Ensure SetFormatterAssignment lhs/rhs match up

Introduce abstract `SanitizingFormatter` class as a base for all
sanitizing formatters

go/ql/lib/change-notes/2022-12-19-logrus-sanitizing-formatters.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Modified the behaviour of the `go/log-injection` query for `logrus` so that logging functions are not marked as data flow sources if only sanitizing formatters are installed with `SetFormatter` and through the `Formatter` property of `Logger` objects.

go/ql/lib/semmle/go/frameworks/Logrus.qll

@@ -32,7 +32,12 @@ module Logrus {
   }
 
   private class LogCall extends LoggerCall::Range, DataFlow::CallNode {
-    LogCall() { this = any(LogFunction f).getACall() }
+    LogCall() {
+      // find calls to logrus logging functions
+      this = any(LogFunction f).getACall() and
+      // unless all formatters that get assigned may be sanitizing formatters
+      not allFormattersMayBeSanitizing()
+    }
 
     override DataFlow::Node getAMessageComponent() { result = this.getAnArgument() }
   }
@@ -49,4 +54,102 @@ module Logrus {
 
     override int getFirstFormattedParameterIndex() { result = argOffset + 1 }
   }
+
+  private class SetFormatterFunction extends Function {
+    SetFormatterFunction() {
+      this.hasQualifiedName(packagePath(), "SetFormatter") or
+      this.(Method).hasQualifiedName(packagePath(), "Logger", "SetFormatter")
+    }
+  }
+
+  private class JsonFormatter extends SanitizingFormatter {
+    JsonFormatter() { this.hasQualifiedName(packagePath(), "JSONFormatter") }
+  }
+
+  /**
+   * A type which represents a sanitizing formatter for Logrus.
+   *
+   * Extend this class to add support for additional, sanitizing formatters.
+   */
+  abstract class SanitizingFormatter extends Type { }
+
+  /**
+   * An assignment statement that assigns a value to the `Formatter` property of a `Logger` object.
+   */
+  private class SetFormatterAssignment extends AssignStmt {
+    int lhsIndex;
+
+    SetFormatterAssignment() {
+      exists(Field field |
+        this.getLhs(lhsIndex).(SelectorExpr).uses(field) and
+        field.hasQualifiedName(packagePath(), "Logger", "Formatter")
+      )
+    }
+
+    /**
+     * Gets the formatter that is being assigned to the `Formatter` property.
+     */
+    Expr getFormatter() { result = this.getRhs(lhsIndex) }
+  }
+
+  /**
+   * Holds if there is local data flow to `node` that, at some point, has a sanitizing formatter
+   * type.
+   */
+  private predicate mayBeSanitizingFormatter(DataFlow::Node node) {
+    // is there data flow from something of a sanitizing formatter type to the node?
+    exists(DataFlow::Node source |
+      // this is a slight approximation since a variable could be set to a
+      // sanitizing formatter and then replaced with another one that isn't
+      DataFlow::localFlow(source, node) and
+      source.getType() = any(SanitizingFormatter f).getPointerType()
+    )
+  }
+
+  /**
+   * Holds if `node` is the first argument to a call to the `SetFormatter` function or if `node`
+   * is the value being assigned to the `Formatter` property of a `Logger` object. The `expr`
+   * is the corresponding expression (the function call or the rhs of the assignment).
+   */
+  private predicate isFormatter(DataFlow::Node node, Expr expr) {
+    exists(DataFlow::CallNode call |
+      call = any(SetFormatterFunction f).getACall() and
+      node = call.getArgument(0) and
+      expr = call.asExpr()
+    )
+    or
+    expr = any(SetFormatterAssignment stmt).getFormatter() and
+    node.asExpr() = expr
+  }
+
+  /**
+   * Holds if `expr` is conditional within its enclosing function and there are no other formatter
+   * assignments in the same function.
+   */
+  private predicate isSoleConditional(Expr expr) {
+    exists(FuncDef func |
+      // find the enclosing function
+      func = expr.getEnclosingFunction() and
+      // check that the expression is conditional
+      expr.getParent*() instanceof IfStmt and
+      // and there isn't another formatter assignment in the function
+      not exists(Expr formatterAssignment |
+        isFormatter(_, formatterAssignment) and
+        formatterAssignment.getEnclosingFunction() = func and
+        expr != formatterAssignment
+      )
+    )
+  }
+
+  /**
+   * Holds if all calls to `SetFormatter` have a sanitizing formatter as argument and all
+   * assignments to the `Formatter` property of `Logger` values are also sanitizing formatters.
+   * Also holds if there are not any calls to `SetFormatter` or assignments to the `Formatter`
+   * property in the codebase.
+   */
+  private predicate allFormattersMayBeSanitizing() {
+    forex(DataFlow::Node node, Expr expr | isFormatter(node, expr) |
+      mayBeSanitizingFormatter(node) and not isSoleConditional(expr)
+    )
+  }
 }

go/ql/test/library-tests/semmle/go/frameworks/logrus/AllSanitizing/LogInjectionTest.ql

@@ -0,0 +1,11 @@
+import go
+import TestUtilities.InlineFlowTest
+import semmle.go.security.LogInjection
+
+class LogInjectionTest extends InlineFlowTest {
+  override DataFlow::Configuration getTaintFlowConfig() {
+    result = any(LogInjection::Configuration config)
+  }
+
+  override DataFlow::Configuration getValueFlowConfig() { none() }
+}

go/ql/test/library-tests/semmle/go/frameworks/logrus/AllSanitizing/go.mod

@@ -0,0 +1,8 @@
+module main
+
+go 1.14
+
+require (
+	github.com/elazarl/goproxy v0.0.0-20221015165544-a0805db90819
+	github.com/sirupsen/logrus v1.8.1
+)

go/ql/test/library-tests/semmle/go/frameworks/logrus/AllSanitizing/main.go

@@ -0,0 +1,31 @@
+package main
+
+//go:generate depstubber -vendor github.com/sirupsen/logrus Fields,Logger,JSONFormatter,TextFormatter SetFormatter,StandardLogger,WithFields
+//go:generate depstubber -vendor github.com/elazarl/goproxy ProxyCtx ""
+
+import (
+	"net/http"
+
+	"github.com/elazarl/goproxy"
+	"github.com/sirupsen/logrus"
+)
+
+func main() {
+	logrus.SetFormatter(&logrus.JSONFormatter{})
+
+	formatter := new(logrus.JSONFormatter)
+	logrus.SetFormatter(formatter)
+
+	logger := logrus.StandardLogger()
+	logger.SetFormatter(&logrus.JSONFormatter{})
+	logger.SetFormatter(formatter)
+	logger.Formatter = &logrus.JSONFormatter{}
+	logger.Formatter = formatter
+}
+
+func logUserData(req *http.Request, ctx *goproxy.ProxyCtx) {
+	username := req.URL.Query()["username"][0]
+	logrus.WithFields(logrus.Fields{
+		"USERNAME": username,
+	})
+}

go/ql/test/library-tests/semmle/go/frameworks/logrus/AllSanitizing/vendor/github.com/elazarl/goproxy/stub.go

@@ -0,0 +1,125 @@
+// Code generated by depstubber. DO NOT EDIT.
+// This is a simple stub for github.com/elazarl/goproxy, strictly for use in testing.
+
+// See the LICENSE file for information about the licensing of the original library.
+// Source: github.com/elazarl/goproxy (exports: ProxyCtx; functions: )
+
+// Package goproxy is a stub of github.com/elazarl/goproxy, generated by depstubber.
+package goproxy
+
+import (
+	tls "crypto/tls"
+	net "net"
+	http "net/http"
+)
+
+type CertStorage interface {
+	Fetch(_ string, _ func() (*tls.Certificate, error)) (*tls.Certificate, error)
+}
+
+type ConnectAction struct {
+	Action    ConnectActionLiteral
+	Hijack    func(*http.Request, net.Conn, *ProxyCtx)
+	TLSConfig func(string, *ProxyCtx) (*tls.Config, error)
+}
+
+type ConnectActionLiteral int
+
+type HttpsHandler interface {
+	HandleConnect(_ string, _ *ProxyCtx) (*ConnectAction, string)
+}
+
+type Logger interface {
+	Printf(_ string, _ ...interface{})
+}
+
+type ProxyConds struct{}
+
+func (_ *ProxyConds) Do(_ RespHandler) {}
+
+func (_ *ProxyConds) DoFunc(_ func(*http.Response, *ProxyCtx) *http.Response) {}
+
+type ProxyCtx struct {
+	Req          *http.Request
+	Resp         *http.Response
+	RoundTripper RoundTripper
+	Error        error
+	UserData     interface{}
+	Session      int64
+	Proxy        *ProxyHttpServer
+}
+
+func (_ *ProxyCtx) Charset() string {
+	return ""
+}
+
+func (_ *ProxyCtx) Logf(_ string, _ ...interface{}) {}
+
+func (_ *ProxyCtx) RoundTrip(_ *http.Request) (*http.Response, error) {
+	return nil, nil
+}
+
+func (_ *ProxyCtx) Warnf(_ string, _ ...interface{}) {}
+
+type ProxyHttpServer struct {
+	KeepDestinationHeaders bool
+	Verbose                bool
+	Logger                 Logger
+	NonproxyHandler        http.Handler
+	Tr                     *http.Transport
+	ConnectDial            func(string, string) (net.Conn, error)
+	ConnectDialWithReq     func(*http.Request, string, string) (net.Conn, error)
+	CertStore              CertStorage
+	KeepHeader             bool
+}
+
+func (_ *ProxyHttpServer) NewConnectDialToProxy(_ string) func(string, string) (net.Conn, error) {
+	return nil
+}
+
+func (_ *ProxyHttpServer) NewConnectDialToProxyWithHandler(_ string, _ func(*http.Request)) func(string, string) (net.Conn, error) {
+	return nil
+}
+
+func (_ *ProxyHttpServer) OnRequest(_ ...ReqCondition) *ReqProxyConds {
+	return nil
+}
+
+func (_ *ProxyHttpServer) OnResponse(_ ...RespCondition) *ProxyConds {
+	return nil
+}
+
+func (_ *ProxyHttpServer) ServeHTTP(_ http.ResponseWriter, _ *http.Request) {}
+
+type ReqCondition interface {
+	HandleReq(_ *http.Request, _ *ProxyCtx) bool
+	HandleResp(_ *http.Response, _ *ProxyCtx) bool
+}
+
+type ReqHandler interface {
+	Handle(_ *http.Request, _ *ProxyCtx) (*http.Request, *http.Response)
+}
+
+type ReqProxyConds struct{}
+
+func (_ *ReqProxyConds) Do(_ ReqHandler) {}
+
+func (_ *ReqProxyConds) DoFunc(_ func(*http.Request, *ProxyCtx) (*http.Request, *http.Response)) {}
+
+func (_ *ReqProxyConds) HandleConnect(_ HttpsHandler) {}
+
+func (_ *ReqProxyConds) HandleConnectFunc(_ func(string, *ProxyCtx) (*ConnectAction, string)) {}
+
+func (_ *ReqProxyConds) HijackConnect(_ func(*http.Request, net.Conn, *ProxyCtx)) {}
+
+type RespCondition interface {
+	HandleResp(_ *http.Response, _ *ProxyCtx) bool
+}
+
+type RespHandler interface {
+	Handle(_ *http.Response, _ *ProxyCtx) *http.Response
+}
+
+type RoundTripper interface {
+	RoundTrip(_ *http.Request, _ *ProxyCtx) (*http.Response, error)
+}

go/ql/test/library-tests/semmle/go/frameworks/logrus/AllSanitizing/vendor/github.com/sirupsen/logrus/stub.go

@@ -0,0 +1,357 @@
+// Code generated by depstubber. DO NOT EDIT.
+// This is a simple stub for github.com/sirupsen/logrus, strictly for use in testing.
+
+// See the LICENSE file for information about the licensing of the original library.
+// Source: github.com/sirupsen/logrus (exports: Fields,Logger,JSONFormatter,TextFormatter; functions: SetFormatter,StandardLogger,WithFields)
+
+// Package logrus is a stub of github.com/sirupsen/logrus, generated by depstubber.
+package logrus
+
+import (
+	bytes "bytes"
+	context "context"
+	io "io"
+	runtime "runtime"
+	time "time"
+)
+
+type Entry struct {
+	Logger  *Logger
+	Data    Fields
+	Time    time.Time
+	Level   Level
+	Caller  *runtime.Frame
+	Message string
+	Buffer  *bytes.Buffer
+	Context context.Context
+}
+
+func (_ Entry) HasCaller() bool {
+	return false
+}
+
+func (_ *Entry) Bytes() ([]byte, error) {
+	return nil, nil
+}
+
+func (_ *Entry) Debug(_ ...interface{}) {}
+
+func (_ *Entry) Debugf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Debugln(_ ...interface{}) {}
+
+func (_ *Entry) Dup() *Entry {
+	return nil
+}
+
+func (_ *Entry) Error(_ ...interface{}) {}
+
+func (_ *Entry) Errorf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Errorln(_ ...interface{}) {}
+
+func (_ *Entry) Fatal(_ ...interface{}) {}
+
+func (_ *Entry) Fatalf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Fatalln(_ ...interface{}) {}
+
+func (_ *Entry) Info(_ ...interface{}) {}
+
+func (_ *Entry) Infof(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Infoln(_ ...interface{}) {}
+
+func (_ *Entry) Log(_ Level, _ ...interface{}) {}
+
+func (_ *Entry) Logf(_ Level, _ string, _ ...interface{}) {}
+
+func (_ *Entry) Logln(_ Level, _ ...interface{}) {}
+
+func (_ *Entry) Panic(_ ...interface{}) {}
+
+func (_ *Entry) Panicf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Panicln(_ ...interface{}) {}
+
+func (_ *Entry) Print(_ ...interface{}) {}
+
+func (_ *Entry) Printf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Println(_ ...interface{}) {}
+
+func (_ *Entry) String() (string, error) {
+	return "", nil
+}
+
+func (_ *Entry) Trace(_ ...interface{}) {}
+
+func (_ *Entry) Tracef(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Traceln(_ ...interface{}) {}
+
+func (_ *Entry) Warn(_ ...interface{}) {}
+
+func (_ *Entry) Warnf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Warning(_ ...interface{}) {}
+
+func (_ *Entry) Warningf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Warningln(_ ...interface{}) {}
+
+func (_ *Entry) Warnln(_ ...interface{}) {}
+
+func (_ *Entry) WithContext(_ context.Context) *Entry {
+	return nil
+}
+
+func (_ *Entry) WithError(_ error) *Entry {
+	return nil
+}
+
+func (_ *Entry) WithField(_ string, _ interface{}) *Entry {
+	return nil
+}
+
+func (_ *Entry) WithFields(_ Fields) *Entry {
+	return nil
+}
+
+func (_ *Entry) WithTime(_ time.Time) *Entry {
+	return nil
+}
+
+func (_ *Entry) Writer() *io.PipeWriter {
+	return nil
+}
+
+func (_ *Entry) WriterLevel(_ Level) *io.PipeWriter {
+	return nil
+}
+
+type FieldMap map[interface{}]string
+
+type Fields map[string]interface{}
+
+type Formatter interface {
+	Format(_ *Entry) ([]byte, error)
+}
+
+type Hook interface {
+	Fire(_ *Entry) error
+	Levels() []Level
+}
+
+type JSONFormatter struct {
+	TimestampFormat   string
+	DisableTimestamp  bool
+	DisableHTMLEscape bool
+	DataKey           string
+	FieldMap          FieldMap
+	CallerPrettyfier  func(*runtime.Frame) (string, string)
+	PrettyPrint       bool
+}
+
+func (_ *JSONFormatter) Format(_ *Entry) ([]byte, error) {
+	return nil, nil
+}
+
+type Level uint32
+
+func (_ Level) MarshalText() ([]byte, error) {
+	return nil, nil
+}
+
+func (_ Level) String() string {
+	return ""
+}
+
+func (_ *Level) UnmarshalText(_ []byte) error {
+	return nil
+}
+
+type LevelHooks map[Level][]Hook
+
+func (_ LevelHooks) Add(_ Hook) {}
+
+func (_ LevelHooks) Fire(_ Level, _ *Entry) error {
+	return nil
+}
+
+type LogFunction func() []interface{}
+
+type Logger struct {
+	Out          io.Writer
+	Hooks        LevelHooks
+	Formatter    Formatter
+	ReportCaller bool
+	Level        Level
+	ExitFunc     interface{}
+}
+
+func (_ *Logger) AddHook(_ Hook) {}
+
+func (_ *Logger) Debug(_ ...interface{}) {}
+
+func (_ *Logger) DebugFn(_ LogFunction) {}
+
+func (_ *Logger) Debugf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Debugln(_ ...interface{}) {}
+
+func (_ *Logger) Error(_ ...interface{}) {}
+
+func (_ *Logger) ErrorFn(_ LogFunction) {}
+
+func (_ *Logger) Errorf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Errorln(_ ...interface{}) {}
+
+func (_ *Logger) Exit(_ int) {}
+
+func (_ *Logger) Fatal(_ ...interface{}) {}
+
+func (_ *Logger) FatalFn(_ LogFunction) {}
+
+func (_ *Logger) Fatalf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Fatalln(_ ...interface{}) {}
+
+func (_ *Logger) GetLevel() Level {
+	return 0
+}
+
+func (_ *Logger) Info(_ ...interface{}) {}
+
+func (_ *Logger) InfoFn(_ LogFunction) {}
+
+func (_ *Logger) Infof(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Infoln(_ ...interface{}) {}
+
+func (_ *Logger) IsLevelEnabled(_ Level) bool {
+	return false
+}
+
+func (_ *Logger) Log(_ Level, _ ...interface{}) {}
+
+func (_ *Logger) LogFn(_ Level, _ LogFunction) {}
+
+func (_ *Logger) Logf(_ Level, _ string, _ ...interface{}) {}
+
+func (_ *Logger) Logln(_ Level, _ ...interface{}) {}
+
+func (_ *Logger) Panic(_ ...interface{}) {}
+
+func (_ *Logger) PanicFn(_ LogFunction) {}
+
+func (_ *Logger) Panicf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Panicln(_ ...interface{}) {}
+
+func (_ *Logger) Print(_ ...interface{}) {}
+
+func (_ *Logger) PrintFn(_ LogFunction) {}
+
+func (_ *Logger) Printf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Println(_ ...interface{}) {}
+
+func (_ *Logger) ReplaceHooks(_ LevelHooks) LevelHooks {
+	return nil
+}
+
+func (_ *Logger) SetFormatter(_ Formatter) {}
+
+func (_ *Logger) SetLevel(_ Level) {}
+
+func (_ *Logger) SetNoLock() {}
+
+func (_ *Logger) SetOutput(_ io.Writer) {}
+
+func (_ *Logger) SetReportCaller(_ bool) {}
+
+func (_ *Logger) Trace(_ ...interface{}) {}
+
+func (_ *Logger) TraceFn(_ LogFunction) {}
+
+func (_ *Logger) Tracef(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Traceln(_ ...interface{}) {}
+
+func (_ *Logger) Warn(_ ...interface{}) {}
+
+func (_ *Logger) WarnFn(_ LogFunction) {}
+
+func (_ *Logger) Warnf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Warning(_ ...interface{}) {}
+
+func (_ *Logger) WarningFn(_ LogFunction) {}
+
+func (_ *Logger) Warningf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Warningln(_ ...interface{}) {}
+
+func (_ *Logger) Warnln(_ ...interface{}) {}
+
+func (_ *Logger) WithContext(_ context.Context) *Entry {
+	return nil
+}
+
+func (_ *Logger) WithError(_ error) *Entry {
+	return nil
+}
+
+func (_ *Logger) WithField(_ string, _ interface{}) *Entry {
+	return nil
+}
+
+func (_ *Logger) WithFields(_ Fields) *Entry {
+	return nil
+}
+
+func (_ *Logger) WithTime(_ time.Time) *Entry {
+	return nil
+}
+
+func (_ *Logger) Writer() *io.PipeWriter {
+	return nil
+}
+
+func (_ *Logger) WriterLevel(_ Level) *io.PipeWriter {
+	return nil
+}
+
+func SetFormatter(_ Formatter) {}
+
+func StandardLogger() *Logger {
+	return nil
+}
+
+type TextFormatter struct {
+	ForceColors               bool
+	DisableColors             bool
+	ForceQuote                bool
+	DisableQuote              bool
+	EnvironmentOverrideColors bool
+	DisableTimestamp          bool
+	FullTimestamp             bool
+	TimestampFormat           string
+	DisableSorting            bool
+	SortingFunc               func([]string)
+	DisableLevelTruncation    bool
+	PadLevelText              bool
+	QuoteEmptyFields          bool
+	FieldMap                  FieldMap
+	CallerPrettyfier          func(*runtime.Frame) (string, string)
+}
+
+func (_ *TextFormatter) Format(_ *Entry) ([]byte, error) {
+	return nil, nil
+}
+
+func WithFields(_ Fields) *Entry {
+	return nil
+}

go/ql/test/library-tests/semmle/go/frameworks/logrus/AllSanitizing/vendor/modules.txt

@@ -0,0 +1,6 @@
+# github.com/elazarl/goproxy v0.0.0-20221015165544-a0805db90819
+## explicit
+github.com/elazarl/goproxy
+# github.com/sirupsen/logrus v1.8.1
+## explicit
+github.com/sirupsen/logrus

go/ql/test/library-tests/semmle/go/frameworks/logrus/Conditional/LogInjectionTest.ql

@@ -0,0 +1,11 @@
+import go
+import TestUtilities.InlineFlowTest
+import semmle.go.security.LogInjection
+
+class LogInjectionTest extends InlineFlowTest {
+  override DataFlow::Configuration getTaintFlowConfig() {
+    result = any(LogInjection::Configuration config)
+  }
+
+  override DataFlow::Configuration getValueFlowConfig() { none() }
+}

go/ql/test/library-tests/semmle/go/frameworks/logrus/Conditional/go.mod

@@ -0,0 +1,8 @@
+module main
+
+go 1.14
+
+require (
+	github.com/elazarl/goproxy v0.0.0-20221015165544-a0805db90819
+	github.com/sirupsen/logrus v1.8.1
+)

go/ql/test/library-tests/semmle/go/frameworks/logrus/Conditional/main.go

@@ -0,0 +1,27 @@
+package main
+
+//go:generate depstubber -vendor github.com/sirupsen/logrus Fields,Logger,JSONFormatter,TextFormatter SetFormatter,StandardLogger,WithFields
+//go:generate depstubber -vendor github.com/elazarl/goproxy ProxyCtx ""
+
+import (
+	"net/http"
+
+	"github.com/elazarl/goproxy"
+	"github.com/sirupsen/logrus"
+)
+
+func initLogger(useJSON bool) {
+	if useJSON {
+		logrus.SetFormatter(&logrus.JSONFormatter{})
+	} else {
+		// another safe formatter
+		logrus.SetFormatter(&logrus.JSONFormatter{})
+	}
+}
+
+func logUserData(req *http.Request, ctx *goproxy.ProxyCtx) {
+	username := req.URL.Query()["username"][0]
+	logrus.WithFields(logrus.Fields{
+		"USERNAME": username,
+	})
+}

go/ql/test/library-tests/semmle/go/frameworks/logrus/Conditional/vendor/github.com/elazarl/goproxy/stub.go

@@ -0,0 +1,125 @@
+// Code generated by depstubber. DO NOT EDIT.
+// This is a simple stub for github.com/elazarl/goproxy, strictly for use in testing.
+
+// See the LICENSE file for information about the licensing of the original library.
+// Source: github.com/elazarl/goproxy (exports: ProxyCtx; functions: )
+
+// Package goproxy is a stub of github.com/elazarl/goproxy, generated by depstubber.
+package goproxy
+
+import (
+	tls "crypto/tls"
+	net "net"
+	http "net/http"
+)
+
+type CertStorage interface {
+	Fetch(_ string, _ func() (*tls.Certificate, error)) (*tls.Certificate, error)
+}
+
+type ConnectAction struct {
+	Action    ConnectActionLiteral
+	Hijack    func(*http.Request, net.Conn, *ProxyCtx)
+	TLSConfig func(string, *ProxyCtx) (*tls.Config, error)
+}
+
+type ConnectActionLiteral int
+
+type HttpsHandler interface {
+	HandleConnect(_ string, _ *ProxyCtx) (*ConnectAction, string)
+}
+
+type Logger interface {
+	Printf(_ string, _ ...interface{})
+}
+
+type ProxyConds struct{}
+
+func (_ *ProxyConds) Do(_ RespHandler) {}
+
+func (_ *ProxyConds) DoFunc(_ func(*http.Response, *ProxyCtx) *http.Response) {}
+
+type ProxyCtx struct {
+	Req          *http.Request
+	Resp         *http.Response
+	RoundTripper RoundTripper
+	Error        error
+	UserData     interface{}
+	Session      int64
+	Proxy        *ProxyHttpServer
+}
+
+func (_ *ProxyCtx) Charset() string {
+	return ""
+}
+
+func (_ *ProxyCtx) Logf(_ string, _ ...interface{}) {}
+
+func (_ *ProxyCtx) RoundTrip(_ *http.Request) (*http.Response, error) {
+	return nil, nil
+}
+
+func (_ *ProxyCtx) Warnf(_ string, _ ...interface{}) {}
+
+type ProxyHttpServer struct {
+	KeepDestinationHeaders bool
+	Verbose                bool
+	Logger                 Logger
+	NonproxyHandler        http.Handler
+	Tr                     *http.Transport
+	ConnectDial            func(string, string) (net.Conn, error)
+	ConnectDialWithReq     func(*http.Request, string, string) (net.Conn, error)
+	CertStore              CertStorage
+	KeepHeader             bool
+}
+
+func (_ *ProxyHttpServer) NewConnectDialToProxy(_ string) func(string, string) (net.Conn, error) {
+	return nil
+}
+
+func (_ *ProxyHttpServer) NewConnectDialToProxyWithHandler(_ string, _ func(*http.Request)) func(string, string) (net.Conn, error) {
+	return nil
+}
+
+func (_ *ProxyHttpServer) OnRequest(_ ...ReqCondition) *ReqProxyConds {
+	return nil
+}
+
+func (_ *ProxyHttpServer) OnResponse(_ ...RespCondition) *ProxyConds {
+	return nil
+}
+
+func (_ *ProxyHttpServer) ServeHTTP(_ http.ResponseWriter, _ *http.Request) {}
+
+type ReqCondition interface {
+	HandleReq(_ *http.Request, _ *ProxyCtx) bool
+	HandleResp(_ *http.Response, _ *ProxyCtx) bool
+}
+
+type ReqHandler interface {
+	Handle(_ *http.Request, _ *ProxyCtx) (*http.Request, *http.Response)
+}
+
+type ReqProxyConds struct{}
+
+func (_ *ReqProxyConds) Do(_ ReqHandler) {}
+
+func (_ *ReqProxyConds) DoFunc(_ func(*http.Request, *ProxyCtx) (*http.Request, *http.Response)) {}
+
+func (_ *ReqProxyConds) HandleConnect(_ HttpsHandler) {}
+
+func (_ *ReqProxyConds) HandleConnectFunc(_ func(string, *ProxyCtx) (*ConnectAction, string)) {}
+
+func (_ *ReqProxyConds) HijackConnect(_ func(*http.Request, net.Conn, *ProxyCtx)) {}
+
+type RespCondition interface {
+	HandleResp(_ *http.Response, _ *ProxyCtx) bool
+}
+
+type RespHandler interface {
+	Handle(_ *http.Response, _ *ProxyCtx) *http.Response
+}
+
+type RoundTripper interface {
+	RoundTrip(_ *http.Request, _ *ProxyCtx) (*http.Response, error)
+}

go/ql/test/library-tests/semmle/go/frameworks/logrus/Conditional/vendor/github.com/sirupsen/logrus/stub.go

@@ -0,0 +1,357 @@
+// Code generated by depstubber. DO NOT EDIT.
+// This is a simple stub for github.com/sirupsen/logrus, strictly for use in testing.
+
+// See the LICENSE file for information about the licensing of the original library.
+// Source: github.com/sirupsen/logrus (exports: Fields,Logger,JSONFormatter,TextFormatter; functions: SetFormatter,StandardLogger,WithFields)
+
+// Package logrus is a stub of github.com/sirupsen/logrus, generated by depstubber.
+package logrus
+
+import (
+	bytes "bytes"
+	context "context"
+	io "io"
+	runtime "runtime"
+	time "time"
+)
+
+type Entry struct {
+	Logger  *Logger
+	Data    Fields
+	Time    time.Time
+	Level   Level
+	Caller  *runtime.Frame
+	Message string
+	Buffer  *bytes.Buffer
+	Context context.Context
+}
+
+func (_ Entry) HasCaller() bool {
+	return false
+}
+
+func (_ *Entry) Bytes() ([]byte, error) {
+	return nil, nil
+}
+
+func (_ *Entry) Debug(_ ...interface{}) {}
+
+func (_ *Entry) Debugf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Debugln(_ ...interface{}) {}
+
+func (_ *Entry) Dup() *Entry {
+	return nil
+}
+
+func (_ *Entry) Error(_ ...interface{}) {}
+
+func (_ *Entry) Errorf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Errorln(_ ...interface{}) {}
+
+func (_ *Entry) Fatal(_ ...interface{}) {}
+
+func (_ *Entry) Fatalf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Fatalln(_ ...interface{}) {}
+
+func (_ *Entry) Info(_ ...interface{}) {}
+
+func (_ *Entry) Infof(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Infoln(_ ...interface{}) {}
+
+func (_ *Entry) Log(_ Level, _ ...interface{}) {}
+
+func (_ *Entry) Logf(_ Level, _ string, _ ...interface{}) {}
+
+func (_ *Entry) Logln(_ Level, _ ...interface{}) {}
+
+func (_ *Entry) Panic(_ ...interface{}) {}
+
+func (_ *Entry) Panicf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Panicln(_ ...interface{}) {}
+
+func (_ *Entry) Print(_ ...interface{}) {}
+
+func (_ *Entry) Printf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Println(_ ...interface{}) {}
+
+func (_ *Entry) String() (string, error) {
+	return "", nil
+}
+
+func (_ *Entry) Trace(_ ...interface{}) {}
+
+func (_ *Entry) Tracef(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Traceln(_ ...interface{}) {}
+
+func (_ *Entry) Warn(_ ...interface{}) {}
+
+func (_ *Entry) Warnf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Warning(_ ...interface{}) {}
+
+func (_ *Entry) Warningf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Warningln(_ ...interface{}) {}
+
+func (_ *Entry) Warnln(_ ...interface{}) {}
+
+func (_ *Entry) WithContext(_ context.Context) *Entry {
+	return nil
+}
+
+func (_ *Entry) WithError(_ error) *Entry {
+	return nil
+}
+
+func (_ *Entry) WithField(_ string, _ interface{}) *Entry {
+	return nil
+}
+
+func (_ *Entry) WithFields(_ Fields) *Entry {
+	return nil
+}
+
+func (_ *Entry) WithTime(_ time.Time) *Entry {
+	return nil
+}
+
+func (_ *Entry) Writer() *io.PipeWriter {
+	return nil
+}
+
+func (_ *Entry) WriterLevel(_ Level) *io.PipeWriter {
+	return nil
+}
+
+type FieldMap map[interface{}]string
+
+type Fields map[string]interface{}
+
+type Formatter interface {
+	Format(_ *Entry) ([]byte, error)
+}
+
+type Hook interface {
+	Fire(_ *Entry) error
+	Levels() []Level
+}
+
+type JSONFormatter struct {
+	TimestampFormat   string
+	DisableTimestamp  bool
+	DisableHTMLEscape bool
+	DataKey           string
+	FieldMap          FieldMap
+	CallerPrettyfier  func(*runtime.Frame) (string, string)
+	PrettyPrint       bool
+}
+
+func (_ *JSONFormatter) Format(_ *Entry) ([]byte, error) {
+	return nil, nil
+}
+
+type Level uint32
+
+func (_ Level) MarshalText() ([]byte, error) {
+	return nil, nil
+}
+
+func (_ Level) String() string {
+	return ""
+}
+
+func (_ *Level) UnmarshalText(_ []byte) error {
+	return nil
+}
+
+type LevelHooks map[Level][]Hook
+
+func (_ LevelHooks) Add(_ Hook) {}
+
+func (_ LevelHooks) Fire(_ Level, _ *Entry) error {
+	return nil
+}
+
+type LogFunction func() []interface{}
+
+type Logger struct {
+	Out          io.Writer
+	Hooks        LevelHooks
+	Formatter    Formatter
+	ReportCaller bool
+	Level        Level
+	ExitFunc     interface{}
+}
+
+func (_ *Logger) AddHook(_ Hook) {}
+
+func (_ *Logger) Debug(_ ...interface{}) {}
+
+func (_ *Logger) DebugFn(_ LogFunction) {}
+
+func (_ *Logger) Debugf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Debugln(_ ...interface{}) {}
+
+func (_ *Logger) Error(_ ...interface{}) {}
+
+func (_ *Logger) ErrorFn(_ LogFunction) {}
+
+func (_ *Logger) Errorf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Errorln(_ ...interface{}) {}
+
+func (_ *Logger) Exit(_ int) {}
+
+func (_ *Logger) Fatal(_ ...interface{}) {}
+
+func (_ *Logger) FatalFn(_ LogFunction) {}
+
+func (_ *Logger) Fatalf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Fatalln(_ ...interface{}) {}
+
+func (_ *Logger) GetLevel() Level {
+	return 0
+}
+
+func (_ *Logger) Info(_ ...interface{}) {}
+
+func (_ *Logger) InfoFn(_ LogFunction) {}
+
+func (_ *Logger) Infof(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Infoln(_ ...interface{}) {}
+
+func (_ *Logger) IsLevelEnabled(_ Level) bool {
+	return false
+}
+
+func (_ *Logger) Log(_ Level, _ ...interface{}) {}
+
+func (_ *Logger) LogFn(_ Level, _ LogFunction) {}
+
+func (_ *Logger) Logf(_ Level, _ string, _ ...interface{}) {}
+
+func (_ *Logger) Logln(_ Level, _ ...interface{}) {}
+
+func (_ *Logger) Panic(_ ...interface{}) {}
+
+func (_ *Logger) PanicFn(_ LogFunction) {}
+
+func (_ *Logger) Panicf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Panicln(_ ...interface{}) {}
+
+func (_ *Logger) Print(_ ...interface{}) {}
+
+func (_ *Logger) PrintFn(_ LogFunction) {}
+
+func (_ *Logger) Printf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Println(_ ...interface{}) {}
+
+func (_ *Logger) ReplaceHooks(_ LevelHooks) LevelHooks {
+	return nil
+}
+
+func (_ *Logger) SetFormatter(_ Formatter) {}
+
+func (_ *Logger) SetLevel(_ Level) {}
+
+func (_ *Logger) SetNoLock() {}
+
+func (_ *Logger) SetOutput(_ io.Writer) {}
+
+func (_ *Logger) SetReportCaller(_ bool) {}
+
+func (_ *Logger) Trace(_ ...interface{}) {}
+
+func (_ *Logger) TraceFn(_ LogFunction) {}
+
+func (_ *Logger) Tracef(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Traceln(_ ...interface{}) {}
+
+func (_ *Logger) Warn(_ ...interface{}) {}
+
+func (_ *Logger) WarnFn(_ LogFunction) {}
+
+func (_ *Logger) Warnf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Warning(_ ...interface{}) {}
+
+func (_ *Logger) WarningFn(_ LogFunction) {}
+
+func (_ *Logger) Warningf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Warningln(_ ...interface{}) {}
+
+func (_ *Logger) Warnln(_ ...interface{}) {}
+
+func (_ *Logger) WithContext(_ context.Context) *Entry {
+	return nil
+}
+
+func (_ *Logger) WithError(_ error) *Entry {
+	return nil
+}
+
+func (_ *Logger) WithField(_ string, _ interface{}) *Entry {
+	return nil
+}
+
+func (_ *Logger) WithFields(_ Fields) *Entry {
+	return nil
+}
+
+func (_ *Logger) WithTime(_ time.Time) *Entry {
+	return nil
+}
+
+func (_ *Logger) Writer() *io.PipeWriter {
+	return nil
+}
+
+func (_ *Logger) WriterLevel(_ Level) *io.PipeWriter {
+	return nil
+}
+
+func SetFormatter(_ Formatter) {}
+
+func StandardLogger() *Logger {
+	return nil
+}
+
+type TextFormatter struct {
+	ForceColors               bool
+	DisableColors             bool
+	ForceQuote                bool
+	DisableQuote              bool
+	EnvironmentOverrideColors bool
+	DisableTimestamp          bool
+	FullTimestamp             bool
+	TimestampFormat           string
+	DisableSorting            bool
+	SortingFunc               func([]string)
+	DisableLevelTruncation    bool
+	PadLevelText              bool
+	QuoteEmptyFields          bool
+	FieldMap                  FieldMap
+	CallerPrettyfier          func(*runtime.Frame) (string, string)
+}
+
+func (_ *TextFormatter) Format(_ *Entry) ([]byte, error) {
+	return nil, nil
+}
+
+func WithFields(_ Fields) *Entry {
+	return nil
+}

go/ql/test/library-tests/semmle/go/frameworks/logrus/Conditional/vendor/modules.txt

@@ -0,0 +1,6 @@
+# github.com/elazarl/goproxy v0.0.0-20221015165544-a0805db90819
+## explicit
+github.com/elazarl/goproxy
+# github.com/sirupsen/logrus v1.8.1
+## explicit
+github.com/sirupsen/logrus

go/ql/test/library-tests/semmle/go/frameworks/logrus/FormatterProperty/LogInjectionTest.ql

@@ -0,0 +1,11 @@
+import go
+import TestUtilities.InlineFlowTest
+import semmle.go.security.LogInjection
+
+class LogInjectionTest extends InlineFlowTest {
+  override DataFlow::Configuration getTaintFlowConfig() {
+    result = any(LogInjection::Configuration config)
+  }
+
+  override DataFlow::Configuration getValueFlowConfig() { none() }
+}

go/ql/test/library-tests/semmle/go/frameworks/logrus/FormatterProperty/go.mod

@@ -0,0 +1,8 @@
+module main
+
+go 1.14
+
+require (
+	github.com/elazarl/goproxy v0.0.0-20221015165544-a0805db90819
+	github.com/sirupsen/logrus v1.8.1
+)

go/ql/test/library-tests/semmle/go/frameworks/logrus/FormatterProperty/main.go

@@ -0,0 +1,31 @@
+package main
+
+//go:generate depstubber -vendor github.com/sirupsen/logrus Fields,Logger,JSONFormatter,TextFormatter SetFormatter,StandardLogger,WithFields
+//go:generate depstubber -vendor github.com/elazarl/goproxy ProxyCtx ""
+
+import (
+	"net/http"
+
+	"github.com/elazarl/goproxy"
+	"github.com/sirupsen/logrus"
+)
+
+func main() {
+	logrus.SetFormatter(&logrus.JSONFormatter{})
+
+	formatter := new(logrus.JSONFormatter)
+	logrus.SetFormatter(formatter)
+
+	logger := logrus.StandardLogger()
+	logger.SetFormatter(&logrus.JSONFormatter{})
+	logger.SetFormatter(formatter)
+	logger.Formatter = &logrus.TextFormatter{}
+	logger.Formatter = formatter
+}
+
+func logUserData(req *http.Request, ctx *goproxy.ProxyCtx) {
+	username := req.URL.Query()["username"][0]
+	logrus.WithFields(logrus.Fields{ // $ hasTaintFlow="map literal"
+		"USERNAME": username,
+	})
+}

go/ql/test/library-tests/semmle/go/frameworks/logrus/FormatterProperty/vendor/github.com/elazarl/goproxy/stub.go

@@ -0,0 +1,125 @@
+// Code generated by depstubber. DO NOT EDIT.
+// This is a simple stub for github.com/elazarl/goproxy, strictly for use in testing.
+
+// See the LICENSE file for information about the licensing of the original library.
+// Source: github.com/elazarl/goproxy (exports: ProxyCtx; functions: )
+
+// Package goproxy is a stub of github.com/elazarl/goproxy, generated by depstubber.
+package goproxy
+
+import (
+	tls "crypto/tls"
+	net "net"
+	http "net/http"
+)
+
+type CertStorage interface {
+	Fetch(_ string, _ func() (*tls.Certificate, error)) (*tls.Certificate, error)
+}
+
+type ConnectAction struct {
+	Action    ConnectActionLiteral
+	Hijack    func(*http.Request, net.Conn, *ProxyCtx)
+	TLSConfig func(string, *ProxyCtx) (*tls.Config, error)
+}
+
+type ConnectActionLiteral int
+
+type HttpsHandler interface {
+	HandleConnect(_ string, _ *ProxyCtx) (*ConnectAction, string)
+}
+
+type Logger interface {
+	Printf(_ string, _ ...interface{})
+}
+
+type ProxyConds struct{}
+
+func (_ *ProxyConds) Do(_ RespHandler) {}
+
+func (_ *ProxyConds) DoFunc(_ func(*http.Response, *ProxyCtx) *http.Response) {}
+
+type ProxyCtx struct {
+	Req          *http.Request
+	Resp         *http.Response
+	RoundTripper RoundTripper
+	Error        error
+	UserData     interface{}
+	Session      int64
+	Proxy        *ProxyHttpServer
+}
+
+func (_ *ProxyCtx) Charset() string {
+	return ""
+}
+
+func (_ *ProxyCtx) Logf(_ string, _ ...interface{}) {}
+
+func (_ *ProxyCtx) RoundTrip(_ *http.Request) (*http.Response, error) {
+	return nil, nil
+}
+
+func (_ *ProxyCtx) Warnf(_ string, _ ...interface{}) {}
+
+type ProxyHttpServer struct {
+	KeepDestinationHeaders bool
+	Verbose                bool
+	Logger                 Logger
+	NonproxyHandler        http.Handler
+	Tr                     *http.Transport
+	ConnectDial            func(string, string) (net.Conn, error)
+	ConnectDialWithReq     func(*http.Request, string, string) (net.Conn, error)
+	CertStore              CertStorage
+	KeepHeader             bool
+}
+
+func (_ *ProxyHttpServer) NewConnectDialToProxy(_ string) func(string, string) (net.Conn, error) {
+	return nil
+}
+
+func (_ *ProxyHttpServer) NewConnectDialToProxyWithHandler(_ string, _ func(*http.Request)) func(string, string) (net.Conn, error) {
+	return nil
+}
+
+func (_ *ProxyHttpServer) OnRequest(_ ...ReqCondition) *ReqProxyConds {
+	return nil
+}
+
+func (_ *ProxyHttpServer) OnResponse(_ ...RespCondition) *ProxyConds {
+	return nil
+}
+
+func (_ *ProxyHttpServer) ServeHTTP(_ http.ResponseWriter, _ *http.Request) {}
+
+type ReqCondition interface {
+	HandleReq(_ *http.Request, _ *ProxyCtx) bool
+	HandleResp(_ *http.Response, _ *ProxyCtx) bool
+}
+
+type ReqHandler interface {
+	Handle(_ *http.Request, _ *ProxyCtx) (*http.Request, *http.Response)
+}
+
+type ReqProxyConds struct{}
+
+func (_ *ReqProxyConds) Do(_ ReqHandler) {}
+
+func (_ *ReqProxyConds) DoFunc(_ func(*http.Request, *ProxyCtx) (*http.Request, *http.Response)) {}
+
+func (_ *ReqProxyConds) HandleConnect(_ HttpsHandler) {}
+
+func (_ *ReqProxyConds) HandleConnectFunc(_ func(string, *ProxyCtx) (*ConnectAction, string)) {}
+
+func (_ *ReqProxyConds) HijackConnect(_ func(*http.Request, net.Conn, *ProxyCtx)) {}
+
+type RespCondition interface {
+	HandleResp(_ *http.Response, _ *ProxyCtx) bool
+}
+
+type RespHandler interface {
+	Handle(_ *http.Response, _ *ProxyCtx) *http.Response
+}
+
+type RoundTripper interface {
+	RoundTrip(_ *http.Request, _ *ProxyCtx) (*http.Response, error)
+}

go/ql/test/library-tests/semmle/go/frameworks/logrus/FormatterProperty/vendor/github.com/sirupsen/logrus/stub.go

@@ -0,0 +1,357 @@
+// Code generated by depstubber. DO NOT EDIT.
+// This is a simple stub for github.com/sirupsen/logrus, strictly for use in testing.
+
+// See the LICENSE file for information about the licensing of the original library.
+// Source: github.com/sirupsen/logrus (exports: Fields,Logger,JSONFormatter,TextFormatter; functions: SetFormatter,StandardLogger,WithFields)
+
+// Package logrus is a stub of github.com/sirupsen/logrus, generated by depstubber.
+package logrus
+
+import (
+	bytes "bytes"
+	context "context"
+	io "io"
+	runtime "runtime"
+	time "time"
+)
+
+type Entry struct {
+	Logger  *Logger
+	Data    Fields
+	Time    time.Time
+	Level   Level
+	Caller  *runtime.Frame
+	Message string
+	Buffer  *bytes.Buffer
+	Context context.Context
+}
+
+func (_ Entry) HasCaller() bool {
+	return false
+}
+
+func (_ *Entry) Bytes() ([]byte, error) {
+	return nil, nil
+}
+
+func (_ *Entry) Debug(_ ...interface{}) {}
+
+func (_ *Entry) Debugf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Debugln(_ ...interface{}) {}
+
+func (_ *Entry) Dup() *Entry {
+	return nil
+}
+
+func (_ *Entry) Error(_ ...interface{}) {}
+
+func (_ *Entry) Errorf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Errorln(_ ...interface{}) {}
+
+func (_ *Entry) Fatal(_ ...interface{}) {}
+
+func (_ *Entry) Fatalf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Fatalln(_ ...interface{}) {}
+
+func (_ *Entry) Info(_ ...interface{}) {}
+
+func (_ *Entry) Infof(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Infoln(_ ...interface{}) {}
+
+func (_ *Entry) Log(_ Level, _ ...interface{}) {}
+
+func (_ *Entry) Logf(_ Level, _ string, _ ...interface{}) {}
+
+func (_ *Entry) Logln(_ Level, _ ...interface{}) {}
+
+func (_ *Entry) Panic(_ ...interface{}) {}
+
+func (_ *Entry) Panicf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Panicln(_ ...interface{}) {}
+
+func (_ *Entry) Print(_ ...interface{}) {}
+
+func (_ *Entry) Printf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Println(_ ...interface{}) {}
+
+func (_ *Entry) String() (string, error) {
+	return "", nil
+}
+
+func (_ *Entry) Trace(_ ...interface{}) {}
+
+func (_ *Entry) Tracef(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Traceln(_ ...interface{}) {}
+
+func (_ *Entry) Warn(_ ...interface{}) {}
+
+func (_ *Entry) Warnf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Warning(_ ...interface{}) {}
+
+func (_ *Entry) Warningf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Warningln(_ ...interface{}) {}
+
+func (_ *Entry) Warnln(_ ...interface{}) {}
+
+func (_ *Entry) WithContext(_ context.Context) *Entry {
+	return nil
+}
+
+func (_ *Entry) WithError(_ error) *Entry {
+	return nil
+}
+
+func (_ *Entry) WithField(_ string, _ interface{}) *Entry {
+	return nil
+}
+
+func (_ *Entry) WithFields(_ Fields) *Entry {
+	return nil
+}
+
+func (_ *Entry) WithTime(_ time.Time) *Entry {
+	return nil
+}
+
+func (_ *Entry) Writer() *io.PipeWriter {
+	return nil
+}
+
+func (_ *Entry) WriterLevel(_ Level) *io.PipeWriter {
+	return nil
+}
+
+type FieldMap map[interface{}]string
+
+type Fields map[string]interface{}
+
+type Formatter interface {
+	Format(_ *Entry) ([]byte, error)
+}
+
+type Hook interface {
+	Fire(_ *Entry) error
+	Levels() []Level
+}
+
+type JSONFormatter struct {
+	TimestampFormat   string
+	DisableTimestamp  bool
+	DisableHTMLEscape bool
+	DataKey           string
+	FieldMap          FieldMap
+	CallerPrettyfier  func(*runtime.Frame) (string, string)
+	PrettyPrint       bool
+}
+
+func (_ *JSONFormatter) Format(_ *Entry) ([]byte, error) {
+	return nil, nil
+}
+
+type Level uint32
+
+func (_ Level) MarshalText() ([]byte, error) {
+	return nil, nil
+}
+
+func (_ Level) String() string {
+	return ""
+}
+
+func (_ *Level) UnmarshalText(_ []byte) error {
+	return nil
+}
+
+type LevelHooks map[Level][]Hook
+
+func (_ LevelHooks) Add(_ Hook) {}
+
+func (_ LevelHooks) Fire(_ Level, _ *Entry) error {
+	return nil
+}
+
+type LogFunction func() []interface{}
+
+type Logger struct {
+	Out          io.Writer
+	Hooks        LevelHooks
+	Formatter    Formatter
+	ReportCaller bool
+	Level        Level
+	ExitFunc     interface{}
+}
+
+func (_ *Logger) AddHook(_ Hook) {}
+
+func (_ *Logger) Debug(_ ...interface{}) {}
+
+func (_ *Logger) DebugFn(_ LogFunction) {}
+
+func (_ *Logger) Debugf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Debugln(_ ...interface{}) {}
+
+func (_ *Logger) Error(_ ...interface{}) {}
+
+func (_ *Logger) ErrorFn(_ LogFunction) {}
+
+func (_ *Logger) Errorf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Errorln(_ ...interface{}) {}
+
+func (_ *Logger) Exit(_ int) {}
+
+func (_ *Logger) Fatal(_ ...interface{}) {}
+
+func (_ *Logger) FatalFn(_ LogFunction) {}
+
+func (_ *Logger) Fatalf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Fatalln(_ ...interface{}) {}
+
+func (_ *Logger) GetLevel() Level {
+	return 0
+}
+
+func (_ *Logger) Info(_ ...interface{}) {}
+
+func (_ *Logger) InfoFn(_ LogFunction) {}
+
+func (_ *Logger) Infof(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Infoln(_ ...interface{}) {}
+
+func (_ *Logger) IsLevelEnabled(_ Level) bool {
+	return false
+}
+
+func (_ *Logger) Log(_ Level, _ ...interface{}) {}
+
+func (_ *Logger) LogFn(_ Level, _ LogFunction) {}
+
+func (_ *Logger) Logf(_ Level, _ string, _ ...interface{}) {}
+
+func (_ *Logger) Logln(_ Level, _ ...interface{}) {}
+
+func (_ *Logger) Panic(_ ...interface{}) {}
+
+func (_ *Logger) PanicFn(_ LogFunction) {}
+
+func (_ *Logger) Panicf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Panicln(_ ...interface{}) {}
+
+func (_ *Logger) Print(_ ...interface{}) {}
+
+func (_ *Logger) PrintFn(_ LogFunction) {}
+
+func (_ *Logger) Printf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Println(_ ...interface{}) {}
+
+func (_ *Logger) ReplaceHooks(_ LevelHooks) LevelHooks {
+	return nil
+}
+
+func (_ *Logger) SetFormatter(_ Formatter) {}
+
+func (_ *Logger) SetLevel(_ Level) {}
+
+func (_ *Logger) SetNoLock() {}
+
+func (_ *Logger) SetOutput(_ io.Writer) {}
+
+func (_ *Logger) SetReportCaller(_ bool) {}
+
+func (_ *Logger) Trace(_ ...interface{}) {}
+
+func (_ *Logger) TraceFn(_ LogFunction) {}
+
+func (_ *Logger) Tracef(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Traceln(_ ...interface{}) {}
+
+func (_ *Logger) Warn(_ ...interface{}) {}
+
+func (_ *Logger) WarnFn(_ LogFunction) {}
+
+func (_ *Logger) Warnf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Warning(_ ...interface{}) {}
+
+func (_ *Logger) WarningFn(_ LogFunction) {}
+
+func (_ *Logger) Warningf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Warningln(_ ...interface{}) {}
+
+func (_ *Logger) Warnln(_ ...interface{}) {}
+
+func (_ *Logger) WithContext(_ context.Context) *Entry {
+	return nil
+}
+
+func (_ *Logger) WithError(_ error) *Entry {
+	return nil
+}
+
+func (_ *Logger) WithField(_ string, _ interface{}) *Entry {
+	return nil
+}
+
+func (_ *Logger) WithFields(_ Fields) *Entry {
+	return nil
+}
+
+func (_ *Logger) WithTime(_ time.Time) *Entry {
+	return nil
+}
+
+func (_ *Logger) Writer() *io.PipeWriter {
+	return nil
+}
+
+func (_ *Logger) WriterLevel(_ Level) *io.PipeWriter {
+	return nil
+}
+
+func SetFormatter(_ Formatter) {}
+
+func StandardLogger() *Logger {
+	return nil
+}
+
+type TextFormatter struct {
+	ForceColors               bool
+	DisableColors             bool
+	ForceQuote                bool
+	DisableQuote              bool
+	EnvironmentOverrideColors bool
+	DisableTimestamp          bool
+	FullTimestamp             bool
+	TimestampFormat           string
+	DisableSorting            bool
+	SortingFunc               func([]string)
+	DisableLevelTruncation    bool
+	PadLevelText              bool
+	QuoteEmptyFields          bool
+	FieldMap                  FieldMap
+	CallerPrettyfier          func(*runtime.Frame) (string, string)
+}
+
+func (_ *TextFormatter) Format(_ *Entry) ([]byte, error) {
+	return nil, nil
+}
+
+func WithFields(_ Fields) *Entry {
+	return nil
+}

go/ql/test/library-tests/semmle/go/frameworks/logrus/FormatterProperty/vendor/modules.txt

@@ -0,0 +1,6 @@
+# github.com/elazarl/goproxy v0.0.0-20221015165544-a0805db90819
+## explicit
+github.com/elazarl/goproxy
+# github.com/sirupsen/logrus v1.8.1
+## explicit
+github.com/sirupsen/logrus

go/ql/test/library-tests/semmle/go/frameworks/logrus/FormatterPropertyIndirect/LogInjectionTest.ql

@@ -0,0 +1,11 @@
+import go
+import TestUtilities.InlineFlowTest
+import semmle.go.security.LogInjection
+
+class LogInjectionTest extends InlineFlowTest {
+  override DataFlow::Configuration getTaintFlowConfig() {
+    result = any(LogInjection::Configuration config)
+  }
+
+  override DataFlow::Configuration getValueFlowConfig() { none() }
+}

go/ql/test/library-tests/semmle/go/frameworks/logrus/FormatterPropertyIndirect/go.mod

@@ -0,0 +1,8 @@
+module main
+
+go 1.14
+
+require (
+	github.com/elazarl/goproxy v0.0.0-20221015165544-a0805db90819
+	github.com/sirupsen/logrus v1.8.1
+)

go/ql/test/library-tests/semmle/go/frameworks/logrus/FormatterPropertyIndirect/main.go

@@ -0,0 +1,32 @@
+package main
+
+//go:generate depstubber -vendor github.com/sirupsen/logrus Fields,Logger,JSONFormatter,TextFormatter SetFormatter,StandardLogger,WithFields
+//go:generate depstubber -vendor github.com/elazarl/goproxy ProxyCtx ""
+
+import (
+	"net/http"
+
+	"github.com/elazarl/goproxy"
+	"github.com/sirupsen/logrus"
+)
+
+func main() {
+	logrus.SetFormatter(&logrus.JSONFormatter{})
+
+	formatter := new(logrus.JSONFormatter)
+	textFormatter := new(logrus.TextFormatter)
+	logrus.SetFormatter(formatter)
+
+	logger := logrus.StandardLogger()
+	logger.SetFormatter(&logrus.JSONFormatter{})
+	logger.SetFormatter(formatter)
+	logger.Formatter = &logrus.JSONFormatter{}
+	logger.Formatter = textFormatter
+}
+
+func logUserData(req *http.Request, ctx *goproxy.ProxyCtx) {
+	username := req.URL.Query()["username"][0]
+	logrus.WithFields(logrus.Fields{ // $ hasTaintFlow="map literal"
+		"USERNAME": username,
+	})
+}

go/ql/test/library-tests/semmle/go/frameworks/logrus/FormatterPropertyIndirect/vendor/github.com/elazarl/goproxy/stub.go

@@ -0,0 +1,125 @@
+// Code generated by depstubber. DO NOT EDIT.
+// This is a simple stub for github.com/elazarl/goproxy, strictly for use in testing.
+
+// See the LICENSE file for information about the licensing of the original library.
+// Source: github.com/elazarl/goproxy (exports: ProxyCtx; functions: )
+
+// Package goproxy is a stub of github.com/elazarl/goproxy, generated by depstubber.
+package goproxy
+
+import (
+	tls "crypto/tls"
+	net "net"
+	http "net/http"
+)
+
+type CertStorage interface {
+	Fetch(_ string, _ func() (*tls.Certificate, error)) (*tls.Certificate, error)
+}
+
+type ConnectAction struct {
+	Action    ConnectActionLiteral
+	Hijack    func(*http.Request, net.Conn, *ProxyCtx)
+	TLSConfig func(string, *ProxyCtx) (*tls.Config, error)
+}
+
+type ConnectActionLiteral int
+
+type HttpsHandler interface {
+	HandleConnect(_ string, _ *ProxyCtx) (*ConnectAction, string)
+}
+
+type Logger interface {
+	Printf(_ string, _ ...interface{})
+}
+
+type ProxyConds struct{}
+
+func (_ *ProxyConds) Do(_ RespHandler) {}
+
+func (_ *ProxyConds) DoFunc(_ func(*http.Response, *ProxyCtx) *http.Response) {}
+
+type ProxyCtx struct {
+	Req          *http.Request
+	Resp         *http.Response
+	RoundTripper RoundTripper
+	Error        error
+	UserData     interface{}
+	Session      int64
+	Proxy        *ProxyHttpServer
+}
+
+func (_ *ProxyCtx) Charset() string {
+	return ""
+}
+
+func (_ *ProxyCtx) Logf(_ string, _ ...interface{}) {}
+
+func (_ *ProxyCtx) RoundTrip(_ *http.Request) (*http.Response, error) {
+	return nil, nil
+}
+
+func (_ *ProxyCtx) Warnf(_ string, _ ...interface{}) {}
+
+type ProxyHttpServer struct {
+	KeepDestinationHeaders bool
+	Verbose                bool
+	Logger                 Logger
+	NonproxyHandler        http.Handler
+	Tr                     *http.Transport
+	ConnectDial            func(string, string) (net.Conn, error)
+	ConnectDialWithReq     func(*http.Request, string, string) (net.Conn, error)
+	CertStore              CertStorage
+	KeepHeader             bool
+}
+
+func (_ *ProxyHttpServer) NewConnectDialToProxy(_ string) func(string, string) (net.Conn, error) {
+	return nil
+}
+
+func (_ *ProxyHttpServer) NewConnectDialToProxyWithHandler(_ string, _ func(*http.Request)) func(string, string) (net.Conn, error) {
+	return nil
+}
+
+func (_ *ProxyHttpServer) OnRequest(_ ...ReqCondition) *ReqProxyConds {
+	return nil
+}
+
+func (_ *ProxyHttpServer) OnResponse(_ ...RespCondition) *ProxyConds {
+	return nil
+}
+
+func (_ *ProxyHttpServer) ServeHTTP(_ http.ResponseWriter, _ *http.Request) {}
+
+type ReqCondition interface {
+	HandleReq(_ *http.Request, _ *ProxyCtx) bool
+	HandleResp(_ *http.Response, _ *ProxyCtx) bool
+}
+
+type ReqHandler interface {
+	Handle(_ *http.Request, _ *ProxyCtx) (*http.Request, *http.Response)
+}
+
+type ReqProxyConds struct{}
+
+func (_ *ReqProxyConds) Do(_ ReqHandler) {}
+
+func (_ *ReqProxyConds) DoFunc(_ func(*http.Request, *ProxyCtx) (*http.Request, *http.Response)) {}
+
+func (_ *ReqProxyConds) HandleConnect(_ HttpsHandler) {}
+
+func (_ *ReqProxyConds) HandleConnectFunc(_ func(string, *ProxyCtx) (*ConnectAction, string)) {}
+
+func (_ *ReqProxyConds) HijackConnect(_ func(*http.Request, net.Conn, *ProxyCtx)) {}
+
+type RespCondition interface {
+	HandleResp(_ *http.Response, _ *ProxyCtx) bool
+}
+
+type RespHandler interface {
+	Handle(_ *http.Response, _ *ProxyCtx) *http.Response
+}
+
+type RoundTripper interface {
+	RoundTrip(_ *http.Request, _ *ProxyCtx) (*http.Response, error)
+}

go/ql/test/library-tests/semmle/go/frameworks/logrus/FormatterPropertyIndirect/vendor/github.com/sirupsen/logrus/stub.go

@@ -0,0 +1,357 @@
+// Code generated by depstubber. DO NOT EDIT.
+// This is a simple stub for github.com/sirupsen/logrus, strictly for use in testing.
+
+// See the LICENSE file for information about the licensing of the original library.
+// Source: github.com/sirupsen/logrus (exports: Fields,Logger,JSONFormatter,TextFormatter; functions: SetFormatter,StandardLogger,WithFields)
+
+// Package logrus is a stub of github.com/sirupsen/logrus, generated by depstubber.
+package logrus
+
+import (
+	bytes "bytes"
+	context "context"
+	io "io"
+	runtime "runtime"
+	time "time"
+)
+
+type Entry struct {
+	Logger  *Logger
+	Data    Fields
+	Time    time.Time
+	Level   Level
+	Caller  *runtime.Frame
+	Message string
+	Buffer  *bytes.Buffer
+	Context context.Context
+}
+
+func (_ Entry) HasCaller() bool {
+	return false
+}
+
+func (_ *Entry) Bytes() ([]byte, error) {
+	return nil, nil
+}
+
+func (_ *Entry) Debug(_ ...interface{}) {}
+
+func (_ *Entry) Debugf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Debugln(_ ...interface{}) {}
+
+func (_ *Entry) Dup() *Entry {
+	return nil
+}
+
+func (_ *Entry) Error(_ ...interface{}) {}
+
+func (_ *Entry) Errorf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Errorln(_ ...interface{}) {}
+
+func (_ *Entry) Fatal(_ ...interface{}) {}
+
+func (_ *Entry) Fatalf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Fatalln(_ ...interface{}) {}
+
+func (_ *Entry) Info(_ ...interface{}) {}
+
+func (_ *Entry) Infof(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Infoln(_ ...interface{}) {}
+
+func (_ *Entry) Log(_ Level, _ ...interface{}) {}
+
+func (_ *Entry) Logf(_ Level, _ string, _ ...interface{}) {}
+
+func (_ *Entry) Logln(_ Level, _ ...interface{}) {}
+
+func (_ *Entry) Panic(_ ...interface{}) {}
+
+func (_ *Entry) Panicf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Panicln(_ ...interface{}) {}
+
+func (_ *Entry) Print(_ ...interface{}) {}
+
+func (_ *Entry) Printf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Println(_ ...interface{}) {}
+
+func (_ *Entry) String() (string, error) {
+	return "", nil
+}
+
+func (_ *Entry) Trace(_ ...interface{}) {}
+
+func (_ *Entry) Tracef(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Traceln(_ ...interface{}) {}
+
+func (_ *Entry) Warn(_ ...interface{}) {}
+
+func (_ *Entry) Warnf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Warning(_ ...interface{}) {}
+
+func (_ *Entry) Warningf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Warningln(_ ...interface{}) {}
+
+func (_ *Entry) Warnln(_ ...interface{}) {}
+
+func (_ *Entry) WithContext(_ context.Context) *Entry {
+	return nil
+}
+
+func (_ *Entry) WithError(_ error) *Entry {
+	return nil
+}
+
+func (_ *Entry) WithField(_ string, _ interface{}) *Entry {
+	return nil
+}
+
+func (_ *Entry) WithFields(_ Fields) *Entry {
+	return nil
+}
+
+func (_ *Entry) WithTime(_ time.Time) *Entry {
+	return nil
+}
+
+func (_ *Entry) Writer() *io.PipeWriter {
+	return nil
+}
+
+func (_ *Entry) WriterLevel(_ Level) *io.PipeWriter {
+	return nil
+}
+
+type FieldMap map[interface{}]string
+
+type Fields map[string]interface{}
+
+type Formatter interface {
+	Format(_ *Entry) ([]byte, error)
+}
+
+type Hook interface {
+	Fire(_ *Entry) error
+	Levels() []Level
+}
+
+type JSONFormatter struct {
+	TimestampFormat   string
+	DisableTimestamp  bool
+	DisableHTMLEscape bool
+	DataKey           string
+	FieldMap          FieldMap
+	CallerPrettyfier  func(*runtime.Frame) (string, string)
+	PrettyPrint       bool
+}
+
+func (_ *JSONFormatter) Format(_ *Entry) ([]byte, error) {
+	return nil, nil
+}
+
+type Level uint32
+
+func (_ Level) MarshalText() ([]byte, error) {
+	return nil, nil
+}
+
+func (_ Level) String() string {
+	return ""
+}
+
+func (_ *Level) UnmarshalText(_ []byte) error {
+	return nil
+}
+
+type LevelHooks map[Level][]Hook
+
+func (_ LevelHooks) Add(_ Hook) {}
+
+func (_ LevelHooks) Fire(_ Level, _ *Entry) error {
+	return nil
+}
+
+type LogFunction func() []interface{}
+
+type Logger struct {
+	Out          io.Writer
+	Hooks        LevelHooks
+	Formatter    Formatter
+	ReportCaller bool
+	Level        Level
+	ExitFunc     interface{}
+}
+
+func (_ *Logger) AddHook(_ Hook) {}
+
+func (_ *Logger) Debug(_ ...interface{}) {}
+
+func (_ *Logger) DebugFn(_ LogFunction) {}
+
+func (_ *Logger) Debugf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Debugln(_ ...interface{}) {}
+
+func (_ *Logger) Error(_ ...interface{}) {}
+
+func (_ *Logger) ErrorFn(_ LogFunction) {}
+
+func (_ *Logger) Errorf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Errorln(_ ...interface{}) {}
+
+func (_ *Logger) Exit(_ int) {}
+
+func (_ *Logger) Fatal(_ ...interface{}) {}
+
+func (_ *Logger) FatalFn(_ LogFunction) {}
+
+func (_ *Logger) Fatalf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Fatalln(_ ...interface{}) {}
+
+func (_ *Logger) GetLevel() Level {
+	return 0
+}
+
+func (_ *Logger) Info(_ ...interface{}) {}
+
+func (_ *Logger) InfoFn(_ LogFunction) {}
+
+func (_ *Logger) Infof(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Infoln(_ ...interface{}) {}
+
+func (_ *Logger) IsLevelEnabled(_ Level) bool {
+	return false
+}
+
+func (_ *Logger) Log(_ Level, _ ...interface{}) {}
+
+func (_ *Logger) LogFn(_ Level, _ LogFunction) {}
+
+func (_ *Logger) Logf(_ Level, _ string, _ ...interface{}) {}
+
+func (_ *Logger) Logln(_ Level, _ ...interface{}) {}
+
+func (_ *Logger) Panic(_ ...interface{}) {}
+
+func (_ *Logger) PanicFn(_ LogFunction) {}
+
+func (_ *Logger) Panicf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Panicln(_ ...interface{}) {}
+
+func (_ *Logger) Print(_ ...interface{}) {}
+
+func (_ *Logger) PrintFn(_ LogFunction) {}
+
+func (_ *Logger) Printf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Println(_ ...interface{}) {}
+
+func (_ *Logger) ReplaceHooks(_ LevelHooks) LevelHooks {
+	return nil
+}
+
+func (_ *Logger) SetFormatter(_ Formatter) {}
+
+func (_ *Logger) SetLevel(_ Level) {}
+
+func (_ *Logger) SetNoLock() {}
+
+func (_ *Logger) SetOutput(_ io.Writer) {}
+
+func (_ *Logger) SetReportCaller(_ bool) {}
+
+func (_ *Logger) Trace(_ ...interface{}) {}
+
+func (_ *Logger) TraceFn(_ LogFunction) {}
+
+func (_ *Logger) Tracef(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Traceln(_ ...interface{}) {}
+
+func (_ *Logger) Warn(_ ...interface{}) {}
+
+func (_ *Logger) WarnFn(_ LogFunction) {}
+
+func (_ *Logger) Warnf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Warning(_ ...interface{}) {}
+
+func (_ *Logger) WarningFn(_ LogFunction) {}
+
+func (_ *Logger) Warningf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Warningln(_ ...interface{}) {}
+
+func (_ *Logger) Warnln(_ ...interface{}) {}
+
+func (_ *Logger) WithContext(_ context.Context) *Entry {
+	return nil
+}
+
+func (_ *Logger) WithError(_ error) *Entry {
+	return nil
+}
+
+func (_ *Logger) WithField(_ string, _ interface{}) *Entry {
+	return nil
+}
+
+func (_ *Logger) WithFields(_ Fields) *Entry {
+	return nil
+}
+
+func (_ *Logger) WithTime(_ time.Time) *Entry {
+	return nil
+}
+
+func (_ *Logger) Writer() *io.PipeWriter {
+	return nil
+}
+
+func (_ *Logger) WriterLevel(_ Level) *io.PipeWriter {
+	return nil
+}
+
+func SetFormatter(_ Formatter) {}
+
+func StandardLogger() *Logger {
+	return nil
+}
+
+type TextFormatter struct {
+	ForceColors               bool
+	DisableColors             bool
+	ForceQuote                bool
+	DisableQuote              bool
+	EnvironmentOverrideColors bool
+	DisableTimestamp          bool
+	FullTimestamp             bool
+	TimestampFormat           string
+	DisableSorting            bool
+	SortingFunc               func([]string)
+	DisableLevelTruncation    bool
+	PadLevelText              bool
+	QuoteEmptyFields          bool
+	FieldMap                  FieldMap
+	CallerPrettyfier          func(*runtime.Frame) (string, string)
+}
+
+func (_ *TextFormatter) Format(_ *Entry) ([]byte, error) {
+	return nil, nil
+}
+
+func WithFields(_ Fields) *Entry {
+	return nil
+}

go/ql/test/library-tests/semmle/go/frameworks/logrus/FormatterPropertyIndirect/vendor/modules.txt

@@ -0,0 +1,6 @@
+# github.com/elazarl/goproxy v0.0.0-20221015165544-a0805db90819
+## explicit
+github.com/elazarl/goproxy
+# github.com/sirupsen/logrus v1.8.1
+## explicit
+github.com/sirupsen/logrus

go/ql/test/library-tests/semmle/go/frameworks/logrus/GlobalFormatterDirect/LogInjectionTest.ql

@@ -0,0 +1,11 @@
+import go
+import TestUtilities.InlineFlowTest
+import semmle.go.security.LogInjection
+
+class LogInjectionTest extends InlineFlowTest {
+  override DataFlow::Configuration getTaintFlowConfig() {
+    result = any(LogInjection::Configuration config)
+  }
+
+  override DataFlow::Configuration getValueFlowConfig() { none() }
+}

go/ql/test/library-tests/semmle/go/frameworks/logrus/GlobalFormatterDirect/go.mod

@@ -0,0 +1,8 @@
+module main
+
+go 1.14
+
+require (
+	github.com/elazarl/goproxy v0.0.0-20221015165544-a0805db90819
+	github.com/sirupsen/logrus v1.8.1
+)

go/ql/test/library-tests/semmle/go/frameworks/logrus/GlobalFormatterDirect/main.go

@@ -0,0 +1,31 @@
+package main
+
+//go:generate depstubber -vendor github.com/sirupsen/logrus Fields,Logger,JSONFormatter,TextFormatter SetFormatter,StandardLogger,WithFields
+//go:generate depstubber -vendor github.com/elazarl/goproxy ProxyCtx ""
+
+import (
+	"net/http"
+
+	"github.com/elazarl/goproxy"
+	"github.com/sirupsen/logrus"
+)
+
+func main() {
+	logrus.SetFormatter(&logrus.TextFormatter{})
+
+	formatter := new(logrus.JSONFormatter)
+	logrus.SetFormatter(formatter)
+
+	logger := logrus.StandardLogger()
+	logger.SetFormatter(&logrus.JSONFormatter{})
+	logger.SetFormatter(formatter)
+	logger.Formatter = &logrus.JSONFormatter{}
+	logger.Formatter = formatter
+}
+
+func logUserData(req *http.Request, ctx *goproxy.ProxyCtx) {
+	username := req.URL.Query()["username"][0]
+	logrus.WithFields(logrus.Fields{ // $ hasTaintFlow="map literal"
+		"USERNAME": username,
+	})
+}

go/ql/test/library-tests/semmle/go/frameworks/logrus/GlobalFormatterDirect/vendor/github.com/elazarl/goproxy/stub.go

@@ -0,0 +1,125 @@
+// Code generated by depstubber. DO NOT EDIT.
+// This is a simple stub for github.com/elazarl/goproxy, strictly for use in testing.
+
+// See the LICENSE file for information about the licensing of the original library.
+// Source: github.com/elazarl/goproxy (exports: ProxyCtx; functions: )
+
+// Package goproxy is a stub of github.com/elazarl/goproxy, generated by depstubber.
+package goproxy
+
+import (
+	tls "crypto/tls"
+	net "net"
+	http "net/http"
+)
+
+type CertStorage interface {
+	Fetch(_ string, _ func() (*tls.Certificate, error)) (*tls.Certificate, error)
+}
+
+type ConnectAction struct {
+	Action    ConnectActionLiteral
+	Hijack    func(*http.Request, net.Conn, *ProxyCtx)
+	TLSConfig func(string, *ProxyCtx) (*tls.Config, error)
+}
+
+type ConnectActionLiteral int
+
+type HttpsHandler interface {
+	HandleConnect(_ string, _ *ProxyCtx) (*ConnectAction, string)
+}
+
+type Logger interface {
+	Printf(_ string, _ ...interface{})
+}
+
+type ProxyConds struct{}
+
+func (_ *ProxyConds) Do(_ RespHandler) {}
+
+func (_ *ProxyConds) DoFunc(_ func(*http.Response, *ProxyCtx) *http.Response) {}
+
+type ProxyCtx struct {
+	Req          *http.Request
+	Resp         *http.Response
+	RoundTripper RoundTripper
+	Error        error
+	UserData     interface{}
+	Session      int64
+	Proxy        *ProxyHttpServer
+}
+
+func (_ *ProxyCtx) Charset() string {
+	return ""
+}
+
+func (_ *ProxyCtx) Logf(_ string, _ ...interface{}) {}
+
+func (_ *ProxyCtx) RoundTrip(_ *http.Request) (*http.Response, error) {
+	return nil, nil
+}
+
+func (_ *ProxyCtx) Warnf(_ string, _ ...interface{}) {}
+
+type ProxyHttpServer struct {
+	KeepDestinationHeaders bool
+	Verbose                bool
+	Logger                 Logger
+	NonproxyHandler        http.Handler
+	Tr                     *http.Transport
+	ConnectDial            func(string, string) (net.Conn, error)
+	ConnectDialWithReq     func(*http.Request, string, string) (net.Conn, error)
+	CertStore              CertStorage
+	KeepHeader             bool
+}
+
+func (_ *ProxyHttpServer) NewConnectDialToProxy(_ string) func(string, string) (net.Conn, error) {
+	return nil
+}
+
+func (_ *ProxyHttpServer) NewConnectDialToProxyWithHandler(_ string, _ func(*http.Request)) func(string, string) (net.Conn, error) {
+	return nil
+}
+
+func (_ *ProxyHttpServer) OnRequest(_ ...ReqCondition) *ReqProxyConds {
+	return nil
+}
+
+func (_ *ProxyHttpServer) OnResponse(_ ...RespCondition) *ProxyConds {
+	return nil
+}
+
+func (_ *ProxyHttpServer) ServeHTTP(_ http.ResponseWriter, _ *http.Request) {}
+
+type ReqCondition interface {
+	HandleReq(_ *http.Request, _ *ProxyCtx) bool
+	HandleResp(_ *http.Response, _ *ProxyCtx) bool
+}
+
+type ReqHandler interface {
+	Handle(_ *http.Request, _ *ProxyCtx) (*http.Request, *http.Response)
+}
+
+type ReqProxyConds struct{}
+
+func (_ *ReqProxyConds) Do(_ ReqHandler) {}
+
+func (_ *ReqProxyConds) DoFunc(_ func(*http.Request, *ProxyCtx) (*http.Request, *http.Response)) {}
+
+func (_ *ReqProxyConds) HandleConnect(_ HttpsHandler) {}
+
+func (_ *ReqProxyConds) HandleConnectFunc(_ func(string, *ProxyCtx) (*ConnectAction, string)) {}
+
+func (_ *ReqProxyConds) HijackConnect(_ func(*http.Request, net.Conn, *ProxyCtx)) {}
+
+type RespCondition interface {
+	HandleResp(_ *http.Response, _ *ProxyCtx) bool
+}
+
+type RespHandler interface {
+	Handle(_ *http.Response, _ *ProxyCtx) *http.Response
+}
+
+type RoundTripper interface {
+	RoundTrip(_ *http.Request, _ *ProxyCtx) (*http.Response, error)
+}

go/ql/test/library-tests/semmle/go/frameworks/logrus/GlobalFormatterDirect/vendor/github.com/sirupsen/logrus/stub.go

@@ -0,0 +1,357 @@
+// Code generated by depstubber. DO NOT EDIT.
+// This is a simple stub for github.com/sirupsen/logrus, strictly for use in testing.
+
+// See the LICENSE file for information about the licensing of the original library.
+// Source: github.com/sirupsen/logrus (exports: Fields,Logger,JSONFormatter,TextFormatter; functions: SetFormatter,StandardLogger,WithFields)
+
+// Package logrus is a stub of github.com/sirupsen/logrus, generated by depstubber.
+package logrus
+
+import (
+	bytes "bytes"
+	context "context"
+	io "io"
+	runtime "runtime"
+	time "time"
+)
+
+type Entry struct {
+	Logger  *Logger
+	Data    Fields
+	Time    time.Time
+	Level   Level
+	Caller  *runtime.Frame
+	Message string
+	Buffer  *bytes.Buffer
+	Context context.Context
+}
+
+func (_ Entry) HasCaller() bool {
+	return false
+}
+
+func (_ *Entry) Bytes() ([]byte, error) {
+	return nil, nil
+}
+
+func (_ *Entry) Debug(_ ...interface{}) {}
+
+func (_ *Entry) Debugf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Debugln(_ ...interface{}) {}
+
+func (_ *Entry) Dup() *Entry {
+	return nil
+}
+
+func (_ *Entry) Error(_ ...interface{}) {}
+
+func (_ *Entry) Errorf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Errorln(_ ...interface{}) {}
+
+func (_ *Entry) Fatal(_ ...interface{}) {}
+
+func (_ *Entry) Fatalf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Fatalln(_ ...interface{}) {}
+
+func (_ *Entry) Info(_ ...interface{}) {}
+
+func (_ *Entry) Infof(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Infoln(_ ...interface{}) {}
+
+func (_ *Entry) Log(_ Level, _ ...interface{}) {}
+
+func (_ *Entry) Logf(_ Level, _ string, _ ...interface{}) {}
+
+func (_ *Entry) Logln(_ Level, _ ...interface{}) {}
+
+func (_ *Entry) Panic(_ ...interface{}) {}
+
+func (_ *Entry) Panicf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Panicln(_ ...interface{}) {}
+
+func (_ *Entry) Print(_ ...interface{}) {}
+
+func (_ *Entry) Printf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Println(_ ...interface{}) {}
+
+func (_ *Entry) String() (string, error) {
+	return "", nil
+}
+
+func (_ *Entry) Trace(_ ...interface{}) {}
+
+func (_ *Entry) Tracef(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Traceln(_ ...interface{}) {}
+
+func (_ *Entry) Warn(_ ...interface{}) {}
+
+func (_ *Entry) Warnf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Warning(_ ...interface{}) {}
+
+func (_ *Entry) Warningf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Warningln(_ ...interface{}) {}
+
+func (_ *Entry) Warnln(_ ...interface{}) {}
+
+func (_ *Entry) WithContext(_ context.Context) *Entry {
+	return nil
+}
+
+func (_ *Entry) WithError(_ error) *Entry {
+	return nil
+}
+
+func (_ *Entry) WithField(_ string, _ interface{}) *Entry {
+	return nil
+}
+
+func (_ *Entry) WithFields(_ Fields) *Entry {
+	return nil
+}
+
+func (_ *Entry) WithTime(_ time.Time) *Entry {
+	return nil
+}
+
+func (_ *Entry) Writer() *io.PipeWriter {
+	return nil
+}
+
+func (_ *Entry) WriterLevel(_ Level) *io.PipeWriter {
+	return nil
+}
+
+type FieldMap map[interface{}]string
+
+type Fields map[string]interface{}
+
+type Formatter interface {
+	Format(_ *Entry) ([]byte, error)
+}
+
+type Hook interface {
+	Fire(_ *Entry) error
+	Levels() []Level
+}
+
+type JSONFormatter struct {
+	TimestampFormat   string
+	DisableTimestamp  bool
+	DisableHTMLEscape bool
+	DataKey           string
+	FieldMap          FieldMap
+	CallerPrettyfier  func(*runtime.Frame) (string, string)
+	PrettyPrint       bool
+}
+
+func (_ *JSONFormatter) Format(_ *Entry) ([]byte, error) {
+	return nil, nil
+}
+
+type Level uint32
+
+func (_ Level) MarshalText() ([]byte, error) {
+	return nil, nil
+}
+
+func (_ Level) String() string {
+	return ""
+}
+
+func (_ *Level) UnmarshalText(_ []byte) error {
+	return nil
+}
+
+type LevelHooks map[Level][]Hook
+
+func (_ LevelHooks) Add(_ Hook) {}
+
+func (_ LevelHooks) Fire(_ Level, _ *Entry) error {
+	return nil
+}
+
+type LogFunction func() []interface{}
+
+type Logger struct {
+	Out          io.Writer
+	Hooks        LevelHooks
+	Formatter    Formatter
+	ReportCaller bool
+	Level        Level
+	ExitFunc     interface{}
+}
+
+func (_ *Logger) AddHook(_ Hook) {}
+
+func (_ *Logger) Debug(_ ...interface{}) {}
+
+func (_ *Logger) DebugFn(_ LogFunction) {}
+
+func (_ *Logger) Debugf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Debugln(_ ...interface{}) {}
+
+func (_ *Logger) Error(_ ...interface{}) {}
+
+func (_ *Logger) ErrorFn(_ LogFunction) {}
+
+func (_ *Logger) Errorf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Errorln(_ ...interface{}) {}
+
+func (_ *Logger) Exit(_ int) {}
+
+func (_ *Logger) Fatal(_ ...interface{}) {}
+
+func (_ *Logger) FatalFn(_ LogFunction) {}
+
+func (_ *Logger) Fatalf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Fatalln(_ ...interface{}) {}
+
+func (_ *Logger) GetLevel() Level {
+	return 0
+}
+
+func (_ *Logger) Info(_ ...interface{}) {}
+
+func (_ *Logger) InfoFn(_ LogFunction) {}
+
+func (_ *Logger) Infof(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Infoln(_ ...interface{}) {}
+
+func (_ *Logger) IsLevelEnabled(_ Level) bool {
+	return false
+}
+
+func (_ *Logger) Log(_ Level, _ ...interface{}) {}
+
+func (_ *Logger) LogFn(_ Level, _ LogFunction) {}
+
+func (_ *Logger) Logf(_ Level, _ string, _ ...interface{}) {}
+
+func (_ *Logger) Logln(_ Level, _ ...interface{}) {}
+
+func (_ *Logger) Panic(_ ...interface{}) {}
+
+func (_ *Logger) PanicFn(_ LogFunction) {}
+
+func (_ *Logger) Panicf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Panicln(_ ...interface{}) {}
+
+func (_ *Logger) Print(_ ...interface{}) {}
+
+func (_ *Logger) PrintFn(_ LogFunction) {}
+
+func (_ *Logger) Printf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Println(_ ...interface{}) {}
+
+func (_ *Logger) ReplaceHooks(_ LevelHooks) LevelHooks {
+	return nil
+}
+
+func (_ *Logger) SetFormatter(_ Formatter) {}
+
+func (_ *Logger) SetLevel(_ Level) {}
+
+func (_ *Logger) SetNoLock() {}
+
+func (_ *Logger) SetOutput(_ io.Writer) {}
+
+func (_ *Logger) SetReportCaller(_ bool) {}
+
+func (_ *Logger) Trace(_ ...interface{}) {}
+
+func (_ *Logger) TraceFn(_ LogFunction) {}
+
+func (_ *Logger) Tracef(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Traceln(_ ...interface{}) {}
+
+func (_ *Logger) Warn(_ ...interface{}) {}
+
+func (_ *Logger) WarnFn(_ LogFunction) {}
+
+func (_ *Logger) Warnf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Warning(_ ...interface{}) {}
+
+func (_ *Logger) WarningFn(_ LogFunction) {}
+
+func (_ *Logger) Warningf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Warningln(_ ...interface{}) {}
+
+func (_ *Logger) Warnln(_ ...interface{}) {}
+
+func (_ *Logger) WithContext(_ context.Context) *Entry {
+	return nil
+}
+
+func (_ *Logger) WithError(_ error) *Entry {
+	return nil
+}
+
+func (_ *Logger) WithField(_ string, _ interface{}) *Entry {
+	return nil
+}
+
+func (_ *Logger) WithFields(_ Fields) *Entry {
+	return nil
+}
+
+func (_ *Logger) WithTime(_ time.Time) *Entry {
+	return nil
+}
+
+func (_ *Logger) Writer() *io.PipeWriter {
+	return nil
+}
+
+func (_ *Logger) WriterLevel(_ Level) *io.PipeWriter {
+	return nil
+}
+
+func SetFormatter(_ Formatter) {}
+
+func StandardLogger() *Logger {
+	return nil
+}
+
+type TextFormatter struct {
+	ForceColors               bool
+	DisableColors             bool
+	ForceQuote                bool
+	DisableQuote              bool
+	EnvironmentOverrideColors bool
+	DisableTimestamp          bool
+	FullTimestamp             bool
+	TimestampFormat           string
+	DisableSorting            bool
+	SortingFunc               func([]string)
+	DisableLevelTruncation    bool
+	PadLevelText              bool
+	QuoteEmptyFields          bool
+	FieldMap                  FieldMap
+	CallerPrettyfier          func(*runtime.Frame) (string, string)
+}
+
+func (_ *TextFormatter) Format(_ *Entry) ([]byte, error) {
+	return nil, nil
+}
+
+func WithFields(_ Fields) *Entry {
+	return nil
+}

go/ql/test/library-tests/semmle/go/frameworks/logrus/GlobalFormatterDirect/vendor/modules.txt

@@ -0,0 +1,6 @@
+# github.com/elazarl/goproxy v0.0.0-20221015165544-a0805db90819
+## explicit
+github.com/elazarl/goproxy
+# github.com/sirupsen/logrus v1.8.1
+## explicit
+github.com/sirupsen/logrus

go/ql/test/library-tests/semmle/go/frameworks/logrus/GlobalFormatterIndirect/LogInjectionTest.ql

@@ -0,0 +1,11 @@
+import go
+import TestUtilities.InlineFlowTest
+import semmle.go.security.LogInjection
+
+class LogInjectionTest extends InlineFlowTest {
+  override DataFlow::Configuration getTaintFlowConfig() {
+    result = any(LogInjection::Configuration config)
+  }
+
+  override DataFlow::Configuration getValueFlowConfig() { none() }
+}

go/ql/test/library-tests/semmle/go/frameworks/logrus/GlobalFormatterIndirect/go.mod

@@ -0,0 +1,8 @@
+module main
+
+go 1.14
+
+require (
+	github.com/elazarl/goproxy v0.0.0-20221015165544-a0805db90819
+	github.com/sirupsen/logrus v1.8.1
+)

go/ql/test/library-tests/semmle/go/frameworks/logrus/GlobalFormatterIndirect/main.go

@@ -0,0 +1,32 @@
+package main
+
+//go:generate depstubber -vendor github.com/sirupsen/logrus Fields,Logger,JSONFormatter,TextFormatter SetFormatter,StandardLogger,WithFields
+//go:generate depstubber -vendor github.com/elazarl/goproxy ProxyCtx ""
+
+import (
+	"net/http"
+
+	"github.com/elazarl/goproxy"
+	"github.com/sirupsen/logrus"
+)
+
+func main() {
+	logrus.SetFormatter(&logrus.JSONFormatter{})
+
+	formatter := new(logrus.JSONFormatter)
+	textFormatter := new(logrus.TextFormatter)
+	logrus.SetFormatter(textFormatter)
+
+	logger := logrus.StandardLogger()
+	logger.SetFormatter(&logrus.JSONFormatter{})
+	logger.SetFormatter(formatter)
+	logger.Formatter = &logrus.JSONFormatter{}
+	logger.Formatter = formatter
+}
+
+func logUserData(req *http.Request, ctx *goproxy.ProxyCtx) {
+	username := req.URL.Query()["username"][0]
+	logrus.WithFields(logrus.Fields{ // $ hasTaintFlow="map literal"
+		"USERNAME": username,
+	})
+}

go/ql/test/library-tests/semmle/go/frameworks/logrus/GlobalFormatterIndirect/vendor/github.com/elazarl/goproxy/stub.go

@@ -0,0 +1,125 @@
+// Code generated by depstubber. DO NOT EDIT.
+// This is a simple stub for github.com/elazarl/goproxy, strictly for use in testing.
+
+// See the LICENSE file for information about the licensing of the original library.
+// Source: github.com/elazarl/goproxy (exports: ProxyCtx; functions: )
+
+// Package goproxy is a stub of github.com/elazarl/goproxy, generated by depstubber.
+package goproxy
+
+import (
+	tls "crypto/tls"
+	net "net"
+	http "net/http"
+)
+
+type CertStorage interface {
+	Fetch(_ string, _ func() (*tls.Certificate, error)) (*tls.Certificate, error)
+}
+
+type ConnectAction struct {
+	Action    ConnectActionLiteral
+	Hijack    func(*http.Request, net.Conn, *ProxyCtx)
+	TLSConfig func(string, *ProxyCtx) (*tls.Config, error)
+}
+
+type ConnectActionLiteral int
+
+type HttpsHandler interface {
+	HandleConnect(_ string, _ *ProxyCtx) (*ConnectAction, string)
+}
+
+type Logger interface {
+	Printf(_ string, _ ...interface{})
+}
+
+type ProxyConds struct{}
+
+func (_ *ProxyConds) Do(_ RespHandler) {}
+
+func (_ *ProxyConds) DoFunc(_ func(*http.Response, *ProxyCtx) *http.Response) {}
+
+type ProxyCtx struct {
+	Req          *http.Request
+	Resp         *http.Response
+	RoundTripper RoundTripper
+	Error        error
+	UserData     interface{}
+	Session      int64
+	Proxy        *ProxyHttpServer
+}
+
+func (_ *ProxyCtx) Charset() string {
+	return ""
+}
+
+func (_ *ProxyCtx) Logf(_ string, _ ...interface{}) {}
+
+func (_ *ProxyCtx) RoundTrip(_ *http.Request) (*http.Response, error) {
+	return nil, nil
+}
+
+func (_ *ProxyCtx) Warnf(_ string, _ ...interface{}) {}
+
+type ProxyHttpServer struct {
+	KeepDestinationHeaders bool
+	Verbose                bool
+	Logger                 Logger
+	NonproxyHandler        http.Handler
+	Tr                     *http.Transport
+	ConnectDial            func(string, string) (net.Conn, error)
+	ConnectDialWithReq     func(*http.Request, string, string) (net.Conn, error)
+	CertStore              CertStorage
+	KeepHeader             bool
+}
+
+func (_ *ProxyHttpServer) NewConnectDialToProxy(_ string) func(string, string) (net.Conn, error) {
+	return nil
+}
+
+func (_ *ProxyHttpServer) NewConnectDialToProxyWithHandler(_ string, _ func(*http.Request)) func(string, string) (net.Conn, error) {
+	return nil
+}
+
+func (_ *ProxyHttpServer) OnRequest(_ ...ReqCondition) *ReqProxyConds {
+	return nil
+}
+
+func (_ *ProxyHttpServer) OnResponse(_ ...RespCondition) *ProxyConds {
+	return nil
+}
+
+func (_ *ProxyHttpServer) ServeHTTP(_ http.ResponseWriter, _ *http.Request) {}
+
+type ReqCondition interface {
+	HandleReq(_ *http.Request, _ *ProxyCtx) bool
+	HandleResp(_ *http.Response, _ *ProxyCtx) bool
+}
+
+type ReqHandler interface {
+	Handle(_ *http.Request, _ *ProxyCtx) (*http.Request, *http.Response)
+}
+
+type ReqProxyConds struct{}
+
+func (_ *ReqProxyConds) Do(_ ReqHandler) {}
+
+func (_ *ReqProxyConds) DoFunc(_ func(*http.Request, *ProxyCtx) (*http.Request, *http.Response)) {}
+
+func (_ *ReqProxyConds) HandleConnect(_ HttpsHandler) {}
+
+func (_ *ReqProxyConds) HandleConnectFunc(_ func(string, *ProxyCtx) (*ConnectAction, string)) {}
+
+func (_ *ReqProxyConds) HijackConnect(_ func(*http.Request, net.Conn, *ProxyCtx)) {}
+
+type RespCondition interface {
+	HandleResp(_ *http.Response, _ *ProxyCtx) bool
+}
+
+type RespHandler interface {
+	Handle(_ *http.Response, _ *ProxyCtx) *http.Response
+}
+
+type RoundTripper interface {
+	RoundTrip(_ *http.Request, _ *ProxyCtx) (*http.Response, error)
+}

go/ql/test/library-tests/semmle/go/frameworks/logrus/GlobalFormatterIndirect/vendor/github.com/sirupsen/logrus/stub.go

@@ -0,0 +1,357 @@
+// Code generated by depstubber. DO NOT EDIT.
+// This is a simple stub for github.com/sirupsen/logrus, strictly for use in testing.
+
+// See the LICENSE file for information about the licensing of the original library.
+// Source: github.com/sirupsen/logrus (exports: Fields,Logger,JSONFormatter,TextFormatter; functions: SetFormatter,StandardLogger,WithFields)
+
+// Package logrus is a stub of github.com/sirupsen/logrus, generated by depstubber.
+package logrus
+
+import (
+	bytes "bytes"
+	context "context"
+	io "io"
+	runtime "runtime"
+	time "time"
+)
+
+type Entry struct {
+	Logger  *Logger
+	Data    Fields
+	Time    time.Time
+	Level   Level
+	Caller  *runtime.Frame
+	Message string
+	Buffer  *bytes.Buffer
+	Context context.Context
+}
+
+func (_ Entry) HasCaller() bool {
+	return false
+}
+
+func (_ *Entry) Bytes() ([]byte, error) {
+	return nil, nil
+}
+
+func (_ *Entry) Debug(_ ...interface{}) {}
+
+func (_ *Entry) Debugf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Debugln(_ ...interface{}) {}
+
+func (_ *Entry) Dup() *Entry {
+	return nil
+}
+
+func (_ *Entry) Error(_ ...interface{}) {}
+
+func (_ *Entry) Errorf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Errorln(_ ...interface{}) {}
+
+func (_ *Entry) Fatal(_ ...interface{}) {}
+
+func (_ *Entry) Fatalf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Fatalln(_ ...interface{}) {}
+
+func (_ *Entry) Info(_ ...interface{}) {}
+
+func (_ *Entry) Infof(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Infoln(_ ...interface{}) {}
+
+func (_ *Entry) Log(_ Level, _ ...interface{}) {}
+
+func (_ *Entry) Logf(_ Level, _ string, _ ...interface{}) {}
+
+func (_ *Entry) Logln(_ Level, _ ...interface{}) {}
+
+func (_ *Entry) Panic(_ ...interface{}) {}
+
+func (_ *Entry) Panicf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Panicln(_ ...interface{}) {}
+
+func (_ *Entry) Print(_ ...interface{}) {}
+
+func (_ *Entry) Printf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Println(_ ...interface{}) {}
+
+func (_ *Entry) String() (string, error) {
+	return "", nil
+}
+
+func (_ *Entry) Trace(_ ...interface{}) {}
+
+func (_ *Entry) Tracef(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Traceln(_ ...interface{}) {}
+
+func (_ *Entry) Warn(_ ...interface{}) {}
+
+func (_ *Entry) Warnf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Warning(_ ...interface{}) {}
+
+func (_ *Entry) Warningf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Warningln(_ ...interface{}) {}
+
+func (_ *Entry) Warnln(_ ...interface{}) {}
+
+func (_ *Entry) WithContext(_ context.Context) *Entry {
+	return nil
+}
+
+func (_ *Entry) WithError(_ error) *Entry {
+	return nil
+}
+
+func (_ *Entry) WithField(_ string, _ interface{}) *Entry {
+	return nil
+}
+
+func (_ *Entry) WithFields(_ Fields) *Entry {
+	return nil
+}
+
+func (_ *Entry) WithTime(_ time.Time) *Entry {
+	return nil
+}
+
+func (_ *Entry) Writer() *io.PipeWriter {
+	return nil
+}
+
+func (_ *Entry) WriterLevel(_ Level) *io.PipeWriter {
+	return nil
+}
+
+type FieldMap map[interface{}]string
+
+type Fields map[string]interface{}
+
+type Formatter interface {
+	Format(_ *Entry) ([]byte, error)
+}
+
+type Hook interface {
+	Fire(_ *Entry) error
+	Levels() []Level
+}
+
+type JSONFormatter struct {
+	TimestampFormat   string
+	DisableTimestamp  bool
+	DisableHTMLEscape bool
+	DataKey           string
+	FieldMap          FieldMap
+	CallerPrettyfier  func(*runtime.Frame) (string, string)
+	PrettyPrint       bool
+}
+
+func (_ *JSONFormatter) Format(_ *Entry) ([]byte, error) {
+	return nil, nil
+}
+
+type Level uint32
+
+func (_ Level) MarshalText() ([]byte, error) {
+	return nil, nil
+}
+
+func (_ Level) String() string {
+	return ""
+}
+
+func (_ *Level) UnmarshalText(_ []byte) error {
+	return nil
+}
+
+type LevelHooks map[Level][]Hook
+
+func (_ LevelHooks) Add(_ Hook) {}
+
+func (_ LevelHooks) Fire(_ Level, _ *Entry) error {
+	return nil
+}
+
+type LogFunction func() []interface{}
+
+type Logger struct {
+	Out          io.Writer
+	Hooks        LevelHooks
+	Formatter    Formatter
+	ReportCaller bool
+	Level        Level
+	ExitFunc     interface{}
+}
+
+func (_ *Logger) AddHook(_ Hook) {}
+
+func (_ *Logger) Debug(_ ...interface{}) {}
+
+func (_ *Logger) DebugFn(_ LogFunction) {}
+
+func (_ *Logger) Debugf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Debugln(_ ...interface{}) {}
+
+func (_ *Logger) Error(_ ...interface{}) {}
+
+func (_ *Logger) ErrorFn(_ LogFunction) {}
+
+func (_ *Logger) Errorf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Errorln(_ ...interface{}) {}
+
+func (_ *Logger) Exit(_ int) {}
+
+func (_ *Logger) Fatal(_ ...interface{}) {}
+
+func (_ *Logger) FatalFn(_ LogFunction) {}
+
+func (_ *Logger) Fatalf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Fatalln(_ ...interface{}) {}
+
+func (_ *Logger) GetLevel() Level {
+	return 0
+}
+
+func (_ *Logger) Info(_ ...interface{}) {}
+
+func (_ *Logger) InfoFn(_ LogFunction) {}
+
+func (_ *Logger) Infof(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Infoln(_ ...interface{}) {}
+
+func (_ *Logger) IsLevelEnabled(_ Level) bool {
+	return false
+}
+
+func (_ *Logger) Log(_ Level, _ ...interface{}) {}
+
+func (_ *Logger) LogFn(_ Level, _ LogFunction) {}
+
+func (_ *Logger) Logf(_ Level, _ string, _ ...interface{}) {}
+
+func (_ *Logger) Logln(_ Level, _ ...interface{}) {}
+
+func (_ *Logger) Panic(_ ...interface{}) {}
+
+func (_ *Logger) PanicFn(_ LogFunction) {}
+
+func (_ *Logger) Panicf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Panicln(_ ...interface{}) {}
+
+func (_ *Logger) Print(_ ...interface{}) {}
+
+func (_ *Logger) PrintFn(_ LogFunction) {}
+
+func (_ *Logger) Printf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Println(_ ...interface{}) {}
+
+func (_ *Logger) ReplaceHooks(_ LevelHooks) LevelHooks {
+	return nil
+}
+
+func (_ *Logger) SetFormatter(_ Formatter) {}
+
+func (_ *Logger) SetLevel(_ Level) {}
+
+func (_ *Logger) SetNoLock() {}
+
+func (_ *Logger) SetOutput(_ io.Writer) {}
+
+func (_ *Logger) SetReportCaller(_ bool) {}
+
+func (_ *Logger) Trace(_ ...interface{}) {}
+
+func (_ *Logger) TraceFn(_ LogFunction) {}
+
+func (_ *Logger) Tracef(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Traceln(_ ...interface{}) {}
+
+func (_ *Logger) Warn(_ ...interface{}) {}
+
+func (_ *Logger) WarnFn(_ LogFunction) {}
+
+func (_ *Logger) Warnf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Warning(_ ...interface{}) {}
+
+func (_ *Logger) WarningFn(_ LogFunction) {}
+
+func (_ *Logger) Warningf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Warningln(_ ...interface{}) {}
+
+func (_ *Logger) Warnln(_ ...interface{}) {}
+
+func (_ *Logger) WithContext(_ context.Context) *Entry {
+	return nil
+}
+
+func (_ *Logger) WithError(_ error) *Entry {
+	return nil
+}
+
+func (_ *Logger) WithField(_ string, _ interface{}) *Entry {
+	return nil
+}
+
+func (_ *Logger) WithFields(_ Fields) *Entry {
+	return nil
+}
+
+func (_ *Logger) WithTime(_ time.Time) *Entry {
+	return nil
+}
+
+func (_ *Logger) Writer() *io.PipeWriter {
+	return nil
+}
+
+func (_ *Logger) WriterLevel(_ Level) *io.PipeWriter {
+	return nil
+}
+
+func SetFormatter(_ Formatter) {}
+
+func StandardLogger() *Logger {
+	return nil
+}
+
+type TextFormatter struct {
+	ForceColors               bool
+	DisableColors             bool
+	ForceQuote                bool
+	DisableQuote              bool
+	EnvironmentOverrideColors bool
+	DisableTimestamp          bool
+	FullTimestamp             bool
+	TimestampFormat           string
+	DisableSorting            bool
+	SortingFunc               func([]string)
+	DisableLevelTruncation    bool
+	PadLevelText              bool
+	QuoteEmptyFields          bool
+	FieldMap                  FieldMap
+	CallerPrettyfier          func(*runtime.Frame) (string, string)
+}
+
+func (_ *TextFormatter) Format(_ *Entry) ([]byte, error) {
+	return nil, nil
+}
+
+func WithFields(_ Fields) *Entry {
+	return nil
+}

go/ql/test/library-tests/semmle/go/frameworks/logrus/GlobalFormatterIndirect/vendor/modules.txt

@@ -0,0 +1,6 @@
+# github.com/elazarl/goproxy v0.0.0-20221015165544-a0805db90819
+## explicit
+github.com/elazarl/goproxy
+# github.com/sirupsen/logrus v1.8.1
+## explicit
+github.com/sirupsen/logrus

go/ql/test/library-tests/semmle/go/frameworks/logrus/LocalFormatterDirect/LogInjectionTest.ql

@@ -0,0 +1,11 @@
+import go
+import TestUtilities.InlineFlowTest
+import semmle.go.security.LogInjection
+
+class LogInjectionTest extends InlineFlowTest {
+  override DataFlow::Configuration getTaintFlowConfig() {
+    result = any(LogInjection::Configuration config)
+  }
+
+  override DataFlow::Configuration getValueFlowConfig() { none() }
+}

go/ql/test/library-tests/semmle/go/frameworks/logrus/LocalFormatterDirect/go.mod

@@ -0,0 +1,8 @@
+module main
+
+go 1.14
+
+require (
+	github.com/elazarl/goproxy v0.0.0-20221015165544-a0805db90819
+	github.com/sirupsen/logrus v1.8.1
+)

go/ql/test/library-tests/semmle/go/frameworks/logrus/LocalFormatterDirect/main.go

@@ -0,0 +1,31 @@
+package main
+
+//go:generate depstubber -vendor github.com/sirupsen/logrus Fields,Logger,JSONFormatter,TextFormatter SetFormatter,StandardLogger,WithFields
+//go:generate depstubber -vendor github.com/elazarl/goproxy ProxyCtx ""
+
+import (
+	"net/http"
+
+	"github.com/elazarl/goproxy"
+	"github.com/sirupsen/logrus"
+)
+
+func main() {
+	logrus.SetFormatter(&logrus.JSONFormatter{})
+
+	formatter := new(logrus.JSONFormatter)
+	logrus.SetFormatter(formatter)
+
+	logger := logrus.StandardLogger()
+	logger.SetFormatter(&logrus.TextFormatter{})
+	logger.SetFormatter(formatter)
+	logger.Formatter = &logrus.JSONFormatter{}
+	logger.Formatter = formatter
+}
+
+func logUserData(req *http.Request, ctx *goproxy.ProxyCtx) {
+	username := req.URL.Query()["username"][0]
+	logrus.WithFields(logrus.Fields{ // $ hasTaintFlow="map literal"
+		"USERNAME": username,
+	})
+}

go/ql/test/library-tests/semmle/go/frameworks/logrus/LocalFormatterDirect/vendor/github.com/elazarl/goproxy/stub.go

@@ -0,0 +1,125 @@
+// Code generated by depstubber. DO NOT EDIT.
+// This is a simple stub for github.com/elazarl/goproxy, strictly for use in testing.
+
+// See the LICENSE file for information about the licensing of the original library.
+// Source: github.com/elazarl/goproxy (exports: ProxyCtx; functions: )
+
+// Package goproxy is a stub of github.com/elazarl/goproxy, generated by depstubber.
+package goproxy
+
+import (
+	tls "crypto/tls"
+	net "net"
+	http "net/http"
+)
+
+type CertStorage interface {
+	Fetch(_ string, _ func() (*tls.Certificate, error)) (*tls.Certificate, error)
+}
+
+type ConnectAction struct {
+	Action    ConnectActionLiteral
+	Hijack    func(*http.Request, net.Conn, *ProxyCtx)
+	TLSConfig func(string, *ProxyCtx) (*tls.Config, error)
+}
+
+type ConnectActionLiteral int
+
+type HttpsHandler interface {
+	HandleConnect(_ string, _ *ProxyCtx) (*ConnectAction, string)
+}
+
+type Logger interface {
+	Printf(_ string, _ ...interface{})
+}
+
+type ProxyConds struct{}
+
+func (_ *ProxyConds) Do(_ RespHandler) {}
+
+func (_ *ProxyConds) DoFunc(_ func(*http.Response, *ProxyCtx) *http.Response) {}
+
+type ProxyCtx struct {
+	Req          *http.Request
+	Resp         *http.Response
+	RoundTripper RoundTripper
+	Error        error
+	UserData     interface{}
+	Session      int64
+	Proxy        *ProxyHttpServer
+}
+
+func (_ *ProxyCtx) Charset() string {
+	return ""
+}
+
+func (_ *ProxyCtx) Logf(_ string, _ ...interface{}) {}
+
+func (_ *ProxyCtx) RoundTrip(_ *http.Request) (*http.Response, error) {
+	return nil, nil
+}
+
+func (_ *ProxyCtx) Warnf(_ string, _ ...interface{}) {}
+
+type ProxyHttpServer struct {
+	KeepDestinationHeaders bool
+	Verbose                bool
+	Logger                 Logger
+	NonproxyHandler        http.Handler
+	Tr                     *http.Transport
+	ConnectDial            func(string, string) (net.Conn, error)
+	ConnectDialWithReq     func(*http.Request, string, string) (net.Conn, error)
+	CertStore              CertStorage
+	KeepHeader             bool
+}
+
+func (_ *ProxyHttpServer) NewConnectDialToProxy(_ string) func(string, string) (net.Conn, error) {
+	return nil
+}
+
+func (_ *ProxyHttpServer) NewConnectDialToProxyWithHandler(_ string, _ func(*http.Request)) func(string, string) (net.Conn, error) {
+	return nil
+}
+
+func (_ *ProxyHttpServer) OnRequest(_ ...ReqCondition) *ReqProxyConds {
+	return nil
+}
+
+func (_ *ProxyHttpServer) OnResponse(_ ...RespCondition) *ProxyConds {
+	return nil
+}
+
+func (_ *ProxyHttpServer) ServeHTTP(_ http.ResponseWriter, _ *http.Request) {}
+
+type ReqCondition interface {
+	HandleReq(_ *http.Request, _ *ProxyCtx) bool
+	HandleResp(_ *http.Response, _ *ProxyCtx) bool
+}
+
+type ReqHandler interface {
+	Handle(_ *http.Request, _ *ProxyCtx) (*http.Request, *http.Response)
+}
+
+type ReqProxyConds struct{}
+
+func (_ *ReqProxyConds) Do(_ ReqHandler) {}
+
+func (_ *ReqProxyConds) DoFunc(_ func(*http.Request, *ProxyCtx) (*http.Request, *http.Response)) {}
+
+func (_ *ReqProxyConds) HandleConnect(_ HttpsHandler) {}
+
+func (_ *ReqProxyConds) HandleConnectFunc(_ func(string, *ProxyCtx) (*ConnectAction, string)) {}
+
+func (_ *ReqProxyConds) HijackConnect(_ func(*http.Request, net.Conn, *ProxyCtx)) {}
+
+type RespCondition interface {
+	HandleResp(_ *http.Response, _ *ProxyCtx) bool
+}
+
+type RespHandler interface {
+	Handle(_ *http.Response, _ *ProxyCtx) *http.Response
+}
+
+type RoundTripper interface {
+	RoundTrip(_ *http.Request, _ *ProxyCtx) (*http.Response, error)
+}

go/ql/test/library-tests/semmle/go/frameworks/logrus/LocalFormatterDirect/vendor/github.com/sirupsen/logrus/stub.go

@@ -0,0 +1,357 @@
+// Code generated by depstubber. DO NOT EDIT.
+// This is a simple stub for github.com/sirupsen/logrus, strictly for use in testing.
+
+// See the LICENSE file for information about the licensing of the original library.
+// Source: github.com/sirupsen/logrus (exports: Fields,Logger,JSONFormatter,TextFormatter; functions: SetFormatter,StandardLogger,WithFields)
+
+// Package logrus is a stub of github.com/sirupsen/logrus, generated by depstubber.
+package logrus
+
+import (
+	bytes "bytes"
+	context "context"
+	io "io"
+	runtime "runtime"
+	time "time"
+)
+
+type Entry struct {
+	Logger  *Logger
+	Data    Fields
+	Time    time.Time
+	Level   Level
+	Caller  *runtime.Frame
+	Message string
+	Buffer  *bytes.Buffer
+	Context context.Context
+}
+
+func (_ Entry) HasCaller() bool {
+	return false
+}
+
+func (_ *Entry) Bytes() ([]byte, error) {
+	return nil, nil
+}
+
+func (_ *Entry) Debug(_ ...interface{}) {}
+
+func (_ *Entry) Debugf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Debugln(_ ...interface{}) {}
+
+func (_ *Entry) Dup() *Entry {
+	return nil
+}
+
+func (_ *Entry) Error(_ ...interface{}) {}
+
+func (_ *Entry) Errorf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Errorln(_ ...interface{}) {}
+
+func (_ *Entry) Fatal(_ ...interface{}) {}
+
+func (_ *Entry) Fatalf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Fatalln(_ ...interface{}) {}
+
+func (_ *Entry) Info(_ ...interface{}) {}
+
+func (_ *Entry) Infof(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Infoln(_ ...interface{}) {}
+
+func (_ *Entry) Log(_ Level, _ ...interface{}) {}
+
+func (_ *Entry) Logf(_ Level, _ string, _ ...interface{}) {}
+
+func (_ *Entry) Logln(_ Level, _ ...interface{}) {}
+
+func (_ *Entry) Panic(_ ...interface{}) {}
+
+func (_ *Entry) Panicf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Panicln(_ ...interface{}) {}
+
+func (_ *Entry) Print(_ ...interface{}) {}
+
+func (_ *Entry) Printf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Println(_ ...interface{}) {}
+
+func (_ *Entry) String() (string, error) {
+	return "", nil
+}
+
+func (_ *Entry) Trace(_ ...interface{}) {}
+
+func (_ *Entry) Tracef(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Traceln(_ ...interface{}) {}
+
+func (_ *Entry) Warn(_ ...interface{}) {}
+
+func (_ *Entry) Warnf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Warning(_ ...interface{}) {}
+
+func (_ *Entry) Warningf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Warningln(_ ...interface{}) {}
+
+func (_ *Entry) Warnln(_ ...interface{}) {}
+
+func (_ *Entry) WithContext(_ context.Context) *Entry {
+	return nil
+}
+
+func (_ *Entry) WithError(_ error) *Entry {
+	return nil
+}
+
+func (_ *Entry) WithField(_ string, _ interface{}) *Entry {
+	return nil
+}
+
+func (_ *Entry) WithFields(_ Fields) *Entry {
+	return nil
+}
+
+func (_ *Entry) WithTime(_ time.Time) *Entry {
+	return nil
+}
+
+func (_ *Entry) Writer() *io.PipeWriter {
+	return nil
+}
+
+func (_ *Entry) WriterLevel(_ Level) *io.PipeWriter {
+	return nil
+}
+
+type FieldMap map[interface{}]string
+
+type Fields map[string]interface{}
+
+type Formatter interface {
+	Format(_ *Entry) ([]byte, error)
+}
+
+type Hook interface {
+	Fire(_ *Entry) error
+	Levels() []Level
+}
+
+type JSONFormatter struct {
+	TimestampFormat   string
+	DisableTimestamp  bool
+	DisableHTMLEscape bool
+	DataKey           string
+	FieldMap          FieldMap
+	CallerPrettyfier  func(*runtime.Frame) (string, string)
+	PrettyPrint       bool
+}
+
+func (_ *JSONFormatter) Format(_ *Entry) ([]byte, error) {
+	return nil, nil
+}
+
+type Level uint32
+
+func (_ Level) MarshalText() ([]byte, error) {
+	return nil, nil
+}
+
+func (_ Level) String() string {
+	return ""
+}
+
+func (_ *Level) UnmarshalText(_ []byte) error {
+	return nil
+}
+
+type LevelHooks map[Level][]Hook
+
+func (_ LevelHooks) Add(_ Hook) {}
+
+func (_ LevelHooks) Fire(_ Level, _ *Entry) error {
+	return nil
+}
+
+type LogFunction func() []interface{}
+
+type Logger struct {
+	Out          io.Writer
+	Hooks        LevelHooks
+	Formatter    Formatter
+	ReportCaller bool
+	Level        Level
+	ExitFunc     interface{}
+}
+
+func (_ *Logger) AddHook(_ Hook) {}
+
+func (_ *Logger) Debug(_ ...interface{}) {}
+
+func (_ *Logger) DebugFn(_ LogFunction) {}
+
+func (_ *Logger) Debugf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Debugln(_ ...interface{}) {}
+
+func (_ *Logger) Error(_ ...interface{}) {}
+
+func (_ *Logger) ErrorFn(_ LogFunction) {}
+
+func (_ *Logger) Errorf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Errorln(_ ...interface{}) {}
+
+func (_ *Logger) Exit(_ int) {}
+
+func (_ *Logger) Fatal(_ ...interface{}) {}
+
+func (_ *Logger) FatalFn(_ LogFunction) {}
+
+func (_ *Logger) Fatalf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Fatalln(_ ...interface{}) {}
+
+func (_ *Logger) GetLevel() Level {
+	return 0
+}
+
+func (_ *Logger) Info(_ ...interface{}) {}
+
+func (_ *Logger) InfoFn(_ LogFunction) {}
+
+func (_ *Logger) Infof(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Infoln(_ ...interface{}) {}
+
+func (_ *Logger) IsLevelEnabled(_ Level) bool {
+	return false
+}
+
+func (_ *Logger) Log(_ Level, _ ...interface{}) {}
+
+func (_ *Logger) LogFn(_ Level, _ LogFunction) {}
+
+func (_ *Logger) Logf(_ Level, _ string, _ ...interface{}) {}
+
+func (_ *Logger) Logln(_ Level, _ ...interface{}) {}
+
+func (_ *Logger) Panic(_ ...interface{}) {}
+
+func (_ *Logger) PanicFn(_ LogFunction) {}
+
+func (_ *Logger) Panicf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Panicln(_ ...interface{}) {}
+
+func (_ *Logger) Print(_ ...interface{}) {}
+
+func (_ *Logger) PrintFn(_ LogFunction) {}
+
+func (_ *Logger) Printf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Println(_ ...interface{}) {}
+
+func (_ *Logger) ReplaceHooks(_ LevelHooks) LevelHooks {
+	return nil
+}
+
+func (_ *Logger) SetFormatter(_ Formatter) {}
+
+func (_ *Logger) SetLevel(_ Level) {}
+
+func (_ *Logger) SetNoLock() {}
+
+func (_ *Logger) SetOutput(_ io.Writer) {}
+
+func (_ *Logger) SetReportCaller(_ bool) {}
+
+func (_ *Logger) Trace(_ ...interface{}) {}
+
+func (_ *Logger) TraceFn(_ LogFunction) {}
+
+func (_ *Logger) Tracef(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Traceln(_ ...interface{}) {}
+
+func (_ *Logger) Warn(_ ...interface{}) {}
+
+func (_ *Logger) WarnFn(_ LogFunction) {}
+
+func (_ *Logger) Warnf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Warning(_ ...interface{}) {}
+
+func (_ *Logger) WarningFn(_ LogFunction) {}
+
+func (_ *Logger) Warningf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Warningln(_ ...interface{}) {}
+
+func (_ *Logger) Warnln(_ ...interface{}) {}
+
+func (_ *Logger) WithContext(_ context.Context) *Entry {
+	return nil
+}
+
+func (_ *Logger) WithError(_ error) *Entry {
+	return nil
+}
+
+func (_ *Logger) WithField(_ string, _ interface{}) *Entry {
+	return nil
+}
+
+func (_ *Logger) WithFields(_ Fields) *Entry {
+	return nil
+}
+
+func (_ *Logger) WithTime(_ time.Time) *Entry {
+	return nil
+}
+
+func (_ *Logger) Writer() *io.PipeWriter {
+	return nil
+}
+
+func (_ *Logger) WriterLevel(_ Level) *io.PipeWriter {
+	return nil
+}
+
+func SetFormatter(_ Formatter) {}
+
+func StandardLogger() *Logger {
+	return nil
+}
+
+type TextFormatter struct {
+	ForceColors               bool
+	DisableColors             bool
+	ForceQuote                bool
+	DisableQuote              bool
+	EnvironmentOverrideColors bool
+	DisableTimestamp          bool
+	FullTimestamp             bool
+	TimestampFormat           string
+	DisableSorting            bool
+	SortingFunc               func([]string)
+	DisableLevelTruncation    bool
+	PadLevelText              bool
+	QuoteEmptyFields          bool
+	FieldMap                  FieldMap
+	CallerPrettyfier          func(*runtime.Frame) (string, string)
+}
+
+func (_ *TextFormatter) Format(_ *Entry) ([]byte, error) {
+	return nil, nil
+}
+
+func WithFields(_ Fields) *Entry {
+	return nil
+}

go/ql/test/library-tests/semmle/go/frameworks/logrus/LocalFormatterDirect/vendor/modules.txt

@@ -0,0 +1,6 @@
+# github.com/elazarl/goproxy v0.0.0-20221015165544-a0805db90819
+## explicit
+github.com/elazarl/goproxy
+# github.com/sirupsen/logrus v1.8.1
+## explicit
+github.com/sirupsen/logrus

go/ql/test/library-tests/semmle/go/frameworks/logrus/LocalFormatterIndirect/LogInjectionTest.ql

@@ -0,0 +1,11 @@
+import go
+import TestUtilities.InlineFlowTest
+import semmle.go.security.LogInjection
+
+class LogInjectionTest extends InlineFlowTest {
+  override DataFlow::Configuration getTaintFlowConfig() {
+    result = any(LogInjection::Configuration config)
+  }
+
+  override DataFlow::Configuration getValueFlowConfig() { none() }
+}

go/ql/test/library-tests/semmle/go/frameworks/logrus/LocalFormatterIndirect/go.mod

@@ -0,0 +1,8 @@
+module main
+
+go 1.14
+
+require (
+	github.com/elazarl/goproxy v0.0.0-20221015165544-a0805db90819
+	github.com/sirupsen/logrus v1.8.1
+)

go/ql/test/library-tests/semmle/go/frameworks/logrus/LocalFormatterIndirect/main.go

@@ -0,0 +1,32 @@
+package main
+
+//go:generate depstubber -vendor github.com/sirupsen/logrus Fields,Logger,JSONFormatter,TextFormatter SetFormatter,StandardLogger,WithFields
+//go:generate depstubber -vendor github.com/elazarl/goproxy ProxyCtx ""
+
+import (
+	"net/http"
+
+	"github.com/elazarl/goproxy"
+	"github.com/sirupsen/logrus"
+)
+
+func main() {
+	logrus.SetFormatter(&logrus.JSONFormatter{})
+
+	formatter := new(logrus.JSONFormatter)
+	textFormatter := new(logrus.TextFormatter)
+	logrus.SetFormatter(formatter)
+
+	logger := logrus.StandardLogger()
+	logger.SetFormatter(&logrus.JSONFormatter{})
+	logger.SetFormatter(textFormatter)
+	logger.Formatter = &logrus.JSONFormatter{}
+	logger.Formatter = formatter
+}
+
+func logUserData(req *http.Request, ctx *goproxy.ProxyCtx) {
+	username := req.URL.Query()["username"][0]
+	logrus.WithFields(logrus.Fields{ // $ hasTaintFlow="map literal"
+		"USERNAME": username,
+	})
+}

go/ql/test/library-tests/semmle/go/frameworks/logrus/LocalFormatterIndirect/vendor/github.com/elazarl/goproxy/stub.go

@@ -0,0 +1,125 @@
+// Code generated by depstubber. DO NOT EDIT.
+// This is a simple stub for github.com/elazarl/goproxy, strictly for use in testing.
+
+// See the LICENSE file for information about the licensing of the original library.
+// Source: github.com/elazarl/goproxy (exports: ProxyCtx; functions: )
+
+// Package goproxy is a stub of github.com/elazarl/goproxy, generated by depstubber.
+package goproxy
+
+import (
+	tls "crypto/tls"
+	net "net"
+	http "net/http"
+)
+
+type CertStorage interface {
+	Fetch(_ string, _ func() (*tls.Certificate, error)) (*tls.Certificate, error)
+}
+
+type ConnectAction struct {
+	Action    ConnectActionLiteral
+	Hijack    func(*http.Request, net.Conn, *ProxyCtx)
+	TLSConfig func(string, *ProxyCtx) (*tls.Config, error)
+}
+
+type ConnectActionLiteral int
+
+type HttpsHandler interface {
+	HandleConnect(_ string, _ *ProxyCtx) (*ConnectAction, string)
+}
+
+type Logger interface {
+	Printf(_ string, _ ...interface{})
+}
+
+type ProxyConds struct{}
+
+func (_ *ProxyConds) Do(_ RespHandler) {}
+
+func (_ *ProxyConds) DoFunc(_ func(*http.Response, *ProxyCtx) *http.Response) {}
+
+type ProxyCtx struct {
+	Req          *http.Request
+	Resp         *http.Response
+	RoundTripper RoundTripper
+	Error        error
+	UserData     interface{}
+	Session      int64
+	Proxy        *ProxyHttpServer
+}
+
+func (_ *ProxyCtx) Charset() string {
+	return ""
+}
+
+func (_ *ProxyCtx) Logf(_ string, _ ...interface{}) {}
+
+func (_ *ProxyCtx) RoundTrip(_ *http.Request) (*http.Response, error) {
+	return nil, nil
+}
+
+func (_ *ProxyCtx) Warnf(_ string, _ ...interface{}) {}
+
+type ProxyHttpServer struct {
+	KeepDestinationHeaders bool
+	Verbose                bool
+	Logger                 Logger
+	NonproxyHandler        http.Handler
+	Tr                     *http.Transport
+	ConnectDial            func(string, string) (net.Conn, error)
+	ConnectDialWithReq     func(*http.Request, string, string) (net.Conn, error)
+	CertStore              CertStorage
+	KeepHeader             bool
+}
+
+func (_ *ProxyHttpServer) NewConnectDialToProxy(_ string) func(string, string) (net.Conn, error) {
+	return nil
+}
+
+func (_ *ProxyHttpServer) NewConnectDialToProxyWithHandler(_ string, _ func(*http.Request)) func(string, string) (net.Conn, error) {
+	return nil
+}
+
+func (_ *ProxyHttpServer) OnRequest(_ ...ReqCondition) *ReqProxyConds {
+	return nil
+}
+
+func (_ *ProxyHttpServer) OnResponse(_ ...RespCondition) *ProxyConds {
+	return nil
+}
+
+func (_ *ProxyHttpServer) ServeHTTP(_ http.ResponseWriter, _ *http.Request) {}
+
+type ReqCondition interface {
+	HandleReq(_ *http.Request, _ *ProxyCtx) bool
+	HandleResp(_ *http.Response, _ *ProxyCtx) bool
+}
+
+type ReqHandler interface {
+	Handle(_ *http.Request, _ *ProxyCtx) (*http.Request, *http.Response)
+}
+
+type ReqProxyConds struct{}
+
+func (_ *ReqProxyConds) Do(_ ReqHandler) {}
+
+func (_ *ReqProxyConds) DoFunc(_ func(*http.Request, *ProxyCtx) (*http.Request, *http.Response)) {}
+
+func (_ *ReqProxyConds) HandleConnect(_ HttpsHandler) {}
+
+func (_ *ReqProxyConds) HandleConnectFunc(_ func(string, *ProxyCtx) (*ConnectAction, string)) {}
+
+func (_ *ReqProxyConds) HijackConnect(_ func(*http.Request, net.Conn, *ProxyCtx)) {}
+
+type RespCondition interface {
+	HandleResp(_ *http.Response, _ *ProxyCtx) bool
+}
+
+type RespHandler interface {
+	Handle(_ *http.Response, _ *ProxyCtx) *http.Response
+}
+
+type RoundTripper interface {
+	RoundTrip(_ *http.Request, _ *ProxyCtx) (*http.Response, error)
+}

go/ql/test/library-tests/semmle/go/frameworks/logrus/LocalFormatterIndirect/vendor/github.com/sirupsen/logrus/stub.go

@@ -0,0 +1,357 @@
+// Code generated by depstubber. DO NOT EDIT.
+// This is a simple stub for github.com/sirupsen/logrus, strictly for use in testing.
+
+// See the LICENSE file for information about the licensing of the original library.
+// Source: github.com/sirupsen/logrus (exports: Fields,Logger,JSONFormatter,TextFormatter; functions: SetFormatter,StandardLogger,WithFields)
+
+// Package logrus is a stub of github.com/sirupsen/logrus, generated by depstubber.
+package logrus
+
+import (
+	bytes "bytes"
+	context "context"
+	io "io"
+	runtime "runtime"
+	time "time"
+)
+
+type Entry struct {
+	Logger  *Logger
+	Data    Fields
+	Time    time.Time
+	Level   Level
+	Caller  *runtime.Frame
+	Message string
+	Buffer  *bytes.Buffer
+	Context context.Context
+}
+
+func (_ Entry) HasCaller() bool {
+	return false
+}
+
+func (_ *Entry) Bytes() ([]byte, error) {
+	return nil, nil
+}
+
+func (_ *Entry) Debug(_ ...interface{}) {}
+
+func (_ *Entry) Debugf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Debugln(_ ...interface{}) {}
+
+func (_ *Entry) Dup() *Entry {
+	return nil
+}
+
+func (_ *Entry) Error(_ ...interface{}) {}
+
+func (_ *Entry) Errorf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Errorln(_ ...interface{}) {}
+
+func (_ *Entry) Fatal(_ ...interface{}) {}
+
+func (_ *Entry) Fatalf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Fatalln(_ ...interface{}) {}
+
+func (_ *Entry) Info(_ ...interface{}) {}
+
+func (_ *Entry) Infof(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Infoln(_ ...interface{}) {}
+
+func (_ *Entry) Log(_ Level, _ ...interface{}) {}
+
+func (_ *Entry) Logf(_ Level, _ string, _ ...interface{}) {}
+
+func (_ *Entry) Logln(_ Level, _ ...interface{}) {}
+
+func (_ *Entry) Panic(_ ...interface{}) {}
+
+func (_ *Entry) Panicf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Panicln(_ ...interface{}) {}
+
+func (_ *Entry) Print(_ ...interface{}) {}
+
+func (_ *Entry) Printf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Println(_ ...interface{}) {}
+
+func (_ *Entry) String() (string, error) {
+	return "", nil
+}
+
+func (_ *Entry) Trace(_ ...interface{}) {}
+
+func (_ *Entry) Tracef(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Traceln(_ ...interface{}) {}
+
+func (_ *Entry) Warn(_ ...interface{}) {}
+
+func (_ *Entry) Warnf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Warning(_ ...interface{}) {}
+
+func (_ *Entry) Warningf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Warningln(_ ...interface{}) {}
+
+func (_ *Entry) Warnln(_ ...interface{}) {}
+
+func (_ *Entry) WithContext(_ context.Context) *Entry {
+	return nil
+}
+
+func (_ *Entry) WithError(_ error) *Entry {
+	return nil
+}
+
+func (_ *Entry) WithField(_ string, _ interface{}) *Entry {
+	return nil
+}
+
+func (_ *Entry) WithFields(_ Fields) *Entry {
+	return nil
+}
+
+func (_ *Entry) WithTime(_ time.Time) *Entry {
+	return nil
+}
+
+func (_ *Entry) Writer() *io.PipeWriter {
+	return nil
+}
+
+func (_ *Entry) WriterLevel(_ Level) *io.PipeWriter {
+	return nil
+}
+
+type FieldMap map[interface{}]string
+
+type Fields map[string]interface{}
+
+type Formatter interface {
+	Format(_ *Entry) ([]byte, error)
+}
+
+type Hook interface {
+	Fire(_ *Entry) error
+	Levels() []Level
+}
+
+type JSONFormatter struct {
+	TimestampFormat   string
+	DisableTimestamp  bool
+	DisableHTMLEscape bool
+	DataKey           string
+	FieldMap          FieldMap
+	CallerPrettyfier  func(*runtime.Frame) (string, string)
+	PrettyPrint       bool
+}
+
+func (_ *JSONFormatter) Format(_ *Entry) ([]byte, error) {
+	return nil, nil
+}
+
+type Level uint32
+
+func (_ Level) MarshalText() ([]byte, error) {
+	return nil, nil
+}
+
+func (_ Level) String() string {
+	return ""
+}
+
+func (_ *Level) UnmarshalText(_ []byte) error {
+	return nil
+}
+
+type LevelHooks map[Level][]Hook
+
+func (_ LevelHooks) Add(_ Hook) {}
+
+func (_ LevelHooks) Fire(_ Level, _ *Entry) error {
+	return nil
+}
+
+type LogFunction func() []interface{}
+
+type Logger struct {
+	Out          io.Writer
+	Hooks        LevelHooks
+	Formatter    Formatter
+	ReportCaller bool
+	Level        Level
+	ExitFunc     interface{}
+}
+
+func (_ *Logger) AddHook(_ Hook) {}
+
+func (_ *Logger) Debug(_ ...interface{}) {}
+
+func (_ *Logger) DebugFn(_ LogFunction) {}
+
+func (_ *Logger) Debugf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Debugln(_ ...interface{}) {}
+
+func (_ *Logger) Error(_ ...interface{}) {}
+
+func (_ *Logger) ErrorFn(_ LogFunction) {}
+
+func (_ *Logger) Errorf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Errorln(_ ...interface{}) {}
+
+func (_ *Logger) Exit(_ int) {}
+
+func (_ *Logger) Fatal(_ ...interface{}) {}
+
+func (_ *Logger) FatalFn(_ LogFunction) {}
+
+func (_ *Logger) Fatalf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Fatalln(_ ...interface{}) {}
+
+func (_ *Logger) GetLevel() Level {
+	return 0
+}
+
+func (_ *Logger) Info(_ ...interface{}) {}
+
+func (_ *Logger) InfoFn(_ LogFunction) {}
+
+func (_ *Logger) Infof(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Infoln(_ ...interface{}) {}
+
+func (_ *Logger) IsLevelEnabled(_ Level) bool {
+	return false
+}
+
+func (_ *Logger) Log(_ Level, _ ...interface{}) {}
+
+func (_ *Logger) LogFn(_ Level, _ LogFunction) {}
+
+func (_ *Logger) Logf(_ Level, _ string, _ ...interface{}) {}
+
+func (_ *Logger) Logln(_ Level, _ ...interface{}) {}
+
+func (_ *Logger) Panic(_ ...interface{}) {}
+
+func (_ *Logger) PanicFn(_ LogFunction) {}
+
+func (_ *Logger) Panicf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Panicln(_ ...interface{}) {}
+
+func (_ *Logger) Print(_ ...interface{}) {}
+
+func (_ *Logger) PrintFn(_ LogFunction) {}
+
+func (_ *Logger) Printf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Println(_ ...interface{}) {}
+
+func (_ *Logger) ReplaceHooks(_ LevelHooks) LevelHooks {
+	return nil
+}
+
+func (_ *Logger) SetFormatter(_ Formatter) {}
+
+func (_ *Logger) SetLevel(_ Level) {}
+
+func (_ *Logger) SetNoLock() {}
+
+func (_ *Logger) SetOutput(_ io.Writer) {}
+
+func (_ *Logger) SetReportCaller(_ bool) {}
+
+func (_ *Logger) Trace(_ ...interface{}) {}
+
+func (_ *Logger) TraceFn(_ LogFunction) {}
+
+func (_ *Logger) Tracef(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Traceln(_ ...interface{}) {}
+
+func (_ *Logger) Warn(_ ...interface{}) {}
+
+func (_ *Logger) WarnFn(_ LogFunction) {}
+
+func (_ *Logger) Warnf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Warning(_ ...interface{}) {}
+
+func (_ *Logger) WarningFn(_ LogFunction) {}
+
+func (_ *Logger) Warningf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Warningln(_ ...interface{}) {}
+
+func (_ *Logger) Warnln(_ ...interface{}) {}
+
+func (_ *Logger) WithContext(_ context.Context) *Entry {
+	return nil
+}
+
+func (_ *Logger) WithError(_ error) *Entry {
+	return nil
+}
+
+func (_ *Logger) WithField(_ string, _ interface{}) *Entry {
+	return nil
+}
+
+func (_ *Logger) WithFields(_ Fields) *Entry {
+	return nil
+}
+
+func (_ *Logger) WithTime(_ time.Time) *Entry {
+	return nil
+}
+
+func (_ *Logger) Writer() *io.PipeWriter {
+	return nil
+}
+
+func (_ *Logger) WriterLevel(_ Level) *io.PipeWriter {
+	return nil
+}
+
+func SetFormatter(_ Formatter) {}
+
+func StandardLogger() *Logger {
+	return nil
+}
+
+type TextFormatter struct {
+	ForceColors               bool
+	DisableColors             bool
+	ForceQuote                bool
+	DisableQuote              bool
+	EnvironmentOverrideColors bool
+	DisableTimestamp          bool
+	FullTimestamp             bool
+	TimestampFormat           string
+	DisableSorting            bool
+	SortingFunc               func([]string)
+	DisableLevelTruncation    bool
+	PadLevelText              bool
+	QuoteEmptyFields          bool
+	FieldMap                  FieldMap
+	CallerPrettyfier          func(*runtime.Frame) (string, string)
+}
+
+func (_ *TextFormatter) Format(_ *Entry) ([]byte, error) {
+	return nil, nil
+}
+
+func WithFields(_ Fields) *Entry {
+	return nil
+}

go/ql/test/library-tests/semmle/go/frameworks/logrus/LocalFormatterIndirect/vendor/modules.txt

@@ -0,0 +1,6 @@
+# github.com/elazarl/goproxy v0.0.0-20221015165544-a0805db90819
+## explicit
+github.com/elazarl/goproxy
+# github.com/sirupsen/logrus v1.8.1
+## explicit
+github.com/sirupsen/logrus

go/ql/test/library-tests/semmle/go/frameworks/logrus/SoleConditional/LogInjectionTest.ql

@@ -0,0 +1,11 @@
+import go
+import TestUtilities.InlineFlowTest
+import semmle.go.security.LogInjection
+
+class LogInjectionTest extends InlineFlowTest {
+  override DataFlow::Configuration getTaintFlowConfig() {
+    result = any(LogInjection::Configuration config)
+  }
+
+  override DataFlow::Configuration getValueFlowConfig() { none() }
+}

go/ql/test/library-tests/semmle/go/frameworks/logrus/SoleConditional/go.mod

@@ -0,0 +1,8 @@
+module main
+
+go 1.14
+
+require (
+	github.com/elazarl/goproxy v0.0.0-20221015165544-a0805db90819
+	github.com/sirupsen/logrus v1.8.1
+)

go/ql/test/library-tests/semmle/go/frameworks/logrus/SoleConditional/main.go

@@ -0,0 +1,24 @@
+package main
+
+//go:generate depstubber -vendor github.com/sirupsen/logrus Fields,Logger,JSONFormatter,TextFormatter SetFormatter,StandardLogger,WithFields
+//go:generate depstubber -vendor github.com/elazarl/goproxy ProxyCtx ""
+
+import (
+	"net/http"
+
+	"github.com/elazarl/goproxy"
+	"github.com/sirupsen/logrus"
+)
+
+func initLogger(useJSON bool) {
+	if useJSON {
+		logrus.SetFormatter(&logrus.JSONFormatter{})
+	}
+}
+
+func logUserData(req *http.Request, ctx *goproxy.ProxyCtx) {
+	username := req.URL.Query()["username"][0]
+	logrus.WithFields(logrus.Fields{ // $ hasTaintFlow="map literal"
+		"USERNAME": username,
+	})
+}

go/ql/test/library-tests/semmle/go/frameworks/logrus/SoleConditional/vendor/github.com/elazarl/goproxy/stub.go

@@ -0,0 +1,125 @@
+// Code generated by depstubber. DO NOT EDIT.
+// This is a simple stub for github.com/elazarl/goproxy, strictly for use in testing.
+
+// See the LICENSE file for information about the licensing of the original library.
+// Source: github.com/elazarl/goproxy (exports: ProxyCtx; functions: )
+
+// Package goproxy is a stub of github.com/elazarl/goproxy, generated by depstubber.
+package goproxy
+
+import (
+	tls "crypto/tls"
+	net "net"
+	http "net/http"
+)
+
+type CertStorage interface {
+	Fetch(_ string, _ func() (*tls.Certificate, error)) (*tls.Certificate, error)
+}
+
+type ConnectAction struct {
+	Action    ConnectActionLiteral
+	Hijack    func(*http.Request, net.Conn, *ProxyCtx)
+	TLSConfig func(string, *ProxyCtx) (*tls.Config, error)
+}
+
+type ConnectActionLiteral int
+
+type HttpsHandler interface {
+	HandleConnect(_ string, _ *ProxyCtx) (*ConnectAction, string)
+}
+
+type Logger interface {
+	Printf(_ string, _ ...interface{})
+}
+
+type ProxyConds struct{}
+
+func (_ *ProxyConds) Do(_ RespHandler) {}
+
+func (_ *ProxyConds) DoFunc(_ func(*http.Response, *ProxyCtx) *http.Response) {}
+
+type ProxyCtx struct {
+	Req          *http.Request
+	Resp         *http.Response
+	RoundTripper RoundTripper
+	Error        error
+	UserData     interface{}
+	Session      int64
+	Proxy        *ProxyHttpServer
+}
+
+func (_ *ProxyCtx) Charset() string {
+	return ""
+}
+
+func (_ *ProxyCtx) Logf(_ string, _ ...interface{}) {}
+
+func (_ *ProxyCtx) RoundTrip(_ *http.Request) (*http.Response, error) {
+	return nil, nil
+}
+
+func (_ *ProxyCtx) Warnf(_ string, _ ...interface{}) {}
+
+type ProxyHttpServer struct {
+	KeepDestinationHeaders bool
+	Verbose                bool
+	Logger                 Logger
+	NonproxyHandler        http.Handler
+	Tr                     *http.Transport
+	ConnectDial            func(string, string) (net.Conn, error)
+	ConnectDialWithReq     func(*http.Request, string, string) (net.Conn, error)
+	CertStore              CertStorage
+	KeepHeader             bool
+}
+
+func (_ *ProxyHttpServer) NewConnectDialToProxy(_ string) func(string, string) (net.Conn, error) {
+	return nil
+}
+
+func (_ *ProxyHttpServer) NewConnectDialToProxyWithHandler(_ string, _ func(*http.Request)) func(string, string) (net.Conn, error) {
+	return nil
+}
+
+func (_ *ProxyHttpServer) OnRequest(_ ...ReqCondition) *ReqProxyConds {
+	return nil
+}
+
+func (_ *ProxyHttpServer) OnResponse(_ ...RespCondition) *ProxyConds {
+	return nil
+}
+
+func (_ *ProxyHttpServer) ServeHTTP(_ http.ResponseWriter, _ *http.Request) {}
+
+type ReqCondition interface {
+	HandleReq(_ *http.Request, _ *ProxyCtx) bool
+	HandleResp(_ *http.Response, _ *ProxyCtx) bool
+}
+
+type ReqHandler interface {
+	Handle(_ *http.Request, _ *ProxyCtx) (*http.Request, *http.Response)
+}
+
+type ReqProxyConds struct{}
+
+func (_ *ReqProxyConds) Do(_ ReqHandler) {}
+
+func (_ *ReqProxyConds) DoFunc(_ func(*http.Request, *ProxyCtx) (*http.Request, *http.Response)) {}
+
+func (_ *ReqProxyConds) HandleConnect(_ HttpsHandler) {}
+
+func (_ *ReqProxyConds) HandleConnectFunc(_ func(string, *ProxyCtx) (*ConnectAction, string)) {}
+
+func (_ *ReqProxyConds) HijackConnect(_ func(*http.Request, net.Conn, *ProxyCtx)) {}
+
+type RespCondition interface {
+	HandleResp(_ *http.Response, _ *ProxyCtx) bool
+}
+
+type RespHandler interface {
+	Handle(_ *http.Response, _ *ProxyCtx) *http.Response
+}
+
+type RoundTripper interface {
+	RoundTrip(_ *http.Request, _ *ProxyCtx) (*http.Response, error)
+}

go/ql/test/library-tests/semmle/go/frameworks/logrus/SoleConditional/vendor/github.com/sirupsen/logrus/stub.go

@@ -0,0 +1,357 @@
+// Code generated by depstubber. DO NOT EDIT.
+// This is a simple stub for github.com/sirupsen/logrus, strictly for use in testing.
+
+// See the LICENSE file for information about the licensing of the original library.
+// Source: github.com/sirupsen/logrus (exports: Fields,Logger,JSONFormatter,TextFormatter; functions: SetFormatter,StandardLogger,WithFields)
+
+// Package logrus is a stub of github.com/sirupsen/logrus, generated by depstubber.
+package logrus
+
+import (
+	bytes "bytes"
+	context "context"
+	io "io"
+	runtime "runtime"
+	time "time"
+)
+
+type Entry struct {
+	Logger  *Logger
+	Data    Fields
+	Time    time.Time
+	Level   Level
+	Caller  *runtime.Frame
+	Message string
+	Buffer  *bytes.Buffer
+	Context context.Context
+}
+
+func (_ Entry) HasCaller() bool {
+	return false
+}
+
+func (_ *Entry) Bytes() ([]byte, error) {
+	return nil, nil
+}
+
+func (_ *Entry) Debug(_ ...interface{}) {}
+
+func (_ *Entry) Debugf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Debugln(_ ...interface{}) {}
+
+func (_ *Entry) Dup() *Entry {
+	return nil
+}
+
+func (_ *Entry) Error(_ ...interface{}) {}
+
+func (_ *Entry) Errorf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Errorln(_ ...interface{}) {}
+
+func (_ *Entry) Fatal(_ ...interface{}) {}
+
+func (_ *Entry) Fatalf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Fatalln(_ ...interface{}) {}
+
+func (_ *Entry) Info(_ ...interface{}) {}
+
+func (_ *Entry) Infof(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Infoln(_ ...interface{}) {}
+
+func (_ *Entry) Log(_ Level, _ ...interface{}) {}
+
+func (_ *Entry) Logf(_ Level, _ string, _ ...interface{}) {}
+
+func (_ *Entry) Logln(_ Level, _ ...interface{}) {}
+
+func (_ *Entry) Panic(_ ...interface{}) {}
+
+func (_ *Entry) Panicf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Panicln(_ ...interface{}) {}
+
+func (_ *Entry) Print(_ ...interface{}) {}
+
+func (_ *Entry) Printf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Println(_ ...interface{}) {}
+
+func (_ *Entry) String() (string, error) {
+	return "", nil
+}
+
+func (_ *Entry) Trace(_ ...interface{}) {}
+
+func (_ *Entry) Tracef(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Traceln(_ ...interface{}) {}
+
+func (_ *Entry) Warn(_ ...interface{}) {}
+
+func (_ *Entry) Warnf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Warning(_ ...interface{}) {}
+
+func (_ *Entry) Warningf(_ string, _ ...interface{}) {}
+
+func (_ *Entry) Warningln(_ ...interface{}) {}
+
+func (_ *Entry) Warnln(_ ...interface{}) {}
+
+func (_ *Entry) WithContext(_ context.Context) *Entry {
+	return nil
+}
+
+func (_ *Entry) WithError(_ error) *Entry {
+	return nil
+}
+
+func (_ *Entry) WithField(_ string, _ interface{}) *Entry {
+	return nil
+}
+
+func (_ *Entry) WithFields(_ Fields) *Entry {
+	return nil
+}
+
+func (_ *Entry) WithTime(_ time.Time) *Entry {
+	return nil
+}
+
+func (_ *Entry) Writer() *io.PipeWriter {
+	return nil
+}
+
+func (_ *Entry) WriterLevel(_ Level) *io.PipeWriter {
+	return nil
+}
+
+type FieldMap map[interface{}]string
+
+type Fields map[string]interface{}
+
+type Formatter interface {
+	Format(_ *Entry) ([]byte, error)
+}
+
+type Hook interface {
+	Fire(_ *Entry) error
+	Levels() []Level
+}
+
+type JSONFormatter struct {
+	TimestampFormat   string
+	DisableTimestamp  bool
+	DisableHTMLEscape bool
+	DataKey           string
+	FieldMap          FieldMap
+	CallerPrettyfier  func(*runtime.Frame) (string, string)
+	PrettyPrint       bool
+}
+
+func (_ *JSONFormatter) Format(_ *Entry) ([]byte, error) {
+	return nil, nil
+}
+
+type Level uint32
+
+func (_ Level) MarshalText() ([]byte, error) {
+	return nil, nil
+}
+
+func (_ Level) String() string {
+	return ""
+}
+
+func (_ *Level) UnmarshalText(_ []byte) error {
+	return nil
+}
+
+type LevelHooks map[Level][]Hook
+
+func (_ LevelHooks) Add(_ Hook) {}
+
+func (_ LevelHooks) Fire(_ Level, _ *Entry) error {
+	return nil
+}
+
+type LogFunction func() []interface{}
+
+type Logger struct {
+	Out          io.Writer
+	Hooks        LevelHooks
+	Formatter    Formatter
+	ReportCaller bool
+	Level        Level
+	ExitFunc     interface{}
+}
+
+func (_ *Logger) AddHook(_ Hook) {}
+
+func (_ *Logger) Debug(_ ...interface{}) {}
+
+func (_ *Logger) DebugFn(_ LogFunction) {}
+
+func (_ *Logger) Debugf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Debugln(_ ...interface{}) {}
+
+func (_ *Logger) Error(_ ...interface{}) {}
+
+func (_ *Logger) ErrorFn(_ LogFunction) {}
+
+func (_ *Logger) Errorf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Errorln(_ ...interface{}) {}
+
+func (_ *Logger) Exit(_ int) {}
+
+func (_ *Logger) Fatal(_ ...interface{}) {}
+
+func (_ *Logger) FatalFn(_ LogFunction) {}
+
+func (_ *Logger) Fatalf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Fatalln(_ ...interface{}) {}
+
+func (_ *Logger) GetLevel() Level {
+	return 0
+}
+
+func (_ *Logger) Info(_ ...interface{}) {}
+
+func (_ *Logger) InfoFn(_ LogFunction) {}
+
+func (_ *Logger) Infof(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Infoln(_ ...interface{}) {}
+
+func (_ *Logger) IsLevelEnabled(_ Level) bool {
+	return false
+}
+
+func (_ *Logger) Log(_ Level, _ ...interface{}) {}
+
+func (_ *Logger) LogFn(_ Level, _ LogFunction) {}
+
+func (_ *Logger) Logf(_ Level, _ string, _ ...interface{}) {}
+
+func (_ *Logger) Logln(_ Level, _ ...interface{}) {}
+
+func (_ *Logger) Panic(_ ...interface{}) {}
+
+func (_ *Logger) PanicFn(_ LogFunction) {}
+
+func (_ *Logger) Panicf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Panicln(_ ...interface{}) {}
+
+func (_ *Logger) Print(_ ...interface{}) {}
+
+func (_ *Logger) PrintFn(_ LogFunction) {}
+
+func (_ *Logger) Printf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Println(_ ...interface{}) {}
+
+func (_ *Logger) ReplaceHooks(_ LevelHooks) LevelHooks {
+	return nil
+}
+
+func (_ *Logger) SetFormatter(_ Formatter) {}
+
+func (_ *Logger) SetLevel(_ Level) {}
+
+func (_ *Logger) SetNoLock() {}
+
+func (_ *Logger) SetOutput(_ io.Writer) {}
+
+func (_ *Logger) SetReportCaller(_ bool) {}
+
+func (_ *Logger) Trace(_ ...interface{}) {}
+
+func (_ *Logger) TraceFn(_ LogFunction) {}
+
+func (_ *Logger) Tracef(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Traceln(_ ...interface{}) {}
+
+func (_ *Logger) Warn(_ ...interface{}) {}
+
+func (_ *Logger) WarnFn(_ LogFunction) {}
+
+func (_ *Logger) Warnf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Warning(_ ...interface{}) {}
+
+func (_ *Logger) WarningFn(_ LogFunction) {}
+
+func (_ *Logger) Warningf(_ string, _ ...interface{}) {}
+
+func (_ *Logger) Warningln(_ ...interface{}) {}
+
+func (_ *Logger) Warnln(_ ...interface{}) {}
+
+func (_ *Logger) WithContext(_ context.Context) *Entry {
+	return nil
+}
+
+func (_ *Logger) WithError(_ error) *Entry {
+	return nil
+}
+
+func (_ *Logger) WithField(_ string, _ interface{}) *Entry {
+	return nil
+}
+
+func (_ *Logger) WithFields(_ Fields) *Entry {
+	return nil
+}
+
+func (_ *Logger) WithTime(_ time.Time) *Entry {
+	return nil
+}
+
+func (_ *Logger) Writer() *io.PipeWriter {
+	return nil
+}
+
+func (_ *Logger) WriterLevel(_ Level) *io.PipeWriter {
+	return nil
+}
+
+func SetFormatter(_ Formatter) {}
+
+func StandardLogger() *Logger {
+	return nil
+}
+
+type TextFormatter struct {
+	ForceColors               bool
+	DisableColors             bool
+	ForceQuote                bool
+	DisableQuote              bool
+	EnvironmentOverrideColors bool
+	DisableTimestamp          bool
+	FullTimestamp             bool
+	TimestampFormat           string
+	DisableSorting            bool
+	SortingFunc               func([]string)
+	DisableLevelTruncation    bool
+	PadLevelText              bool
+	QuoteEmptyFields          bool
+	FieldMap                  FieldMap
+	CallerPrettyfier          func(*runtime.Frame) (string, string)
+}
+
+func (_ *TextFormatter) Format(_ *Entry) ([]byte, error) {
+	return nil, nil
+}
+
+func WithFields(_ Fields) *Entry {
+	return nil
+}

go/ql/test/library-tests/semmle/go/frameworks/logrus/SoleConditional/vendor/modules.txt

@@ -0,0 +1,6 @@
+# github.com/elazarl/goproxy v0.0.0-20221015165544-a0805db90819
+## explicit
+github.com/elazarl/goproxy
+# github.com/sirupsen/logrus v1.8.1
+## explicit
+github.com/sirupsen/logrus

go/ql/test/query-tests/Security/CWE-117/LogInjection.go

@@ -7,7 +7,7 @@ package main
 //go:generate depstubber -vendor github.com/davecgh/go-spew/spew "" Dump,Errorf,Print,Printf,Println,Fdump,Fprint,Fprintf,Fprintln
 //go:generate depstubber -vendor github.com/elazarl/goproxy ProxyCtx ""
 //go:generate depstubber -vendor github.com/golang/glog Level,Verbose Info,InfoDepth,Infof,Infoln,Error,ErrorDepth,Errorf,Errorln,Fatal,FatalDepth,Fatalf,Fatalln,Exit,ExitDepth,Exitf,Exitln,V
-//go:generate depstubber -vendor github.com/sirupsen/logrus Fields,Entry,Logger,Level Debug,Debugf,Debugln,Error,Errorf,Errorln,Fatal,Fatalf,Fatalln,Info,Infof,Infoln,Panic,Panicf,Panicln,Print,Printf,Println,Trace,Tracef,Traceln,Warn,Warnf,Warnln,Warning,Warningf,Warningln,WithFields,WithField
+//go:generate depstubber -vendor github.com/sirupsen/logrus Fields,Entry,Logger,Level,JSONFormatter,TextFormatter Debug,Debugf,Debugln,Error,Errorf,Errorln,Fatal,Fatalf,Fatalln,Info,Infof,Infoln,Panic,Panicf,Panicln,Print,Printf,Println,SetFormatter,Trace,Tracef,Traceln,Warn,Warnf,Warnln,Warning,Warningf,Warningln,WithFields,WithField
 //go:generate depstubber -vendor go.uber.org/zap Logger,SugaredLogger NewProduction
 
 import (

go/ql/test/query-tests/Security/CWE-117/vendor/github.com/sirupsen/logrus/stub.go

@@ -165,6 +165,12 @@ func Infof(_ string, _ ...interface{}) {}
 
 func Infoln(_ ...interface{}) {}
 
+type JSONFormatter struct {
+
+}
+
+func (_ *JSONFormatter) Format(_ *Entry) ([]byte, error)
+
 type Level uint32
 
 func (_ Level) MarshalText() ([]byte, error) {
@@ -344,6 +350,14 @@ func Printf(_ string, _ ...interface{}) {}
 
 func Println(_ ...interface{}) {}
 
+func SetFormatter(_ Formatter) {}
+
+type TextFormatter struct {
+
+}
+
+func (_ *TextFormatter) Format(_ *Entry) ([]byte, error)
+
 func Trace(_ ...interface{}) {}
 
 func Tracef(_ string, _ ...interface{}) {}