From faf43efb60199d88f60281b359aa0e4ef14cb011 Mon Sep 17 00:00:00 2001 From: Chris Smowton Date: Tue, 18 Aug 2020 15:30:22 +0100 Subject: [PATCH] Promote OAuth2 constant-state query to mainline --- change-notes/2020-08-18-oauth2.md | 2 ++ .../CWE-352/ConstantOauth2State.qhelp | 0 .../{experimental => Security}/CWE-352/ConstantOauth2State.ql | 0 .../CWE-352/ConstantOauth2StateBad.go | 0 .../CWE-352/ConstantOauth2StateBetter.go | 0 ql/test/experimental/CWE-352/ConstantOauth2State.qlref | 1 - .../Security}/CWE-352/ConstantOauth2State.expected | 0 .../Security}/CWE-352/ConstantOauth2State.go | 0 ql/test/query-tests/Security/CWE-352/ConstantOauth2State.qlref | 1 + ql/test/{experimental => query-tests/Security}/CWE-352/go.mod | 0 .../Security}/CWE-352/vendor/golang.org/x/oauth2/LICENSE | 0 .../Security}/CWE-352/vendor/golang.org/x/oauth2/stub.go | 0 .../Security}/CWE-352/vendor/modules.txt | 0 13 files changed, 3 insertions(+), 1 deletion(-) create mode 100644 change-notes/2020-08-18-oauth2.md rename ql/src/{experimental => Security}/CWE-352/ConstantOauth2State.qhelp (100%) rename ql/src/{experimental => Security}/CWE-352/ConstantOauth2State.ql (100%) rename ql/src/{experimental => Security}/CWE-352/ConstantOauth2StateBad.go (100%) rename ql/src/{experimental => Security}/CWE-352/ConstantOauth2StateBetter.go (100%) delete mode 100644 ql/test/experimental/CWE-352/ConstantOauth2State.qlref rename ql/test/{experimental => query-tests/Security}/CWE-352/ConstantOauth2State.expected (100%) rename ql/test/{experimental => query-tests/Security}/CWE-352/ConstantOauth2State.go (100%) create mode 100644 ql/test/query-tests/Security/CWE-352/ConstantOauth2State.qlref rename ql/test/{experimental => query-tests/Security}/CWE-352/go.mod (100%) rename ql/test/{experimental => query-tests/Security}/CWE-352/vendor/golang.org/x/oauth2/LICENSE (100%) rename ql/test/{experimental => query-tests/Security}/CWE-352/vendor/golang.org/x/oauth2/stub.go (100%) rename ql/test/{experimental => query-tests/Security}/CWE-352/vendor/modules.txt (100%) diff --git a/change-notes/2020-08-18-oauth2.md b/change-notes/2020-08-18-oauth2.md new file mode 100644 index 00000000000..aa4b566a3f0 --- /dev/null +++ b/change-notes/2020-08-18-oauth2.md @@ -0,0 +1,2 @@ +lgtm,codescanning +* The query "Use of constant `state` value in OAuth 2.0 URL" (`go/constant-oauth2-state`) has been promoted from experimental status. This checks for use of a constant state value in generating an OAuth2 redirect URL, which may open the way for a CSRF attack. diff --git a/ql/src/experimental/CWE-352/ConstantOauth2State.qhelp b/ql/src/Security/CWE-352/ConstantOauth2State.qhelp similarity index 100% rename from ql/src/experimental/CWE-352/ConstantOauth2State.qhelp rename to ql/src/Security/CWE-352/ConstantOauth2State.qhelp diff --git a/ql/src/experimental/CWE-352/ConstantOauth2State.ql b/ql/src/Security/CWE-352/ConstantOauth2State.ql similarity index 100% rename from ql/src/experimental/CWE-352/ConstantOauth2State.ql rename to ql/src/Security/CWE-352/ConstantOauth2State.ql diff --git a/ql/src/experimental/CWE-352/ConstantOauth2StateBad.go b/ql/src/Security/CWE-352/ConstantOauth2StateBad.go similarity index 100% rename from ql/src/experimental/CWE-352/ConstantOauth2StateBad.go rename to ql/src/Security/CWE-352/ConstantOauth2StateBad.go diff --git a/ql/src/experimental/CWE-352/ConstantOauth2StateBetter.go b/ql/src/Security/CWE-352/ConstantOauth2StateBetter.go similarity index 100% rename from ql/src/experimental/CWE-352/ConstantOauth2StateBetter.go rename to ql/src/Security/CWE-352/ConstantOauth2StateBetter.go diff --git a/ql/test/experimental/CWE-352/ConstantOauth2State.qlref b/ql/test/experimental/CWE-352/ConstantOauth2State.qlref deleted file mode 100644 index 82c080c7754..00000000000 --- a/ql/test/experimental/CWE-352/ConstantOauth2State.qlref +++ /dev/null @@ -1 +0,0 @@ -experimental/CWE-352/ConstantOauth2State.ql diff --git a/ql/test/experimental/CWE-352/ConstantOauth2State.expected b/ql/test/query-tests/Security/CWE-352/ConstantOauth2State.expected similarity index 100% rename from ql/test/experimental/CWE-352/ConstantOauth2State.expected rename to ql/test/query-tests/Security/CWE-352/ConstantOauth2State.expected diff --git a/ql/test/experimental/CWE-352/ConstantOauth2State.go b/ql/test/query-tests/Security/CWE-352/ConstantOauth2State.go similarity index 100% rename from ql/test/experimental/CWE-352/ConstantOauth2State.go rename to ql/test/query-tests/Security/CWE-352/ConstantOauth2State.go diff --git a/ql/test/query-tests/Security/CWE-352/ConstantOauth2State.qlref b/ql/test/query-tests/Security/CWE-352/ConstantOauth2State.qlref new file mode 100644 index 00000000000..7898f39d415 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-352/ConstantOauth2State.qlref @@ -0,0 +1 @@ +Security/CWE-352/ConstantOauth2State.ql diff --git a/ql/test/experimental/CWE-352/go.mod b/ql/test/query-tests/Security/CWE-352/go.mod similarity index 100% rename from ql/test/experimental/CWE-352/go.mod rename to ql/test/query-tests/Security/CWE-352/go.mod diff --git a/ql/test/experimental/CWE-352/vendor/golang.org/x/oauth2/LICENSE b/ql/test/query-tests/Security/CWE-352/vendor/golang.org/x/oauth2/LICENSE similarity index 100% rename from ql/test/experimental/CWE-352/vendor/golang.org/x/oauth2/LICENSE rename to ql/test/query-tests/Security/CWE-352/vendor/golang.org/x/oauth2/LICENSE diff --git a/ql/test/experimental/CWE-352/vendor/golang.org/x/oauth2/stub.go b/ql/test/query-tests/Security/CWE-352/vendor/golang.org/x/oauth2/stub.go similarity index 100% rename from ql/test/experimental/CWE-352/vendor/golang.org/x/oauth2/stub.go rename to ql/test/query-tests/Security/CWE-352/vendor/golang.org/x/oauth2/stub.go diff --git a/ql/test/experimental/CWE-352/vendor/modules.txt b/ql/test/query-tests/Security/CWE-352/vendor/modules.txt similarity index 100% rename from ql/test/experimental/CWE-352/vendor/modules.txt rename to ql/test/query-tests/Security/CWE-352/vendor/modules.txt