From a9165ce4a64195996722a5b79f4470f9eec43f80 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Mon, 18 Oct 2021 13:36:10 +0100 Subject: [PATCH 1/9] Sync InlineExpectationsTest.qll --- .../TestUtilities/InlineExpectationsTest.qll | 176 +++++++++++------- 1 file changed, 113 insertions(+), 63 deletions(-) diff --git a/ql/test/TestUtilities/InlineExpectationsTest.qll b/ql/test/TestUtilities/InlineExpectationsTest.qll index db70bc81ede..21d9889ba6d 100644 --- a/ql/test/TestUtilities/InlineExpectationsTest.qll +++ b/ql/test/TestUtilities/InlineExpectationsTest.qll @@ -1,6 +1,7 @@ /** * Provides a library for writing QL tests whose success or failure is based on expected results - * embedded in the test source code as comments, rather than a `.expected` file. + * embedded in the test source code as comments, rather than the contents of an `.expected` file + * (in that the `.expected` file should always be empty). * * To add this framework to a new language: * - Add a file `InlineExpectationsTestPrivate.qll` that defines a `ExpectationComment` class. This class 
@@ -43,15 +44,15 @@ * There is no need to write a `select` clause or query predicate. All of the differences between * expected results and actual results will be reported in the `failures()` query predicate. * - * To annotate the test source code with an expected result, place a comment on the + * To annotate the test source code with an expected result, place a comment starting with a `$` on the * same line as the expected result, with text of the following format as the body of the comment: * - * `$tag=expected-value` + * `tag=expected-value` * * Where `tag` is the value of the `tag` parameter from `hasActualResult()`, and `expected-value` is * the value of the `value` parameter from `hasActualResult()`. The `=expected-value` portion may be * omitted, in which case `expected-value` is treated as the empty string. Multiple expectations may - * be placed in the same comment, as long as each is prefixed by a `$`. Any actual result that + * be placed in the same comment. Any actual result that * appears on a line that does not contain a matching expected result comment will be reported with * a message of the form "Unexpected result: tag=value". Any expected result comment for which there * is no matching actual result will be reported with a message of the form 
@@ -59,31 +60,34 @@ * * Example: * ```cpp - * int i = x + 5; // $const=5 - * int j = y + (7 - 3) // $const=7 $const=3 $const=4 // The result of the subtraction is a constant. + * int i = x + 5; // $ const=5 + * int j = y + (7 - 3) // $ const=7 const=3 const=4 // The result of the subtraction is a constant. * ``` * - * For tests that contain known false positives and false negatives, it is possible to further - * annotate that a particular expected result is known to be a false positive, or that a particular - * missing result is known to be a false negative: + * For tests that contain known missing and spurious results, it is possible to further + * annotate that a particular expected result is known to be spurious, or that a particular + * missing result is known to be missing: * - * `$f+:tag=expected-value` // False positive - * `$f-:tag=expected-value` // False negative + * `$ SPURIOUS: tag=expected-value` // Spurious result + * `$ MISSING: tag=expected-value` // Missing result * - * A false positive expectation is treated as any other expected result, except that if there is no - * matching actual result, the message will be of the form "Fixed false positive: tag=value". A - * false negative expectation is treated as if there were no expected result, except that if a + * A spurious expectation is treated as any other expected result, except that if there is no + * matching actual result, the message will be of the form "Fixed spurious result: tag=value". A + * missing expectation is treated as if there were no expected result, except that if a * matching expected result is found, the message will be of the form - * "Fixed false negative: tag=value". + * "Fixed missing result: tag=value". + * + * A single line can contain all the expected, spurious and missing results of that line. For instance: + * `$ tag1=value1 SPURIOUS: tag2=value2 MISSING: tag3=value3`. 
* * If the same result value is expected for two or more tags on the same line, there is a shorthand * notation available: * - * `$tag1,tag2=expected-value` + * `tag1,tag2=expected-value` * * is equivalent to: * - * `$tag1=expected-value $tag2=expected-value` + * `tag1=expected-value tag2=expected-value` */ private import InlineExpectationsTestPrivate @@ -117,7 +121,7 @@ abstract class InlineExpectationsTest extends string { * - `value` - The value of the result, which will be matched against the value associated with * `tag` in any expected result comment on that line. */ - abstract predicate hasActualResult(string file, int line, string element, string tag, string value); + abstract predicate hasActualResult(Location location, string element, string tag, string value); final predicate hasFailureMessage(FailureLocatable element, string message) { exists(ActualResult actualResult | @@ -126,7 +130,7 @@ abstract class InlineExpectationsTest extends string { ( exists(FalseNegativeExpectation falseNegative | falseNegative.matchesActualResult(actualResult) and - message = "Fixed false negative:" + falseNegative.getExpectationText() + message = "Fixed missing result:" + falseNegative.getExpectationText() ) or not exists(ValidExpectation expectation | expectation.matchesActualResult(actualResult)) and @@ -143,7 +147,7 @@ abstract class InlineExpectationsTest extends string { message = "Missing result:" + expectation.getExpectationText() or expectation instanceof FalsePositiveExpectation and - message = "Fixed false positive:" + expectation.getExpectationText() + message = "Fixed spurious result:" + expectation.getExpectationText() ) ) or 
@@ -160,54 +164,105 @@ abstract class InlineExpectationsTest extends string { * is treated as part of the expected results, except that the comment may contain a `//` sequence * to treat the remainder of the line as a regular (non-interpreted) comment. */ -private string expectationCommentPattern() { result = "\\s*(\\$(?:[^/]|/[^/])*)(?://.*)?" } +private string expectationCommentPattern() { result = "\\s*\\$((?:[^/]|/[^/])*)(?://.*)?" } /** - * RegEx pattern to match a single expected result, not including the leading `$`. It starts with an - * optional `f+:` or `f-:`, followed by one or more comma-separated tags containing only letters, - * `-`, and `_`, optionally followed by `=` and the expected value. + * The possible columns in an expectation comment. The `TDefaultColumn` branch represents the first + * column in a comment. This column is not precedeeded by a name. `TNamedColumn(name)` represents a + * column containing expected results preceeded by the string `name:`. */ -private string expectationPattern() { - result = "(?:(f(?:\\+|-)):)?((?:[A-Za-z-_]+)(?:\\s*,\\s*[A-Za-z-_]+)*)(?:=(.*))?" 
+private newtype TColumn = + TDefaultColumn() or + TNamedColumn(string name) { name = ["MISSING", "SPURIOUS"] } + +bindingset[start, content] +private int getEndOfColumnPosition(int start, string content) { + result = + min(string name, int cand | + exists(TNamedColumn(name)) and + cand = content.indexOf(name + ":") and + cand >= start + | + cand + ) + or + not exists(string name | + exists(TNamedColumn(name)) and + content.indexOf(name + ":") >= start + ) and + result = content.length() } -private string getAnExpectation(ExpectationComment comment) { - result = comment.getContents().regexpCapture(expectationCommentPattern(), 1).splitAt("$").trim() and - result != "" +private predicate getAnExpectation( + ExpectationComment comment, TColumn column, string expectation, string tags, string value +) { + exists(string content | + content = comment.getContents().regexpCapture(expectationCommentPattern(), 1) and + ( + column = TDefaultColumn() and + exists(int end | + end = getEndOfColumnPosition(0, content) and + expectation = content.prefix(end).regexpFind(expectationPattern(), _, _).trim() + ) + or + exists(string name, int start, int end | + column = TNamedColumn(name) and + start = content.indexOf(name + ":") + name.length() + 1 and + end = getEndOfColumnPosition(start, content) and + expectation = content.substring(start, end).regexpFind(expectationPattern(), _, _).trim() + ) + ) + ) and + tags = expectation.regexpCapture(expectationPattern(), 1) and + if exists(expectation.regexpCapture(expectationPattern(), 2)) + then value = expectation.regexpCapture(expectationPattern(), 2) + else value = "" +} + +private string getColumnString(TColumn column) { + column = TDefaultColumn() and result = "" + or + column = TNamedColumn(result) +} + +/** + * RegEx pattern to match a single expected result, not including the leading `$`. 
It consists of one or + * more comma-separated tags containing only letters, digits, `-` and `_` (note that the first character + * must not be a digit), optionally followed by `=` and the expected value. + */ +private string expectationPattern() { + exists(string tag, string tags, string value | + tag = "[A-Za-z-_][A-Za-z-_0-9]*" and + tags = "((?:" + tag + ")(?:\\s*,\\s*" + tag + ")*)" and + // In Python, we allow both `"` and `'` for strings, as well as the prefixes `bru`. + // For example, `b"foo"`. + value = "((?:[bru]*\"[^\"]*\"|[bru]*'[^']*'|\\S+)*)" and + result = tags + "(?:=" + value + ")?" + ) } private newtype TFailureLocatable = TActualResult( - InlineExpectationsTest test, string file, int line, string element, string tag, string value + InlineExpectationsTest test, Location location, string element, string tag, string value ) { - test.hasActualResult(file, line, element, tag, value) + test.hasActualResult(location, element, tag, value) } or TValidExpectation(ExpectationComment comment, string tag, string value, string knownFailure) { - exists(string expectation | - expectation = getAnExpectation(comment) and - expectation.regexpMatch(expectationPattern()) and - tag = expectation.regexpCapture(expectationPattern(), 2).splitAt(",").trim() and - ( - if exists(expectation.regexpCapture(expectationPattern(), 3)) - then value = expectation.regexpCapture(expectationPattern(), 3) - else value = "" - ) and - ( - if exists(expectation.regexpCapture(expectationPattern(), 1)) - then knownFailure = expectation.regexpCapture(expectationPattern(), 1) - else knownFailure = "" - ) + exists(TColumn column, string tags | + getAnExpectation(comment, column, _, tags, value) and + tag = tags.splitAt(",") and + knownFailure = getColumnString(column) ) } or TInvalidExpectation(ExpectationComment comment, string expectation) { - expectation = getAnExpectation(comment) and + getAnExpectation(comment, _, expectation, _, _) and not expectation.regexpMatch(expectationPattern()) 
} class FailureLocatable extends TFailureLocatable { string toString() { none() } - predicate hasLocation(string file, int line) { none() } + Location getLocation() { none() } final string getExpectationText() { result = this.getTag() + "=" + this.getValue() } @@ -218,17 +273,16 @@ class FailureLocatable extends TFailureLocatable { class ActualResult extends FailureLocatable, TActualResult { InlineExpectationsTest test; - string file; - int line; + Location location; string element; string tag; string value; - ActualResult() { this = TActualResult(test, file, line, element, tag, value) } + ActualResult() { this = TActualResult(test, location, element, tag, value) } override string toString() { result = element } - override predicate hasLocation(string f, int l) { f = file and l = line } + override Location getLocation() { result = location } InlineExpectationsTest getTest() { result = test } @@ -242,9 +296,7 @@ abstract private class Expectation extends FailureLocatable { override string toString() { result = comment.toString() } - override predicate hasLocation(string file, int line) { - comment.hasLocationInfo(file, line, _, _, _) - } + override Location getLocation() { result = comment.getLocation() } } private class ValidExpectation extends Expectation, TValidExpectation { 
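Review bot: After this hunk `TInvalidExpectation` looks unreachable: `getAnExpectation` now only yields substrings found by `regexpFind(expectationPattern(), _, _)` (and `trim()` cannot alter them, since the pattern neither starts nor ends with whitespace), so every `expectation` it binds satisfies `expectation.regexpMatch(expectationPattern())` and the `not` in `TInvalidExpectation` never holds — text in a `$` comment that the pattern does not match (a stray token, a disallowed tag character) is now silently dropped instead of being reported through `InvalidExpectation`. Either remove `TInvalidExpectation`/`InvalidExpectation`, or derive the invalid case from the column text with the `regexpFind` matches cut out (a non-blank remainder of `content.prefix(end)` or `content.substring(start, end)` is an invalid expectation). The `TColumn` QLDoc has two typos, `precedeeded` and `preceeded`, which should both read `preceded`. The comment above `value` in `expectationPattern` speaks only of Python although this is the Go copy of a synced library; wording such as `// Shared across languages: Python also needs both quote styles and the bru prefixes, e.g. b"foo".` would avoid the confusion. The `FailureLocatable` class opened at the end of this hunk continues outside it.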
@@ -261,24 +313,24 @@ private class ValidExpectation extends Expectation, TValidExpectation { string getKnownFailure() { result = knownFailure } predicate matchesActualResult(ActualResult actualResult) { - exists(string file, int line | actualResult.hasLocation(file, line) | - this.hasLocation(file, line) - ) and + this.getLocation().getStartLine() = actualResult.getLocation().getStartLine() and + this.getLocation().getFile() = actualResult.getLocation().getFile() and this.getTag() = actualResult.getTag() and this.getValue() = actualResult.getValue() } } +/* Note: These next three classes correspond to all the possible values of type `TColumn`. */ class GoodExpectation extends ValidExpectation { GoodExpectation() { this.getKnownFailure() = "" } } class FalsePositiveExpectation extends ValidExpectation { - FalsePositiveExpectation() { this.getKnownFailure() = "f+" } + FalsePositiveExpectation() { this.getKnownFailure() = "SPURIOUS" } } class FalseNegativeExpectation extends ValidExpectation { - FalseNegativeExpectation() { this.getKnownFailure() = "f-" } + FalseNegativeExpectation() { this.getKnownFailure() = "MISSING" } } class InvalidExpectation extends Expectation, TInvalidExpectation { @@ -289,8 +341,6 @@ class InvalidExpectation extends Expectation, TInvalidExpectation { string getExpectation() { result = expectation } } -query predicate failures(string file, int line, FailureLocatable element, string message) { - exists(InlineExpectationsTest test | test.hasFailureMessage(element, message) | - element.hasLocation(file, line) - ) +query predicate failures(FailureLocatable element, string message) { + exists(InlineExpectationsTest test | test.hasFailureMessage(element, message)) } From 7961ba6b931b8eeb8a2375e943f4516f5d5b9130 Mon Sep 17 00:00:00 2001 
From: Owen Mansel-Chan Date: Mon, 18 Oct 2021 13:43:05 +0100 Subject: [PATCH 2/9] Add hasActualResult predicate not using Location
---
 ql/test/TestUtilities/InlineExpectationsTest.qll | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/ql/test/TestUtilities/InlineExpectationsTest.qll b/ql/test/TestUtilities/InlineExpectationsTest.qll
index 21d9889ba6d..3d2dc05a5ef 100644
--- a/ql/test/TestUtilities/InlineExpectationsTest.qll
+++ b/ql/test/TestUtilities/InlineExpectationsTest.qll
@@ -121,7 +121,12 @@ abstract class InlineExpectationsTest extends string {
 * - `value` - The value of the result, which will be matched against the value associated with
 * `tag` in any expected result comment on that line.
 */
- abstract predicate hasActualResult(Location location, string element, string tag, string value);
+ abstract predicate hasActualResult(string file, int line, string element, string tag, string value);
+
+ predicate hasActualResult(Location location, string element, string tag, string value) {
+ this.hasActualResult(location.getFile().getAbsolutePath(), location.getStartLine(), element,
+ tag, value)
+ }
 
 final predicate hasFailureMessage(FailureLocatable element, string message) {
 exists(ActualResult actualResult |
From 5f0f04de1cec793e54975d77edda77881f0f9fe3 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan Date: Mon, 18 Oct 2021 13:43:45 +0100 Subject: [PATCH 3/9] Update labels for missing and spurious results
---
 .../semmle/go/concepts/LoggerCall/glog.go | 20 +++++++++----------
 .../go/dataflow/GuardingFunctions/test.go | 2 +-
 .../go/dataflow/PromotedMethods/methods.go | 6 +++---
 .../semmle/go/frameworks/SQL/main.go | 12 +++++------
 .../semmle/go/frameworks/Zap/test.go | 8 ++++----
 5 files changed, 24 insertions(+), 24 deletions(-)
diff --git a/ql/test/library-tests/semmle/go/concepts/LoggerCall/glog.go b/ql/test/library-tests/semmle/go/concepts/LoggerCall/glog.go
index f73e44fa7bd..bbf1c56a06f 100644
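Review bot: The new four-argument `hasActualResult(Location location, ...)` has no QLDoc, while the comment block directly above it (ending with the `value` entry) documents only the five-argument abstract form, so a reader sees a documented abstract predicate followed by an undocumented overload of the same name. A short QLDoc would do, e.g. `/** Holds if the test has result `element` with `tag` and `value` at `location`; delegates to the five-argument form using the file's absolute path and start line. */`. If subclasses are meant to override only the `(string file, int line, ...)` form, saying so there, or marking this overload `final`, would make that intent explicit.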
--- a/ql/test/library-tests/semmle/go/concepts/LoggerCall/glog.go +++ b/ql/test/library-tests/semmle/go/concepts/LoggerCall/glog.go 
@@ -10,44 +10,44 @@ import ( func glogTest() { glog.Error(text) // $logger=text - glog.ErrorDepth(0, text) // $f-:logger=text + glog.ErrorDepth(0, text) // $MISSING:logger=text glog.Errorf(fmt, text) // $logger=fmt $logger=text glog.Errorln(text) // $logger=text glog.Exit(text) // $logger=text - glog.ExitDepth(0, text) // $f-:logger=text + glog.ExitDepth(0, text) // $MISSING:logger=text glog.Exitf(fmt, text) // $logger=fmt $logger=text glog.Exitln(text) // $logger=text glog.Fatal(text) // $logger=text - glog.FatalDepth(0, text) // $f-:logger=text + glog.FatalDepth(0, text) // $MISSING:logger=text glog.Fatalf(fmt, text) // $logger=fmt $logger=text glog.Fatalln(text) // $logger=text glog.Info(text) // $logger=text - glog.InfoDepth(0, text) // $f-:logger=text + glog.InfoDepth(0, text) // $MISSING:logger=text glog.Infof(fmt, text) // $logger=fmt $logger=text glog.Infoln(text) // $logger=text glog.Warning(text) // $logger=text - glog.WarningDepth(0, text) // $f-:logger=text + glog.WarningDepth(0, text) // $MISSING:logger=text glog.Warningf(fmt, text) // $logger=fmt $logger=text glog.Warningln(text) // $logger=text klog.Error(text) // $logger=text - klog.ErrorDepth(0, text) // $f-:logger=text + klog.ErrorDepth(0, text) // $MISSING:logger=text klog.Errorf(fmt, text) // $logger=fmt $logger=text klog.Errorln(text) // $logger=text klog.Exit(text) // $logger=text - klog.ExitDepth(0, text) // $f-:logger=text + klog.ExitDepth(0, text) // $MISSING:logger=text klog.Exitf(fmt, text) // $logger=fmt $logger=text klog.Exitln(text) // $logger=text klog.Fatal(text) // $logger=text - klog.FatalDepth(0, text) // $f-:logger=text + klog.FatalDepth(0, text) // $MISSING:logger=text klog.Fatalf(fmt, text) // $logger=fmt $logger=text klog.Fatalln(text) // $logger=text klog.Info(text) // $logger=text - klog.InfoDepth(0, text) // $f-:logger=text + klog.InfoDepth(0, text) // $MISSING:logger=text klog.Infof(fmt, text) // $logger=fmt $logger=text klog.Infoln(text) // $logger=text klog.Warning(text) 
// $logger=text - klog.WarningDepth(0, text) // $f-:logger=text + klog.WarningDepth(0, text) // $MISSING:logger=text klog.Warningf(fmt, text) // $logger=fmt $logger=text klog.Warningln(text) // $logger=text } diff --git a/ql/test/library-tests/semmle/go/dataflow/GuardingFunctions/test.go b/ql/test/library-tests/semmle/go/dataflow/GuardingFunctions/test.go index 4924d0e79be..2f657e6168d 100644 --- a/ql/test/library-tests/semmle/go/dataflow/GuardingFunctions/test.go +++ b/ql/test/library-tests/semmle/go/dataflow/GuardingFunctions/test.go @@ -842,7 +842,7 @@ func test() { s := source() isValid := !guardBool(s) if isValid { - sink(s) // $f+:dataflow=s + sink(s) // $SPURIOUS:dataflow=s } else { sink(s) // $dataflow=s } diff --git a/ql/test/library-tests/semmle/go/dataflow/PromotedMethods/methods.go b/ql/test/library-tests/semmle/go/dataflow/PromotedMethods/methods.go index 41debd07a8a..3cbdbf58c98 100644 --- a/ql/test/library-tests/semmle/go/dataflow/PromotedMethods/methods.go +++ b/ql/test/library-tests/semmle/go/dataflow/PromotedMethods/methods.go @@ -23,7 +23,7 @@ func (e Embedded) sinkFieldOnEmbeddedNonPointerReceiver() { } func (e *Embedded) sinkFieldOnEmbeddedPointerReceiver() { - sink(e.field) // $f-:promotedmethods=nonPointerSender1 $f-:promotedmethods=pointerSender1 $f-:promotedmethods=nonPointerSender2 $f-:promotedmethods=pointerSender2 + sink(e.field) // $MISSING:promotedmethods=nonPointerSender1 $MISSING:promotedmethods=pointerSender1 $MISSING:promotedmethods=nonPointerSender2 $MISSING:promotedmethods=pointerSender2 } func (base1 Base1) sinkFieldOnBase1NonPointerReceiver() { @@ -31,7 +31,7 @@ func (base1 Base1) sinkFieldOnBase1NonPointerReceiver() { } func (base1 *Base1) sinkFieldOnBase1PointerReceiver() { - sink(base1.field) // $f-:promotedmethods=nonPointerSender1 $promotedmethods=pointerSender1 + sink(base1.field) // $MISSING:promotedmethods=nonPointerSender1 $promotedmethods=pointerSender1 } func (base2 Base2) sinkFieldOnBase2NonPointerReceiver() { 
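Review bot: The replacement annotations are written `$MISSING:logger=text` with no space after `$` or `:`, whereas the form documented in patch 1's QLDoc is `$ MISSING: tag=expected-value`; the same applies to the `$SPURIOUS:` annotations in the GuardingFunctions, SQL and Zap hunks. The PromotedMethods hunk additionally repeats `$MISSING:` before every expectation (`// $MISSING:promotedmethods=nonPointerSender1 $MISSING:promotedmethods=pointerSender1 ...`), where the documented single-column form would be `// $ MISSING: promotedmethods=nonPointerSender1 promotedmethods=pointerSender1 ...`. As far as I can tell from the parser in patch 1, both spellings are accepted because `getEndOfColumnPosition` locates `MISSING:` with `indexOf` and the `$` characters left inside a column are skipped only because the tag pattern cannot match them, so the repeated-`$` form relies on a property of the regex rather than on the documented syntax. Using the spaced, single-column form here would keep the tests aligned with the docs.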
@@ -39,7 +39,7 @@ func (base2 Base2) sinkFieldOnBase2NonPointerReceiver() { } func (base2 *Base2) sinkFieldOnBase2PointerReceiver() { - sink(base2.field) // $f-:promotedmethods=nonPointerSender2 $promotedmethods=pointerSender2 + sink(base2.field) // $MISSING:promotedmethods=nonPointerSender2 $promotedmethods=pointerSender2 } func nonPointerSender1() { diff --git a/ql/test/library-tests/semmle/go/frameworks/SQL/main.go b/ql/test/library-tests/semmle/go/frameworks/SQL/main.go index 3458e337abe..f5a62e556e9 100644 --- a/ql/test/library-tests/semmle/go/frameworks/SQL/main.go +++ b/ql/test/library-tests/semmle/go/frameworks/SQL/main.go @@ -59,16 +59,16 @@ func test2(tx *sql.Tx, query string, ctx context.Context) { } func test3(db *sql.DB, ctx context.Context) { - stmt1, _ := db.Prepare(query21) // $f+:querystring=query21 - stmt1.Exec() // $f-:query=query21 - stmt2, _ := db.PrepareContext(ctx, query22) // $f+:querystring=query22 - stmt2.ExecContext(ctx) // $f-:query=query22 - stmt3, _ := db.Prepare(query23) // $f+:querystring=query23 + stmt1, _ := db.Prepare(query21) // $SPURIOUS:querystring=query21 + stmt1.Exec() // $MISSING:query=query21 + stmt2, _ := db.PrepareContext(ctx, query22) // $SPURIOUS:querystring=query22 + stmt2.ExecContext(ctx) // $MISSING:query=query22 + stmt3, _ := db.Prepare(query23) // $SPURIOUS:querystring=query23 runQuery(stmt3) } func runQuery(stmt *sql.Stmt) { - stmt.Exec() // $f-:query=query23 + stmt.Exec() // $MISSING:query=query23 } func main() {} diff --git a/ql/test/library-tests/semmle/go/frameworks/Zap/test.go b/ql/test/library-tests/semmle/go/frameworks/Zap/test.go index 249038fb1b9..0e1932ba696 100644 --- a/ql/test/library-tests/semmle/go/frameworks/Zap/test.go +++ b/ql/test/library-tests/semmle/go/frameworks/Zap/test.go 
@@ -61,7 +61,7 @@ func testZapLoggerWarn(logger *zap.Logger) { func testZapLoggerNop() { // We do not currently recognise that a logger made using NewNop() does not actually do any logging logger := zap.NewNop() - logger.Debug(getUntrustedString()) // $f+:zap=call to getUntrustedString + logger.Debug(getUntrustedString()) // $SPURIOUS:zap=call to getUntrustedString } func testLoggerNamed(logger *zap.Logger) { @@ -74,7 +74,7 @@ func testLoggerWith(logger *zap.Logger) *zap.Logger { logger1.Info("hello world") logger2 := logger.With(zap.String("key", getUntrustedString())) // $zap=call to String logger2.Info("hello world") - logger3 := logger.With(zap.String("key", getUntrustedString())) // $f+:zap=call to String + logger3 := logger.With(zap.String("key", getUntrustedString())) // $SPURIOUS:zap=call to String return logger3 } @@ -83,7 +83,7 @@ func getLoggerWithUntrustedField() *zap.Logger { } func getLoggerWithUntrustedFieldUnused() *zap.Logger { - return zap.NewExample().With(zap.NamedError("key", getUntrustedData().(error))) // $f+:zap=call to NamedError + return zap.NewExample().With(zap.NamedError("key", getUntrustedData().(error))) // $SPURIOUS:zap=call to NamedError } func testLoggerWithAcrossFunctionBoundary() { @@ -95,7 +95,7 @@ func testLoggerWithOptions(logger *zap.Logger) *zap.Logger { logger1.Info("hello world") logger2 := logger.WithOptions(zap.Fields(zap.String("key", getUntrustedString()))) // $zap=call to Fields logger2.Info("hello world") - logger3 := logger.WithOptions(zap.Fields(zap.String("key", getUntrustedString()))) // $f+:zap=call to Fields + logger3 := logger.WithOptions(zap.Fields(zap.String("key", getUntrustedString()))) // $SPURIOUS:zap=call to Fields return logger3 } From f28539928afdfc72e0e38be5e0ef80e2fa34e52d Mon Sep 17 00:00:00 2001 
From: Owen Mansel-Chan Date: Wed, 20 Oct 2021 09:28:15 +0100 Subject: [PATCH 4/9] Quote expected values that have spaces --- .../go/frameworks/ElazarlGoproxy/main.go | 2 +- .../go/frameworks/ElazarlGoproxy/test.ql | 2 +- .../semmle/go/frameworks/GoKit/main.go | 4 +- .../frameworks/GoKit/untrustedflowsource.ql | 2 +- .../semmle/go/frameworks/Revel/EndToEnd.go | 30 +++--- .../semmle/go/frameworks/Revel/Revel.go | 10 +- .../booking/app/controllers/hotels.go | 4 +- .../Revel/examples/booking/app/init.go | 4 +- .../semmle/go/frameworks/Revel/test.ql | 2 +- .../semmle/go/frameworks/Yaml/tests.ql | 8 +- .../semmle/go/frameworks/Yaml/yaml.go | 34 +++---- .../semmle/go/frameworks/Zap/TaintFlows.ql | 2 +- .../semmle/go/frameworks/Zap/test.go | 98 +++++++++---------- 13 files changed, 102 insertions(+), 100 deletions(-) diff --git a/ql/test/library-tests/semmle/go/frameworks/ElazarlGoproxy/main.go b/ql/test/library-tests/semmle/go/frameworks/ElazarlGoproxy/main.go index 5c5f104e1b2..2a4bb634234 100644 --- a/ql/test/library-tests/semmle/go/frameworks/ElazarlGoproxy/main.go +++ b/ql/test/library-tests/semmle/go/frameworks/ElazarlGoproxy/main.go @@ -9,7 +9,7 @@ import ( ) func handler(r *http.Request, ctx *goproxy.ProxyCtx) (*http.Request, *http.Response) { - data := ctx.UserData // $untrustedflowsource=selection of UserData + data := ctx.UserData // $ untrustedflowsource="selection of UserData" // note no content type result here because we don't seem to extract the value of `ContentTypeHtml` return r, goproxy.NewResponse(r, goproxy.ContentTypeHtml, http.StatusForbidden, fmt.Sprintf("Bad request: %v", data)) // $headerwrite=status:403 diff --git a/ql/test/library-tests/semmle/go/frameworks/ElazarlGoproxy/test.ql b/ql/test/library-tests/semmle/go/frameworks/ElazarlGoproxy/test.ql index cf7ff09fb3f..1ee889d8dc9 100644 --- a/ql/test/library-tests/semmle/go/frameworks/ElazarlGoproxy/test.ql +++ b/ql/test/library-tests/semmle/go/frameworks/ElazarlGoproxy/test.ql 
@@ -9,7 +9,7 @@ class UntrustedFlowSourceTest extends InlineExpectationsTest { override predicate hasActualResult(string file, int line, string element, string tag, string value) { tag = "untrustedflowsource" and value = element and - exists(UntrustedFlowSource src | value = src.toString() | + exists(UntrustedFlowSource src | value = "\"" + src.toString() + "\"" | src.hasLocationInfo(file, line, _, _, _) ) } diff --git a/ql/test/library-tests/semmle/go/frameworks/GoKit/main.go b/ql/test/library-tests/semmle/go/frameworks/GoKit/main.go index 17228a994da..93693cad8b1 100644 --- a/ql/test/library-tests/semmle/go/frameworks/GoKit/main.go +++ b/ql/test/library-tests/semmle/go/frameworks/GoKit/main.go @@ -11,12 +11,12 @@ type MyService interface { } func makeEndpointLit(svc MyService) endpoint.Endpoint { - return func(_ context.Context, request interface{}) (interface{}, error) { // $source=definition of request + return func(_ context.Context, request interface{}) (interface{}, error) { // $source="definition of request" return request, nil } } -func endpointfn(_ context.Context, request interface{}) (interface{}, error) { // $source=definition of request +func endpointfn(_ context.Context, request interface{}) (interface{}, error) { // $source="definition of request" return request, nil } diff --git a/ql/test/library-tests/semmle/go/frameworks/GoKit/untrustedflowsource.ql b/ql/test/library-tests/semmle/go/frameworks/GoKit/untrustedflowsource.ql index 08a5973a458..7533bff89cb 100644 --- a/ql/test/library-tests/semmle/go/frameworks/GoKit/untrustedflowsource.ql +++ b/ql/test/library-tests/semmle/go/frameworks/GoKit/untrustedflowsource.ql @@ -11,7 +11,7 @@ class UntrustedFlowSourceTest extends InlineExpectationsTest { exists(UntrustedFlowSource source | source.hasLocationInfo(file, line, _, _, _) and element = source.toString() and - value = source.toString() and + value = "\"" + source.toString() + "\"" and tag = "source" ) } 
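Review bot: Because `value = element and` is kept above the changed line, the new quoting `value = "\"" + src.toString() + "\""` also puts the quote characters into `element`, so this test's failure output now names the source with quotes included — unlike `GoKit/untrustedflowsource.ql` in the same patch, which quotes only `value` and keeps `element = source.toString()`. Dropping `value = element and` and changing the `exists` line to `exists(UntrustedFlowSource src | element = src.toString() and value = "\"" + element + "\"" |` keeps `element` unquoted and the two test files consistent. If a source's `toString()` can ever contain a `"`, the quoted value would not match the `"[^"]*"` alternative of `expectationPattern`; I have not checked whether that occurs in these tests.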
diff --git a/ql/test/library-tests/semmle/go/frameworks/Revel/EndToEnd.go b/ql/test/library-tests/semmle/go/frameworks/Revel/EndToEnd.go index 05cac01673f..85d0d785e93 100644 --- a/ql/test/library-tests/semmle/go/frameworks/Revel/EndToEnd.go +++ b/ql/test/library-tests/semmle/go/frameworks/Revel/EndToEnd.go 
@@ -27,69 +27,69 @@ type MyRoute struct { func (c MyRoute) Handler1() revel.Result { // GOOD: the Render function is likely to properly escape the user-controlled parameter. - return c.Render("someviewparam", c.Params.Form.Get("someField")) // $source=selection of Params + return c.Render("someviewparam", c.Params.Form.Get("someField")) // $source="selection of Params" } func (c MyRoute) Handler2() revel.Result { // BAD: the RenderBinary function copies an `io.Reader` to the user's browser. buf := &bytes.Buffer{} - buf.WriteString(c.Params.Form.Get("someField")) // $source=selection of Params - return c.RenderBinary(buf, "index.html", revel.Inline, time.Now()) // $responsebody=buf + buf.WriteString(c.Params.Form.Get("someField")) // $source="selection of Params" + return c.RenderBinary(buf, "index.html", revel.Inline, time.Now()) // $responsebody='buf' } func (c MyRoute) Handler3() revel.Result { // GOOD: the RenderBinary function copies an `io.Reader` to the user's browser, but the filename // means it will be given a safe content-type. buf := &bytes.Buffer{} - buf.WriteString(c.Params.Form.Get("someField")) // $source=selection of Params - return c.RenderBinary(buf, "index.txt", revel.Inline, time.Now()) // $responsebody=buf + buf.WriteString(c.Params.Form.Get("someField")) // $source="selection of Params" + return c.RenderBinary(buf, "index.txt", revel.Inline, time.Now()) // $responsebody='buf' } func (c MyRoute) Handler4() revel.Result { // GOOD: the RenderError function either uses an HTML template with probable escaping, // or it uses content-type text/plain. 
- err := errors.New(c.Params.Form.Get("someField")) // $source=selection of Params - return c.RenderError(err) // $responsebody=err + err := errors.New(c.Params.Form.Get("someField")) // $source="selection of Params" + return c.RenderError(err) // $responsebody='err' } func (c MyRoute) Handler5() revel.Result { // BAD: returning an arbitrary file (but this is detected at the os.Open call, not // due to modelling Revel) - f, _ := os.Open(c.Params.Form.Get("someField")) // $source=selection of Params + f, _ := os.Open(c.Params.Form.Get("someField")) // $source="selection of Params" return c.RenderFile(f, revel.Inline) } func (c MyRoute) Handler6() revel.Result { // BAD: returning an arbitrary file (detected as a user-controlled file-op, not XSS) - return c.RenderFileName(c.Params.Form.Get("someField"), revel.Inline) // $source=selection of Params + return c.RenderFileName(c.Params.Form.Get("someField"), revel.Inline) // $source="selection of Params" } func (c MyRoute) Handler7() revel.Result { // BAD: straightforward XSS - return c.RenderHTML(c.Params.Form.Get("someField")) // $responsebody=call to Get $source=selection of Params + return c.RenderHTML(c.Params.Form.Get("someField")) // $responsebody='call to Get' $source="selection of Params" } func (c MyRoute) Handler8() revel.Result { // GOOD: uses JSON content-type - return c.RenderJSON(c.Params.Form.Get("someField")) // $responsebody=call to Get $source=selection of Params + return c.RenderJSON(c.Params.Form.Get("someField")) // $responsebody='call to Get' $source="selection of Params" } func (c MyRoute) Handler9() revel.Result { // GOOD: uses Javascript content-type - return c.RenderJSONP("callback", c.Params.Form.Get("someField")) // $responsebody=call to Get $source=selection of Params + return c.RenderJSONP("callback", c.Params.Form.Get("someField")) // $responsebody='call to Get' $source="selection of Params" } func (c MyRoute) Handler10() revel.Result { // GOOD: uses text content-type - return 
c.RenderText(c.Params.Form.Get("someField")) // $responsebody=call to Get $source=selection of Params + return c.RenderText(c.Params.Form.Get("someField")) // $responsebody='call to Get' $source="selection of Params" } func (c MyRoute) Handler11() revel.Result { // GOOD: uses xml content-type - return c.RenderXML(c.Params.Form.Get("someField")) // $responsebody=call to Get $source=selection of Params + return c.RenderXML(c.Params.Form.Get("someField")) // $responsebody='call to Get' $source="selection of Params" } func (c MyRoute) Handler12() revel.Result { // BAD: open redirect - return c.Redirect(c.Params.Form.Get("someField")) // $source=selection of Params + return c.Redirect(c.Params.Form.Get("someField")) // $source="selection of Params" } diff --git a/ql/test/library-tests/semmle/go/frameworks/Revel/Revel.go b/ql/test/library-tests/semmle/go/frameworks/Revel/Revel.go index be4c08e6725..999891e432d 100644 --- a/ql/test/library-tests/semmle/go/frameworks/Revel/Revel.go +++ b/ql/test/library-tests/semmle/go/frameworks/Revel/Revel.go @@ -24,10 +24,10 @@ func sink(_ ...interface{}) {} func (c myAppController) accessingParamsDirectlyIsUnsafe() { sink(c.Params.Get("key")) - sink(c.Params.Values) // $source=selection of Params + sink(c.Params.Values) // $source="selection of Params" val4 := "" - c.Params.Bind(&val4, "key") // $source=selection of Params + c.Params.Bind(&val4, "key") // $source="selection of Params" sink(val4) sink(c.Request.FormValue("key")) @@ -64,10 +64,10 @@ func (c myAppController) accessingParamsJSONIsUnsafe() { sink(val2["name"].(string)) } -func (c myAppController) rawRead() { // $responsebody=argument corresponding to c - c.ViewArgs["Foo"] = "

raw HTML

" // $responsebody="

raw HTML

" +func (c myAppController) rawRead() { // $responsebody='argument corresponding to c' + c.ViewArgs["Foo"] = "

raw HTML

" // $responsebody='"

raw HTML

"' c.ViewArgs["Bar"] = "

not raw HTML

" - c.ViewArgs["Foo"] = c.Params.Query // $responsebody=selection of Query + c.ViewArgs["Foo"] = c.Params.Query // $responsebody='selection of Query' c.Render() } diff --git a/ql/test/library-tests/semmle/go/frameworks/Revel/examples/booking/app/controllers/hotels.go b/ql/test/library-tests/semmle/go/frameworks/Revel/examples/booking/app/controllers/hotels.go index b4752fa8fc9..c4b42533e37 100644 --- a/ql/test/library-tests/semmle/go/frameworks/Revel/examples/booking/app/controllers/hotels.go +++ b/ql/test/library-tests/semmle/go/frameworks/Revel/examples/booking/app/controllers/hotels.go @@ -104,7 +104,7 @@ func (c Hotels) ListJson(search string, size, page uint64) revel.Result { var hotels []*models.Hotel - return c.RenderJSON(map[string]interface{}{"hotels": hotels, "search": search, "size": size, "page": page, "nextPage": nextPage}) // $responsebody=map literal + return c.RenderJSON(map[string]interface{}{"hotels": hotels, "search": search, "size": size, "page": page, "nextPage": nextPage}) // $responsebody='map literal' } func (c Hotels) List(search string, size, page uint64) revel.Result { if page == 0 { @@ -155,7 +155,7 @@ func (c Hotels) SaveSettings(password, verifyPassword string) revel.Result { } func (c Hotels) ConfirmBooking(id int, booking models.Booking) revel.Result { - hotel := c.loadHotelById(id) // $responsebody=call to loadHotelById + hotel := c.loadHotelById(id) // $responsebody='call to loadHotelById' if hotel == nil { return c.NotFound("Hotel %d does not exist", id) } diff --git a/ql/test/library-tests/semmle/go/frameworks/Revel/examples/booking/app/init.go b/ql/test/library-tests/semmle/go/frameworks/Revel/examples/booking/app/init.go index ef5b74fa507..2d9d9fbf7f1 100644 --- a/ql/test/library-tests/semmle/go/frameworks/Revel/examples/booking/app/init.go +++ b/ql/test/library-tests/semmle/go/frameworks/Revel/examples/booking/app/init.go 
@@ -33,11 +33,11 @@ func init() { switch event { case revel.ENGINE_BEFORE_INITIALIZED: revel.AddHTTPMux("/this/is/a/test", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - fmt.Fprintln(w, "Hi there, it worked", r.URL.Path) // $responsebody=selection of Path $responsebody="Hi there, it worked" + fmt.Fprintln(w, "Hi there, it worked", r.URL.Path) // $responsebody='selection of Path' $responsebody='"Hi there, it worked"' w.WriteHeader(200) })) revel.AddHTTPMux("/this/is/", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - fmt.Fprintln(w, "Hi there, shorter prefix", r.URL.Path) // $responsebody=selection of Path $responsebody="Hi there, shorter prefix" + fmt.Fprintln(w, "Hi there, shorter prefix", r.URL.Path) // $responsebody='selection of Path' $responsebody='"Hi there, shorter prefix"' w.WriteHeader(200) })) } diff --git a/ql/test/library-tests/semmle/go/frameworks/Revel/test.ql b/ql/test/library-tests/semmle/go/frameworks/Revel/test.ql index b63817f371c..6ec1ec4717c 100644 --- a/ql/test/library-tests/semmle/go/frameworks/Revel/test.ql +++ b/ql/test/library-tests/semmle/go/frameworks/Revel/test.ql @@ -41,7 +41,7 @@ class HttpResponseBodyTest extends InlineExpectationsTest { exists(HTTP::ResponseBody rb | rb.hasLocationInfo(file, line, _, _, _) and element = rb.toString() and - value = rb.toString() + value = "'" + rb.toString() + "'" ) } } diff --git a/ql/test/library-tests/semmle/go/frameworks/Yaml/tests.ql b/ql/test/library-tests/semmle/go/frameworks/Yaml/tests.ql index 9c76068a9a0..5aa7aeac95f 100644 --- a/ql/test/library-tests/semmle/go/frameworks/Yaml/tests.ql +++ b/ql/test/library-tests/semmle/go/frameworks/Yaml/tests.ql 
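Review bot: In both handlers of the init.go hunk, `w.WriteHeader(200)` follows `fmt.Fprintln(w, ...)`, so the first body write has already sent an implicit 200 and the explicit call is a no-op that net/http reports as a superfluous WriteHeader. The commit only changes the expectation comments, but if the status is meant to be part of the fixture the call belongs before the write: `w.WriteHeader(200)` followed by `fmt.Fprintln(w, "Hi there, it worked", r.URL.Path) // $responsebody='selection of Path' $responsebody='"Hi there, it worked"'`, and likewise for the shorter-prefix handler. If the order is deliberate because only the body write is under test, a comment such as `// status written after the body on purpose; only the body write is under test` would stop the next reader from flagging it. The enclosing `init` function starts and ends outside the hunk.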
@@ -11,7 +11,7 @@ class TaintFunctionModelTest extends InlineExpectationsTest { exists(TaintTracking::FunctionModel model, DataFlow::CallNode call | call = model.getACall() | call.hasLocationInfo(file, line, _, _, _) and element = call.toString() and - value = model.getAnInputNode(call) + " -> " + model.getAnOutputNode(call) + value = "\"" + model.getAnInputNode(call) + " -> " + model.getAnOutputNode(call) + "\"" ) } } @@ -27,7 +27,8 @@ class MarshalerTest extends InlineExpectationsTest { call.hasLocationInfo(file, line, _, _, _) and element = call.toString() and value = - m.getFormat() + ": " + m.getAnInput().getNode(call) + " -> " + m.getOutput().getNode(call) + "\"" + m.getFormat() + ": " + m.getAnInput().getNode(call) + " -> " + + m.getOutput().getNode(call) + "\"" ) } } @@ -43,7 +44,8 @@ class UnmarshalerTest extends InlineExpectationsTest { call.hasLocationInfo(file, line, _, _, _) and element = call.toString() and value = - m.getFormat() + ": " + m.getAnInput().getNode(call) + " -> " + m.getOutput().getNode(call) + "\"" + m.getFormat() + ": " + m.getAnInput().getNode(call) + " -> " + + m.getOutput().getNode(call) + "\"" ) } } diff --git a/ql/test/library-tests/semmle/go/frameworks/Yaml/yaml.go b/ql/test/library-tests/semmle/go/frameworks/Yaml/yaml.go index d2796eb9997..cf3d29500b2 100644 --- a/ql/test/library-tests/semmle/go/frameworks/Yaml/yaml.go +++ b/ql/test/library-tests/semmle/go/frameworks/Yaml/yaml.go 
@@ -11,31 +11,31 @@ func main() { var in, out interface{} var inb []byte - out, _ = yaml1.Marshal(in) // $marshaler=yaml: in -> ... = ...[0] $ttfnmodelstep=in -> ... = ...[0] - yaml1.Unmarshal(inb, out) // $unmarshaler=yaml: inb -> definition of out $ttfnmodelstep=inb -> definition of out + out, _ = yaml1.Marshal(in) // $marshaler="yaml: in -> ... = ...[0]" $ttfnmodelstep="in -> ... = ...[0]" + yaml1.Unmarshal(inb, out) // $unmarshaler="yaml: inb -> definition of out" $ttfnmodelstep="inb -> definition of out" - out, _ = yaml2.Marshal(in) // $marshaler=yaml: in -> ... = ...[0] $ttfnmodelstep=in -> ... = ...[0] - yaml2.Unmarshal(inb, out) // $unmarshaler=yaml: inb -> definition of out $ttfnmodelstep=inb -> definition of out - yaml2.UnmarshalStrict(inb, out) // $unmarshaler=yaml: inb -> definition of out $ttfnmodelstep=inb -> definition of out + out, _ = yaml2.Marshal(in) // $marshaler="yaml: in -> ... = ...[0]" $ttfnmodelstep="in -> ... = ...[0]" + yaml2.Unmarshal(inb, out) // $unmarshaler="yaml: inb -> definition of out" $ttfnmodelstep="inb -> definition of out" + yaml2.UnmarshalStrict(inb, out) // $unmarshaler="yaml: inb -> definition of out" $ttfnmodelstep="inb -> definition of out" var r io.Reader - d := yaml2.NewDecoder(r) // $ttfnmodelstep=r -> call to NewDecoder - d.Decode(out) // $ttfnmodelstep=d -> definition of out + d := yaml2.NewDecoder(r) // $ttfnmodelstep="r -> call to NewDecoder" + d.Decode(out) // $ttfnmodelstep="d -> definition of out" var w io.Writer - e := yaml2.NewEncoder(w) // $ttfnmodelstep=definition of e -> definition of w - e.Encode(in) // $ttfnmodelstep=in -> definition of e + e := yaml2.NewEncoder(w) // $ttfnmodelstep="definition of e -> definition of w" + e.Encode(in) // $ttfnmodelstep="in -> definition of e" - out, _ = yaml3.Marshal(in) // $marshaler=yaml: in -> ... = ...[0] $ttfnmodelstep=in -> ... 
= ...[0] - yaml3.Unmarshal(inb, out) // $unmarshaler=yaml: inb -> definition of out $ttfnmodelstep=inb -> definition of out + out, _ = yaml3.Marshal(in) // $marshaler="yaml: in -> ... = ...[0]" $ttfnmodelstep="in -> ... = ...[0]" + yaml3.Unmarshal(inb, out) // $unmarshaler="yaml: inb -> definition of out" $ttfnmodelstep="inb -> definition of out" - d1 := yaml3.NewDecoder(r) // $ttfnmodelstep=r -> call to NewDecoder - d1.Decode(out) // $ttfnmodelstep=d1 -> definition of out + d1 := yaml3.NewDecoder(r) // $ttfnmodelstep="r -> call to NewDecoder" + d1.Decode(out) // $ttfnmodelstep="d1 -> definition of out" - e1 := yaml3.NewEncoder(w) // $ttfnmodelstep=definition of e1 -> definition of w - e1.Encode(in) // $ttfnmodelstep=in -> definition of e1 + e1 := yaml3.NewEncoder(w) // $ttfnmodelstep="definition of e1 -> definition of w" + e1.Encode(in) // $ttfnmodelstep="in -> definition of e1" var n1 yaml3.Node - n1.Decode(out) // $ttfnmodelstep=n1 -> definition of out - n1.Encode(in) // $ttfnmodelstep=in -> definition of n1 + n1.Decode(out) // $ttfnmodelstep="n1 -> definition of out" + n1.Encode(in) // $ttfnmodelstep="in -> definition of n1" } diff --git a/ql/test/library-tests/semmle/go/frameworks/Zap/TaintFlows.ql b/ql/test/library-tests/semmle/go/frameworks/Zap/TaintFlows.ql index a423807e2e7..390ef7a60de 100644 --- a/ql/test/library-tests/semmle/go/frameworks/Zap/TaintFlows.ql +++ b/ql/test/library-tests/semmle/go/frameworks/Zap/TaintFlows.ql @@ -22,7 +22,7 @@ class ZapTest extends InlineExpectationsTest { tag = "zap" and exists(DataFlow::Node sink | any(TestConfig c).hasFlow(_, sink) | element = sink.toString() and - value = sink.toString() and + value = "\"" + sink.toString() + "\"" and sink.hasLocationInfo(file, line, _, _, _) ) } diff --git a/ql/test/library-tests/semmle/go/frameworks/Zap/test.go b/ql/test/library-tests/semmle/go/frameworks/Zap/test.go index 0e1932ba696..63f10b5273e 100644 --- a/ql/test/library-tests/semmle/go/frameworks/Zap/test.go 
+++ b/ql/test/library-tests/semmle/go/frameworks/Zap/test.go 
@@ -18,72 +18,72 @@ func getUntrustedString() string { func testZapLoggerDPanic() { logger, _ := zap.NewProduction() - logger.DPanic(getUntrustedString()) // $zap=call to getUntrustedString + logger.DPanic(getUntrustedString()) // $zap="call to getUntrustedString" } func testZapLoggerFatal() { logger := zap.NewExample() - logger.Fatal("msg", zap.String(getUntrustedString(), "value")) // $zap=call to String + logger.Fatal("msg", zap.String(getUntrustedString(), "value")) // $zap="call to String" } func testZapLoggerPanic() { logger, _ := zap.NewDevelopment() - logger.Panic("msg", zap.Any("key", getUntrustedData())) // $zap=call to Any + logger.Panic("msg", zap.Any("key", getUntrustedData())) // $zap="call to Any" } func testZapLoggerDebug(core zapcore.Core, byteArray []byte) { logger := zap.New(core) - logger.Debug(getUntrustedString()) // $zap=call to getUntrustedString - logger.Debug("msg", zap.Binary(getUntrustedString(), byteArray)) // $zap=call to Binary - logger.Debug("msg", zap.ByteString("key", getUntrustedData().([]byte))) // $zap=call to ByteString + logger.Debug(getUntrustedString()) // $zap="call to getUntrustedString" + logger.Debug("msg", zap.Binary(getUntrustedString(), byteArray)) // $zap="call to Binary" + logger.Debug("msg", zap.ByteString("key", getUntrustedData().([]byte))) // $zap="call to ByteString" } func testZapLoggerError(bss [][]byte) { logger := zap.L() - logger.Error(getUntrustedString()) // $zap=call to getUntrustedString - logger.Error("msg", zap.ByteStrings(getUntrustedString(), bss)) // $zap=call to ByteStrings - logger.Error("msg", zap.Error(getUntrustedData().(error))) // $zap=call to Error + logger.Error(getUntrustedString()) // $zap="call to getUntrustedString" + logger.Error("msg", zap.ByteStrings(getUntrustedString(), bss)) // $zap="call to ByteStrings" + logger.Error("msg", zap.Error(getUntrustedData().(error))) // $zap="call to Error" } func testZapLoggerInfo(logger *zap.Logger, errs []error) { - 
logger.Info(getUntrustedString()) // $zap=call to getUntrustedString - logger.Info("msg", zap.Errors(getUntrustedString(), errs)) // $zap=call to Errors - logger.Info("msg", zap.NamedError("key", getUntrustedData().(error))) // $zap=call to NamedError + logger.Info(getUntrustedString()) // $zap="call to getUntrustedString" + logger.Info("msg", zap.Errors(getUntrustedString(), errs)) // $zap="call to Errors" + logger.Info("msg", zap.NamedError("key", getUntrustedData().(error))) // $zap="call to NamedError" } func testZapLoggerWarn(logger *zap.Logger) { - logger.Warn(getUntrustedString()) // $zap=call to getUntrustedString - logger.Warn("msg", zap.Reflect(getUntrustedString(), nil)) // $zap=call to Reflect - logger.Warn("msg", zap.Stringp("key", getUntrustedData().(*string))) // $zap=call to Stringp - logger.Warn("msg", zap.Strings("key", getUntrustedData().([]string))) // $zap=call to Strings + logger.Warn(getUntrustedString()) // $zap="call to getUntrustedString" + logger.Warn("msg", zap.Reflect(getUntrustedString(), nil)) // $zap="call to Reflect" + logger.Warn("msg", zap.Stringp("key", getUntrustedData().(*string))) // $zap="call to Stringp" + logger.Warn("msg", zap.Strings("key", getUntrustedData().([]string))) // $zap="call to Strings" } func testZapLoggerNop() { // We do not currently recognise that a logger made using NewNop() does not actually do any logging logger := zap.NewNop() - logger.Debug(getUntrustedString()) // $SPURIOUS:zap=call to getUntrustedString + logger.Debug(getUntrustedString()) // $SPURIOUS:zap="call to getUntrustedString" } func testLoggerNamed(logger *zap.Logger) { - namedLogger := logger.Named(getUntrustedString()) // $zap=call to getUntrustedString + namedLogger := logger.Named(getUntrustedString()) // $zap="call to getUntrustedString" namedLogger.Info("hello world") } func testLoggerWith(logger *zap.Logger) *zap.Logger { - logger1 := logger.With(zap.Any(getUntrustedString(), nil)) // $zap=call to Any + logger1 := 
logger.With(zap.Any(getUntrustedString(), nil)) // $zap="call to Any" logger1.Info("hello world") - logger2 := logger.With(zap.String("key", getUntrustedString())) // $zap=call to String + logger2 := logger.With(zap.String("key", getUntrustedString())) // $zap="call to String" logger2.Info("hello world") - logger3 := logger.With(zap.String("key", getUntrustedString())) // $SPURIOUS:zap=call to String + logger3 := logger.With(zap.String("key", getUntrustedString())) // $SPURIOUS:zap="call to String" return logger3 } func getLoggerWithUntrustedField() *zap.Logger { - return zap.NewExample().With(zap.NamedError("key", getUntrustedData().(error))) // $zap=call to NamedError + return zap.NewExample().With(zap.NamedError("key", getUntrustedData().(error))) // $zap="call to NamedError" } func getLoggerWithUntrustedFieldUnused() *zap.Logger { - return zap.NewExample().With(zap.NamedError("key", getUntrustedData().(error))) // $SPURIOUS:zap=call to NamedError + return zap.NewExample().With(zap.NamedError("key", getUntrustedData().(error))) // $SPURIOUS:zap="call to NamedError" } func testLoggerWithAcrossFunctionBoundary() { 
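Review bot: The `$SPURIOUS:` expectations on `logger3` in `testLoggerWith` and on the return in `getLoggerWithUntrustedFieldUnused` carry no explanation, whereas `testZapLoggerNop` documents why its result is spurious. From the visible code the reason is presumably that those loggers are returned or dropped without ever being used to log inside the function, so the untrusted field never reaches a log call; a comment above each line, e.g. `// logger3 is returned but never logs here, so the field should not be reported`, would record that intent and tell a future maintainer whether a query change that removes the SPURIOUS result is a fix or a regression. The same undocumented pattern recurs on `logger3` in `testLoggerWithOptions` in the next hunk (`$SPURIOUS:zap="call to Fields"`).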
@@ -91,91 +91,91 @@ func testLoggerWithAcrossFunctionBoundary() { } func testLoggerWithOptions(logger *zap.Logger) *zap.Logger { - logger1 := logger.WithOptions(zap.Fields(zap.Any(getUntrustedString(), nil))) // $zap=call to Fields + logger1 := logger.WithOptions(zap.Fields(zap.Any(getUntrustedString(), nil))) // $zap="call to Fields" logger1.Info("hello world") - logger2 := logger.WithOptions(zap.Fields(zap.String("key", getUntrustedString()))) // $zap=call to Fields + logger2 := logger.WithOptions(zap.Fields(zap.String("key", getUntrustedString()))) // $zap="call to Fields" logger2.Info("hello world") - logger3 := logger.WithOptions(zap.Fields(zap.String("key", getUntrustedString()))) // $SPURIOUS:zap=call to Fields + logger3 := logger.WithOptions(zap.Fields(zap.String("key", getUntrustedString()))) // $SPURIOUS:zap="call to Fields" return logger3 } func testZapSugaredLoggerDPanic(sugaredLogger *zap.SugaredLogger) { - sugaredLogger.DPanic(getUntrustedData()) // $zap=call to getUntrustedData + sugaredLogger.DPanic(getUntrustedData()) // $zap="call to getUntrustedData" } func testZapSugaredLoggerDPanicf(sugaredLogger *zap.SugaredLogger) { - sugaredLogger.DPanicf(getUntrustedString()) // $zap=call to getUntrustedString + sugaredLogger.DPanicf(getUntrustedString()) // $zap="call to getUntrustedString" } func testZapSugaredLoggerDPanicw(sugaredLogger *zap.SugaredLogger) { - sugaredLogger.DPanicw(getUntrustedString()) // $zap=call to getUntrustedString + sugaredLogger.DPanicw(getUntrustedString()) // $zap="call to getUntrustedString" } func testZapSugaredLoggerFatal(sugaredLogger *zap.SugaredLogger) { - sugaredLogger.Fatal(getUntrustedData()) // $zap=call to getUntrustedData + sugaredLogger.Fatal(getUntrustedData()) // $zap="call to getUntrustedData" } func testZapSugaredLoggerFatalf(sugaredLogger *zap.SugaredLogger) { - sugaredLogger.Fatalf(getUntrustedString()) // $zap=call to getUntrustedString + sugaredLogger.Fatalf(getUntrustedString()) // $zap="call to 
getUntrustedString" } func testZapSugaredLoggerFatalw(sugaredLogger *zap.SugaredLogger) { - sugaredLogger.Fatalw(getUntrustedString()) // $zap=call to getUntrustedString + sugaredLogger.Fatalw(getUntrustedString()) // $zap="call to getUntrustedString" } func testZapSugaredLoggerPanic(sugaredLogger *zap.SugaredLogger) { - sugaredLogger.Panic(getUntrustedData()) // $zap=call to getUntrustedData + sugaredLogger.Panic(getUntrustedData()) // $zap="call to getUntrustedData" } func testZapSugaredLoggerPanicf(sugaredLogger *zap.SugaredLogger) { - sugaredLogger.Panicf(getUntrustedString()) // $zap=call to getUntrustedString + sugaredLogger.Panicf(getUntrustedString()) // $zap="call to getUntrustedString" } func testZapSugaredLoggerPanicw(sugaredLogger *zap.SugaredLogger) { - sugaredLogger.Panicw(getUntrustedString()) // $zap=call to getUntrustedString + sugaredLogger.Panicw(getUntrustedString()) // $zap="call to getUntrustedString" } func testZapSugaredLoggerDebug() { sugaredLogger := zap.S() - sugaredLogger.Debug(getUntrustedData()) // $zap=call to getUntrustedData - sugaredLogger.Debugf("msg", getUntrustedData()) // $zap=call to getUntrustedData - sugaredLogger.Debugw("msg", "key", getUntrustedData()) // $zap=call to getUntrustedData + sugaredLogger.Debug(getUntrustedData()) // $zap="call to getUntrustedData" + sugaredLogger.Debugf("msg", getUntrustedData()) // $zap="call to getUntrustedData" + sugaredLogger.Debugw("msg", "key", getUntrustedData()) // $zap="call to getUntrustedData" } func testZapSugaredLoggerError() { logger, _ := zap.NewProduction() sugaredLogger := logger.Sugar() - sugaredLogger.Error(getUntrustedData()) // $zap=call to getUntrustedData - sugaredLogger.Errorf("msg", getUntrustedData()) // $zap=call to getUntrustedData - sugaredLogger.Errorw("msg", "key", getUntrustedData()) // $zap=call to getUntrustedData + sugaredLogger.Error(getUntrustedData()) // $zap="call to getUntrustedData" + sugaredLogger.Errorf("msg", getUntrustedData()) // $zap="call to 
getUntrustedData" + sugaredLogger.Errorw("msg", "key", getUntrustedData()) // $zap="call to getUntrustedData" } func testZapSugaredLoggerInfo() { logger := zap.NewExample() sugaredLogger := logger.Sugar() - sugaredLogger.Info(getUntrustedData()) // $zap=call to getUntrustedData - sugaredLogger.Infof("msg", getUntrustedData()) // $zap=call to getUntrustedData - sugaredLogger.Infow("msg", "key", getUntrustedData()) // $zap=call to getUntrustedData + sugaredLogger.Info(getUntrustedData()) // $zap="call to getUntrustedData" + sugaredLogger.Infof("msg", getUntrustedData()) // $zap="call to getUntrustedData" + sugaredLogger.Infow("msg", "key", getUntrustedData()) // $zap="call to getUntrustedData" } func testZapSugaredLoggerWarn() { logger, _ := zap.NewDevelopment() sugaredLogger := logger.Sugar() - sugaredLogger.Warn(getUntrustedData()) // $zap=call to getUntrustedData - sugaredLogger.Warnf("msg", getUntrustedData()) // $zap=call to getUntrustedData - sugaredLogger.Warnw("msg", "key", getUntrustedData()) // $zap=call to getUntrustedData + sugaredLogger.Warn(getUntrustedData()) // $zap="call to getUntrustedData" + sugaredLogger.Warnf("msg", getUntrustedData()) // $zap="call to getUntrustedData" + sugaredLogger.Warnw("msg", "key", getUntrustedData()) // $zap="call to getUntrustedData" } func testZapSugaredLoggerNamed() { logger := zap.L() sugaredLogger := logger.Sugar() - sugaredLogger.Named(getUntrustedString()) // $zap=call to getUntrustedString + sugaredLogger.Named(getUntrustedString()) // $zap="call to getUntrustedString" sugaredLogger.Info("msg") } func testZapSugaredLoggerWith() { logger := zap.L() sugaredLogger := logger.Sugar() - sugaredLogger.With("key", getUntrustedData()) // $zap=call to getUntrustedData + sugaredLogger.With("key", getUntrustedData()) // $zap="call to getUntrustedData" sugaredLogger.Info("msg") } From b8bd40463e1c2c1f7195ca933c8e303ef62c6dfb Mon Sep 17 00:00:00 2001 
From: Owen Mansel-Chan Date: Wed, 20 Oct 2021 09:30:54 +0100 Subject: [PATCH 5/9] Reorder MISSING labels The behaviour has changed: previously, "f+:" and "f-:" only affected the following entry, but "MISSING:" and "SPURIOUS:" affect all following --- .../semmle/go/dataflow/PromotedMethods/methods.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ql/test/library-tests/semmle/go/dataflow/PromotedMethods/methods.go b/ql/test/library-tests/semmle/go/dataflow/PromotedMethods/methods.go index 3cbdbf58c98..ab523f9bc0e 100644 --- a/ql/test/library-tests/semmle/go/dataflow/PromotedMethods/methods.go +++ b/ql/test/library-tests/semmle/go/dataflow/PromotedMethods/methods.go @@ -23,7 +23,7 @@ func (e Embedded) sinkFieldOnEmbeddedNonPointerReceiver() { } func (e *Embedded) sinkFieldOnEmbeddedPointerReceiver() { - sink(e.field) // $MISSING:promotedmethods=nonPointerSender1 $MISSING:promotedmethods=pointerSender1 $MISSING:promotedmethods=nonPointerSender2 $MISSING:promotedmethods=pointerSender2 + sink(e.field) // $MISSING:promotedmethods=nonPointerSender1 $promotedmethods=pointerSender1 $promotedmethods=nonPointerSender2 $promotedmethods=pointerSender2 } func (base1 Base1) sinkFieldOnBase1NonPointerReceiver() { @@ -31,7 +31,7 @@ func (base1 Base1) sinkFieldOnBase1NonPointerReceiver() { } func (base1 *Base1) sinkFieldOnBase1PointerReceiver() { - sink(base1.field) // $MISSING:promotedmethods=nonPointerSender1 $promotedmethods=pointerSender1 + sink(base1.field) // $promotedmethods=pointerSender1 $MISSING:promotedmethods=nonPointerSender1 } func (base2 Base2) sinkFieldOnBase2NonPointerReceiver() { @@ -39,7 +39,7 @@ func (base2 Base2) sinkFieldOnBase2NonPointerReceiver() { } func (base2 *Base2) sinkFieldOnBase2PointerReceiver() { - sink(base2.field) // $MISSING:promotedmethods=nonPointerSender2 $promotedmethods=pointerSender2 + sink(base2.field) // $promotedmethods=pointerSender2 $MISSING:promotedmethods=nonPointerSender2 } func nonPointerSender1() { 
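Review bot: The first methods.go hunk now reads `$MISSING:promotedmethods=nonPointerSender1 $promotedmethods=pointerSender1 $promotedmethods=nonPointerSender2 $promotedmethods=pointerSender2`, which under the rule given in the commit message (`MISSING:` applies to every following expectation) still marks all four results as missing, but a reader who assumes the prefix is per-entry will take the last three as real expected results. The two later hunks move `$MISSING:` to the end, apparently so that only the last entry is affected, which leaves this first line as the only one whose meaning depends on knowing the rule. A comment on the line above, e.g. `// all four promoted-method results are currently MISSING; the prefix covers every following expectation`, would make it self-explanatory; putting the note on the same line is best avoided, since free text after the last expectation might be read as part of its value.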
From 09ef621b2f5049e9b713e5836126db1a99fd7bab Mon Sep 17 00:00:00 2001 
From: Owen Mansel-Chan
Date: Wed, 20 Oct 2021 09:34:29 +0100
Subject: [PATCH 6/9] Put space after first dollar sign
---
 .../frameworks/CleverGo/HeaderWrite.go | 12 +-
 .../frameworks/CleverGo/HttpRedirect.go | 2 +-
 .../frameworks/CleverGo/HttpResponseBody.go | 36 ++---
 .../frameworks/CleverGo/TaintTracking.go | 14 +-
 .../frameworks/CleverGo/UntrustedSources.go | 32 ++--
 .../frameworks/Fiber/HeaderWrite.go | 4 +-
 .../experimental/frameworks/Fiber/Redirect.go | 2 +-
 .../frameworks/Fiber/ResponseBody.go | 16 +-
 .../frameworks/Fiber/TaintTracking.go | 28 ++--
 .../frameworks/Fiber/UntrustedFlowSources.go | 46 +++---
 .../semmle/go/concepts/HTTP/main.go | 4 +-
 .../semmle/go/concepts/LoggerCall/glog.go | 80 +++++-----
 .../semmle/go/concepts/LoggerCall/logrus.go | 26 ++--
 .../semmle/go/concepts/LoggerCall/stdlib.go | 36 ++---
 .../go/dataflow/GuardingFunctions/test.go | 146 +++++++++---------
 .../ListOfConstantsSanitizerGuards/test.go | 18 +--
 .../semmle/go/dataflow/PromotedFields/main.go | 128 +++++++--------
 .../go/dataflow/PromotedMethods/methods.go | 12 +-
 .../semmle/go/dataflow/TypeAssertions/test.go | 10 +-
 .../semmle/go/frameworks/CouchbaseV1/test.go | 4 +-
 .../go/frameworks/ElazarlGoproxy/main.go | 11 +-
 .../go/frameworks/EvanphxJsonPatch/main.go | 22 +--
 .../semmle/go/frameworks/GoKit/main.go | 5 +-
 .../go/frameworks/K8sIoApiCoreV1/main.go | 28 ++--
 .../K8sIoApimachineryPkgRuntime/main.go | 106 ++++++-------
 .../go/frameworks/K8sIoClientGo/main.go | 12 +-
 .../semmle/go/frameworks/NoSQL/main.go | 44 +++---
 .../semmle/go/frameworks/Revel/EndToEnd.go | 30 ++--
 .../semmle/go/frameworks/Revel/Revel.go | 14 +-
 .../booking/app/controllers/hotels.go | 5 +-
 .../Revel/examples/booking/app/init.go | 4 +-
 .../semmle/go/frameworks/SQL/main.go | 48 +++---
 .../semmle/go/frameworks/SQL/pg.go | 38 ++---
 .../semmle/go/frameworks/SQL/xorm.go | 112 +++++++-------
 .../go/frameworks/StdlibTaintFlow/Os.go | 54 +++----
 .../semmle/go/frameworks/Yaml/yaml.go | 37 ++---
.../semmle/go/frameworks/Zap/test.go | 98 ++++++------ 37 files changed, 664 insertions(+), 660 deletions(-) diff --git a/ql/test/experimental/frameworks/CleverGo/HeaderWrite.go b/ql/test/experimental/frameworks/CleverGo/HeaderWrite.go index f14e30e8038..217e1a5bc87 100644 --- a/ql/test/experimental/frameworks/CleverGo/HeaderWrite.go +++ b/ql/test/experimental/frameworks/CleverGo/HeaderWrite.go @@ -15,7 +15,7 @@ func HeaderWrite_ClevergoTechClevergoV052() { keyString506 := source().(string) valString213 := source().(string) var rece clevergo.Context - rece.SetHeader(keyString506, valString213) // $headerKeyNode=keyString506 $headerValNode=valString213 + rece.SetHeader(keyString506, valString213) // $ headerKeyNode=keyString506 $headerValNode=valString213 } } } @@ -27,7 +27,7 @@ func HeaderWrite_ClevergoTechClevergoV052() { { valString468 := source().(string) var rece clevergo.Context - rece.SetContentType(valString468) // $headerKey=content-type $headerValNode=valString468 + rece.SetContentType(valString468) // $ headerKey=content-type $headerValNode=valString468 } } } 
@@ -38,22 +38,22 @@ func HeaderWrite_ClevergoTechClevergoV052() { // func (*Context).SetContentTypeHTML() { var rece clevergo.Context - rece.SetContentTypeHTML() // $headerKey=content-type $headerVal=text/html + rece.SetContentTypeHTML() // $ headerKey=content-type $headerVal=text/html } // func (*Context).SetContentTypeJSON() { var rece clevergo.Context - rece.SetContentTypeJSON() // $headerKey=content-type $headerVal=application/json + rece.SetContentTypeJSON() // $ headerKey=content-type $headerVal=application/json } // func (*Context).SetContentTypeText() { var rece clevergo.Context - rece.SetContentTypeText() // $headerKey=content-type $headerVal=text/plain + rece.SetContentTypeText() // $ headerKey=content-type $headerVal=text/plain } // func (*Context).SetContentTypeXML() { var rece clevergo.Context - rece.SetContentTypeXML() // $headerKey=content-type $headerVal=text/xml + rece.SetContentTypeXML() // $ headerKey=content-type $headerVal=text/xml } } } diff --git a/ql/test/experimental/frameworks/CleverGo/HttpRedirect.go b/ql/test/experimental/frameworks/CleverGo/HttpRedirect.go index f9ab6e443e1..4e21407988b 100644 --- a/ql/test/experimental/frameworks/CleverGo/HttpRedirect.go +++ b/ql/test/experimental/frameworks/CleverGo/HttpRedirect.go @@ -14,7 +14,7 @@ func HttpRedirect_ClevergoTechClevergoV052() { { urlString316 := source().(string) var rece clevergo.Context - rece.Redirect(0, urlString316) // $redirectUrl=urlString316 + rece.Redirect(0, urlString316) // $ redirectUrl=urlString316 } } } diff --git a/ql/test/experimental/frameworks/CleverGo/HttpResponseBody.go b/ql/test/experimental/frameworks/CleverGo/HttpResponseBody.go index c27b1fc0097..12401a37e34 100644 --- a/ql/test/experimental/frameworks/CleverGo/HttpResponseBody.go +++ b/ql/test/experimental/frameworks/CleverGo/HttpResponseBody.go 
@@ -14,86 +14,86 @@ func HttpResponseBody_ClevergoTechClevergoV052() { { bodyString145 := source().(string) var rece clevergo.Context - rece.Error(0, bodyString145) // $contentType=text/plain $responseBody=bodyString145 + rece.Error(0, bodyString145) // $ contentType=text/plain $responseBody=bodyString145 } // func (*Context).HTML(code int, html string) error { bodyString817 := source().(string) var rece clevergo.Context - rece.HTML(0, bodyString817) // $contentType=text/html $responseBody=bodyString817 + rece.HTML(0, bodyString817) // $ contentType=text/html $responseBody=bodyString817 } // func (*Context).HTMLBlob(code int, bs []byte) error { bodyByte474 := source().([]byte) var rece clevergo.Context - rece.HTMLBlob(0, bodyByte474) // $contentType=text/html $responseBody=bodyByte474 + rece.HTMLBlob(0, bodyByte474) // $ contentType=text/html $responseBody=bodyByte474 } // func (*Context).JSON(code int, data interface{}) error { bodyInterface832 := source().(interface{}) var rece clevergo.Context - rece.JSON(0, bodyInterface832) // $contentType=application/json $responseBody=bodyInterface832 + rece.JSON(0, bodyInterface832) // $ contentType=application/json $responseBody=bodyInterface832 } // func (*Context).JSONBlob(code int, bs []byte) error { bodyByte378 := source().([]byte) var rece clevergo.Context - rece.JSONBlob(0, bodyByte378) // $contentType=application/json $responseBody=bodyByte378 + rece.JSONBlob(0, bodyByte378) // $ contentType=application/json $responseBody=bodyByte378 } // func (*Context).JSONP(code int, data interface{}) error { bodyInterface541 := source().(interface{}) var rece clevergo.Context - rece.JSONP(0, bodyInterface541) // $contentType=application/javascript $responseBody=bodyInterface541 + rece.JSONP(0, bodyInterface541) // $ contentType=application/javascript $responseBody=bodyInterface541 } // func (*Context).JSONPBlob(code int, bs []byte) error { bodyByte139 := source().([]byte) var rece clevergo.Context - rece.JSONPBlob(0, 
bodyByte139) // $contentType=application/javascript $responseBody=bodyByte139 + rece.JSONPBlob(0, bodyByte139) // $ contentType=application/javascript $responseBody=bodyByte139 } // func (*Context).JSONPCallback(code int, callback string, data interface{}) error { bodyInterface814 := source().(interface{}) var rece clevergo.Context - rece.JSONPCallback(0, "", bodyInterface814) // $contentType=application/javascript $responseBody=bodyInterface814 + rece.JSONPCallback(0, "", bodyInterface814) // $ contentType=application/javascript $responseBody=bodyInterface814 } // func (*Context).JSONPCallbackBlob(code int, callback string, bs []byte) (err error) { bodyByte768 := source().([]byte) var rece clevergo.Context - rece.JSONPCallbackBlob(0, "", bodyByte768) // $contentType=application/javascript $responseBody=bodyByte768 + rece.JSONPCallbackBlob(0, "", bodyByte768) // $ contentType=application/javascript $responseBody=bodyByte768 } // func (*Context).String(code int, s string) error { bodyString468 := source().(string) var rece clevergo.Context - rece.String(0, bodyString468) // $contentType=text/plain $responseBody=bodyString468 + rece.String(0, bodyString468) // $ contentType=text/plain $responseBody=bodyString468 } // func (*Context).StringBlob(code int, bs []byte) error { bodyByte736 := source().([]byte) var rece clevergo.Context - rece.StringBlob(0, bodyByte736) // $contentType=text/plain $responseBody=bodyByte736 + rece.StringBlob(0, bodyByte736) // $ contentType=text/plain $responseBody=bodyByte736 } // func (*Context).Stringf(code int, format string, a ...interface{}) error { bodyString516 := source().(string) bodyInterface246 := source().(interface{}) var rece clevergo.Context - rece.Stringf(0, bodyString516, bodyInterface246) // $contentType=text/plain $responseBody=bodyString516 $responseBody=bodyInterface246 + rece.Stringf(0, bodyString516, bodyInterface246) // $ contentType=text/plain $responseBody=bodyString516 $responseBody=bodyInterface246 } // func 
(*Context).XML(code int, data interface{}) error { bodyInterface679 := source().(interface{}) var rece clevergo.Context - rece.XML(0, bodyInterface679) // $contentType=text/xml $responseBody=bodyInterface679 + rece.XML(0, bodyInterface679) // $ contentType=text/xml $responseBody=bodyInterface679 } // func (*Context).XMLBlob(code int, bs []byte) error { bodyByte736 := source().([]byte) var rece clevergo.Context - rece.XMLBlob(0, bodyByte736) // $contentType=text/xml $responseBody=bodyByte736 + rece.XMLBlob(0, bodyByte736) // $ contentType=text/xml $responseBody=bodyByte736 } } } @@ -105,13 +105,13 @@ func HttpResponseBody_ClevergoTechClevergoV052() { { bodyByte839 := source().([]byte) var rece clevergo.Context - rece.Blob(0, "application/json", bodyByte839) // $contentType=application/json $responseBody=bodyByte839 + rece.Blob(0, "application/json", bodyByte839) // $ contentType=application/json $responseBody=bodyByte839 } // func (*Context).Emit(code int, contentType string, body string) (err error) { bodyString273 := source().(string) var rece clevergo.Context - rece.Emit(0, "application/json", bodyString273) // $contentType=application/json $responseBody=bodyString273 + rece.Emit(0, "application/json", bodyString273) // $ contentType=application/json $responseBody=bodyString273 } } } @@ -123,13 +123,13 @@ func HttpResponseBody_ClevergoTechClevergoV052() { { bodyByte982 := source().([]byte) var rece clevergo.Context - rece.Write(bodyByte982) // $responseBody=bodyByte982 + rece.Write(bodyByte982) // $ responseBody=bodyByte982 } // func (*Context).WriteString(data string) (int, error) { bodyString458 := source().(string) var rece clevergo.Context - rece.WriteString(bodyString458) // $responseBody=bodyString458 + rece.WriteString(bodyString458) // $ responseBody=bodyString458 } } } diff --git a/ql/test/experimental/frameworks/CleverGo/TaintTracking.go b/ql/test/experimental/frameworks/CleverGo/TaintTracking.go index 614e0fed03d..92c6a501361 100644 
--- a/ql/test/experimental/frameworks/CleverGo/TaintTracking.go +++ b/ql/test/experimental/frameworks/CleverGo/TaintTracking.go @@ -17,7 +17,7 @@ func TaintTracking_ClevergoTechClevergoV052() { { fromString598 := source().(string) intoString631 := clevergo.CleanPath(fromString598) - sink(intoString631) // $taintSink + sink(intoString631) // $ taintSink } } // Taint-tracking through method calls. @@ -30,13 +30,13 @@ func TaintTracking_ClevergoTechClevergoV052() { fromString165 := source().(string) var mediumObjCQL clevergo.Application intoURL150, _ := mediumObjCQL.RouteURL(fromString165, "") - sink(intoURL150) // $taintSink + sink(intoURL150) // $ taintSink } { fromString340 := source().(string) var mediumObjCQL clevergo.Application intoURL471, _ := mediumObjCQL.RouteURL("", fromString340) - sink(intoURL471) // $taintSink + sink(intoURL471) // $ taintSink } } } @@ -46,7 +46,7 @@ func TaintTracking_ClevergoTechClevergoV052() { { fromContext290 := source().(clevergo.Context) intoContext758 := fromContext290.Context() - sink(intoContext758) // $taintSink + sink(intoContext758) // $ taintSink } } // Taint-tracking through method calls on clevergo.tech/clevergo.Params. @@ -55,7 +55,7 @@ func TaintTracking_ClevergoTechClevergoV052() { { fromParams396 := source().(clevergo.Params) intoString707 := fromParams396.String("") - sink(intoString707) // $taintSink $untrustedFlowSource + sink(intoString707) // $ taintSink $untrustedFlowSource } } } @@ -69,7 +69,7 @@ func TaintTracking_ClevergoTechClevergoV052() { var intoInterface718 interface{} var mediumObjCQL clevergo.Decoder mediumObjCQL.Decode(fromRequest912, intoInterface718) - sink(intoInterface718) // $taintSink $untrustedFlowSource + sink(intoInterface718) // $ taintSink $untrustedFlowSource } } // Taint-tracking through method calls on clevergo.tech/clevergo.Renderer interface. 
@@ -80,7 +80,7 @@ func TaintTracking_ClevergoTechClevergoV052() { var intoWriter633 io.Writer var mediumObjCQL clevergo.Renderer mediumObjCQL.Render(intoWriter633, "", fromInterface972, nil) - sink(intoWriter633) // $taintSink + sink(intoWriter633) // $ taintSink } } } diff --git a/ql/test/experimental/frameworks/CleverGo/UntrustedSources.go b/ql/test/experimental/frameworks/CleverGo/UntrustedSources.go index 30b939ed902..4df9ddabd89 100644 --- a/ql/test/experimental/frameworks/CleverGo/UntrustedSources.go +++ b/ql/test/experimental/frameworks/CleverGo/UntrustedSources.go @@ -15,8 +15,8 @@ func UntrustedSources_ClevergoTechClevergoV052() { var receiverContext656 clevergo.Context resultUsername414, resultPassword518, _ := receiverContext656.BasicAuth() sink( - resultUsername414, // $untrustedFlowSource - resultPassword518, // $untrustedFlowSource + resultUsername414, // $ untrustedFlowSource + resultPassword518, // $ untrustedFlowSource ) } // func (*Context).Decode(v interface{}) (err error) 
@@ -24,49 +24,49 @@ func UntrustedSources_ClevergoTechClevergoV052() { var receiverContext650 clevergo.Context var paramV784 interface{} receiverContext650.Decode(paramV784) - sink(paramV784) // $untrustedFlowSource + sink(paramV784) // $ untrustedFlowSource } // func (*Context).DefaultQuery(key string, defaultVlue string) string { var receiverContext957 clevergo.Context result520 := receiverContext957.DefaultQuery("", "") - sink(result520) // $untrustedFlowSource + sink(result520) // $ untrustedFlowSource } // func (*Context).FormValue(key string) string { var receiverContext443 clevergo.Context result127 := receiverContext443.FormValue("") - sink(result127) // $untrustedFlowSource + sink(result127) // $ untrustedFlowSource } // func (*Context).GetHeader(name string) string { var receiverContext483 clevergo.Context result989 := receiverContext483.GetHeader("") - sink(result989) // $untrustedFlowSource + sink(result989) // $ untrustedFlowSource } // func (*Context).PostFormValue(key string) string { var receiverContext982 clevergo.Context result417 := receiverContext982.PostFormValue("") - sink(result417) // $untrustedFlowSource + sink(result417) // $ untrustedFlowSource } // func (*Context).QueryParam(key string) string { var receiverContext584 clevergo.Context result991 := receiverContext584.QueryParam("") - sink(result991) // $untrustedFlowSource + sink(result991) // $ untrustedFlowSource } // func (*Context).QueryParams() net/url.Values { var receiverContext881 clevergo.Context result186 := receiverContext881.QueryParams() - sink(result186) // $untrustedFlowSource + sink(result186) // $ untrustedFlowSource } // func (*Context).QueryString() string { var receiverContext284 clevergo.Context result908 := receiverContext284.QueryString() - sink(result908) // $untrustedFlowSource + sink(result908) // $ untrustedFlowSource } } // Untrusted flow sources from method calls on clevergo.tech/clevergo.Params. 
@@ -75,7 +75,7 @@ func UntrustedSources_ClevergoTechClevergoV052() { { var receiverParams137 clevergo.Params result494 := receiverParams137.String("") - sink(result494) // $untrustedFlowSource + sink(result494) // $ untrustedFlowSource } } } @@ -88,7 +88,7 @@ func UntrustedSources_ClevergoTechClevergoV052() { var receiverDecoder873 clevergo.Decoder var paramV599 interface{} receiverDecoder873.Decode(nil, paramV599) - sink(paramV599) // $untrustedFlowSource + sink(paramV599) // $ untrustedFlowSource } } } @@ -97,14 +97,14 @@ func UntrustedSources_ClevergoTechClevergoV052() { // Untrusted flow sources from clevergo.tech/clevergo.Context struct fields. { structContext409 := new(clevergo.Context) - sink(structContext409.Params) // $untrustedFlowSource + sink(structContext409.Params) // $ untrustedFlowSource } // Untrusted flow sources from clevergo.tech/clevergo.Param struct fields. { structParam246 := new(clevergo.Param) sink( - structParam246.Key, // $untrustedFlowSource - structParam246.Value, // $untrustedFlowSource + structParam246.Key, // $ untrustedFlowSource + structParam246.Value, // $ untrustedFlowSource ) } } @@ -112,7 +112,7 @@ func UntrustedSources_ClevergoTechClevergoV052() { { { var typeParams898 clevergo.Params - sink(typeParams898) // $untrustedFlowSource + sink(typeParams898) // $ untrustedFlowSource } } } diff --git a/ql/test/experimental/frameworks/Fiber/HeaderWrite.go b/ql/test/experimental/frameworks/Fiber/HeaderWrite.go index d32002dfcd6..e4798e60532 100644 --- a/ql/test/experimental/frameworks/Fiber/HeaderWrite.go +++ b/ql/test/experimental/frameworks/Fiber/HeaderWrite.go 
@@ -15,14 +15,14 @@ func HeaderWrite_GithubComGofiberFiberV1146() { keyString378 := source().(string) valString541 := source().(string) var rece fiber.Ctx - rece.Append(keyString378, valString541) // $headerKeyNode=keyString378 $headerValNode=valString541 + rece.Append(keyString378, valString541) // $ headerKeyNode=keyString378 $headerValNode=valString541 } // func (*Ctx).Set(key string, val string) { keyString139 := source().(string) valString814 := source().(string) var rece fiber.Ctx - rece.Set(keyString139, valString814) // $headerKeyNode=keyString139 $headerValNode=valString814 + rece.Set(keyString139, valString814) // $ headerKeyNode=keyString139 $headerValNode=valString814 } } } diff --git a/ql/test/experimental/frameworks/Fiber/Redirect.go b/ql/test/experimental/frameworks/Fiber/Redirect.go index 1c92cb941d1..6833702c710 100644 --- a/ql/test/experimental/frameworks/Fiber/Redirect.go +++ b/ql/test/experimental/frameworks/Fiber/Redirect.go @@ -14,7 +14,7 @@ func Redirect_GithubComGofiberFiberV1146() { { urlString832 := source().(string) var rece fiber.Ctx - rece.Redirect(urlString832, 0) // $redirectUrl=urlString832 + rece.Redirect(urlString832, 0) // $ redirectUrl=urlString832 } } } diff --git a/ql/test/experimental/frameworks/Fiber/ResponseBody.go b/ql/test/experimental/frameworks/Fiber/ResponseBody.go index 74f6bf451a5..f9465b68dee 100644 --- a/ql/test/experimental/frameworks/Fiber/ResponseBody.go +++ b/ql/test/experimental/frameworks/Fiber/ResponseBody.go 
@@ -18,13 +18,13 @@ func ResponseBody_GithubComGofiberFiberV1146() { { bodyInterface768 := source().(interface{}) var rece fiber.Ctx - rece.JSON(bodyInterface768) // $contentType=application/json $responseBody=bodyInterface768 + rece.JSON(bodyInterface768) // $ contentType=application/json $responseBody=bodyInterface768 } // func (*Ctx).JSONP(data interface{}, callback ...string) error { bodyInterface468 := source().(interface{}) var rece fiber.Ctx - rece.JSONP(bodyInterface468, "") // $contentType=application/javascript $responseBody=bodyInterface468 + rece.JSONP(bodyInterface468, "") // $ contentType=application/javascript $responseBody=bodyInterface468 } } } 
@@ -36,37 +36,37 @@ func ResponseBody_GithubComGofiberFiberV1146() { { bodyInterface736 := source().(interface{}) var rece fiber.Ctx - rece.Format(bodyInterface736) // $responseBody=bodyInterface736 + rece.Format(bodyInterface736) // $ responseBody=bodyInterface736 } // func (*Ctx).Send(bodies ...interface{}) { bodyInterface516 := source().(interface{}) var rece fiber.Ctx - rece.Send(bodyInterface516) // $responseBody=bodyInterface516 + rece.Send(bodyInterface516) // $ responseBody=bodyInterface516 } // func (*Ctx).SendBytes(body []byte) { bodyByte246 := source().([]byte) var rece fiber.Ctx - rece.SendBytes(bodyByte246) // $responseBody=bodyByte246 + rece.SendBytes(bodyByte246) // $ responseBody=bodyByte246 } // func (*Ctx).SendStream(stream io.Reader, size ...int) { bodyReader679 := source().(io.Reader) var rece fiber.Ctx - rece.SendStream(bodyReader679, 0) // $responseBody=bodyReader679 + rece.SendStream(bodyReader679, 0) // $ responseBody=bodyReader679 } // func (*Ctx).SendString(body string) { bodyString736 := source().(string) var rece fiber.Ctx - rece.SendString(bodyString736) // $responseBody=bodyString736 + rece.SendString(bodyString736) // $ responseBody=bodyString736 } // func (*Ctx).Write(bodies ...interface{}) { bodyInterface839 := source().(interface{}) var rece fiber.Ctx - rece.Write(bodyInterface839) // $responseBody=bodyInterface839 + rece.Write(bodyInterface839) // $ responseBody=bodyInterface839 } } } diff --git a/ql/test/experimental/frameworks/Fiber/TaintTracking.go b/ql/test/experimental/frameworks/Fiber/TaintTracking.go index 0dd551d7425..3b15aa1ea39 100644 --- a/ql/test/experimental/frameworks/Fiber/TaintTracking.go +++ b/ql/test/experimental/frameworks/Fiber/TaintTracking.go @@ -15,7 +15,7 @@ func TaintTracking_GithubComGofiberFiberV1146() { { fromString656 := source().(string) intoError414 := fiber.NewError(0, fromString656) - sink(intoError414) // $taintSink + sink(intoError414) // $ taintSink } } } 
@@ -28,79 +28,79 @@ func TaintTracking_GithubComGofiberUtilsV0010() { { fromString989 := source().(string) intoByte982 := utils.GetBytes(fromString989) - sink(intoByte982) // $taintSink + sink(intoByte982) // $ taintSink } // func GetString(b []byte) string { fromByte417 := source().([]byte) intoString584 := utils.GetString(fromByte417) - sink(intoString584) // $taintSink + sink(intoString584) // $ taintSink } // func ImmutableString(s string) string { fromString991 := source().(string) intoString881 := utils.ImmutableString(fromString991) - sink(intoString881) // $taintSink + sink(intoString881) // $ taintSink } // func ToLower(b string) string { fromString494 := source().(string) intoString873 := utils.ToLower(fromString494) - sink(intoString873) // $taintSink + sink(intoString873) // $ taintSink } // func ToLowerBytes(b []byte) []byte { fromByte599 := source().([]byte) intoByte409 := utils.ToLowerBytes(fromByte599) - sink(intoByte409) // $taintSink + sink(intoByte409) // $ taintSink } // func ToUpper(b string) string { fromString246 := source().(string) intoString898 := utils.ToUpper(fromString246) - sink(intoString898) // $taintSink + sink(intoString898) // $ taintSink } // func ToUpperBytes(b []byte) []byte { fromByte598 := source().([]byte) intoByte631 := utils.ToUpperBytes(fromByte598) - sink(intoByte631) // $taintSink + sink(intoByte631) // $ taintSink } // func Trim(s string, cutset byte) string { fromString165 := source().(string) intoString150 := utils.Trim(fromString165, 0) - sink(intoString150) // $taintSink + sink(intoString150) // $ taintSink } // func TrimBytes(b []byte, cutset byte) []byte { fromByte340 := source().([]byte) intoByte471 := utils.TrimBytes(fromByte340, 0) - sink(intoByte471) // $taintSink + sink(intoByte471) // $ taintSink } // func TrimLeft(s string, cutset byte) string { fromString290 := source().(string) intoString758 := utils.TrimLeft(fromString290, 0) - sink(intoString758) // $taintSink + sink(intoString758) // $ taintSink } // 
func TrimLeftBytes(b []byte, cutset byte) []byte { fromByte396 := source().([]byte) intoByte707 := utils.TrimLeftBytes(fromByte396, 0) - sink(intoByte707) // $taintSink + sink(intoByte707) // $ taintSink } // func TrimRight(s string, cutset byte) string { fromString912 := source().(string) intoString718 := utils.TrimRight(fromString912, 0) - sink(intoString718) // $taintSink + sink(intoString718) // $ taintSink } // func TrimRightBytes(b []byte, cutset byte) []byte { fromByte972 := source().([]byte) intoByte633 := utils.TrimRightBytes(fromByte972, 0) - sink(intoByte633) // $taintSink + sink(intoByte633) // $ taintSink } } } diff --git a/ql/test/experimental/frameworks/Fiber/UntrustedFlowSources.go b/ql/test/experimental/frameworks/Fiber/UntrustedFlowSources.go index 23f2afe87a2..3e09a633694 100644 --- a/ql/test/experimental/frameworks/Fiber/UntrustedFlowSources.go +++ b/ql/test/experimental/frameworks/Fiber/UntrustedFlowSources.go 
@@ -14,105 +14,105 @@ func UntrustedFlowSources_GithubComGofiberFiberV1146() { { var receiverCtx273 fiber.Ctx result982 := receiverCtx273.BaseURL() - sink(result982) // $untrustedFlowSource + sink(result982) // $ untrustedFlowSource } // func (*Ctx).Body() string { var receiverCtx458 fiber.Ctx result506 := receiverCtx458.Body() - sink(result506) // $untrustedFlowSource + sink(result506) // $ untrustedFlowSource } // func (*Ctx).BodyParser(out interface{}) error { var receiverCtx213 fiber.Ctx var paramOut468 interface{} receiverCtx213.BodyParser(paramOut468) - sink(paramOut468) // $untrustedFlowSource + sink(paramOut468) // $ untrustedFlowSource } // func (*Ctx).Cookies(key string, defaultValue ...string) string { var receiverCtx219 fiber.Ctx result265 := receiverCtx219.Cookies("", "") - sink(result265) // $untrustedFlowSource + sink(result265) // $ untrustedFlowSource } // func (*Ctx).FormFile(key string) (*mime/multipart.FileHeader, error) { var receiverCtx971 fiber.Ctx result320, _ := receiverCtx971.FormFile("") - sink(result320) // $untrustedFlowSource + sink(result320) // $ untrustedFlowSource } // func (*Ctx).FormValue(key string) (value string) { var receiverCtx545 fiber.Ctx resultValue566 := receiverCtx545.FormValue("") - sink(resultValue566) // $untrustedFlowSource + sink(resultValue566) // $ untrustedFlowSource } // func (*Ctx).Get(key string, defaultValue ...string) string { var receiverCtx497 fiber.Ctx result274 := receiverCtx497.Get("", "") - sink(result274) // $untrustedFlowSource + sink(result274) // $ untrustedFlowSource } // func (*Ctx).Hostname() string { var receiverCtx783 fiber.Ctx result905 := receiverCtx783.Hostname() - sink(result905) // $untrustedFlowSource + sink(result905) // $ untrustedFlowSource } // func (*Ctx).Method(override ...string) string { var receiverCtx389 fiber.Ctx result198 := receiverCtx389.Method("") - sink(result198) // $untrustedFlowSource + sink(result198) // $ untrustedFlowSource } // func (*Ctx).MultipartForm() 
(*mime/multipart.Form, error) { var receiverCtx477 fiber.Ctx result544, _ := receiverCtx477.MultipartForm() - sink(result544) // $untrustedFlowSource + sink(result544) // $ untrustedFlowSource } // func (*Ctx).OriginalURL() string { var receiverCtx382 fiber.Ctx result715 := receiverCtx382.OriginalURL() - sink(result715) // $untrustedFlowSource + sink(result715) // $ untrustedFlowSource } // func (*Ctx).Params(key string, defaultValue ...string) string { var receiverCtx179 fiber.Ctx result366 := receiverCtx179.Params("", "") - sink(result366) // $untrustedFlowSource + sink(result366) // $ untrustedFlowSource } // func (*Ctx).Path(override ...string) string { var receiverCtx648 fiber.Ctx result544 := receiverCtx648.Path("") - sink(result544) // $untrustedFlowSource + sink(result544) // $ untrustedFlowSource } // func (*Ctx).Query(key string, defaultValue ...string) string { var receiverCtx754 fiber.Ctx result680 := receiverCtx754.Query("", "") - sink(result680) // $untrustedFlowSource + sink(result680) // $ untrustedFlowSource } // func (*Ctx).QueryParser(out interface{}) error { var receiverCtx722 fiber.Ctx var paramOut506 interface{} receiverCtx722.QueryParser(paramOut506) - sink(paramOut506) // $untrustedFlowSource + sink(paramOut506) // $ untrustedFlowSource } // func (*Ctx).Range(size int) (rangeData Range, err error) { var receiverCtx121 fiber.Ctx resultRangeData293, _ := receiverCtx121.Range(0) - sink(resultRangeData293) // $untrustedFlowSource + sink(resultRangeData293) // $ untrustedFlowSource } // func (*Ctx).Subdomains(offset ...int) []string { var receiverCtx151 fiber.Ctx result849 := receiverCtx151.Subdomains(0) - sink(result849) // $untrustedFlowSource + sink(result849) // $ untrustedFlowSource } } } 
@@ -122,17 +122,17 @@ func UntrustedFlowSources_GithubComGofiberFiberV1146() { { structCookie322 := new(fiber.Cookie) sink( - structCookie322.Domain, // $untrustedFlowSource - structCookie322.Name, // $untrustedFlowSource - structCookie322.Path, // $untrustedFlowSource - structCookie322.SameSite, // $untrustedFlowSource - structCookie322.Value, // $untrustedFlowSource + structCookie322.Domain, // $ untrustedFlowSource + structCookie322.Name, // $ untrustedFlowSource + structCookie322.Path, // $ untrustedFlowSource + structCookie322.SameSite, // $ untrustedFlowSource + structCookie322.Value, // $ untrustedFlowSource ) } // Untrusted flow sources from github.com/gofiber/fiber.Error struct fields. { structError339 := new(fiber.Error) - sink(structError339.Message) // $untrustedFlowSource + sink(structError339.Message) // $ untrustedFlowSource } } } diff --git a/ql/test/library-tests/semmle/go/concepts/HTTP/main.go b/ql/test/library-tests/semmle/go/concepts/HTTP/main.go index 7abf0a170c0..12a3929cec6 100644 --- a/ql/test/library-tests/semmle/go/concepts/HTTP/main.go +++ b/ql/test/library-tests/semmle/go/concepts/HTTP/main.go @@ -57,9 +57,9 @@ func main() { resp, _ := http.Get("https://example.com") resp.Header.Set("This-Makes", "No sense") - http.HandleFunc("/foo", handler) // $handler="/foo" + http.HandleFunc("/foo", handler) // $ handler="/foo" - http.HandleFunc("/bar", func(w http.ResponseWriter, r *http.Request) { // $handler="/bar" + http.HandleFunc("/bar", func(w http.ResponseWriter, r *http.Request) { // $ handler="/bar" fmt.Fprintf(w, "Hello, %q", html.EscapeString(r.URL.Path)) }) } diff --git a/ql/test/library-tests/semmle/go/concepts/LoggerCall/glog.go b/ql/test/library-tests/semmle/go/concepts/LoggerCall/glog.go index bbf1c56a06f..93d245f05b2 100644 --- a/ql/test/library-tests/semmle/go/concepts/LoggerCall/glog.go +++ b/ql/test/library-tests/semmle/go/concepts/LoggerCall/glog.go 
@@ -9,45 +9,45 @@ import ( ) func glogTest() { - glog.Error(text) // $logger=text - glog.ErrorDepth(0, text) // $MISSING:logger=text - glog.Errorf(fmt, text) // $logger=fmt $logger=text - glog.Errorln(text) // $logger=text - glog.Exit(text) // $logger=text - glog.ExitDepth(0, text) // $MISSING:logger=text - glog.Exitf(fmt, text) // $logger=fmt $logger=text - glog.Exitln(text) // $logger=text - glog.Fatal(text) // $logger=text - glog.FatalDepth(0, text) // $MISSING:logger=text - glog.Fatalf(fmt, text) // $logger=fmt $logger=text - glog.Fatalln(text) // $logger=text - glog.Info(text) // $logger=text - glog.InfoDepth(0, text) // $MISSING:logger=text - glog.Infof(fmt, text) // $logger=fmt $logger=text - glog.Infoln(text) // $logger=text - glog.Warning(text) // $logger=text - glog.WarningDepth(0, text) // $MISSING:logger=text - glog.Warningf(fmt, text) // $logger=fmt $logger=text - glog.Warningln(text) // $logger=text + glog.Error(text) // $ logger=text + glog.ErrorDepth(0, text) // $ MISSING:logger=text + glog.Errorf(fmt, text) // $ logger=fmt $logger=text + glog.Errorln(text) // $ logger=text + glog.Exit(text) // $ logger=text + glog.ExitDepth(0, text) // $ MISSING:logger=text + glog.Exitf(fmt, text) // $ logger=fmt $logger=text + glog.Exitln(text) // $ logger=text + glog.Fatal(text) // $ logger=text + glog.FatalDepth(0, text) // $ MISSING:logger=text + glog.Fatalf(fmt, text) // $ logger=fmt $logger=text + glog.Fatalln(text) // $ logger=text + glog.Info(text) // $ logger=text + glog.InfoDepth(0, text) // $ MISSING:logger=text + glog.Infof(fmt, text) // $ logger=fmt $logger=text + glog.Infoln(text) // $ logger=text + glog.Warning(text) // $ logger=text + glog.WarningDepth(0, text) // $ MISSING:logger=text + glog.Warningf(fmt, text) // $ logger=fmt $logger=text + glog.Warningln(text) // $ logger=text - klog.Error(text) // $logger=text - klog.ErrorDepth(0, text) // $MISSING:logger=text - klog.Errorf(fmt, text) // $logger=fmt $logger=text - klog.Errorln(text) // 
$logger=text - klog.Exit(text) // $logger=text - klog.ExitDepth(0, text) // $MISSING:logger=text - klog.Exitf(fmt, text) // $logger=fmt $logger=text - klog.Exitln(text) // $logger=text - klog.Fatal(text) // $logger=text - klog.FatalDepth(0, text) // $MISSING:logger=text - klog.Fatalf(fmt, text) // $logger=fmt $logger=text - klog.Fatalln(text) // $logger=text - klog.Info(text) // $logger=text - klog.InfoDepth(0, text) // $MISSING:logger=text - klog.Infof(fmt, text) // $logger=fmt $logger=text - klog.Infoln(text) // $logger=text - klog.Warning(text) // $logger=text - klog.WarningDepth(0, text) // $MISSING:logger=text - klog.Warningf(fmt, text) // $logger=fmt $logger=text - klog.Warningln(text) // $logger=text + klog.Error(text) // $ logger=text + klog.ErrorDepth(0, text) // $ MISSING:logger=text + klog.Errorf(fmt, text) // $ logger=fmt $logger=text + klog.Errorln(text) // $ logger=text + klog.Exit(text) // $ logger=text + klog.ExitDepth(0, text) // $ MISSING:logger=text + klog.Exitf(fmt, text) // $ logger=fmt $logger=text + klog.Exitln(text) // $ logger=text + klog.Fatal(text) // $ logger=text + klog.FatalDepth(0, text) // $ MISSING:logger=text + klog.Fatalf(fmt, text) // $ logger=fmt $logger=text + klog.Fatalln(text) // $ logger=text + klog.Info(text) // $ logger=text + klog.InfoDepth(0, text) // $ MISSING:logger=text + klog.Infof(fmt, text) // $ logger=fmt $logger=text + klog.Infoln(text) // $ logger=text + klog.Warning(text) // $ logger=text + klog.WarningDepth(0, text) // $ MISSING:logger=text + klog.Warningf(fmt, text) // $ logger=fmt $logger=text + klog.Warningln(text) // $ logger=text } diff --git a/ql/test/library-tests/semmle/go/concepts/LoggerCall/logrus.go b/ql/test/library-tests/semmle/go/concepts/LoggerCall/logrus.go index 3dd4da3ef0d..dd42b8576a7 100644 --- a/ql/test/library-tests/semmle/go/concepts/LoggerCall/logrus.go +++ b/ql/test/library-tests/semmle/go/concepts/LoggerCall/logrus.go 
@@ -10,7 +10,7 @@ import ( ) func logSomething(entry *logrus.Entry) { - entry.Traceln(text) // $logger=text + entry.Traceln(text) // $ logger=text } func logrusCalls() { @@ -18,18 +18,18 @@ func logrusCalls() { var fields logrus.Fields = nil var fn logrus.LogFunction = nil var ctx context.Context - tmp := logrus.WithContext(ctx) // $logger=ctx - tmp.Debugf(fmt, text) // $logger=fmt $logger=text - tmp = logrus.WithError(err) // $logger=err - tmp.Warn(text) // $logger=text - tmp = logrus.WithFields(fields) // $logger=fields - tmp.Infoln(text) // $logger=text - tmp = logrus.WithFields(fields) // $logger=fields + tmp := logrus.WithContext(ctx) // $ logger=ctx + tmp.Debugf(fmt, text) // $ logger=fmt $logger=text + tmp = logrus.WithError(err) // $ logger=err + tmp.Warn(text) // $ logger=text + tmp = logrus.WithFields(fields) // $ logger=fields + tmp.Infoln(text) // $ logger=text + tmp = logrus.WithFields(fields) // $ logger=fields logSomething(tmp) - logrus.Error(text) // $logger=text - logrus.Fatalf(fmt, text) // $logger=fmt $logger=text - logrus.Panicln(text) // $logger=text - logrus.Infof(fmt, text) // $logger=fmt $logger=text - logrus.FatalFn(fn) // $logger=fn + logrus.Error(text) // $ logger=text + logrus.Fatalf(fmt, text) // $ logger=fmt $logger=text + logrus.Panicln(text) // $ logger=text + logrus.Infof(fmt, text) // $ logger=fmt $logger=text + logrus.FatalFn(fn) // $ logger=fn } diff --git a/ql/test/library-tests/semmle/go/concepts/LoggerCall/stdlib.go b/ql/test/library-tests/semmle/go/concepts/LoggerCall/stdlib.go index 22e2e5de3d5..9b7242e078f 100644 --- a/ql/test/library-tests/semmle/go/concepts/LoggerCall/stdlib.go +++ b/ql/test/library-tests/semmle/go/concepts/LoggerCall/stdlib.go 
@@ -7,24 +7,24 @@ import ( func stdlib() { var logger log.Logger logger.SetPrefix("prefix: ") - logger.Fatal(text) // $logger=text - logger.Fatalf(fmt, text) // $logger=fmt $logger=text - logger.Fatalln(text) // $logger=text - logger.Panic(text) // $logger=text - logger.Panicf(fmt, text) // $logger=fmt $logger=text - logger.Panicln(text) // $logger=text - logger.Print(text) // $logger=text - logger.Printf(fmt, text) // $logger=fmt $logger=text - logger.Println(text) // $logger=text + logger.Fatal(text) // $ logger=text + logger.Fatalf(fmt, text) // $ logger=fmt $logger=text + logger.Fatalln(text) // $ logger=text + logger.Panic(text) // $ logger=text + logger.Panicf(fmt, text) // $ logger=fmt $logger=text + logger.Panicln(text) // $ logger=text + logger.Print(text) // $ logger=text + logger.Printf(fmt, text) // $ logger=fmt $logger=text + logger.Println(text) // $ logger=text log.SetPrefix("prefix: ") - log.Fatal(text) // $logger=text - log.Fatalf(fmt, text) // $logger=fmt $logger=text - log.Fatalln(text) // $logger=text - log.Panic(text) // $logger=text - log.Panicf(fmt, text) // $logger=fmt $logger=text - log.Panicln(text) // $logger=text - log.Print(text) // $logger=text - log.Printf(fmt, text) // $logger=fmt $logger=text - log.Println(text) // $logger=text + log.Fatal(text) // $ logger=text + log.Fatalf(fmt, text) // $ logger=fmt $logger=text + log.Fatalln(text) // $ logger=text + log.Panic(text) // $ logger=text + log.Panicf(fmt, text) // $ logger=fmt $logger=text + log.Panicln(text) // $ logger=text + log.Print(text) // $ logger=text + log.Printf(fmt, text) // $ logger=fmt $logger=text + log.Println(text) // $ logger=text } diff --git a/ql/test/library-tests/semmle/go/dataflow/GuardingFunctions/test.go b/ql/test/library-tests/semmle/go/dataflow/GuardingFunctions/test.go index 2f657e6168d..7b636ab61cb 100644 --- a/ql/test/library-tests/semmle/go/dataflow/GuardingFunctions/test.go +++ b/ql/test/library-tests/semmle/go/dataflow/GuardingFunctions/test.go 
@@ -342,7 +342,7 @@ func test() { { s := source() if guardBool(s) { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } else { sink(s) } @@ -351,7 +351,7 @@ func test() { { s := source() if guardBoolStmt(s) { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } else { sink(s) } @@ -362,7 +362,7 @@ func test() { if juggleParams("other arg", s) { sink(s) } else { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } } @@ -371,14 +371,14 @@ func test() { if guardBoolNeg(s) { sink(s) } else { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } } { s := source() if guardBoolCmp(s) { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } else { sink(s) } @@ -389,14 +389,14 @@ func test() { if guardBoolNegCmp(s) { sink(s) } else { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } } { s := source() if guardBoolLOrLhs(s) { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } else { sink(s) } @@ -405,16 +405,16 @@ func test() { { s := source() if guardBoolLOrNegLhs(s) { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } else { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } } { s := source() if guardBoolLOrRhs(s) { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } else { sink(s) } @@ -423,18 +423,18 @@ func test() { { s := source() if guardBoolLOrNegRhs(s) { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } else { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } } { s := source() if guardBoolLAndLhs(s) { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } else { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } } @@ -443,16 +443,16 @@ func test() { if guardBoolLAndNegLhs(s) { sink(s) } else { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } } { s := source() if guardBoolLAndRhs(s) { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } else { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } } 
@@ -461,14 +461,14 @@ func test() { if guardBoolLAndNegRhs(s) { sink(s) } else { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } } { s := source() if guardBoolProxy(s) { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } else { sink(s) } @@ -479,14 +479,14 @@ func test() { if guardBoolNegProxy(s) { sink(s) } else { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } } { s := source() if guardBoolCmpProxy(s) { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } else { sink(s) } @@ -497,14 +497,14 @@ func test() { if guardBoolNegCmpProxy(s) { sink(s) } else { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } } { s := source() if guardBoolLOrLhsProxy(s) { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } else { sink(s) } @@ -513,16 +513,16 @@ func test() { { s := source() if guardBoolLOrNegLhsProxy(s) { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } else { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } } { s := source() if guardBoolLOrRhsProxy(s) { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } else { sink(s) } @@ -531,18 +531,18 @@ func test() { { s := source() if guardBoolLOrNegRhsProxy(s) { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } else { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } } { s := source() if guardBoolLAndLhsProxy(s) { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } else { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } } @@ -551,16 +551,16 @@ func test() { if guardBoolLAndNegLhsProxy(s) { sink(s) } else { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } } { s := source() if guardBoolLAndRhsProxy(s) { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } else { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } } @@ -569,7 +569,7 @@ func test() { if guardBoolLAndNegRhsProxy(s) { sink(s) } else { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } } 
@@ -578,14 +578,14 @@ func test() { if guardProxyNilToBool(s) { sink(s) } else { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } } { s := source() if guardNeqProxyNilToBool(s) { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } else { sink(s) } @@ -594,7 +594,7 @@ func test() { { s := source() if guardNotEqProxyNilToBool(s) { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } else { sink(s) } @@ -603,7 +603,7 @@ func test() { { s := source() if guardLOrLhsProxyNilToBool(s) { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } else { sink(s) } @@ -612,16 +612,16 @@ func test() { { s := source() if guardLOrNegLhsProxyNilToBool(s) { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } else { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } } { s := source() if guardLOrRhsProxyNilToBool(s) { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } else { sink(s) } @@ -630,18 +630,18 @@ func test() { { s := source() if guardLOrNegRhsProxyNilToBool(s) { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } else { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } } { s := source() if guardLAndLhsProxyNilToBool(s) { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } else { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } } @@ -650,16 +650,16 @@ func test() { if guardLAndNegLhsProxyNilToBool(s) { sink(s) } else { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } } { s := source() if guardLAndRhsProxyNilToBool(s) { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } else { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } } @@ -668,7 +668,7 @@ func test() { if guardLAndNegRhsProxyNilToBool(s) { sink(s) } else { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } } @@ -677,7 +677,7 @@ func test() { if guard(s) == nil { sink(s) } else { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } } 
@@ -686,14 +686,14 @@ func test() { if guardBoolProxyToNil(s) == nil { sink(s) } else { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } } { s := source() if guardBoolNegProxyToNil(s) == nil { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } else { sink(s) } @@ -704,14 +704,14 @@ func test() { if guardBoolCmpProxyToNil(s) == nil { sink(s) } else { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } } { s := source() if guardBoolNegCmpProxyToNil(s) == nil { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } else { sink(s) } @@ -722,16 +722,16 @@ func test() { if guardBoolLOrLhsProxyToNil(s) == nil { sink(s) } else { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } } { s := source() if guardBoolLOrNegLhsProxyToNil(s) == nil { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } else { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } } @@ -740,32 +740,32 @@ func test() { if guardBoolLOrRhsProxyToNil(s) == nil { sink(s) } else { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } } { s := source() if guardBoolLOrNegRhsProxyToNil(s) == nil { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } else { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } } { s := source() if guardBoolLAndLhsProxyToNil(s) == nil { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } else { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } } { s := source() if guardBoolLAndNegLhsProxyToNil(s) == nil { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } else { sink(s) } @@ -774,16 +774,16 @@ func test() { { s := source() if guardBoolLAndRhsProxyToNil(s) == nil { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } else { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } } { s := source() if guardBoolLAndNegRhsProxyToNil(s) == nil { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } else { sink(s) } @@ -794,7 +794,7 @@ func test() { if directProxyNil(s) == nil { sink(s) } else { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } } 
@@ -803,7 +803,7 @@ func test() { if deeplyNestedConditionalLeft(s) { sink(s) } else { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } } @@ -812,7 +812,7 @@ func test() { if deeplyNestedConditionalMiddle(s) { sink(s) } else { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } } @@ -821,7 +821,7 @@ func test() { if deeplyNestedConditionalRight(s) { sink(s) } else { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } } @@ -832,7 +832,7 @@ func test() { s := source() isInvalid := guardBool(s) if isInvalid { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } else { sink(s) } @@ -842,9 +842,9 @@ func test() { s := source() isValid := !guardBool(s) if isValid { - sink(s) // $SPURIOUS:dataflow=s + sink(s) // $ SPURIOUS:dataflow=s } else { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } } diff --git a/ql/test/library-tests/semmle/go/dataflow/ListOfConstantsSanitizerGuards/test.go b/ql/test/library-tests/semmle/go/dataflow/ListOfConstantsSanitizerGuards/test.go index ceab5488627..93be90027c3 100644 --- a/ql/test/library-tests/semmle/go/dataflow/ListOfConstantsSanitizerGuards/test.go +++ b/ql/test/library-tests/semmle/go/dataflow/ListOfConstantsSanitizerGuards/test.go @@ -138,14 +138,14 @@ func main() { if switchStatementReturningTrueOnlyWhenConstant(s) { sink(s) } else { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } } { s := source() if switchStatementReturningFalseOnlyWhenConstant("", s) { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } else { sink(s) } @@ -157,7 +157,7 @@ func main() { if err != nil { sink(s) } else { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } } @@ -166,7 +166,7 @@ func main() { if switchStatementReturningNilOnlyWhenConstant(s) == nil { sink(s) } else { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } } 
@@ -175,25 +175,25 @@ func main() { if multipleSwitchStatementReturningTrueOnlyWhenConstant(s, getRandomString()) { sink(s) } else { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } } { s := source() if switchStatementWithoutUsefulInfo(s) { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } else { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } } { s := source() if switchStatementOverRandomString(s) { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } else { - sink(s) // $dataflow=s + sink(s) // $ dataflow=s } } diff --git a/ql/test/library-tests/semmle/go/dataflow/PromotedFields/main.go b/ql/test/library-tests/semmle/go/dataflow/PromotedFields/main.go index 97bb5eb8a2c..d0272646eb1 100644 --- a/ql/test/library-tests/semmle/go/dataflow/PromotedFields/main.go +++ b/ql/test/library-tests/semmle/go/dataflow/PromotedFields/main.go 
@@ -22,130 +22,130 @@ func testPromotedFieldNamedInitialization() { outer := Outer{ Middle: Middle{Inner: Inner{source()}}, } - sink(outer.field) // $promotedfields - sink(outer.Inner.field) // $promotedfields - sink(outer.Middle.field) // $promotedfields - sink(outer.Middle.Inner.field) // $promotedfields + sink(outer.field) // $ promotedfields + sink(outer.Inner.field) // $ promotedfields + sink(outer.Middle.field) // $ promotedfields + sink(outer.Middle.Inner.field) // $ promotedfields outerp := &Outer{ Middle: Middle{Inner: Inner{source()}}, } - sink(outerp.field) // $promotedfields - sink(outerp.Inner.field) // $promotedfields - sink(outerp.Middle.field) // $promotedfields - sink(outerp.Middle.Inner.field) // $promotedfields + sink(outerp.field) // $ promotedfields + sink(outerp.Inner.field) // $ promotedfields + sink(outerp.Middle.field) // $ promotedfields + sink(outerp.Middle.Inner.field) // $ promotedfields } func testPromotedFieldUnnamedInitialization() { outer := Outer{Middle{Inner{source()}}} - sink(outer.field) // $promotedfields - sink(outer.Inner.field) // $promotedfields - sink(outer.Middle.field) // $promotedfields - sink(outer.Middle.Inner.field) // $promotedfields + sink(outer.field) // $ promotedfields + sink(outer.Inner.field) // $ promotedfields + sink(outer.Middle.field) // $ promotedfields + sink(outer.Middle.Inner.field) // $ promotedfields outerp := &Outer{Middle{Inner{source()}}} - sink(outerp.field) // $promotedfields - sink(outerp.Inner.field) // $promotedfields - sink(outerp.Middle.field) // $promotedfields - sink(outerp.Middle.Inner.field) // $promotedfields + sink(outerp.field) // $ promotedfields + sink(outerp.Inner.field) // $ promotedfields + sink(outerp.Middle.field) // $ promotedfields + sink(outerp.Middle.Inner.field) // $ promotedfields } func testPromotedFieldUnnamedInitializationFromVariable() { inner := Inner{source()} middle := Middle{inner} outer := Outer{middle} - sink(outer.field) // $promotedfields - 
sink(outer.Inner.field) // $promotedfields - sink(outer.Middle.field) // $promotedfields - sink(outer.Middle.Inner.field) // $promotedfields + sink(outer.field) // $ promotedfields + sink(outer.Inner.field) // $ promotedfields + sink(outer.Middle.field) // $ promotedfields + sink(outer.Middle.Inner.field) // $ promotedfields innerp := Inner{source()} middlep := Middle{innerp} outerp := Outer{middlep} - sink(outerp.field) // $promotedfields - sink(outerp.Inner.field) // $promotedfields - sink(outerp.Middle.field) // $promotedfields - sink(outerp.Middle.Inner.field) // $promotedfields + sink(outerp.field) // $ promotedfields + sink(outerp.Inner.field) // $ promotedfields + sink(outerp.Middle.field) // $ promotedfields + sink(outerp.Middle.Inner.field) // $ promotedfields } func testPromotedFieldNamedInitializationFromVariable() { inner := Inner{source()} middle := Middle{Inner: inner} outer := Outer{Middle: middle} - sink(outer.field) // $promotedfields - sink(outer.Inner.field) // $promotedfields - sink(outer.Middle.field) // $promotedfields - sink(outer.Middle.Inner.field) // $promotedfields + sink(outer.field) // $ promotedfields + sink(outer.Inner.field) // $ promotedfields + sink(outer.Middle.field) // $ promotedfields + sink(outer.Middle.Inner.field) // $ promotedfields innerp := Inner{source()} middlep := Middle{Inner: innerp} outerp := Outer{Middle: middlep} - sink(outerp.field) // $promotedfields - sink(outerp.Inner.field) // $promotedfields - sink(outerp.Middle.field) // $promotedfields - sink(outerp.Middle.Inner.field) // $promotedfields + sink(outerp.field) // $ promotedfields + sink(outerp.Inner.field) // $ promotedfields + sink(outerp.Middle.field) // $ promotedfields + sink(outerp.Middle.Inner.field) // $ promotedfields } func testPromotedFieldDirectAssignment() { var outer Outer outer.field = source() - sink(outer.field) // $promotedfields - sink(outer.Inner.field) // $promotedfields - sink(outer.Middle.field) // $promotedfields - 
sink(outer.Middle.Inner.field) // $promotedfields + sink(outer.field) // $ promotedfields + sink(outer.Inner.field) // $ promotedfields + sink(outer.Middle.field) // $ promotedfields + sink(outer.Middle.Inner.field) // $ promotedfields var outerp Outer outerp.field = source() - sink(outerp.field) // $promotedfields - sink(outerp.Inner.field) // $promotedfields - sink(outerp.Middle.field) // $promotedfields - sink(outerp.Middle.Inner.field) // $promotedfields + sink(outerp.field) // $ promotedfields + sink(outerp.Inner.field) // $ promotedfields + sink(outerp.Middle.field) // $ promotedfields + sink(outerp.Middle.Inner.field) // $ promotedfields } func testPromotedFieldIndirectAssignment1() { var outer Outer outer.Inner.field = source() - sink(outer.field) // $promotedfields - sink(outer.Inner.field) // $promotedfields - sink(outer.Middle.field) // $promotedfields - sink(outer.Middle.Inner.field) // $promotedfields + sink(outer.field) // $ promotedfields + sink(outer.Inner.field) // $ promotedfields + sink(outer.Middle.field) // $ promotedfields + sink(outer.Middle.Inner.field) // $ promotedfields var outerp Outer outerp.Inner.field = source() - sink(outerp.field) // $promotedfields - sink(outerp.Inner.field) // $promotedfields - sink(outerp.Middle.field) // $promotedfields - sink(outerp.Middle.Inner.field) // $promotedfields + sink(outerp.field) // $ promotedfields + sink(outerp.Inner.field) // $ promotedfields + sink(outerp.Middle.field) // $ promotedfields + sink(outerp.Middle.Inner.field) // $ promotedfields } func testPromotedFieldIndirectAssignment2() { var outer Outer outer.Middle.field = source() - sink(outer.field) // $promotedfields - sink(outer.Inner.field) // $promotedfields - sink(outer.Middle.field) // $promotedfields - sink(outer.Middle.Inner.field) // $promotedfields + sink(outer.field) // $ promotedfields + sink(outer.Inner.field) // $ promotedfields + sink(outer.Middle.field) // $ promotedfields + sink(outer.Middle.Inner.field) // $ promotedfields 
var outerp Outer outerp.Middle.field = source() - sink(outerp.field) // $promotedfields - sink(outerp.Inner.field) // $promotedfields - sink(outerp.Middle.field) // $promotedfields - sink(outerp.Middle.Inner.field) // $promotedfields + sink(outerp.field) // $ promotedfields + sink(outerp.Inner.field) // $ promotedfields + sink(outerp.Middle.field) // $ promotedfields + sink(outerp.Middle.Inner.field) // $ promotedfields } func testPromotedFieldIndirectAssignment3() { var outer Outer outer.Middle.Inner.field = source() - sink(outer.field) // $promotedfields - sink(outer.Inner.field) // $promotedfields - sink(outer.Middle.field) // $promotedfields - sink(outer.Middle.Inner.field) // $promotedfields + sink(outer.field) // $ promotedfields + sink(outer.Inner.field) // $ promotedfields + sink(outer.Middle.field) // $ promotedfields + sink(outer.Middle.Inner.field) // $ promotedfields var outerp Outer outerp.Middle.Inner.field = source() - sink(outerp.field) // $promotedfields - sink(outerp.Inner.field) // $promotedfields - sink(outerp.Middle.field) // $promotedfields - sink(outerp.Middle.Inner.field) // $promotedfields + sink(outerp.field) // $ promotedfields + sink(outerp.Inner.field) // $ promotedfields + sink(outerp.Middle.field) // $ promotedfields + sink(outerp.Middle.Inner.field) // $ promotedfields } diff --git a/ql/test/library-tests/semmle/go/dataflow/PromotedMethods/methods.go b/ql/test/library-tests/semmle/go/dataflow/PromotedMethods/methods.go index ab523f9bc0e..8601b221ca2 100644 --- a/ql/test/library-tests/semmle/go/dataflow/PromotedMethods/methods.go +++ b/ql/test/library-tests/semmle/go/dataflow/PromotedMethods/methods.go 
@@ -19,27 +19,27 @@ type Base2 struct { } func (e Embedded) sinkFieldOnEmbeddedNonPointerReceiver() { - sink(e.field) // $promotedmethods=nonPointerSender1 $promotedmethods=pointerSender1 $promotedmethods=nonPointerSender2 $promotedmethods=pointerSender2 + sink(e.field) // $ promotedmethods=nonPointerSender1 $promotedmethods=pointerSender1 $promotedmethods=nonPointerSender2 $promotedmethods=pointerSender2 } func (e *Embedded) sinkFieldOnEmbeddedPointerReceiver() { - sink(e.field) // $MISSING:promotedmethods=nonPointerSender1 $promotedmethods=pointerSender1 $promotedmethods=nonPointerSender2 $promotedmethods=pointerSender2 + sink(e.field) // $ MISSING:promotedmethods=nonPointerSender1 $promotedmethods=pointerSender1 $promotedmethods=nonPointerSender2 $promotedmethods=pointerSender2 } func (base1 Base1) sinkFieldOnBase1NonPointerReceiver() { - sink(base1.field) // $promotedmethods=nonPointerSender1 $promotedmethods=pointerSender1 + sink(base1.field) // $ promotedmethods=nonPointerSender1 $promotedmethods=pointerSender1 } func (base1 *Base1) sinkFieldOnBase1PointerReceiver() { - sink(base1.field) // $promotedmethods=pointerSender1 $MISSING:promotedmethods=nonPointerSender1 + sink(base1.field) // $ promotedmethods=pointerSender1 $MISSING:promotedmethods=nonPointerSender1 } func (base2 Base2) sinkFieldOnBase2NonPointerReceiver() { - sink(base2.field) // $promotedmethods=nonPointerSender2 $promotedmethods=pointerSender2 + sink(base2.field) // $ promotedmethods=nonPointerSender2 $promotedmethods=pointerSender2 } func (base2 *Base2) sinkFieldOnBase2PointerReceiver() { - sink(base2.field) // $promotedmethods=pointerSender2 $MISSING:promotedmethods=nonPointerSender2 + sink(base2.field) // $ promotedmethods=pointerSender2 $MISSING:promotedmethods=nonPointerSender2 } func nonPointerSender1() { diff --git a/ql/test/library-tests/semmle/go/dataflow/TypeAssertions/test.go b/ql/test/library-tests/semmle/go/dataflow/TypeAssertions/test.go index c0e97e4387b..36bc65aa023 100644 
--- a/ql/test/library-tests/semmle/go/dataflow/TypeAssertions/test.go +++ b/ql/test/library-tests/semmle/go/dataflow/TypeAssertions/test.go @@ -8,23 +8,23 @@ func sink(p interface{}) {} func test() (bool, *string) { ptr := src() - sink(ptr) // $dataflow=ptr + sink(ptr) // $ dataflow=ptr cast := ptr.(*string) - sink(cast) // $dataflow=cast + sink(cast) // $ dataflow=cast cast2, ok := ptr.(*string) if !ok { return true, nil } - sink(cast2) // $dataflow=cast2 + sink(cast2) // $ dataflow=cast2 var cast3, ok2 = ptr.(*string) if !ok2 { return true, nil } - sink(cast3) // $dataflow=cast3 + sink(cast3) // $ dataflow=cast3 cast2, ok = ptr.(*string) if !ok { return true, nil } - sink(cast2) // $dataflow=cast2 + sink(cast2) // $ dataflow=cast2 return true, nil } diff --git a/ql/test/library-tests/semmle/go/frameworks/CouchbaseV1/test.go b/ql/test/library-tests/semmle/go/frameworks/CouchbaseV1/test.go index f81ff812b35..31c5693ca62 100644 --- a/ql/test/library-tests/semmle/go/frameworks/CouchbaseV1/test.go +++ b/ql/test/library-tests/semmle/go/frameworks/CouchbaseV1/test.go @@ -19,7 +19,7 @@ func analyticsQuery(bucket gocb.Bucket, untrustedSource *http.Request) { q5 := q4.RawParam("name", nil) duration, _ := time.ParseDuration("300s") q6 := q5.ServerSideTimeout(duration) - bucket.ExecuteAnalyticsQuery(q6, nil) // $sqlinjection=q6 + bucket.ExecuteAnalyticsQuery(q6, nil) // $ sqlinjection=q6 } func n1qlQuery(cluster gocb.Cluster, untrustedSource *http.Request) { @@ -36,5 +36,5 @@ func n1qlQuery(cluster gocb.Cluster, untrustedSource *http.Request) { q9 := q8.ScanCap(10) duration, _ := time.ParseDuration("300s") q10 := q9.Timeout(duration) - cluster.ExecuteN1qlQuery(q10, nil) // $sqlinjection=q10 + cluster.ExecuteN1qlQuery(q10, nil) // $ sqlinjection=q10 } diff --git a/ql/test/library-tests/semmle/go/frameworks/ElazarlGoproxy/main.go b/ql/test/library-tests/semmle/go/frameworks/ElazarlGoproxy/main.go index 2a4bb634234..99d2fba45e1 100644 
--- a/ql/test/library-tests/semmle/go/frameworks/ElazarlGoproxy/main.go +++ b/ql/test/library-tests/semmle/go/frameworks/ElazarlGoproxy/main.go @@ -4,22 +4,23 @@ package main import ( "fmt" - "github.com/elazarl/goproxy" "net/http" + + "github.com/elazarl/goproxy" ) func handler(r *http.Request, ctx *goproxy.ProxyCtx) (*http.Request, *http.Response) { data := ctx.UserData // $ untrustedflowsource="selection of UserData" // note no content type result here because we don't seem to extract the value of `ContentTypeHtml` - return r, goproxy.NewResponse(r, goproxy.ContentTypeHtml, http.StatusForbidden, fmt.Sprintf("Bad request: %v", data)) // $headerwrite=status:403 + return r, goproxy.NewResponse(r, goproxy.ContentTypeHtml, http.StatusForbidden, fmt.Sprintf("Bad request: %v", data)) // $ headerwrite=status:403 } func handler1(r *http.Request, ctx *goproxy.ProxyCtx) (*http.Request, *http.Response) { - ctx.Logf("test") // $logger="test" - ctx.Warnf("test1") // $logger="test1" + ctx.Logf("test") // $ logger="test" + ctx.Warnf("test1") // $ logger="test1" - return r, goproxy.TextResponse(r, "Hello!") // $headerwrite=status:200 $headerwrite=content-type:text/plain + return r, goproxy.TextResponse(r, "Hello!") // $ headerwrite=status:200 $headerwrite=content-type:text/plain } func main() { diff --git a/ql/test/library-tests/semmle/go/frameworks/EvanphxJsonPatch/main.go b/ql/test/library-tests/semmle/go/frameworks/EvanphxJsonPatch/main.go index 10e8c9a5139..5f53dafcc0e 100644 --- a/ql/test/library-tests/semmle/go/frameworks/EvanphxJsonPatch/main.go +++ b/ql/test/library-tests/semmle/go/frameworks/EvanphxJsonPatch/main.go 
@@ -25,40 +25,40 @@ func main() { // func MergeMergePatches(patch1Data, patch2Data []byte) ([]byte, error) b1, _ := patch.MergeMergePatches(getTaintedByteArray(), untaintedByteArray) - sinkByteArray(b1) // $taintflow + sinkByteArray(b1) // $ taintflow b2, _ := patch.MergeMergePatches(untaintedByteArray, getTaintedByteArray()) - sinkByteArray(b2) // $taintflow + sinkByteArray(b2) // $ taintflow // func MergePatch(docData, patchData []byte) ([]byte, error) b3, _ := patch.MergePatch(getTaintedByteArray(), untaintedByteArray) - sinkByteArray(b3) // $taintflow + sinkByteArray(b3) // $ taintflow b4, _ := patch.MergePatch(untaintedByteArray, getTaintedByteArray()) - sinkByteArray(b4) // $taintflow + sinkByteArray(b4) // $ taintflow // func CreateMergePatch(originalJSON, modifiedJSON []byte) ([]byte, error) b5, _ := patch.CreateMergePatch(getTaintedByteArray(), untaintedByteArray) - sinkByteArray(b5) // $taintflow + sinkByteArray(b5) // $ taintflow b6, _ := patch.CreateMergePatch(untaintedByteArray, getTaintedByteArray()) - sinkByteArray(b6) // $taintflow + sinkByteArray(b6) // $ taintflow // func DecodePatch(buf []byte) (Patch, error) p7, _ := patch.DecodePatch(getTaintedByteArray()) - sinkPatch(p7) // $taintflow + sinkPatch(p7) // $ taintflow // func (p Patch) Apply(doc []byte) ([]byte, error) b8, _ := untaintedPatch.Apply(getTaintedByteArray()) - sinkByteArray(b8) // $taintflow + sinkByteArray(b8) // $ taintflow b9, _ := getTaintedPatch().Apply(untaintedByteArray) - sinkByteArray(b9) // $taintflow + sinkByteArray(b9) // $ taintflow // func (p Patch) ApplyIndent(doc []byte, indent string) ([]byte, error) b10, _ := untaintedPatch.ApplyIndent(getTaintedByteArray(), " ") - sinkByteArray(b10) // $taintflow + sinkByteArray(b10) // $ taintflow b11, _ := getTaintedPatch().ApplyIndent(untaintedByteArray, " ") - sinkByteArray(b11) // $taintflow + sinkByteArray(b11) // $ taintflow } 
diff --git a/ql/test/library-tests/semmle/go/frameworks/GoKit/main.go b/ql/test/library-tests/semmle/go/frameworks/GoKit/main.go index 93693cad8b1..1d0edf14c4d 100644 --- a/ql/test/library-tests/semmle/go/frameworks/GoKit/main.go +++ b/ql/test/library-tests/semmle/go/frameworks/GoKit/main.go @@ -2,6 +2,7 @@ package main import ( "context" + "github.com/go-kit/kit/endpoint" ) @@ -11,12 +12,12 @@ type MyService interface { } func makeEndpointLit(svc MyService) endpoint.Endpoint { - return func(_ context.Context, request interface{}) (interface{}, error) { // $source="definition of request" + return func(_ context.Context, request interface{}) (interface{}, error) { // $ source="definition of request" return request, nil } } -func endpointfn(_ context.Context, request interface{}) (interface{}, error) { // $source="definition of request" +func endpointfn(_ context.Context, request interface{}) (interface{}, error) { // $ source="definition of request" return request, nil } diff --git a/ql/test/library-tests/semmle/go/frameworks/K8sIoApiCoreV1/main.go b/ql/test/library-tests/semmle/go/frameworks/K8sIoApiCoreV1/main.go index 16db50cc342..4518342c171 100644 --- a/ql/test/library-tests/semmle/go/frameworks/K8sIoApiCoreV1/main.go +++ b/ql/test/library-tests/semmle/go/frameworks/K8sIoApiCoreV1/main.go 
@@ -19,76 +19,76 @@ func main() { { // func (in *Secret) DeepCopy() *Secret - sink(source().(*corev1.Secret).DeepCopy()) // $KsIoApiCoreV + sink(source().(*corev1.Secret).DeepCopy()) // $ KsIoApiCoreV } { // func (in *Secret) DeepCopyInto(out *Secret) var out *corev1.Secret source().(*corev1.Secret).DeepCopyInto(out) - sink(out) // $KsIoApiCoreV + sink(out) // $ KsIoApiCoreV } { // func (in *Secret) DeepCopyObject() runtime.Object - sink(source().(*corev1.Secret).DeepCopyObject()) // $KsIoApiCoreV + sink(source().(*corev1.Secret).DeepCopyObject()) // $ KsIoApiCoreV } { // func (m *Secret) Marshal() (dAtA []byte, err error) - sink(source().(*corev1.Secret).Marshal()) // $KsIoApiCoreV + sink(source().(*corev1.Secret).Marshal()) // $ KsIoApiCoreV } { // func (m *Secret) MarshalTo(dAtA []byte) (int, error) var dAtA []byte source().(*corev1.Secret).MarshalTo(dAtA) - sink(dAtA) // $KsIoApiCoreV + sink(dAtA) // $ KsIoApiCoreV } { // func (m *Secret) MarshalToSizedBuffer(dAtA []byte) (int, error) var dAtA []byte source().(*corev1.Secret).MarshalToSizedBuffer(dAtA) - sink(dAtA) // $KsIoApiCoreV + sink(dAtA) // $ KsIoApiCoreV } { // func (m *Secret) Unmarshal(dAtA []byte) error var dAtA []byte source().(*corev1.Secret).Unmarshal(dAtA) - sink(dAtA) // $KsIoApiCoreV + sink(dAtA) // $ KsIoApiCoreV } { // func (in *SecretList) DeepCopy() *SecretList - sink(source().(*corev1.SecretList).DeepCopy()) // $KsIoApiCoreV + sink(source().(*corev1.SecretList).DeepCopy()) // $ KsIoApiCoreV } { // func (in *SecretList) DeepCopyInto(out *SecretList) var out *corev1.SecretList source().(*corev1.SecretList).DeepCopyInto(out) - sink(out) // $KsIoApiCoreV + sink(out) // $ KsIoApiCoreV } { // func (in *SecretList) DeepCopyObject() runtime.Object - sink(source().(*corev1.SecretList).DeepCopyObject()) // $KsIoApiCoreV + sink(source().(*corev1.SecretList).DeepCopyObject()) // $ KsIoApiCoreV } { // func (m *SecretList) Marshal() (dAtA []byte, err error) - 
sink(source().(*corev1.SecretList).Marshal()) // $KsIoApiCoreV + sink(source().(*corev1.SecretList).Marshal()) // $ KsIoApiCoreV } { // func (m *SecretList) MarshalTo(dAtA []byte) (int, error) var dAtA []byte source().(*corev1.SecretList).MarshalTo(dAtA) - sink(dAtA) // $KsIoApiCoreV + sink(dAtA) // $ KsIoApiCoreV } { // func (m *SecretList) MarshalToSizedBuffer(dAtA []byte) (int, error) var dAtA []byte source().(*corev1.SecretList).MarshalToSizedBuffer(dAtA) - sink(dAtA) // $KsIoApiCoreV + sink(dAtA) // $ KsIoApiCoreV } { // func (m *SecretList) Unmarshal(dAtA []byte) error var dAtA []byte source().(*corev1.SecretList).Unmarshal(dAtA) - sink(dAtA) // $KsIoApiCoreV + sink(dAtA) // $ KsIoApiCoreV } } diff --git a/ql/test/library-tests/semmle/go/frameworks/K8sIoApimachineryPkgRuntime/main.go b/ql/test/library-tests/semmle/go/frameworks/K8sIoApimachineryPkgRuntime/main.go index 7da200410f8..dd213c214e2 100644 --- a/ql/test/library-tests/semmle/go/frameworks/K8sIoApimachineryPkgRuntime/main.go +++ b/ql/test/library-tests/semmle/go/frameworks/K8sIoApimachineryPkgRuntime/main.go 
@@ -31,93 +31,93 @@ func main() { // func Convert_Slice_string_To_Pointer_int64(in *[]string, out **int64, s conversion.Scope) error var out **int64 runtime.Convert_Slice_string_To_Pointer_int64(source().(*[]string), out, s) - sink(out) // $KsIoApimachineryPkgRuntime + sink(out) // $ KsIoApimachineryPkgRuntime } { // func Convert_Slice_string_To_int(in *[]string, out *int, s conversion.Scope) error var out *int runtime.Convert_Slice_string_To_int(source().(*[]string), out, s) - sink(out) // $KsIoApimachineryPkgRuntime + sink(out) // $ KsIoApimachineryPkgRuntime } { // func Convert_Slice_string_To_int64(in *[]string, out *int64, s conversion.Scope) error var out *int64 runtime.Convert_Slice_string_To_int64(source().(*[]string), out, s) - sink(out) // $KsIoApimachineryPkgRuntime + sink(out) // $ KsIoApimachineryPkgRuntime } { // func Convert_Slice_string_To_string(in *[]string, out *string, s conversion.Scope) error var out *string runtime.Convert_Slice_string_To_string(source().(*[]string), out, s) - sink(out) // $KsIoApimachineryPkgRuntime + sink(out) // $ KsIoApimachineryPkgRuntime } { // func Convert_runtime_Object_To_runtime_RawExtension(in *Object, out *RawExtension, s conversion.Scope) error var out *runtime.RawExtension runtime.Convert_runtime_Object_To_runtime_RawExtension(source().(*runtime.Object), out, s) - sink(out) // $KsIoApimachineryPkgRuntime + sink(out) // $ KsIoApimachineryPkgRuntime } { // func Convert_runtime_RawExtension_To_runtime_Object(in *RawExtension, out *Object, s conversion.Scope) error var out *runtime.Object runtime.Convert_runtime_RawExtension_To_runtime_Object(source().(*runtime.RawExtension), out, s) - sink(out) // $KsIoApimachineryPkgRuntime + sink(out) // $ KsIoApimachineryPkgRuntime } { // func Convert_string_To_Pointer_int64(in *string, out **int64, s conversion.Scope) error var out **int64 runtime.Convert_string_To_Pointer_int64(source().(*string), out, s) - sink(out) // $KsIoApimachineryPkgRuntime + sink(out) // $ 
KsIoApimachineryPkgRuntime } { // func Convert_string_To_int64(in *string, out *int64, s conversion.Scope) error var out *int64 runtime.Convert_string_To_int64(source().(*string), out, s) - sink(out) // $KsIoApimachineryPkgRuntime + sink(out) // $ KsIoApimachineryPkgRuntime } { // func DecodeInto(d Decoder, data []byte, into Object) error var o runtime.Object runtime.DecodeInto(decoder, source().([]byte), o) - sink(o) // $KsIoApimachineryPkgRuntime + sink(o) // $ KsIoApimachineryPkgRuntime } { // func DeepCopyJSON(x map[string]interface{}) map[string]interface{} - sink(runtime.DeepCopyJSON(source().(map[string]interface{}))) // $KsIoApimachineryPkgRuntime + sink(runtime.DeepCopyJSON(source().(map[string]interface{}))) // $ KsIoApimachineryPkgRuntime } { // func DeepCopyJSONValue(x interface{}) interface{} - sink(runtime.DeepCopyJSONValue(source().(map[string]interface{}))) // $KsIoApimachineryPkgRuntime + sink(runtime.DeepCopyJSONValue(source().(map[string]interface{}))) // $ KsIoApimachineryPkgRuntime } { // func Encode(e Encoder, obj Object) ([]byte, error) x, _ := runtime.Encode(encoder, source().(runtime.Object)) - sink(x) // $KsIoApimachineryPkgRuntime + sink(x) // $ KsIoApimachineryPkgRuntime } { // func EncodeOrDie(e Encoder, obj Object) string - sink(runtime.EncodeOrDie(encoder, source().(runtime.Object))) // $KsIoApimachineryPkgRuntime + sink(runtime.EncodeOrDie(encoder, source().(runtime.Object))) // $ KsIoApimachineryPkgRuntime } { // func Field(v reflect.Value, fieldName string, dest interface{}) error var fieldName string var dest interface{} runtime.Field(source().(reflect.Value), fieldName, dest) - sink(dest) // $KsIoApimachineryPkgRuntime + sink(dest) // $ KsIoApimachineryPkgRuntime } { // func FieldPtr(v reflect.Value, fieldName string, dest interface{}) error var fieldName string var dest interface{} runtime.FieldPtr(source().(reflect.Value), fieldName, dest) - sink(dest) // $KsIoApimachineryPkgRuntime + sink(dest) // $ KsIoApimachineryPkgRuntime 
} { // func SetField(src interface{}, v reflect.Value, fieldName string) error var v reflect.Value var fieldName string runtime.SetField(source(), v, fieldName) - sink(v) // $KsIoApimachineryPkgRuntime + sink(v) // $ KsIoApimachineryPkgRuntime } { // CacheEncode(id Identifier, encode func(Object, io.Writer) error, w io.Writer) error @@ -125,19 +125,19 @@ func main() { var encode func(runtime.Object, io.Writer) error var w io.Writer source().(myCacheableObject).CacheEncode(id, encode, w) - sink(w) // $KsIoApimachineryPkgRuntime + sink(w) // $ KsIoApimachineryPkgRuntime } { // GetObject() Object - sink(source().(myCacheableObject).GetObject()) // $KsIoApimachineryPkgRuntime + sink(source().(myCacheableObject).GetObject()) // $ KsIoApimachineryPkgRuntime } { // Decode(data []byte, defaults *schema.GroupVersionKind, into Object) (Object, *schema.GroupVersionKind, error) var defaults *schema.GroupVersionKind var into runtime.Object x, _, _ := decoder.Decode(source().([]byte), defaults, into) - sink(x) // $KsIoApimachineryPkgRuntime - sink(into) // $KsIoApimachineryPkgRuntime + sink(x) // $ KsIoApimachineryPkgRuntime + sink(into) // $ KsIoApimachineryPkgRuntime } { // Decode(data []byte, defaults *schema.GroupVersionKind, into Object) (Object, *schema.GroupVersionKind, error) 
@@ -145,47 +145,47 @@ func main() { var into runtime.Object var withoutVersionDecoder runtime.WithoutVersionDecoder x, _, _ := withoutVersionDecoder.Decode(source().([]byte), defaults, into) - sink(x) // $KsIoApimachineryPkgRuntime - sink(into) // $KsIoApimachineryPkgRuntime + sink(x) // $ KsIoApimachineryPkgRuntime + sink(into) // $ KsIoApimachineryPkgRuntime } { // Encode(obj Object, w io.Writer) error var w io.Writer encoder.Encode(source().(runtime.Object), w) - sink(w) // $KsIoApimachineryPkgRuntime + sink(w) // $ KsIoApimachineryPkgRuntime } { // Encode(obj Object, w io.Writer) error var w io.Writer var withVersionEncoder runtime.WithVersionEncoder withVersionEncoder.Encode(source().(runtime.Object), w) - sink(w) // $KsIoApimachineryPkgRuntime + sink(w) // $ KsIoApimachineryPkgRuntime } { var framer myFramer // NewFrameReader(r io.ReadCloser) io.ReadCloser - sink(framer.NewFrameReader(source().(io.ReadCloser))) // $KsIoApimachineryPkgRuntime + sink(framer.NewFrameReader(source().(io.ReadCloser))) // $ KsIoApimachineryPkgRuntime // NewFrameWriter(w io.Writer) io.Writer - sink(framer.NewFrameWriter(source().(io.Writer))) // $KsIoApimachineryPkgRuntime + sink(framer.NewFrameWriter(source().(io.Writer))) // $ KsIoApimachineryPkgRuntime } { // DeepCopyObject() Object - sink(source().(runtime.Object).DeepCopyObject()) // $KsIoApimachineryPkgRuntime + sink(source().(runtime.Object).DeepCopyObject()) // $ KsIoApimachineryPkgRuntime } { // func Decode(d Decoder, data []byte) (Object, error) o, _ := runtime.Decode(decoder, source().([]byte)) - sink(o) // $KsIoApimachineryPkgRuntime + sink(o) // $ KsIoApimachineryPkgRuntime } { // func NewEncodable(e Encoder, obj Object, versions ...schema.GroupVersion) Object - sink(runtime.NewEncodable(encoder, source().(runtime.Object))) // $KsIoApimachineryPkgRuntime + sink(runtime.NewEncodable(encoder, source().(runtime.Object))) // $ KsIoApimachineryPkgRuntime } { // func NewEncodableList(e Encoder, objects []Object, versions 
...schema.GroupVersion) []Object - sink(runtime.NewEncodableList(encoder, source().([]runtime.Object))) // $KsIoApimachineryPkgRuntime + sink(runtime.NewEncodableList(encoder, source().([]runtime.Object))) // $ KsIoApimachineryPkgRuntime } { // func UseOrCreateObject(t ObjectTyper, c ObjectCreater, gvk schema.GroupVersionKind, obj Object) (Object, error) @@ -193,7 +193,7 @@ func main() { var c runtime.ObjectCreater var gvk schema.GroupVersionKind o, _ := runtime.UseOrCreateObject(t, c, gvk, source().(runtime.Object)) - sink(o) // $KsIoApimachineryPkgRuntime + sink(o) // $ KsIoApimachineryPkgRuntime } { var objectConverter myObjectConverter @@ -201,12 +201,12 @@ func main() { // Convert(in, out, context interface{}) error var out, context interface{} objectConverter.Convert(source(), out, context) - sink(out) // $KsIoApimachineryPkgRuntime + sink(out) // $ KsIoApimachineryPkgRuntime // ConvertToVersion(in Object, gv GroupVersioner) (out Object, err error) var gv runtime.GroupVersioner o, _ := objectConverter.ConvertToVersion(source().(runtime.Object), gv) - sink(o) // $KsIoApimachineryPkgRuntime + sink(o) // $ KsIoApimachineryPkgRuntime } { var parameterCodec myParameterCodec 
@@ -215,110 +215,110 @@ func main() { var gv schema.GroupVersion var into runtime.Object parameterCodec.DecodeParameters(source().(url.Values), gv, into) - sink(into) // $KsIoApimachineryPkgRuntime + sink(into) // $ KsIoApimachineryPkgRuntime // EncodeParameters(obj Object, to schema.GroupVersion) (url.Values, error) urlValues, _ := parameterCodec.EncodeParameters(source().(runtime.Object), gv) - sink(urlValues) // $KsIoApimachineryPkgRuntime + sink(urlValues) // $ KsIoApimachineryPkgRuntime } { // MarshalTo(data []byte) (int, error) var data []byte source().(myProtobufMarshaller).MarshalTo(data) - sink(data) // $KsIoApimachineryPkgRuntime + sink(data) // $ KsIoApimachineryPkgRuntime } { // MarshalToSizedBuffer(data []byte) (int, error) var data []byte source().(myProtobufReverseMarshaller).MarshalToSizedBuffer(data) - sink(data) // $KsIoApimachineryPkgRuntime + sink(data) // $ KsIoApimachineryPkgRuntime } { // func (in *RawExtension) DeepCopy() *RawExtension - sink(source().(*runtime.RawExtension).DeepCopy()) // $KsIoApimachineryPkgRuntime + sink(source().(*runtime.RawExtension).DeepCopy()) // $ KsIoApimachineryPkgRuntime } { // func (in *RawExtension) DeepCopyInto(out *RawExtension) var out *runtime.RawExtension source().(*runtime.RawExtension).DeepCopyInto(out) - sink(out) // $KsIoApimachineryPkgRuntime + sink(out) // $ KsIoApimachineryPkgRuntime } { // func (m *RawExtension) Marshal() (dAtA []byte, err error) dAtA, _ := source().(*runtime.RawExtension).Marshal() - sink(dAtA) // $KsIoApimachineryPkgRuntime + sink(dAtA) // $ KsIoApimachineryPkgRuntime } { // func (m *RawExtension) MarshalTo(dAtA []byte) (int, error) var dAtA []byte source().(*runtime.RawExtension).MarshalTo(dAtA) - sink(dAtA) // $KsIoApimachineryPkgRuntime + sink(dAtA) // $ KsIoApimachineryPkgRuntime } { // func (m *RawExtension) MarshalToSizedBuffer(dAtA []byte) (int, error) var dAtA []byte source().(*runtime.RawExtension).MarshalToSizedBuffer(dAtA) - sink(dAtA) // $KsIoApimachineryPkgRuntime + 
sink(dAtA) // $ KsIoApimachineryPkgRuntime } { // func (m *RawExtension) Unmarshal(dAtA []byte) error var dAtA []byte source().(*runtime.RawExtension).Unmarshal(dAtA) - sink(dAtA) // $KsIoApimachineryPkgRuntime + sink(dAtA) // $ KsIoApimachineryPkgRuntime } { // func (in *Unknown) DeepCopy() *Unknown - sink(source().(*runtime.Unknown).DeepCopy()) // $KsIoApimachineryPkgRuntime + sink(source().(*runtime.Unknown).DeepCopy()) // $ KsIoApimachineryPkgRuntime } { // func (in *Unknown) DeepCopyObject() Object - sink(source().(*runtime.Unknown).DeepCopyObject()) // $KsIoApimachineryPkgRuntime + sink(source().(*runtime.Unknown).DeepCopyObject()) // $ KsIoApimachineryPkgRuntime } { // func (in *Unknown) DeepCopyInto(out *Unknown) var out *runtime.Unknown source().(*runtime.Unknown).DeepCopyInto(out) - sink(out) // $KsIoApimachineryPkgRuntime + sink(out) // $ KsIoApimachineryPkgRuntime } { // func (m *Unknown) Marshal() (dAtA []byte, err error) dAtA, _ := source().(*runtime.Unknown).Marshal() - sink(dAtA) // $KsIoApimachineryPkgRuntime + sink(dAtA) // $ KsIoApimachineryPkgRuntime } { // func (m *Unknown) MarshalTo(dAtA []byte) (int, error) var dAtA []byte source().(*runtime.Unknown).MarshalTo(dAtA) - sink(dAtA) // $KsIoApimachineryPkgRuntime + sink(dAtA) // $ KsIoApimachineryPkgRuntime } { // func (m *Unknown) MarshalToSizedBuffer(dAtA []byte) (int, error) var dAtA []byte source().(*runtime.Unknown).MarshalToSizedBuffer(dAtA) - sink(dAtA) // $KsIoApimachineryPkgRuntime + sink(dAtA) // $ KsIoApimachineryPkgRuntime } { // func (m *Unknown) NestedMarshalTo(data []byte, b ProtobufMarshaller, size uint64) (int, error) var dAtA []byte var b myProtobufMarshaller source().(*runtime.Unknown).NestedMarshalTo(dAtA, b, 1) - sink(dAtA) // $KsIoApimachineryPkgRuntime + sink(dAtA) // $ KsIoApimachineryPkgRuntime } { // func (m *Unknown) Unmarshal(dAtA []byte) error var dAtA []byte source().(*runtime.Unknown).Unmarshal(dAtA) - sink(dAtA) // $KsIoApimachineryPkgRuntime + sink(dAtA) // $ 
KsIoApimachineryPkgRuntime } { // UnstructuredContent() map[string]interface{} - sink(source().(myUnstructured).UnstructuredContent()) // $KsIoApimachineryPkgRuntime + sink(source().(myUnstructured).UnstructuredContent()) // $ KsIoApimachineryPkgRuntime } { // SetUnstructuredContent(map[string]interface{}) var unstructured myUnstructured unstructured.SetUnstructuredContent(source().(map[string]interface{})) - sink(unstructured) // $KsIoApimachineryPkgRuntime + sink(unstructured) // $ KsIoApimachineryPkgRuntime } } diff --git a/ql/test/library-tests/semmle/go/frameworks/K8sIoClientGo/main.go b/ql/test/library-tests/semmle/go/frameworks/K8sIoClientGo/main.go index 530248f51bd..8d2d275cd67 100644 --- a/ql/test/library-tests/semmle/go/frameworks/K8sIoClientGo/main.go +++ b/ql/test/library-tests/semmle/go/frameworks/K8sIoClientGo/main.go @@ -27,14 +27,14 @@ func main() { use(t.Delete(ctx, name, opts)) use(s.DeleteCollection(ctx, opts, listOpts)) use(t.DeleteCollection(ctx, opts, listOpts)) - use(s.Get(ctx, name, opts)) // $KsIoClientGo - use(t.Get(ctx, name, opts)) // $KsIoClientGo - use(s.List(ctx, opts)) // $KsIoClientGo - use(t.List(ctx, opts)) // $KsIoClientGo + use(s.Get(ctx, name, opts)) // $ KsIoClientGo + use(t.Get(ctx, name, opts)) // $ KsIoClientGo + use(s.List(ctx, opts)) // $ KsIoClientGo + use(t.List(ctx, opts)) // $ KsIoClientGo use(s.Watch(ctx, opts)) use(t.Watch(ctx, opts)) - use(s.Patch(ctx, name, pt, data, opts)) // $KsIoClientGo - use(t.Patch(ctx, name, pt, data, opts)) // $KsIoClientGo + use(s.Patch(ctx, name, pt, data, opts)) // $ KsIoClientGo + use(t.Patch(ctx, name, pt, data, opts)) // $ KsIoClientGo } func use(arg ...interface{}) {} diff --git a/ql/test/library-tests/semmle/go/frameworks/NoSQL/main.go b/ql/test/library-tests/semmle/go/frameworks/NoSQL/main.go index c1ed47119da..e192ac77db4 100644 --- a/ql/test/library-tests/semmle/go/frameworks/NoSQL/main.go +++ b/ql/test/library-tests/semmle/go/frameworks/NoSQL/main.go 
@@ -26,46 +26,46 @@ func test(coll *mongo.Collection, filter interface{}, models []mongo.WriteModel,
 matchStage := bson.D{{"$match", filter}}
 pipeline := mongo.Pipeline{matchStage}
- coll.Aggregate(ctx, pipeline, nil) // $nosqlquery=pipeline
+ coll.Aggregate(ctx, pipeline, nil) // $ nosqlquery=pipeline
 coll.BulkWrite(ctx, models, nil)
 coll.Clone(nil)
- coll.CountDocuments(ctx, filter, nil) // $nosqlquery=filter
+ coll.CountDocuments(ctx, filter, nil) // $ nosqlquery=filter
 coll.Database()
- coll.DeleteMany(ctx, filter, nil) // $nosqlquery=filter
- coll.DeleteOne(ctx, filter, nil) // $nosqlquery=filter
+ coll.DeleteMany(ctx, filter, nil) // $ nosqlquery=filter
+ coll.DeleteOne(ctx, filter, nil) // $ nosqlquery=filter
- coll.Distinct(ctx, fieldName, filter) // $nosqlquery=filter
+ coll.Distinct(ctx, fieldName, filter) // $ nosqlquery=filter
 coll.Drop(ctx)
 coll.EstimatedDocumentCount(ctx, nil)
- coll.Find(ctx, filter, nil) // $nosqlquery=filter
- coll.FindOne(ctx, filter, nil) // $nosqlquery=filter
- coll.FindOneAndDelete(ctx, filter, nil) // $nosqlquery=filter
- coll.FindOneAndReplace(ctx, filter, nil) // $nosqlquery=filter
- coll.FindOneAndUpdate(ctx, filter, nil) // $nosqlquery=filter
+ coll.Find(ctx, filter, nil) // $ nosqlquery=filter
+ coll.FindOne(ctx, filter, nil) // $ nosqlquery=filter
+ coll.FindOneAndDelete(ctx, filter, nil) // $ nosqlquery=filter
+ coll.FindOneAndReplace(ctx, filter, nil) // $ nosqlquery=filter
+ coll.FindOneAndUpdate(ctx, filter, nil) // $ nosqlquery=filter
 coll.Indexes()
 coll.InsertMany(ctx, documents)
 coll.InsertOne(ctx, document, nil)
 coll.Name()
 replacement := bson.D{{"location", "NYC"}}
- coll.ReplaceOne(ctx, filter, replacement) // $nosqlquery=filter
+ coll.ReplaceOne(ctx, filter, replacement) // $ nosqlquery=filter
 update := bson.D{{"$inc", bson.D{{"age", 1}}}}
- coll.UpdateMany(ctx, filter, update) // $nosqlquery=filter
- coll.UpdateOne(ctx, filter, update) // $nosqlquery=filter
- coll.Watch(ctx, pipeline) // $nosqlquery=pipeline
+ coll.UpdateMany(ctx, filter, update) // $ nosqlquery=filter
+ coll.UpdateOne(ctx, filter, update) // $ nosqlquery=filter
+ coll.Watch(ctx, pipeline) // $ nosqlquery=pipeline
 }
 func testGocbV1(bucket gocbv1.Bucket, cluster gocbv1.Cluster, aq *gocbv1.AnalyticsQuery, nq *gocbv1.N1qlQuery) {
- bucket.ExecuteAnalyticsQuery(aq, nil) // $nosqlquery=aq
- cluster.ExecuteAnalyticsQuery(aq, nil) // $nosqlquery=aq
- bucket.ExecuteN1qlQuery(nq, nil) // $nosqlquery=nq
- cluster.ExecuteN1qlQuery(nq, nil) // $nosqlquery=nq
+ bucket.ExecuteAnalyticsQuery(aq, nil) // $ nosqlquery=aq
+ cluster.ExecuteAnalyticsQuery(aq, nil) // $ nosqlquery=aq
+ bucket.ExecuteN1qlQuery(nq, nil) // $ nosqlquery=nq
+ cluster.ExecuteN1qlQuery(nq, nil) // $ nosqlquery=nq
 }
 func testGocbV2(cluster gocbv2.Cluster, scope gocbv2.Scope) {
- cluster.AnalyticsQuery("a", nil) // $nosqlquery="a"
- scope.AnalyticsQuery("b", nil) // $nosqlquery="b"
- cluster.Query("c", nil) // $nosqlquery="c"
- scope.Query("d", nil) // $nosqlquery="d"
+ cluster.AnalyticsQuery("a", nil) // $ nosqlquery="a"
+ scope.AnalyticsQuery("b", nil) // $ nosqlquery="b"
+ cluster.Query("c", nil) // $ nosqlquery="c"
+ scope.Query("d", nil) // $ nosqlquery="d"
 }
 func main() {}
diff --git a/ql/test/library-tests/semmle/go/frameworks/Revel/EndToEnd.go b/ql/test/library-tests/semmle/go/frameworks/Revel/EndToEnd.go
index 85d0d785e93..125bd661de8 100644
--- a/ql/test/library-tests/semmle/go/frameworks/Revel/EndToEnd.go
+++ b/ql/test/library-tests/semmle/go/frameworks/Revel/EndToEnd.go
@@ -27,69 +27,69 @@ type MyRoute struct { func (c MyRoute) Handler1() revel.Result { // GOOD: the Render function is likely to properly escape the user-controlled parameter. - return c.Render("someviewparam", c.Params.Form.Get("someField")) // $source="selection of Params" + return c.Render("someviewparam", c.Params.Form.Get("someField")) // $ source="selection of Params" } func (c MyRoute) Handler2() revel.Result { // BAD: the RenderBinary function copies an `io.Reader` to the user's browser. buf := &bytes.Buffer{} - buf.WriteString(c.Params.Form.Get("someField")) // $source="selection of Params" - return c.RenderBinary(buf, "index.html", revel.Inline, time.Now()) // $responsebody='buf' + buf.WriteString(c.Params.Form.Get("someField")) // $ source="selection of Params" + return c.RenderBinary(buf, "index.html", revel.Inline, time.Now()) // $ responsebody='buf' } func (c MyRoute) Handler3() revel.Result { // GOOD: the RenderBinary function copies an `io.Reader` to the user's browser, but the filename // means it will be given a safe content-type. buf := &bytes.Buffer{} - buf.WriteString(c.Params.Form.Get("someField")) // $source="selection of Params" - return c.RenderBinary(buf, "index.txt", revel.Inline, time.Now()) // $responsebody='buf' + buf.WriteString(c.Params.Form.Get("someField")) // $ source="selection of Params" + return c.RenderBinary(buf, "index.txt", revel.Inline, time.Now()) // $ responsebody='buf' } func (c MyRoute) Handler4() revel.Result { // GOOD: the RenderError function either uses an HTML template with probable escaping, // or it uses content-type text/plain. 
- err := errors.New(c.Params.Form.Get("someField")) // $source="selection of Params" - return c.RenderError(err) // $responsebody='err' + err := errors.New(c.Params.Form.Get("someField")) // $ source="selection of Params" + return c.RenderError(err) // $ responsebody='err' } func (c MyRoute) Handler5() revel.Result { // BAD: returning an arbitrary file (but this is detected at the os.Open call, not // due to modelling Revel) - f, _ := os.Open(c.Params.Form.Get("someField")) // $source="selection of Params" + f, _ := os.Open(c.Params.Form.Get("someField")) // $ source="selection of Params" return c.RenderFile(f, revel.Inline) } func (c MyRoute) Handler6() revel.Result { // BAD: returning an arbitrary file (detected as a user-controlled file-op, not XSS) - return c.RenderFileName(c.Params.Form.Get("someField"), revel.Inline) // $source="selection of Params" + return c.RenderFileName(c.Params.Form.Get("someField"), revel.Inline) // $ source="selection of Params" } func (c MyRoute) Handler7() revel.Result { // BAD: straightforward XSS - return c.RenderHTML(c.Params.Form.Get("someField")) // $responsebody='call to Get' $source="selection of Params" + return c.RenderHTML(c.Params.Form.Get("someField")) // $ responsebody='call to Get' $source="selection of Params" } func (c MyRoute) Handler8() revel.Result { // GOOD: uses JSON content-type - return c.RenderJSON(c.Params.Form.Get("someField")) // $responsebody='call to Get' $source="selection of Params" + return c.RenderJSON(c.Params.Form.Get("someField")) // $ responsebody='call to Get' $source="selection of Params" } func (c MyRoute) Handler9() revel.Result { // GOOD: uses Javascript content-type - return c.RenderJSONP("callback", c.Params.Form.Get("someField")) // $responsebody='call to Get' $source="selection of Params" + return c.RenderJSONP("callback", c.Params.Form.Get("someField")) // $ responsebody='call to Get' $source="selection of Params" } func (c MyRoute) Handler10() revel.Result { // GOOD: uses text 
content-type - return c.RenderText(c.Params.Form.Get("someField")) // $responsebody='call to Get' $source="selection of Params" + return c.RenderText(c.Params.Form.Get("someField")) // $ responsebody='call to Get' $source="selection of Params" } func (c MyRoute) Handler11() revel.Result { // GOOD: uses xml content-type - return c.RenderXML(c.Params.Form.Get("someField")) // $responsebody='call to Get' $source="selection of Params" + return c.RenderXML(c.Params.Form.Get("someField")) // $ responsebody='call to Get' $source="selection of Params" } func (c MyRoute) Handler12() revel.Result { // BAD: open redirect - return c.Redirect(c.Params.Form.Get("someField")) // $source="selection of Params" + return c.Redirect(c.Params.Form.Get("someField")) // $ source="selection of Params" } diff --git a/ql/test/library-tests/semmle/go/frameworks/Revel/Revel.go b/ql/test/library-tests/semmle/go/frameworks/Revel/Revel.go index 999891e432d..f1568e7791d 100644 --- a/ql/test/library-tests/semmle/go/frameworks/Revel/Revel.go +++ b/ql/test/library-tests/semmle/go/frameworks/Revel/Revel.go @@ -24,18 +24,18 @@ func sink(_ ...interface{}) {} func (c myAppController) accessingParamsDirectlyIsUnsafe() { sink(c.Params.Get("key")) - sink(c.Params.Values) // $source="selection of Params" + sink(c.Params.Values) // $ source="selection of Params" val4 := "" - c.Params.Bind(&val4, "key") // $source="selection of Params" + c.Params.Bind(&val4, "key") // $ source="selection of Params" sink(val4) sink(c.Request.FormValue("key")) } func (c myAppController) accessingFixedIsSafe(mainRouter *revel.Router) { - sink(c.Params.Fixed.Get("key")) // $noflow - sink(mainRouter.Route(c.Request).FixedParams[0]) // $noflow + sink(c.Params.Fixed.Get("key")) // $ noflow + sink(mainRouter.Route(c.Request).FixedParams[0]) // $ noflow } func (c myAppController) accessingRouteIsUnsafe(mainRouter *revel.Router) { 
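Review bot: The Handler7 through Handler11 lines convert only the first expectation to the `$ responsebody=…` form and leave the second as `$source="selection of Params"`, so one comment now mixes the old and the new spelling. Whether a leftover `$` in the middle of the comment body is tolerated depends on how the expectation parser splits the body, which is not visible here; if it is only accepted by a loose regexp match, a later tightening would turn these into silently unmatched expectations rather than test failures. The same mixed form appears in the init.go hunk (`$ responsebody='selection of Path' $responsebody='"Hi there, it worked"'`) and in the Os.go fsAccesses hunk (`$ fsaccess=path $fsaccess=path1`). I would normalize each comment to a single `$` followed by space-separated expectations, e.g. `// $ responsebody='call to Get' source="selection of Params"`.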
@@ -64,10 +64,10 @@ func (c myAppController) accessingParamsJSONIsUnsafe() { sink(val2["name"].(string)) } -func (c myAppController) rawRead() { // $responsebody='argument corresponding to c' - c.ViewArgs["Foo"] = "

raw HTML

" // $responsebody='"

raw HTML

"' +func (c myAppController) rawRead() { // $ responsebody='argument corresponding to c' + c.ViewArgs["Foo"] = "

raw HTML

" // $ responsebody='"

raw HTML

"' c.ViewArgs["Bar"] = "

not raw HTML

" - c.ViewArgs["Foo"] = c.Params.Query // $responsebody='selection of Query' + c.ViewArgs["Foo"] = c.Params.Query // $ responsebody='selection of Query' c.Render() } diff --git a/ql/test/library-tests/semmle/go/frameworks/Revel/examples/booking/app/controllers/hotels.go b/ql/test/library-tests/semmle/go/frameworks/Revel/examples/booking/app/controllers/hotels.go index c4b42533e37..d8aabc5efe3 100644 --- a/ql/test/library-tests/semmle/go/frameworks/Revel/examples/booking/app/controllers/hotels.go +++ b/ql/test/library-tests/semmle/go/frameworks/Revel/examples/booking/app/controllers/hotels.go @@ -31,6 +31,7 @@ import ( "strings" "codeql-go-tests/frameworks/Revel/examples/booking/app/models" + "github.com/revel/revel" ) @@ -104,7 +105,7 @@ func (c Hotels) ListJson(search string, size, page uint64) revel.Result { var hotels []*models.Hotel - return c.RenderJSON(map[string]interface{}{"hotels": hotels, "search": search, "size": size, "page": page, "nextPage": nextPage}) // $responsebody='map literal' + return c.RenderJSON(map[string]interface{}{"hotels": hotels, "search": search, "size": size, "page": page, "nextPage": nextPage}) // $ responsebody='map literal' } func (c Hotels) List(search string, size, page uint64) revel.Result { if page == 0 { @@ -155,7 +156,7 @@ func (c Hotels) SaveSettings(password, verifyPassword string) revel.Result { } func (c Hotels) ConfirmBooking(id int, booking models.Booking) revel.Result { - hotel := c.loadHotelById(id) // $responsebody='call to loadHotelById' + hotel := c.loadHotelById(id) // $ responsebody='call to loadHotelById' if hotel == nil { return c.NotFound("Hotel %d does not exist", id) } diff --git a/ql/test/library-tests/semmle/go/frameworks/Revel/examples/booking/app/init.go b/ql/test/library-tests/semmle/go/frameworks/Revel/examples/booking/app/init.go index 2d9d9fbf7f1..c49c0ca27fe 100644 --- a/ql/test/library-tests/semmle/go/frameworks/Revel/examples/booking/app/init.go 
+++ b/ql/test/library-tests/semmle/go/frameworks/Revel/examples/booking/app/init.go @@ -33,11 +33,11 @@ func init() { switch event { case revel.ENGINE_BEFORE_INITIALIZED: revel.AddHTTPMux("/this/is/a/test", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - fmt.Fprintln(w, "Hi there, it worked", r.URL.Path) // $responsebody='selection of Path' $responsebody='"Hi there, it worked"' + fmt.Fprintln(w, "Hi there, it worked", r.URL.Path) // $ responsebody='selection of Path' $responsebody='"Hi there, it worked"' w.WriteHeader(200) })) revel.AddHTTPMux("/this/is/", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - fmt.Fprintln(w, "Hi there, shorter prefix", r.URL.Path) // $responsebody='selection of Path' $responsebody='"Hi there, shorter prefix"' + fmt.Fprintln(w, "Hi there, shorter prefix", r.URL.Path) // $ responsebody='selection of Path' $responsebody='"Hi there, shorter prefix"' w.WriteHeader(200) })) } diff --git a/ql/test/library-tests/semmle/go/frameworks/SQL/main.go b/ql/test/library-tests/semmle/go/frameworks/SQL/main.go index f5a62e556e9..d564fe0e03d 100644 --- a/ql/test/library-tests/semmle/go/frameworks/SQL/main.go +++ b/ql/test/library-tests/semmle/go/frameworks/SQL/main.go 
@@ -32,43 +32,43 @@ var ( ) func test(db *sql.DB, ctx context.Context) { - db.Exec(query1) // $query=query1 - db.ExecContext(ctx, query2) // $query=query2 - db.Prepare(query3) // $querystring=query3 - db.PrepareContext(ctx, query4) // $querystring=query4 - db.Query(query5) // $query=query5 - db.QueryContext(ctx, query6) // $query=query6 - db.QueryRow(query7) // $query=query7 - db.QueryRowContext(ctx, query8) // $query=query8 + db.Exec(query1) // $ query=query1 + db.ExecContext(ctx, query2) // $ query=query2 + db.Prepare(query3) // $ querystring=query3 + db.PrepareContext(ctx, query4) // $ querystring=query4 + db.Query(query5) // $ query=query5 + db.QueryContext(ctx, query6) // $ query=query6 + db.QueryRow(query7) // $ query=query7 + db.QueryRowContext(ctx, query8) // $ query=query8 } func squirrelTest(querypart string) { - squirrel.Select("*").From("users").Where(squirrel.Expr(querypart)) // $querystring=querypart - squirrel.Select("*").From("users").Suffix(querypart) // $querystring=querypart + squirrel.Select("*").From("users").Where(squirrel.Expr(querypart)) // $ querystring=querypart + squirrel.Select("*").From("users").Suffix(querypart) // $ querystring=querypart } func test2(tx *sql.Tx, query string, ctx context.Context) { - tx.Exec(query11) // $query=query11 - tx.ExecContext(ctx, query12) // $query=query12 - tx.Prepare(query13) // $querystring=query13 - tx.PrepareContext(ctx, query14) // $querystring=query14 - tx.Query(query15) // $query=query15 - tx.QueryContext(ctx, query16) // $query=query16 - tx.QueryRow(query17) // $query=query17 - tx.QueryRowContext(ctx, query18) // $query=query18 + tx.Exec(query11) // $ query=query11 + tx.ExecContext(ctx, query12) // $ query=query12 + tx.Prepare(query13) // $ querystring=query13 + tx.PrepareContext(ctx, query14) // $ querystring=query14 + tx.Query(query15) // $ query=query15 + tx.QueryContext(ctx, query16) // $ query=query16 + tx.QueryRow(query17) // $ query=query17 + tx.QueryRowContext(ctx, query18) // $ 
query=query18 } func test3(db *sql.DB, ctx context.Context) { - stmt1, _ := db.Prepare(query21) // $SPURIOUS:querystring=query21 - stmt1.Exec() // $MISSING:query=query21 - stmt2, _ := db.PrepareContext(ctx, query22) // $SPURIOUS:querystring=query22 - stmt2.ExecContext(ctx) // $MISSING:query=query22 - stmt3, _ := db.Prepare(query23) // $SPURIOUS:querystring=query23 + stmt1, _ := db.Prepare(query21) // $ SPURIOUS:querystring=query21 + stmt1.Exec() // $ MISSING:query=query21 + stmt2, _ := db.PrepareContext(ctx, query22) // $ SPURIOUS:querystring=query22 + stmt2.ExecContext(ctx) // $ MISSING:query=query22 + stmt3, _ := db.Prepare(query23) // $ SPURIOUS:querystring=query23 runQuery(stmt3) } func runQuery(stmt *sql.Stmt) { - stmt.Exec() // $MISSING:query=query23 + stmt.Exec() // $ MISSING:query=query23 } func main() {} diff --git a/ql/test/library-tests/semmle/go/frameworks/SQL/pg.go b/ql/test/library-tests/semmle/go/frameworks/SQL/pg.go index ecd20c01f76..24c381b06ef 100644 --- a/ql/test/library-tests/semmle/go/frameworks/SQL/pg.go +++ b/ql/test/library-tests/semmle/go/frameworks/SQL/pg.go 
@@ -11,31 +11,31 @@ import ( ) func pgtest(query string, conn pg.Conn, db pg.DB, tx pg.Tx) { - pg.Q(query) // $querystring=query + pg.Q(query) // $ querystring=query var dst []byte - conn.FormatQuery(dst, query) // $querystring=query - conn.Prepare(query) // $querystring=query - db.FormatQuery(dst, query) // $querystring=query - db.Prepare(query) // $querystring=query - tx.FormatQuery(dst, query) // $querystring=query - tx.Prepare(query) // $querystring=query + conn.FormatQuery(dst, query) // $ querystring=query + conn.Prepare(query) // $ querystring=query + db.FormatQuery(dst, query) // $ querystring=query + db.Prepare(query) // $ querystring=query + tx.FormatQuery(dst, query) // $ querystring=query + tx.Prepare(query) // $ querystring=query } // go-pg v9 dropped support for `FormatQuery` func newpgtest(query string, conn newpg.Conn, db newpg.DB, tx newpg.Tx) { - newpg.Q(query) // $querystring=query - conn.Prepare(query) // $querystring=query - db.Prepare(query) // $querystring=query - tx.Prepare(query) // $querystring=query + newpg.Q(query) // $ querystring=query + conn.Prepare(query) // $ querystring=query + db.Prepare(query) // $ querystring=query + tx.Prepare(query) // $ querystring=query } func pgormtest(query string, q orm.Query) { - orm.Q(query) // $querystring=query - q.ColumnExpr(query) // $querystring=query - q.For(query) // $querystring=query + orm.Q(query) // $ querystring=query + q.ColumnExpr(query) // $ querystring=query + q.For(query) // $ querystring=query var b []byte - q.FormatQuery(b, query) // $querystring=query - q.Having(query) // $querystring=query - q.Where(query) // $querystring=query - q.WhereInMulti(query) // $querystring=query - q.WhereOr(query) // $querystring=query + q.FormatQuery(b, query) // $ querystring=query + q.Having(query) // $ querystring=query + q.Where(query) // $ querystring=query + q.WhereInMulti(query) // $ querystring=query + q.WhereOr(query) // $ querystring=query } 
diff --git a/ql/test/library-tests/semmle/go/frameworks/SQL/xorm.go b/ql/test/library-tests/semmle/go/frameworks/SQL/xorm.go index 3aa8857a61b..6b4dbb116ee 100644 --- a/ql/test/library-tests/semmle/go/frameworks/SQL/xorm.go +++ b/ql/test/library-tests/semmle/go/frameworks/SQL/xorm.go 
@@ -12,66 +12,66 @@ func xormtest() { query := "UntrustedString" engine1 := xorm1.Engine{} - engine1.Query(query) // $querystring=query - engine1.QueryString(query) // $querystring=query - engine1.QueryInterface(query) // $querystring=query - engine1.SQL(query) // $querystring=query - engine1.Where(query) // $querystring=query - engine1.Alias(query) // $querystring=query - engine1.NotIn(query) // $querystring=query - engine1.In(query) // $querystring=query - engine1.Select(query) // $querystring=query - engine1.SetExpr(query, nil) // $querystring=query - engine1.OrderBy(query) // $querystring=query - engine1.Having(query) // $querystring=query - engine1.GroupBy(query) // $querystring=query + engine1.Query(query) // $ querystring=query + engine1.QueryString(query) // $ querystring=query + engine1.QueryInterface(query) // $ querystring=query + engine1.SQL(query) // $ querystring=query + engine1.Where(query) // $ querystring=query + engine1.Alias(query) // $ querystring=query + engine1.NotIn(query) // $ querystring=query + engine1.In(query) // $ querystring=query + engine1.Select(query) // $ querystring=query + engine1.SetExpr(query, nil) // $ querystring=query + engine1.OrderBy(query) // $ querystring=query + engine1.Having(query) // $ querystring=query + engine1.GroupBy(query) // $ querystring=query engine2 := xorm2.Engine{} - engine2.Query(query) // $querystring=query - engine2.QueryString(query) // $querystring=query - engine2.QueryInterface(query) // $querystring=query - engine2.SQL(query) // $querystring=query - engine2.Where(query) // $querystring=query - engine2.Alias(query) // $querystring=query - engine2.NotIn(query) // $querystring=query - engine2.In(query) // $querystring=query - engine2.Select(query) // $querystring=query - engine2.SetExpr(query, nil) // $querystring=query - engine2.OrderBy(query) // $querystring=query - engine2.Having(query) // $querystring=query - engine2.GroupBy(query) // $querystring=query + engine2.Query(query) // $ querystring=query 
+ engine2.QueryString(query) // $ querystring=query + engine2.QueryInterface(query) // $ querystring=query + engine2.SQL(query) // $ querystring=query + engine2.Where(query) // $ querystring=query + engine2.Alias(query) // $ querystring=query + engine2.NotIn(query) // $ querystring=query + engine2.In(query) // $ querystring=query + engine2.Select(query) // $ querystring=query + engine2.SetExpr(query, nil) // $ querystring=query + engine2.OrderBy(query) // $ querystring=query + engine2.Having(query) // $ querystring=query + engine2.GroupBy(query) // $ querystring=query session1 := xorm1.Session{} - session1.Query(query) // $querystring=query - session1.QueryString(query) // $querystring=query - session1.QueryInterface(query) // $querystring=query - session1.SQL(query) // $querystring=query - session1.Where(query) // $querystring=query - session1.Alias(query) // $querystring=query - session1.NotIn(query) // $querystring=query - session1.In(query) // $querystring=query - session1.Select(query) // $querystring=query - session1.SetExpr(query, nil) // $querystring=query - session1.OrderBy(query) // $querystring=query - session1.Having(query) // $querystring=query - session1.GroupBy(query) // $querystring=query - session1.And(query) // $querystring=query - session1.Or(query) // $querystring=query + session1.Query(query) // $ querystring=query + session1.QueryString(query) // $ querystring=query + session1.QueryInterface(query) // $ querystring=query + session1.SQL(query) // $ querystring=query + session1.Where(query) // $ querystring=query + session1.Alias(query) // $ querystring=query + session1.NotIn(query) // $ querystring=query + session1.In(query) // $ querystring=query + session1.Select(query) // $ querystring=query + session1.SetExpr(query, nil) // $ querystring=query + session1.OrderBy(query) // $ querystring=query + session1.Having(query) // $ querystring=query + session1.GroupBy(query) // $ querystring=query + session1.And(query) // $ querystring=query + 
session1.Or(query) // $ querystring=query session2 := xorm2.Session{} - session2.Query(query) // $querystring=query - session2.QueryString(query) // $querystring=query - session2.QueryInterface(query) // $querystring=query - session2.SQL(query) // $querystring=query - session2.Where(query) // $querystring=query - session2.Alias(query) // $querystring=query - session2.NotIn(query) // $querystring=query - session2.In(query) // $querystring=query - session2.Select(query) // $querystring=query - session2.SetExpr(query, nil) // $querystring=query - session2.OrderBy(query) // $querystring=query - session2.Having(query) // $querystring=query - session2.GroupBy(query) // $querystring=query - session2.And(query) // $querystring=query - session2.Or(query) // $querystring=query + session2.Query(query) // $ querystring=query + session2.QueryString(query) // $ querystring=query + session2.QueryInterface(query) // $ querystring=query + session2.SQL(query) // $ querystring=query + session2.Where(query) // $ querystring=query + session2.Alias(query) // $ querystring=query + session2.NotIn(query) // $ querystring=query + session2.In(query) // $ querystring=query + session2.Select(query) // $ querystring=query + session2.SetExpr(query, nil) // $ querystring=query + session2.OrderBy(query) // $ querystring=query + session2.Having(query) // $ querystring=query + session2.GroupBy(query) // $ querystring=query + session2.And(query) // $ querystring=query + session2.Or(query) // $ querystring=query } diff --git a/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Os.go b/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Os.go index a930c2d435f..55be54c83b6 100644 --- a/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Os.go +++ b/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Os.go 
@@ -22,7 +22,7 @@ func TaintStepTest_OsExpandEnv_B0I0O0(sourceCQL interface{}) interface{} {
 func TaintStepTest_OsNewFile_B0I0O0(sourceCQL interface{}) interface{} {
 fromUintptr784 := sourceCQL.(uintptr)
- intoFile957 := os.NewFile(fromUintptr784, "") // $fsaccess=""
+ intoFile957 := os.NewFile(fromUintptr784, "") // $ fsaccess=""
 return intoFile957
 }
@@ -154,30 +154,30 @@ func RunAllTaints_Os() {
 func fsAccesses() {
 var path, path1, part string
 var time time.Time
- os.Chdir(path) // $fsaccess=path
- os.Chmod(path, 0600) // $fsaccess=path
- os.Chown(path, 1000, 1000) // $fsaccess=path
- os.Chtimes(path, time, time) // $fsaccess=path
- os.Create(path) // $fsaccess=path
- os.Lchown(path, 1000, 1000) // $fsaccess=path
- os.Link(path, path1) // $fsaccess=path $fsaccess=path1
- os.Lstat(path) // $fsaccess=path
- os.Mkdir(path, 0600) // $fsaccess=path
- os.MkdirAll(path, 0600) // $fsaccess=path
- os.NewFile(124, path) // $fsaccess=path
- os.Open(path) // $fsaccess=path
- os.OpenFile(path, os.O_RDONLY, 0600) // $fsaccess=path
- os.Readlink(path) // $fsaccess=path
- os.Remove(path) // $fsaccess=path
- os.RemoveAll(path) // $fsaccess=path
- os.Rename(path, path1) // $fsaccess=path $fsaccess=path1
- os.Stat(path) // $fsaccess=path
- os.Symlink(path, path1) // $fsaccess=path $fsaccess=path1
- os.Truncate(path, 1000) // $fsaccess=path
- os.DirFS(path) // $fsaccess=path
- os.ReadDir(path) // $fsaccess=path
- os.ReadFile(path) // $fsaccess=path
- os.MkdirTemp(path, part) // $fsaccess=path $fsaccess=part
- os.CreateTemp(path, part) // $fsaccess=path $fsaccess=part
- os.WriteFile(path, []byte{}, 0600) // $fsaccess=path
+ os.Chdir(path) // $ fsaccess=path
+ os.Chmod(path, 0600) // $ fsaccess=path
+ os.Chown(path, 1000, 1000) // $ fsaccess=path
+ os.Chtimes(path, time, time) // $ fsaccess=path
+ os.Create(path) // $ fsaccess=path
+ os.Lchown(path, 1000, 1000) // $ fsaccess=path
+ os.Link(path, path1) // $ fsaccess=path $fsaccess=path1
+ os.Lstat(path) // $ fsaccess=path
+ os.Mkdir(path, 0600) // $ fsaccess=path
+ os.MkdirAll(path, 0600) // $ fsaccess=path
+ os.NewFile(124, path) // $ fsaccess=path
+ os.Open(path) // $ fsaccess=path
+ os.OpenFile(path, os.O_RDONLY, 0600) // $ fsaccess=path
+ os.Readlink(path) // $ fsaccess=path
+ os.Remove(path) // $ fsaccess=path
+ os.RemoveAll(path) // $ fsaccess=path
+ os.Rename(path, path1) // $ fsaccess=path $fsaccess=path1
+ os.Stat(path) // $ fsaccess=path
+ os.Symlink(path, path1) // $ fsaccess=path $fsaccess=path1
+ os.Truncate(path, 1000) // $ fsaccess=path
+ os.DirFS(path) // $ fsaccess=path
+ os.ReadDir(path) // $ fsaccess=path
+ os.ReadFile(path) // $ fsaccess=path
+ os.MkdirTemp(path, part) // $ fsaccess=path $fsaccess=part
+ os.CreateTemp(path, part) // $ fsaccess=path $fsaccess=part
+ os.WriteFile(path, []byte{}, 0600) // $ fsaccess=path
 }
diff --git a/ql/test/library-tests/semmle/go/frameworks/Yaml/yaml.go b/ql/test/library-tests/semmle/go/frameworks/Yaml/yaml.go
index cf3d29500b2..6949542c731 100644
--- a/ql/test/library-tests/semmle/go/frameworks/Yaml/yaml.go
+++ b/ql/test/library-tests/semmle/go/frameworks/Yaml/yaml.go
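Review bot: The new-side lines for `os.Link`, `os.Rename`, `os.Symlink`, `os.MkdirTemp` and `os.CreateTemp` keep a second `$` inside the comment (`// $ fsaccess=path $fsaccess=path1`), so the old and new annotation forms are mixed on one line; if the updated framework now reads everything after the leading `$` as whitespace-separated `tag=value` pairs, the second expectation would carry the tag `$fsaccess` and no longer match the `fsaccess` result. Dropping the inner marker, e.g. `os.Link(path, path1) // $ fsaccess=path fsaccess=path1`, keeps each line to a single `$`. The yaml.go hunk has the same mix on its `$ marshaler=... $ttfnmodelstep=...` and `$ unmarshaler=... $ttfnmodelstep=...` lines. The diffstat of the later "Only one dollar sign in each comment" patch in this series lists both Os.go and yaml.go, so this appears to be corrected there rather than in this commit.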
@@ -1,41 +1,42 @@
 package main
 import (
+ "io"
+
 yaml1 "gopkg.in/yaml.v1"
 yaml2 "gopkg.in/yaml.v2"
 yaml3 "gopkg.in/yaml.v3"
- "io"
 )
 func main() {
 var in, out interface{}
 var inb []byte
- out, _ = yaml1.Marshal(in) // $marshaler="yaml: in -> ... = ...[0]" $ttfnmodelstep="in -> ... = ...[0]"
- yaml1.Unmarshal(inb, out) // $unmarshaler="yaml: inb -> definition of out" $ttfnmodelstep="inb -> definition of out"
+ out, _ = yaml1.Marshal(in) // $ marshaler="yaml: in -> ... = ...[0]" $ttfnmodelstep="in -> ... = ...[0]"
+ yaml1.Unmarshal(inb, out) // $ unmarshaler="yaml: inb -> definition of out" $ttfnmodelstep="inb -> definition of out"
- out, _ = yaml2.Marshal(in) // $marshaler="yaml: in -> ... = ...[0]" $ttfnmodelstep="in -> ... = ...[0]"
- yaml2.Unmarshal(inb, out) // $unmarshaler="yaml: inb -> definition of out" $ttfnmodelstep="inb -> definition of out"
- yaml2.UnmarshalStrict(inb, out) // $unmarshaler="yaml: inb -> definition of out" $ttfnmodelstep="inb -> definition of out"
+ out, _ = yaml2.Marshal(in) // $ marshaler="yaml: in -> ... = ...[0]" $ttfnmodelstep="in -> ... = ...[0]"
+ yaml2.Unmarshal(inb, out) // $ unmarshaler="yaml: inb -> definition of out" $ttfnmodelstep="inb -> definition of out"
+ yaml2.UnmarshalStrict(inb, out) // $ unmarshaler="yaml: inb -> definition of out" $ttfnmodelstep="inb -> definition of out"
 var r io.Reader
- d := yaml2.NewDecoder(r) // $ttfnmodelstep="r -> call to NewDecoder"
- d.Decode(out) // $ttfnmodelstep="d -> definition of out"
+ d := yaml2.NewDecoder(r) // $ ttfnmodelstep="r -> call to NewDecoder"
+ d.Decode(out) // $ ttfnmodelstep="d -> definition of out"
 var w io.Writer
- e := yaml2.NewEncoder(w) // $ttfnmodelstep="definition of e -> definition of w"
- e.Encode(in) // $ttfnmodelstep="in -> definition of e"
+ e := yaml2.NewEncoder(w) // $ ttfnmodelstep="definition of e -> definition of w"
+ e.Encode(in) // $ ttfnmodelstep="in -> definition of e"
- out, _ = yaml3.Marshal(in) // $marshaler="yaml: in -> ... = ...[0]" $ttfnmodelstep="in -> ... = ...[0]"
- yaml3.Unmarshal(inb, out) // $unmarshaler="yaml: inb -> definition of out" $ttfnmodelstep="inb -> definition of out"
+ out, _ = yaml3.Marshal(in) // $ marshaler="yaml: in -> ... = ...[0]" $ttfnmodelstep="in -> ... = ...[0]"
+ yaml3.Unmarshal(inb, out) // $ unmarshaler="yaml: inb -> definition of out" $ttfnmodelstep="inb -> definition of out"
- d1 := yaml3.NewDecoder(r) // $ttfnmodelstep="r -> call to NewDecoder"
- d1.Decode(out) // $ttfnmodelstep="d1 -> definition of out"
+ d1 := yaml3.NewDecoder(r) // $ ttfnmodelstep="r -> call to NewDecoder"
+ d1.Decode(out) // $ ttfnmodelstep="d1 -> definition of out"
- e1 := yaml3.NewEncoder(w) // $ttfnmodelstep="definition of e1 -> definition of w"
- e1.Encode(in) // $ttfnmodelstep="in -> definition of e1"
+ e1 := yaml3.NewEncoder(w) // $ ttfnmodelstep="definition of e1 -> definition of w"
+ e1.Encode(in) // $ ttfnmodelstep="in -> definition of e1"
 var n1 yaml3.Node
- n1.Decode(out) // $ttfnmodelstep="n1 -> definition of out"
- n1.Encode(in) // $ttfnmodelstep="in -> definition of n1"
+ n1.Decode(out) // $ ttfnmodelstep="n1 -> definition of out"
+ n1.Encode(in) // $ ttfnmodelstep="in -> definition of n1"
 }
diff --git a/ql/test/library-tests/semmle/go/frameworks/Zap/test.go b/ql/test/library-tests/semmle/go/frameworks/Zap/test.go
index 63f10b5273e..522f51c8693 100644
--- a/ql/test/library-tests/semmle/go/frameworks/Zap/test.go
+++ b/ql/test/library-tests/semmle/go/frameworks/Zap/test.go
@@ -18,72 +18,72 @@ func getUntrustedString() string {
 func testZapLoggerDPanic() {
 logger, _ := zap.NewProduction()
- logger.DPanic(getUntrustedString()) // $zap="call to getUntrustedString"
+ logger.DPanic(getUntrustedString()) // $ zap="call to getUntrustedString"
 }
 func testZapLoggerFatal() {
 logger := zap.NewExample()
- logger.Fatal("msg", zap.String(getUntrustedString(), "value")) // $zap="call to String"
+ logger.Fatal("msg", zap.String(getUntrustedString(), "value")) // $ zap="call to String"
 }
 func testZapLoggerPanic() {
 logger, _ := zap.NewDevelopment()
- logger.Panic("msg", zap.Any("key", getUntrustedData())) // $zap="call to Any"
+ logger.Panic("msg", zap.Any("key", getUntrustedData())) // $ zap="call to Any"
 }
 func testZapLoggerDebug(core zapcore.Core, byteArray []byte) {
 logger := zap.New(core)
- logger.Debug(getUntrustedString()) // $zap="call to getUntrustedString"
- logger.Debug("msg", zap.Binary(getUntrustedString(), byteArray)) // $zap="call to Binary"
- logger.Debug("msg", zap.ByteString("key", getUntrustedData().([]byte))) // $zap="call to ByteString"
+ logger.Debug(getUntrustedString()) // $ zap="call to getUntrustedString"
+ logger.Debug("msg", zap.Binary(getUntrustedString(), byteArray)) // $ zap="call to Binary"
+ logger.Debug("msg", zap.ByteString("key", getUntrustedData().([]byte))) // $ zap="call to ByteString"
 }
 func testZapLoggerError(bss [][]byte) {
 logger := zap.L()
- logger.Error(getUntrustedString()) // $zap="call to getUntrustedString"
- logger.Error("msg", zap.ByteStrings(getUntrustedString(), bss)) // $zap="call to ByteStrings"
- logger.Error("msg", zap.Error(getUntrustedData().(error))) // $zap="call to Error"
+ logger.Error(getUntrustedString()) // $ zap="call to getUntrustedString"
+ logger.Error("msg", zap.ByteStrings(getUntrustedString(), bss)) // $ zap="call to ByteStrings"
+ logger.Error("msg", zap.Error(getUntrustedData().(error))) // $ zap="call to Error"
 }
 func testZapLoggerInfo(logger *zap.Logger, errs []error) {
- logger.Info(getUntrustedString()) // $zap="call to getUntrustedString"
- logger.Info("msg", zap.Errors(getUntrustedString(), errs)) // $zap="call to Errors"
- logger.Info("msg", zap.NamedError("key", getUntrustedData().(error))) // $zap="call to NamedError"
+ logger.Info(getUntrustedString()) // $ zap="call to getUntrustedString"
+ logger.Info("msg", zap.Errors(getUntrustedString(), errs)) // $ zap="call to Errors"
+ logger.Info("msg", zap.NamedError("key", getUntrustedData().(error))) // $ zap="call to NamedError"
 }
 func testZapLoggerWarn(logger *zap.Logger) {
- logger.Warn(getUntrustedString()) // $zap="call to getUntrustedString"
- logger.Warn("msg", zap.Reflect(getUntrustedString(), nil)) // $zap="call to Reflect"
- logger.Warn("msg", zap.Stringp("key", getUntrustedData().(*string))) // $zap="call to Stringp"
- logger.Warn("msg", zap.Strings("key", getUntrustedData().([]string))) // $zap="call to Strings"
+ logger.Warn(getUntrustedString()) // $ zap="call to getUntrustedString"
+ logger.Warn("msg", zap.Reflect(getUntrustedString(), nil)) // $ zap="call to Reflect"
+ logger.Warn("msg", zap.Stringp("key", getUntrustedData().(*string))) // $ zap="call to Stringp"
+ logger.Warn("msg", zap.Strings("key", getUntrustedData().([]string))) // $ zap="call to Strings"
 }
 func testZapLoggerNop() {
 // We do not currently recognise that a logger made using NewNop() does not actually do any logging
 logger := zap.NewNop()
- logger.Debug(getUntrustedString()) // $SPURIOUS:zap="call to getUntrustedString"
+ logger.Debug(getUntrustedString()) // $ SPURIOUS:zap="call to getUntrustedString"
 }
 func testLoggerNamed(logger *zap.Logger) {
- namedLogger := logger.Named(getUntrustedString()) // $zap="call to getUntrustedString"
+ namedLogger := logger.Named(getUntrustedString()) // $ zap="call to getUntrustedString"
 namedLogger.Info("hello world")
 }
 func testLoggerWith(logger *zap.Logger) *zap.Logger {
- logger1 := logger.With(zap.Any(getUntrustedString(), nil)) // $zap="call to Any"
+ logger1 := logger.With(zap.Any(getUntrustedString(), nil)) // $ zap="call to Any"
 logger1.Info("hello world")
- logger2 := logger.With(zap.String("key", getUntrustedString())) // $zap="call to String"
+ logger2 := logger.With(zap.String("key", getUntrustedString())) // $ zap="call to String"
 logger2.Info("hello world")
- logger3 := logger.With(zap.String("key", getUntrustedString())) // $SPURIOUS:zap="call to String"
+ logger3 := logger.With(zap.String("key", getUntrustedString())) // $ SPURIOUS:zap="call to String"
 return logger3
 }
 func getLoggerWithUntrustedField() *zap.Logger {
- return zap.NewExample().With(zap.NamedError("key", getUntrustedData().(error))) // $zap="call to NamedError"
+ return zap.NewExample().With(zap.NamedError("key", getUntrustedData().(error))) // $ zap="call to NamedError"
 }
 func getLoggerWithUntrustedFieldUnused() *zap.Logger {
- return zap.NewExample().With(zap.NamedError("key", getUntrustedData().(error))) // $SPURIOUS:zap="call to NamedError"
+ return zap.NewExample().With(zap.NamedError("key", getUntrustedData().(error))) // $ SPURIOUS:zap="call to NamedError"
 }
 func testLoggerWithAcrossFunctionBoundary() {
@@ -91,91 +91,91 @@ func testLoggerWithAcrossFunctionBoundary() {
 }
 func testLoggerWithOptions(logger *zap.Logger) *zap.Logger {
- logger1 := logger.WithOptions(zap.Fields(zap.Any(getUntrustedString(), nil))) // $zap="call to Fields"
+ logger1 := logger.WithOptions(zap.Fields(zap.Any(getUntrustedString(), nil))) // $ zap="call to Fields"
 logger1.Info("hello world")
- logger2 := logger.WithOptions(zap.Fields(zap.String("key", getUntrustedString()))) // $zap="call to Fields"
+ logger2 := logger.WithOptions(zap.Fields(zap.String("key", getUntrustedString()))) // $ zap="call to Fields"
 logger2.Info("hello world")
- logger3 := logger.WithOptions(zap.Fields(zap.String("key", getUntrustedString()))) // $SPURIOUS:zap="call to Fields"
+ logger3 := logger.WithOptions(zap.Fields(zap.String("key", getUntrustedString()))) // $ SPURIOUS:zap="call to Fields"
 return logger3
 }
 func testZapSugaredLoggerDPanic(sugaredLogger *zap.SugaredLogger) {
- sugaredLogger.DPanic(getUntrustedData()) // $zap="call to getUntrustedData"
+ sugaredLogger.DPanic(getUntrustedData()) // $ zap="call to getUntrustedData"
 }
 func testZapSugaredLoggerDPanicf(sugaredLogger *zap.SugaredLogger) {
- sugaredLogger.DPanicf(getUntrustedString()) // $zap="call to getUntrustedString"
+ sugaredLogger.DPanicf(getUntrustedString()) // $ zap="call to getUntrustedString"
 }
 func testZapSugaredLoggerDPanicw(sugaredLogger *zap.SugaredLogger) {
- sugaredLogger.DPanicw(getUntrustedString()) // $zap="call to getUntrustedString"
+ sugaredLogger.DPanicw(getUntrustedString()) // $ zap="call to getUntrustedString"
 }
 func testZapSugaredLoggerFatal(sugaredLogger *zap.SugaredLogger) {
- sugaredLogger.Fatal(getUntrustedData()) // $zap="call to getUntrustedData"
+ sugaredLogger.Fatal(getUntrustedData()) // $ zap="call to getUntrustedData"
 }
 func testZapSugaredLoggerFatalf(sugaredLogger *zap.SugaredLogger) {
- sugaredLogger.Fatalf(getUntrustedString()) // $zap="call to getUntrustedString"
+ sugaredLogger.Fatalf(getUntrustedString()) // $ zap="call to getUntrustedString"
 }
 func testZapSugaredLoggerFatalw(sugaredLogger *zap.SugaredLogger) {
- sugaredLogger.Fatalw(getUntrustedString()) // $zap="call to getUntrustedString"
+ sugaredLogger.Fatalw(getUntrustedString()) // $ zap="call to getUntrustedString"
 }
 func testZapSugaredLoggerPanic(sugaredLogger *zap.SugaredLogger) {
- sugaredLogger.Panic(getUntrustedData()) // $zap="call to getUntrustedData"
+ sugaredLogger.Panic(getUntrustedData()) // $ zap="call to getUntrustedData"
 }
 func testZapSugaredLoggerPanicf(sugaredLogger *zap.SugaredLogger) {
- sugaredLogger.Panicf(getUntrustedString()) // $zap="call to getUntrustedString"
+ sugaredLogger.Panicf(getUntrustedString()) // $ zap="call to getUntrustedString"
 }
 func testZapSugaredLoggerPanicw(sugaredLogger *zap.SugaredLogger) {
- sugaredLogger.Panicw(getUntrustedString()) // $zap="call to getUntrustedString"
+ sugaredLogger.Panicw(getUntrustedString()) // $ zap="call to getUntrustedString"
 }
 func testZapSugaredLoggerDebug() {
 sugaredLogger := zap.S()
- sugaredLogger.Debug(getUntrustedData()) // $zap="call to getUntrustedData"
- sugaredLogger.Debugf("msg", getUntrustedData()) // $zap="call to getUntrustedData"
- sugaredLogger.Debugw("msg", "key", getUntrustedData()) // $zap="call to getUntrustedData"
+ sugaredLogger.Debug(getUntrustedData()) // $ zap="call to getUntrustedData"
+ sugaredLogger.Debugf("msg", getUntrustedData()) // $ zap="call to getUntrustedData"
+ sugaredLogger.Debugw("msg", "key", getUntrustedData()) // $ zap="call to getUntrustedData"
 }
 func testZapSugaredLoggerError() {
 logger, _ := zap.NewProduction()
 sugaredLogger := logger.Sugar()
- sugaredLogger.Error(getUntrustedData()) // $zap="call to getUntrustedData"
- sugaredLogger.Errorf("msg", getUntrustedData()) // $zap="call to getUntrustedData"
- sugaredLogger.Errorw("msg", "key", getUntrustedData()) // $zap="call to getUntrustedData"
+ sugaredLogger.Error(getUntrustedData()) // $ zap="call to getUntrustedData"
+ sugaredLogger.Errorf("msg", getUntrustedData()) // $ zap="call to getUntrustedData"
+ sugaredLogger.Errorw("msg", "key", getUntrustedData()) // $ zap="call to getUntrustedData"
 }
 func testZapSugaredLoggerInfo() {
 logger := zap.NewExample()
 sugaredLogger := logger.Sugar()
- sugaredLogger.Info(getUntrustedData()) // $zap="call to getUntrustedData"
- sugaredLogger.Infof("msg", getUntrustedData()) // $zap="call to getUntrustedData"
- sugaredLogger.Infow("msg", "key", getUntrustedData()) // $zap="call to getUntrustedData"
+ sugaredLogger.Info(getUntrustedData()) // $ zap="call to getUntrustedData"
+ sugaredLogger.Infof("msg", getUntrustedData()) // $ zap="call to getUntrustedData"
+ sugaredLogger.Infow("msg", "key", getUntrustedData()) // $ zap="call to getUntrustedData"
 }
 func testZapSugaredLoggerWarn() {
 logger, _ := zap.NewDevelopment()
 sugaredLogger := logger.Sugar()
- sugaredLogger.Warn(getUntrustedData()) // $zap="call to getUntrustedData"
- sugaredLogger.Warnf("msg", getUntrustedData()) // $zap="call to getUntrustedData"
- sugaredLogger.Warnw("msg", "key", getUntrustedData()) // $zap="call to getUntrustedData"
+ sugaredLogger.Warn(getUntrustedData()) // $ zap="call to getUntrustedData"
+ sugaredLogger.Warnf("msg", getUntrustedData()) // $ zap="call to getUntrustedData"
+ sugaredLogger.Warnw("msg", "key", getUntrustedData()) // $ zap="call to getUntrustedData"
 }
 func testZapSugaredLoggerNamed() {
 logger := zap.L()
 sugaredLogger := logger.Sugar()
- sugaredLogger.Named(getUntrustedString()) // $zap="call to getUntrustedString"
+ sugaredLogger.Named(getUntrustedString()) // $ zap="call to getUntrustedString"
 sugaredLogger.Info("msg")
 }
 func testZapSugaredLoggerWith() {
 logger := zap.L()
 sugaredLogger := logger.Sugar()
- sugaredLogger.With("key", getUntrustedData()) // $zap="call to getUntrustedData"
+ sugaredLogger.With("key", getUntrustedData()) // $ zap="call to getUntrustedData"
 sugaredLogger.Info("msg")
 }
From f38fd5722f3901d3f32ba08f1918b3059c952486 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Wed, 20 Oct 2021 09:36:33 +0100
Subject: [PATCH 7/9] Only one dollar sign in each comment
---
 .../frameworks/CleverGo/HeaderWrite.go | 12 +++----
 .../frameworks/CleverGo/HttpResponseBody.go | 32 +++++++++----------
 .../frameworks/CleverGo/TaintTracking.go | 4 +--
 .../frameworks/Fiber/HeaderWrite.go | 4 +--
 .../frameworks/Fiber/ResponseBody.go | 4 +--
 .../semmle/go/concepts/LoggerCall/glog.go | 20 ++++++------
 .../semmle/go/concepts/LoggerCall/logrus.go | 6 ++--
 .../semmle/go/concepts/LoggerCall/stdlib.go | 12 +++----
 .../go/dataflow/PromotedMethods/methods.go | 12 +++----
 .../go/frameworks/ElazarlGoproxy/main.go | 2 +-
 .../semmle/go/frameworks/Revel/EndToEnd.go | 10 +++---
 .../Revel/examples/booking/app/init.go | 4 +--
 .../go/frameworks/StdlibTaintFlow/Os.go | 10 +++---
 .../semmle/go/frameworks/Yaml/yaml.go | 14 ++++----
 14 files changed, 73 insertions(+), 73 deletions(-)
diff --git a/ql/test/experimental/frameworks/CleverGo/HeaderWrite.go b/ql/test/experimental/frameworks/CleverGo/HeaderWrite.go
index 217e1a5bc87..a02923da4ee 100644
--- a/ql/test/experimental/frameworks/CleverGo/HeaderWrite.go
+++ b/ql/test/experimental/frameworks/CleverGo/HeaderWrite.go
@@ -15,7 +15,7 @@ func HeaderWrite_ClevergoTechClevergoV052() {
 keyString506 := source().(string)
 valString213 := source().(string)
 var rece clevergo.Context
- rece.SetHeader(keyString506, valString213) // $ headerKeyNode=keyString506 $headerValNode=valString213
+ rece.SetHeader(keyString506, valString213) // $ headerKeyNode=keyString506 headerValNode=valString213
 }
 }
 }
@@ -27,7 +27,7 @@ func HeaderWrite_ClevergoTechClevergoV052() {
 {
 valString468 := source().(string)
 var rece clevergo.Context
- rece.SetContentType(valString468) // $ headerKey=content-type $headerValNode=valString468
+ rece.SetContentType(valString468) // $ headerKey=content-type headerValNode=valString468
 }
 }
 }
@@ -38,22 +38,22 @@ func HeaderWrite_ClevergoTechClevergoV052() {
 // func (*Context).SetContentTypeHTML()
 {
 var rece clevergo.Context
- rece.SetContentTypeHTML() // $ headerKey=content-type $headerVal=text/html
+ rece.SetContentTypeHTML() // $ headerKey=content-type headerVal=text/html
 }
 // func (*Context).SetContentTypeJSON()
 {
 var rece clevergo.Context
- rece.SetContentTypeJSON() // $ headerKey=content-type $headerVal=application/json
+ rece.SetContentTypeJSON() // $ headerKey=content-type headerVal=application/json
 }
 // func (*Context).SetContentTypeText()
 {
 var rece clevergo.Context
- rece.SetContentTypeText() // $ headerKey=content-type $headerVal=text/plain
+ rece.SetContentTypeText() // $ headerKey=content-type headerVal=text/plain
 }
 // func (*Context).SetContentTypeXML()
 {
 var rece clevergo.Context
- rece.SetContentTypeXML() // $ headerKey=content-type $headerVal=text/xml
+ rece.SetContentTypeXML() // $ headerKey=content-type headerVal=text/xml
 }
 }
 }
diff --git a/ql/test/experimental/frameworks/CleverGo/HttpResponseBody.go b/ql/test/experimental/frameworks/CleverGo/HttpResponseBody.go
index 12401a37e34..ff5e0d50031 100644
--- a/ql/test/experimental/frameworks/CleverGo/HttpResponseBody.go
+++ b/ql/test/experimental/frameworks/CleverGo/HttpResponseBody.go
@@ -14,86 +14,86 @@ func HttpResponseBody_ClevergoTechClevergoV052() {
 {
 bodyString145 := source().(string)
 var rece clevergo.Context
- rece.Error(0, bodyString145) // $ contentType=text/plain $responseBody=bodyString145
+ rece.Error(0, bodyString145) // $ contentType=text/plain responseBody=bodyString145
 }
 // func (*Context).HTML(code int, html string) error
 {
 bodyString817 := source().(string)
 var rece clevergo.Context
- rece.HTML(0, bodyString817) // $ contentType=text/html $responseBody=bodyString817
+ rece.HTML(0, bodyString817) // $ contentType=text/html responseBody=bodyString817
 }
 // func (*Context).HTMLBlob(code int, bs []byte) error
 {
 bodyByte474 := source().([]byte)
 var rece clevergo.Context
- rece.HTMLBlob(0, bodyByte474) // $ contentType=text/html $responseBody=bodyByte474
+ rece.HTMLBlob(0, bodyByte474) // $ contentType=text/html responseBody=bodyByte474
 }
 // func (*Context).JSON(code int, data interface{}) error
 {
 bodyInterface832 := source().(interface{})
 var rece clevergo.Context
- rece.JSON(0, bodyInterface832) // $ contentType=application/json $responseBody=bodyInterface832
+ rece.JSON(0, bodyInterface832) // $ contentType=application/json responseBody=bodyInterface832
 }
 // func (*Context).JSONBlob(code int, bs []byte) error
 {
 bodyByte378 := source().([]byte)
 var rece clevergo.Context
- rece.JSONBlob(0, bodyByte378) // $ contentType=application/json $responseBody=bodyByte378
+ rece.JSONBlob(0, bodyByte378) // $ contentType=application/json responseBody=bodyByte378
 }
 // func (*Context).JSONP(code int, data interface{}) error
 {
 bodyInterface541 := source().(interface{})
 var rece clevergo.Context
- rece.JSONP(0, bodyInterface541) // $ contentType=application/javascript $responseBody=bodyInterface541
+ rece.JSONP(0, bodyInterface541) // $ contentType=application/javascript responseBody=bodyInterface541
 }
 // func (*Context).JSONPBlob(code int, bs []byte) error
 {
 bodyByte139 := source().([]byte)
 var rece clevergo.Context
- rece.JSONPBlob(0, bodyByte139) // $ contentType=application/javascript $responseBody=bodyByte139
+ rece.JSONPBlob(0, bodyByte139) // $ contentType=application/javascript responseBody=bodyByte139
 }
 // func (*Context).JSONPCallback(code int, callback string, data interface{}) error
 {
 bodyInterface814 := source().(interface{})
 var rece clevergo.Context
- rece.JSONPCallback(0, "", bodyInterface814) // $ contentType=application/javascript $responseBody=bodyInterface814
+ rece.JSONPCallback(0, "", bodyInterface814) // $ contentType=application/javascript responseBody=bodyInterface814
 }
 // func (*Context).JSONPCallbackBlob(code int, callback string, bs []byte) (err error)
 {
 bodyByte768 := source().([]byte)
 var rece clevergo.Context
- rece.JSONPCallbackBlob(0, "", bodyByte768) // $ contentType=application/javascript $responseBody=bodyByte768
+ rece.JSONPCallbackBlob(0, "", bodyByte768) // $ contentType=application/javascript responseBody=bodyByte768
 }
 // func (*Context).String(code int, s string) error
 {
 bodyString468 := source().(string)
 var rece clevergo.Context
- rece.String(0, bodyString468) // $ contentType=text/plain $responseBody=bodyString468
+ rece.String(0, bodyString468) // $ contentType=text/plain responseBody=bodyString468
 }
 // func (*Context).StringBlob(code int, bs []byte) error
 {
 bodyByte736 := source().([]byte)
 var rece clevergo.Context
- rece.StringBlob(0, bodyByte736) // $ contentType=text/plain $responseBody=bodyByte736
+ rece.StringBlob(0, bodyByte736) // $ contentType=text/plain responseBody=bodyByte736
 }
 // func (*Context).Stringf(code int, format string, a ...interface{}) error
 {
 bodyString516 := source().(string)
 bodyInterface246 := source().(interface{})
 var rece clevergo.Context
- rece.Stringf(0, bodyString516, bodyInterface246) // $ contentType=text/plain $responseBody=bodyString516 $responseBody=bodyInterface246
+ rece.Stringf(0, bodyString516, bodyInterface246) // $ contentType=text/plain responseBody=bodyString516 responseBody=bodyInterface246
 }
 // func (*Context).XML(code int, data interface{}) error
 {
 bodyInterface679 := source().(interface{})
 var rece clevergo.Context
- rece.XML(0, bodyInterface679) // $ contentType=text/xml $responseBody=bodyInterface679
+ rece.XML(0, bodyInterface679) // $ contentType=text/xml responseBody=bodyInterface679
 }
 // func (*Context).XMLBlob(code int, bs []byte) error
 {
 bodyByte736 := source().([]byte)
 var rece clevergo.Context
- rece.XMLBlob(0, bodyByte736) // $ contentType=text/xml $responseBody=bodyByte736
+ rece.XMLBlob(0, bodyByte736) // $ contentType=text/xml responseBody=bodyByte736
 }
 }
 }
@@ -105,13 +105,13 @@ func HttpResponseBody_ClevergoTechClevergoV052() {
 {
 bodyByte839 := source().([]byte)
 var rece clevergo.Context
- rece.Blob(0, "application/json", bodyByte839) // $ contentType=application/json $responseBody=bodyByte839
+ rece.Blob(0, "application/json", bodyByte839) // $ contentType=application/json responseBody=bodyByte839
 }
 // func (*Context).Emit(code int, contentType string, body string) (err error)
 {
 bodyString273 := source().(string)
 var rece clevergo.Context
- rece.Emit(0, "application/json", bodyString273) // $ contentType=application/json $responseBody=bodyString273
+ rece.Emit(0, "application/json", bodyString273) // $ contentType=application/json responseBody=bodyString273
 }
 }
 }
diff --git a/ql/test/experimental/frameworks/CleverGo/TaintTracking.go b/ql/test/experimental/frameworks/CleverGo/TaintTracking.go
index 92c6a501361..362eedf785a 100644
--- a/ql/test/experimental/frameworks/CleverGo/TaintTracking.go
+++ b/ql/test/experimental/frameworks/CleverGo/TaintTracking.go
@@ -55,7 +55,7 @@ func TaintTracking_ClevergoTechClevergoV052() {
 {
 fromParams396 := source().(clevergo.Params)
 intoString707 := fromParams396.String("")
- sink(intoString707) // $ taintSink $untrustedFlowSource
+ sink(intoString707) // $ taintSink untrustedFlowSource
 }
 }
 }
@@ -69,7 +69,7 @@ func TaintTracking_ClevergoTechClevergoV052() {
 var intoInterface718 interface{}
 var mediumObjCQL clevergo.Decoder
 mediumObjCQL.Decode(fromRequest912, intoInterface718)
- sink(intoInterface718) // $ taintSink $untrustedFlowSource
+ sink(intoInterface718) // $ taintSink untrustedFlowSource
 }
 }
 // Taint-tracking through method calls on clevergo.tech/clevergo.Renderer interface.
diff --git a/ql/test/experimental/frameworks/Fiber/HeaderWrite.go b/ql/test/experimental/frameworks/Fiber/HeaderWrite.go
index e4798e60532..3a797b1ddcb 100644
--- a/ql/test/experimental/frameworks/Fiber/HeaderWrite.go
+++ b/ql/test/experimental/frameworks/Fiber/HeaderWrite.go
@@ -15,14 +15,14 @@ func HeaderWrite_GithubComGofiberFiberV1146() {
 keyString378 := source().(string)
 valString541 := source().(string)
 var rece fiber.Ctx
- rece.Append(keyString378, valString541) // $ headerKeyNode=keyString378 $headerValNode=valString541
+ rece.Append(keyString378, valString541) // $ headerKeyNode=keyString378 headerValNode=valString541
 }
 // func (*Ctx).Set(key string, val string)
 {
 keyString139 := source().(string)
 valString814 := source().(string)
 var rece fiber.Ctx
- rece.Set(keyString139, valString814) // $ headerKeyNode=keyString139 $headerValNode=valString814
+ rece.Set(keyString139, valString814) // $ headerKeyNode=keyString139 headerValNode=valString814
 }
 }
 }
diff --git a/ql/test/experimental/frameworks/Fiber/ResponseBody.go b/ql/test/experimental/frameworks/Fiber/ResponseBody.go
index f9465b68dee..3d270168790 100644
--- a/ql/test/experimental/frameworks/Fiber/ResponseBody.go
+++ b/ql/test/experimental/frameworks/Fiber/ResponseBody.go
@@ -18,13 +18,13 @@ func ResponseBody_GithubComGofiberFiberV1146() {
 {
 bodyInterface768 := source().(interface{})
 var rece fiber.Ctx
- rece.JSON(bodyInterface768) // $ contentType=application/json $responseBody=bodyInterface768
+ rece.JSON(bodyInterface768) // $ contentType=application/json responseBody=bodyInterface768
 }
 // func (*Ctx).JSONP(data interface{}, callback ...string) error
 {
 bodyInterface468 := source().(interface{})
 var rece fiber.Ctx
- rece.JSONP(bodyInterface468, "") // $ contentType=application/javascript $responseBody=bodyInterface468
+ rece.JSONP(bodyInterface468, "") // $ contentType=application/javascript responseBody=bodyInterface468
 }
 }
 }
diff --git a/ql/test/library-tests/semmle/go/concepts/LoggerCall/glog.go b/ql/test/library-tests/semmle/go/concepts/LoggerCall/glog.go
index 93d245f05b2..c2e4b91a869 100644
--- a/ql/test/library-tests/semmle/go/concepts/LoggerCall/glog.go
+++ b/ql/test/library-tests/semmle/go/concepts/LoggerCall/glog.go
@@ -11,43 +11,43 @@ import (
 func glogTest() {
 glog.Error(text) // $ logger=text
 glog.ErrorDepth(0, text) // $ MISSING:logger=text
- glog.Errorf(fmt, text) // $ logger=fmt $logger=text
+ glog.Errorf(fmt, text) // $ logger=fmt logger=text
 glog.Errorln(text) // $ logger=text
 glog.Exit(text) // $ logger=text
 glog.ExitDepth(0, text) // $ MISSING:logger=text
- glog.Exitf(fmt, text) // $ logger=fmt $logger=text
+ glog.Exitf(fmt, text) // $ logger=fmt logger=text
 glog.Exitln(text) // $ logger=text
 glog.Fatal(text) // $ logger=text
 glog.FatalDepth(0, text) // $ MISSING:logger=text
- glog.Fatalf(fmt, text) // $ logger=fmt $logger=text
+ glog.Fatalf(fmt, text) // $ logger=fmt logger=text
 glog.Fatalln(text) // $ logger=text
 glog.Info(text) // $ logger=text
 glog.InfoDepth(0, text) // $ MISSING:logger=text
- glog.Infof(fmt, text) // $ logger=fmt $logger=text
+ glog.Infof(fmt, text) // $ logger=fmt logger=text
 glog.Infoln(text) // $ logger=text
 glog.Warning(text) // $ logger=text
 glog.WarningDepth(0, text) // $ MISSING:logger=text
- glog.Warningf(fmt, text) // $ logger=fmt $logger=text
+ glog.Warningf(fmt, text) // $ logger=fmt logger=text
 glog.Warningln(text) // $ logger=text
 klog.Error(text) // $ logger=text
 klog.ErrorDepth(0, text) // $ MISSING:logger=text
- klog.Errorf(fmt, text) // $ logger=fmt $logger=text
+ klog.Errorf(fmt, text) // $ logger=fmt logger=text
 klog.Errorln(text) // $ logger=text
 klog.Exit(text) // $ logger=text
 klog.ExitDepth(0, text) // $ MISSING:logger=text
- klog.Exitf(fmt, text) // $ logger=fmt $logger=text
+ klog.Exitf(fmt, text) // $ logger=fmt logger=text
 klog.Exitln(text) // $ logger=text
 klog.Fatal(text) // $ logger=text
 klog.FatalDepth(0, text) // $ MISSING:logger=text
- klog.Fatalf(fmt, text) // $ logger=fmt $logger=text
+ klog.Fatalf(fmt, text) // $ logger=fmt logger=text
 klog.Fatalln(text) // $ logger=text
 klog.Info(text) // $ logger=text
 klog.InfoDepth(0, text) // $ MISSING:logger=text
- klog.Infof(fmt, text) // $ logger=fmt $logger=text
+ klog.Infof(fmt, text) // $ logger=fmt logger=text
 klog.Infoln(text) // $ logger=text
 klog.Warning(text) // $ logger=text
 klog.WarningDepth(0, text) // $ MISSING:logger=text
- klog.Warningf(fmt, text) // $ logger=fmt $logger=text
+ klog.Warningf(fmt, text) // $ logger=fmt logger=text
 klog.Warningln(text) // $ logger=text
 }
diff --git a/ql/test/library-tests/semmle/go/concepts/LoggerCall/logrus.go b/ql/test/library-tests/semmle/go/concepts/LoggerCall/logrus.go
index dd42b8576a7..9f85565ad42 100644
--- a/ql/test/library-tests/semmle/go/concepts/LoggerCall/logrus.go
+++ b/ql/test/library-tests/semmle/go/concepts/LoggerCall/logrus.go
@@ -19,7 +19,7 @@ func logrusCalls() {
 var fn logrus.LogFunction = nil
 var ctx context.Context
 tmp := logrus.WithContext(ctx) // $ logger=ctx
- tmp.Debugf(fmt, text) // $ logger=fmt $logger=text
+ tmp.Debugf(fmt, text) // $ logger=fmt logger=text
 tmp = logrus.WithError(err) // $ logger=err
 tmp.Warn(text) // $ logger=text
 tmp = logrus.WithFields(fields) // $ logger=fields
@@ -28,8 +28,8 @@ func logrusCalls() {
 logSomething(tmp)
 logrus.Error(text) // $ logger=text
- logrus.Fatalf(fmt, text) // $ logger=fmt $logger=text
+ logrus.Fatalf(fmt, text) // $ logger=fmt logger=text
 logrus.Panicln(text) // $ logger=text
- logrus.Infof(fmt, text) // $ logger=fmt $logger=text
+ logrus.Infof(fmt, text) // $ logger=fmt logger=text
 logrus.FatalFn(fn) // $ logger=fn
 }
diff --git a/ql/test/library-tests/semmle/go/concepts/LoggerCall/stdlib.go b/ql/test/library-tests/semmle/go/concepts/LoggerCall/stdlib.go
index 9b7242e078f..f8401865b49 100644
--- a/ql/test/library-tests/semmle/go/concepts/LoggerCall/stdlib.go
+++ b/ql/test/library-tests/semmle/go/concepts/LoggerCall/stdlib.go
@@ -8,23 +8,23 @@ func stdlib() { var logger log.Logger logger.SetPrefix("prefix: ") logger.Fatal(text) // $ logger=text - logger.Fatalf(fmt, text) // $ logger=fmt $logger=text + logger.Fatalf(fmt, text) // $ logger=fmt logger=text logger.Fatalln(text) // $ logger=text logger.Panic(text) // $ logger=text - logger.Panicf(fmt, text) // $ logger=fmt $logger=text + logger.Panicf(fmt, text) // $ logger=fmt logger=text logger.Panicln(text) // $ logger=text logger.Print(text) // $ logger=text - logger.Printf(fmt, text) // $ logger=fmt $logger=text + logger.Printf(fmt, text) // $ logger=fmt logger=text logger.Println(text) // $ logger=text log.SetPrefix("prefix: ") log.Fatal(text) // $ logger=text - log.Fatalf(fmt, text) // $ logger=fmt $logger=text + log.Fatalf(fmt, text) // $ logger=fmt logger=text log.Fatalln(text) // $ logger=text log.Panic(text) // $ logger=text - log.Panicf(fmt, text) // $ logger=fmt $logger=text + log.Panicf(fmt, text) // $ logger=fmt logger=text log.Panicln(text) // $ logger=text log.Print(text) // $ logger=text - log.Printf(fmt, text) // $ logger=fmt $logger=text + log.Printf(fmt, text) // $ logger=fmt logger=text log.Println(text) // $ logger=text } diff --git a/ql/test/library-tests/semmle/go/dataflow/PromotedMethods/methods.go b/ql/test/library-tests/semmle/go/dataflow/PromotedMethods/methods.go index 8601b221ca2..124d94b9560 100644 --- a/ql/test/library-tests/semmle/go/dataflow/PromotedMethods/methods.go +++ b/ql/test/library-tests/semmle/go/dataflow/PromotedMethods/methods.go 
@@ -19,27 +19,27 @@ type Base2 struct { } func (e Embedded) sinkFieldOnEmbeddedNonPointerReceiver() { - sink(e.field) // $ promotedmethods=nonPointerSender1 $promotedmethods=pointerSender1 $promotedmethods=nonPointerSender2 $promotedmethods=pointerSender2 + sink(e.field) // $ promotedmethods=nonPointerSender1 promotedmethods=pointerSender1 promotedmethods=nonPointerSender2 promotedmethods=pointerSender2 } func (e *Embedded) sinkFieldOnEmbeddedPointerReceiver() { - sink(e.field) // $ MISSING:promotedmethods=nonPointerSender1 $promotedmethods=pointerSender1 $promotedmethods=nonPointerSender2 $promotedmethods=pointerSender2 + sink(e.field) // $ MISSING:promotedmethods=nonPointerSender1 promotedmethods=pointerSender1 promotedmethods=nonPointerSender2 promotedmethods=pointerSender2 } func (base1 Base1) sinkFieldOnBase1NonPointerReceiver() { - sink(base1.field) // $ promotedmethods=nonPointerSender1 $promotedmethods=pointerSender1 + sink(base1.field) // $ promotedmethods=nonPointerSender1 promotedmethods=pointerSender1 } func (base1 *Base1) sinkFieldOnBase1PointerReceiver() { - sink(base1.field) // $ promotedmethods=pointerSender1 $MISSING:promotedmethods=nonPointerSender1 + sink(base1.field) // $ promotedmethods=pointerSender1 MISSING:promotedmethods=nonPointerSender1 } func (base2 Base2) sinkFieldOnBase2NonPointerReceiver() { - sink(base2.field) // $ promotedmethods=nonPointerSender2 $promotedmethods=pointerSender2 + sink(base2.field) // $ promotedmethods=nonPointerSender2 promotedmethods=pointerSender2 } func (base2 *Base2) sinkFieldOnBase2PointerReceiver() { - sink(base2.field) // $ promotedmethods=pointerSender2 $MISSING:promotedmethods=nonPointerSender2 + sink(base2.field) // $ promotedmethods=pointerSender2 MISSING:promotedmethods=nonPointerSender2 } func nonPointerSender1() { diff --git a/ql/test/library-tests/semmle/go/frameworks/ElazarlGoproxy/main.go b/ql/test/library-tests/semmle/go/frameworks/ElazarlGoproxy/main.go index 99d2fba45e1..521e5968221 100644 
--- a/ql/test/library-tests/semmle/go/frameworks/ElazarlGoproxy/main.go +++ b/ql/test/library-tests/semmle/go/frameworks/ElazarlGoproxy/main.go @@ -20,7 +20,7 @@ func handler1(r *http.Request, ctx *goproxy.ProxyCtx) (*http.Request, *http.Resp ctx.Logf("test") // $ logger="test" ctx.Warnf("test1") // $ logger="test1" - return r, goproxy.TextResponse(r, "Hello!") // $ headerwrite=status:200 $headerwrite=content-type:text/plain + return r, goproxy.TextResponse(r, "Hello!") // $ headerwrite=status:200 headerwrite=content-type:text/plain } func main() { diff --git a/ql/test/library-tests/semmle/go/frameworks/Revel/EndToEnd.go b/ql/test/library-tests/semmle/go/frameworks/Revel/EndToEnd.go index 125bd661de8..a2a69a1a1b1 100644 --- a/ql/test/library-tests/semmle/go/frameworks/Revel/EndToEnd.go +++ b/ql/test/library-tests/semmle/go/frameworks/Revel/EndToEnd.go 
@@ -66,27 +66,27 @@ func (c MyRoute) Handler6() revel.Result { func (c MyRoute) Handler7() revel.Result { // BAD: straightforward XSS - return c.RenderHTML(c.Params.Form.Get("someField")) // $ responsebody='call to Get' $source="selection of Params" + return c.RenderHTML(c.Params.Form.Get("someField")) // $ responsebody='call to Get' source="selection of Params" } func (c MyRoute) Handler8() revel.Result { // GOOD: uses JSON content-type - return c.RenderJSON(c.Params.Form.Get("someField")) // $ responsebody='call to Get' $source="selection of Params" + return c.RenderJSON(c.Params.Form.Get("someField")) // $ responsebody='call to Get' source="selection of Params" } func (c MyRoute) Handler9() revel.Result { // GOOD: uses Javascript content-type - return c.RenderJSONP("callback", c.Params.Form.Get("someField")) // $ responsebody='call to Get' $source="selection of Params" + return c.RenderJSONP("callback", c.Params.Form.Get("someField")) // $ responsebody='call to Get' source="selection of Params" } func (c MyRoute) Handler10() revel.Result { // GOOD: uses text content-type - return c.RenderText(c.Params.Form.Get("someField")) // $ responsebody='call to Get' $source="selection of Params" + return c.RenderText(c.Params.Form.Get("someField")) // $ responsebody='call to Get' source="selection of Params" } func (c MyRoute) Handler11() revel.Result { // GOOD: uses xml content-type - return c.RenderXML(c.Params.Form.Get("someField")) // $ responsebody='call to Get' $source="selection of Params" + return c.RenderXML(c.Params.Form.Get("someField")) // $ responsebody='call to Get' source="selection of Params" } func (c MyRoute) Handler12() revel.Result { diff --git a/ql/test/library-tests/semmle/go/frameworks/Revel/examples/booking/app/init.go b/ql/test/library-tests/semmle/go/frameworks/Revel/examples/booking/app/init.go index c49c0ca27fe..2f7fef73fc2 100644 --- a/ql/test/library-tests/semmle/go/frameworks/Revel/examples/booking/app/init.go 
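Review bot: The rewritten expectations on the Handler7–Handler11 lines now separate `responsebody='call to Get'` and `source="selection of Params"` by whitespace alone, so the parser in the synced InlineExpectationsTest.qll must treat a quoted value as a single token even though it contains spaces; the old `$` separator made that boundary unambiguous. The same reliance appears in the init.go hunk (`responsebody='"Hi there, it worked"'`, a double-quoted string nested inside single quotes) and in both yaml.go hunks (`ttfnmodelstep="in -> ... = ...[0]"`). If the tokenizer does not honour quotes, these expectations would be split at the inner spaces and reported as unmatched rather than as a parse error, so a small expectation in this folder with a quoted value containing spaces would pin the behaviour down. The parser itself is not visible from this hunk, so this is a point to confirm rather than a known failure.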
+++ b/ql/test/library-tests/semmle/go/frameworks/Revel/examples/booking/app/init.go @@ -33,11 +33,11 @@ func init() { switch event { case revel.ENGINE_BEFORE_INITIALIZED: revel.AddHTTPMux("/this/is/a/test", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - fmt.Fprintln(w, "Hi there, it worked", r.URL.Path) // $ responsebody='selection of Path' $responsebody='"Hi there, it worked"' + fmt.Fprintln(w, "Hi there, it worked", r.URL.Path) // $ responsebody='selection of Path' responsebody='"Hi there, it worked"' w.WriteHeader(200) })) revel.AddHTTPMux("/this/is/", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - fmt.Fprintln(w, "Hi there, shorter prefix", r.URL.Path) // $ responsebody='selection of Path' $responsebody='"Hi there, shorter prefix"' + fmt.Fprintln(w, "Hi there, shorter prefix", r.URL.Path) // $ responsebody='selection of Path' responsebody='"Hi there, shorter prefix"' w.WriteHeader(200) })) } diff --git a/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Os.go b/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Os.go index 55be54c83b6..b27c5d1f47c 100644 --- a/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Os.go +++ b/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Os.go @@ -160,7 +160,7 @@ func fsAccesses() { os.Chtimes(path, time, time) // $ fsaccess=path os.Create(path) // $ fsaccess=path os.Lchown(path, 1000, 1000) // $ fsaccess=path - os.Link(path, path1) // $ fsaccess=path $fsaccess=path1 + os.Link(path, path1) // $ fsaccess=path fsaccess=path1 os.Lstat(path) // $ fsaccess=path os.Mkdir(path, 0600) // $ fsaccess=path os.MkdirAll(path, 0600) // $ fsaccess=path 
@@ -170,14 +170,14 @@ func fsAccesses() { os.Readlink(path) // $ fsaccess=path os.Remove(path) // $ fsaccess=path os.RemoveAll(path) // $ fsaccess=path - os.Rename(path, path1) // $ fsaccess=path $fsaccess=path1 + os.Rename(path, path1) // $ fsaccess=path fsaccess=path1 os.Stat(path) // $ fsaccess=path - os.Symlink(path, path1) // $ fsaccess=path $fsaccess=path1 + os.Symlink(path, path1) // $ fsaccess=path fsaccess=path1 os.Truncate(path, 1000) // $ fsaccess=path os.DirFS(path) // $ fsaccess=path os.ReadDir(path) // $ fsaccess=path os.ReadFile(path) // $ fsaccess=path - os.MkdirTemp(path, part) // $ fsaccess=path $fsaccess=part - os.CreateTemp(path, part) // $ fsaccess=path $fsaccess=part + os.MkdirTemp(path, part) // $ fsaccess=path fsaccess=part + os.CreateTemp(path, part) // $ fsaccess=path fsaccess=part os.WriteFile(path, []byte{}, 0600) // $ fsaccess=path } diff --git a/ql/test/library-tests/semmle/go/frameworks/Yaml/yaml.go b/ql/test/library-tests/semmle/go/frameworks/Yaml/yaml.go index 6949542c731..9861acf33e6 100644 --- a/ql/test/library-tests/semmle/go/frameworks/Yaml/yaml.go +++ b/ql/test/library-tests/semmle/go/frameworks/Yaml/yaml.go 
@@ -12,12 +12,12 @@ func main() { var in, out interface{} var inb []byte - out, _ = yaml1.Marshal(in) // $ marshaler="yaml: in -> ... = ...[0]" $ttfnmodelstep="in -> ... = ...[0]" - yaml1.Unmarshal(inb, out) // $ unmarshaler="yaml: inb -> definition of out" $ttfnmodelstep="inb -> definition of out" + out, _ = yaml1.Marshal(in) // $ marshaler="yaml: in -> ... = ...[0]" ttfnmodelstep="in -> ... = ...[0]" + yaml1.Unmarshal(inb, out) // $ unmarshaler="yaml: inb -> definition of out" ttfnmodelstep="inb -> definition of out" - out, _ = yaml2.Marshal(in) // $ marshaler="yaml: in -> ... = ...[0]" $ttfnmodelstep="in -> ... = ...[0]" - yaml2.Unmarshal(inb, out) // $ unmarshaler="yaml: inb -> definition of out" $ttfnmodelstep="inb -> definition of out" - yaml2.UnmarshalStrict(inb, out) // $ unmarshaler="yaml: inb -> definition of out" $ttfnmodelstep="inb -> definition of out" + out, _ = yaml2.Marshal(in) // $ marshaler="yaml: in -> ... = ...[0]" ttfnmodelstep="in -> ... = ...[0]" + yaml2.Unmarshal(inb, out) // $ unmarshaler="yaml: inb -> definition of out" ttfnmodelstep="inb -> definition of out" + yaml2.UnmarshalStrict(inb, out) // $ unmarshaler="yaml: inb -> definition of out" ttfnmodelstep="inb -> definition of out" var r io.Reader d := yaml2.NewDecoder(r) // $ ttfnmodelstep="r -> call to NewDecoder" 
@@ -27,8 +27,8 @@ func main() { e := yaml2.NewEncoder(w) // $ ttfnmodelstep="definition of e -> definition of w" e.Encode(in) // $ ttfnmodelstep="in -> definition of e" - out, _ = yaml3.Marshal(in) // $ marshaler="yaml: in -> ... = ...[0]" $ttfnmodelstep="in -> ... = ...[0]" - yaml3.Unmarshal(inb, out) // $ unmarshaler="yaml: inb -> definition of out" $ttfnmodelstep="inb -> definition of out" + out, _ = yaml3.Marshal(in) // $ marshaler="yaml: in -> ... = ...[0]" ttfnmodelstep="in -> ... = ...[0]" + yaml3.Unmarshal(inb, out) // $ unmarshaler="yaml: inb -> definition of out" ttfnmodelstep="inb -> definition of out" d1 := yaml3.NewDecoder(r) // $ ttfnmodelstep="r -> call to NewDecoder" d1.Decode(out) // $ ttfnmodelstep="d1 -> definition of out" From e01291f8808863884e5d81ba14ca12203cda9d0e Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Wed, 20 Oct 2021 09:41:16 +0100 Subject: [PATCH 8/9] Put space after MISSING: and SPURIOUS: This is the preferred style now --- .../semmle/go/concepts/LoggerCall/glog.go | 20 +++++++++---------- .../go/dataflow/GuardingFunctions/test.go | 2 +- .../go/dataflow/PromotedMethods/methods.go | 6 +++--- .../semmle/go/frameworks/SQL/main.go | 12 +++++------ .../semmle/go/frameworks/Zap/test.go | 8 ++++---- 5 files changed, 24 insertions(+), 24 deletions(-) diff --git a/ql/test/library-tests/semmle/go/concepts/LoggerCall/glog.go b/ql/test/library-tests/semmle/go/concepts/LoggerCall/glog.go index c2e4b91a869..28f5be2b067 100644 --- a/ql/test/library-tests/semmle/go/concepts/LoggerCall/glog.go +++ b/ql/test/library-tests/semmle/go/concepts/LoggerCall/glog.go 
@@ -10,44 +10,44 @@ import ( func glogTest() { glog.Error(text) // $ logger=text - glog.ErrorDepth(0, text) // $ MISSING:logger=text + glog.ErrorDepth(0, text) // $ MISSING: logger=text glog.Errorf(fmt, text) // $ logger=fmt logger=text glog.Errorln(text) // $ logger=text glog.Exit(text) // $ logger=text - glog.ExitDepth(0, text) // $ MISSING:logger=text + glog.ExitDepth(0, text) // $ MISSING: logger=text glog.Exitf(fmt, text) // $ logger=fmt logger=text glog.Exitln(text) // $ logger=text glog.Fatal(text) // $ logger=text - glog.FatalDepth(0, text) // $ MISSING:logger=text + glog.FatalDepth(0, text) // $ MISSING: logger=text glog.Fatalf(fmt, text) // $ logger=fmt logger=text glog.Fatalln(text) // $ logger=text glog.Info(text) // $ logger=text - glog.InfoDepth(0, text) // $ MISSING:logger=text + glog.InfoDepth(0, text) // $ MISSING: logger=text glog.Infof(fmt, text) // $ logger=fmt logger=text glog.Infoln(text) // $ logger=text glog.Warning(text) // $ logger=text - glog.WarningDepth(0, text) // $ MISSING:logger=text + glog.WarningDepth(0, text) // $ MISSING: logger=text glog.Warningf(fmt, text) // $ logger=fmt logger=text glog.Warningln(text) // $ logger=text klog.Error(text) // $ logger=text - klog.ErrorDepth(0, text) // $ MISSING:logger=text + klog.ErrorDepth(0, text) // $ MISSING: logger=text klog.Errorf(fmt, text) // $ logger=fmt logger=text klog.Errorln(text) // $ logger=text klog.Exit(text) // $ logger=text - klog.ExitDepth(0, text) // $ MISSING:logger=text + klog.ExitDepth(0, text) // $ MISSING: logger=text klog.Exitf(fmt, text) // $ logger=fmt logger=text klog.Exitln(text) // $ logger=text klog.Fatal(text) // $ logger=text - klog.FatalDepth(0, text) // $ MISSING:logger=text + klog.FatalDepth(0, text) // $ MISSING: logger=text klog.Fatalf(fmt, text) // $ logger=fmt logger=text klog.Fatalln(text) // $ logger=text klog.Info(text) // $ logger=text - klog.InfoDepth(0, text) // $ MISSING:logger=text + klog.InfoDepth(0, text) // $ MISSING: logger=text 
klog.Infof(fmt, text) // $ logger=fmt logger=text klog.Infoln(text) // $ logger=text klog.Warning(text) // $ logger=text - klog.WarningDepth(0, text) // $ MISSING:logger=text + klog.WarningDepth(0, text) // $ MISSING: logger=text klog.Warningf(fmt, text) // $ logger=fmt logger=text klog.Warningln(text) // $ logger=text } diff --git a/ql/test/library-tests/semmle/go/dataflow/GuardingFunctions/test.go b/ql/test/library-tests/semmle/go/dataflow/GuardingFunctions/test.go index 7b636ab61cb..285985c76f1 100644 --- a/ql/test/library-tests/semmle/go/dataflow/GuardingFunctions/test.go +++ b/ql/test/library-tests/semmle/go/dataflow/GuardingFunctions/test.go @@ -842,7 +842,7 @@ func test() { s := source() isValid := !guardBool(s) if isValid { - sink(s) // $ SPURIOUS:dataflow=s + sink(s) // $ SPURIOUS: dataflow=s } else { sink(s) // $ dataflow=s } diff --git a/ql/test/library-tests/semmle/go/dataflow/PromotedMethods/methods.go b/ql/test/library-tests/semmle/go/dataflow/PromotedMethods/methods.go index 124d94b9560..04ed9772319 100644 --- a/ql/test/library-tests/semmle/go/dataflow/PromotedMethods/methods.go +++ b/ql/test/library-tests/semmle/go/dataflow/PromotedMethods/methods.go @@ -23,7 +23,7 @@ func (e Embedded) sinkFieldOnEmbeddedNonPointerReceiver() { } func (e *Embedded) sinkFieldOnEmbeddedPointerReceiver() { - sink(e.field) // $ MISSING:promotedmethods=nonPointerSender1 promotedmethods=pointerSender1 promotedmethods=nonPointerSender2 promotedmethods=pointerSender2 + sink(e.field) // $ MISSING: promotedmethods=nonPointerSender1 promotedmethods=pointerSender1 promotedmethods=nonPointerSender2 promotedmethods=pointerSender2 } func (base1 Base1) sinkFieldOnBase1NonPointerReceiver() { 
@@ -31,7 +31,7 @@ func (base1 Base1) sinkFieldOnBase1NonPointerReceiver() { } func (base1 *Base1) sinkFieldOnBase1PointerReceiver() { - sink(base1.field) // $ promotedmethods=pointerSender1 MISSING:promotedmethods=nonPointerSender1 + sink(base1.field) // $ promotedmethods=pointerSender1 MISSING: promotedmethods=nonPointerSender1 } func (base2 Base2) sinkFieldOnBase2NonPointerReceiver() { @@ -39,7 +39,7 @@ func (base2 Base2) sinkFieldOnBase2NonPointerReceiver() { } func (base2 *Base2) sinkFieldOnBase2PointerReceiver() { - sink(base2.field) // $ promotedmethods=pointerSender2 MISSING:promotedmethods=nonPointerSender2 + sink(base2.field) // $ promotedmethods=pointerSender2 MISSING: promotedmethods=nonPointerSender2 } func nonPointerSender1() { diff --git a/ql/test/library-tests/semmle/go/frameworks/SQL/main.go b/ql/test/library-tests/semmle/go/frameworks/SQL/main.go index d564fe0e03d..f1597f3c123 100644 --- a/ql/test/library-tests/semmle/go/frameworks/SQL/main.go +++ b/ql/test/library-tests/semmle/go/frameworks/SQL/main.go @@ -59,16 +59,16 @@ func test2(tx *sql.Tx, query string, ctx context.Context) { } func test3(db *sql.DB, ctx context.Context) { - stmt1, _ := db.Prepare(query21) // $ SPURIOUS:querystring=query21 - stmt1.Exec() // $ MISSING:query=query21 - stmt2, _ := db.PrepareContext(ctx, query22) // $ SPURIOUS:querystring=query22 - stmt2.ExecContext(ctx) // $ MISSING:query=query22 - stmt3, _ := db.Prepare(query23) // $ SPURIOUS:querystring=query23 + stmt1, _ := db.Prepare(query21) // $ SPURIOUS: querystring=query21 + stmt1.Exec() // $ MISSING: query=query21 + stmt2, _ := db.PrepareContext(ctx, query22) // $ SPURIOUS: querystring=query22 + stmt2.ExecContext(ctx) // $ MISSING: query=query22 + stmt3, _ := db.Prepare(query23) // $ SPURIOUS: querystring=query23 runQuery(stmt3) } func runQuery(stmt *sql.Stmt) { - stmt.Exec() // $ MISSING:query=query23 + stmt.Exec() // $ MISSING: query=query23 } func main() {} 
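Review bot: `test3` and `runQuery` carry five SPURIOUS/MISSING pairs but no comment saying what they record, which from the lines appears to be that the query string is reported at `db.Prepare`/`db.PrepareContext` instead of at the later `stmt.Exec()`/`stmt.ExecContext()`. A short comment above `test3` would stop those expectations being read as intended behaviour, e.g. `// Known gap: prepared-statement queries are reported at Prepare rather than at Exec; flip the SPURIOUS/MISSING pairs below once *sql.Stmt is tracked to its Exec call.` The `runQuery` case additionally crosses a function boundary, which is worth stating in that comment since it is a stronger requirement than the intra-function cases above it.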
diff --git a/ql/test/library-tests/semmle/go/frameworks/Zap/test.go b/ql/test/library-tests/semmle/go/frameworks/Zap/test.go index 522f51c8693..d39dfbedb2b 100644 --- a/ql/test/library-tests/semmle/go/frameworks/Zap/test.go +++ b/ql/test/library-tests/semmle/go/frameworks/Zap/test.go @@ -61,7 +61,7 @@ func testZapLoggerWarn(logger *zap.Logger) { func testZapLoggerNop() { // We do not currently recognise that a logger made using NewNop() does not actually do any logging logger := zap.NewNop() - logger.Debug(getUntrustedString()) // $ SPURIOUS:zap="call to getUntrustedString" + logger.Debug(getUntrustedString()) // $ SPURIOUS: zap="call to getUntrustedString" } func testLoggerNamed(logger *zap.Logger) { @@ -74,7 +74,7 @@ func testLoggerWith(logger *zap.Logger) *zap.Logger { logger1.Info("hello world") logger2 := logger.With(zap.String("key", getUntrustedString())) // $ zap="call to String" logger2.Info("hello world") - logger3 := logger.With(zap.String("key", getUntrustedString())) // $ SPURIOUS:zap="call to String" + logger3 := logger.With(zap.String("key", getUntrustedString())) // $ SPURIOUS: zap="call to String" return logger3 } @@ -83,7 +83,7 @@ func getLoggerWithUntrustedField() *zap.Logger { } func getLoggerWithUntrustedFieldUnused() *zap.Logger { - return zap.NewExample().With(zap.NamedError("key", getUntrustedData().(error))) // $ SPURIOUS:zap="call to NamedError" + return zap.NewExample().With(zap.NamedError("key", getUntrustedData().(error))) // $ SPURIOUS: zap="call to NamedError" } func testLoggerWithAcrossFunctionBoundary() { 
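Review bot: In `testLoggerWith` the expectation on `logger3` is marked SPURIOUS while the identical `logger.With(zap.String("key", getUntrustedString()))` on `logger2` is a plain expectation, and the only visible difference is that `logger2.Info("hello world")` follows while `logger3` is only returned; nothing in the test states that this is the intended distinction. A comment such as `// SPURIOUS: logger3 is never used to log here, but the model flags With() regardless of use` above the `logger3` line would make it explicit, and the same applies to `getLoggerWithUntrustedFieldUnused` in the next hunk and to `testLoggerWithOptions` in the `@@ -95,7` hunk. `testZapLoggerNop` already carries such a comment, so this would just bring the other cases in line with it.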
@@ -95,7 +95,7 @@ func testLoggerWithOptions(logger *zap.Logger) *zap.Logger { logger1.Info("hello world") logger2 := logger.WithOptions(zap.Fields(zap.String("key", getUntrustedString()))) // $ zap="call to Fields" logger2.Info("hello world") - logger3 := logger.WithOptions(zap.Fields(zap.String("key", getUntrustedString()))) // $ SPURIOUS:zap="call to Fields" + logger3 := logger.WithOptions(zap.Fields(zap.String("key", getUntrustedString()))) // $ SPURIOUS: zap="call to Fields" return logger3 } From f4d9f2f2fa86cf5dbb08ddff69b0e2bde8fe284b Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 21 Oct 2021 05:18:25 +0100 Subject: [PATCH 9/9] Remove unused test comments These were introduced in 68dca955. Currently they aren't doing anything as there isn't an inline expectation test for the tag "source" in this folder. It seems they were originally intended to indicate untrusted flow sources, but they aren't needed as we are using "noflow" to only mark the places where there isn't a flow. --- .../semmle/go/frameworks/Revel/EndToEnd.go | 26 +++++++++---------- .../semmle/go/frameworks/Revel/Revel.go | 4 +-- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/ql/test/library-tests/semmle/go/frameworks/Revel/EndToEnd.go b/ql/test/library-tests/semmle/go/frameworks/Revel/EndToEnd.go index a2a69a1a1b1..a21911f3beb 100644 --- a/ql/test/library-tests/semmle/go/frameworks/Revel/EndToEnd.go +++ b/ql/test/library-tests/semmle/go/frameworks/Revel/EndToEnd.go 
@@ -27,13 +27,13 @@ type MyRoute struct { func (c MyRoute) Handler1() revel.Result { // GOOD: the Render function is likely to properly escape the user-controlled parameter. - return c.Render("someviewparam", c.Params.Form.Get("someField")) // $ source="selection of Params" + return c.Render("someviewparam", c.Params.Form.Get("someField")) } func (c MyRoute) Handler2() revel.Result { // BAD: the RenderBinary function copies an `io.Reader` to the user's browser. buf := &bytes.Buffer{} - buf.WriteString(c.Params.Form.Get("someField")) // $ source="selection of Params" + buf.WriteString(c.Params.Form.Get("someField")) return c.RenderBinary(buf, "index.html", revel.Inline, time.Now()) // $ responsebody='buf' } 
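Review bot: After this hunk the `Handler1` return and the `buf.WriteString` line carry no expectation at all, and the following hunk does the same for Handler4, Handler5, Handler6 and Handler12 and for the two lines in Revel.go, so nothing in these files still asserts that `c.Params` is modelled as an untrusted source. The commit message says the `source` tag has no inline test in this folder; an alternative to deleting the annotations is to add that test, so that e.g. the `os.Open(c.Params.Form.Get("someField"))` line in Handler5 and the `c.Redirect(...)` line in Handler12 keep a checked expectation rather than only a `// BAD:` comment. If source modelling is covered by a test elsewhere, a one-line comment at the top of the file naming it would stop the next reader from re-adding these. The Revel.go hunk appears to run past the visible end of the patch, so its tail is not reviewed here.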
@@ -41,55 +41,55 @@ func (c MyRoute) Handler3() revel.Result { // GOOD: the RenderBinary function copies an `io.Reader` to the user's browser, but the filename // means it will be given a safe content-type. buf := &bytes.Buffer{} - buf.WriteString(c.Params.Form.Get("someField")) // $ source="selection of Params" + buf.WriteString(c.Params.Form.Get("someField")) return c.RenderBinary(buf, "index.txt", revel.Inline, time.Now()) // $ responsebody='buf' } func (c MyRoute) Handler4() revel.Result { // GOOD: the RenderError function either uses an HTML template with probable escaping, // or it uses content-type text/plain. - err := errors.New(c.Params.Form.Get("someField")) // $ source="selection of Params" - return c.RenderError(err) // $ responsebody='err' + err := errors.New(c.Params.Form.Get("someField")) + return c.RenderError(err) // $ responsebody='err' } func (c MyRoute) Handler5() revel.Result { // BAD: returning an arbitrary file (but this is detected at the os.Open call, not // due to modelling Revel) - f, _ := os.Open(c.Params.Form.Get("someField")) // $ source="selection of Params" + f, _ := os.Open(c.Params.Form.Get("someField")) return c.RenderFile(f, revel.Inline) } func (c MyRoute) Handler6() revel.Result { // BAD: returning an arbitrary file (detected as a user-controlled file-op, not XSS) - return c.RenderFileName(c.Params.Form.Get("someField"), revel.Inline) // $ source="selection of Params" + return c.RenderFileName(c.Params.Form.Get("someField"), revel.Inline) } func (c MyRoute) Handler7() revel.Result { // BAD: straightforward XSS - return c.RenderHTML(c.Params.Form.Get("someField")) // $ responsebody='call to Get' source="selection of Params" + return c.RenderHTML(c.Params.Form.Get("someField")) // $ responsebody='call to Get' } func (c MyRoute) Handler8() revel.Result { // GOOD: uses JSON content-type - return c.RenderJSON(c.Params.Form.Get("someField")) // $ responsebody='call to Get' source="selection of Params" + return 
c.RenderJSON(c.Params.Form.Get("someField")) // $ responsebody='call to Get' } func (c MyRoute) Handler9() revel.Result { // GOOD: uses Javascript content-type - return c.RenderJSONP("callback", c.Params.Form.Get("someField")) // $ responsebody='call to Get' source="selection of Params" + return c.RenderJSONP("callback", c.Params.Form.Get("someField")) // $ responsebody='call to Get' } func (c MyRoute) Handler10() revel.Result { // GOOD: uses text content-type - return c.RenderText(c.Params.Form.Get("someField")) // $ responsebody='call to Get' source="selection of Params" + return c.RenderText(c.Params.Form.Get("someField")) // $ responsebody='call to Get' } func (c MyRoute) Handler11() revel.Result { // GOOD: uses xml content-type - return c.RenderXML(c.Params.Form.Get("someField")) // $ responsebody='call to Get' source="selection of Params" + return c.RenderXML(c.Params.Form.Get("someField")) // $ responsebody='call to Get' } func (c MyRoute) Handler12() revel.Result { // BAD: open redirect - return c.Redirect(c.Params.Form.Get("someField")) // $ source="selection of Params" + return c.Redirect(c.Params.Form.Get("someField")) } diff --git a/ql/test/library-tests/semmle/go/frameworks/Revel/Revel.go b/ql/test/library-tests/semmle/go/frameworks/Revel/Revel.go index f1568e7791d..80e52937465 100644 --- a/ql/test/library-tests/semmle/go/frameworks/Revel/Revel.go +++ b/ql/test/library-tests/semmle/go/frameworks/Revel/Revel.go @@ -24,10 +24,10 @@ func sink(_ ...interface{}) {} func (c myAppController) accessingParamsDirectlyIsUnsafe() { sink(c.Params.Get("key")) - sink(c.Params.Values) // $ source="selection of Params" + sink(c.Params.Values) val4 := "" - c.Params.Bind(&val4, "key") // $ source="selection of Params" + c.Params.Bind(&val4, "key") sink(val4) sink(c.Request.FormValue("key"))