diff --git a/ql/src/Security/CWE-312/CleartextLoggingGood.go b/ql/src/Security/CWE-312/CleartextLoggingGood.go
index 3b4e193775c..5bc6b7302d0 100644
--- a/ql/src/Security/CWE-312/CleartextLoggingGood.go
+++ b/ql/src/Security/CWE-312/CleartextLoggingGood.go
@@ -1,5 +1,3 @@
-// +build ignore
-
 package main
 
 import (
@@ -14,6 +12,9 @@ func serve1() {
 pw := r.Form.Get("password")
 log.Printf("Registering new user %s.\n", user)
+
+ // ...
+ use(pw)
 })
 http.ListenAndServe(":80", nil)
 }
diff --git a/ql/src/Security/CWE-798/HardcodedCredentials.go b/ql/src/Security/CWE-798/HardcodedCredentials.go
index 417b078266c..9324325bbd5 100644
--- a/ql/src/Security/CWE-798/HardcodedCredentials.go
+++ b/ql/src/Security/CWE-798/HardcodedCredentials.go
@@ -1,5 +1,3 @@
-// +build ignore
-
 package main
 
 import (
diff --git a/ql/test/query-tests/Security/CWE-089/vendor/github.com/Masterminds/squirrel/squirrel.go b/ql/test/query-tests/Security/CWE-089/vendor/github.com/Masterminds/squirrel/squirrel.go
index 8058595eb01..78a19d3a6f2 100644
--- a/ql/test/query-tests/Security/CWE-089/vendor/github.com/Masterminds/squirrel/squirrel.go
+++ b/ql/test/query-tests/Security/CWE-089/vendor/github.com/Masterminds/squirrel/squirrel.go
@@ -2,8 +2,8 @@ package squirrel
 
 type StatementBuilderType struct{}
 
-func Expr(e string) string {
- return Expr(e)
+func Expr(e string, args ...interface{}) string {
+ return Expr(e, args...)
 }
 
 var StatementBuilder = &StatementBuilderType{}
diff --git a/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected b/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected
index 3c4f58fbe4d..d733441b08e 100644
--- a/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected
+++ b/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected
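Review bot: The `// ...` placeholder added above `use(pw)` does not tell a reader what makes this the good counterpart of the cleartext-logging example, namely that the password is deliberately kept out of the `log.Printf` call on the line above it. A comment such as `// pw is needed for registration below but is never passed to the logger` would make that contrast explicit for anyone reading the snippet in the query help. The same hunk appears verbatim in the test copy at ql/test/query-tests/Security/CWE-312/CleartextLoggingGood.go and the note applies there too. The enclosing handler closure and serve1 start before this hunk.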
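Review bot: The new body of the `Expr` stub, `return Expr(e, args...)`, calls itself unconditionally, so the stub would overflow the stack if it were ever executed rather than only analysed. If the change only needs the variadic `args` parameter in the signature for the CWE-089 tests, `return e` is a non-recursive body that compiles equally well; if the self-call is deliberate so that the body carries no data flow of its own, a one-line comment such as `// body is intentionally opaque and never executed` would stop the next reader from "fixing" it. Which of the two the query tests rely on is not visible from this hunk.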
@@ -20,8 +20,9 @@ edges
 | passwords.go:122:13:122:25 | call to getPassword : string | passwords.go:125:14:125:19 | config |
 | passwords.go:126:14:126:19 | config [x] : string | passwords.go:126:14:126:21 | selection of x |
 | passwords.go:127:14:127:19 | config [y] : string | passwords.go:127:14:127:21 | selection of y |
-| util.go:14:9:14:18 | selection of password : string | passwords.go:28:14:28:28 | call to getPassword |
+| util.go:16:9:16:18 | selection of password : string | passwords.go:28:14:28:28 | call to getPassword |
 nodes
+| main.go:12:14:12:21 | password | semmle.label | password |
 | passwords.go:8:12:8:12 | definition of x : string | semmle.label | definition of x : string |
 | passwords.go:9:14:9:14 | x | semmle.label | x |
 | passwords.go:25:14:25:21 | password | semmle.label | password |
@@ -61,14 +62,15 @@ nodes
 | passwords.go:126:14:126:21 | selection of x | semmle.label | selection of x |
 | passwords.go:127:14:127:19 | config [y] : string | semmle.label | config [y] : string |
 | passwords.go:127:14:127:21 | selection of y | semmle.label | selection of y |
-| util.go:14:9:14:18 | selection of password : string | semmle.label | selection of password : string |
+| util.go:16:9:16:18 | selection of password : string | semmle.label | selection of password : string |
 #select
+| main.go:12:14:12:21 | password | main.go:12:14:12:21 | password | main.go:12:14:12:21 | password | Sensitive data returned by $@ is logged here. | main.go:12:14:12:21 | password | an access to password |
 | passwords.go:9:14:9:14 | x | passwords.go:30:8:30:15 | password : string | passwords.go:9:14:9:14 | x | Sensitive data returned by $@ is logged here. | passwords.go:30:8:30:15 | password | an access to password |
 | passwords.go:25:14:25:21 | password | passwords.go:25:14:25:21 | password | passwords.go:25:14:25:21 | password | Sensitive data returned by $@ is logged here. | passwords.go:25:14:25:21 | password | an access to password |
 | passwords.go:26:14:26:23 | selection of password | passwords.go:26:14:26:23 | selection of password | passwords.go:26:14:26:23 | selection of password | Sensitive data returned by $@ is logged here. | passwords.go:26:14:26:23 | selection of password | an access to password |
 | passwords.go:27:14:27:26 | call to getPassword | passwords.go:27:14:27:26 | call to getPassword | passwords.go:27:14:27:26 | call to getPassword | Sensitive data returned by $@ is logged here. | passwords.go:27:14:27:26 | call to getPassword | a call to getPassword |
 | passwords.go:28:14:28:28 | call to getPassword | passwords.go:28:14:28:28 | call to getPassword | passwords.go:28:14:28:28 | call to getPassword | Sensitive data returned by $@ is logged here. | passwords.go:28:14:28:28 | call to getPassword | a call to getPassword |
-| passwords.go:28:14:28:28 | call to getPassword | util.go:14:9:14:18 | selection of password : string | passwords.go:28:14:28:28 | call to getPassword | Sensitive data returned by $@ is logged here. | util.go:14:9:14:18 | selection of password | an access to password |
+| passwords.go:28:14:28:28 | call to getPassword | util.go:16:9:16:18 | selection of password : string | passwords.go:28:14:28:28 | call to getPassword | Sensitive data returned by $@ is logged here. | util.go:16:9:16:18 | selection of password | an access to password |
 | passwords.go:32:12:32:19 | password | passwords.go:32:12:32:19 | password | passwords.go:32:12:32:19 | password | Sensitive data returned by $@ is logged here. | passwords.go:32:12:32:19 | password | an access to password |
 | passwords.go:34:14:34:35 | ...+... | passwords.go:34:28:34:35 | password : string | passwords.go:34:14:34:35 | ...+... | Sensitive data returned by $@ is logged here. | passwords.go:34:28:34:35 | password | an access to password |
 | passwords.go:39:14:39:17 | obj1 | passwords.go:36:10:38:2 | composite literal : passStruct | passwords.go:39:14:39:17 | obj1 | Sensitive data returned by $@ is logged here. | passwords.go:36:10:38:2 | composite literal | an access to password |
diff --git a/ql/test/query-tests/Security/CWE-312/CleartextLoggingGood.go b/ql/test/query-tests/Security/CWE-312/CleartextLoggingGood.go
index 3b4e193775c..5bc6b7302d0 100644
--- a/ql/test/query-tests/Security/CWE-312/CleartextLoggingGood.go
+++ b/ql/test/query-tests/Security/CWE-312/CleartextLoggingGood.go
@@ -1,5 +1,3 @@
-// +build ignore
-
 package main
 
 import (
@@ -14,6 +12,9 @@ func serve1() {
 pw := r.Form.Get("password")
 log.Printf("Registering new user %s.\n", user)
+
+ // ...
+ use(pw)
 })
 http.ListenAndServe(":80", nil)
 }
diff --git a/ql/test/query-tests/Security/CWE-312/CleartextStorage.go b/ql/test/query-tests/Security/CWE-312/CleartextStorage.go
deleted file mode 100644
index df59e07a9cd..00000000000
--- a/ql/test/query-tests/Security/CWE-312/CleartextStorage.go
+++ /dev/null
@@ -1,21 +0,0 @@
-package main
-
-import (
- "net/http"
-)
-
-func serve2() {
- http.HandleFunc("/register", func(w http.ResponseWriter, r *http.Request) {
- r.ParseForm()
- user := r.Form.Get("user")
- pw := r.Form.Get("password")
-
- userdb.Store(user, pw)
-
- var pwCookie http.Cookie
- pwCookie.Name = "password"
- pwCookie.Value = pw
- http.SetCookie(w, &pwCookie)
- })
- http.ListenAndServe(":80", nil)
-}
diff --git a/ql/test/query-tests/Security/CWE-312/CleartextStorageGood.go b/ql/test/query-tests/Security/CWE-312/CleartextStorageGood.go
deleted file mode 100644
index 5fc7a4789c8..00000000000
--- a/ql/test/query-tests/Security/CWE-312/CleartextStorageGood.go
+++ /dev/null
@@ -1,62 +0,0 @@
-// +build ignore
-
-package main
-
-import (
- "crypto/rand"
- "encoding/base64"
- "fmt"
- "log"
- "net/http"
-
- "golang.org/x/crypto/scrypt"
-)
-
-var tokens = make(map[string]string)
-
-func saltAndHash(pw string) ([]byte, []byte) {
- salt := make([]byte, 64)
- _, err := io.ReadFull(rand.Reader, salt)
- if err != nil {
- log.Fatal(err)
- }
-
- hash, err := scrypt.Key([]byte(password), salt, 32768, 8, 1, 64)
-
- return hash, salt
-}
-
-func genToken(user string) {
- res := make([]byte, 32)
- _, err := io.ReadFull(rand.Reader, salt)
- if err != nil {
- log.Fatal(err)
- }
-
- base64, err := base64.EncodeToString(res)
- if err != nil {
- log.Fatal(err)
- }
-
- return base64
-}
-
-func serve1() {
- http.HandleFunc("/register", func(w http.ResponseWriter, r *http.Request) {
- r.ParseForm()
- user := r.Form.Get("user")
- pw := r.Form.Get("password")
-
- log.Printf("Registering new user %s.\n", user)
-
- hash, salt = saltAndHash(pw)
-
- userdb.Store(user, hash, salt)
-
- var tokenCookie Cookie
- tokenCookie.Name = "auth"
- tokenCookie.Value = genToken(user)
- http.SetCookie(w, encrypt(pwCookie))
- })
- http.ListenAndServe(":80", nil)
-}
diff --git a/ql/test/query-tests/Security/CWE-312/go.mod b/ql/test/query-tests/Security/CWE-312/go.mod
index 98d9f66c07c..42d2d04ca9f 100644
--- a/ql/test/query-tests/Security/CWE-312/go.mod
+++ b/ql/test/query-tests/Security/CWE-312/go.mod
@@ -1,3 +1,8 @@
 module main
 
 go 1.13
+
+require (
+ github.com/golang/glog v0.0.0
+ github.com/sirupsen/logrus v0.0.0
+)
diff --git a/ql/test/query-tests/Security/CWE-312/main.go b/ql/test/query-tests/Security/CWE-312/main.go
index 4500b805c05..012159ceba5 100644
--- a/ql/test/query-tests/Security/CWE-312/main.go
+++ b/ql/test/query-tests/Security/CWE-312/main.go
@@ -1,10 +1,7 @@
-// +build ignore
-
 package main
 
 import (
- "fmt"
- "github.com/google/glog"
+ "github.com/golang/glog"
 "github.com/sirupsen/logrus"
 "log"
 )
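Review bot: In the rewritten import block of main.go the standard-library `"log"` import is left after the two module imports; gofmt accepts that, but goimports groups the standard library first, so `"log"` would move above `"github.com/golang/glog"` with a blank line between the groups. This is only a style nit on an otherwise useful change, since the new `"github.com/golang/glog"` path now matches the vendored stub directory added in this commit where the old `"github.com/google/glog"` path did not. The rest of main.go is outside the hunk.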
diff --git a/ql/test/query-tests/Security/CWE-312/server1.go b/ql/test/query-tests/Security/CWE-312/server1.go
index f7fd4b1b015..18845b2530a 100644
--- a/ql/test/query-tests/Security/CWE-312/server1.go
+++ b/ql/test/query-tests/Security/CWE-312/server1.go
@@ -5,7 +5,7 @@ import (
 "net/http"
 )
 
-func serve1() {
+func serve2() {
 http.HandleFunc("/some/path", func(w http.ResponseWriter, r *http.Request) {
 r.ParseForm()
 logStrs(r.Form.Get("password"))
diff --git a/ql/test/query-tests/Security/CWE-312/util.go b/ql/test/query-tests/Security/CWE-312/util.go
index 22af3af9fe5..9ec861d3391 100644
--- a/ql/test/query-tests/Security/CWE-312/util.go
+++ b/ql/test/query-tests/Security/CWE-312/util.go
@@ -1,5 +1,7 @@
 package main
 
+func use(args ...interface{}) {}
+
 var userdb *UserDB = &UserDB{}
 
 type UserDB struct{}
diff --git a/ql/test/query-tests/Security/CWE-312/vendor/github.com/golang/glog/LICENSE b/ql/test/query-tests/Security/CWE-312/vendor/github.com/golang/glog/LICENSE
new file mode 100644
index 00000000000..37ec93a14fd
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-312/vendor/github.com/golang/glog/LICENSE
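Review bot: The new `use` helper in util.go carries no comment, and its name alone does not tell a reader why an empty variadic function belongs in the test package. From the CleartextLoggingGood.go hunk in this same commit it appears to exist so that values such as `pw`, which are no longer allowed to go unused once `// +build ignore` is dropped, have a neutral sink that neither logs nor stores them; a doc comment such as `// use is a no-op sink that keeps otherwise-unused test values referenced without logging or storing them.` would record that intent. That also makes it clear to future editors that the body must stay empty, since the expected results rely on nothing sensitive reaching a sink through it.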
@@ -0,0 +1,191 @@ +Apache License +Version 2.0, January 2004 +http://www.apache.org/licenses/ + +TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + +1. Definitions. + +"License" shall mean the terms and conditions for use, reproduction, and +distribution as defined by Sections 1 through 9 of this document. + +"Licensor" shall mean the copyright owner or entity authorized by the copyright +owner that is granting the License. + +"Legal Entity" shall mean the union of the acting entity and all other entities +that control, are controlled by, or are under common control with that entity. +For the purposes of this definition, "control" means (i) the power, direct or +indirect, to cause the direction or management of such entity, whether by +contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the +outstanding shares, or (iii) beneficial ownership of such entity. + +"You" (or "Your") shall mean an individual or Legal Entity exercising +permissions granted by this License. + +"Source" form shall mean the preferred form for making modifications, including +but not limited to software source code, documentation source, and configuration +files. + +"Object" form shall mean any form resulting from mechanical transformation or +translation of a Source form, including but not limited to compiled object code, +generated documentation, and conversions to other media types. + +"Work" shall mean the work of authorship, whether in Source or Object form, made +available under the License, as indicated by a copyright notice that is included +in or attached to the work (an example is provided in the Appendix below). + +"Derivative Works" shall mean any work, whether in Source or Object form, that +is based on (or derived from) the Work and for which the editorial revisions, +annotations, elaborations, or other modifications represent, as a whole, an +original work of authorship. 
For the purposes of this License, Derivative Works +shall not include works that remain separable from, or merely link (or bind by +name) to the interfaces of, the Work and Derivative Works thereof. + +"Contribution" shall mean any work of authorship, including the original version +of the Work and any modifications or additions to that Work or Derivative Works +thereof, that is intentionally submitted to Licensor for inclusion in the Work +by the copyright owner or by an individual or Legal Entity authorized to submit +on behalf of the copyright owner. For the purposes of this definition, +"submitted" means any form of electronic, verbal, or written communication sent +to the Licensor or its representatives, including but not limited to +communication on electronic mailing lists, source code control systems, and +issue tracking systems that are managed by, or on behalf of, the Licensor for +the purpose of discussing and improving the Work, but excluding communication +that is conspicuously marked or otherwise designated in writing by the copyright +owner as "Not a Contribution." + +"Contributor" shall mean Licensor and any individual or Legal Entity on behalf +of whom a Contribution has been received by Licensor and subsequently +incorporated within the Work. + +2. Grant of Copyright License. + +Subject to the terms and conditions of this License, each Contributor hereby +grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, +irrevocable copyright license to reproduce, prepare Derivative Works of, +publicly display, publicly perform, sublicense, and distribute the Work and such +Derivative Works in Source or Object form. + +3. Grant of Patent License. 
+ +Subject to the terms and conditions of this License, each Contributor hereby +grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, +irrevocable (except as stated in this section) patent license to make, have +made, use, offer to sell, sell, import, and otherwise transfer the Work, where +such license applies only to those patent claims licensable by such Contributor +that are necessarily infringed by their Contribution(s) alone or by combination +of their Contribution(s) with the Work to which such Contribution(s) was +submitted. If You institute patent litigation against any entity (including a +cross-claim or counterclaim in a lawsuit) alleging that the Work or a +Contribution incorporated within the Work constitutes direct or contributory +patent infringement, then any patent licenses granted to You under this License +for that Work shall terminate as of the date such litigation is filed. + +4. Redistribution. + +You may reproduce and distribute copies of the Work or Derivative Works thereof +in any medium, with or without modifications, and in Source or Object form, +provided that You meet the following conditions: + +You must give any other recipients of the Work or Derivative Works a copy of +this License; and +You must cause any modified files to carry prominent notices stating that You +changed the files; and +You must retain, in the Source form of any Derivative Works that You distribute, +all copyright, patent, trademark, and attribution notices from the Source form +of the Work, excluding those notices that do not pertain to any part of the +Derivative Works; and +If the Work includes a "NOTICE" text file as part of its distribution, then any +Derivative Works that You distribute must include a readable copy of the +attribution notices contained within such NOTICE file, excluding those notices +that do not pertain to any part of the Derivative Works, in at least one of the +following places: within a NOTICE text file 
distributed as part of the +Derivative Works; within the Source form or documentation, if provided along +with the Derivative Works; or, within a display generated by the Derivative +Works, if and wherever such third-party notices normally appear. The contents of +the NOTICE file are for informational purposes only and do not modify the +License. You may add Your own attribution notices within Derivative Works that +You distribute, alongside or as an addendum to the NOTICE text from the Work, +provided that such additional attribution notices cannot be construed as +modifying the License. +You may add Your own copyright statement to Your modifications and may provide +additional or different license terms and conditions for use, reproduction, or +distribution of Your modifications, or for any such Derivative Works as a whole, +provided Your use, reproduction, and distribution of the Work otherwise complies +with the conditions stated in this License. + +5. Submission of Contributions. + +Unless You explicitly state otherwise, any Contribution intentionally submitted +for inclusion in the Work by You to the Licensor shall be under the terms and +conditions of this License, without any additional terms or conditions. +Notwithstanding the above, nothing herein shall supersede or modify the terms of +any separate license agreement you may have executed with Licensor regarding +such Contributions. + +6. Trademarks. + +This License does not grant permission to use the trade names, trademarks, +service marks, or product names of the Licensor, except as required for +reasonable and customary use in describing the origin of the Work and +reproducing the content of the NOTICE file. + +7. Disclaimer of Warranty. 
+ +Unless required by applicable law or agreed to in writing, Licensor provides the +Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, +including, without limitation, any warranties or conditions of TITLE, +NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are +solely responsible for determining the appropriateness of using or +redistributing the Work and assume any risks associated with Your exercise of +permissions under this License. + +8. Limitation of Liability. + +In no event and under no legal theory, whether in tort (including negligence), +contract, or otherwise, unless required by applicable law (such as deliberate +and grossly negligent acts) or agreed to in writing, shall any Contributor be +liable to You for damages, including any direct, indirect, special, incidental, +or consequential damages of any character arising as a result of this License or +out of the use or inability to use the Work (including but not limited to +damages for loss of goodwill, work stoppage, computer failure or malfunction, or +any and all other commercial damages or losses), even if such Contributor has +been advised of the possibility of such damages. + +9. Accepting Warranty or Additional Liability. + +While redistributing the Work or Derivative Works thereof, You may choose to +offer, and charge a fee for, acceptance of support, warranty, indemnity, or +other liability obligations and/or rights consistent with this License. However, +in accepting such obligations, You may act only on Your own behalf and on Your +sole responsibility, not on behalf of any other Contributor, and only if You +agree to indemnify, defend, and hold each Contributor harmless for any liability +incurred by, or claims asserted against, such Contributor by reason of your +accepting any such warranty or additional liability. 
+
+END OF TERMS AND CONDITIONS
+
+APPENDIX: How to apply the Apache License to your work
+
+To apply the Apache License to your work, attach the following boilerplate
+notice, with the fields enclosed by brackets "[]" replaced with your own
+identifying information. (Don't include the brackets!) The text should be
+enclosed in the appropriate comment syntax for the file format. We also
+recommend that a file or class name and description of purpose be included on
+the same "printed page" as the copyright notice for easier identification within
+third-party archives.
+
+ Copyright [yyyy] [name of copyright owner]
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff --git a/ql/test/query-tests/Security/CWE-312/vendor/github.com/golang/glog/README.md b/ql/test/query-tests/Security/CWE-312/vendor/github.com/golang/glog/README.md
new file mode 100644
index 00000000000..b8c2f481f4f
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-312/vendor/github.com/golang/glog/README.md
@@ -0,0 +1,3 @@
+This is a simple stub for https://github.com/golang/glog, strictly for use in query testing.
+
+See the LICENSE file in this folder for information about the licensing of the original library.
diff --git a/ql/test/query-tests/Security/CWE-312/vendor/github.com/golang/glog/glog.go b/ql/test/query-tests/Security/CWE-312/vendor/github.com/golang/glog/glog.go
new file mode 100644
index 00000000000..d8211e7dde5
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-312/vendor/github.com/golang/glog/glog.go
@@ -0,0 +1,3 @@
+package glog
+
+func Info(args ...interface{}) {}
diff --git a/ql/test/query-tests/Security/CWE-312/vendor/github.com/sirupsen/logrus/LICENSE b/ql/test/query-tests/Security/CWE-312/vendor/github.com/sirupsen/logrus/LICENSE
new file mode 100644
index 00000000000..f090cb42f37
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-312/vendor/github.com/sirupsen/logrus/LICENSE
@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2014 Simon Eskildsen
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
diff --git a/ql/test/query-tests/Security/CWE-312/vendor/github.com/sirupsen/logrus/README.md b/ql/test/query-tests/Security/CWE-312/vendor/github.com/sirupsen/logrus/README.md
new file mode 100644
index 00000000000..e22804a6a0d
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-312/vendor/github.com/sirupsen/logrus/README.md
@@ -0,0 +1,3 @@
+This is a simple stub for https://github.com/sirupsen/logrus, strictly for use in query testing.
+
+See the LICENSE file in this folder for information about the licensing of the original library.
diff --git a/ql/test/query-tests/Security/CWE-312/vendor/github.com/sirupsen/logrus/logrus.go b/ql/test/query-tests/Security/CWE-312/vendor/github.com/sirupsen/logrus/logrus.go
new file mode 100644
index 00000000000..e612008610f
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-312/vendor/github.com/sirupsen/logrus/logrus.go
@@ -0,0 +1,13 @@
+package logrus
+
+func Warning(args ...interface{}) {}
+
+type Fields map[interface{}]interface{}
+
+type Entry struct{}
+
+func WithFields(args ...interface{}) Entry { return Entry{} }
+func WithField(args ...interface{}) Entry { return Entry{} }
+
+func (e Entry) Errorf(args ...interface{}) {}
+func (e Entry) Panic(args ...interface{}) {}
diff --git a/ql/test/query-tests/Security/CWE-312/vendor/modules.txt b/ql/test/query-tests/Security/CWE-312/vendor/modules.txt
new file mode 100644
index 00000000000..13334996f0e
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-312/vendor/modules.txt
@@ -0,0 +1,4 @@
+# github.com/golang/glog v0.0.0
+github.com/golang/glog
+# github.com/sirupsen/logrus v0.0.0
+github.com/sirupsen/logrus
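Review bot: The logrus stub declares `type Fields map[interface{}]interface{}`, whereas the upstream logrus type is `map[string]interface{}`; string-keyed composite literals still compile against the stub, so today's tests are unaffected, but any query that matches on the exact field type sees a different type here than it would on real code. Likewise `func (e Entry) Errorf(args ...interface{}) {}` drops upstream's leading `format string` parameter, which matters if the query ever models the format argument separately from the variadic ones. Declaring `type Fields map[string]interface{}` and `func (e Entry) Errorf(format string, args ...interface{}) {}` keeps the stub faithful at no cost, and a one-line comment stating that the stub intentionally mirrors upstream signatures would help the next person who extends it.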