diff --git a/go/ql/lib/semmle/go/dataflow/SSA.qll b/go/ql/lib/semmle/go/dataflow/SSA.qll index d13bbe2de63a..828c948dfce5 100644 --- a/go/ql/lib/semmle/go/dataflow/SSA.qll +++ b/go/ql/lib/semmle/go/dataflow/SSA.qll @@ -61,7 +61,7 @@ private predicate unresolvedIdentifier(Ident id, string name) { /** * An SSA variable. */ -class SsaVariable extends TSsaDefinition { +class SsaVariable instanceof SsaDefinition { /** Gets the source variable corresponding to this SSA variable. */ SsaSourceVariable getSourceVariable() { result = this.(SsaDefinition).getSourceVariable() } @@ -107,27 +107,26 @@ class SsaVariable extends TSsaDefinition { /** * An SSA definition. */ -class SsaDefinition extends TSsaDefinition { +class SsaDefinition instanceof ZZZDefinition { + /** + * Holds if this SSA definition defines `v` at index `i` in basic block `bb`. + * Phi nodes are considered to be at index `-1`, while normal variable writes + * are at the index of the control flow node they wrap. + */ + predicate definesAt(SsaSourceVariable v, BasicBlock bb, int i) { + this.(ZZZDefinition).definesAt(v, bb, i) + } + /** Gets the SSA variable defined by this definition. */ SsaVariable getVariable() { result = this } /** Gets the source variable defined by this definition. */ - abstract SsaSourceVariable getSourceVariable(); + SsaSourceVariable getSourceVariable() { this.definesAt(result, _, _) } /** * Gets the basic block to which this definition belongs. */ - abstract ReachableBasicBlock getBasicBlock(); - - /** - * INTERNAL: Use `getBasicBlock()` and `getSourceVariable()` instead. - * - * Holds if this is a definition of source variable `v` at index `idx` in basic block `bb`. - * - * Phi nodes are considered to be at index `-1`, all other definitions at the index of - * the control flow node they correspond to. - */ - abstract predicate definesAt(ReachableBasicBlock bb, int idx, SsaSourceVariable v); + ReachableBasicBlock getBasicBlock() { this.definesAt(_, result, _) } /** * INTERNAL: Use `toString()` instead. @@ -146,12 +145,12 @@ class SsaDefinition extends TSsaDefinition { /** Gets the innermost function or file to which this SSA definition belongs. */ ControlFlow::Root getRoot() { result = this.getBasicBlock().getRoot() } + /** Gets the location of this SSA definition. */ + Location getLocation() { result = this.(ZZZDefinition).getLocation() } + /** Gets a textual representation of this element. */ string toString() { result = this.prettyPrintDef() } - /** Gets the source location for this element. */ - abstract Location getLocation(); - /** * DEPRECATED: Use `getLocation()` instead. * @@ -166,28 +165,29 @@ class SsaDefinition extends TSsaDefinition { ) { this.getLocation().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn) } + + /** + * Gets the first instruction that the value of this `SsaDefinition` can + * reach without passing through any other instructions, but possibly through + * phi nodes. + */ + IR::Instruction getAFirstUse() { firstUse(this, result) } } /** * An SSA definition that corresponds to an explicit assignment or other variable definition. */ -class SsaExplicitDefinition extends SsaDefinition, TExplicitDef { +class SsaExplicitDefinition extends SsaDefinition { + SsaExplicitDefinition() { not this instanceof SsaImplicitDefinition } + /** Gets the instruction where the definition happens. */ IR::Instruction getInstruction() { - exists(BasicBlock bb, int i | this = TExplicitDef(bb, i, _) | result = bb.getNode(i)) + exists(BasicBlock bb, int i | this.definesAt(_, bb, i) | result = bb.getNode(i)) } /** Gets the right-hand side of the definition. */ IR::Instruction getRhs() { this.getInstruction().writes(_, result) } - override predicate definesAt(ReachableBasicBlock bb, int i, SsaSourceVariable v) { - this = TExplicitDef(bb, i, v) - } - - override ReachableBasicBlock getBasicBlock() { this.definesAt(result, _, _) } - - override SsaSourceVariable getSourceVariable() { this = TExplicitDef(_, _, result) } - override string prettyPrintRef() { exists(Location loc | loc = this.getLocation() | result = "def@" + loc.getStartLine() + ":" + loc.getStartColumn() @@ -195,8 +195,6 @@ class SsaExplicitDefinition extends SsaDefinition, TExplicitDef { } override string prettyPrintDef() { result = "definition of " + this.getSourceVariable() } - - override Location getLocation() { result = this.getInstruction().getLocation() } } /** Provides a helper predicate for working with explicit SSA definitions. */ @@ -223,8 +221,6 @@ abstract class SsaImplicitDefinition extends SsaDefinition { result = this.getKind() + "@" + loc.getStartLine() + ":" + loc.getStartColumn() ) } - - override Location getLocation() { result = this.getBasicBlock().getLocation() } } /** @@ -234,24 +230,16 @@ abstract class SsaImplicitDefinition extends SsaDefinition { * Capturing definitions appear at the beginning of such functions, as well as * at any function call that may affect the value of the variable. */ -class SsaVariableCapture extends SsaImplicitDefinition, TCapture { - override predicate definesAt(ReachableBasicBlock bb, int i, SsaSourceVariable v) { - this = TCapture(bb, i, v) +class SsaVariableCapture extends SsaImplicitDefinition { + SsaVariableCapture() { + exists(BasicBlock bb, int i, SsaSourceVariable v | this.definesAt(v, bb, i) | + mayCapture(bb, i, v) + ) } - override ReachableBasicBlock getBasicBlock() { this.definesAt(result, _, _) } - - override SsaSourceVariable getSourceVariable() { this.definesAt(_, _, result) } - override string getKind() { result = "capture" } override string prettyPrintDef() { result = "capture variable " + this.getSourceVariable() } - - override Location getLocation() { - exists(ReachableBasicBlock bb, int i | this.definesAt(bb, i, _) | - result = bb.getNode(i).getLocation() - ) - } } /** @@ -276,26 +264,16 @@ abstract class SsaPseudoDefinition extends SsaImplicitDefinition { * in the flow graph where otherwise two or more definitions for the variable * would be visible. */ -class SsaPhiNode extends SsaPseudoDefinition, TPhi { +class SsaPhiNode extends SsaPseudoDefinition instanceof ZZZPhiNode { override SsaVariable getAnInput() { result = getDefReachingEndOf(this.getBasicBlock().getAPredecessor(), this.getSourceVariable()) } - override predicate definesAt(ReachableBasicBlock bb, int i, SsaSourceVariable v) { - bb = this.getBasicBlock() and v = this.getSourceVariable() and i = -1 - } - - override ReachableBasicBlock getBasicBlock() { this = TPhi(result, _) } - - override SsaSourceVariable getSourceVariable() { this = TPhi(_, result) } - override string getKind() { result = "phi" } override string prettyPrintDef() { result = this.getSourceVariable() + " = phi(" + this.ppInputs() + ")" } - - override Location getLocation() { result = this.getBasicBlock().getLocation() } } /** @@ -410,3 +388,12 @@ DataFlow::Node getASimilarReadNode(DataFlow::Node node) { result = readFields.similar().getAUse() ) } + +/** + * Gets an instruction such that `pred` and `result` form an adjacent + * use-use-pair of the same`SsaSourceVariable`, that is, the value read in + * `pred` can reach `result` without passing through any other use or any SSA + * definition of the variable except for phi nodes and uncertain implicit + * updates. + */ +IR::Instruction getAnAdjacentUse(IR::Instruction pred) { adjacentUseUse(pred, result) } diff --git a/go/ql/lib/semmle/go/dataflow/SsaImpl.qll b/go/ql/lib/semmle/go/dataflow/SsaImpl.qll index 0db37ac03ce3..f219200b365e 100644 --- a/go/ql/lib/semmle/go/dataflow/SsaImpl.qll +++ b/go/ql/lib/semmle/go/dataflow/SsaImpl.qll @@ -5,6 +5,7 @@ */ import go +private import codeql.ssa.Ssa as SsaImplCommon cached private module Internal { @@ -20,61 +21,6 @@ private module Internal { bb.getNode(i).(IR::Instruction).reads(v) } - /** - * A data type representing SSA definitions. - * - * We distinguish three kinds of SSA definitions: - * - * 1. Variable definitions, including declarations, assignments and increments/decrements. - * 2. Pseudo-definitions for captured variables at the beginning of the capturing function - * as well as after calls. - * 3. Phi nodes. - * - * SSA definitions are only introduced where necessary. In particular, - * unreachable code has no SSA definitions associated with it, and neither - * have dead assignments (that is, assignments whose value is never read). - */ - cached - newtype TSsaDefinition = - /** - * An SSA definition that corresponds to an explicit assignment or other variable definition. - */ - TExplicitDef(ReachableBasicBlock bb, int i, SsaSourceVariable v) { - defAt(bb, i, v) and - (liveAfterDef(bb, i, v) or v.isCaptured()) - } or - /** - * An SSA definition representing the capturing of an SSA-convertible variable - * in the closure of a nested function. - * - * Capturing definitions appear at the beginning of such functions, as well as - * at any function call that may affect the value of the variable. - */ - TCapture(ReachableBasicBlock bb, int i, SsaSourceVariable v) { - mayCapture(bb, i, v) and - liveAfterDef(bb, i, v) - } or - /** - * An SSA phi node, that is, a pseudo-definition for a variable at a point - * in the flow graph where otherwise two or more definitions for the variable - * would be visible. - */ - TPhi(ReachableJoinBlock bb, SsaSourceVariable v) { - liveAtEntry(bb, v) and - inDefDominanceFrontier(bb, v) - } - - /** - * Holds if `bb` is in the dominance frontier of a block containing a definition of `v`. - */ - pragma[noinline] - private predicate inDefDominanceFrontier(ReachableJoinBlock bb, SsaSourceVariable v) { - exists(ReachableBasicBlock defbb, SsaDefinition def | - def.definesAt(defbb, _, v) and - bb.inDominanceFrontierOf(defbb) - ) - } - /** * Holds if `v` is a captured variable which is declared in `declFun` and read in `useFun`. */ @@ -103,7 +49,8 @@ private module Internal { * modeling updates to captured variable `v`. Whether the definition is actually * introduced depends on whether `v` is live at this point in the program. */ - private predicate mayCapture(ReachableBasicBlock bb, int i, SsaSourceVariable v) { + cached + predicate mayCapture(ReachableBasicBlock bb, int i, SsaSourceVariable v) { exists(FuncDef capturingContainer, FuncDef declContainer | // capture initial value of variable declared in enclosing scope readsCapturedVar(capturingContainer, v, declContainer) and @@ -142,31 +89,6 @@ private module Internal { ref(bb, i, v, tp) } - /** - * Gets the maximum rank among all references to `v` in basic block `bb`. - */ - private int maxRefRank(ReachableBasicBlock bb, SsaSourceVariable v) { - result = max(refRank(bb, _, v, _)) - } - - /** - * Holds if variable `v` is live after the `i`th node of basic block `bb`, where - * `i` is the index of a node that may assign or capture `v`. - * - * For the purposes of this predicate, function calls are considered as writes of captured variables. - */ - private predicate liveAfterDef(ReachableBasicBlock bb, int i, SsaSourceVariable v) { - exists(int r | r = refRank(bb, i, v, WriteRef()) | - // the next reference to `v` inside `bb` is a read - r + 1 = refRank(bb, _, v, ReadRef()) - or - // this is the last reference to `v` inside `bb`, but `v` is live at entry - // to a successor basic block of `bb` - r = maxRefRank(bb, v) and - liveAtSuccEntry(bb, v) - ) - } - /** * Holds if variable `v` is live at the beginning of basic block `bb`. * @@ -199,11 +121,13 @@ private module Internal { /** * Holds if the `i`th node of `bb` is a use or an SSA definition of variable `v`, with * `k` indicating whether it is the former or the latter. + * + * Note this includes phi nodes, whereas `ref` above only includes explicit writes and captures. */ private predicate ssaRef(ReachableBasicBlock bb, int i, SsaSourceVariable v, RefKind k) { useAt(bb, i, v) and k = ReadRef() or - any(SsaDefinition def).definesAt(bb, i, v) and k = WriteRef() + any(SsaDefinition def).definesAt(v, bb, i) and k = WriteRef() } /** @@ -245,7 +169,7 @@ private module Internal { */ private SsaDefinition getLocalDefinition(ReachableBasicBlock bb, int i, SsaSourceVariable v) { exists(int r | r = rewindReads(bb, i, v) | - exists(int j | result.definesAt(bb, j, v) and ssaRefRank(bb, j, v, _) = r - 1) + exists(int j | result.definesAt(v, bb, j) and ssaRefRank(bb, j, v, _) = r - 1) ) } @@ -267,7 +191,7 @@ private module Internal { exists(int lastRef | lastRef = max(int i | ssaRef(bb, i, v, _)) | result = getLocalDefinition(bb, lastRef, v) or - result.definesAt(bb, lastRef, v) and + result.definesAt(v, bb, lastRef) and liveAtSuccEntry(bb, v) ) or @@ -276,7 +200,7 @@ private module Internal { // then one must dominate the other, so we can find the reaching definition // by following the idominance relation backwards. result = getDefReachingEndOfImmediateDominator(bb, v) and - not exists(SsaDefinition ssa | ssa.definesAt(bb, _, v)) and + not exists(SsaDefinition ssa | ssa.definesAt(v, bb, _)) and liveAtSuccEntry(bb, v) } @@ -290,6 +214,226 @@ private module Internal { or rewindReads(bb, i, v) = 1 and result = getDefReachingEndOf(bb.getImmediateDominator(), v) } + + private module AdjacentUsesImpl { + /** Holds if `v` is defined or used in `b`. */ + private predicate varOccursInBlock(SsaSourceVariable v, ReachableBasicBlock b) { + ssaRef(b, _, v, _) + } + + /** Holds if `v` occurs in `b` or one of `b`'s transitive successors. */ + private predicate blockPrecedesVar(SsaSourceVariable v, ReachableBasicBlock b) { + varOccursInBlock(v, b) + or + exists(getDefReachingEndOf(b, v)) + } + + /** + * Holds if `v` occurs in `b1` and `b2` is one of `b1`'s successors. + * + * Factored out of `varBlockReaches` to force join order compared to the larger + * set `blockPrecedesVar(v, b2)`. + */ + pragma[noinline] + private predicate varBlockReachesBaseCand( + SsaSourceVariable v, ReachableBasicBlock b1, ReachableBasicBlock b2 + ) { + varOccursInBlock(v, b1) and + b2 = b1.getASuccessor() + } + + /** + * Holds if `b2` is a transitive successor of `b1` and `v` occurs in `b1` and + * in `b2` or one of its transitive successors but not in any block on the path + * between `b1` and `b2`. Unlike `varBlockReaches` this may include blocksĀ `b2` + * where `v` is dead. + * + * Factored out of `varBlockReaches` to force join order compared to the larger + * set `blockPrecedesVar(v, b2)`. + */ + pragma[noinline] + private predicate varBlockReachesRecCand( + SsaSourceVariable v, ReachableBasicBlock b1, ReachableBasicBlock mid, ReachableBasicBlock b2 + ) { + varBlockReaches(v, b1, mid) and + not varOccursInBlock(v, mid) and + b2 = mid.getASuccessor() + } + + /** + * Holds if `b2` is a transitive successor of `b1` and `v` occurs in `b1` and + * in `b2` or one of its transitive successors but not in any block on the path + * between `b1` and `b2`. + */ + private predicate varBlockReaches( + SsaSourceVariable v, ReachableBasicBlock b1, ReachableBasicBlock b2 + ) { + varBlockReachesBaseCand(v, b1, b2) and + blockPrecedesVar(v, b2) + or + exists(ReachableBasicBlock mid | + varBlockReachesRecCand(v, b1, mid, b2) and + blockPrecedesVar(v, b2) + ) + } + + /** + * Holds if `b2` is a transitive successor of `b1` and `v` occurs in `b1` and + * `b2` but not in any block on the path between `b1` and `b2`. + */ + private predicate varBlockStep( + SsaSourceVariable v, ReachableBasicBlock b1, ReachableBasicBlock b2 + ) { + varBlockReaches(v, b1, b2) and + varOccursInBlock(v, b2) + } + + /** + * Gets the maximum rank among all SSA references to `v` in basic block `bb`. + */ + private int maxSsaRefRank(ReachableBasicBlock bb, SsaSourceVariable v) { + result = max(ssaRefRank(bb, _, v, _)) + } + + /** + * Holds if `v` occurs at index `i1` in `b1` and at index `i2` in `b2` and + * there is a path between them without any occurrence of `v`. + */ + pragma[nomagic] + predicate adjacentVarRefs( + SsaSourceVariable v, ReachableBasicBlock b1, int i1, ReachableBasicBlock b2, int i2 + ) { + exists(int rankix | + b1 = b2 and + ssaRefRank(b1, i1, v, _) = rankix and + ssaRefRank(b2, i2, v, _) = rankix + 1 + ) + or + maxSsaRefRank(b1, v) = ssaRefRank(b1, i1, v, _) and + varBlockStep(v, b1, b2) and + ssaRefRank(b2, i2, v, _) = 1 + } + + predicate variableUse(SsaSourceVariable v, IR::Instruction use, ReachableBasicBlock bb, int i) { + bb.getNode(i) = use and + exists(SsaVariable sv | + sv.getSourceVariable() = v and + use = sv.getAUse() + ) + } + } + + private import AdjacentUsesImpl + + /** + * Holds if the value defined at `def` can reach `use` without passing through + * any other uses, but possibly through phi nodes. + */ + cached + predicate firstUse(SsaDefinition def, IR::Instruction use) { + exists(SsaSourceVariable v, ReachableBasicBlock b1, int i1, ReachableBasicBlock b2, int i2 | + adjacentVarRefs(v, b1, i1, b2, i2) and + def.definesAt(v, b1, i1) and + variableUse(v, use, b2, i2) + ) + or + exists( + SsaSourceVariable v, SsaPhiNode redef, ReachableBasicBlock b1, int i1, ReachableBasicBlock b2, + int i2 + | + adjacentVarRefs(v, b1, i1, b2, i2) and + def.definesAt(v, b1, i1) and + redef.definesAt(v, b2, i2) and + firstUse(redef, use) + ) + } + + /** + * Holds if `use1` and `use2` form an adjacent use-use-pair of the same SSA + * variable, that is, the value read in `use1` can reach `use2` without passing + * through any other use or any SSA definition of the variable. + */ + cached + predicate adjacentUseUseSameVar(IR::Instruction use1, IR::Instruction use2) { + exists(SsaSourceVariable v, ReachableBasicBlock b1, int i1, ReachableBasicBlock b2, int i2 | + adjacentVarRefs(v, b1, i1, b2, i2) and + variableUse(v, use1, b1, i1) and + variableUse(v, use2, b2, i2) + ) + } + + /** + * Holds if `use1` and `use2` form an adjacent use-use-pair of the same + * `SsaSourceVariable`, that is, the value read in `use1` can reach `use2` + * without passing through any other use or any SSA definition of the variable + * except for phi nodes and uncertain implicit updates. + */ + cached + predicate adjacentUseUse(IR::Instruction use1, IR::Instruction use2) { + adjacentUseUseSameVar(use1, use2) + or + exists( + SsaSourceVariable v, SsaPhiNode def, ReachableBasicBlock b1, int i1, ReachableBasicBlock b2, + int i2 + | + adjacentVarRefs(v, b1, i1, b2, i2) and + variableUse(v, use1, b1, i1) and + def.definesAt(v, b2, i2) and + firstUse(def, use2) + ) + } + + private module SsaInput implements SsaImplCommon::InputSig { + private import go as G + + class BasicBlock = G::BasicBlock; + + class ControlFlowNode = G::ControlFlow::Node; + + BasicBlock getImmediateBasicBlockDominator(BasicBlock bb) { + result = bb.getImmediateDominator() + } + + BasicBlock getABasicBlockSuccessor(BasicBlock bb) { result = bb.getASuccessor() } + + class SourceVariable = SsaSourceVariable; + + /** + * Holds if the `i`th node of basic block `bb` is a (potential) write to source + * variable `v`. The Boolean `certain` indicates whether the write is certain. + * + * This includes implicit writes via calls. + */ + predicate variableWrite(BasicBlock bb, int i, SourceVariable v, boolean certain) { + defAt(bb, i, v) and + certain = true + or + mayCapture(bb, i, v) and certain = true + } + + /** + * Holds if the `i`th of basic block `bb` reads source variable `v`. + * + * This includes implicit reads via calls. + */ + predicate variableRead(BasicBlock bb, int i, SourceVariable v, boolean certain) { + useAt(bb, i, v) and certain = true + or + mayCapture(bb, i, v) and certain = true + } + } + + import SsaImplCommon::Make as Impl + + final class ZZZDefinition = Impl::Definition; + + final class ZZZWriteDefinition = Impl::WriteDefinition; + + final class ZZZUncertainWriteDefinition = Impl::UncertainWriteDefinition; + + final class ZZZPhiNode = Impl::PhiNode; } import Internal + +predicate captures = Internal::mayCapture/3; diff --git a/go/ql/lib/semmle/go/dataflow/internal/DataFlowPrivate.qll b/go/ql/lib/semmle/go/dataflow/internal/DataFlowPrivate.qll index 2d05b211a57e..3b8ed07c1a3b 100644 --- a/go/ql/lib/semmle/go/dataflow/internal/DataFlowPrivate.qll +++ b/go/ql/lib/semmle/go/dataflow/internal/DataFlowPrivate.qll @@ -65,23 +65,34 @@ predicate basicLocalFlowStep(Node nodeFrom, Node nodeTo) { else nodeTo.asInstruction() = evalAssert ) or - // Instruction -> SSA + // Instruction -> SSA defn exists(IR::Instruction pred, SsaExplicitDefinition succ | succ.getRhs() = pred and nodeFrom = instructionNode(pred) and - nodeTo = ssaNode(succ) + nodeTo = ssaNode(succ.getVariable()) ) or - // SSA -> SSA - exists(SsaDefinition pred, SsaPseudoDefinition succ | succ.getAnInput() = pred | - nodeFrom = ssaNode(pred) and - nodeTo = ssaNode(succ) + // SSA defn -> SSA capture + exists(SsaExplicitDefinition pred, SsaVariableCapture succ | + // Check: should these flow from PHIs as well? Perhaps they should be included + // in the use-use graph? + succ.getSourceVariable() = pred.getSourceVariable() + | + nodeFrom = ssaNode(pred.getVariable()) and + nodeTo = ssaNode(succ.getVariable()) ) or - // SSA -> Instruction - exists(SsaDefinition pred, IR::Instruction succ | - succ = pred.getVariable().getAUse() and - nodeFrom = ssaNode(pred) and + // SSA defn -> first SSA use + exists(SsaDefinition pred, IR::Instruction succ | succ = pred.getAFirstUse() | + (pred instanceof SsaExplicitDefinition or pred instanceof SsaVariableCapture) and + nodeFrom = ssaNode(pred.getVariable()) and + nodeTo = instructionNode(succ) + ) + or + // SSA use -> successive SSA use + // Note this case includes Phi node traversal + exists(IR::Instruction pred, IR::Instruction succ | succ = getAnAdjacentUse(pred) | + nodeFrom = instructionNode(pred) and nodeTo = instructionNode(succ) ) or diff --git a/go/ql/lib/semmle/go/security/AllocationSizeOverflowCustomizations.qll b/go/ql/lib/semmle/go/security/AllocationSizeOverflowCustomizations.qll index 60841b048f43..3eced801f209 100644 --- a/go/ql/lib/semmle/go/security/AllocationSizeOverflowCustomizations.qll +++ b/go/ql/lib/semmle/go/security/AllocationSizeOverflowCustomizations.qll @@ -32,7 +32,10 @@ module AllocationSizeOverflow { /** * A data-flow node that is an operand to an operation that may overflow. */ - abstract class OverflowProneOperand extends DataFlow::Node { } + abstract class OverflowProneOperand extends DataFlow::Node { + /** Gets the operation that may overflow that `this` is an operand of. */ + abstract DataFlow::Node getOverflowProneOperation(); + } /** * A data-flow node that represents the size argument of an allocation, such as the `n` in @@ -91,8 +94,7 @@ module AllocationSizeOverflow { AllocationSize allocsz; DefaultSink() { - this instanceof OverflowProneOperand and - localStep*(this, allocsz) and + localStep*(this.(OverflowProneOperand).getOverflowProneOperation(), allocsz) and not allocsz instanceof AllocationSizeCheckBarrier } @@ -134,15 +136,18 @@ module AllocationSizeOverflow { /** An operand of an arithmetic expression that could cause overflow. */ private class DefaultOverflowProneOperand extends OverflowProneOperand { + OperatorExpr parent; + DefaultOverflowProneOperand() { - exists(OperatorExpr parent | isOverflowProne(parent) | - this.asExpr() = parent.getAnOperand() and - // only consider outermost operands to avoid double reporting - not exists(OperatorExpr grandparent | parent = grandparent.getAnOperand().stripParens() | - isOverflowProne(grandparent) - ) + isOverflowProne(parent) and + this.asExpr() = parent.getAnOperand() and + // only consider outermost operands to avoid double reporting + not exists(OperatorExpr grandparent | parent = grandparent.getAnOperand().stripParens() | + isOverflowProne(grandparent) ) } + + override DataFlow::Node getOverflowProneOperation() { result.asExpr() = parent } } /** diff --git a/go/ql/lib/semmle/go/security/CleartextLoggingCustomizations.qll b/go/ql/lib/semmle/go/security/CleartextLoggingCustomizations.qll index 17a7345b23e7..ce0d2080699d 100644 --- a/go/ql/lib/semmle/go/security/CleartextLoggingCustomizations.qll +++ b/go/ql/lib/semmle/go/security/CleartextLoggingCustomizations.qll @@ -55,6 +55,8 @@ module CleartextLogging { | this.asExpr().(Ident).getName() = name or + this.(DataFlow::SsaNode).getSourceVariable().getName() = name + or this.(DataFlow::FieldReadNode).getFieldName() = name or this.(DataFlow::CallNode).getCalleeName() = name @@ -143,7 +145,7 @@ module CleartextLogging { not this instanceof NonCleartextPassword and name.regexpMatch(maybePassword()) and ( - this.asExpr().(Ident).getName() = name + this.(DataFlow::SsaNode).getSourceVariable().getName() = name or exists(DataFlow::FieldReadNode fn | fn = this and diff --git a/go/ql/lib/semmle/go/security/CommandInjection.qll b/go/ql/lib/semmle/go/security/CommandInjection.qll index 7dc6f3991fc1..c6956d86e965 100644 --- a/go/ql/lib/semmle/go/security/CommandInjection.qll +++ b/go/ql/lib/semmle/go/security/CommandInjection.qll @@ -80,6 +80,28 @@ module CommandInjection { node instanceof Sanitizer or node = any(ArgumentArrayWithDoubleDash array).getASanitizedElement() } + + // Hack: with use-use flow, we might have x (use at line 1) -> x (use at line 2), + // x (use at line 1) -> array at line 1 and x (use at line 2) -> array at line 2, + // in the context + // + // array1 := {"--", x} + // array2 := {x, "--"} + // + // We want to taint array2 but not array1, which suggests excluding the edge x (use 1) -> array1 + // However isSanitizer only allows us to remove nodes (isSanitizerIn/Out permit removing all outgoing + // or incoming edges); we can't remove an individual edge, so instead we supply extra edges connecting + // the definition with the next use. + predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) { + exists( + ArgumentArrayWithDoubleDash array, DataFlow::InstructionNode sanitized, + DataFlow::SsaNode defn + | + sanitized = array.getASanitizedElement() and sanitized = defn.getAUse() + | + pred = defn and succ = sanitized.getASuccessor() + ) + } } /** diff --git a/go/ql/lib/semmle/go/security/IncorrectIntegerConversionLib.qll b/go/ql/lib/semmle/go/security/IncorrectIntegerConversionLib.qll index 9125ab6e400a..8cb5eee7f636 100644 --- a/go/ql/lib/semmle/go/security/IncorrectIntegerConversionLib.qll +++ b/go/ql/lib/semmle/go/security/IncorrectIntegerConversionLib.qll @@ -290,13 +290,17 @@ private predicate integerTypeBound(IntegerType it, int bitSize, int architecture * the type assertion succeeded. If it is not checked then there will be a * run-time panic if the type assertion fails, so we can assume it succeeded. */ -class TypeAssertionCheck extends DataFlow::ExprNode, FlowStateTransformer { +class TypeAssertionCheck extends DataFlow::InstructionNode, FlowStateTransformer { IntegerType it; TypeAssertionCheck() { - exists(TypeAssertExpr tae | - this = DataFlow::exprNode(tae.getExpr()) and - it = tae.getTypeExpr().getType().getUnderlyingType() + exists(IR::Instruction evalAssert, TypeAssertExpr assert | + it = assert.getTypeExpr().getType().getUnderlyingType() and + evalAssert = IR::evalExprInstruction(assert) + | + if exists(IR::extractTupleElement(evalAssert, _)) + then this.asInstruction() = IR::extractTupleElement(evalAssert, 0) + else this.asInstruction() = evalAssert ) } diff --git a/go/ql/lib/semmle/go/security/LogInjectionCustomizations.qll b/go/ql/lib/semmle/go/security/LogInjectionCustomizations.qll index 188256f9643b..1b8e4e77e844 100644 --- a/go/ql/lib/semmle/go/security/LogInjectionCustomizations.qll +++ b/go/ql/lib/semmle/go/security/LogInjectionCustomizations.qll @@ -35,7 +35,15 @@ module LogInjection { /** An argument to a logging mechanism. */ class LoggerSink extends Sink { - LoggerSink() { this = any(LoggerCall log).getAMessageComponent() } + LoggerSink() { + exists(LoggerCall call | + this = call.getAMessageComponent() and + // exclude arguments to `call` which have a safe format argument, which + // aren't caught by SafeFormatArgumentSanitizer as that sanitizes the + // result of the call. + not safeFormatArgument(this, call) + ) + } } /** @@ -47,6 +55,22 @@ module LogInjection { ReplaceSanitizer() { this.getReplacedString() = ["\r", "\n"] } } + /** + * Holds if `arg` is an argument to `call` that is formatted using the `%q` + * directive. This formatting directive replaces newline characters with + * escape sequences, so `arg` would not be a sink for log injection. + */ + private predicate safeFormatArgument( + DataFlow::Node arg, StringOps::Formatting::StringFormatCall call + ) { + exists(string safeDirective | + // Mark "%q" formats as safe, but not "%#q", which would preserve newline characters. + safeDirective.regexpMatch("%[^%#]*q") + | + arg = call.getOperand(_, safeDirective) + ) + } + /** * An argument that is formatted using the `%q` directive, considered as a sanitizer * for log injection. @@ -55,10 +79,10 @@ module LogInjection { */ private class SafeFormatArgumentSanitizer extends Sanitizer { SafeFormatArgumentSanitizer() { - exists(StringOps::Formatting::StringFormatCall call, string safeDirective | - this = call.getOperand(_, safeDirective) and - // Mark "%q" formats as safe, but not "%#q", which would preserve newline characters. - safeDirective.regexpMatch("%[^%#]*q") + exists(DataFlow::Node arg, StringOps::Formatting::StringFormatCall call | + safeFormatArgument(arg, call) + | + this = call.getAResult() ) } } diff --git a/go/ql/src/InconsistentCode/MissingErrorCheck.ql b/go/ql/src/InconsistentCode/MissingErrorCheck.ql index d20215172674..fcd4d86ea8ce 100644 --- a/go/ql/src/InconsistentCode/MissingErrorCheck.ql +++ b/go/ql/src/InconsistentCode/MissingErrorCheck.ql @@ -72,6 +72,16 @@ predicate checksValue(IR::Instruction instruction, DataFlow::SsaNode value) { ) } +// Now that we have use-use flow, phi nodes aren't directly involved in the flow graph. TODO: change this? +DataFlow::SsaNode phiDefinedFrom(DataFlow::SsaNode node) { + result.getDefinition().(SsaPseudoDefinition).getAnInput() = node.getDefinition().getVariable() +} + +DataFlow::SsaNode definedFrom(DataFlow::SsaNode node) { + DataFlow::localFlow(node, result) or + result = phiDefinedFrom*(node) +} + /** * Matches if `call` is a function returning (`ptr`, `err`) where `ptr` may be nil, and neither * `ptr` not `err` has been checked for validity as of `node`. @@ -98,7 +108,7 @@ predicate returnUncheckedAtNode( // localFlow is used to permit checks via either an SSA phi node or ordinary assignment. returnUncheckedAtNode(call, node.getAPredecessor(), ptr, err) and not exists(DataFlow::SsaNode checked | - DataFlow::localFlow(ptr, checked) or DataFlow::localFlow(err, checked) + checked = definedFrom(ptr) or checked = definedFrom(err) | checksValue(node, checked) ) diff --git a/go/ql/src/Security/CWE-681/IncorrectIntegerConversionQuery.ql b/go/ql/src/Security/CWE-681/IncorrectIntegerConversionQuery.ql index a310f024a2d0..ce5081a92e92 100644 --- a/go/ql/src/Security/CWE-681/IncorrectIntegerConversionQuery.ql +++ b/go/ql/src/Security/CWE-681/IncorrectIntegerConversionQuery.ql @@ -18,7 +18,8 @@ import semmle.go.security.IncorrectIntegerConversionLib import Flow::PathGraph from - Flow::PathNode source, Flow::PathNode sink, DataFlow::CallNode call, DataFlow::Node sinkConverted + Flow::PathNode source, Flow::PathNode sink, DataFlow::CallNode call, + DataFlow::TypeCastNode sinkConverted where Flow::flowPath(source, sink) and call.getResult(0) = source.getNode() and diff --git a/go/ql/test/experimental/CWE-1004/CookieWithoutHttpOnly.expected b/go/ql/test/experimental/CWE-1004/CookieWithoutHttpOnly.expected index 5c7bef1155ef..0c60eb3f97ef 100644 --- a/go/ql/test/experimental/CWE-1004/CookieWithoutHttpOnly.expected +++ b/go/ql/test/experimental/CWE-1004/CookieWithoutHttpOnly.expected @@ -255,8 +255,6 @@ edges | CookieWithoutHttpOnly.go:134:2:134:8 | definition of session [pointer] | CookieWithoutHttpOnly.go:135:2:135:8 | session [pointer] | provenance | | | CookieWithoutHttpOnly.go:134:2:134:8 | definition of session [pointer] | CookieWithoutHttpOnly.go:137:2:137:8 | session [pointer] | provenance | | | CookieWithoutHttpOnly.go:134:2:134:8 | definition of session [pointer] | CookieWithoutHttpOnly.go:137:2:137:8 | session [pointer] | provenance | | -| CookieWithoutHttpOnly.go:134:2:134:8 | definition of session [pointer] | CookieWithoutHttpOnly.go:142:2:142:8 | session | provenance | | -| CookieWithoutHttpOnly.go:134:2:134:8 | definition of session [pointer] | CookieWithoutHttpOnly.go:142:2:142:8 | session | provenance | | | CookieWithoutHttpOnly.go:134:2:134:43 | ... := ...[0] | CookieWithoutHttpOnly.go:142:2:142:8 | session | provenance | | | CookieWithoutHttpOnly.go:134:16:134:20 | store | CookieWithoutHttpOnly.go:126:16:126:20 | store | provenance | | | CookieWithoutHttpOnly.go:134:16:134:20 | store | CookieWithoutHttpOnly.go:134:2:134:43 | ... := ...[0] | provenance | Config | @@ -272,8 +270,6 @@ edges | CookieWithoutHttpOnly.go:135:2:135:8 | implicit dereference | CookieWithoutHttpOnly.go:134:2:134:8 | definition of session [pointer] | provenance | | | CookieWithoutHttpOnly.go:135:2:135:8 | implicit dereference | CookieWithoutHttpOnly.go:137:2:137:8 | session | provenance | | | CookieWithoutHttpOnly.go:135:2:135:8 | implicit dereference | CookieWithoutHttpOnly.go:137:2:137:8 | session | provenance | | -| CookieWithoutHttpOnly.go:135:2:135:8 | implicit dereference | CookieWithoutHttpOnly.go:142:2:142:8 | session | provenance | | -| CookieWithoutHttpOnly.go:135:2:135:8 | implicit dereference | CookieWithoutHttpOnly.go:142:2:142:8 | session | provenance | | | CookieWithoutHttpOnly.go:135:2:135:8 | session [pointer] | CookieWithoutHttpOnly.go:135:2:135:8 | implicit dereference | provenance | | | CookieWithoutHttpOnly.go:135:2:135:8 | session [pointer] | CookieWithoutHttpOnly.go:135:2:135:8 | implicit dereference | provenance | | | CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference | CookieWithoutHttpOnly.go:134:2:134:8 | definition of session [pointer] | provenance | | @@ -282,12 +278,14 @@ edges | CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference | CookieWithoutHttpOnly.go:135:2:135:8 | implicit dereference | provenance | | | CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference | CookieWithoutHttpOnly.go:137:2:137:8 | session | provenance | | | CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference | CookieWithoutHttpOnly.go:137:2:137:8 | session | provenance | | -| CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference | CookieWithoutHttpOnly.go:142:2:142:8 | session | provenance | | -| CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference | CookieWithoutHttpOnly.go:142:2:142:8 | session | provenance | | | CookieWithoutHttpOnly.go:137:2:137:8 | session | CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference | provenance | | | CookieWithoutHttpOnly.go:137:2:137:8 | session | CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference | provenance | | +| CookieWithoutHttpOnly.go:137:2:137:8 | session | CookieWithoutHttpOnly.go:142:2:142:8 | session | provenance | | +| CookieWithoutHttpOnly.go:137:2:137:8 | session | CookieWithoutHttpOnly.go:142:2:142:8 | session | provenance | | | CookieWithoutHttpOnly.go:137:2:137:8 | session [pointer] | CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference | provenance | | | CookieWithoutHttpOnly.go:137:2:137:8 | session [pointer] | CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference | provenance | | +| CookieWithoutHttpOnly.go:137:2:137:8 | session [pointer] | CookieWithoutHttpOnly.go:142:2:142:8 | session | provenance | | +| CookieWithoutHttpOnly.go:137:2:137:8 | session [pointer] | CookieWithoutHttpOnly.go:142:2:142:8 | session | provenance | | | CookieWithoutHttpOnly.go:137:20:140:2 | &... | CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference | provenance | Config | | CookieWithoutHttpOnly.go:137:20:140:2 | &... | CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference | provenance | Config | | CookieWithoutHttpOnly.go:137:20:140:2 | &... | CookieWithoutHttpOnly.go:137:2:137:8 | session | provenance | Config | @@ -298,7 +296,6 @@ edges | CookieWithoutHttpOnly.go:139:13:139:20 | httpOnly | CookieWithoutHttpOnly.go:137:21:140:2 | struct literal | provenance | Config | | CookieWithoutHttpOnly.go:146:2:146:8 | definition of session [pointer] | CookieWithoutHttpOnly.go:147:2:147:8 | session [pointer] | provenance | | | CookieWithoutHttpOnly.go:146:2:146:8 | definition of session [pointer] | CookieWithoutHttpOnly.go:149:2:149:8 | session [pointer] | provenance | | -| CookieWithoutHttpOnly.go:146:2:146:8 | definition of session [pointer] | CookieWithoutHttpOnly.go:153:2:153:8 | session | provenance | | | CookieWithoutHttpOnly.go:146:2:146:43 | ... := ...[0] | CookieWithoutHttpOnly.go:153:2:153:8 | session | provenance | | | CookieWithoutHttpOnly.go:146:16:146:20 | store | CookieWithoutHttpOnly.go:126:16:126:20 | store | provenance | | | CookieWithoutHttpOnly.go:146:16:146:20 | store | CookieWithoutHttpOnly.go:134:16:134:20 | store | provenance | | @@ -312,14 +309,14 @@ edges | CookieWithoutHttpOnly.go:146:16:146:20 | store | CookieWithoutHttpOnly.go:202:2:202:6 | store | provenance | | | CookieWithoutHttpOnly.go:147:2:147:8 | implicit dereference | CookieWithoutHttpOnly.go:146:2:146:8 | definition of session [pointer] | provenance | | | CookieWithoutHttpOnly.go:147:2:147:8 | implicit dereference | CookieWithoutHttpOnly.go:149:2:149:8 | session | provenance | | -| CookieWithoutHttpOnly.go:147:2:147:8 | implicit dereference | CookieWithoutHttpOnly.go:153:2:153:8 | session | provenance | | | CookieWithoutHttpOnly.go:147:2:147:8 | session [pointer] | CookieWithoutHttpOnly.go:147:2:147:8 | implicit dereference | provenance | | | CookieWithoutHttpOnly.go:149:2:149:8 | implicit dereference | CookieWithoutHttpOnly.go:146:2:146:8 | definition of session [pointer] | provenance | | | CookieWithoutHttpOnly.go:149:2:149:8 | implicit dereference | CookieWithoutHttpOnly.go:147:2:147:8 | implicit dereference | provenance | | | CookieWithoutHttpOnly.go:149:2:149:8 | implicit dereference | CookieWithoutHttpOnly.go:149:2:149:8 | session | provenance | | -| CookieWithoutHttpOnly.go:149:2:149:8 | implicit dereference | CookieWithoutHttpOnly.go:153:2:153:8 | session | provenance | | | CookieWithoutHttpOnly.go:149:2:149:8 | session | CookieWithoutHttpOnly.go:149:2:149:8 | implicit dereference | provenance | | +| CookieWithoutHttpOnly.go:149:2:149:8 | session | CookieWithoutHttpOnly.go:153:2:153:8 | session | provenance | | | CookieWithoutHttpOnly.go:149:2:149:8 | session [pointer] | CookieWithoutHttpOnly.go:149:2:149:8 | implicit dereference | provenance | | +| CookieWithoutHttpOnly.go:149:2:149:8 | session [pointer] | CookieWithoutHttpOnly.go:153:2:153:8 | session | provenance | | | CookieWithoutHttpOnly.go:149:20:151:2 | &... | CookieWithoutHttpOnly.go:149:2:149:8 | implicit dereference | provenance | Config | | CookieWithoutHttpOnly.go:149:20:151:2 | &... | CookieWithoutHttpOnly.go:149:2:149:8 | session | provenance | Config | | CookieWithoutHttpOnly.go:149:21:151:2 | struct literal | CookieWithoutHttpOnly.go:149:20:151:2 | &... | provenance | | @@ -329,8 +326,6 @@ edges | CookieWithoutHttpOnly.go:158:2:158:8 | definition of session [pointer] | CookieWithoutHttpOnly.go:159:2:159:8 | session [pointer] | provenance | | | CookieWithoutHttpOnly.go:158:2:158:8 | definition of session [pointer] | CookieWithoutHttpOnly.go:161:2:161:8 | session [pointer] | provenance | | | CookieWithoutHttpOnly.go:158:2:158:8 | definition of session [pointer] | CookieWithoutHttpOnly.go:161:2:161:8 | session [pointer] | provenance | | -| CookieWithoutHttpOnly.go:158:2:158:8 | definition of session [pointer] | CookieWithoutHttpOnly.go:166:2:166:8 | session | provenance | | -| CookieWithoutHttpOnly.go:158:2:158:8 | definition of session [pointer] | CookieWithoutHttpOnly.go:166:2:166:8 | session | provenance | | | CookieWithoutHttpOnly.go:158:2:158:43 | ... := ...[0] | CookieWithoutHttpOnly.go:166:2:166:8 | session | provenance | | | CookieWithoutHttpOnly.go:158:16:158:20 | store | CookieWithoutHttpOnly.go:126:16:126:20 | store | provenance | | | CookieWithoutHttpOnly.go:158:16:158:20 | store | CookieWithoutHttpOnly.go:134:16:134:20 | store | provenance | | @@ -346,8 +341,6 @@ edges | CookieWithoutHttpOnly.go:159:2:159:8 | implicit dereference | CookieWithoutHttpOnly.go:158:2:158:8 | definition of session [pointer] | provenance | | | CookieWithoutHttpOnly.go:159:2:159:8 | implicit dereference | CookieWithoutHttpOnly.go:161:2:161:8 | session | provenance | | | CookieWithoutHttpOnly.go:159:2:159:8 | implicit dereference | CookieWithoutHttpOnly.go:161:2:161:8 | session | provenance | | -| CookieWithoutHttpOnly.go:159:2:159:8 | implicit dereference | CookieWithoutHttpOnly.go:166:2:166:8 | session | provenance | | -| CookieWithoutHttpOnly.go:159:2:159:8 | implicit dereference | CookieWithoutHttpOnly.go:166:2:166:8 | session | provenance | | | CookieWithoutHttpOnly.go:159:2:159:8 | session [pointer] | CookieWithoutHttpOnly.go:159:2:159:8 | implicit dereference | provenance | | | CookieWithoutHttpOnly.go:159:2:159:8 | session [pointer] | CookieWithoutHttpOnly.go:159:2:159:8 | implicit dereference | provenance | | | CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference | CookieWithoutHttpOnly.go:158:2:158:8 | definition of session [pointer] | provenance | | @@ -356,12 +349,14 @@ edges | CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference | CookieWithoutHttpOnly.go:159:2:159:8 | implicit dereference | provenance | | | CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference | CookieWithoutHttpOnly.go:161:2:161:8 | session | provenance | | | CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference | CookieWithoutHttpOnly.go:161:2:161:8 | session | provenance | | -| CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference | CookieWithoutHttpOnly.go:166:2:166:8 | session | provenance | | -| CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference | CookieWithoutHttpOnly.go:166:2:166:8 | session | provenance | | | CookieWithoutHttpOnly.go:161:2:161:8 | session | CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference | provenance | | | CookieWithoutHttpOnly.go:161:2:161:8 | session | CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference | provenance | | +| CookieWithoutHttpOnly.go:161:2:161:8 | session | CookieWithoutHttpOnly.go:166:2:166:8 | session | provenance | | +| CookieWithoutHttpOnly.go:161:2:161:8 | session | CookieWithoutHttpOnly.go:166:2:166:8 | session | provenance | | | CookieWithoutHttpOnly.go:161:2:161:8 | session [pointer] | CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference | provenance | | | CookieWithoutHttpOnly.go:161:2:161:8 | session [pointer] | CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference | provenance | | +| CookieWithoutHttpOnly.go:161:2:161:8 | session [pointer] | CookieWithoutHttpOnly.go:166:2:166:8 | session | provenance | | +| CookieWithoutHttpOnly.go:161:2:161:8 | session [pointer] | CookieWithoutHttpOnly.go:166:2:166:8 | session | provenance | | | CookieWithoutHttpOnly.go:161:20:164:2 | &... | CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference | provenance | Config | | CookieWithoutHttpOnly.go:161:20:164:2 | &... | CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference | provenance | Config | | CookieWithoutHttpOnly.go:161:20:164:2 | &... | CookieWithoutHttpOnly.go:161:2:161:8 | session | provenance | Config | @@ -376,8 +371,6 @@ edges | CookieWithoutHttpOnly.go:170:2:170:8 | definition of session [pointer] | CookieWithoutHttpOnly.go:171:2:171:8 | session [pointer] | provenance | | | CookieWithoutHttpOnly.go:170:2:170:8 | definition of session [pointer] | CookieWithoutHttpOnly.go:173:2:173:8 | session [pointer] | provenance | | | CookieWithoutHttpOnly.go:170:2:170:8 | definition of session [pointer] | CookieWithoutHttpOnly.go:173:2:173:8 | session [pointer] | provenance | | -| CookieWithoutHttpOnly.go:170:2:170:8 | definition of session [pointer] | CookieWithoutHttpOnly.go:178:2:178:8 | session | provenance | | -| CookieWithoutHttpOnly.go:170:2:170:8 | definition of session [pointer] | CookieWithoutHttpOnly.go:178:2:178:8 | session | provenance | | | CookieWithoutHttpOnly.go:170:2:170:43 | ... := ...[0] | CookieWithoutHttpOnly.go:178:2:178:8 | session | provenance | | | CookieWithoutHttpOnly.go:170:16:170:20 | store | CookieWithoutHttpOnly.go:126:16:126:20 | store | provenance | | | CookieWithoutHttpOnly.go:170:16:170:20 | store | CookieWithoutHttpOnly.go:134:16:134:20 | store | provenance | | @@ -393,8 +386,6 @@ edges | CookieWithoutHttpOnly.go:171:2:171:8 | implicit dereference | CookieWithoutHttpOnly.go:170:2:170:8 | definition of session [pointer] | provenance | | | CookieWithoutHttpOnly.go:171:2:171:8 | implicit dereference | CookieWithoutHttpOnly.go:173:2:173:8 | session | provenance | | | CookieWithoutHttpOnly.go:171:2:171:8 | implicit dereference | CookieWithoutHttpOnly.go:173:2:173:8 | session | provenance | | -| CookieWithoutHttpOnly.go:171:2:171:8 | implicit dereference | CookieWithoutHttpOnly.go:178:2:178:8 | session | provenance | | -| CookieWithoutHttpOnly.go:171:2:171:8 | implicit dereference | CookieWithoutHttpOnly.go:178:2:178:8 | session | provenance | | | CookieWithoutHttpOnly.go:171:2:171:8 | session [pointer] | CookieWithoutHttpOnly.go:171:2:171:8 | implicit dereference | provenance | | | CookieWithoutHttpOnly.go:171:2:171:8 | session [pointer] | CookieWithoutHttpOnly.go:171:2:171:8 | implicit dereference | provenance | | | CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference | CookieWithoutHttpOnly.go:170:2:170:8 | definition of session [pointer] | provenance | | @@ -403,12 +394,14 @@ edges | CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference | CookieWithoutHttpOnly.go:171:2:171:8 | implicit dereference | provenance | | | CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference | CookieWithoutHttpOnly.go:173:2:173:8 | session | provenance | | | CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference | CookieWithoutHttpOnly.go:173:2:173:8 | session | provenance | | -| CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference | CookieWithoutHttpOnly.go:178:2:178:8 | session | provenance | | -| CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference | CookieWithoutHttpOnly.go:178:2:178:8 | session | provenance | | | CookieWithoutHttpOnly.go:173:2:173:8 | session | CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference | provenance | | | CookieWithoutHttpOnly.go:173:2:173:8 | session | CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference | provenance | | +| CookieWithoutHttpOnly.go:173:2:173:8 | session | CookieWithoutHttpOnly.go:178:2:178:8 | session | provenance | | +| CookieWithoutHttpOnly.go:173:2:173:8 | session | CookieWithoutHttpOnly.go:178:2:178:8 | session | provenance | | | CookieWithoutHttpOnly.go:173:2:173:8 | session [pointer] | CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference | provenance | | | CookieWithoutHttpOnly.go:173:2:173:8 | session [pointer] | CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference | provenance | | +| CookieWithoutHttpOnly.go:173:2:173:8 | session [pointer] | CookieWithoutHttpOnly.go:178:2:178:8 | session | provenance | | +| CookieWithoutHttpOnly.go:173:2:173:8 | session [pointer] | CookieWithoutHttpOnly.go:178:2:178:8 | session | provenance | | | CookieWithoutHttpOnly.go:173:20:176:2 | &... | CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference | provenance | Config | | CookieWithoutHttpOnly.go:173:20:176:2 | &... | CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference | provenance | Config | | CookieWithoutHttpOnly.go:173:20:176:2 | &... | CookieWithoutHttpOnly.go:173:2:173:8 | session | provenance | Config | diff --git a/go/ql/test/experimental/CWE-522-DecompressionBombs/DecompressionBombs.expected b/go/ql/test/experimental/CWE-522-DecompressionBombs/DecompressionBombs.expected index 34703cdeef4e..46bccc77a976 100644 --- a/go/ql/test/experimental/CWE-522-DecompressionBombs/DecompressionBombs.expected +++ b/go/ql/test/experimental/CWE-522-DecompressionBombs/DecompressionBombs.expected @@ -68,9 +68,9 @@ edges | test.go:91:15:91:26 | selection of Body | test.go:555:19:555:22 | definition of file | provenance | Src:MaD:1 | | test.go:93:5:93:16 | selection of Body | test.go:580:9:580:12 | definition of file | provenance | Src:MaD:1 | | test.go:128:20:128:27 | definition of filename | test.go:130:33:130:40 | filename | provenance | | -| test.go:128:20:128:27 | definition of filename | test.go:143:51:143:58 | filename | provenance | | | test.go:130:2:130:41 | ... := ...[0] | test.go:132:12:132:12 | f | provenance | | | test.go:130:33:130:40 | filename | test.go:130:2:130:41 | ... := ...[0] | provenance | Config | +| test.go:130:33:130:40 | filename | test.go:143:51:143:58 | filename | provenance | | | test.go:132:3:132:19 | ... := ...[0] | test.go:134:37:134:38 | rc | provenance | | | test.go:132:12:132:12 | f | test.go:132:3:132:19 | ... := ...[0] | provenance | MaD:4 | | test.go:143:2:143:59 | ... := ...[0] | test.go:145:12:145:12 | f | provenance | | diff --git a/go/ql/test/library-tests/semmle/go/dataflow/ExternalTaintFlow/test.go b/go/ql/test/library-tests/semmle/go/dataflow/ExternalTaintFlow/test.go index 14b9a43b5991..c9d732e74002 100644 --- a/go/ql/test/library-tests/semmle/go/dataflow/ExternalTaintFlow/test.go +++ b/go/ql/test/library-tests/semmle/go/dataflow/ExternalTaintFlow/test.go @@ -158,7 +158,7 @@ func simpleflow() { ch := make(chan string) ch <- a.Src1().(string) taint16 := test.StepArgCollectionContentRes(ch) - b.Sink1(taint16) // $ MISSING: hasTaintFlow="taint16" // currently fails due to lack of post-update nodes after send statements + b.Sink1(taint16) // $ hasTaintFlow="taint16" c1 := test.C{""} c1.Set(a.Src1().(string)) diff --git a/go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/test.go b/go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/test.go index f118880d4978..3c172e6082d2 100644 --- a/go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/test.go +++ b/go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/test.go @@ -158,7 +158,7 @@ func simpleflow() { ch := make(chan string) ch <- a.Src1().(string) taint16 := test.StepArgCollectionContentRes(ch) - b.Sink1(taint16) // $ MISSING: hasValueFlow="taint16" // currently fails due to lack of post-update nodes after send statements + b.Sink1(taint16) // $ hasValueFlow="taint16" c1 := test.C{""} c1.Set(a.Src1().(string)) diff --git a/go/ql/test/library-tests/semmle/go/dataflow/FlowSteps/LocalFlowStep.expected b/go/ql/test/library-tests/semmle/go/dataflow/FlowSteps/LocalFlowStep.expected index c6bfdfdc1d5a..5b6842bfaab5 100644 --- a/go/ql/test/library-tests/semmle/go/dataflow/FlowSteps/LocalFlowStep.expected +++ b/go/ql/test/library-tests/semmle/go/dataflow/FlowSteps/LocalFlowStep.expected @@ -49,27 +49,27 @@ | main.go:3:6:3:10 | function test1 | main.go:34:2:34:6 | test1 | | main.go:3:12:3:12 | argument corresponding to x | main.go:3:12:3:12 | definition of x | | main.go:3:12:3:12 | definition of x | main.go:5:5:5:5 | x | -| main.go:3:12:3:12 | definition of x | main.go:6:7:6:7 | x | -| main.go:3:12:3:12 | definition of x | main.go:8:8:8:8 | x | -| main.go:3:12:3:12 | definition of x | main.go:10:7:10:7 | x | -| main.go:3:12:3:12 | definition of x | main.go:10:22:10:22 | x | | main.go:3:19:3:20 | argument corresponding to fn | main.go:3:19:3:20 | definition of fn | | main.go:3:19:3:20 | definition of fn | main.go:10:24:10:25 | fn | -| main.go:6:3:6:3 | definition of y | main.go:10:2:10:2 | y = phi(def@6:3, def@8:3) | +| main.go:5:5:5:5 | x | main.go:6:7:6:7 | x | +| main.go:5:5:5:5 | x | main.go:8:8:8:8 | x | +| main.go:6:3:6:3 | definition of y | main.go:10:12:10:12 | y | | main.go:6:7:6:7 | x | main.go:6:3:6:3 | definition of y | -| main.go:8:3:8:3 | definition of y | main.go:10:2:10:2 | y = phi(def@6:3, def@8:3) | +| main.go:6:7:6:7 | x | main.go:10:7:10:7 | x | +| main.go:8:3:8:3 | definition of y | main.go:10:12:10:12 | y | | main.go:8:7:8:8 | -... | main.go:8:3:8:3 | definition of y | +| main.go:8:8:8:8 | x | main.go:10:7:10:7 | x | | main.go:10:2:10:2 | definition of z | main.go:11:14:11:14 | z | -| main.go:10:2:10:2 | y = phi(def@6:3, def@8:3) | main.go:10:12:10:12 | y | -| main.go:10:2:10:2 | y = phi(def@6:3, def@8:3) | main.go:10:17:10:17 | y | +| main.go:10:7:10:7 | x | main.go:10:22:10:22 | x | | main.go:10:7:10:12 | ...<=... | main.go:10:7:10:27 | ...&&... | | main.go:10:7:10:27 | ...&&... | main.go:10:2:10:2 | definition of z | +| main.go:10:12:10:12 | y | main.go:10:17:10:17 | y | | main.go:10:17:10:27 | ...>=... | main.go:10:7:10:27 | ...&&... | | main.go:11:14:11:14 | z | main.go:11:9:11:15 | type conversion | | main.go:14:6:14:10 | function test2 | main.go:34:8:34:12 | test2 | | main.go:14:6:14:10 | function test2 | main.go:34:19:34:23 | test2 | -| main.go:15:9:15:9 | 0 | main.go:15:2:15:4 | definition of acc | | main.go:16:9:19:2 | capture variable acc | main.go:17:3:17:5 | acc | +| main.go:17:3:17:7 | definition of acc | main.go:16:9:19:2 | capture variable acc | | main.go:17:3:17:7 | definition of acc | main.go:18:10:18:12 | acc | | main.go:17:3:17:7 | rhs of increment statement | main.go:17:3:17:7 | definition of acc | | main.go:22:12:22:12 | argument corresponding to b | main.go:22:12:22:12 | definition of b | @@ -84,50 +84,50 @@ | main.go:26:5:26:6 | definition of ok | main.go:27:5:27:6 | ok | | main.go:26:11:26:11 | x | main.go:26:2:26:17 | ... := ...[0] | | main.go:38:2:38:2 | definition of s | main.go:39:15:39:15 | s | -| main.go:38:2:38:2 | definition of s | main.go:40:15:40:15 | s | -| main.go:38:2:38:2 | definition of s | main.go:42:7:42:7 | s | | main.go:38:7:38:20 | slice literal | main.go:38:2:38:2 | definition of s | | main.go:39:2:39:3 | definition of s1 | main.go:40:18:40:19 | s1 | | main.go:39:8:39:25 | call to append | main.go:39:2:39:3 | definition of s1 | +| main.go:39:15:39:15 | s | main.go:40:15:40:15 | s | | main.go:40:2:40:3 | definition of s2 | main.go:43:9:43:10 | s2 | | main.go:40:8:40:23 | call to append | main.go:40:2:40:3 | definition of s2 | +| main.go:40:15:40:15 | s | main.go:42:7:42:7 | s | | main.go:41:2:41:3 | definition of s4 | main.go:42:10:42:11 | s4 | | main.go:41:8:41:21 | call to make | main.go:41:2:41:3 | definition of s4 | | main.go:46:13:46:14 | argument corresponding to xs | main.go:46:13:46:14 | definition of xs | | main.go:46:13:46:14 | definition of xs | main.go:47:20:47:21 | xs | -| main.go:46:24:46:27 | definition of keys | main.go:47:20:47:21 | keys = phi(def@46:24, def@49:3) | +| main.go:46:24:46:27 | definition of keys | main.go:46:24:46:27 | implicit read of keys | +| main.go:46:24:46:27 | definition of keys | main.go:49:3:49:6 | keys | | main.go:46:24:46:27 | zero value for keys | main.go:46:24:46:27 | definition of keys | -| main.go:46:34:46:37 | definition of vals | main.go:47:20:47:21 | vals = phi(def@46:34, def@48:3) | +| main.go:46:34:46:37 | definition of vals | main.go:46:34:46:37 | implicit read of vals | +| main.go:46:34:46:37 | definition of vals | main.go:48:3:48:6 | vals | | main.go:46:34:46:37 | zero value for vals | main.go:46:34:46:37 | definition of vals | | main.go:47:2:50:2 | range statement[0] | main.go:47:6:47:6 | definition of k | | main.go:47:2:50:2 | range statement[1] | main.go:47:9:47:9 | definition of v | | main.go:47:6:47:6 | definition of k | main.go:49:11:49:11 | k | | main.go:47:9:47:9 | definition of v | main.go:48:11:48:11 | v | -| main.go:47:20:47:21 | keys = phi(def@46:24, def@49:3) | main.go:46:24:46:27 | implicit read of keys | -| main.go:47:20:47:21 | keys = phi(def@46:24, def@49:3) | main.go:49:3:49:6 | keys | -| main.go:47:20:47:21 | vals = phi(def@46:34, def@48:3) | main.go:46:34:46:37 | implicit read of vals | -| main.go:47:20:47:21 | vals = phi(def@46:34, def@48:3) | main.go:48:3:48:6 | vals | -| main.go:48:3:48:6 | definition of vals | main.go:47:20:47:21 | vals = phi(def@46:34, def@48:3) | +| main.go:48:3:48:6 | definition of vals | main.go:46:34:46:37 | implicit read of vals | +| main.go:48:3:48:6 | definition of vals | main.go:48:3:48:6 | vals | | main.go:48:3:48:11 | ... += ... | main.go:48:3:48:6 | definition of vals | -| main.go:49:3:49:6 | definition of keys | main.go:47:20:47:21 | keys = phi(def@46:24, def@49:3) | +| main.go:49:3:49:6 | definition of keys | main.go:46:24:46:27 | implicit read of keys | +| main.go:49:3:49:6 | definition of keys | main.go:49:3:49:6 | keys | | main.go:49:3:49:11 | ... += ... | main.go:49:3:49:6 | definition of keys | | main.go:55:6:55:7 | definition of ch | main.go:56:2:56:3 | ch | -| main.go:55:6:55:7 | definition of ch | main.go:57:4:57:5 | ch | | main.go:55:6:55:7 | zero value for ch | main.go:55:6:55:7 | definition of ch | +| main.go:56:2:56:3 | ch | main.go:57:4:57:5 | ch | | main.go:61:2:61:2 | definition of x | main.go:64:11:64:11 | x | -| main.go:61:2:61:2 | definition of x | main.go:65:11:65:11 | x | | main.go:61:7:61:7 | 1 | main.go:61:2:61:2 | definition of x | | main.go:62:2:62:2 | definition of y | main.go:64:14:64:14 | y | -| main.go:62:2:62:2 | definition of y | main.go:65:14:65:14 | y | | main.go:62:7:62:7 | 2 | main.go:62:2:62:2 | definition of y | | main.go:63:2:63:2 | definition of z | main.go:64:17:64:17 | z | -| main.go:63:2:63:2 | definition of z | main.go:65:17:65:17 | z | | main.go:63:7:63:7 | 3 | main.go:63:2:63:2 | definition of z | | main.go:64:2:64:2 | definition of a | main.go:66:9:66:9 | a | | main.go:64:7:64:18 | call to min | main.go:64:2:64:2 | definition of a | | main.go:64:11:64:11 | x | main.go:64:7:64:18 | call to min | +| main.go:64:11:64:11 | x | main.go:65:11:65:11 | x | | main.go:64:14:64:14 | y | main.go:64:7:64:18 | call to min | +| main.go:64:14:64:14 | y | main.go:65:14:65:14 | y | | main.go:64:17:64:17 | z | main.go:64:7:64:18 | call to min | +| main.go:64:17:64:17 | z | main.go:65:17:65:17 | z | | main.go:65:2:65:2 | definition of b | main.go:66:12:66:12 | b | | main.go:65:7:65:18 | call to max | main.go:65:2:65:2 | definition of b | | main.go:65:11:65:11 | x | main.go:65:7:65:18 | call to max | @@ -135,62 +135,60 @@ | main.go:65:17:65:17 | z | main.go:65:7:65:18 | call to max | | strings.go:8:12:8:12 | argument corresponding to s | strings.go:8:12:8:12 | definition of s | | strings.go:8:12:8:12 | definition of s | strings.go:9:24:9:24 | s | -| strings.go:8:12:8:12 | definition of s | strings.go:10:27:10:27 | s | | strings.go:9:2:9:3 | definition of s2 | strings.go:11:20:11:21 | s2 | -| strings.go:9:2:9:3 | definition of s2 | strings.go:11:48:11:49 | s2 | | strings.go:9:8:9:38 | call to Replace | strings.go:9:2:9:3 | definition of s2 | +| strings.go:9:24:9:24 | s | strings.go:10:27:10:27 | s | | strings.go:10:2:10:3 | definition of s3 | strings.go:11:24:11:25 | s3 | -| strings.go:10:2:10:3 | definition of s3 | strings.go:11:67:11:68 | s3 | | strings.go:10:8:10:42 | call to ReplaceAll | strings.go:10:2:10:3 | definition of s3 | +| strings.go:11:20:11:21 | s2 | strings.go:11:48:11:49 | s2 | +| strings.go:11:24:11:25 | s3 | strings.go:11:67:11:68 | s3 | | url.go:8:12:8:12 | argument corresponding to b | url.go:8:12:8:12 | definition of b | | url.go:8:12:8:12 | definition of b | url.go:11:5:11:5 | b | | url.go:8:20:8:20 | argument corresponding to s | url.go:8:20:8:20 | definition of s | | url.go:8:20:8:20 | definition of s | url.go:12:46:12:46 | s | | url.go:8:20:8:20 | definition of s | url.go:14:48:14:48 | s | -| url.go:12:3:12:5 | definition of res | url.go:16:5:16:7 | res = phi(def@12:3, def@14:3) | +| url.go:12:3:12:5 | definition of res | url.go:19:9:19:11 | res | | url.go:12:3:12:48 | ... = ...[0] | url.go:12:3:12:5 | definition of res | | url.go:12:3:12:48 | ... = ...[1] | url.go:12:8:12:10 | definition of err | -| url.go:12:8:12:10 | definition of err | url.go:16:5:16:7 | err = phi(def@12:8, def@14:8) | -| url.go:14:3:14:5 | definition of res | url.go:16:5:16:7 | res = phi(def@12:3, def@14:3) | +| url.go:12:8:12:10 | definition of err | url.go:16:5:16:7 | err | +| url.go:14:3:14:5 | definition of res | url.go:19:9:19:11 | res | | url.go:14:3:14:50 | ... = ...[0] | url.go:14:3:14:5 | definition of res | | url.go:14:3:14:50 | ... = ...[1] | url.go:14:8:14:10 | definition of err | -| url.go:14:8:14:10 | definition of err | url.go:16:5:16:7 | err = phi(def@12:8, def@14:8) | -| url.go:16:5:16:7 | err = phi(def@12:8, def@14:8) | url.go:16:5:16:7 | err | -| url.go:16:5:16:7 | res = phi(def@12:3, def@14:3) | url.go:19:9:19:11 | res | +| url.go:14:8:14:10 | definition of err | url.go:16:5:16:7 | err | | url.go:22:12:22:12 | argument corresponding to i | url.go:22:12:22:12 | definition of i | | url.go:22:12:22:12 | definition of i | url.go:24:5:24:5 | i | | url.go:22:19:22:19 | argument corresponding to s | url.go:22:19:22:19 | definition of s | | url.go:22:19:22:19 | definition of s | url.go:23:20:23:20 | s | -| url.go:22:19:22:19 | definition of s | url.go:27:29:27:29 | s | | url.go:23:2:23:2 | definition of u | url.go:25:10:25:10 | u | | url.go:23:2:23:21 | ... := ...[0] | url.go:23:2:23:2 | definition of u | +| url.go:23:20:23:20 | s | url.go:27:29:27:29 | s | | url.go:27:2:27:2 | definition of u | url.go:28:14:28:14 | u | -| url.go:27:2:27:2 | definition of u | url.go:29:14:29:14 | u | -| url.go:27:2:27:2 | definition of u | url.go:30:11:30:11 | u | -| url.go:27:2:27:2 | definition of u | url.go:32:9:32:9 | u | | url.go:27:2:27:30 | ... = ...[0] | url.go:27:2:27:2 | definition of u | +| url.go:28:14:28:14 | u | url.go:29:14:29:14 | u | +| url.go:29:14:29:14 | u | url.go:30:11:30:11 | u | | url.go:30:2:30:3 | definition of bs | url.go:31:14:31:15 | bs | | url.go:30:2:30:27 | ... := ...[0] | url.go:30:2:30:3 | definition of bs | +| url.go:30:11:30:11 | u | url.go:32:9:32:9 | u | | url.go:32:2:32:2 | definition of u | url.go:33:14:33:14 | u | -| url.go:32:2:32:2 | definition of u | url.go:34:14:34:14 | u | -| url.go:32:2:32:2 | definition of u | url.go:35:14:35:14 | u | -| url.go:32:2:32:2 | definition of u | url.go:36:6:36:6 | u | -| url.go:32:2:32:2 | definition of u | url.go:36:25:36:25 | u | | url.go:32:2:32:23 | ... = ...[0] | url.go:32:2:32:2 | definition of u | +| url.go:33:14:33:14 | u | url.go:34:14:34:14 | u | +| url.go:34:14:34:14 | u | url.go:35:14:35:14 | u | +| url.go:35:14:35:14 | u | url.go:36:6:36:6 | u | | url.go:36:2:36:2 | definition of u | url.go:37:9:37:9 | u | +| url.go:36:6:36:6 | u | url.go:36:25:36:25 | u | | url.go:36:6:36:26 | call to ResolveReference | url.go:36:2:36:2 | definition of u | | url.go:42:2:42:3 | definition of ui | url.go:43:11:43:12 | ui | -| url.go:42:2:42:3 | definition of ui | url.go:45:14:45:15 | ui | -| url.go:42:2:42:3 | definition of ui | url.go:46:9:46:10 | ui | | url.go:42:7:42:38 | call to UserPassword | url.go:42:2:42:3 | definition of ui | | url.go:43:2:43:3 | definition of pw | url.go:44:14:44:15 | pw | | url.go:43:2:43:23 | ... := ...[0] | url.go:43:2:43:3 | definition of pw | +| url.go:43:11:43:12 | ui | url.go:45:14:45:15 | ui | +| url.go:45:14:45:15 | ui | url.go:46:9:46:10 | ui | | url.go:49:12:49:12 | argument corresponding to q | url.go:49:12:49:12 | definition of q | | url.go:49:12:49:12 | definition of q | url.go:50:25:50:25 | q | | url.go:50:2:50:2 | definition of v | url.go:51:14:51:14 | v | -| url.go:50:2:50:2 | definition of v | url.go:52:14:52:14 | v | -| url.go:50:2:50:2 | definition of v | url.go:53:9:53:9 | v | | url.go:50:2:50:26 | ... := ...[0] | url.go:50:2:50:2 | definition of v | +| url.go:51:14:51:14 | v | url.go:52:14:52:14 | v | +| url.go:52:14:52:14 | v | url.go:53:9:53:9 | v | | url.go:56:12:56:12 | argument corresponding to q | url.go:56:12:56:12 | definition of q | | url.go:56:12:56:12 | definition of q | url.go:57:29:57:29 | q | | url.go:57:2:57:8 | definition of joined1 | url.go:58:38:58:44 | joined1 | diff --git a/go/ql/test/library-tests/semmle/go/dataflow/GlobalValueNumbering/GlobalValueNumber.expected b/go/ql/test/library-tests/semmle/go/dataflow/GlobalValueNumbering/GlobalValueNumber.expected index 93b3593ec94e..328ebf25f517 100644 --- a/go/ql/test/library-tests/semmle/go/dataflow/GlobalValueNumbering/GlobalValueNumber.expected +++ b/go/ql/test/library-tests/semmle/go/dataflow/GlobalValueNumbering/GlobalValueNumber.expected @@ -27,12 +27,9 @@ | main.go:29:8:29:8 | 5 | main.go:29:8:29:8 | 5 | | main.go:30:9:30:9 | 6 | main.go:30:9:30:9 | 6 | | main.go:30:9:30:9 | definition of res | main.go:30:9:30:9 | 6 | -| main.go:33:15:33:17 | definition of res | main.go:10:7:10:7 | 0 | | main.go:33:15:33:17 | zero value for res | main.go:10:7:10:7 | 0 | -| main.go:34:2:34:4 | definition of res | main.go:34:8:34:8 | 7 | | main.go:34:8:34:8 | 7 | main.go:34:8:34:8 | 7 | | main.go:35:8:37:4 | function call | main.go:35:8:37:4 | function call | -| main.go:36:3:36:5 | definition of res | main.go:36:9:36:9 | 8 | | main.go:36:9:36:9 | 8 | main.go:36:9:36:9 | 8 | | main.go:38:9:38:9 | 9 | main.go:38:9:38:9 | 9 | | main.go:38:9:38:9 | definition of res | main.go:38:9:38:9 | 9 | diff --git a/go/ql/test/library-tests/semmle/go/dataflow/PromotedFields/LocalFlowStep.expected b/go/ql/test/library-tests/semmle/go/dataflow/PromotedFields/LocalFlowStep.expected index d61d6be9c5f9..a74e39db2f1a 100644 --- a/go/ql/test/library-tests/semmle/go/dataflow/PromotedFields/LocalFlowStep.expected +++ b/go/ql/test/library-tests/semmle/go/dataflow/PromotedFields/LocalFlowStep.expected @@ -79,106 +79,106 @@ | main.go:7:6:7:9 | function sink | main.go:149:2:149:5 | sink | | main.go:7:6:7:9 | function sink | main.go:150:2:150:5 | sink | | main.go:22:2:22:6 | definition of outer | main.go:25:7:25:11 | outer | -| main.go:22:2:22:6 | definition of outer | main.go:26:7:26:11 | outer | -| main.go:22:2:22:6 | definition of outer | main.go:27:7:27:11 | outer | -| main.go:22:2:22:6 | definition of outer | main.go:28:7:28:11 | outer | | main.go:22:11:24:2 | struct literal | main.go:22:2:22:6 | definition of outer | +| main.go:25:7:25:11 | outer | main.go:26:7:26:11 | outer | +| main.go:26:7:26:11 | outer | main.go:27:7:27:11 | outer | +| main.go:27:7:27:11 | outer | main.go:28:7:28:11 | outer | | main.go:30:2:30:7 | definition of outerp | main.go:33:7:33:12 | outerp | -| main.go:30:2:30:7 | definition of outerp | main.go:34:7:34:12 | outerp | -| main.go:30:2:30:7 | definition of outerp | main.go:35:7:35:12 | outerp | -| main.go:30:2:30:7 | definition of outerp | main.go:36:7:36:12 | outerp | | main.go:30:12:32:2 | &... | main.go:30:2:30:7 | definition of outerp | +| main.go:33:7:33:12 | outerp | main.go:34:7:34:12 | outerp | +| main.go:34:7:34:12 | outerp | main.go:35:7:35:12 | outerp | +| main.go:35:7:35:12 | outerp | main.go:36:7:36:12 | outerp | | main.go:40:2:40:6 | definition of outer | main.go:41:7:41:11 | outer | -| main.go:40:2:40:6 | definition of outer | main.go:42:7:42:11 | outer | -| main.go:40:2:40:6 | definition of outer | main.go:43:7:43:11 | outer | -| main.go:40:2:40:6 | definition of outer | main.go:44:7:44:11 | outer | | main.go:40:11:40:40 | struct literal | main.go:40:2:40:6 | definition of outer | +| main.go:41:7:41:11 | outer | main.go:42:7:42:11 | outer | +| main.go:42:7:42:11 | outer | main.go:43:7:43:11 | outer | +| main.go:43:7:43:11 | outer | main.go:44:7:44:11 | outer | | main.go:46:2:46:7 | definition of outerp | main.go:47:7:47:12 | outerp | -| main.go:46:2:46:7 | definition of outerp | main.go:48:7:48:12 | outerp | -| main.go:46:2:46:7 | definition of outerp | main.go:49:7:49:12 | outerp | -| main.go:46:2:46:7 | definition of outerp | main.go:50:7:50:12 | outerp | | main.go:46:12:46:42 | &... | main.go:46:2:46:7 | definition of outerp | +| main.go:47:7:47:12 | outerp | main.go:48:7:48:12 | outerp | +| main.go:48:7:48:12 | outerp | main.go:49:7:49:12 | outerp | +| main.go:49:7:49:12 | outerp | main.go:50:7:50:12 | outerp | | main.go:54:2:54:6 | definition of inner | main.go:55:19:55:23 | inner | | main.go:54:11:54:25 | struct literal | main.go:54:2:54:6 | definition of inner | | main.go:55:2:55:7 | definition of middle | main.go:56:17:56:22 | middle | | main.go:55:12:55:24 | struct literal | main.go:55:2:55:7 | definition of middle | | main.go:56:2:56:6 | definition of outer | main.go:57:7:57:11 | outer | -| main.go:56:2:56:6 | definition of outer | main.go:58:7:58:11 | outer | -| main.go:56:2:56:6 | definition of outer | main.go:59:7:59:11 | outer | -| main.go:56:2:56:6 | definition of outer | main.go:60:7:60:11 | outer | | main.go:56:11:56:23 | struct literal | main.go:56:2:56:6 | definition of outer | +| main.go:57:7:57:11 | outer | main.go:58:7:58:11 | outer | +| main.go:58:7:58:11 | outer | main.go:59:7:59:11 | outer | +| main.go:59:7:59:11 | outer | main.go:60:7:60:11 | outer | | main.go:62:2:62:7 | definition of innerp | main.go:63:20:63:25 | innerp | | main.go:62:12:62:26 | struct literal | main.go:62:2:62:7 | definition of innerp | | main.go:63:2:63:8 | definition of middlep | main.go:64:18:64:24 | middlep | | main.go:63:13:63:26 | struct literal | main.go:63:2:63:8 | definition of middlep | | main.go:64:2:64:7 | definition of outerp | main.go:65:7:65:12 | outerp | -| main.go:64:2:64:7 | definition of outerp | main.go:66:7:66:12 | outerp | -| main.go:64:2:64:7 | definition of outerp | main.go:67:7:67:12 | outerp | -| main.go:64:2:64:7 | definition of outerp | main.go:68:7:68:12 | outerp | | main.go:64:12:64:25 | struct literal | main.go:64:2:64:7 | definition of outerp | +| main.go:65:7:65:12 | outerp | main.go:66:7:66:12 | outerp | +| main.go:66:7:66:12 | outerp | main.go:67:7:67:12 | outerp | +| main.go:67:7:67:12 | outerp | main.go:68:7:68:12 | outerp | | main.go:72:2:72:6 | definition of inner | main.go:73:26:73:30 | inner | | main.go:72:11:72:25 | struct literal | main.go:72:2:72:6 | definition of inner | | main.go:73:2:73:7 | definition of middle | main.go:74:25:74:30 | middle | | main.go:73:12:73:31 | struct literal | main.go:73:2:73:7 | definition of middle | | main.go:74:2:74:6 | definition of outer | main.go:75:7:75:11 | outer | -| main.go:74:2:74:6 | definition of outer | main.go:76:7:76:11 | outer | -| main.go:74:2:74:6 | definition of outer | main.go:77:7:77:11 | outer | -| main.go:74:2:74:6 | definition of outer | main.go:78:7:78:11 | outer | | main.go:74:11:74:31 | struct literal | main.go:74:2:74:6 | definition of outer | +| main.go:75:7:75:11 | outer | main.go:76:7:76:11 | outer | +| main.go:76:7:76:11 | outer | main.go:77:7:77:11 | outer | +| main.go:77:7:77:11 | outer | main.go:78:7:78:11 | outer | | main.go:80:2:80:7 | definition of innerp | main.go:81:27:81:32 | innerp | | main.go:80:12:80:26 | struct literal | main.go:80:2:80:7 | definition of innerp | | main.go:81:2:81:8 | definition of middlep | main.go:82:26:82:32 | middlep | | main.go:81:13:81:33 | struct literal | main.go:81:2:81:8 | definition of middlep | | main.go:82:2:82:7 | definition of outerp | main.go:83:7:83:12 | outerp | -| main.go:82:2:82:7 | definition of outerp | main.go:84:7:84:12 | outerp | -| main.go:82:2:82:7 | definition of outerp | main.go:85:7:85:12 | outerp | -| main.go:82:2:82:7 | definition of outerp | main.go:86:7:86:12 | outerp | | main.go:82:12:82:33 | struct literal | main.go:82:2:82:7 | definition of outerp | +| main.go:83:7:83:12 | outerp | main.go:84:7:84:12 | outerp | +| main.go:84:7:84:12 | outerp | main.go:85:7:85:12 | outerp | +| main.go:85:7:85:12 | outerp | main.go:86:7:86:12 | outerp | | main.go:90:6:90:10 | definition of outer | main.go:91:2:91:6 | outer | -| main.go:90:6:90:10 | definition of outer | main.go:92:7:92:11 | outer | -| main.go:90:6:90:10 | definition of outer | main.go:93:7:93:11 | outer | -| main.go:90:6:90:10 | definition of outer | main.go:94:7:94:11 | outer | -| main.go:90:6:90:10 | definition of outer | main.go:95:7:95:11 | outer | | main.go:90:6:90:10 | zero value for outer | main.go:90:6:90:10 | definition of outer | +| main.go:91:2:91:6 | outer | main.go:92:7:92:11 | outer | +| main.go:92:7:92:11 | outer | main.go:93:7:93:11 | outer | +| main.go:93:7:93:11 | outer | main.go:94:7:94:11 | outer | +| main.go:94:7:94:11 | outer | main.go:95:7:95:11 | outer | | main.go:97:6:97:11 | definition of outerp | main.go:98:2:98:7 | outerp | -| main.go:97:6:97:11 | definition of outerp | main.go:99:7:99:12 | outerp | -| main.go:97:6:97:11 | definition of outerp | main.go:100:7:100:12 | outerp | -| main.go:97:6:97:11 | definition of outerp | main.go:101:7:101:12 | outerp | -| main.go:97:6:97:11 | definition of outerp | main.go:102:7:102:12 | outerp | | main.go:97:6:97:11 | zero value for outerp | main.go:97:6:97:11 | definition of outerp | +| main.go:98:2:98:7 | outerp | main.go:99:7:99:12 | outerp | +| main.go:99:7:99:12 | outerp | main.go:100:7:100:12 | outerp | +| main.go:100:7:100:12 | outerp | main.go:101:7:101:12 | outerp | +| main.go:101:7:101:12 | outerp | main.go:102:7:102:12 | outerp | | main.go:106:6:106:10 | definition of outer | main.go:107:2:107:6 | outer | -| main.go:106:6:106:10 | definition of outer | main.go:108:7:108:11 | outer | -| main.go:106:6:106:10 | definition of outer | main.go:109:7:109:11 | outer | -| main.go:106:6:106:10 | definition of outer | main.go:110:7:110:11 | outer | -| main.go:106:6:106:10 | definition of outer | main.go:111:7:111:11 | outer | | main.go:106:6:106:10 | zero value for outer | main.go:106:6:106:10 | definition of outer | +| main.go:107:2:107:6 | outer | main.go:108:7:108:11 | outer | +| main.go:108:7:108:11 | outer | main.go:109:7:109:11 | outer | +| main.go:109:7:109:11 | outer | main.go:110:7:110:11 | outer | +| main.go:110:7:110:11 | outer | main.go:111:7:111:11 | outer | | main.go:113:6:113:11 | definition of outerp | main.go:114:2:114:7 | outerp | -| main.go:113:6:113:11 | definition of outerp | main.go:115:7:115:12 | outerp | -| main.go:113:6:113:11 | definition of outerp | main.go:116:7:116:12 | outerp | -| main.go:113:6:113:11 | definition of outerp | main.go:117:7:117:12 | outerp | -| main.go:113:6:113:11 | definition of outerp | main.go:118:7:118:12 | outerp | | main.go:113:6:113:11 | zero value for outerp | main.go:113:6:113:11 | definition of outerp | +| main.go:114:2:114:7 | outerp | main.go:115:7:115:12 | outerp | +| main.go:115:7:115:12 | outerp | main.go:116:7:116:12 | outerp | +| main.go:116:7:116:12 | outerp | main.go:117:7:117:12 | outerp | +| main.go:117:7:117:12 | outerp | main.go:118:7:118:12 | outerp | | main.go:122:6:122:10 | definition of outer | main.go:123:2:123:6 | outer | -| main.go:122:6:122:10 | definition of outer | main.go:124:7:124:11 | outer | -| main.go:122:6:122:10 | definition of outer | main.go:125:7:125:11 | outer | -| main.go:122:6:122:10 | definition of outer | main.go:126:7:126:11 | outer | -| main.go:122:6:122:10 | definition of outer | main.go:127:7:127:11 | outer | | main.go:122:6:122:10 | zero value for outer | main.go:122:6:122:10 | definition of outer | +| main.go:123:2:123:6 | outer | main.go:124:7:124:11 | outer | +| main.go:124:7:124:11 | outer | main.go:125:7:125:11 | outer | +| main.go:125:7:125:11 | outer | main.go:126:7:126:11 | outer | +| main.go:126:7:126:11 | outer | main.go:127:7:127:11 | outer | | main.go:129:6:129:11 | definition of outerp | main.go:130:2:130:7 | outerp | -| main.go:129:6:129:11 | definition of outerp | main.go:131:7:131:12 | outerp | -| main.go:129:6:129:11 | definition of outerp | main.go:132:7:132:12 | outerp | -| main.go:129:6:129:11 | definition of outerp | main.go:133:7:133:12 | outerp | -| main.go:129:6:129:11 | definition of outerp | main.go:134:7:134:12 | outerp | | main.go:129:6:129:11 | zero value for outerp | main.go:129:6:129:11 | definition of outerp | +| main.go:130:2:130:7 | outerp | main.go:131:7:131:12 | outerp | +| main.go:131:7:131:12 | outerp | main.go:132:7:132:12 | outerp | +| main.go:132:7:132:12 | outerp | main.go:133:7:133:12 | outerp | +| main.go:133:7:133:12 | outerp | main.go:134:7:134:12 | outerp | | main.go:138:6:138:10 | definition of outer | main.go:139:2:139:6 | outer | -| main.go:138:6:138:10 | definition of outer | main.go:140:7:140:11 | outer | -| main.go:138:6:138:10 | definition of outer | main.go:141:7:141:11 | outer | -| main.go:138:6:138:10 | definition of outer | main.go:142:7:142:11 | outer | -| main.go:138:6:138:10 | definition of outer | main.go:143:7:143:11 | outer | | main.go:138:6:138:10 | zero value for outer | main.go:138:6:138:10 | definition of outer | +| main.go:139:2:139:6 | outer | main.go:140:7:140:11 | outer | +| main.go:140:7:140:11 | outer | main.go:141:7:141:11 | outer | +| main.go:141:7:141:11 | outer | main.go:142:7:142:11 | outer | +| main.go:142:7:142:11 | outer | main.go:143:7:143:11 | outer | | main.go:145:6:145:11 | definition of outerp | main.go:146:2:146:7 | outerp | -| main.go:145:6:145:11 | definition of outerp | main.go:147:7:147:12 | outerp | -| main.go:145:6:145:11 | definition of outerp | main.go:148:7:148:12 | outerp | -| main.go:145:6:145:11 | definition of outerp | main.go:149:7:149:12 | outerp | -| main.go:145:6:145:11 | definition of outerp | main.go:150:7:150:12 | outerp | | main.go:145:6:145:11 | zero value for outerp | main.go:145:6:145:11 | definition of outerp | +| main.go:146:2:146:7 | outerp | main.go:147:7:147:12 | outerp | +| main.go:147:7:147:12 | outerp | main.go:148:7:148:12 | outerp | +| main.go:148:7:148:12 | outerp | main.go:149:7:149:12 | outerp | +| main.go:149:7:149:12 | outerp | main.go:150:7:150:12 | outerp | diff --git a/go/ql/test/library-tests/semmle/go/dataflow/SSA/DefUse.expected b/go/ql/test/library-tests/semmle/go/dataflow/SSA/DefUse.expected index aad16b89ab6b..9fe33491cfd8 100644 --- a/go/ql/test/library-tests/semmle/go/dataflow/SSA/DefUse.expected +++ b/go/ql/test/library-tests/semmle/go/dataflow/SSA/DefUse.expected @@ -28,7 +28,15 @@ | main.go:84:15:84:15 | x | main.go:83:2:83:2 | definition of x | main.go:83:2:83:2 | x | | main.go:97:2:97:8 | wrapper | main.go:95:22:95:28 | definition of wrapper | main.go:95:22:95:28 | wrapper | | main.go:100:9:100:9 | x | main.go:97:2:99:3 | capture variable x | main.go:96:2:96:2 | x | -| main.go:117:2:117:2 | p | main.go:117:2:117:2 | p = phi(def@112:3, def@114:3) | main.go:110:6:110:6 | p | -| main.go:119:12:119:12 | p | main.go:117:2:117:2 | p = phi(def@112:3, def@114:3) | main.go:110:6:110:6 | p | -| main.go:119:17:119:17 | p | main.go:117:2:117:2 | p = phi(def@112:3, def@114:3) | main.go:110:6:110:6 | p | -| main.go:119:24:119:24 | p | main.go:117:2:117:2 | p = phi(def@112:3, def@114:3) | main.go:110:6:110:6 | p | +| main.go:105:2:105:8 | wrapper | main.go:103:20:103:26 | definition of wrapper | main.go:103:20:103:26 | wrapper | +| main.go:106:8:106:8 | x | main.go:105:16:108:2 | capture variable x | main.go:104:2:104:2 | x | +| main.go:107:7:107:7 | y | main.go:106:3:106:3 | definition of y | main.go:106:3:106:3 | y | +| main.go:109:9:109:9 | x | main.go:104:2:104:2 | definition of x | main.go:104:2:104:2 | x | +| main.go:114:2:114:8 | wrapper | main.go:112:29:112:35 | definition of wrapper | main.go:112:29:112:35 | wrapper | +| main.go:115:8:115:8 | x | main.go:114:16:117:2 | capture variable x | main.go:113:2:113:2 | x | +| main.go:116:7:116:7 | y | main.go:115:3:115:3 | definition of y | main.go:115:3:115:3 | y | +| main.go:118:9:118:9 | x | main.go:114:2:117:3 | capture variable x | main.go:113:2:113:2 | x | +| main.go:135:2:135:2 | p | main.go:135:2:135:2 | p = phi(def@130:3, def@132:3) | main.go:128:6:128:6 | p | +| main.go:137:12:137:12 | p | main.go:135:2:135:2 | p = phi(def@130:3, def@132:3) | main.go:128:6:128:6 | p | +| main.go:137:17:137:17 | p | main.go:135:2:135:2 | p = phi(def@130:3, def@132:3) | main.go:128:6:128:6 | p | +| main.go:137:24:137:24 | p | main.go:135:2:135:2 | p = phi(def@130:3, def@132:3) | main.go:128:6:128:6 | p | diff --git a/go/ql/test/library-tests/semmle/go/dataflow/SSA/SsaDefinition.expected b/go/ql/test/library-tests/semmle/go/dataflow/SSA/SsaDefinition.expected index bd905b5c2a70..750b6d3bf4d2 100644 --- a/go/ql/test/library-tests/semmle/go/dataflow/SSA/SsaDefinition.expected +++ b/go/ql/test/library-tests/semmle/go/dataflow/SSA/SsaDefinition.expected @@ -35,7 +35,15 @@ | main.go:95:22:95:28 | definition of wrapper | | main.go:96:2:96:2 | definition of x | | main.go:97:2:99:3 | capture variable x | -| main.go:98:3:98:3 | definition of x | -| main.go:112:3:112:3 | definition of p | -| main.go:114:3:114:3 | definition of p | -| main.go:117:2:117:2 | p = phi(def@112:3, def@114:3) | +| main.go:103:20:103:26 | definition of wrapper | +| main.go:104:2:104:2 | definition of x | +| main.go:105:16:108:2 | capture variable x | +| main.go:106:3:106:3 | definition of y | +| main.go:112:29:112:35 | definition of wrapper | +| main.go:113:2:113:2 | definition of x | +| main.go:114:2:117:3 | capture variable x | +| main.go:114:16:117:2 | capture variable x | +| main.go:115:3:115:3 | definition of y | +| main.go:130:3:130:3 | definition of p | +| main.go:132:3:132:3 | definition of p | +| main.go:135:2:135:2 | p = phi(def@130:3, def@132:3) | diff --git a/go/ql/test/library-tests/semmle/go/dataflow/SSA/SsaWithFields.expected b/go/ql/test/library-tests/semmle/go/dataflow/SSA/SsaWithFields.expected index 245a82acc839..0fe8c998c16f 100644 --- a/go/ql/test/library-tests/semmle/go/dataflow/SSA/SsaWithFields.expected +++ b/go/ql/test/library-tests/semmle/go/dataflow/SSA/SsaWithFields.expected @@ -36,11 +36,21 @@ | main.go:95:22:95:28 | (def@95:22).s | wrapper.s | | main.go:96:2:96:2 | (def@96:2) | x | | main.go:97:2:99:3 | (capture@97:2) | x | -| main.go:98:3:98:3 | (def@98:3) | x | -| main.go:112:3:112:3 | (def@112:3) | p | -| main.go:114:3:114:3 | (def@114:3) | p | -| main.go:117:2:117:2 | (phi@117:2) | p | -| main.go:117:2:117:2 | (phi@117:2).a | p.a | -| main.go:117:2:117:2 | (phi@117:2).b | p.b | -| main.go:117:2:117:2 | (phi@117:2).b.a | p.b.a | -| main.go:117:2:117:2 | (phi@117:2).c | p.c | +| main.go:103:20:103:26 | (def@103:20) | wrapper | +| main.go:103:20:103:26 | (def@103:20).s | wrapper.s | +| main.go:104:2:104:2 | (def@104:2) | x | +| main.go:105:16:108:2 | (capture@105:16) | x | +| main.go:106:3:106:3 | (def@106:3) | y | +| main.go:112:29:112:35 | (def@112:29) | wrapper | +| main.go:112:29:112:35 | (def@112:29).s | wrapper.s | +| main.go:113:2:113:2 | (def@113:2) | x | +| main.go:114:2:117:3 | (capture@114:2) | x | +| main.go:114:16:117:2 | (capture@114:16) | x | +| main.go:115:3:115:3 | (def@115:3) | y | +| main.go:130:3:130:3 | (def@130:3) | p | +| main.go:132:3:132:3 | (def@132:3) | p | +| main.go:135:2:135:2 | (phi@135:2) | p | +| main.go:135:2:135:2 | (phi@135:2).a | p.a | +| main.go:135:2:135:2 | (phi@135:2).b | p.b | +| main.go:135:2:135:2 | (phi@135:2).b.a | p.b.a | +| main.go:135:2:135:2 | (phi@135:2).c | p.c | diff --git a/go/ql/test/library-tests/semmle/go/dataflow/SSA/VarDefs.expected b/go/ql/test/library-tests/semmle/go/dataflow/SSA/VarDefs.expected index 2cadf9f87abf..6149ddfbb54a 100644 --- a/go/ql/test/library-tests/semmle/go/dataflow/SSA/VarDefs.expected +++ b/go/ql/test/library-tests/semmle/go/dataflow/SSA/VarDefs.expected @@ -32,16 +32,23 @@ | main.go:95:22:95:28 | initialization of wrapper | main.go:95:22:95:28 | wrapper | main.go:95:22:95:28 | argument corresponding to wrapper | | main.go:96:2:96:2 | assignment to x | main.go:96:2:96:2 | x | main.go:96:7:96:7 | 0 | | main.go:98:3:98:3 | assignment to x | main.go:96:2:96:2 | x | main.go:98:7:98:7 | 1 | -| main.go:110:6:110:6 | assignment to p | main.go:110:6:110:6 | p | main.go:110:6:110:6 | zero value for p | -| main.go:112:3:112:3 | assignment to p | main.go:110:6:110:6 | p | main.go:112:7:112:24 | struct literal | -| main.go:112:9:112:9 | init of 2 | main.go:104:2:104:2 | a | main.go:112:9:112:9 | 2 | -| main.go:112:12:112:18 | init of struct literal | main.go:105:2:105:2 | b | main.go:112:12:112:18 | struct literal | -| main.go:112:14:112:14 | init of 1 | main.go:89:2:89:2 | a | main.go:112:14:112:14 | 1 | -| main.go:112:17:112:17 | init of 5 | main.go:90:2:90:2 | b | main.go:112:17:112:17 | 5 | -| main.go:112:21:112:23 | init of 'n' | main.go:106:2:106:2 | c | main.go:112:21:112:23 | 'n' | -| main.go:114:3:114:3 | assignment to p | main.go:110:6:110:6 | p | main.go:114:7:114:24 | struct literal | -| main.go:114:9:114:9 | init of 3 | main.go:104:2:104:2 | a | main.go:114:9:114:9 | 3 | -| main.go:114:12:114:18 | init of struct literal | main.go:105:2:105:2 | b | main.go:114:12:114:18 | struct literal | -| main.go:114:14:114:14 | init of 4 | main.go:89:2:89:2 | a | main.go:114:14:114:14 | 4 | -| main.go:114:17:114:17 | init of 5 | main.go:90:2:90:2 | b | main.go:114:17:114:17 | 5 | -| main.go:114:21:114:23 | init of '2' | main.go:106:2:106:2 | c | main.go:114:21:114:23 | '2' | +| main.go:103:20:103:26 | initialization of wrapper | main.go:103:20:103:26 | wrapper | main.go:103:20:103:26 | argument corresponding to wrapper | +| main.go:104:2:104:2 | assignment to x | main.go:104:2:104:2 | x | main.go:104:7:104:7 | 0 | +| main.go:106:3:106:3 | assignment to y | main.go:106:3:106:3 | y | main.go:106:8:106:8 | x | +| main.go:112:29:112:35 | initialization of wrapper | main.go:112:29:112:35 | wrapper | main.go:112:29:112:35 | argument corresponding to wrapper | +| main.go:113:2:113:2 | assignment to x | main.go:113:2:113:2 | x | main.go:113:7:113:7 | 0 | +| main.go:115:3:115:3 | assignment to y | main.go:115:3:115:3 | y | main.go:115:8:115:12 | ...+... | +| main.go:116:3:116:3 | assignment to x | main.go:113:2:113:2 | x | main.go:116:7:116:7 | y | +| main.go:128:6:128:6 | assignment to p | main.go:128:6:128:6 | p | main.go:128:6:128:6 | zero value for p | +| main.go:130:3:130:3 | assignment to p | main.go:128:6:128:6 | p | main.go:130:7:130:24 | struct literal | +| main.go:130:9:130:9 | init of 2 | main.go:122:2:122:2 | a | main.go:130:9:130:9 | 2 | +| main.go:130:12:130:18 | init of struct literal | main.go:123:2:123:2 | b | main.go:130:12:130:18 | struct literal | +| main.go:130:14:130:14 | init of 1 | main.go:89:2:89:2 | a | main.go:130:14:130:14 | 1 | +| main.go:130:17:130:17 | init of 5 | main.go:90:2:90:2 | b | main.go:130:17:130:17 | 5 | +| main.go:130:21:130:23 | init of 'n' | main.go:124:2:124:2 | c | main.go:130:21:130:23 | 'n' | +| main.go:132:3:132:3 | assignment to p | main.go:128:6:128:6 | p | main.go:132:7:132:24 | struct literal | +| main.go:132:9:132:9 | init of 3 | main.go:122:2:122:2 | a | main.go:132:9:132:9 | 3 | +| main.go:132:12:132:18 | init of struct literal | main.go:123:2:123:2 | b | main.go:132:12:132:18 | struct literal | +| main.go:132:14:132:14 | init of 4 | main.go:89:2:89:2 | a | main.go:132:14:132:14 | 4 | +| main.go:132:17:132:17 | init of 5 | main.go:90:2:90:2 | b | main.go:132:17:132:17 | 5 | +| main.go:132:21:132:23 | init of '2' | main.go:124:2:124:2 | c | main.go:132:21:132:23 | '2' | diff --git a/go/ql/test/library-tests/semmle/go/dataflow/SSA/VarUses.expected b/go/ql/test/library-tests/semmle/go/dataflow/SSA/VarUses.expected index 332f859f0519..2e6b3c855c36 100644 --- a/go/ql/test/library-tests/semmle/go/dataflow/SSA/VarUses.expected +++ b/go/ql/test/library-tests/semmle/go/dataflow/SSA/VarUses.expected @@ -28,13 +28,29 @@ | main.go:84:15:84:15 | x | main.go:83:2:83:2 | x | | main.go:97:2:97:8 | wrapper | main.go:95:22:95:28 | wrapper | | main.go:97:2:97:10 | selection of s | main.go:95:38:95:38 | s | +| main.go:97:2:97:10 | selection of s | main.go:103:36:103:36 | s | +| main.go:97:2:97:10 | selection of s | main.go:112:45:112:45 | s | | main.go:100:9:100:9 | x | main.go:96:2:96:2 | x | -| main.go:117:2:117:2 | p | main.go:110:6:110:6 | p | -| main.go:117:2:117:4 | selection of b | main.go:105:2:105:2 | b | -| main.go:119:12:119:12 | p | main.go:110:6:110:6 | p | -| main.go:119:12:119:14 | selection of a | main.go:104:2:104:2 | a | -| main.go:119:17:119:17 | p | main.go:110:6:110:6 | p | -| main.go:119:17:119:19 | selection of b | main.go:105:2:105:2 | b | -| main.go:119:17:119:21 | selection of a | main.go:89:2:89:2 | a | -| main.go:119:24:119:24 | p | main.go:110:6:110:6 | p | -| main.go:119:24:119:26 | selection of c | main.go:106:2:106:2 | c | +| main.go:105:2:105:8 | wrapper | main.go:103:20:103:26 | wrapper | +| main.go:105:2:105:10 | selection of s | main.go:95:38:95:38 | s | +| main.go:105:2:105:10 | selection of s | main.go:103:36:103:36 | s | +| main.go:105:2:105:10 | selection of s | main.go:112:45:112:45 | s | +| main.go:106:8:106:8 | x | main.go:104:2:104:2 | x | +| main.go:107:7:107:7 | y | main.go:106:3:106:3 | y | +| main.go:109:9:109:9 | x | main.go:104:2:104:2 | x | +| main.go:114:2:114:8 | wrapper | main.go:112:29:112:35 | wrapper | +| main.go:114:2:114:10 | selection of s | main.go:95:38:95:38 | s | +| main.go:114:2:114:10 | selection of s | main.go:103:36:103:36 | s | +| main.go:114:2:114:10 | selection of s | main.go:112:45:112:45 | s | +| main.go:115:8:115:8 | x | main.go:113:2:113:2 | x | +| main.go:116:7:116:7 | y | main.go:115:3:115:3 | y | +| main.go:118:9:118:9 | x | main.go:113:2:113:2 | x | +| main.go:135:2:135:2 | p | main.go:128:6:128:6 | p | +| main.go:135:2:135:4 | selection of b | main.go:123:2:123:2 | b | +| main.go:137:12:137:12 | p | main.go:128:6:128:6 | p | +| main.go:137:12:137:14 | selection of a | main.go:122:2:122:2 | a | +| main.go:137:17:137:17 | p | main.go:128:6:128:6 | p | +| main.go:137:17:137:19 | selection of b | main.go:123:2:123:2 | b | +| main.go:137:17:137:21 | selection of a | main.go:89:2:89:2 | a | +| main.go:137:24:137:24 | p | main.go:128:6:128:6 | p | +| main.go:137:24:137:26 | selection of c | main.go:124:2:124:2 | c | diff --git a/go/ql/test/library-tests/semmle/go/dataflow/SSA/main.go b/go/ql/test/library-tests/semmle/go/dataflow/SSA/main.go index cda85fdfc664..3967c14469f4 100644 --- a/go/ql/test/library-tests/semmle/go/dataflow/SSA/main.go +++ b/go/ql/test/library-tests/semmle/go/dataflow/SSA/main.go @@ -100,6 +100,24 @@ func updateInClosure(wrapper struct{ s }) int { return x } +func readInClosure(wrapper struct{ s }) int { + x := 0 + wrapper.s.foo(func() { + y := x + _ = y + }) + return x +} + +func readAndUpdateInClosure(wrapper struct{ s }) int { + x := 0 + wrapper.s.foo(func() { + y := x + 1 + x = y + }) + return x +} + type t struct { a int b s diff --git a/go/ql/test/library-tests/semmle/go/frameworks/Beego/CleartextLogging.expected b/go/ql/test/library-tests/semmle/go/frameworks/Beego/CleartextLogging.expected index 6fd719423566..0983d245453b 100644 --- a/go/ql/test/library-tests/semmle/go/frameworks/Beego/CleartextLogging.expected +++ b/go/ql/test/library-tests/semmle/go/frameworks/Beego/CleartextLogging.expected @@ -1,5 +1,40 @@ edges +| test.go:153:17:153:24 | definition of password | test.go:154:14:154:21 | password | provenance | | +| test.go:153:17:153:24 | definition of password | test.go:155:17:155:24 | password | provenance | | +| test.go:153:17:153:24 | definition of password | test.go:156:14:156:21 | password | provenance | | +| test.go:153:17:153:24 | definition of password | test.go:157:18:157:25 | password | provenance | | +| test.go:153:17:153:24 | definition of password | test.go:158:14:158:21 | password | provenance | | +| test.go:153:17:153:24 | definition of password | test.go:159:13:159:20 | password | provenance | | +| test.go:153:17:153:24 | definition of password | test.go:160:22:160:29 | password | provenance | | +| test.go:153:17:153:24 | definition of password | test.go:161:15:161:22 | password | provenance | | +| test.go:153:17:153:24 | definition of password | test.go:162:14:162:21 | password | provenance | | +| test.go:153:17:153:24 | definition of password | test.go:163:13:163:20 | password | provenance | | +| test.go:153:17:153:24 | definition of password | test.go:164:16:164:23 | password | provenance | | +| test.go:153:17:153:24 | definition of password | test.go:165:13:165:20 | password | provenance | Sink:MaD:379 | +| test.go:153:17:153:24 | definition of password | test.go:166:16:166:23 | password | provenance | Sink:MaD:380 | +| test.go:153:17:153:24 | definition of password | test.go:167:13:167:20 | password | provenance | Sink:MaD:381 | +| test.go:153:17:153:24 | definition of password | test.go:168:17:168:24 | password | provenance | Sink:MaD:382 | +| test.go:153:17:153:24 | definition of password | test.go:169:13:169:20 | password | provenance | Sink:MaD:383 | +| test.go:153:17:153:24 | definition of password | test.go:170:12:170:19 | password | provenance | Sink:MaD:384 | +| test.go:153:17:153:24 | definition of password | test.go:171:21:171:28 | password | provenance | Sink:MaD:385 | +| test.go:153:17:153:24 | definition of password | test.go:172:14:172:21 | password | provenance | Sink:MaD:386 | +| test.go:153:17:153:24 | definition of password | test.go:173:13:173:20 | password | provenance | Sink:MaD:387 | +| test.go:153:17:153:24 | definition of password | test.go:174:12:174:19 | password | provenance | Sink:MaD:388 | +| test.go:153:17:153:24 | definition of password | test.go:175:15:175:22 | password | provenance | Sink:MaD:389 | +| test.go:153:17:153:24 | definition of password | test.go:176:15:176:22 | password | provenance | Sink:MaD:390 | +| test.go:153:17:153:24 | definition of password | test.go:177:18:177:25 | password | provenance | Sink:MaD:391 | +| test.go:153:17:153:24 | definition of password | test.go:178:15:178:22 | password | provenance | Sink:MaD:392 | +| test.go:153:17:153:24 | definition of password | test.go:179:19:179:26 | password | provenance | Sink:MaD:393 | +| test.go:153:17:153:24 | definition of password | test.go:180:15:180:22 | password | provenance | Sink:MaD:394 | +| test.go:153:17:153:24 | definition of password | test.go:181:14:181:21 | password | provenance | Sink:MaD:395 | +| test.go:153:17:153:24 | definition of password | test.go:182:23:182:30 | password | provenance | Sink:MaD:396 | +| test.go:153:17:153:24 | definition of password | test.go:183:16:183:23 | password | provenance | Sink:MaD:397 | +| test.go:153:17:153:24 | definition of password | test.go:184:15:184:22 | password | provenance | Sink:MaD:398 | +| test.go:153:17:153:24 | definition of password | test.go:185:14:185:21 | password | provenance | Sink:MaD:399 | +| test.go:153:17:153:24 | definition of password | test.go:186:17:186:24 | password | provenance | Sink:MaD:400 | +| test.go:153:17:153:24 | definition of password | test.go:187:16:187:23 | password | provenance | | nodes +| test.go:153:17:153:24 | definition of password | semmle.label | definition of password | | test.go:154:14:154:21 | password | semmle.label | password | | test.go:155:17:155:24 | password | semmle.label | password | | test.go:156:14:156:21 | password | semmle.label | password | @@ -36,37 +71,37 @@ nodes | test.go:187:16:187:23 | password | semmle.label | password | subpaths #select -| test.go:154:14:154:21 | password | test.go:154:14:154:21 | password | test.go:154:14:154:21 | password | $@ flows to a logging call. | test.go:154:14:154:21 | password | Sensitive data returned by an access to password | -| test.go:155:17:155:24 | password | test.go:155:17:155:24 | password | test.go:155:17:155:24 | password | $@ flows to a logging call. | test.go:155:17:155:24 | password | Sensitive data returned by an access to password | -| test.go:156:14:156:21 | password | test.go:156:14:156:21 | password | test.go:156:14:156:21 | password | $@ flows to a logging call. | test.go:156:14:156:21 | password | Sensitive data returned by an access to password | -| test.go:157:18:157:25 | password | test.go:157:18:157:25 | password | test.go:157:18:157:25 | password | $@ flows to a logging call. | test.go:157:18:157:25 | password | Sensitive data returned by an access to password | -| test.go:158:14:158:21 | password | test.go:158:14:158:21 | password | test.go:158:14:158:21 | password | $@ flows to a logging call. | test.go:158:14:158:21 | password | Sensitive data returned by an access to password | -| test.go:159:13:159:20 | password | test.go:159:13:159:20 | password | test.go:159:13:159:20 | password | $@ flows to a logging call. | test.go:159:13:159:20 | password | Sensitive data returned by an access to password | -| test.go:160:22:160:29 | password | test.go:160:22:160:29 | password | test.go:160:22:160:29 | password | $@ flows to a logging call. | test.go:160:22:160:29 | password | Sensitive data returned by an access to password | -| test.go:161:15:161:22 | password | test.go:161:15:161:22 | password | test.go:161:15:161:22 | password | $@ flows to a logging call. | test.go:161:15:161:22 | password | Sensitive data returned by an access to password | -| test.go:162:14:162:21 | password | test.go:162:14:162:21 | password | test.go:162:14:162:21 | password | $@ flows to a logging call. | test.go:162:14:162:21 | password | Sensitive data returned by an access to password | -| test.go:163:13:163:20 | password | test.go:163:13:163:20 | password | test.go:163:13:163:20 | password | $@ flows to a logging call. | test.go:163:13:163:20 | password | Sensitive data returned by an access to password | -| test.go:164:16:164:23 | password | test.go:164:16:164:23 | password | test.go:164:16:164:23 | password | $@ flows to a logging call. | test.go:164:16:164:23 | password | Sensitive data returned by an access to password | -| test.go:165:13:165:20 | password | test.go:165:13:165:20 | password | test.go:165:13:165:20 | password | $@ flows to a logging call. | test.go:165:13:165:20 | password | Sensitive data returned by an access to password | -| test.go:166:16:166:23 | password | test.go:166:16:166:23 | password | test.go:166:16:166:23 | password | $@ flows to a logging call. | test.go:166:16:166:23 | password | Sensitive data returned by an access to password | -| test.go:167:13:167:20 | password | test.go:167:13:167:20 | password | test.go:167:13:167:20 | password | $@ flows to a logging call. | test.go:167:13:167:20 | password | Sensitive data returned by an access to password | -| test.go:168:17:168:24 | password | test.go:168:17:168:24 | password | test.go:168:17:168:24 | password | $@ flows to a logging call. | test.go:168:17:168:24 | password | Sensitive data returned by an access to password | -| test.go:169:13:169:20 | password | test.go:169:13:169:20 | password | test.go:169:13:169:20 | password | $@ flows to a logging call. | test.go:169:13:169:20 | password | Sensitive data returned by an access to password | -| test.go:170:12:170:19 | password | test.go:170:12:170:19 | password | test.go:170:12:170:19 | password | $@ flows to a logging call. | test.go:170:12:170:19 | password | Sensitive data returned by an access to password | -| test.go:171:21:171:28 | password | test.go:171:21:171:28 | password | test.go:171:21:171:28 | password | $@ flows to a logging call. | test.go:171:21:171:28 | password | Sensitive data returned by an access to password | -| test.go:172:14:172:21 | password | test.go:172:14:172:21 | password | test.go:172:14:172:21 | password | $@ flows to a logging call. | test.go:172:14:172:21 | password | Sensitive data returned by an access to password | -| test.go:173:13:173:20 | password | test.go:173:13:173:20 | password | test.go:173:13:173:20 | password | $@ flows to a logging call. | test.go:173:13:173:20 | password | Sensitive data returned by an access to password | -| test.go:174:12:174:19 | password | test.go:174:12:174:19 | password | test.go:174:12:174:19 | password | $@ flows to a logging call. | test.go:174:12:174:19 | password | Sensitive data returned by an access to password | -| test.go:175:15:175:22 | password | test.go:175:15:175:22 | password | test.go:175:15:175:22 | password | $@ flows to a logging call. | test.go:175:15:175:22 | password | Sensitive data returned by an access to password | -| test.go:176:15:176:22 | password | test.go:176:15:176:22 | password | test.go:176:15:176:22 | password | $@ flows to a logging call. | test.go:176:15:176:22 | password | Sensitive data returned by an access to password | -| test.go:177:18:177:25 | password | test.go:177:18:177:25 | password | test.go:177:18:177:25 | password | $@ flows to a logging call. | test.go:177:18:177:25 | password | Sensitive data returned by an access to password | -| test.go:178:15:178:22 | password | test.go:178:15:178:22 | password | test.go:178:15:178:22 | password | $@ flows to a logging call. | test.go:178:15:178:22 | password | Sensitive data returned by an access to password | -| test.go:179:19:179:26 | password | test.go:179:19:179:26 | password | test.go:179:19:179:26 | password | $@ flows to a logging call. | test.go:179:19:179:26 | password | Sensitive data returned by an access to password | -| test.go:180:15:180:22 | password | test.go:180:15:180:22 | password | test.go:180:15:180:22 | password | $@ flows to a logging call. | test.go:180:15:180:22 | password | Sensitive data returned by an access to password | -| test.go:181:14:181:21 | password | test.go:181:14:181:21 | password | test.go:181:14:181:21 | password | $@ flows to a logging call. | test.go:181:14:181:21 | password | Sensitive data returned by an access to password | -| test.go:182:23:182:30 | password | test.go:182:23:182:30 | password | test.go:182:23:182:30 | password | $@ flows to a logging call. | test.go:182:23:182:30 | password | Sensitive data returned by an access to password | -| test.go:183:16:183:23 | password | test.go:183:16:183:23 | password | test.go:183:16:183:23 | password | $@ flows to a logging call. | test.go:183:16:183:23 | password | Sensitive data returned by an access to password | -| test.go:184:15:184:22 | password | test.go:184:15:184:22 | password | test.go:184:15:184:22 | password | $@ flows to a logging call. | test.go:184:15:184:22 | password | Sensitive data returned by an access to password | -| test.go:185:14:185:21 | password | test.go:185:14:185:21 | password | test.go:185:14:185:21 | password | $@ flows to a logging call. | test.go:185:14:185:21 | password | Sensitive data returned by an access to password | -| test.go:186:17:186:24 | password | test.go:186:17:186:24 | password | test.go:186:17:186:24 | password | $@ flows to a logging call. | test.go:186:17:186:24 | password | Sensitive data returned by an access to password | -| test.go:187:16:187:23 | password | test.go:187:16:187:23 | password | test.go:187:16:187:23 | password | $@ flows to a logging call. | test.go:187:16:187:23 | password | Sensitive data returned by an access to password | +| test.go:154:14:154:21 | password | test.go:153:17:153:24 | definition of password | test.go:154:14:154:21 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:155:17:155:24 | password | test.go:153:17:153:24 | definition of password | test.go:155:17:155:24 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:156:14:156:21 | password | test.go:153:17:153:24 | definition of password | test.go:156:14:156:21 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:157:18:157:25 | password | test.go:153:17:153:24 | definition of password | test.go:157:18:157:25 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:158:14:158:21 | password | test.go:153:17:153:24 | definition of password | test.go:158:14:158:21 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:159:13:159:20 | password | test.go:153:17:153:24 | definition of password | test.go:159:13:159:20 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:160:22:160:29 | password | test.go:153:17:153:24 | definition of password | test.go:160:22:160:29 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:161:15:161:22 | password | test.go:153:17:153:24 | definition of password | test.go:161:15:161:22 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:162:14:162:21 | password | test.go:153:17:153:24 | definition of password | test.go:162:14:162:21 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:163:13:163:20 | password | test.go:153:17:153:24 | definition of password | test.go:163:13:163:20 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:164:16:164:23 | password | test.go:153:17:153:24 | definition of password | test.go:164:16:164:23 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:165:13:165:20 | password | test.go:153:17:153:24 | definition of password | test.go:165:13:165:20 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:166:16:166:23 | password | test.go:153:17:153:24 | definition of password | test.go:166:16:166:23 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:167:13:167:20 | password | test.go:153:17:153:24 | definition of password | test.go:167:13:167:20 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:168:17:168:24 | password | test.go:153:17:153:24 | definition of password | test.go:168:17:168:24 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:169:13:169:20 | password | test.go:153:17:153:24 | definition of password | test.go:169:13:169:20 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:170:12:170:19 | password | test.go:153:17:153:24 | definition of password | test.go:170:12:170:19 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:171:21:171:28 | password | test.go:153:17:153:24 | definition of password | test.go:171:21:171:28 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:172:14:172:21 | password | test.go:153:17:153:24 | definition of password | test.go:172:14:172:21 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:173:13:173:20 | password | test.go:153:17:153:24 | definition of password | test.go:173:13:173:20 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:174:12:174:19 | password | test.go:153:17:153:24 | definition of password | test.go:174:12:174:19 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:175:15:175:22 | password | test.go:153:17:153:24 | definition of password | test.go:175:15:175:22 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:176:15:176:22 | password | test.go:153:17:153:24 | definition of password | test.go:176:15:176:22 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:177:18:177:25 | password | test.go:153:17:153:24 | definition of password | test.go:177:18:177:25 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:178:15:178:22 | password | test.go:153:17:153:24 | definition of password | test.go:178:15:178:22 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:179:19:179:26 | password | test.go:153:17:153:24 | definition of password | test.go:179:19:179:26 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:180:15:180:22 | password | test.go:153:17:153:24 | definition of password | test.go:180:15:180:22 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:181:14:181:21 | password | test.go:153:17:153:24 | definition of password | test.go:181:14:181:21 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:182:23:182:30 | password | test.go:153:17:153:24 | definition of password | test.go:182:23:182:30 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:183:16:183:23 | password | test.go:153:17:153:24 | definition of password | test.go:183:16:183:23 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:184:15:184:22 | password | test.go:153:17:153:24 | definition of password | test.go:184:15:184:22 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:185:14:185:21 | password | test.go:153:17:153:24 | definition of password | test.go:185:14:185:21 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:186:17:186:24 | password | test.go:153:17:153:24 | definition of password | test.go:186:17:186:24 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:187:16:187:23 | password | test.go:153:17:153:24 | definition of password | test.go:187:16:187:23 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | diff --git a/go/ql/test/library-tests/semmle/go/frameworks/Echo/OpenRedirect.expected b/go/ql/test/library-tests/semmle/go/frameworks/Echo/OpenRedirect.expected index 4b38e6e8c479..bebd53c1ac55 100644 --- a/go/ql/test/library-tests/semmle/go/frameworks/Echo/OpenRedirect.expected +++ b/go/ql/test/library-tests/semmle/go/frameworks/Echo/OpenRedirect.expected @@ -1,14 +1,14 @@ #select | test.go:173:20:173:24 | param | test.go:172:11:172:32 | call to Param | test.go:173:20:173:24 | param | This path to an untrusted URL redirection depends on a $@. | test.go:172:11:172:32 | call to Param | user-provided value | -| test.go:182:20:182:28 | ...+... | test.go:178:11:178:32 | call to Param | test.go:182:20:182:28 | ...+... | This path to an untrusted URL redirection depends on a $@. | test.go:178:11:178:32 | call to Param | user-provided value | +| test.go:185:20:185:29 | ...+... | test.go:178:11:178:32 | call to Param | test.go:185:20:185:29 | ...+... | This path to an untrusted URL redirection depends on a $@. | test.go:178:11:178:32 | call to Param | user-provided value | edges | test.go:172:11:172:32 | call to Param | test.go:173:20:173:24 | param | provenance | Src:MaD:2 Sink:MaD:1 | -| test.go:178:11:178:32 | call to Param | test.go:182:24:182:28 | param | provenance | Src:MaD:2 | -| test.go:182:24:182:28 | param | test.go:182:20:182:28 | ...+... | provenance | Config Sink:MaD:1 | -| test.go:190:9:190:26 | star expression | test.go:190:10:190:26 | selection of URL | provenance | Config | -| test.go:190:9:190:26 | star expression | test.go:193:21:193:23 | url | provenance | | -| test.go:190:10:190:26 | selection of URL | test.go:190:9:190:26 | star expression | provenance | Src:MaD:3 Config | -| test.go:193:21:193:23 | url | test.go:193:21:193:32 | call to String | provenance | Config Sink:MaD:1 | +| test.go:178:11:178:32 | call to Param | test.go:185:24:185:29 | param2 | provenance | Src:MaD:2 | +| test.go:185:24:185:29 | param2 | test.go:185:20:185:29 | ...+... | provenance | Config Sink:MaD:1 | +| test.go:193:9:193:26 | star expression | test.go:193:10:193:26 | selection of URL | provenance | Config | +| test.go:193:9:193:26 | star expression | test.go:196:21:196:23 | url | provenance | | +| test.go:193:10:193:26 | selection of URL | test.go:193:9:193:26 | star expression | provenance | Src:MaD:3 Config | +| test.go:196:21:196:23 | url | test.go:196:21:196:32 | call to String | provenance | Config Sink:MaD:1 | models | 1 | Sink: github.com/labstack/echo; Context; true; Redirect; ; ; Argument[1]; url-redirection; manual | | 2 | Source: github.com/labstack/echo; Context; true; Param; ; ; ReturnValue[0]; remote; manual | @@ -17,10 +17,10 @@ nodes | test.go:172:11:172:32 | call to Param | semmle.label | call to Param | | test.go:173:20:173:24 | param | semmle.label | param | | test.go:178:11:178:32 | call to Param | semmle.label | call to Param | -| test.go:182:20:182:28 | ...+... | semmle.label | ...+... | -| test.go:182:24:182:28 | param | semmle.label | param | -| test.go:190:9:190:26 | star expression | semmle.label | star expression | -| test.go:190:10:190:26 | selection of URL | semmle.label | selection of URL | -| test.go:193:21:193:23 | url | semmle.label | url | -| test.go:193:21:193:32 | call to String | semmle.label | call to String | +| test.go:185:20:185:29 | ...+... | semmle.label | ...+... | +| test.go:185:24:185:29 | param2 | semmle.label | param2 | +| test.go:193:9:193:26 | star expression | semmle.label | star expression | +| test.go:193:10:193:26 | selection of URL | semmle.label | selection of URL | +| test.go:196:21:196:23 | url | semmle.label | url | +| test.go:196:21:196:32 | call to String | semmle.label | call to String | subpaths diff --git a/go/ql/test/library-tests/semmle/go/frameworks/Echo/TaintedPath.expected b/go/ql/test/library-tests/semmle/go/frameworks/Echo/TaintedPath.expected index c579c480fb3e..6a26aba5d76f 100644 --- a/go/ql/test/library-tests/semmle/go/frameworks/Echo/TaintedPath.expected +++ b/go/ql/test/library-tests/semmle/go/frameworks/Echo/TaintedPath.expected @@ -1,16 +1,16 @@ #select -| test.go:222:17:222:24 | filepath | test.go:221:15:221:38 | call to QueryParam | test.go:222:17:222:24 | filepath | This path depends on a $@. | test.go:221:15:221:38 | call to QueryParam | user-provided value | -| test.go:226:23:226:30 | filepath | test.go:225:15:225:38 | call to QueryParam | test.go:226:23:226:30 | filepath | This path depends on a $@. | test.go:225:15:225:38 | call to QueryParam | user-provided value | +| test.go:225:17:225:24 | filepath | test.go:224:15:224:38 | call to QueryParam | test.go:225:17:225:24 | filepath | This path depends on a $@. | test.go:224:15:224:38 | call to QueryParam | user-provided value | +| test.go:229:23:229:30 | filepath | test.go:228:15:228:38 | call to QueryParam | test.go:229:23:229:30 | filepath | This path depends on a $@. | test.go:228:15:228:38 | call to QueryParam | user-provided value | edges -| test.go:221:15:221:38 | call to QueryParam | test.go:222:17:222:24 | filepath | provenance | Src:MaD:3 Sink:MaD:2 | -| test.go:225:15:225:38 | call to QueryParam | test.go:226:23:226:30 | filepath | provenance | Src:MaD:3 Sink:MaD:1 | +| test.go:224:15:224:38 | call to QueryParam | test.go:225:17:225:24 | filepath | provenance | Src:MaD:3 Sink:MaD:2 | +| test.go:228:15:228:38 | call to QueryParam | test.go:229:23:229:30 | filepath | provenance | Src:MaD:3 Sink:MaD:1 | models | 1 | Sink: github.com/labstack/echo; Context; true; Attachment; ; ; Argument[0]; path-injection; manual | | 2 | Sink: github.com/labstack/echo; Context; true; File; ; ; Argument[0]; path-injection; manual | | 3 | Source: github.com/labstack/echo; Context; true; QueryParam; ; ; ReturnValue[0]; remote; manual | nodes -| test.go:221:15:221:38 | call to QueryParam | semmle.label | call to QueryParam | -| test.go:222:17:222:24 | filepath | semmle.label | filepath | -| test.go:225:15:225:38 | call to QueryParam | semmle.label | call to QueryParam | -| test.go:226:23:226:30 | filepath | semmle.label | filepath | +| test.go:224:15:224:38 | call to QueryParam | semmle.label | call to QueryParam | +| test.go:225:17:225:24 | filepath | semmle.label | filepath | +| test.go:228:15:228:38 | call to QueryParam | semmle.label | call to QueryParam | +| test.go:229:23:229:30 | filepath | semmle.label | filepath | subpaths diff --git a/go/ql/test/library-tests/semmle/go/frameworks/Echo/test.go b/go/ql/test/library-tests/semmle/go/frameworks/Echo/test.go index 45f92cd19cbf..a15fb819ccc5 100644 --- a/go/ql/test/library-tests/semmle/go/frameworks/Echo/test.go +++ b/go/ql/test/library-tests/semmle/go/frameworks/Echo/test.go @@ -176,12 +176,15 @@ func testRedirect(ctx echo.Context) error { func testLocalRedirects(ctx echo.Context) error { param := ctx.Param("someParam") + param2 := param + param3 := param + // Gratuitious copy because sanitization of uses propagates to subsequent uses // GOOD: local redirects are unproblematic ctx.Redirect(301, "/local"+param) // BAD: this could be a non-local redirect - ctx.Redirect(301, "/"+param) + ctx.Redirect(301, "/"+param2) // GOOD: localhost redirects are unproblematic - ctx.Redirect(301, "//localhost/"+param) + ctx.Redirect(301, "//localhost/"+param3) return nil } diff --git a/go/ql/test/library-tests/semmle/go/frameworks/Twirp/RequestForgery.expected b/go/ql/test/library-tests/semmle/go/frameworks/Twirp/RequestForgery.expected index 6bda68257ef4..116ea34839b9 100644 --- a/go/ql/test/library-tests/semmle/go/frameworks/Twirp/RequestForgery.expected +++ b/go/ql/test/library-tests/semmle/go/frameworks/Twirp/RequestForgery.expected @@ -1,46 +1,23 @@ #select -| server/main.go:30:38:30:48 | selection of Text | rpc/notes/service.twirp.go:538:25:538:32 | selection of Body | server/main.go:30:38:30:48 | selection of Text | The $@ of this request depends on a $@. | server/main.go:30:38:30:48 | selection of Text | URL | rpc/notes/service.twirp.go:538:25:538:32 | selection of Body | user-provided value | | server/main.go:30:38:30:48 | selection of Text | server/main.go:19:56:19:61 | definition of params | server/main.go:30:38:30:48 | selection of Text | The $@ of this request depends on a $@. | server/main.go:30:38:30:48 | selection of Text | URL | server/main.go:19:56:19:61 | definition of params | user-provided value | edges | client/main.go:16:35:16:78 | &... | server/main.go:19:56:19:61 | definition of params | provenance | | | rpc/notes/service.twirp.go:473:6:473:13 | definition of typedReq | rpc/notes/service.twirp.go:477:44:477:51 | typedReq | provenance | | | rpc/notes/service.twirp.go:477:44:477:51 | typedReq | server/main.go:19:56:19:61 | definition of params | provenance | | -| rpc/notes/service.twirp.go:493:2:496:2 | capture variable reqContent | rpc/notes/service.twirp.go:495:35:495:44 | reqContent | provenance | | -| rpc/notes/service.twirp.go:495:35:495:44 | reqContent | server/main.go:19:56:19:61 | definition of params | provenance | | -| rpc/notes/service.twirp.go:538:2:538:33 | ... := ...[0] | rpc/notes/service.twirp.go:544:27:544:29 | buf | provenance | | -| rpc/notes/service.twirp.go:538:25:538:32 | selection of Body | rpc/notes/service.twirp.go:538:2:538:33 | ... := ...[0] | provenance | Src:MaD:1 MaD:3 | -| rpc/notes/service.twirp.go:543:2:543:11 | definition of reqContent | rpc/notes/service.twirp.go:574:2:577:2 | capture variable reqContent | provenance | | -| rpc/notes/service.twirp.go:544:27:544:29 | buf | rpc/notes/service.twirp.go:543:2:543:11 | definition of reqContent | provenance | MaD:2 | | rpc/notes/service.twirp.go:554:6:554:13 | definition of typedReq | rpc/notes/service.twirp.go:558:44:558:51 | typedReq | provenance | | | rpc/notes/service.twirp.go:558:44:558:51 | typedReq | server/main.go:19:56:19:61 | definition of params | provenance | | -| rpc/notes/service.twirp.go:574:2:577:2 | capture variable reqContent | rpc/notes/service.twirp.go:576:35:576:44 | reqContent | provenance | | -| rpc/notes/service.twirp.go:576:35:576:44 | reqContent | server/main.go:19:56:19:61 | definition of params | provenance | | | server/main.go:19:56:19:61 | definition of params | server/main.go:19:56:19:61 | definition of params [Return] | provenance | | | server/main.go:19:56:19:61 | definition of params | server/main.go:30:38:30:48 | selection of Text | provenance | | | server/main.go:19:56:19:61 | definition of params | server/main.go:30:38:30:48 | selection of Text | provenance | | | server/main.go:19:56:19:61 | definition of params [Return] | client/main.go:16:35:16:78 | &... | provenance | | | server/main.go:19:56:19:61 | definition of params [Return] | rpc/notes/service.twirp.go:473:6:473:13 | definition of typedReq | provenance | | -| server/main.go:19:56:19:61 | definition of params [Return] | rpc/notes/service.twirp.go:493:2:496:2 | capture variable reqContent | provenance | | | server/main.go:19:56:19:61 | definition of params [Return] | rpc/notes/service.twirp.go:554:6:554:13 | definition of typedReq | provenance | | -| server/main.go:19:56:19:61 | definition of params [Return] | rpc/notes/service.twirp.go:574:2:577:2 | capture variable reqContent | provenance | | -models -| 1 | Source: net/http; Request; true; Body; ; ; ; remote; manual | -| 2 | Summary: google.golang.org/protobuf/proto; ; false; Unmarshal; ; ; Argument[0]; Argument[1]; taint; manual | -| 3 | Summary: io; ; false; ReadAll; ; ; Argument[0]; ReturnValue[0]; taint; manual | nodes | client/main.go:16:35:16:78 | &... | semmle.label | &... | | rpc/notes/service.twirp.go:473:6:473:13 | definition of typedReq | semmle.label | definition of typedReq | | rpc/notes/service.twirp.go:477:44:477:51 | typedReq | semmle.label | typedReq | -| rpc/notes/service.twirp.go:493:2:496:2 | capture variable reqContent | semmle.label | capture variable reqContent | -| rpc/notes/service.twirp.go:495:35:495:44 | reqContent | semmle.label | reqContent | -| rpc/notes/service.twirp.go:538:2:538:33 | ... := ...[0] | semmle.label | ... := ...[0] | -| rpc/notes/service.twirp.go:538:25:538:32 | selection of Body | semmle.label | selection of Body | -| rpc/notes/service.twirp.go:543:2:543:11 | definition of reqContent | semmle.label | definition of reqContent | -| rpc/notes/service.twirp.go:544:27:544:29 | buf | semmle.label | buf | | rpc/notes/service.twirp.go:554:6:554:13 | definition of typedReq | semmle.label | definition of typedReq | | rpc/notes/service.twirp.go:558:44:558:51 | typedReq | semmle.label | typedReq | -| rpc/notes/service.twirp.go:574:2:577:2 | capture variable reqContent | semmle.label | capture variable reqContent | -| rpc/notes/service.twirp.go:576:35:576:44 | reqContent | semmle.label | reqContent | | server/main.go:19:56:19:61 | definition of params | semmle.label | definition of params | | server/main.go:19:56:19:61 | definition of params | semmle.label | definition of params | | server/main.go:19:56:19:61 | definition of params [Return] | semmle.label | definition of params [Return] | diff --git a/go/ql/test/query-tests/InconsistentCode/UnhandledCloseWritableHandle/UnhandledCloseWritableHandle.expected b/go/ql/test/query-tests/InconsistentCode/UnhandledCloseWritableHandle/UnhandledCloseWritableHandle.expected index 672e1a5cc8f1..773be5fe11cf 100644 --- a/go/ql/test/query-tests/InconsistentCode/UnhandledCloseWritableHandle/UnhandledCloseWritableHandle.expected +++ b/go/ql/test/query-tests/InconsistentCode/UnhandledCloseWritableHandle/UnhandledCloseWritableHandle.expected @@ -1,24 +1,16 @@ #select | tests.go:9:8:9:8 | f | tests.go:31:5:31:78 | ... := ...[0] | tests.go:9:8:9:8 | f | File handle may be writable as a result of data flow from a $@ and closing it may result in data loss upon failure, which is not handled explicitly. | tests.go:31:15:31:78 | call to OpenFile | call to OpenFile | | tests.go:9:8:9:8 | f | tests.go:45:5:45:76 | ... := ...[0] | tests.go:9:8:9:8 | f | File handle may be writable as a result of data flow from a $@ and closing it may result in data loss upon failure, which is not handled explicitly. | tests.go:45:15:45:76 | call to OpenFile | call to OpenFile | -| tests.go:14:3:14:3 | f | tests.go:31:5:31:78 | ... := ...[0] | tests.go:14:3:14:3 | f | File handle may be writable as a result of data flow from a $@ and closing it may result in data loss upon failure, which is not handled explicitly. | tests.go:31:15:31:78 | call to OpenFile | call to OpenFile | -| tests.go:14:3:14:3 | f | tests.go:45:5:45:76 | ... := ...[0] | tests.go:14:3:14:3 | f | File handle may be writable as a result of data flow from a $@ and closing it may result in data loss upon failure, which is not handled explicitly. | tests.go:45:15:45:76 | call to OpenFile | call to OpenFile | | tests.go:56:3:56:3 | f | tests.go:54:5:54:78 | ... := ...[0] | tests.go:56:3:56:3 | f | File handle may be writable as a result of data flow from a $@ and closing it may result in data loss upon failure, which is not handled explicitly. | tests.go:54:15:54:78 | call to OpenFile | call to OpenFile | | tests.go:68:3:68:3 | f | tests.go:66:5:66:76 | ... := ...[0] | tests.go:68:3:68:3 | f | File handle may be writable as a result of data flow from a $@ and closing it may result in data loss upon failure, which is not handled explicitly. | tests.go:66:15:66:76 | call to OpenFile | call to OpenFile | | tests.go:110:9:110:9 | f | tests.go:108:5:108:78 | ... := ...[0] | tests.go:110:9:110:9 | f | File handle may be writable as a result of data flow from a $@ and closing it may result in data loss upon failure, which is not handled explicitly. | tests.go:108:15:108:78 | call to OpenFile | call to OpenFile | | tests.go:129:3:129:3 | f | tests.go:125:5:125:78 | ... := ...[0] | tests.go:129:3:129:3 | f | File handle may be writable as a result of data flow from a $@ and closing it may result in data loss upon failure, which is not handled explicitly. | tests.go:125:15:125:78 | call to OpenFile | call to OpenFile | edges | tests.go:8:24:8:24 | definition of f | tests.go:9:8:9:8 | f | provenance | | -| tests.go:12:32:12:32 | definition of f | tests.go:13:13:15:2 | capture variable f | provenance | | -| tests.go:13:13:15:2 | capture variable f | tests.go:14:3:14:3 | f | provenance | | | tests.go:31:5:31:78 | ... := ...[0] | tests.go:32:21:32:21 | f | provenance | Src:MaD:1 | -| tests.go:31:5:31:78 | ... := ...[0] | tests.go:33:29:33:29 | f | provenance | Src:MaD:1 | | tests.go:32:21:32:21 | f | tests.go:8:24:8:24 | definition of f | provenance | | -| tests.go:33:29:33:29 | f | tests.go:12:32:12:32 | definition of f | provenance | | | tests.go:45:5:45:76 | ... := ...[0] | tests.go:46:21:46:21 | f | provenance | Src:MaD:1 | -| tests.go:45:5:45:76 | ... := ...[0] | tests.go:47:29:47:29 | f | provenance | Src:MaD:1 | | tests.go:46:21:46:21 | f | tests.go:8:24:8:24 | definition of f | provenance | | -| tests.go:47:29:47:29 | f | tests.go:12:32:12:32 | definition of f | provenance | | | tests.go:54:5:54:78 | ... := ...[0] | tests.go:56:3:56:3 | f | provenance | Src:MaD:1 | | tests.go:66:5:66:76 | ... := ...[0] | tests.go:68:3:68:3 | f | provenance | Src:MaD:1 | | tests.go:108:5:108:78 | ... := ...[0] | tests.go:110:9:110:9 | f | provenance | Src:MaD:1 | @@ -28,15 +20,10 @@ models nodes | tests.go:8:24:8:24 | definition of f | semmle.label | definition of f | | tests.go:9:8:9:8 | f | semmle.label | f | -| tests.go:12:32:12:32 | definition of f | semmle.label | definition of f | -| tests.go:13:13:15:2 | capture variable f | semmle.label | capture variable f | -| tests.go:14:3:14:3 | f | semmle.label | f | | tests.go:31:5:31:78 | ... := ...[0] | semmle.label | ... := ...[0] | | tests.go:32:21:32:21 | f | semmle.label | f | -| tests.go:33:29:33:29 | f | semmle.label | f | | tests.go:45:5:45:76 | ... := ...[0] | semmle.label | ... := ...[0] | | tests.go:46:21:46:21 | f | semmle.label | f | -| tests.go:47:29:47:29 | f | semmle.label | f | | tests.go:54:5:54:78 | ... := ...[0] | semmle.label | ... := ...[0] | | tests.go:56:3:56:3 | f | semmle.label | f | | tests.go:66:5:66:76 | ... := ...[0] | semmle.label | ... := ...[0] | diff --git a/go/ql/test/query-tests/RedundantCode/DeadStoreOfLocal/DeadStoreOfLocal.expected b/go/ql/test/query-tests/RedundantCode/DeadStoreOfLocal/DeadStoreOfLocal.expected index 5b2010251ef7..d9444556f2ca 100644 --- a/go/ql/test/query-tests/RedundantCode/DeadStoreOfLocal/DeadStoreOfLocal.expected +++ b/go/ql/test/query-tests/RedundantCode/DeadStoreOfLocal/DeadStoreOfLocal.expected @@ -16,6 +16,8 @@ | testdata.go:172:3:172:3 | assignment to x | This definition of x is never used. | | testdata.go:180:3:180:5 | increment statement | This definition of x is never used. | | testdata.go:201:2:201:2 | assignment to x | This definition of x is never used. | +| testdata.go:227:3:227:5 | increment statement | This definition of x is never used. | +| testdata.go:235:3:235:3 | assignment to x | This definition of x is never used. | | testdata.go:262:2:262:2 | assignment to x | This definition of x is never used. | | testdata.go:268:2:268:2 | assignment to x | This definition of x is never used. | | testdata.go:309:2:309:2 | assignment to a | This definition of a is never used. | diff --git a/go/ql/test/query-tests/Security/CWE-022/TaintedPath.expected b/go/ql/test/query-tests/Security/CWE-022/TaintedPath.expected index 839d35f663ce..cfb3c63b4a5f 100644 --- a/go/ql/test/query-tests/Security/CWE-022/TaintedPath.expected +++ b/go/ql/test/query-tests/Security/CWE-022/TaintedPath.expected @@ -6,8 +6,8 @@ edges | TaintedPath.go:14:18:14:22 | selection of URL | TaintedPath.go:14:18:14:30 | call to Query | provenance | Src:MaD:2 MaD:3 | | TaintedPath.go:14:18:14:30 | call to Query | TaintedPath.go:17:29:17:40 | tainted_path | provenance | Sink:MaD:1 | | TaintedPath.go:14:18:14:30 | call to Query | TaintedPath.go:21:57:21:68 | tainted_path | provenance | | -| TaintedPath.go:14:18:14:30 | call to Query | TaintedPath.go:68:39:68:56 | ...+... | provenance | | | TaintedPath.go:21:57:21:68 | tainted_path | TaintedPath.go:21:28:21:69 | call to Join | provenance | FunctionModel Sink:MaD:1 | +| TaintedPath.go:21:57:21:68 | tainted_path | TaintedPath.go:68:39:68:56 | ...+... | provenance | | | TaintedPath.go:68:39:68:56 | ...+... | TaintedPath.go:68:28:68:57 | call to Clean | provenance | MaD:4 Sink:MaD:1 | models | 1 | Sink: io/ioutil; ; false; ReadFile; ; ; Argument[0]; path-injection; manual | diff --git a/go/ql/test/query-tests/Security/CWE-078/CommandInjection.expected b/go/ql/test/query-tests/Security/CWE-078/CommandInjection.expected index dff32df4e1ff..78dde84a9475 100644 --- a/go/ql/test/query-tests/Security/CWE-078/CommandInjection.expected +++ b/go/ql/test/query-tests/Security/CWE-078/CommandInjection.expected @@ -48,14 +48,14 @@ edges | GitSubcommands.go:11:13:11:27 | call to Query | GitSubcommands.go:17:36:17:42 | tainted | provenance | | | GitSubcommands.go:33:13:33:19 | selection of URL | GitSubcommands.go:33:13:33:27 | call to Query | provenance | Src:MaD:2 MaD:7 | | GitSubcommands.go:33:13:33:27 | call to Query | GitSubcommands.go:38:32:38:38 | tainted | provenance | | +| SanitizingDoubleDash.go:9:2:9:8 | definition of tainted | SanitizingDoubleDash.go:13:25:13:31 | tainted | provenance | | +| SanitizingDoubleDash.go:9:2:9:8 | definition of tainted | SanitizingDoubleDash.go:14:23:14:33 | slice expression | provenance | | +| SanitizingDoubleDash.go:9:2:9:8 | definition of tainted | SanitizingDoubleDash.go:39:31:39:37 | tainted | provenance | Config | +| SanitizingDoubleDash.go:9:2:9:8 | definition of tainted | SanitizingDoubleDash.go:52:24:52:30 | tainted | provenance | Config | +| SanitizingDoubleDash.go:9:2:9:8 | definition of tainted | SanitizingDoubleDash.go:68:31:68:37 | tainted | provenance | Config | +| SanitizingDoubleDash.go:9:2:9:8 | definition of tainted | SanitizingDoubleDash.go:80:23:80:29 | tainted | provenance | Config | | SanitizingDoubleDash.go:9:13:9:19 | selection of URL | SanitizingDoubleDash.go:9:13:9:27 | call to Query | provenance | Src:MaD:2 MaD:7 | -| SanitizingDoubleDash.go:9:13:9:27 | call to Query | SanitizingDoubleDash.go:13:25:13:31 | tainted | provenance | | -| SanitizingDoubleDash.go:9:13:9:27 | call to Query | SanitizingDoubleDash.go:14:23:14:33 | slice expression | provenance | | -| SanitizingDoubleDash.go:9:13:9:27 | call to Query | SanitizingDoubleDash.go:39:31:39:37 | tainted | provenance | | -| SanitizingDoubleDash.go:9:13:9:27 | call to Query | SanitizingDoubleDash.go:52:24:52:30 | tainted | provenance | | -| SanitizingDoubleDash.go:9:13:9:27 | call to Query | SanitizingDoubleDash.go:53:21:53:28 | arrayLit | provenance | | -| SanitizingDoubleDash.go:9:13:9:27 | call to Query | SanitizingDoubleDash.go:68:31:68:37 | tainted | provenance | | -| SanitizingDoubleDash.go:9:13:9:27 | call to Query | SanitizingDoubleDash.go:80:23:80:29 | tainted | provenance | | +| SanitizingDoubleDash.go:9:13:9:27 | call to Query | SanitizingDoubleDash.go:9:2:9:8 | definition of tainted | provenance | | | SanitizingDoubleDash.go:13:15:13:32 | array literal [array] | SanitizingDoubleDash.go:14:23:14:30 | arrayLit [array] | provenance | | | SanitizingDoubleDash.go:13:25:13:31 | tainted | SanitizingDoubleDash.go:13:15:13:32 | array literal [array] | provenance | | | SanitizingDoubleDash.go:14:23:14:30 | arrayLit [array] | SanitizingDoubleDash.go:14:23:14:33 | slice element node | provenance | | @@ -67,6 +67,7 @@ edges | SanitizingDoubleDash.go:39:31:39:37 | tainted | SanitizingDoubleDash.go:39:14:39:44 | []type{args} [array] | provenance | | | SanitizingDoubleDash.go:52:15:52:31 | slice literal [array] | SanitizingDoubleDash.go:53:21:53:28 | arrayLit [array] | provenance | | | SanitizingDoubleDash.go:52:24:52:30 | tainted | SanitizingDoubleDash.go:52:15:52:31 | slice literal [array] | provenance | | +| SanitizingDoubleDash.go:52:24:52:30 | tainted | SanitizingDoubleDash.go:53:21:53:28 | arrayLit | provenance | | | SanitizingDoubleDash.go:53:14:53:35 | call to append | SanitizingDoubleDash.go:54:23:54:30 | arrayLit | provenance | | | SanitizingDoubleDash.go:53:14:53:35 | call to append [array] | SanitizingDoubleDash.go:54:23:54:30 | arrayLit | provenance | | | SanitizingDoubleDash.go:53:21:53:28 | arrayLit | SanitizingDoubleDash.go:53:14:53:35 | call to append | provenance | MaD:4 | @@ -180,6 +181,7 @@ nodes | GitSubcommands.go:33:13:33:19 | selection of URL | semmle.label | selection of URL | | GitSubcommands.go:33:13:33:27 | call to Query | semmle.label | call to Query | | GitSubcommands.go:38:32:38:38 | tainted | semmle.label | tainted | +| SanitizingDoubleDash.go:9:2:9:8 | definition of tainted | semmle.label | definition of tainted | | SanitizingDoubleDash.go:9:13:9:19 | selection of URL | semmle.label | selection of URL | | SanitizingDoubleDash.go:9:13:9:27 | call to Query | semmle.label | call to Query | | SanitizingDoubleDash.go:13:15:13:32 | array literal [array] | semmle.label | array literal [array] | diff --git a/go/ql/test/query-tests/Security/CWE-078/SanitizingDoubleDash.go b/go/ql/test/query-tests/Security/CWE-078/SanitizingDoubleDash.go index d69a970f0d09..0428df550868 100644 --- a/go/ql/test/query-tests/Security/CWE-078/SanitizingDoubleDash.go +++ b/go/ql/test/query-tests/Security/CWE-078/SanitizingDoubleDash.go @@ -93,62 +93,62 @@ func testDoubleDashIrrelevant(req *http.Request) { { arrayLit := [1]string{tainted} - exec.Command("sudo", arrayLit[:]...) + exec.Command("sudo", arrayLit[:]...) // BAD } { arrayLit := [2]string{"--", tainted} - exec.Command("sudo", arrayLit[:]...) + exec.Command("sudo", arrayLit[:]...) // BAD } { arrayLit := []string{"--", tainted} - exec.Command("sudo", arrayLit...) + exec.Command("sudo", arrayLit...) // BAD } { arrayLit := []string{} arrayLit = append(arrayLit, "--", tainted) - exec.Command("sudo", arrayLit...) + exec.Command("sudo", arrayLit...) // BAD } { arrayLit := []string{} arrayLit = append(arrayLit, tainted, "--") - exec.Command("sudo", arrayLit...) + exec.Command("sudo", arrayLit...) // BAD } { arrayLit := []string{"--"} arrayLit = append(arrayLit, tainted) - exec.Command("sudo", arrayLit...) + exec.Command("sudo", arrayLit...) // BAD } { arrayLit := []string{tainted} arrayLit = append(arrayLit, "--") - exec.Command("sudo", arrayLit...) + exec.Command("sudo", arrayLit...) // BAD } { arrayLit := []string{"--"} arrayLit = append(arrayLit, "something else") arrayLit = append(arrayLit, tainted) - exec.Command("sudo", arrayLit...) + exec.Command("sudo", arrayLit...) // BAD } { arrayLit := []string{"something else"} arrayLit = append(arrayLit, tainted) arrayLit = append(arrayLit, "--") - exec.Command("sudo", arrayLit...) + exec.Command("sudo", arrayLit...) // BAD } { - exec.Command("sudo", "--", tainted) + exec.Command("sudo", "--", tainted) // BAD } { - exec.Command("sudo", tainted, "--") + exec.Command("sudo", tainted, "--") // BAD } } diff --git a/go/ql/test/query-tests/Security/CWE-089/SqlInjection.expected b/go/ql/test/query-tests/Security/CWE-089/SqlInjection.expected index 1ce8c3d1dcf6..542f1b5b89c2 100644 --- a/go/ql/test/query-tests/Security/CWE-089/SqlInjection.expected +++ b/go/ql/test/query-tests/Security/CWE-089/SqlInjection.expected @@ -117,22 +117,22 @@ edges | main.go:61:5:61:15 | RequestData [pointer, Category] | main.go:61:4:61:15 | star expression [Category] | provenance | | | mongoDB.go:40:20:40:30 | call to Referer | mongoDB.go:42:28:42:41 | untrustedInput | provenance | Src:MaD:20 | | mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:50:34:50:39 | filter | provenance | | -| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:61:27:61:32 | filter | provenance | Sink:MaD:4 | -| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:63:23:63:28 | filter | provenance | Sink:MaD:5 | -| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:64:22:64:27 | filter | provenance | Sink:MaD:6 | -| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:66:32:66:37 | filter | provenance | Sink:MaD:7 | -| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:69:17:69:22 | filter | provenance | Sink:MaD:8 | -| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:70:20:70:25 | filter | provenance | Sink:MaD:9 | -| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:71:29:71:34 | filter | provenance | Sink:MaD:10 | -| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:72:30:72:35 | filter | provenance | Sink:MaD:11 | -| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:73:29:73:34 | filter | provenance | Sink:MaD:12 | -| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:78:23:78:28 | filter | provenance | Sink:MaD:13 | -| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:79:23:79:28 | filter | provenance | Sink:MaD:14 | -| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:80:22:80:27 | filter | provenance | Sink:MaD:15 | | mongoDB.go:42:28:42:41 | untrustedInput | mongoDB.go:42:19:42:42 | struct literal | provenance | Config | | mongoDB.go:50:23:50:40 | struct literal | mongoDB.go:57:22:57:29 | pipeline | provenance | Sink:MaD:3 | | mongoDB.go:50:23:50:40 | struct literal | mongoDB.go:81:18:81:25 | pipeline | provenance | Sink:MaD:16 | | mongoDB.go:50:34:50:39 | filter | mongoDB.go:50:23:50:40 | struct literal | provenance | Config | +| mongoDB.go:50:34:50:39 | filter | mongoDB.go:61:27:61:32 | filter | provenance | Sink:MaD:4 | +| mongoDB.go:50:34:50:39 | filter | mongoDB.go:63:23:63:28 | filter | provenance | Sink:MaD:5 | +| mongoDB.go:50:34:50:39 | filter | mongoDB.go:64:22:64:27 | filter | provenance | Sink:MaD:6 | +| mongoDB.go:50:34:50:39 | filter | mongoDB.go:66:32:66:37 | filter | provenance | Sink:MaD:7 | +| mongoDB.go:50:34:50:39 | filter | mongoDB.go:69:17:69:22 | filter | provenance | Sink:MaD:8 | +| mongoDB.go:50:34:50:39 | filter | mongoDB.go:70:20:70:25 | filter | provenance | Sink:MaD:9 | +| mongoDB.go:50:34:50:39 | filter | mongoDB.go:71:29:71:34 | filter | provenance | Sink:MaD:10 | +| mongoDB.go:50:34:50:39 | filter | mongoDB.go:72:30:72:35 | filter | provenance | Sink:MaD:11 | +| mongoDB.go:50:34:50:39 | filter | mongoDB.go:73:29:73:34 | filter | provenance | Sink:MaD:12 | +| mongoDB.go:50:34:50:39 | filter | mongoDB.go:78:23:78:28 | filter | provenance | Sink:MaD:13 | +| mongoDB.go:50:34:50:39 | filter | mongoDB.go:79:23:79:28 | filter | provenance | Sink:MaD:14 | +| mongoDB.go:50:34:50:39 | filter | mongoDB.go:80:22:80:27 | filter | provenance | Sink:MaD:15 | models | 1 | Sink: database/sql; DB; true; Query; ; ; Argument[0]; sql-injection; manual | | 2 | Sink: database/sql; Tx; true; Query; ; ; Argument[0]; sql-injection; manual | diff --git a/go/ql/test/query-tests/Security/CWE-190/AllocationSizeOverflow.expected b/go/ql/test/query-tests/Security/CWE-190/AllocationSizeOverflow.expected index 3a9de1ebe600..ec1835a6f8ac 100644 --- a/go/ql/test/query-tests/Security/CWE-190/AllocationSizeOverflow.expected +++ b/go/ql/test/query-tests/Security/CWE-190/AllocationSizeOverflow.expected @@ -17,10 +17,13 @@ edges | tst2.go:14:2:14:29 | ... := ...[0] | tst2.go:15:26:15:29 | data | provenance | | | tst2.go:15:26:15:29 | data | tst2.go:15:22:15:30 | call to len | provenance | Config | | tst3.go:6:2:6:31 | ... := ...[0] | tst3.go:7:26:7:33 | jsonData | provenance | | -| tst3.go:6:2:6:31 | ... := ...[0] | tst3.go:24:20:24:27 | jsonData | provenance | | -| tst3.go:6:2:6:31 | ... := ...[0] | tst3.go:32:20:32:27 | jsonData | provenance | | | tst3.go:7:26:7:33 | jsonData | tst3.go:7:22:7:34 | call to len | provenance | Config | +| tst3.go:7:26:7:33 | jsonData | tst3.go:9:32:9:39 | jsonData | provenance | | +| tst3.go:9:32:9:39 | jsonData | tst3.go:11:9:11:16 | jsonData | provenance | | +| tst3.go:11:9:11:16 | jsonData | tst3.go:16:20:16:27 | jsonData | provenance | | +| tst3.go:16:20:16:27 | jsonData | tst3.go:24:20:24:27 | jsonData | provenance | | | tst3.go:24:20:24:27 | jsonData | tst3.go:24:16:24:28 | call to len | provenance | Config | +| tst3.go:24:20:24:27 | jsonData | tst3.go:32:20:32:27 | jsonData | provenance | | | tst3.go:32:20:32:27 | jsonData | tst3.go:32:16:32:28 | call to len | provenance | Config | | tst.go:14:2:14:30 | ... = ...[0] | tst.go:15:26:15:33 | jsonData | provenance | | | tst.go:15:26:15:33 | jsonData | tst.go:15:22:15:34 | call to len | provenance | Config | @@ -45,6 +48,9 @@ nodes | tst3.go:6:2:6:31 | ... := ...[0] | semmle.label | ... := ...[0] | | tst3.go:7:22:7:34 | call to len | semmle.label | call to len | | tst3.go:7:26:7:33 | jsonData | semmle.label | jsonData | +| tst3.go:9:32:9:39 | jsonData | semmle.label | jsonData | +| tst3.go:11:9:11:16 | jsonData | semmle.label | jsonData | +| tst3.go:16:20:16:27 | jsonData | semmle.label | jsonData | | tst3.go:24:16:24:28 | call to len | semmle.label | call to len | | tst3.go:24:20:24:27 | jsonData | semmle.label | jsonData | | tst3.go:32:16:32:28 | call to len | semmle.label | call to len | diff --git a/go/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected b/go/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected index 3435eff77754..823c2822689e 100644 --- a/go/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected +++ b/go/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected @@ -1,97 +1,250 @@ #select | klog.go:22:15:22:20 | header | klog.go:20:30:20:37 | selection of Header | klog.go:22:15:22:20 | header | $@ flows to a logging call. | klog.go:20:30:20:37 | selection of Header | Sensitive data returned by HTTP request headers | | klog.go:28:13:28:41 | call to Get | klog.go:28:13:28:20 | selection of Header | klog.go:28:13:28:41 | call to Get | $@ flows to a logging call. | klog.go:28:13:28:20 | selection of Header | Sensitive data returned by HTTP request headers | -| main.go:15:12:15:19 | password | main.go:15:12:15:19 | password | main.go:15:12:15:19 | password | $@ flows to a logging call. | main.go:15:12:15:19 | password | Sensitive data returned by an access to password | -| main.go:16:17:16:24 | password | main.go:16:17:16:24 | password | main.go:16:17:16:24 | password | $@ flows to a logging call. | main.go:16:17:16:24 | password | Sensitive data returned by an access to password | -| main.go:17:13:17:20 | password | main.go:17:13:17:20 | password | main.go:17:13:17:20 | password | $@ flows to a logging call. | main.go:17:13:17:20 | password | Sensitive data returned by an access to password | -| main.go:18:14:18:21 | password | main.go:18:14:18:21 | password | main.go:18:14:18:21 | password | $@ flows to a logging call. | main.go:18:14:18:21 | password | Sensitive data returned by an access to password | -| main.go:19:12:19:19 | password | main.go:19:12:19:19 | password | main.go:19:12:19:19 | password | $@ flows to a logging call. | main.go:19:12:19:19 | password | Sensitive data returned by an access to password | -| main.go:20:17:20:24 | password | main.go:20:17:20:24 | password | main.go:20:17:20:24 | password | $@ flows to a logging call. | main.go:20:17:20:24 | password | Sensitive data returned by an access to password | -| main.go:21:13:21:20 | password | main.go:21:13:21:20 | password | main.go:21:13:21:20 | password | $@ flows to a logging call. | main.go:21:13:21:20 | password | Sensitive data returned by an access to password | -| main.go:22:14:22:21 | password | main.go:22:14:22:21 | password | main.go:22:14:22:21 | password | $@ flows to a logging call. | main.go:22:14:22:21 | password | Sensitive data returned by an access to password | -| main.go:23:12:23:19 | password | main.go:23:12:23:19 | password | main.go:23:12:23:19 | password | $@ flows to a logging call. | main.go:23:12:23:19 | password | Sensitive data returned by an access to password | -| main.go:24:17:24:24 | password | main.go:24:17:24:24 | password | main.go:24:17:24:24 | password | $@ flows to a logging call. | main.go:24:17:24:24 | password | Sensitive data returned by an access to password | -| main.go:25:13:25:20 | password | main.go:25:13:25:20 | password | main.go:25:13:25:20 | password | $@ flows to a logging call. | main.go:25:13:25:20 | password | Sensitive data returned by an access to password | -| main.go:26:14:26:21 | password | main.go:26:14:26:21 | password | main.go:26:14:26:21 | password | $@ flows to a logging call. | main.go:26:14:26:21 | password | Sensitive data returned by an access to password | -| main.go:27:16:27:23 | password | main.go:27:16:27:23 | password | main.go:27:16:27:23 | password | $@ flows to a logging call. | main.go:27:16:27:23 | password | Sensitive data returned by an access to password | -| main.go:30:10:30:17 | password | main.go:30:10:30:17 | password | main.go:30:10:30:17 | password | $@ flows to a logging call. | main.go:30:10:30:17 | password | Sensitive data returned by an access to password | -| main.go:31:15:31:22 | password | main.go:31:15:31:22 | password | main.go:31:15:31:22 | password | $@ flows to a logging call. | main.go:31:15:31:22 | password | Sensitive data returned by an access to password | -| main.go:32:11:32:18 | password | main.go:32:11:32:18 | password | main.go:32:11:32:18 | password | $@ flows to a logging call. | main.go:32:11:32:18 | password | Sensitive data returned by an access to password | -| main.go:33:12:33:19 | password | main.go:33:12:33:19 | password | main.go:33:12:33:19 | password | $@ flows to a logging call. | main.go:33:12:33:19 | password | Sensitive data returned by an access to password | -| main.go:34:10:34:17 | password | main.go:34:10:34:17 | password | main.go:34:10:34:17 | password | $@ flows to a logging call. | main.go:34:10:34:17 | password | Sensitive data returned by an access to password | -| main.go:35:15:35:22 | password | main.go:35:15:35:22 | password | main.go:35:15:35:22 | password | $@ flows to a logging call. | main.go:35:15:35:22 | password | Sensitive data returned by an access to password | -| main.go:36:11:36:18 | password | main.go:36:11:36:18 | password | main.go:36:11:36:18 | password | $@ flows to a logging call. | main.go:36:11:36:18 | password | Sensitive data returned by an access to password | -| main.go:37:12:37:19 | password | main.go:37:12:37:19 | password | main.go:37:12:37:19 | password | $@ flows to a logging call. | main.go:37:12:37:19 | password | Sensitive data returned by an access to password | -| main.go:38:10:38:17 | password | main.go:38:10:38:17 | password | main.go:38:10:38:17 | password | $@ flows to a logging call. | main.go:38:10:38:17 | password | Sensitive data returned by an access to password | -| main.go:39:15:39:22 | password | main.go:39:15:39:22 | password | main.go:39:15:39:22 | password | $@ flows to a logging call. | main.go:39:15:39:22 | password | Sensitive data returned by an access to password | -| main.go:40:11:40:18 | password | main.go:40:11:40:18 | password | main.go:40:11:40:18 | password | $@ flows to a logging call. | main.go:40:11:40:18 | password | Sensitive data returned by an access to password | -| main.go:41:12:41:19 | password | main.go:41:12:41:19 | password | main.go:41:12:41:19 | password | $@ flows to a logging call. | main.go:41:12:41:19 | password | Sensitive data returned by an access to password | -| main.go:42:14:42:21 | password | main.go:42:14:42:21 | password | main.go:42:14:42:21 | password | $@ flows to a logging call. | main.go:42:14:42:21 | password | Sensitive data returned by an access to password | -| main.go:44:12:44:19 | password | main.go:44:12:44:19 | password | main.go:44:12:44:19 | password | $@ flows to a logging call. | main.go:44:12:44:19 | password | Sensitive data returned by an access to password | -| main.go:45:17:45:24 | password | main.go:45:17:45:24 | password | main.go:45:17:45:24 | password | $@ flows to a logging call. | main.go:45:17:45:24 | password | Sensitive data returned by an access to password | -| main.go:52:35:52:42 | password | main.go:52:35:52:42 | password | main.go:52:35:52:42 | password | $@ flows to a logging call. | main.go:52:35:52:42 | password | Sensitive data returned by an access to password | -| overrides.go:13:14:13:23 | call to String | overrides.go:9:9:9:16 | password | overrides.go:13:14:13:23 | call to String | $@ flows to a logging call. | overrides.go:9:9:9:16 | password | Sensitive data returned by an access to password | -| passwords.go:9:14:9:14 | x | passwords.go:30:8:30:15 | password | passwords.go:9:14:9:14 | x | $@ flows to a logging call. | passwords.go:30:8:30:15 | password | Sensitive data returned by an access to password | -| passwords.go:25:14:25:21 | password | passwords.go:25:14:25:21 | password | passwords.go:25:14:25:21 | password | $@ flows to a logging call. | passwords.go:25:14:25:21 | password | Sensitive data returned by an access to password | +| main.go:19:12:19:19 | password | main.go:17:2:17:9 | definition of password | main.go:19:12:19:19 | password | $@ flows to a logging call. | main.go:17:2:17:9 | definition of password | Sensitive data returned by an access to password | +| main.go:20:17:20:24 | password | main.go:17:2:17:9 | definition of password | main.go:20:17:20:24 | password | $@ flows to a logging call. | main.go:17:2:17:9 | definition of password | Sensitive data returned by an access to password | +| main.go:21:13:21:20 | password | main.go:17:2:17:9 | definition of password | main.go:21:13:21:20 | password | $@ flows to a logging call. | main.go:17:2:17:9 | definition of password | Sensitive data returned by an access to password | +| main.go:22:14:22:21 | password | main.go:17:2:17:9 | definition of password | main.go:22:14:22:21 | password | $@ flows to a logging call. | main.go:17:2:17:9 | definition of password | Sensitive data returned by an access to password | +| main.go:24:13:24:20 | password | main.go:17:2:17:9 | definition of password | main.go:24:13:24:20 | password | $@ flows to a logging call. | main.go:17:2:17:9 | definition of password | Sensitive data returned by an access to password | +| main.go:27:18:27:25 | password | main.go:17:2:17:9 | definition of password | main.go:27:18:27:25 | password | $@ flows to a logging call. | main.go:17:2:17:9 | definition of password | Sensitive data returned by an access to password | +| main.go:30:14:30:21 | password | main.go:17:2:17:9 | definition of password | main.go:30:14:30:21 | password | $@ flows to a logging call. | main.go:17:2:17:9 | definition of password | Sensitive data returned by an access to password | +| main.go:33:15:33:22 | password | main.go:17:2:17:9 | definition of password | main.go:33:15:33:22 | password | $@ flows to a logging call. | main.go:17:2:17:9 | definition of password | Sensitive data returned by an access to password | +| main.go:36:13:36:20 | password | main.go:17:2:17:9 | definition of password | main.go:36:13:36:20 | password | $@ flows to a logging call. | main.go:17:2:17:9 | definition of password | Sensitive data returned by an access to password | +| main.go:39:18:39:25 | password | main.go:17:2:17:9 | definition of password | main.go:39:18:39:25 | password | $@ flows to a logging call. | main.go:17:2:17:9 | definition of password | Sensitive data returned by an access to password | +| main.go:42:14:42:21 | password | main.go:17:2:17:9 | definition of password | main.go:42:14:42:21 | password | $@ flows to a logging call. | main.go:17:2:17:9 | definition of password | Sensitive data returned by an access to password | +| main.go:45:15:45:22 | password | main.go:17:2:17:9 | definition of password | main.go:45:15:45:22 | password | $@ flows to a logging call. | main.go:17:2:17:9 | definition of password | Sensitive data returned by an access to password | +| main.go:47:16:47:23 | password | main.go:17:2:17:9 | definition of password | main.go:47:16:47:23 | password | $@ flows to a logging call. | main.go:17:2:17:9 | definition of password | Sensitive data returned by an access to password | +| main.go:50:10:50:17 | password | main.go:17:2:17:9 | definition of password | main.go:50:10:50:17 | password | $@ flows to a logging call. | main.go:17:2:17:9 | definition of password | Sensitive data returned by an access to password | +| main.go:51:15:51:22 | password | main.go:17:2:17:9 | definition of password | main.go:51:15:51:22 | password | $@ flows to a logging call. | main.go:17:2:17:9 | definition of password | Sensitive data returned by an access to password | +| main.go:52:11:52:18 | password | main.go:17:2:17:9 | definition of password | main.go:52:11:52:18 | password | $@ flows to a logging call. | main.go:17:2:17:9 | definition of password | Sensitive data returned by an access to password | +| main.go:53:12:53:19 | password | main.go:17:2:17:9 | definition of password | main.go:53:12:53:19 | password | $@ flows to a logging call. | main.go:17:2:17:9 | definition of password | Sensitive data returned by an access to password | +| main.go:55:11:55:18 | password | main.go:17:2:17:9 | definition of password | main.go:55:11:55:18 | password | $@ flows to a logging call. | main.go:17:2:17:9 | definition of password | Sensitive data returned by an access to password | +| main.go:58:16:58:23 | password | main.go:17:2:17:9 | definition of password | main.go:58:16:58:23 | password | $@ flows to a logging call. | main.go:17:2:17:9 | definition of password | Sensitive data returned by an access to password | +| main.go:61:12:61:19 | password | main.go:17:2:17:9 | definition of password | main.go:61:12:61:19 | password | $@ flows to a logging call. | main.go:17:2:17:9 | definition of password | Sensitive data returned by an access to password | +| main.go:64:13:64:20 | password | main.go:17:2:17:9 | definition of password | main.go:64:13:64:20 | password | $@ flows to a logging call. | main.go:17:2:17:9 | definition of password | Sensitive data returned by an access to password | +| main.go:67:11:67:18 | password | main.go:17:2:17:9 | definition of password | main.go:67:11:67:18 | password | $@ flows to a logging call. | main.go:17:2:17:9 | definition of password | Sensitive data returned by an access to password | +| main.go:70:16:70:23 | password | main.go:17:2:17:9 | definition of password | main.go:70:16:70:23 | password | $@ flows to a logging call. | main.go:17:2:17:9 | definition of password | Sensitive data returned by an access to password | +| main.go:73:12:73:19 | password | main.go:17:2:17:9 | definition of password | main.go:73:12:73:19 | password | $@ flows to a logging call. | main.go:17:2:17:9 | definition of password | Sensitive data returned by an access to password | +| main.go:76:13:76:20 | password | main.go:17:2:17:9 | definition of password | main.go:76:13:76:20 | password | $@ flows to a logging call. | main.go:17:2:17:9 | definition of password | Sensitive data returned by an access to password | +| main.go:78:14:78:21 | password | main.go:17:2:17:9 | definition of password | main.go:78:14:78:21 | password | $@ flows to a logging call. | main.go:17:2:17:9 | definition of password | Sensitive data returned by an access to password | +| main.go:80:12:80:19 | password | main.go:17:2:17:9 | definition of password | main.go:80:12:80:19 | password | $@ flows to a logging call. | main.go:17:2:17:9 | definition of password | Sensitive data returned by an access to password | +| main.go:81:17:81:24 | password | main.go:17:2:17:9 | definition of password | main.go:81:17:81:24 | password | $@ flows to a logging call. | main.go:17:2:17:9 | definition of password | Sensitive data returned by an access to password | +| main.go:85:29:85:34 | fields | main.go:17:2:17:9 | definition of password | main.go:85:29:85:34 | fields | $@ flows to a logging call. | main.go:17:2:17:9 | definition of password | Sensitive data returned by an access to password | +| main.go:88:35:88:42 | password | main.go:17:2:17:9 | definition of password | main.go:88:35:88:42 | password | $@ flows to a logging call. | main.go:17:2:17:9 | definition of password | Sensitive data returned by an access to password | +| overrides.go:13:14:13:23 | call to String | overrides.go:8:2:8:9 | definition of password | overrides.go:13:14:13:23 | call to String | $@ flows to a logging call. | overrides.go:8:2:8:9 | definition of password | Sensitive data returned by an access to password | +| passwords.go:9:14:9:14 | x | passwords.go:21:2:21:9 | definition of password | passwords.go:9:14:9:14 | x | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password | +| passwords.go:25:14:25:21 | password | passwords.go:21:2:21:9 | definition of password | passwords.go:25:14:25:21 | password | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password | | passwords.go:26:14:26:23 | selection of password | passwords.go:26:14:26:23 | selection of password | passwords.go:26:14:26:23 | selection of password | $@ flows to a logging call. | passwords.go:26:14:26:23 | selection of password | Sensitive data returned by an access to password | | passwords.go:27:14:27:26 | call to getPassword | passwords.go:27:14:27:26 | call to getPassword | passwords.go:27:14:27:26 | call to getPassword | $@ flows to a logging call. | passwords.go:27:14:27:26 | call to getPassword | Sensitive data returned by a call to getPassword | | passwords.go:28:14:28:28 | call to getPassword | passwords.go:28:14:28:28 | call to getPassword | passwords.go:28:14:28:28 | call to getPassword | $@ flows to a logging call. | passwords.go:28:14:28:28 | call to getPassword | Sensitive data returned by a call to getPassword | -| passwords.go:32:12:32:19 | password | passwords.go:32:12:32:19 | password | passwords.go:32:12:32:19 | password | $@ flows to a logging call. | passwords.go:32:12:32:19 | password | Sensitive data returned by an access to password | -| passwords.go:34:14:34:35 | ...+... | passwords.go:34:28:34:35 | password | passwords.go:34:14:34:35 | ...+... | $@ flows to a logging call. | passwords.go:34:28:34:35 | password | Sensitive data returned by an access to password | +| passwords.go:32:12:32:19 | password | passwords.go:21:2:21:9 | definition of password | passwords.go:32:12:32:19 | password | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password | +| passwords.go:34:14:34:35 | ...+... | passwords.go:21:2:21:9 | definition of password | passwords.go:34:14:34:35 | ...+... | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password | | passwords.go:39:14:39:17 | obj1 | passwords.go:37:13:37:13 | x | passwords.go:39:14:39:17 | obj1 | $@ flows to a logging call. | passwords.go:37:13:37:13 | x | Sensitive data returned by an access to password | -| passwords.go:44:14:44:17 | obj2 | passwords.go:42:6:42:13 | password | passwords.go:44:14:44:17 | obj2 | $@ flows to a logging call. | passwords.go:42:6:42:13 | password | Sensitive data returned by an access to password | -| passwords.go:47:14:47:17 | obj3 | passwords.go:48:11:48:18 | password | passwords.go:47:14:47:17 | obj3 | $@ flows to a logging call. | passwords.go:48:11:48:18 | password | Sensitive data returned by an access to password | -| passwords.go:51:14:51:27 | fixed_password | passwords.go:51:14:51:27 | fixed_password | passwords.go:51:14:51:27 | fixed_password | $@ flows to a logging call. | passwords.go:51:14:51:27 | fixed_password | Sensitive data returned by an access to fixed_password | -| passwords.go:88:14:88:26 | utilityObject | passwords.go:86:16:86:36 | call to make | passwords.go:88:14:88:26 | utilityObject | $@ flows to a logging call. | passwords.go:86:16:86:36 | call to make | Sensitive data returned by an access to passwordSet | -| passwords.go:91:23:91:28 | secret | passwords.go:90:12:90:19 | password | passwords.go:91:23:91:28 | secret | $@ flows to a logging call. | passwords.go:90:12:90:19 | password | Sensitive data returned by an access to password | -| passwords.go:101:15:101:40 | ...+... | passwords.go:101:33:101:40 | password | passwords.go:101:15:101:40 | ...+... | $@ flows to a logging call. | passwords.go:101:33:101:40 | password | Sensitive data returned by an access to password | -| passwords.go:107:16:107:41 | ...+... | passwords.go:107:34:107:41 | password | passwords.go:107:16:107:41 | ...+... | $@ flows to a logging call. | passwords.go:107:34:107:41 | password | Sensitive data returned by an access to password | -| passwords.go:112:15:112:40 | ...+... | passwords.go:112:33:112:40 | password | passwords.go:112:15:112:40 | ...+... | $@ flows to a logging call. | passwords.go:112:33:112:40 | password | Sensitive data returned by an access to password | -| passwords.go:116:14:116:45 | ...+... | passwords.go:116:28:116:36 | password1 | passwords.go:116:14:116:45 | ...+... | $@ flows to a logging call. | passwords.go:116:28:116:36 | password1 | Sensitive data returned by an access to password1 | -| passwords.go:125:14:125:19 | config | passwords.go:119:13:119:13 | x | passwords.go:125:14:125:19 | config | $@ flows to a logging call. | passwords.go:119:13:119:13 | x | Sensitive data returned by an access to password | -| passwords.go:125:14:125:19 | config | passwords.go:121:13:121:20 | password | passwords.go:125:14:125:19 | config | $@ flows to a logging call. | passwords.go:121:13:121:20 | password | Sensitive data returned by an access to password | -| passwords.go:125:14:125:19 | config | passwords.go:122:13:122:25 | call to getPassword | passwords.go:125:14:125:19 | config | $@ flows to a logging call. | passwords.go:122:13:122:25 | call to getPassword | Sensitive data returned by a call to getPassword | -| passwords.go:126:14:126:21 | selection of x | passwords.go:121:13:121:20 | password | passwords.go:126:14:126:21 | selection of x | $@ flows to a logging call. | passwords.go:121:13:121:20 | password | Sensitive data returned by an access to password | -| passwords.go:127:14:127:21 | selection of y | passwords.go:122:13:122:25 | call to getPassword | passwords.go:127:14:127:21 | selection of y | $@ flows to a logging call. | passwords.go:122:13:122:25 | call to getPassword | Sensitive data returned by a call to getPassword | -| protobuf.go:14:14:14:35 | call to GetDescription | protobuf.go:12:22:12:29 | password | protobuf.go:14:14:14:35 | call to GetDescription | $@ flows to a logging call. | protobuf.go:12:22:12:29 | password | Sensitive data returned by an access to password | +| passwords.go:44:14:44:17 | obj2 | passwords.go:21:2:21:9 | definition of password | passwords.go:44:14:44:17 | obj2 | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password | +| passwords.go:47:14:47:17 | obj3 | passwords.go:21:2:21:9 | definition of password | passwords.go:47:14:47:17 | obj3 | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password | +| passwords.go:51:14:51:27 | fixed_password | passwords.go:50:2:50:15 | definition of fixed_password | passwords.go:51:14:51:27 | fixed_password | $@ flows to a logging call. | passwords.go:50:2:50:15 | definition of fixed_password | Sensitive data returned by an access to fixed_password | +| passwords.go:89:14:89:26 | utilityObject | passwords.go:87:16:87:36 | call to make | passwords.go:89:14:89:26 | utilityObject | $@ flows to a logging call. | passwords.go:87:16:87:36 | call to make | Sensitive data returned by an access to passwordSet | +| passwords.go:92:23:92:28 | secret | passwords.go:21:2:21:9 | definition of password | passwords.go:92:23:92:28 | secret | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password | +| passwords.go:102:15:102:40 | ...+... | passwords.go:21:2:21:9 | definition of password | passwords.go:102:15:102:40 | ...+... | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password | +| passwords.go:108:16:108:41 | ...+... | passwords.go:21:2:21:9 | definition of password | passwords.go:108:16:108:41 | ...+... | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password | +| passwords.go:113:15:113:40 | ...+... | passwords.go:21:2:21:9 | definition of password | passwords.go:113:15:113:40 | ...+... | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password | +| passwords.go:117:14:117:45 | ...+... | passwords.go:116:6:116:14 | definition of password1 | passwords.go:117:14:117:45 | ...+... | $@ flows to a logging call. | passwords.go:116:6:116:14 | definition of password1 | Sensitive data returned by an access to password1 | +| passwords.go:127:14:127:19 | config | passwords.go:21:2:21:9 | definition of password | passwords.go:127:14:127:19 | config | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password | +| passwords.go:127:14:127:19 | config | passwords.go:121:13:121:14 | x3 | passwords.go:127:14:127:19 | config | $@ flows to a logging call. | passwords.go:121:13:121:14 | x3 | Sensitive data returned by an access to password | +| passwords.go:127:14:127:19 | config | passwords.go:124:13:124:25 | call to getPassword | passwords.go:127:14:127:19 | config | $@ flows to a logging call. | passwords.go:124:13:124:25 | call to getPassword | Sensitive data returned by a call to getPassword | +| passwords.go:128:14:128:21 | selection of x | passwords.go:21:2:21:9 | definition of password | passwords.go:128:14:128:21 | selection of x | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password | +| passwords.go:129:14:129:21 | selection of y | passwords.go:124:13:124:25 | call to getPassword | passwords.go:129:14:129:21 | selection of y | $@ flows to a logging call. | passwords.go:124:13:124:25 | call to getPassword | Sensitive data returned by a call to getPassword | +| protobuf.go:14:14:14:35 | call to GetDescription | protobuf.go:9:2:9:9 | definition of password | protobuf.go:14:14:14:35 | call to GetDescription | $@ flows to a logging call. | protobuf.go:9:2:9:9 | definition of password | Sensitive data returned by an access to password | edges | klog.go:20:3:25:3 | range statement[1] | klog.go:21:27:21:33 | headers | provenance | | -| klog.go:20:30:20:37 | selection of Header | klog.go:20:3:25:3 | range statement[1] | provenance | Src:MaD:1 Config | +| klog.go:20:30:20:37 | selection of Header | klog.go:20:3:25:3 | range statement[1] | provenance | Src:MaD:11 Config | | klog.go:21:4:24:4 | range statement[1] | klog.go:22:15:22:20 | header | provenance | | | klog.go:21:27:21:33 | headers | klog.go:21:4:24:4 | range statement[1] | provenance | Config | -| klog.go:28:13:28:20 | selection of Header | klog.go:28:13:28:41 | call to Get | provenance | Src:MaD:1 Config | +| klog.go:28:13:28:20 | selection of Header | klog.go:28:13:28:41 | call to Get | provenance | Src:MaD:11 Config | +| main.go:17:2:17:9 | definition of password | main.go:19:12:19:19 | password | provenance | | +| main.go:17:2:17:9 | definition of password | main.go:20:17:20:24 | password | provenance | | +| main.go:17:2:17:9 | definition of password | main.go:21:13:21:20 | password | provenance | Sink:MaD:6 | +| main.go:17:2:17:9 | definition of password | main.go:22:14:22:21 | password | provenance | | +| main.go:17:2:17:9 | definition of password | main.go:24:13:24:20 | password | provenance | | +| main.go:17:2:17:9 | definition of password | main.go:27:18:27:25 | password | provenance | | +| main.go:17:2:17:9 | definition of password | main.go:30:14:30:21 | password | provenance | Sink:MaD:3 | +| main.go:17:2:17:9 | definition of password | main.go:33:15:33:22 | password | provenance | | +| main.go:17:2:17:9 | definition of password | main.go:36:13:36:20 | password | provenance | | +| main.go:17:2:17:9 | definition of password | main.go:39:18:39:25 | password | provenance | | +| main.go:17:2:17:9 | definition of password | main.go:42:14:42:21 | password | provenance | Sink:MaD:5 | +| main.go:17:2:17:9 | definition of password | main.go:45:15:45:22 | password | provenance | | +| main.go:17:2:17:9 | definition of password | main.go:47:16:47:23 | password | provenance | Sink:MaD:4 | +| main.go:17:2:17:9 | definition of password | main.go:50:10:50:17 | password | provenance | | +| main.go:17:2:17:9 | definition of password | main.go:50:10:50:17 | password | provenance | | +| main.go:50:10:50:17 | password | main.go:51:15:51:22 | password | provenance | | +| main.go:50:10:50:17 | password | main.go:51:15:51:22 | password | provenance | | +| main.go:51:15:51:22 | password | main.go:52:11:52:18 | password | provenance | | +| main.go:51:15:51:22 | password | main.go:52:11:52:18 | password | provenance | Sink:MaD:10 | +| main.go:52:11:52:18 | password | main.go:53:12:53:19 | password | provenance | | +| main.go:52:11:52:18 | password | main.go:53:12:53:19 | password | provenance | | +| main.go:53:12:53:19 | password | main.go:55:11:55:18 | password | provenance | | +| main.go:53:12:53:19 | password | main.go:55:11:55:18 | password | provenance | | +| main.go:53:12:53:19 | password | main.go:58:16:58:23 | password | provenance | | +| main.go:53:12:53:19 | password | main.go:58:16:58:23 | password | provenance | | +| main.go:53:12:53:19 | password | main.go:61:12:61:19 | password | provenance | | +| main.go:53:12:53:19 | password | main.go:61:12:61:19 | password | provenance | Sink:MaD:7 | +| main.go:53:12:53:19 | password | main.go:64:13:64:20 | password | provenance | | +| main.go:53:12:53:19 | password | main.go:64:13:64:20 | password | provenance | | +| main.go:53:12:53:19 | password | main.go:67:11:67:18 | password | provenance | | +| main.go:53:12:53:19 | password | main.go:67:11:67:18 | password | provenance | | +| main.go:53:12:53:19 | password | main.go:70:16:70:23 | password | provenance | | +| main.go:53:12:53:19 | password | main.go:70:16:70:23 | password | provenance | | +| main.go:53:12:53:19 | password | main.go:73:12:73:19 | password | provenance | | +| main.go:53:12:53:19 | password | main.go:73:12:73:19 | password | provenance | Sink:MaD:9 | +| main.go:53:12:53:19 | password | main.go:76:13:76:20 | password | provenance | | +| main.go:53:12:53:19 | password | main.go:76:13:76:20 | password | provenance | | +| main.go:53:12:53:19 | password | main.go:78:14:78:21 | password | provenance | Sink:MaD:8 | +| main.go:53:12:53:19 | password | main.go:80:12:80:19 | password | provenance | | +| main.go:53:12:53:19 | password | main.go:81:17:81:24 | password | provenance | | +| main.go:53:12:53:19 | password | main.go:84:19:84:26 | password | provenance | | +| main.go:55:11:55:18 | password | main.go:58:16:58:23 | password | provenance | | +| main.go:55:11:55:18 | password | main.go:58:16:58:23 | password | provenance | | +| main.go:55:11:55:18 | password | main.go:61:12:61:19 | password | provenance | | +| main.go:55:11:55:18 | password | main.go:61:12:61:19 | password | provenance | Sink:MaD:7 | +| main.go:55:11:55:18 | password | main.go:64:13:64:20 | password | provenance | | +| main.go:55:11:55:18 | password | main.go:64:13:64:20 | password | provenance | | +| main.go:55:11:55:18 | password | main.go:67:11:67:18 | password | provenance | | +| main.go:55:11:55:18 | password | main.go:67:11:67:18 | password | provenance | | +| main.go:55:11:55:18 | password | main.go:70:16:70:23 | password | provenance | | +| main.go:55:11:55:18 | password | main.go:70:16:70:23 | password | provenance | | +| main.go:55:11:55:18 | password | main.go:73:12:73:19 | password | provenance | | +| main.go:55:11:55:18 | password | main.go:73:12:73:19 | password | provenance | Sink:MaD:9 | +| main.go:55:11:55:18 | password | main.go:76:13:76:20 | password | provenance | | +| main.go:55:11:55:18 | password | main.go:76:13:76:20 | password | provenance | | +| main.go:55:11:55:18 | password | main.go:78:14:78:21 | password | provenance | Sink:MaD:8 | +| main.go:55:11:55:18 | password | main.go:80:12:80:19 | password | provenance | | +| main.go:55:11:55:18 | password | main.go:81:17:81:24 | password | provenance | | +| main.go:55:11:55:18 | password | main.go:84:19:84:26 | password | provenance | | +| main.go:58:16:58:23 | password | main.go:61:12:61:19 | password | provenance | | +| main.go:58:16:58:23 | password | main.go:61:12:61:19 | password | provenance | Sink:MaD:7 | +| main.go:58:16:58:23 | password | main.go:64:13:64:20 | password | provenance | | +| main.go:58:16:58:23 | password | main.go:64:13:64:20 | password | provenance | | +| main.go:58:16:58:23 | password | main.go:67:11:67:18 | password | provenance | | +| main.go:58:16:58:23 | password | main.go:67:11:67:18 | password | provenance | | +| main.go:58:16:58:23 | password | main.go:70:16:70:23 | password | provenance | | +| main.go:58:16:58:23 | password | main.go:70:16:70:23 | password | provenance | | +| main.go:58:16:58:23 | password | main.go:73:12:73:19 | password | provenance | | +| main.go:58:16:58:23 | password | main.go:73:12:73:19 | password | provenance | Sink:MaD:9 | +| main.go:58:16:58:23 | password | main.go:76:13:76:20 | password | provenance | | +| main.go:58:16:58:23 | password | main.go:76:13:76:20 | password | provenance | | +| main.go:58:16:58:23 | password | main.go:78:14:78:21 | password | provenance | Sink:MaD:8 | +| main.go:58:16:58:23 | password | main.go:80:12:80:19 | password | provenance | | +| main.go:58:16:58:23 | password | main.go:81:17:81:24 | password | provenance | | +| main.go:58:16:58:23 | password | main.go:84:19:84:26 | password | provenance | | +| main.go:61:12:61:19 | password | main.go:64:13:64:20 | password | provenance | | +| main.go:61:12:61:19 | password | main.go:64:13:64:20 | password | provenance | | +| main.go:61:12:61:19 | password | main.go:67:11:67:18 | password | provenance | | +| main.go:61:12:61:19 | password | main.go:67:11:67:18 | password | provenance | | +| main.go:61:12:61:19 | password | main.go:70:16:70:23 | password | provenance | | +| main.go:61:12:61:19 | password | main.go:70:16:70:23 | password | provenance | | +| main.go:61:12:61:19 | password | main.go:73:12:73:19 | password | provenance | | +| main.go:61:12:61:19 | password | main.go:73:12:73:19 | password | provenance | Sink:MaD:9 | +| main.go:61:12:61:19 | password | main.go:76:13:76:20 | password | provenance | | +| main.go:61:12:61:19 | password | main.go:76:13:76:20 | password | provenance | | +| main.go:61:12:61:19 | password | main.go:78:14:78:21 | password | provenance | Sink:MaD:8 | +| main.go:61:12:61:19 | password | main.go:80:12:80:19 | password | provenance | | +| main.go:61:12:61:19 | password | main.go:81:17:81:24 | password | provenance | | +| main.go:61:12:61:19 | password | main.go:84:19:84:26 | password | provenance | | +| main.go:64:13:64:20 | password | main.go:67:11:67:18 | password | provenance | | +| main.go:64:13:64:20 | password | main.go:67:11:67:18 | password | provenance | | +| main.go:64:13:64:20 | password | main.go:70:16:70:23 | password | provenance | | +| main.go:64:13:64:20 | password | main.go:70:16:70:23 | password | provenance | | +| main.go:64:13:64:20 | password | main.go:73:12:73:19 | password | provenance | | +| main.go:64:13:64:20 | password | main.go:73:12:73:19 | password | provenance | Sink:MaD:9 | +| main.go:64:13:64:20 | password | main.go:76:13:76:20 | password | provenance | | +| main.go:64:13:64:20 | password | main.go:76:13:76:20 | password | provenance | | +| main.go:64:13:64:20 | password | main.go:78:14:78:21 | password | provenance | Sink:MaD:8 | +| main.go:64:13:64:20 | password | main.go:80:12:80:19 | password | provenance | | +| main.go:64:13:64:20 | password | main.go:81:17:81:24 | password | provenance | | +| main.go:64:13:64:20 | password | main.go:84:19:84:26 | password | provenance | | +| main.go:67:11:67:18 | password | main.go:70:16:70:23 | password | provenance | | +| main.go:67:11:67:18 | password | main.go:70:16:70:23 | password | provenance | | +| main.go:67:11:67:18 | password | main.go:73:12:73:19 | password | provenance | | +| main.go:67:11:67:18 | password | main.go:73:12:73:19 | password | provenance | Sink:MaD:9 | +| main.go:67:11:67:18 | password | main.go:76:13:76:20 | password | provenance | | +| main.go:67:11:67:18 | password | main.go:76:13:76:20 | password | provenance | | +| main.go:67:11:67:18 | password | main.go:78:14:78:21 | password | provenance | Sink:MaD:8 | +| main.go:67:11:67:18 | password | main.go:80:12:80:19 | password | provenance | | +| main.go:67:11:67:18 | password | main.go:81:17:81:24 | password | provenance | | +| main.go:67:11:67:18 | password | main.go:84:19:84:26 | password | provenance | | +| main.go:70:16:70:23 | password | main.go:73:12:73:19 | password | provenance | | +| main.go:70:16:70:23 | password | main.go:73:12:73:19 | password | provenance | Sink:MaD:9 | +| main.go:70:16:70:23 | password | main.go:76:13:76:20 | password | provenance | | +| main.go:70:16:70:23 | password | main.go:76:13:76:20 | password | provenance | | +| main.go:70:16:70:23 | password | main.go:78:14:78:21 | password | provenance | Sink:MaD:8 | +| main.go:70:16:70:23 | password | main.go:80:12:80:19 | password | provenance | | +| main.go:70:16:70:23 | password | main.go:81:17:81:24 | password | provenance | | +| main.go:70:16:70:23 | password | main.go:84:19:84:26 | password | provenance | | +| main.go:73:12:73:19 | password | main.go:76:13:76:20 | password | provenance | | +| main.go:73:12:73:19 | password | main.go:76:13:76:20 | password | provenance | | +| main.go:73:12:73:19 | password | main.go:78:14:78:21 | password | provenance | Sink:MaD:8 | +| main.go:73:12:73:19 | password | main.go:80:12:80:19 | password | provenance | | +| main.go:73:12:73:19 | password | main.go:81:17:81:24 | password | provenance | | +| main.go:73:12:73:19 | password | main.go:84:19:84:26 | password | provenance | | +| main.go:76:13:76:20 | password | main.go:78:14:78:21 | password | provenance | Sink:MaD:8 | +| main.go:76:13:76:20 | password | main.go:80:12:80:19 | password | provenance | | +| main.go:76:13:76:20 | password | main.go:81:17:81:24 | password | provenance | | +| main.go:76:13:76:20 | password | main.go:84:19:84:26 | password | provenance | | +| main.go:83:2:83:7 | definition of fields | main.go:85:29:85:34 | fields | provenance | Sink:MaD:2 | +| main.go:84:19:84:26 | password | main.go:83:2:83:7 | definition of fields | provenance | Config | +| main.go:84:19:84:26 | password | main.go:88:35:88:42 | password | provenance | Sink:MaD:1 | +| overrides.go:8:2:8:9 | definition of password | overrides.go:9:9:9:16 | password | provenance | | | overrides.go:9:9:9:16 | password | overrides.go:13:14:13:23 | call to String | provenance | | | passwords.go:8:12:8:12 | definition of x | passwords.go:9:14:9:14 | x | provenance | | +| passwords.go:21:2:21:9 | definition of password | passwords.go:25:14:25:21 | password | provenance | | +| passwords.go:21:2:21:9 | definition of password | passwords.go:30:8:30:15 | password | provenance | | +| passwords.go:21:2:21:9 | definition of password | passwords.go:32:12:32:19 | password | provenance | | +| passwords.go:21:2:21:9 | definition of password | passwords.go:34:28:34:35 | password | provenance | | | passwords.go:30:8:30:15 | password | passwords.go:8:12:8:12 | definition of x | provenance | | | passwords.go:34:28:34:35 | password | passwords.go:34:14:34:35 | ...+... | provenance | Config | +| passwords.go:34:28:34:35 | password | passwords.go:42:6:42:13 | password | provenance | | | passwords.go:36:10:38:2 | struct literal | passwords.go:39:14:39:17 | obj1 | provenance | | | passwords.go:37:13:37:13 | x | passwords.go:36:10:38:2 | struct literal | provenance | Config | | passwords.go:41:10:43:2 | struct literal | passwords.go:44:14:44:17 | obj2 | provenance | | | passwords.go:42:6:42:13 | password | passwords.go:41:10:43:2 | struct literal | provenance | Config | +| passwords.go:42:6:42:13 | password | passwords.go:48:11:48:18 | password | provenance | | | passwords.go:46:6:46:9 | definition of obj3 | passwords.go:47:14:47:17 | obj3 | provenance | | | passwords.go:48:11:48:18 | password | passwords.go:46:6:46:9 | definition of obj3 | provenance | Config | -| passwords.go:85:19:87:2 | struct literal | passwords.go:88:14:88:26 | utilityObject | provenance | | -| passwords.go:86:16:86:36 | call to make | passwords.go:85:19:87:2 | struct literal | provenance | Config | -| passwords.go:90:12:90:19 | password | passwords.go:91:23:91:28 | secret | provenance | | -| passwords.go:101:33:101:40 | password | passwords.go:101:15:101:40 | ...+... | provenance | Config | -| passwords.go:107:34:107:41 | password | passwords.go:107:16:107:41 | ...+... | provenance | Config | -| passwords.go:112:33:112:40 | password | passwords.go:112:15:112:40 | ...+... | provenance | Config | -| passwords.go:116:28:116:36 | password1 | passwords.go:116:28:116:45 | call to String | provenance | Config | -| passwords.go:116:28:116:45 | call to String | passwords.go:116:14:116:45 | ...+... | provenance | Config | -| passwords.go:118:12:123:2 | struct literal | passwords.go:125:14:125:19 | config | provenance | | -| passwords.go:118:12:123:2 | struct literal [x] | passwords.go:126:14:126:19 | config [x] | provenance | | -| passwords.go:118:12:123:2 | struct literal [y] | passwords.go:127:14:127:19 | config [y] | provenance | | -| passwords.go:119:13:119:13 | x | passwords.go:118:12:123:2 | struct literal | provenance | Config | -| passwords.go:121:13:121:20 | password | passwords.go:118:12:123:2 | struct literal | provenance | Config | -| passwords.go:121:13:121:20 | password | passwords.go:118:12:123:2 | struct literal [x] | provenance | | -| passwords.go:122:13:122:25 | call to getPassword | passwords.go:118:12:123:2 | struct literal | provenance | Config | -| passwords.go:122:13:122:25 | call to getPassword | passwords.go:118:12:123:2 | struct literal [y] | provenance | | -| passwords.go:126:14:126:19 | config [x] | passwords.go:126:14:126:21 | selection of x | provenance | | -| passwords.go:127:14:127:19 | config [y] | passwords.go:127:14:127:21 | selection of y | provenance | | +| passwords.go:48:11:48:18 | password | passwords.go:92:23:92:28 | secret | provenance | | +| passwords.go:48:11:48:18 | password | passwords.go:102:33:102:40 | password | provenance | | +| passwords.go:48:11:48:18 | password | passwords.go:108:34:108:41 | password | provenance | | +| passwords.go:48:11:48:18 | password | passwords.go:113:33:113:40 | password | provenance | | +| passwords.go:48:11:48:18 | password | passwords.go:123:13:123:20 | password | provenance | | +| passwords.go:50:2:50:15 | definition of fixed_password | passwords.go:51:14:51:27 | fixed_password | provenance | | +| passwords.go:86:19:88:2 | struct literal | passwords.go:89:14:89:26 | utilityObject | provenance | | +| passwords.go:87:16:87:36 | call to make | passwords.go:86:19:88:2 | struct literal | provenance | Config | +| passwords.go:102:33:102:40 | password | passwords.go:102:15:102:40 | ...+... | provenance | Config | +| passwords.go:102:33:102:40 | password | passwords.go:108:34:108:41 | password | provenance | | +| passwords.go:102:33:102:40 | password | passwords.go:113:33:113:40 | password | provenance | | +| passwords.go:102:33:102:40 | password | passwords.go:123:13:123:20 | password | provenance | | +| passwords.go:108:34:108:41 | password | passwords.go:108:16:108:41 | ...+... | provenance | Config | +| passwords.go:108:34:108:41 | password | passwords.go:113:33:113:40 | password | provenance | | +| passwords.go:108:34:108:41 | password | passwords.go:123:13:123:20 | password | provenance | | +| passwords.go:113:33:113:40 | password | passwords.go:113:15:113:40 | ...+... | provenance | Config | +| passwords.go:113:33:113:40 | password | passwords.go:123:13:123:20 | password | provenance | | +| passwords.go:116:6:116:14 | definition of password1 | passwords.go:117:28:117:36 | password1 | provenance | | +| passwords.go:117:28:117:36 | password1 | passwords.go:117:28:117:45 | call to String | provenance | Config | +| passwords.go:117:28:117:45 | call to String | passwords.go:117:14:117:45 | ...+... | provenance | Config | +| passwords.go:120:12:125:2 | struct literal | passwords.go:127:14:127:19 | config | provenance | | +| passwords.go:120:12:125:2 | struct literal [x] | passwords.go:128:14:128:19 | config [x] | provenance | | +| passwords.go:120:12:125:2 | struct literal [y] | passwords.go:129:14:129:19 | config [y] | provenance | | +| passwords.go:121:13:121:14 | x3 | passwords.go:120:12:125:2 | struct literal | provenance | Config | +| passwords.go:123:13:123:20 | password | passwords.go:120:12:125:2 | struct literal | provenance | Config | +| passwords.go:123:13:123:20 | password | passwords.go:120:12:125:2 | struct literal [x] | provenance | | +| passwords.go:124:13:124:25 | call to getPassword | passwords.go:120:12:125:2 | struct literal | provenance | Config | +| passwords.go:124:13:124:25 | call to getPassword | passwords.go:120:12:125:2 | struct literal [y] | provenance | | +| passwords.go:128:14:128:19 | config [x] | passwords.go:128:14:128:21 | selection of x | provenance | | +| passwords.go:129:14:129:19 | config [y] | passwords.go:129:14:129:21 | selection of y | provenance | | +| protobuf.go:9:2:9:9 | definition of password | protobuf.go:12:22:12:29 | password | provenance | | | protobuf.go:11:2:11:6 | definition of query [pointer, Description] | protobuf.go:12:2:12:6 | query [pointer, Description] | provenance | | -| protobuf.go:11:2:11:6 | definition of query [pointer, Description] | protobuf.go:14:14:14:18 | query [pointer, Description] | provenance | | | protobuf.go:12:2:12:6 | implicit dereference [Description] | protobuf.go:11:2:11:6 | definition of query [pointer, Description] | provenance | | | protobuf.go:12:2:12:6 | query [pointer, Description] | protobuf.go:12:2:12:6 | implicit dereference [Description] | provenance | | +| protobuf.go:12:2:12:6 | query [pointer, Description] | protobuf.go:14:14:14:18 | query [pointer, Description] | provenance | | | protobuf.go:12:22:12:29 | password | protobuf.go:12:2:12:6 | implicit dereference [Description] | provenance | | | protobuf.go:14:14:14:18 | query [pointer, Description] | protobuf.go:14:14:14:35 | call to GetDescription | provenance | | | protobuf.go:14:14:14:18 | query [pointer, Description] | protos/query/query.pb.go:117:7:117:7 | definition of x [pointer, Description] | provenance | | @@ -99,7 +252,17 @@ edges | protos/query/query.pb.go:119:10:119:10 | implicit dereference [Description] | protos/query/query.pb.go:119:10:119:22 | selection of Description | provenance | | | protos/query/query.pb.go:119:10:119:10 | x [pointer, Description] | protos/query/query.pb.go:119:10:119:10 | implicit dereference [Description] | provenance | | models -| 1 | Source: net/http; Request; true; Header; ; ; ; remote; manual | +| 1 | Sink: group:logrus; ; false; WithField; ; ; Argument[0..1]; log-injection; manual | +| 2 | Sink: group:logrus; ; false; WithFields; ; ; Argument[0]; log-injection; manual | +| 3 | Sink: log; ; false; Fatalf; ; ; Argument[0..1]; log-injection; manual | +| 4 | Sink: log; ; false; Output; ; ; Argument[1]; log-injection; manual | +| 5 | Sink: log; ; false; Panicf; ; ; Argument[0..1]; log-injection; manual | +| 6 | Sink: log; ; false; Printf; ; ; Argument[0..1]; log-injection; manual | +| 7 | Sink: log; Logger; true; Fatalf; ; ; Argument[0..1]; log-injection; manual | +| 8 | Sink: log; Logger; true; Output; ; ; Argument[1]; log-injection; manual | +| 9 | Sink: log; Logger; true; Panicf; ; ; Argument[0..1]; log-injection; manual | +| 10 | Sink: log; Logger; true; Printf; ; ; Argument[0..1]; log-injection; manual | +| 11 | Source: net/http; Request; true; Header; ; ; ; remote; manual | nodes | klog.go:20:3:25:3 | range statement[1] | semmle.label | range statement[1] | | klog.go:20:30:20:37 | selection of Header | semmle.label | selection of Header | @@ -108,39 +271,57 @@ nodes | klog.go:22:15:22:20 | header | semmle.label | header | | klog.go:28:13:28:20 | selection of Header | semmle.label | selection of Header | | klog.go:28:13:28:41 | call to Get | semmle.label | call to Get | -| main.go:15:12:15:19 | password | semmle.label | password | -| main.go:16:17:16:24 | password | semmle.label | password | -| main.go:17:13:17:20 | password | semmle.label | password | -| main.go:18:14:18:21 | password | semmle.label | password | +| main.go:17:2:17:9 | definition of password | semmle.label | definition of password | | main.go:19:12:19:19 | password | semmle.label | password | | main.go:20:17:20:24 | password | semmle.label | password | | main.go:21:13:21:20 | password | semmle.label | password | | main.go:22:14:22:21 | password | semmle.label | password | -| main.go:23:12:23:19 | password | semmle.label | password | -| main.go:24:17:24:24 | password | semmle.label | password | -| main.go:25:13:25:20 | password | semmle.label | password | -| main.go:26:14:26:21 | password | semmle.label | password | -| main.go:27:16:27:23 | password | semmle.label | password | -| main.go:30:10:30:17 | password | semmle.label | password | -| main.go:31:15:31:22 | password | semmle.label | password | -| main.go:32:11:32:18 | password | semmle.label | password | -| main.go:33:12:33:19 | password | semmle.label | password | -| main.go:34:10:34:17 | password | semmle.label | password | -| main.go:35:15:35:22 | password | semmle.label | password | -| main.go:36:11:36:18 | password | semmle.label | password | -| main.go:37:12:37:19 | password | semmle.label | password | -| main.go:38:10:38:17 | password | semmle.label | password | -| main.go:39:15:39:22 | password | semmle.label | password | -| main.go:40:11:40:18 | password | semmle.label | password | -| main.go:41:12:41:19 | password | semmle.label | password | +| main.go:24:13:24:20 | password | semmle.label | password | +| main.go:27:18:27:25 | password | semmle.label | password | +| main.go:30:14:30:21 | password | semmle.label | password | +| main.go:33:15:33:22 | password | semmle.label | password | +| main.go:36:13:36:20 | password | semmle.label | password | +| main.go:39:18:39:25 | password | semmle.label | password | | main.go:42:14:42:21 | password | semmle.label | password | -| main.go:44:12:44:19 | password | semmle.label | password | -| main.go:45:17:45:24 | password | semmle.label | password | -| main.go:52:35:52:42 | password | semmle.label | password | +| main.go:45:15:45:22 | password | semmle.label | password | +| main.go:47:16:47:23 | password | semmle.label | password | +| main.go:50:10:50:17 | password | semmle.label | password | +| main.go:50:10:50:17 | password | semmle.label | password | +| main.go:51:15:51:22 | password | semmle.label | password | +| main.go:51:15:51:22 | password | semmle.label | password | +| main.go:52:11:52:18 | password | semmle.label | password | +| main.go:52:11:52:18 | password | semmle.label | password | +| main.go:53:12:53:19 | password | semmle.label | password | +| main.go:53:12:53:19 | password | semmle.label | password | +| main.go:55:11:55:18 | password | semmle.label | password | +| main.go:55:11:55:18 | password | semmle.label | password | +| main.go:58:16:58:23 | password | semmle.label | password | +| main.go:58:16:58:23 | password | semmle.label | password | +| main.go:61:12:61:19 | password | semmle.label | password | +| main.go:61:12:61:19 | password | semmle.label | password | +| main.go:64:13:64:20 | password | semmle.label | password | +| main.go:64:13:64:20 | password | semmle.label | password | +| main.go:67:11:67:18 | password | semmle.label | password | +| main.go:67:11:67:18 | password | semmle.label | password | +| main.go:70:16:70:23 | password | semmle.label | password | +| main.go:70:16:70:23 | password | semmle.label | password | +| main.go:73:12:73:19 | password | semmle.label | password | +| main.go:73:12:73:19 | password | semmle.label | password | +| main.go:76:13:76:20 | password | semmle.label | password | +| main.go:76:13:76:20 | password | semmle.label | password | +| main.go:78:14:78:21 | password | semmle.label | password | +| main.go:80:12:80:19 | password | semmle.label | password | +| main.go:81:17:81:24 | password | semmle.label | password | +| main.go:83:2:83:7 | definition of fields | semmle.label | definition of fields | +| main.go:84:19:84:26 | password | semmle.label | password | +| main.go:85:29:85:34 | fields | semmle.label | fields | +| main.go:88:35:88:42 | password | semmle.label | password | +| overrides.go:8:2:8:9 | definition of password | semmle.label | definition of password | | overrides.go:9:9:9:16 | password | semmle.label | password | | overrides.go:13:14:13:23 | call to String | semmle.label | call to String | | passwords.go:8:12:8:12 | definition of x | semmle.label | definition of x | | passwords.go:9:14:9:14 | x | semmle.label | x | +| passwords.go:21:2:21:9 | definition of password | semmle.label | definition of password | | passwords.go:25:14:25:21 | password | semmle.label | password | | passwords.go:26:14:26:23 | selection of password | semmle.label | selection of password | | passwords.go:27:14:27:26 | call to getPassword | semmle.label | call to getPassword | @@ -158,32 +339,34 @@ nodes | passwords.go:46:6:46:9 | definition of obj3 | semmle.label | definition of obj3 | | passwords.go:47:14:47:17 | obj3 | semmle.label | obj3 | | passwords.go:48:11:48:18 | password | semmle.label | password | +| passwords.go:50:2:50:15 | definition of fixed_password | semmle.label | definition of fixed_password | | passwords.go:51:14:51:27 | fixed_password | semmle.label | fixed_password | -| passwords.go:85:19:87:2 | struct literal | semmle.label | struct literal | -| passwords.go:86:16:86:36 | call to make | semmle.label | call to make | -| passwords.go:88:14:88:26 | utilityObject | semmle.label | utilityObject | -| passwords.go:90:12:90:19 | password | semmle.label | password | -| passwords.go:91:23:91:28 | secret | semmle.label | secret | -| passwords.go:101:15:101:40 | ...+... | semmle.label | ...+... | -| passwords.go:101:33:101:40 | password | semmle.label | password | -| passwords.go:107:16:107:41 | ...+... | semmle.label | ...+... | -| passwords.go:107:34:107:41 | password | semmle.label | password | -| passwords.go:112:15:112:40 | ...+... | semmle.label | ...+... | -| passwords.go:112:33:112:40 | password | semmle.label | password | -| passwords.go:116:14:116:45 | ...+... | semmle.label | ...+... | -| passwords.go:116:28:116:36 | password1 | semmle.label | password1 | -| passwords.go:116:28:116:45 | call to String | semmle.label | call to String | -| passwords.go:118:12:123:2 | struct literal | semmle.label | struct literal | -| passwords.go:118:12:123:2 | struct literal [x] | semmle.label | struct literal [x] | -| passwords.go:118:12:123:2 | struct literal [y] | semmle.label | struct literal [y] | -| passwords.go:119:13:119:13 | x | semmle.label | x | -| passwords.go:121:13:121:20 | password | semmle.label | password | -| passwords.go:122:13:122:25 | call to getPassword | semmle.label | call to getPassword | -| passwords.go:125:14:125:19 | config | semmle.label | config | -| passwords.go:126:14:126:19 | config [x] | semmle.label | config [x] | -| passwords.go:126:14:126:21 | selection of x | semmle.label | selection of x | -| passwords.go:127:14:127:19 | config [y] | semmle.label | config [y] | -| passwords.go:127:14:127:21 | selection of y | semmle.label | selection of y | +| passwords.go:86:19:88:2 | struct literal | semmle.label | struct literal | +| passwords.go:87:16:87:36 | call to make | semmle.label | call to make | +| passwords.go:89:14:89:26 | utilityObject | semmle.label | utilityObject | +| passwords.go:92:23:92:28 | secret | semmle.label | secret | +| passwords.go:102:15:102:40 | ...+... | semmle.label | ...+... | +| passwords.go:102:33:102:40 | password | semmle.label | password | +| passwords.go:108:16:108:41 | ...+... | semmle.label | ...+... | +| passwords.go:108:34:108:41 | password | semmle.label | password | +| passwords.go:113:15:113:40 | ...+... | semmle.label | ...+... | +| passwords.go:113:33:113:40 | password | semmle.label | password | +| passwords.go:116:6:116:14 | definition of password1 | semmle.label | definition of password1 | +| passwords.go:117:14:117:45 | ...+... | semmle.label | ...+... | +| passwords.go:117:28:117:36 | password1 | semmle.label | password1 | +| passwords.go:117:28:117:45 | call to String | semmle.label | call to String | +| passwords.go:120:12:125:2 | struct literal | semmle.label | struct literal | +| passwords.go:120:12:125:2 | struct literal [x] | semmle.label | struct literal [x] | +| passwords.go:120:12:125:2 | struct literal [y] | semmle.label | struct literal [y] | +| passwords.go:121:13:121:14 | x3 | semmle.label | x3 | +| passwords.go:123:13:123:20 | password | semmle.label | password | +| passwords.go:124:13:124:25 | call to getPassword | semmle.label | call to getPassword | +| passwords.go:127:14:127:19 | config | semmle.label | config | +| passwords.go:128:14:128:19 | config [x] | semmle.label | config [x] | +| passwords.go:128:14:128:21 | selection of x | semmle.label | selection of x | +| passwords.go:129:14:129:19 | config [y] | semmle.label | config [y] | +| passwords.go:129:14:129:21 | selection of y | semmle.label | selection of y | +| protobuf.go:9:2:9:9 | definition of password | semmle.label | definition of password | | protobuf.go:11:2:11:6 | definition of query [pointer, Description] | semmle.label | definition of query [pointer, Description] | | protobuf.go:12:2:12:6 | implicit dereference [Description] | semmle.label | implicit dereference [Description] | | protobuf.go:12:2:12:6 | query [pointer, Description] | semmle.label | query [pointer, Description] | diff --git a/go/ql/test/query-tests/Security/CWE-312/main.go b/go/ql/test/query-tests/Security/CWE-312/main.go index d91166455571..39f184fcb40d 100644 --- a/go/ql/test/query-tests/Security/CWE-312/main.go +++ b/go/ql/test/query-tests/Security/CWE-312/main.go @@ -4,11 +4,15 @@ package main //go:generate depstubber -vendor github.com/golang/glog "" Info import ( + "log" + "math/rand" + "github.com/golang/glog" "github.com/sirupsen/logrus" - "log" ) +var i int = rand.Int() + func main() { password := "P4ssw0rd" @@ -16,14 +20,30 @@ func main() { log.Printf("", password) log.Printf(password, "") log.Println(password) - log.Fatal(password) - log.Fatalf("", password) - log.Fatalf(password, "") - log.Fatalln(password) - log.Panic(password) - log.Panicf("", password) - log.Panicf(password, "") - log.Panicln(password) + if i == 0 { + log.Fatal(password) + } + if i == 1 { + log.Fatalf("", password) + } + if i == 2 { + log.Fatalf(password, "") + } + if i == 3 { + log.Fatalln(password) + } + if i == 4 { + log.Panic(password) + } + if i == 5 { + log.Panicf("", password) + } + if i == 6 { + log.Panicf(password, "") + } + if i == 7 { + log.Panicln(password) + } log.Output(0, password) l := log.Default() @@ -31,14 +51,30 @@ func main() { l.Printf("", password) l.Printf(password, "") l.Println(password) - l.Fatal(password) - l.Fatalf("", password) - l.Fatalf(password, "") - l.Fatalln(password) - l.Panic(password) - l.Panicf("", password) - l.Panicf(password, "") - l.Panicln(password) + if i == 10 { + l.Fatal(password) + } + if i == 11 { + l.Fatalf("", password) + } + if i == 12 { + l.Fatalf(password, "") + } + if i == 13 { + l.Fatalln(password) + } + if i == 14 { + l.Panic(password) + } + if i == 15 { + l.Panicf("", password) + } + if i == 16 { + l.Panicf(password, "") + } + if i == 17 { + l.Panicln(password) + } l.Output(0, password) glog.Info(password) diff --git a/go/ql/test/query-tests/Security/CWE-312/passwords.go b/go/ql/test/query-tests/Security/CWE-312/passwords.go index 5f0b291016db..4fdfd0986055 100644 --- a/go/ql/test/query-tests/Security/CWE-312/passwords.go +++ b/go/ql/test/query-tests/Security/CWE-312/passwords.go @@ -65,7 +65,8 @@ func test() { log.Println(actually_secure_password) // OK var user1 cryptedStruct - user1.cryptedPassword = x + x2 := "perhaps sensitive" + user1.cryptedPassword = x2 log.Println(user1) // OK var user2 passStruct @@ -115,8 +116,9 @@ func test() { var password1 stringable = stringable{"arstneio"} log.Println(name + ", " + password1.String()) // NOT OK + x3 := "sheepbatterystaplecorrect" config := Config{ - password: x, + password: x3, hostname: "tarski", x: password, y: getPassword(), diff --git a/go/ql/test/query-tests/Security/CWE-338/InsecureRandomness/InsecureRandomness.expected b/go/ql/test/query-tests/Security/CWE-338/InsecureRandomness/InsecureRandomness.expected index b2659fffde78..40be0e8df691 100644 --- a/go/ql/test/query-tests/Security/CWE-338/InsecureRandomness/InsecureRandomness.expected +++ b/go/ql/test/query-tests/Security/CWE-338/InsecureRandomness/InsecureRandomness.expected @@ -1,8 +1,7 @@ #select | InsecureRandomness.go:12:18:12:40 | call to Intn | InsecureRandomness.go:12:18:12:40 | call to Intn | InsecureRandomness.go:12:18:12:40 | call to Intn | A password-related function depends on a $@ generated with a cryptographically weak RNG. | InsecureRandomness.go:12:18:12:40 | call to Intn | random number | | sample.go:26:25:26:30 | call to Guid | sample.go:15:49:15:61 | call to Uint32 | sample.go:26:25:26:30 | call to Guid | This cryptographic algorithm depends on a $@ generated with a cryptographically weak RNG. | sample.go:15:49:15:61 | call to Uint32 | random number | -| sample.go:37:25:37:29 | nonce | sample.go:34:12:34:40 | call to New | sample.go:37:25:37:29 | nonce | This cryptographic algorithm depends on a $@ generated with a cryptographically weak RNG. | sample.go:34:12:34:40 | call to New | random number | -| sample.go:37:32:37:36 | nonce | sample.go:34:12:34:40 | call to New | sample.go:37:32:37:36 | nonce | This cryptographic algorithm depends on a $@ generated with a cryptographically weak RNG. | sample.go:34:12:34:40 | call to New | random number | +| sample.go:37:35:37:39 | nonce | sample.go:34:12:34:40 | call to New | sample.go:37:35:37:39 | nonce | This cryptographic algorithm depends on a $@ generated with a cryptographically weak RNG. | sample.go:34:12:34:40 | call to New | random number | | sample.go:43:17:43:39 | call to Intn | sample.go:43:17:43:39 | call to Intn | sample.go:43:17:43:39 | call to Intn | A password-related function depends on a $@ generated with a cryptographically weak RNG. | sample.go:43:17:43:39 | call to Intn | random number | | sample.go:58:32:58:43 | type conversion | sample.go:55:17:55:42 | call to Intn | sample.go:58:32:58:43 | type conversion | This cryptographic algorithm depends on a $@ generated with a cryptographically weak RNG. | sample.go:55:17:55:42 | call to Intn | random number | edges @@ -13,8 +12,7 @@ edges | sample.go:15:49:15:61 | call to Uint32 | sample.go:15:31:15:62 | []type{args} [array] | provenance | | | sample.go:15:49:15:61 | call to Uint32 | sample.go:15:31:15:62 | call to Sprintf | provenance | FunctionModel | | sample.go:16:9:16:15 | slice expression | sample.go:26:25:26:30 | call to Guid | provenance | | -| sample.go:33:2:33:6 | definition of nonce | sample.go:37:25:37:29 | nonce | provenance | | -| sample.go:33:2:33:6 | definition of nonce | sample.go:37:32:37:36 | nonce | provenance | | +| sample.go:33:2:33:6 | definition of nonce | sample.go:37:35:37:39 | nonce | provenance | | | sample.go:34:12:34:40 | call to New | sample.go:35:14:35:19 | random | provenance | | | sample.go:35:14:35:19 | random | sample.go:33:2:33:6 | definition of nonce | provenance | MaD:2 | | sample.go:55:17:55:42 | call to Intn | sample.go:56:29:56:38 | randNumber | provenance | | @@ -36,8 +34,7 @@ nodes | sample.go:33:2:33:6 | definition of nonce | semmle.label | definition of nonce | | sample.go:34:12:34:40 | call to New | semmle.label | call to New | | sample.go:35:14:35:19 | random | semmle.label | random | -| sample.go:37:25:37:29 | nonce | semmle.label | nonce | -| sample.go:37:32:37:36 | nonce | semmle.label | nonce | +| sample.go:37:35:37:39 | nonce | semmle.label | nonce | | sample.go:43:17:43:39 | call to Intn | semmle.label | call to Intn | | sample.go:44:17:44:39 | call to Intn | semmle.label | call to Intn | | sample.go:45:17:45:39 | call to Intn | semmle.label | call to Intn | diff --git a/go/ql/test/query-tests/Security/CWE-338/InsecureRandomness/sample.go b/go/ql/test/query-tests/Security/CWE-338/InsecureRandomness/sample.go index df703ff0dfa0..9eef81f63bb4 100644 --- a/go/ql/test/query-tests/Security/CWE-338/InsecureRandomness/sample.go +++ b/go/ql/test/query-tests/Security/CWE-338/InsecureRandomness/sample.go @@ -34,7 +34,7 @@ func encrypt(data []byte, password string) []byte { random := rand.New(rand.NewSource(999)) io.ReadFull(random, nonce) - ciphertext := gcm.Seal(nonce, nonce, data, nil) // BAD: use of an insecure rng to generate a nonce + ciphertext := gcm.Seal(data[:0], nonce, data, nil) // BAD: use of an insecure rng to generate a nonce return ciphertext } diff --git a/go/ql/test/query-tests/Security/CWE-601/OpenUrlRedirect/OpenUrlRedirect.expected b/go/ql/test/query-tests/Security/CWE-601/OpenUrlRedirect/OpenUrlRedirect.expected index f8d193348ba0..65d24e8b45b6 100644 --- a/go/ql/test/query-tests/Security/CWE-601/OpenUrlRedirect/OpenUrlRedirect.expected +++ b/go/ql/test/query-tests/Security/CWE-601/OpenUrlRedirect/OpenUrlRedirect.expected @@ -2,69 +2,71 @@ | OpenUrlRedirect.go:10:23:10:42 | call to Get | OpenUrlRedirect.go:10:23:10:28 | selection of Form | OpenUrlRedirect.go:10:23:10:42 | call to Get | This path to an untrusted URL redirection depends on a $@. | OpenUrlRedirect.go:10:23:10:28 | selection of Form | user-provided value | | stdlib.go:15:30:15:35 | target | stdlib.go:13:13:13:18 | selection of Form | stdlib.go:15:30:15:35 | target | This path to an untrusted URL redirection depends on a $@. | stdlib.go:13:13:13:18 | selection of Form | user-provided value | | stdlib.go:24:30:24:35 | target | stdlib.go:22:13:22:18 | selection of Form | stdlib.go:24:30:24:35 | target | This path to an untrusted URL redirection depends on a $@. | stdlib.go:22:13:22:18 | selection of Form | user-provided value | -| stdlib.go:35:30:35:39 | ...+... | stdlib.go:31:13:31:18 | selection of Form | stdlib.go:35:30:35:39 | ...+... | This path to an untrusted URL redirection depends on a $@. | stdlib.go:31:13:31:18 | selection of Form | user-provided value | -| stdlib.go:46:23:46:28 | target | stdlib.go:44:13:44:18 | selection of Form | stdlib.go:46:23:46:28 | target | This path to an untrusted URL redirection depends on a $@. | stdlib.go:44:13:44:18 | selection of Form | user-provided value | -| stdlib.go:67:23:67:40 | ...+... | stdlib.go:64:13:64:18 | selection of Form | stdlib.go:67:23:67:40 | ...+... | This path to an untrusted URL redirection depends on a $@. | stdlib.go:64:13:64:18 | selection of Form | user-provided value | -| stdlib.go:92:23:92:28 | target | stdlib.go:89:13:89:18 | selection of Form | stdlib.go:92:23:92:28 | target | This path to an untrusted URL redirection depends on a $@. | stdlib.go:89:13:89:18 | selection of Form | user-provided value | -| stdlib.go:152:23:152:28 | target | stdlib.go:146:13:146:18 | selection of Form | stdlib.go:152:23:152:28 | target | This path to an untrusted URL redirection depends on a $@. | stdlib.go:146:13:146:18 | selection of Form | user-provided value | -| stdlib.go:184:23:184:28 | target | stdlib.go:182:13:182:33 | call to FormValue | stdlib.go:184:23:184:28 | target | This path to an untrusted URL redirection depends on a $@. | stdlib.go:182:13:182:33 | call to FormValue | user-provided value | -| stdlib.go:192:23:192:33 | selection of Path | stdlib.go:190:36:190:56 | call to FormValue | stdlib.go:192:23:192:33 | selection of Path | This path to an untrusted URL redirection depends on a $@. | stdlib.go:190:36:190:56 | call to FormValue | user-provided value | -| stdlib.go:194:23:194:42 | call to EscapedPath | stdlib.go:190:36:190:56 | call to FormValue | stdlib.go:194:23:194:42 | call to EscapedPath | This path to an untrusted URL redirection depends on a $@. | stdlib.go:190:36:190:56 | call to FormValue | user-provided value | +| stdlib.go:39:30:39:40 | ...+... | stdlib.go:33:13:33:18 | selection of Form | stdlib.go:39:30:39:40 | ...+... | This path to an untrusted URL redirection depends on a $@. | stdlib.go:33:13:33:18 | selection of Form | user-provided value | +| stdlib.go:50:23:50:28 | target | stdlib.go:48:13:48:18 | selection of Form | stdlib.go:50:23:50:28 | target | This path to an untrusted URL redirection depends on a $@. | stdlib.go:48:13:48:18 | selection of Form | user-provided value | +| stdlib.go:71:23:71:40 | ...+... | stdlib.go:68:13:68:18 | selection of Form | stdlib.go:71:23:71:40 | ...+... | This path to an untrusted URL redirection depends on a $@. | stdlib.go:68:13:68:18 | selection of Form | user-provided value | +| stdlib.go:96:23:96:28 | target | stdlib.go:93:13:93:18 | selection of Form | stdlib.go:96:23:96:28 | target | This path to an untrusted URL redirection depends on a $@. | stdlib.go:93:13:93:18 | selection of Form | user-provided value | +| stdlib.go:156:23:156:28 | target | stdlib.go:150:13:150:18 | selection of Form | stdlib.go:156:23:156:28 | target | This path to an untrusted URL redirection depends on a $@. | stdlib.go:150:13:150:18 | selection of Form | user-provided value | +| stdlib.go:188:23:188:28 | target | stdlib.go:186:13:186:33 | call to FormValue | stdlib.go:188:23:188:28 | target | This path to an untrusted URL redirection depends on a $@. | stdlib.go:186:13:186:33 | call to FormValue | user-provided value | +| stdlib.go:196:23:196:33 | selection of Path | stdlib.go:194:36:194:56 | call to FormValue | stdlib.go:196:23:196:33 | selection of Path | This path to an untrusted URL redirection depends on a $@. | stdlib.go:194:36:194:56 | call to FormValue | user-provided value | +| stdlib.go:198:23:198:42 | call to EscapedPath | stdlib.go:194:36:194:56 | call to FormValue | stdlib.go:198:23:198:42 | call to EscapedPath | This path to an untrusted URL redirection depends on a $@. | stdlib.go:194:36:194:56 | call to FormValue | user-provided value | edges | OpenUrlRedirect.go:10:23:10:28 | selection of Form | OpenUrlRedirect.go:10:23:10:42 | call to Get | provenance | Src:MaD:2 Config Sink:MaD:1 | | stdlib.go:13:13:13:18 | selection of Form | stdlib.go:13:13:13:32 | call to Get | provenance | Src:MaD:2 Config | | stdlib.go:13:13:13:32 | call to Get | stdlib.go:15:30:15:35 | target | provenance | | | stdlib.go:22:13:22:18 | selection of Form | stdlib.go:22:13:22:32 | call to Get | provenance | Src:MaD:2 Config | | stdlib.go:22:13:22:32 | call to Get | stdlib.go:24:30:24:35 | target | provenance | | -| stdlib.go:31:13:31:18 | selection of Form | stdlib.go:31:13:31:32 | call to Get | provenance | Src:MaD:2 Config | -| stdlib.go:31:13:31:32 | call to Get | stdlib.go:35:34:35:39 | target | provenance | | -| stdlib.go:35:34:35:39 | target | stdlib.go:35:30:35:39 | ...+... | provenance | Config | -| stdlib.go:44:13:44:18 | selection of Form | stdlib.go:44:13:44:32 | call to Get | provenance | Src:MaD:2 Config | -| stdlib.go:44:13:44:32 | call to Get | stdlib.go:46:23:46:28 | target | provenance | Sink:MaD:1 | -| stdlib.go:64:13:64:18 | selection of Form | stdlib.go:64:13:64:32 | call to Get | provenance | Src:MaD:2 Config | -| stdlib.go:64:13:64:32 | call to Get | stdlib.go:67:23:67:28 | target | provenance | | -| stdlib.go:67:23:67:28 | target | stdlib.go:67:23:67:37 | ...+... | provenance | Config | -| stdlib.go:67:23:67:37 | ...+... | stdlib.go:67:23:67:40 | ...+... | provenance | Config Sink:MaD:1 | -| stdlib.go:89:13:89:18 | selection of Form | stdlib.go:89:13:89:32 | call to Get | provenance | Src:MaD:2 Config | -| stdlib.go:89:13:89:32 | call to Get | stdlib.go:90:3:90:8 | target | provenance | | -| stdlib.go:90:3:90:8 | target | stdlib.go:90:3:90:25 | ... += ... | provenance | Config | -| stdlib.go:90:3:90:25 | ... += ... | stdlib.go:92:23:92:28 | target | provenance | Sink:MaD:1 | -| stdlib.go:107:54:107:54 | definition of r [pointer, URL, pointer] | stdlib.go:112:4:112:4 | r [pointer, URL, pointer] | provenance | | -| stdlib.go:107:54:107:54 | definition of r [pointer, URL] | stdlib.go:112:4:112:4 | r [pointer, URL] | provenance | | -| stdlib.go:107:54:107:54 | definition of r [pointer, URL] | stdlib.go:113:24:113:24 | r [pointer, URL] | provenance | | -| stdlib.go:112:4:112:4 | implicit dereference [URL, pointer] | stdlib.go:107:54:107:54 | definition of r [pointer, URL, pointer] | provenance | | -| stdlib.go:112:4:112:4 | implicit dereference [URL, pointer] | stdlib.go:112:4:112:8 | selection of URL [pointer] | provenance | | -| stdlib.go:112:4:112:4 | implicit dereference [URL] | stdlib.go:107:54:107:54 | definition of r [pointer, URL] | provenance | | -| stdlib.go:112:4:112:4 | implicit dereference [URL] | stdlib.go:112:4:112:8 | selection of URL | provenance | | -| stdlib.go:112:4:112:4 | r [pointer, URL, pointer] | stdlib.go:112:4:112:4 | implicit dereference [URL, pointer] | provenance | | -| stdlib.go:112:4:112:4 | r [pointer, URL] | stdlib.go:112:4:112:4 | implicit dereference [URL] | provenance | | -| stdlib.go:112:4:112:8 | implicit dereference | stdlib.go:112:4:112:8 | selection of URL | provenance | Config | -| stdlib.go:112:4:112:8 | implicit dereference | stdlib.go:112:4:112:8 | selection of URL [pointer] | provenance | | -| stdlib.go:112:4:112:8 | selection of URL | stdlib.go:112:4:112:4 | implicit dereference [URL] | provenance | Src:MaD:4 | -| stdlib.go:112:4:112:8 | selection of URL | stdlib.go:112:4:112:8 | implicit dereference | provenance | Src:MaD:4 Config | -| stdlib.go:112:4:112:8 | selection of URL [pointer] | stdlib.go:112:4:112:4 | implicit dereference [URL, pointer] | provenance | | -| stdlib.go:112:4:112:8 | selection of URL [pointer] | stdlib.go:112:4:112:8 | implicit dereference | provenance | | -| stdlib.go:113:24:113:24 | implicit dereference [URL] | stdlib.go:113:24:113:28 | selection of URL | provenance | | -| stdlib.go:113:24:113:24 | r [pointer, URL] | stdlib.go:113:24:113:24 | implicit dereference [URL] | provenance | | -| stdlib.go:113:24:113:28 | selection of URL | stdlib.go:113:24:113:37 | call to String | provenance | Src:MaD:4 Config Sink:MaD:1 | -| stdlib.go:146:13:146:18 | selection of Form | stdlib.go:146:13:146:32 | call to Get | provenance | Src:MaD:2 Config | -| stdlib.go:146:13:146:32 | call to Get | stdlib.go:152:23:152:28 | target | provenance | Sink:MaD:1 | -| stdlib.go:159:10:159:15 | star expression | stdlib.go:159:11:159:15 | selection of URL | provenance | Config | -| stdlib.go:159:10:159:15 | star expression | stdlib.go:162:24:162:26 | url | provenance | | -| stdlib.go:159:11:159:15 | selection of URL | stdlib.go:159:10:159:15 | star expression | provenance | Src:MaD:4 Config | -| stdlib.go:162:24:162:26 | url | stdlib.go:162:24:162:35 | call to String | provenance | Config Sink:MaD:1 | -| stdlib.go:173:35:173:39 | selection of URL | stdlib.go:173:35:173:52 | call to RequestURI | provenance | Src:MaD:4 Config | -| stdlib.go:173:35:173:52 | call to RequestURI | stdlib.go:173:24:173:52 | ...+... | provenance | Config Sink:MaD:1 | -| stdlib.go:182:13:182:33 | call to FormValue | stdlib.go:184:23:184:28 | target | provenance | Src:MaD:3 Sink:MaD:1 | -| stdlib.go:190:3:190:8 | definition of target | stdlib.go:192:23:192:28 | target | provenance | | -| stdlib.go:190:3:190:8 | definition of target | stdlib.go:194:23:194:28 | target | provenance | | -| stdlib.go:190:3:190:57 | ... := ...[0] | stdlib.go:190:3:190:8 | definition of target | provenance | | -| stdlib.go:190:36:190:56 | call to FormValue | stdlib.go:190:3:190:57 | ... := ...[0] | provenance | Src:MaD:3 Config | -| stdlib.go:192:23:192:28 | implicit dereference | stdlib.go:190:3:190:8 | definition of target | provenance | Config | -| stdlib.go:192:23:192:28 | implicit dereference | stdlib.go:192:23:192:33 | selection of Path | provenance | Config Sink:MaD:1 | -| stdlib.go:192:23:192:28 | target | stdlib.go:192:23:192:28 | implicit dereference | provenance | Config | -| stdlib.go:192:23:192:28 | target | stdlib.go:192:23:192:33 | selection of Path | provenance | Config Sink:MaD:1 | -| stdlib.go:194:23:194:28 | target | stdlib.go:194:23:194:42 | call to EscapedPath | provenance | Config Sink:MaD:1 | +| stdlib.go:33:13:33:18 | selection of Form | stdlib.go:33:13:33:32 | call to Get | provenance | Src:MaD:2 Config | +| stdlib.go:33:13:33:32 | call to Get | stdlib.go:39:34:39:40 | target2 | provenance | | +| stdlib.go:39:34:39:40 | target2 | stdlib.go:39:30:39:40 | ...+... | provenance | Config | +| stdlib.go:48:13:48:18 | selection of Form | stdlib.go:48:13:48:32 | call to Get | provenance | Src:MaD:2 Config | +| stdlib.go:48:13:48:32 | call to Get | stdlib.go:50:23:50:28 | target | provenance | Sink:MaD:1 | +| stdlib.go:68:13:68:18 | selection of Form | stdlib.go:68:13:68:32 | call to Get | provenance | Src:MaD:2 Config | +| stdlib.go:68:13:68:32 | call to Get | stdlib.go:71:23:71:28 | target | provenance | | +| stdlib.go:71:23:71:28 | target | stdlib.go:71:23:71:37 | ...+... | provenance | Config | +| stdlib.go:71:23:71:37 | ...+... | stdlib.go:71:23:71:40 | ...+... | provenance | Config Sink:MaD:1 | +| stdlib.go:93:13:93:18 | selection of Form | stdlib.go:93:13:93:32 | call to Get | provenance | Src:MaD:2 Config | +| stdlib.go:93:13:93:32 | call to Get | stdlib.go:94:3:94:8 | target | provenance | | +| stdlib.go:94:3:94:8 | target | stdlib.go:94:3:94:25 | ... += ... | provenance | Config | +| stdlib.go:94:3:94:25 | ... += ... | stdlib.go:96:23:96:28 | target | provenance | Sink:MaD:1 | +| stdlib.go:111:54:111:54 | definition of r [pointer, URL, pointer] | stdlib.go:115:6:115:6 | r [pointer, URL, pointer] | provenance | | +| stdlib.go:111:54:111:54 | definition of r [pointer, URL] | stdlib.go:115:6:115:6 | r [pointer, URL] | provenance | | +| stdlib.go:115:6:115:6 | r [pointer, URL, pointer] | stdlib.go:116:4:116:4 | r [pointer, URL, pointer] | provenance | | +| stdlib.go:115:6:115:6 | r [pointer, URL] | stdlib.go:116:4:116:4 | r [pointer, URL] | provenance | | +| stdlib.go:116:4:116:4 | implicit dereference [URL, pointer] | stdlib.go:111:54:111:54 | definition of r [pointer, URL, pointer] | provenance | | +| stdlib.go:116:4:116:4 | implicit dereference [URL, pointer] | stdlib.go:116:4:116:8 | selection of URL [pointer] | provenance | | +| stdlib.go:116:4:116:4 | implicit dereference [URL] | stdlib.go:111:54:111:54 | definition of r [pointer, URL] | provenance | | +| stdlib.go:116:4:116:4 | implicit dereference [URL] | stdlib.go:116:4:116:8 | selection of URL | provenance | | +| stdlib.go:116:4:116:4 | r [pointer, URL, pointer] | stdlib.go:116:4:116:4 | implicit dereference [URL, pointer] | provenance | | +| stdlib.go:116:4:116:4 | r [pointer, URL] | stdlib.go:116:4:116:4 | implicit dereference [URL] | provenance | | +| stdlib.go:116:4:116:4 | r [pointer, URL] | stdlib.go:117:24:117:24 | r [pointer, URL] | provenance | | +| stdlib.go:116:4:116:8 | implicit dereference | stdlib.go:116:4:116:8 | selection of URL | provenance | Config | +| stdlib.go:116:4:116:8 | implicit dereference | stdlib.go:116:4:116:8 | selection of URL [pointer] | provenance | | +| stdlib.go:116:4:116:8 | selection of URL | stdlib.go:116:4:116:4 | implicit dereference [URL] | provenance | Src:MaD:4 | +| stdlib.go:116:4:116:8 | selection of URL | stdlib.go:116:4:116:8 | implicit dereference | provenance | Src:MaD:4 Config | +| stdlib.go:116:4:116:8 | selection of URL [pointer] | stdlib.go:116:4:116:4 | implicit dereference [URL, pointer] | provenance | | +| stdlib.go:116:4:116:8 | selection of URL [pointer] | stdlib.go:116:4:116:8 | implicit dereference | provenance | | +| stdlib.go:117:24:117:24 | implicit dereference [URL] | stdlib.go:117:24:117:28 | selection of URL | provenance | | +| stdlib.go:117:24:117:24 | r [pointer, URL] | stdlib.go:117:24:117:24 | implicit dereference [URL] | provenance | | +| stdlib.go:117:24:117:28 | selection of URL | stdlib.go:117:24:117:37 | call to String | provenance | Src:MaD:4 Config Sink:MaD:1 | +| stdlib.go:150:13:150:18 | selection of Form | stdlib.go:150:13:150:32 | call to Get | provenance | Src:MaD:2 Config | +| stdlib.go:150:13:150:32 | call to Get | stdlib.go:156:23:156:28 | target | provenance | Sink:MaD:1 | +| stdlib.go:163:10:163:15 | star expression | stdlib.go:163:11:163:15 | selection of URL | provenance | Config | +| stdlib.go:163:10:163:15 | star expression | stdlib.go:166:24:166:26 | url | provenance | | +| stdlib.go:163:11:163:15 | selection of URL | stdlib.go:163:10:163:15 | star expression | provenance | Src:MaD:4 Config | +| stdlib.go:166:24:166:26 | url | stdlib.go:166:24:166:35 | call to String | provenance | Config Sink:MaD:1 | +| stdlib.go:177:35:177:39 | selection of URL | stdlib.go:177:35:177:52 | call to RequestURI | provenance | Src:MaD:4 Config | +| stdlib.go:177:35:177:52 | call to RequestURI | stdlib.go:177:24:177:52 | ...+... | provenance | Config Sink:MaD:1 | +| stdlib.go:186:13:186:33 | call to FormValue | stdlib.go:188:23:188:28 | target | provenance | Src:MaD:3 Sink:MaD:1 | +| stdlib.go:194:3:194:8 | definition of target | stdlib.go:196:23:196:28 | target | provenance | | +| stdlib.go:194:3:194:57 | ... := ...[0] | stdlib.go:194:3:194:8 | definition of target | provenance | | +| stdlib.go:194:36:194:56 | call to FormValue | stdlib.go:194:3:194:57 | ... := ...[0] | provenance | Src:MaD:3 Config | +| stdlib.go:196:23:196:28 | implicit dereference | stdlib.go:194:3:194:8 | definition of target | provenance | Config | +| stdlib.go:196:23:196:28 | implicit dereference | stdlib.go:196:23:196:33 | selection of Path | provenance | Config Sink:MaD:1 | +| stdlib.go:196:23:196:28 | target | stdlib.go:196:23:196:28 | implicit dereference | provenance | Config | +| stdlib.go:196:23:196:28 | target | stdlib.go:196:23:196:33 | selection of Path | provenance | Config Sink:MaD:1 | +| stdlib.go:196:23:196:28 | target | stdlib.go:198:23:198:28 | target | provenance | | +| stdlib.go:198:23:198:28 | target | stdlib.go:198:23:198:42 | call to EscapedPath | provenance | Config Sink:MaD:1 | models | 1 | Sink: net/http; ; false; Redirect; ; ; Argument[2]; url-redirection[0]; manual | | 2 | Source: net/http; Request; true; Form; ; ; ; remote; manual | @@ -79,54 +81,56 @@ nodes | stdlib.go:22:13:22:18 | selection of Form | semmle.label | selection of Form | | stdlib.go:22:13:22:32 | call to Get | semmle.label | call to Get | | stdlib.go:24:30:24:35 | target | semmle.label | target | -| stdlib.go:31:13:31:18 | selection of Form | semmle.label | selection of Form | -| stdlib.go:31:13:31:32 | call to Get | semmle.label | call to Get | -| stdlib.go:35:30:35:39 | ...+... | semmle.label | ...+... | -| stdlib.go:35:34:35:39 | target | semmle.label | target | -| stdlib.go:44:13:44:18 | selection of Form | semmle.label | selection of Form | -| stdlib.go:44:13:44:32 | call to Get | semmle.label | call to Get | -| stdlib.go:46:23:46:28 | target | semmle.label | target | -| stdlib.go:64:13:64:18 | selection of Form | semmle.label | selection of Form | -| stdlib.go:64:13:64:32 | call to Get | semmle.label | call to Get | -| stdlib.go:67:23:67:28 | target | semmle.label | target | -| stdlib.go:67:23:67:37 | ...+... | semmle.label | ...+... | -| stdlib.go:67:23:67:40 | ...+... | semmle.label | ...+... | -| stdlib.go:89:13:89:18 | selection of Form | semmle.label | selection of Form | -| stdlib.go:89:13:89:32 | call to Get | semmle.label | call to Get | -| stdlib.go:90:3:90:8 | target | semmle.label | target | -| stdlib.go:90:3:90:25 | ... += ... | semmle.label | ... += ... | -| stdlib.go:92:23:92:28 | target | semmle.label | target | -| stdlib.go:107:54:107:54 | definition of r [pointer, URL, pointer] | semmle.label | definition of r [pointer, URL, pointer] | -| stdlib.go:107:54:107:54 | definition of r [pointer, URL] | semmle.label | definition of r [pointer, URL] | -| stdlib.go:112:4:112:4 | implicit dereference [URL, pointer] | semmle.label | implicit dereference [URL, pointer] | -| stdlib.go:112:4:112:4 | implicit dereference [URL] | semmle.label | implicit dereference [URL] | -| stdlib.go:112:4:112:4 | r [pointer, URL, pointer] | semmle.label | r [pointer, URL, pointer] | -| stdlib.go:112:4:112:4 | r [pointer, URL] | semmle.label | r [pointer, URL] | -| stdlib.go:112:4:112:8 | implicit dereference | semmle.label | implicit dereference | -| stdlib.go:112:4:112:8 | selection of URL | semmle.label | selection of URL | -| stdlib.go:112:4:112:8 | selection of URL [pointer] | semmle.label | selection of URL [pointer] | -| stdlib.go:113:24:113:24 | implicit dereference [URL] | semmle.label | implicit dereference [URL] | -| stdlib.go:113:24:113:24 | r [pointer, URL] | semmle.label | r [pointer, URL] | -| stdlib.go:113:24:113:28 | selection of URL | semmle.label | selection of URL | -| stdlib.go:113:24:113:37 | call to String | semmle.label | call to String | -| stdlib.go:146:13:146:18 | selection of Form | semmle.label | selection of Form | -| stdlib.go:146:13:146:32 | call to Get | semmle.label | call to Get | -| stdlib.go:152:23:152:28 | target | semmle.label | target | -| stdlib.go:159:10:159:15 | star expression | semmle.label | star expression | -| stdlib.go:159:11:159:15 | selection of URL | semmle.label | selection of URL | -| stdlib.go:162:24:162:26 | url | semmle.label | url | -| stdlib.go:162:24:162:35 | call to String | semmle.label | call to String | -| stdlib.go:173:24:173:52 | ...+... | semmle.label | ...+... | -| stdlib.go:173:35:173:39 | selection of URL | semmle.label | selection of URL | -| stdlib.go:173:35:173:52 | call to RequestURI | semmle.label | call to RequestURI | -| stdlib.go:182:13:182:33 | call to FormValue | semmle.label | call to FormValue | -| stdlib.go:184:23:184:28 | target | semmle.label | target | -| stdlib.go:190:3:190:8 | definition of target | semmle.label | definition of target | -| stdlib.go:190:3:190:57 | ... := ...[0] | semmle.label | ... := ...[0] | -| stdlib.go:190:36:190:56 | call to FormValue | semmle.label | call to FormValue | -| stdlib.go:192:23:192:28 | implicit dereference | semmle.label | implicit dereference | -| stdlib.go:192:23:192:28 | target | semmle.label | target | -| stdlib.go:192:23:192:33 | selection of Path | semmle.label | selection of Path | -| stdlib.go:194:23:194:28 | target | semmle.label | target | -| stdlib.go:194:23:194:42 | call to EscapedPath | semmle.label | call to EscapedPath | +| stdlib.go:33:13:33:18 | selection of Form | semmle.label | selection of Form | +| stdlib.go:33:13:33:32 | call to Get | semmle.label | call to Get | +| stdlib.go:39:30:39:40 | ...+... | semmle.label | ...+... | +| stdlib.go:39:34:39:40 | target2 | semmle.label | target2 | +| stdlib.go:48:13:48:18 | selection of Form | semmle.label | selection of Form | +| stdlib.go:48:13:48:32 | call to Get | semmle.label | call to Get | +| stdlib.go:50:23:50:28 | target | semmle.label | target | +| stdlib.go:68:13:68:18 | selection of Form | semmle.label | selection of Form | +| stdlib.go:68:13:68:32 | call to Get | semmle.label | call to Get | +| stdlib.go:71:23:71:28 | target | semmle.label | target | +| stdlib.go:71:23:71:37 | ...+... | semmle.label | ...+... | +| stdlib.go:71:23:71:40 | ...+... | semmle.label | ...+... | +| stdlib.go:93:13:93:18 | selection of Form | semmle.label | selection of Form | +| stdlib.go:93:13:93:32 | call to Get | semmle.label | call to Get | +| stdlib.go:94:3:94:8 | target | semmle.label | target | +| stdlib.go:94:3:94:25 | ... += ... | semmle.label | ... += ... | +| stdlib.go:96:23:96:28 | target | semmle.label | target | +| stdlib.go:111:54:111:54 | definition of r [pointer, URL, pointer] | semmle.label | definition of r [pointer, URL, pointer] | +| stdlib.go:111:54:111:54 | definition of r [pointer, URL] | semmle.label | definition of r [pointer, URL] | +| stdlib.go:115:6:115:6 | r [pointer, URL, pointer] | semmle.label | r [pointer, URL, pointer] | +| stdlib.go:115:6:115:6 | r [pointer, URL] | semmle.label | r [pointer, URL] | +| stdlib.go:116:4:116:4 | implicit dereference [URL, pointer] | semmle.label | implicit dereference [URL, pointer] | +| stdlib.go:116:4:116:4 | implicit dereference [URL] | semmle.label | implicit dereference [URL] | +| stdlib.go:116:4:116:4 | r [pointer, URL, pointer] | semmle.label | r [pointer, URL, pointer] | +| stdlib.go:116:4:116:4 | r [pointer, URL] | semmle.label | r [pointer, URL] | +| stdlib.go:116:4:116:8 | implicit dereference | semmle.label | implicit dereference | +| stdlib.go:116:4:116:8 | selection of URL | semmle.label | selection of URL | +| stdlib.go:116:4:116:8 | selection of URL [pointer] | semmle.label | selection of URL [pointer] | +| stdlib.go:117:24:117:24 | implicit dereference [URL] | semmle.label | implicit dereference [URL] | +| stdlib.go:117:24:117:24 | r [pointer, URL] | semmle.label | r [pointer, URL] | +| stdlib.go:117:24:117:28 | selection of URL | semmle.label | selection of URL | +| stdlib.go:117:24:117:37 | call to String | semmle.label | call to String | +| stdlib.go:150:13:150:18 | selection of Form | semmle.label | selection of Form | +| stdlib.go:150:13:150:32 | call to Get | semmle.label | call to Get | +| stdlib.go:156:23:156:28 | target | semmle.label | target | +| stdlib.go:163:10:163:15 | star expression | semmle.label | star expression | +| stdlib.go:163:11:163:15 | selection of URL | semmle.label | selection of URL | +| stdlib.go:166:24:166:26 | url | semmle.label | url | +| stdlib.go:166:24:166:35 | call to String | semmle.label | call to String | +| stdlib.go:177:24:177:52 | ...+... | semmle.label | ...+... | +| stdlib.go:177:35:177:39 | selection of URL | semmle.label | selection of URL | +| stdlib.go:177:35:177:52 | call to RequestURI | semmle.label | call to RequestURI | +| stdlib.go:186:13:186:33 | call to FormValue | semmle.label | call to FormValue | +| stdlib.go:188:23:188:28 | target | semmle.label | target | +| stdlib.go:194:3:194:8 | definition of target | semmle.label | definition of target | +| stdlib.go:194:3:194:57 | ... := ...[0] | semmle.label | ... := ...[0] | +| stdlib.go:194:36:194:56 | call to FormValue | semmle.label | call to FormValue | +| stdlib.go:196:23:196:28 | implicit dereference | semmle.label | implicit dereference | +| stdlib.go:196:23:196:28 | target | semmle.label | target | +| stdlib.go:196:23:196:33 | selection of Path | semmle.label | selection of Path | +| stdlib.go:198:23:198:28 | target | semmle.label | target | +| stdlib.go:198:23:198:42 | call to EscapedPath | semmle.label | call to EscapedPath | subpaths diff --git a/go/ql/test/query-tests/Security/CWE-601/OpenUrlRedirect/stdlib.go b/go/ql/test/query-tests/Security/CWE-601/OpenUrlRedirect/stdlib.go index 0ccacd7d87e7..f6cd1e5576f2 100644 --- a/go/ql/test/query-tests/Security/CWE-601/OpenUrlRedirect/stdlib.go +++ b/go/ql/test/query-tests/Security/CWE-601/OpenUrlRedirect/stdlib.go @@ -28,13 +28,17 @@ func serveStdlib() { http.HandleFunc("/ex2", func(w http.ResponseWriter, r *http.Request) { r.ParseForm() + // Taking gratuitous copies of target so that sanitizing the use in + // the first request doesn't also sanitize other uses target := r.Form.Get("target") + target2 := target + target3 := target // GOOD: local redirects are unproblematic w.Header().Set("Location", "/local"+target) // BAD: this could be a non-local redirect - w.Header().Set("Location", "/"+target) + w.Header().Set("Location", "/"+target2) // GOOD: localhost redirects are unproblematic - w.Header().Set("Location", "//localhost/"+target) + w.Header().Set("Location", "//localhost/"+target3) w.WriteHeader(302) }) diff --git a/go/ql/test/query-tests/Security/CWE-918/RequestForgery.expected b/go/ql/test/query-tests/Security/CWE-918/RequestForgery.expected index 76097b7a5c0b..f67991cc2211 100644 --- a/go/ql/test/query-tests/Security/CWE-918/RequestForgery.expected +++ b/go/ql/test/query-tests/Security/CWE-918/RequestForgery.expected @@ -1,12 +1,12 @@ #select | RequestForgery.go:11:15:11:66 | call to Get | RequestForgery.go:8:12:8:34 | call to FormValue | RequestForgery.go:11:24:11:65 | ...+... | The $@ of this request depends on a $@. | RequestForgery.go:11:24:11:65 | ...+... | URL | RequestForgery.go:8:12:8:34 | call to FormValue | user-provided value | -| tst.go:14:2:14:18 | call to Get | tst.go:10:13:10:35 | call to FormValue | tst.go:14:11:14:17 | tainted | The $@ of this request depends on a $@. | tst.go:14:11:14:17 | tainted | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value | -| tst.go:18:2:18:38 | call to Post | tst.go:10:13:10:35 | call to FormValue | tst.go:18:12:18:18 | tainted | The $@ of this request depends on a $@. | tst.go:18:12:18:18 | tainted | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value | -| tst.go:22:2:22:14 | call to Do | tst.go:10:13:10:35 | call to FormValue | tst.go:21:34:21:40 | tainted | The $@ of this request depends on a $@. | tst.go:21:34:21:40 | tainted | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value | -| tst.go:25:2:25:14 | call to Do | tst.go:10:13:10:35 | call to FormValue | tst.go:24:66:24:72 | tainted | The $@ of this request depends on a $@. | tst.go:24:66:24:72 | tainted | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value | -| tst.go:27:2:27:30 | call to Get | tst.go:10:13:10:35 | call to FormValue | tst.go:27:11:27:29 | ...+... | The $@ of this request depends on a $@. | tst.go:27:11:27:29 | ...+... | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value | -| tst.go:29:2:29:41 | call to Get | tst.go:10:13:10:35 | call to FormValue | tst.go:29:11:29:40 | ...+... | The $@ of this request depends on a $@. | tst.go:29:11:29:40 | ...+... | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value | -| tst.go:37:2:37:21 | call to Get | tst.go:10:13:10:35 | call to FormValue | tst.go:37:11:37:20 | call to String | The $@ of this request depends on a $@. | tst.go:37:11:37:20 | call to String | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value | +| tst.go:18:2:18:18 | call to Get | tst.go:10:13:10:35 | call to FormValue | tst.go:18:11:18:17 | tainted | The $@ of this request depends on a $@. | tst.go:18:11:18:17 | tainted | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value | +| tst.go:22:2:22:38 | call to Post | tst.go:10:13:10:35 | call to FormValue | tst.go:22:12:22:18 | tainted | The $@ of this request depends on a $@. | tst.go:22:12:22:18 | tainted | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value | +| tst.go:26:2:26:14 | call to Do | tst.go:10:13:10:35 | call to FormValue | tst.go:25:34:25:40 | tainted | The $@ of this request depends on a $@. | tst.go:25:34:25:40 | tainted | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value | +| tst.go:29:2:29:14 | call to Do | tst.go:10:13:10:35 | call to FormValue | tst.go:28:66:28:72 | tainted | The $@ of this request depends on a $@. | tst.go:28:66:28:72 | tainted | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value | +| tst.go:31:2:31:30 | call to Get | tst.go:10:13:10:35 | call to FormValue | tst.go:31:11:31:29 | ...+... | The $@ of this request depends on a $@. | tst.go:31:11:31:29 | ...+... | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value | +| tst.go:33:2:33:41 | call to Get | tst.go:10:13:10:35 | call to FormValue | tst.go:33:11:33:40 | ...+... | The $@ of this request depends on a $@. | tst.go:33:11:33:40 | ...+... | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value | +| tst.go:41:2:41:21 | call to Get | tst.go:10:13:10:35 | call to FormValue | tst.go:41:11:41:20 | call to String | The $@ of this request depends on a $@. | tst.go:41:11:41:20 | call to String | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value | | websocket.go:65:12:65:53 | call to Dial | websocket.go:60:21:60:31 | call to Referer | websocket.go:65:27:65:40 | untrustedInput | The $@ of this request depends on a $@. | websocket.go:65:27:65:40 | untrustedInput | WebSocket URL | websocket.go:60:21:60:31 | call to Referer | user-provided value | | websocket.go:79:13:79:40 | call to DialConfig | websocket.go:74:21:74:31 | call to Referer | websocket.go:78:36:78:49 | untrustedInput | The $@ of this request depends on a $@. | websocket.go:78:36:78:49 | untrustedInput | WebSocket URL | websocket.go:74:21:74:31 | call to Referer | user-provided value | | websocket.go:91:3:91:50 | call to Dial | websocket.go:88:21:88:31 | call to Referer | websocket.go:91:31:91:44 | untrustedInput | The $@ of this request depends on a $@. | websocket.go:91:31:91:44 | untrustedInput | WebSocket URL | websocket.go:88:21:88:31 | call to Referer | user-provided value | @@ -18,23 +18,22 @@ | websocket.go:204:3:204:25 | call to New | websocket.go:202:21:202:31 | call to Referer | websocket.go:204:11:204:24 | untrustedInput | The $@ of this request depends on a $@. | websocket.go:204:11:204:24 | untrustedInput | WebSocket URL | websocket.go:202:21:202:31 | call to Referer | user-provided value | edges | RequestForgery.go:8:12:8:34 | call to FormValue | RequestForgery.go:11:24:11:65 | ...+... | provenance | Src:MaD:1 | -| tst.go:10:13:10:35 | call to FormValue | tst.go:14:11:14:17 | tainted | provenance | Src:MaD:1 | -| tst.go:10:13:10:35 | call to FormValue | tst.go:18:12:18:18 | tainted | provenance | Src:MaD:1 | -| tst.go:10:13:10:35 | call to FormValue | tst.go:21:34:21:40 | tainted | provenance | Src:MaD:1 | -| tst.go:10:13:10:35 | call to FormValue | tst.go:24:66:24:72 | tainted | provenance | Src:MaD:1 | -| tst.go:10:13:10:35 | call to FormValue | tst.go:27:11:27:29 | ...+... | provenance | Src:MaD:1 | -| tst.go:10:13:10:35 | call to FormValue | tst.go:29:11:29:40 | ...+... | provenance | Src:MaD:1 | -| tst.go:10:13:10:35 | call to FormValue | tst.go:36:11:36:17 | tainted | provenance | Src:MaD:1 | -| tst.go:35:2:35:2 | definition of u [pointer] | tst.go:36:2:36:2 | u [pointer] | provenance | | -| tst.go:36:2:36:2 | implicit dereference | tst.go:35:2:35:2 | definition of u [pointer] | provenance | | -| tst.go:36:2:36:2 | implicit dereference | tst.go:36:2:36:2 | u | provenance | | -| tst.go:36:2:36:2 | implicit dereference | tst.go:37:11:37:11 | u | provenance | | -| tst.go:36:2:36:2 | u | tst.go:36:2:36:2 | implicit dereference | provenance | | -| tst.go:36:2:36:2 | u | tst.go:37:11:37:11 | u | provenance | | -| tst.go:36:2:36:2 | u [pointer] | tst.go:36:2:36:2 | implicit dereference | provenance | | -| tst.go:36:11:36:17 | tainted | tst.go:36:2:36:2 | u | provenance | Config | -| tst.go:36:11:36:17 | tainted | tst.go:37:11:37:11 | u | provenance | Config | -| tst.go:37:11:37:11 | u | tst.go:37:11:37:20 | call to String | provenance | MaD:3 | +| tst.go:10:13:10:35 | call to FormValue | tst.go:18:11:18:17 | tainted | provenance | Src:MaD:1 | +| tst.go:10:13:10:35 | call to FormValue | tst.go:22:12:22:18 | tainted | provenance | Src:MaD:1 | +| tst.go:10:13:10:35 | call to FormValue | tst.go:25:34:25:40 | tainted | provenance | Src:MaD:1 | +| tst.go:10:13:10:35 | call to FormValue | tst.go:28:66:28:72 | tainted | provenance | Src:MaD:1 | +| tst.go:10:13:10:35 | call to FormValue | tst.go:31:11:31:29 | ...+... | provenance | Src:MaD:1 | +| tst.go:10:13:10:35 | call to FormValue | tst.go:33:11:33:40 | ...+... | provenance | Src:MaD:1 | +| tst.go:10:13:10:35 | call to FormValue | tst.go:40:11:40:18 | tainted2 | provenance | Src:MaD:1 | +| tst.go:39:2:39:2 | definition of u [pointer] | tst.go:40:2:40:2 | u [pointer] | provenance | | +| tst.go:40:2:40:2 | implicit dereference | tst.go:39:2:39:2 | definition of u [pointer] | provenance | | +| tst.go:40:2:40:2 | implicit dereference | tst.go:40:2:40:2 | u | provenance | | +| tst.go:40:2:40:2 | u | tst.go:40:2:40:2 | implicit dereference | provenance | | +| tst.go:40:2:40:2 | u | tst.go:41:11:41:11 | u | provenance | | +| tst.go:40:2:40:2 | u [pointer] | tst.go:40:2:40:2 | implicit dereference | provenance | | +| tst.go:40:11:40:18 | tainted2 | tst.go:40:2:40:2 | u | provenance | Config | +| tst.go:40:11:40:18 | tainted2 | tst.go:41:11:41:11 | u | provenance | Config | +| tst.go:41:11:41:11 | u | tst.go:41:11:41:20 | call to String | provenance | MaD:3 | | websocket.go:60:21:60:31 | call to Referer | websocket.go:65:27:65:40 | untrustedInput | provenance | Src:MaD:2 | | websocket.go:74:21:74:31 | call to Referer | websocket.go:78:36:78:49 | untrustedInput | provenance | Src:MaD:2 | | websocket.go:88:21:88:31 | call to Referer | websocket.go:91:31:91:44 | untrustedInput | provenance | Src:MaD:2 | @@ -52,19 +51,19 @@ nodes | RequestForgery.go:8:12:8:34 | call to FormValue | semmle.label | call to FormValue | | RequestForgery.go:11:24:11:65 | ...+... | semmle.label | ...+... | | tst.go:10:13:10:35 | call to FormValue | semmle.label | call to FormValue | -| tst.go:14:11:14:17 | tainted | semmle.label | tainted | -| tst.go:18:12:18:18 | tainted | semmle.label | tainted | -| tst.go:21:34:21:40 | tainted | semmle.label | tainted | -| tst.go:24:66:24:72 | tainted | semmle.label | tainted | -| tst.go:27:11:27:29 | ...+... | semmle.label | ...+... | -| tst.go:29:11:29:40 | ...+... | semmle.label | ...+... | -| tst.go:35:2:35:2 | definition of u [pointer] | semmle.label | definition of u [pointer] | -| tst.go:36:2:36:2 | implicit dereference | semmle.label | implicit dereference | -| tst.go:36:2:36:2 | u | semmle.label | u | -| tst.go:36:2:36:2 | u [pointer] | semmle.label | u [pointer] | -| tst.go:36:11:36:17 | tainted | semmle.label | tainted | -| tst.go:37:11:37:11 | u | semmle.label | u | -| tst.go:37:11:37:20 | call to String | semmle.label | call to String | +| tst.go:18:11:18:17 | tainted | semmle.label | tainted | +| tst.go:22:12:22:18 | tainted | semmle.label | tainted | +| tst.go:25:34:25:40 | tainted | semmle.label | tainted | +| tst.go:28:66:28:72 | tainted | semmle.label | tainted | +| tst.go:31:11:31:29 | ...+... | semmle.label | ...+... | +| tst.go:33:11:33:40 | ...+... | semmle.label | ...+... | +| tst.go:39:2:39:2 | definition of u [pointer] | semmle.label | definition of u [pointer] | +| tst.go:40:2:40:2 | implicit dereference | semmle.label | implicit dereference | +| tst.go:40:2:40:2 | u | semmle.label | u | +| tst.go:40:2:40:2 | u [pointer] | semmle.label | u [pointer] | +| tst.go:40:11:40:18 | tainted2 | semmle.label | tainted2 | +| tst.go:41:11:41:11 | u | semmle.label | u | +| tst.go:41:11:41:20 | call to String | semmle.label | call to String | | websocket.go:60:21:60:31 | call to Referer | semmle.label | call to Referer | | websocket.go:65:27:65:40 | untrustedInput | semmle.label | untrustedInput | | websocket.go:74:21:74:31 | call to Referer | semmle.label | call to Referer | diff --git a/go/ql/test/query-tests/Security/CWE-918/tst.go b/go/ql/test/query-tests/Security/CWE-918/tst.go index 0e04429580c8..8c60b4a66f45 100644 --- a/go/ql/test/query-tests/Security/CWE-918/tst.go +++ b/go/ql/test/query-tests/Security/CWE-918/tst.go @@ -8,6 +8,10 @@ import ( func handler2(w http.ResponseWriter, req *http.Request) { tainted := req.FormValue("target") + // Gratuitous copy due to use-use flow propagating sanitization when + // used as a suffix in the last two OK cases forwards onto the final + // Not OK case. + tainted2 := tainted http.Get("example.com") // OK @@ -33,7 +37,7 @@ func handler2(w http.ResponseWriter, req *http.Request) { http.Get("http://example.com/?" + tainted) // OK u, _ := url.Parse("http://example.com/relative-path") - u.Host = tainted + u.Host = tainted2 http.Get(u.String()) // Not OK }