From f84e8b0fbcfbe9f211892e41b8322ad27c5a91cd Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Wed, 3 Jun 2026 14:29:10 +0100
Subject: [PATCH] Make all lines in logging tests reachable
---
 .../semmle/go/concepts/LoggerCall/logrus.go | 16 ++--
 .../semmle/go/concepts/LoggerCall/main.go | 2 +-
 .../semmle/go/concepts/LoggerCall/stdlib.go | 82 +++++++++++++------
 3 files changed, 68 insertions(+), 32 deletions(-)
diff --git a/go/ql/test/library-tests/semmle/go/concepts/LoggerCall/logrus.go b/go/ql/test/library-tests/semmle/go/concepts/LoggerCall/logrus.go
index bdb57aae2e1..56677fff99b 100644
--- a/go/ql/test/library-tests/semmle/go/concepts/LoggerCall/logrus.go
+++ b/go/ql/test/library-tests/semmle/go/concepts/LoggerCall/logrus.go
@@ -13,7 +13,7 @@ func logSomething(entry *logrus.Entry) {
 entry.Traceln(text) // $ logger=text
 }
-func logrusCalls() {
+func logrusCalls(selector int) {
 err := errors.New("Error")
 var fields logrus.Fields = nil
 var fn logrus.LogFunction = nil
@@ -27,11 +27,15 @@ func logrusCalls() {
 tmp = logrus.WithFields(fields) // $ logger=fields
 logSomething(tmp)
- logrus.Error(text) // $ logger=text
- logrus.Fatalf(fmt, text) // $ logger=fmt logger=text
- logrus.Panicln(text) // $ logger=text
- logrus.Infof(fmt, text) // $ logger=fmt logger=text
- logrus.FatalFn(fn) // $ logger=fn
+ logrus.Error(text) // $ logger=text
+ logrus.Infof(fmt, text) // $ logger=fmt logger=text
+ if selector == 0 {
+ logrus.Fatalf(fmt, text) // $ logger=fmt logger=text
+ } else if selector == 1 {
+ logrus.Panicln(text) // $ logger=text
+ } else if selector == 2 {
+ logrus.FatalFn(fn) // $ logger=fn
+ }
 // components corresponding to the format specifier "%T" are not considered vulnerable
 logrus.Infof("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
diff --git a/go/ql/test/library-tests/semmle/go/concepts/LoggerCall/main.go b/go/ql/test/library-tests/semmle/go/concepts/LoggerCall/main.go
index 688c59bc2ea..217d7029a30 100644
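Review bot: The new `selector` parameter of `logrusCalls` in logrus.go (and of `stdlib` in stdlib.go, which gets the same treatment) is introduced without a comment, so a reader has to go to the commit subject to learn why the Fatal/Panic calls are now guarded. A short comment above the `if` would do, for example `// selector picks one non-returning call (Fatal*/Panic*) so the statements after it stay reachable`. On style, the `if selector == 0 { … } else if selector == 1 { … } else if selector == 2 { … }` chain reads better as `switch selector { case 0: … case 1: … case 2: … }`, which is also the form stdlib.go uses in this patch. The body of `logrusCalls` continues past the end of the second hunk, so calls further down are not covered by this note.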
--- a/go/ql/test/library-tests/semmle/go/concepts/LoggerCall/main.go
+++ b/go/ql/test/library-tests/semmle/go/concepts/LoggerCall/main.go
@@ -7,5 +7,5 @@ var v []byte
 func main() {
 glogTest(len(v))
- stdlib()
+ stdlib(len(v))
 }
diff --git a/go/ql/test/library-tests/semmle/go/concepts/LoggerCall/stdlib.go b/go/ql/test/library-tests/semmle/go/concepts/LoggerCall/stdlib.go
index 6fbf3c43fd3..e77e83a2ac5 100644
--- a/go/ql/test/library-tests/semmle/go/concepts/LoggerCall/stdlib.go
+++ b/go/ql/test/library-tests/semmle/go/concepts/LoggerCall/stdlib.go
@@ -4,37 +4,69 @@ import (
 "log"
 )
-func stdlib() {
+func stdlib(selector int) {
 var logger log.Logger
 logger.SetPrefix("prefix: ")
- logger.Fatal(text) // $ logger=text
- logger.Fatalf(fmt, text) // $ logger=fmt logger=text
- logger.Fatalln(text) // $ logger=text
- logger.Panic(text) // $ logger=text
- logger.Panicf(fmt, text) // $ logger=fmt logger=text
- logger.Panicln(text) // $ logger=text
- logger.Print(text) // $ logger=text
- logger.Printf(fmt, text) // $ logger=fmt logger=text
- logger.Println(text) // $ logger=text
+ switch selector {
+ case 0:
+ logger.Fatal(text) // $ logger=text
+ case 1:
+ logger.Fatalf(fmt, text) // $ logger=fmt logger=text
+ case 2:
+ logger.Fatalln(text) // $ logger=text
+ case 3:
+ logger.Panic(text) // $ logger=text
+ case 4:
+ logger.Panicf(fmt, text) // $ logger=fmt logger=text
+ case 5:
+ logger.Panicln(text) // $ logger=text
+ case 6:
+ logger.Print(text) // $ logger=text
+ case 7:
+ logger.Printf(fmt, text) // $ logger=fmt logger=text
+ case 8:
+ logger.Println(text) // $ logger=text
+ }
 // components corresponding to the format specifier "%T" are not considered vulnerable
- logger.Fatalf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
- logger.Panicf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
- logger.Printf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+ switch selector {
+ case 9:
+ logger.Fatalf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+ case 10:
+ logger.Panicf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+ case 11:
+ logger.Printf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+ }
 log.SetPrefix("prefix: ")
- log.Fatal(text) // $ logger=text
- log.Fatalf(fmt, text) // $ logger=fmt logger=text
- log.Fatalln(text) // $ logger=text
- log.Panic(text) // $ logger=text
- log.Panicf(fmt, text) // $ logger=fmt logger=text
- log.Panicln(text) // $ logger=text
- log.Print(text) // $ logger=text
- log.Printf(fmt, text) // $ logger=fmt logger=text
- log.Println(text) // $ logger=text
+ switch selector {
+ case 12:
+ log.Fatal(text) // $ logger=text
+ case 13:
+ log.Fatalf(fmt, text) // $ logger=fmt logger=text
+ case 14:
+ log.Fatalln(text) // $ logger=text
+ case 15:
+ log.Panic(text) // $ logger=text
+ case 16:
+ log.Panicf(fmt, text) // $ logger=fmt logger=text
+ case 17:
+ log.Panicln(text) // $ logger=text
+ case 18:
+ log.Print(text) // $ logger=text
+ case 19:
+ log.Printf(fmt, text) // $ logger=fmt logger=text
+ case 20:
+ log.Println(text) // $ logger=text
+ }
 // components corresponding to the format specifier "%T" are not considered vulnerable
- log.Fatalf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
- log.Panicf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
- log.Printf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+ switch selector {
+ case 21:
+ log.Fatalf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+ case 22:
+ log.Panicf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+ case 23:
+ log.Printf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+ }
 }
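Review bot: The switches in `stdlib` also wrap `Print`, `Printf` and `Println` (cases 6–8, 11, 18–20 and 23), which return normally and so never cut off the lines after them; only the `Fatal*` and `Panic*` calls need a guard. logrus.go in this same patch leaves `logrus.Error` and `logrus.Infof` as plain statements and guards just the non-returning calls, so keeping the `Print*` lines unguarded here would make the two files consistent and shrink the selector range. Since these lines carry the `// $ logger=…` expectations for the logger-call model, the fewer of them that depend on a branch, the easier it is to see that each expectation is still exercised.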