diff --git a/ql/test/TestUtilities/InlineExpectationsTest.qll b/ql/test/TestUtilities/InlineExpectationsTest.qll index db70bc81ede..3d2dc05a5ef 100644 --- a/ql/test/TestUtilities/InlineExpectationsTest.qll +++ b/ql/test/TestUtilities/InlineExpectationsTest.qll @@ -1,6 +1,7 @@ /** * Provides a library for writing QL tests whose success or failure is based on expected results - * embedded in the test source code as comments, rather than a `.expected` file. + * embedded in the test source code as comments, rather than the contents of an `.expected` file + * (in that the `.expected` file should always be empty). * * To add this framework to a new language: * - Add a file `InlineExpectationsTestPrivate.qll` that defines a `ExpectationComment` class. This class 
@@ -43,15 +44,15 @@ * There is no need to write a `select` clause or query predicate. All of the differences between * expected results and actual results will be reported in the `failures()` query predicate. * - * To annotate the test source code with an expected result, place a comment on the + * To annotate the test source code with an expected result, place a comment starting with a `$` on the * same line as the expected result, with text of the following format as the body of the comment: * - * `$tag=expected-value` + * `tag=expected-value` * * Where `tag` is the value of the `tag` parameter from `hasActualResult()`, and `expected-value` is * the value of the `value` parameter from `hasActualResult()`. The `=expected-value` portion may be * omitted, in which case `expected-value` is treated as the empty string. Multiple expectations may - * be placed in the same comment, as long as each is prefixed by a `$`. Any actual result that + * be placed in the same comment. Any actual result that * appears on a line that does not contain a matching expected result comment will be reported with * a message of the form "Unexpected result: tag=value". Any expected result comment for which there * is no matching actual result will be reported with a message of the form 
@@ -59,31 +60,34 @@ * * Example: * ```cpp - * int i = x + 5; // $const=5 - * int j = y + (7 - 3) // $const=7 $const=3 $const=4 // The result of the subtraction is a constant. + * int i = x + 5; // $ const=5 + * int j = y + (7 - 3) // $ const=7 const=3 const=4 // The result of the subtraction is a constant. * ``` * - * For tests that contain known false positives and false negatives, it is possible to further - * annotate that a particular expected result is known to be a false positive, or that a particular - * missing result is known to be a false negative: + * For tests that contain known missing and spurious results, it is possible to further + * annotate that a particular expected result is known to be spurious, or that a particular + * missing result is known to be missing: * - * `$f+:tag=expected-value` // False positive - * `$f-:tag=expected-value` // False negative + * `$ SPURIOUS: tag=expected-value` // Spurious result + * `$ MISSING: tag=expected-value` // Missing result * - * A false positive expectation is treated as any other expected result, except that if there is no - * matching actual result, the message will be of the form "Fixed false positive: tag=value". A - * false negative expectation is treated as if there were no expected result, except that if a + * A spurious expectation is treated as any other expected result, except that if there is no + * matching actual result, the message will be of the form "Fixed spurious result: tag=value". A + * missing expectation is treated as if there were no expected result, except that if a * matching expected result is found, the message will be of the form - * "Fixed false negative: tag=value". + * "Fixed missing result: tag=value". + * + * A single line can contain all the expected, spurious and missing results of that line. For instance: + * `$ tag1=value1 SPURIOUS: tag2=value2 MISSING: tag3=value3`. 
* * If the same result value is expected for two or more tags on the same line, there is a shorthand * notation available: * - * `$tag1,tag2=expected-value` + * `tag1,tag2=expected-value` * * is equivalent to: * - * `$tag1=expected-value $tag2=expected-value` + * `tag1=expected-value tag2=expected-value` */ private import InlineExpectationsTestPrivate @@ -119,6 +123,11 @@ abstract class InlineExpectationsTest extends string { */ abstract predicate hasActualResult(string file, int line, string element, string tag, string value); + predicate hasActualResult(Location location, string element, string tag, string value) { + this.hasActualResult(location.getFile().getAbsolutePath(), location.getStartLine(), element, + tag, value) + } + final predicate hasFailureMessage(FailureLocatable element, string message) { exists(ActualResult actualResult | actualResult.getTest() = this and @@ -126,7 +135,7 @@ abstract class InlineExpectationsTest extends string { ( exists(FalseNegativeExpectation falseNegative | falseNegative.matchesActualResult(actualResult) and - message = "Fixed false negative:" + falseNegative.getExpectationText() + message = "Fixed missing result:" + falseNegative.getExpectationText() ) or not exists(ValidExpectation expectation | expectation.matchesActualResult(actualResult)) and @@ -143,7 +152,7 @@ abstract class InlineExpectationsTest extends string { message = "Missing result:" + expectation.getExpectationText() or expectation instanceof FalsePositiveExpectation and - message = "Fixed false positive:" + expectation.getExpectationText() + message = "Fixed spurious result:" + expectation.getExpectationText() ) ) or 
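Review bot: The reworded paragraph in the `@@ -59` hunk is circular where it says "or that a particular missing result is known to be missing"; the old text contrasted a reported result that is a false positive with an absent one that is a false negative, and the new wording loses the second half. Something like `* annotate that a particular expected result is known to be spurious, or that a particular` / `* result which ought to be reported is known to be missing:` keeps the distinction while using the new vocabulary. The doc comment this hunk edits starts in the earlier hunks and ends at the `*/` before `private import InlineExpectationsTestPrivate`.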
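Review bot: The new `hasActualResult(Location location, string element, string tag, string value)` overload in the `@@ -119` hunk has no QLDoc comment, although it is a non-private predicate on the abstract class that every inline-expectations test extends, and the string/int form directly above it is documented. I would add `/** Holds if the test has an actual result at `location` with the given `element`, `tag` and `value`; this is the file/line form applied to the absolute path and start line of `location`. */`. That comment should also spell out that the `file` column of the abstract predicate is expected to be an absolute path (the overload passes `location.getFile().getAbsolutePath()`), since a subclass that reports relative paths would presumably never match any expectation and get no diagnostic. The enclosing `InlineExpectationsTest` class starts and ends outside this hunk.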
@@ -160,54 +169,105 @@ abstract class InlineExpectationsTest extends string { * is treated as part of the expected results, except that the comment may contain a `//` sequence * to treat the remainder of the line as a regular (non-interpreted) comment. */ -private string expectationCommentPattern() { result = "\\s*(\\$(?:[^/]|/[^/])*)(?://.*)?" } +private string expectationCommentPattern() { result = "\\s*\\$((?:[^/]|/[^/])*)(?://.*)?" } /** - * RegEx pattern to match a single expected result, not including the leading `$`. It starts with an - * optional `f+:` or `f-:`, followed by one or more comma-separated tags containing only letters, - * `-`, and `_`, optionally followed by `=` and the expected value. + * The possible columns in an expectation comment. The `TDefaultColumn` branch represents the first + * column in a comment. This column is not precedeeded by a name. `TNamedColumn(name)` represents a + * column containing expected results preceeded by the string `name:`. */ -private string expectationPattern() { - result = "(?:(f(?:\\+|-)):)?((?:[A-Za-z-_]+)(?:\\s*,\\s*[A-Za-z-_]+)*)(?:=(.*))?" 
+private newtype TColumn = + TDefaultColumn() or + TNamedColumn(string name) { name = ["MISSING", "SPURIOUS"] } + +bindingset[start, content] +private int getEndOfColumnPosition(int start, string content) { + result = + min(string name, int cand | + exists(TNamedColumn(name)) and + cand = content.indexOf(name + ":") and + cand >= start + | + cand + ) + or + not exists(string name | + exists(TNamedColumn(name)) and + content.indexOf(name + ":") >= start + ) and + result = content.length() } -private string getAnExpectation(ExpectationComment comment) { - result = comment.getContents().regexpCapture(expectationCommentPattern(), 1).splitAt("$").trim() and - result != "" +private predicate getAnExpectation( + ExpectationComment comment, TColumn column, string expectation, string tags, string value +) { + exists(string content | + content = comment.getContents().regexpCapture(expectationCommentPattern(), 1) and + ( + column = TDefaultColumn() and + exists(int end | + end = getEndOfColumnPosition(0, content) and + expectation = content.prefix(end).regexpFind(expectationPattern(), _, _).trim() + ) + or + exists(string name, int start, int end | + column = TNamedColumn(name) and + start = content.indexOf(name + ":") + name.length() + 1 and + end = getEndOfColumnPosition(start, content) and + expectation = content.substring(start, end).regexpFind(expectationPattern(), _, _).trim() + ) + ) + ) and + tags = expectation.regexpCapture(expectationPattern(), 1) and + if exists(expectation.regexpCapture(expectationPattern(), 2)) + then value = expectation.regexpCapture(expectationPattern(), 2) + else value = "" +} + +private string getColumnString(TColumn column) { + column = TDefaultColumn() and result = "" + or + column = TNamedColumn(result) +} + +/** + * RegEx pattern to match a single expected result, not including the leading `$`. 
It consists of one or + * more comma-separated tags containing only letters, digits, `-` and `_` (note that the first character + * must not be a digit), optionally followed by `=` and the expected value. + */ +private string expectationPattern() { + exists(string tag, string tags, string value | + tag = "[A-Za-z-_][A-Za-z-_0-9]*" and + tags = "((?:" + tag + ")(?:\\s*,\\s*" + tag + ")*)" and + // In Python, we allow both `"` and `'` for strings, as well as the prefixes `bru`. + // For example, `b"foo"`. + value = "((?:[bru]*\"[^\"]*\"|[bru]*'[^']*'|\\S+)*)" and + result = tags + "(?:=" + value + ")?" + ) } private newtype TFailureLocatable = TActualResult( - InlineExpectationsTest test, string file, int line, string element, string tag, string value + InlineExpectationsTest test, Location location, string element, string tag, string value ) { - test.hasActualResult(file, line, element, tag, value) + test.hasActualResult(location, element, tag, value) } or TValidExpectation(ExpectationComment comment, string tag, string value, string knownFailure) { - exists(string expectation | - expectation = getAnExpectation(comment) and - expectation.regexpMatch(expectationPattern()) and - tag = expectation.regexpCapture(expectationPattern(), 2).splitAt(",").trim() and - ( - if exists(expectation.regexpCapture(expectationPattern(), 3)) - then value = expectation.regexpCapture(expectationPattern(), 3) - else value = "" - ) and - ( - if exists(expectation.regexpCapture(expectationPattern(), 1)) - then knownFailure = expectation.regexpCapture(expectationPattern(), 1) - else knownFailure = "" - ) + exists(TColumn column, string tags | + getAnExpectation(comment, column, _, tags, value) and + tag = tags.splitAt(",") and + knownFailure = getColumnString(column) ) } or TInvalidExpectation(ExpectationComment comment, string expectation) { - expectation = getAnExpectation(comment) and + getAnExpectation(comment, _, expectation, _, _) and not expectation.regexpMatch(expectationPattern()) 
} class FailureLocatable extends TFailureLocatable { string toString() { none() } - predicate hasLocation(string file, int line) { none() } + Location getLocation() { none() } final string getExpectationText() { result = this.getTag() + "=" + this.getValue() } @@ -218,17 +278,16 @@ class FailureLocatable extends TFailureLocatable { class ActualResult extends FailureLocatable, TActualResult { InlineExpectationsTest test; - string file; - int line; + Location location; string element; string tag; string value; - ActualResult() { this = TActualResult(test, file, line, element, tag, value) } + ActualResult() { this = TActualResult(test, location, element, tag, value) } override string toString() { result = element } - override predicate hasLocation(string f, int l) { f = file and l = line } + override Location getLocation() { result = location } InlineExpectationsTest getTest() { result = test } @@ -242,9 +301,7 @@ abstract private class Expectation extends FailureLocatable { override string toString() { result = comment.toString() } - override predicate hasLocation(string file, int line) { - comment.hasLocationInfo(file, line, _, _, _) - } + override Location getLocation() { result = comment.getLocation() } } private class ValidExpectation extends Expectation, TValidExpectation { 
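Review bot: `TInvalidExpectation` in the `@@ -160` hunk can no longer hold: `getAnExpectation` now produces `expectation` via `regexpFind(expectationPattern(), _, _)` and then requires `expectation.regexpCapture(expectationPattern(), 1)` to exist, so every `expectation` it yields already matches the pattern and the conjunct `not expectation.regexpMatch(expectationPattern())` is always false. The practical effect is that malformed text in a `$` comment (a tag starting with a digit, for instance) is silently skipped by `regexpFind` instead of being reported through `InvalidExpectation`, which the commit does not mention; either derive invalid expectations from the text between successive matches, or document on `TInvalidExpectation` and the `InvalidExpectation` class (defined in the later hunk) that they are now unreachable. Separately, the QLDoc added for `TColumn` misspells "preceded" twice (`precedeeded`, `preceeded`), and `getAnExpectation` is now a predicate rather than a function, so the `get` prefix reads oddly; `hasExpectation` would follow the usual convention. This hunk's last lines fall inside `class FailureLocatable`, whose body continues past the hunk.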
@@ -261,24 +318,24 @@ private class ValidExpectation extends Expectation, TValidExpectation { string getKnownFailure() { result = knownFailure } predicate matchesActualResult(ActualResult actualResult) { - exists(string file, int line | actualResult.hasLocation(file, line) | - this.hasLocation(file, line) - ) and + this.getLocation().getStartLine() = actualResult.getLocation().getStartLine() and + this.getLocation().getFile() = actualResult.getLocation().getFile() and this.getTag() = actualResult.getTag() and this.getValue() = actualResult.getValue() } } +/* Note: These next three classes correspond to all the possible values of type `TColumn`. */ class GoodExpectation extends ValidExpectation { GoodExpectation() { this.getKnownFailure() = "" } } class FalsePositiveExpectation extends ValidExpectation { - FalsePositiveExpectation() { this.getKnownFailure() = "f+" } + FalsePositiveExpectation() { this.getKnownFailure() = "SPURIOUS" } } class FalseNegativeExpectation extends ValidExpectation { - FalseNegativeExpectation() { this.getKnownFailure() = "f-" } + FalseNegativeExpectation() { this.getKnownFailure() = "MISSING" } } class InvalidExpectation extends Expectation, TInvalidExpectation { @@ -289,8 +346,6 @@ class InvalidExpectation extends Expectation, TInvalidExpectation { string getExpectation() { result = expectation } } -query predicate failures(string file, int line, FailureLocatable element, string message) { - exists(InlineExpectationsTest test | test.hasFailureMessage(element, message) | - element.hasLocation(file, line) - ) +query predicate failures(FailureLocatable element, string message) { + exists(InlineExpectationsTest test | test.hasFailureMessage(element, message)) } diff --git a/ql/test/experimental/frameworks/CleverGo/HeaderWrite.go b/ql/test/experimental/frameworks/CleverGo/HeaderWrite.go index f14e30e8038..a02923da4ee 100644 --- a/ql/test/experimental/frameworks/CleverGo/HeaderWrite.go 
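Review bot: In the `@@ -261` hunk the exported classes keep their old names, `FalsePositiveExpectation` and `FalseNegativeExpectation`, while the markers they recognise become `SPURIOUS` and `MISSING` and the messages emitted elsewhere in this commit say "spurious result" and "missing result", so a reader of the class names and a reader of the test output now use different vocabularies. Renaming the classes would break existing tests that reference them, so at minimum each should get a QLDoc comment tying the two together, e.g. `/** An expectation marked `SPURIOUS:`, i.e. a reported result known to be spurious (historically a "false positive"). */` and the corresponding sentence for `MISSING:`. The `/* Note: ... */` line added above `GoodExpectation` would also be better placed as a QLDoc comment on the `TColumn` newtype, which is where the correspondence it describes is defined.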
+++ b/ql/test/experimental/frameworks/CleverGo/HeaderWrite.go
@@ -15,7 +15,7 @@ func HeaderWrite_ClevergoTechClevergoV052() {
 keyString506 := source().(string)
 valString213 := source().(string)
 var rece clevergo.Context
- rece.SetHeader(keyString506, valString213) // $headerKeyNode=keyString506 $headerValNode=valString213
+ rece.SetHeader(keyString506, valString213) // $ headerKeyNode=keyString506 headerValNode=valString213
 }
 }
 }
@@ -27,7 +27,7 @@ func HeaderWrite_ClevergoTechClevergoV052() {
 {
 valString468 := source().(string)
 var rece clevergo.Context
- rece.SetContentType(valString468) // $headerKey=content-type $headerValNode=valString468
+ rece.SetContentType(valString468) // $ headerKey=content-type headerValNode=valString468
 }
 }
 }
@@ -38,22 +38,22 @@ func HeaderWrite_ClevergoTechClevergoV052() {
 // func (*Context).SetContentTypeHTML()
 {
 var rece clevergo.Context
- rece.SetContentTypeHTML() // $headerKey=content-type $headerVal=text/html
+ rece.SetContentTypeHTML() // $ headerKey=content-type headerVal=text/html
 }
 // func (*Context).SetContentTypeJSON()
 {
 var rece clevergo.Context
- rece.SetContentTypeJSON() // $headerKey=content-type $headerVal=application/json
+ rece.SetContentTypeJSON() // $ headerKey=content-type headerVal=application/json
 }
 // func (*Context).SetContentTypeText()
 {
 var rece clevergo.Context
- rece.SetContentTypeText() // $headerKey=content-type $headerVal=text/plain
+ rece.SetContentTypeText() // $ headerKey=content-type headerVal=text/plain
 }
 // func (*Context).SetContentTypeXML()
 {
 var rece clevergo.Context
- rece.SetContentTypeXML() // $headerKey=content-type $headerVal=text/xml
+ rece.SetContentTypeXML() // $ headerKey=content-type headerVal=text/xml
 }
 }
 }
diff --git a/ql/test/experimental/frameworks/CleverGo/HttpRedirect.go b/ql/test/experimental/frameworks/CleverGo/HttpRedirect.go
index f9ab6e443e1..4e21407988b 100644
--- a/ql/test/experimental/frameworks/CleverGo/HttpRedirect.go
+++ b/ql/test/experimental/frameworks/CleverGo/HttpRedirect.go
@@ -14,7 +14,7 @@ func HttpRedirect_ClevergoTechClevergoV052() {
 {
 urlString316 := source().(string)
 var rece clevergo.Context
- rece.Redirect(0, urlString316) // $redirectUrl=urlString316
+ rece.Redirect(0, urlString316) // $ redirectUrl=urlString316
 }
 }
 }
diff --git a/ql/test/experimental/frameworks/CleverGo/HttpResponseBody.go b/ql/test/experimental/frameworks/CleverGo/HttpResponseBody.go
index c27b1fc0097..ff5e0d50031 100644
--- a/ql/test/experimental/frameworks/CleverGo/HttpResponseBody.go
+++ b/ql/test/experimental/frameworks/CleverGo/HttpResponseBody.go
@@ -14,86 +14,86 @@ func HttpResponseBody_ClevergoTechClevergoV052() { { bodyString145 := source().(string) var rece clevergo.Context - rece.Error(0, bodyString145) // $contentType=text/plain $responseBody=bodyString145 + rece.Error(0, bodyString145) // $ contentType=text/plain responseBody=bodyString145 } // func (*Context).HTML(code int, html string) error { bodyString817 := source().(string) var rece clevergo.Context - rece.HTML(0, bodyString817) // $contentType=text/html $responseBody=bodyString817 + rece.HTML(0, bodyString817) // $ contentType=text/html responseBody=bodyString817 } // func (*Context).HTMLBlob(code int, bs []byte) error { bodyByte474 := source().([]byte) var rece clevergo.Context - rece.HTMLBlob(0, bodyByte474) // $contentType=text/html $responseBody=bodyByte474 + rece.HTMLBlob(0, bodyByte474) // $ contentType=text/html responseBody=bodyByte474 } // func (*Context).JSON(code int, data interface{}) error { bodyInterface832 := source().(interface{}) var rece clevergo.Context - rece.JSON(0, bodyInterface832) // $contentType=application/json $responseBody=bodyInterface832 + rece.JSON(0, bodyInterface832) // $ contentType=application/json responseBody=bodyInterface832 } // func (*Context).JSONBlob(code int, bs []byte) error { bodyByte378 := source().([]byte) var rece clevergo.Context - rece.JSONBlob(0, bodyByte378) // $contentType=application/json $responseBody=bodyByte378 + rece.JSONBlob(0, bodyByte378) // $ contentType=application/json responseBody=bodyByte378 } // func (*Context).JSONP(code int, data interface{}) error { bodyInterface541 := source().(interface{}) var rece clevergo.Context - rece.JSONP(0, bodyInterface541) // $contentType=application/javascript $responseBody=bodyInterface541 + rece.JSONP(0, bodyInterface541) // $ contentType=application/javascript responseBody=bodyInterface541 } // func (*Context).JSONPBlob(code int, bs []byte) error { bodyByte139 := source().([]byte) var rece clevergo.Context - rece.JSONPBlob(0, bodyByte139) // 
$contentType=application/javascript $responseBody=bodyByte139 + rece.JSONPBlob(0, bodyByte139) // $ contentType=application/javascript responseBody=bodyByte139 } // func (*Context).JSONPCallback(code int, callback string, data interface{}) error { bodyInterface814 := source().(interface{}) var rece clevergo.Context - rece.JSONPCallback(0, "", bodyInterface814) // $contentType=application/javascript $responseBody=bodyInterface814 + rece.JSONPCallback(0, "", bodyInterface814) // $ contentType=application/javascript responseBody=bodyInterface814 } // func (*Context).JSONPCallbackBlob(code int, callback string, bs []byte) (err error) { bodyByte768 := source().([]byte) var rece clevergo.Context - rece.JSONPCallbackBlob(0, "", bodyByte768) // $contentType=application/javascript $responseBody=bodyByte768 + rece.JSONPCallbackBlob(0, "", bodyByte768) // $ contentType=application/javascript responseBody=bodyByte768 } // func (*Context).String(code int, s string) error { bodyString468 := source().(string) var rece clevergo.Context - rece.String(0, bodyString468) // $contentType=text/plain $responseBody=bodyString468 + rece.String(0, bodyString468) // $ contentType=text/plain responseBody=bodyString468 } // func (*Context).StringBlob(code int, bs []byte) error { bodyByte736 := source().([]byte) var rece clevergo.Context - rece.StringBlob(0, bodyByte736) // $contentType=text/plain $responseBody=bodyByte736 + rece.StringBlob(0, bodyByte736) // $ contentType=text/plain responseBody=bodyByte736 } // func (*Context).Stringf(code int, format string, a ...interface{}) error { bodyString516 := source().(string) bodyInterface246 := source().(interface{}) var rece clevergo.Context - rece.Stringf(0, bodyString516, bodyInterface246) // $contentType=text/plain $responseBody=bodyString516 $responseBody=bodyInterface246 + rece.Stringf(0, bodyString516, bodyInterface246) // $ contentType=text/plain responseBody=bodyString516 responseBody=bodyInterface246 } // func (*Context).XML(code int, 
data interface{}) error { bodyInterface679 := source().(interface{}) var rece clevergo.Context - rece.XML(0, bodyInterface679) // $contentType=text/xml $responseBody=bodyInterface679 + rece.XML(0, bodyInterface679) // $ contentType=text/xml responseBody=bodyInterface679 } // func (*Context).XMLBlob(code int, bs []byte) error { bodyByte736 := source().([]byte) var rece clevergo.Context - rece.XMLBlob(0, bodyByte736) // $contentType=text/xml $responseBody=bodyByte736 + rece.XMLBlob(0, bodyByte736) // $ contentType=text/xml responseBody=bodyByte736 } } } @@ -105,13 +105,13 @@ func HttpResponseBody_ClevergoTechClevergoV052() { { bodyByte839 := source().([]byte) var rece clevergo.Context - rece.Blob(0, "application/json", bodyByte839) // $contentType=application/json $responseBody=bodyByte839 + rece.Blob(0, "application/json", bodyByte839) // $ contentType=application/json responseBody=bodyByte839 } // func (*Context).Emit(code int, contentType string, body string) (err error) { bodyString273 := source().(string) var rece clevergo.Context - rece.Emit(0, "application/json", bodyString273) // $contentType=application/json $responseBody=bodyString273 + rece.Emit(0, "application/json", bodyString273) // $ contentType=application/json responseBody=bodyString273 } } } @@ -123,13 +123,13 @@ func HttpResponseBody_ClevergoTechClevergoV052() { { bodyByte982 := source().([]byte) var rece clevergo.Context - rece.Write(bodyByte982) // $responseBody=bodyByte982 + rece.Write(bodyByte982) // $ responseBody=bodyByte982 } // func (*Context).WriteString(data string) (int, error) { bodyString458 := source().(string) var rece clevergo.Context - rece.WriteString(bodyString458) // $responseBody=bodyString458 + rece.WriteString(bodyString458) // $ responseBody=bodyString458 } } } diff --git a/ql/test/experimental/frameworks/CleverGo/TaintTracking.go b/ql/test/experimental/frameworks/CleverGo/TaintTracking.go index 614e0fed03d..362eedf785a 100644 
--- a/ql/test/experimental/frameworks/CleverGo/TaintTracking.go +++ b/ql/test/experimental/frameworks/CleverGo/TaintTracking.go @@ -17,7 +17,7 @@ func TaintTracking_ClevergoTechClevergoV052() { { fromString598 := source().(string) intoString631 := clevergo.CleanPath(fromString598) - sink(intoString631) // $taintSink + sink(intoString631) // $ taintSink } } // Taint-tracking through method calls. @@ -30,13 +30,13 @@ func TaintTracking_ClevergoTechClevergoV052() { fromString165 := source().(string) var mediumObjCQL clevergo.Application intoURL150, _ := mediumObjCQL.RouteURL(fromString165, "") - sink(intoURL150) // $taintSink + sink(intoURL150) // $ taintSink } { fromString340 := source().(string) var mediumObjCQL clevergo.Application intoURL471, _ := mediumObjCQL.RouteURL("", fromString340) - sink(intoURL471) // $taintSink + sink(intoURL471) // $ taintSink } } } @@ -46,7 +46,7 @@ func TaintTracking_ClevergoTechClevergoV052() { { fromContext290 := source().(clevergo.Context) intoContext758 := fromContext290.Context() - sink(intoContext758) // $taintSink + sink(intoContext758) // $ taintSink } } // Taint-tracking through method calls on clevergo.tech/clevergo.Params. @@ -55,7 +55,7 @@ func TaintTracking_ClevergoTechClevergoV052() { { fromParams396 := source().(clevergo.Params) intoString707 := fromParams396.String("") - sink(intoString707) // $taintSink $untrustedFlowSource + sink(intoString707) // $ taintSink untrustedFlowSource } } } @@ -69,7 +69,7 @@ func TaintTracking_ClevergoTechClevergoV052() { var intoInterface718 interface{} var mediumObjCQL clevergo.Decoder mediumObjCQL.Decode(fromRequest912, intoInterface718) - sink(intoInterface718) // $taintSink $untrustedFlowSource + sink(intoInterface718) // $ taintSink untrustedFlowSource } } // Taint-tracking through method calls on clevergo.tech/clevergo.Renderer interface. 
@@ -80,7 +80,7 @@ func TaintTracking_ClevergoTechClevergoV052() { var intoWriter633 io.Writer var mediumObjCQL clevergo.Renderer mediumObjCQL.Render(intoWriter633, "", fromInterface972, nil) - sink(intoWriter633) // $taintSink + sink(intoWriter633) // $ taintSink } } } diff --git a/ql/test/experimental/frameworks/CleverGo/UntrustedSources.go b/ql/test/experimental/frameworks/CleverGo/UntrustedSources.go index 30b939ed902..4df9ddabd89 100644 --- a/ql/test/experimental/frameworks/CleverGo/UntrustedSources.go +++ b/ql/test/experimental/frameworks/CleverGo/UntrustedSources.go @@ -15,8 +15,8 @@ func UntrustedSources_ClevergoTechClevergoV052() { var receiverContext656 clevergo.Context resultUsername414, resultPassword518, _ := receiverContext656.BasicAuth() sink( - resultUsername414, // $untrustedFlowSource - resultPassword518, // $untrustedFlowSource + resultUsername414, // $ untrustedFlowSource + resultPassword518, // $ untrustedFlowSource ) } // func (*Context).Decode(v interface{}) (err error) 
@@ -24,49 +24,49 @@ func UntrustedSources_ClevergoTechClevergoV052() { var receiverContext650 clevergo.Context var paramV784 interface{} receiverContext650.Decode(paramV784) - sink(paramV784) // $untrustedFlowSource + sink(paramV784) // $ untrustedFlowSource } // func (*Context).DefaultQuery(key string, defaultVlue string) string { var receiverContext957 clevergo.Context result520 := receiverContext957.DefaultQuery("", "") - sink(result520) // $untrustedFlowSource + sink(result520) // $ untrustedFlowSource } // func (*Context).FormValue(key string) string { var receiverContext443 clevergo.Context result127 := receiverContext443.FormValue("") - sink(result127) // $untrustedFlowSource + sink(result127) // $ untrustedFlowSource } // func (*Context).GetHeader(name string) string { var receiverContext483 clevergo.Context result989 := receiverContext483.GetHeader("") - sink(result989) // $untrustedFlowSource + sink(result989) // $ untrustedFlowSource } // func (*Context).PostFormValue(key string) string { var receiverContext982 clevergo.Context result417 := receiverContext982.PostFormValue("") - sink(result417) // $untrustedFlowSource + sink(result417) // $ untrustedFlowSource } // func (*Context).QueryParam(key string) string { var receiverContext584 clevergo.Context result991 := receiverContext584.QueryParam("") - sink(result991) // $untrustedFlowSource + sink(result991) // $ untrustedFlowSource } // func (*Context).QueryParams() net/url.Values { var receiverContext881 clevergo.Context result186 := receiverContext881.QueryParams() - sink(result186) // $untrustedFlowSource + sink(result186) // $ untrustedFlowSource } // func (*Context).QueryString() string { var receiverContext284 clevergo.Context result908 := receiverContext284.QueryString() - sink(result908) // $untrustedFlowSource + sink(result908) // $ untrustedFlowSource } } // Untrusted flow sources from method calls on clevergo.tech/clevergo.Params. 
@@ -75,7 +75,7 @@ func UntrustedSources_ClevergoTechClevergoV052() { { var receiverParams137 clevergo.Params result494 := receiverParams137.String("") - sink(result494) // $untrustedFlowSource + sink(result494) // $ untrustedFlowSource } } } @@ -88,7 +88,7 @@ func UntrustedSources_ClevergoTechClevergoV052() { var receiverDecoder873 clevergo.Decoder var paramV599 interface{} receiverDecoder873.Decode(nil, paramV599) - sink(paramV599) // $untrustedFlowSource + sink(paramV599) // $ untrustedFlowSource } } } @@ -97,14 +97,14 @@ func UntrustedSources_ClevergoTechClevergoV052() { // Untrusted flow sources from clevergo.tech/clevergo.Context struct fields. { structContext409 := new(clevergo.Context) - sink(structContext409.Params) // $untrustedFlowSource + sink(structContext409.Params) // $ untrustedFlowSource } // Untrusted flow sources from clevergo.tech/clevergo.Param struct fields. { structParam246 := new(clevergo.Param) sink( - structParam246.Key, // $untrustedFlowSource - structParam246.Value, // $untrustedFlowSource + structParam246.Key, // $ untrustedFlowSource + structParam246.Value, // $ untrustedFlowSource ) } } @@ -112,7 +112,7 @@ func UntrustedSources_ClevergoTechClevergoV052() { { { var typeParams898 clevergo.Params - sink(typeParams898) // $untrustedFlowSource + sink(typeParams898) // $ untrustedFlowSource } } } diff --git a/ql/test/experimental/frameworks/Fiber/HeaderWrite.go b/ql/test/experimental/frameworks/Fiber/HeaderWrite.go index d32002dfcd6..3a797b1ddcb 100644 --- a/ql/test/experimental/frameworks/Fiber/HeaderWrite.go +++ b/ql/test/experimental/frameworks/Fiber/HeaderWrite.go 
@@ -15,14 +15,14 @@ func HeaderWrite_GithubComGofiberFiberV1146() { keyString378 := source().(string) valString541 := source().(string) var rece fiber.Ctx - rece.Append(keyString378, valString541) // $headerKeyNode=keyString378 $headerValNode=valString541 + rece.Append(keyString378, valString541) // $ headerKeyNode=keyString378 headerValNode=valString541 } // func (*Ctx).Set(key string, val string) { keyString139 := source().(string) valString814 := source().(string) var rece fiber.Ctx - rece.Set(keyString139, valString814) // $headerKeyNode=keyString139 $headerValNode=valString814 + rece.Set(keyString139, valString814) // $ headerKeyNode=keyString139 headerValNode=valString814 } } } diff --git a/ql/test/experimental/frameworks/Fiber/Redirect.go b/ql/test/experimental/frameworks/Fiber/Redirect.go index 1c92cb941d1..6833702c710 100644 --- a/ql/test/experimental/frameworks/Fiber/Redirect.go +++ b/ql/test/experimental/frameworks/Fiber/Redirect.go @@ -14,7 +14,7 @@ func Redirect_GithubComGofiberFiberV1146() { { urlString832 := source().(string) var rece fiber.Ctx - rece.Redirect(urlString832, 0) // $redirectUrl=urlString832 + rece.Redirect(urlString832, 0) // $ redirectUrl=urlString832 } } } diff --git a/ql/test/experimental/frameworks/Fiber/ResponseBody.go b/ql/test/experimental/frameworks/Fiber/ResponseBody.go index 74f6bf451a5..3d270168790 100644 --- a/ql/test/experimental/frameworks/Fiber/ResponseBody.go +++ b/ql/test/experimental/frameworks/Fiber/ResponseBody.go 
@@ -18,13 +18,13 @@ func ResponseBody_GithubComGofiberFiberV1146() { { bodyInterface768 := source().(interface{}) var rece fiber.Ctx - rece.JSON(bodyInterface768) // $contentType=application/json $responseBody=bodyInterface768 + rece.JSON(bodyInterface768) // $ contentType=application/json responseBody=bodyInterface768 } // func (*Ctx).JSONP(data interface{}, callback ...string) error { bodyInterface468 := source().(interface{}) var rece fiber.Ctx - rece.JSONP(bodyInterface468, "") // $contentType=application/javascript $responseBody=bodyInterface468 + rece.JSONP(bodyInterface468, "") // $ contentType=application/javascript responseBody=bodyInterface468 } } } 
@@ -36,37 +36,37 @@ func ResponseBody_GithubComGofiberFiberV1146() { { bodyInterface736 := source().(interface{}) var rece fiber.Ctx - rece.Format(bodyInterface736) // $responseBody=bodyInterface736 + rece.Format(bodyInterface736) // $ responseBody=bodyInterface736 } // func (*Ctx).Send(bodies ...interface{}) { bodyInterface516 := source().(interface{}) var rece fiber.Ctx - rece.Send(bodyInterface516) // $responseBody=bodyInterface516 + rece.Send(bodyInterface516) // $ responseBody=bodyInterface516 } // func (*Ctx).SendBytes(body []byte) { bodyByte246 := source().([]byte) var rece fiber.Ctx - rece.SendBytes(bodyByte246) // $responseBody=bodyByte246 + rece.SendBytes(bodyByte246) // $ responseBody=bodyByte246 } // func (*Ctx).SendStream(stream io.Reader, size ...int) { bodyReader679 := source().(io.Reader) var rece fiber.Ctx - rece.SendStream(bodyReader679, 0) // $responseBody=bodyReader679 + rece.SendStream(bodyReader679, 0) // $ responseBody=bodyReader679 } // func (*Ctx).SendString(body string) { bodyString736 := source().(string) var rece fiber.Ctx - rece.SendString(bodyString736) // $responseBody=bodyString736 + rece.SendString(bodyString736) // $ responseBody=bodyString736 } // func (*Ctx).Write(bodies ...interface{}) { bodyInterface839 := source().(interface{}) var rece fiber.Ctx - rece.Write(bodyInterface839) // $responseBody=bodyInterface839 + rece.Write(bodyInterface839) // $ responseBody=bodyInterface839 } } } diff --git a/ql/test/experimental/frameworks/Fiber/TaintTracking.go b/ql/test/experimental/frameworks/Fiber/TaintTracking.go index 0dd551d7425..3b15aa1ea39 100644 --- a/ql/test/experimental/frameworks/Fiber/TaintTracking.go +++ b/ql/test/experimental/frameworks/Fiber/TaintTracking.go @@ -15,7 +15,7 @@ func TaintTracking_GithubComGofiberFiberV1146() { { fromString656 := source().(string) intoError414 := fiber.NewError(0, fromString656) - sink(intoError414) // $taintSink + sink(intoError414) // $ taintSink } } } 
@@ -28,79 +28,79 @@ func TaintTracking_GithubComGofiberUtilsV0010() {
 {
 fromString989 := source().(string)
 intoByte982 := utils.GetBytes(fromString989)
- sink(intoByte982) // $taintSink
+ sink(intoByte982) // $ taintSink
 }
 // func GetString(b []byte) string
 {
 fromByte417 := source().([]byte)
 intoString584 := utils.GetString(fromByte417)
- sink(intoString584) // $taintSink
+ sink(intoString584) // $ taintSink
 }
 // func ImmutableString(s string) string
 {
 fromString991 := source().(string)
 intoString881 := utils.ImmutableString(fromString991)
- sink(intoString881) // $taintSink
+ sink(intoString881) // $ taintSink
 }
 // func ToLower(b string) string
 {
 fromString494 := source().(string)
 intoString873 := utils.ToLower(fromString494)
- sink(intoString873) // $taintSink
+ sink(intoString873) // $ taintSink
 }
 // func ToLowerBytes(b []byte) []byte
 {
 fromByte599 := source().([]byte)
 intoByte409 := utils.ToLowerBytes(fromByte599)
- sink(intoByte409) // $taintSink
+ sink(intoByte409) // $ taintSink
 }
 // func ToUpper(b string) string
 {
 fromString246 := source().(string)
 intoString898 := utils.ToUpper(fromString246)
- sink(intoString898) // $taintSink
+ sink(intoString898) // $ taintSink
 }
 // func ToUpperBytes(b []byte) []byte
 {
 fromByte598 := source().([]byte)
 intoByte631 := utils.ToUpperBytes(fromByte598)
- sink(intoByte631) // $taintSink
+ sink(intoByte631) // $ taintSink
 }
 // func Trim(s string, cutset byte) string
 {
 fromString165 := source().(string)
 intoString150 := utils.Trim(fromString165, 0)
- sink(intoString150) // $taintSink
+ sink(intoString150) // $ taintSink
 }
 // func TrimBytes(b []byte, cutset byte) []byte
 {
 fromByte340 := source().([]byte)
 intoByte471 := utils.TrimBytes(fromByte340, 0)
- sink(intoByte471) // $taintSink
+ sink(intoByte471) // $ taintSink
 }
 // func TrimLeft(s string, cutset byte) string
 {
 fromString290 := source().(string)
 intoString758 := utils.TrimLeft(fromString290, 0)
- sink(intoString758) // $taintSink
+ sink(intoString758) // $ taintSink
 }
 // func TrimLeftBytes(b []byte, cutset byte) []byte
 {
 fromByte396 := source().([]byte)
 intoByte707 := utils.TrimLeftBytes(fromByte396, 0)
- sink(intoByte707) // $taintSink
+ sink(intoByte707) // $ taintSink
 }
 // func TrimRight(s string, cutset byte) string
 {
 fromString912 := source().(string)
 intoString718 := utils.TrimRight(fromString912, 0)
- sink(intoString718) // $taintSink
+ sink(intoString718) // $ taintSink
 }
 // func TrimRightBytes(b []byte, cutset byte) []byte
 {
 fromByte972 := source().([]byte)
 intoByte633 := utils.TrimRightBytes(fromByte972, 0)
- sink(intoByte633) // $taintSink
+ sink(intoByte633) // $ taintSink
 }
 }
 }
diff --git a/ql/test/experimental/frameworks/Fiber/UntrustedFlowSources.go b/ql/test/experimental/frameworks/Fiber/UntrustedFlowSources.go
index 23f2afe87a2..3e09a633694 100644
--- a/ql/test/experimental/frameworks/Fiber/UntrustedFlowSources.go
+++ b/ql/test/experimental/frameworks/Fiber/UntrustedFlowSources.go
@@ -14,105 +14,105 @@ func UntrustedFlowSources_GithubComGofiberFiberV1146() {
 {
 var receiverCtx273 fiber.Ctx
 result982 := receiverCtx273.BaseURL()
- sink(result982) // $untrustedFlowSource
+ sink(result982) // $ untrustedFlowSource
 }
 // func (*Ctx).Body() string
 {
 var receiverCtx458 fiber.Ctx
 result506 := receiverCtx458.Body()
- sink(result506) // $untrustedFlowSource
+ sink(result506) // $ untrustedFlowSource
 }
 // func (*Ctx).BodyParser(out interface{}) error
 {
 var receiverCtx213 fiber.Ctx
 var paramOut468 interface{}
 receiverCtx213.BodyParser(paramOut468)
- sink(paramOut468) // $untrustedFlowSource
+ sink(paramOut468) // $ untrustedFlowSource
 }
 // func (*Ctx).Cookies(key string, defaultValue ...string) string
 {
 var receiverCtx219 fiber.Ctx
 result265 := receiverCtx219.Cookies("", "")
- sink(result265) // $untrustedFlowSource
+ sink(result265) // $ untrustedFlowSource
 }
 // func (*Ctx).FormFile(key string) (*mime/multipart.FileHeader, error)
 {
 var receiverCtx971 fiber.Ctx
 result320, _ := receiverCtx971.FormFile("")
- sink(result320) // $untrustedFlowSource
+ sink(result320) // $ untrustedFlowSource
 }
 // func (*Ctx).FormValue(key string) (value string)
 {
 var receiverCtx545 fiber.Ctx
 resultValue566 := receiverCtx545.FormValue("")
- sink(resultValue566) // $untrustedFlowSource
+ sink(resultValue566) // $ untrustedFlowSource
 }
 // func (*Ctx).Get(key string, defaultValue ...string) string
 {
 var receiverCtx497 fiber.Ctx
 result274 := receiverCtx497.Get("", "")
- sink(result274) // $untrustedFlowSource
+ sink(result274) // $ untrustedFlowSource
 }
 // func (*Ctx).Hostname() string
 {
 var receiverCtx783 fiber.Ctx
 result905 := receiverCtx783.Hostname()
- sink(result905) // $untrustedFlowSource
+ sink(result905) // $ untrustedFlowSource
 }
 // func (*Ctx).Method(override ...string) string
 {
 var receiverCtx389 fiber.Ctx
 result198 := receiverCtx389.Method("")
- sink(result198) // $untrustedFlowSource
+ sink(result198) // $ untrustedFlowSource
 }
 // func (*Ctx).MultipartForm() (*mime/multipart.Form, error)
 {
 var receiverCtx477 fiber.Ctx
 result544, _ := receiverCtx477.MultipartForm()
- sink(result544) // $untrustedFlowSource
+ sink(result544) // $ untrustedFlowSource
 }
 // func (*Ctx).OriginalURL() string
 {
 var receiverCtx382 fiber.Ctx
 result715 := receiverCtx382.OriginalURL()
- sink(result715) // $untrustedFlowSource
+ sink(result715) // $ untrustedFlowSource
 }
 // func (*Ctx).Params(key string, defaultValue ...string) string
 {
 var receiverCtx179 fiber.Ctx
 result366 := receiverCtx179.Params("", "")
- sink(result366) // $untrustedFlowSource
+ sink(result366) // $ untrustedFlowSource
 }
 // func (*Ctx).Path(override ...string) string
 {
 var receiverCtx648 fiber.Ctx
 result544 := receiverCtx648.Path("")
- sink(result544) // $untrustedFlowSource
+ sink(result544) // $ untrustedFlowSource
 }
 // func (*Ctx).Query(key string, defaultValue ...string) string
 {
 var receiverCtx754 fiber.Ctx
 result680 := receiverCtx754.Query("", "")
- sink(result680) // $untrustedFlowSource
+ sink(result680) // $ untrustedFlowSource
 }
 // func (*Ctx).QueryParser(out interface{}) error
 {
 var receiverCtx722 fiber.Ctx
 var paramOut506 interface{}
 receiverCtx722.QueryParser(paramOut506)
- sink(paramOut506) // $untrustedFlowSource
+ sink(paramOut506) // $ untrustedFlowSource
 }
 // func (*Ctx).Range(size int) (rangeData Range, err error)
 {
 var receiverCtx121 fiber.Ctx
 resultRangeData293, _ := receiverCtx121.Range(0)
- sink(resultRangeData293) // $untrustedFlowSource
+ sink(resultRangeData293) // $ untrustedFlowSource
 }
 // func (*Ctx).Subdomains(offset ...int) []string
 {
 var receiverCtx151 fiber.Ctx
 result849 := receiverCtx151.Subdomains(0)
- sink(result849) // $untrustedFlowSource
+ sink(result849) // $ untrustedFlowSource
 }
 }
 }
@@ -122,17 +122,17 @@ func UntrustedFlowSources_GithubComGofiberFiberV1146() {
 {
 structCookie322 := new(fiber.Cookie)
 sink(
- structCookie322.Domain, // $untrustedFlowSource
- structCookie322.Name, // $untrustedFlowSource
- structCookie322.Path, // $untrustedFlowSource
- structCookie322.SameSite, // $untrustedFlowSource
- structCookie322.Value, // $untrustedFlowSource
+ structCookie322.Domain, // $ untrustedFlowSource
+ structCookie322.Name, // $ untrustedFlowSource
+ structCookie322.Path, // $ untrustedFlowSource
+ structCookie322.SameSite, // $ untrustedFlowSource
+ structCookie322.Value, // $ untrustedFlowSource
 )
 }
 // Untrusted flow sources from github.com/gofiber/fiber.Error struct fields.
 {
 structError339 := new(fiber.Error)
- sink(structError339.Message) // $untrustedFlowSource
+ sink(structError339.Message) // $ untrustedFlowSource
 }
 }
 }
diff --git a/ql/test/library-tests/semmle/go/concepts/HTTP/main.go b/ql/test/library-tests/semmle/go/concepts/HTTP/main.go
index 7abf0a170c0..12a3929cec6 100644
--- a/ql/test/library-tests/semmle/go/concepts/HTTP/main.go
+++ b/ql/test/library-tests/semmle/go/concepts/HTTP/main.go
@@ -57,9 +57,9 @@ func main() {
 resp, _ := http.Get("https://example.com")
 resp.Header.Set("This-Makes", "No sense")
- http.HandleFunc("/foo", handler) // $handler="/foo"
+ http.HandleFunc("/foo", handler) // $ handler="/foo"
- http.HandleFunc("/bar", func(w http.ResponseWriter, r *http.Request) { // $handler="/bar"
+ http.HandleFunc("/bar", func(w http.ResponseWriter, r *http.Request) { // $ handler="/bar"
 fmt.Fprintf(w, "Hello, %q", html.EscapeString(r.URL.Path))
 })
 }
diff --git a/ql/test/library-tests/semmle/go/concepts/LoggerCall/glog.go b/ql/test/library-tests/semmle/go/concepts/LoggerCall/glog.go
index f73e44fa7bd..28f5be2b067 100644
--- a/ql/test/library-tests/semmle/go/concepts/LoggerCall/glog.go
+++ b/ql/test/library-tests/semmle/go/concepts/LoggerCall/glog.go
@@ -9,45 +9,45 @@ import (
 )
 func glogTest() {
- glog.Error(text) // $logger=text
- glog.ErrorDepth(0, text) // $f-:logger=text
- glog.Errorf(fmt, text) // $logger=fmt $logger=text
- glog.Errorln(text) // $logger=text
- glog.Exit(text) // $logger=text
- glog.ExitDepth(0, text) // $f-:logger=text
- glog.Exitf(fmt, text) // $logger=fmt $logger=text
- glog.Exitln(text) // $logger=text
- glog.Fatal(text) // $logger=text
- glog.FatalDepth(0, text) // $f-:logger=text
- glog.Fatalf(fmt, text) // $logger=fmt $logger=text
- glog.Fatalln(text) // $logger=text
- glog.Info(text) // $logger=text
- glog.InfoDepth(0, text) // $f-:logger=text
- glog.Infof(fmt, text) // $logger=fmt $logger=text
- glog.Infoln(text) // $logger=text
- glog.Warning(text) // $logger=text
- glog.WarningDepth(0, text) // $f-:logger=text
- glog.Warningf(fmt, text) // $logger=fmt $logger=text
- glog.Warningln(text) // $logger=text
+ glog.Error(text) // $ logger=text
+ glog.ErrorDepth(0, text) // $ MISSING: logger=text
+ glog.Errorf(fmt, text) // $ logger=fmt logger=text
+ glog.Errorln(text) // $ logger=text
+ glog.Exit(text) // $ logger=text
+ glog.ExitDepth(0, text) // $ MISSING: logger=text
+ glog.Exitf(fmt, text) // $ logger=fmt logger=text
+ glog.Exitln(text) // $ logger=text
+ glog.Fatal(text) // $ logger=text
+ glog.FatalDepth(0, text) // $ MISSING: logger=text
+ glog.Fatalf(fmt, text) // $ logger=fmt logger=text
+ glog.Fatalln(text) // $ logger=text
+ glog.Info(text) // $ logger=text
+ glog.InfoDepth(0, text) // $ MISSING: logger=text
+ glog.Infof(fmt, text) // $ logger=fmt logger=text
+ glog.Infoln(text) // $ logger=text
+ glog.Warning(text) // $ logger=text
+ glog.WarningDepth(0, text) // $ MISSING: logger=text
+ glog.Warningf(fmt, text) // $ logger=fmt logger=text
+ glog.Warningln(text) // $ logger=text
- klog.Error(text) // $logger=text
- klog.ErrorDepth(0, text) // $f-:logger=text
- klog.Errorf(fmt, text) // $logger=fmt $logger=text
- klog.Errorln(text) // $logger=text
- klog.Exit(text) // $logger=text
- klog.ExitDepth(0, text) // $f-:logger=text
- klog.Exitf(fmt, text) // $logger=fmt $logger=text
- klog.Exitln(text) // $logger=text
- klog.Fatal(text) // $logger=text
- klog.FatalDepth(0, text) // $f-:logger=text
- klog.Fatalf(fmt, text) // $logger=fmt $logger=text
- klog.Fatalln(text) // $logger=text
- klog.Info(text) // $logger=text
- klog.InfoDepth(0, text) // $f-:logger=text
- klog.Infof(fmt, text) // $logger=fmt $logger=text
- klog.Infoln(text) // $logger=text
- klog.Warning(text) // $logger=text
- klog.WarningDepth(0, text) // $f-:logger=text
- klog.Warningf(fmt, text) // $logger=fmt $logger=text
- klog.Warningln(text) // $logger=text
+ klog.Error(text) // $ logger=text
+ klog.ErrorDepth(0, text) // $ MISSING: logger=text
+ klog.Errorf(fmt, text) // $ logger=fmt logger=text
+ klog.Errorln(text) // $ logger=text
+ klog.Exit(text) // $ logger=text
+ klog.ExitDepth(0, text) // $ MISSING: logger=text
+ klog.Exitf(fmt, text) // $ logger=fmt logger=text
+ klog.Exitln(text) // $ logger=text
+ klog.Fatal(text) // $ logger=text
+ klog.FatalDepth(0, text) // $ MISSING: logger=text
+ klog.Fatalf(fmt, text) // $ logger=fmt logger=text
+ klog.Fatalln(text) // $ logger=text
+ klog.Info(text) // $ logger=text
+ klog.InfoDepth(0, text) // $ MISSING: logger=text
+ klog.Infof(fmt, text) // $ logger=fmt logger=text
+ klog.Infoln(text) // $ logger=text
+ klog.Warning(text) // $ logger=text
+ klog.WarningDepth(0, text) // $ MISSING: logger=text
+ klog.Warningf(fmt, text) // $ logger=fmt logger=text
+ klog.Warningln(text) // $ logger=text
 }
diff --git a/ql/test/library-tests/semmle/go/concepts/LoggerCall/logrus.go b/ql/test/library-tests/semmle/go/concepts/LoggerCall/logrus.go
index 3dd4da3ef0d..9f85565ad42 100644
--- a/ql/test/library-tests/semmle/go/concepts/LoggerCall/logrus.go
+++ b/ql/test/library-tests/semmle/go/concepts/LoggerCall/logrus.go
@@ -10,7 +10,7 @@ import (
 )
 func logSomething(entry *logrus.Entry) {
- entry.Traceln(text) // $logger=text
+ entry.Traceln(text) // $ logger=text
 }
 func logrusCalls() {
@@ -18,18 +18,18 @@ func logrusCalls() {
 var fields logrus.Fields = nil
 var fn logrus.LogFunction = nil
 var ctx context.Context
- tmp := logrus.WithContext(ctx) // $logger=ctx
- tmp.Debugf(fmt, text) // $logger=fmt $logger=text
- tmp = logrus.WithError(err) // $logger=err
- tmp.Warn(text) // $logger=text
- tmp = logrus.WithFields(fields) // $logger=fields
- tmp.Infoln(text) // $logger=text
- tmp = logrus.WithFields(fields) // $logger=fields
+ tmp := logrus.WithContext(ctx) // $ logger=ctx
+ tmp.Debugf(fmt, text) // $ logger=fmt logger=text
+ tmp = logrus.WithError(err) // $ logger=err
+ tmp.Warn(text) // $ logger=text
+ tmp = logrus.WithFields(fields) // $ logger=fields
+ tmp.Infoln(text) // $ logger=text
+ tmp = logrus.WithFields(fields) // $ logger=fields
 logSomething(tmp)
- logrus.Error(text) // $logger=text
- logrus.Fatalf(fmt, text) // $logger=fmt $logger=text
- logrus.Panicln(text) // $logger=text
- logrus.Infof(fmt, text) // $logger=fmt $logger=text
- logrus.FatalFn(fn) // $logger=fn
+ logrus.Error(text) // $ logger=text
+ logrus.Fatalf(fmt, text) // $ logger=fmt logger=text
+ logrus.Panicln(text) // $ logger=text
+ logrus.Infof(fmt, text) // $ logger=fmt logger=text
+ logrus.FatalFn(fn) // $ logger=fn
 }
diff --git a/ql/test/library-tests/semmle/go/concepts/LoggerCall/stdlib.go b/ql/test/library-tests/semmle/go/concepts/LoggerCall/stdlib.go
index 22e2e5de3d5..f8401865b49 100644
--- a/ql/test/library-tests/semmle/go/concepts/LoggerCall/stdlib.go
+++ b/ql/test/library-tests/semmle/go/concepts/LoggerCall/stdlib.go
@@ -7,24 +7,24 @@ import (
 func stdlib() {
 var logger log.Logger
 logger.SetPrefix("prefix: ")
- logger.Fatal(text) // $logger=text
- logger.Fatalf(fmt, text) // $logger=fmt $logger=text
- logger.Fatalln(text) // $logger=text
- logger.Panic(text) // $logger=text
- logger.Panicf(fmt, text) // $logger=fmt $logger=text
- logger.Panicln(text) // $logger=text
- logger.Print(text) // $logger=text
- logger.Printf(fmt, text) // $logger=fmt $logger=text
- logger.Println(text) // $logger=text
+ logger.Fatal(text) // $ logger=text
+ logger.Fatalf(fmt, text) // $ logger=fmt logger=text
+ logger.Fatalln(text) // $ logger=text
+ logger.Panic(text) // $ logger=text
+ logger.Panicf(fmt, text) // $ logger=fmt logger=text
+ logger.Panicln(text) // $ logger=text
+ logger.Print(text) // $ logger=text
+ logger.Printf(fmt, text) // $ logger=fmt logger=text
+ logger.Println(text) // $ logger=text
 log.SetPrefix("prefix: ")
- log.Fatal(text) // $logger=text
- log.Fatalf(fmt, text) // $logger=fmt $logger=text
- log.Fatalln(text) // $logger=text
- log.Panic(text) // $logger=text
- log.Panicf(fmt, text) // $logger=fmt $logger=text
- log.Panicln(text) // $logger=text
- log.Print(text) // $logger=text
- log.Printf(fmt, text) // $logger=fmt $logger=text
- log.Println(text) // $logger=text
+ log.Fatal(text) // $ logger=text
+ log.Fatalf(fmt, text) // $ logger=fmt logger=text
+ log.Fatalln(text) // $ logger=text
+ log.Panic(text) // $ logger=text
+ log.Panicf(fmt, text) // $ logger=fmt logger=text
+ log.Panicln(text) // $ logger=text
+ log.Print(text) // $ logger=text
+ log.Printf(fmt, text) // $ logger=fmt logger=text
+ log.Println(text) // $ logger=text
 }
diff --git a/ql/test/library-tests/semmle/go/dataflow/GuardingFunctions/test.go b/ql/test/library-tests/semmle/go/dataflow/GuardingFunctions/test.go
index 4924d0e79be..285985c76f1 100644
--- a/ql/test/library-tests/semmle/go/dataflow/GuardingFunctions/test.go
+++ b/ql/test/library-tests/semmle/go/dataflow/GuardingFunctions/test.go
@@ -342,7 +342,7 @@ func test() {
 {
 s := source()
 if guardBool(s) {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 } else {
 sink(s)
 }
@@ -351,7 +351,7 @@ func test() {
 {
 s := source()
 if guardBoolStmt(s) {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 } else {
 sink(s)
 }
@@ -362,7 +362,7 @@ func test() {
 if juggleParams("other arg", s) {
 sink(s)
 } else {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 }
 }
@@ -371,14 +371,14 @@ func test() {
 if guardBoolNeg(s) {
 sink(s)
 } else {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 }
 }
 {
 s := source()
 if guardBoolCmp(s) {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 } else {
 sink(s)
 }
@@ -389,14 +389,14 @@ func test() {
 if guardBoolNegCmp(s) {
 sink(s)
 } else {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 }
 }
 {
 s := source()
 if guardBoolLOrLhs(s) {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 } else {
 sink(s)
 }
@@ -405,16 +405,16 @@ func test() {
 {
 s := source()
 if guardBoolLOrNegLhs(s) {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 } else {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 }
 }
 {
 s := source()
 if guardBoolLOrRhs(s) {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 } else {
 sink(s)
 }
@@ -423,18 +423,18 @@ func test() {
 {
 s := source()
 if guardBoolLOrNegRhs(s) {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 } else {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 }
 }
 {
 s := source()
 if guardBoolLAndLhs(s) {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 } else {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 }
 }
@@ -443,16 +443,16 @@ func test() {
 if guardBoolLAndNegLhs(s) {
 sink(s)
 } else {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 }
 }
 {
 s := source()
 if guardBoolLAndRhs(s) {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 } else {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 }
 }
@@ -461,14 +461,14 @@ func test() {
 if guardBoolLAndNegRhs(s) {
 sink(s)
 } else {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 }
 }
 {
 s := source()
 if guardBoolProxy(s) {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 } else {
 sink(s)
 }
@@ -479,14 +479,14 @@ func test() {
 if guardBoolNegProxy(s) {
 sink(s)
 } else {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 }
 }
 {
 s := source()
 if guardBoolCmpProxy(s) {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 } else {
 sink(s)
 }
@@ -497,14 +497,14 @@ func test() {
 if guardBoolNegCmpProxy(s) {
 sink(s)
 } else {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 }
 }
 {
 s := source()
 if guardBoolLOrLhsProxy(s) {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 } else {
 sink(s)
 }
@@ -513,16 +513,16 @@ func test() {
 {
 s := source()
 if guardBoolLOrNegLhsProxy(s) {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 } else {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 }
 }
 {
 s := source()
 if guardBoolLOrRhsProxy(s) {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 } else {
 sink(s)
 }
@@ -531,18 +531,18 @@ func test() {
 {
 s := source()
 if guardBoolLOrNegRhsProxy(s) {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 } else {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 }
 }
 {
 s := source()
 if guardBoolLAndLhsProxy(s) {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 } else {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 }
 }
@@ -551,16 +551,16 @@ func test() {
 if guardBoolLAndNegLhsProxy(s) {
 sink(s)
 } else {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 }
 }
 {
 s := source()
 if guardBoolLAndRhsProxy(s) {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 } else {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 }
 }
@@ -569,7 +569,7 @@ func test() {
 if guardBoolLAndNegRhsProxy(s) {
 sink(s)
 } else {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 }
 }
@@ -578,14 +578,14 @@ func test() {
 if guardProxyNilToBool(s) {
 sink(s)
 } else {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 }
 }
 {
 s := source()
 if guardNeqProxyNilToBool(s) {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 } else {
 sink(s)
 }
@@ -594,7 +594,7 @@ func test() {
 {
 s := source()
 if guardNotEqProxyNilToBool(s) {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 } else {
 sink(s)
 }
@@ -603,7 +603,7 @@ func test() {
 {
 s := source()
 if guardLOrLhsProxyNilToBool(s) {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 } else {
 sink(s)
 }
@@ -612,16 +612,16 @@ func test() {
 {
 s := source()
 if guardLOrNegLhsProxyNilToBool(s) {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 } else {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 }
 }
 {
 s := source()
 if guardLOrRhsProxyNilToBool(s) {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 } else {
 sink(s)
 }
@@ -630,18 +630,18 @@ func test() {
 {
 s := source()
 if guardLOrNegRhsProxyNilToBool(s) {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 } else {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 }
 }
 {
 s := source()
 if guardLAndLhsProxyNilToBool(s) {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 } else {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 }
 }
@@ -650,16 +650,16 @@ func test() {
 if guardLAndNegLhsProxyNilToBool(s) {
 sink(s)
 } else {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 }
 }
 {
 s := source()
 if guardLAndRhsProxyNilToBool(s) {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 } else {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 }
 }
@@ -668,7 +668,7 @@ func test() {
 if guardLAndNegRhsProxyNilToBool(s) {
 sink(s)
 } else {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 }
 }
@@ -677,7 +677,7 @@ func test() {
 if guard(s) == nil {
 sink(s)
 } else {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 }
 }
@@ -686,14 +686,14 @@ func test() {
 if guardBoolProxyToNil(s) == nil {
 sink(s)
 } else {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 }
 }
 {
 s := source()
 if guardBoolNegProxyToNil(s) == nil {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 } else {
 sink(s)
 }
@@ -704,14 +704,14 @@ func test() {
 if guardBoolCmpProxyToNil(s) == nil {
 sink(s)
 } else {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 }
 }
 {
 s := source()
 if guardBoolNegCmpProxyToNil(s) == nil {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 } else {
 sink(s)
 }
@@ -722,16 +722,16 @@ func test() {
 if guardBoolLOrLhsProxyToNil(s) == nil {
 sink(s)
 } else {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 }
 }
 {
 s := source()
 if guardBoolLOrNegLhsProxyToNil(s) == nil {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 } else {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 }
 }
@@ -740,32 +740,32 @@ func test() {
 if guardBoolLOrRhsProxyToNil(s) == nil {
 sink(s)
 } else {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 }
 }
 {
 s := source()
 if guardBoolLOrNegRhsProxyToNil(s) == nil {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 } else {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 }
 }
 {
 s := source()
 if guardBoolLAndLhsProxyToNil(s) == nil {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 } else {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 }
 }
 {
 s := source()
 if guardBoolLAndNegLhsProxyToNil(s) == nil {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 } else {
 sink(s)
 }
@@ -774,16 +774,16 @@ func test() {
 {
 s := source()
 if guardBoolLAndRhsProxyToNil(s) == nil {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 } else {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 }
 }
 {
 s := source()
 if guardBoolLAndNegRhsProxyToNil(s) == nil {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 } else {
 sink(s)
 }
@@ -794,7 +794,7 @@ func test() {
 if directProxyNil(s) == nil {
 sink(s)
 } else {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 }
 }
@@ -803,7 +803,7 @@ func test() {
 if deeplyNestedConditionalLeft(s) {
 sink(s)
 } else {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 }
 }
@@ -812,7 +812,7 @@ func test() {
 if deeplyNestedConditionalMiddle(s) {
 sink(s)
 } else {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 }
 }
@@ -821,7 +821,7 @@ func test() {
 if deeplyNestedConditionalRight(s) {
 sink(s)
 } else {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 }
 }
@@ -832,7 +832,7 @@ func test() {
 s := source()
 isInvalid := guardBool(s)
 if isInvalid {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 } else {
 sink(s)
 }
@@ -842,9 +842,9 @@ func test() {
 s := source()
 isValid := !guardBool(s)
 if isValid {
- sink(s) // $f+:dataflow=s
+ sink(s) // $ SPURIOUS: dataflow=s
 } else {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 }
 }
diff --git a/ql/test/library-tests/semmle/go/dataflow/ListOfConstantsSanitizerGuards/test.go b/ql/test/library-tests/semmle/go/dataflow/ListOfConstantsSanitizerGuards/test.go
index ceab5488627..93be90027c3 100644
--- a/ql/test/library-tests/semmle/go/dataflow/ListOfConstantsSanitizerGuards/test.go
+++ b/ql/test/library-tests/semmle/go/dataflow/ListOfConstantsSanitizerGuards/test.go
@@ -138,14 +138,14 @@ func main() {
 if switchStatementReturningTrueOnlyWhenConstant(s) {
 sink(s)
 } else {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 }
 }
 {
 s := source()
 if switchStatementReturningFalseOnlyWhenConstant("", s) {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 } else {
 sink(s)
 }
@@ -157,7 +157,7 @@ func main() {
 if err != nil {
 sink(s)
 } else {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 }
 }
@@ -166,7 +166,7 @@ func main() {
 if switchStatementReturningNilOnlyWhenConstant(s) == nil {
 sink(s)
 } else {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 }
 }
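Review bot: The `SPURIOUS:` expectation on the `if isValid` branch in the `@@ -842,9 +842,9 @@` hunk records a known false positive without saying why it is expected, and the `$f+:` marker it replaces gave no hint either. A short comment on that line, e.g. `// presumably the negated guard result stored in isValid is not recognised as a guard — confirm`, would tell the next maintainer whether dropping the marker is the intended outcome of a fix rather than a regression. The enclosing `test()` function starts and ends outside the hunk.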
@@ -175,25 +175,25 @@ func main() {
 if multipleSwitchStatementReturningTrueOnlyWhenConstant(s, getRandomString()) {
 sink(s)
 } else {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 }
 }
 {
 s := source()
 if switchStatementWithoutUsefulInfo(s) {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 } else {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 }
 }
 {
 s := source()
 if switchStatementOverRandomString(s) {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 } else {
- sink(s) // $dataflow=s
+ sink(s) // $ dataflow=s
 }
 }
diff --git a/ql/test/library-tests/semmle/go/dataflow/PromotedFields/main.go b/ql/test/library-tests/semmle/go/dataflow/PromotedFields/main.go
index 97bb5eb8a2c..d0272646eb1 100644
--- a/ql/test/library-tests/semmle/go/dataflow/PromotedFields/main.go
+++ b/ql/test/library-tests/semmle/go/dataflow/PromotedFields/main.go
@@ -22,130 +22,130 @@ func testPromotedFieldNamedInitialization() {
 outer := Outer{
 Middle: Middle{Inner: Inner{source()}},
 }
- sink(outer.field) // $promotedfields
- sink(outer.Inner.field) // $promotedfields
- sink(outer.Middle.field) // $promotedfields
- sink(outer.Middle.Inner.field) // $promotedfields
+ sink(outer.field) // $ promotedfields
+ sink(outer.Inner.field) // $ promotedfields
+ sink(outer.Middle.field) // $ promotedfields
+ sink(outer.Middle.Inner.field) // $ promotedfields
 outerp := &Outer{
 Middle: Middle{Inner: Inner{source()}},
 }
- sink(outerp.field) // $promotedfields
- sink(outerp.Inner.field) // $promotedfields
- sink(outerp.Middle.field) // $promotedfields
- sink(outerp.Middle.Inner.field) // $promotedfields
+ sink(outerp.field) // $ promotedfields
+ sink(outerp.Inner.field) // $ promotedfields
+ sink(outerp.Middle.field) // $ promotedfields
+ sink(outerp.Middle.Inner.field) // $ promotedfields
 }
 func testPromotedFieldUnnamedInitialization() {
 outer := Outer{Middle{Inner{source()}}}
- sink(outer.field) // $promotedfields
- sink(outer.Inner.field) // $promotedfields
- sink(outer.Middle.field) // $promotedfields
- sink(outer.Middle.Inner.field) // $promotedfields
+ sink(outer.field) // $ promotedfields
+ sink(outer.Inner.field) // $ promotedfields
+ sink(outer.Middle.field) // $ promotedfields
+ sink(outer.Middle.Inner.field) // $ promotedfields
 outerp := &Outer{Middle{Inner{source()}}}
- sink(outerp.field) // $promotedfields
- sink(outerp.Inner.field) // $promotedfields
- sink(outerp.Middle.field) // $promotedfields
- sink(outerp.Middle.Inner.field) // $promotedfields
+ sink(outerp.field) // $ promotedfields
+ sink(outerp.Inner.field) // $ promotedfields
+ sink(outerp.Middle.field) // $ promotedfields
+ sink(outerp.Middle.Inner.field) // $ promotedfields
 }
 func testPromotedFieldUnnamedInitializationFromVariable() {
 inner := Inner{source()}
 middle := Middle{inner}
 outer := Outer{middle}
- sink(outer.field) // $promotedfields
- sink(outer.Inner.field) // $promotedfields
- sink(outer.Middle.field) // $promotedfields
- sink(outer.Middle.Inner.field) // $promotedfields
+ sink(outer.field) // $ promotedfields
+ sink(outer.Inner.field) // $ promotedfields
+ sink(outer.Middle.field) // $ promotedfields
+ sink(outer.Middle.Inner.field) // $ promotedfields
 innerp := Inner{source()}
 middlep := Middle{innerp}
 outerp := Outer{middlep}
- sink(outerp.field) // $promotedfields
- sink(outerp.Inner.field) // $promotedfields
- sink(outerp.Middle.field) // $promotedfields
- sink(outerp.Middle.Inner.field) // $promotedfields
+ sink(outerp.field) // $ promotedfields
+ sink(outerp.Inner.field) // $ promotedfields
+ sink(outerp.Middle.field) // $ promotedfields
+ sink(outerp.Middle.Inner.field) // $ promotedfields
 }
 func testPromotedFieldNamedInitializationFromVariable() {
 inner := Inner{source()}
 middle := Middle{Inner: inner}
 outer := Outer{Middle: middle}
- sink(outer.field) // $promotedfields
- sink(outer.Inner.field) // $promotedfields
- sink(outer.Middle.field) // $promotedfields
- sink(outer.Middle.Inner.field) // $promotedfields
+ sink(outer.field) // $ promotedfields
+ sink(outer.Inner.field) // $ promotedfields
+ sink(outer.Middle.field) // $ promotedfields
+ sink(outer.Middle.Inner.field) // $ promotedfields
 innerp := Inner{source()}
 middlep := Middle{Inner: innerp}
 outerp := Outer{Middle: middlep}
- sink(outerp.field) // $promotedfields
- sink(outerp.Inner.field) // $promotedfields
- sink(outerp.Middle.field) // $promotedfields
- sink(outerp.Middle.Inner.field) // $promotedfields
+ sink(outerp.field) // $ promotedfields
+ sink(outerp.Inner.field) // $ promotedfields
+ sink(outerp.Middle.field) // $ promotedfields
+ sink(outerp.Middle.Inner.field) // $ promotedfields
 }
 func testPromotedFieldDirectAssignment() {
 var outer Outer
 outer.field = source()
- sink(outer.field) // $promotedfields
- sink(outer.Inner.field) // $promotedfields
- sink(outer.Middle.field) // $promotedfields
- sink(outer.Middle.Inner.field) // $promotedfields
+ sink(outer.field) // $ promotedfields
+ sink(outer.Inner.field) // $ promotedfields
+ sink(outer.Middle.field) // $ promotedfields
+ sink(outer.Middle.Inner.field) // $ promotedfields
 var outerp Outer
 outerp.field = source()
- sink(outerp.field) // $promotedfields
- sink(outerp.Inner.field) // $promotedfields
- sink(outerp.Middle.field) // $promotedfields
- sink(outerp.Middle.Inner.field) // $promotedfields
+ sink(outerp.field) // $ promotedfields
+ sink(outerp.Inner.field) // $ promotedfields
+ sink(outerp.Middle.field) // $ promotedfields
+ sink(outerp.Middle.Inner.field) // $ promotedfields
 }
 func testPromotedFieldIndirectAssignment1() {
 var outer Outer
 outer.Inner.field = source()
- sink(outer.field) // $promotedfields
- sink(outer.Inner.field) // $promotedfields
- sink(outer.Middle.field) // $promotedfields
- sink(outer.Middle.Inner.field) // $promotedfields
+ sink(outer.field) // $ promotedfields
+ sink(outer.Inner.field) // $ promotedfields
+ sink(outer.Middle.field) // $ promotedfields
+ sink(outer.Middle.Inner.field) // $ promotedfields
 var outerp Outer
 outerp.Inner.field = source()
- sink(outerp.field) // $promotedfields
- sink(outerp.Inner.field) // $promotedfields
- sink(outerp.Middle.field) // $promotedfields
- sink(outerp.Middle.Inner.field) // $promotedfields
+ sink(outerp.field) // $ promotedfields
+ sink(outerp.Inner.field) // $ promotedfields
+ sink(outerp.Middle.field) // $ promotedfields
+ sink(outerp.Middle.Inner.field) // $ promotedfields
 }
 func testPromotedFieldIndirectAssignment2() {
 var outer Outer
 outer.Middle.field = source()
- sink(outer.field) // $promotedfields
- sink(outer.Inner.field) // $promotedfields
- sink(outer.Middle.field) // $promotedfields
- sink(outer.Middle.Inner.field) // $promotedfields
+ sink(outer.field) // $ promotedfields
+ sink(outer.Inner.field) // $ promotedfields
+ sink(outer.Middle.field) // $ promotedfields
+ sink(outer.Middle.Inner.field) // $ promotedfields
 var outerp Outer
 outerp.Middle.field = source()
- sink(outerp.field) // $promotedfields
- sink(outerp.Inner.field) // $promotedfields
- sink(outerp.Middle.field) // $promotedfields
- sink(outerp.Middle.Inner.field) // $promotedfields
+ sink(outerp.field) // $ promotedfields
+ sink(outerp.Inner.field) // $ promotedfields
+ sink(outerp.Middle.field) // $ promotedfields
+ sink(outerp.Middle.Inner.field) // $ promotedfields
 }
 func testPromotedFieldIndirectAssignment3() {
 var outer Outer
 outer.Middle.Inner.field = source()
- sink(outer.field) // $promotedfields
- sink(outer.Inner.field) // $promotedfields
- sink(outer.Middle.field) // $promotedfields
- sink(outer.Middle.Inner.field) // $promotedfields
+ sink(outer.field) // $ promotedfields
+ sink(outer.Inner.field) // $ promotedfields
+ sink(outer.Middle.field) // $ promotedfields
+ sink(outer.Middle.Inner.field) // $ promotedfields
 var outerp Outer
 outerp.Middle.Inner.field = source()
- sink(outerp.field) // $promotedfields
- sink(outerp.Inner.field) // $promotedfields
- sink(outerp.Middle.field) // $promotedfields
- sink(outerp.Middle.Inner.field) // $promotedfields
+ sink(outerp.field) // $ promotedfields
+ sink(outerp.Inner.field) // $ promotedfields
+ sink(outerp.Middle.field) // $ promotedfields
+ sink(outerp.Middle.Inner.field) // $ promotedfields
 }
diff --git a/ql/test/library-tests/semmle/go/dataflow/PromotedMethods/methods.go b/ql/test/library-tests/semmle/go/dataflow/PromotedMethods/methods.go
index 41debd07a8a..04ed9772319 100644
--- a/ql/test/library-tests/semmle/go/dataflow/PromotedMethods/methods.go
+++ b/ql/test/library-tests/semmle/go/dataflow/PromotedMethods/methods.go
@@ -19,27 +19,27 @@ type Base2 struct {
 }
 
 func (e Embedded) sinkFieldOnEmbeddedNonPointerReceiver() {
- sink(e.field) // $promotedmethods=nonPointerSender1 $promotedmethods=pointerSender1 $promotedmethods=nonPointerSender2 $promotedmethods=pointerSender2
+ sink(e.field) // $ promotedmethods=nonPointerSender1 promotedmethods=pointerSender1 promotedmethods=nonPointerSender2 promotedmethods=pointerSender2
 }
 
 func (e *Embedded) sinkFieldOnEmbeddedPointerReceiver() {
- sink(e.field) // $f-:promotedmethods=nonPointerSender1 $f-:promotedmethods=pointerSender1 $f-:promotedmethods=nonPointerSender2 $f-:promotedmethods=pointerSender2
+ sink(e.field) // $ MISSING: promotedmethods=nonPointerSender1 promotedmethods=pointerSender1 promotedmethods=nonPointerSender2 promotedmethods=pointerSender2
 }
 
 func (base1 Base1) sinkFieldOnBase1NonPointerReceiver() {
- sink(base1.field) // $promotedmethods=nonPointerSender1 $promotedmethods=pointerSender1
+ sink(base1.field) // $ promotedmethods=nonPointerSender1 promotedmethods=pointerSender1
 }
 
 func (base1 *Base1) sinkFieldOnBase1PointerReceiver() {
- sink(base1.field) // $f-:promotedmethods=nonPointerSender1 $promotedmethods=pointerSender1
+ sink(base1.field) // $ promotedmethods=pointerSender1 MISSING: promotedmethods=nonPointerSender1
 }
 
 func (base2 Base2) sinkFieldOnBase2NonPointerReceiver() {
- sink(base2.field) // $promotedmethods=nonPointerSender2 $promotedmethods=pointerSender2
+ sink(base2.field) // $ promotedmethods=nonPointerSender2 promotedmethods=pointerSender2
 }
 
 func (base2 *Base2) sinkFieldOnBase2PointerReceiver() {
- sink(base2.field) // $f-:promotedmethods=nonPointerSender2 $promotedmethods=pointerSender2
+ sink(base2.field) // $ promotedmethods=pointerSender2 MISSING: promotedmethods=nonPointerSender2
 }
 
 func nonPointerSender1() {
diff --git a/ql/test/library-tests/semmle/go/dataflow/TypeAssertions/test.go b/ql/test/library-tests/semmle/go/dataflow/TypeAssertions/test.go
index c0e97e4387b..36bc65aa023 100644
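Review bot: The `MISSING:` expectations on the three pointer-receiver methods (sinkFieldOnEmbeddedPointerReceiver, sinkFieldOnBase1PointerReceiver, sinkFieldOnBase2PointerReceiver) record known false negatives without any comment saying why those results are absent, so a reader cannot tell whether this is a deliberate limitation or a regression waiting to be fixed. The only difference from the neighbouring methods that do get every result is the `*T` receiver, so presumably a field read through a pointer receiver is what the library does not yet track; a short comment above the first of them, e.g. `// MISSING below: the promoted-method results are not yet reported when the field is read through a pointer receiver`, would make that explicit. The hunk also consistently lists the present expectation before `MISSING:` (see sinkFieldOnBase1PointerReceiver), which suggests the keyword applies to everything after it in the comment; stating that in the same comment would stop a later edit from reordering the two and silently turning an expected result into a missing one.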
--- a/ql/test/library-tests/semmle/go/dataflow/TypeAssertions/test.go +++ b/ql/test/library-tests/semmle/go/dataflow/TypeAssertions/test.go @@ -8,23 +8,23 @@ func sink(p interface{}) {} func test() (bool, *string) { ptr := src() - sink(ptr) // $dataflow=ptr + sink(ptr) // $ dataflow=ptr cast := ptr.(*string) - sink(cast) // $dataflow=cast + sink(cast) // $ dataflow=cast cast2, ok := ptr.(*string) if !ok { return true, nil } - sink(cast2) // $dataflow=cast2 + sink(cast2) // $ dataflow=cast2 var cast3, ok2 = ptr.(*string) if !ok2 { return true, nil } - sink(cast3) // $dataflow=cast3 + sink(cast3) // $ dataflow=cast3 cast2, ok = ptr.(*string) if !ok { return true, nil } - sink(cast2) // $dataflow=cast2 + sink(cast2) // $ dataflow=cast2 return true, nil } diff --git a/ql/test/library-tests/semmle/go/frameworks/CouchbaseV1/test.go b/ql/test/library-tests/semmle/go/frameworks/CouchbaseV1/test.go index f81ff812b35..31c5693ca62 100644 --- a/ql/test/library-tests/semmle/go/frameworks/CouchbaseV1/test.go +++ b/ql/test/library-tests/semmle/go/frameworks/CouchbaseV1/test.go @@ -19,7 +19,7 @@ func analyticsQuery(bucket gocb.Bucket, untrustedSource *http.Request) { q5 := q4.RawParam("name", nil) duration, _ := time.ParseDuration("300s") q6 := q5.ServerSideTimeout(duration) - bucket.ExecuteAnalyticsQuery(q6, nil) // $sqlinjection=q6 + bucket.ExecuteAnalyticsQuery(q6, nil) // $ sqlinjection=q6 } func n1qlQuery(cluster gocb.Cluster, untrustedSource *http.Request) { @@ -36,5 +36,5 @@ func n1qlQuery(cluster gocb.Cluster, untrustedSource *http.Request) { q9 := q8.ScanCap(10) duration, _ := time.ParseDuration("300s") q10 := q9.Timeout(duration) - cluster.ExecuteN1qlQuery(q10, nil) // $sqlinjection=q10 + cluster.ExecuteN1qlQuery(q10, nil) // $ sqlinjection=q10 } diff --git a/ql/test/library-tests/semmle/go/frameworks/ElazarlGoproxy/main.go b/ql/test/library-tests/semmle/go/frameworks/ElazarlGoproxy/main.go index 5c5f104e1b2..521e5968221 100644 
--- a/ql/test/library-tests/semmle/go/frameworks/ElazarlGoproxy/main.go +++ b/ql/test/library-tests/semmle/go/frameworks/ElazarlGoproxy/main.go @@ -4,22 +4,23 @@ package main import ( "fmt" - "github.com/elazarl/goproxy" "net/http" + + "github.com/elazarl/goproxy" ) func handler(r *http.Request, ctx *goproxy.ProxyCtx) (*http.Request, *http.Response) { - data := ctx.UserData // $untrustedflowsource=selection of UserData + data := ctx.UserData // $ untrustedflowsource="selection of UserData" // note no content type result here because we don't seem to extract the value of `ContentTypeHtml` - return r, goproxy.NewResponse(r, goproxy.ContentTypeHtml, http.StatusForbidden, fmt.Sprintf("Bad request: %v", data)) // $headerwrite=status:403 + return r, goproxy.NewResponse(r, goproxy.ContentTypeHtml, http.StatusForbidden, fmt.Sprintf("Bad request: %v", data)) // $ headerwrite=status:403 } func handler1(r *http.Request, ctx *goproxy.ProxyCtx) (*http.Request, *http.Response) { - ctx.Logf("test") // $logger="test" - ctx.Warnf("test1") // $logger="test1" + ctx.Logf("test") // $ logger="test" + ctx.Warnf("test1") // $ logger="test1" - return r, goproxy.TextResponse(r, "Hello!") // $headerwrite=status:200 $headerwrite=content-type:text/plain + return r, goproxy.TextResponse(r, "Hello!") // $ headerwrite=status:200 headerwrite=content-type:text/plain } func main() { diff --git a/ql/test/library-tests/semmle/go/frameworks/ElazarlGoproxy/test.ql b/ql/test/library-tests/semmle/go/frameworks/ElazarlGoproxy/test.ql index cf7ff09fb3f..1ee889d8dc9 100644 --- a/ql/test/library-tests/semmle/go/frameworks/ElazarlGoproxy/test.ql +++ b/ql/test/library-tests/semmle/go/frameworks/ElazarlGoproxy/test.ql 
@@ -9,7 +9,7 @@ class UntrustedFlowSourceTest extends InlineExpectationsTest {
 override predicate hasActualResult(string file, int line, string element, string tag, string value) {
 tag = "untrustedflowsource" and
 value = element and
- exists(UntrustedFlowSource src | value = src.toString() |
+ exists(UntrustedFlowSource src | value = "\"" + src.toString() + "\"" |
 src.hasLocationInfo(file, line, _, _, _)
 )
 }
diff --git a/ql/test/library-tests/semmle/go/frameworks/EvanphxJsonPatch/main.go b/ql/test/library-tests/semmle/go/frameworks/EvanphxJsonPatch/main.go
index 10e8c9a5139..5f53dafcc0e 100644
--- a/ql/test/library-tests/semmle/go/frameworks/EvanphxJsonPatch/main.go
+++ b/ql/test/library-tests/semmle/go/frameworks/EvanphxJsonPatch/main.go
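Review bot: The new `"\"" + src.toString() + "\""` wrapping carries no comment explaining that the quotes exist because the source's `toString()` (e.g. `selection of UserData` in the accompanying main.go) contains spaces, which the `$`-prefixed comment syntax this commit moves to would presumably otherwise read as several separate expectations. A one-line comment such as `// quote the value: toString() contains spaces, which would otherwise be split into separate expectations` would spare the next reader from reverse-engineering the literal quotes. The identical change in GoKit/untrustedflowsource.ql later in this commit needs the same comment. Separately, the Revel test in this commit uses single quotes for the same purpose (`responsebody='call to Get'`) while these two queries emit double quotes; settling on one convention would keep the expectation comments uniform across tests (the Revel query itself is not in view, so this is inferred from its test file alone).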
@@ -25,40 +25,40 @@ func main() { // func MergeMergePatches(patch1Data, patch2Data []byte) ([]byte, error) b1, _ := patch.MergeMergePatches(getTaintedByteArray(), untaintedByteArray) - sinkByteArray(b1) // $taintflow + sinkByteArray(b1) // $ taintflow b2, _ := patch.MergeMergePatches(untaintedByteArray, getTaintedByteArray()) - sinkByteArray(b2) // $taintflow + sinkByteArray(b2) // $ taintflow // func MergePatch(docData, patchData []byte) ([]byte, error) b3, _ := patch.MergePatch(getTaintedByteArray(), untaintedByteArray) - sinkByteArray(b3) // $taintflow + sinkByteArray(b3) // $ taintflow b4, _ := patch.MergePatch(untaintedByteArray, getTaintedByteArray()) - sinkByteArray(b4) // $taintflow + sinkByteArray(b4) // $ taintflow // func CreateMergePatch(originalJSON, modifiedJSON []byte) ([]byte, error) b5, _ := patch.CreateMergePatch(getTaintedByteArray(), untaintedByteArray) - sinkByteArray(b5) // $taintflow + sinkByteArray(b5) // $ taintflow b6, _ := patch.CreateMergePatch(untaintedByteArray, getTaintedByteArray()) - sinkByteArray(b6) // $taintflow + sinkByteArray(b6) // $ taintflow // func DecodePatch(buf []byte) (Patch, error) p7, _ := patch.DecodePatch(getTaintedByteArray()) - sinkPatch(p7) // $taintflow + sinkPatch(p7) // $ taintflow // func (p Patch) Apply(doc []byte) ([]byte, error) b8, _ := untaintedPatch.Apply(getTaintedByteArray()) - sinkByteArray(b8) // $taintflow + sinkByteArray(b8) // $ taintflow b9, _ := getTaintedPatch().Apply(untaintedByteArray) - sinkByteArray(b9) // $taintflow + sinkByteArray(b9) // $ taintflow // func (p Patch) ApplyIndent(doc []byte, indent string) ([]byte, error) b10, _ := untaintedPatch.ApplyIndent(getTaintedByteArray(), " ") - sinkByteArray(b10) // $taintflow + sinkByteArray(b10) // $ taintflow b11, _ := getTaintedPatch().ApplyIndent(untaintedByteArray, " ") - sinkByteArray(b11) // $taintflow + sinkByteArray(b11) // $ taintflow } 
diff --git a/ql/test/library-tests/semmle/go/frameworks/GoKit/main.go b/ql/test/library-tests/semmle/go/frameworks/GoKit/main.go index 17228a994da..1d0edf14c4d 100644 --- a/ql/test/library-tests/semmle/go/frameworks/GoKit/main.go +++ b/ql/test/library-tests/semmle/go/frameworks/GoKit/main.go @@ -2,6 +2,7 @@ package main import ( "context" + "github.com/go-kit/kit/endpoint" ) @@ -11,12 +12,12 @@ type MyService interface { } func makeEndpointLit(svc MyService) endpoint.Endpoint { - return func(_ context.Context, request interface{}) (interface{}, error) { // $source=definition of request + return func(_ context.Context, request interface{}) (interface{}, error) { // $ source="definition of request" return request, nil } } -func endpointfn(_ context.Context, request interface{}) (interface{}, error) { // $source=definition of request +func endpointfn(_ context.Context, request interface{}) (interface{}, error) { // $ source="definition of request" return request, nil } diff --git a/ql/test/library-tests/semmle/go/frameworks/GoKit/untrustedflowsource.ql b/ql/test/library-tests/semmle/go/frameworks/GoKit/untrustedflowsource.ql index 08a5973a458..7533bff89cb 100644 --- a/ql/test/library-tests/semmle/go/frameworks/GoKit/untrustedflowsource.ql +++ b/ql/test/library-tests/semmle/go/frameworks/GoKit/untrustedflowsource.ql @@ -11,7 +11,7 @@ class UntrustedFlowSourceTest extends InlineExpectationsTest { exists(UntrustedFlowSource source | source.hasLocationInfo(file, line, _, _, _) and element = source.toString() and - value = source.toString() and + value = "\"" + source.toString() + "\"" and tag = "source" ) } diff --git a/ql/test/library-tests/semmle/go/frameworks/K8sIoApiCoreV1/main.go b/ql/test/library-tests/semmle/go/frameworks/K8sIoApiCoreV1/main.go index 16db50cc342..4518342c171 100644 --- a/ql/test/library-tests/semmle/go/frameworks/K8sIoApiCoreV1/main.go +++ b/ql/test/library-tests/semmle/go/frameworks/K8sIoApiCoreV1/main.go 
@@ -19,76 +19,76 @@ func main() { { // func (in *Secret) DeepCopy() *Secret - sink(source().(*corev1.Secret).DeepCopy()) // $KsIoApiCoreV + sink(source().(*corev1.Secret).DeepCopy()) // $ KsIoApiCoreV } { // func (in *Secret) DeepCopyInto(out *Secret) var out *corev1.Secret source().(*corev1.Secret).DeepCopyInto(out) - sink(out) // $KsIoApiCoreV + sink(out) // $ KsIoApiCoreV } { // func (in *Secret) DeepCopyObject() runtime.Object - sink(source().(*corev1.Secret).DeepCopyObject()) // $KsIoApiCoreV + sink(source().(*corev1.Secret).DeepCopyObject()) // $ KsIoApiCoreV } { // func (m *Secret) Marshal() (dAtA []byte, err error) - sink(source().(*corev1.Secret).Marshal()) // $KsIoApiCoreV + sink(source().(*corev1.Secret).Marshal()) // $ KsIoApiCoreV } { // func (m *Secret) MarshalTo(dAtA []byte) (int, error) var dAtA []byte source().(*corev1.Secret).MarshalTo(dAtA) - sink(dAtA) // $KsIoApiCoreV + sink(dAtA) // $ KsIoApiCoreV } { // func (m *Secret) MarshalToSizedBuffer(dAtA []byte) (int, error) var dAtA []byte source().(*corev1.Secret).MarshalToSizedBuffer(dAtA) - sink(dAtA) // $KsIoApiCoreV + sink(dAtA) // $ KsIoApiCoreV } { // func (m *Secret) Unmarshal(dAtA []byte) error var dAtA []byte source().(*corev1.Secret).Unmarshal(dAtA) - sink(dAtA) // $KsIoApiCoreV + sink(dAtA) // $ KsIoApiCoreV } { // func (in *SecretList) DeepCopy() *SecretList - sink(source().(*corev1.SecretList).DeepCopy()) // $KsIoApiCoreV + sink(source().(*corev1.SecretList).DeepCopy()) // $ KsIoApiCoreV } { // func (in *SecretList) DeepCopyInto(out *SecretList) var out *corev1.SecretList source().(*corev1.SecretList).DeepCopyInto(out) - sink(out) // $KsIoApiCoreV + sink(out) // $ KsIoApiCoreV } { // func (in *SecretList) DeepCopyObject() runtime.Object - sink(source().(*corev1.SecretList).DeepCopyObject()) // $KsIoApiCoreV + sink(source().(*corev1.SecretList).DeepCopyObject()) // $ KsIoApiCoreV } { // func (m *SecretList) Marshal() (dAtA []byte, err error) - 
sink(source().(*corev1.SecretList).Marshal()) // $KsIoApiCoreV + sink(source().(*corev1.SecretList).Marshal()) // $ KsIoApiCoreV } { // func (m *SecretList) MarshalTo(dAtA []byte) (int, error) var dAtA []byte source().(*corev1.SecretList).MarshalTo(dAtA) - sink(dAtA) // $KsIoApiCoreV + sink(dAtA) // $ KsIoApiCoreV } { // func (m *SecretList) MarshalToSizedBuffer(dAtA []byte) (int, error) var dAtA []byte source().(*corev1.SecretList).MarshalToSizedBuffer(dAtA) - sink(dAtA) // $KsIoApiCoreV + sink(dAtA) // $ KsIoApiCoreV } { // func (m *SecretList) Unmarshal(dAtA []byte) error var dAtA []byte source().(*corev1.SecretList).Unmarshal(dAtA) - sink(dAtA) // $KsIoApiCoreV + sink(dAtA) // $ KsIoApiCoreV } } diff --git a/ql/test/library-tests/semmle/go/frameworks/K8sIoApimachineryPkgRuntime/main.go b/ql/test/library-tests/semmle/go/frameworks/K8sIoApimachineryPkgRuntime/main.go index 7da200410f8..dd213c214e2 100644 --- a/ql/test/library-tests/semmle/go/frameworks/K8sIoApimachineryPkgRuntime/main.go +++ b/ql/test/library-tests/semmle/go/frameworks/K8sIoApimachineryPkgRuntime/main.go 
@@ -31,93 +31,93 @@ func main() { // func Convert_Slice_string_To_Pointer_int64(in *[]string, out **int64, s conversion.Scope) error var out **int64 runtime.Convert_Slice_string_To_Pointer_int64(source().(*[]string), out, s) - sink(out) // $KsIoApimachineryPkgRuntime + sink(out) // $ KsIoApimachineryPkgRuntime } { // func Convert_Slice_string_To_int(in *[]string, out *int, s conversion.Scope) error var out *int runtime.Convert_Slice_string_To_int(source().(*[]string), out, s) - sink(out) // $KsIoApimachineryPkgRuntime + sink(out) // $ KsIoApimachineryPkgRuntime } { // func Convert_Slice_string_To_int64(in *[]string, out *int64, s conversion.Scope) error var out *int64 runtime.Convert_Slice_string_To_int64(source().(*[]string), out, s) - sink(out) // $KsIoApimachineryPkgRuntime + sink(out) // $ KsIoApimachineryPkgRuntime } { // func Convert_Slice_string_To_string(in *[]string, out *string, s conversion.Scope) error var out *string runtime.Convert_Slice_string_To_string(source().(*[]string), out, s) - sink(out) // $KsIoApimachineryPkgRuntime + sink(out) // $ KsIoApimachineryPkgRuntime } { // func Convert_runtime_Object_To_runtime_RawExtension(in *Object, out *RawExtension, s conversion.Scope) error var out *runtime.RawExtension runtime.Convert_runtime_Object_To_runtime_RawExtension(source().(*runtime.Object), out, s) - sink(out) // $KsIoApimachineryPkgRuntime + sink(out) // $ KsIoApimachineryPkgRuntime } { // func Convert_runtime_RawExtension_To_runtime_Object(in *RawExtension, out *Object, s conversion.Scope) error var out *runtime.Object runtime.Convert_runtime_RawExtension_To_runtime_Object(source().(*runtime.RawExtension), out, s) - sink(out) // $KsIoApimachineryPkgRuntime + sink(out) // $ KsIoApimachineryPkgRuntime } { // func Convert_string_To_Pointer_int64(in *string, out **int64, s conversion.Scope) error var out **int64 runtime.Convert_string_To_Pointer_int64(source().(*string), out, s) - sink(out) // $KsIoApimachineryPkgRuntime + sink(out) // $ 
KsIoApimachineryPkgRuntime } { // func Convert_string_To_int64(in *string, out *int64, s conversion.Scope) error var out *int64 runtime.Convert_string_To_int64(source().(*string), out, s) - sink(out) // $KsIoApimachineryPkgRuntime + sink(out) // $ KsIoApimachineryPkgRuntime } { // func DecodeInto(d Decoder, data []byte, into Object) error var o runtime.Object runtime.DecodeInto(decoder, source().([]byte), o) - sink(o) // $KsIoApimachineryPkgRuntime + sink(o) // $ KsIoApimachineryPkgRuntime } { // func DeepCopyJSON(x map[string]interface{}) map[string]interface{} - sink(runtime.DeepCopyJSON(source().(map[string]interface{}))) // $KsIoApimachineryPkgRuntime + sink(runtime.DeepCopyJSON(source().(map[string]interface{}))) // $ KsIoApimachineryPkgRuntime } { // func DeepCopyJSONValue(x interface{}) interface{} - sink(runtime.DeepCopyJSONValue(source().(map[string]interface{}))) // $KsIoApimachineryPkgRuntime + sink(runtime.DeepCopyJSONValue(source().(map[string]interface{}))) // $ KsIoApimachineryPkgRuntime } { // func Encode(e Encoder, obj Object) ([]byte, error) x, _ := runtime.Encode(encoder, source().(runtime.Object)) - sink(x) // $KsIoApimachineryPkgRuntime + sink(x) // $ KsIoApimachineryPkgRuntime } { // func EncodeOrDie(e Encoder, obj Object) string - sink(runtime.EncodeOrDie(encoder, source().(runtime.Object))) // $KsIoApimachineryPkgRuntime + sink(runtime.EncodeOrDie(encoder, source().(runtime.Object))) // $ KsIoApimachineryPkgRuntime } { // func Field(v reflect.Value, fieldName string, dest interface{}) error var fieldName string var dest interface{} runtime.Field(source().(reflect.Value), fieldName, dest) - sink(dest) // $KsIoApimachineryPkgRuntime + sink(dest) // $ KsIoApimachineryPkgRuntime } { // func FieldPtr(v reflect.Value, fieldName string, dest interface{}) error var fieldName string var dest interface{} runtime.FieldPtr(source().(reflect.Value), fieldName, dest) - sink(dest) // $KsIoApimachineryPkgRuntime + sink(dest) // $ KsIoApimachineryPkgRuntime 
} { // func SetField(src interface{}, v reflect.Value, fieldName string) error var v reflect.Value var fieldName string runtime.SetField(source(), v, fieldName) - sink(v) // $KsIoApimachineryPkgRuntime + sink(v) // $ KsIoApimachineryPkgRuntime } { // CacheEncode(id Identifier, encode func(Object, io.Writer) error, w io.Writer) error @@ -125,19 +125,19 @@ func main() { var encode func(runtime.Object, io.Writer) error var w io.Writer source().(myCacheableObject).CacheEncode(id, encode, w) - sink(w) // $KsIoApimachineryPkgRuntime + sink(w) // $ KsIoApimachineryPkgRuntime } { // GetObject() Object - sink(source().(myCacheableObject).GetObject()) // $KsIoApimachineryPkgRuntime + sink(source().(myCacheableObject).GetObject()) // $ KsIoApimachineryPkgRuntime } { // Decode(data []byte, defaults *schema.GroupVersionKind, into Object) (Object, *schema.GroupVersionKind, error) var defaults *schema.GroupVersionKind var into runtime.Object x, _, _ := decoder.Decode(source().([]byte), defaults, into) - sink(x) // $KsIoApimachineryPkgRuntime - sink(into) // $KsIoApimachineryPkgRuntime + sink(x) // $ KsIoApimachineryPkgRuntime + sink(into) // $ KsIoApimachineryPkgRuntime } { // Decode(data []byte, defaults *schema.GroupVersionKind, into Object) (Object, *schema.GroupVersionKind, error) 
@@ -145,47 +145,47 @@ func main() { var into runtime.Object var withoutVersionDecoder runtime.WithoutVersionDecoder x, _, _ := withoutVersionDecoder.Decode(source().([]byte), defaults, into) - sink(x) // $KsIoApimachineryPkgRuntime - sink(into) // $KsIoApimachineryPkgRuntime + sink(x) // $ KsIoApimachineryPkgRuntime + sink(into) // $ KsIoApimachineryPkgRuntime } { // Encode(obj Object, w io.Writer) error var w io.Writer encoder.Encode(source().(runtime.Object), w) - sink(w) // $KsIoApimachineryPkgRuntime + sink(w) // $ KsIoApimachineryPkgRuntime } { // Encode(obj Object, w io.Writer) error var w io.Writer var withVersionEncoder runtime.WithVersionEncoder withVersionEncoder.Encode(source().(runtime.Object), w) - sink(w) // $KsIoApimachineryPkgRuntime + sink(w) // $ KsIoApimachineryPkgRuntime } { var framer myFramer // NewFrameReader(r io.ReadCloser) io.ReadCloser - sink(framer.NewFrameReader(source().(io.ReadCloser))) // $KsIoApimachineryPkgRuntime + sink(framer.NewFrameReader(source().(io.ReadCloser))) // $ KsIoApimachineryPkgRuntime // NewFrameWriter(w io.Writer) io.Writer - sink(framer.NewFrameWriter(source().(io.Writer))) // $KsIoApimachineryPkgRuntime + sink(framer.NewFrameWriter(source().(io.Writer))) // $ KsIoApimachineryPkgRuntime } { // DeepCopyObject() Object - sink(source().(runtime.Object).DeepCopyObject()) // $KsIoApimachineryPkgRuntime + sink(source().(runtime.Object).DeepCopyObject()) // $ KsIoApimachineryPkgRuntime } { // func Decode(d Decoder, data []byte) (Object, error) o, _ := runtime.Decode(decoder, source().([]byte)) - sink(o) // $KsIoApimachineryPkgRuntime + sink(o) // $ KsIoApimachineryPkgRuntime } { // func NewEncodable(e Encoder, obj Object, versions ...schema.GroupVersion) Object - sink(runtime.NewEncodable(encoder, source().(runtime.Object))) // $KsIoApimachineryPkgRuntime + sink(runtime.NewEncodable(encoder, source().(runtime.Object))) // $ KsIoApimachineryPkgRuntime } { // func NewEncodableList(e Encoder, objects []Object, versions 
...schema.GroupVersion) []Object - sink(runtime.NewEncodableList(encoder, source().([]runtime.Object))) // $KsIoApimachineryPkgRuntime + sink(runtime.NewEncodableList(encoder, source().([]runtime.Object))) // $ KsIoApimachineryPkgRuntime } { // func UseOrCreateObject(t ObjectTyper, c ObjectCreater, gvk schema.GroupVersionKind, obj Object) (Object, error) @@ -193,7 +193,7 @@ func main() { var c runtime.ObjectCreater var gvk schema.GroupVersionKind o, _ := runtime.UseOrCreateObject(t, c, gvk, source().(runtime.Object)) - sink(o) // $KsIoApimachineryPkgRuntime + sink(o) // $ KsIoApimachineryPkgRuntime } { var objectConverter myObjectConverter @@ -201,12 +201,12 @@ func main() { // Convert(in, out, context interface{}) error var out, context interface{} objectConverter.Convert(source(), out, context) - sink(out) // $KsIoApimachineryPkgRuntime + sink(out) // $ KsIoApimachineryPkgRuntime // ConvertToVersion(in Object, gv GroupVersioner) (out Object, err error) var gv runtime.GroupVersioner o, _ := objectConverter.ConvertToVersion(source().(runtime.Object), gv) - sink(o) // $KsIoApimachineryPkgRuntime + sink(o) // $ KsIoApimachineryPkgRuntime } { var parameterCodec myParameterCodec 
@@ -215,110 +215,110 @@ func main() { var gv schema.GroupVersion var into runtime.Object parameterCodec.DecodeParameters(source().(url.Values), gv, into) - sink(into) // $KsIoApimachineryPkgRuntime + sink(into) // $ KsIoApimachineryPkgRuntime // EncodeParameters(obj Object, to schema.GroupVersion) (url.Values, error) urlValues, _ := parameterCodec.EncodeParameters(source().(runtime.Object), gv) - sink(urlValues) // $KsIoApimachineryPkgRuntime + sink(urlValues) // $ KsIoApimachineryPkgRuntime } { // MarshalTo(data []byte) (int, error) var data []byte source().(myProtobufMarshaller).MarshalTo(data) - sink(data) // $KsIoApimachineryPkgRuntime + sink(data) // $ KsIoApimachineryPkgRuntime } { // MarshalToSizedBuffer(data []byte) (int, error) var data []byte source().(myProtobufReverseMarshaller).MarshalToSizedBuffer(data) - sink(data) // $KsIoApimachineryPkgRuntime + sink(data) // $ KsIoApimachineryPkgRuntime } { // func (in *RawExtension) DeepCopy() *RawExtension - sink(source().(*runtime.RawExtension).DeepCopy()) // $KsIoApimachineryPkgRuntime + sink(source().(*runtime.RawExtension).DeepCopy()) // $ KsIoApimachineryPkgRuntime } { // func (in *RawExtension) DeepCopyInto(out *RawExtension) var out *runtime.RawExtension source().(*runtime.RawExtension).DeepCopyInto(out) - sink(out) // $KsIoApimachineryPkgRuntime + sink(out) // $ KsIoApimachineryPkgRuntime } { // func (m *RawExtension) Marshal() (dAtA []byte, err error) dAtA, _ := source().(*runtime.RawExtension).Marshal() - sink(dAtA) // $KsIoApimachineryPkgRuntime + sink(dAtA) // $ KsIoApimachineryPkgRuntime } { // func (m *RawExtension) MarshalTo(dAtA []byte) (int, error) var dAtA []byte source().(*runtime.RawExtension).MarshalTo(dAtA) - sink(dAtA) // $KsIoApimachineryPkgRuntime + sink(dAtA) // $ KsIoApimachineryPkgRuntime } { // func (m *RawExtension) MarshalToSizedBuffer(dAtA []byte) (int, error) var dAtA []byte source().(*runtime.RawExtension).MarshalToSizedBuffer(dAtA) - sink(dAtA) // $KsIoApimachineryPkgRuntime + 
sink(dAtA) // $ KsIoApimachineryPkgRuntime } { // func (m *RawExtension) Unmarshal(dAtA []byte) error var dAtA []byte source().(*runtime.RawExtension).Unmarshal(dAtA) - sink(dAtA) // $KsIoApimachineryPkgRuntime + sink(dAtA) // $ KsIoApimachineryPkgRuntime } { // func (in *Unknown) DeepCopy() *Unknown - sink(source().(*runtime.Unknown).DeepCopy()) // $KsIoApimachineryPkgRuntime + sink(source().(*runtime.Unknown).DeepCopy()) // $ KsIoApimachineryPkgRuntime } { // func (in *Unknown) DeepCopyObject() Object - sink(source().(*runtime.Unknown).DeepCopyObject()) // $KsIoApimachineryPkgRuntime + sink(source().(*runtime.Unknown).DeepCopyObject()) // $ KsIoApimachineryPkgRuntime } { // func (in *Unknown) DeepCopyInto(out *Unknown) var out *runtime.Unknown source().(*runtime.Unknown).DeepCopyInto(out) - sink(out) // $KsIoApimachineryPkgRuntime + sink(out) // $ KsIoApimachineryPkgRuntime } { // func (m *Unknown) Marshal() (dAtA []byte, err error) dAtA, _ := source().(*runtime.Unknown).Marshal() - sink(dAtA) // $KsIoApimachineryPkgRuntime + sink(dAtA) // $ KsIoApimachineryPkgRuntime } { // func (m *Unknown) MarshalTo(dAtA []byte) (int, error) var dAtA []byte source().(*runtime.Unknown).MarshalTo(dAtA) - sink(dAtA) // $KsIoApimachineryPkgRuntime + sink(dAtA) // $ KsIoApimachineryPkgRuntime } { // func (m *Unknown) MarshalToSizedBuffer(dAtA []byte) (int, error) var dAtA []byte source().(*runtime.Unknown).MarshalToSizedBuffer(dAtA) - sink(dAtA) // $KsIoApimachineryPkgRuntime + sink(dAtA) // $ KsIoApimachineryPkgRuntime } { // func (m *Unknown) NestedMarshalTo(data []byte, b ProtobufMarshaller, size uint64) (int, error) var dAtA []byte var b myProtobufMarshaller source().(*runtime.Unknown).NestedMarshalTo(dAtA, b, 1) - sink(dAtA) // $KsIoApimachineryPkgRuntime + sink(dAtA) // $ KsIoApimachineryPkgRuntime } { // func (m *Unknown) Unmarshal(dAtA []byte) error var dAtA []byte source().(*runtime.Unknown).Unmarshal(dAtA) - sink(dAtA) // $KsIoApimachineryPkgRuntime + sink(dAtA) // $ 
KsIoApimachineryPkgRuntime } { // UnstructuredContent() map[string]interface{} - sink(source().(myUnstructured).UnstructuredContent()) // $KsIoApimachineryPkgRuntime + sink(source().(myUnstructured).UnstructuredContent()) // $ KsIoApimachineryPkgRuntime } { // SetUnstructuredContent(map[string]interface{}) var unstructured myUnstructured unstructured.SetUnstructuredContent(source().(map[string]interface{})) - sink(unstructured) // $KsIoApimachineryPkgRuntime + sink(unstructured) // $ KsIoApimachineryPkgRuntime } } diff --git a/ql/test/library-tests/semmle/go/frameworks/K8sIoClientGo/main.go b/ql/test/library-tests/semmle/go/frameworks/K8sIoClientGo/main.go index 530248f51bd..8d2d275cd67 100644 --- a/ql/test/library-tests/semmle/go/frameworks/K8sIoClientGo/main.go +++ b/ql/test/library-tests/semmle/go/frameworks/K8sIoClientGo/main.go @@ -27,14 +27,14 @@ func main() { use(t.Delete(ctx, name, opts)) use(s.DeleteCollection(ctx, opts, listOpts)) use(t.DeleteCollection(ctx, opts, listOpts)) - use(s.Get(ctx, name, opts)) // $KsIoClientGo - use(t.Get(ctx, name, opts)) // $KsIoClientGo - use(s.List(ctx, opts)) // $KsIoClientGo - use(t.List(ctx, opts)) // $KsIoClientGo + use(s.Get(ctx, name, opts)) // $ KsIoClientGo + use(t.Get(ctx, name, opts)) // $ KsIoClientGo + use(s.List(ctx, opts)) // $ KsIoClientGo + use(t.List(ctx, opts)) // $ KsIoClientGo use(s.Watch(ctx, opts)) use(t.Watch(ctx, opts)) - use(s.Patch(ctx, name, pt, data, opts)) // $KsIoClientGo - use(t.Patch(ctx, name, pt, data, opts)) // $KsIoClientGo + use(s.Patch(ctx, name, pt, data, opts)) // $ KsIoClientGo + use(t.Patch(ctx, name, pt, data, opts)) // $ KsIoClientGo } func use(arg ...interface{}) {} diff --git a/ql/test/library-tests/semmle/go/frameworks/NoSQL/main.go b/ql/test/library-tests/semmle/go/frameworks/NoSQL/main.go index c1ed47119da..e192ac77db4 100644 --- a/ql/test/library-tests/semmle/go/frameworks/NoSQL/main.go +++ b/ql/test/library-tests/semmle/go/frameworks/NoSQL/main.go 
@@ -26,46 +26,46 @@ func test(coll *mongo.Collection, filter interface{}, models []mongo.WriteModel, matchStage := bson.D{{"$match", filter}} pipeline := mongo.Pipeline{matchStage} - coll.Aggregate(ctx, pipeline, nil) // $nosqlquery=pipeline + coll.Aggregate(ctx, pipeline, nil) // $ nosqlquery=pipeline coll.BulkWrite(ctx, models, nil) coll.Clone(nil) - coll.CountDocuments(ctx, filter, nil) // $nosqlquery=filter + coll.CountDocuments(ctx, filter, nil) // $ nosqlquery=filter coll.Database() - coll.DeleteMany(ctx, filter, nil) // $nosqlquery=filter - coll.DeleteOne(ctx, filter, nil) // $nosqlquery=filter + coll.DeleteMany(ctx, filter, nil) // $ nosqlquery=filter + coll.DeleteOne(ctx, filter, nil) // $ nosqlquery=filter - coll.Distinct(ctx, fieldName, filter) // $nosqlquery=filter + coll.Distinct(ctx, fieldName, filter) // $ nosqlquery=filter coll.Drop(ctx) coll.EstimatedDocumentCount(ctx, nil) - coll.Find(ctx, filter, nil) // $nosqlquery=filter - coll.FindOne(ctx, filter, nil) // $nosqlquery=filter - coll.FindOneAndDelete(ctx, filter, nil) // $nosqlquery=filter - coll.FindOneAndReplace(ctx, filter, nil) // $nosqlquery=filter - coll.FindOneAndUpdate(ctx, filter, nil) // $nosqlquery=filter + coll.Find(ctx, filter, nil) // $ nosqlquery=filter + coll.FindOne(ctx, filter, nil) // $ nosqlquery=filter + coll.FindOneAndDelete(ctx, filter, nil) // $ nosqlquery=filter + coll.FindOneAndReplace(ctx, filter, nil) // $ nosqlquery=filter + coll.FindOneAndUpdate(ctx, filter, nil) // $ nosqlquery=filter coll.Indexes() coll.InsertMany(ctx, documents) coll.InsertOne(ctx, document, nil) coll.Name() replacement := bson.D{{"location", "NYC"}} - coll.ReplaceOne(ctx, filter, replacement) // $nosqlquery=filter + coll.ReplaceOne(ctx, filter, replacement) // $ nosqlquery=filter update := bson.D{{"$inc", bson.D{{"age", 1}}}} - coll.UpdateMany(ctx, filter, update) // $nosqlquery=filter - coll.UpdateOne(ctx, filter, update) // $nosqlquery=filter - coll.Watch(ctx, pipeline) // $nosqlquery=pipeline 
+ coll.UpdateMany(ctx, filter, update) // $ nosqlquery=filter + coll.UpdateOne(ctx, filter, update) // $ nosqlquery=filter + coll.Watch(ctx, pipeline) // $ nosqlquery=pipeline } func testGocbV1(bucket gocbv1.Bucket, cluster gocbv1.Cluster, aq *gocbv1.AnalyticsQuery, nq *gocbv1.N1qlQuery) { - bucket.ExecuteAnalyticsQuery(aq, nil) // $nosqlquery=aq - cluster.ExecuteAnalyticsQuery(aq, nil) // $nosqlquery=aq - bucket.ExecuteN1qlQuery(nq, nil) // $nosqlquery=nq - cluster.ExecuteN1qlQuery(nq, nil) // $nosqlquery=nq + bucket.ExecuteAnalyticsQuery(aq, nil) // $ nosqlquery=aq + cluster.ExecuteAnalyticsQuery(aq, nil) // $ nosqlquery=aq + bucket.ExecuteN1qlQuery(nq, nil) // $ nosqlquery=nq + cluster.ExecuteN1qlQuery(nq, nil) // $ nosqlquery=nq } func testGocbV2(cluster gocbv2.Cluster, scope gocbv2.Scope) { - cluster.AnalyticsQuery("a", nil) // $nosqlquery="a" - scope.AnalyticsQuery("b", nil) // $nosqlquery="b" - cluster.Query("c", nil) // $nosqlquery="c" - scope.Query("d", nil) // $nosqlquery="d" + cluster.AnalyticsQuery("a", nil) // $ nosqlquery="a" + scope.AnalyticsQuery("b", nil) // $ nosqlquery="b" + cluster.Query("c", nil) // $ nosqlquery="c" + scope.Query("d", nil) // $ nosqlquery="d" } func main() {} diff --git a/ql/test/library-tests/semmle/go/frameworks/Revel/EndToEnd.go b/ql/test/library-tests/semmle/go/frameworks/Revel/EndToEnd.go index 05cac01673f..a21911f3beb 100644 --- a/ql/test/library-tests/semmle/go/frameworks/Revel/EndToEnd.go +++ b/ql/test/library-tests/semmle/go/frameworks/Revel/EndToEnd.go 
@@ -27,69 +27,69 @@ type MyRoute struct { func (c MyRoute) Handler1() revel.Result { // GOOD: the Render function is likely to properly escape the user-controlled parameter. - return c.Render("someviewparam", c.Params.Form.Get("someField")) // $source=selection of Params + return c.Render("someviewparam", c.Params.Form.Get("someField")) } func (c MyRoute) Handler2() revel.Result { // BAD: the RenderBinary function copies an `io.Reader` to the user's browser. buf := &bytes.Buffer{} - buf.WriteString(c.Params.Form.Get("someField")) // $source=selection of Params - return c.RenderBinary(buf, "index.html", revel.Inline, time.Now()) // $responsebody=buf + buf.WriteString(c.Params.Form.Get("someField")) + return c.RenderBinary(buf, "index.html", revel.Inline, time.Now()) // $ responsebody='buf' } func (c MyRoute) Handler3() revel.Result { // GOOD: the RenderBinary function copies an `io.Reader` to the user's browser, but the filename // means it will be given a safe content-type. buf := &bytes.Buffer{} - buf.WriteString(c.Params.Form.Get("someField")) // $source=selection of Params - return c.RenderBinary(buf, "index.txt", revel.Inline, time.Now()) // $responsebody=buf + buf.WriteString(c.Params.Form.Get("someField")) + return c.RenderBinary(buf, "index.txt", revel.Inline, time.Now()) // $ responsebody='buf' } func (c MyRoute) Handler4() revel.Result { // GOOD: the RenderError function either uses an HTML template with probable escaping, // or it uses content-type text/plain. 
- err := errors.New(c.Params.Form.Get("someField")) // $source=selection of Params - return c.RenderError(err) // $responsebody=err + err := errors.New(c.Params.Form.Get("someField")) + return c.RenderError(err) // $ responsebody='err' } func (c MyRoute) Handler5() revel.Result { // BAD: returning an arbitrary file (but this is detected at the os.Open call, not // due to modelling Revel) - f, _ := os.Open(c.Params.Form.Get("someField")) // $source=selection of Params + f, _ := os.Open(c.Params.Form.Get("someField")) return c.RenderFile(f, revel.Inline) } func (c MyRoute) Handler6() revel.Result { // BAD: returning an arbitrary file (detected as a user-controlled file-op, not XSS) - return c.RenderFileName(c.Params.Form.Get("someField"), revel.Inline) // $source=selection of Params + return c.RenderFileName(c.Params.Form.Get("someField"), revel.Inline) } func (c MyRoute) Handler7() revel.Result { // BAD: straightforward XSS - return c.RenderHTML(c.Params.Form.Get("someField")) // $responsebody=call to Get $source=selection of Params + return c.RenderHTML(c.Params.Form.Get("someField")) // $ responsebody='call to Get' } func (c MyRoute) Handler8() revel.Result { // GOOD: uses JSON content-type - return c.RenderJSON(c.Params.Form.Get("someField")) // $responsebody=call to Get $source=selection of Params + return c.RenderJSON(c.Params.Form.Get("someField")) // $ responsebody='call to Get' } func (c MyRoute) Handler9() revel.Result { // GOOD: uses Javascript content-type - return c.RenderJSONP("callback", c.Params.Form.Get("someField")) // $responsebody=call to Get $source=selection of Params + return c.RenderJSONP("callback", c.Params.Form.Get("someField")) // $ responsebody='call to Get' } func (c MyRoute) Handler10() revel.Result { // GOOD: uses text content-type - return c.RenderText(c.Params.Form.Get("someField")) // $responsebody=call to Get $source=selection of Params + return c.RenderText(c.Params.Form.Get("someField")) // $ responsebody='call to Get' } func (c 
MyRoute) Handler11() revel.Result { // GOOD: uses xml content-type - return c.RenderXML(c.Params.Form.Get("someField")) // $responsebody=call to Get $source=selection of Params + return c.RenderXML(c.Params.Form.Get("someField")) // $ responsebody='call to Get' } func (c MyRoute) Handler12() revel.Result { // BAD: open redirect - return c.Redirect(c.Params.Form.Get("someField")) // $source=selection of Params + return c.Redirect(c.Params.Form.Get("someField")) } diff --git a/ql/test/library-tests/semmle/go/frameworks/Revel/Revel.go b/ql/test/library-tests/semmle/go/frameworks/Revel/Revel.go index be4c08e6725..80e52937465 100644 --- a/ql/test/library-tests/semmle/go/frameworks/Revel/Revel.go +++ b/ql/test/library-tests/semmle/go/frameworks/Revel/Revel.go @@ -24,18 +24,18 @@ func sink(_ ...interface{}) {} func (c myAppController) accessingParamsDirectlyIsUnsafe() { sink(c.Params.Get("key")) - sink(c.Params.Values) // $source=selection of Params + sink(c.Params.Values) val4 := "" - c.Params.Bind(&val4, "key") // $source=selection of Params + c.Params.Bind(&val4, "key") sink(val4) sink(c.Request.FormValue("key")) } func (c myAppController) accessingFixedIsSafe(mainRouter *revel.Router) { - sink(c.Params.Fixed.Get("key")) // $noflow - sink(mainRouter.Route(c.Request).FixedParams[0]) // $noflow + sink(c.Params.Fixed.Get("key")) // $ noflow + sink(mainRouter.Route(c.Request).FixedParams[0]) // $ noflow } func (c myAppController) accessingRouteIsUnsafe(mainRouter *revel.Router) { @@ -64,10 +64,10 @@ func (c myAppController) accessingParamsJSONIsUnsafe() { sink(val2["name"].(string)) } -func (c myAppController) rawRead() { // $responsebody=argument corresponding to c - c.ViewArgs["Foo"] = "
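Review bot: Every `$source=selection of Params` expectation in Handler1 through Handler12 is dropped rather than rewritten in the new quoted form, so the `source` tag loses its coverage in this file; the same removal happens in the Revel.go hunk (`sink(c.Params.Values)` and `c.Params.Bind(&val4, "key")`). If a test class for tag `source` still exists in Revel/test.ql (its hunk here only touches HttpResponseBodyTest), these lines will now be reported as unexpected results; if that class was deliberately removed, that is not visible from this diff and is presumably explained elsewhere. Otherwise the expectation can be kept in the new syntax, e.g. `return c.Redirect(c.Params.Form.Get("someField")) // $ source='selection of Params'`.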

raw HTML

" // $responsebody="

raw HTML

" +func (c myAppController) rawRead() { // $ responsebody='argument corresponding to c' + c.ViewArgs["Foo"] = "

raw HTML

" // $ responsebody='"

raw HTML

"' c.ViewArgs["Bar"] = "

not raw HTML

" - c.ViewArgs["Foo"] = c.Params.Query // $responsebody=selection of Query + c.ViewArgs["Foo"] = c.Params.Query // $ responsebody='selection of Query' c.Render() } diff --git a/ql/test/library-tests/semmle/go/frameworks/Revel/examples/booking/app/controllers/hotels.go b/ql/test/library-tests/semmle/go/frameworks/Revel/examples/booking/app/controllers/hotels.go index b4752fa8fc9..d8aabc5efe3 100644 --- a/ql/test/library-tests/semmle/go/frameworks/Revel/examples/booking/app/controllers/hotels.go +++ b/ql/test/library-tests/semmle/go/frameworks/Revel/examples/booking/app/controllers/hotels.go @@ -31,6 +31,7 @@ import ( "strings" "codeql-go-tests/frameworks/Revel/examples/booking/app/models" + "github.com/revel/revel" ) @@ -104,7 +105,7 @@ func (c Hotels) ListJson(search string, size, page uint64) revel.Result { var hotels []*models.Hotel - return c.RenderJSON(map[string]interface{}{"hotels": hotels, "search": search, "size": size, "page": page, "nextPage": nextPage}) // $responsebody=map literal + return c.RenderJSON(map[string]interface{}{"hotels": hotels, "search": search, "size": size, "page": page, "nextPage": nextPage}) // $ responsebody='map literal' } func (c Hotels) List(search string, size, page uint64) revel.Result { if page == 0 { @@ -155,7 +156,7 @@ func (c Hotels) SaveSettings(password, verifyPassword string) revel.Result { } func (c Hotels) ConfirmBooking(id int, booking models.Booking) revel.Result { - hotel := c.loadHotelById(id) // $responsebody=call to loadHotelById + hotel := c.loadHotelById(id) // $ responsebody='call to loadHotelById' if hotel == nil { return c.NotFound("Hotel %d does not exist", id) } diff --git a/ql/test/library-tests/semmle/go/frameworks/Revel/examples/booking/app/init.go b/ql/test/library-tests/semmle/go/frameworks/Revel/examples/booking/app/init.go index ef5b74fa507..2f7fef73fc2 100644 --- a/ql/test/library-tests/semmle/go/frameworks/Revel/examples/booking/app/init.go 
+++ b/ql/test/library-tests/semmle/go/frameworks/Revel/examples/booking/app/init.go @@ -33,11 +33,11 @@ func init() { switch event { case revel.ENGINE_BEFORE_INITIALIZED: revel.AddHTTPMux("/this/is/a/test", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - fmt.Fprintln(w, "Hi there, it worked", r.URL.Path) // $responsebody=selection of Path $responsebody="Hi there, it worked" + fmt.Fprintln(w, "Hi there, it worked", r.URL.Path) // $ responsebody='selection of Path' responsebody='"Hi there, it worked"' w.WriteHeader(200) })) revel.AddHTTPMux("/this/is/", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - fmt.Fprintln(w, "Hi there, shorter prefix", r.URL.Path) // $responsebody=selection of Path $responsebody="Hi there, shorter prefix" + fmt.Fprintln(w, "Hi there, shorter prefix", r.URL.Path) // $ responsebody='selection of Path' responsebody='"Hi there, shorter prefix"' w.WriteHeader(200) })) } diff --git a/ql/test/library-tests/semmle/go/frameworks/Revel/test.ql b/ql/test/library-tests/semmle/go/frameworks/Revel/test.ql index b63817f371c..6ec1ec4717c 100644 --- a/ql/test/library-tests/semmle/go/frameworks/Revel/test.ql +++ b/ql/test/library-tests/semmle/go/frameworks/Revel/test.ql @@ -41,7 +41,7 @@ class HttpResponseBodyTest extends InlineExpectationsTest { exists(HTTP::ResponseBody rb | rb.hasLocationInfo(file, line, _, _, _) and element = rb.toString() and - value = rb.toString() + value = "'" + rb.toString() + "'" ) } } diff --git a/ql/test/library-tests/semmle/go/frameworks/SQL/main.go b/ql/test/library-tests/semmle/go/frameworks/SQL/main.go index 3458e337abe..f1597f3c123 100644 --- a/ql/test/library-tests/semmle/go/frameworks/SQL/main.go +++ b/ql/test/library-tests/semmle/go/frameworks/SQL/main.go 
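Review bot: The `value = "'" + rb.toString() + "'"` line in HttpResponseBodyTest wraps values in single quotes while the Yaml/tests.ql and Zap/TaintFlows.ql hunks in this commit wrap theirs in double quotes, and nothing records why. The reason is visible in the Revel test sources — response-body values are often Go string literals, so expectations read `responsebody='"Hi there, it worked"'` — and a comment such as `// Single quotes: the value is often a string literal that itself contains double quotes.` above the assignment would stop the next reader from "normalizing" it to match the other tests. Whether a `'` inside rb.toString() is handled by the expectation parser is not visible here.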
@@ -32,43 +32,43 @@ var ( ) func test(db *sql.DB, ctx context.Context) { - db.Exec(query1) // $query=query1 - db.ExecContext(ctx, query2) // $query=query2 - db.Prepare(query3) // $querystring=query3 - db.PrepareContext(ctx, query4) // $querystring=query4 - db.Query(query5) // $query=query5 - db.QueryContext(ctx, query6) // $query=query6 - db.QueryRow(query7) // $query=query7 - db.QueryRowContext(ctx, query8) // $query=query8 + db.Exec(query1) // $ query=query1 + db.ExecContext(ctx, query2) // $ query=query2 + db.Prepare(query3) // $ querystring=query3 + db.PrepareContext(ctx, query4) // $ querystring=query4 + db.Query(query5) // $ query=query5 + db.QueryContext(ctx, query6) // $ query=query6 + db.QueryRow(query7) // $ query=query7 + db.QueryRowContext(ctx, query8) // $ query=query8 } func squirrelTest(querypart string) { - squirrel.Select("*").From("users").Where(squirrel.Expr(querypart)) // $querystring=querypart - squirrel.Select("*").From("users").Suffix(querypart) // $querystring=querypart + squirrel.Select("*").From("users").Where(squirrel.Expr(querypart)) // $ querystring=querypart + squirrel.Select("*").From("users").Suffix(querypart) // $ querystring=querypart } func test2(tx *sql.Tx, query string, ctx context.Context) { - tx.Exec(query11) // $query=query11 - tx.ExecContext(ctx, query12) // $query=query12 - tx.Prepare(query13) // $querystring=query13 - tx.PrepareContext(ctx, query14) // $querystring=query14 - tx.Query(query15) // $query=query15 - tx.QueryContext(ctx, query16) // $query=query16 - tx.QueryRow(query17) // $query=query17 - tx.QueryRowContext(ctx, query18) // $query=query18 + tx.Exec(query11) // $ query=query11 + tx.ExecContext(ctx, query12) // $ query=query12 + tx.Prepare(query13) // $ querystring=query13 + tx.PrepareContext(ctx, query14) // $ querystring=query14 + tx.Query(query15) // $ query=query15 + tx.QueryContext(ctx, query16) // $ query=query16 + tx.QueryRow(query17) // $ query=query17 + tx.QueryRowContext(ctx, query18) // $ 
query=query18 } func test3(db *sql.DB, ctx context.Context) { - stmt1, _ := db.Prepare(query21) // $f+:querystring=query21 - stmt1.Exec() // $f-:query=query21 - stmt2, _ := db.PrepareContext(ctx, query22) // $f+:querystring=query22 - stmt2.ExecContext(ctx) // $f-:query=query22 - stmt3, _ := db.Prepare(query23) // $f+:querystring=query23 + stmt1, _ := db.Prepare(query21) // $ SPURIOUS: querystring=query21 + stmt1.Exec() // $ MISSING: query=query21 + stmt2, _ := db.PrepareContext(ctx, query22) // $ SPURIOUS: querystring=query22 + stmt2.ExecContext(ctx) // $ MISSING: query=query22 + stmt3, _ := db.Prepare(query23) // $ SPURIOUS: querystring=query23 runQuery(stmt3) } func runQuery(stmt *sql.Stmt) { - stmt.Exec() // $f-:query=query23 + stmt.Exec() // $ MISSING: query=query23 } func main() {} diff --git a/ql/test/library-tests/semmle/go/frameworks/SQL/pg.go b/ql/test/library-tests/semmle/go/frameworks/SQL/pg.go index ecd20c01f76..24c381b06ef 100644 --- a/ql/test/library-tests/semmle/go/frameworks/SQL/pg.go +++ b/ql/test/library-tests/semmle/go/frameworks/SQL/pg.go 
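Review bot: The SPURIOUS/MISSING pairs on the prepared-statement lines in test3 and runQuery encode a known modelling gap — the query string is flagged at `db.Prepare`/`db.PrepareContext` and not at the later `stmt.Exec`/`stmt.ExecContext` — but nothing in the file says so, and the old `$f+:`/`$f-:` markers carried no explanation either. A comment at the top of test3, e.g. `// Prepared statements: the query is currently reported at Prepare rather than at the Stmt.Exec call that runs it; see the SPURIOUS/MISSING markers below.`, would tell a reader fixing the model which expectations to flip. Presumably the markers are meant to be flipped together once `*sql.Stmt` is modelled.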
@@ -11,31 +11,31 @@ import ( ) func pgtest(query string, conn pg.Conn, db pg.DB, tx pg.Tx) { - pg.Q(query) // $querystring=query + pg.Q(query) // $ querystring=query var dst []byte - conn.FormatQuery(dst, query) // $querystring=query - conn.Prepare(query) // $querystring=query - db.FormatQuery(dst, query) // $querystring=query - db.Prepare(query) // $querystring=query - tx.FormatQuery(dst, query) // $querystring=query - tx.Prepare(query) // $querystring=query + conn.FormatQuery(dst, query) // $ querystring=query + conn.Prepare(query) // $ querystring=query + db.FormatQuery(dst, query) // $ querystring=query + db.Prepare(query) // $ querystring=query + tx.FormatQuery(dst, query) // $ querystring=query + tx.Prepare(query) // $ querystring=query } // go-pg v9 dropped support for `FormatQuery` func newpgtest(query string, conn newpg.Conn, db newpg.DB, tx newpg.Tx) { - newpg.Q(query) // $querystring=query - conn.Prepare(query) // $querystring=query - db.Prepare(query) // $querystring=query - tx.Prepare(query) // $querystring=query + newpg.Q(query) // $ querystring=query + conn.Prepare(query) // $ querystring=query + db.Prepare(query) // $ querystring=query + tx.Prepare(query) // $ querystring=query } func pgormtest(query string, q orm.Query) { - orm.Q(query) // $querystring=query - q.ColumnExpr(query) // $querystring=query - q.For(query) // $querystring=query + orm.Q(query) // $ querystring=query + q.ColumnExpr(query) // $ querystring=query + q.For(query) // $ querystring=query var b []byte - q.FormatQuery(b, query) // $querystring=query - q.Having(query) // $querystring=query - q.Where(query) // $querystring=query - q.WhereInMulti(query) // $querystring=query - q.WhereOr(query) // $querystring=query + q.FormatQuery(b, query) // $ querystring=query + q.Having(query) // $ querystring=query + q.Where(query) // $ querystring=query + q.WhereInMulti(query) // $ querystring=query + q.WhereOr(query) // $ querystring=query } 
diff --git a/ql/test/library-tests/semmle/go/frameworks/SQL/xorm.go b/ql/test/library-tests/semmle/go/frameworks/SQL/xorm.go index 3aa8857a61b..6b4dbb116ee 100644 --- a/ql/test/library-tests/semmle/go/frameworks/SQL/xorm.go +++ b/ql/test/library-tests/semmle/go/frameworks/SQL/xorm.go 
@@ -12,66 +12,66 @@ func xormtest() { query := "UntrustedString" engine1 := xorm1.Engine{} - engine1.Query(query) // $querystring=query - engine1.QueryString(query) // $querystring=query - engine1.QueryInterface(query) // $querystring=query - engine1.SQL(query) // $querystring=query - engine1.Where(query) // $querystring=query - engine1.Alias(query) // $querystring=query - engine1.NotIn(query) // $querystring=query - engine1.In(query) // $querystring=query - engine1.Select(query) // $querystring=query - engine1.SetExpr(query, nil) // $querystring=query - engine1.OrderBy(query) // $querystring=query - engine1.Having(query) // $querystring=query - engine1.GroupBy(query) // $querystring=query + engine1.Query(query) // $ querystring=query + engine1.QueryString(query) // $ querystring=query + engine1.QueryInterface(query) // $ querystring=query + engine1.SQL(query) // $ querystring=query + engine1.Where(query) // $ querystring=query + engine1.Alias(query) // $ querystring=query + engine1.NotIn(query) // $ querystring=query + engine1.In(query) // $ querystring=query + engine1.Select(query) // $ querystring=query + engine1.SetExpr(query, nil) // $ querystring=query + engine1.OrderBy(query) // $ querystring=query + engine1.Having(query) // $ querystring=query + engine1.GroupBy(query) // $ querystring=query engine2 := xorm2.Engine{} - engine2.Query(query) // $querystring=query - engine2.QueryString(query) // $querystring=query - engine2.QueryInterface(query) // $querystring=query - engine2.SQL(query) // $querystring=query - engine2.Where(query) // $querystring=query - engine2.Alias(query) // $querystring=query - engine2.NotIn(query) // $querystring=query - engine2.In(query) // $querystring=query - engine2.Select(query) // $querystring=query - engine2.SetExpr(query, nil) // $querystring=query - engine2.OrderBy(query) // $querystring=query - engine2.Having(query) // $querystring=query - engine2.GroupBy(query) // $querystring=query + engine2.Query(query) // $ querystring=query 
+ engine2.QueryString(query) // $ querystring=query + engine2.QueryInterface(query) // $ querystring=query + engine2.SQL(query) // $ querystring=query + engine2.Where(query) // $ querystring=query + engine2.Alias(query) // $ querystring=query + engine2.NotIn(query) // $ querystring=query + engine2.In(query) // $ querystring=query + engine2.Select(query) // $ querystring=query + engine2.SetExpr(query, nil) // $ querystring=query + engine2.OrderBy(query) // $ querystring=query + engine2.Having(query) // $ querystring=query + engine2.GroupBy(query) // $ querystring=query session1 := xorm1.Session{} - session1.Query(query) // $querystring=query - session1.QueryString(query) // $querystring=query - session1.QueryInterface(query) // $querystring=query - session1.SQL(query) // $querystring=query - session1.Where(query) // $querystring=query - session1.Alias(query) // $querystring=query - session1.NotIn(query) // $querystring=query - session1.In(query) // $querystring=query - session1.Select(query) // $querystring=query - session1.SetExpr(query, nil) // $querystring=query - session1.OrderBy(query) // $querystring=query - session1.Having(query) // $querystring=query - session1.GroupBy(query) // $querystring=query - session1.And(query) // $querystring=query - session1.Or(query) // $querystring=query + session1.Query(query) // $ querystring=query + session1.QueryString(query) // $ querystring=query + session1.QueryInterface(query) // $ querystring=query + session1.SQL(query) // $ querystring=query + session1.Where(query) // $ querystring=query + session1.Alias(query) // $ querystring=query + session1.NotIn(query) // $ querystring=query + session1.In(query) // $ querystring=query + session1.Select(query) // $ querystring=query + session1.SetExpr(query, nil) // $ querystring=query + session1.OrderBy(query) // $ querystring=query + session1.Having(query) // $ querystring=query + session1.GroupBy(query) // $ querystring=query + session1.And(query) // $ querystring=query + 
session1.Or(query) // $ querystring=query session2 := xorm2.Session{} - session2.Query(query) // $querystring=query - session2.QueryString(query) // $querystring=query - session2.QueryInterface(query) // $querystring=query - session2.SQL(query) // $querystring=query - session2.Where(query) // $querystring=query - session2.Alias(query) // $querystring=query - session2.NotIn(query) // $querystring=query - session2.In(query) // $querystring=query - session2.Select(query) // $querystring=query - session2.SetExpr(query, nil) // $querystring=query - session2.OrderBy(query) // $querystring=query - session2.Having(query) // $querystring=query - session2.GroupBy(query) // $querystring=query - session2.And(query) // $querystring=query - session2.Or(query) // $querystring=query + session2.Query(query) // $ querystring=query + session2.QueryString(query) // $ querystring=query + session2.QueryInterface(query) // $ querystring=query + session2.SQL(query) // $ querystring=query + session2.Where(query) // $ querystring=query + session2.Alias(query) // $ querystring=query + session2.NotIn(query) // $ querystring=query + session2.In(query) // $ querystring=query + session2.Select(query) // $ querystring=query + session2.SetExpr(query, nil) // $ querystring=query + session2.OrderBy(query) // $ querystring=query + session2.Having(query) // $ querystring=query + session2.GroupBy(query) // $ querystring=query + session2.And(query) // $ querystring=query + session2.Or(query) // $ querystring=query } diff --git a/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Os.go b/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Os.go index a930c2d435f..b27c5d1f47c 100644 --- a/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Os.go +++ b/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Os.go 
@@ -22,7 +22,7 @@ func TaintStepTest_OsExpandEnv_B0I0O0(sourceCQL interface{}) interface{} { func TaintStepTest_OsNewFile_B0I0O0(sourceCQL interface{}) interface{} { fromUintptr784 := sourceCQL.(uintptr) - intoFile957 := os.NewFile(fromUintptr784, "") // $fsaccess="" + intoFile957 := os.NewFile(fromUintptr784, "") // $ fsaccess="" return intoFile957 } 
@@ -154,30 +154,30 @@ func RunAllTaints_Os() { func fsAccesses() { var path, path1, part string var time time.Time - os.Chdir(path) // $fsaccess=path - os.Chmod(path, 0600) // $fsaccess=path - os.Chown(path, 1000, 1000) // $fsaccess=path - os.Chtimes(path, time, time) // $fsaccess=path - os.Create(path) // $fsaccess=path - os.Lchown(path, 1000, 1000) // $fsaccess=path - os.Link(path, path1) // $fsaccess=path $fsaccess=path1 - os.Lstat(path) // $fsaccess=path - os.Mkdir(path, 0600) // $fsaccess=path - os.MkdirAll(path, 0600) // $fsaccess=path - os.NewFile(124, path) // $fsaccess=path - os.Open(path) // $fsaccess=path - os.OpenFile(path, os.O_RDONLY, 0600) // $fsaccess=path - os.Readlink(path) // $fsaccess=path - os.Remove(path) // $fsaccess=path - os.RemoveAll(path) // $fsaccess=path - os.Rename(path, path1) // $fsaccess=path $fsaccess=path1 - os.Stat(path) // $fsaccess=path - os.Symlink(path, path1) // $fsaccess=path $fsaccess=path1 - os.Truncate(path, 1000) // $fsaccess=path - os.DirFS(path) // $fsaccess=path - os.ReadDir(path) // $fsaccess=path - os.ReadFile(path) // $fsaccess=path - os.MkdirTemp(path, part) // $fsaccess=path $fsaccess=part - os.CreateTemp(path, part) // $fsaccess=path $fsaccess=part - os.WriteFile(path, []byte{}, 0600) // $fsaccess=path + os.Chdir(path) // $ fsaccess=path + os.Chmod(path, 0600) // $ fsaccess=path + os.Chown(path, 1000, 1000) // $ fsaccess=path + os.Chtimes(path, time, time) // $ fsaccess=path + os.Create(path) // $ fsaccess=path + os.Lchown(path, 1000, 1000) // $ fsaccess=path + os.Link(path, path1) // $ fsaccess=path fsaccess=path1 + os.Lstat(path) // $ fsaccess=path + os.Mkdir(path, 0600) // $ fsaccess=path + os.MkdirAll(path, 0600) // $ fsaccess=path + os.NewFile(124, path) // $ fsaccess=path + os.Open(path) // $ fsaccess=path + os.OpenFile(path, os.O_RDONLY, 0600) // $ fsaccess=path + os.Readlink(path) // $ fsaccess=path + os.Remove(path) // $ fsaccess=path + os.RemoveAll(path) // $ fsaccess=path + os.Rename(path, path1) // 
$ fsaccess=path fsaccess=path1 + os.Stat(path) // $ fsaccess=path + os.Symlink(path, path1) // $ fsaccess=path fsaccess=path1 + os.Truncate(path, 1000) // $ fsaccess=path + os.DirFS(path) // $ fsaccess=path + os.ReadDir(path) // $ fsaccess=path + os.ReadFile(path) // $ fsaccess=path + os.MkdirTemp(path, part) // $ fsaccess=path fsaccess=part + os.CreateTemp(path, part) // $ fsaccess=path fsaccess=part + os.WriteFile(path, []byte{}, 0600) // $ fsaccess=path } diff --git a/ql/test/library-tests/semmle/go/frameworks/Yaml/tests.ql b/ql/test/library-tests/semmle/go/frameworks/Yaml/tests.ql index 9c76068a9a0..5aa7aeac95f 100644 --- a/ql/test/library-tests/semmle/go/frameworks/Yaml/tests.ql +++ b/ql/test/library-tests/semmle/go/frameworks/Yaml/tests.ql @@ -11,7 +11,7 @@ class TaintFunctionModelTest extends InlineExpectationsTest { exists(TaintTracking::FunctionModel model, DataFlow::CallNode call | call = model.getACall() | call.hasLocationInfo(file, line, _, _, _) and element = call.toString() and - value = model.getAnInputNode(call) + " -> " + model.getAnOutputNode(call) + value = "\"" + model.getAnInputNode(call) + " -> " + model.getAnOutputNode(call) + "\"" ) } } @@ -27,7 +27,8 @@ class MarshalerTest extends InlineExpectationsTest { call.hasLocationInfo(file, line, _, _, _) and element = call.toString() and value = - m.getFormat() + ": " + m.getAnInput().getNode(call) + " -> " + m.getOutput().getNode(call) + "\"" + m.getFormat() + ": " + m.getAnInput().getNode(call) + " -> " + + m.getOutput().getNode(call) + "\"" ) } } @@ -43,7 +44,8 @@ class UnmarshalerTest extends InlineExpectationsTest { call.hasLocationInfo(file, line, _, _, _) and element = call.toString() and value = - m.getFormat() + ": " + m.getAnInput().getNode(call) + " -> " + m.getOutput().getNode(call) + "\"" + m.getFormat() + ": " + m.getAnInput().getNode(call) + " -> " + + m.getOutput().getNode(call) + "\"" ) } } 
diff --git a/ql/test/library-tests/semmle/go/frameworks/Yaml/yaml.go b/ql/test/library-tests/semmle/go/frameworks/Yaml/yaml.go index d2796eb9997..9861acf33e6 100644 --- a/ql/test/library-tests/semmle/go/frameworks/Yaml/yaml.go +++ b/ql/test/library-tests/semmle/go/frameworks/Yaml/yaml.go 
@@ -1,41 +1,42 @@ package main import ( + "io" + yaml1 "gopkg.in/yaml.v1" yaml2 "gopkg.in/yaml.v2" yaml3 "gopkg.in/yaml.v3" - "io" ) func main() { var in, out interface{} var inb []byte - out, _ = yaml1.Marshal(in) // $marshaler=yaml: in -> ... = ...[0] $ttfnmodelstep=in -> ... = ...[0] - yaml1.Unmarshal(inb, out) // $unmarshaler=yaml: inb -> definition of out $ttfnmodelstep=inb -> definition of out + out, _ = yaml1.Marshal(in) // $ marshaler="yaml: in -> ... = ...[0]" ttfnmodelstep="in -> ... = ...[0]" + yaml1.Unmarshal(inb, out) // $ unmarshaler="yaml: inb -> definition of out" ttfnmodelstep="inb -> definition of out" - out, _ = yaml2.Marshal(in) // $marshaler=yaml: in -> ... = ...[0] $ttfnmodelstep=in -> ... = ...[0] - yaml2.Unmarshal(inb, out) // $unmarshaler=yaml: inb -> definition of out $ttfnmodelstep=inb -> definition of out - yaml2.UnmarshalStrict(inb, out) // $unmarshaler=yaml: inb -> definition of out $ttfnmodelstep=inb -> definition of out + out, _ = yaml2.Marshal(in) // $ marshaler="yaml: in -> ... = ...[0]" ttfnmodelstep="in -> ... = ...[0]" + yaml2.Unmarshal(inb, out) // $ unmarshaler="yaml: inb -> definition of out" ttfnmodelstep="inb -> definition of out" + yaml2.UnmarshalStrict(inb, out) // $ unmarshaler="yaml: inb -> definition of out" ttfnmodelstep="inb -> definition of out" var r io.Reader - d := yaml2.NewDecoder(r) // $ttfnmodelstep=r -> call to NewDecoder - d.Decode(out) // $ttfnmodelstep=d -> definition of out + d := yaml2.NewDecoder(r) // $ ttfnmodelstep="r -> call to NewDecoder" + d.Decode(out) // $ ttfnmodelstep="d -> definition of out" var w io.Writer - e := yaml2.NewEncoder(w) // $ttfnmodelstep=definition of e -> definition of w - e.Encode(in) // $ttfnmodelstep=in -> definition of e + e := yaml2.NewEncoder(w) // $ ttfnmodelstep="definition of e -> definition of w" + e.Encode(in) // $ ttfnmodelstep="in -> definition of e" - out, _ = yaml3.Marshal(in) // $marshaler=yaml: in -> ... = ...[0] $ttfnmodelstep=in -> ... 
= ...[0] - yaml3.Unmarshal(inb, out) // $unmarshaler=yaml: inb -> definition of out $ttfnmodelstep=inb -> definition of out + out, _ = yaml3.Marshal(in) // $ marshaler="yaml: in -> ... = ...[0]" ttfnmodelstep="in -> ... = ...[0]" + yaml3.Unmarshal(inb, out) // $ unmarshaler="yaml: inb -> definition of out" ttfnmodelstep="inb -> definition of out" - d1 := yaml3.NewDecoder(r) // $ttfnmodelstep=r -> call to NewDecoder - d1.Decode(out) // $ttfnmodelstep=d1 -> definition of out + d1 := yaml3.NewDecoder(r) // $ ttfnmodelstep="r -> call to NewDecoder" + d1.Decode(out) // $ ttfnmodelstep="d1 -> definition of out" - e1 := yaml3.NewEncoder(w) // $ttfnmodelstep=definition of e1 -> definition of w - e1.Encode(in) // $ttfnmodelstep=in -> definition of e1 + e1 := yaml3.NewEncoder(w) // $ ttfnmodelstep="definition of e1 -> definition of w" + e1.Encode(in) // $ ttfnmodelstep="in -> definition of e1" var n1 yaml3.Node - n1.Decode(out) // $ttfnmodelstep=n1 -> definition of out - n1.Encode(in) // $ttfnmodelstep=in -> definition of n1 + n1.Decode(out) // $ ttfnmodelstep="n1 -> definition of out" + n1.Encode(in) // $ ttfnmodelstep="in -> definition of n1" } diff --git a/ql/test/library-tests/semmle/go/frameworks/Zap/TaintFlows.ql b/ql/test/library-tests/semmle/go/frameworks/Zap/TaintFlows.ql index a423807e2e7..390ef7a60de 100644 --- a/ql/test/library-tests/semmle/go/frameworks/Zap/TaintFlows.ql +++ b/ql/test/library-tests/semmle/go/frameworks/Zap/TaintFlows.ql @@ -22,7 +22,7 @@ class ZapTest extends InlineExpectationsTest { tag = "zap" and exists(DataFlow::Node sink | any(TestConfig c).hasFlow(_, sink) | element = sink.toString() and - value = sink.toString() and + value = "\"" + sink.toString() + "\"" and sink.hasLocationInfo(file, line, _, _, _) ) } diff --git a/ql/test/library-tests/semmle/go/frameworks/Zap/test.go b/ql/test/library-tests/semmle/go/frameworks/Zap/test.go index 249038fb1b9..d39dfbedb2b 100644 --- a/ql/test/library-tests/semmle/go/frameworks/Zap/test.go 
+++ b/ql/test/library-tests/semmle/go/frameworks/Zap/test.go 
@@ -18,72 +18,72 @@ func getUntrustedString() string { func testZapLoggerDPanic() { logger, _ := zap.NewProduction() - logger.DPanic(getUntrustedString()) // $zap=call to getUntrustedString + logger.DPanic(getUntrustedString()) // $ zap="call to getUntrustedString" } func testZapLoggerFatal() { logger := zap.NewExample() - logger.Fatal("msg", zap.String(getUntrustedString(), "value")) // $zap=call to String + logger.Fatal("msg", zap.String(getUntrustedString(), "value")) // $ zap="call to String" } func testZapLoggerPanic() { logger, _ := zap.NewDevelopment() - logger.Panic("msg", zap.Any("key", getUntrustedData())) // $zap=call to Any + logger.Panic("msg", zap.Any("key", getUntrustedData())) // $ zap="call to Any" } func testZapLoggerDebug(core zapcore.Core, byteArray []byte) { logger := zap.New(core) - logger.Debug(getUntrustedString()) // $zap=call to getUntrustedString - logger.Debug("msg", zap.Binary(getUntrustedString(), byteArray)) // $zap=call to Binary - logger.Debug("msg", zap.ByteString("key", getUntrustedData().([]byte))) // $zap=call to ByteString + logger.Debug(getUntrustedString()) // $ zap="call to getUntrustedString" + logger.Debug("msg", zap.Binary(getUntrustedString(), byteArray)) // $ zap="call to Binary" + logger.Debug("msg", zap.ByteString("key", getUntrustedData().([]byte))) // $ zap="call to ByteString" } func testZapLoggerError(bss [][]byte) { logger := zap.L() - logger.Error(getUntrustedString()) // $zap=call to getUntrustedString - logger.Error("msg", zap.ByteStrings(getUntrustedString(), bss)) // $zap=call to ByteStrings - logger.Error("msg", zap.Error(getUntrustedData().(error))) // $zap=call to Error + logger.Error(getUntrustedString()) // $ zap="call to getUntrustedString" + logger.Error("msg", zap.ByteStrings(getUntrustedString(), bss)) // $ zap="call to ByteStrings" + logger.Error("msg", zap.Error(getUntrustedData().(error))) // $ zap="call to Error" } func testZapLoggerInfo(logger *zap.Logger, errs []error) { - 
logger.Info(getUntrustedString()) // $zap=call to getUntrustedString - logger.Info("msg", zap.Errors(getUntrustedString(), errs)) // $zap=call to Errors - logger.Info("msg", zap.NamedError("key", getUntrustedData().(error))) // $zap=call to NamedError + logger.Info(getUntrustedString()) // $ zap="call to getUntrustedString" + logger.Info("msg", zap.Errors(getUntrustedString(), errs)) // $ zap="call to Errors" + logger.Info("msg", zap.NamedError("key", getUntrustedData().(error))) // $ zap="call to NamedError" } func testZapLoggerWarn(logger *zap.Logger) { - logger.Warn(getUntrustedString()) // $zap=call to getUntrustedString - logger.Warn("msg", zap.Reflect(getUntrustedString(), nil)) // $zap=call to Reflect - logger.Warn("msg", zap.Stringp("key", getUntrustedData().(*string))) // $zap=call to Stringp - logger.Warn("msg", zap.Strings("key", getUntrustedData().([]string))) // $zap=call to Strings + logger.Warn(getUntrustedString()) // $ zap="call to getUntrustedString" + logger.Warn("msg", zap.Reflect(getUntrustedString(), nil)) // $ zap="call to Reflect" + logger.Warn("msg", zap.Stringp("key", getUntrustedData().(*string))) // $ zap="call to Stringp" + logger.Warn("msg", zap.Strings("key", getUntrustedData().([]string))) // $ zap="call to Strings" } func testZapLoggerNop() { // We do not currently recognise that a logger made using NewNop() does not actually do any logging logger := zap.NewNop() - logger.Debug(getUntrustedString()) // $f+:zap=call to getUntrustedString + logger.Debug(getUntrustedString()) // $ SPURIOUS: zap="call to getUntrustedString" } func testLoggerNamed(logger *zap.Logger) { - namedLogger := logger.Named(getUntrustedString()) // $zap=call to getUntrustedString + namedLogger := logger.Named(getUntrustedString()) // $ zap="call to getUntrustedString" namedLogger.Info("hello world") } func testLoggerWith(logger *zap.Logger) *zap.Logger { - logger1 := logger.With(zap.Any(getUntrustedString(), nil)) // $zap=call to Any + logger1 := 
logger.With(zap.Any(getUntrustedString(), nil)) // $ zap="call to Any" logger1.Info("hello world") - logger2 := logger.With(zap.String("key", getUntrustedString())) // $zap=call to String + logger2 := logger.With(zap.String("key", getUntrustedString())) // $ zap="call to String" logger2.Info("hello world") - logger3 := logger.With(zap.String("key", getUntrustedString())) // $f+:zap=call to String + logger3 := logger.With(zap.String("key", getUntrustedString())) // $ SPURIOUS: zap="call to String" return logger3 } func getLoggerWithUntrustedField() *zap.Logger { - return zap.NewExample().With(zap.NamedError("key", getUntrustedData().(error))) // $zap=call to NamedError + return zap.NewExample().With(zap.NamedError("key", getUntrustedData().(error))) // $ zap="call to NamedError" } func getLoggerWithUntrustedFieldUnused() *zap.Logger { - return zap.NewExample().With(zap.NamedError("key", getUntrustedData().(error))) // $f+:zap=call to NamedError + return zap.NewExample().With(zap.NamedError("key", getUntrustedData().(error))) // $ SPURIOUS: zap="call to NamedError" } func testLoggerWithAcrossFunctionBoundary() { 
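Review bot: `getLoggerWithUntrustedField` and `getLoggerWithUntrustedFieldUnused` have byte-identical bodies, yet one expectation is plain and the other is `SPURIOUS`, and nothing in the hunk explains the difference; presumably it depends on whether a caller outside this hunk logs with the returned logger (`testLoggerWithAcrossFunctionBoundary` starts on the hunk's last line and continues beyond it). A comment on the Unused variant such as `// SPURIOUS: the returned logger is never used to log, so the field never reaches a sink` would make the intent explicit. The same applies to `logger3` in testLoggerWith, which is returned rather than logged.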
@@ -91,91 +91,91 @@ func testLoggerWithAcrossFunctionBoundary() { } func testLoggerWithOptions(logger *zap.Logger) *zap.Logger { - logger1 := logger.WithOptions(zap.Fields(zap.Any(getUntrustedString(), nil))) // $zap=call to Fields + logger1 := logger.WithOptions(zap.Fields(zap.Any(getUntrustedString(), nil))) // $ zap="call to Fields" logger1.Info("hello world") - logger2 := logger.WithOptions(zap.Fields(zap.String("key", getUntrustedString()))) // $zap=call to Fields + logger2 := logger.WithOptions(zap.Fields(zap.String("key", getUntrustedString()))) // $ zap="call to Fields" logger2.Info("hello world") - logger3 := logger.WithOptions(zap.Fields(zap.String("key", getUntrustedString()))) // $f+:zap=call to Fields + logger3 := logger.WithOptions(zap.Fields(zap.String("key", getUntrustedString()))) // $ SPURIOUS: zap="call to Fields" return logger3 } func testZapSugaredLoggerDPanic(sugaredLogger *zap.SugaredLogger) { - sugaredLogger.DPanic(getUntrustedData()) // $zap=call to getUntrustedData + sugaredLogger.DPanic(getUntrustedData()) // $ zap="call to getUntrustedData" } func testZapSugaredLoggerDPanicf(sugaredLogger *zap.SugaredLogger) { - sugaredLogger.DPanicf(getUntrustedString()) // $zap=call to getUntrustedString + sugaredLogger.DPanicf(getUntrustedString()) // $ zap="call to getUntrustedString" } func testZapSugaredLoggerDPanicw(sugaredLogger *zap.SugaredLogger) { - sugaredLogger.DPanicw(getUntrustedString()) // $zap=call to getUntrustedString + sugaredLogger.DPanicw(getUntrustedString()) // $ zap="call to getUntrustedString" } func testZapSugaredLoggerFatal(sugaredLogger *zap.SugaredLogger) { - sugaredLogger.Fatal(getUntrustedData()) // $zap=call to getUntrustedData + sugaredLogger.Fatal(getUntrustedData()) // $ zap="call to getUntrustedData" } func testZapSugaredLoggerFatalf(sugaredLogger *zap.SugaredLogger) { - sugaredLogger.Fatalf(getUntrustedString()) // $zap=call to getUntrustedString + sugaredLogger.Fatalf(getUntrustedString()) // $ zap="call to 
getUntrustedString" } func testZapSugaredLoggerFatalw(sugaredLogger *zap.SugaredLogger) { - sugaredLogger.Fatalw(getUntrustedString()) // $zap=call to getUntrustedString + sugaredLogger.Fatalw(getUntrustedString()) // $ zap="call to getUntrustedString" } func testZapSugaredLoggerPanic(sugaredLogger *zap.SugaredLogger) { - sugaredLogger.Panic(getUntrustedData()) // $zap=call to getUntrustedData + sugaredLogger.Panic(getUntrustedData()) // $ zap="call to getUntrustedData" } func testZapSugaredLoggerPanicf(sugaredLogger *zap.SugaredLogger) { - sugaredLogger.Panicf(getUntrustedString()) // $zap=call to getUntrustedString + sugaredLogger.Panicf(getUntrustedString()) // $ zap="call to getUntrustedString" } func testZapSugaredLoggerPanicw(sugaredLogger *zap.SugaredLogger) { - sugaredLogger.Panicw(getUntrustedString()) // $zap=call to getUntrustedString + sugaredLogger.Panicw(getUntrustedString()) // $ zap="call to getUntrustedString" } func testZapSugaredLoggerDebug() { sugaredLogger := zap.S() - sugaredLogger.Debug(getUntrustedData()) // $zap=call to getUntrustedData - sugaredLogger.Debugf("msg", getUntrustedData()) // $zap=call to getUntrustedData - sugaredLogger.Debugw("msg", "key", getUntrustedData()) // $zap=call to getUntrustedData + sugaredLogger.Debug(getUntrustedData()) // $ zap="call to getUntrustedData" + sugaredLogger.Debugf("msg", getUntrustedData()) // $ zap="call to getUntrustedData" + sugaredLogger.Debugw("msg", "key", getUntrustedData()) // $ zap="call to getUntrustedData" } func testZapSugaredLoggerError() { logger, _ := zap.NewProduction() sugaredLogger := logger.Sugar() - sugaredLogger.Error(getUntrustedData()) // $zap=call to getUntrustedData - sugaredLogger.Errorf("msg", getUntrustedData()) // $zap=call to getUntrustedData - sugaredLogger.Errorw("msg", "key", getUntrustedData()) // $zap=call to getUntrustedData + sugaredLogger.Error(getUntrustedData()) // $ zap="call to getUntrustedData" + sugaredLogger.Errorf("msg", getUntrustedData()) // $ 
zap="call to getUntrustedData" + sugaredLogger.Errorw("msg", "key", getUntrustedData()) // $ zap="call to getUntrustedData" } func testZapSugaredLoggerInfo() { logger := zap.NewExample() sugaredLogger := logger.Sugar() - sugaredLogger.Info(getUntrustedData()) // $zap=call to getUntrustedData - sugaredLogger.Infof("msg", getUntrustedData()) // $zap=call to getUntrustedData - sugaredLogger.Infow("msg", "key", getUntrustedData()) // $zap=call to getUntrustedData + sugaredLogger.Info(getUntrustedData()) // $ zap="call to getUntrustedData" + sugaredLogger.Infof("msg", getUntrustedData()) // $ zap="call to getUntrustedData" + sugaredLogger.Infow("msg", "key", getUntrustedData()) // $ zap="call to getUntrustedData" } func testZapSugaredLoggerWarn() { logger, _ := zap.NewDevelopment() sugaredLogger := logger.Sugar() - sugaredLogger.Warn(getUntrustedData()) // $zap=call to getUntrustedData - sugaredLogger.Warnf("msg", getUntrustedData()) // $zap=call to getUntrustedData - sugaredLogger.Warnw("msg", "key", getUntrustedData()) // $zap=call to getUntrustedData + sugaredLogger.Warn(getUntrustedData()) // $ zap="call to getUntrustedData" + sugaredLogger.Warnf("msg", getUntrustedData()) // $ zap="call to getUntrustedData" + sugaredLogger.Warnw("msg", "key", getUntrustedData()) // $ zap="call to getUntrustedData" } func testZapSugaredLoggerNamed() { logger := zap.L() sugaredLogger := logger.Sugar() - sugaredLogger.Named(getUntrustedString()) // $zap=call to getUntrustedString + sugaredLogger.Named(getUntrustedString()) // $ zap="call to getUntrustedString" sugaredLogger.Info("msg") } func testZapSugaredLoggerWith() { logger := zap.L() sugaredLogger := logger.Sugar() - sugaredLogger.With("key", getUntrustedData()) // $zap=call to getUntrustedData + sugaredLogger.With("key", getUntrustedData()) // $ zap="call to getUntrustedData" sugaredLogger.Info("msg") }
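Review bot: The `$ SPURIOUS: zap="call to Fields"` expectation on the `logger3` line of `testLoggerWithOptions` carries no explanation, even though that line is byte-identical to the `logger2` line directly above it, which is expected as a genuine result; a reader cannot tell from the hunk why one is a true sink and the other a known false positive. The `testZapLoggerNop` case in the earlier hunk sets the precedent with its "We do not currently recognise ..." comment, and the `logger3` line in `testLoggerWith` and the `getLoggerWithUntrustedFieldUnused` expectation have the same gap. Presumably the distinction is that `logger3` is only returned to the caller rather than used to log in this function, but that is not visible here, so the line should say what is actually being tolerated, e.g. `// SPURIOUS: logger3 is returned rather than logged with here; the model does not yet tell this apart from logger2 (TODO confirm against testLoggerWithAcrossFunctionBoundary)`. A short note of that form on each SPURIOUS line keeps the expected false positives from silently becoming accepted behaviour when the model is later refined.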