base, base.(DataFlow::PostUpdateNode).getPreUpdateNode()] = v.getAUse() and
succ = v.getAUse()
)
}
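Review bot: The "propagate to a URL when its host is assigned to" step is now written two ways across the security configurations. OpenUrlRedirect uses `w.writesField(succ, f, pred)`, so taint lands only on the post-update node of the write. This predicate, and the identical ones in SafeUrlFlow and ServerSideRequestForgery, still ends with `succ = v.getAUse()`, which by its name is any use of the variable and not just the written one. If the post-update form is enough for open redirect it is presumably enough here as well; otherwise a comment such as `// deliberately taints every use of v, not only the post-update node` should record why these three keep the broader step.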


@@ -23,17 +23,20 @@ module SafeUrlFlow {
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
// propagate to a URL when its host is assigned to
exists(Write w, Field f, SsaWithFields v | f.hasQualifiedName("net/url", "URL", "Host") |
w.writesField(v.getAUse(), f, node1) and node2 = v.getAUse()
exists(Write w, DataFlow::Node base, Field f, SsaWithFields v |
f.hasQualifiedName("net/url", "URL", "Host")
|
w.writesField(base, f, node1) and
[base, base.(DataFlow::PostUpdateNode).getPreUpdateNode()] = v.getAUse() and
node2 = v.getAUse()
)
}
predicate isBarrierOut(DataFlow::Node node) {
// block propagation of this safe value when its host is overwritten
exists(Write w, DataFlow::Node b, Field f |
f.hasQualifiedName("net/url", "URL", "Host") and
b = node.getASuccessor() and
w.writesField(b, f, _)
exists(Write w, DataFlow::Node base, Field f | f.hasQualifiedName("net/url", "URL", "Host") |
w.writesField(base, f, _) and
[base, base.(DataFlow::PostUpdateNode).getPreUpdateNode()] = node.getASuccessor()
)
or
node instanceof SanitizerEdge


@@ -86,10 +86,11 @@ Type getTypeEmbeddedViaPointer(Type t) {
result = getEmbeddedType*(getEmbeddedType(getEmbeddedType*(t), true))
}
from Write w, LocalVariable v, Field f
from Write w, DataFlow::Node base, LocalVariable v, Field f
where
// `w` writes `f` on `v`
w.writesField(v.getARead(), f, _) and
w.writesField(base, f, _) and
[base, base.(DataFlow::PostUpdateNode).getPreUpdateNode()] = v.getARead() and
// but `f` is never read on `v`
not exists(Read r | r.readsField(v.getARead(), f)) and
// exclude pointer-typed `v`; there may be reads through an alias


@@ -34,7 +34,7 @@ predicate becomesPartOf(DataFlow::Node part, DataFlow::Node whole) {
or
whole.(DataFlow::AddressOperationNode).getOperand() = part
or
exists(Write w | w.writesField(whole.(DataFlow::PostUpdateNode).getPreUpdateNode(), _, part))
exists(Write w | w.writesField(whole, _, part))
}
/**


@@ -98,8 +98,15 @@ predicate hostCheckReachesSink(Flow::PathNode sink) {
Flow::flowPath(source, otherSink) and
Config::writeIsSink(sink.getNode(), sinkWrite) and
Config::writeIsSink(otherSink.getNode(), otherSinkWrite) and
sinkWrite.writesField(sinkAccessPath.getAUse(), _, sink.getNode()) and
otherSinkWrite.writesField(otherSinkAccessPath.getAUse(), _, otherSink.getNode()) and
exists(DataFlow::Node base1 |
sinkWrite.writesField(base1, _, sink.getNode()) and
[base1, base1.(DataFlow::PostUpdateNode).getPreUpdateNode()] = sinkAccessPath.getAUse()
) and
exists(DataFlow::Node base2 |
otherSinkWrite.writesField(base2, _, otherSink.getNode()) and
[base2, base2.(DataFlow::PostUpdateNode).getPreUpdateNode()] =
otherSinkAccessPath.getAUse()
) and
otherSinkAccessPath = sinkAccessPath.similar()
)
)


@@ -65,7 +65,11 @@ module TlsVersionFlowConfig implements DataFlow::ConfigSig {
*/
additional predicate isSink(DataFlow::Node sink, Field fld, DataFlow::Node base, Write fieldWrite) {
fld.hasQualifiedName("crypto/tls", "Config", ["MinVersion", "MaxVersion"]) and
fieldWrite.writesField(base, fld, sink)
exists(DataFlow::Node n | fieldWrite.writesField(n, fld, sink) |
base = n.(DataFlow::PostUpdateNode).getPreUpdateNode()
or
not n instanceof DataFlow::PostUpdateNode and base = n
)
}
predicate isSource(DataFlow::Node source) { intIsSource(source, _) }
@@ -190,7 +194,11 @@ module TlsInsecureCipherSuitesFlowConfig implements DataFlow::ConfigSig {
*/
additional predicate isSink(DataFlow::Node sink, Field fld, DataFlow::Node base, Write fieldWrite) {
fld.hasQualifiedName("crypto/tls", "Config", "CipherSuites") and
fieldWrite.writesField(base, fld, sink)
exists(DataFlow::Node n | fieldWrite.writesField(n, fld, sink) |
base = n.(DataFlow::PostUpdateNode).getPreUpdateNode()
or
not n instanceof DataFlow::PostUpdateNode and base = n
)
}
predicate isSink(DataFlow::Node sink) { isSink(sink, _, _, _) }


@@ -61,7 +61,7 @@ predicate isUrlTaintingConfigStep(DataFlow::Node pred, DataFlow::Node succ) {
exists(Write w, Field f |
f.hasQualifiedName(package("golang.org/x/oauth2", ""), "Config", "RedirectURL")
|
w.writesField(succ.(DataFlow::PostUpdateNode).getPreUpdateNode(), f, pred)
w.writesField(succ, f, pred)
)
}


@@ -26,9 +26,14 @@ private class GorillaSessionOptionsField extends Field {
* This should cover most typical patterns...
*/
private DataFlow::Node getValueForFieldWrite(StructLit sl, string field) {
exists(Write w, DataFlow::Node base, Field f |
exists(Write w, DataFlow::Node base, DataFlow::Node n, Field f |
f.getName() = field and
w.writesField(base, f, result) and
w.writesField(n, f, result) and
(
base = n.(DataFlow::PostUpdateNode).getPreUpdateNode()
or
not n instanceof DataFlow::PostUpdateNode and base = n
) and
(
sl = base.asExpr()
or
@@ -209,10 +214,7 @@ private module GorillaSessionOptionsTrackingConfig implements DataFlow::ConfigSi
predicate isSink(DataFlow::Node sink) { sink instanceof GorillaSessionSaveSink }
predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
exists(GorillaSessionOptionsField f, DataFlow::Write w, DataFlow::Node base |
w.writesField(base, f, pred) and
succ = base
)
exists(GorillaSessionOptionsField f, DataFlow::Write w | w.writesField(succ, f, pred))
}
}
@@ -236,10 +238,7 @@ private module BoolToGorillaSessionOptionsTrackingConfig implements DataFlow::Co
sl = succ.asExpr()
)
or
exists(GorillaSessionOptionsField f, DataFlow::Write w, DataFlow::Node base |
w.writesField(base, f, pred) and
succ = base
)
exists(GorillaSessionOptionsField f, DataFlow::Write w | w.writesField(succ, f, pred))
}
}


@@ -22,8 +22,12 @@ module ServerSideRequestForgery {
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
// propagate to a URL when its host is assigned to
exists(Write w, Field f, SsaWithFields v | f.hasQualifiedName("net/url", "URL", "Host") |
w.writesField(v.getAUse(), f, node1) and node2 = v.getAUse()
exists(Write w, DataFlow::Node base, Field f, SsaWithFields v |
f.hasQualifiedName("net/url", "URL", "Host")
|
w.writesField(base, f, node1) and
[base, base.(DataFlow::PostUpdateNode).getPreUpdateNode()] = v.getAUse() and
node2 = v.getAUse()
)
}


@@ -5,3 +5,4 @@
| main.go:18:12:18:14 | argument corresponding to req |
| main.go:18:12:18:14 | definition of req |
| main.go:20:5:20:7 | req |
| main.go:20:5:20:7 | req [postupdate] |


@@ -154,51 +154,46 @@ edges
| CookieWithoutHttpOnly.go:133:14:133:18 | false | CookieWithoutHttpOnly.go:139:13:139:20 | httpOnly | provenance | |
| CookieWithoutHttpOnly.go:134:2:134:43 | ... := ...[0] | CookieWithoutHttpOnly.go:142:2:142:8 | session | provenance | |
| CookieWithoutHttpOnly.go:134:16:134:20 | store | CookieWithoutHttpOnly.go:134:2:134:43 | ... := ...[0] | provenance | Config |
| CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference | CookieWithoutHttpOnly.go:137:2:137:8 | session [postupdate] [pointer] | provenance | |
| CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference | CookieWithoutHttpOnly.go:137:2:137:8 | session [postupdate] [pointer] | provenance | |
| CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference | CookieWithoutHttpOnly.go:142:2:142:8 | session | provenance | |
| CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference | CookieWithoutHttpOnly.go:142:2:142:8 | session | provenance | |
| CookieWithoutHttpOnly.go:137:2:137:8 | session | CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference | provenance | |
| CookieWithoutHttpOnly.go:137:2:137:8 | session | CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference | provenance | |
| CookieWithoutHttpOnly.go:137:2:137:8 | session | CookieWithoutHttpOnly.go:142:2:142:8 | session | provenance | |
| CookieWithoutHttpOnly.go:137:2:137:8 | session | CookieWithoutHttpOnly.go:142:2:142:8 | session | provenance | |
| CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference [postupdate] | CookieWithoutHttpOnly.go:137:2:137:8 | session [postupdate] | provenance | |
| CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference [postupdate] | CookieWithoutHttpOnly.go:137:2:137:8 | session [postupdate] | provenance | |
| CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference [postupdate] | CookieWithoutHttpOnly.go:137:2:137:8 | session [postupdate] [pointer] | provenance | |
| CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference [postupdate] | CookieWithoutHttpOnly.go:137:2:137:8 | session [postupdate] [pointer] | provenance | |
| CookieWithoutHttpOnly.go:137:2:137:8 | session [postupdate] | CookieWithoutHttpOnly.go:142:2:142:8 | session | provenance | |
| CookieWithoutHttpOnly.go:137:2:137:8 | session [postupdate] | CookieWithoutHttpOnly.go:142:2:142:8 | session | provenance | |
| CookieWithoutHttpOnly.go:137:2:137:8 | session [postupdate] [pointer] | CookieWithoutHttpOnly.go:142:2:142:8 | session | provenance | |
| CookieWithoutHttpOnly.go:137:2:137:8 | session [postupdate] [pointer] | CookieWithoutHttpOnly.go:142:2:142:8 | session | provenance | |
| CookieWithoutHttpOnly.go:137:20:140:2 | &... | CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference | provenance | Config |
| CookieWithoutHttpOnly.go:137:20:140:2 | &... | CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference | provenance | Config |
| CookieWithoutHttpOnly.go:137:20:140:2 | &... | CookieWithoutHttpOnly.go:137:2:137:8 | session | provenance | Config |
| CookieWithoutHttpOnly.go:137:20:140:2 | &... | CookieWithoutHttpOnly.go:137:2:137:8 | session | provenance | Config |
| CookieWithoutHttpOnly.go:137:20:140:2 | &... | CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference [postupdate] | provenance | Config |
| CookieWithoutHttpOnly.go:137:20:140:2 | &... | CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference [postupdate] | provenance | Config |
| CookieWithoutHttpOnly.go:137:20:140:2 | &... | CookieWithoutHttpOnly.go:137:2:137:8 | session [postupdate] | provenance | Config |
| CookieWithoutHttpOnly.go:137:20:140:2 | &... | CookieWithoutHttpOnly.go:137:2:137:8 | session [postupdate] | provenance | Config |
| CookieWithoutHttpOnly.go:137:21:140:2 | struct literal | CookieWithoutHttpOnly.go:137:20:140:2 | &... | provenance | |
| CookieWithoutHttpOnly.go:137:21:140:2 | struct literal | CookieWithoutHttpOnly.go:137:20:140:2 | &... | provenance | |
| CookieWithoutHttpOnly.go:139:13:139:20 | httpOnly | CookieWithoutHttpOnly.go:137:21:140:2 | struct literal | provenance | Config |
| CookieWithoutHttpOnly.go:146:2:146:43 | ... := ...[0] | CookieWithoutHttpOnly.go:153:2:153:8 | session | provenance | |
| CookieWithoutHttpOnly.go:146:16:146:20 | store | CookieWithoutHttpOnly.go:146:2:146:43 | ... := ...[0] | provenance | Config |
| CookieWithoutHttpOnly.go:149:2:149:8 | implicit dereference | CookieWithoutHttpOnly.go:149:2:149:8 | session [postupdate] [pointer] | provenance | |
| CookieWithoutHttpOnly.go:149:2:149:8 | implicit dereference | CookieWithoutHttpOnly.go:153:2:153:8 | session | provenance | |
| CookieWithoutHttpOnly.go:149:2:149:8 | session | CookieWithoutHttpOnly.go:149:2:149:8 | implicit dereference | provenance | |
| CookieWithoutHttpOnly.go:149:2:149:8 | session | CookieWithoutHttpOnly.go:153:2:153:8 | session | provenance | |
| CookieWithoutHttpOnly.go:149:2:149:8 | implicit dereference [postupdate] | CookieWithoutHttpOnly.go:149:2:149:8 | session [postupdate] | provenance | |
| CookieWithoutHttpOnly.go:149:2:149:8 | implicit dereference [postupdate] | CookieWithoutHttpOnly.go:149:2:149:8 | session [postupdate] [pointer] | provenance | |
| CookieWithoutHttpOnly.go:149:2:149:8 | session [postupdate] | CookieWithoutHttpOnly.go:153:2:153:8 | session | provenance | |
| CookieWithoutHttpOnly.go:149:2:149:8 | session [postupdate] [pointer] | CookieWithoutHttpOnly.go:153:2:153:8 | session | provenance | |
| CookieWithoutHttpOnly.go:149:20:151:2 | &... | CookieWithoutHttpOnly.go:149:2:149:8 | implicit dereference | provenance | Config |
| CookieWithoutHttpOnly.go:149:20:151:2 | &... | CookieWithoutHttpOnly.go:149:2:149:8 | session | provenance | Config |
| CookieWithoutHttpOnly.go:149:20:151:2 | &... | CookieWithoutHttpOnly.go:149:2:149:8 | implicit dereference [postupdate] | provenance | Config |
| CookieWithoutHttpOnly.go:149:20:151:2 | &... | CookieWithoutHttpOnly.go:149:2:149:8 | session [postupdate] | provenance | Config |
| CookieWithoutHttpOnly.go:149:21:151:2 | struct literal | CookieWithoutHttpOnly.go:149:20:151:2 | &... | provenance | |
| CookieWithoutHttpOnly.go:157:2:157:9 | definition of httpOnly | CookieWithoutHttpOnly.go:163:13:163:20 | httpOnly | provenance | |
| CookieWithoutHttpOnly.go:157:14:157:17 | true | CookieWithoutHttpOnly.go:163:13:163:20 | httpOnly | provenance | |
| CookieWithoutHttpOnly.go:158:2:158:43 | ... := ...[0] | CookieWithoutHttpOnly.go:166:2:166:8 | session | provenance | |
| CookieWithoutHttpOnly.go:158:16:158:20 | store | CookieWithoutHttpOnly.go:158:2:158:43 | ... := ...[0] | provenance | Config |
| CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference | CookieWithoutHttpOnly.go:161:2:161:8 | session [postupdate] [pointer] | provenance | |
| CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference | CookieWithoutHttpOnly.go:161:2:161:8 | session [postupdate] [pointer] | provenance | |
| CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference | CookieWithoutHttpOnly.go:166:2:166:8 | session | provenance | |
| CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference | CookieWithoutHttpOnly.go:166:2:166:8 | session | provenance | |
| CookieWithoutHttpOnly.go:161:2:161:8 | session | CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference | provenance | |
| CookieWithoutHttpOnly.go:161:2:161:8 | session | CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference | provenance | |
| CookieWithoutHttpOnly.go:161:2:161:8 | session | CookieWithoutHttpOnly.go:166:2:166:8 | session | provenance | |
| CookieWithoutHttpOnly.go:161:2:161:8 | session | CookieWithoutHttpOnly.go:166:2:166:8 | session | provenance | |
| CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference [postupdate] | CookieWithoutHttpOnly.go:161:2:161:8 | session [postupdate] | provenance | |
| CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference [postupdate] | CookieWithoutHttpOnly.go:161:2:161:8 | session [postupdate] | provenance | |
| CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference [postupdate] | CookieWithoutHttpOnly.go:161:2:161:8 | session [postupdate] [pointer] | provenance | |
| CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference [postupdate] | CookieWithoutHttpOnly.go:161:2:161:8 | session [postupdate] [pointer] | provenance | |
| CookieWithoutHttpOnly.go:161:2:161:8 | session [postupdate] | CookieWithoutHttpOnly.go:166:2:166:8 | session | provenance | |
| CookieWithoutHttpOnly.go:161:2:161:8 | session [postupdate] | CookieWithoutHttpOnly.go:166:2:166:8 | session | provenance | |
| CookieWithoutHttpOnly.go:161:2:161:8 | session [postupdate] [pointer] | CookieWithoutHttpOnly.go:166:2:166:8 | session | provenance | |
| CookieWithoutHttpOnly.go:161:2:161:8 | session [postupdate] [pointer] | CookieWithoutHttpOnly.go:166:2:166:8 | session | provenance | |
| CookieWithoutHttpOnly.go:161:20:164:2 | &... | CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference | provenance | Config |
| CookieWithoutHttpOnly.go:161:20:164:2 | &... | CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference | provenance | Config |
| CookieWithoutHttpOnly.go:161:20:164:2 | &... | CookieWithoutHttpOnly.go:161:2:161:8 | session | provenance | Config |
| CookieWithoutHttpOnly.go:161:20:164:2 | &... | CookieWithoutHttpOnly.go:161:2:161:8 | session | provenance | Config |
| CookieWithoutHttpOnly.go:161:20:164:2 | &... | CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference [postupdate] | provenance | Config |
| CookieWithoutHttpOnly.go:161:20:164:2 | &... | CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference [postupdate] | provenance | Config |
| CookieWithoutHttpOnly.go:161:20:164:2 | &... | CookieWithoutHttpOnly.go:161:2:161:8 | session [postupdate] | provenance | Config |
| CookieWithoutHttpOnly.go:161:20:164:2 | &... | CookieWithoutHttpOnly.go:161:2:161:8 | session [postupdate] | provenance | Config |
| CookieWithoutHttpOnly.go:161:21:164:2 | struct literal | CookieWithoutHttpOnly.go:161:20:164:2 | &... | provenance | |
| CookieWithoutHttpOnly.go:161:21:164:2 | struct literal | CookieWithoutHttpOnly.go:161:20:164:2 | &... | provenance | |
| CookieWithoutHttpOnly.go:163:13:163:20 | httpOnly | CookieWithoutHttpOnly.go:161:21:164:2 | struct literal | provenance | Config |
@@ -206,20 +201,18 @@ edges
| CookieWithoutHttpOnly.go:169:56:169:63 | definition of httpOnly | CookieWithoutHttpOnly.go:175:13:175:20 | httpOnly | provenance | |
| CookieWithoutHttpOnly.go:170:2:170:43 | ... := ...[0] | CookieWithoutHttpOnly.go:178:2:178:8 | session | provenance | |
| CookieWithoutHttpOnly.go:170:16:170:20 | store | CookieWithoutHttpOnly.go:170:2:170:43 | ... := ...[0] | provenance | Config |
| CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference | CookieWithoutHttpOnly.go:173:2:173:8 | session [postupdate] [pointer] | provenance | |
| CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference | CookieWithoutHttpOnly.go:173:2:173:8 | session [postupdate] [pointer] | provenance | |
| CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference | CookieWithoutHttpOnly.go:178:2:178:8 | session | provenance | |
| CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference | CookieWithoutHttpOnly.go:178:2:178:8 | session | provenance | |
| CookieWithoutHttpOnly.go:173:2:173:8 | session | CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference | provenance | |
| CookieWithoutHttpOnly.go:173:2:173:8 | session | CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference | provenance | |
| CookieWithoutHttpOnly.go:173:2:173:8 | session | CookieWithoutHttpOnly.go:178:2:178:8 | session | provenance | |
| CookieWithoutHttpOnly.go:173:2:173:8 | session | CookieWithoutHttpOnly.go:178:2:178:8 | session | provenance | |
| CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference [postupdate] | CookieWithoutHttpOnly.go:173:2:173:8 | session [postupdate] | provenance | |
| CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference [postupdate] | CookieWithoutHttpOnly.go:173:2:173:8 | session [postupdate] | provenance | |
| CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference [postupdate] | CookieWithoutHttpOnly.go:173:2:173:8 | session [postupdate] [pointer] | provenance | |
| CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference [postupdate] | CookieWithoutHttpOnly.go:173:2:173:8 | session [postupdate] [pointer] | provenance | |
| CookieWithoutHttpOnly.go:173:2:173:8 | session [postupdate] | CookieWithoutHttpOnly.go:178:2:178:8 | session | provenance | |
| CookieWithoutHttpOnly.go:173:2:173:8 | session [postupdate] | CookieWithoutHttpOnly.go:178:2:178:8 | session | provenance | |
| CookieWithoutHttpOnly.go:173:2:173:8 | session [postupdate] [pointer] | CookieWithoutHttpOnly.go:178:2:178:8 | session | provenance | |
| CookieWithoutHttpOnly.go:173:2:173:8 | session [postupdate] [pointer] | CookieWithoutHttpOnly.go:178:2:178:8 | session | provenance | |
| CookieWithoutHttpOnly.go:173:20:176:2 | &... | CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference | provenance | Config |
| CookieWithoutHttpOnly.go:173:20:176:2 | &... | CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference | provenance | Config |
| CookieWithoutHttpOnly.go:173:20:176:2 | &... | CookieWithoutHttpOnly.go:173:2:173:8 | session | provenance | Config |
| CookieWithoutHttpOnly.go:173:20:176:2 | &... | CookieWithoutHttpOnly.go:173:2:173:8 | session | provenance | Config |
| CookieWithoutHttpOnly.go:173:20:176:2 | &... | CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference [postupdate] | provenance | Config |
| CookieWithoutHttpOnly.go:173:20:176:2 | &... | CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference [postupdate] | provenance | Config |
| CookieWithoutHttpOnly.go:173:20:176:2 | &... | CookieWithoutHttpOnly.go:173:2:173:8 | session [postupdate] | provenance | Config |
| CookieWithoutHttpOnly.go:173:20:176:2 | &... | CookieWithoutHttpOnly.go:173:2:173:8 | session [postupdate] | provenance | Config |
| CookieWithoutHttpOnly.go:173:21:176:2 | struct literal | CookieWithoutHttpOnly.go:173:20:176:2 | &... | provenance | |
| CookieWithoutHttpOnly.go:173:21:176:2 | struct literal | CookieWithoutHttpOnly.go:173:20:176:2 | &... | provenance | |
| CookieWithoutHttpOnly.go:175:13:175:20 | httpOnly | CookieWithoutHttpOnly.go:173:21:176:2 | struct literal | provenance | Config |
@@ -356,10 +349,10 @@ nodes
| CookieWithoutHttpOnly.go:133:14:133:18 | false | semmle.label | false |
| CookieWithoutHttpOnly.go:134:2:134:43 | ... := ...[0] | semmle.label | ... := ...[0] |
| CookieWithoutHttpOnly.go:134:16:134:20 | store | semmle.label | store |
| CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference | semmle.label | implicit dereference |
| CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference | semmle.label | implicit dereference |
| CookieWithoutHttpOnly.go:137:2:137:8 | session | semmle.label | session |
| CookieWithoutHttpOnly.go:137:2:137:8 | session | semmle.label | session |
| CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference [postupdate] | semmle.label | implicit dereference [postupdate] |
| CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference [postupdate] | semmle.label | implicit dereference [postupdate] |
| CookieWithoutHttpOnly.go:137:2:137:8 | session [postupdate] | semmle.label | session [postupdate] |
| CookieWithoutHttpOnly.go:137:2:137:8 | session [postupdate] | semmle.label | session [postupdate] |
| CookieWithoutHttpOnly.go:137:2:137:8 | session [postupdate] [pointer] | semmle.label | session [postupdate] [pointer] |
| CookieWithoutHttpOnly.go:137:2:137:8 | session [postupdate] [pointer] | semmle.label | session [postupdate] [pointer] |
| CookieWithoutHttpOnly.go:137:20:140:2 | &... | semmle.label | &... |
@@ -372,8 +365,8 @@ nodes
| CookieWithoutHttpOnly.go:142:2:142:8 | session | semmle.label | session |
| CookieWithoutHttpOnly.go:146:2:146:43 | ... := ...[0] | semmle.label | ... := ...[0] |
| CookieWithoutHttpOnly.go:146:16:146:20 | store | semmle.label | store |
| CookieWithoutHttpOnly.go:149:2:149:8 | implicit dereference | semmle.label | implicit dereference |
| CookieWithoutHttpOnly.go:149:2:149:8 | session | semmle.label | session |
| CookieWithoutHttpOnly.go:149:2:149:8 | implicit dereference [postupdate] | semmle.label | implicit dereference [postupdate] |
| CookieWithoutHttpOnly.go:149:2:149:8 | session [postupdate] | semmle.label | session [postupdate] |
| CookieWithoutHttpOnly.go:149:2:149:8 | session [postupdate] [pointer] | semmle.label | session [postupdate] [pointer] |
| CookieWithoutHttpOnly.go:149:20:151:2 | &... | semmle.label | &... |
| CookieWithoutHttpOnly.go:149:21:151:2 | struct literal | semmle.label | struct literal |
@@ -383,10 +376,10 @@ nodes
| CookieWithoutHttpOnly.go:157:14:157:17 | true | semmle.label | true |
| CookieWithoutHttpOnly.go:158:2:158:43 | ... := ...[0] | semmle.label | ... := ...[0] |
| CookieWithoutHttpOnly.go:158:16:158:20 | store | semmle.label | store |
| CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference | semmle.label | implicit dereference |
| CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference | semmle.label | implicit dereference |
| CookieWithoutHttpOnly.go:161:2:161:8 | session | semmle.label | session |
| CookieWithoutHttpOnly.go:161:2:161:8 | session | semmle.label | session |
| CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference [postupdate] | semmle.label | implicit dereference [postupdate] |
| CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference [postupdate] | semmle.label | implicit dereference [postupdate] |
| CookieWithoutHttpOnly.go:161:2:161:8 | session [postupdate] | semmle.label | session [postupdate] |
| CookieWithoutHttpOnly.go:161:2:161:8 | session [postupdate] | semmle.label | session [postupdate] |
| CookieWithoutHttpOnly.go:161:2:161:8 | session [postupdate] [pointer] | semmle.label | session [postupdate] [pointer] |
| CookieWithoutHttpOnly.go:161:2:161:8 | session [postupdate] [pointer] | semmle.label | session [postupdate] [pointer] |
| CookieWithoutHttpOnly.go:161:20:164:2 | &... | semmle.label | &... |
@@ -401,10 +394,10 @@ nodes
| CookieWithoutHttpOnly.go:169:56:169:63 | definition of httpOnly | semmle.label | definition of httpOnly |
| CookieWithoutHttpOnly.go:170:2:170:43 | ... := ...[0] | semmle.label | ... := ...[0] |
| CookieWithoutHttpOnly.go:170:16:170:20 | store | semmle.label | store |
| CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference | semmle.label | implicit dereference |
| CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference | semmle.label | implicit dereference |
| CookieWithoutHttpOnly.go:173:2:173:8 | session | semmle.label | session |
| CookieWithoutHttpOnly.go:173:2:173:8 | session | semmle.label | session |
| CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference [postupdate] | semmle.label | implicit dereference [postupdate] |
| CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference [postupdate] | semmle.label | implicit dereference [postupdate] |
| CookieWithoutHttpOnly.go:173:2:173:8 | session [postupdate] | semmle.label | session [postupdate] |
| CookieWithoutHttpOnly.go:173:2:173:8 | session [postupdate] | semmle.label | session [postupdate] |
| CookieWithoutHttpOnly.go:173:2:173:8 | session [postupdate] [pointer] | semmle.label | session [postupdate] [pointer] |
| CookieWithoutHttpOnly.go:173:2:173:8 | session [postupdate] [pointer] | semmle.label | session [postupdate] [pointer] |
| CookieWithoutHttpOnly.go:173:20:176:2 | &... | semmle.label | &... |


@@ -85,12 +85,15 @@
| main.go:26:11:26:11 | x | main.go:26:2:26:17 | ... := ...[0] |
| main.go:38:2:38:2 | definition of s | main.go:39:15:39:15 | s |
| main.go:38:7:38:20 | slice literal | main.go:38:2:38:2 | definition of s |
| main.go:38:7:38:20 | slice literal [postupdate] | main.go:38:2:38:2 | definition of s |
| main.go:39:2:39:3 | definition of s1 | main.go:40:18:40:19 | s1 |
| main.go:39:8:39:25 | call to append | main.go:39:2:39:3 | definition of s1 |
| main.go:39:15:39:15 | s | main.go:40:15:40:15 | s |
| main.go:39:15:39:15 | s [postupdate] | main.go:40:15:40:15 | s |
| main.go:40:2:40:3 | definition of s2 | main.go:43:9:43:10 | s2 |
| main.go:40:8:40:23 | call to append | main.go:40:2:40:3 | definition of s2 |
| main.go:40:15:40:15 | s | main.go:42:7:42:7 | s |
| main.go:40:15:40:15 | s [postupdate] | main.go:42:7:42:7 | s |
| main.go:41:2:41:3 | definition of s4 | main.go:42:10:42:11 | s4 |
| main.go:41:8:41:21 | call to make | main.go:41:2:41:3 | definition of s4 |
| main.go:46:13:46:14 | argument corresponding to xs | main.go:46:13:46:14 | definition of xs |
@@ -114,6 +117,7 @@
| main.go:55:6:55:7 | definition of ch | main.go:56:2:56:3 | ch |
| main.go:55:6:55:7 | zero value for ch | main.go:55:6:55:7 | definition of ch |
| main.go:56:2:56:3 | ch | main.go:57:4:57:5 | ch |
| main.go:56:2:56:3 | ch [postupdate] | main.go:57:4:57:5 | ch |
| main.go:61:2:61:2 | definition of x | main.go:64:11:64:11 | x |
| main.go:61:7:61:7 | 1 | main.go:61:2:61:2 | definition of x |
| main.go:62:2:62:2 | definition of y | main.go:64:14:64:14 | y |
@@ -165,30 +169,41 @@
| url.go:27:2:27:2 | definition of u | url.go:28:14:28:14 | u |
| url.go:27:2:27:30 | ... = ...[0] | url.go:27:2:27:2 | definition of u |
| url.go:28:14:28:14 | u | url.go:29:14:29:14 | u |
| url.go:28:14:28:14 | u [postupdate] | url.go:29:14:29:14 | u |
| url.go:29:14:29:14 | u | url.go:30:11:30:11 | u |
| url.go:29:14:29:14 | u [postupdate] | url.go:30:11:30:11 | u |
| url.go:30:2:30:3 | definition of bs | url.go:31:14:31:15 | bs |
| url.go:30:2:30:27 | ... := ...[0] | url.go:30:2:30:3 | definition of bs |
| url.go:30:11:30:11 | u | url.go:32:9:32:9 | u |
| url.go:30:11:30:11 | u [postupdate] | url.go:32:9:32:9 | u |
| url.go:32:2:32:2 | definition of u | url.go:33:14:33:14 | u |
| url.go:32:2:32:23 | ... = ...[0] | url.go:32:2:32:2 | definition of u |
| url.go:33:14:33:14 | u | url.go:34:14:34:14 | u |
| url.go:33:14:33:14 | u [postupdate] | url.go:34:14:34:14 | u |
| url.go:34:14:34:14 | u | url.go:35:14:35:14 | u |
| url.go:34:14:34:14 | u [postupdate] | url.go:35:14:35:14 | u |
| url.go:35:14:35:14 | u | url.go:36:6:36:6 | u |
| url.go:35:14:35:14 | u [postupdate] | url.go:36:6:36:6 | u |
| url.go:36:2:36:2 | definition of u | url.go:37:9:37:9 | u |
| url.go:36:6:36:6 | u | url.go:36:25:36:25 | u |
| url.go:36:6:36:6 | u [postupdate] | url.go:36:25:36:25 | u |
| url.go:36:6:36:26 | call to ResolveReference | url.go:36:2:36:2 | definition of u |
| url.go:42:2:42:3 | definition of ui | url.go:43:11:43:12 | ui |
| url.go:42:7:42:38 | call to UserPassword | url.go:42:2:42:3 | definition of ui |
| url.go:43:2:43:3 | definition of pw | url.go:44:14:44:15 | pw |
| url.go:43:2:43:23 | ... := ...[0] | url.go:43:2:43:3 | definition of pw |
| url.go:43:11:43:12 | ui | url.go:45:14:45:15 | ui |
| url.go:43:11:43:12 | ui [postupdate] | url.go:45:14:45:15 | ui |
| url.go:45:14:45:15 | ui | url.go:46:9:46:10 | ui |
| url.go:45:14:45:15 | ui [postupdate] | url.go:46:9:46:10 | ui |
| url.go:49:12:49:12 | argument corresponding to q | url.go:49:12:49:12 | definition of q |
| url.go:49:12:49:12 | definition of q | url.go:50:25:50:25 | q |
| url.go:50:2:50:2 | definition of v | url.go:51:14:51:14 | v |
| url.go:50:2:50:26 | ... := ...[0] | url.go:50:2:50:2 | definition of v |
| url.go:51:14:51:14 | v | url.go:52:14:52:14 | v |
| url.go:51:14:51:14 | v [postupdate] | url.go:52:14:52:14 | v |
| url.go:52:14:52:14 | v | url.go:53:9:53:9 | v |
| url.go:52:14:52:14 | v [postupdate] | url.go:53:9:53:9 | v |
| url.go:56:12:56:12 | argument corresponding to q | url.go:56:12:56:12 | definition of q |
| url.go:56:12:56:12 | definition of q | url.go:57:29:57:29 | q |
| url.go:57:2:57:8 | definition of joined1 | url.go:58:38:58:44 | joined1 |


@@ -1,8 +1,8 @@
| main.go:26:11:26:17 | type assertion | main.go:26:2:26:17 | ... := ...[0] |
| main.go:26:11:26:17 | type assertion | main.go:26:2:26:17 | ... := ...[1] |
| main.go:38:13:38:13 | 1 | main.go:38:7:38:20 | slice literal [postupdate] |
| main.go:38:16:38:16 | 2 | main.go:38:7:38:20 | slice literal [postupdate] |
| main.go:38:19:38:19 | 3 | main.go:38:7:38:20 | slice literal [postupdate] |
| main.go:38:13:38:13 | 1 | main.go:38:7:38:20 | slice literal |
| main.go:38:16:38:16 | 2 | main.go:38:7:38:20 | slice literal |
| main.go:38:19:38:19 | 3 | main.go:38:7:38:20 | slice literal |
| main.go:39:8:39:25 | []type{args} | main.go:39:8:39:25 | call to append |
| main.go:39:15:39:15 | s | main.go:39:8:39:25 | call to append |
| main.go:40:15:40:15 | s | main.go:40:8:40:23 | call to append |


@@ -80,105 +80,135 @@
| main.go:7:6:7:9 | function sink | main.go:150:2:150:5 | sink |
| main.go:22:2:22:6 | definition of outer | main.go:25:7:25:11 | outer |
| main.go:22:11:24:2 | struct literal | main.go:22:2:22:6 | definition of outer |
| main.go:22:11:24:2 | struct literal [postupdate] | main.go:22:2:22:6 | definition of outer |
| main.go:25:7:25:11 | outer | main.go:26:7:26:11 | outer |
| main.go:26:7:26:11 | outer | main.go:27:7:27:11 | outer |
| main.go:27:7:27:11 | outer | main.go:28:7:28:11 | outer |
| main.go:30:2:30:7 | definition of outerp | main.go:33:7:33:12 | outerp |
| main.go:30:12:32:2 | &... | main.go:30:2:30:7 | definition of outerp |
| main.go:30:12:32:2 | &... [postupdate] | main.go:30:2:30:7 | definition of outerp |
| main.go:33:7:33:12 | outerp | main.go:34:7:34:12 | outerp |
| main.go:33:7:33:12 | outerp [postupdate] | main.go:34:7:34:12 | outerp |
| main.go:34:7:34:12 | outerp | main.go:35:7:35:12 | outerp |
| main.go:34:7:34:12 | outerp [postupdate] | main.go:35:7:35:12 | outerp |
| main.go:35:7:35:12 | outerp | main.go:36:7:36:12 | outerp |
| main.go:35:7:35:12 | outerp [postupdate] | main.go:36:7:36:12 | outerp |
| main.go:40:2:40:6 | definition of outer | main.go:41:7:41:11 | outer |
| main.go:40:11:40:40 | struct literal | main.go:40:2:40:6 | definition of outer |
| main.go:40:11:40:40 | struct literal [postupdate] | main.go:40:2:40:6 | definition of outer |
| main.go:41:7:41:11 | outer | main.go:42:7:42:11 | outer |
| main.go:42:7:42:11 | outer | main.go:43:7:43:11 | outer |
| main.go:43:7:43:11 | outer | main.go:44:7:44:11 | outer |
| main.go:46:2:46:7 | definition of outerp | main.go:47:7:47:12 | outerp |
| main.go:46:12:46:42 | &... | main.go:46:2:46:7 | definition of outerp |
| main.go:46:12:46:42 | &... [postupdate] | main.go:46:2:46:7 | definition of outerp |
| main.go:47:7:47:12 | outerp | main.go:48:7:48:12 | outerp |
| main.go:47:7:47:12 | outerp [postupdate] | main.go:48:7:48:12 | outerp |
| main.go:48:7:48:12 | outerp | main.go:49:7:49:12 | outerp |
| main.go:48:7:48:12 | outerp [postupdate] | main.go:49:7:49:12 | outerp |
| main.go:49:7:49:12 | outerp | main.go:50:7:50:12 | outerp |
| main.go:49:7:49:12 | outerp [postupdate] | main.go:50:7:50:12 | outerp |
| main.go:54:2:54:6 | definition of inner | main.go:55:19:55:23 | inner |
| main.go:54:11:54:25 | struct literal | main.go:54:2:54:6 | definition of inner |
| main.go:54:11:54:25 | struct literal [postupdate] | main.go:54:2:54:6 | definition of inner |
| main.go:55:2:55:7 | definition of middle | main.go:56:17:56:22 | middle |
| main.go:55:12:55:24 | struct literal | main.go:55:2:55:7 | definition of middle |
| main.go:55:12:55:24 | struct literal [postupdate] | main.go:55:2:55:7 | definition of middle |
| main.go:56:2:56:6 | definition of outer | main.go:57:7:57:11 | outer |
| main.go:56:11:56:23 | struct literal | main.go:56:2:56:6 | definition of outer |
| main.go:56:11:56:23 | struct literal [postupdate] | main.go:56:2:56:6 | definition of outer |
| main.go:57:7:57:11 | outer | main.go:58:7:58:11 | outer |
| main.go:58:7:58:11 | outer | main.go:59:7:59:11 | outer |
| main.go:59:7:59:11 | outer | main.go:60:7:60:11 | outer |
| main.go:62:2:62:7 | definition of innerp | main.go:63:20:63:25 | innerp |
| main.go:62:12:62:26 | struct literal | main.go:62:2:62:7 | definition of innerp |
| main.go:62:12:62:26 | struct literal [postupdate] | main.go:62:2:62:7 | definition of innerp |
| main.go:63:2:63:8 | definition of middlep | main.go:64:18:64:24 | middlep |
| main.go:63:13:63:26 | struct literal | main.go:63:2:63:8 | definition of middlep |
| main.go:63:13:63:26 | struct literal [postupdate] | main.go:63:2:63:8 | definition of middlep |
| main.go:64:2:64:7 | definition of outerp | main.go:65:7:65:12 | outerp |
| main.go:64:12:64:25 | struct literal | main.go:64:2:64:7 | definition of outerp |
| main.go:64:12:64:25 | struct literal [postupdate] | main.go:64:2:64:7 | definition of outerp |
| main.go:65:7:65:12 | outerp | main.go:66:7:66:12 | outerp |
| main.go:66:7:66:12 | outerp | main.go:67:7:67:12 | outerp |
| main.go:67:7:67:12 | outerp | main.go:68:7:68:12 | outerp |
| main.go:72:2:72:6 | definition of inner | main.go:73:26:73:30 | inner |
| main.go:72:11:72:25 | struct literal | main.go:72:2:72:6 | definition of inner |
| main.go:72:11:72:25 | struct literal [postupdate] | main.go:72:2:72:6 | definition of inner |
| main.go:73:2:73:7 | definition of middle | main.go:74:25:74:30 | middle |
| main.go:73:12:73:31 | struct literal | main.go:73:2:73:7 | definition of middle |
| main.go:73:12:73:31 | struct literal [postupdate] | main.go:73:2:73:7 | definition of middle |
| main.go:74:2:74:6 | definition of outer | main.go:75:7:75:11 | outer |
| main.go:74:11:74:31 | struct literal | main.go:74:2:74:6 | definition of outer |
| main.go:74:11:74:31 | struct literal [postupdate] | main.go:74:2:74:6 | definition of outer |
| main.go:75:7:75:11 | outer | main.go:76:7:76:11 | outer |
| main.go:76:7:76:11 | outer | main.go:77:7:77:11 | outer |
| main.go:77:7:77:11 | outer | main.go:78:7:78:11 | outer |
| main.go:80:2:80:7 | definition of innerp | main.go:81:27:81:32 | innerp |
| main.go:80:12:80:26 | struct literal | main.go:80:2:80:7 | definition of innerp |
| main.go:80:12:80:26 | struct literal [postupdate] | main.go:80:2:80:7 | definition of innerp |
| main.go:81:2:81:8 | definition of middlep | main.go:82:26:82:32 | middlep |
| main.go:81:13:81:33 | struct literal | main.go:81:2:81:8 | definition of middlep |
| main.go:81:13:81:33 | struct literal [postupdate] | main.go:81:2:81:8 | definition of middlep |
| main.go:82:2:82:7 | definition of outerp | main.go:83:7:83:12 | outerp |
| main.go:82:12:82:33 | struct literal | main.go:82:2:82:7 | definition of outerp |
| main.go:82:12:82:33 | struct literal [postupdate] | main.go:82:2:82:7 | definition of outerp |
| main.go:83:7:83:12 | outerp | main.go:84:7:84:12 | outerp |
| main.go:84:7:84:12 | outerp | main.go:85:7:85:12 | outerp |
| main.go:85:7:85:12 | outerp | main.go:86:7:86:12 | outerp |
| main.go:90:6:90:10 | definition of outer | main.go:91:2:91:6 | outer |
| main.go:90:6:90:10 | zero value for outer | main.go:90:6:90:10 | definition of outer |
| main.go:91:2:91:6 | outer | main.go:92:7:92:11 | outer |
| main.go:91:2:91:6 | outer [postupdate] | main.go:92:7:92:11 | outer |
| main.go:92:7:92:11 | outer | main.go:93:7:93:11 | outer |
| main.go:93:7:93:11 | outer | main.go:94:7:94:11 | outer |
| main.go:94:7:94:11 | outer | main.go:95:7:95:11 | outer |
| main.go:97:6:97:11 | definition of outerp | main.go:98:2:98:7 | outerp |
| main.go:97:6:97:11 | zero value for outerp | main.go:97:6:97:11 | definition of outerp |
| main.go:98:2:98:7 | outerp | main.go:99:7:99:12 | outerp |
| main.go:98:2:98:7 | outerp [postupdate] | main.go:99:7:99:12 | outerp |
| main.go:99:7:99:12 | outerp | main.go:100:7:100:12 | outerp |
| main.go:100:7:100:12 | outerp | main.go:101:7:101:12 | outerp |
| main.go:101:7:101:12 | outerp | main.go:102:7:102:12 | outerp |
| main.go:106:6:106:10 | definition of outer | main.go:107:2:107:6 | outer |
| main.go:106:6:106:10 | zero value for outer | main.go:106:6:106:10 | definition of outer |
| main.go:107:2:107:6 | outer | main.go:108:7:108:11 | outer |
| main.go:107:2:107:6 | outer [postupdate] | main.go:108:7:108:11 | outer |
| main.go:108:7:108:11 | outer | main.go:109:7:109:11 | outer |
| main.go:109:7:109:11 | outer | main.go:110:7:110:11 | outer |
| main.go:110:7:110:11 | outer | main.go:111:7:111:11 | outer |
| main.go:113:6:113:11 | definition of outerp | main.go:114:2:114:7 | outerp |
| main.go:113:6:113:11 | zero value for outerp | main.go:113:6:113:11 | definition of outerp |
| main.go:114:2:114:7 | outerp | main.go:115:7:115:12 | outerp |
| main.go:114:2:114:7 | outerp [postupdate] | main.go:115:7:115:12 | outerp |
| main.go:115:7:115:12 | outerp | main.go:116:7:116:12 | outerp |
| main.go:116:7:116:12 | outerp | main.go:117:7:117:12 | outerp |
| main.go:117:7:117:12 | outerp | main.go:118:7:118:12 | outerp |
| main.go:122:6:122:10 | definition of outer | main.go:123:2:123:6 | outer |
| main.go:122:6:122:10 | zero value for outer | main.go:122:6:122:10 | definition of outer |
| main.go:123:2:123:6 | outer | main.go:124:7:124:11 | outer |
| main.go:123:2:123:6 | outer [postupdate] | main.go:124:7:124:11 | outer |
| main.go:124:7:124:11 | outer | main.go:125:7:125:11 | outer |
| main.go:125:7:125:11 | outer | main.go:126:7:126:11 | outer |
| main.go:126:7:126:11 | outer | main.go:127:7:127:11 | outer |
| main.go:129:6:129:11 | definition of outerp | main.go:130:2:130:7 | outerp |
| main.go:129:6:129:11 | zero value for outerp | main.go:129:6:129:11 | definition of outerp |
| main.go:130:2:130:7 | outerp | main.go:131:7:131:12 | outerp |
| main.go:130:2:130:7 | outerp [postupdate] | main.go:131:7:131:12 | outerp |
| main.go:131:7:131:12 | outerp | main.go:132:7:132:12 | outerp |
| main.go:132:7:132:12 | outerp | main.go:133:7:133:12 | outerp |
| main.go:133:7:133:12 | outerp | main.go:134:7:134:12 | outerp |
| main.go:138:6:138:10 | definition of outer | main.go:139:2:139:6 | outer |
| main.go:138:6:138:10 | zero value for outer | main.go:138:6:138:10 | definition of outer |
| main.go:139:2:139:6 | outer | main.go:140:7:140:11 | outer |
| main.go:139:2:139:6 | outer [postupdate] | main.go:140:7:140:11 | outer |
| main.go:140:7:140:11 | outer | main.go:141:7:141:11 | outer |
| main.go:141:7:141:11 | outer | main.go:142:7:142:11 | outer |
| main.go:142:7:142:11 | outer | main.go:143:7:143:11 | outer |
| main.go:145:6:145:11 | definition of outerp | main.go:146:2:146:7 | outerp |
| main.go:145:6:145:11 | zero value for outerp | main.go:145:6:145:11 | definition of outerp |
| main.go:146:2:146:7 | outerp | main.go:147:7:147:12 | outerp |
| main.go:146:2:146:7 | outerp [postupdate] | main.go:147:7:147:12 | outerp |
| main.go:147:7:147:12 | outerp | main.go:148:7:148:12 | outerp |
| main.go:148:7:148:12 | outerp | main.go:149:7:149:12 | outerp |
| main.go:149:7:149:12 | outerp | main.go:150:7:150:12 | outerp |


@@ -1,3 +1,3 @@
| tst.go:19:2:19:6 | assignment to element | tst.go:19:2:19:3 | xs | tst.go:19:5:19:5 | 0 | tst.go:19:10:19:14 | index expression |
| tst.go:20:2:20:6 | assignment to element | tst.go:20:2:20:3 | implicit dereference | tst.go:20:5:20:5 | 0 | tst.go:20:10:20:14 | index expression |
| tst.go:20:2:20:6 | assignment to element | tst.go:20:2:20:3 | ps | tst.go:20:5:20:5 | 0 | tst.go:20:10:20:14 | index expression |
| tst.go:19:2:19:6 | assignment to element | tst.go:19:2:19:3 | xs [postupdate] | tst.go:19:5:19:5 | 0 | tst.go:19:10:19:14 | index expression |
| tst.go:20:2:20:6 | assignment to element | tst.go:20:2:20:3 | implicit dereference [postupdate] | tst.go:20:5:20:5 | 0 | tst.go:20:10:20:14 | index expression |
| tst.go:20:2:20:6 | assignment to element | tst.go:20:2:20:3 | ps [postupdate] | tst.go:20:5:20:5 | 0 | tst.go:20:10:20:14 | index expression |
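Review bot: Neither this expected output nor the field-write one in the next section contains a row for an initializing write, so the `isInitialization()` branch that the commit adds to `writesField` is not pinned by these two tests. All three rows here are `assignment to element` and all three rows there are `assignment to field f`, each now with a `[postupdate]` base. Adding a composite-literal case to each `tst.go` (a struct literal that sets `f`, a slice literal with elements) would record that the base stays the literal itself, which is what the updated doc comment describes. Whether `tst.go` already holds such a case that simply produces no row cannot be told from this page.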


@@ -1,3 +1,3 @@
| tst.go:8:2:8:4 | assignment to field f | tst.go:8:2:8:2 | implicit dereference | tst.go:4:2:4:2 | f | tst.go:8:8:8:14 | ...+... |
| tst.go:8:2:8:4 | assignment to field f | tst.go:8:2:8:2 | t | tst.go:4:2:4:2 | f | tst.go:8:8:8:14 | ...+... |
| tst.go:17:2:17:4 | assignment to field f | tst.go:17:2:17:2 | x | tst.go:4:2:4:2 | f | tst.go:17:8:17:14 | ...+... |
| tst.go:8:2:8:4 | assignment to field f | tst.go:8:2:8:2 | implicit dereference [postupdate] | tst.go:4:2:4:2 | f | tst.go:8:8:8:14 | ...+... |
| tst.go:8:2:8:4 | assignment to field f | tst.go:8:2:8:2 | t [postupdate] | tst.go:4:2:4:2 | f | tst.go:8:8:8:14 | ...+... |
| tst.go:17:2:17:4 | assignment to field f | tst.go:17:2:17:2 | x [postupdate] | tst.go:4:2:4:2 | f | tst.go:17:8:17:14 | ...+... |


@@ -1,5 +1,8 @@
| mail.go:15:73:15:94 | type conversion |
| mail.go:18:19:18:23 | definition of write |
| mail.go:18:19:18:38 | ... := ...[0] |
| mail.go:20:17:20:21 | write |
| mail.go:20:17:20:21 | write [postupdate] |
| mail.go:26:49:26:52 | text |
| mail.go:26:76:26:79 | text |
| mail.go:27:20:27:23 | text |
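Review bot: This listing grows from five rows to eight with nothing removed, and one of the rows that appears to be new is a post-update node, `mail.go:20:17:20:21 | write [postupdate]`, at the same location as the plain `write` row. The file header is not visible here, but if this test enumerates the nodes a mail-related query treats as message data, the same expression is now matched twice and the rows at line 18 (`definition of write`, `... := ...[0]`) look newly included as well. That can show up as duplicate or shifted alerts in the query that consumes this predicate. It is worth confirming the extra rows are intended rather than accepted along with the rest of the expectation churn, and if they are not, excluding `DataFlow::PostUpdateNode` in the predicate.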


@@ -1,26 +1,8 @@
edges
| main.go:18:46:18:48 | definition of req | main.go:18:46:18:48 | definition of req [Return] | provenance | |
| main.go:18:46:18:48 | definition of req | main.go:21:28:21:31 | name | provenance | |
| main.go:18:46:18:48 | definition of req | main.go:21:28:21:31 | name | provenance | |
| main.go:18:46:18:48 | definition of req [Return] | proto/Hello.pb.micro.go:85:53:85:54 | definition of in | provenance | |
| proto/Hello.pb.micro.go:85:53:85:54 | definition of in | proto/Hello.pb.micro.go:85:53:85:54 | definition of in [Return] | provenance | |
| proto/Hello.pb.micro.go:85:53:85:54 | definition of in | proto/Hello.pb.micro.go:86:37:86:38 | in | provenance | |
| proto/Hello.pb.micro.go:85:53:85:54 | definition of in | proto/Hello.pb.micro.go:86:37:86:38 | in | provenance | |
| proto/Hello.pb.micro.go:85:53:85:54 | definition of in [Return] | proto/Hello.pb.micro.go:85:53:85:54 | definition of in | provenance | |
| proto/Hello.pb.micro.go:86:37:86:38 | in | main.go:18:46:18:48 | definition of req | provenance | |
| proto/Hello.pb.micro.go:86:37:86:38 | in | main.go:18:46:18:48 | definition of req | provenance | |
| proto/Hello.pb.micro.go:86:37:86:38 | in | proto/Hello.pb.micro.go:85:53:85:54 | definition of in | provenance | |
| proto/Hello.pb.micro.go:86:37:86:38 | in | proto/Hello.pb.micro.go:85:53:85:54 | definition of in | provenance | |
nodes
| main.go:18:46:18:48 | definition of req | semmle.label | definition of req |
| main.go:18:46:18:48 | definition of req | semmle.label | definition of req |
| main.go:18:46:18:48 | definition of req [Return] | semmle.label | definition of req [Return] |
| main.go:21:28:21:31 | name | semmle.label | name |
| proto/Hello.pb.micro.go:85:53:85:54 | definition of in | semmle.label | definition of in |
| proto/Hello.pb.micro.go:85:53:85:54 | definition of in | semmle.label | definition of in |
| proto/Hello.pb.micro.go:85:53:85:54 | definition of in [Return] | semmle.label | definition of in [Return] |
| proto/Hello.pb.micro.go:86:37:86:38 | in | semmle.label | in |
| proto/Hello.pb.micro.go:86:37:86:38 | in | semmle.label | in |
subpaths
#select
| main.go:21:28:21:31 | name | main.go:18:46:18:48 | definition of req | main.go:21:28:21:31 | name | This log entry depends on a $@. | main.go:18:46:18:48 | definition of req | user-provided value |


@@ -86,16 +86,16 @@ invalidModelRow
| main.go:13:33:13:33 | v | main.go:13:2:13:52 | ... := ...[0] |
| main.go:13:36:13:45 | "/*JSON*/" | main.go:13:2:13:52 | ... := ...[0] |
| main.go:13:48:13:51 | " " | main.go:13:2:13:52 | ... := ...[0] |
| main.go:14:25:14:25 | b | main.go:14:9:14:41 | slice literal [postupdate] |
| main.go:14:28:14:30 | err | main.go:14:9:14:41 | slice literal [postupdate] |
| main.go:14:33:14:34 | b2 | main.go:14:9:14:41 | slice literal [postupdate] |
| main.go:14:37:14:40 | err2 | main.go:14:9:14:41 | slice literal [postupdate] |
| main.go:14:25:14:25 | b | main.go:14:9:14:41 | slice literal |
| main.go:14:28:14:30 | err | main.go:14:9:14:41 | slice literal |
| main.go:14:33:14:34 | b2 | main.go:14:9:14:41 | slice literal |
| main.go:14:37:14:40 | err2 | main.go:14:9:14:41 | slice literal |
| main.go:19:18:19:42 | call to DecodeString | main.go:19:2:19:42 | ... := ...[0] |
| main.go:19:18:19:42 | call to DecodeString | main.go:19:2:19:42 | ... := ...[1] |
| main.go:19:35:19:41 | encoded | main.go:19:2:19:42 | ... := ...[0] |
| main.go:23:25:23:31 | decoded | main.go:23:9:23:48 | slice literal [postupdate] |
| main.go:23:34:23:36 | err | main.go:23:9:23:48 | slice literal [postupdate] |
| main.go:23:39:23:47 | reEncoded | main.go:23:9:23:48 | slice literal [postupdate] |
| main.go:23:25:23:31 | decoded | main.go:23:9:23:48 | slice literal |
| main.go:23:34:23:36 | err | main.go:23:9:23:48 | slice literal |
| main.go:23:39:23:47 | reEncoded | main.go:23:9:23:48 | slice literal |
| main.go:28:2:28:4 | implicit dereference | main.go:28:2:28:4 | req [postupdate] |
| main.go:28:2:28:4 | implicit dereference | main.go:28:2:28:9 | selection of Body |
| main.go:28:2:28:4 | req | main.go:28:2:28:4 | implicit dereference |


@@ -56,8 +56,8 @@ edges
| SanitizingDoubleDash.go:9:2:9:8 | definition of tainted | SanitizingDoubleDash.go:80:23:80:29 | tainted | provenance | Config |
| SanitizingDoubleDash.go:9:13:9:19 | selection of URL | SanitizingDoubleDash.go:9:13:9:27 | call to Query | provenance | Src:MaD:2 MaD:7 |
| SanitizingDoubleDash.go:9:13:9:27 | call to Query | SanitizingDoubleDash.go:9:2:9:8 | definition of tainted | provenance | |
| SanitizingDoubleDash.go:13:15:13:32 | array literal [postupdate] [array] | SanitizingDoubleDash.go:14:23:14:30 | arrayLit [array] | provenance | |
| SanitizingDoubleDash.go:13:25:13:31 | tainted | SanitizingDoubleDash.go:13:15:13:32 | array literal [postupdate] [array] | provenance | |
| SanitizingDoubleDash.go:13:15:13:32 | array literal [array] | SanitizingDoubleDash.go:14:23:14:30 | arrayLit [array] | provenance | |
| SanitizingDoubleDash.go:13:25:13:31 | tainted | SanitizingDoubleDash.go:13:15:13:32 | array literal [array] | provenance | |
| SanitizingDoubleDash.go:14:23:14:30 | arrayLit [array] | SanitizingDoubleDash.go:14:23:14:33 | slice element node | provenance | |
| SanitizingDoubleDash.go:14:23:14:33 | slice element node | SanitizingDoubleDash.go:14:23:14:33 | slice expression | provenance | |
| SanitizingDoubleDash.go:39:14:39:44 | []type{args} [array] | SanitizingDoubleDash.go:39:14:39:44 | call to append | provenance | MaD:5 |
@@ -65,8 +65,8 @@ edges
| SanitizingDoubleDash.go:39:14:39:44 | call to append | SanitizingDoubleDash.go:40:23:40:30 | arrayLit | provenance | |
| SanitizingDoubleDash.go:39:14:39:44 | call to append [array] | SanitizingDoubleDash.go:40:23:40:30 | arrayLit | provenance | |
| SanitizingDoubleDash.go:39:31:39:37 | tainted | SanitizingDoubleDash.go:39:14:39:44 | []type{args} [array] | provenance | |
| SanitizingDoubleDash.go:52:15:52:31 | slice literal [postupdate] [array] | SanitizingDoubleDash.go:53:21:53:28 | arrayLit [array] | provenance | |
| SanitizingDoubleDash.go:52:24:52:30 | tainted | SanitizingDoubleDash.go:52:15:52:31 | slice literal [postupdate] [array] | provenance | |
| SanitizingDoubleDash.go:52:15:52:31 | slice literal [array] | SanitizingDoubleDash.go:53:21:53:28 | arrayLit [array] | provenance | |
| SanitizingDoubleDash.go:52:24:52:30 | tainted | SanitizingDoubleDash.go:52:15:52:31 | slice literal [array] | provenance | |
| SanitizingDoubleDash.go:52:24:52:30 | tainted | SanitizingDoubleDash.go:53:21:53:28 | arrayLit | provenance | |
| SanitizingDoubleDash.go:53:14:53:35 | call to append | SanitizingDoubleDash.go:54:23:54:30 | arrayLit | provenance | |
| SanitizingDoubleDash.go:53:14:53:35 | call to append [array] | SanitizingDoubleDash.go:54:23:54:30 | arrayLit | provenance | |
@@ -99,16 +99,16 @@ edges
| SanitizingDoubleDash.go:92:13:92:27 | call to Query | SanitizingDoubleDash.go:142:31:142:37 | tainted | provenance | |
| SanitizingDoubleDash.go:92:13:92:27 | call to Query | SanitizingDoubleDash.go:148:30:148:36 | tainted | provenance | |
| SanitizingDoubleDash.go:92:13:92:27 | call to Query | SanitizingDoubleDash.go:152:24:152:30 | tainted | provenance | |
| SanitizingDoubleDash.go:95:15:95:32 | array literal [postupdate] [array] | SanitizingDoubleDash.go:96:24:96:31 | arrayLit [array] | provenance | |
| SanitizingDoubleDash.go:95:25:95:31 | tainted | SanitizingDoubleDash.go:95:15:95:32 | array literal [postupdate] [array] | provenance | |
| SanitizingDoubleDash.go:95:15:95:32 | array literal [array] | SanitizingDoubleDash.go:96:24:96:31 | arrayLit [array] | provenance | |
| SanitizingDoubleDash.go:95:25:95:31 | tainted | SanitizingDoubleDash.go:95:15:95:32 | array literal [array] | provenance | |
| SanitizingDoubleDash.go:96:24:96:31 | arrayLit [array] | SanitizingDoubleDash.go:96:24:96:34 | slice element node | provenance | |
| SanitizingDoubleDash.go:96:24:96:34 | slice element node | SanitizingDoubleDash.go:96:24:96:34 | slice expression | provenance | |
| SanitizingDoubleDash.go:100:15:100:38 | array literal [postupdate] [array] | SanitizingDoubleDash.go:101:24:101:31 | arrayLit [array] | provenance | |
| SanitizingDoubleDash.go:100:31:100:37 | tainted | SanitizingDoubleDash.go:100:15:100:38 | array literal [postupdate] [array] | provenance | |
| SanitizingDoubleDash.go:100:15:100:38 | array literal [array] | SanitizingDoubleDash.go:101:24:101:31 | arrayLit [array] | provenance | |
| SanitizingDoubleDash.go:100:31:100:37 | tainted | SanitizingDoubleDash.go:100:15:100:38 | array literal [array] | provenance | |
| SanitizingDoubleDash.go:101:24:101:31 | arrayLit [array] | SanitizingDoubleDash.go:101:24:101:34 | slice element node | provenance | |
| SanitizingDoubleDash.go:101:24:101:34 | slice element node | SanitizingDoubleDash.go:101:24:101:34 | slice expression | provenance | |
| SanitizingDoubleDash.go:105:15:105:37 | slice literal [postupdate] [array] | SanitizingDoubleDash.go:106:24:106:31 | arrayLit | provenance | |
| SanitizingDoubleDash.go:105:30:105:36 | tainted | SanitizingDoubleDash.go:105:15:105:37 | slice literal [postupdate] [array] | provenance | |
| SanitizingDoubleDash.go:105:15:105:37 | slice literal [array] | SanitizingDoubleDash.go:106:24:106:31 | arrayLit | provenance | |
| SanitizingDoubleDash.go:105:30:105:36 | tainted | SanitizingDoubleDash.go:105:15:105:37 | slice literal [array] | provenance | |
| SanitizingDoubleDash.go:111:14:111:44 | []type{args} [array] | SanitizingDoubleDash.go:111:14:111:44 | call to append | provenance | MaD:5 |
| SanitizingDoubleDash.go:111:14:111:44 | []type{args} [array] | SanitizingDoubleDash.go:111:14:111:44 | call to append [array] | provenance | MaD:5 |
| SanitizingDoubleDash.go:111:14:111:44 | call to append | SanitizingDoubleDash.go:112:24:112:31 | arrayLit | provenance | |
@@ -124,8 +124,8 @@ edges
| SanitizingDoubleDash.go:123:14:123:38 | call to append | SanitizingDoubleDash.go:124:24:124:31 | arrayLit | provenance | |
| SanitizingDoubleDash.go:123:14:123:38 | call to append [array] | SanitizingDoubleDash.go:124:24:124:31 | arrayLit | provenance | |
| SanitizingDoubleDash.go:123:31:123:37 | tainted | SanitizingDoubleDash.go:123:14:123:38 | []type{args} [array] | provenance | |
| SanitizingDoubleDash.go:128:15:128:31 | slice literal [postupdate] [array] | SanitizingDoubleDash.go:129:21:129:28 | arrayLit [array] | provenance | |
| SanitizingDoubleDash.go:128:24:128:30 | tainted | SanitizingDoubleDash.go:128:15:128:31 | slice literal [postupdate] [array] | provenance | |
| SanitizingDoubleDash.go:128:15:128:31 | slice literal [array] | SanitizingDoubleDash.go:129:21:129:28 | arrayLit [array] | provenance | |
| SanitizingDoubleDash.go:128:24:128:30 | tainted | SanitizingDoubleDash.go:128:15:128:31 | slice literal [array] | provenance | |
| SanitizingDoubleDash.go:129:14:129:35 | call to append | SanitizingDoubleDash.go:130:24:130:31 | arrayLit | provenance | |
| SanitizingDoubleDash.go:129:14:129:35 | call to append [array] | SanitizingDoubleDash.go:130:24:130:31 | arrayLit | provenance | |
| SanitizingDoubleDash.go:129:21:129:28 | arrayLit | SanitizingDoubleDash.go:129:14:129:35 | call to append | provenance | MaD:4 |
@@ -184,7 +184,7 @@ nodes
| SanitizingDoubleDash.go:9:2:9:8 | definition of tainted | semmle.label | definition of tainted |
| SanitizingDoubleDash.go:9:13:9:19 | selection of URL | semmle.label | selection of URL |
| SanitizingDoubleDash.go:9:13:9:27 | call to Query | semmle.label | call to Query |
| SanitizingDoubleDash.go:13:15:13:32 | array literal [postupdate] [array] | semmle.label | array literal [postupdate] [array] |
| SanitizingDoubleDash.go:13:15:13:32 | array literal [array] | semmle.label | array literal [array] |
| SanitizingDoubleDash.go:13:25:13:31 | tainted | semmle.label | tainted |
| SanitizingDoubleDash.go:14:23:14:30 | arrayLit [array] | semmle.label | arrayLit [array] |
| SanitizingDoubleDash.go:14:23:14:33 | slice element node | semmle.label | slice element node |
@@ -194,7 +194,7 @@ nodes
| SanitizingDoubleDash.go:39:14:39:44 | call to append [array] | semmle.label | call to append [array] |
| SanitizingDoubleDash.go:39:31:39:37 | tainted | semmle.label | tainted |
| SanitizingDoubleDash.go:40:23:40:30 | arrayLit | semmle.label | arrayLit |
| SanitizingDoubleDash.go:52:15:52:31 | slice literal [postupdate] [array] | semmle.label | slice literal [postupdate] [array] |
| SanitizingDoubleDash.go:52:15:52:31 | slice literal [array] | semmle.label | slice literal [array] |
| SanitizingDoubleDash.go:52:24:52:30 | tainted | semmle.label | tainted |
| SanitizingDoubleDash.go:53:14:53:35 | call to append | semmle.label | call to append |
| SanitizingDoubleDash.go:53:14:53:35 | call to append [array] | semmle.label | call to append [array] |
@@ -213,17 +213,17 @@ nodes
| SanitizingDoubleDash.go:80:23:80:29 | tainted | semmle.label | tainted |
| SanitizingDoubleDash.go:92:13:92:19 | selection of URL | semmle.label | selection of URL |
| SanitizingDoubleDash.go:92:13:92:27 | call to Query | semmle.label | call to Query |
| SanitizingDoubleDash.go:95:15:95:32 | array literal [postupdate] [array] | semmle.label | array literal [postupdate] [array] |
| SanitizingDoubleDash.go:95:15:95:32 | array literal [array] | semmle.label | array literal [array] |
| SanitizingDoubleDash.go:95:25:95:31 | tainted | semmle.label | tainted |
| SanitizingDoubleDash.go:96:24:96:31 | arrayLit [array] | semmle.label | arrayLit [array] |
| SanitizingDoubleDash.go:96:24:96:34 | slice element node | semmle.label | slice element node |
| SanitizingDoubleDash.go:96:24:96:34 | slice expression | semmle.label | slice expression |
| SanitizingDoubleDash.go:100:15:100:38 | array literal [postupdate] [array] | semmle.label | array literal [postupdate] [array] |
| SanitizingDoubleDash.go:100:15:100:38 | array literal [array] | semmle.label | array literal [array] |
| SanitizingDoubleDash.go:100:31:100:37 | tainted | semmle.label | tainted |
| SanitizingDoubleDash.go:101:24:101:31 | arrayLit [array] | semmle.label | arrayLit [array] |
| SanitizingDoubleDash.go:101:24:101:34 | slice element node | semmle.label | slice element node |
| SanitizingDoubleDash.go:101:24:101:34 | slice expression | semmle.label | slice expression |
| SanitizingDoubleDash.go:105:15:105:37 | slice literal [postupdate] [array] | semmle.label | slice literal [postupdate] [array] |
| SanitizingDoubleDash.go:105:15:105:37 | slice literal [array] | semmle.label | slice literal [array] |
| SanitizingDoubleDash.go:105:30:105:36 | tainted | semmle.label | tainted |
| SanitizingDoubleDash.go:106:24:106:31 | arrayLit | semmle.label | arrayLit |
| SanitizingDoubleDash.go:111:14:111:44 | []type{args} [array] | semmle.label | []type{args} [array] |
@@ -241,7 +241,7 @@ nodes
| SanitizingDoubleDash.go:123:14:123:38 | call to append [array] | semmle.label | call to append [array] |
| SanitizingDoubleDash.go:123:31:123:37 | tainted | semmle.label | tainted |
| SanitizingDoubleDash.go:124:24:124:31 | arrayLit | semmle.label | arrayLit |
| SanitizingDoubleDash.go:128:15:128:31 | slice literal [postupdate] [array] | semmle.label | slice literal [postupdate] [array] |
| SanitizingDoubleDash.go:128:15:128:31 | slice literal [array] | semmle.label | slice literal [array] |
| SanitizingDoubleDash.go:128:24:128:30 | tainted | semmle.label | tainted |
| SanitizingDoubleDash.go:129:14:129:35 | call to append | semmle.label | call to append |
| SanitizingDoubleDash.go:129:14:129:35 | call to append [array] | semmle.label | call to append [array] |


@@ -33,24 +33,24 @@ edges
| SqlInjection.go:11:3:11:29 | index expression | SqlInjection.go:10:7:11:30 | call to Sprintf | provenance | FunctionModel |
| issue48.go:17:2:17:33 | ... := ...[0] | issue48.go:18:17:18:17 | b | provenance | |
| issue48.go:17:25:17:32 | selection of Body | issue48.go:17:2:17:33 | ... := ...[0] | provenance | Src:MaD:17 MaD:24 |
| issue48.go:18:17:18:17 | b | issue48.go:18:20:18:39 | &... | provenance | MaD:22 |
| issue48.go:18:20:18:39 | &... | issue48.go:21:3:21:33 | index expression | provenance | |
| issue48.go:18:17:18:17 | b | issue48.go:18:20:18:39 | &... [postupdate] | provenance | MaD:22 |
| issue48.go:18:20:18:39 | &... [postupdate] | issue48.go:21:3:21:33 | index expression | provenance | |
| issue48.go:20:8:21:34 | []type{args} [array] | issue48.go:20:8:21:34 | call to Sprintf | provenance | MaD:23 |
| issue48.go:20:8:21:34 | call to Sprintf | issue48.go:22:11:22:12 | q3 | provenance | Sink:MaD:1 |
| issue48.go:21:3:21:33 | index expression | issue48.go:20:8:21:34 | []type{args} [array] | provenance | |
| issue48.go:21:3:21:33 | index expression | issue48.go:20:8:21:34 | call to Sprintf | provenance | FunctionModel |
| issue48.go:27:2:27:34 | ... := ...[0] | issue48.go:28:17:28:18 | b2 | provenance | |
| issue48.go:27:26:27:33 | selection of Body | issue48.go:27:2:27:34 | ... := ...[0] | provenance | Src:MaD:17 MaD:24 |
| issue48.go:28:17:28:18 | b2 | issue48.go:28:21:28:41 | &... | provenance | MaD:22 |
| issue48.go:28:21:28:41 | &... | issue48.go:31:3:31:31 | selection of Category | provenance | |
| issue48.go:28:17:28:18 | b2 | issue48.go:28:21:28:41 | &... [postupdate] | provenance | MaD:22 |
| issue48.go:28:21:28:41 | &... [postupdate] | issue48.go:31:3:31:31 | selection of Category | provenance | |
| issue48.go:30:8:31:32 | []type{args} [array] | issue48.go:30:8:31:32 | call to Sprintf | provenance | MaD:23 |
| issue48.go:30:8:31:32 | call to Sprintf | issue48.go:32:11:32:12 | q4 | provenance | Sink:MaD:1 |
| issue48.go:31:3:31:31 | selection of Category | issue48.go:30:8:31:32 | []type{args} [array] | provenance | |
| issue48.go:31:3:31:31 | selection of Category | issue48.go:30:8:31:32 | call to Sprintf | provenance | FunctionModel |
| issue48.go:37:17:37:50 | type conversion | issue48.go:37:53:37:73 | &... | provenance | MaD:22 |
| issue48.go:37:17:37:50 | type conversion | issue48.go:37:53:37:73 | &... [postupdate] | provenance | MaD:22 |
| issue48.go:37:24:37:30 | selection of URL | issue48.go:37:24:37:38 | call to Query | provenance | Src:MaD:21 MaD:26 |
| issue48.go:37:24:37:38 | call to Query | issue48.go:37:17:37:50 | type conversion | provenance | |
| issue48.go:37:53:37:73 | &... | issue48.go:40:3:40:31 | selection of Category | provenance | |
| issue48.go:37:53:37:73 | &... [postupdate] | issue48.go:40:3:40:31 | selection of Category | provenance | |
| issue48.go:39:8:40:32 | []type{args} [array] | issue48.go:39:8:40:32 | call to Sprintf | provenance | MaD:23 |
| issue48.go:39:8:40:32 | call to Sprintf | issue48.go:41:11:41:12 | q5 | provenance | Sink:MaD:1 |
| issue48.go:40:3:40:31 | selection of Category | issue48.go:39:8:40:32 | []type{args} [array] | provenance | |
@@ -76,39 +76,33 @@ edges
| main.go:34:3:34:13 | implicit dereference [Category] | main.go:34:3:34:22 | selection of Category | provenance | |
| main.go:34:3:34:22 | selection of Category | main.go:33:7:34:23 | []type{args} [array] | provenance | |
| main.go:34:3:34:22 | selection of Category | main.go:33:7:34:23 | call to Sprintf | provenance | FunctionModel |
| main.go:39:2:39:12 | definition of RequestData [pointer, Category] | main.go:40:2:40:12 | RequestData [pointer, Category] | provenance | |
| main.go:39:2:39:12 | definition of RequestData [pointer, Category] | main.go:43:3:43:13 | RequestData [pointer, Category] | provenance | |
| main.go:40:2:40:12 | RequestData [pointer, Category] | main.go:40:2:40:12 | implicit dereference [Category] | provenance | |
| main.go:40:2:40:12 | implicit dereference [Category] | main.go:39:2:39:12 | definition of RequestData [pointer, Category] | provenance | |
| main.go:40:2:40:12 | RequestData [postupdate] [pointer, Category] | main.go:43:3:43:13 | RequestData [pointer, Category] | provenance | |
| main.go:40:2:40:12 | implicit dereference [postupdate] [Category] | main.go:40:2:40:12 | RequestData [postupdate] [pointer, Category] | provenance | |
| main.go:40:25:40:31 | selection of URL | main.go:40:25:40:39 | call to Query | provenance | Src:MaD:21 MaD:26 |
| main.go:40:25:40:39 | call to Query | main.go:40:25:40:51 | index expression | provenance | |
| main.go:40:25:40:51 | index expression | main.go:40:2:40:12 | implicit dereference [Category] | provenance | |
| main.go:40:25:40:51 | index expression | main.go:40:2:40:12 | implicit dereference [postupdate] [Category] | provenance | |
| main.go:42:7:43:23 | []type{args} [array] | main.go:42:7:43:23 | call to Sprintf | provenance | MaD:23 |
| main.go:42:7:43:23 | call to Sprintf | main.go:44:11:44:11 | q | provenance | Sink:MaD:1 |
| main.go:43:3:43:13 | RequestData [pointer, Category] | main.go:43:3:43:13 | implicit dereference [Category] | provenance | |
| main.go:43:3:43:13 | implicit dereference [Category] | main.go:43:3:43:22 | selection of Category | provenance | |
| main.go:43:3:43:22 | selection of Category | main.go:42:7:43:23 | []type{args} [array] | provenance | |
| main.go:43:3:43:22 | selection of Category | main.go:42:7:43:23 | call to Sprintf | provenance | FunctionModel |
| main.go:48:2:48:12 | definition of RequestData [pointer, Category] | main.go:49:4:49:14 | RequestData [pointer, Category] | provenance | |
| main.go:48:2:48:12 | definition of RequestData [pointer, Category] | main.go:52:3:52:13 | RequestData [pointer, Category] | provenance | |
| main.go:49:3:49:14 | star expression [Category] | main.go:48:2:48:12 | definition of RequestData [pointer, Category] | provenance | |
| main.go:49:4:49:14 | RequestData [pointer, Category] | main.go:49:3:49:14 | star expression [Category] | provenance | |
| main.go:49:3:49:14 | star expression [postupdate] [Category] | main.go:49:4:49:14 | RequestData [postupdate] [pointer, Category] | provenance | |
| main.go:49:4:49:14 | RequestData [postupdate] [pointer, Category] | main.go:52:3:52:13 | RequestData [pointer, Category] | provenance | |
| main.go:49:28:49:34 | selection of URL | main.go:49:28:49:42 | call to Query | provenance | Src:MaD:21 MaD:26 |
| main.go:49:28:49:42 | call to Query | main.go:49:28:49:54 | index expression | provenance | |
| main.go:49:28:49:54 | index expression | main.go:49:3:49:14 | star expression [Category] | provenance | |
| main.go:49:28:49:54 | index expression | main.go:49:3:49:14 | star expression [postupdate] [Category] | provenance | |
| main.go:51:7:52:23 | []type{args} [array] | main.go:51:7:52:23 | call to Sprintf | provenance | MaD:23 |
| main.go:51:7:52:23 | call to Sprintf | main.go:53:11:53:11 | q | provenance | Sink:MaD:1 |
| main.go:52:3:52:13 | RequestData [pointer, Category] | main.go:52:3:52:13 | implicit dereference [Category] | provenance | |
| main.go:52:3:52:13 | implicit dereference [Category] | main.go:52:3:52:22 | selection of Category | provenance | |
| main.go:52:3:52:22 | selection of Category | main.go:51:7:52:23 | []type{args} [array] | provenance | |
| main.go:52:3:52:22 | selection of Category | main.go:51:7:52:23 | call to Sprintf | provenance | FunctionModel |
| main.go:57:2:57:12 | definition of RequestData [pointer, Category] | main.go:58:4:58:14 | RequestData [pointer, Category] | provenance | |
| main.go:57:2:57:12 | definition of RequestData [pointer, Category] | main.go:61:5:61:15 | RequestData [pointer, Category] | provenance | |
| main.go:58:3:58:14 | star expression [Category] | main.go:57:2:57:12 | definition of RequestData [pointer, Category] | provenance | |
| main.go:58:4:58:14 | RequestData [pointer, Category] | main.go:58:3:58:14 | star expression [Category] | provenance | |
| main.go:58:3:58:14 | star expression [postupdate] [Category] | main.go:58:4:58:14 | RequestData [postupdate] [pointer, Category] | provenance | |
| main.go:58:4:58:14 | RequestData [postupdate] [pointer, Category] | main.go:61:5:61:15 | RequestData [pointer, Category] | provenance | |
| main.go:58:28:58:34 | selection of URL | main.go:58:28:58:42 | call to Query | provenance | Src:MaD:21 MaD:26 |
| main.go:58:28:58:42 | call to Query | main.go:58:28:58:54 | index expression | provenance | |
| main.go:58:28:58:54 | index expression | main.go:58:3:58:14 | star expression [Category] | provenance | |
| main.go:58:28:58:54 | index expression | main.go:58:3:58:14 | star expression [postupdate] [Category] | provenance | |
| main.go:60:7:61:26 | []type{args} [array] | main.go:60:7:61:26 | call to Sprintf | provenance | MaD:23 |
| main.go:60:7:61:26 | call to Sprintf | main.go:62:11:62:11 | q | provenance | Sink:MaD:1 |
| main.go:61:3:61:25 | selection of Category | main.go:60:7:61:26 | []type{args} [array] | provenance | |
@@ -170,7 +164,7 @@ nodes
| issue48.go:17:2:17:33 | ... := ...[0] | semmle.label | ... := ...[0] |
| issue48.go:17:25:17:32 | selection of Body | semmle.label | selection of Body |
| issue48.go:18:17:18:17 | b | semmle.label | b |
| issue48.go:18:20:18:39 | &... | semmle.label | &... |
| issue48.go:18:20:18:39 | &... [postupdate] | semmle.label | &... [postupdate] |
| issue48.go:20:8:21:34 | []type{args} [array] | semmle.label | []type{args} [array] |
| issue48.go:20:8:21:34 | call to Sprintf | semmle.label | call to Sprintf |
| issue48.go:21:3:21:33 | index expression | semmle.label | index expression |
@@ -178,7 +172,7 @@ nodes
| issue48.go:27:2:27:34 | ... := ...[0] | semmle.label | ... := ...[0] |
| issue48.go:27:26:27:33 | selection of Body | semmle.label | selection of Body |
| issue48.go:28:17:28:18 | b2 | semmle.label | b2 |
| issue48.go:28:21:28:41 | &... | semmle.label | &... |
| issue48.go:28:21:28:41 | &... [postupdate] | semmle.label | &... [postupdate] |
| issue48.go:30:8:31:32 | []type{args} [array] | semmle.label | []type{args} [array] |
| issue48.go:30:8:31:32 | call to Sprintf | semmle.label | call to Sprintf |
| issue48.go:31:3:31:31 | selection of Category | semmle.label | selection of Category |
@@ -186,7 +180,7 @@ nodes
| issue48.go:37:17:37:50 | type conversion | semmle.label | type conversion |
| issue48.go:37:24:37:30 | selection of URL | semmle.label | selection of URL |
| issue48.go:37:24:37:38 | call to Query | semmle.label | call to Query |
| issue48.go:37:53:37:73 | &... | semmle.label | &... |
| issue48.go:37:53:37:73 | &... [postupdate] | semmle.label | &... [postupdate] |
| issue48.go:39:8:40:32 | []type{args} [array] | semmle.label | []type{args} [array] |
| issue48.go:39:8:40:32 | call to Sprintf | semmle.label | call to Sprintf |
| issue48.go:40:3:40:31 | selection of Category | semmle.label | selection of Category |
@@ -213,9 +207,8 @@ nodes
| main.go:34:3:34:13 | implicit dereference [Category] | semmle.label | implicit dereference [Category] |
| main.go:34:3:34:22 | selection of Category | semmle.label | selection of Category |
| main.go:35:11:35:11 | q | semmle.label | q |
| main.go:39:2:39:12 | definition of RequestData [pointer, Category] | semmle.label | definition of RequestData [pointer, Category] |
| main.go:40:2:40:12 | RequestData [pointer, Category] | semmle.label | RequestData [pointer, Category] |
| main.go:40:2:40:12 | implicit dereference [Category] | semmle.label | implicit dereference [Category] |
| main.go:40:2:40:12 | RequestData [postupdate] [pointer, Category] | semmle.label | RequestData [postupdate] [pointer, Category] |
| main.go:40:2:40:12 | implicit dereference [postupdate] [Category] | semmle.label | implicit dereference [postupdate] [Category] |
| main.go:40:25:40:31 | selection of URL | semmle.label | selection of URL |
| main.go:40:25:40:39 | call to Query | semmle.label | call to Query |
| main.go:40:25:40:51 | index expression | semmle.label | index expression |
@@ -225,9 +218,8 @@ nodes
| main.go:43:3:43:13 | implicit dereference [Category] | semmle.label | implicit dereference [Category] |
| main.go:43:3:43:22 | selection of Category | semmle.label | selection of Category |
| main.go:44:11:44:11 | q | semmle.label | q |
| main.go:48:2:48:12 | definition of RequestData [pointer, Category] | semmle.label | definition of RequestData [pointer, Category] |
| main.go:49:3:49:14 | star expression [Category] | semmle.label | star expression [Category] |
| main.go:49:4:49:14 | RequestData [pointer, Category] | semmle.label | RequestData [pointer, Category] |
| main.go:49:3:49:14 | star expression [postupdate] [Category] | semmle.label | star expression [postupdate] [Category] |
| main.go:49:4:49:14 | RequestData [postupdate] [pointer, Category] | semmle.label | RequestData [postupdate] [pointer, Category] |
| main.go:49:28:49:34 | selection of URL | semmle.label | selection of URL |
| main.go:49:28:49:42 | call to Query | semmle.label | call to Query |
| main.go:49:28:49:54 | index expression | semmle.label | index expression |
@@ -237,9 +229,8 @@ nodes
| main.go:52:3:52:13 | implicit dereference [Category] | semmle.label | implicit dereference [Category] |
| main.go:52:3:52:22 | selection of Category | semmle.label | selection of Category |
| main.go:53:11:53:11 | q | semmle.label | q |
| main.go:57:2:57:12 | definition of RequestData [pointer, Category] | semmle.label | definition of RequestData [pointer, Category] |
| main.go:58:3:58:14 | star expression [Category] | semmle.label | star expression [Category] |
| main.go:58:4:58:14 | RequestData [pointer, Category] | semmle.label | RequestData [pointer, Category] |
| main.go:58:3:58:14 | star expression [postupdate] [Category] | semmle.label | star expression [postupdate] [Category] |
| main.go:58:4:58:14 | RequestData [postupdate] [pointer, Category] | semmle.label | RequestData [postupdate] [pointer, Category] |
| main.go:58:28:58:34 | selection of URL | semmle.label | selection of URL |
| main.go:58:28:58:42 | call to Query | semmle.label | call to Query |
| main.go:58:28:58:54 | index expression | semmle.label | index expression |


@@ -64,9 +64,22 @@ func bad3() *http.Transport {
return transport
}
func good3() *http.Transport {
insecureTransport := &http.Transport{
TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // OK
func good3(i int) *http.Transport {
if i == 0 {
insecureTransport := &http.Transport{
TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // OK
}
return insecureTransport
} else if i == 1 {
temp1 := tls.Config{InsecureSkipVerify: true}
temp2 := &temp1
selfSignConfig := &http.Transport{TLSClientConfig: temp2} // OK
return selfSignConfig
} else if i == 2 {
temp1 := tls.Config{}
temp1.InsecureSkipVerify = true
untrustedTransport := &http.Transport{TLSClientConfig: &temp1} // OK
return untrustedTransport
}
return insecureTransport
return nil
}
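Review bot: The new `i == 2` branch of `good3` covers the non-initializing write `temp1.InsecureSkipVerify = true` only where no alert is expected, so this section cannot show that the same write is still reported when nothing marks it as intentional. Unless a case outside this hunk already does that, a sibling of `bad3` that builds the config the same way under neutral names would pin it: `cfg := tls.Config{}`, `cfg.InsecureSkipVerify = true`, `return &http.Transport{TLSClientConfig: &cfg}`. The `// OK` markers also do not say why these cases are accepted. Presumably it is the variable names (`insecureTransport`, `selfSignConfig`, `untrustedTransport`), and a one-line comment above `good3` saying so would keep a later rename from silently changing what the test checks. `bad3`'s body starts outside the hunk.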


@@ -187,10 +187,10 @@ edges
| passwords.go:30:8:30:15 | password | passwords.go:8:12:8:12 | definition of x | provenance | |
| passwords.go:34:28:34:35 | password | passwords.go:34:14:34:35 | ...+... | provenance | Config |
| passwords.go:34:28:34:35 | password | passwords.go:42:6:42:13 | password | provenance | |
| passwords.go:36:10:38:2 | struct literal [postupdate] | passwords.go:39:14:39:17 | obj1 | provenance | |
| passwords.go:37:13:37:13 | x | passwords.go:36:10:38:2 | struct literal [postupdate] | provenance | Config |
| passwords.go:41:10:43:2 | struct literal [postupdate] | passwords.go:44:14:44:17 | obj2 | provenance | |
| passwords.go:42:6:42:13 | password | passwords.go:41:10:43:2 | struct literal [postupdate] | provenance | Config |
| passwords.go:36:10:38:2 | struct literal | passwords.go:39:14:39:17 | obj1 | provenance | |
| passwords.go:37:13:37:13 | x | passwords.go:36:10:38:2 | struct literal | provenance | Config |
| passwords.go:41:10:43:2 | struct literal | passwords.go:44:14:44:17 | obj2 | provenance | |
| passwords.go:42:6:42:13 | password | passwords.go:41:10:43:2 | struct literal | provenance | Config |
| passwords.go:42:6:42:13 | password | passwords.go:48:11:48:18 | password | provenance | |
| passwords.go:48:11:48:18 | password | passwords.go:92:23:92:28 | secret | provenance | |
| passwords.go:48:11:48:18 | password | passwords.go:102:33:102:40 | password | provenance | |
@@ -198,8 +198,8 @@ edges
| passwords.go:48:11:48:18 | password | passwords.go:113:33:113:40 | password | provenance | |
| passwords.go:48:11:48:18 | password | passwords.go:123:13:123:20 | password | provenance | |
| passwords.go:50:2:50:15 | definition of fixed_password | passwords.go:51:14:51:27 | fixed_password | provenance | |
| passwords.go:86:19:88:2 | struct literal [postupdate] | passwords.go:89:14:89:26 | utilityObject | provenance | |
| passwords.go:87:16:87:36 | call to make | passwords.go:86:19:88:2 | struct literal [postupdate] | provenance | Config |
| passwords.go:86:19:88:2 | struct literal | passwords.go:89:14:89:26 | utilityObject | provenance | |
| passwords.go:87:16:87:36 | call to make | passwords.go:86:19:88:2 | struct literal | provenance | Config |
| passwords.go:102:33:102:40 | password | passwords.go:102:15:102:40 | ...+... | provenance | Config |
| passwords.go:102:33:102:40 | password | passwords.go:108:34:108:41 | password | provenance | |
| passwords.go:102:33:102:40 | password | passwords.go:113:33:113:40 | password | provenance | |
@@ -212,14 +212,14 @@ edges
| passwords.go:116:6:116:14 | definition of password1 | passwords.go:117:28:117:36 | password1 | provenance | |
| passwords.go:117:28:117:36 | password1 | passwords.go:117:28:117:45 | call to String | provenance | Config |
| passwords.go:117:28:117:45 | call to String | passwords.go:117:14:117:45 | ...+... | provenance | Config |
| passwords.go:120:12:125:2 | struct literal [postupdate] | passwords.go:127:14:127:19 | config | provenance | |
| passwords.go:120:12:125:2 | struct literal [postupdate] [x] | passwords.go:128:14:128:19 | config [x] | provenance | |
| passwords.go:120:12:125:2 | struct literal [postupdate] [y] | passwords.go:129:14:129:19 | config [y] | provenance | |
| passwords.go:121:13:121:14 | x3 | passwords.go:120:12:125:2 | struct literal [postupdate] | provenance | Config |
| passwords.go:123:13:123:20 | password | passwords.go:120:12:125:2 | struct literal [postupdate] | provenance | Config |
| passwords.go:123:13:123:20 | password | passwords.go:120:12:125:2 | struct literal [postupdate] [x] | provenance | |
| passwords.go:124:13:124:25 | call to getPassword | passwords.go:120:12:125:2 | struct literal [postupdate] | provenance | Config |
| passwords.go:124:13:124:25 | call to getPassword | passwords.go:120:12:125:2 | struct literal [postupdate] [y] | provenance | |
| passwords.go:120:12:125:2 | struct literal | passwords.go:127:14:127:19 | config | provenance | |
| passwords.go:120:12:125:2 | struct literal [x] | passwords.go:128:14:128:19 | config [x] | provenance | |
| passwords.go:120:12:125:2 | struct literal [y] | passwords.go:129:14:129:19 | config [y] | provenance | |
| passwords.go:121:13:121:14 | x3 | passwords.go:120:12:125:2 | struct literal | provenance | Config |
| passwords.go:123:13:123:20 | password | passwords.go:120:12:125:2 | struct literal | provenance | Config |
| passwords.go:123:13:123:20 | password | passwords.go:120:12:125:2 | struct literal [x] | provenance | |
| passwords.go:124:13:124:25 | call to getPassword | passwords.go:120:12:125:2 | struct literal | provenance | Config |
| passwords.go:124:13:124:25 | call to getPassword | passwords.go:120:12:125:2 | struct literal [y] | provenance | |
| passwords.go:128:14:128:19 | config [x] | passwords.go:128:14:128:21 | selection of x | provenance | |
| passwords.go:129:14:129:19 | config [y] | passwords.go:129:14:129:21 | selection of y | provenance | |
| protobuf.go:9:2:9:9 | definition of password | protobuf.go:12:22:12:29 | password | provenance | |
@@ -311,16 +311,16 @@ nodes
| passwords.go:32:12:32:19 | password | semmle.label | password |
| passwords.go:34:14:34:35 | ...+... | semmle.label | ...+... |
| passwords.go:34:28:34:35 | password | semmle.label | password |
| passwords.go:36:10:38:2 | struct literal [postupdate] | semmle.label | struct literal [postupdate] |
| passwords.go:36:10:38:2 | struct literal | semmle.label | struct literal |
| passwords.go:37:13:37:13 | x | semmle.label | x |
| passwords.go:39:14:39:17 | obj1 | semmle.label | obj1 |
| passwords.go:41:10:43:2 | struct literal [postupdate] | semmle.label | struct literal [postupdate] |
| passwords.go:41:10:43:2 | struct literal | semmle.label | struct literal |
| passwords.go:42:6:42:13 | password | semmle.label | password |
| passwords.go:44:14:44:17 | obj2 | semmle.label | obj2 |
| passwords.go:48:11:48:18 | password | semmle.label | password |
| passwords.go:50:2:50:15 | definition of fixed_password | semmle.label | definition of fixed_password |
| passwords.go:51:14:51:27 | fixed_password | semmle.label | fixed_password |
| passwords.go:86:19:88:2 | struct literal [postupdate] | semmle.label | struct literal [postupdate] |
| passwords.go:86:19:88:2 | struct literal | semmle.label | struct literal |
| passwords.go:87:16:87:36 | call to make | semmle.label | call to make |
| passwords.go:89:14:89:26 | utilityObject | semmle.label | utilityObject |
| passwords.go:92:23:92:28 | secret | semmle.label | secret |
@@ -334,9 +334,9 @@ nodes
| passwords.go:117:14:117:45 | ...+... | semmle.label | ...+... |
| passwords.go:117:28:117:36 | password1 | semmle.label | password1 |
| passwords.go:117:28:117:45 | call to String | semmle.label | call to String |
| passwords.go:120:12:125:2 | struct literal [postupdate] | semmle.label | struct literal [postupdate] |
| passwords.go:120:12:125:2 | struct literal [postupdate] [x] | semmle.label | struct literal [postupdate] [x] |
| passwords.go:120:12:125:2 | struct literal [postupdate] [y] | semmle.label | struct literal [postupdate] [y] |
| passwords.go:120:12:125:2 | struct literal | semmle.label | struct literal |
| passwords.go:120:12:125:2 | struct literal [x] | semmle.label | struct literal [x] |
| passwords.go:120:12:125:2 | struct literal [y] | semmle.label | struct literal [y] |
| passwords.go:121:13:121:14 | x3 | semmle.label | x3 |
| passwords.go:123:13:123:20 | password | semmle.label | password |
| passwords.go:124:13:124:25 | call to getPassword | semmle.label | call to getPassword |