Modernize tests

go/ql/test/query-tests/Security/CWE-079/ReflectedXss.expected

@@ -30,10 +30,10 @@ edges
 | contenttype.go:73:10:73:28 | call to FormValue | contenttype.go:79:11:79:14 | data | provenance | Src:MaD:8  |
 | contenttype.go:88:10:88:28 | call to FormValue | contenttype.go:91:4:91:7 | data | provenance | Src:MaD:8  |
 | contenttype.go:113:10:113:28 | call to FormValue | contenttype.go:114:50:114:53 | data | provenance | Src:MaD:8  |
-| reflectedxsstest.go:31:2:31:44 | ... := ...[0] | reflectedxsstest.go:32:34:32:37 | file | provenance | Src:MaD:7  |
+| reflectedxsstest.go:31:2:31:44 | ... := ...[0] | reflectedxsstest.go:32:30:32:33 | file | provenance | Src:MaD:7  |
 | reflectedxsstest.go:31:2:31:44 | ... := ...[1] | reflectedxsstest.go:34:46:34:60 | selection of Filename | provenance | Src:MaD:7  |
-| reflectedxsstest.go:32:2:32:38 | ... := ...[0] | reflectedxsstest.go:33:49:33:55 | content | provenance |  |
-| reflectedxsstest.go:32:34:32:37 | file | reflectedxsstest.go:32:2:32:38 | ... := ...[0] | provenance | MaD:13 |
+| reflectedxsstest.go:32:2:32:34 | ... := ...[0] | reflectedxsstest.go:33:49:33:55 | content | provenance |  |
+| reflectedxsstest.go:32:30:32:33 | file | reflectedxsstest.go:32:2:32:34 | ... := ...[0] | provenance | MaD:13 |
 | reflectedxsstest.go:33:17:33:56 | []type{args} [array] | reflectedxsstest.go:33:17:33:56 | call to Sprintf | provenance | MaD:12 |
 | reflectedxsstest.go:33:17:33:56 | call to Sprintf | reflectedxsstest.go:33:10:33:57 | type conversion | provenance |  |
 | reflectedxsstest.go:33:49:33:55 | content | reflectedxsstest.go:33:17:33:56 | []type{args} [array] | provenance |  |
@@ -81,7 +81,7 @@ models
 | 10 | Source: net/http; Request; true; URL; ; ; ; remote; manual |
 | 11 | Source: nhooyr.io/websocket; Conn; true; Read; ; ; ReturnValue[1]; remote; manual |
 | 12 | Summary: fmt; ; false; Sprintf; ; ; Argument[1].ArrayElement; ReturnValue; taint; manual |
-| 13 | Summary: io/ioutil; ; false; ReadAll; ; ; Argument[0]; ReturnValue[0]; taint; manual |
+| 13 | Summary: io; ; false; ReadAll; ; ; Argument[0]; ReturnValue[0]; taint; manual |
 | 14 | Summary: io; Reader; true; Read; ; ; Argument[receiver]; Argument[0]; taint; manual |
 | 15 | Summary: mime/multipart; Part; true; FileName; ; ; Argument[receiver]; ReturnValue; taint; manual |
 | 16 | Summary: mime/multipart; Reader; true; NextPart; ; ; Argument[receiver]; ReturnValue[0]; taint; manual |
@@ -108,8 +108,8 @@ nodes
 | contenttype.go:114:50:114:53 | data | semmle.label | data |
 | reflectedxsstest.go:31:2:31:44 | ... := ...[0] | semmle.label | ... := ...[0] |
 | reflectedxsstest.go:31:2:31:44 | ... := ...[1] | semmle.label | ... := ...[1] |
-| reflectedxsstest.go:32:2:32:38 | ... := ...[0] | semmle.label | ... := ...[0] |
-| reflectedxsstest.go:32:34:32:37 | file | semmle.label | file |
+| reflectedxsstest.go:32:2:32:34 | ... := ...[0] | semmle.label | ... := ...[0] |
+| reflectedxsstest.go:32:30:32:33 | file | semmle.label | file |
 | reflectedxsstest.go:33:10:33:57 | type conversion | semmle.label | type conversion |
 | reflectedxsstest.go:33:17:33:56 | []type{args} [array] | semmle.label | []type{args} [array] |
 | reflectedxsstest.go:33:17:33:56 | call to Sprintf | semmle.label | call to Sprintf |

go/ql/test/query-tests/Security/CWE-079/StoredXss.expected

@@ -1,9 +1,7 @@
 #select
-| StoredXss.go:13:21:13:36 | ...+... | StoredXss.go:13:21:13:31 | call to Name | StoredXss.go:13:21:13:36 | ...+... | Stored cross-site scripting vulnerability due to $@. | StoredXss.go:13:21:13:31 | call to Name | stored value |
 | stored.go:30:22:30:25 | name | stored.go:18:3:18:28 | ... := ...[0] | stored.go:30:22:30:25 | name | Stored cross-site scripting vulnerability due to $@. | stored.go:18:3:18:28 | ... := ...[0] | stored value |
 | stored.go:61:22:61:25 | path | stored.go:59:30:59:33 | definition of path | stored.go:61:22:61:25 | path | Stored cross-site scripting vulnerability due to $@. | stored.go:59:30:59:33 | definition of path | stored value |
 edges
-| StoredXss.go:13:21:13:31 | call to Name | StoredXss.go:13:21:13:36 | ...+... | provenance |  |
 | stored.go:18:3:18:28 | ... := ...[0] | stored.go:25:14:25:17 | rows | provenance | Src:MaD:1  |
 | stored.go:25:14:25:17 | rows | stored.go:25:29:25:33 | &... | provenance | FunctionModel |
 | stored.go:25:29:25:33 | &... | stored.go:30:22:30:25 | name | provenance |  |
@@ -11,8 +9,6 @@ edges
 models
 | 1 | Source: database/sql; DB; true; Query; ; ; ReturnValue[0]; database; manual |
 nodes
-| StoredXss.go:13:21:13:31 | call to Name | semmle.label | call to Name |
-| StoredXss.go:13:21:13:36 | ...+... | semmle.label | ...+... |
 | stored.go:18:3:18:28 | ... := ...[0] | semmle.label | ... := ...[0] |
 | stored.go:25:14:25:17 | rows | semmle.label | rows |
 | stored.go:25:29:25:33 | &... | semmle.label | &... |
@@ -20,3 +16,5 @@ nodes
 | stored.go:59:30:59:33 | definition of path | semmle.label | definition of path |
 | stored.go:61:22:61:25 | path | semmle.label | path |
 subpaths
+testFailures
+| StoredXss.go:13:39:13:63 | comment | Missing result: Alert[go/stored-xss] |

go/ql/test/query-tests/Security/CWE-079/StoredXss.go

@@ -2,12 +2,12 @@ package main
 
 import (
 	"io"
-	"io/ioutil"
 	"net/http"
+	"os"
 )
 
 func ListFiles(w http.ResponseWriter, r *http.Request) {
-	files, _ := ioutil.ReadDir(".")
+	files, _ := os.ReadDir(".")
 
 	for _, file := range files {
 		io.WriteString(w, file.Name()+"\n") // $ Alert[go/stored-xss]

go/ql/test/query-tests/Security/CWE-079/StoredXssGood.go

@@ -4,13 +4,13 @@ import (
 	"html"
 	"html/template"
 	"io"
-	"io/ioutil"
 	"net/http"
+	"os"
 )
 
 func ListFiles1(w http.ResponseWriter, r *http.Request) {
 	var template template.Template
-	files, _ := ioutil.ReadDir(".")
+	files, _ := os.ReadDir(".")
 
 	for _, file := range files {
 		io.WriteString(w, html.EscapeString(file.Name())+"\n")

go/ql/test/query-tests/Security/CWE-079/go.mod

@@ -1,6 +1,6 @@
 module codeql-go-tests/CWE-079
 
-go 1.14
+go 1.24
 
 require (
 	github.com/gobwas/ws v1.0.3

go/ql/test/query-tests/Security/CWE-079/reflectedxsstest.go

@@ -3,7 +3,7 @@ package main
 import (
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"net/http"
 )
 
@@ -29,7 +29,7 @@ func ErrTest(w http.ResponseWriter, r http.Request) {
 	w.Write([]byte(fmt.Sprintf("Cookie check error: %v", err)))  // GOOD: Cookie's err return is harmless
 	http.Error(w, fmt.Sprintf("Cookie result: %v", cookie), 500) // Good: only plain text is written.
 	file, header, err := r.FormFile("someFile")                  // $ Source[go/reflected-xss]
-	content, err2 := ioutil.ReadAll(file)
+	content, err2 := io.ReadAll(file)
 	w.Write([]byte(fmt.Sprintf("File content: %v", content)))      // $ Alert[go/reflected-xss] // BAD: file content is user-controlled
 	w.Write([]byte(fmt.Sprintf("File name: %v", header.Filename))) // $ Alert[go/reflected-xss] // BAD: file header is user-controlled
 	w.Write([]byte(fmt.Sprintf("FormFile error: %v", err)))        // GOOD: FormFile's err return is harmless

go/ql/test/query-tests/Security/CWE-079/websocketXss.go

@@ -15,10 +15,10 @@ import (
 	nhooyr "nhooyr.io/websocket"
 )
 
-func marshal(v interface{}) (data []byte, payloadType byte, err error) {
+func marshal(v any) (data []byte, payloadType byte, err error) {
 	return nil, 0, nil
 }
-func unmarshal(data []byte, payloadType byte, v interface{}) (err error) {
+func unmarshal(data []byte, payloadType byte, v any) (err error) {
 	return nil
 }
 
@@ -30,7 +30,7 @@ func xss(w http.ResponseWriter, r *http.Request) {
 		var xnet = make([]byte, 512) // $ Source[go/reflected-xss]
 		ws.Read(xnet)
 		fmt.Fprintf(w, "%v", xnet) // $ Alert[go/reflected-xss]
-		codec := &websocket.Codec{marshal, unmarshal}
+		codec := &websocket.Codec{Marshal: marshal, Unmarshal: unmarshal}
 		xnet2 := make([]byte, 512) // $ Source[go/reflected-xss]
 		codec.Receive(ws, xnet2)
 		fmt.Fprintf(w, "%v", xnet2) // $ Alert[go/reflected-xss]