Merge pull request #609 from github/atorralba/log-injection-query

Go: Add Log Injection query (CWE-117)
This commit is contained in:
Tony Torralba 2021-11-24 15:41:43 +01:00 коммит произвёл GitHub
Родитель 5ed4e3651b cc8d9bdc7f
Коммит 662f880ab8
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
25 изменённых файлов: 1527 добавлений и 22 удалений


@ -0,0 +1,2 @@
lgtm,codescanning
* A new query "Log entries created from user input" (`go/log-injection`) has been added. The query reports user-provided data reaching calls to logging methods.


@ -11,10 +11,17 @@ import go
*/
module Glog {
private class GlogCall extends LoggerCall::Range, DataFlow::CallNode {
int firstPrintedArg;
GlogCall() {
exists(string pkg, Function f, string fn |
exists(string pkg, Function f, string fn, string level |
pkg = package(["github.com/golang/glog", "gopkg.in/glog", "k8s.io/klog"], "") and
fn.regexpMatch("(Error|Exit|Fatal|Info|Warning)(|f|ln)") and
level = ["Error", "Exit", "Fatal", "Info", "Warning"] and
(
fn = level + ["", "f", "ln"] and firstPrintedArg = 0
or
fn = level + "Depth" and firstPrintedArg = 1
) and
this = f.getACall()
|
f.hasQualifiedName(pkg, fn)
@ -23,6 +30,8 @@ module Glog {
)
}
override DataFlow::Node getAMessageComponent() { result = this.getAnArgument() }
override DataFlow::Node getAMessageComponent() {
result = this.getArgument(any(int i | i >= firstPrintedArg))
}
}
}
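Review bot: The new `firstPrintedArg` field carries no QLDoc, and its meaning — the index of the first argument that is actually written to the log, 1 for the `*Depth` functions whose first parameter is the call depth — is only recoverable from the disjunction that assigns it; a one-line comment such as `/** Index of the first argument written to the log: 0, or 1 for the Depth variants, whose first parameter is a call depth. */` would make that explicit. Note also that the matcher binds only package-level functions via `f.hasQualifiedName(pkg, fn)`, so the `Verbose` receiver methods (`glog.V(n).Info` and friends), which the new test file in this pull request expects to be flagged, must be modelled elsewhere; a pointer to that model here would keep the two from drifting.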


@ -11,7 +11,10 @@ module Logrus {
bindingset[result]
private string getALogResultName() {
result.matches(["Debug%", "Error%", "Fatal%", "Info%", "Panic%", "Print%", "Trace%", "Warn%"])
result
.matches([
"Debug%", "Error%", "Fatal%", "Info%", "Log%", "Panic%", "Print%", "Trace%", "Warn%"
])
}
bindingset[result]
@ -23,7 +26,7 @@ module Logrus {
LogCall() {
exists(string name | name = getALogResultName() or name = getAnEntryUpdatingMethodName() |
this.getTarget().hasQualifiedName(packagePath(), name) or
this.getTarget().(Method).hasQualifiedName(packagePath(), "Entry", name)
this.getTarget().(Method).hasQualifiedName(packagePath(), ["Entry", "Logger"], name)
)
}
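Review bot: Adding `"Log%"` to `getALogResultName` pulls in `Entry.Log`, `Logf` and `Logln` (and the same methods on `Logger`), whose first parameter is a `Level`, not message text, yet unlike the glog change in this same pull request — which introduces `firstPrintedArg` to skip the depth argument of the `*Depth` functions — nothing here skips the level argument. If `getAMessageComponent` for `LogCall` (defined outside this hunk) returns every argument, the level is treated as a message component and a `Level` derived from user input would be reported as log injection. Consider mirroring the glog approach: record a first-printed-argument index for names starting with `Log` and have `getAMessageComponent` start from it. The body of `LogCall` continues beyond the hunk.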


@ -8,13 +8,7 @@ import go
module Log {
private class LogCall extends LoggerCall::Range, DataFlow::CallNode {
LogCall() {
exists(string fn |
fn.matches("Fatal%")
or
fn.matches("Panic%")
or
fn.matches("Print%")
|
exists(string fn | fn.matches(["Fatal%", "Panic%", "Print%"]) |
this.getTarget().hasQualifiedName("log", fn)
or
this.getTarget().(Method).hasQualifiedName("log", "Logger", fn)
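Review bot: The rewritten matcher `fn.matches(["Fatal%", "Panic%", "Print%"])` is behaviour-preserving, but it still omits `log.Output` and `(*log.Logger).Output`, which write a log entry from their string argument exactly like `Print`; because the new `go/log-injection` query in this pull request takes its sinks from `LoggerCall`, a user-controlled string reaching `Output(2, s)` goes unreported. Adding `Output` needs the same care the glog change takes: its first parameter is a call depth, so the message component should start at argument 1 rather than covering every argument. The `LogCall` characteristic predicate continues beyond the hunk.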


@ -0,0 +1,33 @@
/**
* Provides a taint tracking configuration for reasoning about log injection vulnerabilities.
*
* Note: for performance reasons, only import this file if `LogInjection::Configuration` is needed,
* otherwise `LogInjectionCustomizations` should be imported instead.
*/
import go
/**
* Provides a taint-tracking configuration for reasoning about
* log injection vulnerabilities.
*/
module LogInjection {
import LogInjectionCustomizations::LogInjection
/**
* A taint-tracking configuration for reasoning about log injection vulnerabilities.
*/
class Configuration extends TaintTracking::Configuration {
Configuration() { this = "LogInjection" }
override predicate isSource(DataFlow::Node source) { source instanceof Source }
override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
override predicate isSanitizer(DataFlow::Node sanitizer) { sanitizer instanceof Sanitizer }
override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
guard instanceof SanitizerGuard
}
}
}


@ -0,0 +1,42 @@
/**
* Provides default sources, sinks, and sanitizers for reasoning about
* log injection vulnerabilities, as well as extension points for adding your own.
*/
import go
/**
* Provides extension points for customizing the data-flow tracking configuration for reasoning
* about log injection.
*/
module LogInjection {
/**
* A data flow source for log injection vulnerabilities.
*/
abstract class Source extends DataFlow::Node { }
/**
* A data flow sink for log injection vulnerabilities.
*/
abstract class Sink extends DataFlow::Node { }
/**
* A sanitizer for log injection vulnerabilities.
*/
abstract class Sanitizer extends DataFlow::Node { }
/**
* A sanitizer guard for log injection vulnerabilities.
*/
abstract class SanitizerGuard extends DataFlow::BarrierGuard { }
/** A source of untrusted data, considered as a taint source for log injection. */
class UntrustedFlowAsSource extends Source {
UntrustedFlowAsSource() { this instanceof UntrustedFlowSource }
}
/** An argument to a logging mechanism. */
class LoggerSink extends Sink {
LoggerSink() { this = any(LoggerCall log).getAMessageComponent() }
}
}
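Review bot: `Sanitizer` and `SanitizerGuard` have no concrete subclasses, so the only barriers the configuration can use are ones a downstream user writes; in particular the remediation the qhelp recommends — `strings.Replace` stripping `\n` and `\r`, as in `LogInjectionGood.go` — is not recognised, and if the usual taint step through `strings.Replace` applies, the "good" example will still be reported. A `Sanitizer` matching `strings.Replace`/`strings.ReplaceAll` calls whose old-string argument is a line-break literal, or a `SanitizerGuard` for a `strings.ContainsAny(x, "\r\n")` check, would close that gap, and a test over `LogInjectionGood.go` would pin it. Note that `html.EscapeString`, also recommended by the qhelp, leaves line breaks intact, so it is only a sanitizer for logs rendered as HTML.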


@ -0,0 +1,12 @@
package main
import (
"log"
"net/http"
)
// BAD: A user-provided value is written directly to a log.
func handler(req *http.Request) {
username := req.URL.Query()["username"][0]
log.Printf("user %s logged in.\n", username)
}


@ -0,0 +1,46 @@
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>If unsanitized user input is written to a log entry, a malicious user may
be able to forge new log entries.</p>
<p>Forgery can occur if a user provides some input with characters that are interpreted
when the log output is displayed. If the log is displayed as a plain text file, then new
line characters can be used by a malicious user. If the log is displayed as HTML, then
arbitrary HTML may be included to spoof log entries.</p>
</overview>
<recommendation>
<p>
User input should be suitably encoded before it is logged.
</p>
<p>
If the log entries are plain text then line breaks should be removed from user input, using
<code>strings.Replace</code> or similar. Care should also be taken that user input is clearly marked
in log entries, and that a malicious user cannot cause confusion in other ways.
</p>
<p>
For log entries that will be displayed in HTML, user input should be HTML encoded using
<code>html.EscapeString</code> or similar before being logged, to prevent forgery and
other forms of HTML injection.
</p>
</recommendation>
<example>
<p>
In the following example, a user name, provided by the user, is logged using a logging framework without any sanitization.
</p>
<sample src="LogInjection.go" />
<p>
In the next example, <code>strings.Replace</code> is used to ensure no line endings are present in the user input.
</p>
<sample src="LogInjectionGood.go" />
</example>
<references>
<li>OWASP: <a href="https://www.owasp.org/index.php/Log_Injection">Log Injection</a>.</li>
</references>
</qhelp>


@ -0,0 +1,21 @@
/**
* @name Log entries created from user input
* @description Building log entries from user-controlled sources is vulnerable to
* insertion of forged log entries by a malicious user.
* @kind path-problem
* @problem.severity error
* @security-severity 7.8
* @precision high
* @id go/log-injection
* @tags security
* external/cwe/cwe-117
*/
import go
import semmle.go.security.LogInjection
import DataFlow::PathGraph
from LogInjection::Configuration c, DataFlow::PathNode source, DataFlow::PathNode sink
where c.hasFlowPath(source, sink)
select sink, source, sink, "This log write receives unsanitized user input from $@.",
source.getNode(), "here"


@ -0,0 +1,15 @@
package main
import (
"log"
"net/http"
"strings"
)
// GOOD: The user-provided value is escaped before being written to the log.
func handlerGood(req *http.Request) {
username := req.URL.Query()["username"][0]
escapedUsername := strings.Replace(username, "\n", "", -1)
escapedUsername = strings.Replace(escapedUsername, "\r", "", -1)
log.Printf("user %s logged in.\n", escapedUsername)
}
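Review bot: The comment on `handlerGood` says the value is "escaped", but the two `strings.Replace` calls only delete `\n` and `\r`; other control characters (backspace, `\x1b` terminal escape sequences) still pass through and can overwrite or recolour a plain-text log line, and nothing delimits where the user-supplied text begins and ends. Quoting the value instead, `log.Printf("user %q logged in.\n", username)` (or `strconv.Quote`), escapes every control character and marks the field boundaries, which is the stronger remediation for plain-text logs; `strings.ReplaceAll` is also the idiomatic spelling of `Replace(..., -1)`. Separately, `req.URL.Query()["username"][0]` panics when the parameter is absent; `req.URL.Query().Get("username")` avoids that in sample code readers will copy.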


@ -10,44 +10,44 @@ import (
func glogTest() {
glog.Error(text) // $ logger=text
glog.ErrorDepth(0, text) // $ MISSING: logger=text
glog.ErrorDepth(0, text) // $ logger=text
glog.Errorf(fmt, text) // $ logger=fmt logger=text
glog.Errorln(text) // $ logger=text
glog.Exit(text) // $ logger=text
glog.ExitDepth(0, text) // $ MISSING: logger=text
glog.ExitDepth(0, text) // $ logger=text
glog.Exitf(fmt, text) // $ logger=fmt logger=text
glog.Exitln(text) // $ logger=text
glog.Fatal(text) // $ logger=text
glog.FatalDepth(0, text) // $ MISSING: logger=text
glog.FatalDepth(0, text) // $ logger=text
glog.Fatalf(fmt, text) // $ logger=fmt logger=text
glog.Fatalln(text) // $ logger=text
glog.Info(text) // $ logger=text
glog.InfoDepth(0, text) // $ MISSING: logger=text
glog.InfoDepth(0, text) // $ logger=text
glog.Infof(fmt, text) // $ logger=fmt logger=text
glog.Infoln(text) // $ logger=text
glog.Warning(text) // $ logger=text
glog.WarningDepth(0, text) // $ MISSING: logger=text
glog.WarningDepth(0, text) // $ logger=text
glog.Warningf(fmt, text) // $ logger=fmt logger=text
glog.Warningln(text) // $ logger=text
klog.Error(text) // $ logger=text
klog.ErrorDepth(0, text) // $ MISSING: logger=text
klog.ErrorDepth(0, text) // $ logger=text
klog.Errorf(fmt, text) // $ logger=fmt logger=text
klog.Errorln(text) // $ logger=text
klog.Exit(text) // $ logger=text
klog.ExitDepth(0, text) // $ MISSING: logger=text
klog.ExitDepth(0, text) // $ logger=text
klog.Exitf(fmt, text) // $ logger=fmt logger=text
klog.Exitln(text) // $ logger=text
klog.Fatal(text) // $ logger=text
klog.FatalDepth(0, text) // $ MISSING: logger=text
klog.FatalDepth(0, text) // $ logger=text
klog.Fatalf(fmt, text) // $ logger=fmt logger=text
klog.Fatalln(text) // $ logger=text
klog.Info(text) // $ logger=text
klog.InfoDepth(0, text) // $ MISSING: logger=text
klog.InfoDepth(0, text) // $ logger=text
klog.Infof(fmt, text) // $ logger=fmt logger=text
klog.Infoln(text) // $ logger=text
klog.Warning(text) // $ logger=text
klog.WarningDepth(0, text) // $ MISSING: logger=text
klog.WarningDepth(0, text) // $ logger=text
klog.Warningf(fmt, text) // $ logger=fmt logger=text
klog.Warningln(text) // $ logger=text
}


@ -0,0 +1,362 @@
package main
//go:generate depstubber -vendor k8s.io/klog Verbose Info,Infof,Infoln,Error,Errorf,Errorln,Fatal,Fatalf,Fatalln,Exit,Exitf,Exitln,V
//go:generate depstubber -vendor github.com/astaxie/beego "" Alert,Critical,Debug,Emergency,Error,Info,Informational,Notice,Trace,Warn,Warning
//go:generate depstubber -vendor github.com/astaxie/beego/logs "" NewLogger,Alert,Critical,Debug,Emergency,Error,Info,Informational,Notice,Trace,Warn,Warning
//go:generate depstubber -vendor github.com/astaxie/beego/utils "" Display
//go:generate depstubber -vendor github.com/davecgh/go-spew/spew "" Dump,Errorf,Print,Printf,Println,Fdump,Fprint,Fprintf,Fprintln
//go:generate depstubber -vendor github.com/elazarl/goproxy ProxyCtx ""
//go:generate depstubber -vendor github.com/golang/glog Level,Verbose Info,InfoDepth,Infof,Infoln,Error,ErrorDepth,Errorf,Errorln,Fatal,FatalDepth,Fatalf,Fatalln,Exit,ExitDepth,Exitf,Exitln,V
//go:generate depstubber -vendor github.com/sirupsen/logrus Fields,Entry,Logger,Level Debug,Debugf,Debugln,Error,Errorf,Errorln,Fatal,Fatalf,Fatalln,Info,Infof,Infoln,Panic,Panicf,Panicln,Print,Printf,Println,Trace,Tracef,Traceln,Warn,Warnf,Warnln,Warning,Warningf,Warningln,WithFields,WithField
//go:generate depstubber -vendor go.uber.org/zap Logger,SugaredLogger NewProduction
import (
"fmt"
"log"
"net/http"
"github.com/astaxie/beego"
"github.com/astaxie/beego/logs"
"github.com/astaxie/beego/utils"
"github.com/davecgh/go-spew/spew"
"github.com/elazarl/goproxy"
"github.com/golang/glog"
"github.com/sirupsen/logrus"
"go.uber.org/zap"
"k8s.io/klog"
)
func handler(req *http.Request, ctx *goproxy.ProxyCtx) {
username := req.URL.Query()["username"][0]
testFlag := req.URL.Query()["testFlag"][0]
{
fmt.Print(username) // $ hasTaintFlow="username"
fmt.Printf(username) // $ hasTaintFlow="username"
fmt.Println(username) // $ hasTaintFlow="username"
fmt.Fprint(nil, username) // $ hasTaintFlow="username"
fmt.Fprintf(nil, username) // $ hasTaintFlow="username"
fmt.Fprintln(nil, username) // $ hasTaintFlow="username"
}
// log
{
log.Print("user %s logged in.\n", username) // $ hasTaintFlow="username"
log.Printf("user %s logged in.\n", username) // $ hasTaintFlow="username"
log.Println("user %s logged in.\n", username) // $ hasTaintFlow="username"
if testFlag == "true" {
log.Fatal("user %s logged in.\n", username) // $ hasTaintFlow="username"
}
if testFlag == "true" {
log.Fatalf("user %s logged in.\n", username) // $ hasTaintFlow="username"
}
if testFlag == "true" {
log.Fatalln("user %s logged in.\n", username) // $ hasTaintFlow="username"
}
if testFlag == "true" {
log.Panic("user %s logged in.\n", username) // $ hasTaintFlow="username"
}
if testFlag == "true" {
log.Panicf("user %s logged in.\n", username) // $ hasTaintFlow="username"
}
if testFlag == "true" {
log.Panicln("user %s logged in.\n", username) // $ hasTaintFlow="username"
}
logger := log.Default()
logger.Print("user %s logged in.\n", username) // $ hasTaintFlow="username"
logger.Printf("user %s logged in.\n", username) // $ hasTaintFlow="username"
logger.Println("user %s logged in.\n", username) // $ hasTaintFlow="username"
logger.Fatal("user %s logged in.\n", username) // $ hasTaintFlow="username"
logger.Fatalf("user %s logged in.\n", username) // $ hasTaintFlow="username"
logger.Fatalln("user %s logged in.\n", username) // $ hasTaintFlow="username"
logger.Panic("user %s logged in.\n", username) // $ hasTaintFlow="username"
logger.Panicf("user %s logged in.\n", username) // $ hasTaintFlow="username"
logger.Panicln("user %s logged in.\n", username) // $ hasTaintFlow="username"
}
// k8s.io/klog
{
verbose := klog.V(0)
verbose.Info(username) // $ hasTaintFlow="username"
verbose.Infof(username) // $ hasTaintFlow="username"
verbose.Infoln(username) // $ hasTaintFlow="username"
klog.Info(username) // $ hasTaintFlow="username"
klog.Infof(username) // $ hasTaintFlow="username"
klog.Infoln(username) // $ hasTaintFlow="username"
klog.Error(username) // $ hasTaintFlow="username"
klog.Errorf(username) // $ hasTaintFlow="username"
klog.Errorln(username) // $ hasTaintFlow="username"
klog.Fatal(username) // $ hasTaintFlow="username"
klog.Fatalf(username) // $ hasTaintFlow="username"
klog.Fatalln(username) // $ hasTaintFlow="username"
klog.Exit(username) // $ hasTaintFlow="username"
klog.Exitf(username) // $ hasTaintFlow="username"
klog.Exitln(username) // $ hasTaintFlow="username"
}
// astaxie/beego
{
beego.Alert(username) // $ hasTaintFlow="username"
beego.Critical(username) // $ hasTaintFlow="username"
beego.Debug(username) // $ hasTaintFlow="username"
beego.Emergency(username) // $ hasTaintFlow="username"
beego.Error(username) // $ hasTaintFlow="username"
beego.Info(username) // $ hasTaintFlow="username"
beego.Informational(username) // $ hasTaintFlow="username"
beego.Notice(username) // $ hasTaintFlow="username"
beego.Trace(username) // $ hasTaintFlow="username"
beego.Warn(username) // $ hasTaintFlow="username"
beego.Warning(username) // $ hasTaintFlow="username"
logs.Alert(username) // $ hasTaintFlow="username"
logs.Critical(username) // $ hasTaintFlow="username"
logs.Debug(username) // $ hasTaintFlow="username"
logs.Emergency(username) // $ hasTaintFlow="username"
logs.Error(username) // $ hasTaintFlow="username"
logs.Info(username) // $ hasTaintFlow="username"
logs.Informational(username) // $ hasTaintFlow="username"
logs.Notice(username) // $ hasTaintFlow="username"
logs.Trace(username) // $ hasTaintFlow="username"
logs.Warn(username) // $ hasTaintFlow="username"
logs.Warning(username) // $ hasTaintFlow="username"
log := logs.NewLogger(10000)
log.Alert(username) // $ hasTaintFlow="username"
log.Critical(username) // $ hasTaintFlow="username"
log.Debug(username) // $ hasTaintFlow="username"
log.Emergency(username) // $ hasTaintFlow="username"
log.Error(username) // $ hasTaintFlow="username"
log.Info(username) // $ hasTaintFlow="username"
log.Informational(username) // $ hasTaintFlow="username"
log.Notice(username) // $ hasTaintFlow="username"
log.Trace(username) // $ hasTaintFlow="username"
log.Warn(username) // $ hasTaintFlow="username"
log.Warning(username) // $ hasTaintFlow="username"
utils.Display(username) // $ hasTaintFlow="username"
}
// elazarl/goproxy
{
ctx.Logf(username) // $ hasTaintFlow="username"
ctx.Logf("%s", username) // $ hasTaintFlow="username"
ctx.Warnf(username) // $ hasTaintFlow="username"
ctx.Warnf("%s", username) // $ hasTaintFlow="username"
}
// golang/glog
{
verbose := glog.V(0)
verbose.Info(username) // $ hasTaintFlow="username"
verbose.Infof(username) // $ hasTaintFlow="username"
verbose.Infoln(username) // $ hasTaintFlow="username"
glog.Info(username) // $ hasTaintFlow="username"
glog.InfoDepth(0, username) // $ hasTaintFlow="username"
glog.Infof(username) // $ hasTaintFlow="username"
glog.Infoln(username) // $ hasTaintFlow="username"
glog.Error(username) // $ hasTaintFlow="username"
glog.ErrorDepth(0, username) // $ hasTaintFlow="username"
glog.Errorf(username) // $ hasTaintFlow="username"
glog.Errorln(username) // $ hasTaintFlow="username"
glog.Fatal(username) // $ hasTaintFlow="username"
glog.FatalDepth(0, username) // $ hasTaintFlow="username"
glog.Fatalf(username) // $ hasTaintFlow="username"
glog.Fatalln(username) // $ hasTaintFlow="username"
glog.Exit(username) // $ hasTaintFlow="username"
glog.ExitDepth(0, username) // $ hasTaintFlow="username"
glog.Exitf(username) // $ hasTaintFlow="username"
glog.Exitln(username) // $ hasTaintFlow="username"
}
// sirupsen/logrus
{
logrus.Debug(username) // $ hasTaintFlow="username"
logrus.Debugf(username, "") // $ hasTaintFlow="username"
logrus.Debugf("", username) // $ hasTaintFlow="username"
logrus.Debugln(username) // $ hasTaintFlow="username"
logrus.Error(username) // $ hasTaintFlow="username"
logrus.Errorf(username, "") // $ hasTaintFlow="username"
logrus.Errorf("", username) // $ hasTaintFlow="username"
logrus.Errorln(username) // $ hasTaintFlow="username"
logrus.Fatal(username) // $ hasTaintFlow="username"
logrus.Fatalf(username, "") // $ hasTaintFlow="username"
logrus.Fatalf("", username) // $ hasTaintFlow="username"
logrus.Fatalln(username) // $ hasTaintFlow="username"
logrus.Info(username) // $ hasTaintFlow="username"
logrus.Infof(username, "") // $ hasTaintFlow="username"
logrus.Infof("", username) // $ hasTaintFlow="username"
logrus.Infoln(username) // $ hasTaintFlow="username"
logrus.Panic(username) // $ hasTaintFlow="username"
logrus.Panicf(username, "") // $ hasTaintFlow="username"
logrus.Panicf("", username) // $ hasTaintFlow="username"
logrus.Panicln(username) // $ hasTaintFlow="username"
logrus.Print(username) // $ hasTaintFlow="username"
logrus.Printf(username, "") // $ hasTaintFlow="username"
logrus.Printf("", username) // $ hasTaintFlow="username"
logrus.Println(username) // $ hasTaintFlow="username"
logrus.Trace(username) // $ hasTaintFlow="username"
logrus.Tracef(username, "") // $ hasTaintFlow="username"
logrus.Tracef("", username) // $ hasTaintFlow="username"
logrus.Traceln(username) // $ hasTaintFlow="username"
logrus.Warn(username) // $ hasTaintFlow="username"
logrus.Warnf(username, "") // $ hasTaintFlow="username"
logrus.Warnf("", username) // $ hasTaintFlow="username"
logrus.Warnln(username) // $ hasTaintFlow="username"
logrus.Warning(username) // $ hasTaintFlow="username"
logrus.Warningf(username, "") // $ hasTaintFlow="username"
logrus.Warningf("", username) // $ hasTaintFlow="username"
logrus.Warningln(username) // $ hasTaintFlow="username"
fields := make(logrus.Fields)
fields["username"] = username
entry := logrus.WithFields(fields) // $ hasTaintFlow="fields"
entry = logrus.WithField("username", username) // $ hasTaintFlow="username"
entry.Debug(username) // $ hasTaintFlow="username"
entry.Debugf(username, "") // $ hasTaintFlow="username"
entry.Debugf("", username) // $ hasTaintFlow="username"
entry.Debugln(username) // $ hasTaintFlow="username"
entry.Error(username) // $ hasTaintFlow="username"
entry.Errorf(username, "") // $ hasTaintFlow="username"
entry.Errorf("", username) // $ hasTaintFlow="username"
entry.Errorln(username) // $ hasTaintFlow="username"
entry.Fatal(username) // $ hasTaintFlow="username"
entry.Fatalf(username, "") // $ hasTaintFlow="username"
entry.Fatalf("", username) // $ hasTaintFlow="username"
entry.Fatalln(username) // $ hasTaintFlow="username"
entry.Info(username) // $ hasTaintFlow="username"
entry.Infof(username, "") // $ hasTaintFlow="username"
entry.Infof("", username) // $ hasTaintFlow="username"
entry.Infoln(username) // $ hasTaintFlow="username"
entry.Log(0, username) // $ hasTaintFlow="username"
entry.Logf(0, username, "") // $ hasTaintFlow="username"
entry.Logf(0, "", username) // $ hasTaintFlow="username"
entry.Logln(0, username) // $ hasTaintFlow="username"
entry.Panic(username) // $ hasTaintFlow="username"
entry.Panicf(username, "") // $ hasTaintFlow="username"
entry.Panicf("", username) // $ hasTaintFlow="username"
entry.Panicln(username) // $ hasTaintFlow="username"
entry.Print(username) // $ hasTaintFlow="username"
entry.Printf(username, "") // $ hasTaintFlow="username"
entry.Printf("", username) // $ hasTaintFlow="username"
entry.Println(username) // $ hasTaintFlow="username"
entry.Trace(username) // $ hasTaintFlow="username"
entry.Tracef(username, "") // $ hasTaintFlow="username"
entry.Tracef("", username) // $ hasTaintFlow="username"
entry.Traceln(username) // $ hasTaintFlow="username"
entry.Warn(username) // $ hasTaintFlow="username"
entry.Warnf(username, "") // $ hasTaintFlow="username"
entry.Warnf("", username) // $ hasTaintFlow="username"
entry.Warnln(username) // $ hasTaintFlow="username"
entry.Warning(username) // $ hasTaintFlow="username"
entry.Warningf(username, "") // $ hasTaintFlow="username"
entry.Warningf("", username) // $ hasTaintFlow="username"
entry.Warningln(username) // $ hasTaintFlow="username"
logger := entry.Logger
logger.Debug(username) // $ hasTaintFlow="username"
logger.Debugf(username, "") // $ hasTaintFlow="username"
logger.Debugf("", username) // $ hasTaintFlow="username"
logger.Debugln(username) // $ hasTaintFlow="username"
logger.Error(username) // $ hasTaintFlow="username"
logger.Errorf(username, "") // $ hasTaintFlow="username"
logger.Errorf("", username) // $ hasTaintFlow="username"
logger.Errorln(username) // $ hasTaintFlow="username"
logger.Fatal(username) // $ hasTaintFlow="username"
logger.Fatalf(username, "") // $ hasTaintFlow="username"
logger.Fatalf("", username) // $ hasTaintFlow="username"
logger.Fatalln(username) // $ hasTaintFlow="username"
logger.Info(username) // $ hasTaintFlow="username"
logger.Infof(username, "") // $ hasTaintFlow="username"
logger.Infof("", username) // $ hasTaintFlow="username"
logger.Infoln(username) // $ hasTaintFlow="username"
logger.Log(0, username) // $ hasTaintFlow="username"
logger.Logf(0, username, "") // $ hasTaintFlow="username"
logger.Logf(0, "", username) // $ hasTaintFlow="username"
logger.Logln(0, username) // $ hasTaintFlow="username"
logger.Panic(username) // $ hasTaintFlow="username"
logger.Panicf(username, "") // $ hasTaintFlow="username"
logger.Panicf("", username) // $ hasTaintFlow="username"
logger.Panicln(username) // $ hasTaintFlow="username"
logger.Print(username) // $ hasTaintFlow="username"
logger.Printf(username, "") // $ hasTaintFlow="username"
logger.Printf("", username) // $ hasTaintFlow="username"
logger.Println(username) // $ hasTaintFlow="username"
logger.Trace(username) // $ hasTaintFlow="username"
logger.Tracef(username, "") // $ hasTaintFlow="username"
logger.Tracef("", username) // $ hasTaintFlow="username"
logger.Traceln(username) // $ hasTaintFlow="username"
logger.Warn(username) // $ hasTaintFlow="username"
logger.Warnf(username, "") // $ hasTaintFlow="username"
logger.Warnf("", username) // $ hasTaintFlow="username"
logger.Warnln(username) // $ hasTaintFlow="username"
logger.Warning(username) // $ hasTaintFlow="username"
logger.Warningf(username, "") // $ hasTaintFlow="username"
logger.Warningf("", username) // $ hasTaintFlow="username"
logger.Warningln(username) // $ hasTaintFlow="username"
}
// davecgh/go-spew/spew
{
spew.Dump(username) // $ hasTaintFlow="username"
spew.Errorf(username) // $ hasTaintFlow="username"
spew.Print(username) // $ hasTaintFlow="username"
spew.Printf(username) // $ hasTaintFlow="username"
spew.Println(username) // $ hasTaintFlow="username"
spew.Fdump(nil, username) // $ hasTaintFlow="username"
spew.Fprint(nil, username) // $ hasTaintFlow="username"
spew.Fprintf(nil, username) // $ hasTaintFlow="username"
spew.Fprintln(nil, username) // $ hasTaintFlow="username"
}
// zap
{
logger, _ := zap.NewProduction()
logger.DPanic(username) // $ hasTaintFlow="username"
logger.Debug(username) // $ hasTaintFlow="username"
logger.Error(username) // $ hasTaintFlow="username"
if testFlag == " true" {
logger.Fatal(username) // $ hasTaintFlow="username"
}
logger.Info(username) // $ hasTaintFlow="username"
if testFlag == " true" {
logger.Panic(username) // $ hasTaintFlow="username"
}
logger.Warn(username) // $ hasTaintFlow="username"
logger.Named(username) // $ hasTaintFlow="username"
logger.With(username) // $ hasTaintFlow="username"
logger.WithOptions(username) // $ hasTaintFlow="username"
sLogger := logger.Sugar()
sLogger.DPanic(username) // $ hasTaintFlow="username"
sLogger.Debug(username) // $ hasTaintFlow="username"
sLogger.Error(username) // $ hasTaintFlow="username"
if testFlag == " true" {
sLogger.Fatal(username) // $ hasTaintFlow="username"
}
sLogger.Info(username) // $ hasTaintFlow="username"
if testFlag == " true" {
sLogger.Panic(username) // $ hasTaintFlow="username"
}
sLogger.Warn(username) // $ hasTaintFlow="username"
sLogger.DPanicf(username) // $ hasTaintFlow="username"
sLogger.Debugf(username) // $ hasTaintFlow="username"
sLogger.Errorf(username) // $ hasTaintFlow="username"
if testFlag == " true" {
sLogger.Fatalf(username) // $ hasTaintFlow="username"
}
sLogger.Infof(username) // $ hasTaintFlow="username"
if testFlag == " true" {
sLogger.Panicf(username) // $ hasTaintFlow="username"
}
sLogger.Warnf(username) // $ hasTaintFlow="username"
sLogger.DPanicw(username) // $ hasTaintFlow="username"
sLogger.Debugw(username) // $ hasTaintFlow="username"
sLogger.Errorw(username) // $ hasTaintFlow="username"
if testFlag == " true" {
sLogger.Fatalw(username) // $ hasTaintFlow="username"
}
sLogger.Infow(username) // $ hasTaintFlow="username"
if testFlag == " true" {
sLogger.Panicw(username) // $ hasTaintFlow="username"
}
sLogger.Warnw(username) // $ hasTaintFlow="username"
sLogger.Named(username) // $ hasTaintFlow="username"
sLogger.With(username) // $ hasTaintFlow="username"
}
}
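Review bot: In the zap block, `logger.With(username)` and `logger.WithOptions(username)` pass a string where zap's `Logger.With` takes `...zap.Field` and `WithOptions` takes `...zap.Option`, so neither call type-checks against the real library (nor against the stub, if depstubber mirrors the real signatures); more importantly `WithOptions` does not emit a log entry, so expecting `hasTaintFlow` there bakes a false positive into the expected results. I would drop the `WithOptions` line and give `With` a field argument, `logger.With(zap.String("user", username))`, so the test documents the flow the model is meant to catch. Also, the zap block compares `testFlag == " true"` (leading space) while the `log` block uses `"true"`; harmless for the test, but it reads as a typo.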



@ -0,0 +1,11 @@
import go
import TestUtilities.InlineFlowTest
import semmle.go.security.LogInjection
class LogInjectionTest extends InlineFlowTest {
override DataFlow::Configuration getTaintFlowConfig() {
result = any(LogInjection::Configuration config)
}
override DataFlow::Configuration getValueFlowConfig() { none() }
}


@ -0,0 +1,14 @@
module main
go 1.14
require (
github.com/astaxie/beego v1.12.3
github.com/elazarl/goproxy v0.0.0-20211114080932-d06c3be7c11b
github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b
github.com/kr/text v0.2.0 // indirect
github.com/sirupsen/logrus v1.8.1
github.com/stretchr/testify v1.6.0 // indirect
golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f // indirect
k8s.io/klog v1.0.0
)
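Review bot: The `require` block lists beego, goproxy, glog, logrus and klog, but the test file in this pull request also imports `github.com/davecgh/go-spew/spew` and `go.uber.org/zap` and generates vendored stubs for both; with `-mod=vendor` the Go toolchain rejects an import whose module is neither required here nor listed in `vendor/modules.txt`, so unless the extractor is tolerating that error these two imports resolve only by accident. Add `github.com/davecgh/go-spew` and `go.uber.org/zap` entries at the versions the stubs were generated from.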

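--- a/ql/test/query-tests/Security/CWE-117/vendor/github.com/astaxie/beego/logs/stub.go
+++ b/ql/test/query-tests/Security/CWE-117/vendor/github.com/astaxie/beego/logs/stub.go
@@ -0,0 +1,96 @@
+// Code generated by depstubber. DO NOT EDIT.
+// This is a simple stub for github.com/astaxie/beego/logs, strictly for use in testing.
+// See the LICENSE file for information about the licensing of the original library.
+// Source: github.com/astaxie/beego/logs (exports: ; functions: NewLogger,Alert,Critical,Debug,Emergency,Error,Info,Informational,Notice,Trace,Warn,Warning)
+// Package logs is a stub of github.com/astaxie/beego/logs, generated by depstubber.
+package logs
+func Alert(_ interface{}, _ ...interface{}) {}
+type BeeLogger struct{}
+func (_ *BeeLogger) Alert(_ string, _ ...interface{}) {}
+func (_ *BeeLogger) Async(_ ...int64) *BeeLogger {
+return nil
+}
+func (_ *BeeLogger) Close() {}
+func (_ *BeeLogger) Critical(_ string, _ ...interface{}) {}
+func (_ *BeeLogger) Debug(_ string, _ ...interface{}) {}
+func (_ *BeeLogger) DelLogger(_ string) error {
+return nil
+}
+func (_ *BeeLogger) Emergency(_ string, _ ...interface{}) {}
+func (_ *BeeLogger) EnableFuncCallDepth(_ bool) {}
+func (_ *BeeLogger) Error(_ string, _ ...interface{}) {}
+func (_ *BeeLogger) Flush() {}
+func (_ *BeeLogger) GetLevel() int {
+return 0
+}
+func (_ *BeeLogger) GetLogFuncCallDepth() int {
+return 0
+}
+func (_ *BeeLogger) Info(_ string, _ ...interface{}) {}
+func (_ *BeeLogger) Informational(_ string, _ ...interface{}) {}
+func (_ *BeeLogger) Notice(_ string, _ ...interface{}) {}
+func (_ *BeeLogger) Reset() {}
+func (_ *BeeLogger) SetLevel(_ int) {}
+func (_ *BeeLogger) SetLogFuncCallDepth(_ int) {}
+func (_ *BeeLogger) SetLogger(_ string, _ ...string) error {
+return nil
+}
+func (_ *BeeLogger) SetPrefix(_ string) {}
+func (_ *BeeLogger) Trace(_ string, _ ...interface{}) {}
+func (_ *BeeLogger) Warn(_ string, _ ...interface{}) {}
+func (_ *BeeLogger) Warning(_ string, _ ...interface{}) {}
+func (_ *BeeLogger) Write(_ []byte) (int, error) {
+return 0, nil
+}
+func Critical(_ interface{}, _ ...interface{}) {}
+func Debug(_ interface{}, _ ...interface{}) {}
+func Emergency(_ interface{}, _ ...interface{}) {}
+func Error(_ interface{}, _ ...interface{}) {}
+func Info(_ interface{}, _ ...interface{}) {}
+func Informational(_ interface{}, _ ...interface{}) {}
+func NewLogger(_ ...int64) *BeeLogger {
+return nil
+}
+func Notice(_ interface{}, _ ...interface{}) {}
+func Trace(_ interface{}, _ ...interface{}) {}
+func Warn(_ interface{}, _ ...interface{}) {}
+func Warning(_ interface{}, _ ...interface{}) {}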

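--- a/ql/test/query-tests/Security/CWE-117/vendor/github.com/astaxie/beego/stub.go
+++ b/ql/test/query-tests/Security/CWE-117/vendor/github.com/astaxie/beego/stub.go
@@ -0,0 +1,30 @@
+// Code generated by depstubber. DO NOT EDIT.
+// This is a simple stub for github.com/astaxie/beego, strictly for use in testing.
+// See the LICENSE file for information about the licensing of the original library.
+// Source: github.com/astaxie/beego (exports: ; functions: Alert,Critical,Debug,Emergency,Error,Info,Informational,Notice,Trace,Warn,Warning)
+// Package beego is a stub of github.com/astaxie/beego, generated by depstubber.
+package beego
+func Alert(_ ...interface{}) {}
+func Critical(_ ...interface{}) {}
+func Debug(_ ...interface{}) {}
+func Emergency(_ ...interface{}) {}
+func Error(_ ...interface{}) {}
+func Info(_ ...interface{}) {}
+func Informational(_ ...interface{}) {}
+func Notice(_ ...interface{}) {}
+func Trace(_ ...interface{}) {}
+func Warn(_ ...interface{}) {}
+func Warning(_ ...interface{}) {}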

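--- a/ql/test/query-tests/Security/CWE-117/vendor/github.com/astaxie/beego/utils/stub.go
+++ b/ql/test/query-tests/Security/CWE-117/vendor/github.com/astaxie/beego/utils/stub.go
@@ -0,0 +1,10 @@
+// Code generated by depstubber. DO NOT EDIT.
+// This is a simple stub for github.com/astaxie/beego/utils, strictly for use in testing.
+// See the LICENSE file for information about the licensing of the original library.
+// Source: github.com/astaxie/beego/utils (exports: ; functions: Display)
+// Package utils is a stub of github.com/astaxie/beego/utils, generated by depstubber.
+package utils
+func Display(_ ...interface{}) {}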

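--- a/ql/test/query-tests/Security/CWE-117/vendor/github.com/davecgh/go-spew/spew/stub.go
+++ b/ql/test/query-tests/Security/CWE-117/vendor/github.com/davecgh/go-spew/spew/stub.go
@@ -0,0 +1,44 @@
+// Code generated by depstubber. DO NOT EDIT.
+// This is a simple stub for github.com/davecgh/go-spew/spew, strictly for use in testing.
+// See the LICENSE file for information about the licensing of the original library.
+// Source: github.com/davecgh/go-spew/spew (exports: ; functions: Dump,Errorf,Print,Printf,Println,Fdump,Fprint,Fprintf,Fprintln)
+// Package spew is a stub of github.com/davecgh/go-spew/spew, generated by depstubber.
+package spew
+import (
+io "io"
+)
+func Dump(_ ...interface{}) {}
+func Errorf(_ string, _ ...interface{}) error {
+return nil
+}
+func Fdump(_ io.Writer, _ ...interface{}) {}
+func Fprint(_ io.Writer, _ ...interface{}) (int, error) {
+return 0, nil
+}
+func Fprintf(_ io.Writer, _ string, _ ...interface{}) (int, error) {
+return 0, nil
+}
+func Fprintln(_ io.Writer, _ ...interface{}) (int, error) {
+return 0, nil
+}
+func Print(_ ...interface{}) (int, error) {
+return 0, nil
+}
+func Printf(_ string, _ ...interface{}) (int, error) {
+return 0, nil
+}
+func Println(_ ...interface{}) (int, error) {
+return 0, nil
+}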

124
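--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-117/vendor/github.com/elazarl/goproxy/stub.go
+// Code generated by depstubber. DO NOT EDIT.
+// This is a simple stub for github.com/elazarl/goproxy, strictly for use in testing.
+// See the LICENSE file for information about the licensing of the original library.
+// Source: github.com/elazarl/goproxy (exports: ProxyCtx; functions: )
+// Package goproxy is a stub of github.com/elazarl/goproxy, generated by depstubber.
+package goproxy
+import (
+tls "crypto/tls"
+net "net"
+http "net/http"
+)
+type CertStorage interface {
+Fetch(_ string, _ func() (*tls.Certificate, error)) (*tls.Certificate, error)
+}
+type ConnectAction struct {
+Action ConnectActionLiteral
+Hijack func(*http.Request, net.Conn, *ProxyCtx)
+TLSConfig func(string, *ProxyCtx) (*tls.Config, error)
+}
+type ConnectActionLiteral int
+type HttpsHandler interface {
+HandleConnect(_ string, _ *ProxyCtx) (*ConnectAction, string)
+}
+type Logger interface {
+Printf(_ string, _ ...interface{})
+}
+type ProxyConds struct{}
+func (_ *ProxyConds) Do(_ RespHandler) {}
+func (_ *ProxyConds) DoFunc(_ func(*http.Response, *ProxyCtx) *http.Response) {}
+type ProxyCtx struct {
+Req *http.Request
+Resp *http.Response
+RoundTripper RoundTripper
+Error error
+UserData interface{}
+Session int64
+Proxy *ProxyHttpServer
+}
+func (_ *ProxyCtx) Charset() string {
+return ""
+}
+func (_ *ProxyCtx) Logf(_ string, _ ...interface{}) {}
+func (_ *ProxyCtx) RoundTrip(_ *http.Request) (*http.Response, error) {
+return nil, nil
+}
+func (_ *ProxyCtx) Warnf(_ string, _ ...interface{}) {}
+type ProxyHttpServer struct {
+KeepDestinationHeaders bool
+Verbose bool
+Logger Logger
+NonproxyHandler http.Handler
+Tr *http.Transport
+ConnectDial func(string, string) (net.Conn, error)
+CertStore CertStorage
+KeepHeader bool
+}
+func (_ *ProxyHttpServer) NewConnectDialToProxy(_ string) func(string, string) (net.Conn, error) {
+return nil
+}
+func (_ *ProxyHttpServer) NewConnectDialToProxyWithHandler(_ string, _ func(*http.Request)) func(string, string) (net.Conn, error) {
+return nil
+}
+func (_ *ProxyHttpServer) OnRequest(_ ...ReqCondition) *ReqProxyConds {
+return nil
+}
+func (_ *ProxyHttpServer) OnResponse(_ ...RespCondition) *ProxyConds {
+return nil
+}
+func (_ *ProxyHttpServer) ServeHTTP(_ http.ResponseWriter, _ *http.Request) {}
+type ReqCondition interface {
+HandleReq(_ *http.Request, _ *ProxyCtx) bool
+HandleResp(_ *http.Response, _ *ProxyCtx) bool
+}
+type ReqHandler interface {
+Handle(_ *http.Request, _ *ProxyCtx) (*http.Request, *http.Response)
+}
+type ReqProxyConds struct{}
+func (_ *ReqProxyConds) Do(_ ReqHandler) {}
+func (_ *ReqProxyConds) DoFunc(_ func(*http.Request, *ProxyCtx) (*http.Request, *http.Response)) {}
+func (_ *ReqProxyConds) HandleConnect(_ HttpsHandler) {}
+func (_ *ReqProxyConds) HandleConnectFunc(_ func(string, *ProxyCtx) (*ConnectAction, string)) {}
+func (_ *ReqProxyConds) HijackConnect(_ func(*http.Request, net.Conn, *ProxyCtx)) {}
+type RespCondition interface {
+HandleResp(_ *http.Response, _ *ProxyCtx) bool
+}
+type RespHandler interface {
+Handle(_ *http.Response, _ *ProxyCtx) *http.Response
+}
+type RoundTripper interface {
+RoundTrip(_ *http.Request, _ *ProxyCtx) (*http.Response, error)
+}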
66
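--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-117/vendor/github.com/golang/glog/stub.go
+// Code generated by depstubber. DO NOT EDIT.
+// This is a simple stub for github.com/golang/glog, strictly for use in testing.
+// See the LICENSE file for information about the licensing of the original library.
+// Source: github.com/golang/glog (exports: Level,Verbose; functions: Info,InfoDepth,Infof,Infoln,Error,ErrorDepth,Errorf,Errorln,Fatal,FatalDepth,Fatalf,Fatalln,Exit,ExitDepth,Exitf,Exitln,V)
+// Package glog is a stub of github.com/golang/glog, generated by depstubber.
+package glog
+func Error(_ ...interface{}) {}
+func ErrorDepth(_ int, _ ...interface{}) {}
+func Errorf(_ string, _ ...interface{}) {}
+func Errorln(_ ...interface{}) {}
+func Exit(_ ...interface{}) {}
+func ExitDepth(_ int, _ ...interface{}) {}
+func Exitf(_ string, _ ...interface{}) {}
+func Exitln(_ ...interface{}) {}
+func Fatal(_ ...interface{}) {}
+func FatalDepth(_ int, _ ...interface{}) {}
+func Fatalf(_ string, _ ...interface{}) {}
+func Fatalln(_ ...interface{}) {}
+func Info(_ ...interface{}) {}
+func InfoDepth(_ int, _ ...interface{}) {}
+func Infof(_ string, _ ...interface{}) {}
+func Infoln(_ ...interface{}) {}
+type Level int32
+func (_ *Level) Get() interface{} {
+return nil
+}
+func (_ *Level) Set(_ string) error {
+return nil
+}
+func (_ *Level) String() string {
+return ""
+}
+func V(_ Level) Verbose {
+return false
+}
+type Verbose bool
+func (_ Verbose) Info(_ ...interface{}) {}
+func (_ Verbose) Infof(_ string, _ ...interface{}) {}
+func (_ Verbose) Infoln(_ ...interface{}) {}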
371
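--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-117/vendor/github.com/sirupsen/logrus/stub.go
+// Code generated by depstubber. DO NOT EDIT.
+// This is a simple stub for github.com/sirupsen/logrus, strictly for use in testing.
+// See the LICENSE file for information about the licensing of the original library.
+// Source: github.com/sirupsen/logrus (exports: Fields,Entry,Logger,Level; functions: Debug,Debugf,Debugln,Error,Errorf,Errorln,Fatal,Fatalf,Fatalln,Info,Infof,Infoln,Panic,Panicf,Panicln,Print,Printf,Println,Trace,Tracef,Traceln,Warn,Warnf,Warnln,Warning,Warningf,Warningln,WithFields,WithField)
+// Package logrus is a stub of github.com/sirupsen/logrus, generated by depstubber.
+package logrus
+import (
+bytes "bytes"
+context "context"
+io "io"
+runtime "runtime"
+time "time"
+)
+func Debug(_ ...interface{}) {}
+func Debugf(_ string, _ ...interface{}) {}
+func Debugln(_ ...interface{}) {}
+type Entry struct {
+Logger *Logger
+Data Fields
+Time time.Time
+Level Level
+Caller *runtime.Frame
+Message string
+Buffer *bytes.Buffer
+Context context.Context
+}
+func (_ Entry) HasCaller() bool {
+return false
+}
+func (_ *Entry) Bytes() ([]byte, error) {
+return nil, nil
+}
+func (_ *Entry) Debug(_ ...interface{}) {}
+func (_ *Entry) Debugf(_ string, _ ...interface{}) {}
+func (_ *Entry) Debugln(_ ...interface{}) {}
+func (_ *Entry) Dup() *Entry {
+return nil
+}
+func (_ *Entry) Error(_ ...interface{}) {}
+func (_ *Entry) Errorf(_ string, _ ...interface{}) {}
+func (_ *Entry) Errorln(_ ...interface{}) {}
+func (_ *Entry) Fatal(_ ...interface{}) {}
+func (_ *Entry) Fatalf(_ string, _ ...interface{}) {}
+func (_ *Entry) Fatalln(_ ...interface{}) {}
+func (_ *Entry) Info(_ ...interface{}) {}
+func (_ *Entry) Infof(_ string, _ ...interface{}) {}
+func (_ *Entry) Infoln(_ ...interface{}) {}
+func (_ *Entry) Log(_ Level, _ ...interface{}) {}
+func (_ *Entry) Logf(_ Level, _ string, _ ...interface{}) {}
+func (_ *Entry) Logln(_ Level, _ ...interface{}) {}
+func (_ *Entry) Panic(_ ...interface{}) {}
+func (_ *Entry) Panicf(_ string, _ ...interface{}) {}
+func (_ *Entry) Panicln(_ ...interface{}) {}
+func (_ *Entry) Print(_ ...interface{}) {}
+func (_ *Entry) Printf(_ string, _ ...interface{}) {}
+func (_ *Entry) Println(_ ...interface{}) {}
+func (_ *Entry) String() (string, error) {
+return "", nil
+}
+func (_ *Entry) Trace(_ ...interface{}) {}
+func (_ *Entry) Tracef(_ string, _ ...interface{}) {}
+func (_ *Entry) Traceln(_ ...interface{}) {}
+func (_ *Entry) Warn(_ ...interface{}) {}
+func (_ *Entry) Warnf(_ string, _ ...interface{}) {}
+func (_ *Entry) Warning(_ ...interface{}) {}
+func (_ *Entry) Warningf(_ string, _ ...interface{}) {}
+func (_ *Entry) Warningln(_ ...interface{}) {}
+func (_ *Entry) Warnln(_ ...interface{}) {}
+func (_ *Entry) WithContext(_ context.Context) *Entry {
+return nil
+}
+func (_ *Entry) WithError(_ error) *Entry {
+return nil
+}
+func (_ *Entry) WithField(_ string, _ interface{}) *Entry {
+return nil
+}
+func (_ *Entry) WithFields(_ Fields) *Entry {
+return nil
+}
+func (_ *Entry) WithTime(_ time.Time) *Entry {
+return nil
+}
+func (_ *Entry) Writer() *io.PipeWriter {
+return nil
+}
+func (_ *Entry) WriterLevel(_ Level) *io.PipeWriter {
+return nil
+}
+func Error(_ ...interface{}) {}
+func Errorf(_ string, _ ...interface{}) {}
+func Errorln(_ ...interface{}) {}
+func Fatal(_ ...interface{}) {}
+func Fatalf(_ string, _ ...interface{}) {}
+func Fatalln(_ ...interface{}) {}
+type Fields map[string]interface{}
+type Formatter interface {
+Format(_ *Entry) ([]byte, error)
+}
+type Hook interface {
+Fire(_ *Entry) error
+Levels() []Level
+}
+func Info(_ ...interface{}) {}
+func Infof(_ string, _ ...interface{}) {}
+func Infoln(_ ...interface{}) {}
+type Level uint32
+func (_ Level) MarshalText() ([]byte, error) {
+return nil, nil
+}
+func (_ Level) String() string {
+return ""
+}
+func (_ *Level) UnmarshalText(_ []byte) error {
+return nil
+}
+type LevelHooks map[Level][]Hook
+func (_ LevelHooks) Add(_ Hook) {}
+func (_ LevelHooks) Fire(_ Level, _ *Entry) error {
+return nil
+}
+type LogFunction func() []interface{}
+type Logger struct {
+Out io.Writer
+Hooks LevelHooks
+Formatter Formatter
+ReportCaller bool
+Level Level
+ExitFunc interface{}
+}
+func (_ *Logger) AddHook(_ Hook) {}
+func (_ *Logger) Debug(_ ...interface{}) {}
+func (_ *Logger) DebugFn(_ LogFunction) {}
+func (_ *Logger) Debugf(_ string, _ ...interface{}) {}
+func (_ *Logger) Debugln(_ ...interface{}) {}
+func (_ *Logger) Error(_ ...interface{}) {}
+func (_ *Logger) ErrorFn(_ LogFunction) {}
+func (_ *Logger) Errorf(_ string, _ ...interface{}) {}
+func (_ *Logger) Errorln(_ ...interface{}) {}
+func (_ *Logger) Exit(_ int) {}
+func (_ *Logger) Fatal(_ ...interface{}) {}
+func (_ *Logger) FatalFn(_ LogFunction) {}
+func (_ *Logger) Fatalf(_ string, _ ...interface{}) {}
+func (_ *Logger) Fatalln(_ ...interface{}) {}
+func (_ *Logger) GetLevel() Level {
+return 0
+}
+func (_ *Logger) Info(_ ...interface{}) {}
+func (_ *Logger) InfoFn(_ LogFunction) {}
+func (_ *Logger) Infof(_ string, _ ...interface{}) {}
+func (_ *Logger) Infoln(_ ...interface{}) {}
+func (_ *Logger) IsLevelEnabled(_ Level) bool {
+return false
+}
+func (_ *Logger) Log(_ Level, _ ...interface{}) {}
+func (_ *Logger) LogFn(_ Level, _ LogFunction) {}
+func (_ *Logger) Logf(_ Level, _ string, _ ...interface{}) {}
+func (_ *Logger) Logln(_ Level, _ ...interface{}) {}
+func (_ *Logger) Panic(_ ...interface{}) {}
+func (_ *Logger) PanicFn(_ LogFunction) {}
+func (_ *Logger) Panicf(_ string, _ ...interface{}) {}
+func (_ *Logger) Panicln(_ ...interface{}) {}
+func (_ *Logger) Print(_ ...interface{}) {}
+func (_ *Logger) PrintFn(_ LogFunction) {}
+func (_ *Logger) Printf(_ string, _ ...interface{}) {}
+func (_ *Logger) Println(_ ...interface{}) {}
+func (_ *Logger) ReplaceHooks(_ LevelHooks) LevelHooks {
+return nil
+}
+func (_ *Logger) SetFormatter(_ Formatter) {}
+func (_ *Logger) SetLevel(_ Level) {}
+func (_ *Logger) SetNoLock() {}
+func (_ *Logger) SetOutput(_ io.Writer) {}
+func (_ *Logger) SetReportCaller(_ bool) {}
+func (_ *Logger) Trace(_ ...interface{}) {}
+func (_ *Logger) TraceFn(_ LogFunction) {}
+func (_ *Logger) Tracef(_ string, _ ...interface{}) {}
+func (_ *Logger) Traceln(_ ...interface{}) {}
+func (_ *Logger) Warn(_ ...interface{}) {}
+func (_ *Logger) WarnFn(_ LogFunction) {}
+func (_ *Logger) Warnf(_ string, _ ...interface{}) {}
+func (_ *Logger) Warning(_ ...interface{}) {}
+func (_ *Logger) WarningFn(_ LogFunction) {}
+func (_ *Logger) Warningf(_ string, _ ...interface{}) {}
+func (_ *Logger) Warningln(_ ...interface{}) {}
+func (_ *Logger) Warnln(_ ...interface{}) {}
+func (_ *Logger) WithContext(_ context.Context) *Entry {
+return nil
+}
+func (_ *Logger) WithError(_ error) *Entry {
+return nil
+}
+func (_ *Logger) WithField(_ string, _ interface{}) *Entry {
+return nil
+}
+func (_ *Logger) WithFields(_ Fields) *Entry {
+return nil
+}
+func (_ *Logger) WithTime(_ time.Time) *Entry {
+return nil
+}
+func (_ *Logger) Writer() *io.PipeWriter {
+return nil
+}
+func (_ *Logger) WriterLevel(_ Level) *io.PipeWriter {
+return nil
+}
+func Panic(_ ...interface{}) {}
+func Panicf(_ string, _ ...interface{}) {}
+func Panicln(_ ...interface{}) {}
+func Print(_ ...interface{}) {}
+func Printf(_ string, _ ...interface{}) {}
+func Println(_ ...interface{}) {}
+func Trace(_ ...interface{}) {}
+func Tracef(_ string, _ ...interface{}) {}
+func Traceln(_ ...interface{}) {}
+func Warn(_ ...interface{}) {}
+func Warnf(_ string, _ ...interface{}) {}
+func Warning(_ ...interface{}) {}
+func Warningf(_ string, _ ...interface{}) {}
+func Warningln(_ ...interface{}) {}
+func Warnln(_ ...interface{}) {}
+func WithField(_ string, _ interface{}) *Entry {
+return nil
+}
+func WithFields(_ Fields) *Entry {
+return nil
+}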
118
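--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-117/vendor/go.uber.org/zap/stub.go
+// Code generated by depstubber. DO NOT EDIT.
+// This is a simple stub for go.uber.org/zap, strictly for use in testing.
+// See the LICENSE file for information about the licensing of the original library.
+// Source: go.uber.org/zap (exports: Logger,SugaredLogger; functions: NewProduction)
+// Package zap is a stub of go.uber.org/zap, generated by depstubber.
+package zap
+type Logger struct{}
+func (_ *Logger) Check(_ interface{}, _ string) interface{} {
+return nil
+}
+func (_ *Logger) Core() interface{} {
+return nil
+}
+func (_ *Logger) DPanic(_ string, _ ...interface{}) {}
+func (_ *Logger) Debug(_ string, _ ...interface{}) {}
+func (_ *Logger) Error(_ string, _ ...interface{}) {}
+func (_ *Logger) Fatal(_ string, _ ...interface{}) {}
+func (_ *Logger) Info(_ string, _ ...interface{}) {}
+func (_ *Logger) Named(_ string) *Logger {
+return nil
+}
+func (_ *Logger) Panic(_ string, _ ...interface{}) {}
+func (_ *Logger) Sugar() *SugaredLogger {
+return nil
+}
+func (_ *Logger) Sync() error {
+return nil
+}
+func (_ *Logger) Warn(_ string, _ ...interface{}) {}
+func (_ *Logger) With(_ ...interface{}) *Logger {
+return nil
+}
+func (_ *Logger) WithOptions(_ ...Option) *Logger {
+return nil
+}
+func NewProduction(_ ...Option) (*Logger, error) {
+return nil, nil
+}
+type Option interface{}
+type SugaredLogger struct{}
+func (_ *SugaredLogger) DPanic(_ ...interface{}) {}
+func (_ *SugaredLogger) DPanicf(_ string, _ ...interface{}) {}
+func (_ *SugaredLogger) DPanicw(_ string, _ ...interface{}) {}
+func (_ *SugaredLogger) Debug(_ ...interface{}) {}
+func (_ *SugaredLogger) Debugf(_ string, _ ...interface{}) {}
+func (_ *SugaredLogger) Debugw(_ string, _ ...interface{}) {}
+func (_ *SugaredLogger) Desugar() *Logger {
+return nil
+}
+func (_ *SugaredLogger) Error(_ ...interface{}) {}
+func (_ *SugaredLogger) Errorf(_ string, _ ...interface{}) {}
+func (_ *SugaredLogger) Errorw(_ string, _ ...interface{}) {}
+func (_ *SugaredLogger) Fatal(_ ...interface{}) {}
+func (_ *SugaredLogger) Fatalf(_ string, _ ...interface{}) {}
+func (_ *SugaredLogger) Fatalw(_ string, _ ...interface{}) {}
+func (_ *SugaredLogger) Info(_ ...interface{}) {}
+func (_ *SugaredLogger) Infof(_ string, _ ...interface{}) {}
+func (_ *SugaredLogger) Infow(_ string, _ ...interface{}) {}
+func (_ *SugaredLogger) Named(_ string) *SugaredLogger {
+return nil
+}
+func (_ *SugaredLogger) Panic(_ ...interface{}) {}
+func (_ *SugaredLogger) Panicf(_ string, _ ...interface{}) {}
+func (_ *SugaredLogger) Panicw(_ string, _ ...interface{}) {}
+func (_ *SugaredLogger) Sync() error {
+return nil
+}
+func (_ *SugaredLogger) Warn(_ ...interface{}) {}
+func (_ *SugaredLogger) Warnf(_ string, _ ...interface{}) {}
+func (_ *SugaredLogger) Warnw(_ string, _ ...interface{}) {}
+func (_ *SugaredLogger) With(_ ...interface{}) *SugaredLogger {
+return nil
+}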
58
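--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-117/vendor/k8s.io/klog/stub.go
+// Code generated by depstubber. DO NOT EDIT.
+// This is a simple stub for k8s.io/klog, strictly for use in testing.
+// See the LICENSE file for information about the licensing of the original library.
+// Source: k8s.io/klog (exports: Verbose; functions: Info,Infof,Infoln,Error,Errorf,Errorln,Fatal,Fatalf,Fatalln,Exit,Exitf,Exitln,V)
+// Package klog is a stub of k8s.io/klog, generated by depstubber.
+package klog
+func Error(_ ...interface{}) {}
+func Errorf(_ string, _ ...interface{}) {}
+func Errorln(_ ...interface{}) {}
+func Exit(_ ...interface{}) {}
+func Exitf(_ string, _ ...interface{}) {}
+func Exitln(_ ...interface{}) {}
+func Fatal(_ ...interface{}) {}
+func Fatalf(_ string, _ ...interface{}) {}
+func Fatalln(_ ...interface{}) {}
+func Info(_ ...interface{}) {}
+func Infof(_ string, _ ...interface{}) {}
+func Infoln(_ ...interface{}) {}
+type Level int32
+func (_ *Level) Get() interface{} {
+return nil
+}
+func (_ *Level) Set(_ string) error {
+return nil
+}
+func (_ *Level) String() string {
+return ""
+}
+func V(_ Level) Verbose {
+return false
+}
+type Verbose bool
+func (_ Verbose) Info(_ ...interface{}) {}
+func (_ Verbose) Infof(_ string, _ ...interface{}) {}
+func (_ Verbose) Infoln(_ ...interface{}) {}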
24
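--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-117/vendor/modules.txt
@@ -0,0 +1,24 @@
+# github.com/astaxie/beego v1.12.3
+## explicit
+github.com/astaxie/beego
+# github.com/elazarl/goproxy v0.0.0-20211114080932-d06c3be7c11b
+## explicit
+github.com/elazarl/goproxy
+# github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b
+## explicit
+github.com/golang/glog
+# github.com/kr/text v0.2.0
+## explicit
+github.com/kr/text
+# github.com/sirupsen/logrus v1.8.1
+## explicit
+github.com/sirupsen/logrus
+# github.com/stretchr/testify v1.6.0
+## explicit
+github.com/stretchr/testify
+# golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f
+## explicit
+golang.org/x/sys
+# k8s.io/klog v1.0.0
+## explicit
+k8s.io/klog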