Quote expected values that have spaces
@@ -9,7 +9,7 @@ import (
|
||||
)
|
||||
|
||||
func handler(r *http.Request, ctx *goproxy.ProxyCtx) (*http.Request, *http.Response) {
|
||||
data := ctx.UserData // $untrustedflowsource=selection of UserData
|
||||
data := ctx.UserData // $ untrustedflowsource="selection of UserData"
|
||||
|
||||
// note no content type result here because we don't seem to extract the value of `ContentTypeHtml`
|
||||
return r, goproxy.NewResponse(r, goproxy.ContentTypeHtml, http.StatusForbidden, fmt.Sprintf("<body>Bad request: %v</body>", data)) // $headerwrite=status:403
|
||||
|
||||
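Review bot: The rewritten expectation on the `data := ctx.UserData` line reads `$ untrustedflowsource="selection of UserData"` with a space between `$` and the tag, while every other expectation in this commit — including `$headerwrite=status:403` on the `return` line of the same handler — keeps the tag directly after `$`. If the inline-expectation parser requires the tag to follow `$` immediately, this expectation is silently dropped and the test would report the source as an unexpected result; whether it tolerates the space is not visible from this hunk. Suggest `// $untrustedflowsource="selection of UserData"` for consistency either way. `handler` closes outside the hunk.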
@@ -9,7 +9,7 @@ class UntrustedFlowSourceTest extends InlineExpectationsTest {
|
||||
override predicate hasActualResult(string file, int line, string element, string tag, string value) {
|
||||
tag = "untrustedflowsource" and
|
||||
value = element and
|
||||
exists(UntrustedFlowSource src | value = src.toString() |
|
||||
exists(UntrustedFlowSource src | value = "\"" + src.toString() + "\"" |
|
||||
src.hasLocationInfo(file, line, _, _, _)
|
||||
)
|
||||
}
|
||||
|
||||
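Review bot: Because `value = element and` is kept as context above the rewritten `exists`, `element` now carries the added quote characters as well, whereas the other `hasActualResult` overrides in this commit (the gokit and zap test classes) quote only `value` and bind `element` to the bare `toString()`. As far as I recall `element` is what failure output prints, so the inconsistency would be visible there. Suggest binding both in the `exists` head and dropping the `value = element and` line: `exists(UntrustedFlowSource src | element = src.toString() and value = "\"" + element + "\"" |`. The enclosing class header is outside the hunk.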
@@ -11,12 +11,12 @@ type MyService interface {
|
||||
}
|
||||
|
||||
func makeEndpointLit(svc MyService) endpoint.Endpoint {
|
||||
return func(_ context.Context, request interface{}) (interface{}, error) { // $source=definition of request
|
||||
return func(_ context.Context, request interface{}) (interface{}, error) { // $source="definition of request"
|
||||
return request, nil
|
||||
}
|
||||
}
|
||||
|
||||
func endpointfn(_ context.Context, request interface{}) (interface{}, error) { // $source=definition of request
|
||||
func endpointfn(_ context.Context, request interface{}) (interface{}, error) { // $source="definition of request"
|
||||
return request, nil
|
||||
}
|
||||
|
||||
|
||||
@@ -11,7 +11,7 @@ class UntrustedFlowSourceTest extends InlineExpectationsTest {
|
||||
exists(UntrustedFlowSource source |
|
||||
source.hasLocationInfo(file, line, _, _, _) and
|
||||
element = source.toString() and
|
||||
value = source.toString() and
|
||||
value = "\"" + source.toString() + "\"" and
|
||||
tag = "source"
|
||||
)
|
||||
}
|
||||
|
||||
@@ -27,69 +27,69 @@ type MyRoute struct {
|
||||
|
||||
func (c MyRoute) Handler1() revel.Result {
|
||||
// GOOD: the Render function is likely to properly escape the user-controlled parameter.
|
||||
return c.Render("someviewparam", c.Params.Form.Get("someField")) // $source=selection of Params
|
||||
return c.Render("someviewparam", c.Params.Form.Get("someField")) // $source="selection of Params"
|
||||
}
|
||||
|
||||
func (c MyRoute) Handler2() revel.Result {
|
||||
// BAD: the RenderBinary function copies an `io.Reader` to the user's browser.
|
||||
buf := &bytes.Buffer{}
|
||||
buf.WriteString(c.Params.Form.Get("someField")) // $source=selection of Params
|
||||
return c.RenderBinary(buf, "index.html", revel.Inline, time.Now()) // $responsebody=buf
|
||||
buf.WriteString(c.Params.Form.Get("someField")) // $source="selection of Params"
|
||||
return c.RenderBinary(buf, "index.html", revel.Inline, time.Now()) // $responsebody='buf'
|
||||
}
|
||||
|
||||
func (c MyRoute) Handler3() revel.Result {
|
||||
// GOOD: the RenderBinary function copies an `io.Reader` to the user's browser, but the filename
|
||||
// means it will be given a safe content-type.
|
||||
buf := &bytes.Buffer{}
|
||||
buf.WriteString(c.Params.Form.Get("someField")) // $source=selection of Params
|
||||
return c.RenderBinary(buf, "index.txt", revel.Inline, time.Now()) // $responsebody=buf
|
||||
buf.WriteString(c.Params.Form.Get("someField")) // $source="selection of Params"
|
||||
return c.RenderBinary(buf, "index.txt", revel.Inline, time.Now()) // $responsebody='buf'
|
||||
}
|
||||
|
||||
func (c MyRoute) Handler4() revel.Result {
|
||||
// GOOD: the RenderError function either uses an HTML template with probable escaping,
|
||||
// or it uses content-type text/plain.
|
||||
err := errors.New(c.Params.Form.Get("someField")) // $source=selection of Params
|
||||
return c.RenderError(err) // $responsebody=err
|
||||
err := errors.New(c.Params.Form.Get("someField")) // $source="selection of Params"
|
||||
return c.RenderError(err) // $responsebody='err'
|
||||
}
|
||||
|
||||
func (c MyRoute) Handler5() revel.Result {
|
||||
// BAD: returning an arbitrary file (but this is detected at the os.Open call, not
|
||||
// due to modelling Revel)
|
||||
f, _ := os.Open(c.Params.Form.Get("someField")) // $source=selection of Params
|
||||
f, _ := os.Open(c.Params.Form.Get("someField")) // $source="selection of Params"
|
||||
return c.RenderFile(f, revel.Inline)
|
||||
}
|
||||
|
||||
func (c MyRoute) Handler6() revel.Result {
|
||||
// BAD: returning an arbitrary file (detected as a user-controlled file-op, not XSS)
|
||||
return c.RenderFileName(c.Params.Form.Get("someField"), revel.Inline) // $source=selection of Params
|
||||
return c.RenderFileName(c.Params.Form.Get("someField"), revel.Inline) // $source="selection of Params"
|
||||
}
|
||||
|
||||
func (c MyRoute) Handler7() revel.Result {
|
||||
// BAD: straightforward XSS
|
||||
return c.RenderHTML(c.Params.Form.Get("someField")) // $responsebody=call to Get $source=selection of Params
|
||||
return c.RenderHTML(c.Params.Form.Get("someField")) // $responsebody='call to Get' $source="selection of Params"
|
||||
}
|
||||
|
||||
func (c MyRoute) Handler8() revel.Result {
|
||||
// GOOD: uses JSON content-type
|
||||
return c.RenderJSON(c.Params.Form.Get("someField")) // $responsebody=call to Get $source=selection of Params
|
||||
return c.RenderJSON(c.Params.Form.Get("someField")) // $responsebody='call to Get' $source="selection of Params"
|
||||
}
|
||||
|
||||
func (c MyRoute) Handler9() revel.Result {
|
||||
// GOOD: uses Javascript content-type
|
||||
return c.RenderJSONP("callback", c.Params.Form.Get("someField")) // $responsebody=call to Get $source=selection of Params
|
||||
return c.RenderJSONP("callback", c.Params.Form.Get("someField")) // $responsebody='call to Get' $source="selection of Params"
|
||||
}
|
||||
|
||||
func (c MyRoute) Handler10() revel.Result {
|
||||
// GOOD: uses text content-type
|
||||
return c.RenderText(c.Params.Form.Get("someField")) // $responsebody=call to Get $source=selection of Params
|
||||
return c.RenderText(c.Params.Form.Get("someField")) // $responsebody='call to Get' $source="selection of Params"
|
||||
}
|
||||
|
||||
func (c MyRoute) Handler11() revel.Result {
|
||||
// GOOD: uses xml content-type
|
||||
return c.RenderXML(c.Params.Form.Get("someField")) // $responsebody=call to Get $source=selection of Params
|
||||
return c.RenderXML(c.Params.Form.Get("someField")) // $responsebody='call to Get' $source="selection of Params"
|
||||
}
|
||||
|
||||
func (c MyRoute) Handler12() revel.Result {
|
||||
// BAD: open redirect
|
||||
return c.Redirect(c.Params.Form.Get("someField")) // $source=selection of Params
|
||||
return c.Redirect(c.Params.Form.Get("someField")) // $source="selection of Params"
|
||||
}
|
||||
|
||||
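Review bot: The `return c.RenderHTML(...)` annotation in Handler7 now mixes two quoting conventions on one line — `$responsebody='call to Get'` and `$source="selection of Params"` — and nothing in this file says why. The reason is only visible elsewhere in this commit (a response body's `toString()` can itself be a Go string literal containing double quotes, giving expectations like `'"<p>raw HTML</p>"'`), so a comment near the top of this test such as `// $responsebody values are single-quoted because a body may be a string literal containing "` would save the next reader a search. Whether the expectation parser tokenizes single-quoted values containing spaces is not shown here and is worth confirming.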
@@ -24,10 +24,10 @@ func sink(_ ...interface{}) {}
|
||||
|
||||
func (c myAppController) accessingParamsDirectlyIsUnsafe() {
|
||||
sink(c.Params.Get("key"))
|
||||
sink(c.Params.Values) // $source=selection of Params
|
||||
sink(c.Params.Values) // $source="selection of Params"
|
||||
|
||||
val4 := ""
|
||||
c.Params.Bind(&val4, "key") // $source=selection of Params
|
||||
c.Params.Bind(&val4, "key") // $source="selection of Params"
|
||||
sink(val4)
|
||||
|
||||
sink(c.Request.FormValue("key"))
|
||||
@@ -64,10 +64,10 @@ func (c myAppController) accessingParamsJSONIsUnsafe() {
|
||||
sink(val2["name"].(string))
|
||||
}
|
||||
|
||||
func (c myAppController) rawRead() { // $responsebody=argument corresponding to c
|
||||
c.ViewArgs["Foo"] = "<p>raw HTML</p>" // $responsebody="<p>raw HTML</p>"
|
||||
func (c myAppController) rawRead() { // $responsebody='argument corresponding to c'
|
||||
c.ViewArgs["Foo"] = "<p>raw HTML</p>" // $responsebody='"<p>raw HTML</p>"'
|
||||
c.ViewArgs["Bar"] = "<p>not raw HTML</p>"
|
||||
c.ViewArgs["Foo"] = c.Params.Query // $responsebody=selection of Query
|
||||
c.ViewArgs["Foo"] = c.Params.Query // $responsebody='selection of Query'
|
||||
c.Render()
|
||||
}
|
||||
|
||||
|
||||
@@ -104,7 +104,7 @@ func (c Hotels) ListJson(search string, size, page uint64) revel.Result {
|
||||
|
||||
var hotels []*models.Hotel
|
||||
|
||||
return c.RenderJSON(map[string]interface{}{"hotels": hotels, "search": search, "size": size, "page": page, "nextPage": nextPage}) // $responsebody=map literal
|
||||
return c.RenderJSON(map[string]interface{}{"hotels": hotels, "search": search, "size": size, "page": page, "nextPage": nextPage}) // $responsebody='map literal'
|
||||
}
|
||||
func (c Hotels) List(search string, size, page uint64) revel.Result {
|
||||
if page == 0 {
|
||||
@@ -155,7 +155,7 @@ func (c Hotels) SaveSettings(password, verifyPassword string) revel.Result {
|
||||
}
|
||||
|
||||
func (c Hotels) ConfirmBooking(id int, booking models.Booking) revel.Result {
|
||||
hotel := c.loadHotelById(id) // $responsebody=call to loadHotelById
|
||||
hotel := c.loadHotelById(id) // $responsebody='call to loadHotelById'
|
||||
if hotel == nil {
|
||||
return c.NotFound("Hotel %d does not exist", id)
|
||||
}
|
||||
|
||||
@@ -33,11 +33,11 @@ func init() {
|
||||
switch event {
|
||||
case revel.ENGINE_BEFORE_INITIALIZED:
|
||||
revel.AddHTTPMux("/this/is/a/test", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
fmt.Fprintln(w, "Hi there, it worked", r.URL.Path) // $responsebody=selection of Path $responsebody="Hi there, it worked"
|
||||
fmt.Fprintln(w, "Hi there, it worked", r.URL.Path) // $responsebody='selection of Path' $responsebody='"Hi there, it worked"'
|
||||
w.WriteHeader(200)
|
||||
}))
|
||||
revel.AddHTTPMux("/this/is/", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
fmt.Fprintln(w, "Hi there, shorter prefix", r.URL.Path) // $responsebody=selection of Path $responsebody="Hi there, shorter prefix"
|
||||
fmt.Fprintln(w, "Hi there, shorter prefix", r.URL.Path) // $responsebody='selection of Path' $responsebody='"Hi there, shorter prefix"'
|
||||
w.WriteHeader(200)
|
||||
}))
|
||||
}
|
||||
|
||||
@@ -41,7 +41,7 @@ class HttpResponseBodyTest extends InlineExpectationsTest {
|
||||
exists(HTTP::ResponseBody rb |
|
||||
rb.hasLocationInfo(file, line, _, _, _) and
|
||||
element = rb.toString() and
|
||||
value = rb.toString()
|
||||
value = "'" + rb.toString() + "'"
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
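Review bot: The switch to `"'" + rb.toString() + "'"` here, against the `"\""` wrapping used by the other test classes in this commit, deserves a comment, since the quote character becomes part of the value the inline expectation must match byte for byte. Suggest `// Single quotes: a response body can be a string literal whose toString() already contains double quotes.` above the `value =` line. A body whose `toString()` contains a single quote (a rune literal, say) would presumably still produce an expectation the parser cannot tokenize; no test in this commit exercises that case, so it is a caveat rather than a defect. The enclosing class header is outside the hunk.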
@@ -11,7 +11,7 @@ class TaintFunctionModelTest extends InlineExpectationsTest {
|
||||
exists(TaintTracking::FunctionModel model, DataFlow::CallNode call | call = model.getACall() |
|
||||
call.hasLocationInfo(file, line, _, _, _) and
|
||||
element = call.toString() and
|
||||
value = model.getAnInputNode(call) + " -> " + model.getAnOutputNode(call)
|
||||
value = "\"" + model.getAnInputNode(call) + " -> " + model.getAnOutputNode(call) + "\""
|
||||
)
|
||||
}
|
||||
}
|
||||
@@ -27,7 +27,8 @@ class MarshalerTest extends InlineExpectationsTest {
|
||||
call.hasLocationInfo(file, line, _, _, _) and
|
||||
element = call.toString() and
|
||||
value =
|
||||
m.getFormat() + ": " + m.getAnInput().getNode(call) + " -> " + m.getOutput().getNode(call)
|
||||
"\"" + m.getFormat() + ": " + m.getAnInput().getNode(call) + " -> " +
|
||||
m.getOutput().getNode(call) + "\""
|
||||
)
|
||||
}
|
||||
}
|
||||
@@ -43,7 +44,8 @@ class UnmarshalerTest extends InlineExpectationsTest {
|
||||
call.hasLocationInfo(file, line, _, _, _) and
|
||||
element = call.toString() and
|
||||
value =
|
||||
m.getFormat() + ": " + m.getAnInput().getNode(call) + " -> " + m.getOutput().getNode(call)
|
||||
"\"" + m.getFormat() + ": " + m.getAnInput().getNode(call) + " -> " +
|
||||
m.getOutput().getNode(call) + "\""
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
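Review bot: The two-line quoted-value expression is now duplicated verbatim in `MarshalerTest` and `UnmarshalerTest`, and the same `"\"" + ... + "\""` wrapping recurs in several other test classes in this commit. A small helper in this file, `private string quoted(string s) { result = "\"" + s + "\"" }`, would let each site read `value = quoted(m.getFormat() + ": " + m.getAnInput().getNode(call) + " -> " + m.getOutput().getNode(call))` and keep the quoting convention in one place. Both class bodies start and end outside the hunks.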
@@ -11,31 +11,31 @@ func main() {
|
||||
var in, out interface{}
|
||||
var inb []byte
|
||||
|
||||
out, _ = yaml1.Marshal(in) // $marshaler=yaml: in -> ... = ...[0] $ttfnmodelstep=in -> ... = ...[0]
|
||||
yaml1.Unmarshal(inb, out) // $unmarshaler=yaml: inb -> definition of out $ttfnmodelstep=inb -> definition of out
|
||||
out, _ = yaml1.Marshal(in) // $marshaler="yaml: in -> ... = ...[0]" $ttfnmodelstep="in -> ... = ...[0]"
|
||||
yaml1.Unmarshal(inb, out) // $unmarshaler="yaml: inb -> definition of out" $ttfnmodelstep="inb -> definition of out"
|
||||
|
||||
out, _ = yaml2.Marshal(in) // $marshaler=yaml: in -> ... = ...[0] $ttfnmodelstep=in -> ... = ...[0]
|
||||
yaml2.Unmarshal(inb, out) // $unmarshaler=yaml: inb -> definition of out $ttfnmodelstep=inb -> definition of out
|
||||
yaml2.UnmarshalStrict(inb, out) // $unmarshaler=yaml: inb -> definition of out $ttfnmodelstep=inb -> definition of out
|
||||
out, _ = yaml2.Marshal(in) // $marshaler="yaml: in -> ... = ...[0]" $ttfnmodelstep="in -> ... = ...[0]"
|
||||
yaml2.Unmarshal(inb, out) // $unmarshaler="yaml: inb -> definition of out" $ttfnmodelstep="inb -> definition of out"
|
||||
yaml2.UnmarshalStrict(inb, out) // $unmarshaler="yaml: inb -> definition of out" $ttfnmodelstep="inb -> definition of out"
|
||||
|
||||
var r io.Reader
|
||||
d := yaml2.NewDecoder(r) // $ttfnmodelstep=r -> call to NewDecoder
|
||||
d.Decode(out) // $ttfnmodelstep=d -> definition of out
|
||||
d := yaml2.NewDecoder(r) // $ttfnmodelstep="r -> call to NewDecoder"
|
||||
d.Decode(out) // $ttfnmodelstep="d -> definition of out"
|
||||
|
||||
var w io.Writer
|
||||
e := yaml2.NewEncoder(w) // $ttfnmodelstep=definition of e -> definition of w
|
||||
e.Encode(in) // $ttfnmodelstep=in -> definition of e
|
||||
e := yaml2.NewEncoder(w) // $ttfnmodelstep="definition of e -> definition of w"
|
||||
e.Encode(in) // $ttfnmodelstep="in -> definition of e"
|
||||
|
||||
out, _ = yaml3.Marshal(in) // $marshaler=yaml: in -> ... = ...[0] $ttfnmodelstep=in -> ... = ...[0]
|
||||
yaml3.Unmarshal(inb, out) // $unmarshaler=yaml: inb -> definition of out $ttfnmodelstep=inb -> definition of out
|
||||
out, _ = yaml3.Marshal(in) // $marshaler="yaml: in -> ... = ...[0]" $ttfnmodelstep="in -> ... = ...[0]"
|
||||
yaml3.Unmarshal(inb, out) // $unmarshaler="yaml: inb -> definition of out" $ttfnmodelstep="inb -> definition of out"
|
||||
|
||||
d1 := yaml3.NewDecoder(r) // $ttfnmodelstep=r -> call to NewDecoder
|
||||
d1.Decode(out) // $ttfnmodelstep=d1 -> definition of out
|
||||
d1 := yaml3.NewDecoder(r) // $ttfnmodelstep="r -> call to NewDecoder"
|
||||
d1.Decode(out) // $ttfnmodelstep="d1 -> definition of out"
|
||||
|
||||
e1 := yaml3.NewEncoder(w) // $ttfnmodelstep=definition of e1 -> definition of w
|
||||
e1.Encode(in) // $ttfnmodelstep=in -> definition of e1
|
||||
e1 := yaml3.NewEncoder(w) // $ttfnmodelstep="definition of e1 -> definition of w"
|
||||
e1.Encode(in) // $ttfnmodelstep="in -> definition of e1"
|
||||
|
||||
var n1 yaml3.Node
|
||||
n1.Decode(out) // $ttfnmodelstep=n1 -> definition of out
|
||||
n1.Encode(in) // $ttfnmodelstep=in -> definition of n1
|
||||
n1.Decode(out) // $ttfnmodelstep="n1 -> definition of out"
|
||||
n1.Encode(in) // $ttfnmodelstep="in -> definition of n1"
|
||||
}
|
||||
|
||||
@@ -22,7 +22,7 @@ class ZapTest extends InlineExpectationsTest {
|
||||
tag = "zap" and
|
||||
exists(DataFlow::Node sink | any(TestConfig c).hasFlow(_, sink) |
|
||||
element = sink.toString() and
|
||||
value = sink.toString() and
|
||||
value = "\"" + sink.toString() + "\"" and
|
||||
sink.hasLocationInfo(file, line, _, _, _)
|
||||
)
|
||||
}
|
||||
|
||||
@@ -18,72 +18,72 @@ func getUntrustedString() string {
|
||||
|
||||
func testZapLoggerDPanic() {
|
||||
logger, _ := zap.NewProduction()
|
||||
logger.DPanic(getUntrustedString()) // $zap=call to getUntrustedString
|
||||
logger.DPanic(getUntrustedString()) // $zap="call to getUntrustedString"
|
||||
}
|
||||
|
||||
func testZapLoggerFatal() {
|
||||
logger := zap.NewExample()
|
||||
logger.Fatal("msg", zap.String(getUntrustedString(), "value")) // $zap=call to String
|
||||
logger.Fatal("msg", zap.String(getUntrustedString(), "value")) // $zap="call to String"
|
||||
}
|
||||
|
||||
func testZapLoggerPanic() {
|
||||
logger, _ := zap.NewDevelopment()
|
||||
logger.Panic("msg", zap.Any("key", getUntrustedData())) // $zap=call to Any
|
||||
logger.Panic("msg", zap.Any("key", getUntrustedData())) // $zap="call to Any"
|
||||
}
|
||||
|
||||
func testZapLoggerDebug(core zapcore.Core, byteArray []byte) {
|
||||
logger := zap.New(core)
|
||||
logger.Debug(getUntrustedString()) // $zap=call to getUntrustedString
|
||||
logger.Debug("msg", zap.Binary(getUntrustedString(), byteArray)) // $zap=call to Binary
|
||||
logger.Debug("msg", zap.ByteString("key", getUntrustedData().([]byte))) // $zap=call to ByteString
|
||||
logger.Debug(getUntrustedString()) // $zap="call to getUntrustedString"
|
||||
logger.Debug("msg", zap.Binary(getUntrustedString(), byteArray)) // $zap="call to Binary"
|
||||
logger.Debug("msg", zap.ByteString("key", getUntrustedData().([]byte))) // $zap="call to ByteString"
|
||||
}
|
||||
|
||||
func testZapLoggerError(bss [][]byte) {
|
||||
logger := zap.L()
|
||||
logger.Error(getUntrustedString()) // $zap=call to getUntrustedString
|
||||
logger.Error("msg", zap.ByteStrings(getUntrustedString(), bss)) // $zap=call to ByteStrings
|
||||
logger.Error("msg", zap.Error(getUntrustedData().(error))) // $zap=call to Error
|
||||
logger.Error(getUntrustedString()) // $zap="call to getUntrustedString"
|
||||
logger.Error("msg", zap.ByteStrings(getUntrustedString(), bss)) // $zap="call to ByteStrings"
|
||||
logger.Error("msg", zap.Error(getUntrustedData().(error))) // $zap="call to Error"
|
||||
}
|
||||
|
||||
func testZapLoggerInfo(logger *zap.Logger, errs []error) {
|
||||
logger.Info(getUntrustedString()) // $zap=call to getUntrustedString
|
||||
logger.Info("msg", zap.Errors(getUntrustedString(), errs)) // $zap=call to Errors
|
||||
logger.Info("msg", zap.NamedError("key", getUntrustedData().(error))) // $zap=call to NamedError
|
||||
logger.Info(getUntrustedString()) // $zap="call to getUntrustedString"
|
||||
logger.Info("msg", zap.Errors(getUntrustedString(), errs)) // $zap="call to Errors"
|
||||
logger.Info("msg", zap.NamedError("key", getUntrustedData().(error))) // $zap="call to NamedError"
|
||||
}
|
||||
|
||||
func testZapLoggerWarn(logger *zap.Logger) {
|
||||
logger.Warn(getUntrustedString()) // $zap=call to getUntrustedString
|
||||
logger.Warn("msg", zap.Reflect(getUntrustedString(), nil)) // $zap=call to Reflect
|
||||
logger.Warn("msg", zap.Stringp("key", getUntrustedData().(*string))) // $zap=call to Stringp
|
||||
logger.Warn("msg", zap.Strings("key", getUntrustedData().([]string))) // $zap=call to Strings
|
||||
logger.Warn(getUntrustedString()) // $zap="call to getUntrustedString"
|
||||
logger.Warn("msg", zap.Reflect(getUntrustedString(), nil)) // $zap="call to Reflect"
|
||||
logger.Warn("msg", zap.Stringp("key", getUntrustedData().(*string))) // $zap="call to Stringp"
|
||||
logger.Warn("msg", zap.Strings("key", getUntrustedData().([]string))) // $zap="call to Strings"
|
||||
}
|
||||
|
||||
func testZapLoggerNop() {
|
||||
// We do not currently recognise that a logger made using NewNop() does not actually do any logging
|
||||
logger := zap.NewNop()
|
||||
logger.Debug(getUntrustedString()) // $SPURIOUS:zap=call to getUntrustedString
|
||||
logger.Debug(getUntrustedString()) // $SPURIOUS:zap="call to getUntrustedString"
|
||||
}
|
||||
|
||||
func testLoggerNamed(logger *zap.Logger) {
|
||||
namedLogger := logger.Named(getUntrustedString()) // $zap=call to getUntrustedString
|
||||
namedLogger := logger.Named(getUntrustedString()) // $zap="call to getUntrustedString"
|
||||
namedLogger.Info("hello world")
|
||||
}
|
||||
|
||||
func testLoggerWith(logger *zap.Logger) *zap.Logger {
|
||||
logger1 := logger.With(zap.Any(getUntrustedString(), nil)) // $zap=call to Any
|
||||
logger1 := logger.With(zap.Any(getUntrustedString(), nil)) // $zap="call to Any"
|
||||
logger1.Info("hello world")
|
||||
logger2 := logger.With(zap.String("key", getUntrustedString())) // $zap=call to String
|
||||
logger2 := logger.With(zap.String("key", getUntrustedString())) // $zap="call to String"
|
||||
logger2.Info("hello world")
|
||||
logger3 := logger.With(zap.String("key", getUntrustedString())) // $SPURIOUS:zap=call to String
|
||||
logger3 := logger.With(zap.String("key", getUntrustedString())) // $SPURIOUS:zap="call to String"
|
||||
return logger3
|
||||
}
|
||||
|
||||
func getLoggerWithUntrustedField() *zap.Logger {
|
||||
return zap.NewExample().With(zap.NamedError("key", getUntrustedData().(error))) // $zap=call to NamedError
|
||||
return zap.NewExample().With(zap.NamedError("key", getUntrustedData().(error))) // $zap="call to NamedError"
|
||||
}
|
||||
|
||||
func getLoggerWithUntrustedFieldUnused() *zap.Logger {
|
||||
return zap.NewExample().With(zap.NamedError("key", getUntrustedData().(error))) // $SPURIOUS:zap=call to NamedError
|
||||
return zap.NewExample().With(zap.NamedError("key", getUntrustedData().(error))) // $SPURIOUS:zap="call to NamedError"
|
||||
}
|
||||
|
||||
func testLoggerWithAcrossFunctionBoundary() {
|
||||
@@ -91,91 +91,91 @@ func testLoggerWithAcrossFunctionBoundary() {
|
||||
}
|
||||
|
||||
func testLoggerWithOptions(logger *zap.Logger) *zap.Logger {
|
||||
logger1 := logger.WithOptions(zap.Fields(zap.Any(getUntrustedString(), nil))) // $zap=call to Fields
|
||||
logger1 := logger.WithOptions(zap.Fields(zap.Any(getUntrustedString(), nil))) // $zap="call to Fields"
|
||||
logger1.Info("hello world")
|
||||
logger2 := logger.WithOptions(zap.Fields(zap.String("key", getUntrustedString()))) // $zap=call to Fields
|
||||
logger2 := logger.WithOptions(zap.Fields(zap.String("key", getUntrustedString()))) // $zap="call to Fields"
|
||||
logger2.Info("hello world")
|
||||
logger3 := logger.WithOptions(zap.Fields(zap.String("key", getUntrustedString()))) // $SPURIOUS:zap=call to Fields
|
||||
logger3 := logger.WithOptions(zap.Fields(zap.String("key", getUntrustedString()))) // $SPURIOUS:zap="call to Fields"
|
||||
return logger3
|
||||
}
|
||||
|
||||
func testZapSugaredLoggerDPanic(sugaredLogger *zap.SugaredLogger) {
|
||||
sugaredLogger.DPanic(getUntrustedData()) // $zap=call to getUntrustedData
|
||||
sugaredLogger.DPanic(getUntrustedData()) // $zap="call to getUntrustedData"
|
||||
}
|
||||
|
||||
func testZapSugaredLoggerDPanicf(sugaredLogger *zap.SugaredLogger) {
|
||||
sugaredLogger.DPanicf(getUntrustedString()) // $zap=call to getUntrustedString
|
||||
sugaredLogger.DPanicf(getUntrustedString()) // $zap="call to getUntrustedString"
|
||||
}
|
||||
|
||||
func testZapSugaredLoggerDPanicw(sugaredLogger *zap.SugaredLogger) {
|
||||
sugaredLogger.DPanicw(getUntrustedString()) // $zap=call to getUntrustedString
|
||||
sugaredLogger.DPanicw(getUntrustedString()) // $zap="call to getUntrustedString"
|
||||
}
|
||||
|
||||
func testZapSugaredLoggerFatal(sugaredLogger *zap.SugaredLogger) {
|
||||
sugaredLogger.Fatal(getUntrustedData()) // $zap=call to getUntrustedData
|
||||
sugaredLogger.Fatal(getUntrustedData()) // $zap="call to getUntrustedData"
|
||||
}
|
||||
|
||||
func testZapSugaredLoggerFatalf(sugaredLogger *zap.SugaredLogger) {
|
||||
sugaredLogger.Fatalf(getUntrustedString()) // $zap=call to getUntrustedString
|
||||
sugaredLogger.Fatalf(getUntrustedString()) // $zap="call to getUntrustedString"
|
||||
}
|
||||
|
||||
func testZapSugaredLoggerFatalw(sugaredLogger *zap.SugaredLogger) {
|
||||
sugaredLogger.Fatalw(getUntrustedString()) // $zap=call to getUntrustedString
|
||||
sugaredLogger.Fatalw(getUntrustedString()) // $zap="call to getUntrustedString"
|
||||
}
|
||||
|
||||
func testZapSugaredLoggerPanic(sugaredLogger *zap.SugaredLogger) {
|
||||
sugaredLogger.Panic(getUntrustedData()) // $zap=call to getUntrustedData
|
||||
sugaredLogger.Panic(getUntrustedData()) // $zap="call to getUntrustedData"
|
||||
}
|
||||
|
||||
func testZapSugaredLoggerPanicf(sugaredLogger *zap.SugaredLogger) {
|
||||
sugaredLogger.Panicf(getUntrustedString()) // $zap=call to getUntrustedString
|
||||
sugaredLogger.Panicf(getUntrustedString()) // $zap="call to getUntrustedString"
|
||||
}
|
||||
|
||||
func testZapSugaredLoggerPanicw(sugaredLogger *zap.SugaredLogger) {
|
||||
sugaredLogger.Panicw(getUntrustedString()) // $zap=call to getUntrustedString
|
||||
sugaredLogger.Panicw(getUntrustedString()) // $zap="call to getUntrustedString"
|
||||
}
|
||||
|
||||
func testZapSugaredLoggerDebug() {
|
||||
sugaredLogger := zap.S()
|
||||
sugaredLogger.Debug(getUntrustedData()) // $zap=call to getUntrustedData
|
||||
sugaredLogger.Debugf("msg", getUntrustedData()) // $zap=call to getUntrustedData
|
||||
sugaredLogger.Debugw("msg", "key", getUntrustedData()) // $zap=call to getUntrustedData
|
||||
sugaredLogger.Debug(getUntrustedData()) // $zap="call to getUntrustedData"
|
||||
sugaredLogger.Debugf("msg", getUntrustedData()) // $zap="call to getUntrustedData"
|
||||
sugaredLogger.Debugw("msg", "key", getUntrustedData()) // $zap="call to getUntrustedData"
|
||||
}
|
||||
|
||||
func testZapSugaredLoggerError() {
|
||||
logger, _ := zap.NewProduction()
|
||||
sugaredLogger := logger.Sugar()
|
||||
sugaredLogger.Error(getUntrustedData()) // $zap=call to getUntrustedData
|
||||
sugaredLogger.Errorf("msg", getUntrustedData()) // $zap=call to getUntrustedData
|
||||
sugaredLogger.Errorw("msg", "key", getUntrustedData()) // $zap=call to getUntrustedData
|
||||
sugaredLogger.Error(getUntrustedData()) // $zap="call to getUntrustedData"
|
||||
sugaredLogger.Errorf("msg", getUntrustedData()) // $zap="call to getUntrustedData"
|
||||
sugaredLogger.Errorw("msg", "key", getUntrustedData()) // $zap="call to getUntrustedData"
|
||||
}
|
||||
|
||||
func testZapSugaredLoggerInfo() {
|
||||
logger := zap.NewExample()
|
||||
sugaredLogger := logger.Sugar()
|
||||
sugaredLogger.Info(getUntrustedData()) // $zap=call to getUntrustedData
|
||||
sugaredLogger.Infof("msg", getUntrustedData()) // $zap=call to getUntrustedData
|
||||
sugaredLogger.Infow("msg", "key", getUntrustedData()) // $zap=call to getUntrustedData
|
||||
sugaredLogger.Info(getUntrustedData()) // $zap="call to getUntrustedData"
|
||||
sugaredLogger.Infof("msg", getUntrustedData()) // $zap="call to getUntrustedData"
|
||||
sugaredLogger.Infow("msg", "key", getUntrustedData()) // $zap="call to getUntrustedData"
|
||||
}
|
||||
|
||||
func testZapSugaredLoggerWarn() {
|
||||
logger, _ := zap.NewDevelopment()
|
||||
sugaredLogger := logger.Sugar()
|
||||
sugaredLogger.Warn(getUntrustedData()) // $zap=call to getUntrustedData
|
||||
sugaredLogger.Warnf("msg", getUntrustedData()) // $zap=call to getUntrustedData
|
||||
sugaredLogger.Warnw("msg", "key", getUntrustedData()) // $zap=call to getUntrustedData
|
||||
sugaredLogger.Warn(getUntrustedData()) // $zap="call to getUntrustedData"
|
||||
sugaredLogger.Warnf("msg", getUntrustedData()) // $zap="call to getUntrustedData"
|
||||
sugaredLogger.Warnw("msg", "key", getUntrustedData()) // $zap="call to getUntrustedData"
|
||||
}
|
||||
|
||||
func testZapSugaredLoggerNamed() {
|
||||
logger := zap.L()
|
||||
sugaredLogger := logger.Sugar()
|
||||
sugaredLogger.Named(getUntrustedString()) // $zap=call to getUntrustedString
|
||||
sugaredLogger.Named(getUntrustedString()) // $zap="call to getUntrustedString"
|
||||
sugaredLogger.Info("msg")
|
||||
}
|
||||
|
||||
func testZapSugaredLoggerWith() {
|
||||
logger := zap.L()
|
||||
sugaredLogger := logger.Sugar()
|
||||
sugaredLogger.With("key", getUntrustedData()) // $zap=call to getUntrustedData
|
||||
sugaredLogger.With("key", getUntrustedData()) // $zap="call to getUntrustedData"
|
||||
sugaredLogger.Info("msg")
|
||||
}
|
||||
|
||||