Slavomir
cd151fcdd1
Merge branch 'standard-lib-pt-5' into from-331-to-337
2020-09-20 15:45:46 +02:00
Chris Smowton
fee596ac83
Merge pull request #343 from smowton/smowton/feature/chi-models
...
Add models for the Chi web framework
2020-09-16 11:38:08 +01:00
Chris Smowton
1bf366c1e3
Add models for the Chi web framework
...
This is mostly simple as the framework uses ordinary net/http methods and ordinary Go contexts for most purposes.
2020-09-16 09:14:23 +01:00
Slavomir
a340270dc1
Move html TemplateEscape out of Texttemplate module
2020-09-14 15:47:52 +02:00
Slavomir
9a560e994c
Remove redundant field
2020-09-14 15:47:51 +02:00
Slavomir
ce67720542
Add taint-tracking for html/template package.
2020-09-14 15:47:51 +02:00
Slavomir
35136bbb2c
Add escape function.
2020-09-14 15:47:51 +02:00
Slavomir
52d4c71ec2
Add taint-tracking for html package.
2020-09-14 15:47:51 +02:00
Chris Smowton
8d7cbe3aa5
Merge pull request #323 from gagliardetto/standard-lib-pt-8
...
Add taint-tracking for packages in `encoding/*`
2020-09-14 14:41:19 +01:00
Slavomir
4c2537017f
Fix TaintStep.expected: add params to json.MarshalIndent
2020-09-14 13:10:25 +02:00
Slavomir
64a61bd648
Remove redundant taint-tracking from MarshalingFunction and UnmarshalingFunction classes in EncodingXml module.
2020-09-14 13:10:25 +02:00
Slavomir
947bbabf62
Extend MarshalingFunction and UnmarshalingFunction with encoding/pem
2020-09-14 13:10:25 +02:00
Slavomir
d472d5abe5
Remove redundant taint-tracking from MarshalingFunction and UnmarshalingFunction classes in EncodingJson module.
2020-09-14 13:10:25 +02:00
Slavomir
ed2e5b0f92
Extend MarshalingFunction and UnmarshalingFunction with encoding/asn1
2020-09-14 13:10:25 +02:00
Slavomir
afede9bde5
Remove encoder taint-tracking for encoding/hex
2020-09-14 13:10:25 +02:00
Slavomir
96a700becb
Remove encoder taint-tracking for encoding/base64
2020-09-14 13:10:25 +02:00
Slavomir
0baca5fa6c
Remove encoder taint-tracking for encoding/base32
2020-09-14 13:10:25 +02:00
Slavomir
828d3863a0
Remove encoder taint-tracking for encoding/ascii85
2020-09-14 13:10:25 +02:00
Slavomir
f3a61ed65c
Add MarshalFunction and UnmarshalFunction classes to EncodingXml module.
2020-09-14 13:10:25 +02:00
Slavomir
b4ff653071
Add taint-tracking for encoding/xml
2020-09-14 13:10:25 +02:00
Slavomir
e7fc3c5039
Add taint-tracking for encoding/pem
2020-09-14 13:10:25 +02:00
Slavomir
669ed91b0b
Move EncodingJson to stdlib; add Escape class.
2020-09-14 13:10:25 +02:00
Slavomir
24c23ba333
Add taint-tracking for encoding/json
2020-09-14 13:10:25 +02:00
Slavomir
f5fc9494fc
Remove old EncodingHex module
2020-09-14 13:10:25 +02:00
Slavomir
74fdfba85c
Add taint-tracking for encoding/hex
2020-09-14 13:10:25 +02:00
Slavomir
7a42992850
Add taint-tracking for encoding/gob
2020-09-14 13:10:25 +02:00
Slavomir
57518c7e3d
Add taint-tracking for encoding/csv
2020-09-14 13:10:25 +02:00
Slavomir
df55bb459f
Add taint-tracking for encoding/binary
2020-09-14 13:10:25 +02:00
Slavomir
20b4826e8e
Add taint-tracking for encoding/base64
2020-09-14 13:10:25 +02:00
Slavomir
7060367de5
Add taint-tracking for encoding/base32
2020-09-14 13:10:24 +02:00
Slavomir
ba78eda277
Add taint-tracking for encoding/asn1
2020-09-14 13:10:24 +02:00
Slavomir
412ba1263b
Add taint-tracking for encoding/ascii85
2020-09-14 13:10:24 +02:00
Slavomir
a47842d1c3
Add taint-tracking for package encoding
2020-09-14 13:10:24 +02:00
Slavomir
27ba893ba2
Add taint-tracking for context package
2020-09-14 13:09:45 +02:00
Chris Smowton
86ed037fd3
Port codeql#4238 (Dataflow: small fixes for naming in taint tracking) to Go's local copy of the dataflow libs
2020-09-14 12:01:30 +01:00
Chris Smowton
b9b306aade
CleartextLogging: sanitize strings.Split(authheader, ":")[0] and similar
...
These can represent a username, method name or other non-sensitive component of an Authorization header. For greater precision we could split the query into one investigating Authorization headers and one investigating other sources of sensitive data that can't be sanitized by splitting this way.
2020-09-14 09:46:14 +01:00
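The sanitiser described in the commit above, shown as an added Go example (this is not code from codeql-go or from the commit): a request logger that reduces an Authorization header to its scheme and, for Basic credentials, to `strings.Split(decoded, ":")[0]`, i.e. the username. The secret after the first colon, and any bearer token, never reaches the log line. The function names and the base64-encoded `alice:hunter2` sample are constructed for the example.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"log"
	"strings"
)

// loggableAuth reduces an Authorization header to the parts that are safe to
// write to a log: the scheme and, for Basic credentials, the username taken
// as strings.Split(decoded, ":")[0]. The password (everything after the first
// colon) and any bearer token are never returned.
func loggableAuth(header string) (scheme, subject string) {
	parts := strings.SplitN(strings.TrimSpace(header), " ", 2)
	scheme = parts[0]
	if len(parts) < 2 || !strings.EqualFold(scheme, "Basic") {
		// Bearer, Digest, etc.: log the scheme only, the credential is opaque.
		return scheme, ""
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(parts[1]))
	if err != nil {
		return scheme, ""
	}
	// Index 0 of the split is the username; a password may itself contain
	// colons, which is why only index 0 is taken rather than a SplitN/2 pair.
	subject = strings.Split(string(raw), ":")[0]
	return scheme, subject
}

// logRequest builds the log line from the sanitised components and returns it
// so callers (and tests) can check what would have been written.
func logRequest(path, authHeader string) string {
	scheme, subject := loggableAuth(authHeader)
	line := fmt.Sprintf("path=%s auth_scheme=%s user=%q", path, scheme, subject)
	log.Print(line)
	return line
}

func main() {
	// Constructed samples: "alice:hunter2" base64-encoded, and a fake bearer token.
	logRequest("/admin", "Basic YWxpY2U6aHVudGVyMg==")
	logRequest("/api", "Bearer not.a.real.token")
}
```

Logging `parts[1]` of the Basic split, or the raw header, would put the credential in cleartext in the log, which is exactly the flow the CleartextLogging query reports.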
Slavomir
cf29f9dede
Remove taint-tracking on single bytes and runes
2020-09-14 09:46:14 +01:00
Slavomir
6d3e6ded26
Fix: the Append* functions do not modify the dst slice argument.
2020-09-14 09:46:14 +01:00
Slavomir
9293bcde1d
Fix ql/test/library-tests/semmle/go/frameworks/TaintSteps/TaintStep.expected: calls to strings.NewReader are a step now.
2020-09-14 09:46:14 +01:00
Slavomir
3075294cd8
Move strings module to stdlib, and add more taint-tracking classes to it.
2020-09-14 09:46:13 +01:00
Slavomir
42c7f8cc0d
Add taint-tracking for strconv package; rename module StrConv to Strconv and move into stdlib
2020-09-14 09:44:25 +01:00
Max Schaefer
b8d36b936e
Merge pull request #321 from gagliardetto/standard-lib-pt-14
...
Add taint-tracking for packages inside `mime/*`
2020-09-14 09:26:29 +01:00
Max Schaefer
c889bc3dae
Merge branch 'main' into standard-lib-pt-24
2020-09-11 14:09:50 +01:00
Chris Smowton
84def5f6c2
Merge pull request #327 from smowton/smowton/feature/more-post-update-nodes
...
Add PostUpdateNodes for nested structs and arrays
2020-09-11 12:47:20 +01:00
Max Schaefer
903cffe7ed
Merge pull request #317 from gagliardetto/standard-lib-pt-18
...
Add taint-tracking for `reflect` package
2020-09-11 11:26:48 +01:00
Chris Smowton
650bc1d38f
Add PostUpdateNodes for dereferenced expressions on an access path to a field- or element-write
2020-09-11 10:46:58 +01:00
Max Schaefer
e9bf3317b5
Merge pull request #328 from owen-mc/gorm-exec
...
Update GORM model
2020-09-11 08:41:09 +01:00
Chris Smowton
405babf5af
Reflected XSS query: exclude more uses of encoding/json.Marshal
...
Previously we only detected these if the marshalling directly fed the request body within the same function; now it's a general sanitiser for the purposes of XSS.
2020-09-10 16:52:06 +01:00
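Why `encoding/json.Marshal` can be treated as a reflected-XSS sanitiser, as an added Go example that is not part of the commit or of codeql-go: a handler that reflects a query parameter straight into HTML beside one that passes it through `json.Marshal`, which by default escapes `<`, `>` and `&` as `\u003c`, `\u003e` and `\u0026`. The example also covers the caveat the commit does not mention: a `json.Encoder` with `SetEscapeHTML(false)` emits the raw characters and is not a sanitiser. Handler names and the `<script>` payload are constructed for the example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// vulnerableEcho reflects the untrusted query parameter straight into an
// HTML response body: a reflected-XSS sink with no sanitisation.
func vulnerableEcho(w http.ResponseWriter, r *http.Request) {
	name := r.URL.Query().Get("name")
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	fmt.Fprintf(w, "<p>Hello %s</p>", name)
}

// marshalledEcho sends the same value through encoding/json.Marshal first.
// Marshal quotes the string and escapes '<', '>' and '&' as \u003c, \u003e
// and \u0026, so no tag boundary from the input reaches the browser.
func marshalledEcho(w http.ResponseWriter, r *http.Request) {
	name := r.URL.Query().Get("name")
	body, err := json.Marshal(map[string]string{"name": name})
	if err != nil {
		http.Error(w, "encode failed", http.StatusInternalServerError)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	_, _ = w.Write(body)
}

// encodeWithoutHTMLEscape is the caveat: json.Encoder.SetEscapeHTML(false)
// leaves '<', '>' and '&' untouched, so this path is NOT a sanitiser.
func encodeWithoutHTMLEscape(v interface{}) string {
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(false)
	if err := enc.Encode(v); err != nil {
		return ""
	}
	return buf.String()
}

// render drives a handler with a constructed GET request carrying the payload
// in the "name" query parameter and returns the response body.
func render(h http.HandlerFunc, payload string) string {
	req := httptest.NewRequest(http.MethodGet, "/?name="+url.QueryEscape(payload), nil)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Body.String()
}

// containsRawTag reports whether the literal tag survived into the body.
func containsRawTag(body, tag string) bool { return strings.Contains(body, tag) }

func main() {
	payload := `<script>alert(1)</script>`
	fmt.Println(render(vulnerableEcho, payload))
	fmt.Println(render(marshalledEcho, payload))
	fmt.Print(encodeWithoutHTMLEscape(map[string]string{"name": payload}))
}
```

The model only holds for `json.Marshal` (and an Encoder left at its default); code that disables HTML escaping, or that unmarshals the JSON again before writing it, has undone the escaping and should not be treated as sanitised.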
Owen Mansel-Chan
3af90c9fc8
Update GORM tests
2020-09-10 13:48:12 +01:00
Owen Mansel-Chan
d807e8de75
Add more methods from GORM as sinks
...
Cf. https://gorm.io/docs/security.html
2020-09-09 16:18:41 +01:00