mirror of
https://github.com/github/codeql.git
synced 2026-04-26 17:25:19 +02:00
4e04d27d32
Make it sanitize the result of the call rather than the input, so that
further uses of the input are still tainted. This means that it catches
things like `log.Print(fmt.Sprintf("user %q logged in.\n", username))`
where the argument to the LoggerCall contains a StringFormatCall, but
it misses things like `log.Printf("user %q logged in.\n", username)`. So
we extract the logic into a predicate and apply it as a condition in the
sink as well.
The downside of this approach is that if there are two tainted inputs
and only one has a safe format argument then we still sanitize the
result. Hopefully this is rare.