Merge branch 'main' into criemen/move-win-autobuilder

Cornelius Riemenschneider 2024-05-15 10:58:01 +02:00 коммит произвёл GitHub
Родитель 8ea1d1376f 64b8f97d39
Коммит ab7d30a464
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: B5690EEEBB952194
362 изменённых файлов: 4623 добавлений и 1279 удалений

65
.github/workflows/go-tests-other-os.yml поставляемый

@ -7,8 +7,6 @@ on:
- .github/workflows/go-tests-other-os.yml
- .github/actions/**
- codeql-workspace.yml
env:
GO_VERSION: '~1.22.0'
permissions:
contents: read
@ -18,72 +16,17 @@ jobs:
name: Test MacOS
runs-on: macos-latest
steps:
- name: Set up Go ${{ env.GO_VERSION }}
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
cache: false
id: go
- name: Check out code
uses: actions/checkout@v4
- name: Set up CodeQL CLI
uses: ./.github/actions/fetch-codeql
- name: Enable problem matchers in repository
shell: bash
run: 'find .github/problem-matchers -name \*.json -exec echo "::add-matcher::{}" \;'
- name: Build
run: |
cd go
make
- name: Cache compilation cache
id: query-cache
uses: ./.github/actions/cache-query-compilation
with:
key: go-qltest
- name: Test
run: |
cd go
make test cache="${{ steps.query-cache.outputs.cache-dir }}"
- name: Run tests
uses: ./go/actions/test
test-win:
if: github.repository_owner == 'github'
name: Test Windows
runs-on: windows-latest-xl
steps:
- name: Set up Go ${{ env.GO_VERSION }}
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
cache: false
id: go
- name: Check out code
uses: actions/checkout@v4
- name: Set up CodeQL CLI
uses: ./.github/actions/fetch-codeql
- name: Enable problem matchers in repository
shell: bash
run: 'find .github/problem-matchers -name \*.json -exec echo "::add-matcher::{}" \;'
- name: Build
run: |
cd go
make
- name: Cache compilation cache
id: query-cache
uses: ./.github/actions/cache-query-compilation
with:
key: go-qltest
- name: Test
run: |
cd go
make test cache="${{ steps.query-cache.outputs.cache-dir }}"
- name: Run tests
uses: ./go/actions/test

51
.github/workflows/go-tests.yml поставляемый

@ -16,9 +16,6 @@ on:
- .github/actions/**
- codeql-workspace.yml
env:
GO_VERSION: '~1.22.0'
permissions:
contents: read
@ -28,51 +25,9 @@ jobs:
name: Test Linux (Ubuntu)
runs-on: ubuntu-latest-xl
steps:
- name: Set up Go ${{ env.GO_VERSION }}
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
cache: false
id: go
- name: Check out code
uses: actions/checkout@v4
- name: Set up CodeQL CLI
uses: ./.github/actions/fetch-codeql
- name: Enable problem matchers in repository
shell: bash
run: 'find .github/problem-matchers -name \*.json -exec echo "::add-matcher::{}" \;'
- name: Build
run: |
cd go
make
- name: Check that all Go code is autoformatted
run: |
cd go
make check-formatting
- name: Compile qhelp files to markdown
run: |
cd go
env QHELP_OUT_DIR=qhelp-out make qhelp-to-markdown
- name: Upload qhelp markdown
uses: actions/upload-artifact@v3
- name: Run tests
uses: ./go/actions/test
with:
name: qhelp-markdown
path: go/qhelp-out/**/*.md
- name: Cache compilation cache
id: query-cache
uses: ./.github/actions/cache-query-compilation
with:
key: go-qltest
- name: Test
run: |
cd go
make test cache="${{ steps.query-cache.outputs.cache-dir }}"
run-code-checks: true


@ -29,12 +29,13 @@ repos:
entry: bazel run //misc/bazel:buildifier
pass_filenames: false
- id: go-gen
name: Check checked in generated files in go
files: ^go/.*
language: system
entry: bazel run //go:gen
pass_filenames: false
# DISABLED: can be enabled by copying this config and installing `pre-commit` with `--config` on the copy
# - id: go-gen
# name: Check checked in generated files in go
# files: ^go/.*
# language: system
# entry: bazel run //go:gen
# pass_filenames: false
- id: codeql-format
name: Fix QL file formatting


@ -1,3 +1,7 @@
## 0.13.1
No user-facing changes.
## 0.13.0
### Breaking Changes


@ -0,0 +1,3 @@
## 0.13.1
No user-facing changes.


@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.13.0
lastReleaseVersion: 0.13.1


@ -1,5 +1,5 @@
name: codeql/cpp-all
version: 0.13.1-dev
version: 0.13.2-dev
groups: cpp
dbscheme: semmlecode.cpp.dbscheme
extractor: cpp


@ -1844,9 +1844,6 @@ class TranslatedAssignExpr extends TranslatedNonConstantExpr {
child = this.getRightOperand() and
result = this.getLeftOperand().getFirstInstruction(kind)
or
child = this.getRightOperand() and
result = this.getLeftOperand().getFirstInstruction(kind)
or
kind instanceof GotoEdge and
child = this.getLeftOperand() and
result = this.getInstruction(AssignmentStoreTag())


@ -1,3 +1,9 @@
## 0.9.12
### New Queries
* Added a new query, `cpp/iterator-to-expired-container`, to detect the creation of iterators owned by a temporary objects that are about to be destroyed.
## 0.9.11
### Minor Analysis Improvements


@ -1,22 +0,0 @@
int main(int argc, char** argv) {
char *userAndFile = argv[2];
{
char fileBuffer[FILENAME_MAX] = "/home/";
char *fileName = fileBuffer;
size_t len = strlen(fileName);
strncat(fileName+len, userAndFile, FILENAME_MAX-len-1);
// BAD: a string from the user is used in a filename
fopen(fileName, "wb+");
}
{
char fileBuffer[FILENAME_MAX] = "/home/";
char *fileName = fileBuffer;
size_t len = strlen(fileName);
// GOOD: use a fixed file
char* fixed = "jim/file.txt";
strncat(fileName+len, fixed, FILENAME_MAX-len-1);
fopen(fileName, "wb+");
}
}


@ -3,36 +3,57 @@
"qhelp.dtd">
<qhelp>
<overview>
<p>Accessing paths controlled by users can allow an attacker to access unexpected resources. This
<p>Accessing paths controlled by users can allow an attacker to access unexpected resources. This
can result in sensitive information being revealed or deleted, or an attacker being able to influence
behavior by modifying unexpected files.</p>
<p>Paths that are naively constructed from data controlled by a user may contain unexpected special characters,
such as "..". Such a path may potentially point to any directory on the filesystem.</p>
<p>Paths that are naively constructed from data controlled by a user may be absolute paths, or may contain
unexpected special characters such as "..". Such a path could point anywhere on the file system.</p>
</overview>
<recommendation>
<p>Validate user input before using it to construct a filepath. Ideally, follow these rules:</p>
<p>Validate user input before using it to construct a file path.</p>
<ul>
<li>Do not allow more than a single "." character.</li>
<li>Do not allow directory separators such as "/" or "\" (depending on the filesystem).</li>
<li>Do not rely on simply replacing problematic sequences such as "../". For example, after applying this filter to
".../...//" the resulting string would still be "../".</li>
<li>Ideally use a whitelist of known good patterns.</li>
</ul>
<p>Common validation methods include checking that the normalized path is relative and does not contain
any ".." components, or checking that the path is contained within a safe folder. The method you should use depends
on how the path is used in the application, and whether the path should be a single path component.
</p>
<p>If the path should be a single path component (such as a file name), you can check for the existence
of any path separators ("/" or "\"), or ".." sequences in the input, and reject the input if any are found.
</p>
<p>
Note that removing "../" sequences is <i>not</i> sufficient, since the input could still contain a path separator
followed by "..". For example, the input ".../...//" would still result in the string "../" if only "../" sequences
are removed.
</p>
<p>Finally, the simplest (but most restrictive) option is to use an allow list of safe patterns and make sure that
the user input matches one of these patterns.</p>
</recommendation>
<example>
<p>In this example, a username and file are read from the arguments to main and then used to access a file in the
user's home directory. However, a malicious user could enter a filename which contains special
characters. For example, the string "../../etc/passwd" will result in the code reading the file located at
"/home/[user]/../../etc/passwd", which is the system's password file. This could potentially allow them to
access all the system's passwords.</p>
<p>In this example, a file name is read from a user and then used to access a file.
However, a malicious user could enter a file name anywhere on the file system,
such as "/etc/passwd" or "../../../etc/passwd".</p>
<sample src="TaintedPath.c" />
<sample src="examples/TaintedPath.c" />
<p>
If the input should only be a file name, you can check that it doesn't contain any path separators or ".." sequences.
</p>
<sample src="examples/TaintedPathNormalize.c" />
<p>
If the input should be within a specific directory, you can check that the resolved path
is still contained within that directory.
</p>
<sample src="examples/TaintedPathFolder.c" />
</example>
<references>
@ -41,6 +62,7 @@ access all the system's passwords.</p>
OWASP:
<a href="https://owasp.org/www-community/attacks/Path_Traversal">Path Traversal</a>.
</li>
<li>Linux man pages: <a href="https://man7.org/linux/man-pages/man3/realpath.3.html">realpath(3)</a>.</li>
</references>
</qhelp>


@ -0,0 +1,10 @@
int main(int argc, char** argv) {
char *userAndFile = argv[2];
{
char fileBuffer[PATH_MAX];
snprintf(fileBuffer, sizeof(fileBuffer), "/home/%s", userAndFile);
// BAD: a string from the user is used in a filename
fopen(fileBuffer, "wb+");
}
}
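Review bot: `PATH_MAX` and `snprintf` are used in this sample without `<limits.h>` or `<stdio.h>`, so the snippet does not compile as shown; the two sibling samples added later in this commit (the `realpath` one and the `strstr` one) include `<stdio.h>` and `<string.h>` but likewise lack `<limits.h>`, and the `realpath` sample calls `realpath` and `free` without `<stdlib.h>`. All three also read `argv[2]` without looking at `argc`, which is harmless for this BAD case but distracting in the two samples labelled GOOD. Suggest adding the missing includes and a guard such as `if (argc < 3) return 1;` at the top of each `main`.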


@ -0,0 +1,28 @@
#include <stdio.h>
#include <string.h>
int main(int argc, char** argv) {
char *userAndFile = argv[2];
const char *baseDir = "/home/user/public/";
char fullPath[PATH_MAX];
// Attempt to concatenate the base directory and the user-supplied path
snprintf(fullPath, sizeof(fullPath), "%s%s", baseDir, userAndFile);
// Resolve the absolute path, normalizing any ".." or "."
char *resolvedPath = realpath(fullPath, NULL);
if (resolvedPath == NULL) {
perror("Error resolving path");
return 1;
}
// Check if the resolved path starts with the base directory
if (strncmp(baseDir, resolvedPath, strlen(baseDir)) != 0) {
free(resolvedPath);
return 1;
}
// GOOD: Path is within the intended directory
FILE *file = fopen(resolvedPath, "wb+");
free(resolvedPath);
}
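Review bot: The prefix check and the `fopen` are two separate steps, so the sample labelled GOOD still has a check-then-use window: a path component replaced by a symbolic link after `realpath` returns is followed by `fopen(resolvedPath, "wb+")`. A comment on the `fopen` line would stop readers copying the pattern as a complete defence, for example `// NOTE: assumes no untrusted party can modify entries under baseDir between the check and the open`. Separately, `realpath` fails for a file that does not exist yet, so with mode `"wb+"` this sample can only truncate existing files, which is worth stating in the accompanying help text. The return value of `snprintf` is not checked, so an over-long input is silently truncated before it is resolved.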


@ -0,0 +1,16 @@
#include <stdio.h>
#include <string.h>
int main(int argc, char** argv) {
char *fileName = argv[2];
// Check for invalid sequences in the user input
if (strstr(fileName , "..") || strchr(fileName , '/') || strchr(fileName , '\\')) {
printf("Invalid filename.\n");
return 1;
}
char fileBuffer[PATH_MAX];
snprintf(fileBuffer, sizeof(fileBuffer), "/home/user/files/%s", fileName);
// GOOD: We know that the filename is safe and stays within the public folder
FILE *file = fopen(fileBuffer, "wb+");
}
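Review bot: The comment on the `fopen` line says the file "stays within the public folder", but the path is built under `/home/user/files/`; the wording should match the code, e.g. `// GOOD: fileName has no separators or ".." so the path stays inside /home/user/files/`. The filter also accepts an empty string and `.`, which name the directory itself; rejecting `fileName[0] == '\0'` and `"."` would make the sample a cleaner model to copy. The `snprintf` result is not compared with `sizeof(fileBuffer)`, so a very long name is truncated and a different file in the same directory is opened.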


@ -1,4 +1,5 @@
---
category: newQuery
---
## 0.9.12
### New Queries
* Added a new query, `cpp/iterator-to-expired-container`, to detect the creation of iterators owned by a temporary objects that are about to be destroyed.


@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.9.11
lastReleaseVersion: 0.9.12


@ -1,5 +1,5 @@
name: codeql/cpp-queries
version: 0.9.12-dev
version: 0.9.13-dev
groups:
- cpp
- queries


@ -2,6 +2,8 @@ edges
| test.c:8:27:8:30 | **argv | test.c:9:23:9:29 | *access to array | provenance | |
| test.c:8:27:8:30 | **argv | test.c:31:22:31:28 | *access to array | provenance | |
| test.c:8:27:8:30 | **argv | test.c:69:14:69:20 | *access to array | provenance | |
| test.c:8:27:8:30 | **argv | test.c:80:25:80:31 | *access to array | provenance | |
| test.c:8:27:8:30 | **argv | test.c:88:22:88:28 | *access to array | provenance | |
| test.c:9:23:9:29 | *access to array | test.c:17:11:17:18 | *fileName | provenance | TaintFunction |
| test.c:31:22:31:28 | *access to array | test.c:32:11:32:18 | *fileName | provenance | |
| test.c:37:17:37:24 | scanf output argument | test.c:38:11:38:18 | *fileName | provenance | |
@ -11,6 +13,8 @@ edges
| test.c:54:21:54:26 | *call to getenv | test.c:55:11:55:16 | *buffer | provenance | TaintFunction |
| test.c:74:13:74:18 | read output argument | test.c:76:11:76:16 | *buffer | provenance | |
| test.c:75:13:75:18 | read output argument | test.c:76:11:76:16 | *buffer | provenance | |
| test.c:80:25:80:31 | *access to array | test.c:84:11:84:20 | *fileBuffer | provenance | TaintFunction |
| test.c:88:22:88:28 | *access to array | test.c:98:24:98:33 | *fileBuffer | provenance | TaintFunction |
nodes
| test.c:8:27:8:30 | **argv | semmle.label | **argv |
| test.c:9:23:9:29 | *access to array | semmle.label | *access to array |
@ -30,6 +34,10 @@ nodes
| test.c:74:13:74:18 | read output argument | semmle.label | read output argument |
| test.c:75:13:75:18 | read output argument | semmle.label | read output argument |
| test.c:76:11:76:16 | *buffer | semmle.label | *buffer |
| test.c:80:25:80:31 | *access to array | semmle.label | *access to array |
| test.c:84:11:84:20 | *fileBuffer | semmle.label | *fileBuffer |
| test.c:88:22:88:28 | *access to array | semmle.label | *access to array |
| test.c:98:24:98:33 | *fileBuffer | semmle.label | *fileBuffer |
subpaths
#select
| test.c:17:11:17:18 | fileName | test.c:8:27:8:30 | **argv | test.c:17:11:17:18 | *fileName | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:8:27:8:30 | **argv | user input (a command-line argument) |
@ -41,3 +49,5 @@ subpaths
| test.c:69:14:69:20 | access to array | test.c:8:27:8:30 | **argv | test.c:69:14:69:20 | *access to array | This argument to a file access function is derived from $@ and then passed to readFile(fileName), which calls fopen(filename). | test.c:8:27:8:30 | **argv | user input (a command-line argument) |
| test.c:76:11:76:16 | buffer | test.c:74:13:74:18 | read output argument | test.c:76:11:76:16 | *buffer | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:74:13:74:18 | read output argument | user input (buffer read by read) |
| test.c:76:11:76:16 | buffer | test.c:75:13:75:18 | read output argument | test.c:76:11:76:16 | *buffer | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:75:13:75:18 | read output argument | user input (buffer read by read) |
| test.c:84:11:84:20 | fileBuffer | test.c:8:27:8:30 | **argv | test.c:84:11:84:20 | *fileBuffer | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:8:27:8:30 | **argv | user input (a command-line argument) |
| test.c:98:24:98:33 | fileBuffer | test.c:8:27:8:30 | **argv | test.c:98:24:98:33 | *fileBuffer | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:8:27:8:30 | **argv | user input (a command-line argument) |


@ -2,7 +2,7 @@
// Associated with CWE-022: Improper Limitation of a Pathname to a Restricted Directory. http://cwe.mitre.org/data/definitions/22.html
#include "stdlib.h"
#define PATH_MAX 4096
///// Test code /////
int main(int argc, char** argv) {
@ -75,6 +75,55 @@ int main(int argc, char** argv) {
read(0, buffer, 1024);
fopen(buffer, "wb+"); // BAD [duplicated with both sources]
}
{
char *userAndFile = argv[2];
char fileBuffer[PATH_MAX];
snprintf(fileBuffer, sizeof(fileBuffer), "/home/%s", userAndFile);
// BAD: a string from the user is used in a filename
fopen(fileBuffer, "wb+");
}
{
char *fileName = argv[2];
// Check for invalid sequences in the user input
if (strstr(fileName , "..") || strchr(fileName , '/') || strchr(fileName , '\\')) {
printf("Invalid filename.\n");
return 1;
}
char fileBuffer[PATH_MAX];
snprintf(fileBuffer, sizeof(fileBuffer), "/home/user/files/%s", fileName);
// GOOD: We know that the filename is safe and stays within the public folder. But we currently get an FP here.
FILE *file = fopen(fileBuffer, "wb+");
}
{
char *userAndFile = argv[2];
const char *baseDir = "/home/user/public/";
char fullPath[PATH_MAX];
// Attempt to concatenate the base directory and the user-supplied path
snprintf(fullPath, sizeof(fullPath), "%s%s", baseDir, userAndFile);
// Resolve the absolute path, normalizing any ".." or "."
char *resolvedPath = realpath(fullPath, 0); // <- we're using `NULL` in the example, but 0 here to get it to compile. Same for next line.
if (resolvedPath == 0) {
perror("Error resolving path");
return 1;
}
// Check if the resolved path starts with the base directory
if (strncmp(baseDir, resolvedPath, strlen(baseDir)) != 0) {
free(resolvedPath);
return 1;
}
// GOOD: Path is within the intended directory
FILE *file = fopen(resolvedPath, "wb+");
free(resolvedPath);
}
}
void readFile(char *fileName) {


@ -1,3 +1,3 @@
description: Remove 'kind' from 'attributes'.
compatability: full
attributes.rel: reorder attributes.rel (int id, int kind, int type_id, int target) id type_id target
attributes.rel: reorder attributes.rel (@attribute id, int kind, @type_or_ref type_id, @attributable target) id type_id target
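Review bot: The key on the second line is spelled `compatability`, while the other upgrade property files touched by this commit use `compatibility: full`. If the upgrade tooling looks the key up by name, this file's value would not be read; I cannot tell from the hunk whether the misspelling is tolerated. Since the file is being edited anyway, changing the line to `compatibility: full` would make it consistent with its siblings.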


@ -1,3 +1,7 @@
## 1.7.16
No user-facing changes.
## 1.7.15
No user-facing changes.


@ -0,0 +1,3 @@
## 1.7.16
No user-facing changes.


@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.7.15
lastReleaseVersion: 1.7.16


@ -1,5 +1,5 @@
name: codeql/csharp-solorigate-all
version: 1.7.16-dev
version: 1.7.17-dev
groups:
- csharp
- solorigate


@ -1,3 +1,7 @@
## 1.7.16
No user-facing changes.
## 1.7.15
No user-facing changes.


@ -0,0 +1,3 @@
## 1.7.16
No user-facing changes.


@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.7.15
lastReleaseVersion: 1.7.16


@ -1,5 +1,5 @@
name: codeql/csharp-solorigate-queries
version: 1.7.16-dev
version: 1.7.17-dev
groups:
- csharp
- solorigate


@ -1,3 +1,7 @@
## 0.10.1
No user-facing changes.
## 0.10.0
### Breaking Changes


@ -0,0 +1,3 @@
## 0.10.1
No user-facing changes.


@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.10.0
lastReleaseVersion: 0.10.1


@ -1,5 +1,5 @@
name: codeql/csharp-all
version: 0.10.1-dev
version: 0.10.2-dev
groups: csharp
dbscheme: semmlecode.csharp.dbscheme
extractor: csharp


@ -1,4 +1,4 @@
description: Removed unused column from the `folders` and `files` relations
compatibility: full
files.rel: reorder files.rel (int id, string name, string simple, string ext, int fromSource) id name
folders.rel: reorder folders.rel (int id, string name, string simple) id name
files.rel: reorder files.rel (@file id, string name, string simple, string ext, int fromSource) id name
folders.rel: reorder folders.rel (@folder id, string name, string simple) id name


@ -1,3 +1,7 @@
## 0.8.16
No user-facing changes.
## 0.8.15
No user-facing changes.


@ -8,6 +8,7 @@
* @tags security
* maintainability
* frameworks/asp.net
* external/cwe/cwe-348
*/
import csharp


@ -8,6 +8,7 @@
* @tags security
* maintainability
* frameworks/asp.net
* external/cwe/cwe-348
*/
import csharp


@ -0,0 +1,3 @@
## 0.8.16
No user-facing changes.


@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.8.15
lastReleaseVersion: 0.8.16


@ -1,5 +1,5 @@
name: codeql/csharp-queries
version: 0.8.16-dev
version: 0.8.17-dev
groups:
- csharp
- queries


@ -7,7 +7,7 @@ private import CaptureModelsSpecific
private import CaptureModelsPrinting
class DataFlowTargetApi extends TargetApiSpecific {
DataFlowTargetApi() { isRelevantForDataFlowModels(this) }
DataFlowTargetApi() { not isUninterestingForDataFlowModels(this) }
}
private module Printing implements PrintingSig {


@ -51,16 +51,18 @@ private predicate isRelevantForModels(CS::Callable api) {
}
/**
* Holds if it is relevant to generate models for `api` based on data flow analysis.
* Holds if it is irrelevant to generate models for `api` based on data flow analysis.
*
* This serves as an extra filter for the `relevant` predicate.
*/
predicate isRelevantForDataFlowModels(CS::Callable api) {
isRelevantForModels(api) and not isHigherOrder(api)
}
predicate isUninterestingForDataFlowModels(CS::Callable api) { isHigherOrder(api) }
/**
* Holds if it is relevant to generate models for `api` based on its type.
* Holds if it is irrelevant to generate models for `api` based on type-based analysis.
*
* This serves as an extra filter for the `relevant` predicate.
*/
predicate isRelevantForTypeBasedFlowModels = isRelevantForModels/1;
predicate isUninterestingForTypeBasedFlowModels(CS::Callable api) { none() }
/**
* A class of callables that are relevant generating summary, source and sinks models for.
@ -71,7 +73,8 @@ predicate isRelevantForTypeBasedFlowModels = isRelevantForModels/1;
class TargetApiSpecific extends CS::Callable {
TargetApiSpecific() {
this.fromSource() and
this.isUnboundDeclaration()
this.isUnboundDeclaration() and
isRelevantForModels(this)
}
}


@ -190,7 +190,7 @@ private module ModelPrinting = PrintingImpl<Printing>;
* on the Theorems for Free approach.
*/
class TypeBasedFlowTargetApi extends Specific::TargetApiSpecific {
TypeBasedFlowTargetApi() { Specific::isRelevantForTypeBasedFlowModels(this) }
TypeBasedFlowTargetApi() { not Specific::isUninterestingForTypeBasedFlowModels(this) }
/**
* Gets the string representation of all type based summaries for `this`


@ -1,30 +1,10 @@
all: extractor ql/lib/go.dbscheme
ifeq ($(OS),Windows_NT)
EXE = .exe
CODEQL_PLATFORM = win64
else
EXE =
UNAME_S := $(shell uname -s)
ifeq ($(UNAME_S),Linux)
CODEQL_PLATFORM = linux64
endif
ifeq ($(UNAME_S),Darwin)
CODEQL_PLATFORM = osx64
endif
endif
CODEQL_TOOLS = $(addprefix codeql-tools/,autobuild.cmd autobuild.sh baseline-config-empty.json baseline-config-vendor.json configure-baseline.cmd configure-baseline.sh identify-environment.cmd identify-environment.sh index.cmd index.sh pre-finalize.cmd pre-finalize.sh tracing-config.lua)
all: gen extractor
EXTRACTOR_PACK_OUT = build/codeql-extractor-go
BINARIES = go-extractor go-tokenizer go-autobuilder go-build-runner go-bootstrap go-gen-dbscheme
.PHONY: tools tools-codeql tools-codeql-full clean autoformat \
tools-linux64 tools-osx64 tools-win64 check-formatting
.PHONY: extractor gen clean autoformat check-formatting
clean:
rm -rf tools/bin tools/linux64 tools/osx64 tools/win64 tools/net tools/opencsv
rm -rf $(EXTRACTOR_PACK_OUT) build/stats build/testdb
autoformat:
@ -47,66 +27,11 @@ endif
qhelp-to-markdown:
scripts/qhelp-to-markdown.sh ql/src "$(QHELP_OUT_DIR)"
tools: tools-codeql tools/tokenizer.jar
extractor:
bazel run :create-extractor-pack
.PHONY: $(addsuffix $(EXE),$(addprefix tools/bin/,$(BINARIES)))
$(addsuffix $(EXE),$(addprefix tools/bin/,$(BINARIES))):
go build -C extractor -mod=vendor -o ../$@ ./cli/$(basename $(@F))
tools-codeql: tools-$(CODEQL_PLATFORM)
tools-codeql-full: tools-linux64 tools-osx64 tools-win64
tools-linux64: $(addprefix tools/linux64/,$(BINARIES))
.PHONY: $(addprefix tools/linux64/,$(BINARIES))
$(addprefix tools/linux64/,$(BINARIES)):
GOOS=linux GOARCH=amd64 go build -C extractor -mod=vendor -o ../$@ ./cli/$(@F)
tools-osx64: $(addprefix tools/osx64/,$(BINARIES))
.PHONY: $(addprefix tools/osx64/,$(BINARIES))
$(addprefix tools/osx64/,$(BINARIES)):
GOOS=darwin GOARCH=amd64 go build -C extractor -mod=vendor -o ../$@.amd64 ./cli/$(@F)
GOOS=darwin GOARCH=arm64 go build -C extractor -mod=vendor -o ../$@.arm64 ./cli/$(@F)
lipo -create $@.amd64 $@.arm64 -output $@
rm $@.amd64 $@.arm64
tools-win64: $(addsuffix .exe,$(addprefix tools/win64/,$(BINARIES)))
.PHONY: $(addsuffix .exe,$(addprefix tools/win64/,$(BINARIES)))
$(addsuffix .exe,$(addprefix tools/win64/,$(BINARIES))):
env GOOS=windows GOARCH=amd64 go build -C extractor -mod=vendor -o ../$@ ./cli/$(basename $(@F))
.PHONY: extractor-common extractor extractor-full
extractor-common: codeql-extractor.yml LICENSE ql/lib/go.dbscheme \
tools/tokenizer.jar $(CODEQL_TOOLS)
rm -rf $(EXTRACTOR_PACK_OUT)
mkdir -p $(EXTRACTOR_PACK_OUT)
cp codeql-extractor.yml LICENSE ql/lib/go.dbscheme ql/lib/go.dbscheme.stats $(EXTRACTOR_PACK_OUT)
mkdir $(EXTRACTOR_PACK_OUT)/tools
cp -r tools/tokenizer.jar $(CODEQL_TOOLS) $(EXTRACTOR_PACK_OUT)/tools
cp -r downgrades $(EXTRACTOR_PACK_OUT)
extractor: extractor-common tools-codeql
cp -r tools/$(CODEQL_PLATFORM) $(EXTRACTOR_PACK_OUT)/tools
extractor-full: extractor-common tools-codeql-full
cp -r $(addprefix tools/,linux64 osx64 win64) $(EXTRACTOR_PACK_OUT)/tools
tools/tokenizer.jar: tools/net/sourceforge/pmd/cpd/GoLanguage.class
jar cf $@ -C tools net
jar uf $@ -C tools opencsv
tools/net/sourceforge/pmd/cpd/GoLanguage.class: extractor/net/sourceforge/pmd/cpd/GoLanguage.java
javac -cp extractor -d tools $<
rm tools/net/sourceforge/pmd/cpd/AbstractLanguage.class
rm tools/net/sourceforge/pmd/cpd/SourceCode.class
rm tools/net/sourceforge/pmd/cpd/TokenEntry.class
rm tools/net/sourceforge/pmd/cpd/Tokenizer.class
ql/lib/go.dbscheme: tools/$(CODEQL_PLATFORM)/go-gen-dbscheme$(EXE)
$< $@
gen:
bazel run :gen
build/stats/src.stamp:
mkdir -p $(@D)/src
@ -123,7 +48,7 @@ test: all build/testdb/check-upgrade-path
codeql test run -j0 ql/test --search-path build/codeql-extractor-go --consistency-queries ql/test/consistency --compilation-cache=$(cache)
# use GOOS=linux because GOOS=darwin GOARCH=386 is no longer supported
env GOOS=linux GOARCH=386 codeql$(EXE) test run -j0 ql/test/query-tests/Security/CWE-681 --search-path build/codeql-extractor-go --consistency-queries ql/test/consistency --compilation-cache=$(cache)
cd extractor; go test -mod=vendor ./...
cd extractor; bazel test ...
bash extractor-smoke-test/test.sh || (echo "Extractor smoke test FAILED"; exit 1)
.PHONY: build/testdb/check-upgrade-path


@ -0,0 +1,77 @@
name: Test Go extractor
description: Run build, QL tests, and optionally basic code sanity checks (formatting and generated code) for the Go extractor
inputs:
go-test-version:
description: Which Go version to use for running the tests
required: false
default: ~1.22.0
run-code-checks:
description: Whether to run formatting, code and qhelp generation checks
required: false
default: false
runs:
using: composite
steps:
- name: Set up Go ${{ inputs.go-test-version }}
uses: actions/setup-go@v5
with:
go-version: ${{ inputs.go-test-version }}
cache: false
id: go
- name: Set up CodeQL CLI
uses: ./.github/actions/fetch-codeql
- name: Enable problem matchers in repository
shell: bash
run: 'find .github/problem-matchers -name \*.json -exec echo "::add-matcher::{}" \;'
- name: Check checked-in generated code
if: inputs.run-code-checks == 'true'
shell: bash
run: |
bazel run go:gen
git add .
git diff --exit-code HEAD || (
echo "please run bazel run //go:gen"
exit 1
)
- name: Build
shell: bash
run: |
bazel run go:create-extractor-pack
- name: Check that all Go code is autoformatted
if: inputs.run-code-checks == 'true' && !cancelled()
shell: bash
run: |
cd go
make check-formatting
- name: Compile qhelp files to markdown
if: inputs.run-code-checks == 'true' && !cancelled()
id: markdown
shell: bash
run: |
cd go
env QHELP_OUT_DIR=qhelp-out make qhelp-to-markdown
- name: Upload qhelp markdown
if: inputs.run-code-checks == 'true' && !cancelled()
uses: actions/upload-artifact@v3
with:
name: qhelp-markdown
path: go/qhelp-out/**/*.md
- name: Cache compilation cache
id: query-cache
uses: ./.github/actions/cache-query-compilation
with:
key: go-qltest
- name: Test
shell: bash
run: |
cd go
make test cache="${{ steps.query-cache.outputs.cache-dir }}"
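Review bot: In the final `Test` step the expression `${{ steps.query-cache.outputs.cache-dir }}` is expanded into the script text before bash runs it, so any shell metacharacters in that output would be interpreted as code. The value comes from a repository-local action, so the exposure is probably small, but passing it through the environment is the safer habit: give the step an `env:` entry `CACHE_DIR: ${{ steps.query-cache.outputs.cache-dir }}` and call `make test cache="$CACHE_DIR"`. The composite action also references `actions/setup-go@v5` and `actions/upload-artifact@v3` by tag; pinning them to a full commit SHA would fit a reusable action that several workflows now depend on.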


@ -1,3 +1,7 @@
## 0.0.15
No user-facing changes.
## 0.0.14
No user-facing changes.


@ -0,0 +1,3 @@
## 0.0.15
No user-facing changes.


@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.0.14
lastReleaseVersion: 0.0.15


@ -1,5 +1,5 @@
name: codeql-go-consistency-queries
version: 0.0.15-dev
version: 0.0.16-dev
groups:
- go
- queries


@ -1,3 +1,11 @@
## 0.8.1
### Minor Analysis Improvements
* Fixed a bug that stopped built-in functions from being referenced using the predicate `hasQualifiedName` because technically they do not belong to any package. Now you can use the empty string as the package, e.g. `f.hasQualifiedName("", "len")`.
* Fixed a bug that stopped data flow models for built-in functions from having any effect because the package "" was not parsed correctly.
* Fixed a bug that stopped data flow from being followed through variadic arguments to built-in functions or to functions called using a variable.
## 0.8.0
### Breaking Changes


@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Fixed a bug that stopped data flow from being followed through variadic arguments to built-in functions or to functions called using a variable.


@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Converted the models for the built-in functions `append`, `copy`, `max` and `min` to value flow and Models-as-Data.


@ -1,5 +1,7 @@
---
category: minorAnalysis
---
## 0.8.1
### Minor Analysis Improvements
* Fixed a bug that stopped built-in functions from being referenced using the predicate `hasQualifiedName` because technically they do not belong to any package. Now you can use the empty string as the package, e.g. `f.hasQualifiedName("", "len")`.
* Fixed a bug that stopped data flow models for built-in functions from having any effect because the package "" was not parsed correctly.
* Fixed a bug that stopped data flow from being followed through variadic arguments to built-in functions or to functions called using a variable.


@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.8.0
lastReleaseVersion: 0.8.1


@ -4,4 +4,7 @@ extensions:
extensible: summaryModel
data:
- ["", "", False, "append", "", "", "Argument[0].ArrayElement", "ReturnValue.ArrayElement", "value", "manual"]
- ["", "", False, "append", "", "", "Argument[1]", "ReturnValue.ArrayElement", "value", "manual"]
- ["", "", False, "append", "", "", "Argument[1].ArrayElement", "ReturnValue.ArrayElement", "value", "manual"]
- ["", "", False, "copy", "", "", "Argument[1].ArrayElement", "Argument[0].ArrayElement", "value", "manual"]
- ["", "", False, "max", "", "", "Argument[0..1000]", "ReturnValue", "value", "manual"]
- ["", "", False, "min", "", "", "Argument[0..1000]", "ReturnValue", "value", "manual"]
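Review bot: The `copy` row only moves `Argument[1].ArrayElement` to `Argument[0].ArrayElement`, whereas the `CopyFunction` class this commit removes from the standard-library models propagated taint from the whole second parameter to the first. Go allows `copy(dst []byte, src string)`, and a tainted string presumably carries no array-element content, so that flow may no longer be reported, which would be a silent false negative for security queries. A test case with a tainted string source would settle it; if the flow is lost, a taint row such as `- ["", "", False, "copy", "", "", "Argument[1]", "Argument[0]", "taint", "manual"]` could restore it.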


@ -1,5 +1,5 @@
name: codeql/go-all
version: 0.8.1-dev
version: 0.8.2-dev
groups: go
dbscheme: go.dbscheme
extractor: go


@ -140,6 +140,10 @@ predicate referenceStep(DataFlow::Node pred, DataFlow::Node succ) {
*/
predicate elementWriteStep(DataFlow::Node pred, DataFlow::Node succ) {
any(DataFlow::Write w).writesElement(succ.(DataFlow::PostUpdateNode).getPreUpdateNode(), _, pred)
or
FlowSummaryImpl::Private::Steps::summaryStoreStep(pred.(DataFlowPrivate::FlowSummaryNode)
.getSummaryNode(), any(DataFlow::Content c | c instanceof DataFlow::ArrayContent),
succ.(DataFlowPrivate::FlowSummaryNode).getSummaryNode())
}
/** Holds if taint flows from `pred` to `succ` via a field read. */
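Review bot: The new disjunct in `elementWriteStep` spells the content restriction as `any(DataFlow::Content c | c instanceof DataFlow::ArrayContent)`; `any(DataFlow::ArrayContent c)` says the same thing more directly. The predicate's doc comment starts above the hunk, so I cannot see its wording; if it still describes only element writes, it should mention that flow-summary store steps into array content are now included.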


@ -44,58 +44,6 @@ import semmle.go.frameworks.stdlib.TextTabwriter
import semmle.go.frameworks.stdlib.TextTemplate
import semmle.go.frameworks.stdlib.Unsafe
// These are modeled using TaintTracking::FunctionModel because they doesn't have real type signatures,
// and therefore currently have an InvalidType, not a SignatureType, which breaks Models as Data.
/**
* A model of the built-in `append` function, which propagates taint from its arguments to its
* result.
*/
private class AppendFunction extends TaintTracking::FunctionModel {
AppendFunction() { this = Builtin::append() }
override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) {
inp.isParameter(_) and outp.isResult()
}
}
/**
* A model of the built-in `copy` function, which propagates taint from its second argument
* to its first.
*/
private class CopyFunction extends TaintTracking::FunctionModel {
CopyFunction() { this = Builtin::copy() }
override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) {
inp.isParameter(1) and outp.isParameter(0)
}
}
/**
* A model of the built-in `min` function, which computes the smallest value of a fixed number of
* arguments of ordered types. There is at least one argument and "ordered types" includes e.g.
* strings, so we care about data flow through `min`.
*/
private class MinFunction extends DataFlow::FunctionModel {
MinFunction() { this = Builtin::min_() }
override predicate hasDataFlow(FunctionInput inp, FunctionOutput outp) {
inp.isParameter(_) and outp.isResult()
}
}
/**
* A model of the built-in `max` function, which computes the largest value of a fixed number of
* arguments of ordered types. There is at least one argument and "ordered types" includes e.g.
* strings, so we care about data flow through `max`.
*/
private class MaxFunction extends DataFlow::FunctionModel {
MaxFunction() { this = Builtin::max_() }
override predicate hasDataFlow(FunctionInput inp, FunctionOutput outp) {
inp.isParameter(_) and outp.isResult()
}
}
/** Provides a class for modeling functions which convert strings into integers. */
module IntegerParser {
/**


@ -1,4 +1,4 @@
description: Removed unused column from the `folders` and `files` relations
compatibility: full
files.rel: reorder files.rel (int id, string name, string simple, string ext, int fromSource) id name
folders.rel: reorder folders.rel (int id, string name, string simple) id name
files.rel: reorder files.rel (@file id, string name, string simple, string ext, int fromSource) id name
folders.rel: reorder folders.rel (@folder id, string name, string simple) id name


@ -1,3 +1,7 @@
## 0.7.16
No user-facing changes.
## 0.7.15
### Minor Analysis Improvements


@ -45,6 +45,12 @@ one of the alternatives. As an example, the regular expression
<code>(^www\.example\.com)|(beta\.example\.com)/</code>, so the second alternative
<code>beta\.example\.com</code> is not anchored at the beginning of the string.
</p>
<p>
When checking for a domain name that may have subdomains, it is important to anchor the regular expression
or ensure that the domain name is prefixed with a dot.
</p>
<sample src="MissingRegexpAnchorGoodDomain.go"/>
</example>
<references>


@ -0,0 +1,20 @@
package main
import (
"regexp"
)
func checkSubdomain(domain String) {
// Checking strictly that the domain is `example.com`.
re := "^example\\.com$"
if matched, _ := regexp.MatchString(re, domain); matched {
// domain is good.
}
// GOOD: Alternatively, check the domain is `example.com` or a subdomain of `example.com`.
re2 := "(^|\\.)example\\.com$"
if matched, _ := regexp.MatchString(re2, domain); matched {
// domain is good.
}
}
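Review bot: The parameter type in `func checkSubdomain(domain String)` is not a Go type, so the sample does not compile as shown; the line should read `func checkSubdomain(domain string) {`. The first check is also missing the `GOOD:` marker that the second one carries, and prefixing its comment with `GOOD:` would keep the two consistent. Host names are case-insensitive while both patterns are case-sensitive, so a one-line comment stating that `domain` is expected to be the already-parsed, lower-cased host would make the precondition explicit for readers who copy the sample.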


@ -0,0 +1,3 @@
## 0.7.16
No user-facing changes.


@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.7.15
lastReleaseVersion: 0.7.16


@ -1,5 +1,5 @@
name: codeql/go-queries
version: 0.7.16-dev
version: 0.7.17-dev
groups:
- go
- queries


@ -1,18 +1,18 @@
edges
| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:59:3:59:11 | untrusted | provenance | Src:MaD:671 |
| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:61:3:61:51 | ...+... | provenance | Src:MaD:671 |
| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:62:3:62:33 | slice literal | provenance | Src:MaD:671 |
| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:62:24:62:32 | untrusted | provenance | Src:MaD:671 |
| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:66:3:66:11 | untrusted | provenance | Src:MaD:671 |
| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:68:3:68:51 | ...+... | provenance | Src:MaD:671 |
| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:69:3:69:33 | slice literal | provenance | Src:MaD:671 |
| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:69:24:69:32 | untrusted | provenance | Src:MaD:671 |
| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:73:3:73:11 | untrusted | provenance | Src:MaD:671 |
| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:75:3:75:51 | ...+... | provenance | Src:MaD:671 |
| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:76:3:76:33 | slice literal | provenance | Src:MaD:671 |
| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:76:24:76:32 | untrusted | provenance | Src:MaD:671 |
| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:80:22:80:30 | untrusted | provenance | Src:MaD:671 |
| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:81:25:81:33 | untrusted | provenance | Src:MaD:671 |
| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:59:3:59:11 | untrusted | provenance | Src:MaD:674 |
| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:61:3:61:51 | ...+... | provenance | Src:MaD:674 |
| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:62:3:62:33 | slice literal | provenance | Src:MaD:674 |
| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:62:24:62:32 | untrusted | provenance | Src:MaD:674 |
| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:66:3:66:11 | untrusted | provenance | Src:MaD:674 |
| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:68:3:68:51 | ...+... | provenance | Src:MaD:674 |
| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:69:3:69:33 | slice literal | provenance | Src:MaD:674 |
| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:69:24:69:32 | untrusted | provenance | Src:MaD:674 |
| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:73:3:73:11 | untrusted | provenance | Src:MaD:674 |
| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:75:3:75:51 | ...+... | provenance | Src:MaD:674 |
| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:76:3:76:33 | slice literal | provenance | Src:MaD:674 |
| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:76:24:76:32 | untrusted | provenance | Src:MaD:674 |
| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:80:22:80:30 | untrusted | provenance | Src:MaD:674 |
| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:81:25:81:33 | untrusted | provenance | Src:MaD:674 |
| LDAPInjection.go:62:3:62:33 | slice literal [array] | LDAPInjection.go:62:3:62:33 | slice literal | provenance | |
| LDAPInjection.go:62:24:62:32 | untrusted | LDAPInjection.go:62:3:62:33 | slice literal [array] | provenance | |
| LDAPInjection.go:69:3:69:33 | slice literal [array] | LDAPInjection.go:69:3:69:33 | slice literal | provenance | |


@ -1,9 +1,9 @@
edges
| timing.go:15:18:15:27 | selection of Header | timing.go:15:18:15:45 | call to Get | provenance | MaD:652 |
| timing.go:15:18:15:27 | selection of Header | timing.go:15:18:15:45 | call to Get | provenance | MaD:655 |
| timing.go:15:18:15:45 | call to Get | timing.go:17:31:17:42 | headerSecret | provenance | |
| timing.go:28:18:28:27 | selection of Header | timing.go:28:18:28:45 | call to Get | provenance | MaD:652 |
| timing.go:28:18:28:27 | selection of Header | timing.go:28:18:28:45 | call to Get | provenance | MaD:655 |
| timing.go:28:18:28:45 | call to Get | timing.go:30:47:30:58 | headerSecret | provenance | |
| timing.go:41:18:41:27 | selection of Header | timing.go:41:18:41:45 | call to Get | provenance | MaD:652 |
| timing.go:41:18:41:27 | selection of Header | timing.go:41:18:41:45 | call to Get | provenance | MaD:655 |
| timing.go:41:18:41:45 | call to Get | timing.go:42:25:42:36 | headerSecret | provenance | |
nodes
| timing.go:15:18:15:27 | selection of Header | semmle.label | selection of Header |


@ -1,5 +1,5 @@
edges
| ImproperLdapAuth.go:18:18:18:24 | selection of URL | ImproperLdapAuth.go:18:18:18:32 | call to Query | provenance | MaD:732 |
| ImproperLdapAuth.go:18:18:18:24 | selection of URL | ImproperLdapAuth.go:18:18:18:32 | call to Query | provenance | MaD:735 |
| ImproperLdapAuth.go:18:18:18:32 | call to Query | ImproperLdapAuth.go:28:23:28:34 | bindPassword | provenance | |
| ImproperLdapAuth.go:87:18:87:19 | "" | ImproperLdapAuth.go:97:23:97:34 | bindPassword | provenance | |
nodes


@ -1,24 +1,24 @@
edges
| DivideByZero.go:10:12:10:16 | selection of URL | DivideByZero.go:10:12:10:24 | call to Query | provenance | MaD:732 |
| DivideByZero.go:10:12:10:16 | selection of URL | DivideByZero.go:10:12:10:24 | call to Query | provenance | MaD:735 |
| DivideByZero.go:10:12:10:24 | call to Query | DivideByZero.go:11:27:11:32 | param1 | provenance | |
| DivideByZero.go:11:2:11:33 | ... := ...[0] | DivideByZero.go:12:16:12:20 | value | provenance | |
| DivideByZero.go:11:27:11:32 | param1 | DivideByZero.go:11:2:11:33 | ... := ...[0] | provenance | |
| DivideByZero.go:17:12:17:16 | selection of URL | DivideByZero.go:17:12:17:24 | call to Query | provenance | MaD:732 |
| DivideByZero.go:17:12:17:16 | selection of URL | DivideByZero.go:17:12:17:24 | call to Query | provenance | MaD:735 |
| DivideByZero.go:17:12:17:24 | call to Query | DivideByZero.go:18:11:18:24 | type conversion | provenance | |
| DivideByZero.go:18:11:18:24 | type conversion | DivideByZero.go:19:16:19:20 | value | provenance | |
| DivideByZero.go:24:12:24:16 | selection of URL | DivideByZero.go:24:12:24:24 | call to Query | provenance | MaD:732 |
| DivideByZero.go:24:12:24:16 | selection of URL | DivideByZero.go:24:12:24:24 | call to Query | provenance | MaD:735 |
| DivideByZero.go:24:12:24:24 | call to Query | DivideByZero.go:25:31:25:36 | param1 | provenance | |
| DivideByZero.go:25:2:25:45 | ... := ...[0] | DivideByZero.go:26:16:26:20 | value | provenance | |
| DivideByZero.go:25:31:25:36 | param1 | DivideByZero.go:25:2:25:45 | ... := ...[0] | provenance | |
| DivideByZero.go:31:12:31:16 | selection of URL | DivideByZero.go:31:12:31:24 | call to Query | provenance | MaD:732 |
| DivideByZero.go:31:12:31:16 | selection of URL | DivideByZero.go:31:12:31:24 | call to Query | provenance | MaD:735 |
| DivideByZero.go:31:12:31:24 | call to Query | DivideByZero.go:32:33:32:38 | param1 | provenance | |
| DivideByZero.go:32:2:32:43 | ... := ...[0] | DivideByZero.go:33:16:33:20 | value | provenance | |
| DivideByZero.go:32:33:32:38 | param1 | DivideByZero.go:32:2:32:43 | ... := ...[0] | provenance | |
| DivideByZero.go:38:12:38:16 | selection of URL | DivideByZero.go:38:12:38:24 | call to Query | provenance | MaD:732 |
| DivideByZero.go:38:12:38:16 | selection of URL | DivideByZero.go:38:12:38:24 | call to Query | provenance | MaD:735 |
| DivideByZero.go:38:12:38:24 | call to Query | DivideByZero.go:39:32:39:37 | param1 | provenance | |
| DivideByZero.go:39:2:39:46 | ... := ...[0] | DivideByZero.go:40:16:40:20 | value | provenance | |
| DivideByZero.go:39:32:39:37 | param1 | DivideByZero.go:39:2:39:46 | ... := ...[0] | provenance | |
| DivideByZero.go:54:12:54:16 | selection of URL | DivideByZero.go:54:12:54:24 | call to Query | provenance | MaD:732 |
| DivideByZero.go:54:12:54:16 | selection of URL | DivideByZero.go:54:12:54:24 | call to Query | provenance | MaD:735 |
| DivideByZero.go:54:12:54:24 | call to Query | DivideByZero.go:55:11:55:24 | type conversion | provenance | |
| DivideByZero.go:55:11:55:24 | type conversion | DivideByZero.go:57:17:57:21 | value | provenance | |
nodes


@ -1,5 +1,5 @@
edges
| test.go:59:16:59:44 | call to FormValue | test.go:128:20:128:27 | definition of filename | provenance | Src:MaD:667 |
| test.go:59:16:59:44 | call to FormValue | test.go:128:20:128:27 | definition of filename | provenance | Src:MaD:670 |
| test.go:60:15:60:26 | selection of Body | test.go:158:19:158:22 | definition of file | provenance | |
| test.go:61:24:61:35 | selection of Body | test.go:169:28:169:31 | definition of file | provenance | |
| test.go:62:13:62:24 | selection of Body | test.go:181:17:181:20 | definition of file | provenance | |
@ -34,18 +34,18 @@ edges
| test.go:145:12:145:19 | call to Open | test.go:147:37:147:38 | rc | provenance | |
| test.go:158:19:158:22 | definition of file | test.go:159:25:159:28 | file | provenance | |
| test.go:159:2:159:29 | ... := ...[0] | test.go:160:48:160:52 | file1 | provenance | |
| test.go:159:25:159:28 | file | test.go:159:2:159:29 | ... := ...[0] | provenance | MaD:544 |
| test.go:159:25:159:28 | file | test.go:159:2:159:29 | ... := ...[0] | provenance | MaD:547 |
| test.go:160:2:160:69 | ... := ...[0] | test.go:163:26:163:29 | file | provenance | |
| test.go:160:32:160:53 | call to NewReader | test.go:160:2:160:69 | ... := ...[0] | provenance | |
| test.go:160:48:160:52 | file1 | test.go:160:32:160:53 | call to NewReader | provenance | MaD:40 |
| test.go:160:48:160:52 | file1 | test.go:160:32:160:53 | call to NewReader | provenance | MaD:43 |
| test.go:163:3:163:36 | ... := ...[0] | test.go:164:36:164:51 | fileReaderCloser | provenance | |
| test.go:163:26:163:29 | file | test.go:163:3:163:36 | ... := ...[0] | provenance | MaD:8 |
| test.go:169:28:169:31 | definition of file | test.go:170:25:170:28 | file | provenance | |
| test.go:170:2:170:29 | ... := ...[0] | test.go:171:57:171:61 | file2 | provenance | |
| test.go:170:25:170:28 | file | test.go:170:2:170:29 | ... := ...[0] | provenance | MaD:544 |
| test.go:170:25:170:28 | file | test.go:170:2:170:29 | ... := ...[0] | provenance | MaD:547 |
| test.go:171:2:171:78 | ... := ...[0] | test.go:175:26:175:29 | file | provenance | |
| test.go:171:41:171:62 | call to NewReader | test.go:171:2:171:78 | ... := ...[0] | provenance | |
| test.go:171:57:171:61 | file2 | test.go:171:41:171:62 | call to NewReader | provenance | MaD:40 |
| test.go:171:57:171:61 | file2 | test.go:171:41:171:62 | call to NewReader | provenance | MaD:43 |
| test.go:175:26:175:29 | file | test.go:175:26:175:36 | call to Open | provenance | |
| test.go:175:26:175:36 | call to Open | test.go:176:36:176:51 | fileReaderCloser | provenance | |
| test.go:181:17:181:20 | definition of file | test.go:184:41:184:44 | file | provenance | |


@ -1,6 +1,6 @@
edges
| Dsn.go:47:10:47:30 | call to FormValue | Dsn.go:49:102:49:105 | name | provenance | Src:MaD:667 |
| Dsn.go:49:11:49:106 | []type{args} [array] | Dsn.go:49:11:49:106 | call to Sprintf | provenance | MaD:242 |
| Dsn.go:47:10:47:30 | call to FormValue | Dsn.go:49:102:49:105 | name | provenance | Src:MaD:670 |
| Dsn.go:49:11:49:106 | []type{args} [array] | Dsn.go:49:11:49:106 | call to Sprintf | provenance | MaD:245 |
| Dsn.go:49:11:49:106 | call to Sprintf | Dsn.go:50:29:50:33 | dbDSN | provenance | |
| Dsn.go:49:102:49:105 | name | Dsn.go:49:11:49:106 | []type{args} [array] | provenance | |
| Dsn.go:49:102:49:105 | name | Dsn.go:49:11:49:106 | call to Sprintf | provenance | FunctionModel |


@ -1,6 +1,6 @@
edges
| Dsn.go:26:11:26:17 | selection of Args | Dsn.go:28:102:28:109 | index expression | provenance | |
| Dsn.go:28:11:28:110 | []type{args} [array] | Dsn.go:28:11:28:110 | call to Sprintf | provenance | MaD:242 |
| Dsn.go:28:11:28:110 | []type{args} [array] | Dsn.go:28:11:28:110 | call to Sprintf | provenance | MaD:245 |
| Dsn.go:28:11:28:110 | call to Sprintf | Dsn.go:29:29:29:33 | dbDSN | provenance | |
| Dsn.go:28:102:28:109 | index expression | Dsn.go:28:11:28:110 | []type{args} [array] | provenance | |
| Dsn.go:28:102:28:109 | index expression | Dsn.go:28:11:28:110 | call to Sprintf | provenance | FunctionModel |
@ -12,7 +12,7 @@ edges
| Dsn.go:63:9:63:11 | implicit dereference | Dsn.go:67:102:67:108 | selection of dsn | provenance | |
| Dsn.go:63:19:63:25 | selection of Args | Dsn.go:63:19:63:29 | slice expression | provenance | |
| Dsn.go:63:19:63:29 | slice expression | Dsn.go:63:9:63:11 | implicit dereference | provenance | FunctionModel |
| Dsn.go:67:11:67:109 | []type{args} [array] | Dsn.go:67:11:67:109 | call to Sprintf | provenance | MaD:242 |
| Dsn.go:67:11:67:109 | []type{args} [array] | Dsn.go:67:11:67:109 | call to Sprintf | provenance | MaD:245 |
| Dsn.go:67:11:67:109 | call to Sprintf | Dsn.go:68:29:68:33 | dbDSN | provenance | |
| Dsn.go:67:102:67:104 | cfg [pointer] | Dsn.go:67:102:67:104 | implicit dereference | provenance | |
| Dsn.go:67:102:67:104 | implicit dereference | Dsn.go:63:9:63:11 | implicit dereference | provenance | |


@ -1,28 +1,28 @@
edges
| HTMLTemplateEscapingPassthrough.go:29:12:29:41 | type conversion | HTMLTemplateEscapingPassthrough.go:30:39:30:39 | a | provenance | |
| HTMLTemplateEscapingPassthrough.go:29:26:29:40 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:29:12:29:41 | type conversion | provenance | Src:MaD:671 |
| HTMLTemplateEscapingPassthrough.go:29:26:29:40 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:29:12:29:41 | type conversion | provenance | Src:MaD:674 |
| HTMLTemplateEscapingPassthrough.go:35:9:35:38 | type conversion | HTMLTemplateEscapingPassthrough.go:36:40:36:40 | a | provenance | |
| HTMLTemplateEscapingPassthrough.go:35:23:35:37 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:35:9:35:38 | type conversion | provenance | Src:MaD:671 |
| HTMLTemplateEscapingPassthrough.go:35:23:35:37 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:35:9:35:38 | type conversion | provenance | Src:MaD:674 |
| HTMLTemplateEscapingPassthrough.go:40:9:40:34 | type conversion | HTMLTemplateEscapingPassthrough.go:41:40:41:40 | a | provenance | |
| HTMLTemplateEscapingPassthrough.go:40:19:40:33 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:40:9:40:34 | type conversion | provenance | Src:MaD:671 |
| HTMLTemplateEscapingPassthrough.go:40:19:40:33 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:40:9:40:34 | type conversion | provenance | Src:MaD:674 |
| HTMLTemplateEscapingPassthrough.go:46:11:46:44 | type conversion | HTMLTemplateEscapingPassthrough.go:47:41:47:41 | c | provenance | |
| HTMLTemplateEscapingPassthrough.go:46:29:46:43 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:46:11:46:44 | type conversion | provenance | Src:MaD:671 |
| HTMLTemplateEscapingPassthrough.go:46:29:46:43 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:46:11:46:44 | type conversion | provenance | Src:MaD:674 |
| HTMLTemplateEscapingPassthrough.go:50:11:50:38 | type conversion | HTMLTemplateEscapingPassthrough.go:51:44:51:44 | d | provenance | |
| HTMLTemplateEscapingPassthrough.go:50:23:50:37 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:50:11:50:38 | type conversion | provenance | Src:MaD:671 |
| HTMLTemplateEscapingPassthrough.go:50:23:50:37 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:50:11:50:38 | type conversion | provenance | Src:MaD:674 |
| HTMLTemplateEscapingPassthrough.go:54:11:54:41 | type conversion | HTMLTemplateEscapingPassthrough.go:55:44:55:44 | e | provenance | |
| HTMLTemplateEscapingPassthrough.go:54:26:54:40 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:54:11:54:41 | type conversion | provenance | Src:MaD:671 |
| HTMLTemplateEscapingPassthrough.go:54:26:54:40 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:54:11:54:41 | type conversion | provenance | Src:MaD:674 |
| HTMLTemplateEscapingPassthrough.go:58:11:58:39 | type conversion | HTMLTemplateEscapingPassthrough.go:59:38:59:38 | b | provenance | |
| HTMLTemplateEscapingPassthrough.go:58:24:58:38 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:58:11:58:39 | type conversion | provenance | Src:MaD:671 |
| HTMLTemplateEscapingPassthrough.go:58:24:58:38 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:58:11:58:39 | type conversion | provenance | Src:MaD:674 |
| HTMLTemplateEscapingPassthrough.go:62:11:62:42 | type conversion | HTMLTemplateEscapingPassthrough.go:63:44:63:44 | f | provenance | |
| HTMLTemplateEscapingPassthrough.go:62:27:62:41 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:62:11:62:42 | type conversion | provenance | Src:MaD:671 |
| HTMLTemplateEscapingPassthrough.go:62:27:62:41 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:62:11:62:42 | type conversion | provenance | Src:MaD:674 |
| HTMLTemplateEscapingPassthrough.go:66:11:66:39 | type conversion | HTMLTemplateEscapingPassthrough.go:67:38:67:38 | g | provenance | |
| HTMLTemplateEscapingPassthrough.go:66:24:66:38 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:66:11:66:39 | type conversion | provenance | Src:MaD:671 |
| HTMLTemplateEscapingPassthrough.go:75:17:75:31 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:76:38:76:44 | escaped | provenance | Src:MaD:671 |
| HTMLTemplateEscapingPassthrough.go:81:10:81:24 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:84:38:84:40 | src | provenance | Src:MaD:671 |
| HTMLTemplateEscapingPassthrough.go:89:10:89:24 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:91:64:91:66 | src | provenance | Src:MaD:671 |
| HTMLTemplateEscapingPassthrough.go:66:24:66:38 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:66:11:66:39 | type conversion | provenance | Src:MaD:674 |
| HTMLTemplateEscapingPassthrough.go:75:17:75:31 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:76:38:76:44 | escaped | provenance | Src:MaD:674 |
| HTMLTemplateEscapingPassthrough.go:81:10:81:24 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:84:38:84:40 | src | provenance | Src:MaD:674 |
| HTMLTemplateEscapingPassthrough.go:89:10:89:24 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:91:64:91:66 | src | provenance | Src:MaD:674 |
| HTMLTemplateEscapingPassthrough.go:91:16:91:77 | type conversion | HTMLTemplateEscapingPassthrough.go:92:38:92:46 | converted | provenance | |
| HTMLTemplateEscapingPassthrough.go:91:38:91:67 | call to HTMLEscapeString | HTMLTemplateEscapingPassthrough.go:91:16:91:77 | type conversion | provenance | |
| HTMLTemplateEscapingPassthrough.go:91:64:91:66 | src | HTMLTemplateEscapingPassthrough.go:91:38:91:67 | call to HTMLEscapeString | provenance | MaD:519 |
| HTMLTemplateEscapingPassthrough.go:91:64:91:66 | src | HTMLTemplateEscapingPassthrough.go:91:38:91:67 | call to HTMLEscapeString | provenance | MaD:522 |
nodes
| HTMLTemplateEscapingPassthrough.go:29:12:29:41 | type conversion | semmle.label | type conversion |
| HTMLTemplateEscapingPassthrough.go:29:26:29:40 | call to UserAgent | semmle.label | call to UserAgent |


@ -1,44 +1,44 @@
edges
| builtin.go:19:12:19:34 | call to FormValue | builtin.go:22:21:22:62 | ...+... | provenance | Src:MaD:667 |
| builtin.go:83:21:83:31 | call to Referer | builtin.go:88:27:88:40 | untrustedInput | provenance | Src:MaD:670 |
| builtin.go:97:21:97:31 | call to Referer | builtin.go:101:36:101:49 | untrustedInput | provenance | Src:MaD:670 |
| builtin.go:111:21:111:31 | call to Referer | builtin.go:114:15:114:28 | untrustedInput | provenance | Src:MaD:670 |
| builtin.go:129:21:129:31 | call to Referer | builtin.go:132:38:132:51 | untrustedInput | provenance | Src:MaD:670 |
| builtin.go:19:12:19:34 | call to FormValue | builtin.go:22:21:22:62 | ...+... | provenance | Src:MaD:670 |
| builtin.go:83:21:83:31 | call to Referer | builtin.go:88:27:88:40 | untrustedInput | provenance | Src:MaD:673 |
| builtin.go:97:21:97:31 | call to Referer | builtin.go:101:36:101:49 | untrustedInput | provenance | Src:MaD:673 |
| builtin.go:111:21:111:31 | call to Referer | builtin.go:114:15:114:28 | untrustedInput | provenance | Src:MaD:673 |
| builtin.go:129:21:129:31 | call to Referer | builtin.go:132:38:132:51 | untrustedInput | provenance | Src:MaD:673 |
| new-tests.go:26:26:26:30 | &... | new-tests.go:31:48:31:56 | selection of word | provenance | |
| new-tests.go:26:26:26:30 | &... | new-tests.go:32:48:32:56 | selection of safe | provenance | |
| new-tests.go:26:26:26:30 | &... | new-tests.go:35:49:35:57 | selection of word | provenance | |
| new-tests.go:31:11:31:57 | []type{args} [array] | new-tests.go:31:11:31:57 | call to Sprintf | provenance | MaD:242 |
| new-tests.go:31:11:31:57 | []type{args} [array] | new-tests.go:31:11:31:57 | call to Sprintf | provenance | MaD:245 |
| new-tests.go:31:48:31:56 | selection of word | new-tests.go:31:11:31:57 | []type{args} [array] | provenance | |
| new-tests.go:31:48:31:56 | selection of word | new-tests.go:31:11:31:57 | call to Sprintf | provenance | FunctionModel |
| new-tests.go:32:11:32:57 | []type{args} [array] | new-tests.go:32:11:32:57 | call to Sprintf | provenance | MaD:242 |
| new-tests.go:32:11:32:57 | []type{args} [array] | new-tests.go:32:11:32:57 | call to Sprintf | provenance | MaD:245 |
| new-tests.go:32:48:32:56 | selection of safe | new-tests.go:32:11:32:57 | []type{args} [array] | provenance | |
| new-tests.go:32:48:32:56 | selection of safe | new-tests.go:32:11:32:57 | call to Sprintf | provenance | FunctionModel |
| new-tests.go:35:12:35:58 | []type{args} [array] | new-tests.go:35:12:35:58 | call to Sprintf | provenance | MaD:242 |
| new-tests.go:35:12:35:58 | []type{args} [array] | new-tests.go:35:12:35:58 | call to Sprintf | provenance | MaD:245 |
| new-tests.go:35:49:35:57 | selection of word | new-tests.go:35:12:35:58 | []type{args} [array] | provenance | |
| new-tests.go:35:49:35:57 | selection of word | new-tests.go:35:12:35:58 | call to Sprintf | provenance | FunctionModel |
| new-tests.go:39:18:39:30 | call to Param | new-tests.go:47:11:47:46 | ...+... | provenance | |
| new-tests.go:49:18:49:30 | call to Query | new-tests.go:50:11:50:46 | ...+... | provenance | |
| new-tests.go:62:2:62:39 | ... := ...[0] | new-tests.go:63:17:63:23 | reqBody | provenance | |
| new-tests.go:62:31:62:38 | selection of Body | new-tests.go:62:2:62:39 | ... := ...[0] | provenance | MaD:537 |
| new-tests.go:63:17:63:23 | reqBody | new-tests.go:63:26:63:30 | &... | provenance | MaD:181 |
| new-tests.go:62:31:62:38 | selection of Body | new-tests.go:62:2:62:39 | ... := ...[0] | provenance | MaD:540 |
| new-tests.go:63:17:63:23 | reqBody | new-tests.go:63:26:63:30 | &... | provenance | MaD:184 |
| new-tests.go:63:26:63:30 | &... | new-tests.go:68:48:68:56 | selection of word | provenance | |
| new-tests.go:63:26:63:30 | &... | new-tests.go:69:48:69:56 | selection of safe | provenance | |
| new-tests.go:63:26:63:30 | &... | new-tests.go:74:49:74:57 | selection of word | provenance | |
| new-tests.go:68:11:68:57 | []type{args} [array] | new-tests.go:68:11:68:57 | call to Sprintf | provenance | MaD:242 |
| new-tests.go:68:11:68:57 | []type{args} [array] | new-tests.go:68:11:68:57 | call to Sprintf | provenance | MaD:245 |
| new-tests.go:68:48:68:56 | selection of word | new-tests.go:68:11:68:57 | []type{args} [array] | provenance | |
| new-tests.go:68:48:68:56 | selection of word | new-tests.go:68:11:68:57 | call to Sprintf | provenance | FunctionModel |
| new-tests.go:69:11:69:57 | []type{args} [array] | new-tests.go:69:11:69:57 | call to Sprintf | provenance | MaD:242 |
| new-tests.go:69:11:69:57 | []type{args} [array] | new-tests.go:69:11:69:57 | call to Sprintf | provenance | MaD:245 |
| new-tests.go:69:48:69:56 | selection of safe | new-tests.go:69:11:69:57 | []type{args} [array] | provenance | |
| new-tests.go:69:48:69:56 | selection of safe | new-tests.go:69:11:69:57 | call to Sprintf | provenance | FunctionModel |
| new-tests.go:74:12:74:58 | []type{args} [array] | new-tests.go:74:12:74:58 | call to Sprintf | provenance | MaD:242 |
| new-tests.go:74:12:74:58 | []type{args} [array] | new-tests.go:74:12:74:58 | call to Sprintf | provenance | MaD:245 |
| new-tests.go:74:49:74:57 | selection of word | new-tests.go:74:12:74:58 | []type{args} [array] | provenance | |
| new-tests.go:74:49:74:57 | selection of word | new-tests.go:74:12:74:58 | call to Sprintf | provenance | FunctionModel |
| new-tests.go:78:18:78:24 | selection of URL | new-tests.go:78:18:78:32 | call to Query | provenance | MaD:732 |
| new-tests.go:78:18:78:32 | call to Query | new-tests.go:78:18:78:46 | call to Get | provenance | MaD:739 |
| new-tests.go:78:18:78:24 | selection of URL | new-tests.go:78:18:78:32 | call to Query | provenance | MaD:735 |
| new-tests.go:78:18:78:32 | call to Query | new-tests.go:78:18:78:46 | call to Get | provenance | MaD:742 |
| new-tests.go:78:18:78:46 | call to Get | new-tests.go:79:11:79:46 | ...+... | provenance | |
| new-tests.go:81:18:81:67 | call to TrimPrefix | new-tests.go:82:11:82:46 | ...+... | provenance | |
| new-tests.go:81:37:81:43 | selection of URL | new-tests.go:81:37:81:48 | selection of Path | provenance | |
| new-tests.go:81:37:81:48 | selection of Path | new-tests.go:81:18:81:67 | call to TrimPrefix | provenance | MaD:855 |
| new-tests.go:81:37:81:48 | selection of Path | new-tests.go:81:18:81:67 | call to TrimPrefix | provenance | MaD:858 |
| new-tests.go:86:10:86:20 | call to Vars | new-tests.go:88:11:88:46 | ...+... | provenance | |
| new-tests.go:95:18:95:45 | call to URLParam | new-tests.go:96:11:96:46 | ...+... | provenance | |
nodes


@ -1,6 +1,6 @@
edges
| Builtin.go:6:2:6:2 | definition of b | Builtin.go:8:9:8:17 | type conversion | provenance | |
| Builtin.go:7:2:7:15 | selection of Body | Builtin.go:6:2:6:2 | definition of b | provenance | MaD:550 |
| Builtin.go:7:2:7:15 | selection of Body | Builtin.go:6:2:6:2 | definition of b | provenance | MaD:553 |
nodes
| Builtin.go:6:2:6:2 | definition of b | semmle.label | definition of b |
| Builtin.go:7:2:7:15 | selection of Body | semmle.label | selection of Body |


@ -21,15 +21,16 @@ invalidModelRow
| test.go:113:10:113:20 | index expression | qltest |
| test.go:117:10:117:16 | taint15 | qltest |
| test.go:121:10:121:17 | index expression | qltest |
| test.go:126:10:126:16 | taint16 | qltest |
| test.go:130:10:130:13 | selection of F | qltest |
| test.go:133:10:133:17 | call to Get | qltest |
| test.go:137:10:137:17 | call to Get | qltest |
| test.go:142:10:142:17 | call to Get | qltest |
| test.go:146:10:146:14 | selection of F | qltest |
| test.go:149:10:149:32 | call to GetThroughPointer | qltest |
| test.go:153:10:153:32 | call to GetThroughPointer | qltest |
| test.go:158:10:158:32 | call to GetThroughPointer | qltest |
| test.go:164:17:164:20 | arg1 | qltest |
| test.go:164:23:164:26 | arg2 | qltest |
| test.go:164:29:164:32 | arg3 | qltest |
| test.go:127:10:127:18 | index expression | qltest |
| test.go:132:10:132:16 | taint16 | qltest |
| test.go:136:10:136:13 | selection of F | qltest |
| test.go:139:10:139:17 | call to Get | qltest |
| test.go:143:10:143:17 | call to Get | qltest |
| test.go:148:10:148:17 | call to Get | qltest |
| test.go:152:10:152:14 | selection of F | qltest |
| test.go:155:10:155:32 | call to GetThroughPointer | qltest |
| test.go:159:10:159:32 | call to GetThroughPointer | qltest |
| test.go:164:10:164:32 | call to GetThroughPointer | qltest |
| test.go:170:17:170:20 | arg1 | qltest |
| test.go:170:23:170:26 | arg2 | qltest |
| test.go:170:29:170:32 | arg3 | qltest |


@ -12,12 +12,12 @@ invalidModelRow
| test.go:91:46:91:53 | call to Src1 | qltest |
| test.go:95:35:95:42 | call to Src1 | qltest |
| test.go:99:42:99:49 | call to Src1 | qltest |
| test.go:124:8:124:15 | call to Src1 | qltest |
| test.go:129:9:129:16 | call to Src1 | qltest |
| test.go:132:15:132:22 | call to Src1 | qltest |
| test.go:136:9:136:16 | call to Src1 | qltest |
| test.go:140:9:140:16 | call to Src1 | qltest |
| test.go:145:24:145:31 | call to Src1 | qltest |
| test.go:148:17:148:24 | call to Src1 | qltest |
| test.go:152:24:152:31 | call to Src1 | qltest |
| test.go:156:24:156:31 | call to Src1 | qltest |
| test.go:130:8:130:15 | call to Src1 | qltest |
| test.go:135:9:135:16 | call to Src1 | qltest |
| test.go:138:15:138:22 | call to Src1 | qltest |
| test.go:142:9:142:16 | call to Src1 | qltest |
| test.go:146:9:146:16 | call to Src1 | qltest |
| test.go:151:24:151:31 | call to Src1 | qltest |
| test.go:154:17:154:24 | call to Src1 | qltest |
| test.go:158:24:158:31 | call to Src1 | qltest |
| test.go:162:24:162:31 | call to Src1 | qltest |


@ -120,6 +120,12 @@ func simpleflow() {
slice = append(slice, src)
b.Sink1(slice[0]) // $ hasTaintFlow="index expression"
slice1 := make([]string, 2)
slice1[0] = src.(string)
slice2 := make([]string, 2)
copy(slice2, slice1)
b.Sink1(slice2[0]) // $ hasTaintFlow="index expression"
ch := make(chan string)
ch <- a.Src1().(string)
taint16 := test.StepArgCollectionContentRes(ch)
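Review bot: The added `slice1`/`slice2` case has no comment saying what it exercises, and it is the only nearby case that depends on the `copy` builtin rather than on a modelled call, which is easy to miss when scanning the test. A one-line comment above `slice1 := make([]string, 2)` would do, e.g. `// copy(dst, src): element content of slice1 should reach slice2[0]`. The case asserts only the positive flow; if the file has no such check already, a sink call on a slice that was never written from `src` would guard against the step over-approximating. `simpleflow` starts and ends outside this hunk.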


@ -0,0 +1,2 @@
invalidModelRow
testFailures


@ -0,0 +1,40 @@
extensions:
- addsTo:
pack: codeql/go-all
extensible: summaryModel
data:
- ["github.com/nonexistent/test", "T", False, "StepArgRes", "", "", "Argument[0]", "ReturnValue", "value", "manual"]
- ["github.com/nonexistent/test", "T", False, "StepArgRes1", "", "", "Argument[0]", "ReturnValue[1]", "value", "manual"]
- ["github.com/nonexistent/test", "T", False, "StepArgArg", "", "", "Argument[0]", "Argument[1]", "value", "manual"]
- ["github.com/nonexistent/test", "T", False, "StepArgQual", "", "", "Argument[0]", "Argument[-1]", "value", "manual"]
- ["github.com/nonexistent/test", "T", False, "StepQualRes", "", "", "Argument[-1]", "ReturnValue", "value", "manual"]
- ["github.com/nonexistent/test", "T", False, "StepQualArg", "", "", "Argument[-1]", "Argument[0]", "value", "manual"]
- ["github.com/nonexistent/test", "", False, "StepArgResNoQual", "", "", "Argument[0]", "ReturnValue", "value", "manual"]
- ["github.com/nonexistent/test", "", False, "StepArgResArrayContent", "", "", "Argument[0]", "ReturnValue.ArrayElement", "value", "manual"]
- ["github.com/nonexistent/test", "", False, "StepArgArrayContentRes", "", "", "Argument[0].ArrayElement", "ReturnValue", "value", "manual"]
- ["github.com/nonexistent/test", "", False, "StepArgResCollectionContent", "", "", "Argument[0]", "ReturnValue.Element", "value", "manual"]
- ["github.com/nonexistent/test", "", False, "StepArgCollectionContentRes", "", "", "Argument[0].Element", "ReturnValue", "value", "manual"]
- ["github.com/nonexistent/test", "", False, "StepArgResMapKeyContent", "", "", "Argument[0]", "ReturnValue.MapKey", "value", "manual"]
- ["github.com/nonexistent/test", "", False, "StepArgMapKeyContentRes", "", "", "Argument[0].MapKey", "ReturnValue", "value", "manual"]
- ["github.com/nonexistent/test", "", False, "StepArgResMapValueContent", "", "", "Argument[0]", "ReturnValue.MapValue", "value", "manual"]
- ["github.com/nonexistent/test", "", False, "StepArgMapValueContentRes", "", "", "Argument[0].MapValue", "ReturnValue", "value", "manual"]
- ["github.com/nonexistent/test", "", False, "GetElement", "", "", "Argument[0].Element", "ReturnValue", "value", "manual"]
- ["github.com/nonexistent/test", "", False, "GetMapKey", "", "", "Argument[0].MapKey", "ReturnValue", "value", "manual"]
- ["github.com/nonexistent/test", "", False, "SetElement", "", "", "Argument[0]", "ReturnValue.Element", "value", "manual"]
- ["github.com/nonexistent/test", "C", False, "Get", "", "", "Argument[-1].Field[github.com/nonexistent/test.C.F]", "ReturnValue", "value", "manual"]
- ["github.com/nonexistent/test", "C", False, "GetThroughPointer", "", "", "Argument[-1].Dereference.Field[github.com/nonexistent/test.C.F]", "ReturnValue", "value", "manual"]
- ["github.com/nonexistent/test", "C", False, "Set", "", "", "Argument[0]", "Argument[-1].Field[github.com/nonexistent/test.C.F]", "value", "manual"]
- ["github.com/nonexistent/test", "C", False, "SetThroughPointer", "", "", "Argument[0]", "Argument[-1].Dereference.Field[github.com/nonexistent/test.C.F]", "value", "manual"]
- addsTo:
pack: codeql/go-all
extensible: sourceModel
data:
- ["github.com/nonexistent/test", "A", False, "Src1", "", "", "ReturnValue", "qltest", "manual"]
- addsTo:
pack: codeql/go-all
extensible: sinkModel
data:
- ["github.com/nonexistent/test", "B", False, "Sink1", "", "", "Argument[0]", "qltest", "manual"]
- ["github.com/nonexistent/test", "B", False, "SinkManyArgs", "", "", "Argument[0..2]", "qltest", "manual"]
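Review bot: None of the `data:` blocks in this model file labels its columns, so a reader has to know the tuple layout of each extensible by heart, and a value placed one column off (for example in the two empty `""` slots) may not be caught by the `invalidModelRow` check. A comment above each block would make the rows reviewable: `# package, type, subtypes, name, signature, ext, input, output, kind, provenance` for `summaryModel`, and the same without `input` for `sourceModel` and without `output` for `sinkModel`. The two smaller model files later in this commit (the `sinkModel`-only and `sourceModel`-only ones) have the same gap. A short remark there on what `True` in the subtypes column changes for the `Src2`/`Src3` rows would help too.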


@ -0,0 +1,17 @@
/**
* @kind path-problem
*/
import go
import semmle.go.dataflow.ExternalFlow
import ModelValidation
import semmle.go.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl
import TestUtilities.InlineFlowTest
module Config implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node src) { sourceNode(src, "qltest") }
predicate isSink(DataFlow::Node src) { sinkNode(src, "qltest") }
}
import ValueFlowTest<Config>
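Review bot: `isSink` names its parameter `src`, apparently copied from `isSource`, which reads as if sources were being matched against the sink model. `predicate isSink(DataFlow::Node sink) { sinkNode(sink, "qltest") }` says what is meant. The `FlowSummaryImpl` alias is not referenced anywhere in the visible file and can probably be dropped. The header declares `@kind path-problem` although no `select` is visible in this file, so it is worth confirming that metadata is intended for an inline-expectations test.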


@ -0,0 +1,5 @@
module semmle.go.Packages
go 1.13
require github.com/nonexistent/test v0.0.0-20200203000000-0000000000000


@ -0,0 +1,42 @@
invalidModelRow
#select
| test.go:47:10:47:12 | arg | qltest |
| test.go:48:2:48:13 | type assertion | qltest |
| test.go:61:10:61:15 | taint1 | qltest |
| test.go:64:10:64:15 | taint2 | qltest |
| test.go:68:10:68:15 | taint3 | qltest |
| test.go:72:10:72:15 | taint4 | qltest |
| test.go:75:10:75:15 | taint5 | qltest |
| test.go:79:10:79:15 | taint6 | qltest |
| test.go:82:10:82:15 | taint7 | qltest |
| test.go:85:10:85:18 | index expression | qltest |
| test.go:89:10:89:15 | taint9 | qltest |
| test.go:92:10:92:33 | call to GetElement | qltest |
| test.go:93:10:93:18 | <-... | qltest |
| test.go:97:10:97:16 | taint11 | qltest |
| test.go:100:10:100:32 | call to GetMapKey | qltest |
| test.go:102:11:102:11 | k | qltest |
| test.go:105:11:105:11 | k | qltest |
| test.go:110:10:110:16 | taint13 | qltest |
| test.go:113:10:113:20 | index expression | qltest |
| test.go:117:10:117:16 | taint15 | qltest |
| test.go:121:10:121:17 | index expression | qltest |
| test.go:127:10:127:18 | index expression | qltest |
| test.go:132:10:132:16 | taint16 | qltest |
| test.go:136:10:136:13 | selection of F | qltest |
| test.go:139:10:139:17 | call to Get | qltest |
| test.go:143:10:143:17 | call to Get | qltest |
| test.go:148:10:148:17 | call to Get | qltest |
| test.go:152:10:152:14 | selection of F | qltest |
| test.go:155:10:155:32 | call to GetThroughPointer | qltest |
| test.go:159:10:159:32 | call to GetThroughPointer | qltest |
| test.go:164:10:164:32 | call to GetThroughPointer | qltest |
| test.go:170:17:170:20 | arg1 | qltest |
| test.go:170:23:170:26 | arg2 | qltest |
| test.go:170:29:170:32 | arg3 | qltest |
| test.go:173:10:173:26 | call to max | qltest |
| test.go:174:10:174:26 | call to max | qltest |
| test.go:175:10:175:26 | call to max | qltest |
| test.go:176:10:176:26 | call to min | qltest |
| test.go:177:10:177:26 | call to min | qltest |
| test.go:178:10:178:26 | call to min | qltest |


@ -0,0 +1,8 @@
extensions:
- addsTo:
pack: codeql/go-all
extensible: sinkModel
data:
- ["github.com/nonexistent/test", "B", False, "Sink1", "", "", "Argument[0]", "qltest", "manual"]
- ["github.com/nonexistent/test", "B", False, "SinkMethod", "", "", "Argument[-1]", "qltest", "manual"]
- ["github.com/nonexistent/test", "B", False, "SinkManyArgs", "", "", "Argument[0..2]", "qltest", "manual"]


@ -0,0 +1,7 @@
import go
import semmle.go.dataflow.ExternalFlow
import ModelValidation
from DataFlow::Node node, string kind
where sinkNode(node, kind)
select node, kind


@ -0,0 +1,23 @@
invalidModelRow
#select
| test.go:10:6:10:8 | definition of arg | qltest-arg |
| test.go:38:8:38:15 | call to Src1 | qltest |
| test.go:39:8:39:15 | call to Src2 | qltest |
| test.go:39:8:39:15 | call to Src2 | qltest-w-subtypes |
| test.go:40:8:40:16 | call to Src2 | qltest-w-subtypes |
| test.go:41:2:41:21 | ... = ...[0] | qltest |
| test.go:41:2:41:21 | ... = ...[1] | qltest-w-subtypes |
| test.go:42:2:42:22 | ... = ...[1] | qltest-w-subtypes |
| test.go:58:9:58:16 | call to Src1 | qltest |
| test.go:91:46:91:53 | call to Src1 | qltest |
| test.go:95:35:95:42 | call to Src1 | qltest |
| test.go:99:42:99:49 | call to Src1 | qltest |
| test.go:130:8:130:15 | call to Src1 | qltest |
| test.go:135:9:135:16 | call to Src1 | qltest |
| test.go:138:15:138:22 | call to Src1 | qltest |
| test.go:142:9:142:16 | call to Src1 | qltest |
| test.go:146:9:146:16 | call to Src1 | qltest |
| test.go:151:24:151:31 | call to Src1 | qltest |
| test.go:154:17:154:24 | call to Src1 | qltest |
| test.go:158:24:158:31 | call to Src1 | qltest |
| test.go:162:24:162:31 | call to Src1 | qltest |


@ -0,0 +1,11 @@
extensions:
- addsTo:
pack: codeql/go-all
extensible: sourceModel
data:
- ["github.com/nonexistent/test", "A", False, "Src1", "", "", "ReturnValue", "qltest", "manual"]
- ["github.com/nonexistent/test", "A", False, "Src2", "", "", "ReturnValue", "qltest", "manual"]
- ["github.com/nonexistent/test", "A", True, "Src2", "", "", "ReturnValue", "qltest-w-subtypes", "manual"]
- ["github.com/nonexistent/test", "A", False, "SrcArg", "", "", "Argument[0]", "qltest-arg", "manual"]
- ["github.com/nonexistent/test", "A", False, "Src3", "", "", "ReturnValue[0]", "qltest", "manual"]
- ["github.com/nonexistent/test", "A", True, "Src3", "", "", "ReturnValue[1]", "qltest-w-subtypes", "manual"]


@ -0,0 +1,7 @@
import go
import semmle.go.dataflow.ExternalFlow
import ModelValidation
from DataFlow::Node node, string kind
where sourceNode(node, kind)
select node, kind
