From af432c71ffad13f12f5fbee934d144d7bb1b2a48 Mon Sep 17 00:00:00 2001 From: Chris Smowton Date: Fri, 20 Nov 2020 15:35:42 +0000 Subject: [PATCH 1/5] Add docstrings to all public elements. --- ql/src/semmle/go/Architectures.qll | 6 ++++++ ql/src/semmle/go/dataflow/FunctionInputsAndOutputs.qll | 2 ++ ql/src/semmle/go/dataflow/TaintTracking2.qll | 5 +++++ ql/src/semmle/go/dataflow/internal/TaintTrackingUtil.qll | 3 +++ ql/src/semmle/go/frameworks/Revel.qll | 1 + ql/src/semmle/go/security/OpenUrlRedirectCustomizations.qll | 3 +++ 6 files changed, 20 insertions(+) diff --git a/ql/src/semmle/go/Architectures.qll b/ql/src/semmle/go/Architectures.qll index c2ea35acc4c..5bc1fef99b1 100644 --- a/ql/src/semmle/go/Architectures.qll +++ b/ql/src/semmle/go/Architectures.qll @@ -23,5 +23,11 @@ class Architecture extends string { bitSize = 64 } + /** + * Gets theĀ integer and pointer type width for this architecture. + * + * As of the time of writing, this appears to always be identical -- there aren't + * Go architectures with 64-bit pointers but 32-bit ints, for example. + */ int getBitSize() { result = bitSize } } diff --git a/ql/src/semmle/go/dataflow/FunctionInputsAndOutputs.qll b/ql/src/semmle/go/dataflow/FunctionInputsAndOutputs.qll index 7e884513066..1eb62da70c4 100644 --- a/ql/src/semmle/go/dataflow/FunctionInputsAndOutputs.qll +++ b/ql/src/semmle/go/dataflow/FunctionInputsAndOutputs.qll @@ -51,6 +51,7 @@ class FunctionInput extends TFunctionInput { abstract string toString(); } +/** Defines convenience methods that get particular `FunctionInput` instances. */ module FunctionInput { /** Gets a `FunctionInput` representing the `i`th parameter. */ FunctionInput parameter(int i) { result.isParameter(i) } @@ -191,6 +192,7 @@ class FunctionOutput extends TFunctionOutput { abstract string toString(); } +/** Defines convenience methods that get particular `FunctionOutput` instances. */ module FunctionOutput { /** Gets a `FunctionOutput` representing the result of a single-result function. */ FunctionOutput functionResult() { result.isResult() } diff --git a/ql/src/semmle/go/dataflow/TaintTracking2.qll b/ql/src/semmle/go/dataflow/TaintTracking2.qll index 1e6639d8539..6b1b2487e5b 100644 --- a/ql/src/semmle/go/dataflow/TaintTracking2.qll +++ b/ql/src/semmle/go/dataflow/TaintTracking2.qll @@ -1,3 +1,8 @@ +/** + * Provides classes for performing local (intra-procedural) and + * global (inter-procedural) taint-tracking analyses. + */ + /** * Provides classes for performing local (intra-procedural) and * global (inter-procedural) taint-tracking analyses. diff --git a/ql/src/semmle/go/dataflow/internal/TaintTrackingUtil.qll b/ql/src/semmle/go/dataflow/internal/TaintTrackingUtil.qll index d8b192951ef..94ccce8f869 100644 --- a/ql/src/semmle/go/dataflow/internal/TaintTrackingUtil.qll +++ b/ql/src/semmle/go/dataflow/internal/TaintTrackingUtil.qll @@ -177,6 +177,9 @@ predicate defaultAdditionalTaintStep(DataFlow::Node src, DataFlow::Node sink) { localAdditionalTaintStep(src, sink) } +/** + * A sanitizer in all global taint flow configurations but not in local taint. + */ abstract class DefaultTaintSanitizer extends DataFlow::Node { } /** diff --git a/ql/src/semmle/go/frameworks/Revel.qll b/ql/src/semmle/go/frameworks/Revel.qll index 1bd33768b66..0a466b058d4 100644 --- a/ql/src/semmle/go/frameworks/Revel.qll +++ b/ql/src/semmle/go/frameworks/Revel.qll @@ -5,6 +5,7 @@ import go private import semmle.go.security.OpenUrlRedirectCustomizations +/** Provides classes and methods modelling the Revel web framework. */ module Revel { /** Gets the package name. */ bindingset[result] diff --git a/ql/src/semmle/go/security/OpenUrlRedirectCustomizations.qll b/ql/src/semmle/go/security/OpenUrlRedirectCustomizations.qll index d33754deb86..586f15b4c42 100644 --- a/ql/src/semmle/go/security/OpenUrlRedirectCustomizations.qll +++ b/ql/src/semmle/go/security/OpenUrlRedirectCustomizations.qll @@ -39,6 +39,9 @@ module OpenUrlRedirect { */ bindingset[this] abstract class AdditionalStep extends string { + /** + * Holds if `pred` to `succ` is an additional taint-propagating step for this query. + */ abstract predicate hasTaintStep(DataFlow::Node pred, DataFlow::Node succ); } From e241f8469b6c67ea11d314b7f87dc6f12eac62d6 Mon Sep 17 00:00:00 2001 From: Chris Smowton Date: Fri, 20 Nov 2020 16:15:12 +0000 Subject: [PATCH 2/5] Add change notes for PRs that omitted them --- change-notes/2020-08-27-protobufs.md | 2 ++ change-notes/2020-09-14-split-string-sanitizer.md | 2 ++ 2 files changed, 4 insertions(+) create mode 100644 change-notes/2020-08-27-protobufs.md create mode 100644 change-notes/2020-09-14-split-string-sanitizer.md diff --git a/change-notes/2020-08-27-protobufs.md b/change-notes/2020-08-27-protobufs.md new file mode 100644 index 00000000000..2628fd12d91 --- /dev/null +++ b/change-notes/2020-08-27-protobufs.md @@ -0,0 +1,2 @@ +lgtm,codescanning +* Taint is now propagated across protocol buffer ("protobuf") marshalling and unmarshalling operations. This may result in more results from existing queries where the protocol buffer format is used. diff --git a/change-notes/2020-09-14-split-string-sanitizer.md b/change-notes/2020-09-14-split-string-sanitizer.md new file mode 100644 index 00000000000..970da425e87 --- /dev/null +++ b/change-notes/2020-09-14-split-string-sanitizer.md @@ -0,0 +1,2 @@ +lgtm,codescanning +* Splitting a string by whitespace or a colon is now considered sanitizing by the `go/clear-text-logging` query, because this is frequently used to split a username and password or other secret. From 568b365575dd762711b6ab29441d607560351bb8 Mon Sep 17 00:00:00 2001 From: Sauyon Lee Date: Mon, 9 Nov 2020 10:05:13 -0800 Subject: [PATCH 3/5] Add isRaw to StringLit --- ql/src/semmle/go/Expr.qll | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ql/src/semmle/go/Expr.qll b/ql/src/semmle/go/Expr.qll index af9a6aff0d5..a2bc9b21cba 100644 --- a/ql/src/semmle/go/Expr.qll +++ b/ql/src/semmle/go/Expr.qll @@ -343,6 +343,8 @@ class RuneLit = CharLit; */ class StringLit extends @stringlit, BasicLit { override string getAPrimaryQlClass() { result = "StringLit" } + + predicate isRaw() { this.getText().matches("`%`") } } /** From 09d41952dc5d6baaa628cee3acc094b08d318a4a Mon Sep 17 00:00:00 2001 From: Sauyon Lee Date: Sun, 8 Nov 2020 09:20:07 -0800 Subject: [PATCH 4/5] SuspiciousCharacterInRegexp: Add fix for raw string literals --- ...9-suspicious-character-in-regexp-improvement.md | 2 ++ .../CWE-020/SuspiciousCharacterInRegexp.go | 1 + .../CWE-020/SuspiciousCharacterInRegexp.ql | 9 +++------ .../CWE-020/SuspiciousCharacterInRegexpGood.go | 3 ++- .../SuspiciousCharacterInRegexp.expected | 2 ++ .../SuspiciousCharacterInRegexp.go | 14 ++++++++++++++ .../SuspiciousCharacterInRegexpGood.go | 14 ++++++++++++++ .../CWE-020/SuspiciousCharacterInRegexp/test.go | 7 ++++--- 8 files changed, 42 insertions(+), 10 deletions(-) create mode 100644 change-notes/2020-11-09-suspicious-character-in-regexp-improvement.md create mode 100644 ql/test/query-tests/Security/CWE-020/SuspiciousCharacterInRegexp/SuspiciousCharacterInRegexp.go create mode 100644 ql/test/query-tests/Security/CWE-020/SuspiciousCharacterInRegexp/SuspiciousCharacterInRegexpGood.go diff --git a/change-notes/2020-11-09-suspicious-character-in-regexp-improvement.md b/change-notes/2020-11-09-suspicious-character-in-regexp-improvement.md new file mode 100644 index 00000000000..3e5c9fce574 --- /dev/null +++ b/change-notes/2020-11-09-suspicious-character-in-regexp-improvement.md @@ -0,0 +1,2 @@ +lgtm,codescanning +* The query "Suspicious characters in a regular expression" has been improved to recognize raw string literals, which should lead to fewer false positives. diff --git a/ql/src/Security/CWE-020/SuspiciousCharacterInRegexp.go b/ql/src/Security/CWE-020/SuspiciousCharacterInRegexp.go index 0a4b8a90794..d9f2199fd52 100644 --- a/ql/src/Security/CWE-020/SuspiciousCharacterInRegexp.go +++ b/ql/src/Security/CWE-020/SuspiciousCharacterInRegexp.go @@ -9,5 +9,6 @@ func broken(hostNames []byte) string { } else { // This will be reached even if hostNames is exactly "forbidden.host.org", // because the literal backspace is not matched + return "" } } diff --git a/ql/src/Security/CWE-020/SuspiciousCharacterInRegexp.ql b/ql/src/Security/CWE-020/SuspiciousCharacterInRegexp.ql index d39d667c22a..72afa79b758 100644 --- a/ql/src/Security/CWE-020/SuspiciousCharacterInRegexp.ql +++ b/ql/src/Security/CWE-020/SuspiciousCharacterInRegexp.ql @@ -20,13 +20,10 @@ import DataFlow::PathGraph */ predicate containsEscapedCharacter(DataFlow::Node source, string character) { character in ["a", "b"] and - exists( + exists(StringLit s | s = source.asExpr() | // Search for `character` preceded by an odd number of backslashes: - source - .asExpr() - .(BasicLit) - .getText() - .regexpFind("(?<=(^|[^\\\\])\\\\(\\\\{2}){0,10})" + character, _, _) + exists(s.getText().regexpFind("(?<=(^|[^\\\\])\\\\(\\\\{2}){0,10})" + character, _, _)) and + not s.isRaw() ) } diff --git a/ql/src/Security/CWE-020/SuspiciousCharacterInRegexpGood.go b/ql/src/Security/CWE-020/SuspiciousCharacterInRegexpGood.go index a311e66af8d..9af991d1666 100644 --- a/ql/src/Security/CWE-020/SuspiciousCharacterInRegexpGood.go +++ b/ql/src/Security/CWE-020/SuspiciousCharacterInRegexpGood.go @@ -3,11 +3,12 @@ package main import "regexp" func fixed(hostNames []byte) string { - var hostRe = regexp.MustCompile("\\bforbidden.host.org") + var hostRe = regexp.MustCompile(`\bforbidden.host.org`) if hostRe.Match(hostNames) { return "Must not target forbidden.host.org" } else { // hostNames definitely doesn't contain a word "forbidden.host.org", as "\\b" // is the start-of-word anchor, not a literal backspace. + return "" } } diff --git a/ql/test/query-tests/Security/CWE-020/SuspiciousCharacterInRegexp/SuspiciousCharacterInRegexp.expected b/ql/test/query-tests/Security/CWE-020/SuspiciousCharacterInRegexp/SuspiciousCharacterInRegexp.expected index 81f5d768b0a..0d6d90255ee 100644 --- a/ql/test/query-tests/Security/CWE-020/SuspiciousCharacterInRegexp/SuspiciousCharacterInRegexp.expected +++ b/ql/test/query-tests/Security/CWE-020/SuspiciousCharacterInRegexp/SuspiciousCharacterInRegexp.expected @@ -1,10 +1,12 @@ edges nodes +| SuspiciousCharacterInRegexp.go:6:34:6:55 | "\\bforbidden.host.org" | semmle.label | "\\bforbidden.host.org" | | test.go:8:21:8:34 | "hello\\aworld" | semmle.label | "hello\\aworld" | | test.go:9:21:9:36 | "hello\\\\\\aworld" | semmle.label | "hello\\\\\\aworld" | | test.go:10:21:10:34 | "hello\\bworld" | semmle.label | "hello\\bworld" | | test.go:11:21:11:36 | "hello\\\\\\bworld" | semmle.label | "hello\\\\\\bworld" | #select +| SuspiciousCharacterInRegexp.go:6:34:6:55 | "\\bforbidden.host.org" | SuspiciousCharacterInRegexp.go:6:34:6:55 | "\\bforbidden.host.org" | SuspiciousCharacterInRegexp.go:6:34:6:55 | "\\bforbidden.host.org" | $@ used $@ contains a literal backspace \\b; did you mean \\\\b, a word boundary? | SuspiciousCharacterInRegexp.go:6:34:6:55 | "\\bforbidden.host.org" | A regular expression | SuspiciousCharacterInRegexp.go:6:34:6:55 | "\\bforbidden.host.org" | here | | test.go:8:21:8:34 | "hello\\aworld" | test.go:8:21:8:34 | "hello\\aworld" | test.go:8:21:8:34 | "hello\\aworld" | $@ used $@ contains the bell character \\a; did you mean \\\\a, the Vim alphabetic character class (use [[:alpha:]] instead) or \\\\A, the beginning of text? | test.go:8:21:8:34 | "hello\\aworld" | A regular expression | test.go:8:21:8:34 | "hello\\aworld" | here | | test.go:9:21:9:36 | "hello\\\\\\aworld" | test.go:9:21:9:36 | "hello\\\\\\aworld" | test.go:9:21:9:36 | "hello\\\\\\aworld" | $@ used $@ contains the bell character \\a; did you mean \\\\a, the Vim alphabetic character class (use [[:alpha:]] instead) or \\\\A, the beginning of text? | test.go:9:21:9:36 | "hello\\\\\\aworld" | A regular expression | test.go:9:21:9:36 | "hello\\\\\\aworld" | here | | test.go:10:21:10:34 | "hello\\bworld" | test.go:10:21:10:34 | "hello\\bworld" | test.go:10:21:10:34 | "hello\\bworld" | $@ used $@ contains a literal backspace \\b; did you mean \\\\b, a word boundary? | test.go:10:21:10:34 | "hello\\bworld" | A regular expression | test.go:10:21:10:34 | "hello\\bworld" | here | diff --git a/ql/test/query-tests/Security/CWE-020/SuspiciousCharacterInRegexp/SuspiciousCharacterInRegexp.go b/ql/test/query-tests/Security/CWE-020/SuspiciousCharacterInRegexp/SuspiciousCharacterInRegexp.go new file mode 100644 index 00000000000..d9f2199fd52 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-020/SuspiciousCharacterInRegexp/SuspiciousCharacterInRegexp.go @@ -0,0 +1,14 @@ +package main + +import "regexp" + +func broken(hostNames []byte) string { + var hostRe = regexp.MustCompile("\bforbidden.host.org") + if hostRe.Match(hostNames) { + return "Must not target forbidden.host.org" + } else { + // This will be reached even if hostNames is exactly "forbidden.host.org", + // because the literal backspace is not matched + return "" + } +} diff --git a/ql/test/query-tests/Security/CWE-020/SuspiciousCharacterInRegexp/SuspiciousCharacterInRegexpGood.go b/ql/test/query-tests/Security/CWE-020/SuspiciousCharacterInRegexp/SuspiciousCharacterInRegexpGood.go new file mode 100644 index 00000000000..9af991d1666 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-020/SuspiciousCharacterInRegexp/SuspiciousCharacterInRegexpGood.go @@ -0,0 +1,14 @@ +package main + +import "regexp" + +func fixed(hostNames []byte) string { + var hostRe = regexp.MustCompile(`\bforbidden.host.org`) + if hostRe.Match(hostNames) { + return "Must not target forbidden.host.org" + } else { + // hostNames definitely doesn't contain a word "forbidden.host.org", as "\\b" + // is the start-of-word anchor, not a literal backspace. + return "" + } +} diff --git a/ql/test/query-tests/Security/CWE-020/SuspiciousCharacterInRegexp/test.go b/ql/test/query-tests/Security/CWE-020/SuspiciousCharacterInRegexp/test.go index 23eec481396..5e8d8c1576a 100644 --- a/ql/test/query-tests/Security/CWE-020/SuspiciousCharacterInRegexp/test.go +++ b/ql/test/query-tests/Security/CWE-020/SuspiciousCharacterInRegexp/test.go @@ -1,8 +1,8 @@ -package test +package main import "regexp" -func test() { +func main() { // BAD: probably a mistake: regexp.MustCompile("hello\aworld") @@ -20,5 +20,6 @@ func test() { regexp.MustCompile("hello\010world") regexp.MustCompile("hello\u0008world") regexp.MustCompile("hello\U00000008world") - + // GOOD: use of a raw string literal + regexp.MustCompile(`hello\b\sworld`) } From b2ae6550ec24d7339a3509efc110aa1e8653a525 Mon Sep 17 00:00:00 2001 From: Sauyon Lee Date: Mon, 9 Nov 2020 10:36:27 -0800 Subject: [PATCH 5/5] Add additional tests for suspicious character in regexp regexp --- .../SuspiciousCharacterInRegexp.expected | 28 +++++++++++++------ .../SuspiciousCharacterInRegexp/test.go | 12 ++++++++ 2 files changed, 32 insertions(+), 8 deletions(-) diff --git a/ql/test/query-tests/Security/CWE-020/SuspiciousCharacterInRegexp/SuspiciousCharacterInRegexp.expected b/ql/test/query-tests/Security/CWE-020/SuspiciousCharacterInRegexp/SuspiciousCharacterInRegexp.expected index 0d6d90255ee..d001d1ab5b4 100644 --- a/ql/test/query-tests/Security/CWE-020/SuspiciousCharacterInRegexp/SuspiciousCharacterInRegexp.expected +++ b/ql/test/query-tests/Security/CWE-020/SuspiciousCharacterInRegexp/SuspiciousCharacterInRegexp.expected @@ -1,13 +1,25 @@ edges nodes | SuspiciousCharacterInRegexp.go:6:34:6:55 | "\\bforbidden.host.org" | semmle.label | "\\bforbidden.host.org" | -| test.go:8:21:8:34 | "hello\\aworld" | semmle.label | "hello\\aworld" | -| test.go:9:21:9:36 | "hello\\\\\\aworld" | semmle.label | "hello\\\\\\aworld" | -| test.go:10:21:10:34 | "hello\\bworld" | semmle.label | "hello\\bworld" | -| test.go:11:21:11:36 | "hello\\\\\\bworld" | semmle.label | "hello\\\\\\bworld" | +| test.go:7:21:7:24 | "\\a" | semmle.label | "\\a" | +| test.go:9:21:9:26 | "\\\\\\a" | semmle.label | "\\\\\\a" | +| test.go:10:21:10:27 | "x\\\\\\a" | semmle.label | "x\\\\\\a" | +| test.go:12:21:12:28 | "\\\\\\\\\\a" | semmle.label | "\\\\\\\\\\a" | +| test.go:14:21:14:30 | "\\\\\\\\\\\\\\a" | semmle.label | "\\\\\\\\\\\\\\a" | +| test.go:16:21:16:32 | "\\\\\\\\\\\\\\\\\\a" | semmle.label | "\\\\\\\\\\\\\\\\\\a" | +| test.go:20:21:20:34 | "hello\\aworld" | semmle.label | "hello\\aworld" | +| test.go:21:21:21:36 | "hello\\\\\\aworld" | semmle.label | "hello\\\\\\aworld" | +| test.go:22:21:22:34 | "hello\\bworld" | semmle.label | "hello\\bworld" | +| test.go:23:21:23:36 | "hello\\\\\\bworld" | semmle.label | "hello\\\\\\bworld" | #select | SuspiciousCharacterInRegexp.go:6:34:6:55 | "\\bforbidden.host.org" | SuspiciousCharacterInRegexp.go:6:34:6:55 | "\\bforbidden.host.org" | SuspiciousCharacterInRegexp.go:6:34:6:55 | "\\bforbidden.host.org" | $@ used $@ contains a literal backspace \\b; did you mean \\\\b, a word boundary? | SuspiciousCharacterInRegexp.go:6:34:6:55 | "\\bforbidden.host.org" | A regular expression | SuspiciousCharacterInRegexp.go:6:34:6:55 | "\\bforbidden.host.org" | here | -| test.go:8:21:8:34 | "hello\\aworld" | test.go:8:21:8:34 | "hello\\aworld" | test.go:8:21:8:34 | "hello\\aworld" | $@ used $@ contains the bell character \\a; did you mean \\\\a, the Vim alphabetic character class (use [[:alpha:]] instead) or \\\\A, the beginning of text? | test.go:8:21:8:34 | "hello\\aworld" | A regular expression | test.go:8:21:8:34 | "hello\\aworld" | here | -| test.go:9:21:9:36 | "hello\\\\\\aworld" | test.go:9:21:9:36 | "hello\\\\\\aworld" | test.go:9:21:9:36 | "hello\\\\\\aworld" | $@ used $@ contains the bell character \\a; did you mean \\\\a, the Vim alphabetic character class (use [[:alpha:]] instead) or \\\\A, the beginning of text? | test.go:9:21:9:36 | "hello\\\\\\aworld" | A regular expression | test.go:9:21:9:36 | "hello\\\\\\aworld" | here | -| test.go:10:21:10:34 | "hello\\bworld" | test.go:10:21:10:34 | "hello\\bworld" | test.go:10:21:10:34 | "hello\\bworld" | $@ used $@ contains a literal backspace \\b; did you mean \\\\b, a word boundary? | test.go:10:21:10:34 | "hello\\bworld" | A regular expression | test.go:10:21:10:34 | "hello\\bworld" | here | -| test.go:11:21:11:36 | "hello\\\\\\bworld" | test.go:11:21:11:36 | "hello\\\\\\bworld" | test.go:11:21:11:36 | "hello\\\\\\bworld" | $@ used $@ contains a literal backspace \\b; did you mean \\\\b, a word boundary? | test.go:11:21:11:36 | "hello\\\\\\bworld" | A regular expression | test.go:11:21:11:36 | "hello\\\\\\bworld" | here | +| test.go:7:21:7:24 | "\\a" | test.go:7:21:7:24 | "\\a" | test.go:7:21:7:24 | "\\a" | $@ used $@ contains the bell character \\a; did you mean \\\\a, the Vim alphabetic character class (use [[:alpha:]] instead) or \\\\A, the beginning of text? | test.go:7:21:7:24 | "\\a" | A regular expression | test.go:7:21:7:24 | "\\a" | here | +| test.go:9:21:9:26 | "\\\\\\a" | test.go:9:21:9:26 | "\\\\\\a" | test.go:9:21:9:26 | "\\\\\\a" | $@ used $@ contains the bell character \\a; did you mean \\\\a, the Vim alphabetic character class (use [[:alpha:]] instead) or \\\\A, the beginning of text? | test.go:9:21:9:26 | "\\\\\\a" | A regular expression | test.go:9:21:9:26 | "\\\\\\a" | here | +| test.go:10:21:10:27 | "x\\\\\\a" | test.go:10:21:10:27 | "x\\\\\\a" | test.go:10:21:10:27 | "x\\\\\\a" | $@ used $@ contains the bell character \\a; did you mean \\\\a, the Vim alphabetic character class (use [[:alpha:]] instead) or \\\\A, the beginning of text? | test.go:10:21:10:27 | "x\\\\\\a" | A regular expression | test.go:10:21:10:27 | "x\\\\\\a" | here | +| test.go:12:21:12:28 | "\\\\\\\\\\a" | test.go:12:21:12:28 | "\\\\\\\\\\a" | test.go:12:21:12:28 | "\\\\\\\\\\a" | $@ used $@ contains the bell character \\a; did you mean \\\\a, the Vim alphabetic character class (use [[:alpha:]] instead) or \\\\A, the beginning of text? | test.go:12:21:12:28 | "\\\\\\\\\\a" | A regular expression | test.go:12:21:12:28 | "\\\\\\\\\\a" | here | +| test.go:14:21:14:30 | "\\\\\\\\\\\\\\a" | test.go:14:21:14:30 | "\\\\\\\\\\\\\\a" | test.go:14:21:14:30 | "\\\\\\\\\\\\\\a" | $@ used $@ contains the bell character \\a; did you mean \\\\a, the Vim alphabetic character class (use [[:alpha:]] instead) or \\\\A, the beginning of text? | test.go:14:21:14:30 | "\\\\\\\\\\\\\\a" | A regular expression | test.go:14:21:14:30 | "\\\\\\\\\\\\\\a" | here | +| test.go:16:21:16:32 | "\\\\\\\\\\\\\\\\\\a" | test.go:16:21:16:32 | "\\\\\\\\\\\\\\\\\\a" | test.go:16:21:16:32 | "\\\\\\\\\\\\\\\\\\a" | $@ used $@ contains the bell character \\a; did you mean \\\\a, the Vim alphabetic character class (use [[:alpha:]] instead) or \\\\A, the beginning of text? | test.go:16:21:16:32 | "\\\\\\\\\\\\\\\\\\a" | A regular expression | test.go:16:21:16:32 | "\\\\\\\\\\\\\\\\\\a" | here | +| test.go:20:21:20:34 | "hello\\aworld" | test.go:20:21:20:34 | "hello\\aworld" | test.go:20:21:20:34 | "hello\\aworld" | $@ used $@ contains the bell character \\a; did you mean \\\\a, the Vim alphabetic character class (use [[:alpha:]] instead) or \\\\A, the beginning of text? | test.go:20:21:20:34 | "hello\\aworld" | A regular expression | test.go:20:21:20:34 | "hello\\aworld" | here | +| test.go:21:21:21:36 | "hello\\\\\\aworld" | test.go:21:21:21:36 | "hello\\\\\\aworld" | test.go:21:21:21:36 | "hello\\\\\\aworld" | $@ used $@ contains the bell character \\a; did you mean \\\\a, the Vim alphabetic character class (use [[:alpha:]] instead) or \\\\A, the beginning of text? | test.go:21:21:21:36 | "hello\\\\\\aworld" | A regular expression | test.go:21:21:21:36 | "hello\\\\\\aworld" | here | +| test.go:22:21:22:34 | "hello\\bworld" | test.go:22:21:22:34 | "hello\\bworld" | test.go:22:21:22:34 | "hello\\bworld" | $@ used $@ contains a literal backspace \\b; did you mean \\\\b, a word boundary? | test.go:22:21:22:34 | "hello\\bworld" | A regular expression | test.go:22:21:22:34 | "hello\\bworld" | here | +| test.go:23:21:23:36 | "hello\\\\\\bworld" | test.go:23:21:23:36 | "hello\\\\\\bworld" | test.go:23:21:23:36 | "hello\\\\\\bworld" | $@ used $@ contains a literal backspace \\b; did you mean \\\\b, a word boundary? | test.go:23:21:23:36 | "hello\\\\\\bworld" | A regular expression | test.go:23:21:23:36 | "hello\\\\\\bworld" | here | diff --git a/ql/test/query-tests/Security/CWE-020/SuspiciousCharacterInRegexp/test.go b/ql/test/query-tests/Security/CWE-020/SuspiciousCharacterInRegexp/test.go index 5e8d8c1576a..ff3da9b8496 100644 --- a/ql/test/query-tests/Security/CWE-020/SuspiciousCharacterInRegexp/test.go +++ b/ql/test/query-tests/Security/CWE-020/SuspiciousCharacterInRegexp/test.go @@ -3,6 +3,18 @@ package main import "regexp" func main() { + // many backslashes + regexp.MustCompile("\a") // BAD + regexp.MustCompile("\\a") + regexp.MustCompile("\\\a") // BAD + regexp.MustCompile("x\\\a") // BAD + regexp.MustCompile("\\\\a") + regexp.MustCompile("\\\\\a") // BAD + regexp.MustCompile("\\\\\\a") + regexp.MustCompile("\\\\\\\a") // BAD + regexp.MustCompile("\\\\\\\\a") + regexp.MustCompile("\\\\\\\\\a") // BAD + regexp.MustCompile("\\\\\\\\\\a") // BAD: probably a mistake: regexp.MustCompile("hello\aworld")