Remove unused test comments
These were introduced in 68dca955. Currently they aren't doing anything
as there isn't an inline expectation test for the tag "source" in this
folder. They seem to have been originally intended to mark untrusted flow
sources, but they aren't needed, because we use "noflow" to mark only the
places where there is no flow.
@@ -27,13 +27,13 @@ type MyRoute struct {
|
||||
|
||||
func (c MyRoute) Handler1() revel.Result {
|
||||
// GOOD: the Render function is likely to properly escape the user-controlled parameter.
|
||||
return c.Render("someviewparam", c.Params.Form.Get("someField")) // $ source="selection of Params"
|
||||
return c.Render("someviewparam", c.Params.Form.Get("someField"))
|
||||
}
|
||||
|
||||
func (c MyRoute) Handler2() revel.Result {
|
||||
// BAD: the RenderBinary function copies an `io.Reader` to the user's browser.
|
||||
buf := &bytes.Buffer{}
|
||||
buf.WriteString(c.Params.Form.Get("someField")) // $ source="selection of Params"
|
||||
buf.WriteString(c.Params.Form.Get("someField"))
|
||||
return c.RenderBinary(buf, "index.html", revel.Inline, time.Now()) // $ responsebody='buf'
|
||||
}
|
||||
|
||||
@@ -41,55 +41,55 @@ func (c MyRoute) Handler3() revel.Result {
|
||||
// GOOD: the RenderBinary function copies an `io.Reader` to the user's browser, but the filename
|
||||
// means it will be given a safe content-type.
|
||||
buf := &bytes.Buffer{}
|
||||
buf.WriteString(c.Params.Form.Get("someField")) // $ source="selection of Params"
|
||||
buf.WriteString(c.Params.Form.Get("someField"))
|
||||
return c.RenderBinary(buf, "index.txt", revel.Inline, time.Now()) // $ responsebody='buf'
|
||||
}
|
||||
|
||||
func (c MyRoute) Handler4() revel.Result {
|
||||
// GOOD: the RenderError function either uses an HTML template with probable escaping,
|
||||
// or it uses content-type text/plain.
|
||||
err := errors.New(c.Params.Form.Get("someField")) // $ source="selection of Params"
|
||||
return c.RenderError(err) // $ responsebody='err'
|
||||
err := errors.New(c.Params.Form.Get("someField"))
|
||||
return c.RenderError(err) // $ responsebody='err'
|
||||
}
|
||||
|
||||
func (c MyRoute) Handler5() revel.Result {
|
||||
// BAD: returning an arbitrary file (but this is detected at the os.Open call, not
|
||||
// due to modelling Revel)
|
||||
f, _ := os.Open(c.Params.Form.Get("someField")) // $ source="selection of Params"
|
||||
f, _ := os.Open(c.Params.Form.Get("someField"))
|
||||
return c.RenderFile(f, revel.Inline)
|
||||
}
|
||||
|
||||
func (c MyRoute) Handler6() revel.Result {
|
||||
// BAD: returning an arbitrary file (detected as a user-controlled file-op, not XSS)
|
||||
return c.RenderFileName(c.Params.Form.Get("someField"), revel.Inline) // $ source="selection of Params"
|
||||
return c.RenderFileName(c.Params.Form.Get("someField"), revel.Inline)
|
||||
}
|
||||
|
||||
func (c MyRoute) Handler7() revel.Result {
|
||||
// BAD: straightforward XSS
|
||||
return c.RenderHTML(c.Params.Form.Get("someField")) // $ responsebody='call to Get' source="selection of Params"
|
||||
return c.RenderHTML(c.Params.Form.Get("someField")) // $ responsebody='call to Get'
|
||||
}
|
||||
|
||||
func (c MyRoute) Handler8() revel.Result {
|
||||
// GOOD: uses JSON content-type
|
||||
return c.RenderJSON(c.Params.Form.Get("someField")) // $ responsebody='call to Get' source="selection of Params"
|
||||
return c.RenderJSON(c.Params.Form.Get("someField")) // $ responsebody='call to Get'
|
||||
}
|
||||
|
||||
func (c MyRoute) Handler9() revel.Result {
|
||||
// GOOD: uses Javascript content-type
|
||||
return c.RenderJSONP("callback", c.Params.Form.Get("someField")) // $ responsebody='call to Get' source="selection of Params"
|
||||
return c.RenderJSONP("callback", c.Params.Form.Get("someField")) // $ responsebody='call to Get'
|
||||
}
|
||||
|
||||
func (c MyRoute) Handler10() revel.Result {
|
||||
// GOOD: uses text content-type
|
||||
return c.RenderText(c.Params.Form.Get("someField")) // $ responsebody='call to Get' source="selection of Params"
|
||||
return c.RenderText(c.Params.Form.Get("someField")) // $ responsebody='call to Get'
|
||||
}
|
||||
|
||||
func (c MyRoute) Handler11() revel.Result {
|
||||
// GOOD: uses xml content-type
|
||||
return c.RenderXML(c.Params.Form.Get("someField")) // $ responsebody='call to Get' source="selection of Params"
|
||||
return c.RenderXML(c.Params.Form.Get("someField")) // $ responsebody='call to Get'
|
||||
}
|
||||
|
||||
func (c MyRoute) Handler12() revel.Result {
|
||||
// BAD: open redirect
|
||||
return c.Redirect(c.Params.Form.Get("someField")) // $ source="selection of Params"
|
||||
return c.Redirect(c.Params.Form.Get("someField"))
|
||||
}
|
||||
|
||||
@@ -24,10 +24,10 @@ func sink(_ ...interface{}) {}
|
||||
|
||||
func (c myAppController) accessingParamsDirectlyIsUnsafe() {
|
||||
sink(c.Params.Get("key"))
|
||||
sink(c.Params.Values) // $ source="selection of Params"
|
||||
sink(c.Params.Values)
|
||||
|
||||
val4 := ""
|
||||
c.Params.Bind(&val4, "key") // $ source="selection of Params"
|
||||
c.Params.Bind(&val4, "key")
|
||||
sink(val4)
|
||||
|
||||
sink(c.Request.FormValue("key"))
|
||||
|
||||