From f1b69207172b260b10d712375fde8dcd3a909db6 Mon Sep 17 00:00:00 2001 
From: Owen Mansel-Chan Date: Wed, 10 Jun 2026 06:43:10 +0200 Subject: [PATCH 1/5] First attempt --- .../experimental/CWE-090/LDAPInjection.go | 24 +-- .../experimental/CWE-090/LDAPInjection.qlref | 4 +- go/ql/test/experimental/CWE-203/Timing.qlref | 4 +- go/ql/test/experimental/CWE-203/timing.go | 12 +- .../experimental/CWE-285/PamAuthBypass.qlref | 4 +- go/ql/test/experimental/CWE-285/main.go | 2 +- .../experimental/CWE-287/ImproperLdapAuth.go | 8 +- .../CWE-287/ImproperLdapAuth.qlref | 4 +- .../CWE-321-V2/HardCodedKeys.qlref | 4 +- .../experimental/CWE-321-V2/go-jose.v3.go | 4 +- .../experimental/CWE-321-V2/golang-jwt-v5.go | 4 +- .../test/experimental/CWE-369/DivideByZero.go | 24 +-- .../experimental/CWE-369/DivideByZero.qlref | 4 +- .../CWE-400/DatabaseCallInLoop.go | 4 +- .../CWE-400/DatabaseCallInLoop.qlref | 4 +- go/ql/test/experimental/CWE-400/test.go | 16 +- .../DecompressionBombs.qlref | 4 +- .../CWE-522-DecompressionBombs/test.go | 104 +++++------ .../CWE-525/WebCacheDeception.qlref | 4 +- .../CWE-525/WebCacheDeceptionBad.go | 2 +- .../CWE-525/WebCacheDeceptionFiber.go | 4 +- .../CWE-525/WebCacheDeceptionGoChi.go | 2 +- .../CWE-525/WebCacheDeceptionHTTPRouter.go | 2 +- go/ql/test/experimental/CWE-74/Dsn.go | 12 +- .../experimental/CWE-74/DsnInjection.qlref | 4 +- .../CWE-74/DsnInjectionLocal.qlref | 4 +- .../CWE-807/SensitiveConditionBypass.qlref | 4 +- .../CWE-807/SensitiveConditionBypassBad.go | 2 +- go/ql/test/experimental/CWE-807/condition.go | 6 +- .../CWE-840/ConditionalBypass.qlref | 4 +- .../CWE-840/ConditionalBypassBad.go | 2 +- go/ql/test/experimental/CWE-840/condition.go | 4 +- .../InconsistentCode/DeferInLoop.go | 2 +- .../InconsistentCode/DeferInLoop.qlref | 4 +- .../InconsistentCode/GORMErrorNotChecked.go | 2 +- .../GORMErrorNotChecked.qlref | 4 +- .../experimental/InconsistentCode/test.go | 10 +- .../experimental/Unsafe/WrongUsageOfUnsafe.go | 34 ++-- .../Unsafe/WrongUsageOfUnsafe.qlref | 4 +- .../go/frameworks/BeegoOrm/SqlInjection.qlref 
| 4 +- .../go/frameworks/BeegoOrm/StoredXss.qlref | 4 +- .../semmle/go/frameworks/BeegoOrm/test.go | 164 +++++++++--------- .../go/frameworks/Chi/ReflectedXss.qlref | 4 +- .../semmle/go/frameworks/Chi/test.go | 10 +- .../go/frameworks/Echo/OpenRedirect.qlref | 4 +- .../go/frameworks/Echo/ReflectedXss.qlref | 4 +- .../go/frameworks/Echo/TaintedPath.qlref | 4 +- .../semmle/go/frameworks/Echo/test.go | 92 +++++----- .../go/frameworks/GoMicro/LogInjection.qlref | 4 +- .../semmle/go/frameworks/GoMicro/main.go | 4 +- .../semmle/go/frameworks/Revel/EndToEnd.go | 12 +- .../go/frameworks/Revel/OpenRedirect.qlref | 4 +- .../go/frameworks/Revel/ReflectedXss.qlref | 4 +- .../semmle/go/frameworks/Revel/Revel.go | 2 +- .../go/frameworks/Revel/TaintedPath.qlref | 4 +- .../Revel/examples/booking/app/init.go | 4 +- .../go/frameworks/Twirp/RequestForgery.qlref | 4 +- .../Twirp/rpc/notes/service.twirp.go | 2 +- .../semmle/go/frameworks/Twirp/server/main.go | 4 +- .../go/frameworks/XNetHtml/ReflectedXss.qlref | 4 +- .../go/frameworks/XNetHtml/SqlInjection.qlref | 4 +- .../semmle/go/frameworks/XNetHtml/test.go | 50 +++--- .../ConstantLengthComparison.go | 2 +- .../ConstantLengthComparison.qlref | 3 +- .../InconsistentLoopOrientation.go | 2 +- .../InconsistentLoopOrientation.qlref | 3 +- .../InconsistentLoopOrientation/main.go | 6 +- .../LengthComparisonOffByOne.go | 4 +- .../LengthComparisonOffByOne.qlref | 3 +- .../LengthComparisonOffByOne/main.go | 8 +- .../MissingErrorCheck/MissingErrorCheck.qlref | 4 +- .../MissingErrorCheck/tests.go | 4 +- .../MistypedExponentiation.go | 2 +- .../MistypedExponentiation.qlref | 3 +- .../MistypedExponentiation/main.go | 10 +- .../WhitespaceContradictsPrecedence.go | 2 +- .../WhitespaceContradictsPrecedence.qlref | 3 +- .../WhitespaceContradictsPrecedence/main.go | 2 +- .../WrappedErrorAlwaysNil.go | 8 +- .../WrappedErrorAlwaysNil.qlref | 3 +- .../CompareIdenticalValues.go | 2 +- .../CompareIdenticalValues.qlref | 3 +- 
.../CompareIdenticalValues/tst.go | 4 +- .../CompareIdenticalValues/vp.go | 2 +- .../DeadStoreOfField/DeadStoreOfField.go | 2 +- .../DeadStoreOfField/DeadStoreOfField.qlref | 3 +- .../DeadStoreOfLocal/DeadStoreOfLocal.qlref | 4 +- .../RedundantCode/DeadStoreOfLocal/main.go | 2 +- .../DeadStoreOfLocal/testdata.go | 58 +++---- .../DuplicateBranches/DuplicateBranches.go | 2 +- .../DuplicateBranches/DuplicateBranches.qlref | 3 +- .../RedundantCode/DuplicateBranches/main.go | 2 +- .../DuplicateCondition/DuplicateCondition.go | 4 +- .../DuplicateCondition.qlref | 3 +- .../RedundantCode/DuplicateCondition/tst.go | 4 +- .../DuplicateSwitchCase.go | 2 +- .../DuplicateSwitchCase.qlref | 4 +- .../RedundantCode/DuplicateSwitchCase/tst.go | 2 +- .../ExprHasNoEffect/ExprHasNoEffect.go | 2 +- .../ExprHasNoEffect/ExprHasNoEffect.qlref | 3 +- .../RedundantCode/ExprHasNoEffect/main.go | 6 +- .../ImpossibleInterfaceNilCheck.go | 2 +- .../ImpossibleInterfaceNilCheck.qlref | 3 +- .../ImpossibleInterfaceNilCheck/tst.go | 2 +- .../NegativeLengthCheck.go | 2 +- .../NegativeLengthCheck.qlref | 3 +- .../RedundantCode/NegativeLengthCheck/main.go | 10 +- .../RedundantExpr/RedundantExpr.go | 2 +- .../RedundantExpr/RedundantExpr.qlref | 4 +- .../RedundantCode/RedundantExpr/tst.go | 4 +- .../RedundantRecover/RedundantRecover.qlref | 4 +- .../RedundantRecover/RedundantRecover1.go | 2 +- .../RedundantRecover/RedundantRecover2.go | 2 +- .../RedundantCode/RedundantRecover/tst.go | 2 +- .../SelfAssignment/SelfAssignment.go | 2 +- .../SelfAssignment/SelfAssignment.qlref | 3 +- .../RedundantCode/SelfAssignment/tst.go | 2 +- .../ShiftOutOfRange/ShiftOutOfRange.go | 2 +- .../ShiftOutOfRange/ShiftOutOfRange.qlref | 3 +- .../RedundantCode/ShiftOutOfRange/main.go | 6 +- .../UnreachableStatement.go | 2 +- .../UnreachableStatement.qlref | 3 +- .../UnreachableStatement/main.go | 22 +-- .../IncompleteHostnameRegexp.go | 4 +- .../IncompleteHostnameRegexp.qlref | 4 +- .../CWE-020/IncompleteHostnameRegexp/main.go 
| 12 +- .../IncompleteUrlSchemeCheck.go | 2 +- .../IncompleteUrlSchemeCheck.qlref | 3 +- .../CWE-020/IncompleteUrlSchemeCheck/main.go | 2 +- .../MissingRegexpAnchor.go | 2 +- .../MissingRegexpAnchor.qlref | 3 +- .../CWE-020/MissingRegexpAnchor/main.go | 20 +-- .../SuspiciousCharacterInRegexp.go | 2 +- .../SuspiciousCharacterInRegexp.qlref | 4 +- .../SuspiciousCharacterInRegexp/test.go | 20 +-- .../GorillaMuxDefault/TaintedPath.qlref | 4 +- .../CWE-022/GorillaMuxSkipClean/MuxClean.go | 4 +- .../GorillaMuxSkipClean/TaintedPath.qlref | 4 +- .../Security/CWE-022/TaintedPath.go | 8 +- .../Security/CWE-022/TaintedPath.qlref | 4 +- .../Security/CWE-022/UnsafeUnzipSymlink.go | 8 +- .../Security/CWE-022/UnsafeUnzipSymlink.qlref | 4 +- .../CWE-022/UnsafeUnzipSymlinkGood.go | 4 +- .../query-tests/Security/CWE-022/ZipSlip.go | 4 +- .../Security/CWE-022/ZipSlip.qlref | 4 +- .../query-tests/Security/CWE-022/tarslip.go | 4 +- .../test/query-tests/Security/CWE-022/tst.go | 4 +- .../Security/CWE-078/ArgumentInjection.go | 4 +- .../Security/CWE-078/CommandInjection.go | 4 +- .../Security/CWE-078/CommandInjection.qlref | 4 +- .../Security/CWE-078/CommandInjection2.go | 8 +- .../Security/CWE-078/GitSubcommands.go | 16 +- .../Security/CWE-078/SanitizingDoubleDash.go | 36 ++-- .../Security/CWE-078/StoredCommand.go | 4 +- .../Security/CWE-078/StoredCommand.qlref | 4 +- .../Security/CWE-089/SqlInjection.go | 4 +- .../Security/CWE-089/SqlInjection.qlref | 4 +- .../Security/CWE-089/StringBreak.go | 4 +- .../Security/CWE-089/StringBreak.qlref | 4 +- .../Security/CWE-089/StringBreakMismatched.go | 8 +- .../query-tests/Security/CWE-089/issue48.go | 12 +- .../test/query-tests/Security/CWE-089/main.go | 22 +-- .../query-tests/Security/CWE-089/mongoDB.go | 30 ++-- .../CWE-190/AllocationSizeOverflow.go | 4 +- .../CWE-190/AllocationSizeOverflow.qlref | 4 +- .../test/query-tests/Security/CWE-190/tst.go | 16 +- .../test/query-tests/Security/CWE-190/tst2.go | 8 +- 
.../test/query-tests/Security/CWE-190/tst3.go | 8 +- .../Security/CWE-209/StackTraceExposure.qlref | 3 +- .../test/query-tests/Security/CWE-209/test.go | 4 +- .../DisabledCertificateCheck.go | 2 +- .../DisabledCertificateCheck.qlref | 3 +- .../CWE-295/DisabledCertificateCheck/main.go | 6 +- .../CWE-322/InsecureHostKeyCallback.qlref | 4 +- .../CWE-322/InsecureHostKeyCallbackExample.go | 36 ++-- .../Security/CWE-326/InsufficientKeySize.go | 22 +-- .../CWE-326/InsufficientKeySize.qlref | 3 +- .../query-tests/Security/CWE-327/UnsafeTLS.go | 94 +++++----- .../Security/CWE-327/UnsafeTLS.qlref | 4 +- .../InsecureRandomness/InsecureRandomness.go | 2 +- .../InsecureRandomness.qlref | 4 +- .../CWE-338/InsecureRandomness/sample.go | 14 +- .../CWE-347/MissingJwtSignatureCheck.qlref | 4 +- .../Security/CWE-347/go-jose.v3.go | 4 +- .../Security/CWE-347/golang-jwt-v5.go | 4 +- .../Security/CWE-352/ConstantOauth2State.go | 16 +- .../CWE-352/ConstantOauth2State.qlref | 3 +- .../BadRedirectCheck/BadRedirectCheck.go | 4 +- .../BadRedirectCheck/BadRedirectCheck.qlref | 4 +- .../Security/CWE-601/BadRedirectCheck/cves.go | 18 +- .../Security/CWE-601/BadRedirectCheck/main.go | 24 +-- .../Security/CWE-643/XPathInjection.go | 4 +- .../Security/CWE-643/XPathInjection.qlref | 4 +- .../test/query-tests/Security/CWE-643/tst.go | 90 +++++----- .../CWE-798/AlertSuppressionExample.go | 2 +- .../Security/CWE-798/HardcodedCredentials.go | 2 +- .../Security/CWE-798/HardcodedKeysBad.go | 2 +- .../test/query-tests/Security/CWE-798/jwt.go | 38 ++-- .../test/query-tests/Security/CWE-798/main.go | 2 +- .../query-tests/Security/CWE-798/sanitizer.go | 2 +- 200 files changed, 959 insertions(+), 833 deletions(-)
diff --git a/go/ql/test/experimental/CWE-090/LDAPInjection.go b/go/ql/test/experimental/CWE-090/LDAPInjection.go
index 87741a08d28a..b0fbbb6659d4 100644
--- a/go/ql/test/experimental/CWE-090/LDAPInjection.go
+++ b/go/ql/test/experimental/CWE-090/LDAPInjection.go
@@ -54,31 +54,31 @@ func main() {}
 // bad is an example of a bad implementation
 func (ld *Ldap) bad(req *http.Request) {
 // ...
- untrusted := req.UserAgent()
+ untrusted := req.UserAgent() // $ Source[go/ldap-injection]
 goldap.NewSearchRequest(
- untrusted, // BAD: untrusted dn
+ untrusted, // $ Alert[go/ldap-injection] // BAD: untrusted dn
 goldap.ScopeWholeSubtree, goldap.NeverDerefAliases, 0, 0, false,
- "(&(objectClass=organizationalPerson))"+untrusted, // BAD: untrusted filter
- []string{"dn", "cn", untrusted}, // BAD: untrusted attribute
+ "(&(objectClass=organizationalPerson))"+untrusted, // $ Alert[go/ldap-injection] // BAD: untrusted filter
+ []string{"dn", "cn", untrusted}, // $ Alert[go/ldap-injection] // BAD: untrusted attribute
 nil,
 )
 goldapv3.NewSearchRequest(
- untrusted, // BAD: untrusted dn
+ untrusted, // $ Alert[go/ldap-injection] // BAD: untrusted dn
 goldap.ScopeWholeSubtree, goldap.NeverDerefAliases, 0, 0, false,
- "(&(objectClass=organizationalPerson))"+untrusted, // BAD: untrusted filter
- []string{"dn", "cn", untrusted}, // BAD: untrusted attribute
+ "(&(objectClass=organizationalPerson))"+untrusted, // $ Alert[go/ldap-injection] // BAD: untrusted filter
+ []string{"dn", "cn", untrusted}, // $ Alert[go/ldap-injection] // BAD: untrusted attribute
 nil,
 )
 gopkgldapv2.NewSearchRequest(
- untrusted, // BAD: untrusted dn
+ untrusted, // $ Alert[go/ldap-injection] // BAD: untrusted dn
 goldap.ScopeWholeSubtree, goldap.NeverDerefAliases, 0, 0, false,
- "(&(objectClass=organizationalPerson))"+untrusted, // BAD: untrusted filter
- []string{"dn", "cn", untrusted}, // BAD: untrusted attribute
+ "(&(objectClass=organizationalPerson))"+untrusted, // $ Alert[go/ldap-injection] // BAD: untrusted filter
+ []string{"dn", "cn", untrusted}, // $ Alert[go/ldap-injection] // BAD: untrusted attribute
 nil,
 )
 client := &ldapclient.LDAPClient{}
- client.Authenticate(untrusted, "123456") // BAD: untrusted filter
- client.GetGroupsOfUser(untrusted) // BAD: untrusted filter
+ client.Authenticate(untrusted, "123456") // $ Alert[go/ldap-injection] // BAD: untrusted filter
+ client.GetGroupsOfUser(untrusted) // $ Alert[go/ldap-injection] // BAD: untrusted filter
 // ...
 }
diff --git a/go/ql/test/experimental/CWE-090/LDAPInjection.qlref b/go/ql/test/experimental/CWE-090/LDAPInjection.qlref
index 7049e09a7265..45935a174c4f 100644
--- a/go/ql/test/experimental/CWE-090/LDAPInjection.qlref
+++ b/go/ql/test/experimental/CWE-090/LDAPInjection.qlref
@@ -1,2 +1,4 @@
 query: experimental/CWE-090/LDAPInjection.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+ - utils/test/PrettyPrintModels.ql
+ - utils/test/InlineExpectationsTestQuery.ql
diff --git a/go/ql/test/experimental/CWE-203/Timing.qlref b/go/ql/test/experimental/CWE-203/Timing.qlref
index 7306096e724e..e14641beccfe 100644
--- a/go/ql/test/experimental/CWE-203/Timing.qlref
+++ b/go/ql/test/experimental/CWE-203/Timing.qlref
@@ -1,2 +1,4 @@
 query: experimental/CWE-203/Timing.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+ - utils/test/PrettyPrintModels.ql
+ - utils/test/InlineExpectationsTestQuery.ql
diff --git a/go/ql/test/experimental/CWE-203/timing.go b/go/ql/test/experimental/CWE-203/timing.go
index 43401bd4111c..236965929d14 100644
--- a/go/ql/test/experimental/CWE-203/timing.go
+++ b/go/ql/test/experimental/CWE-203/timing.go
@@ -12,9 +12,9 @@ func bad(w http.ResponseWriter, req *http.Request) (interface{}, error) {
 secret := "MySuperSecretPasscode"
 secretHeader := "X-Secret"
- headerSecret := req.Header.Get(secretHeader)
+ headerSecret := req.Header.Get(secretHeader) // $ Source[go/timing-attack]
 secretStr := string(secret)
- if len(headerSecret) != 0 && headerSecret != secretStr {
+ if len(headerSecret) != 0 && headerSecret != secretStr { // $ Alert[go/timing-attack]
 return nil, fmt.Errorf("header %s=%s did not match expected secret", secretHeader, headerSecret)
 }
 return nil, nil
@@ -25,9 +25,9 @@ func bad2(w http.ResponseWriter, req *http.Request) (interface{}, error) {
 secret := "MySuperSecretPasscode"
 secretHeader := "X-Secret"
- headerSecret := req.Header.Get(secretHeader)
+ headerSecret := req.Header.Get(secretHeader) // $ Source[go/timing-attack]
 secretStr := string(secret)
- if len(headerSecret) != 0 && strings.Compare(headerSecret, secretStr) != 0 {
+ if len(headerSecret) != 0 && strings.Compare(headerSecret, secretStr) != 0 { // $ Alert[go/timing-attack]
 return nil, fmt.Errorf("header %s=%s did not match expected secret", secretHeader, headerSecret)
 }
 return nil, nil
@@ -38,8 +38,8 @@ func bad4(w http.ResponseWriter, req *http.Request) (interface{}, error) {
 secret := "MySuperSecretPasscode"
 secretHeader := "X-Secret"
- headerSecret := req.Header.Get(secretHeader)
- if len(secret) != 0 && headerSecret != "SecretStringLiteral" {
+ headerSecret := req.Header.Get(secretHeader) // $ Source[go/timing-attack]
+ if len(secret) != 0 && headerSecret != "SecretStringLiteral" { // $ Alert[go/timing-attack]
 return nil, fmt.Errorf("header %s=%s did not match expected secret", secretHeader, headerSecret)
 }
 return nil, nil
diff --git a/go/ql/test/experimental/CWE-285/PamAuthBypass.qlref b/go/ql/test/experimental/CWE-285/PamAuthBypass.qlref
index 8a1d5b259e0b..2e1f249dba39 100644
--- a/go/ql/test/experimental/CWE-285/PamAuthBypass.qlref
+++ b/go/ql/test/experimental/CWE-285/PamAuthBypass.qlref
@@ -1 +1,3 @@
-experimental/CWE-285/PamAuthBypass.ql
\ No newline at end of file
+query: experimental/CWE-285/PamAuthBypass.ql
+postprocess:
+ - utils/test/InlineExpectationsTestQuery.ql
diff --git a/go/ql/test/experimental/CWE-285/main.go b/go/ql/test/experimental/CWE-285/main.go
index b0607a74a410..ff66bada592a 100644
--- a/go/ql/test/experimental/CWE-285/main.go
+++ b/go/ql/test/experimental/CWE-285/main.go
@@ -9,7 +9,7 @@ import (
 func bad() error {
 t, _ := pam.StartFunc("", "", func(s pam.Style, msg string) (string, error) {
 return "", nil
- })
+ }) // $ Alert[go/pam-auth-bypass]
 return t.Authenticate(0)
 }
diff --git a/go/ql/test/experimental/CWE-287/ImproperLdapAuth.go b/go/ql/test/experimental/CWE-287/ImproperLdapAuth.go
index b4e7b796b909..77182f326fb8 100644
--- a/go/ql/test/experimental/CWE-287/ImproperLdapAuth.go
+++ b/go/ql/test/experimental/CWE-287/ImproperLdapAuth.go
@@ -15,7 +15,7 @@ func bad(w http.ResponseWriter, req *http.Request) (interface{}, error) {
 ldapServer := "ldap.example.com"
 ldapPort := 389
 bindDN := "cn=admin,dc=example,dc=com"
- bindPassword := req.URL.Query()["password"][0]
+ bindPassword := req.URL.Query()["password"][0] // $ Source[go/improper-ldap-auth]
 // Connect to the LDAP server
 l, err := ldap.Dial("tcp", fmt.Sprintf("%s:%d", ldapServer, ldapPort))
@@ -25,7 +25,7 @@ func bad(w http.ResponseWriter, req *http.Request) (interface{}, error) {
 defer l.Close()
 // BAD: user input is not sanetized
- err = l.Bind(bindDN, bindPassword)
+ err = l.Bind(bindDN, bindPassword) // $ Alert[go/improper-ldap-auth]
 if err != nil {
 return fmt.Errorf("LDAP bind failed: %v", err), err
 }
@@ -84,7 +84,7 @@ func bad2(req *http.Request) {
 ldapPort := 389
 bindDN := "cn=admin,dc=example,dc=com"
 // BAD : empty password
- bindPassword := ""
+ bindPassword := "" // $ Source[go/improper-ldap-auth]
 // Connect to the LDAP server
 l, err := ldap.Dial("tcp", fmt.Sprintf("%s:%d", ldapServer, ldapPort))
@@ -94,7 +94,7 @@ func bad2(req *http.Request) {
 defer l.Close()
 // BAD : bindPassword is empty
- err = l.Bind(bindDN, bindPassword)
+ err = l.Bind(bindDN, bindPassword) // $ Alert[go/improper-ldap-auth]
 if err != nil {
 log.Fatalf("LDAP bind failed: %v", err)
 }
diff --git a/go/ql/test/experimental/CWE-287/ImproperLdapAuth.qlref b/go/ql/test/experimental/CWE-287/ImproperLdapAuth.qlref
index 35ca7800cc8a..409b5b3347db 100644
--- a/go/ql/test/experimental/CWE-287/ImproperLdapAuth.qlref
+++ b/go/ql/test/experimental/CWE-287/ImproperLdapAuth.qlref
@@ -1,2 +1,4 @@
 query: experimental/CWE-287/ImproperLdapAuth.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+ - utils/test/PrettyPrintModels.ql
+ - utils/test/InlineExpectationsTestQuery.ql
diff --git a/go/ql/test/experimental/CWE-321-V2/HardCodedKeys.qlref b/go/ql/test/experimental/CWE-321-V2/HardCodedKeys.qlref
index e6cee5464208..36dd0fb80ed9 100644
--- a/go/ql/test/experimental/CWE-321-V2/HardCodedKeys.qlref
+++ b/go/ql/test/experimental/CWE-321-V2/HardCodedKeys.qlref
@@ -1 +1,3 @@
-experimental/CWE-321-V2/HardCodedKeys.ql
\ No newline at end of file
+query: experimental/CWE-321-V2/HardCodedKeys.ql
+postprocess:
+ - utils/test/InlineExpectationsTestQuery.ql
diff --git a/go/ql/test/experimental/CWE-321-V2/go-jose.v3.go b/go/ql/test/experimental/CWE-321-V2/go-jose.v3.go
index e25624bb680f..7091c6d44bba 100644
--- a/go/ql/test/experimental/CWE-321-V2/go-jose.v3.go
+++ b/go/ql/test/experimental/CWE-321-V2/go-jose.v3.go
@@ -10,7 +10,7 @@ import (
 )
 // NOT OK
-var JwtKey = []byte("AllYourBase")
+var JwtKey = []byte("AllYourBase") // $ Source[go/parse-jwt-with-hardcoded-key] Alert[go/parse-jwt-with-hardcoded-key]
 func main2(r *http.Request) {
 signedToken := r.URL.Query().Get("signedToken")
@@ -21,7 +21,7 @@ func verifyJWT(signedToken string) {
 fmt.Println("verifying JWT")
 DecodedToken, _ := jwt.ParseSigned(signedToken)
 out := CustomerInfo{}
- if err := DecodedToken.Claims(JwtKey, &out); err != nil {
+ if err := DecodedToken.Claims(JwtKey, &out); err != nil { // $ Alert[go/parse-jwt-with-hardcoded-key] Source[go/parse-jwt-with-hardcoded-key]
 panic(err)
 }
 fmt.Printf("%v\n", out)
diff --git a/go/ql/test/experimental/CWE-321-V2/golang-jwt-v5.go b/go/ql/test/experimental/CWE-321-V2/golang-jwt-v5.go
index 71917160bdaa..eade8ec9bbcc 100644
--- a/go/ql/test/experimental/CWE-321-V2/golang-jwt-v5.go
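Review bot: Both annotated lines carry both tags — `var JwtKey = []byte("AllYourBase") // $ Source[go/parse-jwt-with-hardcoded-key] Alert[go/parse-jwt-with-hardcoded-key]` and, in the second hunk, the `DecodedToken.Claims(JwtKey, &out)` line — so the query evidently reports an alert at the key declaration as well as at the call that consumes it, and treats the call as a source too. If the intended finding is the parse/verify call that uses a hard-coded key, two alerts per test case doubles the result count and blurs which location the query means to surface; worth confirming against the query's select clause before the expectations lock that shape in. The same paired tagging appears in go/ql/test/experimental/CWE-321-V2/golang-jwt-v5.go on `JwtKey1` and on the `return JwtKey1, nil` in `LoadJwtKey`. If it is deliberate, a one-line comment above the declaration such as `// Both ends of the flow are reported: the key literal and the call that consumes it` would explain the paired tags to the next reader.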
+++ b/go/ql/test/experimental/CWE-321-V2/golang-jwt-v5.go
@@ -16,7 +16,7 @@ type CustomerInfo struct {
 }
 // BAD constant key
-var JwtKey1 = []byte("AllYourBase")
+var JwtKey1 = []byte("AllYourBase") // $ Source[go/parse-jwt-with-hardcoded-key] Alert[go/parse-jwt-with-hardcoded-key]
 func main1(r *http.Request) {
 signedToken := r.URL.Query().Get("signedToken")
@@ -24,7 +24,7 @@ func main1(r *http.Request) {
 }
 func LoadJwtKey(token *jwt.Token) (interface{}, error) {
- return JwtKey1, nil
+ return JwtKey1, nil // $ Alert[go/parse-jwt-with-hardcoded-key] Source[go/parse-jwt-with-hardcoded-key]
 }
 func verifyJWT_golangjwt(signedToken string) {
diff --git a/go/ql/test/experimental/CWE-369/DivideByZero.go b/go/ql/test/experimental/CWE-369/DivideByZero.go
index 613479981b1e..c4f06a60be92 100644
--- a/go/ql/test/experimental/CWE-369/DivideByZero.go
+++ b/go/ql/test/experimental/CWE-369/DivideByZero.go
@@ -7,37 +7,37 @@ import (
 )
 func myHandler1(w http.ResponseWriter, r *http.Request) {
- param1 := r.URL.Query()["param1"][0]
+ param1 := r.URL.Query()["param1"][0] // $ Source[go/divide-by-zero]
 value, _ := strconv.Atoi(param1)
- out := 1337 / value
+ out := 1337 / value // $ Alert[go/divide-by-zero]
 fmt.Println(out)
 }
 func myHandler2(w http.ResponseWriter, r *http.Request) {
- param1 := r.URL.Query()["param1"][0]
+ param1 := r.URL.Query()["param1"][0] // $ Source[go/divide-by-zero]
 value := int(param1[0])
- out := 1337 / value
+ out := 1337 / value // $ Alert[go/divide-by-zero]
 fmt.Println(out)
 }
 func myHandler3(w http.ResponseWriter, r *http.Request) {
- param1 := r.URL.Query()["param1"][0]
+ param1 := r.URL.Query()["param1"][0] // $ Source[go/divide-by-zero]
 value, _ := strconv.ParseInt(param1, 10, 64)
- out := 1337 / value
+ out := 1337 / value // $ Alert[go/divide-by-zero]
 fmt.Println(out)
 }
 func myHandler4(w http.ResponseWriter, r *http.Request) {
- param1 := r.URL.Query()["param1"][0]
+ param1 := r.URL.Query()["param1"][0] // $ Source[go/divide-by-zero]
 value, _ := strconv.ParseFloat(param1, 32)
- out := 1337 / value
+ out := 1337 / value // $ Alert[go/divide-by-zero]
 fmt.Println(out)
 }
 func myHandler5(w http.ResponseWriter, r *http.Request) {
- param1 := r.URL.Query()["param1"][0]
+ param1 := r.URL.Query()["param1"][0] // $ Source[go/divide-by-zero]
 value, _ := strconv.ParseUint(param1, 10, 64)
- out := 1337 / value
+ out := 1337 / value // $ Alert[go/divide-by-zero]
 fmt.Println(out)
 }
@@ -51,10 +51,10 @@ func myHandler6(w http.ResponseWriter, r *http.Request) {
 }
 func myHandler7(w http.ResponseWriter, r *http.Request) {
- param1 := r.URL.Query()["param1"][0]
+ param1 := r.URL.Query()["param1"][0] // $ Source[go/divide-by-zero]
 value := int(param1[0])
 if value >= 0 {
- out := 1337 / value
+ out := 1337 / value // $ Alert[go/divide-by-zero]
 fmt.Println(out)
 }
 }
diff --git a/go/ql/test/experimental/CWE-369/DivideByZero.qlref b/go/ql/test/experimental/CWE-369/DivideByZero.qlref
index 80eca2d32193..0713092d4b8a 100644
--- a/go/ql/test/experimental/CWE-369/DivideByZero.qlref
+++ b/go/ql/test/experimental/CWE-369/DivideByZero.qlref
@@ -1,2 +1,4 @@
 query: experimental/CWE-369/DivideByZero.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+ - utils/test/PrettyPrintModels.ql
+ - utils/test/InlineExpectationsTestQuery.ql
diff --git a/go/ql/test/experimental/CWE-400/DatabaseCallInLoop.go b/go/ql/test/experimental/CWE-400/DatabaseCallInLoop.go
index 138bbbcd9d48..d29b9d305c93 100644
--- a/go/ql/test/experimental/CWE-400/DatabaseCallInLoop.go
+++ b/go/ql/test/experimental/CWE-400/DatabaseCallInLoop.go
@@ -6,8 +6,8 @@ func getUsers(db *gorm.DB, names []string) []User {
 res := make([]User, 0, len(names))
 for _, name := range names {
 var user User
- db.Where("name = ?", name).First(&user)
+ db.Where("name = ?", name).First(&user) // $ Alert[go/examples/database-call-in-loop] Source[go/examples/database-call-in-loop]
 res = append(res, user)
- }
+ } // $ Source[go/examples/database-call-in-loop] Alert[go/examples/database-call-in-loop]
 return res
 }
diff --git a/go/ql/test/experimental/CWE-400/DatabaseCallInLoop.qlref b/go/ql/test/experimental/CWE-400/DatabaseCallInLoop.qlref
index 63f27c9b41fc..fdbdf98fd1de 100644
--- a/go/ql/test/experimental/CWE-400/DatabaseCallInLoop.qlref
+++ b/go/ql/test/experimental/CWE-400/DatabaseCallInLoop.qlref
@@ -1 +1,3 @@
-experimental/CWE-400/DatabaseCallInLoop.ql
+query: experimental/CWE-400/DatabaseCallInLoop.ql
+postprocess:
+ - utils/test/InlineExpectationsTestQuery.ql
diff --git a/go/ql/test/experimental/CWE-400/test.go b/go/ql/test/experimental/CWE-400/test.go
index 725fb541b386..02360fa8cd91 100644
--- a/go/ql/test/experimental/CWE-400/test.go
+++ b/go/ql/test/experimental/CWE-400/test.go
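Review bot: The expectation on the loop's closing brace, `} // $ Source[go/examples/database-call-in-loop] Alert[go/examples/database-call-in-loop]`, attaches both tags to a line that holds no call, so a reader of the test cannot tell what is being reported there; presumably the query selects the enclosing `for` statement and the inline-expectation matcher keys on its end line, but that is inferred rather than visible in the hunk. The same brace-anchored expectations recur in go/ql/test/experimental/CWE-400/test.go, including on the closing braces of `runQuery` and `runRunQuery`, where the end of a function body is tagged as both Source and Alert. If the query's reported element is the loop or the function, reporting the `db` call (or the loop header) instead would put the expectation on the line a maintainer actually reads; otherwise a short comment at the top of `getUsers`, e.g. `// Expectations on closing braces mark the end line of the reported loop/function`, would spare the next reader the puzzle. The tag order also alternates between `Alert … Source` on the call line and `Source … Alert` on the brace; one order throughout keeps the annotations greppable.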
@@ -8,20 +8,20 @@ type User struct {
 }
 func runQuery(db *gorm.DB) {
- db.Take(nil)
-}
+ db.Take(nil) // $ Alert[go/examples/database-call-in-loop] Source[go/examples/database-call-in-loop]
+} // $ Alert[go/examples/database-call-in-loop] Source[go/examples/database-call-in-loop]
 func runRunQuery(db *gorm.DB) {
- runQuery(db)
-}
+ runQuery(db) // $ Source[go/examples/database-call-in-loop] Alert[go/examples/database-call-in-loop]
+} // $ Alert[go/examples/database-call-in-loop] Source[go/examples/database-call-in-loop]
 func main() {
 var db *gorm.DB
 for i := 0; i < 10; i++ {
- runQuery(db)
- }
+ runQuery(db) // $ Source[go/examples/database-call-in-loop] Alert[go/examples/database-call-in-loop]
+ } // $ Source[go/examples/database-call-in-loop] Alert[go/examples/database-call-in-loop]
 for i := 10; i > 0; i-- {
- runRunQuery(db)
- }
+ runRunQuery(db) // $ Source[go/examples/database-call-in-loop] Alert[go/examples/database-call-in-loop]
+ } // $ Source[go/examples/database-call-in-loop] Alert[go/examples/database-call-in-loop]
 }
diff --git a/go/ql/test/experimental/CWE-522-DecompressionBombs/DecompressionBombs.qlref b/go/ql/test/experimental/CWE-522-DecompressionBombs/DecompressionBombs.qlref
index 93d41075d5f3..367d7bfe2fd5 100644
--- a/go/ql/test/experimental/CWE-522-DecompressionBombs/DecompressionBombs.qlref
+++ b/go/ql/test/experimental/CWE-522-DecompressionBombs/DecompressionBombs.qlref
@@ -1,2 +1,4 @@
 query: experimental/CWE-522-DecompressionBombs/DecompressionBombs.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+ - utils/test/PrettyPrintModels.ql
+ - utils/test/InlineExpectationsTestQuery.ql
diff --git a/go/ql/test/experimental/CWE-522-DecompressionBombs/test.go b/go/ql/test/experimental/CWE-522-DecompressionBombs/test.go
index dc359c387ac9..f5131f880175 100644
--- a/go/ql/test/experimental/CWE-522-DecompressionBombs/test.go
+++ b/go/ql/test/experimental/CWE-522-DecompressionBombs/test.go
@@ -56,41 +56,41 @@ func main() {
 func DecompressHandler(w http.ResponseWriter, request *http.Request) {
 GZipOpenReaderSafe(request.PostFormValue("test"))
 ZipOpenReaderSafe(request.PostFormValue("test"))
- ZipOpenReader(request.FormValue("filepath"))
- ZipNewReader(request.Body)
- ZipNewReaderKlauspost(request.Body)
- Bzip2Dsnet(request.Body)
+ ZipOpenReader(request.FormValue("filepath")) // $ Source[go/uncontrolled-file-decompression]
+ ZipNewReader(request.Body) // $ Source[go/uncontrolled-file-decompression]
+ ZipNewReaderKlauspost(request.Body) // $ Source[go/uncontrolled-file-decompression]
+ Bzip2Dsnet(request.Body) // $ Source[go/uncontrolled-file-decompression]
 Bzip2DsnetSafe(request.Body)
- Bzip2(request.Body)
+ Bzip2(request.Body) // $ Source[go/uncontrolled-file-decompression]
 Bzip2Safe(request.Body)
- Flate(request.Body)
+ Flate(request.Body) // $ Source[go/uncontrolled-file-decompression]
 FlateSafe(request.Body)
- FlateKlauspost(request.Body)
+ FlateKlauspost(request.Body) // $ Source[go/uncontrolled-file-decompression]
 FlateKlauspostSafe(request.Body)
- FlateDsnet(request.Body)
+ FlateDsnet(request.Body) // $ Source[go/uncontrolled-file-decompression]
 FlateDsnetSafe(request.Body)
- ZlibKlauspost(request.Body)
+ ZlibKlauspost(request.Body) // $ Source[go/uncontrolled-file-decompression]
 ZlibKlauspostSafe(request.Body)
- Zlib(request.Body)
+ Zlib(request.Body) // $ Source[go/uncontrolled-file-decompression]
 ZlibSafe(request.Body)
- Snappy(request.Body)
+ Snappy(request.Body) // $ Source[go/uncontrolled-file-decompression]
 SnappySafe(request.Body)
- SnappyKlauspost(request.Body)
+ SnappyKlauspost(request.Body) // $ Source[go/uncontrolled-file-decompression]
 SnappyKlauspostSafe(request.Body)
- S2(request.Body)
+ S2(request.Body) // $ Source[go/uncontrolled-file-decompression]
 S2Safe(request.Body)
- Gzip(request.Body)
+ Gzip(request.Body) // $ Source[go/uncontrolled-file-decompression]
 GzipSafe(request.Body)
- GZipIoReader(request.Body, "dest")
- GzipKlauspost(request.Body)
+ GZipIoReader(request.Body, "dest") // $ Source[go/uncontrolled-file-decompression]
+ GzipKlauspost(request.Body) // $ Source[go/uncontrolled-file-decompression]
 GzipKlauspostSafe(request.Body)
- PzipKlauspost(request.Body)
+ PzipKlauspost(request.Body) // $ Source[go/uncontrolled-file-decompression]
 PzipKlauspostSafe(request.Body)
- Zstd_Klauspost(request.Body)
+ Zstd_Klauspost(request.Body) // $ Source[go/uncontrolled-file-decompression]
 Zstd_KlauspostSafe(request.Body)
- Zstd_DataDog(request.Body)
+ Zstd_DataDog(request.Body) // $ Source[go/uncontrolled-file-decompression]
 Zstd_DataDogSafe(request.Body)
- Xz(request.Body)
+ Xz(request.Body) // $ Source[go/uncontrolled-file-decompression]
 XzSafe(request.Body)
 }
@@ -131,7 +131,7 @@ func ZipOpenReader(filename string) {
 for _, f := range zipReader.File {
 rc, _ := f.Open()
 for {
- result, _ := io.CopyN(os.Stdout, rc, 68) // $ hasValueFlow="rc"
+ result, _ := io.CopyN(os.Stdout, rc, 68) // $ hasValueFlow="rc" Alert[go/uncontrolled-file-decompression]
 if result == 0 {
 _ = rc.Close()
 break
@@ -144,7 +144,7 @@ func ZipOpenReader(filename string) {
 for _, f := range zipKlauspostReader.File {
 rc, _ := f.Open()
 for {
- result, _ := io.CopyN(os.Stdout, rc, 68) // $ hasValueFlow="rc"
+ result, _ := io.CopyN(os.Stdout, rc, 68) // $ hasValueFlow="rc" Alert[go/uncontrolled-file-decompression]
 if result == 0 {
 _ = rc.Close()
 break
@@ -161,7 +161,7 @@ func ZipNewReader(file io.Reader) {
 for _, file := range zipReader.File {
 fileWriter := bytes.NewBuffer([]byte{})
 fileReaderCloser, _ := file.Open()
- result, _ := io.Copy(fileWriter, fileReaderCloser) // $ hasValueFlow="fileReaderCloser"
+ result, _ := io.Copy(fileWriter, fileReaderCloser) // $ hasValueFlow="fileReaderCloser" Alert[go/uncontrolled-file-decompression]
 fmt.Print(result)
 }
 }
@@ -173,7 +173,7 @@ func ZipNewReaderKlauspost(file io.Reader) {
 fileWriter := bytes.NewBuffer([]byte{})
 // file.OpenRaw()
 fileReaderCloser, _ := file.Open()
- result, _ := io.Copy(fileWriter, fileReaderCloser) // $ hasValueFlow="fileReaderCloser"
+ result, _ := io.Copy(fileWriter, fileReaderCloser) // $ hasValueFlow="fileReaderCloser" Alert[go/uncontrolled-file-decompression]
 fmt.Print(result)
 }
 }
@@ -183,7 +183,7 @@ func Bzip2Dsnet(file io.Reader) {
 bzip2Reader, _ := bzip2Dsnet.NewReader(file, &bzip2Dsnet.ReaderConfig{})
 var out []byte = make([]byte, 70)
- bzip2Reader.Read(out) // $ hasValueFlow="bzip2Reader"
+ bzip2Reader.Read(out) // $ hasValueFlow="bzip2Reader" Alert[go/uncontrolled-file-decompression]
 tarRead = tar.NewReader(bzip2Reader)
 TarDecompressor(tarRead)
@@ -210,7 +210,7 @@ func Bzip2(file io.Reader) {
 bzip2Reader := bzip2.NewReader(file)
 var out []byte = make([]byte, 70)
- bzip2Reader.Read(out) // $ hasValueFlow="bzip2Reader"
+ bzip2Reader.Read(out) // $ hasValueFlow="bzip2Reader" Alert[go/uncontrolled-file-decompression]
 tarRead = tar.NewReader(bzip2Reader)
 TarDecompressor(tarRead)
@@ -235,7 +235,7 @@ func Flate(file io.Reader) {
 flateReader := flate.NewReader(file)
 var out []byte = make([]byte, 70)
- flateReader.Read(out) // $ hasValueFlow="flateReader"
+ flateReader.Read(out) // $ hasValueFlow="flateReader" Alert[go/uncontrolled-file-decompression]
 tarRead = tar.NewReader(flateReader)
 TarDecompressor(tarRead)
@@ -260,7 +260,7 @@ func FlateKlauspost(file io.Reader) {
 flateReader := flateKlauspost.NewReader(file)
 var out []byte = make([]byte, 70)
- flateReader.Read(out) // $ hasValueFlow="flateReader"
+ flateReader.Read(out) // $ hasValueFlow="flateReader" Alert[go/uncontrolled-file-decompression]
 tarRead = tar.NewReader(flateReader)
 TarDecompressor(tarRead)
@@ -285,7 +285,7 @@ func FlateDsnet(file io.Reader) {
 flateReader, _ := flateDsnet.NewReader(file, &flateDsnet.ReaderConfig{})
 var out []byte = make([]byte, 70)
- flateReader.Read(out) // $ hasValueFlow="flateReader"
+ flateReader.Read(out) // $ hasValueFlow="flateReader" Alert[go/uncontrolled-file-decompression]
 tarRead = tar.NewReader(flateReader)
 TarDecompressor(tarRead)
@@ -310,7 +310,7 @@ func ZlibKlauspost(file io.Reader) {
 zlibReader, _ := zlibKlauspost.NewReader(file)
 var out []byte = make([]byte, 70)
- zlibReader.Read(out) // $ hasValueFlow="zlibReader"
+ zlibReader.Read(out) // $ hasValueFlow="zlibReader" Alert[go/uncontrolled-file-decompression]
 tarRead = tar.NewReader(zlibReader)
 TarDecompressor(tarRead)
@@ -335,7 +335,7 @@ func Zlib(file io.Reader) {
 zlibReader, _ := zlib.NewReader(file)
 var out []byte = make([]byte, 70)
- zlibReader.Read(out) // $ hasValueFlow="zlibReader"
+ zlibReader.Read(out) // $ hasValueFlow="zlibReader" Alert[go/uncontrolled-file-decompression]
 tarRead = tar.NewReader(zlibReader)
 TarDecompressor(tarRead)
@@ -360,8 +360,8 @@ func Snappy(file io.Reader) {
 snappyReader := snappy.NewReader(file)
 var out []byte = make([]byte, 70)
- snappyReader.Read(out) // $ hasValueFlow="snappyReader"
- snappyReader.ReadByte() // $ hasValueFlow="snappyReader"
+ snappyReader.Read(out) // $ hasValueFlow="snappyReader" Alert[go/uncontrolled-file-decompression]
+ snappyReader.ReadByte() // $ hasValueFlow="snappyReader" Alert[go/uncontrolled-file-decompression]
 tarRead = tar.NewReader(snappyReader)
 TarDecompressor(tarRead)
@@ -386,10 +386,10 @@ func SnappyKlauspost(file io.Reader) { snappyReader := snappyKlauspost.NewReader(file) var out []byte = make([]byte, 70) - snappyReader.Read(out) // $ hasValueFlow="snappyReader" + snappyReader.Read(out) // $ hasValueFlow="snappyReader" Alert[go/uncontrolled-file-decompression] var buf bytes.Buffer - snappyReader.DecodeConcurrent(&buf, 2) // $ hasValueFlow="snappyReader" - snappyReader.ReadByte() // $ hasValueFlow="snappyReader" + snappyReader.DecodeConcurrent(&buf, 2) // $ hasValueFlow="snappyReader" Alert[go/uncontrolled-file-decompression] + snappyReader.ReadByte() // $ hasValueFlow="snappyReader" Alert[go/uncontrolled-file-decompression] tarRead = tar.NewReader(snappyReader) TarDecompressor(tarRead) @@ -414,10 +414,10 @@ func S2(file io.Reader) { s2Reader := s2.NewReader(file) var out []byte = make([]byte, 70) - s2Reader.Read(out) // $ hasValueFlow="s2Reader" - s2Reader.ReadByte() // $ hasValueFlow="s2Reader" + s2Reader.Read(out) // $ hasValueFlow="s2Reader" Alert[go/uncontrolled-file-decompression] + s2Reader.ReadByte() // $ hasValueFlow="s2Reader" Alert[go/uncontrolled-file-decompression] var buf bytes.Buffer - s2Reader.DecodeConcurrent(&buf, 2) // $ hasValueFlow="s2Reader" + s2Reader.DecodeConcurrent(&buf, 2) // $ hasValueFlow="s2Reader" Alert[go/uncontrolled-file-decompression] tarRead = tar.NewReader(s2Reader) TarDecompressor(tarRead) 
@@ -442,14 +442,14 @@ func GZipIoReader(src io.Reader, dst string) { dstF, _ := os.OpenFile(dst, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0755) defer dstF.Close() newSrc := io.Reader(gzipReader) - _, _ = io.Copy(dstF, newSrc) // $ hasValueFlow="newSrc" + _, _ = io.Copy(dstF, newSrc) // $ hasValueFlow="newSrc" Alert[go/uncontrolled-file-decompression] } func Gzip(file io.Reader) { var tarRead *tar.Reader gzipReader, _ := gzip.NewReader(file) var out []byte = make([]byte, 70) - gzipReader.Read(out) // $ hasValueFlow="gzipReader" + gzipReader.Read(out) // $ hasValueFlow="gzipReader" Alert[go/uncontrolled-file-decompression] tarRead = tar.NewReader(gzipReader) TarDecompressor(tarRead) @@ -474,9 +474,9 @@ func GzipKlauspost(file io.Reader) { gzipReader, _ := gzipKlauspost.NewReader(file) var out []byte = make([]byte, 70) - gzipReader.Read(out) // $ hasValueFlow="gzipReader" + gzipReader.Read(out) // $ hasValueFlow="gzipReader" Alert[go/uncontrolled-file-decompression] var buf bytes.Buffer - gzipReader.WriteTo(&buf) // $ hasValueFlow="gzipReader" + gzipReader.WriteTo(&buf) // $ hasValueFlow="gzipReader" Alert[go/uncontrolled-file-decompression] tarRead = tar.NewReader(gzipReader) TarDecompressor(tarRead) @@ -501,9 +501,9 @@ func PzipKlauspost(file io.Reader) { pgzipReader, _ := pgzipKlauspost.NewReader(file) var out []byte = make([]byte, 70) - pgzipReader.Read(out) // $ hasValueFlow="pgzipReader" + pgzipReader.Read(out) // $ hasValueFlow="pgzipReader" Alert[go/uncontrolled-file-decompression] var buf bytes.Buffer - pgzipReader.WriteTo(&buf) // $ hasValueFlow="pgzipReader" + pgzipReader.WriteTo(&buf) // $ hasValueFlow="pgzipReader" Alert[go/uncontrolled-file-decompression] tarRead = tar.NewReader(pgzipReader) TarDecompressor(tarRead) 
@@ -528,11 +528,11 @@ func Zstd_Klauspost(file io.Reader) { zstdReader, _ := zstdKlauspost.NewReader(file) var out []byte = make([]byte, 70) - zstdReader.Read(out) // $ hasValueFlow="zstdReader" + zstdReader.Read(out) // $ hasValueFlow="zstdReader" Alert[go/uncontrolled-file-decompression] var buf bytes.Buffer - zstdReader.WriteTo(&buf) // $ hasValueFlow="zstdReader" + zstdReader.WriteTo(&buf) // $ hasValueFlow="zstdReader" Alert[go/uncontrolled-file-decompression] var src []byte - zstdReader.DecodeAll(src, nil) // $ hasValueFlow="zstdReader" + zstdReader.DecodeAll(src, nil) // $ hasValueFlow="zstdReader" Alert[go/uncontrolled-file-decompression] tarRead = tar.NewReader(zstdReader) TarDecompressor(tarRead) @@ -557,7 +557,7 @@ func Zstd_DataDog(file io.Reader) { zstdReader := zstdDataDog.NewReader(file) var out []byte = make([]byte, 70) - zstdReader.Read(out) // $ hasValueFlow="zstdReader" + zstdReader.Read(out) // $ hasValueFlow="zstdReader" Alert[go/uncontrolled-file-decompression] tarRead = tar.NewReader(zstdReader) TarDecompressor(tarRead) @@ -582,7 +582,7 @@ func Xz(file io.Reader) { xzReader, _ := xz.NewReader(file) var out []byte = make([]byte, 70) - xzReader.Read(out) // $ hasValueFlow="xzReader" + xzReader.Read(out) // $ hasValueFlow="xzReader" Alert[go/uncontrolled-file-decompression] tarRead = tar.NewReader(xzReader) fmt.Println(io.SeekStart) @@ -618,7 +618,7 @@ func TarDecompressor(tarRead *tar.Reader) { if cur.Typeflag != tar.TypeReg { continue } - data, _ := io.ReadAll(tarRead) // $ hasValueFlow="tarRead" + data, _ := io.ReadAll(tarRead) // $ hasValueFlow="tarRead" Alert[go/uncontrolled-file-decompression] files[cur.Name] = &fstest.MapFile{Data: data} } fmt.Print(files) 
@@ -626,7 +626,7 @@ func TarDecompressor(tarRead *tar.Reader) { func TarDecompressor2(tarRead *tar.Reader) { var tarOut []byte = make([]byte, 70) - tarRead.Read(tarOut) // $ hasValueFlow="tarRead" + tarRead.Read(tarOut) // $ hasValueFlow="tarRead" Alert[go/uncontrolled-file-decompression] fmt.Println("do sth with output:", tarOut) } diff --git a/go/ql/test/experimental/CWE-525/WebCacheDeception.qlref b/go/ql/test/experimental/CWE-525/WebCacheDeception.qlref index 8b0788ef904d..60704b312777 100644 --- a/go/ql/test/experimental/CWE-525/WebCacheDeception.qlref +++ b/go/ql/test/experimental/CWE-525/WebCacheDeception.qlref @@ -1 +1,3 @@ -experimental/CWE-525/WebCacheDeception.ql \ No newline at end of file +query: experimental/CWE-525/WebCacheDeception.ql +postprocess: + - utils/test/InlineExpectationsTestQuery.ql diff --git a/go/ql/test/experimental/CWE-525/WebCacheDeceptionBad.go b/go/ql/test/experimental/CWE-525/WebCacheDeceptionBad.go index 577fbd78c062..7f3fc670b7cc 100644 --- a/go/ql/test/experimental/CWE-525/WebCacheDeceptionBad.go +++ b/go/ql/test/experimental/CWE-525/WebCacheDeceptionBad.go @@ -79,7 +79,7 @@ func badRoutingNet() { http.Handle("/assets/", http.StripPrefix("/assets/", http.FileServer(http.Dir("assets/")))) - http.HandleFunc("/adminusers/", ShowAdminPageCache) + http.HandleFunc("/adminusers/", ShowAdminPageCache) // $ Alert[go/web-cache-deception] err := http.ListenAndServe(":1337", nil) if err != nil { log.Fatal("ListenAndServe: ", err) diff --git a/go/ql/test/experimental/CWE-525/WebCacheDeceptionFiber.go b/go/ql/test/experimental/CWE-525/WebCacheDeceptionFiber.go index 80f396c26dfd..a76395217a9b 100644 --- a/go/ql/test/experimental/CWE-525/WebCacheDeceptionFiber.go +++ b/go/ql/test/experimental/CWE-525/WebCacheDeceptionFiber.go 
@@ -12,12 +12,12 @@ func badRouting() { log.Println("We are logging in Golang!") // GET /api/register - app.Get("/api/*", func(c *fiber.Ctx) error { + app.Get("/api/*", func(c *fiber.Ctx) error { // $ Alert[go/web-cache-deception] msg := fmt.Sprintf("✋") return c.SendString(msg) // => ✋ register }) - app.Post("/api/*", func(c *fiber.Ctx) error { + app.Post("/api/*", func(c *fiber.Ctx) error { // $ Alert[go/web-cache-deception] msg := fmt.Sprintf("✋") return c.SendString(msg) // => ✋ register }) diff --git a/go/ql/test/experimental/CWE-525/WebCacheDeceptionGoChi.go b/go/ql/test/experimental/CWE-525/WebCacheDeceptionGoChi.go index 539dae1dee99..87815459ec13 100644 --- a/go/ql/test/experimental/CWE-525/WebCacheDeceptionGoChi.go +++ b/go/ql/test/experimental/CWE-525/WebCacheDeceptionGoChi.go @@ -10,7 +10,7 @@ import ( func badRoutingChi() { r := chi.NewRouter() r.Use(middleware.Logger) - r.Get("/*", func(w http.ResponseWriter, r *http.Request) { + r.Get("/*", func(w http.ResponseWriter, r *http.Request) { // $ Alert[go/web-cache-deception] w.Write([]byte("welcome")) }) http.ListenAndServe(":3000", r) diff --git a/go/ql/test/experimental/CWE-525/WebCacheDeceptionHTTPRouter.go b/go/ql/test/experimental/CWE-525/WebCacheDeceptionHTTPRouter.go index 864c6c5e31cd..12d32e603a3f 100644 --- a/go/ql/test/experimental/CWE-525/WebCacheDeceptionHTTPRouter.go +++ b/go/ql/test/experimental/CWE-525/WebCacheDeceptionHTTPRouter.go @@ -18,7 +18,7 @@ func Hello(w http.ResponseWriter, r *http.Request, ps httprouter.Params) { func badHTTPRouter() { router := httprouter.New() - router.GET("/test/*test", Index) + router.GET("/test/*test", Index) // $ Alert[go/web-cache-deception] router.GET("/hello/:name", Hello) log.Fatal(http.ListenAndServe(":8082", router)) diff --git a/go/ql/test/experimental/CWE-74/Dsn.go b/go/ql/test/experimental/CWE-74/Dsn.go index 3cdabc7cb3f2..56eee4a48eea 100644 --- a/go/ql/test/experimental/CWE-74/Dsn.go +++ b/go/ql/test/experimental/CWE-74/Dsn.go 
@@ -23,10 +23,10 @@ func good() (interface{}, error) { } func bad() interface{} { - name2 := os.Args[1:] + name2 := os.Args[1:] // $ Source[go/dsn-injection-local] // This is bad. `name` can be something like `test?allowAllFiles=true&` which will allow an attacker to access local files. dbDSN := fmt.Sprintf("%s:%s@tcp(%s:%d)/%s?charset=utf8", "username", "password", "127.0.0.1", 3306, name2[0]) - db, _ := sql.Open("mysql", dbDSN) + db, _ := sql.Open("mysql", dbDSN) // $ Alert[go/dsn-injection-local] return db } @@ -44,10 +44,10 @@ func good2(w http.ResponseWriter, req *http.Request) (interface{}, error) { } func bad2(w http.ResponseWriter, req *http.Request) interface{} { - name := req.FormValue("name") + name := req.FormValue("name") // $ Source[go/dsn-injection] // This is bad. `name` can be something like `test?allowAllFiles=true&` which will allow an attacker to access local files. dbDSN := fmt.Sprintf("%s:%s@tcp(%s:%d)/%s?charset=utf8", "username", "password", "127.0.0.1", 3306, name) - db, _ := sql.Open("mysql", dbDSN) + db, _ := sql.Open("mysql", dbDSN) // $ Alert[go/dsn-injection] return db } @@ -60,12 +60,12 @@ func (Config) Parse([]string) error { return nil } func RegexFuncModelTest(w http.ResponseWriter, req *http.Request) (interface{}, error) { cfg := NewConfig() - err := cfg.Parse(os.Args[1:]) // This is bad. `name` can be something like `test?allowAllFiles=true&` which will allow an attacker to access local files. + err := cfg.Parse(os.Args[1:]) // $ Source[go/dsn-injection-local] // This is bad. `name` can be something like `test?allowAllFiles=true&` which will allow an attacker to access local files. if err != nil { return nil, err } dbDSN := fmt.Sprintf("%s:%s@tcp(%s:%d)/%s?charset=utf8", "username", "password", "127.0.0.1", 3306, cfg.dsn) - db, _ := sql.Open("mysql", dbDSN) + db, _ := sql.Open("mysql", dbDSN) // $ Alert[go/dsn-injection-local] return db, nil } 
diff --git a/go/ql/test/experimental/CWE-74/DsnInjection.qlref b/go/ql/test/experimental/CWE-74/DsnInjection.qlref
index f8e0117d7351..1b4688980783 100644
--- a/go/ql/test/experimental/CWE-74/DsnInjection.qlref
+++ b/go/ql/test/experimental/CWE-74/DsnInjection.qlref
@@ -1,2 +1,4 @@
 query: experimental/CWE-74/DsnInjection.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+ - utils/test/PrettyPrintModels.ql
+ - utils/test/InlineExpectationsTestQuery.ql
diff --git a/go/ql/test/experimental/CWE-74/DsnInjectionLocal.qlref b/go/ql/test/experimental/CWE-74/DsnInjectionLocal.qlref
index f2d6116c7f1e..f0907dee9395 100644
--- a/go/ql/test/experimental/CWE-74/DsnInjectionLocal.qlref
+++ b/go/ql/test/experimental/CWE-74/DsnInjectionLocal.qlref
@@ -1,2 +1,4 @@
 query: experimental/CWE-74/DsnInjectionLocal.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+ - utils/test/PrettyPrintModels.ql
+ - utils/test/InlineExpectationsTestQuery.ql
diff --git a/go/ql/test/experimental/CWE-807/SensitiveConditionBypass.qlref b/go/ql/test/experimental/CWE-807/SensitiveConditionBypass.qlref
index da2ab35074a6..8351e509a370 100644
--- a/go/ql/test/experimental/CWE-807/SensitiveConditionBypass.qlref
+++ b/go/ql/test/experimental/CWE-807/SensitiveConditionBypass.qlref
@@ -1 +1,3 @@
-experimental/CWE-807/SensitiveConditionBypass.ql
+query: experimental/CWE-807/SensitiveConditionBypass.ql
+postprocess:
+ - utils/test/InlineExpectationsTestQuery.ql
diff --git a/go/ql/test/experimental/CWE-807/SensitiveConditionBypassBad.go b/go/ql/test/experimental/CWE-807/SensitiveConditionBypassBad.go
index bf8e70f88b76..fc7188ede6db 100644
--- a/go/ql/test/experimental/CWE-807/SensitiveConditionBypassBad.go
+++ b/go/ql/test/experimental/CWE-807/SensitiveConditionBypassBad.go
@@ -4,7 +4,7 @@ import "net/http" func example(w http.ResponseWriter, r *http.Request) { test2 := "test" - if r.Header.Get("X-Password") != test2 { + if r.Header.Get("X-Password") != test2 { // $ Alert[go/sensitive-condition-bypass] login() } } diff --git a/go/ql/test/experimental/CWE-807/condition.go b/go/ql/test/experimental/CWE-807/condition.go index ecd6b0a9f2a8..33726d36fc0c 100644 --- a/go/ql/test/experimental/CWE-807/condition.go +++ b/go/ql/test/experimental/CWE-807/condition.go @@ -13,7 +13,7 @@ const test = "localhost" // Should alert as authkey is sensitive func ex1(w http.ResponseWriter, r *http.Request) { - if r.Header.Get("Origin") != test { + if r.Header.Get("Origin") != test { // $ Alert[go/sensitive-condition-bypass] authkey := "randomDatta" io.WriteString(w, authkey) } @@ -22,7 +22,7 @@ func ex1(w http.ResponseWriter, r *http.Request) { // Should alert as authkey is sensitive func ex2(w http.ResponseWriter, r *http.Request) { test2 := "test" - if r.Header.Get("Origin") != test2 { + if r.Header.Get("Origin") != test2 { // $ Alert[go/sensitive-condition-bypass] authkey := "randomDatta2" io.WriteString(w, authkey) } @@ -31,7 +31,7 @@ func ex2(w http.ResponseWriter, r *http.Request) { // Should alert as login() is sensitive func ex3(w http.ResponseWriter, r *http.Request) { test2 := "test" - if r.Header.Get("Origin") != test2 { + if r.Header.Get("Origin") != test2 { // $ Alert[go/sensitive-condition-bypass] login() } } diff --git a/go/ql/test/experimental/CWE-840/ConditionalBypass.qlref b/go/ql/test/experimental/CWE-840/ConditionalBypass.qlref index 6d1676160552..8a212cdf8c96 100644 --- a/go/ql/test/experimental/CWE-840/ConditionalBypass.qlref +++ b/go/ql/test/experimental/CWE-840/ConditionalBypass.qlref @@ -1 +1,3 @@ -experimental/CWE-840/ConditionalBypass.ql +query: experimental/CWE-840/ConditionalBypass.ql +postprocess: + - utils/test/InlineExpectationsTestQuery.ql 
diff --git a/go/ql/test/experimental/CWE-840/ConditionalBypassBad.go b/go/ql/test/experimental/CWE-840/ConditionalBypassBad.go index b788dee2009c..2cf988dbe949 100644 --- a/go/ql/test/experimental/CWE-840/ConditionalBypassBad.go +++ b/go/ql/test/experimental/CWE-840/ConditionalBypassBad.go @@ -6,7 +6,7 @@ import ( func exampleHandlerBad(w http.ResponseWriter, r *http.Request) { // BAD: the Origin and Host headers are user controlled - if r.Header.Get("Origin") != "http://"+r.Host { + if r.Header.Get("Origin") != "http://"+r.Host { // $ Alert[go/user-controlled-bypass] //do something } } diff --git a/go/ql/test/experimental/CWE-840/condition.go b/go/ql/test/experimental/CWE-840/condition.go index 7b7b7480c104..a0f79d57f669 100644 --- a/go/ql/test/experimental/CWE-840/condition.go +++ b/go/ql/test/experimental/CWE-840/condition.go @@ -6,14 +6,14 @@ import ( // BAD: taken from https://www.gorillatoolkit.org/pkg/websocket func ex1(w http.ResponseWriter, r *http.Request) { - if r.Header.Get("Origin") != "http://"+r.Host { + if r.Header.Get("Origin") != "http://"+r.Host { // $ Alert[go/user-controlled-bypass] //do something } } // BAD: both operands are from remote sources func ex2(w http.ResponseWriter, r *http.Request) { - if r.Header.Get("Origin") != "http://"+r.Header.Get("Header") { + if r.Header.Get("Origin") != "http://"+r.Header.Get("Header") { // $ Alert[go/user-controlled-bypass] //do something } } diff --git a/go/ql/test/experimental/InconsistentCode/DeferInLoop.go b/go/ql/test/experimental/InconsistentCode/DeferInLoop.go index 1b57d1855b40..476a72a68f96 100644 --- a/go/ql/test/experimental/InconsistentCode/DeferInLoop.go +++ b/go/ql/test/experimental/InconsistentCode/DeferInLoop.go @@ -5,7 +5,7 @@ import "os" func openFiles(filenames []string) { for _, filename := range filenames { file, err := os.Open(filename) - defer file.Close() + defer file.Close() // $ Alert[go/examples/deferinloop] if err != nil { // handle error } 
diff --git a/go/ql/test/experimental/InconsistentCode/DeferInLoop.qlref b/go/ql/test/experimental/InconsistentCode/DeferInLoop.qlref index e50bcf4fdf62..ae9bde0a908f 100644 --- a/go/ql/test/experimental/InconsistentCode/DeferInLoop.qlref +++ b/go/ql/test/experimental/InconsistentCode/DeferInLoop.qlref @@ -1 +1,3 @@ -experimental/InconsistentCode/DeferInLoop.ql +query: experimental/InconsistentCode/DeferInLoop.ql +postprocess: + - utils/test/InlineExpectationsTestQuery.ql diff --git a/go/ql/test/experimental/InconsistentCode/GORMErrorNotChecked.go b/go/ql/test/experimental/InconsistentCode/GORMErrorNotChecked.go index 422e49b5f105..c24f9bad5a7d 100644 --- a/go/ql/test/experimental/InconsistentCode/GORMErrorNotChecked.go +++ b/go/ql/test/experimental/InconsistentCode/GORMErrorNotChecked.go @@ -4,6 +4,6 @@ import "gorm.io/gorm" func getUserId(db *gorm.DB, name string) int64 { var user User - db.Where("name = ?", name).First(&user) + db.Where("name = ?", name).First(&user) // $ Alert[go/examples/gorm-error-not-checked] return user.Id } diff --git a/go/ql/test/experimental/InconsistentCode/GORMErrorNotChecked.qlref b/go/ql/test/experimental/InconsistentCode/GORMErrorNotChecked.qlref index b52256ad5391..b994ca2153d7 100644 --- a/go/ql/test/experimental/InconsistentCode/GORMErrorNotChecked.qlref +++ b/go/ql/test/experimental/InconsistentCode/GORMErrorNotChecked.qlref @@ -1 +1,3 @@ -experimental/InconsistentCode/GORMErrorNotChecked.ql +query: experimental/InconsistentCode/GORMErrorNotChecked.ql +postprocess: + - utils/test/InlineExpectationsTestQuery.ql diff --git a/go/ql/test/experimental/InconsistentCode/test.go b/go/ql/test/experimental/InconsistentCode/test.go index 1dc64350bd41..ec893a14e74a 100644 --- a/go/ql/test/experimental/InconsistentCode/test.go +++ b/go/ql/test/experimental/InconsistentCode/test.go 
@@ -3,24 +3,24 @@ package main func test() { var xs []int for _ = range xs { - defer test() // not ok + defer test() // $ Alert[go/examples/deferinloop] // not ok } for _ = range xs { if true { - defer test() // not ok + defer test() // $ Alert[go/examples/deferinloop] // not ok } } for i := 0; i < 10; i++ { - defer test() + defer test() // $ Alert[go/examples/deferinloop] } for true { - defer test() // not ok + defer test() // $ Alert[go/examples/deferinloop] // not ok } for false { - defer test() // fine but caught + defer test() // $ Alert[go/examples/deferinloop] // fine but caught } } diff --git a/go/ql/test/experimental/Unsafe/WrongUsageOfUnsafe.go b/go/ql/test/experimental/Unsafe/WrongUsageOfUnsafe.go index 8599550039a6..e18df2c0d3b7 100644 --- a/go/ql/test/experimental/Unsafe/WrongUsageOfUnsafe.go +++ b/go/ql/test/experimental/Unsafe/WrongUsageOfUnsafe.go @@ -14,7 +14,7 @@ func good0() { // Read before secret without overflowing to secret: // NOTE: unsafe.Pointer(&harmless) == unsafe.Pointer(&harmless[0]) - var data = (*[8]byte)(unsafe.Pointer(&harmless)) // OK + var data = (*[8]byte)(unsafe.Pointer(&harmless)) // $ Alert[go/wrong-usage-of-unsafe] // OK fmt.Println(string((*data)[:])) @@ -31,7 +31,7 @@ func goodIndexExpr() { // Read before secret without overflowing to secret: // NOTE: unsafe.Pointer(&harmless) == unsafe.Pointer(&harmless[0]) - var data = (*[8]byte)(unsafe.Pointer(&harmless[0])) // OK + var data = (*[8]byte)(unsafe.Pointer(&harmless[0])) // $ Alert[go/wrong-usage-of-unsafe] // OK fmt.Println(string((*data)[:])) @@ -52,7 +52,7 @@ func goodIndexExprDifferentTypes() { // up until the end of `harmless` (from `harmless[3]` to // the end of `harmless` is 8 bytes), // which does not cross into `secret`. - var data = (*[8]byte)(unsafe.Pointer(&harmless[3])) // OK + var data = (*[8]byte)(unsafe.Pointer(&harmless[3])) // $ Alert[go/wrong-usage-of-unsafe] // OK fmt.Println(string((*data)[:])) 
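Review bot: The new expectation on the `for false` loop in test.go, `defer test() // $ Alert[go/examples/deferinloop] // fine but caught`, turns a result the existing comment already labels as a false positive into a required alert, so from now on the test only passes while the query keeps reporting it. The same pattern appears in WrongUsageOfUnsafe.go for `good0`, `goodIndexExpr` and `goodIndexExprDifferentTypes` (hunks @@ -14, @@ -31 and @@ -52 on this line) and for `good2` in the @@ -90 hunk on the next line, where lines annotated `// OK` and `// TODO: is this really OK?` now expect `Alert[go/wrong-usage-of-unsafe]`. The shared InlineExpectationsTest framework has a `SPURIOUS:` prefix for exactly this case, e.g. `defer test() // $ SPURIOUS: Alert[go/examples/deferinloop] // fine but caught`, which records the result as a known false positive instead of desired behaviour. If the Go harness does not accept that prefix, a comment on each such line stating that the alert is a known false positive would at least preserve the intent the old `// OK` and `// fine but caught` comments carried.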
@@ -74,7 +74,7 @@ func badIndexExpr() { // the address of the 3rd element of the `harmless` array, // and continue for 8 bytes, going out of the boundaries of // `harmless` and crossing into the memory occupied by `secret`. - var leaking = (*[8]byte)(unsafe.Pointer(&harmless[2])) // BAD + var leaking = (*[8]byte)(unsafe.Pointer(&harmless[2])) // $ Alert[go/wrong-usage-of-unsafe] // BAD fmt.Println(string((*leaking)[:])) @@ -90,7 +90,7 @@ func good2() { secret := [9]byte{'s', 'e', 'n', 's', 'i', 't', 'i', 'v', 'e'} // Read before secret: - var data = (*int)(unsafe.Pointer(&harmless)) // TODO: is this really OK? + var data = (*int)(unsafe.Pointer(&harmless)) // $ Alert[go/wrong-usage-of-unsafe] // TODO: is this really OK? fmt.Println(*data) @@ -108,7 +108,7 @@ func bad0() { // Read before secret, overflowing into secret // (notice we get the pointer to the first byte of harmless) - var leaking = (*[8 + 9]byte)(unsafe.Pointer(&harmless[0])) // BAD + var leaking = (*[8 + 9]byte)(unsafe.Pointer(&harmless[0])) // $ Alert[go/wrong-usage-of-unsafe] // BAD fmt.Println(string((*leaking)[:])) @@ -126,7 +126,7 @@ func bad1() { // Read before secret, overflowing into secret // (notice we read more than the length of harmless) - var leaking = (*[8 + 9]byte)(unsafe.Pointer(&harmless)) // BAD + var leaking = (*[8 + 9]byte)(unsafe.Pointer(&harmless)) // $ Alert[go/wrong-usage-of-unsafe] // BAD fmt.Println(string((*leaking)[:])) @@ -146,7 +146,7 @@ func bad2() { // Read before secret, overflowing into secret // (notice we read more than the length of harmless) - var leaking = (*[8 + 9]byte)(unsafe.Pointer(&harmless)) // BAD + var leaking = (*[8 + 9]byte)(unsafe.Pointer(&harmless)) // $ Alert[go/wrong-usage-of-unsafe] // BAD fmt.Println(string((*leaking)[:])) 
@@ -163,7 +163,7 @@ func bad3() { // Read before secret, overflowing into secret // (notice we read more than the length of harmless) - var leaking = (*[8 + 9]string)(unsafe.Pointer(&harmless)) // BAD + var leaking = (*[8 + 9]string)(unsafe.Pointer(&harmless)) // $ Alert[go/wrong-usage-of-unsafe] // BAD fmt.Println(*leaking) fmt.Println([17]string((*leaking))) @@ -186,7 +186,7 @@ func bad4() { // Read before secret, overflowing into secret // (notice we read more than the length of harmless) - var leaking = (*[8 + 9]byte)(unsafe.Pointer(&harmless)) // BAD + var leaking = (*[8 + 9]byte)(unsafe.Pointer(&harmless)) // $ Alert[go/wrong-usage-of-unsafe] // BAD fmt.Println(string((*leaking)[:])) @@ -208,7 +208,7 @@ func bad5() { // Read before secret, overflowing into secret // (notice we read more than the length of harmless) - var leaking = (*[8 + 9]byte)(unsafe.Pointer(&harmless.Data)) // BAD + var leaking = (*[8 + 9]byte)(unsafe.Pointer(&harmless.Data)) // $ Alert[go/wrong-usage-of-unsafe] // BAD fmt.Println(string(leaking[:])) @@ -224,7 +224,7 @@ func bad6() { secret := [9]byte{'s', 'e', 'n', 's', 'i', 't', 'i', 'v', 'e'} // Read before secret: - var leaking = buffer_request(unsafe.Pointer(&harmless)) // BAD (see inside buffer_request func) + var leaking = buffer_request(unsafe.Pointer(&harmless)) // $ Source[go/wrong-usage-of-unsafe] Alert[go/wrong-usage-of-unsafe] // BAD (see inside buffer_request func) fmt.Println((string)(leaking[:])) 
@@ -233,14 +233,14 @@ func bad6() { fmt.Println("hello world") } } -func buffer_request(req unsafe.Pointer) [8 + 9]byte { +func buffer_request(req unsafe.Pointer) [8 + 9]byte { // $ Source[go/wrong-usage-of-unsafe] Alert[go/wrong-usage-of-unsafe] // The length of req is 8 bytes, // but we cast it to a longer array, // which means that when the resulting array // will be read, the read will also contain pieces of // data from `secret`. var buf [8 + 9]byte - buf = *(*[8 + 9]byte)(req) // BAD (from above func) + buf = *(*[8 + 9]byte)(req) // $ Alert[go/wrong-usage-of-unsafe] Source[go/wrong-usage-of-unsafe] // BAD (from above func) return buf } func bad7() { @@ -253,7 +253,7 @@ func bad7() { // (notice we read more than the length of harmless); // the leaking array will not contain letters, // but integers representing bytes from `secret`. - var leaking = (*[4]int64)(unsafe.Pointer(&harmless)) // BAD + var leaking = (*[4]int64)(unsafe.Pointer(&harmless)) // $ Alert[go/wrong-usage-of-unsafe] // BAD fmt.Println(*leaking) @@ -271,7 +271,7 @@ func bad8() { // Read before secret, overflowing into secret // (notice we read more than the length of harmless); // the leaking data will contain some bits from `secret`. - var leaking = (*int64)(unsafe.Pointer(&harmless)) // BAD + var leaking = (*int64)(unsafe.Pointer(&harmless)) // $ Alert[go/wrong-usage-of-unsafe] // BAD fmt.Println(*leaking) @@ -289,7 +289,7 @@ func bad9() { // Read before secret, overflowing into secret // (notice we read more than the length of harmless); // the leaking data will contain some bits from `secret`. - var leaking = (*int)(unsafe.Pointer(&harmless)) // BAD + var leaking = (*int)(unsafe.Pointer(&harmless)) // $ Alert[go/wrong-usage-of-unsafe] // BAD fmt.Println(*leaking) diff --git a/go/ql/test/experimental/Unsafe/WrongUsageOfUnsafe.qlref b/go/ql/test/experimental/Unsafe/WrongUsageOfUnsafe.qlref index 2f5c54707c76..9ab864ea659f 100644 --- a/go/ql/test/experimental/Unsafe/WrongUsageOfUnsafe.qlref 
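Review bot: The `Source[...]` and `Alert[...]` tags in `buffer_request` are written in both orders: the signature line reads `// $ Source[go/wrong-usage-of-unsafe] Alert[go/wrong-usage-of-unsafe]` while the cast line reads `// $ Alert[go/wrong-usage-of-unsafe] Source[go/wrong-usage-of-unsafe]`, and the call site in `bad6` on the previous line uses Source-then-Alert. As far as I can tell the framework does not depend on tag order, so this is a style point, but using Source before Alert everywhere (as Dsn.go and the BeegoOrm test already do) makes it easier to scan which lines are taint sources. `Source` on `func buffer_request(req unsafe.Pointer) [8 + 9]byte {` presumably refers to the parameter `req`; a short trailing comment such as `// source is the parameter req` would save the next reader from guessing which expression on that line the tag refers to.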
+++ b/go/ql/test/experimental/Unsafe/WrongUsageOfUnsafe.qlref
@@ -1 +1,3 @@
-experimental/Unsafe/WrongUsageOfUnsafe.ql
+query: experimental/Unsafe/WrongUsageOfUnsafe.ql
+postprocess:
+ - utils/test/InlineExpectationsTestQuery.ql
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/BeegoOrm/SqlInjection.qlref b/go/ql/test/library-tests/semmle/go/frameworks/BeegoOrm/SqlInjection.qlref
index b6916bd2cd46..e19181577447 100644
--- a/go/ql/test/library-tests/semmle/go/frameworks/BeegoOrm/SqlInjection.qlref
+++ b/go/ql/test/library-tests/semmle/go/frameworks/BeegoOrm/SqlInjection.qlref
@@ -1,2 +1,4 @@
 query: Security/CWE-089/SqlInjection.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+ - utils/test/PrettyPrintModels.ql
+ - utils/test/InlineExpectationsTestQuery.ql
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/BeegoOrm/StoredXss.qlref b/go/ql/test/library-tests/semmle/go/frameworks/BeegoOrm/StoredXss.qlref
index 66b7d67dd8f3..f47ad25ca9c7 100644
--- a/go/ql/test/library-tests/semmle/go/frameworks/BeegoOrm/StoredXss.qlref
+++ b/go/ql/test/library-tests/semmle/go/frameworks/BeegoOrm/StoredXss.qlref
@@ -1,2 +1,4 @@
 query: Security/CWE-079/StoredXss.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+ - utils/test/PrettyPrintModels.ql
+ - utils/test/InlineExpectationsTestQuery.ql
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/BeegoOrm/test.go b/go/ql/test/library-tests/semmle/go/frameworks/BeegoOrm/test.go
index cce152e57ef8..27352f5dac82 100644
--- a/go/ql/test/library-tests/semmle/go/frameworks/BeegoOrm/test.go
+++ b/go/ql/test/library-tests/semmle/go/frameworks/BeegoOrm/test.go
@@ -8,61 +8,61 @@ import ( // BAD: using untrusted data in SQL queries func testDbMethods(bdb *orm.DB, untrustedSource *http.Request) { - untrusted := untrustedSource.UserAgent() - - bdb.Exec(untrusted) // $ querystring=untrusted - bdb.ExecContext(nil, untrusted) // $ querystring=untrusted - bdb.Prepare(untrusted) // $ querystring=untrusted - bdb.PrepareContext(nil, untrusted) // $ querystring=untrusted - bdb.Query(untrusted) // $ querystring=untrusted - bdb.QueryContext(nil, untrusted) // $ querystring=untrusted - bdb.QueryRow(untrusted) // $ querystring=untrusted - bdb.QueryRowContext(nil, untrusted) // $ querystring=untrusted + untrusted := untrustedSource.UserAgent() // $ Source[go/sql-injection] + + bdb.Exec(untrusted) // $ querystring=untrusted Alert[go/sql-injection] + bdb.ExecContext(nil, untrusted) // $ querystring=untrusted Alert[go/sql-injection] + bdb.Prepare(untrusted) // $ querystring=untrusted Alert[go/sql-injection] + bdb.PrepareContext(nil, untrusted) // $ querystring=untrusted Alert[go/sql-injection] + bdb.Query(untrusted) // $ querystring=untrusted Alert[go/sql-injection] + bdb.QueryContext(nil, untrusted) // $ querystring=untrusted Alert[go/sql-injection] + bdb.QueryRow(untrusted) // $ querystring=untrusted Alert[go/sql-injection] + bdb.QueryRowContext(nil, untrusted) // $ querystring=untrusted Alert[go/sql-injection] } // BAD: using untrusted data to build SQL queries (QueryBuilder does not sanitize its arguments) func testQueryBuilderMethods(qb orm.QueryBuilder, untrustedSource *http.Request) { - untrusted := untrustedSource.UserAgent() - untrusted2 := untrustedSource.UserAgent() - - qb.Select(untrusted) // $ querystring=untrusted - qb.From(untrusted) // $ querystring=untrusted - qb.InnerJoin(untrusted) // $ querystring=untrusted - qb.LeftJoin(untrusted) // $ querystring=untrusted - qb.RightJoin(untrusted) // $ querystring=untrusted - qb.On(untrusted) // $ querystring=untrusted - qb.Where(untrusted) // $ querystring=untrusted - 
qb.And(untrusted) // $ querystring=untrusted - qb.Or(untrusted) // $ querystring=untrusted - qb.In(untrusted) // $ querystring=untrusted - qb.OrderBy(untrusted) // $ querystring=untrusted - qb.GroupBy(untrusted) // $ querystring=untrusted - qb.Having(untrusted) // $ querystring=untrusted - qb.Update(untrusted) // $ querystring=untrusted - qb.Set(untrusted) // $ querystring=untrusted - qb.Delete(untrusted) // $ querystring=untrusted - qb.InsertInto(untrusted, untrusted2) // $ querystring=untrusted querystring=untrusted2 - qb.Values(untrusted) // $ querystring=untrusted - qb.Subquery(untrusted, untrusted2) // $ querystring=untrusted querystring=untrusted2 + untrusted := untrustedSource.UserAgent() // $ Source[go/sql-injection] + untrusted2 := untrustedSource.UserAgent() // $ Source[go/sql-injection] + + qb.Select(untrusted) // $ querystring=untrusted Alert[go/sql-injection] + qb.From(untrusted) // $ querystring=untrusted Alert[go/sql-injection] + qb.InnerJoin(untrusted) // $ querystring=untrusted Alert[go/sql-injection] + qb.LeftJoin(untrusted) // $ querystring=untrusted Alert[go/sql-injection] + qb.RightJoin(untrusted) // $ querystring=untrusted Alert[go/sql-injection] + qb.On(untrusted) // $ querystring=untrusted Alert[go/sql-injection] + qb.Where(untrusted) // $ querystring=untrusted Alert[go/sql-injection] + qb.And(untrusted) // $ querystring=untrusted Alert[go/sql-injection] + qb.Or(untrusted) // $ querystring=untrusted Alert[go/sql-injection] + qb.In(untrusted) // $ querystring=untrusted Alert[go/sql-injection] + qb.OrderBy(untrusted) // $ querystring=untrusted Alert[go/sql-injection] + qb.GroupBy(untrusted) // $ querystring=untrusted Alert[go/sql-injection] + qb.Having(untrusted) // $ querystring=untrusted Alert[go/sql-injection] + qb.Update(untrusted) // $ querystring=untrusted Alert[go/sql-injection] + qb.Set(untrusted) // $ querystring=untrusted Alert[go/sql-injection] + qb.Delete(untrusted) // $ querystring=untrusted Alert[go/sql-injection] + 
qb.InsertInto(untrusted, untrusted2) // $ querystring=untrusted querystring=untrusted2 Alert[go/sql-injection] + qb.Values(untrusted) // $ querystring=untrusted Alert[go/sql-injection] + qb.Subquery(untrusted, untrusted2) // $ querystring=untrusted querystring=untrusted2 Alert[go/sql-injection] } func testOrmerRaw(ormer orm.Ormer, untrustedSource *http.Request) { - untrusted := untrustedSource.UserAgent() + untrusted := untrustedSource.UserAgent() // $ Source[go/sql-injection] untrusted2 := untrustedSource.UserAgent() - ormer.Raw(untrusted, untrusted2) // $ querystring=untrusted // BAD: using an untrusted string as a query + ormer.Raw(untrusted, untrusted2) // $ querystring=untrusted Alert[go/sql-injection] // BAD: using an untrusted string as a query ormer.Raw("FROM ? SELECT ?", untrusted, untrusted2) // $ querystring="FROM ? SELECT ?" // GOOD: untrusted string used in argument context } func testFilterRaw(querySeter orm.QuerySeter, untrustedSource *http.Request) { - untrusted := untrustedSource.UserAgent() + untrusted := untrustedSource.UserAgent() // $ Source[go/sql-injection] querySeter.FilterRaw(untrusted, "safe") // $ querystring="safe" // GOOD: untrusted used as a column name - querySeter.FilterRaw("safe", untrusted) // $ querystring=untrusted // BAD: untrusted used as a SQL fragment + querySeter.FilterRaw("safe", untrusted) // $ querystring=untrusted Alert[go/sql-injection] // BAD: untrusted used as a SQL fragment } func testConditionRaw(cond orm.Condition, untrustedSource *http.Request) { - untrusted := untrustedSource.UserAgent() + untrusted := untrustedSource.UserAgent() // $ Source[go/sql-injection] cond.Raw(untrusted, "safe") // $ querystring="safe" // GOOD: untrusted used as a column name - cond.Raw("safe", untrusted) // $ querystring=untrusted // BAD: untrusted used as a SQL fragment + cond.Raw("safe", untrusted) // $ querystring=untrusted Alert[go/sql-injection] // BAD: untrusted used as a SQL fragment } type SubStruct struct { 
@@ -77,90 +77,90 @@ type MyStruct struct { // BAD: (possible stored XSS) retrieving data from a database then writing to an HTTP response func testOrmerReads(ormer orm.Ormer, sink http.ResponseWriter) { obj := MyStruct{} - ormer.Read(&obj) - sink.Write([]byte(obj.field)) - sink.Write([]byte(obj.substructs[0].field)) + ormer.Read(&obj) // $ Source[go/stored-xss] + sink.Write([]byte(obj.field)) // $ Alert[go/stored-xss] + sink.Write([]byte(obj.substructs[0].field)) // $ Alert[go/stored-xss] obj2 := MyStruct{} - ormer.ReadForUpdate(&obj2) - sink.Write([]byte(obj2.field)) + ormer.ReadForUpdate(&obj2) // $ Source[go/stored-xss] + sink.Write([]byte(obj2.field)) // $ Alert[go/stored-xss] obj3 := MyStruct{} - ormer.ReadOrCreate(&obj3, "arg") - sink.Write([]byte(obj3.field)) + ormer.ReadOrCreate(&obj3, "arg") // $ Source[go/stored-xss] + sink.Write([]byte(obj3.field)) // $ Alert[go/stored-xss] } // BAD: (possible stored XSS) retrieving data from a database then writing to an HTTP response func testFieldReads(textField *orm.TextField, jsonField *orm.JSONField, jsonbField *orm.JsonbField, sink http.ResponseWriter) { - sink.Write([]byte(textField.Value())) - sink.Write([]byte(textField.RawValue().(string))) - sink.Write([]byte(textField.String())) - sink.Write([]byte(jsonField.Value())) - sink.Write([]byte(jsonField.RawValue().(string))) - sink.Write([]byte(jsonField.String())) - sink.Write([]byte(jsonbField.Value())) - sink.Write([]byte(jsonbField.RawValue().(string))) - sink.Write([]byte(jsonbField.String())) + sink.Write([]byte(textField.Value())) // $ Alert[go/stored-xss] + sink.Write([]byte(textField.RawValue().(string))) // $ Alert[go/stored-xss] + sink.Write([]byte(textField.String())) // $ Alert[go/stored-xss] + sink.Write([]byte(jsonField.Value())) // $ Alert[go/stored-xss] + sink.Write([]byte(jsonField.RawValue().(string))) // $ Alert[go/stored-xss] + sink.Write([]byte(jsonField.String())) // $ Alert[go/stored-xss] + sink.Write([]byte(jsonbField.Value())) // $ 
Alert[go/stored-xss] + sink.Write([]byte(jsonbField.RawValue().(string))) // $ Alert[go/stored-xss] + sink.Write([]byte(jsonbField.String())) // $ Alert[go/stored-xss] } // BAD: (possible stored XSS) retrieving data from a database then writing to an HTTP response func testQuerySeterReads(qs orm.QuerySeter, sink http.ResponseWriter) { var objs []*MyStruct - qs.All(&objs) - sink.Write([]byte(objs[0].field)) + qs.All(&objs) // $ Source[go/stored-xss] + sink.Write([]byte(objs[0].field)) // $ Alert[go/stored-xss] var obj MyStruct - qs.One(&obj) - sink.Write([]byte(obj.field)) + qs.One(&obj) // $ Source[go/stored-xss] + sink.Write([]byte(obj.field)) // $ Alert[go/stored-xss] var allMaps []orm.Params - qs.Values(&allMaps) - sink.Write([]byte(allMaps[0]["field"].(string))) + qs.Values(&allMaps) // $ Source[go/stored-xss] + sink.Write([]byte(allMaps[0]["field"].(string))) // $ Alert[go/stored-xss] var allLists []orm.ParamsList - qs.ValuesList(&allLists) - sink.Write([]byte(allLists[0][0].(string))) + qs.ValuesList(&allLists) // $ Source[go/stored-xss] + sink.Write([]byte(allLists[0][0].(string))) // $ Alert[go/stored-xss] var oneList orm.ParamsList - qs.ValuesFlat(&oneList, "colname") - sink.Write([]byte(oneList[0].(string))) + qs.ValuesFlat(&oneList, "colname") // $ Source[go/stored-xss] + sink.Write([]byte(oneList[0].(string))) // $ Alert[go/stored-xss] var oneRowMap orm.Params - qs.RowsToMap(&oneRowMap, "key", "value") - sink.Write([]byte(oneRowMap["field"].(string))) + qs.RowsToMap(&oneRowMap, "key", "value") // $ Source[go/stored-xss] + sink.Write([]byte(oneRowMap["field"].(string))) // $ Alert[go/stored-xss] var oneRowStruct MyStruct - qs.RowsToStruct(&oneRowStruct, "key", "value") - sink.Write([]byte(oneRowStruct.field)) + qs.RowsToStruct(&oneRowStruct, "key", "value") // $ Source[go/stored-xss] + sink.Write([]byte(oneRowStruct.field)) // $ Alert[go/stored-xss] } // BAD: (possible stored XSS) retrieving data from a database then writing to an HTTP response func 
testRawSeterReads(rs orm.RawSeter, sink http.ResponseWriter) { var allMaps []orm.Params - rs.Values(&allMaps) - sink.Write([]byte(allMaps[0]["field"].(string))) + rs.Values(&allMaps) // $ Source[go/stored-xss] + sink.Write([]byte(allMaps[0]["field"].(string))) // $ Alert[go/stored-xss] var allLists []orm.ParamsList - rs.ValuesList(&allLists) - sink.Write([]byte(allLists[0][0].(string))) + rs.ValuesList(&allLists) // $ Source[go/stored-xss] + sink.Write([]byte(allLists[0][0].(string))) // $ Alert[go/stored-xss] var oneList orm.ParamsList - rs.ValuesFlat(&oneList, "colname") - sink.Write([]byte(oneList[0].(string))) + rs.ValuesFlat(&oneList, "colname") // $ Source[go/stored-xss] + sink.Write([]byte(oneList[0].(string))) // $ Alert[go/stored-xss] var oneRowMap orm.Params - rs.RowsToMap(&oneRowMap, "key", "value") - sink.Write([]byte(oneRowMap["field"].(string))) + rs.RowsToMap(&oneRowMap, "key", "value") // $ Source[go/stored-xss] + sink.Write([]byte(oneRowMap["field"].(string))) // $ Alert[go/stored-xss] var oneRowStruct MyStruct - rs.RowsToStruct(&oneRowStruct, "key", "value") - sink.Write([]byte(oneRowStruct.field)) + rs.RowsToStruct(&oneRowStruct, "key", "value") // $ Source[go/stored-xss] + sink.Write([]byte(oneRowStruct.field)) // $ Alert[go/stored-xss] var strField string - rs.QueryRow(&strField) - sink.Write([]byte(strField)) + rs.QueryRow(&strField) // $ Source[go/stored-xss] + sink.Write([]byte(strField)) // $ Alert[go/stored-xss] var strFields []string - rs.QueryRows(&strFields) - sink.Write([]byte(strFields[0])) + rs.QueryRows(&strFields) // $ Source[go/stored-xss] + sink.Write([]byte(strFields[0])) // $ Alert[go/stored-xss] } diff --git a/go/ql/test/library-tests/semmle/go/frameworks/Chi/ReflectedXss.qlref b/go/ql/test/library-tests/semmle/go/frameworks/Chi/ReflectedXss.qlref index 754513d72bb3..e6b791f39fca 100644 --- a/go/ql/test/library-tests/semmle/go/frameworks/Chi/ReflectedXss.qlref 
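Review bot: In `testFieldReads` the nine `sink.Write(...)` lines carry only `Alert[go/stored-xss]`, although the source expression (`textField.Value()`, `jsonField.RawValue()`, and so on) is on the same line, whereas `testOrmerReads`, `testQuerySeterReads` and `testRawSeterReads` tag every read with `Source[go/stored-xss]` on its own line. Elsewhere in this patch a line that holds both ends of a path (the GoMicro `Hello` signature) carries both tags, so the convention is not consistent across the file. If the inline-expectations post-processor emits a `Source` tag for every path result, these lines will fail with an unexpected `Source`; please check them against the `.expected` output and, if so, tag them as `sink.Write([]byte(textField.Value())) // $ Source[go/stored-xss] Alert[go/stored-xss]`. If the harness deliberately omits same-line sources, a one-line comment above `testFieldReads` saying so would save the next reader the same question.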
+++ b/go/ql/test/library-tests/semmle/go/frameworks/Chi/ReflectedXss.qlref
@@ -1,2 +1,4 @@
 query: Security/CWE-079/ReflectedXss.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+ - utils/test/PrettyPrintModels.ql
+ - utils/test/InlineExpectationsTestQuery.ql
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/Chi/test.go b/go/ql/test/library-tests/semmle/go/frameworks/Chi/test.go
index f02e0cdfb15a..6ef42ce00539 100644
--- a/go/ql/test/library-tests/semmle/go/frameworks/Chi/test.go
+++ b/go/ql/test/library-tests/semmle/go/frameworks/Chi/test.go
@@ -10,7 +10,7 @@ var hidden string
 func hideUserData(next http.Handler) http.Handler {
 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- hidden = r.URL.Path
+ hidden = r.URL.Path // $ Source[go/reflected-xss]
 next.ServeHTTP(w, r)
 })
 }
@@ -18,10 +18,10 @@ func hideUserData(next http.Handler) http.Handler {
 func main() {
 r := chi.NewRouter()
 r.With(hideUserData).Get("/", func(w http.ResponseWriter, r *http.Request) {
- w.Write([]byte(hidden))
- w.Write([]byte(chi.URLParam(r, "someParam")))
- w.Write([]byte(chi.URLParamFromCtx(r.Context(), "someKey")))
- w.Write([]byte(chi.RouteContext(r.Context()).URLParam("someOtherKey")))
+ w.Write([]byte(hidden)) // $ Alert[go/reflected-xss]
+ w.Write([]byte(chi.URLParam(r, "someParam"))) // $ Alert[go/reflected-xss]
+ w.Write([]byte(chi.URLParamFromCtx(r.Context(), "someKey"))) // $ Alert[go/reflected-xss]
+ w.Write([]byte(chi.RouteContext(r.Context()).URLParam("someOtherKey"))) // $ Alert[go/reflected-xss]
 })
 http.ListenAndServe(":3000", r)
 }
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/Echo/OpenRedirect.qlref b/go/ql/test/library-tests/semmle/go/frameworks/Echo/OpenRedirect.qlref
index 867dd7665618..13add930f517 100644
--- a/go/ql/test/library-tests/semmle/go/frameworks/Echo/OpenRedirect.qlref
+++ b/go/ql/test/library-tests/semmle/go/frameworks/Echo/OpenRedirect.qlref
@@ -1,2 +1,4 @@
 query: Security/CWE-601/OpenUrlRedirect.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+ - utils/test/PrettyPrintModels.ql
+ - utils/test/InlineExpectationsTestQuery.ql
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/Echo/ReflectedXss.qlref b/go/ql/test/library-tests/semmle/go/frameworks/Echo/ReflectedXss.qlref
index 754513d72bb3..e6b791f39fca 100644
--- a/go/ql/test/library-tests/semmle/go/frameworks/Echo/ReflectedXss.qlref
+++ b/go/ql/test/library-tests/semmle/go/frameworks/Echo/ReflectedXss.qlref
@@ -1,2 +1,4 @@
 query: Security/CWE-079/ReflectedXss.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+ - utils/test/PrettyPrintModels.ql
+ - utils/test/InlineExpectationsTestQuery.ql
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/Echo/TaintedPath.qlref b/go/ql/test/library-tests/semmle/go/frameworks/Echo/TaintedPath.qlref
index 78ce25b1921f..6eb2e94892f2 100644
--- a/go/ql/test/library-tests/semmle/go/frameworks/Echo/TaintedPath.qlref
+++ b/go/ql/test/library-tests/semmle/go/frameworks/Echo/TaintedPath.qlref
@@ -1,2 +1,4 @@
 query: Security/CWE-022/TaintedPath.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+ - utils/test/PrettyPrintModels.ql
+ - utils/test/InlineExpectationsTestQuery.ql
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/Echo/test.go b/go/ql/test/library-tests/semmle/go/frameworks/Echo/test.go
index 4a9f4e161f62..05d674a597e7 100644
--- a/go/ql/test/library-tests/semmle/go/frameworks/Echo/test.go
+++ b/go/ql/test/library-tests/semmle/go/frameworks/Echo/test.go
@@ -12,81 +12,81 @@ import ( // All are XSS vulnerabilities, except as specifically noted. func testParam(ctx echo.Context) error { - param := ctx.Param("someParam") - ctx.HTML(200, param) + param := ctx.Param("someParam") // $ Source[go/reflected-xss] + ctx.HTML(200, param) // $ Alert[go/reflected-xss] return nil } func testParamValues(ctx echo.Context) error { - param := ctx.ParamValues()[0] - ctx.HTML(200, param) + param := ctx.ParamValues()[0] // $ Source[go/reflected-xss] + ctx.HTML(200, param) // $ Alert[go/reflected-xss] return nil } func testQueryParam(ctx echo.Context) error { - param := ctx.QueryParam("someParam") - ctx.HTML(200, param) + param := ctx.QueryParam("someParam") // $ Source[go/reflected-xss] + ctx.HTML(200, param) // $ Alert[go/reflected-xss] return nil } func testQueryParams(ctx echo.Context) error { - param := ctx.QueryParams()["someParam"][0] - ctx.HTML(200, param) + param := ctx.QueryParams()["someParam"][0] // $ Source[go/reflected-xss] + ctx.HTML(200, param) // $ Alert[go/reflected-xss] return nil } func testQueryString(ctx echo.Context) error { - qstr := ctx.QueryString() - ctx.HTML(200, qstr) + qstr := ctx.QueryString() // $ Source[go/reflected-xss] + ctx.HTML(200, qstr) // $ Alert[go/reflected-xss] return nil } func testFormValue(ctx echo.Context) error { - val := ctx.FormValue("someField") - ctx.HTML(200, val) + val := ctx.FormValue("someField") // $ Source[go/reflected-xss] + ctx.HTML(200, val) // $ Alert[go/reflected-xss] return nil } func testFormParams(ctx echo.Context) error { - params, _ := ctx.FormParams() - ctx.HTML(200, params["someField"][0]) + params, _ := ctx.FormParams() // $ Source[go/reflected-xss] + ctx.HTML(200, params["someField"][0]) // $ Alert[go/reflected-xss] return nil } func testFormFile(ctx echo.Context) error { - fileHeader, _ := ctx.FormFile("someFilename") + fileHeader, _ := ctx.FormFile("someFilename") // $ Source[go/reflected-xss] file, _ := fileHeader.Open() buffer := make([]byte, 100) 
file.Read(buffer) - ctx.HTMLBlob(200, buffer) + ctx.HTMLBlob(200, buffer) // $ Alert[go/reflected-xss] return nil } func testMultipartFormValue(ctx echo.Context) error { - form, _ := ctx.MultipartForm() - ctx.HTML(200, form.Value["someField"][0]) + form, _ := ctx.MultipartForm() // $ Source[go/reflected-xss] + ctx.HTML(200, form.Value["someField"][0]) // $ Alert[go/reflected-xss] return nil } func testMultipartFormFile(ctx echo.Context) error { - form, _ := ctx.MultipartForm() + form, _ := ctx.MultipartForm() // $ Source[go/reflected-xss] fileHeader := form.File["someFilename"][0] file, _ := fileHeader.Open() buffer := make([]byte, 100) file.Read(buffer) - ctx.HTMLBlob(200, buffer) + ctx.HTMLBlob(200, buffer) // $ Alert[go/reflected-xss] return nil } func testCookie(ctx echo.Context) error { - val, _ := ctx.Cookie("someKey") - ctx.HTML(200, val.Value) + val, _ := ctx.Cookie("someKey") // $ Source[go/reflected-xss] + ctx.HTML(200, val.Value) // $ Alert[go/reflected-xss] return nil } func testCookies(ctx echo.Context) error { - cookies := ctx.Cookies() - ctx.HTML(200, cookies[0].Value) + cookies := ctx.Cookies() // $ Source[go/reflected-xss] + ctx.HTML(200, cookies[0].Value) // $ Alert[go/reflected-xss] return nil } @@ -96,8 +96,8 @@ type myStruct struct { func testBind(ctx echo.Context) error { data := myStruct{} - ctx.Bind(&data) - ctx.HTML(200, data.s) + ctx.Bind(&data) // $ Source[go/reflected-xss] + ctx.HTML(200, data.s) // $ Alert[go/reflected-xss] return nil } @@ -110,8 +110,8 @@ func testGetSetEmpty(ctx echo.Context) error { } func testGetSet(ctx echo.Context) error { - ctx.Set("someKey", ctx.Param("someParam")) - ctx.HTML(200, ctx.Get("someKey").(string)) // BAD, the context is tainted + ctx.Set("someKey", ctx.Param("someParam")) // $ Source[go/reflected-xss] + ctx.HTML(200, ctx.Get("someKey").(string)) // $ Alert[go/reflected-xss] // BAD, the context is tainted return nil } 
@@ -121,20 +121,20 @@ func testGetSet(ctx echo.Context) error { // All are XSS vulnerabilities, except as specifically noted. func testHTML(ctx echo.Context) error { - param := ctx.Param("someParam") - ctx.HTML(200, param) + param := ctx.Param("someParam") // $ Source[go/reflected-xss] + ctx.HTML(200, param) // $ Alert[go/reflected-xss] return nil } func testHTMLBlob(ctx echo.Context) error { - param := ctx.Param("someParam") - ctx.HTMLBlob(200, []byte(param)) + param := ctx.Param("someParam") // $ Source[go/reflected-xss] + ctx.HTMLBlob(200, []byte(param)) // $ Alert[go/reflected-xss] return nil } func testBlob(ctx echo.Context) error { - param := ctx.Param("someParam") - ctx.Blob(200, "text/html", []byte(param)) // BAD, the content-type is HTML + param := ctx.Param("someParam") // $ Source[go/reflected-xss] + ctx.Blob(200, "text/html", []byte(param)) // $ Alert[go/reflected-xss] // BAD, the content-type is HTML return nil } @@ -145,9 +145,9 @@ func testBlobSafe(ctx echo.Context) error { } func testStream(ctx echo.Context) error { - param := ctx.Param("someParam") + param := ctx.Param("someParam") // $ Source[go/reflected-xss] reader := strings.NewReader(param) - ctx.Stream(200, "text/html", reader) // BAD, the content-type is HTML + ctx.Stream(200, "text/html", reader) // $ Alert[go/reflected-xss] // BAD, the content-type is HTML return nil } 
@@ -161,28 +161,28 @@ func testStreamSafe(ctx echo.Context) error { // Section: testing output methods defined on Response (XSS vulnerability) func testResponseWrite(ctx echo.Context) error { - param := ctx.Param("someParam") - ctx.Response().Write([]byte(param)) + param := ctx.Param("someParam") // $ Source[go/reflected-xss] + ctx.Response().Write([]byte(param)) // $ Alert[go/reflected-xss] return nil } // Section: test detecting an open redirect using the Context.Redirect function: func testRedirect(ctx echo.Context) error { - param := ctx.Param("someParam") - ctx.Redirect(301, param) + param := ctx.Param("someParam") // $ Source[go/unvalidated-url-redirection] + ctx.Redirect(301, param) // $ Alert[go/unvalidated-url-redirection] return nil } func testLocalRedirects(ctx echo.Context) error { - param := ctx.Param("someParam") + param := ctx.Param("someParam") // $ Source[go/unvalidated-url-redirection] param2 := param param3 := param // Gratuitous copy because sanitization of uses propagates to subsequent uses // GOOD: local redirects are unproblematic ctx.Redirect(301, "/local"+param) // BAD: this could be a non-local redirect - ctx.Redirect(301, "/"+param2) + ctx.Redirect(301, "/"+param2) // $ Alert[go/unvalidated-url-redirection] // GOOD: localhost redirects are unproblematic ctx.Redirect(301, "//localhost/"+param3) return nil 
@@ -221,12 +221,12 @@ func testNonExploitableFields(ctx echo.Context) error {
 func fsOpsTest() {
 e := echo.New()
 e.GET("/", func(c echo.Context) error {
- filepath := c.QueryParam("filePath")
- return c.File(filepath) // $ FileSystemAccess=filepath
+ filepath := c.QueryParam("filePath") // $ Source[go/path-injection]
+ return c.File(filepath) // $ FileSystemAccess=filepath Alert[go/path-injection]
 })
 e.GET("/attachment", func(c echo.Context) error {
- filepath := c.QueryParam("filePath")
- return c.Attachment(filepath, "file name in response") // $ FileSystemAccess=filepath
+ filepath := c.QueryParam("filePath") // $ Source[go/path-injection]
+ return c.Attachment(filepath, "file name in response") // $ FileSystemAccess=filepath Alert[go/path-injection]
 })
 _ = e.Start(":1323")
 }
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/GoMicro/LogInjection.qlref b/go/ql/test/library-tests/semmle/go/frameworks/GoMicro/LogInjection.qlref
index 1837c628c33e..7f3ff6322b71 100644
--- a/go/ql/test/library-tests/semmle/go/frameworks/GoMicro/LogInjection.qlref
+++ b/go/ql/test/library-tests/semmle/go/frameworks/GoMicro/LogInjection.qlref
@@ -1 +1,3 @@
-Security/CWE-117/LogInjection.ql
+query: Security/CWE-117/LogInjection.ql
+postprocess:
+ - utils/test/InlineExpectationsTestQuery.ql
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/GoMicro/main.go b/go/ql/test/library-tests/semmle/go/frameworks/GoMicro/main.go
index 3eaacef9822a..5b50dc5a0e0b 100644
--- a/go/ql/test/library-tests/semmle/go/frameworks/GoMicro/main.go
+++ b/go/ql/test/library-tests/semmle/go/frameworks/GoMicro/main.go
@@ -15,10 +15,10 @@ import (
 type Greeter struct{}
-func (g *Greeter) Hello(ctx context.Context, req *pb.Request, rsp *pb.Response) error { // $ serverRequest="definition of req"
+func (g *Greeter) Hello(ctx context.Context, req *pb.Request, rsp *pb.Response) error { // $ serverRequest="definition of req" Source[go/log-injection] Alert[go/log-injection]
 // var access
 name := req.Name
- fmt.Println("Name :: %s", name)
+ fmt.Println("Name :: %s", name) // $ Alert[go/log-injection] Source[go/log-injection]
 return nil
 }
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/Revel/EndToEnd.go b/go/ql/test/library-tests/semmle/go/frameworks/Revel/EndToEnd.go
index 69fc2c52c4a2..d6c1feb8f85a 100644
--- a/go/ql/test/library-tests/semmle/go/frameworks/Revel/EndToEnd.go
+++ b/go/ql/test/library-tests/semmle/go/frameworks/Revel/EndToEnd.go
@@ -33,8 +33,8 @@ func (c MyRoute) Handler1() revel.Result {
 func (c MyRoute) Handler2() revel.Result {
 // BAD: the RenderBinary function copies an `io.Reader` to the user's browser.
 buf := &bytes.Buffer{}
- buf.WriteString(c.Params.Form.Get("someField"))
- return c.RenderBinary(buf, "index.html", revel.Inline, time.Now()) // $ responsebody='buf'
+ buf.WriteString(c.Params.Form.Get("someField")) // $ Source[go/reflected-xss]
+ return c.RenderBinary(buf, "index.html", revel.Inline, time.Now()) // $ responsebody='buf' Alert[go/reflected-xss]
 }
 func (c MyRoute) Handler3() revel.Result {
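Review bot: The `Hello` signature is tagged with both `Source[go/log-injection]` and `Alert[go/log-injection]`, and the `fmt.Println` line is tagged with both as well, which for a single path from the `req` parameter to the logging call does not add up: one would expect `Source` on the definition of `req` and `Alert` on the `Println` only. If the query really reports a second result whose primary location is the signature, a short comment next to the tags explaining why (for example that the request parameter itself is reported as a sink location by the model) would save the next reader the same double-take; otherwise the two stray tags should go, leaving `// $ serverRequest="definition of req" Source[go/log-injection]` on the signature and `// $ Alert[go/log-injection]` on the `Println`. Please confirm against the `.expected` file rather than the current annotations, since this commit is labelled a first attempt. Incidentally `fmt.Println("Name :: %s", name)` mixes a format verb with `Println`; `fmt.Printf("Name :: %s\n", name)` keeps the sink while staying `go vet` clean.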
@@ -55,18 +55,18 @@ func (c MyRoute) Handler4() revel.Result {
 func (c MyRoute) Handler5() revel.Result {
 // BAD: returning an arbitrary file (but this is detected at the os.Open call, not
 // due to modelling Revel)
- f, _ := os.Open(c.Params.Form.Get("someField"))
+ f, _ := os.Open(c.Params.Form.Get("someField")) // $ Alert[go/path-injection]
 return c.RenderFile(f, revel.Inline)
 }
 func (c MyRoute) Handler6() revel.Result {
 // BAD: returning an arbitrary file (detected as a user-controlled file-op, not XSS)
- return c.RenderFileName(c.Params.Form.Get("someField"), revel.Inline)
+ return c.RenderFileName(c.Params.Form.Get("someField"), revel.Inline) // $ Alert[go/path-injection]
 }
 func (c MyRoute) Handler7() revel.Result {
 // BAD: straightforward XSS
- return c.RenderHTML(c.Params.Form.Get("someField")) // $ responsebody='call to Get'
+ return c.RenderHTML(c.Params.Form.Get("someField")) // $ responsebody='call to Get' Alert[go/reflected-xss]
 }
 func (c MyRoute) Handler8() revel.Result {
@@ -91,5 +91,5 @@ func (c MyRoute) Handler11() revel.Result {
 func (c MyRoute) Handler12() revel.Result {
 // BAD: open redirect
- return c.Redirect(c.Params.Form.Get("someField"))
+ return c.Redirect(c.Params.Form.Get("someField")) // $ Alert[go/unvalidated-url-redirection]
 }
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/Revel/OpenRedirect.qlref b/go/ql/test/library-tests/semmle/go/frameworks/Revel/OpenRedirect.qlref
index 867dd7665618..13add930f517 100644
--- a/go/ql/test/library-tests/semmle/go/frameworks/Revel/OpenRedirect.qlref
+++ b/go/ql/test/library-tests/semmle/go/frameworks/Revel/OpenRedirect.qlref
@@ -1,2 +1,4 @@
 query: Security/CWE-601/OpenUrlRedirect.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+ - utils/test/PrettyPrintModels.ql
+ - utils/test/InlineExpectationsTestQuery.ql
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/Revel/ReflectedXss.qlref b/go/ql/test/library-tests/semmle/go/frameworks/Revel/ReflectedXss.qlref
index 754513d72bb3..e6b791f39fca 100644
--- a/go/ql/test/library-tests/semmle/go/frameworks/Revel/ReflectedXss.qlref
+++ b/go/ql/test/library-tests/semmle/go/frameworks/Revel/ReflectedXss.qlref
@@ -1,2 +1,4 @@
 query: Security/CWE-079/ReflectedXss.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+ - utils/test/PrettyPrintModels.ql
+ - utils/test/InlineExpectationsTestQuery.ql
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/Revel/Revel.go b/go/ql/test/library-tests/semmle/go/frameworks/Revel/Revel.go
index f09dcd6fa586..219e1dddb4c9 100644
--- a/go/ql/test/library-tests/semmle/go/frameworks/Revel/Revel.go
+++ b/go/ql/test/library-tests/semmle/go/frameworks/Revel/Revel.go
@@ -67,7 +67,7 @@ func (c myAppController) accessingParamsJSONIsUnsafe() {
 func (c myAppController) rawRead() { // $ responsebody='argument corresponding to c'
 c.ViewArgs["Foo"] = "

raw HTML

" // $ responsebody='"

raw HTML

"' c.ViewArgs["Bar"] = "

not raw HTML

" - c.ViewArgs["Foo"] = c.Params.Query // $ responsebody='selection of Query' + c.ViewArgs["Foo"] = c.Params.Query // $ responsebody='selection of Query' Alert[go/reflected-xss] c.Render() } diff --git a/go/ql/test/library-tests/semmle/go/frameworks/Revel/TaintedPath.qlref b/go/ql/test/library-tests/semmle/go/frameworks/Revel/TaintedPath.qlref index 78ce25b1921f..6eb2e94892f2 100644 --- a/go/ql/test/library-tests/semmle/go/frameworks/Revel/TaintedPath.qlref +++ b/go/ql/test/library-tests/semmle/go/frameworks/Revel/TaintedPath.qlref @@ -1,2 +1,4 @@ query: Security/CWE-022/TaintedPath.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/go/ql/test/library-tests/semmle/go/frameworks/Revel/examples/booking/app/init.go b/go/ql/test/library-tests/semmle/go/frameworks/Revel/examples/booking/app/init.go index 2f7fef73fc29..ca9232ec7c79 100644 --- a/go/ql/test/library-tests/semmle/go/frameworks/Revel/examples/booking/app/init.go +++ b/go/ql/test/library-tests/semmle/go/frameworks/Revel/examples/booking/app/init.go 
@@ -33,11 +33,11 @@ func init() {
 switch event {
 case revel.ENGINE_BEFORE_INITIALIZED:
 revel.AddHTTPMux("/this/is/a/test", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- fmt.Fprintln(w, "Hi there, it worked", r.URL.Path) // $ responsebody='selection of Path' responsebody='"Hi there, it worked"'
+ fmt.Fprintln(w, "Hi there, it worked", r.URL.Path) // $ responsebody='selection of Path' responsebody='"Hi there, it worked"' Alert[go/reflected-xss]
 w.WriteHeader(200)
 }))
 revel.AddHTTPMux("/this/is/", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- fmt.Fprintln(w, "Hi there, shorter prefix", r.URL.Path) // $ responsebody='selection of Path' responsebody='"Hi there, shorter prefix"'
+ fmt.Fprintln(w, "Hi there, shorter prefix", r.URL.Path) // $ responsebody='selection of Path' responsebody='"Hi there, shorter prefix"' Alert[go/reflected-xss]
 w.WriteHeader(200)
 }))
 }
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/Twirp/RequestForgery.qlref b/go/ql/test/library-tests/semmle/go/frameworks/Twirp/RequestForgery.qlref
index 061679da228d..760862973f1d 100644
--- a/go/ql/test/library-tests/semmle/go/frameworks/Twirp/RequestForgery.qlref
+++ b/go/ql/test/library-tests/semmle/go/frameworks/Twirp/RequestForgery.qlref
@@ -1,2 +1,4 @@
 query: Security/CWE-918/RequestForgery.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+ - utils/test/PrettyPrintModels.ql
+ - utils/test/InlineExpectationsTestQuery.ql
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/Twirp/rpc/notes/service.twirp.go b/go/ql/test/library-tests/semmle/go/frameworks/Twirp/rpc/notes/service.twirp.go
index 19bcc56f2612..49eb11f67701 100644
--- a/go/ql/test/library-tests/semmle/go/frameworks/Twirp/rpc/notes/service.twirp.go
+++ b/go/ql/test/library-tests/semmle/go/frameworks/Twirp/rpc/notes/service.twirp.go
@@ -535,7 +535,7 @@ func (s *notesServiceServer) serveCreateNoteProtobuf(ctx context.Context, resp h
 return
 }
- buf, err := io.ReadAll(req.Body)
+ buf, err := io.ReadAll(req.Body) // $ Source[go/request-forgery]
 if err != nil {
 s.handleRequestBodyError(ctx, resp, "failed to read request body", err)
 return
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/Twirp/server/main.go b/go/ql/test/library-tests/semmle/go/frameworks/Twirp/server/main.go
index 203b3af17361..c840aa3238df 100644
--- a/go/ql/test/library-tests/semmle/go/frameworks/Twirp/server/main.go
+++ b/go/ql/test/library-tests/semmle/go/frameworks/Twirp/server/main.go
@@ -16,7 +16,7 @@ type notesService struct {
 CurrentId int32
 }
-func (s *notesService) CreateNote(ctx context.Context, params *notes.CreateNoteParams) (*notes.Note, error) { // test: routeHandler, request
+func (s *notesService) CreateNote(ctx context.Context, params *notes.CreateNoteParams) (*notes.Note, error) { // $ Source[go/request-forgery] // test: routeHandler, request
 if len(params.Text) < 4 {
 return nil, twirp.InvalidArgument.Error("Text should be min 4 characters.")
 }
@@ -27,7 +27,7 @@ func (s *notesService) CreateNote(ctx context.Context, params *notes.CreateNoteP
 CreatedAt: time.Now().UnixMilli(),
 }
- notes.NewNotesServiceProtobufClient(params.Text, &http.Client{}) // test: ssrfSink, ssrf
+ notes.NewNotesServiceProtobufClient(params.Text, &http.Client{}) // $ Alert[go/request-forgery] // test: ssrfSink, ssrf
 notes.NewNotesServiceProtobufClient(strconv.FormatInt(int64(s.CurrentId), 10), &http.Client{}) // test: ssrfSink, !ssrf
 s.Notes = append(s.Notes, note)
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/XNetHtml/ReflectedXss.qlref b/go/ql/test/library-tests/semmle/go/frameworks/XNetHtml/ReflectedXss.qlref
index 754513d72bb3..e6b791f39fca 100644
--- a/go/ql/test/library-tests/semmle/go/frameworks/XNetHtml/ReflectedXss.qlref
+++ b/go/ql/test/library-tests/semmle/go/frameworks/XNetHtml/ReflectedXss.qlref
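Review bot: The new `// $ Source[go/request-forgery]` on `CreateNote` and `// $ Alert[go/request-forgery]` on the first `NewNotesServiceProtobufClient` call sit beside the older `// test: routeHandler, request` and `// test: ssrfSink, ssrf` markers, so the same two facts are now encoded twice in two syntaxes on the same lines. If nothing in this test directory still consumes the `// test:` markers, dropping them keeps a single source of truth; if something does, a one-line comment at the top of the file saying which harness reads which marker would stop the next editor from removing the wrong one. The untainted client on the following line, `notes.NewNotesServiceProtobufClient(strconv.FormatInt(int64(s.CurrentId), 10), &http.Client{}) // test: ssrfSink, !ssrf`, correctly gets no `// $` tag, but since absence of an expectation is silent in the inline harness a short `// GOOD: URL built from an internal counter, not request data` would make the negative case self-explanatory. `CreateNote`'s body continues outside the hunk.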
@@ -1,2 +1,4 @@
 query: Security/CWE-079/ReflectedXss.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+ - utils/test/PrettyPrintModels.ql
+ - utils/test/InlineExpectationsTestQuery.ql
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/XNetHtml/SqlInjection.qlref b/go/ql/test/library-tests/semmle/go/frameworks/XNetHtml/SqlInjection.qlref
index b6916bd2cd46..e19181577447 100644
--- a/go/ql/test/library-tests/semmle/go/frameworks/XNetHtml/SqlInjection.qlref
+++ b/go/ql/test/library-tests/semmle/go/frameworks/XNetHtml/SqlInjection.qlref
@@ -1,2 +1,4 @@
 query: Security/CWE-089/SqlInjection.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+ - utils/test/PrettyPrintModels.ql
+ - utils/test/InlineExpectationsTestQuery.ql
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/XNetHtml/test.go b/go/ql/test/library-tests/semmle/go/frameworks/XNetHtml/test.go
index a89167e126c4..dafa5348d0c5 100644
--- a/go/ql/test/library-tests/semmle/go/frameworks/XNetHtml/test.go
+++ b/go/ql/test/library-tests/semmle/go/frameworks/XNetHtml/test.go
@@ -9,50 +9,50 @@ import (
 func test(request *http.Request, writer http.ResponseWriter) {
- param1 := request.URL.Query().Get("param1")
+ param1 := request.URL.Query().Get("param1") // $ Source[go/reflected-xss]
  writer.Write([]byte(html.EscapeString(param1))) // GOOD: escaped.
- writer.Write([]byte(html.UnescapeString(param1))) // BAD: unescaped.
+ writer.Write([]byte(html.UnescapeString(param1))) // $ Alert[go/reflected-xss] // BAD: unescaped.
- node, _ := html.Parse(request.Body)
- writer.Write([]byte(node.Data)) // BAD: writing unescaped HTML data
+ node, _ := html.Parse(request.Body) // $ Source[go/reflected-xss]
+ writer.Write([]byte(node.Data)) // $ Alert[go/reflected-xss] // BAD: writing unescaped HTML data
- node2, _ := html.ParseWithOptions(request.Body)
- writer.Write([]byte(node2.Data)) // BAD: writing unescaped HTML data
+ node2, _ := html.ParseWithOptions(request.Body) // $ Source[go/reflected-xss]
+ writer.Write([]byte(node2.Data)) // $ Alert[go/reflected-xss] // BAD: writing unescaped HTML data
- nodes, _ := html.ParseFragment(request.Body, nil)
- writer.Write([]byte(nodes[0].Data)) // BAD: writing unescaped HTML data
+ nodes, _ := html.ParseFragment(request.Body, nil) // $ Source[go/reflected-xss]
+ writer.Write([]byte(nodes[0].Data)) // $ Alert[go/reflected-xss] // BAD: writing unescaped HTML data
- nodes2, _ := html.ParseFragmentWithOptions(request.Body, nil)
- writer.Write([]byte(nodes2[0].Data)) // BAD: writing unescaped HTML data
+ nodes2, _ := html.ParseFragmentWithOptions(request.Body, nil) // $ Source[go/reflected-xss]
+ writer.Write([]byte(nodes2[0].Data)) // $ Alert[go/reflected-xss] // BAD: writing unescaped HTML data
- html.Render(writer, node) // BAD: rendering untrusted HTML to `writer`
+ html.Render(writer, node) // $ Alert[go/reflected-xss] // BAD: rendering untrusted HTML to `writer`
- tokenizer := html.NewTokenizer(request.Body)
- writer.Write(tokenizer.Buffered()) // BAD: writing unescaped HTML data
- writer.Write(tokenizer.Raw()) // BAD: writing unescaped HTML data
+ tokenizer := html.NewTokenizer(request.Body) // $ Source[go/reflected-xss]
+ writer.Write(tokenizer.Buffered()) // $ Alert[go/reflected-xss] // BAD: writing unescaped HTML data
+ writer.Write(tokenizer.Raw()) // $ Alert[go/reflected-xss] // BAD: writing unescaped HTML data
  _, value, _ := tokenizer.TagAttr()
- writer.Write(value) // BAD: writing unescaped HTML data
- writer.Write(tokenizer.Text()) // BAD: writing unescaped HTML data
- writer.Write([]byte(tokenizer.Token().Data)) // BAD: writing unescaped HTML data
+ writer.Write(value) // $ Alert[go/reflected-xss] // BAD: writing unescaped HTML data
+ writer.Write(tokenizer.Text()) // $ Alert[go/reflected-xss] // BAD: writing unescaped HTML data
+ writer.Write([]byte(tokenizer.Token().Data)) // $ Alert[go/reflected-xss] // BAD: writing unescaped HTML data
- tokenizerFragment := html.NewTokenizerFragment(request.Body, "some context")
- writer.Write(tokenizerFragment.Buffered()) // BAD: writing unescaped HTML data
+ tokenizerFragment := html.NewTokenizerFragment(request.Body, "some context") // $ Source[go/reflected-xss]
+ writer.Write(tokenizerFragment.Buffered()) // $ Alert[go/reflected-xss] // BAD: writing unescaped HTML data
  var cleanNode html.Node
- taintedNode, _ := html.Parse(request.Body)
+ taintedNode, _ := html.Parse(request.Body) // $ Source[go/reflected-xss]
  cleanNode.AppendChild(taintedNode)
- html.Render(writer, &cleanNode) // BAD: writing unescaped HTML data
+ html.Render(writer, &cleanNode) // $ Alert[go/reflected-xss] // BAD: writing unescaped HTML data
  var cleanNode2 html.Node
- taintedNode2, _ := html.Parse(request.Body)
+ taintedNode2, _ := html.Parse(request.Body) // $ Source[go/reflected-xss]
  cleanNode2.InsertBefore(taintedNode2, &cleanNode2)
- html.Render(writer, &cleanNode2) // BAD: writing unescaped HTML data
+ html.Render(writer, &cleanNode2) // $ Alert[go/reflected-xss] // BAD: writing unescaped HTML data
 }
 func sqlTest(request *http.Request, db *sql.DB) { // Ensure EscapeString is a taint propagator for non-XSS queries, e.g. SQL injection:
- cookie, _ := request.Cookie("SomeCookie")
- db.Query(html.EscapeString(cookie.Value))
+ cookie, _ := request.Cookie("SomeCookie") // $ Source[go/sql-injection]
+ db.Query(html.EscapeString(cookie.Value)) // $ Alert[go/sql-injection]
 }
diff --git a/go/ql/test/query-tests/InconsistentCode/ConstantLengthComparison/ConstantLengthComparison.go b/go/ql/test/query-tests/InconsistentCode/ConstantLengthComparison/ConstantLengthComparison.go
index cec41e2dab2d..a1a6b1f309ed 100644
--- a/go/ql/test/query-tests/InconsistentCode/ConstantLengthComparison/ConstantLengthComparison.go
+++ b/go/ql/test/query-tests/InconsistentCode/ConstantLengthComparison/ConstantLengthComparison.go
@@ -2,7 +2,7 @@ package main
 
 func isPrefixOf(xs, ys []int) bool {
  for i := 0; i < len(xs); i++ {
-  if len(ys) == 0 || xs[i] != ys[i] { // NOT OK
+  if len(ys) == 0 || xs[i] != ys[i] { // $ Alert // NOT OK
   return false
  }
 }
diff --git a/go/ql/test/query-tests/InconsistentCode/InconsistentLoopOrientation/InconsistentLoopOrientation.go b/go/ql/test/query-tests/InconsistentCode/InconsistentLoopOrientation/InconsistentLoopOrientation.go
index 077015ced99d..cda530aec6a7 100644
--- a/go/ql/test/query-tests/InconsistentCode/InconsistentLoopOrientation/InconsistentLoopOrientation.go
+++ b/go/ql/test/query-tests/InconsistentCode/InconsistentLoopOrientation/InconsistentLoopOrientation.go @@ -7,7 +7,7 @@ func zeroOutExceptBad(a []int, lower int, upper int) { } // zero out everything above index `upper` - for i := upper + 1; i < len(a); i-- { // NOT OK + for i := upper + 1; i < len(a); i-- { // $ Alert // NOT OK a[i] = 0 } } diff --git a/go/ql/test/query-tests/InconsistentCode/InconsistentLoopOrientation/InconsistentLoopOrientation.qlref b/go/ql/test/query-tests/InconsistentCode/InconsistentLoopOrientation/InconsistentLoopOrientation.qlref index 62ab35e22578..336261fde233 100644 --- a/go/ql/test/query-tests/InconsistentCode/InconsistentLoopOrientation/InconsistentLoopOrientation.qlref +++ b/go/ql/test/query-tests/InconsistentCode/InconsistentLoopOrientation/InconsistentLoopOrientation.qlref @@ -1 +1,2 @@ -InconsistentCode/InconsistentLoopOrientation.ql +query: InconsistentCode/InconsistentLoopOrientation.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/go/ql/test/query-tests/InconsistentCode/InconsistentLoopOrientation/main.go b/go/ql/test/query-tests/InconsistentCode/InconsistentLoopOrientation/main.go index ede1c5878fba..4cb6e1feac7c 100644 --- a/go/ql/test/query-tests/InconsistentCode/InconsistentLoopOrientation/main.go +++ b/go/ql/test/query-tests/InconsistentCode/InconsistentLoopOrientation/main.go @@ -6,12 +6,12 @@ func f1(i int) { } func f2(i int, s string) { - for j := i + 1; j < len(s); j-- { // NOT OK + for j := i + 1; j < len(s); j-- { // $ Alert // NOT OK } } func f3(s string) { - for i, l := 0, len(s); i > l; i++ { // NOT OK + for i, l := 0, len(s); i > l; i++ { // $ Alert // NOT OK } } @@ -22,7 +22,7 @@ func f4(lower int, a []int) { } func f5(upper int, a []int) { - for i := upper + 1; i < len(a); i-- { // NOT OK + for i := upper + 1; i < len(a); i-- { // $ Alert // NOT OK a[i] = 0 } } 
diff --git a/go/ql/test/query-tests/InconsistentCode/LengthComparisonOffByOne/LengthComparisonOffByOne.go b/go/ql/test/query-tests/InconsistentCode/LengthComparisonOffByOne/LengthComparisonOffByOne.go index 7db63c62bfe0..965178e2cdcd 100644 --- a/go/ql/test/query-tests/InconsistentCode/LengthComparisonOffByOne/LengthComparisonOffByOne.go +++ b/go/ql/test/query-tests/InconsistentCode/LengthComparisonOffByOne/LengthComparisonOffByOne.go @@ -5,9 +5,9 @@ import "strings" func containsBad(searchName string, names string) bool { values := strings.Split(names, ",") // BAD: index could be equal to length - for i := 0; i <= len(values); i++ { + for i := 0; i <= len(values); i++ { // $ Alert // When i = length, this access will be out of bounds - if values[i] == searchName { + if values[i] == searchName { // $ Source return true } } diff --git a/go/ql/test/query-tests/InconsistentCode/LengthComparisonOffByOne/LengthComparisonOffByOne.qlref b/go/ql/test/query-tests/InconsistentCode/LengthComparisonOffByOne/LengthComparisonOffByOne.qlref index 8692ba8a17da..ddd036de50a3 100644 --- a/go/ql/test/query-tests/InconsistentCode/LengthComparisonOffByOne/LengthComparisonOffByOne.qlref +++ b/go/ql/test/query-tests/InconsistentCode/LengthComparisonOffByOne/LengthComparisonOffByOne.qlref @@ -1 +1,2 @@ -InconsistentCode/LengthComparisonOffByOne.ql +query: InconsistentCode/LengthComparisonOffByOne.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/go/ql/test/query-tests/InconsistentCode/LengthComparisonOffByOne/main.go b/go/ql/test/query-tests/InconsistentCode/LengthComparisonOffByOne/main.go index 3a426dc554da..01e849c0f2fc 100644 --- a/go/ql/test/query-tests/InconsistentCode/LengthComparisonOffByOne/main.go +++ b/go/ql/test/query-tests/InconsistentCode/LengthComparisonOffByOne/main.go 
@@ -3,8 +3,8 @@ package main import "regexp" func f1(i int, a []int) int { - if i <= len(a) { // NOT OK - return a[i] + if i <= len(a) { // $ Alert // NOT OK + return a[i] // $ Source } return -1 } @@ -26,8 +26,8 @@ func f3(i int, a []int) int { } func f4(i int, a []int) int { - if len(a) > 0 { // NOT OK - return a[1] + if len(a) > 0 { // $ Alert // NOT OK + return a[1] // $ Source } return -1 } diff --git a/go/ql/test/query-tests/InconsistentCode/MissingErrorCheck/MissingErrorCheck.qlref b/go/ql/test/query-tests/InconsistentCode/MissingErrorCheck/MissingErrorCheck.qlref index 519bdd54e687..3895adea4d02 100644 --- a/go/ql/test/query-tests/InconsistentCode/MissingErrorCheck/MissingErrorCheck.qlref +++ b/go/ql/test/query-tests/InconsistentCode/MissingErrorCheck/MissingErrorCheck.qlref @@ -1 +1,3 @@ -InconsistentCode/MissingErrorCheck.ql +query: InconsistentCode/MissingErrorCheck.ql +postprocess: + - utils/test/InlineExpectationsTestQuery.ql diff --git a/go/ql/test/query-tests/InconsistentCode/MissingErrorCheck/tests.go b/go/ql/test/query-tests/InconsistentCode/MissingErrorCheck/tests.go index da60b272bbe2..97217e6f9794 100644 --- a/go/ql/test/query-tests/InconsistentCode/MissingErrorCheck/tests.go +++ b/go/ql/test/query-tests/InconsistentCode/MissingErrorCheck/tests.go @@ -58,7 +58,7 @@ func missingCheckMayFail(fname string) { result, err := os.Open(fname) - fmt.Printf("Opened: %v\n", *result) // NOT OK + fmt.Printf("Opened: %v\n", *result) // $ Alert[go/missing-error-check] // NOT OK fmt.Printf("%v\n", err) // use err } @@ -240,7 +240,7 @@ func mishandlesMyError(input int) { result, err := returnsMyError(input) - fmt.Printf("Got: %d\n", *result) // NOT OK + fmt.Printf("Got: %d\n", *result) // $ Alert[go/missing-error-check] // NOT OK fmt.Printf("%v\n", err) // use err } 
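Review bot: The `postprocess` key is written in two shapes across this patch — a bare scalar in ConstantLengthComparison.qlref, InconsistentLoopOrientation.qlref, LengthComparisonOffByOne.qlref and most of the others, but a one-element list here in MissingErrorCheck.qlref, and again in DeadStoreOfLocal.qlref, DuplicateSwitchCase.qlref, RedundantExpr.qlref and RedundantRecover.qlref. If the test runner accepts both forms, the files should still agree on one so later additions do not have to guess; the scalar `postprocess: utils/test/InlineExpectationsTestQuery.ql` used by the majority is the smaller diff, and the list form only earns its keep where a second postprocessor is planned. A similar inconsistency shows in the inline tags, which alternate between bare `$ Alert` and qualified `$ Alert[go/...]` from one test directory to the next; presumably the qualified form is only needed where more than one query runs against the directory, but a consistent choice, or a one-line comment in the affected .qlref stating why the qualified form was chosen, would make the intent clear.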
diff --git a/go/ql/test/query-tests/InconsistentCode/MistypedExponentiation/MistypedExponentiation.go b/go/ql/test/query-tests/InconsistentCode/MistypedExponentiation/MistypedExponentiation.go
index f6e3108f581b..0ae2c8a0afb6 100644
--- a/go/ql/test/query-tests/InconsistentCode/MistypedExponentiation/MistypedExponentiation.go
+++ b/go/ql/test/query-tests/InconsistentCode/MistypedExponentiation/MistypedExponentiation.go
@@ -3,5 +3,5 @@ package main
 import "fmt"
 
 func test() {
- fmt.Println(2 ^ 32) // should be 1 << 32
+ fmt.Println(2 ^ 32) // $ Alert // should be 1 << 32
 }
diff --git a/go/ql/test/query-tests/InconsistentCode/MistypedExponentiation/MistypedExponentiation.qlref b/go/ql/test/query-tests/InconsistentCode/MistypedExponentiation/MistypedExponentiation.qlref
index bd96eb93eb49..40b505ceca23 100644
--- a/go/ql/test/query-tests/InconsistentCode/MistypedExponentiation/MistypedExponentiation.qlref
+++ b/go/ql/test/query-tests/InconsistentCode/MistypedExponentiation/MistypedExponentiation.qlref
@@ -1 +1,2 @@
-InconsistentCode/MistypedExponentiation.ql
+query: InconsistentCode/MistypedExponentiation.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/go/ql/test/query-tests/InconsistentCode/MistypedExponentiation/main.go b/go/ql/test/query-tests/InconsistentCode/MistypedExponentiation/main.go
index b8b4be44847e..5aa436eb08f3 100644
--- a/go/ql/test/query-tests/InconsistentCode/MistypedExponentiation/main.go
+++ b/go/ql/test/query-tests/InconsistentCode/MistypedExponentiation/main.go
@@ -12,13 +12,13 @@ func main() { expectingResponse := 1 << 5 power := 10 - fmt.Println(3 ^ 5) // Not OK + fmt.Println(3 ^ 5) // $ Alert // Not OK fmt.Println(0755 ^ 2423) // OK - fmt.Println(2 ^ 32) // Not OK - fmt.Println(10 ^ 5) // Not OK - fmt.Println(10 ^ exp) // Not OK + fmt.Println(2 ^ 32) // $ Alert // Not OK + fmt.Println(10 ^ 5) // $ Alert // Not OK + fmt.Println(10 ^ exp) // $ Alert // Not OK fmt.Println(253 ^ expectingResponse) // OK - fmt.Println(2 ^ power) // Not OK + fmt.Println(2 ^ power) // $ Alert // Not OK mask := (((1 << 10) - 1) ^ 7) // OK diff --git a/go/ql/test/query-tests/InconsistentCode/WhitespaceContradictsPrecedence/WhitespaceContradictsPrecedence.go b/go/ql/test/query-tests/InconsistentCode/WhitespaceContradictsPrecedence/WhitespaceContradictsPrecedence.go index ee6987ec9312..bee4b5921b0f 100644 --- a/go/ql/test/query-tests/InconsistentCode/WhitespaceContradictsPrecedence/WhitespaceContradictsPrecedence.go +++ b/go/ql/test/query-tests/InconsistentCode/WhitespaceContradictsPrecedence/WhitespaceContradictsPrecedence.go @@ -3,5 +3,5 @@ package main // autoformat-ignore (otherwise gofmt will fix the spacing to reflect precedence) func isBitSetBad(x int, pos uint) bool { - return x & 1<> 1; + return x+x >> 1; // $ Alert } func ok3(x int) int { diff --git a/go/ql/test/query-tests/InconsistentCode/WrappedErrorAlwaysNil/WrappedErrorAlwaysNil.go b/go/ql/test/query-tests/InconsistentCode/WrappedErrorAlwaysNil/WrappedErrorAlwaysNil.go index 70ccce77ba74..d5901800cbbf 100644 --- a/go/ql/test/query-tests/InconsistentCode/WrappedErrorAlwaysNil/WrappedErrorAlwaysNil.go +++ b/go/ql/test/query-tests/InconsistentCode/WrappedErrorAlwaysNil/WrappedErrorAlwaysNil.go @@ -28,7 +28,7 @@ func test1(input string) error { } if ok2, _ := f2(input); !ok2 { // BAD: Wrapped error is always nil - return errors.Wrap(err, "") + return errors.Wrap(err, "") // $ Alert } return nil } 
@@ -38,13 +38,13 @@ func test2(err error) { errors.Wrap(err, "") // BAD: Wrapped error is always nil - errors.Wrap(nil, "") + errors.Wrap(nil, "") // $ Alert err = nil // BAD: Wrapped error is always nil - errors.Wrap(err, "") + errors.Wrap(err, "") // $ Alert var localErr error = nil // BAD: Wrapped error is always nil - errors.Wrap(localErr, "") + errors.Wrap(localErr, "") // $ Alert } diff --git a/go/ql/test/query-tests/InconsistentCode/WrappedErrorAlwaysNil/WrappedErrorAlwaysNil.qlref b/go/ql/test/query-tests/InconsistentCode/WrappedErrorAlwaysNil/WrappedErrorAlwaysNil.qlref index bad618814a12..03f9d3ebda16 100644 --- a/go/ql/test/query-tests/InconsistentCode/WrappedErrorAlwaysNil/WrappedErrorAlwaysNil.qlref +++ b/go/ql/test/query-tests/InconsistentCode/WrappedErrorAlwaysNil/WrappedErrorAlwaysNil.qlref @@ -1 +1,2 @@ -InconsistentCode/WrappedErrorAlwaysNil.ql +query: InconsistentCode/WrappedErrorAlwaysNil.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/go/ql/test/query-tests/RedundantCode/CompareIdenticalValues/CompareIdenticalValues.go b/go/ql/test/query-tests/RedundantCode/CompareIdenticalValues/CompareIdenticalValues.go index b096cdf5ceca..594d8cfcca1a 100644 --- a/go/ql/test/query-tests/RedundantCode/CompareIdenticalValues/CompareIdenticalValues.go +++ b/go/ql/test/query-tests/RedundantCode/CompareIdenticalValues/CompareIdenticalValues.go @@ -6,7 +6,7 @@ type Rectangle struct { func (r *Rectangle) containsBad(x, y int) bool { return r.x <= x && - y <= y && // NOT OK + y <= y && // $ Alert // NOT OK x <= r.x+r.width && y <= r.y+r.height } diff --git a/go/ql/test/query-tests/RedundantCode/CompareIdenticalValues/CompareIdenticalValues.qlref b/go/ql/test/query-tests/RedundantCode/CompareIdenticalValues/CompareIdenticalValues.qlref index 7c3ac7ace2b4..e9d5bb357fdf 100644 --- a/go/ql/test/query-tests/RedundantCode/CompareIdenticalValues/CompareIdenticalValues.qlref 
+++ b/go/ql/test/query-tests/RedundantCode/CompareIdenticalValues/CompareIdenticalValues.qlref @@ -1 +1,2 @@ -RedundantCode/CompareIdenticalValues.ql +query: RedundantCode/CompareIdenticalValues.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/go/ql/test/query-tests/RedundantCode/CompareIdenticalValues/tst.go b/go/ql/test/query-tests/RedundantCode/CompareIdenticalValues/tst.go index 935e71bab996..fbe842b669ca 100644 --- a/go/ql/test/query-tests/RedundantCode/CompareIdenticalValues/tst.go +++ b/go/ql/test/query-tests/RedundantCode/CompareIdenticalValues/tst.go @@ -3,7 +3,7 @@ package main import "fmt" func foo(x int) bool { - return x == x // NOT OK + return x == x // $ Alert // NOT OK } func isNaN(x float32) bool { @@ -57,5 +57,5 @@ func baz2() bool { func baz3() bool { var y counter y.bimp() - return y == 0 // NOT OK + return y == 0 // $ Alert // NOT OK } diff --git a/go/ql/test/query-tests/RedundantCode/CompareIdenticalValues/vp.go b/go/ql/test/query-tests/RedundantCode/CompareIdenticalValues/vp.go index 64e070e660e6..9087a5895003 100644 --- a/go/ql/test/query-tests/RedundantCode/CompareIdenticalValues/vp.go +++ b/go/ql/test/query-tests/RedundantCode/CompareIdenticalValues/vp.go @@ -13,5 +13,5 @@ type t struct { } func (x *t) foo(other t) bool { - return x.GetLength() != x.GetLength() + return x.GetLength() != x.GetLength() // $ Alert } diff --git a/go/ql/test/query-tests/RedundantCode/DeadStoreOfField/DeadStoreOfField.go b/go/ql/test/query-tests/RedundantCode/DeadStoreOfField/DeadStoreOfField.go index b74b7312a7fe..7e1328e5a33f 100644 --- a/go/ql/test/query-tests/RedundantCode/DeadStoreOfField/DeadStoreOfField.go +++ b/go/ql/test/query-tests/RedundantCode/DeadStoreOfField/DeadStoreOfField.go @@ -5,5 +5,5 @@ type counter struct { } func (w counter) reset() { - w.val = 0 // NOT OK + w.val = 0 // $ Alert // NOT OK } 
diff --git a/go/ql/test/query-tests/RedundantCode/DeadStoreOfField/DeadStoreOfField.qlref b/go/ql/test/query-tests/RedundantCode/DeadStoreOfField/DeadStoreOfField.qlref index 90aa8beb7ad9..1fa9500a954b 100644 --- a/go/ql/test/query-tests/RedundantCode/DeadStoreOfField/DeadStoreOfField.qlref +++ b/go/ql/test/query-tests/RedundantCode/DeadStoreOfField/DeadStoreOfField.qlref @@ -1 +1,2 @@ -RedundantCode/DeadStoreOfField.ql +query: RedundantCode/DeadStoreOfField.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/go/ql/test/query-tests/RedundantCode/DeadStoreOfLocal/DeadStoreOfLocal.qlref b/go/ql/test/query-tests/RedundantCode/DeadStoreOfLocal/DeadStoreOfLocal.qlref index 9acb5d81615f..8c5bd9a74820 100644 --- a/go/ql/test/query-tests/RedundantCode/DeadStoreOfLocal/DeadStoreOfLocal.qlref +++ b/go/ql/test/query-tests/RedundantCode/DeadStoreOfLocal/DeadStoreOfLocal.qlref @@ -1 +1,3 @@ -RedundantCode/DeadStoreOfLocal.ql +query: RedundantCode/DeadStoreOfLocal.ql +postprocess: + - utils/test/InlineExpectationsTestQuery.ql diff --git a/go/ql/test/query-tests/RedundantCode/DeadStoreOfLocal/main.go b/go/ql/test/query-tests/RedundantCode/DeadStoreOfLocal/main.go index 31062a18f984..52c4cc966e2d 100644 --- a/go/ql/test/query-tests/RedundantCode/DeadStoreOfLocal/main.go +++ b/go/ql/test/query-tests/RedundantCode/DeadStoreOfLocal/main.go @@ -22,7 +22,7 @@ func main() { } func deadParameter(x int) bool { // we don't want to flag x here - x = deadStore() // but we do want to flag this + x = deadStore() // $ Alert[go/useless-assignment-to-local] // but we do want to flag this return true } diff --git a/go/ql/test/query-tests/RedundantCode/DeadStoreOfLocal/testdata.go b/go/ql/test/query-tests/RedundantCode/DeadStoreOfLocal/testdata.go index dad31ebd1aef..e9baf635abb4 100644 --- a/go/ql/test/query-tests/RedundantCode/DeadStoreOfLocal/testdata.go +++ b/go/ql/test/query-tests/RedundantCode/DeadStoreOfLocal/testdata.go 
@@ -29,12 +29,12 @@ func _() { func _() { var x int _ = x - x = deadStore() // BAD + x = deadStore() // $ Alert[go/useless-assignment-to-local] // BAD } func _() { var x int - x = deadStore() // BAD + x = deadStore() // $ Alert[go/useless-assignment-to-local] // BAD x = 0 _ = x } @@ -58,13 +58,13 @@ func _() { } func _() { - x := deadStore2() // BAD + x := deadStore2() // $ Alert[go/useless-assignment-to-local] // BAD x = "def" _ = x } func _() { - x := deadStore() // BAD + x := deadStore() // $ Alert[go/useless-assignment-to-local] // BAD x = 0 _ = x } @@ -96,18 +96,18 @@ func _() { } func _() { - x := deadStore() // BAD + x := deadStore() // $ Alert[go/useless-assignment-to-local] // BAD if b { - x = deadStore() // BAD + x = deadStore() // $ Alert[go/useless-assignment-to-local] // BAD } x = 0 _ = x } func _() { - x := deadStore() // BAD + x := deadStore() // $ Alert[go/useless-assignment-to-local] // BAD for b { - x = deadStore() // BAD + x = deadStore() // $ Alert[go/useless-assignment-to-local] // BAD } x = 0 _ = x @@ -125,13 +125,13 @@ func _() { } func _() { - x := deadStore() // BAD + x := deadStore() // $ Alert[go/useless-assignment-to-local] // BAD if b { - x = deadStore() // BAD - x = deadStore() // BAD + x = deadStore() // $ Alert[go/useless-assignment-to-local] // BAD + x = deadStore() // $ Alert[go/useless-assignment-to-local] // BAD } if b { - x = deadStore() // BAD + x = deadStore() // $ Alert[go/useless-assignment-to-local] // BAD } x = 0 _ = x @@ -140,7 +140,7 @@ func _() { func _() { x := 0 if b { - x = deadStore() // BAD + x = deadStore() // $ Alert[go/useless-assignment-to-local] // BAD x = 0 } if b { @@ -161,7 +161,7 @@ func _() { x := 0 for { _ = x - x = deadStore() // BAD + x = deadStore() // $ Alert[go/useless-assignment-to-local] // BAD x = 0 } } @@ -169,7 +169,7 @@ func _() { func _() { x := 0 for { - x += deadStore() // BAD + x += deadStore() // $ Alert[go/useless-assignment-to-local] // BAD x = 0 } } 
@@ -177,7 +177,7 @@ func _() { func _() { x := 0 for { - x++ // BAD + x++ // $ Alert[go/useless-assignment-to-local] // BAD x = 0 } } @@ -198,7 +198,7 @@ func _() { func _() { x := struct{ f int }{42} _ = x.f - x = struct{ f int }{23} + x = struct{ f int }{23} // $ Alert[go/useless-assignment-to-local] } func _() { @@ -259,13 +259,13 @@ func _() (x int) { } func _() (x int) { - x = deadStore() // BAD + x = deadStore() // $ Alert[go/useless-assignment-to-local] // BAD x = 0 return } func _() (x int) { - x = deadStore() // BAD + x = deadStore() // $ Alert[go/useless-assignment-to-local] // BAD return 0 } @@ -306,7 +306,7 @@ func _(a float32, b float32) (x int) { func _(a float32, b float32) (x int) { x = 1 - a /= b + a /= b // $ Alert[go/useless-assignment-to-local] return 2 } @@ -318,7 +318,7 @@ func _(a int, b int) (x int) { func _(a int, b int) (x int) { x = 1 - a %= b + a %= b // $ Alert[go/useless-assignment-to-local] return 2 } @@ -384,7 +384,7 @@ func _() { case true: _ = x default: - x = deadStore() // BAD + x = deadStore() // $ Alert[go/useless-assignment-to-local] // BAD fallthrough case b: } @@ -429,16 +429,16 @@ func _() { var ch chan int select { case ch <- 0: - x = deadStore() // BAD + x = deadStore() // $ Alert[go/useless-assignment-to-local] // BAD case <-ch: - x = deadStore() // BAD + x = deadStore() // $ Alert[go/useless-assignment-to-local] // BAD default: _ = x } } func _() { - x := deadStore() // BAD + x := deadStore() // $ Alert[go/useless-assignment-to-local] // BAD var ch chan int select { case ch <- 0: @@ -485,7 +485,7 @@ func _() { func _() { var x int if b { - x = deadStore() // BAD + x = deadStore() // $ Alert[go/useless-assignment-to-local] // BAD } if x = 0; b { @@ -539,7 +539,7 @@ func _() { func _() { x := 0 for x < 0 { - x = deadStore() // BAD + x = deadStore() // $ Alert[go/useless-assignment-to-local] // BAD if b { break } 
@@ -577,7 +577,7 @@ func _() { var x int for { if b { - x = deadStore() // BAD + x = deadStore() // $ Alert[go/useless-assignment-to-local] // BAD break } _ = x @@ -626,7 +626,7 @@ func _(v1, v2 int32) (int32, int32) { func _(v1, v2 int32) (int32, int32) { if v1 > v2 { - v1, _ = v2, v1 + v1, _ = v2, v1 // $ Alert[go/useless-assignment-to-local] } v1, v2 = 0, 0 return v1, v2 diff --git a/go/ql/test/query-tests/RedundantCode/DuplicateBranches/DuplicateBranches.go b/go/ql/test/query-tests/RedundantCode/DuplicateBranches/DuplicateBranches.go index f4bc36b63fe6..1f163c2867f9 100644 --- a/go/ql/test/query-tests/RedundantCode/DuplicateBranches/DuplicateBranches.go +++ b/go/ql/test/query-tests/RedundantCode/DuplicateBranches/DuplicateBranches.go @@ -1,7 +1,7 @@ package main func abs(x int) int { - if x >= 0 { + if x >= 0 { // $ Alert return x } else { return x diff --git a/go/ql/test/query-tests/RedundantCode/DuplicateBranches/DuplicateBranches.qlref b/go/ql/test/query-tests/RedundantCode/DuplicateBranches/DuplicateBranches.qlref index 3eb10d9d91fb..a32bc6c31f1a 100644 --- a/go/ql/test/query-tests/RedundantCode/DuplicateBranches/DuplicateBranches.qlref +++ b/go/ql/test/query-tests/RedundantCode/DuplicateBranches/DuplicateBranches.qlref @@ -1 +1,2 @@ -RedundantCode/DuplicateBranches.ql +query: RedundantCode/DuplicateBranches.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/go/ql/test/query-tests/RedundantCode/DuplicateBranches/main.go b/go/ql/test/query-tests/RedundantCode/DuplicateBranches/main.go index 0a524b094a7d..9e3677835503 100644 --- a/go/ql/test/query-tests/RedundantCode/DuplicateBranches/main.go +++ b/go/ql/test/query-tests/RedundantCode/DuplicateBranches/main.go @@ -3,7 +3,7 @@ package main import "fmt" func bad(x int) { - if x < 0 { // NOT OK + if x < 0 { // $ Alert // NOT OK fmt.Println("x is negative") } else { fmt.Println("x is negative") 
diff --git a/go/ql/test/query-tests/RedundantCode/DuplicateCondition/DuplicateCondition.go b/go/ql/test/query-tests/RedundantCode/DuplicateCondition/DuplicateCondition.go index a93bb546c425..2ad4ad8e0e49 100644 --- a/go/ql/test/query-tests/RedundantCode/DuplicateCondition/DuplicateCondition.go +++ b/go/ql/test/query-tests/RedundantCode/DuplicateCondition/DuplicateCondition.go @@ -1,9 +1,9 @@ package main func controller(msg string) { - if msg == "start" { + if msg == "start" { // $ Source start() - } else if msg == "start" { // NOT OK + } else if msg == "start" { // $ Alert // NOT OK stop() } else { panic("Message not understood.") diff --git a/go/ql/test/query-tests/RedundantCode/DuplicateCondition/DuplicateCondition.qlref b/go/ql/test/query-tests/RedundantCode/DuplicateCondition/DuplicateCondition.qlref index a6069ea94ad1..36bb8140f1a2 100644 --- a/go/ql/test/query-tests/RedundantCode/DuplicateCondition/DuplicateCondition.qlref +++ b/go/ql/test/query-tests/RedundantCode/DuplicateCondition/DuplicateCondition.qlref @@ -1 +1,2 @@ -RedundantCode/DuplicateCondition.ql +query: RedundantCode/DuplicateCondition.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/go/ql/test/query-tests/RedundantCode/DuplicateCondition/tst.go b/go/ql/test/query-tests/RedundantCode/DuplicateCondition/tst.go index 912f13fef7e6..60e88d978f6f 100644 --- a/go/ql/test/query-tests/RedundantCode/DuplicateCondition/tst.go +++ b/go/ql/test/query-tests/RedundantCode/DuplicateCondition/tst.go @@ -5,8 +5,8 @@ func check(x int) bool { } func main() { - if ok := check(42); ok { - } else if ok { // NOT OK + if ok := check(42); ok { // $ Source + } else if ok { // $ Alert // NOT OK } else if ok := check(23); ok { // OK } } diff --git a/go/ql/test/query-tests/RedundantCode/DuplicateSwitchCase/DuplicateSwitchCase.go b/go/ql/test/query-tests/RedundantCode/DuplicateSwitchCase/DuplicateSwitchCase.go index 1c902c1328be..6b20ddba8069 100644 
--- a/go/ql/test/query-tests/RedundantCode/DuplicateSwitchCase/DuplicateSwitchCase.go +++ b/go/ql/test/query-tests/RedundantCode/DuplicateSwitchCase/DuplicateSwitchCase.go @@ -4,7 +4,7 @@ func controller(msg string) { switch { case msg == "start": start() - case msg == "start": + case msg == "start": // $ Alert[go/duplicate-switch-case] stop() default: panic("Message not understood.") diff --git a/go/ql/test/query-tests/RedundantCode/DuplicateSwitchCase/DuplicateSwitchCase.qlref b/go/ql/test/query-tests/RedundantCode/DuplicateSwitchCase/DuplicateSwitchCase.qlref index 570b78b50543..aee21264046e 100644 --- a/go/ql/test/query-tests/RedundantCode/DuplicateSwitchCase/DuplicateSwitchCase.qlref +++ b/go/ql/test/query-tests/RedundantCode/DuplicateSwitchCase/DuplicateSwitchCase.qlref @@ -1 +1,3 @@ -RedundantCode/DuplicateSwitchCase.ql +query: RedundantCode/DuplicateSwitchCase.ql +postprocess: + - utils/test/InlineExpectationsTestQuery.ql diff --git a/go/ql/test/query-tests/RedundantCode/DuplicateSwitchCase/tst.go b/go/ql/test/query-tests/RedundantCode/DuplicateSwitchCase/tst.go index c927cd3d6862..1c2ab4924d0a 100644 --- a/go/ql/test/query-tests/RedundantCode/DuplicateSwitchCase/tst.go +++ b/go/ql/test/query-tests/RedundantCode/DuplicateSwitchCase/tst.go @@ -6,7 +6,7 @@ func check(x int) { case x < 42: - case x < 23: // NOT OK + case x < 23: // $ Alert[go/duplicate-switch-case] // NOT OK } } diff --git a/go/ql/test/query-tests/RedundantCode/ExprHasNoEffect/ExprHasNoEffect.go b/go/ql/test/query-tests/RedundantCode/ExprHasNoEffect/ExprHasNoEffect.go index 3c8b85f1e674..3b647bc2a8a2 100644 --- a/go/ql/test/query-tests/RedundantCode/ExprHasNoEffect/ExprHasNoEffect.go +++ b/go/ql/test/query-tests/RedundantCode/ExprHasNoEffect/ExprHasNoEffect.go @@ -10,6 +10,6 @@ func (t Timestamp) addDays(d int) Timestamp { func test(t Timestamp) { fmt.Printf("Before: %s\n", t) - t.addDays(7) + t.addDays(7) // $ Alert fmt.Printf("After: %s\n", t) } 
diff --git a/go/ql/test/query-tests/RedundantCode/ExprHasNoEffect/ExprHasNoEffect.qlref b/go/ql/test/query-tests/RedundantCode/ExprHasNoEffect/ExprHasNoEffect.qlref index d13ada431941..bb4426132466 100644 --- a/go/ql/test/query-tests/RedundantCode/ExprHasNoEffect/ExprHasNoEffect.qlref +++ b/go/ql/test/query-tests/RedundantCode/ExprHasNoEffect/ExprHasNoEffect.qlref @@ -1 +1,2 @@ -RedundantCode/ExprHasNoEffect.ql +query: RedundantCode/ExprHasNoEffect.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/go/ql/test/query-tests/RedundantCode/ExprHasNoEffect/main.go b/go/ql/test/query-tests/RedundantCode/ExprHasNoEffect/main.go index e9c18030df55..960260b1fce5 100644 --- a/go/ql/test/query-tests/RedundantCode/ExprHasNoEffect/main.go +++ b/go/ql/test/query-tests/RedundantCode/ExprHasNoEffect/main.go @@ -23,10 +23,10 @@ func div(x int, y int) int { } func main() { - f1(42) // NOT OK + f1(42) // $ Alert // NOT OK f2(42) // OK - f1(f2(42)) // NOT OK - abs(-2) // NOT OK + f1(f2(42)) // $ Alert // NOT OK + abs(-2) // $ Alert // NOT OK div(1, 0) // OK dostuff() // OK cleanup() // OK diff --git a/go/ql/test/query-tests/RedundantCode/ImpossibleInterfaceNilCheck/ImpossibleInterfaceNilCheck.go b/go/ql/test/query-tests/RedundantCode/ImpossibleInterfaceNilCheck/ImpossibleInterfaceNilCheck.go index 00b015d3814d..f0013365e1fa 100644 --- a/go/ql/test/query-tests/RedundantCode/ImpossibleInterfaceNilCheck/ImpossibleInterfaceNilCheck.go +++ b/go/ql/test/query-tests/RedundantCode/ImpossibleInterfaceNilCheck/ImpossibleInterfaceNilCheck.go @@ -6,7 +6,7 @@ func niceFetch(url string) { var s string var e error s, e = fetch(url) - if e != nil { + if e != nil { // $ Alert fmt.Printf("Unable to fetch URL: %v\n", e) } else { fmt.Printf("URL contents: %s\n", s) 
diff --git a/go/ql/test/query-tests/RedundantCode/ImpossibleInterfaceNilCheck/ImpossibleInterfaceNilCheck.qlref b/go/ql/test/query-tests/RedundantCode/ImpossibleInterfaceNilCheck/ImpossibleInterfaceNilCheck.qlref index d858724be57a..0049d67433aa 100644 --- a/go/ql/test/query-tests/RedundantCode/ImpossibleInterfaceNilCheck/ImpossibleInterfaceNilCheck.qlref +++ b/go/ql/test/query-tests/RedundantCode/ImpossibleInterfaceNilCheck/ImpossibleInterfaceNilCheck.qlref @@ -1 +1,2 @@ -RedundantCode/ImpossibleInterfaceNilCheck.ql +query: RedundantCode/ImpossibleInterfaceNilCheck.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/go/ql/test/query-tests/RedundantCode/ImpossibleInterfaceNilCheck/tst.go b/go/ql/test/query-tests/RedundantCode/ImpossibleInterfaceNilCheck/tst.go index 81584045c131..e7716a7584a4 100644 --- a/go/ql/test/query-tests/RedundantCode/ImpossibleInterfaceNilCheck/tst.go +++ b/go/ql/test/query-tests/RedundantCode/ImpossibleInterfaceNilCheck/tst.go @@ -7,7 +7,7 @@ func test1() { var y interface{} = x fmt.Println(x == nil) fmt.Println(x == y) - fmt.Println(y == nil) // NOT OK + fmt.Println(y == nil) // $ Alert // NOT OK } func test2() { diff --git a/go/ql/test/query-tests/RedundantCode/NegativeLengthCheck/NegativeLengthCheck.go b/go/ql/test/query-tests/RedundantCode/NegativeLengthCheck/NegativeLengthCheck.go index 6ebdb224ee13..9c7460b94325 100644 --- a/go/ql/test/query-tests/RedundantCode/NegativeLengthCheck/NegativeLengthCheck.go +++ b/go/ql/test/query-tests/RedundantCode/NegativeLengthCheck/NegativeLengthCheck.go @@ -1,7 +1,7 @@ package main func getFirst(xs []int) int { - if len(xs) < 0 { + if len(xs) < 0 { // $ Alert panic("No elements provided") } return xs[0] diff --git a/go/ql/test/query-tests/RedundantCode/NegativeLengthCheck/NegativeLengthCheck.qlref b/go/ql/test/query-tests/RedundantCode/NegativeLengthCheck/NegativeLengthCheck.qlref index d3e9be220bf3..de3ae7284148 100644 
--- a/go/ql/test/query-tests/RedundantCode/NegativeLengthCheck/NegativeLengthCheck.qlref +++ b/go/ql/test/query-tests/RedundantCode/NegativeLengthCheck/NegativeLengthCheck.qlref @@ -1 +1,2 @@ -RedundantCode/NegativeLengthCheck.ql +query: RedundantCode/NegativeLengthCheck.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/go/ql/test/query-tests/RedundantCode/NegativeLengthCheck/main.go b/go/ql/test/query-tests/RedundantCode/NegativeLengthCheck/main.go index f43f4851c5f0..9b145e293e20 100644 --- a/go/ql/test/query-tests/RedundantCode/NegativeLengthCheck/main.go +++ b/go/ql/test/query-tests/RedundantCode/NegativeLengthCheck/main.go @@ -3,7 +3,7 @@ package main import "os" func main() { - if len(os.Args) < 0 { // NOT OK + if len(os.Args) < 0 { // $ Alert // NOT OK println("No arguments provided.") } @@ -11,21 +11,21 @@ func main() { println("No arguments provided.") } - if cap(os.Args) < 0 { // NOT OK + if cap(os.Args) < 0 { // $ Alert // NOT OK println("Out of space!") } - if len(os.Args) <= -1 { // NOT OK + if len(os.Args) <= -1 { // $ Alert // NOT OK println("No arguments provided.") } - if len(os.Args) == -1 { // NOT OK + if len(os.Args) == -1 { // $ Alert // NOT OK println("No arguments provided.") } } func checkNegative(x uint) bool { - return x < 0 // NOT OK + return x < 0 // $ Alert // NOT OK } func checkNonPositive(x uint) bool { diff --git a/go/ql/test/query-tests/RedundantCode/RedundantExpr/RedundantExpr.go b/go/ql/test/query-tests/RedundantCode/RedundantExpr/RedundantExpr.go index 033f3883b0a7..c71d8f352fb6 100644 --- a/go/ql/test/query-tests/RedundantCode/RedundantExpr/RedundantExpr.go +++ b/go/ql/test/query-tests/RedundantCode/RedundantExpr/RedundantExpr.go @@ -1,5 +1,5 @@ package main func avg(x, y float64) float64 { - return (x + x) / 2 + return (x + x) / 2 // $ Alert[go/redundant-operation] } 
diff --git a/go/ql/test/query-tests/RedundantCode/RedundantExpr/RedundantExpr.qlref b/go/ql/test/query-tests/RedundantCode/RedundantExpr/RedundantExpr.qlref
index 23a5db7b419f..12b5700023b4 100644
--- a/go/ql/test/query-tests/RedundantCode/RedundantExpr/RedundantExpr.qlref
+++ b/go/ql/test/query-tests/RedundantCode/RedundantExpr/RedundantExpr.qlref
@@ -1 +1,3 @@
-RedundantCode/RedundantExpr.ql
+query: RedundantCode/RedundantExpr.ql
+postprocess:
+ - utils/test/InlineExpectationsTestQuery.ql
diff --git a/go/ql/test/query-tests/RedundantCode/RedundantExpr/tst.go b/go/ql/test/query-tests/RedundantCode/RedundantExpr/tst.go
index e4106fb7bfaa..b7eba33e2a66 100644
--- a/go/ql/test/query-tests/RedundantCode/RedundantExpr/tst.go
+++ b/go/ql/test/query-tests/RedundantCode/RedundantExpr/tst.go
@@ -1,12 +1,12 @@
 package main
 func foo(x int) int {
- return x - x /* NOT OK */ + (x & x) /* NOT OK */
+ return x - x /* NOT OK */ + (x & x) /* NOT OK */ // $ Alert[go/redundant-operation]
 }
 func bar(b bool, x float32) float32 {
 if b {
- return (x + x) / 2 // NOT OK
+ return (x + x) / 2 // $ Alert[go/redundant-operation] // NOT OK
 } else {
 return (x * x) / 2 // OK
 }
diff --git a/go/ql/test/query-tests/RedundantCode/RedundantRecover/RedundantRecover.qlref b/go/ql/test/query-tests/RedundantCode/RedundantRecover/RedundantRecover.qlref
index c8997068734d..bd17a344b030 100644
--- a/go/ql/test/query-tests/RedundantCode/RedundantRecover/RedundantRecover.qlref
+++ b/go/ql/test/query-tests/RedundantCode/RedundantRecover/RedundantRecover.qlref
@@ -1 +1,3 @@
-RedundantCode/RedundantRecover.ql
+query: RedundantCode/RedundantRecover.ql
+postprocess:
+ - utils/test/InlineExpectationsTestQuery.ql
diff --git a/go/ql/test/query-tests/RedundantCode/RedundantRecover/RedundantRecover1.go b/go/ql/test/query-tests/RedundantCode/RedundantRecover/RedundantRecover1.go
index d058dd0dfdea..6737f3ccf4ea 100644
--- a/go/ql/test/query-tests/RedundantCode/RedundantRecover/RedundantRecover1.go
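Review bot: The new RedundantExpr.qlref writes `postprocess` as a one-item YAML list while the other single-postprocessor qlrefs rewritten in this commit (ExprHasNoEffect, SelfAssignment, ShiftOutOfRange on nearby lines) use the scalar form `postprocess: utils/test/InlineExpectationsTestQuery.ql`. Both forms parse, but mixing them across one series makes later diffs noisier when a second postprocessor such as PrettyPrintModels is added or removed. Pick one form for the whole change; if the list form is preferred because the PrettyPrintModels tests already need it, convert the scalar ones rather than leaving two spellings. The RedundantRecover.qlref hunk on this same line has the same split.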
+++ b/go/ql/test/query-tests/RedundantCode/RedundantRecover/RedundantRecover1.go
@@ -3,7 +3,7 @@ package main
 import "fmt"
 func callRecover1() {
- if recover() != nil {
+ if recover() != nil { // $ Alert[go/redundant-recover]
 fmt.Printf("recovered")
 }
 }
diff --git a/go/ql/test/query-tests/RedundantCode/RedundantRecover/RedundantRecover2.go b/go/ql/test/query-tests/RedundantCode/RedundantRecover/RedundantRecover2.go
index 4365cb7c9fe5..1a566e928c47 100644
--- a/go/ql/test/query-tests/RedundantCode/RedundantRecover/RedundantRecover2.go
+++ b/go/ql/test/query-tests/RedundantCode/RedundantRecover/RedundantRecover2.go
@@ -1,6 +1,6 @@
 package main
 func fun2() {
- defer recover()
+ defer recover() // $ Alert[go/redundant-recover]
 panic("2")
 }
diff --git a/go/ql/test/query-tests/RedundantCode/RedundantRecover/tst.go b/go/ql/test/query-tests/RedundantCode/RedundantRecover/tst.go
index 0533a0609318..54dc3796d5f3 100644
--- a/go/ql/test/query-tests/RedundantCode/RedundantRecover/tst.go
+++ b/go/ql/test/query-tests/RedundantCode/RedundantRecover/tst.go
@@ -5,7 +5,7 @@ import "fmt"
 func callRecover3() {
 // This will have no effect because panics do not propagate down the stack,
 // only back up the stack
- if recover() != nil {
+ if recover() != nil { // $ Alert[go/redundant-recover]
 fmt.Printf("recovered")
 }
 }
diff --git a/go/ql/test/query-tests/RedundantCode/SelfAssignment/SelfAssignment.go b/go/ql/test/query-tests/RedundantCode/SelfAssignment/SelfAssignment.go
index ab2e585e1988..00b971db61a8 100644
--- a/go/ql/test/query-tests/RedundantCode/SelfAssignment/SelfAssignment.go
+++ b/go/ql/test/query-tests/RedundantCode/SelfAssignment/SelfAssignment.go
@@ -9,5 +9,5 @@ func (r *Rect) setWidth(width int) {
 }
 func (r *Rect) setHeight(height int) {
- height = height
+ height = height // $ Alert
 }
diff --git a/go/ql/test/query-tests/RedundantCode/SelfAssignment/SelfAssignment.qlref b/go/ql/test/query-tests/RedundantCode/SelfAssignment/SelfAssignment.qlref
index 3eebdc5dc73f..fcdd17256036 100644
--- a/go/ql/test/query-tests/RedundantCode/SelfAssignment/SelfAssignment.qlref
+++ b/go/ql/test/query-tests/RedundantCode/SelfAssignment/SelfAssignment.qlref
@@ -1 +1,2 @@
-RedundantCode/SelfAssignment.ql
+query: RedundantCode/SelfAssignment.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/go/ql/test/query-tests/RedundantCode/SelfAssignment/tst.go b/go/ql/test/query-tests/RedundantCode/SelfAssignment/tst.go
index 31a556ce551a..fef980cdc152 100644
--- a/go/ql/test/query-tests/RedundantCode/SelfAssignment/tst.go
+++ b/go/ql/test/query-tests/RedundantCode/SelfAssignment/tst.go
@@ -2,5 +2,5 @@ package main
 func main() {
 x := 42
- x = x // NOT OK
+ x = x // $ Alert // NOT OK
 }
diff --git a/go/ql/test/query-tests/RedundantCode/ShiftOutOfRange/ShiftOutOfRange.go b/go/ql/test/query-tests/RedundantCode/ShiftOutOfRange/ShiftOutOfRange.go
index aaa05763ce2a..64d1383393df 100644
--- a/go/ql/test/query-tests/RedundantCode/ShiftOutOfRange/ShiftOutOfRange.go
+++ b/go/ql/test/query-tests/RedundantCode/ShiftOutOfRange/ShiftOutOfRange.go
@@ -1,7 +1,7 @@
 package main
 func shift(base int32) int32 {
- return base << 40
+ return base << 40 // $ Alert
 }
 var x1 = shift(1)
diff --git a/go/ql/test/query-tests/RedundantCode/ShiftOutOfRange/ShiftOutOfRange.qlref b/go/ql/test/query-tests/RedundantCode/ShiftOutOfRange/ShiftOutOfRange.qlref
index 223322f97762..2920410dfebb 100644
--- a/go/ql/test/query-tests/RedundantCode/ShiftOutOfRange/ShiftOutOfRange.qlref
+++ b/go/ql/test/query-tests/RedundantCode/ShiftOutOfRange/ShiftOutOfRange.qlref
@@ -1 +1,2 @@
-RedundantCode/ShiftOutOfRange.ql
+query: RedundantCode/ShiftOutOfRange.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/go/ql/test/query-tests/RedundantCode/ShiftOutOfRange/main.go b/go/ql/test/query-tests/RedundantCode/ShiftOutOfRange/main.go index 4afb91d1750d..22d68cc6bac7 100644 --- a/go/ql/test/query-tests/RedundantCode/ShiftOutOfRange/main.go +++ b/go/ql/test/query-tests/RedundantCode/ShiftOutOfRange/main.go @@ -1,15 +1,15 @@ package main func bad1(x uint8) uint8 { - return x << 8 // NOT OK + return x << 8 // $ Alert // NOT OK } func bad2(y int32) int32 { - return y >> 33 // NOT OK + return y >> 33 // $ Alert // NOT OK } func bad3(z int) int { - return z << 64 // NOT OK + return z << 64 // $ Alert // NOT OK } func good1(x uint8) uint8 { diff --git a/go/ql/test/query-tests/RedundantCode/UnreachableStatement/UnreachableStatement.go b/go/ql/test/query-tests/RedundantCode/UnreachableStatement/UnreachableStatement.go index 10250238158d..a11218b99e15 100644 --- a/go/ql/test/query-tests/RedundantCode/UnreachableStatement/UnreachableStatement.go +++ b/go/ql/test/query-tests/RedundantCode/UnreachableStatement/UnreachableStatement.go @@ -2,7 +2,7 @@ package main func mul(xs []int) int { res := 1 - for i := 0; i < len(xs); i++ { + for i := 0; i < len(xs); i++ { // $ Alert x := xs[i] res *= x if res == 0 { diff --git a/go/ql/test/query-tests/RedundantCode/UnreachableStatement/UnreachableStatement.qlref b/go/ql/test/query-tests/RedundantCode/UnreachableStatement/UnreachableStatement.qlref index 645ea6222276..a705d9b8cff5 100644 --- a/go/ql/test/query-tests/RedundantCode/UnreachableStatement/UnreachableStatement.qlref +++ b/go/ql/test/query-tests/RedundantCode/UnreachableStatement/UnreachableStatement.qlref @@ -1 +1,2 @@ -RedundantCode/UnreachableStatement.ql +query: RedundantCode/UnreachableStatement.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/go/ql/test/query-tests/RedundantCode/UnreachableStatement/main.go b/go/ql/test/query-tests/RedundantCode/UnreachableStatement/main.go index 7903ef1ef846..cc26b717f605 100644 
--- a/go/ql/test/query-tests/RedundantCode/UnreachableStatement/main.go +++ b/go/ql/test/query-tests/RedundantCode/UnreachableStatement/main.go @@ -10,16 +10,16 @@ func reachable() {} func test1() { return - unreachable() // NOT OK + unreachable() // $ Alert // NOT OK } func test2() { select {} - unreachable() // NOT OK + unreachable() // $ Alert // NOT OK } func test3() { - for i := 0; i < 10; unreachable() { // NOT OK + for i := 0; i < 10; unreachable() { // $ Alert // NOT OK return } } @@ -27,7 +27,7 @@ func test3() { func test4() { for true { } - unreachable() // NOT OK + unreachable() // $ Alert // NOT OK } func test5(cond bool) { @@ -46,15 +46,15 @@ func test6(cond bool) { } reachable() } - unreachable() // NOT OK + unreachable() // $ Alert // NOT OK } func test7(cond bool) { for true { continue - unreachable() // NOT OK + unreachable() // $ Alert // NOT OK } - unreachable() // NOT OK + unreachable() // $ Alert // NOT OK } func test8() { @@ -138,25 +138,25 @@ func test16() *mystruct { select {} // Flagged, as `return nil` is possible and preferable when the // return site is unreachable. - return &mystruct{0, true} + return &mystruct{0, true} // $ Alert } func test17() int { select {} // Flagged, as a nontrivial unreachable return - return test10(1) + return test10(1) // $ Alert } func test18() bool { select {} // Flagged, as a nontrivial unreachable return - return test10(1) == 1 + return test10(1) == 1 // $ Alert } func test19() mystruct { select {} // Flagged, as a nontrivial unreachable return - return mystruct{test10(1), test10(2) == 2} + return mystruct{test10(1), test10(2) == 2} // $ Alert } func main() {} diff --git a/go/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegexp/IncompleteHostnameRegexp.go b/go/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegexp/IncompleteHostnameRegexp.go index 073c8555efc0..e76ea040148e 100644 --- a/go/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegexp/IncompleteHostnameRegexp.go 
+++ b/go/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegexp/IncompleteHostnameRegexp.go @@ -8,8 +8,8 @@ import ( func checkRedirect(req *http.Request, via []*http.Request) error { // BAD: the host of `req.URL` may be controlled by an attacker - re := "^((www|beta).)?example.com/" - if matched, _ := regexp.MatchString(re, req.URL.Host); matched { + re := "^((www|beta).)?example.com/" // $ Alert[go/incomplete-hostname-regexp] + if matched, _ := regexp.MatchString(re, req.URL.Host); matched { // $ Sink[go/incomplete-hostname-regexp] return nil } return errors.New("Invalid redirect") diff --git a/go/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegexp/IncompleteHostnameRegexp.qlref b/go/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegexp/IncompleteHostnameRegexp.qlref index 88d20f52eeed..0a6dac4bded6 100644 --- a/go/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegexp/IncompleteHostnameRegexp.qlref +++ b/go/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegexp/IncompleteHostnameRegexp.qlref @@ -1,2 +1,4 @@ query: Security/CWE-020/IncompleteHostnameRegexp.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/go/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegexp/main.go b/go/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegexp/main.go index 7eda0d7255a2..716bcf08b63d 100644 --- a/go/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegexp/main.go +++ b/go/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegexp/main.go 
@@ -37,30 +37,30 @@ func proxy() { HandleConnect(goproxy.AlwaysReject) // OK (rejecting all requests) proxy.OnRequest(goproxy.ReqHostMatches(regexp.MustCompile("^test1.github.com$"))). DoFunc(reject) // OK (rejecting all requests) - proxy.OnRequest(goproxy.ReqHostMatches(regexp.MustCompile("^test2.github.com$"))). + proxy.OnRequest(goproxy.ReqHostMatches(regexp.MustCompile("^test2.github.com$"))). // $ Alert[go/incomplete-hostname-regexp] DoFunc(sometimesReject) // NOT OK (sometimes accepts requests) } func main() { - regexp.Match(`https://www.example.com`, []byte("")) // NOT OK + regexp.Match(`https://www.example.com`, []byte("")) // $ Alert[go/incomplete-hostname-regexp] // NOT OK regexp.Match(`https://www\.example\.com`, []byte("")) // OK } -const sourceConst = `https://www.example.com` +const sourceConst = `https://www.example.com` // $ Alert[go/incomplete-hostname-regexp] const firstHalfConst = `https://www.example.` func concatenateStrings() { firstHalf := `https://www.example.` regexp.Match(firstHalf+`com`, []byte("")) // MISSING: NOT OK - regexp.Match(firstHalfConst+`com`, []byte("")) // NOT OK + regexp.Match(firstHalfConst+`com`, []byte("")) // $ Alert[go/incomplete-hostname-regexp] // NOT OK - regexp.Match(`https://www.example.`+`com`, []byte("")) // NOT OK + regexp.Match(`https://www.example.`+`com`, []byte("")) // $ Alert[go/incomplete-hostname-regexp] // NOT OK } func avoidDuplicateResults() { localVar1 := sourceConst localVar2 := localVar1 localVar3 := localVar2 - regexp.Match(localVar3, []byte("")) // NOT OK + regexp.Match(localVar3, []byte("")) // $ Sink[go/incomplete-hostname-regexp] // NOT OK } diff --git a/go/ql/test/query-tests/Security/CWE-020/IncompleteUrlSchemeCheck/IncompleteUrlSchemeCheck.go b/go/ql/test/query-tests/Security/CWE-020/IncompleteUrlSchemeCheck/IncompleteUrlSchemeCheck.go index f38261a032d1..69221d5c2129 100644 --- a/go/ql/test/query-tests/Security/CWE-020/IncompleteUrlSchemeCheck/IncompleteUrlSchemeCheck.go 
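Review bot: The known false negative in `concatenateStrings` is still recorded only as a free-text comment, `regexp.Match(firstHalf+`com`, []byte("")) // MISSING: NOT OK`, while every other expectation in this hunk was converted to an inline-expectations tag. The framework has a dedicated marker for results that should exist but do not, so this line should become `regexp.Match(firstHalf+`com`, []byte("")) // $ MISSING: Alert[go/incomplete-hostname-regexp]`; that way the test fails loudly (as a change in expectations) the day the query starts tracking the non-constant concatenation, instead of the gap being silently forgotten. The plain `// NOT OK` suffixes kept next to `$ Alert` tags elsewhere in the hunk are now redundant and could be dropped in the same pass.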
+++ b/go/ql/test/query-tests/Security/CWE-020/IncompleteUrlSchemeCheck/IncompleteUrlSchemeCheck.go @@ -4,7 +4,7 @@ import "net/url" func sanitizeUrl(urlstr string) string { u, err := url.Parse(urlstr) - if err != nil || u.Scheme == "javascript" { + if err != nil || u.Scheme == "javascript" { // $ Alert return "about:blank" } return urlstr diff --git a/go/ql/test/query-tests/Security/CWE-020/IncompleteUrlSchemeCheck/IncompleteUrlSchemeCheck.qlref b/go/ql/test/query-tests/Security/CWE-020/IncompleteUrlSchemeCheck/IncompleteUrlSchemeCheck.qlref index b27571781b34..0c088087e994 100644 --- a/go/ql/test/query-tests/Security/CWE-020/IncompleteUrlSchemeCheck/IncompleteUrlSchemeCheck.qlref +++ b/go/ql/test/query-tests/Security/CWE-020/IncompleteUrlSchemeCheck/IncompleteUrlSchemeCheck.qlref @@ -1 +1,2 @@ -Security/CWE-020/IncompleteUrlSchemeCheck.ql +query: Security/CWE-020/IncompleteUrlSchemeCheck.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/go/ql/test/query-tests/Security/CWE-020/IncompleteUrlSchemeCheck/main.go b/go/ql/test/query-tests/Security/CWE-020/IncompleteUrlSchemeCheck/main.go index ebe18f142f80..8b96f7c0af8c 100644 --- a/go/ql/test/query-tests/Security/CWE-020/IncompleteUrlSchemeCheck/main.go +++ b/go/ql/test/query-tests/Security/CWE-020/IncompleteUrlSchemeCheck/main.go @@ -14,7 +14,7 @@ func test(urlstr string) { urlstr = strings.NewReplacer("\n", "", "\r", "", "\t", "", "\u0000", "").Replace(urlstr) urlstr = strings.ToLower(urlstr) - if strings.HasPrefix(urlstr, "javascript:") || strings.HasPrefix(urlstr, "data:") { // NOT OK + if strings.HasPrefix(urlstr, "javascript:") || strings.HasPrefix(urlstr, "data:") { // $ Alert // NOT OK return } } diff --git a/go/ql/test/query-tests/Security/CWE-020/MissingRegexpAnchor/MissingRegexpAnchor.go b/go/ql/test/query-tests/Security/CWE-020/MissingRegexpAnchor/MissingRegexpAnchor.go index 60cb9d5b6bbc..6e7a567cb8cd 100644 
--- a/go/ql/test/query-tests/Security/CWE-020/MissingRegexpAnchor/MissingRegexpAnchor.go +++ b/go/ql/test/query-tests/Security/CWE-020/MissingRegexpAnchor/MissingRegexpAnchor.go @@ -8,7 +8,7 @@ import ( func checkRedirect2(req *http.Request, via []*http.Request) error { // BAD: the host of `req.URL` may be controlled by an attacker - re := "https?://www\\.example\\.com/" + re := "https?://www\\.example\\.com/" // $ Alert if matched, _ := regexp.MatchString(re, req.URL.String()); matched { return nil } diff --git a/go/ql/test/query-tests/Security/CWE-020/MissingRegexpAnchor/MissingRegexpAnchor.qlref b/go/ql/test/query-tests/Security/CWE-020/MissingRegexpAnchor/MissingRegexpAnchor.qlref index b03fcd14a59e..ba73933077fe 100644 --- a/go/ql/test/query-tests/Security/CWE-020/MissingRegexpAnchor/MissingRegexpAnchor.qlref +++ b/go/ql/test/query-tests/Security/CWE-020/MissingRegexpAnchor/MissingRegexpAnchor.qlref @@ -1 +1,2 @@ -Security/CWE-020/MissingRegexpAnchor.ql +query: Security/CWE-020/MissingRegexpAnchor.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/go/ql/test/query-tests/Security/CWE-020/MissingRegexpAnchor/main.go b/go/ql/test/query-tests/Security/CWE-020/MissingRegexpAnchor/main.go index efd10b7a6e2b..8674e2f2f383 100644 --- a/go/ql/test/query-tests/Security/CWE-020/MissingRegexpAnchor/main.go +++ b/go/ql/test/query-tests/Security/CWE-020/MissingRegexpAnchor/main.go 
@@ -6,36 +6,36 @@ import ( func main() { regexp.Match(`^a|`, []byte("")) // OK - regexp.Match(`^a|b`, []byte("")) // NOT OK + regexp.Match(`^a|b`, []byte("")) // $ Alert // NOT OK regexp.Match(`a|^b`, []byte("")) // OK regexp.Match(`^a|^b`, []byte("")) // OK - regexp.Match(`^a|b|c`, []byte("")) // NOT OK + regexp.Match(`^a|b|c`, []byte("")) // $ Alert // NOT OK regexp.Match(`a|^b|c`, []byte("")) // OK regexp.Match(`a|b|^c`, []byte("")) // OK regexp.Match(`^a|^b|c`, []byte("")) // OK regexp.Match(`(^a)|b`, []byte("")) // OK - regexp.Match(`^a|(b)`, []byte("")) // NOT OK + regexp.Match(`^a|(b)`, []byte("")) // $ Alert // NOT OK regexp.Match(`^a|(^b)`, []byte("")) // OK - regexp.Match(`^(a)|(b)`, []byte("")) // NOT OK + regexp.Match(`^(a)|(b)`, []byte("")) // $ Alert // NOT OK - regexp.Match(`a|b$`, []byte("")) // NOT OK + regexp.Match(`a|b$`, []byte("")) // $ Alert // NOT OK regexp.Match(`a$|b`, []byte("")) // OK regexp.Match(`a$|b$`, []byte("")) // OK - regexp.Match(`a|b|c$`, []byte("")) // NOT OK + regexp.Match(`a|b|c$`, []byte("")) // $ Alert // NOT OK regexp.Match(`a|b$|c`, []byte("")) // OK regexp.Match(`a$|b|c`, []byte("")) // OK regexp.Match(`a|b$|c$`, []byte("")) // OK regexp.Match(`a|(b$)`, []byte("")) // OK - regexp.Match(`(a)|b$`, []byte("")) // NOT OK + regexp.Match(`(a)|b$`, []byte("")) // $ Alert // NOT OK regexp.Match(`(a$)|b$`, []byte("")) // OK - regexp.Match(`(a)|(b)$`, []byte("")) // NOT OK + regexp.Match(`(a)|(b)$`, []byte("")) // $ Alert // NOT OK - regexp.Match(`https?://good.com`, []byte("http://evil.com/?http://good.com")) // NOT OK + regexp.Match(`https?://good.com`, []byte("http://evil.com/?http://good.com")) // $ Alert // NOT OK regexp.Match(`^https?://good.com`, []byte("http://evil.com/?http://good.com")) // OK - regexp.Match(`www\.example\.com`, []byte("")) // NOT OK + regexp.Match(`www\.example\.com`, []byte("")) // $ Alert // NOT OK regexp.Match(`^www\.example\.com`, []byte("")) // OK regexp.Match(`\Awww\.example\.com`, []byte("")) // 
OK regexp.Match(`www\.example\.com$`, []byte("")) // OK diff --git a/go/ql/test/query-tests/Security/CWE-020/SuspiciousCharacterInRegexp/SuspiciousCharacterInRegexp.go b/go/ql/test/query-tests/Security/CWE-020/SuspiciousCharacterInRegexp/SuspiciousCharacterInRegexp.go index d9f2199fd522..e669bc8b54dd 100644 --- a/go/ql/test/query-tests/Security/CWE-020/SuspiciousCharacterInRegexp/SuspiciousCharacterInRegexp.go +++ b/go/ql/test/query-tests/Security/CWE-020/SuspiciousCharacterInRegexp/SuspiciousCharacterInRegexp.go @@ -3,7 +3,7 @@ package main import "regexp" func broken(hostNames []byte) string { - var hostRe = regexp.MustCompile("\bforbidden.host.org") + var hostRe = regexp.MustCompile("\bforbidden.host.org") // $ Alert[go/suspicious-character-in-regex] if hostRe.Match(hostNames) { return "Must not target forbidden.host.org" } else { diff --git a/go/ql/test/query-tests/Security/CWE-020/SuspiciousCharacterInRegexp/SuspiciousCharacterInRegexp.qlref b/go/ql/test/query-tests/Security/CWE-020/SuspiciousCharacterInRegexp/SuspiciousCharacterInRegexp.qlref index 727f3528b23c..1b91d9d0fcf8 100644 --- a/go/ql/test/query-tests/Security/CWE-020/SuspiciousCharacterInRegexp/SuspiciousCharacterInRegexp.qlref +++ b/go/ql/test/query-tests/Security/CWE-020/SuspiciousCharacterInRegexp/SuspiciousCharacterInRegexp.qlref @@ -1 +1,3 @@ -Security/CWE-020/SuspiciousCharacterInRegexp.ql +query: Security/CWE-020/SuspiciousCharacterInRegexp.ql +postprocess: + - utils/test/InlineExpectationsTestQuery.ql diff --git a/go/ql/test/query-tests/Security/CWE-020/SuspiciousCharacterInRegexp/test.go b/go/ql/test/query-tests/Security/CWE-020/SuspiciousCharacterInRegexp/test.go index ff3da9b8496d..f8bc084feec7 100644 --- a/go/ql/test/query-tests/Security/CWE-020/SuspiciousCharacterInRegexp/test.go +++ b/go/ql/test/query-tests/Security/CWE-020/SuspiciousCharacterInRegexp/test.go 
@@ -4,23 +4,23 @@ import "regexp" func main() { // many backslashes - regexp.MustCompile("\a") // BAD + regexp.MustCompile("\a") // $ Alert[go/suspicious-character-in-regex] // BAD regexp.MustCompile("\\a") - regexp.MustCompile("\\\a") // BAD - regexp.MustCompile("x\\\a") // BAD + regexp.MustCompile("\\\a") // $ Alert[go/suspicious-character-in-regex] // BAD + regexp.MustCompile("x\\\a") // $ Alert[go/suspicious-character-in-regex] // BAD regexp.MustCompile("\\\\a") - regexp.MustCompile("\\\\\a") // BAD + regexp.MustCompile("\\\\\a") // $ Alert[go/suspicious-character-in-regex] // BAD regexp.MustCompile("\\\\\\a") - regexp.MustCompile("\\\\\\\a") // BAD + regexp.MustCompile("\\\\\\\a") // $ Alert[go/suspicious-character-in-regex] // BAD regexp.MustCompile("\\\\\\\\a") - regexp.MustCompile("\\\\\\\\\a") // BAD + regexp.MustCompile("\\\\\\\\\a") // $ Alert[go/suspicious-character-in-regex] // BAD regexp.MustCompile("\\\\\\\\\\a") // BAD: probably a mistake: - regexp.MustCompile("hello\aworld") - regexp.MustCompile("hello\\\aworld") - regexp.MustCompile("hello\bworld") - regexp.MustCompile("hello\\\bworld") + regexp.MustCompile("hello\aworld") // $ Alert[go/suspicious-character-in-regex] + regexp.MustCompile("hello\\\aworld") // $ Alert[go/suspicious-character-in-regex] + regexp.MustCompile("hello\bworld") // $ Alert[go/suspicious-character-in-regex] + regexp.MustCompile("hello\\\bworld") // $ Alert[go/suspicious-character-in-regex] // GOOD: more likely deliberate: regexp.MustCompile("hello\\aworld") regexp.MustCompile("hello\x07world") diff --git a/go/ql/test/query-tests/Security/CWE-022/GorillaMuxDefault/TaintedPath.qlref b/go/ql/test/query-tests/Security/CWE-022/GorillaMuxDefault/TaintedPath.qlref index 1e9166dd1cae..688f7b5136f7 100644 --- a/go/ql/test/query-tests/Security/CWE-022/GorillaMuxDefault/TaintedPath.qlref +++ b/go/ql/test/query-tests/Security/CWE-022/GorillaMuxDefault/TaintedPath.qlref 
@@ -1,2 +1,4 @@
 query: Security/CWE-022/TaintedPath.ql
-postprocess: utils/test//PrettyPrintModels.ql
\ No newline at end of file
+postprocess:
+ - utils/test//PrettyPrintModels.ql
+ - utils/test/InlineExpectationsTestQuery.ql
diff --git a/go/ql/test/query-tests/Security/CWE-022/GorillaMuxSkipClean/MuxClean.go b/go/ql/test/query-tests/Security/CWE-022/GorillaMuxSkipClean/MuxClean.go
index cb3b5d2a7b89..39a09e71644a 100644
--- a/go/ql/test/query-tests/Security/CWE-022/GorillaMuxSkipClean/MuxClean.go
+++ b/go/ql/test/query-tests/Security/CWE-022/GorillaMuxSkipClean/MuxClean.go
@@ -10,8 +10,8 @@ import (
 // BAD: Gorilla's `Vars` is not a sanitizer as `Router.SkipClean` has been called
 func GorillaHandler(w http.ResponseWriter, r *http.Request) {
- not_tainted_path := mux.Vars(r)["id"]
- data, _ := ioutil.ReadFile(filepath.Join("/home/user/", not_tainted_path))
+ not_tainted_path := mux.Vars(r)["id"] // $ Source[go/path-injection]
+ data, _ := ioutil.ReadFile(filepath.Join("/home/user/", not_tainted_path)) // $ Alert[go/path-injection]
 w.Write(data)
 }
diff --git a/go/ql/test/query-tests/Security/CWE-022/GorillaMuxSkipClean/TaintedPath.qlref b/go/ql/test/query-tests/Security/CWE-022/GorillaMuxSkipClean/TaintedPath.qlref
index 1e9166dd1cae..688f7b5136f7 100644
--- a/go/ql/test/query-tests/Security/CWE-022/GorillaMuxSkipClean/TaintedPath.qlref
+++ b/go/ql/test/query-tests/Security/CWE-022/GorillaMuxSkipClean/TaintedPath.qlref
@@ -1,2 +1,4 @@
 query: Security/CWE-022/TaintedPath.ql
-postprocess: utils/test//PrettyPrintModels.ql
\ No newline at end of file
+postprocess:
+ - utils/test//PrettyPrintModels.ql
+ - utils/test/InlineExpectationsTestQuery.ql
diff --git a/go/ql/test/query-tests/Security/CWE-022/TaintedPath.go b/go/ql/test/query-tests/Security/CWE-022/TaintedPath.go
index 65da5caecd2c..812b56f7c94b 100644
--- a/go/ql/test/query-tests/Security/CWE-022/TaintedPath.go
+++ b/go/ql/test/query-tests/Security/CWE-022/TaintedPath.go
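Review bot: The rewritten `postprocess` list in GorillaMuxDefault/TaintedPath.qlref carries over the doubled separator from the old scalar line, `- utils/test//PrettyPrintModels.ql`, even though the line is being rewritten anyway. Normalise it to `- utils/test/PrettyPrintModels.ql` so it matches the path spelled in the other CWE-022 qlrefs in this commit (TaintedPath.qlref, ZipSlip.qlref, UnsafeUnzipSymlink.qlref); path resolution presumably tolerates the `//`, but it defeats a plain grep for the postprocessor and looks like a typo to the next reader. The GorillaMuxSkipClean/TaintedPath.qlref hunk further along this line has the identical doubled slash and should get the same fix.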
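Review bot: In the MuxClean.go hunk the local that now carries `// $ Source[go/path-injection]` is still named `not_tainted_path`, which directly contradicts both the new annotation and the `// BAD` comment above the handler. Since the commit already rewrites both lines that use it, rename it to match the sibling fixture TaintedPath.go: `tainted_path := mux.Vars(r)["id"] // $ Source[go/path-injection]` and `data, _ := ioutil.ReadFile(filepath.Join("/home/user/", tainted_path)) // $ Alert[go/path-injection]`. The name probably dates from a version of the test where `Vars` was treated as a sanitizer; now that the expectation says the value is tainted, the identifier should say so too.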
@@ -12,14 +12,14 @@ import ( ) func handler(w http.ResponseWriter, r *http.Request) { - tainted_path := r.URL.Query()["path"][0] + tainted_path := r.URL.Query()["path"][0] // $ Source[go/path-injection] // BAD: This could read any file on the file system - data, _ := ioutil.ReadFile(tainted_path) + data, _ := ioutil.ReadFile(tainted_path) // $ Alert[go/path-injection] w.Write(data) // BAD: This could still read any file on the file system - data, _ = ioutil.ReadFile(filepath.Join("/home/user/", tainted_path)) + data, _ = ioutil.ReadFile(filepath.Join("/home/user/", tainted_path)) // $ Alert[go/path-injection] w.Write(data) // GOOD: This can only read inside the provided safe path @@ -71,7 +71,7 @@ func handler(w http.ResponseWriter, r *http.Request) { // BAD: Sanitized by path.Clean with a prepended '/' forcing interpretation // as an absolute path, however is not sufficient for Windows paths. - data, _ = ioutil.ReadFile(path.Clean("/" + tainted_path)) + data, _ = ioutil.ReadFile(path.Clean("/" + tainted_path)) // $ Alert[go/path-injection] w.Write(data) // GOOD: Multipart.Form.FileHeader.Filename sanitized by filepath.Base when calling ParseMultipartForm diff --git a/go/ql/test/query-tests/Security/CWE-022/TaintedPath.qlref b/go/ql/test/query-tests/Security/CWE-022/TaintedPath.qlref index 78ce25b1921f..6eb2e94892f2 100644 --- a/go/ql/test/query-tests/Security/CWE-022/TaintedPath.qlref +++ b/go/ql/test/query-tests/Security/CWE-022/TaintedPath.qlref @@ -1,2 +1,4 @@ query: Security/CWE-022/TaintedPath.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/go/ql/test/query-tests/Security/CWE-022/UnsafeUnzipSymlink.go b/go/ql/test/query-tests/Security/CWE-022/UnsafeUnzipSymlink.go index 8a3016f9c31c..66a8763a2b05 100644 --- a/go/ql/test/query-tests/Security/CWE-022/UnsafeUnzipSymlink.go +++ b/go/ql/test/query-tests/Security/CWE-022/UnsafeUnzipSymlink.go 
@@ -28,7 +28,7 @@ func unzipSymlinkBad(f io.Reader, target string) { break } if isRel(header.Linkname, target) && isRel(header.Name, target) { - os.Symlink(header.Linkname, header.Name) + os.Symlink(header.Linkname, header.Name) // $ Alert[go/unsafe-unzip-symlink] } } } @@ -40,7 +40,7 @@ func unzipSymlinkBadZip(f io.ReaderAt, target string) { linkNameBytes, _ := ioutil.ReadAll(linkData) linkName := string(linkNameBytes) if isRel(linkName, target) && isRel(header.Name, target) { - os.Symlink(linkName, header.Name) + os.Symlink(linkName, header.Name) // $ Alert[go/unsafe-unzip-symlink] } } } @@ -109,7 +109,7 @@ func getNextHeader(f *tar.Reader) (*tar.Header, error) { } func writeSymlink(linkName, fileName string) { - os.Symlink(linkName, fileName) + os.Symlink(linkName, fileName) // $ Sink[go/unsafe-unzip-symlink] } // BAD: a variant of `unzipSymlinkBad` where the tar-read and symlink @@ -123,7 +123,7 @@ func unzipSymlinkBadFactored(f io.Reader, target string) { break } if isRel(header.Linkname, target) && isRel(header.Name, target) { - writeSymlink(header.Linkname, header.Name) + writeSymlink(header.Linkname, header.Name) // $ Alert[go/unsafe-unzip-symlink] } } } diff --git a/go/ql/test/query-tests/Security/CWE-022/UnsafeUnzipSymlink.qlref b/go/ql/test/query-tests/Security/CWE-022/UnsafeUnzipSymlink.qlref index a40aa6194e10..5971b0737351 100644 --- a/go/ql/test/query-tests/Security/CWE-022/UnsafeUnzipSymlink.qlref +++ b/go/ql/test/query-tests/Security/CWE-022/UnsafeUnzipSymlink.qlref @@ -1,2 +1,4 @@ query: Security/CWE-022/UnsafeUnzipSymlink.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/go/ql/test/query-tests/Security/CWE-022/UnsafeUnzipSymlinkGood.go b/go/ql/test/query-tests/Security/CWE-022/UnsafeUnzipSymlinkGood.go index dde03db263d0..d662246a9c26 100644 --- a/go/ql/test/query-tests/Security/CWE-022/UnsafeUnzipSymlinkGood.go 
+++ b/go/ql/test/query-tests/Security/CWE-022/UnsafeUnzipSymlinkGood.go
@@ -58,7 +58,7 @@ func isRelGoodReadlink(candidate, target string) bool {
 if filepath.IsAbs(candidate) {
 return false
 }
- realpath, err := os.Readlink(filepath.Join(target, candidate))
+ realpath, err := os.Readlink(filepath.Join(target, candidate)) // $ Sink[go/zipslip]
 if err != nil {
 return false
 }
@@ -69,7 +69,7 @@ func isRelGoodReadlink(candidate, target string) bool {
 func unzipSymlinkGoodReadlink(f io.Reader, target string) {
 r := tar.NewReader(f)
 for {
- header, err := r.Next()
+ header, err := r.Next() // $ Alert[go/zipslip]
 if err != nil {
 break
 }
diff --git a/go/ql/test/query-tests/Security/CWE-022/ZipSlip.go b/go/ql/test/query-tests/Security/CWE-022/ZipSlip.go
index 1628eabbef98..936c3c8e9a26 100644
--- a/go/ql/test/query-tests/Security/CWE-022/ZipSlip.go
+++ b/go/ql/test/query-tests/Security/CWE-022/ZipSlip.go
@@ -11,6 +11,6 @@ func unzip(f string) {
 for _, f := range r.File {
 p, _ := filepath.Abs(f.Name)
 // BAD: This could overwrite any file on the file system
- ioutil.WriteFile(p, []byte("present"), 0666)
- }
+ ioutil.WriteFile(p, []byte("present"), 0666) // $ Sink[go/zipslip]
+ } // $ Alert[go/zipslip]
 }
diff --git a/go/ql/test/query-tests/Security/CWE-022/ZipSlip.qlref b/go/ql/test/query-tests/Security/CWE-022/ZipSlip.qlref
index da30bbaf10df..39acfb7ca4a8 100644
--- a/go/ql/test/query-tests/Security/CWE-022/ZipSlip.qlref
+++ b/go/ql/test/query-tests/Security/CWE-022/ZipSlip.qlref
@@ -1,2 +1,4 @@
 query: Security/CWE-022/ZipSlip.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+ - utils/test/PrettyPrintModels.ql
+ - utils/test/InlineExpectationsTestQuery.ql
diff --git a/go/ql/test/query-tests/Security/CWE-022/tarslip.go b/go/ql/test/query-tests/Security/CWE-022/tarslip.go
index 37b3a32715c3..b8a9d7478828 100644
--- a/go/ql/test/query-tests/Security/CWE-022/tarslip.go
+++ b/go/ql/test/query-tests/Security/CWE-022/tarslip.go
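Review bot: The new `// $ Alert[go/zipslip]` on `header, err := r.Next()` records a go/zipslip result inside a file whose name and helper names (`UnsafeUnzipSymlinkGood.go`, `isRelGoodReadlink`, `unzipSymlinkGoodReadlink`) mark it as the safe variant, and the paired `// $ Sink[go/zipslip]` sits on the `os.Readlink` call that is itself part of the containment check. If this is a known false positive of the zipslip query (Readlink only reports where the link points and does not extract to the path) the expectation should say so rather than read as desired behaviour, for example `header, err := r.Next() // $ Alert[go/zipslip] // FP: Readlink in isRelGoodReadlink is the containment check, not an extraction`. If instead the alert is considered legitimate, a one-line comment explaining why a "Good" fixture is expected to alert would serve the same purpose. The `unzipSymlinkGoodReadlink` loop body continues outside the hunk.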
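Review bot: In the ZipSlip.go hunk the `// $ Alert[go/zipslip]` tag lands on the closing brace of the `for _, f := range r.File` loop while the `// $ Sink[go/zipslip]` tag is on the WriteFile line, which is easy to misread as a misplaced annotation. Presumably the alert's primary location is the range statement (the taint source) and the inline-expectations matcher keys on the line where that location ends, i.e. this brace. A short comment on the brace, e.g. `} // $ Alert[go/zipslip] // alert is reported at the range-over-r.File statement, which ends here`, would stop the next maintainer from "fixing" the tag onto the sink line and breaking the test. The same brace-anchored tag appears in `unzip2` in tst.go on the next line of this diff and would benefit from the same note.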
@@ -12,8 +12,8 @@ import ( func untarBad(reader io.Reader, prefix string) { tarReader := tar.NewReader(reader) - header, _ := tarReader.Next() - os.MkdirAll(path.Dir(header.Name), 0755) // NOT OK + header, _ := tarReader.Next() // $ Alert[go/zipslip] + os.MkdirAll(path.Dir(header.Name), 0755) // $ Sink[go/zipslip] // NOT OK } func untarGood(reader io.Reader, prefix string) { diff --git a/go/ql/test/query-tests/Security/CWE-022/tst.go b/go/ql/test/query-tests/Security/CWE-022/tst.go index 599faccf0f1b..4cf3a77c4c8d 100644 --- a/go/ql/test/query-tests/Security/CWE-022/tst.go +++ b/go/ql/test/query-tests/Security/CWE-022/tst.go @@ -26,7 +26,7 @@ func unzip2(f string, root string) { if err == nil { ioutil.WriteFile(filepath.Join(root, relpath), []byte("present"), 0666) // OK } - ioutil.WriteFile(path, []byte("present"), 0666) // NOT OK + ioutil.WriteFile(path, []byte("present"), 0666) // $ Sink[go/zipslip] // NOT OK if containedIn(path, root) { ioutil.WriteFile(path, []byte("present"), 0666) // OK } @@ -40,7 +40,7 @@ func unzip2(f string, root string) { if containedIn(f.Name, root) { ioutil.WriteFile(f.Name, []byte("present"), 0666) // OK } - } + } // $ Alert[go/zipslip] } func containedIn(f string, root string) bool { diff --git a/go/ql/test/query-tests/Security/CWE-078/ArgumentInjection.go b/go/ql/test/query-tests/Security/CWE-078/ArgumentInjection.go index d38d4662542e..b43f798bf2b4 100644 --- a/go/ql/test/query-tests/Security/CWE-078/ArgumentInjection.go +++ b/go/ql/test/query-tests/Security/CWE-078/ArgumentInjection.go @@ -6,7 +6,7 @@ import ( ) func handler2(req *http.Request) { - path := req.URL.Query()["path"][0] - cmd := exec.Command("rsync", path, "/tmp") + path := req.URL.Query()["path"][0] // $ Source[go/command-injection] + cmd := exec.Command("rsync", path, "/tmp") // $ Alert[go/command-injection] cmd.Run() } 
diff --git a/go/ql/test/query-tests/Security/CWE-078/CommandInjection.go b/go/ql/test/query-tests/Security/CWE-078/CommandInjection.go index ff046f240844..bd7e70e038b3 100644 --- a/go/ql/test/query-tests/Security/CWE-078/CommandInjection.go +++ b/go/ql/test/query-tests/Security/CWE-078/CommandInjection.go @@ -6,7 +6,7 @@ import ( ) func handler(req *http.Request) { - cmdName := req.URL.Query()["cmd"][0] - cmd := exec.Command(cmdName) + cmdName := req.URL.Query()["cmd"][0] // $ Source[go/command-injection] + cmd := exec.Command(cmdName) // $ Alert[go/command-injection] cmd.Run() } diff --git a/go/ql/test/query-tests/Security/CWE-078/CommandInjection.qlref b/go/ql/test/query-tests/Security/CWE-078/CommandInjection.qlref index 2b07372975ff..b1836a682e3b 100644 --- a/go/ql/test/query-tests/Security/CWE-078/CommandInjection.qlref +++ b/go/ql/test/query-tests/Security/CWE-078/CommandInjection.qlref @@ -1,2 +1,4 @@ query: Security/CWE-078/CommandInjection.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/go/ql/test/query-tests/Security/CWE-078/CommandInjection2.go b/go/ql/test/query-tests/Security/CWE-078/CommandInjection2.go index 943a3f72f05a..975ff72d1772 100644 --- a/go/ql/test/query-tests/Security/CWE-078/CommandInjection2.go +++ b/go/ql/test/query-tests/Security/CWE-078/CommandInjection2.go @@ -10,9 +10,9 @@ import ( ) func handlerExample(req *http.Request) { - imageName := req.URL.Query()["imageName"][0] + imageName := req.URL.Query()["imageName"][0] // $ Source[go/command-injection] outputPath := "/tmp/output.svg" - cmd := exec.Command("sh", "-c", fmt.Sprintf("imagetool %s > %s", imageName, outputPath)) // NOT OK - correctly flagged + cmd := exec.Command("sh", "-c", fmt.Sprintf("imagetool %s > %s", imageName, outputPath)) // $ Alert[go/command-injection] // NOT OK - correctly flagged cmd.Run() // ... } 
@@ -38,10 +38,10 @@ func handlerExample2(req *http.Request) { } func handlerExample3(req *http.Request) { - imageName := req.URL.Query()["imageName"][0] + imageName := req.URL.Query()["imageName"][0] // $ Source[go/command-injection] outputPath := "/tmp/output.svg" - cmd := exec.Command("sh", "-c", fmt.Sprintf("imagetool %s > %s", imageName, outputPath)) // NOT OK - correctly flagged + cmd := exec.Command("sh", "-c", fmt.Sprintf("imagetool %s > %s", imageName, outputPath)) // $ Alert[go/command-injection] // NOT OK - correctly flagged cmd.Run() // Validate the imageName with a regular expression diff --git a/go/ql/test/query-tests/Security/CWE-078/GitSubcommands.go b/go/ql/test/query-tests/Security/CWE-078/GitSubcommands.go index 5e72e5825afd..a7747b021fd4 100644 --- a/go/ql/test/query-tests/Security/CWE-078/GitSubcommands.go +++ b/go/ql/test/query-tests/Security/CWE-078/GitSubcommands.go @@ -8,13 +8,13 @@ import ( // BAD: using git subcommands that are vulnerable to arbitrary remote command execution func gitSubcommandsBad(req *http.Request) { - tainted := req.URL.Query()["cmd"][0] + tainted := req.URL.Query()["cmd"][0] // $ Source[go/command-injection] - exec.Command("git", "clone", tainted) - exec.Command("git", "fetch", tainted) - exec.Command("git", "pull", tainted) - exec.Command("git", "ls-remote", tainted) - exec.Command("git", "fetch-pack", tainted) + exec.Command("git", "clone", tainted) // $ Alert[go/command-injection] + exec.Command("git", "fetch", tainted) // $ Alert[go/command-injection] + exec.Command("git", "pull", tainted) // $ Alert[go/command-injection] + exec.Command("git", "ls-remote", tainted) // $ Alert[go/command-injection] + exec.Command("git", "fetch-pack", tainted) // $ Alert[go/command-injection] } // GOOD: using a sampling of git subcommands that are not vulnerable to arbitrary remote command execution 
@@ -30,11 +30,11 @@ func gitSubcommandsGood(req *http.Request) { // BAD: using git subcommands that are vulnerable to arbitrary remote command execution func gitSubcommandsGood2(req *http.Request) { - tainted := req.URL.Query()["cmd"][0] + tainted := req.URL.Query()["cmd"][0] // $ Source[go/command-injection] if !strings.HasPrefix(tainted, "--") { exec.Command("git", "clone", tainted) // GOOD, `tainted` cannot start with "--" } else { - exec.Command("git", "clone", tainted) // BAD, `tainted` can start with "--" + exec.Command("git", "clone", tainted) // $ Alert[go/command-injection] // BAD, `tainted` can start with "--" } } diff --git a/go/ql/test/query-tests/Security/CWE-078/SanitizingDoubleDash.go b/go/ql/test/query-tests/Security/CWE-078/SanitizingDoubleDash.go index 0428df550868..9a8692319bb2 100644 --- a/go/ql/test/query-tests/Security/CWE-078/SanitizingDoubleDash.go +++ b/go/ql/test/query-tests/Security/CWE-078/SanitizingDoubleDash.go @@ -6,12 +6,12 @@ import ( ) func testDoubleDashSanitizes(req *http.Request) { - tainted := req.URL.Query()["cmd"][0] + tainted := req.URL.Query()["cmd"][0] // $ Source[go/command-injection] // BAD: no sanitizing "--" preceding tainted data { arrayLit := [1]string{tainted} - exec.Command("git", arrayLit[:]...) + exec.Command("git", arrayLit[:]...) // $ Alert[go/command-injection] } // GOOD: sanitizing "--" preceding tainted data @@ -37,7 +37,7 @@ func testDoubleDashSanitizes(req *http.Request) { { arrayLit := []string{} arrayLit = append(arrayLit, tainted, "--") - exec.Command("git", arrayLit...) + exec.Command("git", arrayLit...) // $ Alert[go/command-injection] } // GOOD: sanitizing "--" preceding tainted data, built in two steps 
@@ -51,7 +51,7 @@ func testDoubleDashSanitizes(req *http.Request) { { arrayLit := []string{tainted} arrayLit = append(arrayLit, "--") - exec.Command("git", arrayLit...) + exec.Command("git", arrayLit...) // $ Alert[go/command-injection] } // GOOD: sanitizing "--" preceding tainted data, built in three steps @@ -67,7 +67,7 @@ func testDoubleDashSanitizes(req *http.Request) { arrayLit := []string{"something else"} arrayLit = append(arrayLit, tainted) arrayLit = append(arrayLit, "--") - exec.Command("git", arrayLit...) + exec.Command("git", arrayLit...) // $ Alert[go/command-injection] } // GOOD: sanitizing "--" preceding tainted data, used directly in a Command @@ -77,7 +77,7 @@ func testDoubleDashSanitizes(req *http.Request) { // BAD: sanitizing "--" comes after tainted data, used directly in a Command { - exec.Command("git", tainted, "--") + exec.Command("git", tainted, "--") // $ Alert[go/command-injection] } // GOOD: sanitizing "--" preceding tainted data, used directly in a Command, after several other arguments 
@@ -89,66 +89,66 @@ func testDoubleDashSanitizes(req *http.Request) { // This test mirrors testDoubleDashSanitizes above, but uses sudo instead of git, where "--" is not sanitizing. // All cases are therefore BAD. func testDoubleDashIrrelevant(req *http.Request) { - tainted := req.URL.Query()["cmd"][0] + tainted := req.URL.Query()["cmd"][0] // $ Source[go/command-injection] { arrayLit := [1]string{tainted} - exec.Command("sudo", arrayLit[:]...) // BAD + exec.Command("sudo", arrayLit[:]...) // $ Alert[go/command-injection] // BAD } { arrayLit := [2]string{"--", tainted} - exec.Command("sudo", arrayLit[:]...) // BAD + exec.Command("sudo", arrayLit[:]...) // $ Alert[go/command-injection] // BAD } { arrayLit := []string{"--", tainted} - exec.Command("sudo", arrayLit...) // BAD + exec.Command("sudo", arrayLit...) // $ Alert[go/command-injection] // BAD } { arrayLit := []string{} arrayLit = append(arrayLit, "--", tainted) - exec.Command("sudo", arrayLit...) // BAD + exec.Command("sudo", arrayLit...) // $ Alert[go/command-injection] // BAD } { arrayLit := []string{} arrayLit = append(arrayLit, tainted, "--") - exec.Command("sudo", arrayLit...) // BAD + exec.Command("sudo", arrayLit...) // $ Alert[go/command-injection] // BAD } { arrayLit := []string{"--"} arrayLit = append(arrayLit, tainted) - exec.Command("sudo", arrayLit...) // BAD + exec.Command("sudo", arrayLit...) // $ Alert[go/command-injection] // BAD } { arrayLit := []string{tainted} arrayLit = append(arrayLit, "--") - exec.Command("sudo", arrayLit...) // BAD + exec.Command("sudo", arrayLit...) // $ Alert[go/command-injection] // BAD } { arrayLit := []string{"--"} arrayLit = append(arrayLit, "something else") arrayLit = append(arrayLit, tainted) - exec.Command("sudo", arrayLit...) // BAD + exec.Command("sudo", arrayLit...) // $ Alert[go/command-injection] // BAD } { arrayLit := []string{"something else"} arrayLit = append(arrayLit, tainted) arrayLit = append(arrayLit, "--") - exec.Command("sudo", arrayLit...) 
// BAD + exec.Command("sudo", arrayLit...) // $ Alert[go/command-injection] // BAD } { - exec.Command("sudo", "--", tainted) // BAD + exec.Command("sudo", "--", tainted) // $ Alert[go/command-injection] // BAD } { - exec.Command("sudo", tainted, "--") // BAD + exec.Command("sudo", tainted, "--") // $ Alert[go/command-injection] // BAD } } diff --git a/go/ql/test/query-tests/Security/CWE-078/StoredCommand.go b/go/ql/test/query-tests/Security/CWE-078/StoredCommand.go index 5b7c16d0c590..ee38e54f4dab 100644 --- a/go/ql/test/query-tests/Security/CWE-078/StoredCommand.go +++ b/go/ql/test/query-tests/Security/CWE-078/StoredCommand.go @@ -8,9 +8,9 @@ import ( var db *sql.DB func run(query string) { - rows, _ := db.Query(query) + rows, _ := db.Query(query) // $ Source[go/stored-command] var cmdName string rows.Scan(&cmdName) - cmd := exec.Command(cmdName) + cmd := exec.Command(cmdName) // $ Alert[go/stored-command] cmd.Run() } diff --git a/go/ql/test/query-tests/Security/CWE-078/StoredCommand.qlref b/go/ql/test/query-tests/Security/CWE-078/StoredCommand.qlref index 92c41892880b..d1bc2b0f697b 100644 --- a/go/ql/test/query-tests/Security/CWE-078/StoredCommand.qlref +++ b/go/ql/test/query-tests/Security/CWE-078/StoredCommand.qlref @@ -1,2 +1,4 @@ query: Security/CWE-078/StoredCommand.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/go/ql/test/query-tests/Security/CWE-089/SqlInjection.go b/go/ql/test/query-tests/Security/CWE-089/SqlInjection.go index 0df976d93c3f..4fc4447b809a 100644 --- a/go/ql/test/query-tests/Security/CWE-089/SqlInjection.go +++ b/go/ql/test/query-tests/Security/CWE-089/SqlInjection.go 
@@ -8,6 +8,6 @@ import ( func handler(db *sql.DB, req *http.Request) { q := fmt.Sprintf("SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='%s' ORDER BY PRICE", - req.URL.Query()["category"]) - db.Query(q) + req.URL.Query()["category"]) // $ Source[go/sql-injection] + db.Query(q) // $ Alert[go/sql-injection] } diff --git a/go/ql/test/query-tests/Security/CWE-089/SqlInjection.qlref b/go/ql/test/query-tests/Security/CWE-089/SqlInjection.qlref index b6916bd2cd46..e19181577447 100644 --- a/go/ql/test/query-tests/Security/CWE-089/SqlInjection.qlref +++ b/go/ql/test/query-tests/Security/CWE-089/SqlInjection.qlref @@ -1,2 +1,4 @@ query: Security/CWE-089/SqlInjection.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/go/ql/test/query-tests/Security/CWE-089/StringBreak.go b/go/ql/test/query-tests/Security/CWE-089/StringBreak.go index d5aec9777d42..e9c46d564ed3 100644 --- a/go/ql/test/query-tests/Security/CWE-089/StringBreak.go +++ b/go/ql/test/query-tests/Security/CWE-089/StringBreak.go @@ -7,10 +7,10 @@ import ( ) func save(id string, version interface{}) { - versionJSON, _ := json.Marshal(version) + versionJSON, _ := json.Marshal(version) // $ Source[go/unsafe-quoting] sq.StatementBuilder. Insert("resources"). Columns("resource_id", "version_md5"). - Values(id, sq.Expr(fmt.Sprintf("md5('%s')", versionJSON))). + Values(id, sq.Expr(fmt.Sprintf("md5('%s')", versionJSON))). // $ Alert[go/unsafe-quoting] Exec() } diff --git a/go/ql/test/query-tests/Security/CWE-089/StringBreak.qlref b/go/ql/test/query-tests/Security/CWE-089/StringBreak.qlref index 45a8c4191347..096091bde4c4 100644 --- a/go/ql/test/query-tests/Security/CWE-089/StringBreak.qlref +++ b/go/ql/test/query-tests/Security/CWE-089/StringBreak.qlref 
@@ -1,2 +1,4 @@ query: Security/CWE-089/StringBreak.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/go/ql/test/query-tests/Security/CWE-089/StringBreakMismatched.go b/go/ql/test/query-tests/Security/CWE-089/StringBreakMismatched.go index ba8ee72d0fa8..5d0b98a04b04 100644 --- a/go/ql/test/query-tests/Security/CWE-089/StringBreakMismatched.go +++ b/go/ql/test/query-tests/Security/CWE-089/StringBreakMismatched.go @@ -9,23 +9,23 @@ import ( // Bad because quote characters are removed before concatenation, // but then enclosed in a different enclosing quote: func mismatch1(id string, version interface{}) { - versionJSON, _ := json.Marshal(version) + versionJSON, _ := json.Marshal(version) // $ Source[go/unsafe-quoting] escaped := strings.Replace(string(versionJSON), "\"", "", -1) sq.StatementBuilder. Insert("resources"). Columns("resource_id", "version_md5"). - Values(id, sq.Expr("'"+escaped+"'")). + Values(id, sq.Expr("'"+escaped+"'")). // $ Alert[go/unsafe-quoting] Exec() } // Bad because quote characters are removed before concatenation, // but then enclosed in a different enclosing quote: func mismatch2(id string, version interface{}) { - versionJSON, _ := json.Marshal(version) + versionJSON, _ := json.Marshal(version) // $ Source[go/unsafe-quoting] escaped := strings.Replace(string(versionJSON), "'", "", -1) sq.StatementBuilder. Insert("resources"). Columns("resource_id", "version_md5"). - Values(id, sq.Expr("\""+escaped+"\"")). + Values(id, sq.Expr("\""+escaped+"\"")). // $ Alert[go/unsafe-quoting] Exec() } diff --git a/go/ql/test/query-tests/Security/CWE-089/issue48.go b/go/ql/test/query-tests/Security/CWE-089/issue48.go index 2c23b617190b..9ef91eb13509 100644 --- a/go/ql/test/query-tests/Security/CWE-089/issue48.go +++ b/go/ql/test/query-tests/Security/CWE-089/issue48.go 
@@ -14,29 +14,29 @@ func handler1(db *sql.DB, req *http.Request) { // read data from request body and unmarshal to a indeterminacy struct // POST: {"a": "b", "category": "test"} var RequestDataFromJson map[string]interface{} - b, _ := ioutil.ReadAll(req.Body) + b, _ := ioutil.ReadAll(req.Body) // $ Source[go/sql-injection] json.Unmarshal(b, &RequestDataFromJson) q3 := fmt.Sprintf("SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='%s' ORDER BY PRICE", RequestDataFromJson["category"]) - db.Query(q3) // NOT OK + db.Query(q3) // $ Alert[go/sql-injection] // NOT OK // read data from request body and unmarshal to a determined struct // POST: {"id": "1", "category": "test"} var RequestDataFromJson2 RequestStruct - b2, _ := ioutil.ReadAll(req.Body) + b2, _ := ioutil.ReadAll(req.Body) // $ Source[go/sql-injection] json.Unmarshal(b2, &RequestDataFromJson2) q4 := fmt.Sprintf("SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='%s' ORDER BY PRICE", RequestDataFromJson2.Category) - db.Query(q4) // NOT OK + db.Query(q4) // $ Alert[go/sql-injection] // NOT OK // read json data from a url parameter // GET: ?json={"id": 1, "category": "test"} var RequestDataFromJson3 RequestStruct - json.Unmarshal([]byte(req.URL.Query()["json"][0]), &RequestDataFromJson3) + json.Unmarshal([]byte(req.URL.Query()["json"][0]), &RequestDataFromJson3) // $ Source[go/sql-injection] q5 := fmt.Sprintf("SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='%s' ORDER BY PRICE", RequestDataFromJson3.Category) - db.Query(q5) // NOT OK + db.Query(q5) // $ Alert[go/sql-injection] // NOT OK } diff --git a/go/ql/test/query-tests/Security/CWE-089/main.go b/go/ql/test/query-tests/Security/CWE-089/main.go index 7e5f5a35a9df..d0b17bf11459 100644 --- a/go/ql/test/query-tests/Security/CWE-089/main.go +++ b/go/ql/test/query-tests/Security/CWE-089/main.go 
@@ -8,12 +8,12 @@ import ( ) func test(db *sql.DB, r *http.Request) { - db.Query(r.Form["query"][0]) // NOT OK + db.Query(r.Form["query"][0]) // $ Alert[go/sql-injection] // NOT OK } func test2(tx *sql.Tx, r *http.Request) { - tx.Query(fmt.Sprintf("SELECT USER FROM USERS WHERE ID='%s'", r.URL.Query()["uuid"])) // NOT OK - tx.Query(fmt.Sprintf("SELECT USER FROM USERS WHERE ID='%s'", r.Header.Get("X-Uuid"))) // NOT OK + tx.Query(fmt.Sprintf("SELECT USER FROM USERS WHERE ID='%s'", r.URL.Query()["uuid"])) // $ Alert[go/sql-injection] // NOT OK + tx.Query(fmt.Sprintf("SELECT USER FROM USERS WHERE ID='%s'", r.Header.Get("X-Uuid"))) // $ Alert[go/sql-injection] // NOT OK } func main() {} 
@@ -27,39 +27,39 @@ type RequestStruct struct { func handler2(db *sql.DB, req *http.Request) { RequestData := &RequestStruct{ Id: 1, - Category: req.URL.Query()["category"], + Category: req.URL.Query()["category"], // $ Source[go/sql-injection] } q := fmt.Sprintf("SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='%s' ORDER BY PRICE", RequestData.Category) - db.Query(q) + db.Query(q) // $ Alert[go/sql-injection] } func handler3(db *sql.DB, req *http.Request) { RequestData := &RequestStruct{} - RequestData.Category = req.URL.Query()["category"] + RequestData.Category = req.URL.Query()["category"] // $ Source[go/sql-injection] q := fmt.Sprintf("SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='%s' ORDER BY PRICE", RequestData.Category) - db.Query(q) + db.Query(q) // $ Alert[go/sql-injection] } func handler4(db *sql.DB, req *http.Request) { RequestData := &RequestStruct{} - (*RequestData).Category = req.URL.Query()["category"] + (*RequestData).Category = req.URL.Query()["category"] // $ Source[go/sql-injection] q := fmt.Sprintf("SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='%s' ORDER BY PRICE", RequestData.Category) - db.Query(q) + db.Query(q) // $ Alert[go/sql-injection] } func handler5(db *sql.DB, req *http.Request) { RequestData := &RequestStruct{} - (*RequestData).Category = req.URL.Query()["category"] + (*RequestData).Category = req.URL.Query()["category"] // $ Source[go/sql-injection] q := fmt.Sprintf("SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='%s' ORDER BY PRICE", (*RequestData).Category) - db.Query(q) + db.Query(q) // $ Alert[go/sql-injection] } // This is an integer, so should not counted as injection diff --git a/go/ql/test/query-tests/Security/CWE-089/mongoDB.go b/go/ql/test/query-tests/Security/CWE-089/mongoDB.go index 818f8adb13cb..ee116ac62cef 100644 --- a/go/ql/test/query-tests/Security/CWE-089/mongoDB.go +++ b/go/ql/test/query-tests/Security/CWE-089/mongoDB.go 
@@ -37,7 +37,7 @@ func mongo2(w http.ResponseWriter, r *http.Request) { // Get a handle for your collection db := client.Database("test") coll := db.Collection("collection") - untrustedInput := r.Referer() + untrustedInput := r.Referer() // $ Source[go/sql-injection] filter := bson.D{{"name", untrustedInput}} 
@@ -54,30 +54,30 @@ func mongo2(w http.ResponseWriter, r *http.Request) { update := bson.D{{"$inc", bson.D{{"age", 1}}}} // models := nil - coll.Aggregate(ctx, pipeline, nil) + coll.Aggregate(ctx, pipeline, nil) // $ Alert[go/sql-injection] // coll.BulkWrite(ctx, models, nil) coll.BulkWrite(ctx, nil, nil) coll.Clone(nil) - coll.CountDocuments(ctx, filter, nil) + coll.CountDocuments(ctx, filter, nil) // $ Alert[go/sql-injection] coll.Database() - coll.DeleteMany(ctx, filter, nil) - coll.DeleteOne(ctx, filter, nil) + coll.DeleteMany(ctx, filter, nil) // $ Alert[go/sql-injection] + coll.DeleteOne(ctx, filter, nil) // $ Alert[go/sql-injection] - coll.Distinct(ctx, fieldName, filter) + coll.Distinct(ctx, fieldName, filter) // $ Alert[go/sql-injection] coll.Drop(ctx) coll.EstimatedDocumentCount(ctx, nil) - coll.Find(ctx, filter, nil) - coll.FindOne(ctx, filter, nil) - coll.FindOneAndDelete(ctx, filter, nil) - coll.FindOneAndReplace(ctx, filter, nil) - coll.FindOneAndUpdate(ctx, filter, nil) + coll.Find(ctx, filter, nil) // $ Alert[go/sql-injection] + coll.FindOne(ctx, filter, nil) // $ Alert[go/sql-injection] + coll.FindOneAndDelete(ctx, filter, nil) // $ Alert[go/sql-injection] + coll.FindOneAndReplace(ctx, filter, nil) // $ Alert[go/sql-injection] + coll.FindOneAndUpdate(ctx, filter, nil) // $ Alert[go/sql-injection] coll.Indexes() coll.InsertMany(ctx, documents) coll.InsertOne(ctx, document, nil) coll.Name() - coll.ReplaceOne(ctx, filter, replacement) - coll.UpdateMany(ctx, filter, update) - coll.UpdateOne(ctx, filter, update) - coll.Watch(ctx, pipeline) + coll.ReplaceOne(ctx, filter, replacement) // $ Alert[go/sql-injection] + coll.UpdateMany(ctx, filter, update) // $ Alert[go/sql-injection] + coll.UpdateOne(ctx, filter, update) // $ Alert[go/sql-injection] + coll.Watch(ctx, pipeline) // $ Alert[go/sql-injection] } 
diff --git a/go/ql/test/query-tests/Security/CWE-190/AllocationSizeOverflow.go b/go/ql/test/query-tests/Security/CWE-190/AllocationSizeOverflow.go index aa11afa816aa..2871c45e80ec 100644 --- a/go/ql/test/query-tests/Security/CWE-190/AllocationSizeOverflow.go +++ b/go/ql/test/query-tests/Security/CWE-190/AllocationSizeOverflow.go @@ -3,11 +3,11 @@ package main import "encoding/json" func encryptValue(v interface{}) ([]byte, error) { - jsonData, err := json.Marshal(v) + jsonData, err := json.Marshal(v) // $ Source[go/allocation-size-overflow] if err != nil { return nil, err } - size := len(jsonData) + (len(jsonData) % 16) + size := len(jsonData) + (len(jsonData) % 16) // $ Alert[go/allocation-size-overflow] buffer := make([]byte, size) copy(buffer, jsonData) return encryptBuffer(buffer) diff --git a/go/ql/test/query-tests/Security/CWE-190/AllocationSizeOverflow.qlref b/go/ql/test/query-tests/Security/CWE-190/AllocationSizeOverflow.qlref index f6da9bc1c36d..e06f99c7747e 100644 --- a/go/ql/test/query-tests/Security/CWE-190/AllocationSizeOverflow.qlref +++ b/go/ql/test/query-tests/Security/CWE-190/AllocationSizeOverflow.qlref @@ -1,2 +1,4 @@ query: Security/CWE-190/AllocationSizeOverflow.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/go/ql/test/query-tests/Security/CWE-190/tst.go b/go/ql/test/query-tests/Security/CWE-190/tst.go index abe4452343e2..76077be21167 100644 --- a/go/ql/test/query-tests/Security/CWE-190/tst.go +++ b/go/ql/test/query-tests/Security/CWE-190/tst.go 
@@ -11,28 +11,28 @@ func test(x int, s string, xs []int, ys [16]int, ss [16]string, h *header) { jsonData, _ := json.Marshal(x) ignore(make([]byte, len(jsonData)+1)) // OK: data is small - jsonData, _ = json.Marshal(s) - ignore(make([]byte, len(jsonData)+1)) // NOT OK: data might be big + jsonData, _ = json.Marshal(s) // $ Source[go/allocation-size-overflow] + ignore(make([]byte, len(jsonData)+1)) // $ Alert[go/allocation-size-overflow] // NOT OK: data might be big jsonData, _ = json.Marshal("hi there") ignore(make([]byte, len(jsonData)+1)) // OK: data is small - jsonData, _ = json.Marshal(xs) - ignore(make([]byte, len(jsonData)+1)) // NOT OK: data might be big + jsonData, _ = json.Marshal(xs) // $ Source[go/allocation-size-overflow] + ignore(make([]byte, len(jsonData)+1)) // $ Alert[go/allocation-size-overflow] // NOT OK: data might be big jsonData, _ = json.Marshal(ys) ignore(make([]byte, len(jsonData)+1)) // OK: data is small - jsonData, _ = json.Marshal(ss) - ignore(make([]byte, 10, len(jsonData)+1)) // NOT OK: data might be big + jsonData, _ = json.Marshal(ss) // $ Source[go/allocation-size-overflow] + ignore(make([]byte, 10, len(jsonData)+1)) // $ Alert[go/allocation-size-overflow] // NOT OK: data might be big jsonData, _ = json.Marshal(h) ignore(make([]byte, len(jsonData)+1)) // OK: data is small var i interface{} i = h - jsonData, _ = json.Marshal(i) - ignore(make([]byte, len(jsonData)+1)) // NOT OK: data might be big + jsonData, _ = json.Marshal(i) // $ Source[go/allocation-size-overflow] + ignore(make([]byte, len(jsonData)+1)) // $ Alert[go/allocation-size-overflow] // NOT OK: data might be big } func ignore(_ interface{}) {} diff --git a/go/ql/test/query-tests/Security/CWE-190/tst2.go b/go/ql/test/query-tests/Security/CWE-190/tst2.go index d9dfe6912e81..891e72af7b2d 100644 --- a/go/ql/test/query-tests/Security/CWE-190/tst2.go +++ b/go/ql/test/query-tests/Security/CWE-190/tst2.go 
@@ -6,13 +6,13 @@ import ( ) func test2(filename string) { - data, _ := ioutil.ReadFile(filename) - ignore(make([]byte, len(data)+1)) // NOT OK + data, _ := ioutil.ReadFile(filename) // $ Source[go/allocation-size-overflow] + ignore(make([]byte, len(data)+1)) // $ Alert[go/allocation-size-overflow] // NOT OK } func test3(r io.Reader) { - data, _ := ioutil.ReadAll(r) - ignore(make([]byte, len(data)+1)) // NOT OK + data, _ := ioutil.ReadAll(r) // $ Source[go/allocation-size-overflow] + ignore(make([]byte, len(data)+1)) // $ Alert[go/allocation-size-overflow] // NOT OK } func test4(r io.Reader, ws []io.Writer) { diff --git a/go/ql/test/query-tests/Security/CWE-190/tst3.go b/go/ql/test/query-tests/Security/CWE-190/tst3.go index 660345b099dd..8db8d6e485c6 100644 --- a/go/ql/test/query-tests/Security/CWE-190/tst3.go +++ b/go/ql/test/query-tests/Security/CWE-190/tst3.go @@ -3,8 +3,8 @@ package main import "encoding/json" func testSanitizers(s string) { - jsonData, _ := json.Marshal(s) - ignore(make([]byte, len(jsonData)+1)) // NOT OK: data might be big + jsonData, _ := json.Marshal(s) // $ Source[go/allocation-size-overflow] + ignore(make([]byte, len(jsonData)+1)) // $ Alert[go/allocation-size-overflow] // NOT OK: data might be big ignore(make([]byte, int64(len(jsonData))+1)) // OK: sanitized by widening to 64 bits @@ -21,7 +21,7 @@ func testSanitizers(s string) { } { - newlength := len(jsonData) + 3 // NOT OK: newlength is changed after the upper bound check (even though it's made smaller) + newlength := len(jsonData) + 3 // $ Alert[go/allocation-size-overflow] // NOT OK: newlength is changed after the upper bound check (even though it's made smaller) if newlength < 1000 { newlength = newlength - 1 ignore(make([]byte, newlength)) 
@@ -29,7 +29,7 @@ func testSanitizers(s string) { } { - newlength := len(jsonData) + 4 // NOT OK: there is an upper bound check but it doesn't dominate `make` + newlength := len(jsonData) + 4 // $ Alert[go/allocation-size-overflow] // NOT OK: there is an upper bound check but it doesn't dominate `make` if newlength < 1000 { ignore(newlength + 2) } diff --git a/go/ql/test/query-tests/Security/CWE-209/StackTraceExposure.qlref b/go/ql/test/query-tests/Security/CWE-209/StackTraceExposure.qlref index 18cf2d49a1aa..420481918d12 100644 --- a/go/ql/test/query-tests/Security/CWE-209/StackTraceExposure.qlref +++ b/go/ql/test/query-tests/Security/CWE-209/StackTraceExposure.qlref @@ -1 +1,2 @@ -Security/CWE-209/StackTraceExposure.ql +query: Security/CWE-209/StackTraceExposure.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/go/ql/test/query-tests/Security/CWE-209/test.go b/go/ql/test/query-tests/Security/CWE-209/test.go index 77df73b8046c..6a1b6c298ba2 100644 --- a/go/ql/test/query-tests/Security/CWE-209/test.go +++ b/go/ql/test/query-tests/Security/CWE-209/test.go @@ -12,10 +12,10 @@ var logger log.Logger func handlePanic(w http.ResponseWriter, r *http.Request) { buf := make([]byte, 2<<16) - stackLen := runtime.Stack(buf, true) + stackLen := runtime.Stack(buf, true) // $ Source buf = buf[:stackLen] // BAD: printing a stack trace back to the response - w.Write(buf) + w.Write(buf) // $ Alert // GOOD: logging the response to the server and sending // a more generic message. logger.Printf("Panic: %s", buf) diff --git a/go/ql/test/query-tests/Security/CWE-295/DisabledCertificateCheck/DisabledCertificateCheck.go b/go/ql/test/query-tests/Security/CWE-295/DisabledCertificateCheck/DisabledCertificateCheck.go index b0490ad6f4f2..67f757544f29 100644 --- a/go/ql/test/query-tests/Security/CWE-295/DisabledCertificateCheck/DisabledCertificateCheck.go +++ b/go/ql/test/query-tests/Security/CWE-295/DisabledCertificateCheck/DisabledCertificateCheck.go 
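Review bot: In CWE-209/test.go the new tags are written unqualified (`// $ Source`, `// $ Alert`) whereas every other Go file in this commit qualifies them with the query id (`Alert[go/sql-injection]`, `Alert[go/allocation-size-overflow]`, and so on); the DisabledCertificateCheck.go and main.go hunks under CWE-295 do the same with `// $ Alert`. Unqualified tags only stay unambiguous while a single query is run over the directory, so for consistency with the rest of the change I would write `stackLen := runtime.Stack(buf, true) // $ Source[<query-id>]` and `w.Write(buf) // $ Alert[<query-id>]`, with `<query-id>` being the id declared by StackTraceExposure.ql, and likewise in the CWE-295 files. handlePanic continues past this hunk.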
@@ -7,7 +7,7 @@ import ( func doAuthReq(authReq *http.Request) *http.Response { tr := &http.Transport{ - TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // NOT OK + TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // $ Alert // NOT OK } client := &http.Client{Transport: tr} res, _ := client.Do(authReq) diff --git a/go/ql/test/query-tests/Security/CWE-295/DisabledCertificateCheck/DisabledCertificateCheck.qlref b/go/ql/test/query-tests/Security/CWE-295/DisabledCertificateCheck/DisabledCertificateCheck.qlref index cca259717b57..8864221dea7c 100644 --- a/go/ql/test/query-tests/Security/CWE-295/DisabledCertificateCheck/DisabledCertificateCheck.qlref +++ b/go/ql/test/query-tests/Security/CWE-295/DisabledCertificateCheck/DisabledCertificateCheck.qlref @@ -1 +1,2 @@ -Security/CWE-295/DisabledCertificateCheck.ql +query: Security/CWE-295/DisabledCertificateCheck.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/go/ql/test/query-tests/Security/CWE-295/DisabledCertificateCheck/main.go b/go/ql/test/query-tests/Security/CWE-295/DisabledCertificateCheck/main.go index 3cb5d107a70a..152ece5ba466 100644 --- a/go/ql/test/query-tests/Security/CWE-295/DisabledCertificateCheck/main.go +++ b/go/ql/test/query-tests/Security/CWE-295/DisabledCertificateCheck/main.go @@ -6,7 +6,7 @@ import ( ) func bad1(cfg *tls.Config) { - cfg.InsecureSkipVerify = true // NOT OK + cfg.InsecureSkipVerify = true // $ Alert // NOT OK } func good1(cfg *tls.Config) { @@ -54,12 +54,12 @@ func makeInsecureConfig() *tls.Config { } func makeConfig() *tls.Config { - return &tls.Config{InsecureSkipVerify: true} // NOT OK + return &tls.Config{InsecureSkipVerify: true} // $ Alert // NOT OK } func bad3() *http.Transport { transport := &http.Transport{ - TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // NOT OK + TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // $ Alert // NOT OK } return transport } 
diff --git a/go/ql/test/query-tests/Security/CWE-322/InsecureHostKeyCallback.qlref b/go/ql/test/query-tests/Security/CWE-322/InsecureHostKeyCallback.qlref index b5f8712594db..ed6809d04f3c 100644 --- a/go/ql/test/query-tests/Security/CWE-322/InsecureHostKeyCallback.qlref +++ b/go/ql/test/query-tests/Security/CWE-322/InsecureHostKeyCallback.qlref @@ -1 +1,3 @@ -Security/CWE-322/InsecureHostKeyCallback.ql +query: Security/CWE-322/InsecureHostKeyCallback.ql +postprocess: + - utils/test/InlineExpectationsTestQuery.ql diff --git a/go/ql/test/query-tests/Security/CWE-322/InsecureHostKeyCallbackExample.go b/go/ql/test/query-tests/Security/CWE-322/InsecureHostKeyCallbackExample.go index d13bda30a5e4..8fc2a778ee03 100644 --- a/go/ql/test/query-tests/Security/CWE-322/InsecureHostKeyCallbackExample.go +++ b/go/ql/test/query-tests/Security/CWE-322/InsecureHostKeyCallbackExample.go @@ -15,7 +15,7 @@ func insecureSSHClientConfig() { HostKeyCallback: ssh.HostKeyCallback( // BAD func(hostname string, remote net.Addr, key ssh.PublicKey) error { return nil - }), + }), // $ Alert[go/insecure-hostkeycallback] } } @@ -23,7 +23,7 @@ func insecureSSHClientConfigAlt() { _ = &ssh.ClientConfig{ User: "user", Auth: []ssh.AuthMethod{nil}, - HostKeyCallback: ssh.InsecureIgnoreHostKey(), // BAD + HostKeyCallback: ssh.InsecureIgnoreHostKey(), // $ Alert[go/insecure-hostkeycallback] // BAD } } @@ -31,12 +31,12 @@ func insecureSSHClientConfigLocalFlow() { callback := ssh.HostKeyCallback( func(hostname string, remote net.Addr, key ssh.PublicKey) error { return nil - }) + }) // $ Source[go/insecure-hostkeycallback] Alert[go/insecure-hostkeycallback] _ = &ssh.ClientConfig{ User: "user", Auth: []ssh.AuthMethod{nil}, - HostKeyCallback: callback, // BAD + HostKeyCallback: callback, // $ Alert[go/insecure-hostkeycallback] Source[go/insecure-hostkeycallback] // BAD } } 
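Review bot: InsecureHostKeyCallback.qlref spells a single postprocess entry as a one-element list (`postprocess:` followed by `- utils/test/InlineExpectationsTestQuery.ql`), while the CWE-209 and CWE-295 qlrefs in this same commit use the scalar form `postprocess: utils/test/InlineExpectationsTestQuery.ql` for the identical single entry. Either form presumably loads, but the two styles side by side will invite churn; I would use the scalar form here to match.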
@@ -44,28 +44,28 @@ func insecureSSHClientConfigLocalFlowAlt() { callback := func(hostname string, remote net.Addr, key ssh.PublicKey) error { return nil - } + } // $ Source[go/insecure-hostkeycallback] Alert[go/insecure-hostkeycallback] _ = &ssh.ClientConfig{ User: "user", Auth: []ssh.AuthMethod{nil}, - HostKeyCallback: ssh.HostKeyCallback(callback), // BAD + HostKeyCallback: ssh.HostKeyCallback(callback), // $ Alert[go/insecure-hostkeycallback] Source[go/insecure-hostkeycallback] // BAD } } // Check that insecure and secure functions flowing together to the same // sink is not flagged (we assume this is configurable security) -func potentialInsecureSSHClientConfig(callback ssh.HostKeyCallback) { +func potentialInsecureSSHClientConfig(callback ssh.HostKeyCallback) { // $ Alert[go/insecure-hostkeycallback] Source[go/insecure-hostkeycallback] _ = &ssh.ClientConfig{ User: "user", Auth: []ssh.AuthMethod{nil}, - HostKeyCallback: callback, // OK + HostKeyCallback: callback, // $ Source[go/insecure-hostkeycallback] // OK } } // Check that insecure and secure functions flowing to different writes to // the same objects are not flagged (we assume this is configurable security) -func potentialInsecureSSHClientConfigTwoWrites(callback ssh.HostKeyCallback) { +func potentialInsecureSSHClientConfigTwoWrites(callback ssh.HostKeyCallback) { // $ Alert[go/insecure-hostkeycallback] Source[go/insecure-hostkeycallback] config := &ssh.ClientConfig{ User: "user", Auth: []ssh.AuthMethod{nil}, @@ -75,7 +75,7 @@ func potentialInsecureSSHClientConfigTwoWrites(callback ssh.HostKeyCallback) { if callback == nil { config.HostKeyCallback = ssh.InsecureIgnoreHostKey() // OK } else { - config.HostKeyCallback = callback + config.HostKeyCallback = callback // $ Source[go/insecure-hostkeycallback] } } 
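Review bot: The new expectations on `potentialInsecureSSHClientConfig` and `potentialInsecureSSHClientConfigTwoWrites` mark their signature lines `$ Alert[go/insecure-hostkeycallback]`, although the comments directly above both functions say a mixed secure/insecure flow "is not flagged"; the same tension appears in the next hunk, where `callback, _ := knownhosts.New("somefile")`, the secure known-hosts branch whose sibling is commented `// OK`, also gets `$ Alert[...]`. As written the test now pins these as expected results, so a later query fix that removes them would fail the test instead of being confirmed by it. If they are known false positives of the current query, the inline-expectations framework's `SPURIOUS:` prefix records that intent, e.g. `// $ SPURIOUS: Alert[go/insecure-hostkeycallback] Source[go/insecure-hostkeycallback]`; if the query behaviour is actually intended, the prose comments above the functions should be updated to match. The body of `potentialInsecureSSHClientConfigTwoWrites` continues past the end of this hunk.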
@@ -91,8 +91,8 @@ func potentialInsecureSSHClientConfigUsingKnownHosts(x bool) { if x { config.HostKeyCallback = ssh.InsecureIgnoreHostKey() // OK } else { - callback, _ := knownhosts.New("somefile") - config.HostKeyCallback = callback + callback, _ := knownhosts.New("somefile") // $ Alert[go/insecure-hostkeycallback] + config.HostKeyCallback = callback // $ Source[go/insecure-hostkeycallback] } } @@ -102,9 +102,9 @@ func main() { insecureCallback := ssh.HostKeyCallback( func(hostname string, remote net.Addr, key ssh.PublicKey) error { return nil - }) + }) // $ Alert[go/insecure-hostkeycallback] - potentialInsecureSSHClientConfig(insecureCallback) + potentialInsecureSSHClientConfig(insecureCallback) // $ Source[go/insecure-hostkeycallback] Alert[go/insecure-hostkeycallback] potentiallySecureCallback := ssh.HostKeyCallback( func(hostname string, remote net.Addr, key ssh.PublicKey) error { @@ -112,10 +112,10 @@ func main() { return nil } return fmt.Errorf("ssh: Unexpected host for key") - }) + }) // $ Alert[go/insecure-hostkeycallback] - potentialInsecureSSHClientConfig(potentiallySecureCallback) - potentialInsecureSSHClientConfig(ssh.InsecureIgnoreHostKey()) + potentialInsecureSSHClientConfig(potentiallySecureCallback) // $ Source[go/insecure-hostkeycallback] Alert[go/insecure-hostkeycallback] + potentialInsecureSSHClientConfig(ssh.InsecureIgnoreHostKey()) // $ Alert[go/insecure-hostkeycallback] - potentialInsecureSSHClientConfigTwoWrites(potentiallySecureCallback) + potentialInsecureSSHClientConfigTwoWrites(potentiallySecureCallback) // $ Source[go/insecure-hostkeycallback] Alert[go/insecure-hostkeycallback] } diff --git a/go/ql/test/query-tests/Security/CWE-326/InsufficientKeySize.go b/go/ql/test/query-tests/Security/CWE-326/InsufficientKeySize.go index 9d5ce2ac424f..b8681517b071 100644 --- a/go/ql/test/query-tests/Security/CWE-326/InsufficientKeySize.go +++ b/go/ql/test/query-tests/Security/CWE-326/InsufficientKeySize.go 
@@ -6,16 +6,16 @@ import ( ) func foo1() { - rsa.GenerateKey(rand.Reader, 1024) // BAD + rsa.GenerateKey(rand.Reader, 1024) // $ Alert // BAD } func foo2() { - size := 1024 - rsa.GenerateKey(rand.Reader, size) // BAD + size := 1024 // $ Source + rsa.GenerateKey(rand.Reader, size) // $ Alert // BAD } func foo3() { - foo5(1024) // BAD + foo5(1024) // $ Source // BAD } func foo4() { @@ -23,13 +23,13 @@ func foo4() { } func foo5(size int) { - rsa.GenerateKey(rand.Reader, size) + rsa.GenerateKey(rand.Reader, size) // $ Alert } func foo6() { - keyBits := 1024 + keyBits := 1024 // $ Source if keyBits >= 2047 { - rsa.GenerateKey(rand.Reader, keyBits) // BAD + rsa.GenerateKey(rand.Reader, keyBits) // $ Alert // BAD } } @@ -41,10 +41,10 @@ func foo7() { } func foo8() { - keyBits := 1024 + keyBits := 1024 // $ Source switch { case keyBits >= 2047: - rsa.GenerateKey(rand.Reader, keyBits) // BAD + rsa.GenerateKey(rand.Reader, keyBits) // $ Alert // BAD } } @@ -58,13 +58,13 @@ func foo9() { func foo10(customOptionSupplied bool, nonConstantKeyBits int) { keyBits := 0 - constantKeyBits := 1024 + constantKeyBits := 1024 // $ Source if customOptionSupplied { keyBits = constantKeyBits } else { keyBits = nonConstantKeyBits } - rsa.GenerateKey(rand.Reader, keyBits) // BAD + rsa.GenerateKey(rand.Reader, keyBits) // $ Alert // BAD } func foo11(customOptionSupplied bool, nonConstantKeyBits int) { diff --git a/go/ql/test/query-tests/Security/CWE-326/InsufficientKeySize.qlref b/go/ql/test/query-tests/Security/CWE-326/InsufficientKeySize.qlref index fbb59dd4be63..ef999cf368a5 100644 --- a/go/ql/test/query-tests/Security/CWE-326/InsufficientKeySize.qlref +++ b/go/ql/test/query-tests/Security/CWE-326/InsufficientKeySize.qlref @@ -1 +1,2 @@ -Security/CWE-326/InsufficientKeySize.ql +query: Security/CWE-326/InsufficientKeySize.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/go/ql/test/query-tests/Security/CWE-327/UnsafeTLS.go b/go/ql/test/query-tests/Security/CWE-327/UnsafeTLS.go index 24dfeb195a04..5a91077e5559 100644 --- a/go/ql/test/query-tests/Security/CWE-327/UnsafeTLS.go +++ b/go/ql/test/query-tests/Security/CWE-327/UnsafeTLS.go @@ -18,7 +18,7 @@ func oldVersionFunc() bool { func minMaxTlsVersion() { { config := &tls.Config{} - config.MinVersion = 0 // BAD + config.MinVersion = 0 // $ Alert[go/insecure-tls] // BAD } { config := &tls.Config{} @@ -27,7 +27,7 @@ func minMaxTlsVersion() { /// { config := &tls.Config{ - MinVersion: 0, // BAD + MinVersion: 0, // $ Alert[go/insecure-tls] // BAD } _ = config } @@ -40,40 +40,40 @@ func minMaxTlsVersion() { /// { config := &tls.Config{} - config.MinVersion = tls.VersionSSL30 // BAD + config.MinVersion = tls.VersionSSL30 // $ Alert[go/insecure-tls] // BAD } { config := &tls.Config{} - config.MaxVersion = tls.VersionSSL30 // BAD + config.MaxVersion = tls.VersionSSL30 // $ Alert[go/insecure-tls] // BAD } /// { config := &tls.Config{} - config.MinVersion = tls.VersionTLS10 // BAD + config.MinVersion = tls.VersionTLS10 // $ Alert[go/insecure-tls] // BAD } { config := &tls.Config{} - config.MaxVersion = tls.VersionTLS10 // BAD + config.MaxVersion = tls.VersionTLS10 // $ Alert[go/insecure-tls] // BAD } /// { config := &tls.Config{} - config.MinVersion = tls.VersionTLS11 // BAD + config.MinVersion = tls.VersionTLS11 // $ Alert[go/insecure-tls] // BAD } { config := &tls.Config{} - config.MaxVersion = tls.VersionTLS11 // BAD + config.MaxVersion = tls.VersionTLS11 // $ Alert[go/insecure-tls] // BAD } /// { config := &tls.Config{ - MinVersion: tls.VersionTLS11, // BAD + MinVersion: tls.VersionTLS11, // $ Alert[go/insecure-tls] // BAD } _ = config } { config := &tls.Config{ - MaxVersion: tls.VersionTLS11, // BAD + MaxVersion: tls.VersionTLS11, // $ Alert[go/insecure-tls] // BAD } _ = config } 
@@ -92,13 +92,13 @@ func minMaxTlsVersion() { /// { config := &tls.Config{ - MinVersion: 0x0300, // BAD + MinVersion: 0x0300, // $ Alert[go/insecure-tls] // BAD } _ = config } { config := &tls.Config{ - MaxVersion: 0x0301, // BAD + MaxVersion: 0x0301, // $ Alert[go/insecure-tls] // BAD } _ = config } @@ -108,7 +108,7 @@ func minMaxTlsVersion() { oldVersionFlag := len(os.Args) > 3 if unknown { config := &tls.Config{ - MinVersion: 0, // BAD + MinVersion: 0, // $ Alert[go/insecure-tls] // BAD } _ = config } @@ -198,7 +198,7 @@ func minMaxTlsVersion() { _ = config default: config := &tls.Config{ - MinVersion: 0, // BAD + MinVersion: 0, // $ Alert[go/insecure-tls] // BAD } _ = config } @@ -216,7 +216,7 @@ func minMaxTlsVersion() { _ = config default: config := &tls.Config{ - MinVersion: 0, // BAD + MinVersion: 0, // $ Alert[go/insecure-tls] // BAD } _ = config } 
@@ -257,61 +257,61 @@ func cipherSuites() { { config := &tls.Config{ CipherSuites: []uint16{ - tls.TLS_RSA_WITH_RC4_128_SHA, // BAD - tls.TLS_RSA_WITH_AES_128_CBC_SHA256, // BAD - tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, // BAD - tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA, // BAD - tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, // BAD - tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, // BAD - }, + tls.TLS_RSA_WITH_RC4_128_SHA, // $ Source[go/insecure-tls] // BAD + tls.TLS_RSA_WITH_AES_128_CBC_SHA256, // $ Source[go/insecure-tls] // BAD + tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, // $ Source[go/insecure-tls] // BAD + tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA, // $ Source[go/insecure-tls] // BAD + tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, // $ Source[go/insecure-tls] // BAD + tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, // $ Source[go/insecure-tls] // BAD + }, // $ Alert[go/insecure-tls] } _ = config } { config := &tls.Config{ CipherSuites: []uint16{ - tls.TLS_RSA_WITH_RC4_128_SHA, // BAD - }, + tls.TLS_RSA_WITH_RC4_128_SHA, // $ Source[go/insecure-tls] // BAD + }, // $ Alert[go/insecure-tls] } _ = config } { config := &tls.Config{ CipherSuites: []uint16{ - tls.TLS_RSA_WITH_AES_128_CBC_SHA256, // BAD - }, + tls.TLS_RSA_WITH_AES_128_CBC_SHA256, // $ Source[go/insecure-tls] // BAD + }, // $ Alert[go/insecure-tls] } _ = config } { config := &tls.Config{ CipherSuites: []uint16{ - tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, // BAD - }, + tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, // $ Source[go/insecure-tls] // BAD + }, // $ Alert[go/insecure-tls] } _ = config } { config := &tls.Config{ CipherSuites: []uint16{ - tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA, // BAD - }, + tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA, // $ Source[go/insecure-tls] // BAD + }, // $ Alert[go/insecure-tls] } _ = config } { config := &tls.Config{ CipherSuites: []uint16{ - tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, // BAD - }, + tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, // $ Source[go/insecure-tls] // BAD + }, // $ Alert[go/insecure-tls] } _ = 
config } { config := &tls.Config{ CipherSuites: []uint16{ - tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, // BAD - }, + tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, // $ Source[go/insecure-tls] // BAD + }, // $ Alert[go/insecure-tls] } _ = config } @@ -326,33 +326,33 @@ func cipherSuites() { { config := &tls.Config{} config.CipherSuites = make([]uint16, 0) - config.CipherSuites = append(config.CipherSuites, tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256) // BAD + config.CipherSuites = append(config.CipherSuites, tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256) // $ Alert[go/insecure-tls] // BAD } { config := &tls.Config{} config.CipherSuites = make([]uint16, 0) - suites := tls.InsecureCipherSuites() + suites := tls.InsecureCipherSuites() // $ Source[go/insecure-tls] for _, v := range suites { - config.CipherSuites = append(config.CipherSuites, v.ID) // BAD + config.CipherSuites = append(config.CipherSuites, v.ID) // $ Alert[go/insecure-tls] // BAD } } { config := &tls.Config{} cipherSuites := make([]uint16, 0) - suites := tls.InsecureCipherSuites() + suites := tls.InsecureCipherSuites() // $ Source[go/insecure-tls] for _, v := range suites { cipherSuites = append(cipherSuites, v.ID) } - config.CipherSuites = cipherSuites // BAD + config.CipherSuites = cipherSuites // $ Alert[go/insecure-tls] // BAD } { config := &tls.Config{} cipherSuites := make([]uint16, 0) - suites := tls.InsecureCipherSuites() + suites := tls.InsecureCipherSuites() // $ Source[go/insecure-tls] for i := range suites { cipherSuites = append(cipherSuites, suites[i].ID) } - config.CipherSuites = cipherSuites // BAD + config.CipherSuites = cipherSuites // $ Alert[go/insecure-tls] // BAD } unknown := len(os.Args) > 1 insecureFlag := len(os.Args) > 2 
@@ -360,8 +360,8 @@ func cipherSuites() { if unknown { config := &tls.Config{ CipherSuites: []uint16{ - tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, // BAD - }, + tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, // $ Source[go/insecure-tls] // BAD + }, // $ Alert[go/insecure-tls] } _ = config } @@ -430,8 +430,8 @@ func cipherSuites() { default: config := &tls.Config{ CipherSuites: []uint16{ - tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, // BAD - }, + tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, // $ Source[go/insecure-tls] // BAD + }, // $ Alert[go/insecure-tls] } _ = config } @@ -454,8 +454,8 @@ func cipherSuites() { default: config := &tls.Config{ CipherSuites: []uint16{ - tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, // BAD - }, + tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, // $ Source[go/insecure-tls] // BAD + }, // $ Alert[go/insecure-tls] } _ = config } diff --git a/go/ql/test/query-tests/Security/CWE-327/UnsafeTLS.qlref b/go/ql/test/query-tests/Security/CWE-327/UnsafeTLS.qlref index 0349f62f26fa..892cb53d05bb 100644 --- a/go/ql/test/query-tests/Security/CWE-327/UnsafeTLS.qlref +++ b/go/ql/test/query-tests/Security/CWE-327/UnsafeTLS.qlref @@ -1,2 +1,4 @@ query: Security/CWE-327/InsecureTLS.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/go/ql/test/query-tests/Security/CWE-338/InsecureRandomness/InsecureRandomness.go b/go/ql/test/query-tests/Security/CWE-338/InsecureRandomness/InsecureRandomness.go index 2e4d309f46c6..1c158be26262 100644 --- a/go/ql/test/query-tests/Security/CWE-338/InsecureRandomness/InsecureRandomness.go +++ b/go/ql/test/query-tests/Security/CWE-338/InsecureRandomness/InsecureRandomness.go 
@@ -9,7 +9,7 @@ var charset = []rune("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ012345 func generatePassword() string { s := make([]rune, 20) for i := range s { - s[i] = charset[rand.Intn(len(charset))] // BAD: weak RNG used to generate password + s[i] = charset[rand.Intn(len(charset))] // $ Alert[go/insecure-randomness] // BAD: weak RNG used to generate password } return string(s) } diff --git a/go/ql/test/query-tests/Security/CWE-338/InsecureRandomness/InsecureRandomness.qlref b/go/ql/test/query-tests/Security/CWE-338/InsecureRandomness/InsecureRandomness.qlref index b30e6ede8ceb..f148404a1c5e 100644 --- a/go/ql/test/query-tests/Security/CWE-338/InsecureRandomness/InsecureRandomness.qlref +++ b/go/ql/test/query-tests/Security/CWE-338/InsecureRandomness/InsecureRandomness.qlref @@ -1,2 +1,4 @@ query: Security/CWE-338/InsecureRandomness.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/go/ql/test/query-tests/Security/CWE-338/InsecureRandomness/sample.go b/go/ql/test/query-tests/Security/CWE-338/InsecureRandomness/sample.go index 9eef81f63bb4..d9624a10f4c4 100644 --- a/go/ql/test/query-tests/Security/CWE-338/InsecureRandomness/sample.go +++ b/go/ql/test/query-tests/Security/CWE-338/InsecureRandomness/sample.go @@ -12,7 +12,7 @@ import ( ) func Guid() []byte { - hash := sha256.Sum256([]byte(fmt.Sprintf("%n", rand.Uint32()))) // OK: may not be used in a cryptographic setting + hash := sha256.Sum256([]byte(fmt.Sprintf("%n", rand.Uint32()))) // $ Source[go/insecure-randomness] // OK: may not be used in a cryptographic setting return hash[:] } @@ -23,7 +23,7 @@ func createHash(key string) string { } func ed25519FromGuid() { - ed25519.NewKeyFromSeed(Guid()) // BAD: Guid internally uses rand + ed25519.NewKeyFromSeed(Guid()) // $ Alert[go/insecure-randomness] // BAD: Guid internally uses rand } func encrypt(data []byte, password string) []byte { 
@@ -31,16 +31,16 @@ func encrypt(data []byte, password string) []byte { gcm, _ := cipher.NewGCM(block) nonce := make([]byte, gcm.NonceSize()) - random := rand.New(rand.NewSource(999)) + random := rand.New(rand.NewSource(999)) // $ Source[go/insecure-randomness] io.ReadFull(random, nonce) - ciphertext := gcm.Seal(data[:0], nonce, data, nil) // BAD: use of an insecure rng to generate a nonce + ciphertext := gcm.Seal(data[:0], nonce, data, nil) // $ Alert[go/insecure-randomness] // BAD: use of an insecure rng to generate a nonce return ciphertext } func makePasswordFiveChar() string { s := make([]rune, 5) - s[0] = charset[rand.Intn(len(charset))] // BAD: weak RNG used to generate salt + s[0] = charset[rand.Intn(len(charset))] // $ Alert[go/insecure-randomness] // BAD: weak RNG used to generate salt s[1] = charset[rand.Intn(len(charset))] // Rest OK because only the first result is caught s[2] = charset[rand.Intn(len(charset))] s[3] = charset[rand.Intn(len(charset))] @@ -52,8 +52,8 @@ func generateRandomKey() ed25519.PrivateKey { candidates := "0123456789ABCDEF" seed := "" for i := 0; i < ed25519.SeedSize; i++ { - randNumber := rand.Intn(len(candidates)) + randNumber := rand.Intn(len(candidates)) // $ Source[go/insecure-randomness] seed += string(candidates[randNumber]) } - return ed25519.NewKeyFromSeed([]byte(seed)) // BAD: seed candidates were selected with a weak RNG + return ed25519.NewKeyFromSeed([]byte(seed)) // $ Alert[go/insecure-randomness] // BAD: seed candidates were selected with a weak RNG } diff --git a/go/ql/test/query-tests/Security/CWE-347/MissingJwtSignatureCheck.qlref b/go/ql/test/query-tests/Security/CWE-347/MissingJwtSignatureCheck.qlref index 404fe618edc8..55524e6e0e62 100644 --- a/go/ql/test/query-tests/Security/CWE-347/MissingJwtSignatureCheck.qlref +++ b/go/ql/test/query-tests/Security/CWE-347/MissingJwtSignatureCheck.qlref 
@@ -1,2 +1,4 @@ query: Security/CWE-347/MissingJwtSignatureCheck.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/go/ql/test/query-tests/Security/CWE-347/go-jose.v3.go b/go/ql/test/query-tests/Security/CWE-347/go-jose.v3.go index 3e55ced31f6a..252b56701265 100644 --- a/go/ql/test/query-tests/Security/CWE-347/go-jose.v3.go +++ b/go/ql/test/query-tests/Security/CWE-347/go-jose.v3.go @@ -22,7 +22,7 @@ func jose(r *http.Request) { verifyJWT(signedToken) // NOT OK: no verification - signedToken = r.URL.Query().Get("signedToken") + signedToken = r.URL.Query().Get("signedToken") // $ Source[go/missing-jwt-signature-check] notVerifyJWT(signedToken) } @@ -30,7 +30,7 @@ func notVerifyJWT(signedToken string) { fmt.Println("only decoding JWT") DecodedToken, _ := jwt.ParseSigned(signedToken) out := CustomerInfo{} - if err := DecodedToken.UnsafeClaimsWithoutVerification(&out); err != nil { + if err := DecodedToken.UnsafeClaimsWithoutVerification(&out); err != nil { // $ Alert[go/missing-jwt-signature-check] panic(err) } fmt.Printf("%v\n", out) diff --git a/go/ql/test/query-tests/Security/CWE-347/golang-jwt-v5.go b/go/ql/test/query-tests/Security/CWE-347/golang-jwt-v5.go index e37265f03c04..761fe2c51c67 100644 --- a/go/ql/test/query-tests/Security/CWE-347/golang-jwt-v5.go +++ b/go/ql/test/query-tests/Security/CWE-347/golang-jwt-v5.go 
@@ -25,13 +25,13 @@ func golangjwt(r *http.Request) { verifyJWT_golangjwt(signedToken) // NOT OK: only unverified parse - signedToken = r.URL.Query().Get("signedToken") + signedToken = r.URL.Query().Get("signedToken") // $ Source[go/missing-jwt-signature-check] notVerifyJWT_golangjwt(signedToken) } func notVerifyJWT_golangjwt(signedToken string) { fmt.Println("only decoding JWT") - DecodedToken, _, err := jwt.NewParser().ParseUnverified(signedToken, &CustomerInfo1{}) + DecodedToken, _, err := jwt.NewParser().ParseUnverified(signedToken, &CustomerInfo1{}) // $ Alert[go/missing-jwt-signature-check] if claims, ok := DecodedToken.Claims.(*CustomerInfo1); ok { fmt.Printf("DecodedToken:%v\n", claims) } else { diff --git a/go/ql/test/query-tests/Security/CWE-352/ConstantOauth2State.go b/go/ql/test/query-tests/Security/CWE-352/ConstantOauth2State.go index 75f899aea518..817c76c8bfa9 100644 --- a/go/ql/test/query-tests/Security/CWE-352/ConstantOauth2State.go +++ b/go/ql/test/query-tests/Security/CWE-352/ConstantOauth2State.go @@ -17,9 +17,9 @@ import ( func main() {} -const stateStringConst = "state" +const stateStringConst = "state" // $ Source -var stateStringVar = "state" +var stateStringVar = "state" // $ Source func badWithStringLiteralState(w http.ResponseWriter) { conf := &oauth2.Config{ @@ -32,7 +32,7 @@ func badWithStringLiteralState(w http.ResponseWriter) { }, } - url := conf.AuthCodeURL("state") // BAD + url := conf.AuthCodeURL("state") // $ Alert // BAD _ = url // ... } @@ -47,7 +47,7 @@ func badWithConstState(w http.ResponseWriter) { }, } - url := conf.AuthCodeURL(stateStringConst) // BAD + url := conf.AuthCodeURL(stateStringConst) // $ Alert // BAD _ = url // ... } @@ -62,7 +62,7 @@ func badWithFixedVarState(w http.ResponseWriter) { }, } - url := conf.AuthCodeURL(stateStringVar) // BAD + url := conf.AuthCodeURL(stateStringVar) // $ Alert // BAD _ = url // ... } 
@@ -78,12 +78,12 @@ func badWithFixedStateReturned(w http.ResponseWriter) { } state := newFixedState() - url := conf.AuthCodeURL(state) // BAD + url := conf.AuthCodeURL(state) // $ Alert // BAD _ = url // ... } func newFixedState() string { - return "state" + return "state" // $ Source } func betterWithVariableStateReturned(w http.ResponseWriter) { @@ -229,7 +229,7 @@ func badWithConstStatePrinter(w http.ResponseWriter) { }, } - url := conf.AuthCodeURL(stateStringConst) // BAD + url := conf.AuthCodeURL(stateStringConst) // $ Alert // BAD fmt.Printf("LOG: URL %v", url) // ... } diff --git a/go/ql/test/query-tests/Security/CWE-352/ConstantOauth2State.qlref b/go/ql/test/query-tests/Security/CWE-352/ConstantOauth2State.qlref index 7898f39d4155..7d6cf6469157 100644 --- a/go/ql/test/query-tests/Security/CWE-352/ConstantOauth2State.qlref +++ b/go/ql/test/query-tests/Security/CWE-352/ConstantOauth2State.qlref @@ -1 +1,2 @@ -Security/CWE-352/ConstantOauth2State.ql +query: Security/CWE-352/ConstantOauth2State.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/go/ql/test/query-tests/Security/CWE-601/BadRedirectCheck/BadRedirectCheck.go b/go/ql/test/query-tests/Security/CWE-601/BadRedirectCheck/BadRedirectCheck.go index 279e59c9cfbc..bbfe38f1cf9d 100644 --- a/go/ql/test/query-tests/Security/CWE-601/BadRedirectCheck/BadRedirectCheck.go +++ b/go/ql/test/query-tests/Security/CWE-601/BadRedirectCheck/BadRedirectCheck.go @@ -1,7 +1,7 @@ package main -func sanitizeUrl(redir string) string { - if len(redir) > 0 && redir[0] == '/' { +func sanitizeUrl(redir string) string { // $ Source[go/bad-redirect-check] + if len(redir) > 0 && redir[0] == '/' { // $ Alert[go/bad-redirect-check] return redir } return "/" diff --git a/go/ql/test/query-tests/Security/CWE-601/BadRedirectCheck/BadRedirectCheck.qlref b/go/ql/test/query-tests/Security/CWE-601/BadRedirectCheck/BadRedirectCheck.qlref index fddee377510d..59540d49a15e 100644 
--- a/go/ql/test/query-tests/Security/CWE-601/BadRedirectCheck/BadRedirectCheck.qlref +++ b/go/ql/test/query-tests/Security/CWE-601/BadRedirectCheck/BadRedirectCheck.qlref @@ -1,2 +1,4 @@ query: Security/CWE-601/BadRedirectCheck.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/go/ql/test/query-tests/Security/CWE-601/BadRedirectCheck/cves.go b/go/ql/test/query-tests/Security/CWE-601/BadRedirectCheck/cves.go index 42e8bab3452f..27254a5f4223 100644 --- a/go/ql/test/query-tests/Security/CWE-601/BadRedirectCheck/cves.go +++ b/go/ql/test/query-tests/Security/CWE-601/BadRedirectCheck/cves.go @@ -8,12 +8,12 @@ import ( // CVE-2018-15178 // Code from github.com/gogs/gogs func isValidRedirect(url string) bool { - return len(url) >= 2 && url[0] == '/' && url[1] != '/' // NOT OK + return len(url) >= 2 && url[0] == '/' && url[1] != '/' // $ Alert[go/bad-redirect-check] // NOT OK } -func alsoABadRedirect(url string, rw http.ResponseWriter, req *http.Request) { +func alsoABadRedirect(url string, rw http.ResponseWriter, req *http.Request) { // $ Source[go/bad-redirect-check] if isValidRedirect(url) { - http.Redirect(rw, req, url, 302) + http.Redirect(rw, req, url, 302) // $ Sink[go/bad-redirect-check] } } 
@@ -30,17 +30,17 @@ func alsoAGoodRedirect(url string, rw http.ResponseWriter, req *http.Request) { // CVE-2017-1000070 (both vulnerable!) // Code from github.com/bitly/oauth2_proxy func OAuthCallback(rw http.ResponseWriter, req *http.Request) { - redirect := req.Form.Get("state") - if !strings.HasPrefix(redirect, "/") { // NOT OK + redirect := req.Form.Get("state") // $ Source[go/bad-redirect-check] + if !strings.HasPrefix(redirect, "/") { // $ Alert[go/bad-redirect-check] // NOT OK redirect = "/" } - http.Redirect(rw, req, redirect, 302) + http.Redirect(rw, req, redirect, 302) // $ Sink[go/bad-redirect-check] } func OAuthCallback1(rw http.ResponseWriter, req *http.Request) { - redirect := req.Form.Get("state") - if !strings.HasPrefix(redirect, "/") || strings.HasPrefix(redirect, "//") { // NOT OK + redirect := req.Form.Get("state") // $ Source[go/bad-redirect-check] + if !strings.HasPrefix(redirect, "/") || strings.HasPrefix(redirect, "//") { // $ Alert[go/bad-redirect-check] // NOT OK redirect = "/" } - http.Redirect(rw, req, redirect, 302) + http.Redirect(rw, req, redirect, 302) // $ Sink[go/bad-redirect-check] } diff --git a/go/ql/test/query-tests/Security/CWE-601/BadRedirectCheck/main.go b/go/ql/test/query-tests/Security/CWE-601/BadRedirectCheck/main.go index beccc9a135d0..6db721ead8d8 100644 --- a/go/ql/test/query-tests/Security/CWE-601/BadRedirectCheck/main.go +++ b/go/ql/test/query-tests/Security/CWE-601/BadRedirectCheck/main.go @@ -7,8 +7,8 @@ import ( "strings" ) -func badRedirect(redirect string, rw http.ResponseWriter, req *http.Request) { - http.Redirect(rw, req, sanitizeUrl(redirect), 302) +func badRedirect(redirect string, rw http.ResponseWriter, req *http.Request) { // $ Source[go/bad-redirect-check] + http.Redirect(rw, req, sanitizeUrl(redirect), 302) // $ Sink[go/bad-redirect-check] } func goodRedirect(redirect string, rw http.ResponseWriter, req *http.Request) { 
@@ -22,16 +22,16 @@ func goodRedirect2(url string, rw http.ResponseWriter, req *http.Request) { func isValidRedir(redirect string) bool { switch { // Not OK: does not check for '/\' - case strings.HasPrefix(redirect, "/") && !strings.HasPrefix(redirect, "//"): + case strings.HasPrefix(redirect, "/") && !strings.HasPrefix(redirect, "//"): // $ Alert[go/bad-redirect-check] return true default: return false } } -func alsoABadRedirect1(url string, rw http.ResponseWriter, req *http.Request) { +func alsoABadRedirect1(url string, rw http.ResponseWriter, req *http.Request) { // $ Source[go/bad-redirect-check] if isValidRedir(url) { - http.Redirect(rw, req, url, 302) + http.Redirect(rw, req, url, 302) // $ Sink[go/bad-redirect-check] } } @@ -65,28 +65,28 @@ func goodRedirect4(url string, rw http.ResponseWriter, req *http.Request) { http.Redirect(rw, req, getTarget(url), 302) } -func getTarget1(redirect string) string { - if redirect[0] != '/' { +func getTarget1(redirect string) string { // $ Source[go/bad-redirect-check] + if redirect[0] != '/' { // $ Alert[go/bad-redirect-check] return "/" } return path.Clean(redirect) } -func badRedirect1(url string, rw http.ResponseWriter, req *http.Request) { - http.Redirect(rw, req, getTarget1(url), 302) +func badRedirect1(url string, rw http.ResponseWriter, req *http.Request) { // $ Source[go/bad-redirect-check] + http.Redirect(rw, req, getTarget1(url), 302) // $ Sink[go/bad-redirect-check] } func getTarget2(redirect string) string { u, _ := url.Parse(redirect) - if u.Path[0] != '/' { + if u.Path[0] != '/' { // $ Alert[go/bad-redirect-check] return "/" } - return u.Path + return u.Path // $ Source[go/bad-redirect-check] } func badRedirect2(url string, rw http.ResponseWriter, req *http.Request) { - http.Redirect(rw, req, getTarget2(url), 302) + http.Redirect(rw, req, getTarget2(url), 302) // $ Sink[go/bad-redirect-check] } 
diff --git a/go/ql/test/query-tests/Security/CWE-643/XPathInjection.go b/go/ql/test/query-tests/Security/CWE-643/XPathInjection.go index 50b130db91c0..96055469034d 100644 --- a/go/ql/test/query-tests/Security/CWE-643/XPathInjection.go +++ b/go/ql/test/query-tests/Security/CWE-643/XPathInjection.go @@ -10,10 +10,10 @@ import ( func processRequest(r *http.Request, doc tree.Node) { r.ParseForm() - username := r.Form.Get("username") + username := r.Form.Get("username") // $ Source[go/xml/xpath-injection] // BAD: User input used directly in an XPath expression - xPath := goxpath.MustParse("//users/user[login/text()='" + username + "']/home_dir/text()") + xPath := goxpath.MustParse("//users/user[login/text()='" + username + "']/home_dir/text()") // $ Alert[go/xml/xpath-injection] unsafeRes, _ := xPath.ExecBool(doc) fmt.Println(unsafeRes) diff --git a/go/ql/test/query-tests/Security/CWE-643/XPathInjection.qlref b/go/ql/test/query-tests/Security/CWE-643/XPathInjection.qlref index e6a07d4a6886..f3d92cc4c017 100644 --- a/go/ql/test/query-tests/Security/CWE-643/XPathInjection.qlref +++ b/go/ql/test/query-tests/Security/CWE-643/XPathInjection.qlref @@ -1,2 +1,4 @@ query: Security/CWE-643/XPathInjection.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/go/ql/test/query-tests/Security/CWE-643/tst.go b/go/ql/test/query-tests/Security/CWE-643/tst.go index d3fc98b41a78..d28bed01149c 100644 --- a/go/ql/test/query-tests/Security/CWE-643/tst.go +++ b/go/ql/test/query-tests/Security/CWE-643/tst.go 
@@ -32,70 +32,70 @@ func main() {} func testAntchfxXpath(r *http.Request) { r.ParseForm() - username := r.Form.Get("username") + username := r.Form.Get("username") // $ Source[go/xml/xpath-injection] // BAD: User input used directly in an XPath expression - _, _ = xpath.Compile("//users/user[login/text()='" + username + "']/home_dir/text()") - _, _ = xpath.CompileWithNS("//users/user[login/text()='"+username+"']/home_dir/text()", make(map[string]string)) - _ = xpath.MustCompile("//users/user[login/text()='" + username + "']/home_dir/text()") - _ = xpath.Select(nil, "//users/user[login/text()='"+username+"']/home_dir/text()") + _, _ = xpath.Compile("//users/user[login/text()='" + username + "']/home_dir/text()") // $ Alert[go/xml/xpath-injection] + _, _ = xpath.CompileWithNS("//users/user[login/text()='"+username+"']/home_dir/text()", make(map[string]string)) // $ Alert[go/xml/xpath-injection] + _ = xpath.MustCompile("//users/user[login/text()='" + username + "']/home_dir/text()") // $ Alert[go/xml/xpath-injection] + _ = xpath.Select(nil, "//users/user[login/text()='"+username+"']/home_dir/text()") // $ Alert[go/xml/xpath-injection] } func testAntchfxHtmlquery(r *http.Request) { r.ParseForm() - username := r.Form.Get("username") + username := r.Form.Get("username") // $ Source[go/xml/xpath-injection] // BAD: User input used directly in an XPath expression - _ = htmlquery.Find(nil, "//users/user[login/text()='"+username+"']/home_dir/text()") - _ = htmlquery.FindOne(nil, "//users/user[login/text()='"+username+"']/home_dir/text()") - _, _ = htmlquery.Query(nil, "//users/user[login/text()='"+username+"']/home_dir/text()") - _, _ = htmlquery.QueryAll(nil, "//users/user[login/text()='"+username+"']/home_dir/text()") + _ = htmlquery.Find(nil, "//users/user[login/text()='"+username+"']/home_dir/text()") // $ Alert[go/xml/xpath-injection] + _ = htmlquery.FindOne(nil, "//users/user[login/text()='"+username+"']/home_dir/text()") // $ Alert[go/xml/xpath-injection] + _, _ = 
htmlquery.Query(nil, "//users/user[login/text()='"+username+"']/home_dir/text()") // $ Alert[go/xml/xpath-injection] + _, _ = htmlquery.QueryAll(nil, "//users/user[login/text()='"+username+"']/home_dir/text()") // $ Alert[go/xml/xpath-injection] } func testAntchfxXmlquery(r *http.Request, n *xmlquery.Node) { r.ParseForm() - username := r.Form.Get("username") + username := r.Form.Get("username") // $ Source[go/xml/xpath-injection] // BAD: User input used directly in an XPath expression - _ = xmlquery.Find(nil, "//users/user[login/text()='"+username+"']/home_dir/text()") - _ = xmlquery.FindOne(nil, "//users/user[login/text()='"+username+"']/home_dir/text()") - xmlquery.FindEach(nil, "//users/user[login/text()='"+username+"']/home_dir/text()", nil) - xmlquery.FindEachWithBreak(nil, "//users/user[login/text()='"+username+"']/home_dir/text()", nil) - _, _ = xmlquery.Query(nil, "//users/user[login/text()='"+username+"']/home_dir/text()") - _, _ = xmlquery.QueryAll(nil, "//users/user[login/text()='"+username+"']/home_dir/text()") - _ = n.SelectElements("//users/user[login/text()='" + username + "']/home_dir/text()") - _ = n.SelectElement("//users/user[login/text()='" + username + "']/home_dir/text()") + _ = xmlquery.Find(nil, "//users/user[login/text()='"+username+"']/home_dir/text()") // $ Alert[go/xml/xpath-injection] + _ = xmlquery.FindOne(nil, "//users/user[login/text()='"+username+"']/home_dir/text()") // $ Alert[go/xml/xpath-injection] + xmlquery.FindEach(nil, "//users/user[login/text()='"+username+"']/home_dir/text()", nil) // $ Alert[go/xml/xpath-injection] + xmlquery.FindEachWithBreak(nil, "//users/user[login/text()='"+username+"']/home_dir/text()", nil) // $ Alert[go/xml/xpath-injection] + _, _ = xmlquery.Query(nil, "//users/user[login/text()='"+username+"']/home_dir/text()") // $ Alert[go/xml/xpath-injection] + _, _ = xmlquery.QueryAll(nil, "//users/user[login/text()='"+username+"']/home_dir/text()") // $ Alert[go/xml/xpath-injection] + _ = 
n.SelectElements("//users/user[login/text()='" + username + "']/home_dir/text()") // $ Alert[go/xml/xpath-injection] + _ = n.SelectElement("//users/user[login/text()='" + username + "']/home_dir/text()") // $ Alert[go/xml/xpath-injection] } func testAntchfxJsonquery(r *http.Request) { r.ParseForm() - username := r.Form.Get("username") + username := r.Form.Get("username") // $ Source[go/xml/xpath-injection] // BAD: User input used directly in an XPath expression - _ = jsonquery.Find(nil, "//users/user[login/text()='"+username+"']/home_dir/text()") - _ = jsonquery.FindOne(nil, "//users/user[login/text()='"+username+"']/home_dir/text()") - _, _ = jsonquery.Query(nil, "//users/user[login/text()='"+username+"']/home_dir/text()") - _, _ = jsonquery.QueryAll(nil, "//users/user[login/text()='"+username+"']/home_dir/text()") + _ = jsonquery.Find(nil, "//users/user[login/text()='"+username+"']/home_dir/text()") // $ Alert[go/xml/xpath-injection] + _ = jsonquery.FindOne(nil, "//users/user[login/text()='"+username+"']/home_dir/text()") // $ Alert[go/xml/xpath-injection] + _, _ = jsonquery.Query(nil, "//users/user[login/text()='"+username+"']/home_dir/text()") // $ Alert[go/xml/xpath-injection] + _, _ = jsonquery.QueryAll(nil, "//users/user[login/text()='"+username+"']/home_dir/text()") // $ Alert[go/xml/xpath-injection] } func testGoXmlpathXmlpath(r *http.Request) { r.ParseForm() - username := r.Form.Get("username") + username := r.Form.Get("username") // $ Source[go/xml/xpath-injection] // BAD: User input used directly in an XPath expression - _, _ = xmlpath.Compile("//users/user[login/text()='" + username + "']/home_dir/text()") - _ = xmlpath.MustCompile("//users/user[login/text()='" + username + "']/home_dir/text()") + _, _ = xmlpath.Compile("//users/user[login/text()='" + username + "']/home_dir/text()") // $ Alert[go/xml/xpath-injection] + _ = xmlpath.MustCompile("//users/user[login/text()='" + username + "']/home_dir/text()") // $ Alert[go/xml/xpath-injection] } func 
testChrisTrenkampGoxpath(r *http.Request) { r.ParseForm() - username := r.Form.Get("username") - password := r.Form.Get("password") + username := r.Form.Get("username") // $ Source[go/xml/xpath-injection] + password := r.Form.Get("password") // $ Source[go/xml/xpath-injection] // BAD: User input used directly in an XPath expression - _, _ = goxpath.Parse("//users/user[login/text()='" + username + "' and password/text() = '" + password + "']/home_dir/text()") - _ = goxpath.MustParse("//users/user[login/text()='" + username + "' and password/text() = '" + password + "']/home_dir/text()") - _, _ = goxpath.ParseExec("//users/user[login/text()='"+username+"' and password/text() = '"+password+"']/home_dir/text()", nil) + _, _ = goxpath.Parse("//users/user[login/text()='" + username + "' and password/text() = '" + password + "']/home_dir/text()") // $ Alert[go/xml/xpath-injection] + _ = goxpath.MustParse("//users/user[login/text()='" + username + "' and password/text() = '" + password + "']/home_dir/text()") // $ Alert[go/xml/xpath-injection] + _, _ = goxpath.ParseExec("//users/user[login/text()='"+username+"' and password/text() = '"+password+"']/home_dir/text()", nil) // $ Alert[go/xml/xpath-injection] // GOOD: Uses parameters to avoid including user input directly in XPath expression _ = goxpath.MustParse("//users/user[login/text()=$username and password/text() = $password]/home_dir/text()") 
@@ -103,24 +103,24 @@ func testChrisTrenkampGoxpath(r *http.Request) { func testSanthoshTekuriXpathparser(r *http.Request) { r.ParseForm() - username := r.Form.Get("username") + username := r.Form.Get("username") // $ Source[go/xml/xpath-injection] // BAD: User input used directly in an XPath expression - _, _ = xpathparser.Parse("//users/user[login/text()='" + username + "']/home_dir/text()") - _ = xpathparser.MustParse("//users/user[login/text()='" + username + "']/home_dir/text()") + _, _ = xpathparser.Parse("//users/user[login/text()='" + username + "']/home_dir/text()") // $ Alert[go/xml/xpath-injection] + _ = xpathparser.MustParse("//users/user[login/text()='" + username + "']/home_dir/text()") // $ Alert[go/xml/xpath-injection] } func testJbowtieGokogiri(r *http.Request, n gokogiriXml.Node) { r.ParseForm() - username := r.Form.Get("username") - password := r.Form.Get("password") + username := r.Form.Get("username") // $ Source[go/xml/xpath-injection] + password := r.Form.Get("password") // $ Source[go/xml/xpath-injection] // BAD: User input used directly in an XPath expression - xpath := gokogiriXpath.Compile("//users/user[login/text()='" + username + "' and password/text() = '" + password + "']/home_dir/text()") - _, _ = n.Search("//users/user[login/text()='" + username + "' and password/text() = '" + password + "']/home_dir/text()") - _, _ = n.SearchWithVariables("//users/user[login/text()='"+username+"' and password/text() = '"+password+"']/home_dir/text()", nil) - _, _ = n.EvalXPath("//users/user[login/text()='"+username+"' and password/text() = '"+password+"']/home_dir/text()", nil) - _ = n.EvalXPathAsBoolean("//users/user[login/text()='"+username+"' and password/text() = '"+password+"']/home_dir/text()", nil) + xpath := gokogiriXpath.Compile("//users/user[login/text()='" + username + "' and password/text() = '" + password + "']/home_dir/text()") // $ Alert[go/xml/xpath-injection] + _, _ = n.Search("//users/user[login/text()='" + username + "' and 
password/text() = '" + password + "']/home_dir/text()") // $ Alert[go/xml/xpath-injection] + _, _ = n.SearchWithVariables("//users/user[login/text()='"+username+"' and password/text() = '"+password+"']/home_dir/text()", nil) // $ Alert[go/xml/xpath-injection] + _, _ = n.EvalXPath("//users/user[login/text()='"+username+"' and password/text() = '"+password+"']/home_dir/text()", nil) // $ Alert[go/xml/xpath-injection] + _ = n.EvalXPathAsBoolean("//users/user[login/text()='"+username+"' and password/text() = '"+password+"']/home_dir/text()", nil) // $ Alert[go/xml/xpath-injection] // OK: Not flagged, since the creation of `xpath` is already flagged. _, _ = n.Search(xpath) @@ -136,12 +136,12 @@ func testJbowtieGokogiri(r *http.Request, n gokogiriXml.Node) { func testLestratGoLibxml2(r *http.Request) { r.ParseForm() - username := r.Form.Get("username") + username := r.Form.Get("username") // $ Source[go/xml/xpath-injection] p := parser.New(parser.XMLParseNoEnt) // BAD: User input used directly in an XPath expression - _, _ = p.Parse([]byte("//users/user[login/text()='" + username + "']/home_dir/text()")) + _, _ = p.Parse([]byte("//users/user[login/text()='" + username + "']/home_dir/text()")) // $ Alert[go/xml/xpath-injection] _, _ = p.ParseReader(strings.NewReader("//users/user[login/text()='" + username + "']/home_dir/text()")) - _, _ = p.ParseString("//users/user[login/text()='" + username + "']/home_dir/text()") + _, _ = p.ParseString("//users/user[login/text()='" + username + "']/home_dir/text()") // $ Alert[go/xml/xpath-injection] } diff --git a/go/ql/test/query-tests/Security/CWE-798/AlertSuppressionExample.go b/go/ql/test/query-tests/Security/CWE-798/AlertSuppressionExample.go index c6cd369394fd..be5c1c97f949 100644 --- a/go/ql/test/query-tests/Security/CWE-798/AlertSuppressionExample.go +++ b/go/ql/test/query-tests/Security/CWE-798/AlertSuppressionExample.go 
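Review bot: In the `testLestratGoLibxml2` hunk, `p.ParseReader(strings.NewReader(...))` is built from the same `username` value as its neighbours but is the only one of the three calls left without a `// $ Alert[go/xml/xpath-injection]` tag. If the query does not model `ParseReader` as a sink, that gap should be stated on the line, e.g. `// not flagged: ParseReader is not modelled as a sink`, following the pattern the `testJbowtieGokogiri` hunk already uses for its untagged `n.Search(xpath)` line; if the query does model it, the inline-expectations run will report an unexpected result here. I cannot see the query's sink list, so either reading is possible, but leaving the line unexplained invites the same question on every future edit.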
@@ -8,7 +8,7 @@ func login(user, password string) bool { func TestLogin(t *testing.T) { user := "testuser" - password := "horsebatterystaplecorrect" // lgtm[go/hardcoded-credentials] + password := "horsebatterystaplecorrect" // $ Alert[go/hardcoded-credentials] // lgtm[go/hardcoded-credentials] if !login(user, password) { t.Errorf("Login test failed.") } diff --git a/go/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.go b/go/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.go index 78d0603c2c3c..d9c2398532d0 100644 --- a/go/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.go +++ b/go/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.go @@ -7,7 +7,7 @@ import ( const ( user = "dbuser" - password = "s3cretp4ssword" + password = "s3cretp4ssword" // $ Alert[go/hardcoded-credentials] ) func connect() *sql.DB { diff --git a/go/ql/test/query-tests/Security/CWE-798/HardcodedKeysBad.go b/go/ql/test/query-tests/Security/CWE-798/HardcodedKeysBad.go index 2ffc46147f6e..c413b4bfcd2a 100644 --- a/go/ql/test/query-tests/Security/CWE-798/HardcodedKeysBad.go +++ b/go/ql/test/query-tests/Security/CWE-798/HardcodedKeysBad.go @@ -16,5 +16,5 @@ func bad() (interface{}, error) { } token := jwt.NewWithClaims(nil, claims) - return token.SignedString(mySigningKey) + return token.SignedString(mySigningKey) // $ Alert[go/hardcoded-credentials] } diff --git a/go/ql/test/query-tests/Security/CWE-798/jwt.go b/go/ql/test/query-tests/Security/CWE-798/jwt.go index 560f95800df8..3a0a23472b89 100644 --- a/go/ql/test/query-tests/Security/CWE-798/jwt.go +++ b/go/ql/test/query-tests/Security/CWE-798/jwt.go 
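Review bot: In the `AlertSuppressionExample.go` hunk the pre-existing `// lgtm[go/hardcoded-credentials]` suppression marker now trails the new `// $ Alert[go/hardcoded-credentials]` tag on the same line, so each parser sees the other marker as trailing text. Whether the inline-expectations parser tolerates a second `//` token after its tag, and whether the suppression query still recognises `lgtm[...]` when it is no longer at the start of the comment, both need confirming against the framework; since both markers must attach to the `password :=` line, if either check fails one of them has to be dropped or the file split into an expectations fixture and a suppression fixture. I cannot see the expected output for the suppression query, so this may already be covered by it.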
@@ -39,14 +39,14 @@ func gjwtt() (interface{}, error) { } token := gjwt.NewWithClaims(nil, claims) - return token.SignedString(mySigningKey) // BAD + return token.SignedString(mySigningKey) // $ Alert[go/hardcoded-credentials] // BAD } func gin_jwt() (interface{}, error) { var identityKey = "id" return jwt.New(&jwt.GinJWTMiddleware{ Realm: "test zone", - Key: []byte("key2"), // BAD + Key: []byte("key2"), // $ Alert[go/hardcoded-credentials] // BAD Timeout: time.Hour, MaxRefresh: time.Hour, IdentityKey: identityKey, @@ -65,12 +65,12 @@ func gin_jwt() (interface{}, error) { func cristalhq() (interface{}, error) { key := []byte(`key3`) - return cristal.NewSignerHS(cristal.HS256, key) // BAD + return cristal.NewSignerHS(cristal.HS256, key) // $ Alert[go/hardcoded-credentials] // BAD } func josev3() (interface{}, error) { key := []byte("key4") - return jose_v3.NewSigner(jose_v3.SigningKey{Algorithm: "", Key: key}, nil) // BAD + return jose_v3.NewSigner(jose_v3.SigningKey{Algorithm: "", Key: key}, nil) // $ Alert[go/hardcoded-credentials] // BAD } func josev3_2() (interface{}, error) { key2 := []byte("key5") @@ -78,7 +78,7 @@ func josev3_2() (interface{}, error) { "", jose_v3.Recipient{ Algorithm: "", - Key: key2, // BAD + Key: key2, // $ Alert[go/hardcoded-credentials] // BAD }, nil) } @@ -88,14 +88,14 @@ func josev2() (interface{}, error) { return jose_v2.NewEncrypter( "", - jose_v2.Recipient{Algorithm: "", Key: key}, // BAD + jose_v2.Recipient{Algorithm: "", Key: key}, // $ Alert[go/hardcoded-credentials] // BAD nil, ) } func jose_v2_2() (interface{}, error) { key2 := []byte("key7") - return jose_v2.NewSigner(jose_v2.SigningKey{Algorithm: "", Key: key2}, nil) // BAD + return jose_v2.NewSigner(jose_v2.SigningKey{Algorithm: "", Key: key2}, nil) // $ Alert[go/hardcoded-credentials] // BAD } func go_kit() interface{} { 
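Review bot: Every tagged line in this hunk keeps its old `// BAD` comment after the new `// $ Alert[go/hardcoded-credentials]` tag, and the same pattern repeats in the `go_kit`, `iris12jwt2`, `irisjwt3`, `katarasJwt5`, `main.go` (`// NOT OK`) and `sanitizer.go` hunks that follow. The expectation tag already says an alert is expected, so the suffix is redundant, and unless the inline-expectations parser is confirmed to stop at the second `//` it risks being read as part of the expectation; dropping it, leaving e.g. `return token.SignedString(mySigningKey) // $ Alert[go/hardcoded-credentials]`, keeps each line unambiguous. If the suffix is kept on purpose as a human-readable hint, a single file-level comment saying so would be clearer than repeating it on every line.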
@@ -106,24 +106,24 @@ func go_kit() interface{} { mapClaims = gjwt.MapClaims{"user": "go-kit"} ) - return gokit.NewSigner(kid, key, nil, mapClaims) // BAD + return gokit.NewSigner(kid, key, nil, mapClaims) // $ Alert[go/hardcoded-credentials] // BAD } func lejwt() (interface{}, error) { sharedKey := []byte("key9") - return le.New(sharedKey) // BAD + return le.New(sharedKey) // $ Alert[go/hardcoded-credentials] // BAD } var sharedKeyglobal = []byte("key10") func lejwt2() (interface{}, error) { - return le.New(sharedKeyglobal) // BAD + return le.New(sharedKeyglobal) // $ Alert[go/hardcoded-credentials] // BAD } func gogfjwt() interface{} { return &gogf.GfJWTMiddleware{ Realm: "test zone", - Key: []byte("key11"), // BAD + Key: []byte("key11"), // $ Alert[go/hardcoded-credentials] // BAD Timeout: time.Minute * 5, MaxRefresh: time.Minute * 5, IdentityKey: "id", @@ -140,7 +140,7 @@ func gogfjwt() interface{} { func irisjwt() interface{} { key := []byte("key12") token := iris.NewTokenWithClaims(nil, nil) - tokenString, _ := token.SignedString(key) // BAD + tokenString, _ := token.SignedString(key) // $ Alert[go/hardcoded-credentials] // BAD return tokenString } @@ -149,7 +149,7 @@ func iris12jwt2() interface{} { s := &iris12.Signer{ Alg: nil, - Key: key, // BAD + Key: key, // $ Alert[go/hardcoded-credentials] // BAD MaxAge: 3 * time.Second, } return s 
@@ -157,31 +157,31 @@ func iris12jwt2() interface{} { func irisjwt3() interface{} { key := []byte("key14") - signer := iris12.NewSigner(nil, key, 3*time.Second) // BAD + signer := iris12.NewSigner(nil, key, 3*time.Second) // $ Alert[go/hardcoded-credentials] // BAD return signer } func katarasJwt() interface{} { key := []byte("key15") - token, _ := kataras.Sign(nil, key, nil, nil) // BAD + token, _ := kataras.Sign(nil, key, nil, nil) // $ Alert[go/hardcoded-credentials] // BAD return token } func katarasJwt2() interface{} { key := []byte("key16") - token, _ := kataras.SignEncrypted(nil, key, nil, nil) // BAD + token, _ := kataras.SignEncrypted(nil, key, nil, nil) // $ Alert[go/hardcoded-credentials] // BAD return token } func katarasJwt3() interface{} { key := []byte("key17") - token, _ := kataras.SignEncryptedWithHeader(nil, key, nil, nil, nil) // BAD + token, _ := kataras.SignEncryptedWithHeader(nil, key, nil, nil, nil) // $ Alert[go/hardcoded-credentials] // BAD return token } func katarasJwt4() interface{} { key := []byte("key18") - token, _ := kataras.SignWithHeader(nil, key, nil, nil) // BAD + token, _ := kataras.SignWithHeader(nil, key, nil, nil) // $ Alert[go/hardcoded-credentials] // BAD return token } @@ -189,5 +189,5 @@ func katarasJwt5() { key := []byte("key19") var keys kataras.Keys var alg kataras.Alg - keys.Register(alg, "api", nil, key) // BAD + keys.Register(alg, "api", nil, key) // $ Alert[go/hardcoded-credentials] // BAD } diff --git a/go/ql/test/query-tests/Security/CWE-798/main.go b/go/ql/test/query-tests/Security/CWE-798/main.go index 366933c76934..5a0519578de3 100644 --- a/go/ql/test/query-tests/Security/CWE-798/main.go +++ b/go/ql/test/query-tests/Security/CWE-798/main.go @@ -3,7 +3,7 @@ package main import "fmt" const ( - passwd = "p4ssw0rd" // NOT OK + passwd = "p4ssw0rd" // $ Alert[go/hardcoded-credentials] // NOT OK _password = "" // OK ) 
diff --git a/go/ql/test/query-tests/Security/CWE-798/sanitizer.go b/go/ql/test/query-tests/Security/CWE-798/sanitizer.go index 749642ceb3bf..14635feba949 100644 --- a/go/ql/test/query-tests/Security/CWE-798/sanitizer.go +++ b/go/ql/test/query-tests/Security/CWE-798/sanitizer.go @@ -15,7 +15,7 @@ import ( func check_ok() (interface{}, error) { key := []byte(`some_key`) - return cristal.NewSignerHS(cristal.HS256, key) // BAD + return cristal.NewSignerHS(cristal.HS256, key) // $ Alert[go/hardcoded-credentials] // BAD } func GenerateRandomString(size int) string { From e322076b09385a5dd28be67f2989bc6f7c321049 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Wed, 10 Jun 2026 07:07:49 +0200 Subject: [PATCH 2/5] Fix odd hand-rolled inline expectations test --- .../library-tests/semmle/go/frameworks/Twirp/tests.expected | 6 +++--- .../test/library-tests/semmle/go/frameworks/Twirp/tests.ql | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/go/ql/test/library-tests/semmle/go/frameworks/Twirp/tests.expected b/go/ql/test/library-tests/semmle/go/frameworks/Twirp/tests.expected index 4b0a2d917e71..45f8d66dfca8 100644 --- a/go/ql/test/library-tests/semmle/go/frameworks/Twirp/tests.expected +++ b/go/ql/test/library-tests/semmle/go/frameworks/Twirp/tests.expected 
@@ -6,16 +6,16 @@ passingPositiveTests
 | PASSED | message | rpc/notes/service.pb.go:86:32:86:47 | comment |
 | PASSED | message | rpc/notes/service.pb.go:133:33:133:48 | comment |
 | PASSED | message | rpc/notes/service.pb.go:171:33:171:48 | comment |
-| PASSED | request | server/main.go:19:111:19:140 | comment |
+| PASSED | request | server/main.go:19:111:19:172 | comment |
 | PASSED | request | server/main.go:40:126:40:155 | comment |
 | PASSED | serverConstructor | rpc/notes/service.twirp.go:334:81:334:106 | comment |
 | PASSED | serviceClient | rpc/notes/service.twirp.go:44:42:44:63 | comment |
 | PASSED | serviceClient | rpc/notes/service.twirp.go:183:38:183:59 | comment |
 | PASSED | serviceInterface | rpc/notes/service.twirp.go:34:31:34:55 | comment |
 | PASSED | serviceServer | rpc/notes/service.twirp.go:322:34:322:55 | comment |
-| PASSED | ssrf | server/main.go:30:97:30:119 | comment |
+| PASSED | ssrf | server/main.go:30:97:30:150 | comment |
 | PASSED | ssrfSink | client/main.go:12:89:12:105 | comment |
-| PASSED | ssrfSink | server/main.go:30:97:30:119 | comment |
+| PASSED | ssrfSink | server/main.go:30:97:30:150 | comment |
 | PASSED | ssrfSink | server/main.go:31:97:31:120 | comment |
 failingPositiveTests
 passingNegativeTests
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/Twirp/tests.ql b/go/ql/test/library-tests/semmle/go/frameworks/Twirp/tests.ql
index 5866b6ff3eda..391cb2242967 100644
--- a/go/ql/test/library-tests/semmle/go/frameworks/Twirp/tests.ql
+++ b/go/ql/test/library-tests/semmle/go/frameworks/Twirp/tests.ql
@@ -6,7 +6,7 @@ import semmle.go.security.RequestForgery
 class InlineTest extends LineComment {
 string tests;
- InlineTest() { tests = this.getText().regexpCapture("\\s*test:(.*)", 1) }
+ InlineTest() { tests = this.getText().regexpCapture(".*test:\\s*(.*)", 1) }
 string getPositiveTest() {
 result = tests.trim().splitAt(",").trim() and not result.matches("!%")
From c0b77b43bdf00925e41d435e9577050ae93d70e0 Mon Sep 17 00:00:00 2001
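Review bot: The new pattern `.*test:\\s*(.*)` in the `InlineTest` constructor opens with a greedy `.*`, so any line comment that mentions `test:` anywhere in its text now becomes an `InlineTest`, and a comment containing `test:` twice keeps only the text after the last occurrence. The old pattern accepted only comments that began with `test:`; if the intent is merely to let the marker follow other inline-expectation text on the same line, a narrower form such as `regexpCapture(".*\\btest:\\s*(.*)", 1)` limits the change to that case and keeps prose comments out. The column shifts in `tests.expected` are consistent with the tagged comments having grown, which supports that reading, but the class body continues outside the hunk and I cannot see what other comments the fixtures contain.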
From: Owen Mansel-Chan Date: Wed, 10 Jun 2026 07:12:08 +0200 Subject: [PATCH 3/5] Fix pre-existing whitespace issues in go test files --- .../WhitespaceContradictsPrecedence/main.go | 2 +- .../Security/CWE-089/StringBreak.expected | 40 +++++++++---------- .../Security/CWE-089/StringBreak.go | 1 + .../Security/CWE-089/StringBreakMismatched.go | 3 +- 4 files changed, 24 insertions(+), 22 deletions(-) diff --git a/go/ql/test/query-tests/InconsistentCode/WhitespaceContradictsPrecedence/main.go b/go/ql/test/query-tests/InconsistentCode/WhitespaceContradictsPrecedence/main.go index 8cbb69941a8c..a168ea04acf2 100644 --- a/go/ql/test/query-tests/InconsistentCode/WhitespaceContradictsPrecedence/main.go +++ b/go/ql/test/query-tests/InconsistentCode/WhitespaceContradictsPrecedence/main.go @@ -21,7 +21,7 @@ func ok3(x int) int { func ok4(x int, y int, z int) int { return x + y + z; } - + func ok5(x int, y int, z int) int { return x + y+z; } diff --git a/go/ql/test/query-tests/Security/CWE-089/StringBreak.expected b/go/ql/test/query-tests/Security/CWE-089/StringBreak.expected index 5deab249337e..63caa73d596d 100644 --- a/go/ql/test/query-tests/Security/CWE-089/StringBreak.expected +++ b/go/ql/test/query-tests/Security/CWE-089/StringBreak.expected 
@@ -1,26 +1,26 @@ #select -| StringBreak.go:14:47:14:57 | versionJSON | StringBreak.go:10:2:10:40 | ... := ...[0] | StringBreak.go:14:47:14:57 | versionJSON | If this $@ contains a single quote, it could break out of the enclosing quotes. | StringBreak.go:10:2:10:40 | ... := ...[0] | JSON value | -| StringBreakMismatched.go:17:26:17:32 | escaped | StringBreakMismatched.go:12:2:12:40 | ... := ...[0] | StringBreakMismatched.go:17:26:17:32 | escaped | If this $@ contains a single quote, it could break out of the enclosing quotes. | StringBreakMismatched.go:12:2:12:40 | ... := ...[0] | JSON value | -| StringBreakMismatched.go:29:27:29:33 | escaped | StringBreakMismatched.go:24:2:24:40 | ... := ...[0] | StringBreakMismatched.go:29:27:29:33 | escaped | If this $@ contains a double quote, it could break out of the enclosing quotes. | StringBreakMismatched.go:24:2:24:40 | ... := ...[0] | JSON value | +| StringBreak.go:15:47:15:57 | versionJSON | StringBreak.go:11:2:11:40 | ... := ...[0] | StringBreak.go:15:47:15:57 | versionJSON | If this $@ contains a single quote, it could break out of the enclosing quotes. | StringBreak.go:11:2:11:40 | ... := ...[0] | JSON value | +| StringBreakMismatched.go:18:26:18:32 | escaped | StringBreakMismatched.go:13:2:13:40 | ... := ...[0] | StringBreakMismatched.go:18:26:18:32 | escaped | If this $@ contains a single quote, it could break out of the enclosing quotes. | StringBreakMismatched.go:13:2:13:40 | ... := ...[0] | JSON value | +| StringBreakMismatched.go:30:27:30:33 | escaped | StringBreakMismatched.go:25:2:25:40 | ... := ...[0] | StringBreakMismatched.go:30:27:30:33 | escaped | If this $@ contains a double quote, it could break out of the enclosing quotes. | StringBreakMismatched.go:25:2:25:40 | ... := ...[0] | JSON value | edges -| StringBreak.go:10:2:10:40 | ... := ...[0] | StringBreak.go:14:47:14:57 | versionJSON | provenance | | -| StringBreakMismatched.go:12:2:12:40 | ... 
:= ...[0] | StringBreakMismatched.go:13:29:13:47 | type conversion | provenance | | -| StringBreakMismatched.go:13:13:13:62 | call to Replace | StringBreakMismatched.go:17:26:17:32 | escaped | provenance | | -| StringBreakMismatched.go:13:29:13:47 | type conversion | StringBreakMismatched.go:13:13:13:62 | call to Replace | provenance | MaD:1 | -| StringBreakMismatched.go:24:2:24:40 | ... := ...[0] | StringBreakMismatched.go:25:29:25:47 | type conversion | provenance | | -| StringBreakMismatched.go:25:13:25:61 | call to Replace | StringBreakMismatched.go:29:27:29:33 | escaped | provenance | | -| StringBreakMismatched.go:25:29:25:47 | type conversion | StringBreakMismatched.go:25:13:25:61 | call to Replace | provenance | MaD:1 | +| StringBreak.go:11:2:11:40 | ... := ...[0] | StringBreak.go:15:47:15:57 | versionJSON | provenance | | +| StringBreakMismatched.go:13:2:13:40 | ... := ...[0] | StringBreakMismatched.go:14:29:14:47 | type conversion | provenance | | +| StringBreakMismatched.go:14:13:14:62 | call to Replace | StringBreakMismatched.go:18:26:18:32 | escaped | provenance | | +| StringBreakMismatched.go:14:29:14:47 | type conversion | StringBreakMismatched.go:14:13:14:62 | call to Replace | provenance | MaD:1 | +| StringBreakMismatched.go:25:2:25:40 | ... := ...[0] | StringBreakMismatched.go:26:29:26:47 | type conversion | provenance | | +| StringBreakMismatched.go:26:13:26:61 | call to Replace | StringBreakMismatched.go:30:27:30:33 | escaped | provenance | | +| StringBreakMismatched.go:26:29:26:47 | type conversion | StringBreakMismatched.go:26:13:26:61 | call to Replace | provenance | MaD:1 | models | 1 | Summary: strings; ; false; Replace; ; ; Argument[0]; ReturnValue; taint; manual | nodes -| StringBreak.go:10:2:10:40 | ... := ...[0] | semmle.label | ... := ...[0] | -| StringBreak.go:14:47:14:57 | versionJSON | semmle.label | versionJSON | -| StringBreakMismatched.go:12:2:12:40 | ... := ...[0] | semmle.label | ... 
:= ...[0] | -| StringBreakMismatched.go:13:13:13:62 | call to Replace | semmle.label | call to Replace | -| StringBreakMismatched.go:13:29:13:47 | type conversion | semmle.label | type conversion | -| StringBreakMismatched.go:17:26:17:32 | escaped | semmle.label | escaped | -| StringBreakMismatched.go:24:2:24:40 | ... := ...[0] | semmle.label | ... := ...[0] | -| StringBreakMismatched.go:25:13:25:61 | call to Replace | semmle.label | call to Replace | -| StringBreakMismatched.go:25:29:25:47 | type conversion | semmle.label | type conversion | -| StringBreakMismatched.go:29:27:29:33 | escaped | semmle.label | escaped | +| StringBreak.go:11:2:11:40 | ... := ...[0] | semmle.label | ... := ...[0] | +| StringBreak.go:15:47:15:57 | versionJSON | semmle.label | versionJSON | +| StringBreakMismatched.go:13:2:13:40 | ... := ...[0] | semmle.label | ... := ...[0] | +| StringBreakMismatched.go:14:13:14:62 | call to Replace | semmle.label | call to Replace | +| StringBreakMismatched.go:14:29:14:47 | type conversion | semmle.label | type conversion | +| StringBreakMismatched.go:18:26:18:32 | escaped | semmle.label | escaped | +| StringBreakMismatched.go:25:2:25:40 | ... := ...[0] | semmle.label | ... := ...[0] | +| StringBreakMismatched.go:26:13:26:61 | call to Replace | semmle.label | call to Replace | +| StringBreakMismatched.go:26:29:26:47 | type conversion | semmle.label | type conversion | +| StringBreakMismatched.go:30:27:30:33 | escaped | semmle.label | escaped | subpaths diff --git a/go/ql/test/query-tests/Security/CWE-089/StringBreak.go b/go/ql/test/query-tests/Security/CWE-089/StringBreak.go index e9c46d564ed3..26cb9986c91d 100644 --- a/go/ql/test/query-tests/Security/CWE-089/StringBreak.go +++ b/go/ql/test/query-tests/Security/CWE-089/StringBreak.go @@ -3,6 +3,7 @@ package main import ( "encoding/json" "fmt" + sq "github.com/Masterminds/squirrel" ) 
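Review bot: The `StringBreak.go` hunk adds `sq "github.com/Masterminds/squirrel"` directly under the stdlib `"fmt"` line with no separating blank line, while the `StringBreakMismatched.go` hunk in the same commit moves the identical import into its own group below the stdlib block; `goimports` keeps third-party imports in a separate group, so this hunk should match with a blank line before the `sq` line. That would shift the file by one more line, so the `StringBreak.expected` rows rewritten in this commit would move again. If `sq` was not previously referenced in `StringBreak.go`, the added import is also unused and the Go compiler will reject the file; the commit message describes only whitespace fixes, so it is worth confirming which of the two this is.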
diff --git a/go/ql/test/query-tests/Security/CWE-089/StringBreakMismatched.go b/go/ql/test/query-tests/Security/CWE-089/StringBreakMismatched.go index 5d0b98a04b04..70f3af40d6f5 100644 --- a/go/ql/test/query-tests/Security/CWE-089/StringBreakMismatched.go +++ b/go/ql/test/query-tests/Security/CWE-089/StringBreakMismatched.go @@ -2,8 +2,9 @@ package main import ( "encoding/json" - sq "github.com/Masterminds/squirrel" "strings" + + sq "github.com/Masterminds/squirrel" ) // Bad because quote characters are removed before concatenation, From 56ec153d4d5ff00dea59e1d1438da55a0a22b7e3 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Wed, 10 Jun 2026 07:16:03 +0200 Subject: [PATCH 4/5] Make .qlref files with one `postprocess` entry more concise --- go/ql/test/experimental/CWE-285/PamAuthBypass.qlref | 3 +-- go/ql/test/experimental/CWE-321-V2/HardCodedKeys.qlref | 3 +-- go/ql/test/experimental/CWE-400/DatabaseCallInLoop.qlref | 3 +-- go/ql/test/experimental/CWE-525/WebCacheDeception.qlref | 3 +-- go/ql/test/experimental/CWE-807/SensitiveConditionBypass.qlref | 3 +-- go/ql/test/experimental/CWE-840/ConditionalBypass.qlref | 3 +-- go/ql/test/experimental/InconsistentCode/DeferInLoop.qlref | 3 +-- .../experimental/InconsistentCode/GORMErrorNotChecked.qlref | 3 +-- go/ql/test/experimental/Unsafe/WrongUsageOfUnsafe.qlref | 3 +-- .../semmle/go/frameworks/GoMicro/LogInjection.qlref | 3 +-- .../InconsistentCode/MissingErrorCheck/MissingErrorCheck.qlref | 3 +-- .../RedundantCode/DeadStoreOfLocal/DeadStoreOfLocal.qlref | 3 +-- .../DuplicateSwitchCase/DuplicateSwitchCase.qlref | 3 +-- .../RedundantCode/RedundantExpr/RedundantExpr.qlref | 3 +-- .../RedundantCode/RedundantRecover/RedundantRecover.qlref | 3 +-- .../SuspiciousCharacterInRegexp.qlref | 3 +-- .../query-tests/Security/CWE-322/InsecureHostKeyCallback.qlref | 3 +-- 17 files changed, 17 insertions(+), 34 deletions(-) 
diff --git a/go/ql/test/experimental/CWE-285/PamAuthBypass.qlref b/go/ql/test/experimental/CWE-285/PamAuthBypass.qlref
index 2e1f249dba39..85ba5b1005d3 100644
--- a/go/ql/test/experimental/CWE-285/PamAuthBypass.qlref
+++ b/go/ql/test/experimental/CWE-285/PamAuthBypass.qlref
@@ -1,3 +1,2 @@
 query: experimental/CWE-285/PamAuthBypass.ql
-postprocess:
- - utils/test/InlineExpectationsTestQuery.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/go/ql/test/experimental/CWE-321-V2/HardCodedKeys.qlref b/go/ql/test/experimental/CWE-321-V2/HardCodedKeys.qlref
index 36dd0fb80ed9..63827b14d7aa 100644
--- a/go/ql/test/experimental/CWE-321-V2/HardCodedKeys.qlref
+++ b/go/ql/test/experimental/CWE-321-V2/HardCodedKeys.qlref
@@ -1,3 +1,2 @@
 query: experimental/CWE-321-V2/HardCodedKeys.ql
-postprocess:
- - utils/test/InlineExpectationsTestQuery.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/go/ql/test/experimental/CWE-400/DatabaseCallInLoop.qlref b/go/ql/test/experimental/CWE-400/DatabaseCallInLoop.qlref
index fdbdf98fd1de..945fbc88364e 100644
--- a/go/ql/test/experimental/CWE-400/DatabaseCallInLoop.qlref
+++ b/go/ql/test/experimental/CWE-400/DatabaseCallInLoop.qlref
@@ -1,3 +1,2 @@
 query: experimental/CWE-400/DatabaseCallInLoop.ql
-postprocess:
- - utils/test/InlineExpectationsTestQuery.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/go/ql/test/experimental/CWE-525/WebCacheDeception.qlref b/go/ql/test/experimental/CWE-525/WebCacheDeception.qlref
index 60704b312777..9e5d5cc3033d 100644
--- a/go/ql/test/experimental/CWE-525/WebCacheDeception.qlref
+++ b/go/ql/test/experimental/CWE-525/WebCacheDeception.qlref
@@ -1,3 +1,2 @@
 query: experimental/CWE-525/WebCacheDeception.ql
-postprocess:
- - utils/test/InlineExpectationsTestQuery.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/go/ql/test/experimental/CWE-807/SensitiveConditionBypass.qlref b/go/ql/test/experimental/CWE-807/SensitiveConditionBypass.qlref
index 8351e509a370..b31f535387ef 100644
--- a/go/ql/test/experimental/CWE-807/SensitiveConditionBypass.qlref
+++ b/go/ql/test/experimental/CWE-807/SensitiveConditionBypass.qlref
@@ -1,3 +1,2 @@
 query: experimental/CWE-807/SensitiveConditionBypass.ql
-postprocess:
- - utils/test/InlineExpectationsTestQuery.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/go/ql/test/experimental/CWE-840/ConditionalBypass.qlref b/go/ql/test/experimental/CWE-840/ConditionalBypass.qlref
index 8a212cdf8c96..8c99cf7c2856 100644
--- a/go/ql/test/experimental/CWE-840/ConditionalBypass.qlref
+++ b/go/ql/test/experimental/CWE-840/ConditionalBypass.qlref
@@ -1,3 +1,2 @@
 query: experimental/CWE-840/ConditionalBypass.ql
-postprocess:
- - utils/test/InlineExpectationsTestQuery.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/go/ql/test/experimental/InconsistentCode/DeferInLoop.qlref b/go/ql/test/experimental/InconsistentCode/DeferInLoop.qlref
index ae9bde0a908f..f291f77e09ec 100644
--- a/go/ql/test/experimental/InconsistentCode/DeferInLoop.qlref
+++ b/go/ql/test/experimental/InconsistentCode/DeferInLoop.qlref
@@ -1,3 +1,2 @@
 query: experimental/InconsistentCode/DeferInLoop.ql
-postprocess:
- - utils/test/InlineExpectationsTestQuery.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/go/ql/test/experimental/InconsistentCode/GORMErrorNotChecked.qlref b/go/ql/test/experimental/InconsistentCode/GORMErrorNotChecked.qlref
index b994ca2153d7..20b8106442bf 100644
--- a/go/ql/test/experimental/InconsistentCode/GORMErrorNotChecked.qlref
+++ b/go/ql/test/experimental/InconsistentCode/GORMErrorNotChecked.qlref
@@ -1,3 +1,2 @@
 query: experimental/InconsistentCode/GORMErrorNotChecked.ql
-postprocess:
- - utils/test/InlineExpectationsTestQuery.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/go/ql/test/experimental/Unsafe/WrongUsageOfUnsafe.qlref b/go/ql/test/experimental/Unsafe/WrongUsageOfUnsafe.qlref
index 9ab864ea659f..5496859ca2e8 100644
--- a/go/ql/test/experimental/Unsafe/WrongUsageOfUnsafe.qlref
+++ b/go/ql/test/experimental/Unsafe/WrongUsageOfUnsafe.qlref
@@ -1,3 +1,2 @@
 query: experimental/Unsafe/WrongUsageOfUnsafe.ql
-postprocess:
- - utils/test/InlineExpectationsTestQuery.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/GoMicro/LogInjection.qlref b/go/ql/test/library-tests/semmle/go/frameworks/GoMicro/LogInjection.qlref
index 7f3ff6322b71..fc8a61c453d2 100644
--- a/go/ql/test/library-tests/semmle/go/frameworks/GoMicro/LogInjection.qlref
+++ b/go/ql/test/library-tests/semmle/go/frameworks/GoMicro/LogInjection.qlref
@@ -1,3 +1,2 @@
 query: Security/CWE-117/LogInjection.ql
-postprocess:
- - utils/test/InlineExpectationsTestQuery.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/go/ql/test/query-tests/InconsistentCode/MissingErrorCheck/MissingErrorCheck.qlref b/go/ql/test/query-tests/InconsistentCode/MissingErrorCheck/MissingErrorCheck.qlref
index 3895adea4d02..c70c6a57526a 100644
--- a/go/ql/test/query-tests/InconsistentCode/MissingErrorCheck/MissingErrorCheck.qlref
+++ b/go/ql/test/query-tests/InconsistentCode/MissingErrorCheck/MissingErrorCheck.qlref
@@ -1,3 +1,2 @@
 query: InconsistentCode/MissingErrorCheck.ql
-postprocess:
- - utils/test/InlineExpectationsTestQuery.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/go/ql/test/query-tests/RedundantCode/DeadStoreOfLocal/DeadStoreOfLocal.qlref b/go/ql/test/query-tests/RedundantCode/DeadStoreOfLocal/DeadStoreOfLocal.qlref
index 8c5bd9a74820..5e4405270c01 100644
--- a/go/ql/test/query-tests/RedundantCode/DeadStoreOfLocal/DeadStoreOfLocal.qlref
+++ b/go/ql/test/query-tests/RedundantCode/DeadStoreOfLocal/DeadStoreOfLocal.qlref
@@ -1,3 +1,2 @@
 query: RedundantCode/DeadStoreOfLocal.ql
-postprocess:
- - utils/test/InlineExpectationsTestQuery.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/go/ql/test/query-tests/RedundantCode/DuplicateSwitchCase/DuplicateSwitchCase.qlref b/go/ql/test/query-tests/RedundantCode/DuplicateSwitchCase/DuplicateSwitchCase.qlref
index aee21264046e..005bb508043a 100644
--- a/go/ql/test/query-tests/RedundantCode/DuplicateSwitchCase/DuplicateSwitchCase.qlref
+++ b/go/ql/test/query-tests/RedundantCode/DuplicateSwitchCase/DuplicateSwitchCase.qlref
@@ -1,3 +1,2 @@
 query: RedundantCode/DuplicateSwitchCase.ql
-postprocess:
- - utils/test/InlineExpectationsTestQuery.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/go/ql/test/query-tests/RedundantCode/RedundantExpr/RedundantExpr.qlref b/go/ql/test/query-tests/RedundantCode/RedundantExpr/RedundantExpr.qlref
index 12b5700023b4..f9c95d27835a 100644
--- a/go/ql/test/query-tests/RedundantCode/RedundantExpr/RedundantExpr.qlref
+++ b/go/ql/test/query-tests/RedundantCode/RedundantExpr/RedundantExpr.qlref
@@ -1,3 +1,2 @@
 query: RedundantCode/RedundantExpr.ql
-postprocess:
- - utils/test/InlineExpectationsTestQuery.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/go/ql/test/query-tests/RedundantCode/RedundantRecover/RedundantRecover.qlref b/go/ql/test/query-tests/RedundantCode/RedundantRecover/RedundantRecover.qlref
index bd17a344b030..3f91b000a4cb 100644
--- a/go/ql/test/query-tests/RedundantCode/RedundantRecover/RedundantRecover.qlref
+++ b/go/ql/test/query-tests/RedundantCode/RedundantRecover/RedundantRecover.qlref
@@ -1,3 +1,2 @@
 query: RedundantCode/RedundantRecover.ql
-postprocess:
- - utils/test/InlineExpectationsTestQuery.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/go/ql/test/query-tests/Security/CWE-020/SuspiciousCharacterInRegexp/SuspiciousCharacterInRegexp.qlref b/go/ql/test/query-tests/Security/CWE-020/SuspiciousCharacterInRegexp/SuspiciousCharacterInRegexp.qlref
index 1b91d9d0fcf8..17c2ba019cb2 100644
--- a/go/ql/test/query-tests/Security/CWE-020/SuspiciousCharacterInRegexp/SuspiciousCharacterInRegexp.qlref
+++ b/go/ql/test/query-tests/Security/CWE-020/SuspiciousCharacterInRegexp/SuspiciousCharacterInRegexp.qlref
@@ -1,3 +1,2 @@
 query: Security/CWE-020/SuspiciousCharacterInRegexp.ql
-postprocess:
- - utils/test/InlineExpectationsTestQuery.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/go/ql/test/query-tests/Security/CWE-322/InsecureHostKeyCallback.qlref b/go/ql/test/query-tests/Security/CWE-322/InsecureHostKeyCallback.qlref
index ed6809d04f3c..2c5cecd3a294 100644
--- a/go/ql/test/query-tests/Security/CWE-322/InsecureHostKeyCallback.qlref
+++ b/go/ql/test/query-tests/Security/CWE-322/InsecureHostKeyCallback.qlref
@@ -1,3 +1,2 @@
 query: Security/CWE-322/InsecureHostKeyCallback.ql
-postprocess:
- - utils/test/InlineExpectationsTestQuery.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
From 3dfc9f6fc5596b21ba2d5f9e2ad2e94999ccfd97 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Wed, 10 Jun 2026 13:27:31 +0200
Subject: [PATCH 5/5] Manual fixes
---
 .../experimental/CWE-525/WebCacheDeception.ql | 2 +-
 go/ql/test/experimental/CWE-285/main.go | 2 +-
 .../CWE-321-V2/HardCodedKeys.expected | 6 ++--
 .../experimental/CWE-321-V2/go-jose.v3.go | 4 +--
 .../experimental/CWE-321-V2/golang-jwt-v5.go | 4 +--
 .../CWE-400/DatabaseCallInLoop.expected | 8 ++---
 .../CWE-400/DatabaseCallInLoop.go | 4 +--
 go/ql/test/experimental/CWE-400/test.go | 16 ++++-----
 .../CWE-525/WebCacheDeceptionBad.go | 2 +-
 .../CWE-525/WebCacheDeceptionFiber.go | 4 +--
 .../CWE-525/WebCacheDeceptionGoChi.go | 2 +-
 .../CWE-525/WebCacheDeceptionHTTPRouter.go | 2 +-
 .../Unsafe/WrongUsageOfUnsafe.expected | 24 ++++++-------
 .../experimental/Unsafe/WrongUsageOfUnsafe.go | 14 ++++----
 .../frameworks/GoMicro/LogInjection.expected | 4 +--
 .../semmle/go/frameworks/GoMicro/main.go | 4 +--
 .../CWE-322/InsecureHostKeyCallback.expected | 10 +++---
 .../CWE-322/InsecureHostKeyCallbackExample.go | 36 +++++++++----------
 18 files changed, 74 insertions(+), 74 deletions(-)
diff --git a/go/ql/src/experimental/CWE-525/WebCacheDeception.ql b/go/ql/src/experimental/CWE-525/WebCacheDeception.ql
index eb488b0b0d1a..04faa7c29e11 100644
--- a/go/ql/src/experimental/CWE-525/WebCacheDeception.ql
+++ b/go/ql/src/experimental/CWE-525/WebCacheDeception.ql
@@ -1,4 +1,4 @@
-/*
+/**
 * @name Web Cache Deception
 * @description A caching system has been detected on the application and is vulnerable to web cache deception. By manipulating the URL it is possible to force the application to cache pages that are only accessible by an authenticated user. Once cached, these pages can be accessed by an unauthenticated user.
 * @kind problem
diff --git a/go/ql/test/experimental/CWE-285/main.go b/go/ql/test/experimental/CWE-285/main.go
index ff66bada592a..352a57bb6990 100644
--- a/go/ql/test/experimental/CWE-285/main.go
+++ b/go/ql/test/experimental/CWE-285/main.go
@@ -9,7 +9,7 @@ import (
 func bad() error {
 t, _ := pam.StartFunc("", "", func(s pam.Style, msg string) (string, error) {
 return "", nil
- }) // $ Alert[go/pam-auth-bypass]
+ }) // $ Alert
 return t.Authenticate(0)
 }
diff --git a/go/ql/test/experimental/CWE-321-V2/HardCodedKeys.expected b/go/ql/test/experimental/CWE-321-V2/HardCodedKeys.expected
index 5b26a2a9b369..0cad327e6415 100644
--- a/go/ql/test/experimental/CWE-321-V2/HardCodedKeys.expected
+++ b/go/ql/test/experimental/CWE-321-V2/HardCodedKeys.expected
@@ -1,3 +1,6 @@
+#select
+| go-jose.v3.go:24:32:24:37 | JwtKey | go-jose.v3.go:13:21:13:33 | "AllYourBase" | go-jose.v3.go:24:32:24:37 | JwtKey | This $@. | go-jose.v3.go:13:21:13:33 | "AllYourBase" | Constant Key is used as JWT Secret key |
+| golang-jwt-v5.go:27:9:27:15 | JwtKey1 | golang-jwt-v5.go:19:22:19:34 | "AllYourBase" | golang-jwt-v5.go:27:9:27:15 | JwtKey1 | This $@. | golang-jwt-v5.go:19:22:19:34 | "AllYourBase" | Constant Key is used as JWT Secret key |
 edges
 | go-jose.v3.go:13:14:13:34 | type conversion | go-jose.v3.go:24:32:24:37 | JwtKey | provenance | |
 | go-jose.v3.go:13:21:13:33 | "AllYourBase" | go-jose.v3.go:13:14:13:34 | type conversion | provenance | |
@@ -11,6 +14,3 @@ nodes
 | golang-jwt-v5.go:19:22:19:34 | "AllYourBase" | semmle.label | "AllYourBase" |
 | golang-jwt-v5.go:27:9:27:15 | JwtKey1 | semmle.label | JwtKey1 |
 subpaths
-#select
-| go-jose.v3.go:24:32:24:37 | JwtKey | go-jose.v3.go:13:21:13:33 | "AllYourBase" | go-jose.v3.go:24:32:24:37 | JwtKey | This $@. | go-jose.v3.go:13:21:13:33 | "AllYourBase" | Constant Key is used as JWT Secret key |
-| golang-jwt-v5.go:27:9:27:15 | JwtKey1 | golang-jwt-v5.go:19:22:19:34 | "AllYourBase" | golang-jwt-v5.go:27:9:27:15 | JwtKey1 | This $@. | golang-jwt-v5.go:19:22:19:34 | "AllYourBase" | Constant Key is used as JWT Secret key |
diff --git a/go/ql/test/experimental/CWE-321-V2/go-jose.v3.go b/go/ql/test/experimental/CWE-321-V2/go-jose.v3.go
index 7091c6d44bba..c9d103710bad 100644
--- a/go/ql/test/experimental/CWE-321-V2/go-jose.v3.go
+++ b/go/ql/test/experimental/CWE-321-V2/go-jose.v3.go
@@ -10,7 +10,7 @@ import (
 )
 // NOT OK
-var JwtKey = []byte("AllYourBase") // $ Source[go/parse-jwt-with-hardcoded-key] Alert[go/parse-jwt-with-hardcoded-key]
+var JwtKey = []byte("AllYourBase") // $ Source
 func main2(r *http.Request) {
 signedToken := r.URL.Query().Get("signedToken")
@@ -21,7 +21,7 @@ func verifyJWT(signedToken string) {
 fmt.Println("verifying JWT")
 DecodedToken, _ := jwt.ParseSigned(signedToken)
 out := CustomerInfo{}
- if err := DecodedToken.Claims(JwtKey, &out); err != nil { // $ Alert[go/parse-jwt-with-hardcoded-key] Source[go/parse-jwt-with-hardcoded-key]
+ if err := DecodedToken.Claims(JwtKey, &out); err != nil { // $ Alert
 panic(err)
 }
 fmt.Printf("%v\n", out)
diff --git a/go/ql/test/experimental/CWE-321-V2/golang-jwt-v5.go b/go/ql/test/experimental/CWE-321-V2/golang-jwt-v5.go
index eade8ec9bbcc..166c8e6454e9 100644
--- a/go/ql/test/experimental/CWE-321-V2/golang-jwt-v5.go
+++ b/go/ql/test/experimental/CWE-321-V2/golang-jwt-v5.go
@@ -16,7 +16,7 @@ type CustomerInfo struct {
 }
 // BAD constant key
-var JwtKey1 = []byte("AllYourBase") // $ Source[go/parse-jwt-with-hardcoded-key] Alert[go/parse-jwt-with-hardcoded-key]
+var JwtKey1 = []byte("AllYourBase") // $ Source
 func main1(r *http.Request) {
 signedToken := r.URL.Query().Get("signedToken")
@@ -24,7 +24,7 @@ func main1(r *http.Request) {
 }
 func LoadJwtKey(token *jwt.Token) (interface{}, error) {
- return JwtKey1, nil // $ Alert[go/parse-jwt-with-hardcoded-key] Source[go/parse-jwt-with-hardcoded-key]
+ return JwtKey1, nil // $ Alert
 }
 func verifyJWT_golangjwt(signedToken string) {
diff --git a/go/ql/test/experimental/CWE-400/DatabaseCallInLoop.expected b/go/ql/test/experimental/CWE-400/DatabaseCallInLoop.expected
index 074dfaa134f6..e95505223cd7 100644
--- a/go/ql/test/experimental/CWE-400/DatabaseCallInLoop.expected
+++ b/go/ql/test/experimental/CWE-400/DatabaseCallInLoop.expected
@@ -1,3 +1,7 @@
+#select
+| DatabaseCallInLoop.go:9:3:9:41 | call to First | DatabaseCallInLoop.go:7:2:11:2 | range statement | DatabaseCallInLoop.go:9:3:9:41 | call to First | This calls call to First in a $@. | DatabaseCallInLoop.go:7:2:11:2 | range statement | loop |
+| test.go:11:2:11:13 | call to Take | test.go:20:2:22:2 | for statement | test.go:11:2:11:13 | call to Take | This calls call to Take in a $@. | test.go:20:2:22:2 | for statement | loop |
+| test.go:11:2:11:13 | call to Take | test.go:24:2:26:2 | for statement | test.go:11:2:11:13 | call to Take | This calls call to Take in a $@. | test.go:24:2:26:2 | for statement | loop |
 edges
 | DatabaseCallInLoop.go:7:2:11:2 | range statement | DatabaseCallInLoop.go:9:3:9:41 | call to First |
 | test.go:10:1:12:1 | function declaration | test.go:11:2:11:13 | call to Take |
@@ -7,7 +11,3 @@ edges
 | test.go:21:3:21:14 | call to runQuery | test.go:10:1:12:1 | function declaration |
 | test.go:24:2:26:2 | for statement | test.go:25:3:25:17 | call to runRunQuery |
 | test.go:25:3:25:17 | call to runRunQuery | test.go:14:1:16:1 | function declaration |
-#select
-| DatabaseCallInLoop.go:9:3:9:41 | call to First | DatabaseCallInLoop.go:7:2:11:2 | range statement | DatabaseCallInLoop.go:9:3:9:41 | call to First | This calls call to First in a $@. | DatabaseCallInLoop.go:7:2:11:2 | range statement | loop |
-| test.go:11:2:11:13 | call to Take | test.go:20:2:22:2 | for statement | test.go:11:2:11:13 | call to Take | This calls call to Take in a $@. | test.go:20:2:22:2 | for statement | loop |
-| test.go:11:2:11:13 | call to Take | test.go:24:2:26:2 | for statement | test.go:11:2:11:13 | call to Take | This calls call to Take in a $@. | test.go:24:2:26:2 | for statement | loop |
diff --git a/go/ql/test/experimental/CWE-400/DatabaseCallInLoop.go b/go/ql/test/experimental/CWE-400/DatabaseCallInLoop.go
index d29b9d305c93..eff08179ee5a 100644
--- a/go/ql/test/experimental/CWE-400/DatabaseCallInLoop.go
+++ b/go/ql/test/experimental/CWE-400/DatabaseCallInLoop.go
@@ -6,8 +6,8 @@ func getUsers(db *gorm.DB, names []string) []User {
 res := make([]User, 0, len(names))
 for _, name := range names {
 var user User
- db.Where("name = ?", name).First(&user) // $ Alert[go/examples/database-call-in-loop] Source[go/examples/database-call-in-loop]
+ db.Where("name = ?", name).First(&user) // $ Alert
 res = append(res, user)
- } // $ Source[go/examples/database-call-in-loop] Alert[go/examples/database-call-in-loop]
+ } // $ Source
 return res
 }
diff --git a/go/ql/test/experimental/CWE-400/test.go b/go/ql/test/experimental/CWE-400/test.go
index 02360fa8cd91..4c0a7f01d2eb 100644
--- a/go/ql/test/experimental/CWE-400/test.go
+++ b/go/ql/test/experimental/CWE-400/test.go
@@ -8,20 +8,20 @@ type User struct {
 }
 func runQuery(db *gorm.DB) {
- db.Take(nil) // $ Alert[go/examples/database-call-in-loop] Source[go/examples/database-call-in-loop]
-} // $ Alert[go/examples/database-call-in-loop] Source[go/examples/database-call-in-loop]
+ db.Take(nil) // $ Alert
+}
 func runRunQuery(db *gorm.DB) {
- runQuery(db) // $ Source[go/examples/database-call-in-loop] Alert[go/examples/database-call-in-loop]
-} // $ Alert[go/examples/database-call-in-loop] Source[go/examples/database-call-in-loop]
+ runQuery(db)
+}
 func main() {
 var db *gorm.DB
 for i := 0; i < 10; i++ {
- runQuery(db) // $ Source[go/examples/database-call-in-loop] Alert[go/examples/database-call-in-loop]
- } // $ Source[go/examples/database-call-in-loop] Alert[go/examples/database-call-in-loop]
+ runQuery(db)
+ } // $ Source
 for i := 10; i > 0; i-- {
- runRunQuery(db) // $ Source[go/examples/database-call-in-loop] Alert[go/examples/database-call-in-loop]
- } // $ Source[go/examples/database-call-in-loop] Alert[go/examples/database-call-in-loop]
+ runRunQuery(db)
+ } // $ Source
 }
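Review bot: The `} // $ Source` tags left on the closing braces of both `for` loops in main, and on the `range` loop's brace in getUsers in the DatabaseCallInLoop.go hunk that shares this line, read as if the brace itself were the source; the `.expected` rows in this commit show the source is the whole loop statement (`test.go:20:2:22:2 | for statement`), whose location ends on that line. A one-line comment above the first loop, e.g. `// The Source tag goes on the closing brace because the loop statement's location ends there`, would make the placement self-explaining for the next person editing these fixtures. Dropping the tags from runQuery's and runRunQuery's closing braces is consistent with the #select rows, which list only loop statements as sources.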
diff --git a/go/ql/test/experimental/CWE-525/WebCacheDeceptionBad.go b/go/ql/test/experimental/CWE-525/WebCacheDeceptionBad.go
index 7f3fc670b7cc..978d05588bbf 100644
--- a/go/ql/test/experimental/CWE-525/WebCacheDeceptionBad.go
+++ b/go/ql/test/experimental/CWE-525/WebCacheDeceptionBad.go
@@ -79,7 +79,7 @@ func badRoutingNet() {
 http.Handle("/assets/", http.StripPrefix("/assets/", http.FileServer(http.Dir("assets/"))))
- http.HandleFunc("/adminusers/", ShowAdminPageCache) // $ Alert[go/web-cache-deception]
+ http.HandleFunc("/adminusers/", ShowAdminPageCache) // $ Alert
 err := http.ListenAndServe(":1337", nil)
 if err != nil {
 log.Fatal("ListenAndServe: ", err)
diff --git a/go/ql/test/experimental/CWE-525/WebCacheDeceptionFiber.go b/go/ql/test/experimental/CWE-525/WebCacheDeceptionFiber.go
index a76395217a9b..1126659d76e3 100644
--- a/go/ql/test/experimental/CWE-525/WebCacheDeceptionFiber.go
+++ b/go/ql/test/experimental/CWE-525/WebCacheDeceptionFiber.go
@@ -12,12 +12,12 @@ func badRouting() {
 log.Println("We are logging in Golang!")
 // GET /api/register
- app.Get("/api/*", func(c *fiber.Ctx) error { // $ Alert[go/web-cache-deception]
+ app.Get("/api/*", func(c *fiber.Ctx) error { // $ Alert
 msg := fmt.Sprintf("✋")
 return c.SendString(msg) // => ✋ register
 })
- app.Post("/api/*", func(c *fiber.Ctx) error { // $ Alert[go/web-cache-deception]
+ app.Post("/api/*", func(c *fiber.Ctx) error { // $ Alert
 msg := fmt.Sprintf("✋")
 return c.SendString(msg) // => ✋ register
 })
diff --git a/go/ql/test/experimental/CWE-525/WebCacheDeceptionGoChi.go b/go/ql/test/experimental/CWE-525/WebCacheDeceptionGoChi.go
index 87815459ec13..3de5e659138f 100644
--- a/go/ql/test/experimental/CWE-525/WebCacheDeceptionGoChi.go
+++ b/go/ql/test/experimental/CWE-525/WebCacheDeceptionGoChi.go
@@ -10,7 +10,7 @@ import ( func badRoutingChi() { r := chi.NewRouter() r.Use(middleware.Logger) - r.Get("/*", func(w http.ResponseWriter, r *http.Request) { // $ Alert[go/web-cache-deception] + r.Get("/*", func(w http.ResponseWriter, r *http.Request) { // $ Alert w.Write([]byte("welcome")) }) http.ListenAndServe(":3000", r) diff --git a/go/ql/test/experimental/CWE-525/WebCacheDeceptionHTTPRouter.go b/go/ql/test/experimental/CWE-525/WebCacheDeceptionHTTPRouter.go index 12d32e603a3f..7d1cd0b3d16e 100644 --- a/go/ql/test/experimental/CWE-525/WebCacheDeceptionHTTPRouter.go +++ b/go/ql/test/experimental/CWE-525/WebCacheDeceptionHTTPRouter.go @@ -18,7 +18,7 @@ func Hello(w http.ResponseWriter, r *http.Request, ps httprouter.Params) { func badHTTPRouter() { router := httprouter.New() - router.GET("/test/*test", Index) // $ Alert[go/web-cache-deception] + router.GET("/test/*test", Index) // $ Alert router.GET("/hello/:name", Hello) log.Fatal(http.ListenAndServe(":8082", router)) diff --git a/go/ql/test/experimental/Unsafe/WrongUsageOfUnsafe.expected b/go/ql/test/experimental/Unsafe/WrongUsageOfUnsafe.expected index 3c7e02eea265..0dfdf1d7c150 100644 --- a/go/ql/test/experimental/Unsafe/WrongUsageOfUnsafe.expected +++ b/go/ql/test/experimental/Unsafe/WrongUsageOfUnsafe.expected 
@@ -1,3 +1,15 @@
+#select
+| WrongUsageOfUnsafe.go:77:16:77:55 | type conversion | WrongUsageOfUnsafe.go:77:27:77:54 | type conversion | WrongUsageOfUnsafe.go:77:16:77:55 | type conversion | $@. | WrongUsageOfUnsafe.go:77:27:77:54 | type conversion | Dangerous array type casting to [8]uint8 from an index expression ([8]uint8)[2] (the destination type is 2 elements longer) |
+| WrongUsageOfUnsafe.go:111:16:111:59 | type conversion | WrongUsageOfUnsafe.go:111:31:111:58 | type conversion | WrongUsageOfUnsafe.go:111:16:111:59 | type conversion | $@. | WrongUsageOfUnsafe.go:111:31:111:58 | type conversion | Dangerous array type casting to [17]uint8 from an index expression ([8]uint8)[0] (the destination type is 9 elements longer) |
+| WrongUsageOfUnsafe.go:129:16:129:56 | type conversion | WrongUsageOfUnsafe.go:129:31:129:55 | type conversion | WrongUsageOfUnsafe.go:129:16:129:56 | type conversion | $@. | WrongUsageOfUnsafe.go:129:31:129:55 | type conversion | Dangerous array type casting to [17]uint8 from [8]uint8 |
+| WrongUsageOfUnsafe.go:149:16:149:56 | type conversion | WrongUsageOfUnsafe.go:149:31:149:55 | type conversion | WrongUsageOfUnsafe.go:149:16:149:56 | type conversion | $@. | WrongUsageOfUnsafe.go:149:31:149:55 | type conversion | Dangerous array type casting to [17]uint8 from [8]uint8 |
+| WrongUsageOfUnsafe.go:166:16:166:58 | type conversion | WrongUsageOfUnsafe.go:166:33:166:57 | type conversion | WrongUsageOfUnsafe.go:166:16:166:58 | type conversion | $@. | WrongUsageOfUnsafe.go:166:33:166:57 | type conversion | Dangerous array type casting to [17]string from [8]string |
+| WrongUsageOfUnsafe.go:189:16:189:56 | type conversion | WrongUsageOfUnsafe.go:189:31:189:55 | type conversion | WrongUsageOfUnsafe.go:189:16:189:56 | type conversion | $@. | WrongUsageOfUnsafe.go:189:31:189:55 | type conversion | Dangerous type up-casting to [17]uint8 from struct type |
+| WrongUsageOfUnsafe.go:211:16:211:61 | type conversion | WrongUsageOfUnsafe.go:211:31:211:60 | type conversion | WrongUsageOfUnsafe.go:211:16:211:61 | type conversion | $@. | WrongUsageOfUnsafe.go:211:31:211:60 | type conversion | Dangerous array type casting to [17]uint8 from [8]uint8 |
+| WrongUsageOfUnsafe.go:243:9:243:27 | type conversion | WrongUsageOfUnsafe.go:227:31:227:55 | type conversion | WrongUsageOfUnsafe.go:243:9:243:27 | type conversion | $@. | WrongUsageOfUnsafe.go:227:31:227:55 | type conversion | Dangerous array type casting to [17]uint8 from [8]uint8 |
+| WrongUsageOfUnsafe.go:256:16:256:53 | type conversion | WrongUsageOfUnsafe.go:256:28:256:52 | type conversion | WrongUsageOfUnsafe.go:256:16:256:53 | type conversion | $@. | WrongUsageOfUnsafe.go:256:28:256:52 | type conversion | Dangerous array type casting to [4]int64 from [1]int64 |
+| WrongUsageOfUnsafe.go:274:16:274:50 | type conversion | WrongUsageOfUnsafe.go:274:25:274:49 | type conversion | WrongUsageOfUnsafe.go:274:16:274:50 | type conversion | $@. | WrongUsageOfUnsafe.go:274:25:274:49 | type conversion | Dangerous numeric type casting to int64 from int8 |
+| WrongUsageOfUnsafe.go:292:16:292:48 | type conversion | WrongUsageOfUnsafe.go:292:23:292:47 | type conversion | WrongUsageOfUnsafe.go:292:16:292:48 | type conversion | $@. | WrongUsageOfUnsafe.go:292:23:292:47 | type conversion | Dangerous numeric type casting to int from int8 |
 edges
 | WrongUsageOfUnsafe.go:17:24:17:48 | type conversion | WrongUsageOfUnsafe.go:17:13:17:49 | type conversion | provenance | |
 | WrongUsageOfUnsafe.go:34:24:34:51 | type conversion | WrongUsageOfUnsafe.go:34:13:34:52 | type conversion | provenance | |
@@ -48,15 +60,3 @@ nodes
 | WrongUsageOfUnsafe.go:292:16:292:48 | type conversion | semmle.label | type conversion |
 | WrongUsageOfUnsafe.go:292:23:292:47 | type conversion | semmle.label | type conversion |
 subpaths
-#select
-| WrongUsageOfUnsafe.go:77:16:77:55 | type conversion | WrongUsageOfUnsafe.go:77:27:77:54 | type conversion | WrongUsageOfUnsafe.go:77:16:77:55 | type conversion | $@. | WrongUsageOfUnsafe.go:77:27:77:54 | type conversion | Dangerous array type casting to [8]uint8 from an index expression ([8]uint8)[2] (the destination type is 2 elements longer) |
-| WrongUsageOfUnsafe.go:111:16:111:59 | type conversion | WrongUsageOfUnsafe.go:111:31:111:58 | type conversion | WrongUsageOfUnsafe.go:111:16:111:59 | type conversion | $@. | WrongUsageOfUnsafe.go:111:31:111:58 | type conversion | Dangerous array type casting to [17]uint8 from an index expression ([8]uint8)[0] (the destination type is 9 elements longer) |
-| WrongUsageOfUnsafe.go:129:16:129:56 | type conversion | WrongUsageOfUnsafe.go:129:31:129:55 | type conversion | WrongUsageOfUnsafe.go:129:16:129:56 | type conversion | $@. | WrongUsageOfUnsafe.go:129:31:129:55 | type conversion | Dangerous array type casting to [17]uint8 from [8]uint8 |
-| WrongUsageOfUnsafe.go:149:16:149:56 | type conversion | WrongUsageOfUnsafe.go:149:31:149:55 | type conversion | WrongUsageOfUnsafe.go:149:16:149:56 | type conversion | $@. | WrongUsageOfUnsafe.go:149:31:149:55 | type conversion | Dangerous array type casting to [17]uint8 from [8]uint8 |
-| WrongUsageOfUnsafe.go:166:16:166:58 | type conversion | WrongUsageOfUnsafe.go:166:33:166:57 | type conversion | WrongUsageOfUnsafe.go:166:16:166:58 | type conversion | $@. | WrongUsageOfUnsafe.go:166:33:166:57 | type conversion | Dangerous array type casting to [17]string from [8]string |
-| WrongUsageOfUnsafe.go:189:16:189:56 | type conversion | WrongUsageOfUnsafe.go:189:31:189:55 | type conversion | WrongUsageOfUnsafe.go:189:16:189:56 | type conversion | $@. | WrongUsageOfUnsafe.go:189:31:189:55 | type conversion | Dangerous type up-casting to [17]uint8 from struct type |
-| WrongUsageOfUnsafe.go:211:16:211:61 | type conversion | WrongUsageOfUnsafe.go:211:31:211:60 | type conversion | WrongUsageOfUnsafe.go:211:16:211:61 | type conversion | $@. | WrongUsageOfUnsafe.go:211:31:211:60 | type conversion | Dangerous array type casting to [17]uint8 from [8]uint8 |
-| WrongUsageOfUnsafe.go:243:9:243:27 | type conversion | WrongUsageOfUnsafe.go:227:31:227:55 | type conversion | WrongUsageOfUnsafe.go:243:9:243:27 | type conversion | $@. | WrongUsageOfUnsafe.go:227:31:227:55 | type conversion | Dangerous array type casting to [17]uint8 from [8]uint8 |
-| WrongUsageOfUnsafe.go:256:16:256:53 | type conversion | WrongUsageOfUnsafe.go:256:28:256:52 | type conversion | WrongUsageOfUnsafe.go:256:16:256:53 | type conversion | $@. | WrongUsageOfUnsafe.go:256:28:256:52 | type conversion | Dangerous array type casting to [4]int64 from [1]int64 |
-| WrongUsageOfUnsafe.go:274:16:274:50 | type conversion | WrongUsageOfUnsafe.go:274:25:274:49 | type conversion | WrongUsageOfUnsafe.go:274:16:274:50 | type conversion | $@. | WrongUsageOfUnsafe.go:274:25:274:49 | type conversion | Dangerous numeric type casting to int64 from int8 |
-| WrongUsageOfUnsafe.go:292:16:292:48 | type conversion | WrongUsageOfUnsafe.go:292:23:292:47 | type conversion | WrongUsageOfUnsafe.go:292:16:292:48 | type conversion | $@. | WrongUsageOfUnsafe.go:292:23:292:47 | type conversion | Dangerous numeric type casting to int from int8 |
diff --git a/go/ql/test/experimental/Unsafe/WrongUsageOfUnsafe.go b/go/ql/test/experimental/Unsafe/WrongUsageOfUnsafe.go
index e18df2c0d3b7..16c0f715790c 100644
--- a/go/ql/test/experimental/Unsafe/WrongUsageOfUnsafe.go
+++ b/go/ql/test/experimental/Unsafe/WrongUsageOfUnsafe.go
@@ -14,7 +14,7 @@ func good0() {
 // Read before secret without overflowing to secret:
 // NOTE: unsafe.Pointer(&harmless) == unsafe.Pointer(&harmless[0])
- var data = (*[8]byte)(unsafe.Pointer(&harmless)) // $ Alert[go/wrong-usage-of-unsafe] // OK
+ var data = (*[8]byte)(unsafe.Pointer(&harmless)) // OK
 fmt.Println(string((*data)[:]))
@@ -31,7 +31,7 @@ func goodIndexExpr() {
 // Read before secret without overflowing to secret:
 // NOTE: unsafe.Pointer(&harmless) == unsafe.Pointer(&harmless[0])
- var data = (*[8]byte)(unsafe.Pointer(&harmless[0])) // $ Alert[go/wrong-usage-of-unsafe] // OK
+ var data = (*[8]byte)(unsafe.Pointer(&harmless[0])) // OK
 fmt.Println(string((*data)[:]))
@@ -52,7 +52,7 @@ func goodIndexExprDifferentTypes() {
 // up until the end of `harmless` (from `harmless[3]` to
 // the end of `harmless` is 8 bytes),
 // which does not cross into `secret`.
- var data = (*[8]byte)(unsafe.Pointer(&harmless[3])) // $ Alert[go/wrong-usage-of-unsafe] // OK
+ var data = (*[8]byte)(unsafe.Pointer(&harmless[3])) // OK
 fmt.Println(string((*data)[:]))
@@ -90,7 +90,7 @@ func good2() {
 secret := [9]byte{'s', 'e', 'n', 's', 'i', 't', 'i', 'v', 'e'}
 // Read before secret:
- var data = (*int)(unsafe.Pointer(&harmless)) // $ Alert[go/wrong-usage-of-unsafe] // TODO: is this really OK?
+ var data = (*int)(unsafe.Pointer(&harmless)) // TODO: is this really OK?
 fmt.Println(*data)
@@ -224,7 +224,7 @@ func bad6() {
 secret := [9]byte{'s', 'e', 'n', 's', 'i', 't', 'i', 'v', 'e'}
 // Read before secret:
- var leaking = buffer_request(unsafe.Pointer(&harmless)) // $ Source[go/wrong-usage-of-unsafe] Alert[go/wrong-usage-of-unsafe] // BAD (see inside buffer_request func)
+ var leaking = buffer_request(unsafe.Pointer(&harmless)) // $ Source[go/wrong-usage-of-unsafe] // BAD (see inside buffer_request func)
 fmt.Println((string)(leaking[:]))
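Review bot: In the good2 hunk, `var data = (*int)(unsafe.Pointer(&harmless)) // TODO: is this really OK?` keeps an open question while the removed `$ Alert` tag now makes the test assert that no alert is expected, so the expectation and the comment disagree. Whether the read stays inside `harmless` depends on the size of `int` (4 bytes on 32-bit targets, 8 on 64-bit) against the declared length of `harmless`, which sits outside this hunk; either settle it in the comment, e.g. `// OK: an int is at most 8 bytes, so the read cannot reach secret` if that holds for the declared size, or say that the no-alert expectation is provisional. The other hunks on this line (good0, goodIndexExpr, goodIndexExprDifferentTypes, bad6) are plain tag fixes and need nothing. Each of these functions starts and ends outside its hunk.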
@@ -233,14 +233,14 @@ func bad6() {
 fmt.Println("hello world")
 }
 }
-func buffer_request(req unsafe.Pointer) [8 + 9]byte { // $ Source[go/wrong-usage-of-unsafe] Alert[go/wrong-usage-of-unsafe]
+func buffer_request(req unsafe.Pointer) [8 + 9]byte {
 // The length of req is 8 bytes,
 // but we cast it to a longer array,
 // which means that when the resulting array
 // will be read, the read will also contain pieces of
 // data from `secret`.
 var buf [8 + 9]byte
- buf = *(*[8 + 9]byte)(req) // $ Alert[go/wrong-usage-of-unsafe] Source[go/wrong-usage-of-unsafe] // BAD (from above func)
+ buf = *(*[8 + 9]byte)(req) // $ Alert[go/wrong-usage-of-unsafe] // BAD (from above func)
 return buf
 }
 func bad7() {
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/GoMicro/LogInjection.expected b/go/ql/test/library-tests/semmle/go/frameworks/GoMicro/LogInjection.expected
index 703066d64494..4ec65220a529 100644
--- a/go/ql/test/library-tests/semmle/go/frameworks/GoMicro/LogInjection.expected
+++ b/go/ql/test/library-tests/semmle/go/frameworks/GoMicro/LogInjection.expected
@@ -1,8 +1,8 @@
+#select
+| main.go:21:28:21:31 | name | main.go:18:46:18:48 | definition of req | main.go:21:28:21:31 | name | This log entry depends on a $@. | main.go:18:46:18:48 | definition of req | user-provided value |
 edges
 | main.go:18:46:18:48 | definition of req | main.go:21:28:21:31 | name | provenance | |
 nodes
 | main.go:18:46:18:48 | definition of req | semmle.label | definition of req |
 | main.go:21:28:21:31 | name | semmle.label | name |
 subpaths
-#select
-| main.go:21:28:21:31 | name | main.go:18:46:18:48 | definition of req | main.go:21:28:21:31 | name | This log entry depends on a $@. | main.go:18:46:18:48 | definition of req | user-provided value |
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/GoMicro/main.go b/go/ql/test/library-tests/semmle/go/frameworks/GoMicro/main.go
index 5b50dc5a0e0b..f16eb3458789 100644
--- a/go/ql/test/library-tests/semmle/go/frameworks/GoMicro/main.go
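Review bot: The tags this hunk keeps — `$ Alert[go/wrong-usage-of-unsafe]` on `buf = *(*[8 + 9]byte)(req)` in buffer_request, and `$ Source[go/wrong-usage-of-unsafe]` on the bad6 call site in the preceding hunk — still carry the query id, whereas the rest of this commit (CWE-285, CWE-321-V2, CWE-400, CWE-525) reduces the same tags to bare `$ Alert` / `$ Source`. WrongUsageOfUnsafe.qlref was cut down to a single postprocess query in the previous patch, so the qualifier looks unnecessary here as well; if it is needed, a one-line comment in the file saying why would protect it from the next cleanup. The same qualified form remains on both tags in GoMicro/main.go's Hello in the next hunk. bad6 starts before this hunk and bad7's body continues after it.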
+++ b/go/ql/test/library-tests/semmle/go/frameworks/GoMicro/main.go
@@ -15,10 +15,10 @@ import (
 type Greeter struct{}
-func (g *Greeter) Hello(ctx context.Context, req *pb.Request, rsp *pb.Response) error { // $ serverRequest="definition of req" Source[go/log-injection] Alert[go/log-injection]
+func (g *Greeter) Hello(ctx context.Context, req *pb.Request, rsp *pb.Response) error { // $ serverRequest="definition of req" Source[go/log-injection]
 // var access
 name := req.Name
- fmt.Println("Name :: %s", name) // $ Alert[go/log-injection] Source[go/log-injection]
+ fmt.Println("Name :: %s", name) // $ Alert[go/log-injection]
 return nil
 }
diff --git a/go/ql/test/query-tests/Security/CWE-322/InsecureHostKeyCallback.expected b/go/ql/test/query-tests/Security/CWE-322/InsecureHostKeyCallback.expected
index b81d24f26654..b05736dc4c4e 100644
--- a/go/ql/test/query-tests/Security/CWE-322/InsecureHostKeyCallback.expected
+++ b/go/ql/test/query-tests/Security/CWE-322/InsecureHostKeyCallback.expected
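Review bot: `fmt.Println("Name :: %s", name)` passes a `%s` directive to a function that does no formatting, so the output is the literal text `Name :: %s` followed by the value, and `go vet`'s printf check reports exactly this call. If formatted output is intended, `fmt.Printf("Name :: %s\n", name)` is the fix — assuming the query models Printf as a sink too — and the `.expected` columns for `name` (21:28:21:31 in the hunk above) would then need regenerating; if `Println` is kept deliberately as the sink under test, dropping the stray `%s` or adding a short comment saying the verb is intentional would stop the vet warning from puzzling the next reader. Hello is entirely within this hunk.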
@@ -1,3 +1,8 @@
+#select
+| InsecureHostKeyCallbackExample.go:15:20:18:5 | type conversion | InsecureHostKeyCallbackExample.go:16:4:18:4 | function literal | InsecureHostKeyCallbackExample.go:15:20:18:5 | type conversion | Configuring SSH ClientConfig with insecure HostKeyCallback implementation from $@. | InsecureHostKeyCallbackExample.go:16:4:18:4 | function literal | this source |
+| InsecureHostKeyCallbackExample.go:26:20:26:46 | call to InsecureIgnoreHostKey | InsecureHostKeyCallbackExample.go:26:20:26:46 | call to InsecureIgnoreHostKey | InsecureHostKeyCallbackExample.go:26:20:26:46 | call to InsecureIgnoreHostKey | Configuring SSH ClientConfig with insecure HostKeyCallback implementation from $@. | InsecureHostKeyCallbackExample.go:26:20:26:46 | call to InsecureIgnoreHostKey | this source |
+| InsecureHostKeyCallbackExample.go:39:20:39:27 | callback | InsecureHostKeyCallbackExample.go:32:3:34:3 | function literal | InsecureHostKeyCallbackExample.go:39:20:39:27 | callback | Configuring SSH ClientConfig with insecure HostKeyCallback implementation from $@. | InsecureHostKeyCallbackExample.go:32:3:34:3 | function literal | this source |
+| InsecureHostKeyCallbackExample.go:52:20:52:48 | type conversion | InsecureHostKeyCallbackExample.go:45:3:47:3 | function literal | InsecureHostKeyCallbackExample.go:52:20:52:48 | type conversion | Configuring SSH ClientConfig with insecure HostKeyCallback implementation from $@. | InsecureHostKeyCallbackExample.go:45:3:47:3 | function literal | this source |
 edges
 | InsecureHostKeyCallbackExample.go:16:4:18:4 | function literal | InsecureHostKeyCallbackExample.go:15:20:18:5 | type conversion | provenance | |
 | InsecureHostKeyCallbackExample.go:31:14:34:4 | type conversion | InsecureHostKeyCallbackExample.go:39:20:39:27 | callback | provenance | |
@@ -41,8 +46,3 @@ nodes
 | InsecureHostKeyCallbackExample.go:118:35:118:61 | call to InsecureIgnoreHostKey | semmle.label | call to InsecureIgnoreHostKey |
 | InsecureHostKeyCallbackExample.go:120:44:120:68 | potentiallySecureCallback | semmle.label | potentiallySecureCallback |
 subpaths
-#select
-| InsecureHostKeyCallbackExample.go:15:20:18:5 | type conversion | InsecureHostKeyCallbackExample.go:16:4:18:4 | function literal | InsecureHostKeyCallbackExample.go:15:20:18:5 | type conversion | Configuring SSH ClientConfig with insecure HostKeyCallback implementation from $@. | InsecureHostKeyCallbackExample.go:16:4:18:4 | function literal | this source |
-| InsecureHostKeyCallbackExample.go:26:20:26:46 | call to InsecureIgnoreHostKey | InsecureHostKeyCallbackExample.go:26:20:26:46 | call to InsecureIgnoreHostKey | InsecureHostKeyCallbackExample.go:26:20:26:46 | call to InsecureIgnoreHostKey | Configuring SSH ClientConfig with insecure HostKeyCallback implementation from $@. | InsecureHostKeyCallbackExample.go:26:20:26:46 | call to InsecureIgnoreHostKey | this source |
-| InsecureHostKeyCallbackExample.go:39:20:39:27 | callback | InsecureHostKeyCallbackExample.go:32:3:34:3 | function literal | InsecureHostKeyCallbackExample.go:39:20:39:27 | callback | Configuring SSH ClientConfig with insecure HostKeyCallback implementation from $@. | InsecureHostKeyCallbackExample.go:32:3:34:3 | function literal | this source |
-| InsecureHostKeyCallbackExample.go:52:20:52:48 | type conversion | InsecureHostKeyCallbackExample.go:45:3:47:3 | function literal | InsecureHostKeyCallbackExample.go:52:20:52:48 | type conversion | Configuring SSH ClientConfig with insecure HostKeyCallback implementation from $@. | InsecureHostKeyCallbackExample.go:45:3:47:3 | function literal | this source |
diff --git a/go/ql/test/query-tests/Security/CWE-322/InsecureHostKeyCallbackExample.go b/go/ql/test/query-tests/Security/CWE-322/InsecureHostKeyCallbackExample.go
index 8fc2a778ee03..1d5b17ebd8d4 100644
--- a/go/ql/test/query-tests/Security/CWE-322/InsecureHostKeyCallbackExample.go
+++ b/go/ql/test/query-tests/Security/CWE-322/InsecureHostKeyCallbackExample.go
@@ -15,7 +15,7 @@ func insecureSSHClientConfig() {
 HostKeyCallback: ssh.HostKeyCallback( // BAD
 func(hostname string, remote net.Addr, key ssh.PublicKey) error {
 return nil
- }), // $ Alert[go/insecure-hostkeycallback]
+ }), // $ Source Alert
 }
 }
@@ -23,7 +23,7 @@ func insecureSSHClientConfigAlt() {
 _ = &ssh.ClientConfig{
 User: "user",
 Auth: []ssh.AuthMethod{nil},
- HostKeyCallback: ssh.InsecureIgnoreHostKey(), // $ Alert[go/insecure-hostkeycallback] // BAD
+ HostKeyCallback: ssh.InsecureIgnoreHostKey(), // $ Alert // BAD
 }
 }
@@ -31,12 +31,12 @@ func insecureSSHClientConfigLocalFlow() {
 callback := ssh.HostKeyCallback(
 func(hostname string, remote net.Addr, key ssh.PublicKey) error {
 return nil
- }) // $ Source[go/insecure-hostkeycallback] Alert[go/insecure-hostkeycallback]
+ }) // $ Source
 _ = &ssh.ClientConfig{
 User: "user",
 Auth: []ssh.AuthMethod{nil},
- HostKeyCallback: callback, // $ Alert[go/insecure-hostkeycallback] Source[go/insecure-hostkeycallback] // BAD
+ HostKeyCallback: callback, // $ Alert // BAD
 }
 }
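Review bot: The expectation tags in this file drop the query id — `// $ Source Alert` on the `}),` line and `// $ Alert // BAD` on the InsecureIgnoreHostKey line — while the WrongUsageOfUnsafe and GoMicro hunks of the same commit keep the `[go/...]` suffix. That is presumably deliberate if this directory's qlref now runs only the insecure-hostkeycallback query, but the qlref change is not in view, so either keep the id here for uniformity or state in the description why CWE-322 is the exception. The combined `Source Alert` on the closing `}),` line does line up with the .expected rows, where the function literal (source, 16:4-18:4) and the enclosing type conversion (sink, 15:20-18:5) both end on line 18.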
@@ -44,28 +44,28 @@ func insecureSSHClientConfigLocalFlowAlt() {
 callback := func(hostname string, remote net.Addr, key ssh.PublicKey) error {
 return nil
- } // $ Source[go/insecure-hostkeycallback] Alert[go/insecure-hostkeycallback]
+ } // $ Source
 _ = &ssh.ClientConfig{
 User: "user",
 Auth: []ssh.AuthMethod{nil},
- HostKeyCallback: ssh.HostKeyCallback(callback), // $ Alert[go/insecure-hostkeycallback] Source[go/insecure-hostkeycallback] // BAD
+ HostKeyCallback: ssh.HostKeyCallback(callback), // $ Alert // BAD
 }
 }
 // Check that insecure and secure functions flowing together to the same
 // sink is not flagged (we assume this is configurable security)
-func potentialInsecureSSHClientConfig(callback ssh.HostKeyCallback) { // $ Alert[go/insecure-hostkeycallback] Source[go/insecure-hostkeycallback]
+func potentialInsecureSSHClientConfig(callback ssh.HostKeyCallback) {
 _ = &ssh.ClientConfig{
 User: "user",
 Auth: []ssh.AuthMethod{nil},
- HostKeyCallback: callback, // $ Source[go/insecure-hostkeycallback] // OK
+ HostKeyCallback: callback, // OK
 }
 }
 // Check that insecure and secure functions flowing to different writes to
 // the same objects are not flagged (we assume this is configurable security)
-func potentialInsecureSSHClientConfigTwoWrites(callback ssh.HostKeyCallback) { // $ Alert[go/insecure-hostkeycallback] Source[go/insecure-hostkeycallback]
+func potentialInsecureSSHClientConfigTwoWrites(callback ssh.HostKeyCallback) {
 config := &ssh.ClientConfig{
 User: "user",
 Auth: []ssh.AuthMethod{nil},
@@ -75,7 +75,7 @@ func potentialInsecureSSHClientConfigTwoWrites(callback ssh.HostKeyCallback) { /
 if callback == nil {
 config.HostKeyCallback = ssh.InsecureIgnoreHostKey() // OK
 } else {
- config.HostKeyCallback = callback // $ Source[go/insecure-hostkeycallback]
+ config.HostKeyCallback = callback
 }
 }
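Review bot: In the `@@ -75,7` hunk the `if callback == nil { config.HostKeyCallback = ssh.InsecureIgnoreHostKey() // OK }` branch is a fail-open default — a caller that forgets to pass a callback silently turns host-key verification off — and `// OK` there reads as "this is safe" rather than "no alert expected". The function's doc comment already says the query deliberately skips configurable security, so I would make the marker carry that meaning, e.g. `config.HostKeyCallback = ssh.InsecureIgnoreHostKey() // OK: not flagged, the other branch supplies a real callback`. The enclosing function potentialInsecureSSHClientConfigTwoWrites starts in the previous hunk, and the only new-side change in this one is the dropped `Source` tag on the else branch.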
@@ -91,8 +91,8 @@ func potentialInsecureSSHClientConfigUsingKnownHosts(x bool) {
 if x {
 config.HostKeyCallback = ssh.InsecureIgnoreHostKey() // OK
 } else {
- callback, _ := knownhosts.New("somefile") // $ Alert[go/insecure-hostkeycallback]
- config.HostKeyCallback = callback // $ Source[go/insecure-hostkeycallback]
+ callback, _ := knownhosts.New("somefile")
+ config.HostKeyCallback = callback
 }
 }
@@ -102,9 +102,9 @@ func main() {
 insecureCallback := ssh.HostKeyCallback(
 func(hostname string, remote net.Addr, key ssh.PublicKey) error {
 return nil
- }) // $ Alert[go/insecure-hostkeycallback]
+ })
- potentialInsecureSSHClientConfig(insecureCallback) // $ Source[go/insecure-hostkeycallback] Alert[go/insecure-hostkeycallback]
+ potentialInsecureSSHClientConfig(insecureCallback)
 potentiallySecureCallback := ssh.HostKeyCallback(
 func(hostname string, remote net.Addr, key ssh.PublicKey) error {
@@ -112,10 +112,10 @@ func main() {
 return nil
 }
 return fmt.Errorf("ssh: Unexpected host for key")
- }) // $ Alert[go/insecure-hostkeycallback]
+ })
- potentialInsecureSSHClientConfig(potentiallySecureCallback) // $ Source[go/insecure-hostkeycallback] Alert[go/insecure-hostkeycallback]
- potentialInsecureSSHClientConfig(ssh.InsecureIgnoreHostKey()) // $ Alert[go/insecure-hostkeycallback]
+ potentialInsecureSSHClientConfig(potentiallySecureCallback)
+ potentialInsecureSSHClientConfig(ssh.InsecureIgnoreHostKey())
- potentialInsecureSSHClientConfigTwoWrites(potentiallySecureCallback) // $ Source[go/insecure-hostkeycallback] Alert[go/insecure-hostkeycallback]
+ potentialInsecureSSHClientConfigTwoWrites(potentiallySecureCallback)
 }
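Review bot: In the `@@ -91,8` hunk `callback, _ := knownhosts.New("somefile")` discards the error, so when the file is missing `callback` stays nil and the next line assigns a nil HostKeyCallback; as far as I recall x/crypto/ssh refuses to open a connection without a HostKeyCallback, so this fails closed rather than open, but that is not visible here and the fixture gives no hint why the error is dropped. Since test fixtures get copied as patterns, I would annotate it: `callback, _ := knownhosts.New("somefile") // error ignored: fixture only exercises the flow into HostKeyCallback`. The enclosing function potentialInsecureSSHClientConfigUsingKnownHosts starts outside the hunk, and the new side changes only the removed expectation tags.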