From 8d844e8f9059816ab386ce1ae234d56edceb43b4 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Fri, 10 Nov 2023 14:48:04 +0000 Subject: [PATCH 01/24] Switch to use-use dataflow. This will make post-update nodes easy to implement. Queries / tests that required changes: * The CleartextLogging and MissingErrorCheck queries are updated because they assumed def-use flow * The CommandInjection query works around the shortcomings of use-use flow by essentially reintroducing def-use flow when it applies a sanitizer * The OpenUrlRedirect query currently just accepts its fate; the tests are updated to avoid excess sanitization while the query comments on the problem. We should choose this approach or the CommandInjection one. --- go/ql/lib/semmle/go/dataflow/SSA.qll | 4 + go/ql/lib/semmle/go/dataflow/SsaImpl.qll | 141 ++++++ .../go/dataflow/internal/DataFlowPrivate.qll | 22 +- .../CleartextLoggingCustomizations.qll | 4 +- .../semmle/go/security/CommandInjection.qll | 22 + .../src/InconsistentCode/MissingErrorCheck.ql | 12 +- .../dataflow/FlowSteps/LocalFlowStep.expected | 87 ++-- .../go/frameworks/Echo/OpenRedirect.expected | 26 +- .../semmle/go/frameworks/Echo/test.go | 7 +- .../CWE-312/CleartextLogging.expected | 423 +++++++++++++----- .../test/query-tests/Security/CWE-312/main.go | 70 ++- .../query-tests/Security/CWE-312/passwords.go | 6 +- .../OpenUrlRedirect/OpenUrlRedirect.expected | 218 ++++----- .../CWE-601/OpenUrlRedirect/stdlib.go | 8 +- .../Security/CWE-918/RequestForgery.expected | 73 ++- .../test/query-tests/Security/CWE-918/tst.go | 6 +- 16 files changed, 776 insertions(+), 353 deletions(-) diff --git a/go/ql/lib/semmle/go/dataflow/SSA.qll b/go/ql/lib/semmle/go/dataflow/SSA.qll index d13bbe2de63a..5891c0ed800b 100644 --- a/go/ql/lib/semmle/go/dataflow/SSA.qll +++ b/go/ql/lib/semmle/go/dataflow/SSA.qll @@ -197,6 +197,8 @@ class SsaExplicitDefinition extends SsaDefinition, TExplicitDef { override string prettyPrintDef() { result = "definition of " + this.getSourceVariable() } override Location getLocation() { result = this.getInstruction().getLocation() } + + IR::Instruction getAFirstUse() { firstUse(this, result) } } /** Provides a helper predicate for working with explicit SSA definitions. */ @@ -410,3 +412,5 @@ DataFlow::Node getASimilarReadNode(DataFlow::Node node) { result = readFields.similar().getAUse() ) } + +IR::Instruction getAnAdjacentUse(IR::Instruction pred) { adjacentUseUse(pred, result) } diff --git a/go/ql/lib/semmle/go/dataflow/SsaImpl.qll b/go/ql/lib/semmle/go/dataflow/SsaImpl.qll index 0db37ac03ce3..7380aaf60ebf 100644 --- a/go/ql/lib/semmle/go/dataflow/SsaImpl.qll +++ b/go/ql/lib/semmle/go/dataflow/SsaImpl.qll @@ -199,6 +199,8 @@ private module Internal { /** * Holds if the `i`th node of `bb` is a use or an SSA definition of variable `v`, with * `k` indicating whether it is the former or the latter. + * + * Note this includes phi nodes, whereas `ref` above only includes explicit writes and captures. */ private predicate ssaRef(ReachableBasicBlock bb, int i, SsaSourceVariable v, RefKind k) { useAt(bb, i, v) and k = ReadRef() @@ -290,6 +292,145 @@ private module Internal { or rewindReads(bb, i, v) = 1 and result = getDefReachingEndOf(bb.getImmediateDominator(), v) } + + private module AdjacentUsesImpl { + /** Holds if `v` is defined or used in `b`. */ + private predicate varOccursInBlock(SsaSourceVariable v, ReachableBasicBlock b) { + ssaRef(b, _, v, _) + } + + /** Holds if `v` occurs in `b` or one of `b`'s transitive successors. */ + private predicate blockPrecedesVar(SsaSourceVariable v, ReachableBasicBlock b) { + varOccursInBlock(v, b) + or + exists(getDefReachingEndOf(b, v)) + } + + /** + * Holds if `b2` is a transitive successor of `b1` and `v` occurs in `b1` and + * in `b2` or one of its transitive successors but not in any block on the path + * between `b1` and `b2`. + */ + private predicate varBlockReaches( + SsaSourceVariable v, ReachableBasicBlock b1, ReachableBasicBlock b2 + ) { + varOccursInBlock(v, b1) and + b2 = b1.getASuccessor() and + blockPrecedesVar(v, b2) + or + exists(ReachableBasicBlock mid | + varBlockReaches(v, b1, mid) and + b2 = mid.getASuccessor() and + not varOccursInBlock(v, mid) and + blockPrecedesVar(v, b2) + ) + } + + /** + * Holds if `b2` is a transitive successor of `b1` and `v` occurs in `b1` and + * `b2` but not in any block on the path between `b1` and `b2`. + */ + private predicate varBlockStep( + SsaSourceVariable v, ReachableBasicBlock b1, ReachableBasicBlock b2 + ) { + varBlockReaches(v, b1, b2) and + varOccursInBlock(v, b2) + } + + /** + * Gets the maximum rank among all SSA references to `v` in basic block `bb`. + */ + private int maxSsaRefRank(ReachableBasicBlock bb, SsaSourceVariable v) { + result = max(ssaRefRank(bb, _, v, _)) + } + + /** + * Holds if `v` occurs at index `i1` in `b1` and at index `i2` in `b2` and + * there is a path between them without any occurrence of `v`. + */ + pragma[nomagic] + predicate adjacentVarRefs( + SsaSourceVariable v, ReachableBasicBlock b1, int i1, ReachableBasicBlock b2, int i2 + ) { + exists(int rankix | + b1 = b2 and + ssaRefRank(b1, i1, v, _) = rankix and + ssaRefRank(b2, i2, v, _) = rankix + 1 + ) + or + maxSsaRefRank(b1, v) = ssaRefRank(b1, i1, v, _) and + varBlockStep(v, b1, b2) and + ssaRefRank(b2, i2, v, _) = 1 + } + + predicate variableUse(SsaSourceVariable v, IR::Instruction use, ReachableBasicBlock bb, int i) { + bb.getNode(i) = use and + exists(SsaVariable sv | + sv.getSourceVariable() = v and + use = sv.getAUse() + ) + } + } + + private import AdjacentUsesImpl + + /** + * Holds if the value defined at `def` can reach `use` without passing through + * any other uses, but possibly through phi nodes. + */ + cached + predicate firstUse(SsaDefinition def, IR::Instruction use) { + exists(SsaSourceVariable v, ReachableBasicBlock b1, int i1, ReachableBasicBlock b2, int i2 | + adjacentVarRefs(v, b1, i1, b2, i2) and + def.definesAt(b1, i1, v) and + variableUse(v, use, b2, i2) + ) + or + exists( + SsaSourceVariable v, SsaPhiNode redef, ReachableBasicBlock b1, int i1, ReachableBasicBlock b2, + int i2 + | + adjacentVarRefs(v, b1, i1, b2, i2) and + def.definesAt(b1, i1, v) and + redef.definesAt(b2, i2, v) and + firstUse(redef, use) + ) + } + + /** + * Holds if `use1` and `use2` form an adjacent use-use-pair of the same SSA + * variable, that is, the value read in `use1` can reach `use2` without passing + * through any other use or any SSA definition of the variable. + */ + cached + predicate adjacentUseUseSameVar(IR::Instruction use1, IR::Instruction use2) { + exists(SsaSourceVariable v, ReachableBasicBlock b1, int i1, ReachableBasicBlock b2, int i2 | + adjacentVarRefs(v, b1, i1, b2, i2) and + variableUse(v, use1, b1, i1) and + variableUse(v, use2, b2, i2) + ) + } + + /** + * Holds if `use1` and `use2` form an adjacent use-use-pair of the same + * `SsaSourceVariable`, that is, the value read in `use1` can reach `use2` + * without passing through any other use or any SSA definition of the variable + * except for phi nodes and uncertain implicit updates. + */ + cached + predicate adjacentUseUse(IR::Instruction use1, IR::Instruction use2) { + adjacentUseUseSameVar(use1, use2) + or + exists( + SsaSourceVariable v, SsaPhiNode def, ReachableBasicBlock b1, int i1, ReachableBasicBlock b2, + int i2 + | + adjacentVarRefs(v, b1, i1, b2, i2) and + variableUse(v, use1, b1, i1) and + def.definesAt(b2, i2, v) and + firstUse(def, use2) + ) + } } import Internal diff --git a/go/ql/lib/semmle/go/dataflow/internal/DataFlowPrivate.qll b/go/ql/lib/semmle/go/dataflow/internal/DataFlowPrivate.qll index 2d05b211a57e..15f8a8462a15 100644 --- a/go/ql/lib/semmle/go/dataflow/internal/DataFlowPrivate.qll +++ b/go/ql/lib/semmle/go/dataflow/internal/DataFlowPrivate.qll @@ -65,26 +65,36 @@ predicate basicLocalFlowStep(Node nodeFrom, Node nodeTo) { else nodeTo.asInstruction() = evalAssert ) or - // Instruction -> SSA + // Instruction -> SSA defn exists(IR::Instruction pred, SsaExplicitDefinition succ | succ.getRhs() = pred and nodeFrom = instructionNode(pred) and nodeTo = ssaNode(succ) ) or - // SSA -> SSA - exists(SsaDefinition pred, SsaPseudoDefinition succ | succ.getAnInput() = pred | + // SSA defn -> SSA capture + exists(SsaExplicitDefinition pred, SsaVariableCapture succ | + // Check: should these flow from PHIs as well? Perhaps they should be included + // in the use-use graph? + succ.(SsaVariableCapture).getSourceVariable() = pred.(SsaExplicitDefinition).getSourceVariable() + | nodeFrom = ssaNode(pred) and nodeTo = ssaNode(succ) ) or - // SSA -> Instruction - exists(SsaDefinition pred, IR::Instruction succ | - succ = pred.getVariable().getAUse() and + // SSA defn -> first SSA use + exists(SsaExplicitDefinition pred, IR::Instruction succ | succ = pred.getAFirstUse() | nodeFrom = ssaNode(pred) and nodeTo = instructionNode(succ) ) or + // SSA use -> successive SSA use + // Note this case includes Phi node traversal + exists(IR::Instruction pred, IR::Instruction succ | succ = getAnAdjacentUse(pred) | + nodeFrom = instructionNode(pred) and + nodeTo = instructionNode(succ) + ) + or // GlobalFunctionNode -> use nodeFrom = any(GlobalFunctionNode fn | fn.getFunction() = nodeTo.asExpr().(FunctionName).getTarget()) diff --git a/go/ql/lib/semmle/go/security/CleartextLoggingCustomizations.qll b/go/ql/lib/semmle/go/security/CleartextLoggingCustomizations.qll index 17a7345b23e7..ce0d2080699d 100644 --- a/go/ql/lib/semmle/go/security/CleartextLoggingCustomizations.qll +++ b/go/ql/lib/semmle/go/security/CleartextLoggingCustomizations.qll @@ -55,6 +55,8 @@ module CleartextLogging { | this.asExpr().(Ident).getName() = name or + this.(DataFlow::SsaNode).getSourceVariable().getName() = name + or this.(DataFlow::FieldReadNode).getFieldName() = name or this.(DataFlow::CallNode).getCalleeName() = name @@ -143,7 +145,7 @@ module CleartextLogging { not this instanceof NonCleartextPassword and name.regexpMatch(maybePassword()) and ( - this.asExpr().(Ident).getName() = name + this.(DataFlow::SsaNode).getSourceVariable().getName() = name or exists(DataFlow::FieldReadNode fn | fn = this and diff --git a/go/ql/lib/semmle/go/security/CommandInjection.qll b/go/ql/lib/semmle/go/security/CommandInjection.qll index 7dc6f3991fc1..c6956d86e965 100644 --- a/go/ql/lib/semmle/go/security/CommandInjection.qll +++ b/go/ql/lib/semmle/go/security/CommandInjection.qll @@ -80,6 +80,28 @@ module CommandInjection { node instanceof Sanitizer or node = any(ArgumentArrayWithDoubleDash array).getASanitizedElement() } + + // Hack: with use-use flow, we might have x (use at line 1) -> x (use at line 2), + // x (use at line 1) -> array at line 1 and x (use at line 2) -> array at line 2, + // in the context + // + // array1 := {"--", x} + // array2 := {x, "--"} + // + // We want to taint array2 but not array1, which suggests excluding the edge x (use 1) -> array1 + // However isSanitizer only allows us to remove nodes (isSanitizerIn/Out permit removing all outgoing + // or incoming edges); we can't remove an individual edge, so instead we supply extra edges connecting + // the definition with the next use. + predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) { + exists( + ArgumentArrayWithDoubleDash array, DataFlow::InstructionNode sanitized, + DataFlow::SsaNode defn + | + sanitized = array.getASanitizedElement() and sanitized = defn.getAUse() + | + pred = defn and succ = sanitized.getASuccessor() + ) + } } /** diff --git a/go/ql/src/InconsistentCode/MissingErrorCheck.ql b/go/ql/src/InconsistentCode/MissingErrorCheck.ql index d20215172674..fcd4d86ea8ce 100644 --- a/go/ql/src/InconsistentCode/MissingErrorCheck.ql +++ b/go/ql/src/InconsistentCode/MissingErrorCheck.ql @@ -72,6 +72,16 @@ predicate checksValue(IR::Instruction instruction, DataFlow::SsaNode value) { ) } +// Now that we have use-use flow, phi nodes aren't directly involved in the flow graph. TODO: change this? +DataFlow::SsaNode phiDefinedFrom(DataFlow::SsaNode node) { + result.getDefinition().(SsaPseudoDefinition).getAnInput() = node.getDefinition().getVariable() +} + +DataFlow::SsaNode definedFrom(DataFlow::SsaNode node) { + DataFlow::localFlow(node, result) or + result = phiDefinedFrom*(node) +} + /** * Matches if `call` is a function returning (`ptr`, `err`) where `ptr` may be nil, and neither * `ptr` not `err` has been checked for validity as of `node`. @@ -98,7 +108,7 @@ predicate returnUncheckedAtNode( // localFlow is used to permit checks via either an SSA phi node or ordinary assignment. returnUncheckedAtNode(call, node.getAPredecessor(), ptr, err) and not exists(DataFlow::SsaNode checked | - DataFlow::localFlow(ptr, checked) or DataFlow::localFlow(err, checked) + checked = definedFrom(ptr) or checked = definedFrom(err) | checksValue(node, checked) ) diff --git a/go/ql/test/library-tests/semmle/go/dataflow/FlowSteps/LocalFlowStep.expected b/go/ql/test/library-tests/semmle/go/dataflow/FlowSteps/LocalFlowStep.expected index c6bfdfdc1d5a..b48b6fec1a77 100644 --- a/go/ql/test/library-tests/semmle/go/dataflow/FlowSteps/LocalFlowStep.expected +++ b/go/ql/test/library-tests/semmle/go/dataflow/FlowSteps/LocalFlowStep.expected @@ -49,27 +49,28 @@ | main.go:3:6:3:10 | function test1 | main.go:34:2:34:6 | test1 | | main.go:3:12:3:12 | argument corresponding to x | main.go:3:12:3:12 | definition of x | | main.go:3:12:3:12 | definition of x | main.go:5:5:5:5 | x | -| main.go:3:12:3:12 | definition of x | main.go:6:7:6:7 | x | -| main.go:3:12:3:12 | definition of x | main.go:8:8:8:8 | x | -| main.go:3:12:3:12 | definition of x | main.go:10:7:10:7 | x | -| main.go:3:12:3:12 | definition of x | main.go:10:22:10:22 | x | | main.go:3:19:3:20 | argument corresponding to fn | main.go:3:19:3:20 | definition of fn | | main.go:3:19:3:20 | definition of fn | main.go:10:24:10:25 | fn | -| main.go:6:3:6:3 | definition of y | main.go:10:2:10:2 | y = phi(def@6:3, def@8:3) | +| main.go:5:5:5:5 | x | main.go:6:7:6:7 | x | +| main.go:5:5:5:5 | x | main.go:8:8:8:8 | x | +| main.go:6:3:6:3 | definition of y | main.go:10:12:10:12 | y | | main.go:6:7:6:7 | x | main.go:6:3:6:3 | definition of y | -| main.go:8:3:8:3 | definition of y | main.go:10:2:10:2 | y = phi(def@6:3, def@8:3) | +| main.go:6:7:6:7 | x | main.go:10:7:10:7 | x | +| main.go:8:3:8:3 | definition of y | main.go:10:12:10:12 | y | | main.go:8:7:8:8 | -... | main.go:8:3:8:3 | definition of y | +| main.go:8:8:8:8 | x | main.go:10:7:10:7 | x | | main.go:10:2:10:2 | definition of z | main.go:11:14:11:14 | z | -| main.go:10:2:10:2 | y = phi(def@6:3, def@8:3) | main.go:10:12:10:12 | y | -| main.go:10:2:10:2 | y = phi(def@6:3, def@8:3) | main.go:10:17:10:17 | y | +| main.go:10:7:10:7 | x | main.go:10:22:10:22 | x | | main.go:10:7:10:12 | ...<=... | main.go:10:7:10:27 | ...&&... | | main.go:10:7:10:27 | ...&&... | main.go:10:2:10:2 | definition of z | +| main.go:10:12:10:12 | y | main.go:10:17:10:17 | y | | main.go:10:17:10:27 | ...>=... | main.go:10:7:10:27 | ...&&... | | main.go:11:14:11:14 | z | main.go:11:9:11:15 | type conversion | | main.go:14:6:14:10 | function test2 | main.go:34:8:34:12 | test2 | | main.go:14:6:14:10 | function test2 | main.go:34:19:34:23 | test2 | +| main.go:15:2:15:4 | definition of acc | main.go:16:9:19:2 | capture variable acc | | main.go:15:9:15:9 | 0 | main.go:15:2:15:4 | definition of acc | -| main.go:16:9:19:2 | capture variable acc | main.go:17:3:17:5 | acc | +| main.go:17:3:17:7 | definition of acc | main.go:16:9:19:2 | capture variable acc | | main.go:17:3:17:7 | definition of acc | main.go:18:10:18:12 | acc | | main.go:17:3:17:7 | rhs of increment statement | main.go:17:3:17:7 | definition of acc | | main.go:22:12:22:12 | argument corresponding to b | main.go:22:12:22:12 | definition of b | @@ -84,50 +85,50 @@ | main.go:26:5:26:6 | definition of ok | main.go:27:5:27:6 | ok | | main.go:26:11:26:11 | x | main.go:26:2:26:17 | ... := ...[0] | | main.go:38:2:38:2 | definition of s | main.go:39:15:39:15 | s | -| main.go:38:2:38:2 | definition of s | main.go:40:15:40:15 | s | -| main.go:38:2:38:2 | definition of s | main.go:42:7:42:7 | s | | main.go:38:7:38:20 | slice literal | main.go:38:2:38:2 | definition of s | | main.go:39:2:39:3 | definition of s1 | main.go:40:18:40:19 | s1 | | main.go:39:8:39:25 | call to append | main.go:39:2:39:3 | definition of s1 | +| main.go:39:15:39:15 | s | main.go:40:15:40:15 | s | | main.go:40:2:40:3 | definition of s2 | main.go:43:9:43:10 | s2 | | main.go:40:8:40:23 | call to append | main.go:40:2:40:3 | definition of s2 | +| main.go:40:15:40:15 | s | main.go:42:7:42:7 | s | | main.go:41:2:41:3 | definition of s4 | main.go:42:10:42:11 | s4 | | main.go:41:8:41:21 | call to make | main.go:41:2:41:3 | definition of s4 | | main.go:46:13:46:14 | argument corresponding to xs | main.go:46:13:46:14 | definition of xs | | main.go:46:13:46:14 | definition of xs | main.go:47:20:47:21 | xs | -| main.go:46:24:46:27 | definition of keys | main.go:47:20:47:21 | keys = phi(def@46:24, def@49:3) | +| main.go:46:24:46:27 | definition of keys | main.go:46:24:46:27 | implicit read of keys | +| main.go:46:24:46:27 | definition of keys | main.go:49:3:49:6 | keys | | main.go:46:24:46:27 | zero value for keys | main.go:46:24:46:27 | definition of keys | -| main.go:46:34:46:37 | definition of vals | main.go:47:20:47:21 | vals = phi(def@46:34, def@48:3) | +| main.go:46:34:46:37 | definition of vals | main.go:46:34:46:37 | implicit read of vals | +| main.go:46:34:46:37 | definition of vals | main.go:48:3:48:6 | vals | | main.go:46:34:46:37 | zero value for vals | main.go:46:34:46:37 | definition of vals | | main.go:47:2:50:2 | range statement[0] | main.go:47:6:47:6 | definition of k | | main.go:47:2:50:2 | range statement[1] | main.go:47:9:47:9 | definition of v | | main.go:47:6:47:6 | definition of k | main.go:49:11:49:11 | k | | main.go:47:9:47:9 | definition of v | main.go:48:11:48:11 | v | -| main.go:47:20:47:21 | keys = phi(def@46:24, def@49:3) | main.go:46:24:46:27 | implicit read of keys | -| main.go:47:20:47:21 | keys = phi(def@46:24, def@49:3) | main.go:49:3:49:6 | keys | -| main.go:47:20:47:21 | vals = phi(def@46:34, def@48:3) | main.go:46:34:46:37 | implicit read of vals | -| main.go:47:20:47:21 | vals = phi(def@46:34, def@48:3) | main.go:48:3:48:6 | vals | -| main.go:48:3:48:6 | definition of vals | main.go:47:20:47:21 | vals = phi(def@46:34, def@48:3) | +| main.go:48:3:48:6 | definition of vals | main.go:46:34:46:37 | implicit read of vals | +| main.go:48:3:48:6 | definition of vals | main.go:48:3:48:6 | vals | | main.go:48:3:48:11 | ... += ... | main.go:48:3:48:6 | definition of vals | -| main.go:49:3:49:6 | definition of keys | main.go:47:20:47:21 | keys = phi(def@46:24, def@49:3) | +| main.go:49:3:49:6 | definition of keys | main.go:46:24:46:27 | implicit read of keys | +| main.go:49:3:49:6 | definition of keys | main.go:49:3:49:6 | keys | | main.go:49:3:49:11 | ... += ... | main.go:49:3:49:6 | definition of keys | | main.go:55:6:55:7 | definition of ch | main.go:56:2:56:3 | ch | -| main.go:55:6:55:7 | definition of ch | main.go:57:4:57:5 | ch | | main.go:55:6:55:7 | zero value for ch | main.go:55:6:55:7 | definition of ch | +| main.go:56:2:56:3 | ch | main.go:57:4:57:5 | ch | | main.go:61:2:61:2 | definition of x | main.go:64:11:64:11 | x | -| main.go:61:2:61:2 | definition of x | main.go:65:11:65:11 | x | | main.go:61:7:61:7 | 1 | main.go:61:2:61:2 | definition of x | | main.go:62:2:62:2 | definition of y | main.go:64:14:64:14 | y | -| main.go:62:2:62:2 | definition of y | main.go:65:14:65:14 | y | | main.go:62:7:62:7 | 2 | main.go:62:2:62:2 | definition of y | | main.go:63:2:63:2 | definition of z | main.go:64:17:64:17 | z | -| main.go:63:2:63:2 | definition of z | main.go:65:17:65:17 | z | | main.go:63:7:63:7 | 3 | main.go:63:2:63:2 | definition of z | | main.go:64:2:64:2 | definition of a | main.go:66:9:66:9 | a | | main.go:64:7:64:18 | call to min | main.go:64:2:64:2 | definition of a | | main.go:64:11:64:11 | x | main.go:64:7:64:18 | call to min | +| main.go:64:11:64:11 | x | main.go:65:11:65:11 | x | | main.go:64:14:64:14 | y | main.go:64:7:64:18 | call to min | +| main.go:64:14:64:14 | y | main.go:65:14:65:14 | y | | main.go:64:17:64:17 | z | main.go:64:7:64:18 | call to min | +| main.go:64:17:64:17 | z | main.go:65:17:65:17 | z | | main.go:65:2:65:2 | definition of b | main.go:66:12:66:12 | b | | main.go:65:7:65:18 | call to max | main.go:65:2:65:2 | definition of b | | main.go:65:11:65:11 | x | main.go:65:7:65:18 | call to max | @@ -135,62 +136,60 @@ | main.go:65:17:65:17 | z | main.go:65:7:65:18 | call to max | | strings.go:8:12:8:12 | argument corresponding to s | strings.go:8:12:8:12 | definition of s | | strings.go:8:12:8:12 | definition of s | strings.go:9:24:9:24 | s | -| strings.go:8:12:8:12 | definition of s | strings.go:10:27:10:27 | s | | strings.go:9:2:9:3 | definition of s2 | strings.go:11:20:11:21 | s2 | -| strings.go:9:2:9:3 | definition of s2 | strings.go:11:48:11:49 | s2 | | strings.go:9:8:9:38 | call to Replace | strings.go:9:2:9:3 | definition of s2 | +| strings.go:9:24:9:24 | s | strings.go:10:27:10:27 | s | | strings.go:10:2:10:3 | definition of s3 | strings.go:11:24:11:25 | s3 | -| strings.go:10:2:10:3 | definition of s3 | strings.go:11:67:11:68 | s3 | | strings.go:10:8:10:42 | call to ReplaceAll | strings.go:10:2:10:3 | definition of s3 | +| strings.go:11:20:11:21 | s2 | strings.go:11:48:11:49 | s2 | +| strings.go:11:24:11:25 | s3 | strings.go:11:67:11:68 | s3 | | url.go:8:12:8:12 | argument corresponding to b | url.go:8:12:8:12 | definition of b | | url.go:8:12:8:12 | definition of b | url.go:11:5:11:5 | b | | url.go:8:20:8:20 | argument corresponding to s | url.go:8:20:8:20 | definition of s | | url.go:8:20:8:20 | definition of s | url.go:12:46:12:46 | s | | url.go:8:20:8:20 | definition of s | url.go:14:48:14:48 | s | -| url.go:12:3:12:5 | definition of res | url.go:16:5:16:7 | res = phi(def@12:3, def@14:3) | +| url.go:12:3:12:5 | definition of res | url.go:19:9:19:11 | res | | url.go:12:3:12:48 | ... = ...[0] | url.go:12:3:12:5 | definition of res | | url.go:12:3:12:48 | ... = ...[1] | url.go:12:8:12:10 | definition of err | -| url.go:12:8:12:10 | definition of err | url.go:16:5:16:7 | err = phi(def@12:8, def@14:8) | -| url.go:14:3:14:5 | definition of res | url.go:16:5:16:7 | res = phi(def@12:3, def@14:3) | +| url.go:12:8:12:10 | definition of err | url.go:16:5:16:7 | err | +| url.go:14:3:14:5 | definition of res | url.go:19:9:19:11 | res | | url.go:14:3:14:50 | ... = ...[0] | url.go:14:3:14:5 | definition of res | | url.go:14:3:14:50 | ... = ...[1] | url.go:14:8:14:10 | definition of err | -| url.go:14:8:14:10 | definition of err | url.go:16:5:16:7 | err = phi(def@12:8, def@14:8) | -| url.go:16:5:16:7 | err = phi(def@12:8, def@14:8) | url.go:16:5:16:7 | err | -| url.go:16:5:16:7 | res = phi(def@12:3, def@14:3) | url.go:19:9:19:11 | res | +| url.go:14:8:14:10 | definition of err | url.go:16:5:16:7 | err | | url.go:22:12:22:12 | argument corresponding to i | url.go:22:12:22:12 | definition of i | | url.go:22:12:22:12 | definition of i | url.go:24:5:24:5 | i | | url.go:22:19:22:19 | argument corresponding to s | url.go:22:19:22:19 | definition of s | | url.go:22:19:22:19 | definition of s | url.go:23:20:23:20 | s | -| url.go:22:19:22:19 | definition of s | url.go:27:29:27:29 | s | | url.go:23:2:23:2 | definition of u | url.go:25:10:25:10 | u | | url.go:23:2:23:21 | ... := ...[0] | url.go:23:2:23:2 | definition of u | +| url.go:23:20:23:20 | s | url.go:27:29:27:29 | s | | url.go:27:2:27:2 | definition of u | url.go:28:14:28:14 | u | -| url.go:27:2:27:2 | definition of u | url.go:29:14:29:14 | u | -| url.go:27:2:27:2 | definition of u | url.go:30:11:30:11 | u | -| url.go:27:2:27:2 | definition of u | url.go:32:9:32:9 | u | | url.go:27:2:27:30 | ... = ...[0] | url.go:27:2:27:2 | definition of u | +| url.go:28:14:28:14 | u | url.go:29:14:29:14 | u | +| url.go:29:14:29:14 | u | url.go:30:11:30:11 | u | | url.go:30:2:30:3 | definition of bs | url.go:31:14:31:15 | bs | | url.go:30:2:30:27 | ... := ...[0] | url.go:30:2:30:3 | definition of bs | +| url.go:30:11:30:11 | u | url.go:32:9:32:9 | u | | url.go:32:2:32:2 | definition of u | url.go:33:14:33:14 | u | -| url.go:32:2:32:2 | definition of u | url.go:34:14:34:14 | u | -| url.go:32:2:32:2 | definition of u | url.go:35:14:35:14 | u | -| url.go:32:2:32:2 | definition of u | url.go:36:6:36:6 | u | -| url.go:32:2:32:2 | definition of u | url.go:36:25:36:25 | u | | url.go:32:2:32:23 | ... = ...[0] | url.go:32:2:32:2 | definition of u | +| url.go:33:14:33:14 | u | url.go:34:14:34:14 | u | +| url.go:34:14:34:14 | u | url.go:35:14:35:14 | u | +| url.go:35:14:35:14 | u | url.go:36:6:36:6 | u | | url.go:36:2:36:2 | definition of u | url.go:37:9:37:9 | u | +| url.go:36:6:36:6 | u | url.go:36:25:36:25 | u | | url.go:36:6:36:26 | call to ResolveReference | url.go:36:2:36:2 | definition of u | | url.go:42:2:42:3 | definition of ui | url.go:43:11:43:12 | ui | -| url.go:42:2:42:3 | definition of ui | url.go:45:14:45:15 | ui | -| url.go:42:2:42:3 | definition of ui | url.go:46:9:46:10 | ui | | url.go:42:7:42:38 | call to UserPassword | url.go:42:2:42:3 | definition of ui | | url.go:43:2:43:3 | definition of pw | url.go:44:14:44:15 | pw | | url.go:43:2:43:23 | ... := ...[0] | url.go:43:2:43:3 | definition of pw | +| url.go:43:11:43:12 | ui | url.go:45:14:45:15 | ui | +| url.go:45:14:45:15 | ui | url.go:46:9:46:10 | ui | | url.go:49:12:49:12 | argument corresponding to q | url.go:49:12:49:12 | definition of q | | url.go:49:12:49:12 | definition of q | url.go:50:25:50:25 | q | | url.go:50:2:50:2 | definition of v | url.go:51:14:51:14 | v | -| url.go:50:2:50:2 | definition of v | url.go:52:14:52:14 | v | -| url.go:50:2:50:2 | definition of v | url.go:53:9:53:9 | v | | url.go:50:2:50:26 | ... := ...[0] | url.go:50:2:50:2 | definition of v | +| url.go:51:14:51:14 | v | url.go:52:14:52:14 | v | +| url.go:52:14:52:14 | v | url.go:53:9:53:9 | v | | url.go:56:12:56:12 | argument corresponding to q | url.go:56:12:56:12 | definition of q | | url.go:56:12:56:12 | definition of q | url.go:57:29:57:29 | q | | url.go:57:2:57:8 | definition of joined1 | url.go:58:38:58:44 | joined1 | diff --git a/go/ql/test/library-tests/semmle/go/frameworks/Echo/OpenRedirect.expected b/go/ql/test/library-tests/semmle/go/frameworks/Echo/OpenRedirect.expected index 4b38e6e8c479..bebd53c1ac55 100644 --- a/go/ql/test/library-tests/semmle/go/frameworks/Echo/OpenRedirect.expected +++ b/go/ql/test/library-tests/semmle/go/frameworks/Echo/OpenRedirect.expected @@ -1,14 +1,14 @@ #select | test.go:173:20:173:24 | param | test.go:172:11:172:32 | call to Param | test.go:173:20:173:24 | param | This path to an untrusted URL redirection depends on a $@. | test.go:172:11:172:32 | call to Param | user-provided value | -| test.go:182:20:182:28 | ...+... | test.go:178:11:178:32 | call to Param | test.go:182:20:182:28 | ...+... | This path to an untrusted URL redirection depends on a $@. | test.go:178:11:178:32 | call to Param | user-provided value | +| test.go:185:20:185:29 | ...+... | test.go:178:11:178:32 | call to Param | test.go:185:20:185:29 | ...+... | This path to an untrusted URL redirection depends on a $@. | test.go:178:11:178:32 | call to Param | user-provided value | edges | test.go:172:11:172:32 | call to Param | test.go:173:20:173:24 | param | provenance | Src:MaD:2 Sink:MaD:1 | -| test.go:178:11:178:32 | call to Param | test.go:182:24:182:28 | param | provenance | Src:MaD:2 | -| test.go:182:24:182:28 | param | test.go:182:20:182:28 | ...+... | provenance | Config Sink:MaD:1 | -| test.go:190:9:190:26 | star expression | test.go:190:10:190:26 | selection of URL | provenance | Config | -| test.go:190:9:190:26 | star expression | test.go:193:21:193:23 | url | provenance | | -| test.go:190:10:190:26 | selection of URL | test.go:190:9:190:26 | star expression | provenance | Src:MaD:3 Config | -| test.go:193:21:193:23 | url | test.go:193:21:193:32 | call to String | provenance | Config Sink:MaD:1 | +| test.go:178:11:178:32 | call to Param | test.go:185:24:185:29 | param2 | provenance | Src:MaD:2 | +| test.go:185:24:185:29 | param2 | test.go:185:20:185:29 | ...+... | provenance | Config Sink:MaD:1 | +| test.go:193:9:193:26 | star expression | test.go:193:10:193:26 | selection of URL | provenance | Config | +| test.go:193:9:193:26 | star expression | test.go:196:21:196:23 | url | provenance | | +| test.go:193:10:193:26 | selection of URL | test.go:193:9:193:26 | star expression | provenance | Src:MaD:3 Config | +| test.go:196:21:196:23 | url | test.go:196:21:196:32 | call to String | provenance | Config Sink:MaD:1 | models | 1 | Sink: github.com/labstack/echo; Context; true; Redirect; ; ; Argument[1]; url-redirection; manual | | 2 | Source: github.com/labstack/echo; Context; true; Param; ; ; ReturnValue[0]; remote; manual | @@ -17,10 +17,10 @@ nodes | test.go:172:11:172:32 | call to Param | semmle.label | call to Param | | test.go:173:20:173:24 | param | semmle.label | param | | test.go:178:11:178:32 | call to Param | semmle.label | call to Param | -| test.go:182:20:182:28 | ...+... | semmle.label | ...+... | -| test.go:182:24:182:28 | param | semmle.label | param | -| test.go:190:9:190:26 | star expression | semmle.label | star expression | -| test.go:190:10:190:26 | selection of URL | semmle.label | selection of URL | -| test.go:193:21:193:23 | url | semmle.label | url | -| test.go:193:21:193:32 | call to String | semmle.label | call to String | +| test.go:185:20:185:29 | ...+... | semmle.label | ...+... | +| test.go:185:24:185:29 | param2 | semmle.label | param2 | +| test.go:193:9:193:26 | star expression | semmle.label | star expression | +| test.go:193:10:193:26 | selection of URL | semmle.label | selection of URL | +| test.go:196:21:196:23 | url | semmle.label | url | +| test.go:196:21:196:32 | call to String | semmle.label | call to String | subpaths diff --git a/go/ql/test/library-tests/semmle/go/frameworks/Echo/test.go b/go/ql/test/library-tests/semmle/go/frameworks/Echo/test.go index 45f92cd19cbf..a15fb819ccc5 100644 --- a/go/ql/test/library-tests/semmle/go/frameworks/Echo/test.go +++ b/go/ql/test/library-tests/semmle/go/frameworks/Echo/test.go @@ -176,12 +176,15 @@ func testRedirect(ctx echo.Context) error { func testLocalRedirects(ctx echo.Context) error { param := ctx.Param("someParam") + param2 := param + param3 := param + // Gratuitious copy because sanitization of uses propagates to subsequent uses // GOOD: local redirects are unproblematic ctx.Redirect(301, "/local"+param) // BAD: this could be a non-local redirect - ctx.Redirect(301, "/"+param) + ctx.Redirect(301, "/"+param2) // GOOD: localhost redirects are unproblematic - ctx.Redirect(301, "//localhost/"+param) + ctx.Redirect(301, "//localhost/"+param3) return nil } diff --git a/go/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected b/go/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected index 3435eff77754..823c2822689e 100644 --- a/go/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected +++ b/go/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected @@ -1,97 +1,250 @@ #select | klog.go:22:15:22:20 | header | klog.go:20:30:20:37 | selection of Header | klog.go:22:15:22:20 | header | $@ flows to a logging call. | klog.go:20:30:20:37 | selection of Header | Sensitive data returned by HTTP request headers | | klog.go:28:13:28:41 | call to Get | klog.go:28:13:28:20 | selection of Header | klog.go:28:13:28:41 | call to Get | $@ flows to a logging call. | klog.go:28:13:28:20 | selection of Header | Sensitive data returned by HTTP request headers | -| main.go:15:12:15:19 | password | main.go:15:12:15:19 | password | main.go:15:12:15:19 | password | $@ flows to a logging call. | main.go:15:12:15:19 | password | Sensitive data returned by an access to password | -| main.go:16:17:16:24 | password | main.go:16:17:16:24 | password | main.go:16:17:16:24 | password | $@ flows to a logging call. | main.go:16:17:16:24 | password | Sensitive data returned by an access to password | -| main.go:17:13:17:20 | password | main.go:17:13:17:20 | password | main.go:17:13:17:20 | password | $@ flows to a logging call. | main.go:17:13:17:20 | password | Sensitive data returned by an access to password | -| main.go:18:14:18:21 | password | main.go:18:14:18:21 | password | main.go:18:14:18:21 | password | $@ flows to a logging call. | main.go:18:14:18:21 | password | Sensitive data returned by an access to password | -| main.go:19:12:19:19 | password | main.go:19:12:19:19 | password | main.go:19:12:19:19 | password | $@ flows to a logging call. | main.go:19:12:19:19 | password | Sensitive data returned by an access to password | -| main.go:20:17:20:24 | password | main.go:20:17:20:24 | password | main.go:20:17:20:24 | password | $@ flows to a logging call. | main.go:20:17:20:24 | password | Sensitive data returned by an access to password | -| main.go:21:13:21:20 | password | main.go:21:13:21:20 | password | main.go:21:13:21:20 | password | $@ flows to a logging call. | main.go:21:13:21:20 | password | Sensitive data returned by an access to password | -| main.go:22:14:22:21 | password | main.go:22:14:22:21 | password | main.go:22:14:22:21 | password | $@ flows to a logging call. | main.go:22:14:22:21 | password | Sensitive data returned by an access to password | -| main.go:23:12:23:19 | password | main.go:23:12:23:19 | password | main.go:23:12:23:19 | password | $@ flows to a logging call. | main.go:23:12:23:19 | password | Sensitive data returned by an access to password | -| main.go:24:17:24:24 | password | main.go:24:17:24:24 | password | main.go:24:17:24:24 | password | $@ flows to a logging call. | main.go:24:17:24:24 | password | Sensitive data returned by an access to password | -| main.go:25:13:25:20 | password | main.go:25:13:25:20 | password | main.go:25:13:25:20 | password | $@ flows to a logging call. | main.go:25:13:25:20 | password | Sensitive data returned by an access to password | -| main.go:26:14:26:21 | password | main.go:26:14:26:21 | password | main.go:26:14:26:21 | password | $@ flows to a logging call. | main.go:26:14:26:21 | password | Sensitive data returned by an access to password | -| main.go:27:16:27:23 | password | main.go:27:16:27:23 | password | main.go:27:16:27:23 | password | $@ flows to a logging call. | main.go:27:16:27:23 | password | Sensitive data returned by an access to password | -| main.go:30:10:30:17 | password | main.go:30:10:30:17 | password | main.go:30:10:30:17 | password | $@ flows to a logging call. | main.go:30:10:30:17 | password | Sensitive data returned by an access to password | -| main.go:31:15:31:22 | password | main.go:31:15:31:22 | password | main.go:31:15:31:22 | password | $@ flows to a logging call. | main.go:31:15:31:22 | password | Sensitive data returned by an access to password | -| main.go:32:11:32:18 | password | main.go:32:11:32:18 | password | main.go:32:11:32:18 | password | $@ flows to a logging call. | main.go:32:11:32:18 | password | Sensitive data returned by an access to password | -| main.go:33:12:33:19 | password | main.go:33:12:33:19 | password | main.go:33:12:33:19 | password | $@ flows to a logging call. | main.go:33:12:33:19 | password | Sensitive data returned by an access to password | -| main.go:34:10:34:17 | password | main.go:34:10:34:17 | password | main.go:34:10:34:17 | password | $@ flows to a logging call. | main.go:34:10:34:17 | password | Sensitive data returned by an access to password | -| main.go:35:15:35:22 | password | main.go:35:15:35:22 | password | main.go:35:15:35:22 | password | $@ flows to a logging call. | main.go:35:15:35:22 | password | Sensitive data returned by an access to password | -| main.go:36:11:36:18 | password | main.go:36:11:36:18 | password | main.go:36:11:36:18 | password | $@ flows to a logging call. | main.go:36:11:36:18 | password | Sensitive data returned by an access to password | -| main.go:37:12:37:19 | password | main.go:37:12:37:19 | password | main.go:37:12:37:19 | password | $@ flows to a logging call. | main.go:37:12:37:19 | password | Sensitive data returned by an access to password | -| main.go:38:10:38:17 | password | main.go:38:10:38:17 | password | main.go:38:10:38:17 | password | $@ flows to a logging call. | main.go:38:10:38:17 | password | Sensitive data returned by an access to password | -| main.go:39:15:39:22 | password | main.go:39:15:39:22 | password | main.go:39:15:39:22 | password | $@ flows to a logging call. | main.go:39:15:39:22 | password | Sensitive data returned by an access to password | -| main.go:40:11:40:18 | password | main.go:40:11:40:18 | password | main.go:40:11:40:18 | password | $@ flows to a logging call. | main.go:40:11:40:18 | password | Sensitive data returned by an access to password | -| main.go:41:12:41:19 | password | main.go:41:12:41:19 | password | main.go:41:12:41:19 | password | $@ flows to a logging call. | main.go:41:12:41:19 | password | Sensitive data returned by an access to password | -| main.go:42:14:42:21 | password | main.go:42:14:42:21 | password | main.go:42:14:42:21 | password | $@ flows to a logging call. | main.go:42:14:42:21 | password | Sensitive data returned by an access to password | -| main.go:44:12:44:19 | password | main.go:44:12:44:19 | password | main.go:44:12:44:19 | password | $@ flows to a logging call. | main.go:44:12:44:19 | password | Sensitive data returned by an access to password | -| main.go:45:17:45:24 | password | main.go:45:17:45:24 | password | main.go:45:17:45:24 | password | $@ flows to a logging call. | main.go:45:17:45:24 | password | Sensitive data returned by an access to password | -| main.go:52:35:52:42 | password | main.go:52:35:52:42 | password | main.go:52:35:52:42 | password | $@ flows to a logging call. | main.go:52:35:52:42 | password | Sensitive data returned by an access to password | -| overrides.go:13:14:13:23 | call to String | overrides.go:9:9:9:16 | password | overrides.go:13:14:13:23 | call to String | $@ flows to a logging call. | overrides.go:9:9:9:16 | password | Sensitive data returned by an access to password | -| passwords.go:9:14:9:14 | x | passwords.go:30:8:30:15 | password | passwords.go:9:14:9:14 | x | $@ flows to a logging call. | passwords.go:30:8:30:15 | password | Sensitive data returned by an access to password | -| passwords.go:25:14:25:21 | password | passwords.go:25:14:25:21 | password | passwords.go:25:14:25:21 | password | $@ flows to a logging call. | passwords.go:25:14:25:21 | password | Sensitive data returned by an access to password | +| main.go:19:12:19:19 | password | main.go:17:2:17:9 | definition of password | main.go:19:12:19:19 | password | $@ flows to a logging call. | main.go:17:2:17:9 | definition of password | Sensitive data returned by an access to password | +| main.go:20:17:20:24 | password | main.go:17:2:17:9 | definition of password | main.go:20:17:20:24 | password | $@ flows to a logging call. | main.go:17:2:17:9 | definition of password | Sensitive data returned by an access to password | +| main.go:21:13:21:20 | password | main.go:17:2:17:9 | definition of password | main.go:21:13:21:20 | password | $@ flows to a logging call. | main.go:17:2:17:9 | definition of password | Sensitive data returned by an access to password | +| main.go:22:14:22:21 | password | main.go:17:2:17:9 | definition of password | main.go:22:14:22:21 | password | $@ flows to a logging call. | main.go:17:2:17:9 | definition of password | Sensitive data returned by an access to password | +| main.go:24:13:24:20 | password | main.go:17:2:17:9 | definition of password | main.go:24:13:24:20 | password | $@ flows to a logging call. | main.go:17:2:17:9 | definition of password | Sensitive data returned by an access to password | +| main.go:27:18:27:25 | password | main.go:17:2:17:9 | definition of password | main.go:27:18:27:25 | password | $@ flows to a logging call. | main.go:17:2:17:9 | definition of password | Sensitive data returned by an access to password | +| main.go:30:14:30:21 | password | main.go:17:2:17:9 | definition of password | main.go:30:14:30:21 | password | $@ flows to a logging call. | main.go:17:2:17:9 | definition of password | Sensitive data returned by an access to password | +| main.go:33:15:33:22 | password | main.go:17:2:17:9 | definition of password | main.go:33:15:33:22 | password | $@ flows to a logging call. | main.go:17:2:17:9 | definition of password | Sensitive data returned by an access to password | +| main.go:36:13:36:20 | password | main.go:17:2:17:9 | definition of password | main.go:36:13:36:20 | password | $@ flows to a logging call. | main.go:17:2:17:9 | definition of password | Sensitive data returned by an access to password | +| main.go:39:18:39:25 | password | main.go:17:2:17:9 | definition of password | main.go:39:18:39:25 | password | $@ flows to a logging call. | main.go:17:2:17:9 | definition of password | Sensitive data returned by an access to password | +| main.go:42:14:42:21 | password | main.go:17:2:17:9 | definition of password | main.go:42:14:42:21 | password | $@ flows to a logging call. | main.go:17:2:17:9 | definition of password | Sensitive data returned by an access to password | +| main.go:45:15:45:22 | password | main.go:17:2:17:9 | definition of password | main.go:45:15:45:22 | password | $@ flows to a logging call. | main.go:17:2:17:9 | definition of password | Sensitive data returned by an access to password | +| main.go:47:16:47:23 | password | main.go:17:2:17:9 | definition of password | main.go:47:16:47:23 | password | $@ flows to a logging call. | main.go:17:2:17:9 | definition of password | Sensitive data returned by an access to password | +| main.go:50:10:50:17 | password | main.go:17:2:17:9 | definition of password | main.go:50:10:50:17 | password | $@ flows to a logging call. | main.go:17:2:17:9 | definition of password | Sensitive data returned by an access to password | +| main.go:51:15:51:22 | password | main.go:17:2:17:9 | definition of password | main.go:51:15:51:22 | password | $@ flows to a logging call. | main.go:17:2:17:9 | definition of password | Sensitive data returned by an access to password | +| main.go:52:11:52:18 | password | main.go:17:2:17:9 | definition of password | main.go:52:11:52:18 | password | $@ flows to a logging call. | main.go:17:2:17:9 | definition of password | Sensitive data returned by an access to password | +| main.go:53:12:53:19 | password | main.go:17:2:17:9 | definition of password | main.go:53:12:53:19 | password | $@ flows to a logging call. | main.go:17:2:17:9 | definition of password | Sensitive data returned by an access to password | +| main.go:55:11:55:18 | password | main.go:17:2:17:9 | definition of password | main.go:55:11:55:18 | password | $@ flows to a logging call. | main.go:17:2:17:9 | definition of password | Sensitive data returned by an access to password | +| main.go:58:16:58:23 | password | main.go:17:2:17:9 | definition of password | main.go:58:16:58:23 | password | $@ flows to a logging call. | main.go:17:2:17:9 | definition of password | Sensitive data returned by an access to password | +| main.go:61:12:61:19 | password | main.go:17:2:17:9 | definition of password | main.go:61:12:61:19 | password | $@ flows to a logging call. | main.go:17:2:17:9 | definition of password | Sensitive data returned by an access to password | +| main.go:64:13:64:20 | password | main.go:17:2:17:9 | definition of password | main.go:64:13:64:20 | password | $@ flows to a logging call. | main.go:17:2:17:9 | definition of password | Sensitive data returned by an access to password | +| main.go:67:11:67:18 | password | main.go:17:2:17:9 | definition of password | main.go:67:11:67:18 | password | $@ flows to a logging call. | main.go:17:2:17:9 | definition of password | Sensitive data returned by an access to password | +| main.go:70:16:70:23 | password | main.go:17:2:17:9 | definition of password | main.go:70:16:70:23 | password | $@ flows to a logging call. | main.go:17:2:17:9 | definition of password | Sensitive data returned by an access to password | +| main.go:73:12:73:19 | password | main.go:17:2:17:9 | definition of password | main.go:73:12:73:19 | password | $@ flows to a logging call. | main.go:17:2:17:9 | definition of password | Sensitive data returned by an access to password | +| main.go:76:13:76:20 | password | main.go:17:2:17:9 | definition of password | main.go:76:13:76:20 | password | $@ flows to a logging call. | main.go:17:2:17:9 | definition of password | Sensitive data returned by an access to password | +| main.go:78:14:78:21 | password | main.go:17:2:17:9 | definition of password | main.go:78:14:78:21 | password | $@ flows to a logging call. | main.go:17:2:17:9 | definition of password | Sensitive data returned by an access to password | +| main.go:80:12:80:19 | password | main.go:17:2:17:9 | definition of password | main.go:80:12:80:19 | password | $@ flows to a logging call. | main.go:17:2:17:9 | definition of password | Sensitive data returned by an access to password | +| main.go:81:17:81:24 | password | main.go:17:2:17:9 | definition of password | main.go:81:17:81:24 | password | $@ flows to a logging call. | main.go:17:2:17:9 | definition of password | Sensitive data returned by an access to password | +| main.go:85:29:85:34 | fields | main.go:17:2:17:9 | definition of password | main.go:85:29:85:34 | fields | $@ flows to a logging call. | main.go:17:2:17:9 | definition of password | Sensitive data returned by an access to password | +| main.go:88:35:88:42 | password | main.go:17:2:17:9 | definition of password | main.go:88:35:88:42 | password | $@ flows to a logging call. | main.go:17:2:17:9 | definition of password | Sensitive data returned by an access to password | +| overrides.go:13:14:13:23 | call to String | overrides.go:8:2:8:9 | definition of password | overrides.go:13:14:13:23 | call to String | $@ flows to a logging call. | overrides.go:8:2:8:9 | definition of password | Sensitive data returned by an access to password | +| passwords.go:9:14:9:14 | x | passwords.go:21:2:21:9 | definition of password | passwords.go:9:14:9:14 | x | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password | +| passwords.go:25:14:25:21 | password | passwords.go:21:2:21:9 | definition of password | passwords.go:25:14:25:21 | password | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password | | passwords.go:26:14:26:23 | selection of password | passwords.go:26:14:26:23 | selection of password | passwords.go:26:14:26:23 | selection of password | $@ flows to a logging call. | passwords.go:26:14:26:23 | selection of password | Sensitive data returned by an access to password | | passwords.go:27:14:27:26 | call to getPassword | passwords.go:27:14:27:26 | call to getPassword | passwords.go:27:14:27:26 | call to getPassword | $@ flows to a logging call. | passwords.go:27:14:27:26 | call to getPassword | Sensitive data returned by a call to getPassword | | passwords.go:28:14:28:28 | call to getPassword | passwords.go:28:14:28:28 | call to getPassword | passwords.go:28:14:28:28 | call to getPassword | $@ flows to a logging call. | passwords.go:28:14:28:28 | call to getPassword | Sensitive data returned by a call to getPassword | -| passwords.go:32:12:32:19 | password | passwords.go:32:12:32:19 | password | passwords.go:32:12:32:19 | password | $@ flows to a logging call. | passwords.go:32:12:32:19 | password | Sensitive data returned by an access to password | -| passwords.go:34:14:34:35 | ...+... | passwords.go:34:28:34:35 | password | passwords.go:34:14:34:35 | ...+... | $@ flows to a logging call. | passwords.go:34:28:34:35 | password | Sensitive data returned by an access to password | +| passwords.go:32:12:32:19 | password | passwords.go:21:2:21:9 | definition of password | passwords.go:32:12:32:19 | password | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password | +| passwords.go:34:14:34:35 | ...+... | passwords.go:21:2:21:9 | definition of password | passwords.go:34:14:34:35 | ...+... | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password | | passwords.go:39:14:39:17 | obj1 | passwords.go:37:13:37:13 | x | passwords.go:39:14:39:17 | obj1 | $@ flows to a logging call. | passwords.go:37:13:37:13 | x | Sensitive data returned by an access to password | -| passwords.go:44:14:44:17 | obj2 | passwords.go:42:6:42:13 | password | passwords.go:44:14:44:17 | obj2 | $@ flows to a logging call. | passwords.go:42:6:42:13 | password | Sensitive data returned by an access to password | -| passwords.go:47:14:47:17 | obj3 | passwords.go:48:11:48:18 | password | passwords.go:47:14:47:17 | obj3 | $@ flows to a logging call. | passwords.go:48:11:48:18 | password | Sensitive data returned by an access to password | -| passwords.go:51:14:51:27 | fixed_password | passwords.go:51:14:51:27 | fixed_password | passwords.go:51:14:51:27 | fixed_password | $@ flows to a logging call. | passwords.go:51:14:51:27 | fixed_password | Sensitive data returned by an access to fixed_password | -| passwords.go:88:14:88:26 | utilityObject | passwords.go:86:16:86:36 | call to make | passwords.go:88:14:88:26 | utilityObject | $@ flows to a logging call. | passwords.go:86:16:86:36 | call to make | Sensitive data returned by an access to passwordSet | -| passwords.go:91:23:91:28 | secret | passwords.go:90:12:90:19 | password | passwords.go:91:23:91:28 | secret | $@ flows to a logging call. | passwords.go:90:12:90:19 | password | Sensitive data returned by an access to password | -| passwords.go:101:15:101:40 | ...+... | passwords.go:101:33:101:40 | password | passwords.go:101:15:101:40 | ...+... | $@ flows to a logging call. | passwords.go:101:33:101:40 | password | Sensitive data returned by an access to password | -| passwords.go:107:16:107:41 | ...+... | passwords.go:107:34:107:41 | password | passwords.go:107:16:107:41 | ...+... | $@ flows to a logging call. | passwords.go:107:34:107:41 | password | Sensitive data returned by an access to password | -| passwords.go:112:15:112:40 | ...+... | passwords.go:112:33:112:40 | password | passwords.go:112:15:112:40 | ...+... | $@ flows to a logging call. | passwords.go:112:33:112:40 | password | Sensitive data returned by an access to password | -| passwords.go:116:14:116:45 | ...+... | passwords.go:116:28:116:36 | password1 | passwords.go:116:14:116:45 | ...+... | $@ flows to a logging call. | passwords.go:116:28:116:36 | password1 | Sensitive data returned by an access to password1 | -| passwords.go:125:14:125:19 | config | passwords.go:119:13:119:13 | x | passwords.go:125:14:125:19 | config | $@ flows to a logging call. | passwords.go:119:13:119:13 | x | Sensitive data returned by an access to password | -| passwords.go:125:14:125:19 | config | passwords.go:121:13:121:20 | password | passwords.go:125:14:125:19 | config | $@ flows to a logging call. | passwords.go:121:13:121:20 | password | Sensitive data returned by an access to password | -| passwords.go:125:14:125:19 | config | passwords.go:122:13:122:25 | call to getPassword | passwords.go:125:14:125:19 | config | $@ flows to a logging call. | passwords.go:122:13:122:25 | call to getPassword | Sensitive data returned by a call to getPassword | -| passwords.go:126:14:126:21 | selection of x | passwords.go:121:13:121:20 | password | passwords.go:126:14:126:21 | selection of x | $@ flows to a logging call. | passwords.go:121:13:121:20 | password | Sensitive data returned by an access to password | -| passwords.go:127:14:127:21 | selection of y | passwords.go:122:13:122:25 | call to getPassword | passwords.go:127:14:127:21 | selection of y | $@ flows to a logging call. | passwords.go:122:13:122:25 | call to getPassword | Sensitive data returned by a call to getPassword | -| protobuf.go:14:14:14:35 | call to GetDescription | protobuf.go:12:22:12:29 | password | protobuf.go:14:14:14:35 | call to GetDescription | $@ flows to a logging call. | protobuf.go:12:22:12:29 | password | Sensitive data returned by an access to password | +| passwords.go:44:14:44:17 | obj2 | passwords.go:21:2:21:9 | definition of password | passwords.go:44:14:44:17 | obj2 | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password | +| passwords.go:47:14:47:17 | obj3 | passwords.go:21:2:21:9 | definition of password | passwords.go:47:14:47:17 | obj3 | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password | +| passwords.go:51:14:51:27 | fixed_password | passwords.go:50:2:50:15 | definition of fixed_password | passwords.go:51:14:51:27 | fixed_password | $@ flows to a logging call. | passwords.go:50:2:50:15 | definition of fixed_password | Sensitive data returned by an access to fixed_password | +| passwords.go:89:14:89:26 | utilityObject | passwords.go:87:16:87:36 | call to make | passwords.go:89:14:89:26 | utilityObject | $@ flows to a logging call. | passwords.go:87:16:87:36 | call to make | Sensitive data returned by an access to passwordSet | +| passwords.go:92:23:92:28 | secret | passwords.go:21:2:21:9 | definition of password | passwords.go:92:23:92:28 | secret | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password | +| passwords.go:102:15:102:40 | ...+... | passwords.go:21:2:21:9 | definition of password | passwords.go:102:15:102:40 | ...+... | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password | +| passwords.go:108:16:108:41 | ...+... | passwords.go:21:2:21:9 | definition of password | passwords.go:108:16:108:41 | ...+... | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password | +| passwords.go:113:15:113:40 | ...+... | passwords.go:21:2:21:9 | definition of password | passwords.go:113:15:113:40 | ...+... | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password | +| passwords.go:117:14:117:45 | ...+... | passwords.go:116:6:116:14 | definition of password1 | passwords.go:117:14:117:45 | ...+... | $@ flows to a logging call. | passwords.go:116:6:116:14 | definition of password1 | Sensitive data returned by an access to password1 | +| passwords.go:127:14:127:19 | config | passwords.go:21:2:21:9 | definition of password | passwords.go:127:14:127:19 | config | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password | +| passwords.go:127:14:127:19 | config | passwords.go:121:13:121:14 | x3 | passwords.go:127:14:127:19 | config | $@ flows to a logging call. | passwords.go:121:13:121:14 | x3 | Sensitive data returned by an access to password | +| passwords.go:127:14:127:19 | config | passwords.go:124:13:124:25 | call to getPassword | passwords.go:127:14:127:19 | config | $@ flows to a logging call. | passwords.go:124:13:124:25 | call to getPassword | Sensitive data returned by a call to getPassword | +| passwords.go:128:14:128:21 | selection of x | passwords.go:21:2:21:9 | definition of password | passwords.go:128:14:128:21 | selection of x | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password | +| passwords.go:129:14:129:21 | selection of y | passwords.go:124:13:124:25 | call to getPassword | passwords.go:129:14:129:21 | selection of y | $@ flows to a logging call. | passwords.go:124:13:124:25 | call to getPassword | Sensitive data returned by a call to getPassword | +| protobuf.go:14:14:14:35 | call to GetDescription | protobuf.go:9:2:9:9 | definition of password | protobuf.go:14:14:14:35 | call to GetDescription | $@ flows to a logging call. | protobuf.go:9:2:9:9 | definition of password | Sensitive data returned by an access to password | edges | klog.go:20:3:25:3 | range statement[1] | klog.go:21:27:21:33 | headers | provenance | | -| klog.go:20:30:20:37 | selection of Header | klog.go:20:3:25:3 | range statement[1] | provenance | Src:MaD:1 Config | +| klog.go:20:30:20:37 | selection of Header | klog.go:20:3:25:3 | range statement[1] | provenance | Src:MaD:11 Config | | klog.go:21:4:24:4 | range statement[1] | klog.go:22:15:22:20 | header | provenance | | | klog.go:21:27:21:33 | headers | klog.go:21:4:24:4 | range statement[1] | provenance | Config | -| klog.go:28:13:28:20 | selection of Header | klog.go:28:13:28:41 | call to Get | provenance | Src:MaD:1 Config | +| klog.go:28:13:28:20 | selection of Header | klog.go:28:13:28:41 | call to Get | provenance | Src:MaD:11 Config | +| main.go:17:2:17:9 | definition of password | main.go:19:12:19:19 | password | provenance | | +| main.go:17:2:17:9 | definition of password | main.go:20:17:20:24 | password | provenance | | +| main.go:17:2:17:9 | definition of password | main.go:21:13:21:20 | password | provenance | Sink:MaD:6 | +| main.go:17:2:17:9 | definition of password | main.go:22:14:22:21 | password | provenance | | +| main.go:17:2:17:9 | definition of password | main.go:24:13:24:20 | password | provenance | | +| main.go:17:2:17:9 | definition of password | main.go:27:18:27:25 | password | provenance | | +| main.go:17:2:17:9 | definition of password | main.go:30:14:30:21 | password | provenance | Sink:MaD:3 | +| main.go:17:2:17:9 | definition of password | main.go:33:15:33:22 | password | provenance | | +| main.go:17:2:17:9 | definition of password | main.go:36:13:36:20 | password | provenance | | +| main.go:17:2:17:9 | definition of password | main.go:39:18:39:25 | password | provenance | | +| main.go:17:2:17:9 | definition of password | main.go:42:14:42:21 | password | provenance | Sink:MaD:5 | +| main.go:17:2:17:9 | definition of password | main.go:45:15:45:22 | password | provenance | | +| main.go:17:2:17:9 | definition of password | main.go:47:16:47:23 | password | provenance | Sink:MaD:4 | +| main.go:17:2:17:9 | definition of password | main.go:50:10:50:17 | password | provenance | | +| main.go:17:2:17:9 | definition of password | main.go:50:10:50:17 | password | provenance | | +| main.go:50:10:50:17 | password | main.go:51:15:51:22 | password | provenance | | +| main.go:50:10:50:17 | password | main.go:51:15:51:22 | password | provenance | | +| main.go:51:15:51:22 | password | main.go:52:11:52:18 | password | provenance | | +| main.go:51:15:51:22 | password | main.go:52:11:52:18 | password | provenance | Sink:MaD:10 | +| main.go:52:11:52:18 | password | main.go:53:12:53:19 | password | provenance | | +| main.go:52:11:52:18 | password | main.go:53:12:53:19 | password | provenance | | +| main.go:53:12:53:19 | password | main.go:55:11:55:18 | password | provenance | | +| main.go:53:12:53:19 | password | main.go:55:11:55:18 | password | provenance | | +| main.go:53:12:53:19 | password | main.go:58:16:58:23 | password | provenance | | +| main.go:53:12:53:19 | password | main.go:58:16:58:23 | password | provenance | | +| main.go:53:12:53:19 | password | main.go:61:12:61:19 | password | provenance | | +| main.go:53:12:53:19 | password | main.go:61:12:61:19 | password | provenance | Sink:MaD:7 | +| main.go:53:12:53:19 | password | main.go:64:13:64:20 | password | provenance | | +| main.go:53:12:53:19 | password | main.go:64:13:64:20 | password | provenance | | +| main.go:53:12:53:19 | password | main.go:67:11:67:18 | password | provenance | | +| main.go:53:12:53:19 | password | main.go:67:11:67:18 | password | provenance | | +| main.go:53:12:53:19 | password | main.go:70:16:70:23 | password | provenance | | +| main.go:53:12:53:19 | password | main.go:70:16:70:23 | password | provenance | | +| main.go:53:12:53:19 | password | main.go:73:12:73:19 | password | provenance | | +| main.go:53:12:53:19 | password | main.go:73:12:73:19 | password | provenance | Sink:MaD:9 | +| main.go:53:12:53:19 | password | main.go:76:13:76:20 | password | provenance | | +| main.go:53:12:53:19 | password | main.go:76:13:76:20 | password | provenance | | +| main.go:53:12:53:19 | password | main.go:78:14:78:21 | password | provenance | Sink:MaD:8 | +| main.go:53:12:53:19 | password | main.go:80:12:80:19 | password | provenance | | +| main.go:53:12:53:19 | password | main.go:81:17:81:24 | password | provenance | | +| main.go:53:12:53:19 | password | main.go:84:19:84:26 | password | provenance | | +| main.go:55:11:55:18 | password | main.go:58:16:58:23 | password | provenance | | +| main.go:55:11:55:18 | password | main.go:58:16:58:23 | password | provenance | | +| main.go:55:11:55:18 | password | main.go:61:12:61:19 | password | provenance | | +| main.go:55:11:55:18 | password | main.go:61:12:61:19 | password | provenance | Sink:MaD:7 | +| main.go:55:11:55:18 | password | main.go:64:13:64:20 | password | provenance | | +| main.go:55:11:55:18 | password | main.go:64:13:64:20 | password | provenance | | +| main.go:55:11:55:18 | password | main.go:67:11:67:18 | password | provenance | | +| main.go:55:11:55:18 | password | main.go:67:11:67:18 | password | provenance | | +| main.go:55:11:55:18 | password | main.go:70:16:70:23 | password | provenance | | +| main.go:55:11:55:18 | password | main.go:70:16:70:23 | password | provenance | | +| main.go:55:11:55:18 | password | main.go:73:12:73:19 | password | provenance | | +| main.go:55:11:55:18 | password | main.go:73:12:73:19 | password | provenance | Sink:MaD:9 | +| main.go:55:11:55:18 | password | main.go:76:13:76:20 | password | provenance | | +| main.go:55:11:55:18 | password | main.go:76:13:76:20 | password | provenance | | +| main.go:55:11:55:18 | password | main.go:78:14:78:21 | password | provenance | Sink:MaD:8 | +| main.go:55:11:55:18 | password | main.go:80:12:80:19 | password | provenance | | +| main.go:55:11:55:18 | password | main.go:81:17:81:24 | password | provenance | | +| main.go:55:11:55:18 | password | main.go:84:19:84:26 | password | provenance | | +| main.go:58:16:58:23 | password | main.go:61:12:61:19 | password | provenance | | +| main.go:58:16:58:23 | password | main.go:61:12:61:19 | password | provenance | Sink:MaD:7 | +| main.go:58:16:58:23 | password | main.go:64:13:64:20 | password | provenance | | +| main.go:58:16:58:23 | password | main.go:64:13:64:20 | password | provenance | | +| main.go:58:16:58:23 | password | main.go:67:11:67:18 | password | provenance | | +| main.go:58:16:58:23 | password | main.go:67:11:67:18 | password | provenance | | +| main.go:58:16:58:23 | password | main.go:70:16:70:23 | password | provenance | | +| main.go:58:16:58:23 | password | main.go:70:16:70:23 | password | provenance | | +| main.go:58:16:58:23 | password | main.go:73:12:73:19 | password | provenance | | +| main.go:58:16:58:23 | password | main.go:73:12:73:19 | password | provenance | Sink:MaD:9 | +| main.go:58:16:58:23 | password | main.go:76:13:76:20 | password | provenance | | +| main.go:58:16:58:23 | password | main.go:76:13:76:20 | password | provenance | | +| main.go:58:16:58:23 | password | main.go:78:14:78:21 | password | provenance | Sink:MaD:8 | +| main.go:58:16:58:23 | password | main.go:80:12:80:19 | password | provenance | | +| main.go:58:16:58:23 | password | main.go:81:17:81:24 | password | provenance | | +| main.go:58:16:58:23 | password | main.go:84:19:84:26 | password | provenance | | +| main.go:61:12:61:19 | password | main.go:64:13:64:20 | password | provenance | | +| main.go:61:12:61:19 | password | main.go:64:13:64:20 | password | provenance | | +| main.go:61:12:61:19 | password | main.go:67:11:67:18 | password | provenance | | +| main.go:61:12:61:19 | password | main.go:67:11:67:18 | password | provenance | | +| main.go:61:12:61:19 | password | main.go:70:16:70:23 | password | provenance | | +| main.go:61:12:61:19 | password | main.go:70:16:70:23 | password | provenance | | +| main.go:61:12:61:19 | password | main.go:73:12:73:19 | password | provenance | | +| main.go:61:12:61:19 | password | main.go:73:12:73:19 | password | provenance | Sink:MaD:9 | +| main.go:61:12:61:19 | password | main.go:76:13:76:20 | password | provenance | | +| main.go:61:12:61:19 | password | main.go:76:13:76:20 | password | provenance | | +| main.go:61:12:61:19 | password | main.go:78:14:78:21 | password | provenance | Sink:MaD:8 | +| main.go:61:12:61:19 | password | main.go:80:12:80:19 | password | provenance | | +| main.go:61:12:61:19 | password | main.go:81:17:81:24 | password | provenance | | +| main.go:61:12:61:19 | password | main.go:84:19:84:26 | password | provenance | | +| main.go:64:13:64:20 | password | main.go:67:11:67:18 | password | provenance | | +| main.go:64:13:64:20 | password | main.go:67:11:67:18 | password | provenance | | +| main.go:64:13:64:20 | password | main.go:70:16:70:23 | password | provenance | | +| main.go:64:13:64:20 | password | main.go:70:16:70:23 | password | provenance | | +| main.go:64:13:64:20 | password | main.go:73:12:73:19 | password | provenance | | +| main.go:64:13:64:20 | password | main.go:73:12:73:19 | password | provenance | Sink:MaD:9 | +| main.go:64:13:64:20 | password | main.go:76:13:76:20 | password | provenance | | +| main.go:64:13:64:20 | password | main.go:76:13:76:20 | password | provenance | | +| main.go:64:13:64:20 | password | main.go:78:14:78:21 | password | provenance | Sink:MaD:8 | +| main.go:64:13:64:20 | password | main.go:80:12:80:19 | password | provenance | | +| main.go:64:13:64:20 | password | main.go:81:17:81:24 | password | provenance | | +| main.go:64:13:64:20 | password | main.go:84:19:84:26 | password | provenance | | +| main.go:67:11:67:18 | password | main.go:70:16:70:23 | password | provenance | | +| main.go:67:11:67:18 | password | main.go:70:16:70:23 | password | provenance | | +| main.go:67:11:67:18 | password | main.go:73:12:73:19 | password | provenance | | +| main.go:67:11:67:18 | password | main.go:73:12:73:19 | password | provenance | Sink:MaD:9 | +| main.go:67:11:67:18 | password | main.go:76:13:76:20 | password | provenance | | +| main.go:67:11:67:18 | password | main.go:76:13:76:20 | password | provenance | | +| main.go:67:11:67:18 | password | main.go:78:14:78:21 | password | provenance | Sink:MaD:8 | +| main.go:67:11:67:18 | password | main.go:80:12:80:19 | password | provenance | | +| main.go:67:11:67:18 | password | main.go:81:17:81:24 | password | provenance | | +| main.go:67:11:67:18 | password | main.go:84:19:84:26 | password | provenance | | +| main.go:70:16:70:23 | password | main.go:73:12:73:19 | password | provenance | | +| main.go:70:16:70:23 | password | main.go:73:12:73:19 | password | provenance | Sink:MaD:9 | +| main.go:70:16:70:23 | password | main.go:76:13:76:20 | password | provenance | | +| main.go:70:16:70:23 | password | main.go:76:13:76:20 | password | provenance | | +| main.go:70:16:70:23 | password | main.go:78:14:78:21 | password | provenance | Sink:MaD:8 | +| main.go:70:16:70:23 | password | main.go:80:12:80:19 | password | provenance | | +| main.go:70:16:70:23 | password | main.go:81:17:81:24 | password | provenance | | +| main.go:70:16:70:23 | password | main.go:84:19:84:26 | password | provenance | | +| main.go:73:12:73:19 | password | main.go:76:13:76:20 | password | provenance | | +| main.go:73:12:73:19 | password | main.go:76:13:76:20 | password | provenance | | +| main.go:73:12:73:19 | password | main.go:78:14:78:21 | password | provenance | Sink:MaD:8 | +| main.go:73:12:73:19 | password | main.go:80:12:80:19 | password | provenance | | +| main.go:73:12:73:19 | password | main.go:81:17:81:24 | password | provenance | | +| main.go:73:12:73:19 | password | main.go:84:19:84:26 | password | provenance | | +| main.go:76:13:76:20 | password | main.go:78:14:78:21 | password | provenance | Sink:MaD:8 | +| main.go:76:13:76:20 | password | main.go:80:12:80:19 | password | provenance | | +| main.go:76:13:76:20 | password | main.go:81:17:81:24 | password | provenance | | +| main.go:76:13:76:20 | password | main.go:84:19:84:26 | password | provenance | | +| main.go:83:2:83:7 | definition of fields | main.go:85:29:85:34 | fields | provenance | Sink:MaD:2 | +| main.go:84:19:84:26 | password | main.go:83:2:83:7 | definition of fields | provenance | Config | +| main.go:84:19:84:26 | password | main.go:88:35:88:42 | password | provenance | Sink:MaD:1 | +| overrides.go:8:2:8:9 | definition of password | overrides.go:9:9:9:16 | password | provenance | | | overrides.go:9:9:9:16 | password | overrides.go:13:14:13:23 | call to String | provenance | | | passwords.go:8:12:8:12 | definition of x | passwords.go:9:14:9:14 | x | provenance | | +| passwords.go:21:2:21:9 | definition of password | passwords.go:25:14:25:21 | password | provenance | | +| passwords.go:21:2:21:9 | definition of password | passwords.go:30:8:30:15 | password | provenance | | +| passwords.go:21:2:21:9 | definition of password | passwords.go:32:12:32:19 | password | provenance | | +| passwords.go:21:2:21:9 | definition of password | passwords.go:34:28:34:35 | password | provenance | | | passwords.go:30:8:30:15 | password | passwords.go:8:12:8:12 | definition of x | provenance | | | passwords.go:34:28:34:35 | password | passwords.go:34:14:34:35 | ...+... | provenance | Config | +| passwords.go:34:28:34:35 | password | passwords.go:42:6:42:13 | password | provenance | | | passwords.go:36:10:38:2 | struct literal | passwords.go:39:14:39:17 | obj1 | provenance | | | passwords.go:37:13:37:13 | x | passwords.go:36:10:38:2 | struct literal | provenance | Config | | passwords.go:41:10:43:2 | struct literal | passwords.go:44:14:44:17 | obj2 | provenance | | | passwords.go:42:6:42:13 | password | passwords.go:41:10:43:2 | struct literal | provenance | Config | +| passwords.go:42:6:42:13 | password | passwords.go:48:11:48:18 | password | provenance | | | passwords.go:46:6:46:9 | definition of obj3 | passwords.go:47:14:47:17 | obj3 | provenance | | | passwords.go:48:11:48:18 | password | passwords.go:46:6:46:9 | definition of obj3 | provenance | Config | -| passwords.go:85:19:87:2 | struct literal | passwords.go:88:14:88:26 | utilityObject | provenance | | -| passwords.go:86:16:86:36 | call to make | passwords.go:85:19:87:2 | struct literal | provenance | Config | -| passwords.go:90:12:90:19 | password | passwords.go:91:23:91:28 | secret | provenance | | -| passwords.go:101:33:101:40 | password | passwords.go:101:15:101:40 | ...+... | provenance | Config | -| passwords.go:107:34:107:41 | password | passwords.go:107:16:107:41 | ...+... | provenance | Config | -| passwords.go:112:33:112:40 | password | passwords.go:112:15:112:40 | ...+... | provenance | Config | -| passwords.go:116:28:116:36 | password1 | passwords.go:116:28:116:45 | call to String | provenance | Config | -| passwords.go:116:28:116:45 | call to String | passwords.go:116:14:116:45 | ...+... | provenance | Config | -| passwords.go:118:12:123:2 | struct literal | passwords.go:125:14:125:19 | config | provenance | | -| passwords.go:118:12:123:2 | struct literal [x] | passwords.go:126:14:126:19 | config [x] | provenance | | -| passwords.go:118:12:123:2 | struct literal [y] | passwords.go:127:14:127:19 | config [y] | provenance | | -| passwords.go:119:13:119:13 | x | passwords.go:118:12:123:2 | struct literal | provenance | Config | -| passwords.go:121:13:121:20 | password | passwords.go:118:12:123:2 | struct literal | provenance | Config | -| passwords.go:121:13:121:20 | password | passwords.go:118:12:123:2 | struct literal [x] | provenance | | -| passwords.go:122:13:122:25 | call to getPassword | passwords.go:118:12:123:2 | struct literal | provenance | Config | -| passwords.go:122:13:122:25 | call to getPassword | passwords.go:118:12:123:2 | struct literal [y] | provenance | | -| passwords.go:126:14:126:19 | config [x] | passwords.go:126:14:126:21 | selection of x | provenance | | -| passwords.go:127:14:127:19 | config [y] | passwords.go:127:14:127:21 | selection of y | provenance | | +| passwords.go:48:11:48:18 | password | passwords.go:92:23:92:28 | secret | provenance | | +| passwords.go:48:11:48:18 | password | passwords.go:102:33:102:40 | password | provenance | | +| passwords.go:48:11:48:18 | password | passwords.go:108:34:108:41 | password | provenance | | +| passwords.go:48:11:48:18 | password | passwords.go:113:33:113:40 | password | provenance | | +| passwords.go:48:11:48:18 | password | passwords.go:123:13:123:20 | password | provenance | | +| passwords.go:50:2:50:15 | definition of fixed_password | passwords.go:51:14:51:27 | fixed_password | provenance | | +| passwords.go:86:19:88:2 | struct literal | passwords.go:89:14:89:26 | utilityObject | provenance | | +| passwords.go:87:16:87:36 | call to make | passwords.go:86:19:88:2 | struct literal | provenance | Config | +| passwords.go:102:33:102:40 | password | passwords.go:102:15:102:40 | ...+... | provenance | Config | +| passwords.go:102:33:102:40 | password | passwords.go:108:34:108:41 | password | provenance | | +| passwords.go:102:33:102:40 | password | passwords.go:113:33:113:40 | password | provenance | | +| passwords.go:102:33:102:40 | password | passwords.go:123:13:123:20 | password | provenance | | +| passwords.go:108:34:108:41 | password | passwords.go:108:16:108:41 | ...+... | provenance | Config | +| passwords.go:108:34:108:41 | password | passwords.go:113:33:113:40 | password | provenance | | +| passwords.go:108:34:108:41 | password | passwords.go:123:13:123:20 | password | provenance | | +| passwords.go:113:33:113:40 | password | passwords.go:113:15:113:40 | ...+... | provenance | Config | +| passwords.go:113:33:113:40 | password | passwords.go:123:13:123:20 | password | provenance | | +| passwords.go:116:6:116:14 | definition of password1 | passwords.go:117:28:117:36 | password1 | provenance | | +| passwords.go:117:28:117:36 | password1 | passwords.go:117:28:117:45 | call to String | provenance | Config | +| passwords.go:117:28:117:45 | call to String | passwords.go:117:14:117:45 | ...+... | provenance | Config | +| passwords.go:120:12:125:2 | struct literal | passwords.go:127:14:127:19 | config | provenance | | +| passwords.go:120:12:125:2 | struct literal [x] | passwords.go:128:14:128:19 | config [x] | provenance | | +| passwords.go:120:12:125:2 | struct literal [y] | passwords.go:129:14:129:19 | config [y] | provenance | | +| passwords.go:121:13:121:14 | x3 | passwords.go:120:12:125:2 | struct literal | provenance | Config | +| passwords.go:123:13:123:20 | password | passwords.go:120:12:125:2 | struct literal | provenance | Config | +| passwords.go:123:13:123:20 | password | passwords.go:120:12:125:2 | struct literal [x] | provenance | | +| passwords.go:124:13:124:25 | call to getPassword | passwords.go:120:12:125:2 | struct literal | provenance | Config | +| passwords.go:124:13:124:25 | call to getPassword | passwords.go:120:12:125:2 | struct literal [y] | provenance | | +| passwords.go:128:14:128:19 | config [x] | passwords.go:128:14:128:21 | selection of x | provenance | | +| passwords.go:129:14:129:19 | config [y] | passwords.go:129:14:129:21 | selection of y | provenance | | +| protobuf.go:9:2:9:9 | definition of password | protobuf.go:12:22:12:29 | password | provenance | | | protobuf.go:11:2:11:6 | definition of query [pointer, Description] | protobuf.go:12:2:12:6 | query [pointer, Description] | provenance | | -| protobuf.go:11:2:11:6 | definition of query [pointer, Description] | protobuf.go:14:14:14:18 | query [pointer, Description] | provenance | | | protobuf.go:12:2:12:6 | implicit dereference [Description] | protobuf.go:11:2:11:6 | definition of query [pointer, Description] | provenance | | | protobuf.go:12:2:12:6 | query [pointer, Description] | protobuf.go:12:2:12:6 | implicit dereference [Description] | provenance | | +| protobuf.go:12:2:12:6 | query [pointer, Description] | protobuf.go:14:14:14:18 | query [pointer, Description] | provenance | | | protobuf.go:12:22:12:29 | password | protobuf.go:12:2:12:6 | implicit dereference [Description] | provenance | | | protobuf.go:14:14:14:18 | query [pointer, Description] | protobuf.go:14:14:14:35 | call to GetDescription | provenance | | | protobuf.go:14:14:14:18 | query [pointer, Description] | protos/query/query.pb.go:117:7:117:7 | definition of x [pointer, Description] | provenance | | @@ -99,7 +252,17 @@ edges | protos/query/query.pb.go:119:10:119:10 | implicit dereference [Description] | protos/query/query.pb.go:119:10:119:22 | selection of Description | provenance | | | protos/query/query.pb.go:119:10:119:10 | x [pointer, Description] | protos/query/query.pb.go:119:10:119:10 | implicit dereference [Description] | provenance | | models -| 1 | Source: net/http; Request; true; Header; ; ; ; remote; manual | +| 1 | Sink: group:logrus; ; false; WithField; ; ; Argument[0..1]; log-injection; manual | +| 2 | Sink: group:logrus; ; false; WithFields; ; ; Argument[0]; log-injection; manual | +| 3 | Sink: log; ; false; Fatalf; ; ; Argument[0..1]; log-injection; manual | +| 4 | Sink: log; ; false; Output; ; ; Argument[1]; log-injection; manual | +| 5 | Sink: log; ; false; Panicf; ; ; Argument[0..1]; log-injection; manual | +| 6 | Sink: log; ; false; Printf; ; ; Argument[0..1]; log-injection; manual | +| 7 | Sink: log; Logger; true; Fatalf; ; ; Argument[0..1]; log-injection; manual | +| 8 | Sink: log; Logger; true; Output; ; ; Argument[1]; log-injection; manual | +| 9 | Sink: log; Logger; true; Panicf; ; ; Argument[0..1]; log-injection; manual | +| 10 | Sink: log; Logger; true; Printf; ; ; Argument[0..1]; log-injection; manual | +| 11 | Source: net/http; Request; true; Header; ; ; ; remote; manual | nodes | klog.go:20:3:25:3 | range statement[1] | semmle.label | range statement[1] | | klog.go:20:30:20:37 | selection of Header | semmle.label | selection of Header | @@ -108,39 +271,57 @@ nodes | klog.go:22:15:22:20 | header | semmle.label | header | | klog.go:28:13:28:20 | selection of Header | semmle.label | selection of Header | | klog.go:28:13:28:41 | call to Get | semmle.label | call to Get | -| main.go:15:12:15:19 | password | semmle.label | password | -| main.go:16:17:16:24 | password | semmle.label | password | -| main.go:17:13:17:20 | password | semmle.label | password | -| main.go:18:14:18:21 | password | semmle.label | password | +| main.go:17:2:17:9 | definition of password | semmle.label | definition of password | | main.go:19:12:19:19 | password | semmle.label | password | | main.go:20:17:20:24 | password | semmle.label | password | | main.go:21:13:21:20 | password | semmle.label | password | | main.go:22:14:22:21 | password | semmle.label | password | -| main.go:23:12:23:19 | password | semmle.label | password | -| main.go:24:17:24:24 | password | semmle.label | password | -| main.go:25:13:25:20 | password | semmle.label | password | -| main.go:26:14:26:21 | password | semmle.label | password | -| main.go:27:16:27:23 | password | semmle.label | password | -| main.go:30:10:30:17 | password | semmle.label | password | -| main.go:31:15:31:22 | password | semmle.label | password | -| main.go:32:11:32:18 | password | semmle.label | password | -| main.go:33:12:33:19 | password | semmle.label | password | -| main.go:34:10:34:17 | password | semmle.label | password | -| main.go:35:15:35:22 | password | semmle.label | password | -| main.go:36:11:36:18 | password | semmle.label | password | -| main.go:37:12:37:19 | password | semmle.label | password | -| main.go:38:10:38:17 | password | semmle.label | password | -| main.go:39:15:39:22 | password | semmle.label | password | -| main.go:40:11:40:18 | password | semmle.label | password | -| main.go:41:12:41:19 | password | semmle.label | password | +| main.go:24:13:24:20 | password | semmle.label | password | +| main.go:27:18:27:25 | password | semmle.label | password | +| main.go:30:14:30:21 | password | semmle.label | password | +| main.go:33:15:33:22 | password | semmle.label | password | +| main.go:36:13:36:20 | password | semmle.label | password | +| main.go:39:18:39:25 | password | semmle.label | password | | main.go:42:14:42:21 | password | semmle.label | password | -| main.go:44:12:44:19 | password | semmle.label | password | -| main.go:45:17:45:24 | password | semmle.label | password | -| main.go:52:35:52:42 | password | semmle.label | password | +| main.go:45:15:45:22 | password | semmle.label | password | +| main.go:47:16:47:23 | password | semmle.label | password | +| main.go:50:10:50:17 | password | semmle.label | password | +| main.go:50:10:50:17 | password | semmle.label | password | +| main.go:51:15:51:22 | password | semmle.label | password | +| main.go:51:15:51:22 | password | semmle.label | password | +| main.go:52:11:52:18 | password | semmle.label | password | +| main.go:52:11:52:18 | password | semmle.label | password | +| main.go:53:12:53:19 | password | semmle.label | password | +| main.go:53:12:53:19 | password | semmle.label | password | +| main.go:55:11:55:18 | password | semmle.label | password | +| main.go:55:11:55:18 | password | semmle.label | password | +| main.go:58:16:58:23 | password | semmle.label | password | +| main.go:58:16:58:23 | password | semmle.label | password | +| main.go:61:12:61:19 | password | semmle.label | password | +| main.go:61:12:61:19 | password | semmle.label | password | +| main.go:64:13:64:20 | password | semmle.label | password | +| main.go:64:13:64:20 | password | semmle.label | password | +| main.go:67:11:67:18 | password | semmle.label | password | +| main.go:67:11:67:18 | password | semmle.label | password | +| main.go:70:16:70:23 | password | semmle.label | password | +| main.go:70:16:70:23 | password | semmle.label | password | +| main.go:73:12:73:19 | password | semmle.label | password | +| main.go:73:12:73:19 | password | semmle.label | password | +| main.go:76:13:76:20 | password | semmle.label | password | +| main.go:76:13:76:20 | password | semmle.label | password | +| main.go:78:14:78:21 | password | semmle.label | password | +| main.go:80:12:80:19 | password | semmle.label | password | +| main.go:81:17:81:24 | password | semmle.label | password | +| main.go:83:2:83:7 | definition of fields | semmle.label | definition of fields | +| main.go:84:19:84:26 | password | semmle.label | password | +| main.go:85:29:85:34 | fields | semmle.label | fields | +| main.go:88:35:88:42 | password | semmle.label | password | +| overrides.go:8:2:8:9 | definition of password | semmle.label | definition of password | | overrides.go:9:9:9:16 | password | semmle.label | password | | overrides.go:13:14:13:23 | call to String | semmle.label | call to String | | passwords.go:8:12:8:12 | definition of x | semmle.label | definition of x | | passwords.go:9:14:9:14 | x | semmle.label | x | +| passwords.go:21:2:21:9 | definition of password | semmle.label | definition of password | | passwords.go:25:14:25:21 | password | semmle.label | password | | passwords.go:26:14:26:23 | selection of password | semmle.label | selection of password | | passwords.go:27:14:27:26 | call to getPassword | semmle.label | call to getPassword | @@ -158,32 +339,34 @@ nodes | passwords.go:46:6:46:9 | definition of obj3 | semmle.label | definition of obj3 | | passwords.go:47:14:47:17 | obj3 | semmle.label | obj3 | | passwords.go:48:11:48:18 | password | semmle.label | password | +| passwords.go:50:2:50:15 | definition of fixed_password | semmle.label | definition of fixed_password | | passwords.go:51:14:51:27 | fixed_password | semmle.label | fixed_password | -| passwords.go:85:19:87:2 | struct literal | semmle.label | struct literal | -| passwords.go:86:16:86:36 | call to make | semmle.label | call to make | -| passwords.go:88:14:88:26 | utilityObject | semmle.label | utilityObject | -| passwords.go:90:12:90:19 | password | semmle.label | password | -| passwords.go:91:23:91:28 | secret | semmle.label | secret | -| passwords.go:101:15:101:40 | ...+... | semmle.label | ...+... | -| passwords.go:101:33:101:40 | password | semmle.label | password | -| passwords.go:107:16:107:41 | ...+... | semmle.label | ...+... | -| passwords.go:107:34:107:41 | password | semmle.label | password | -| passwords.go:112:15:112:40 | ...+... | semmle.label | ...+... | -| passwords.go:112:33:112:40 | password | semmle.label | password | -| passwords.go:116:14:116:45 | ...+... | semmle.label | ...+... | -| passwords.go:116:28:116:36 | password1 | semmle.label | password1 | -| passwords.go:116:28:116:45 | call to String | semmle.label | call to String | -| passwords.go:118:12:123:2 | struct literal | semmle.label | struct literal | -| passwords.go:118:12:123:2 | struct literal [x] | semmle.label | struct literal [x] | -| passwords.go:118:12:123:2 | struct literal [y] | semmle.label | struct literal [y] | -| passwords.go:119:13:119:13 | x | semmle.label | x | -| passwords.go:121:13:121:20 | password | semmle.label | password | -| passwords.go:122:13:122:25 | call to getPassword | semmle.label | call to getPassword | -| passwords.go:125:14:125:19 | config | semmle.label | config | -| passwords.go:126:14:126:19 | config [x] | semmle.label | config [x] | -| passwords.go:126:14:126:21 | selection of x | semmle.label | selection of x | -| passwords.go:127:14:127:19 | config [y] | semmle.label | config [y] | -| passwords.go:127:14:127:21 | selection of y | semmle.label | selection of y | +| passwords.go:86:19:88:2 | struct literal | semmle.label | struct literal | +| passwords.go:87:16:87:36 | call to make | semmle.label | call to make | +| passwords.go:89:14:89:26 | utilityObject | semmle.label | utilityObject | +| passwords.go:92:23:92:28 | secret | semmle.label | secret | +| passwords.go:102:15:102:40 | ...+... | semmle.label | ...+... | +| passwords.go:102:33:102:40 | password | semmle.label | password | +| passwords.go:108:16:108:41 | ...+... | semmle.label | ...+... | +| passwords.go:108:34:108:41 | password | semmle.label | password | +| passwords.go:113:15:113:40 | ...+... | semmle.label | ...+... | +| passwords.go:113:33:113:40 | password | semmle.label | password | +| passwords.go:116:6:116:14 | definition of password1 | semmle.label | definition of password1 | +| passwords.go:117:14:117:45 | ...+... | semmle.label | ...+... | +| passwords.go:117:28:117:36 | password1 | semmle.label | password1 | +| passwords.go:117:28:117:45 | call to String | semmle.label | call to String | +| passwords.go:120:12:125:2 | struct literal | semmle.label | struct literal | +| passwords.go:120:12:125:2 | struct literal [x] | semmle.label | struct literal [x] | +| passwords.go:120:12:125:2 | struct literal [y] | semmle.label | struct literal [y] | +| passwords.go:121:13:121:14 | x3 | semmle.label | x3 | +| passwords.go:123:13:123:20 | password | semmle.label | password | +| passwords.go:124:13:124:25 | call to getPassword | semmle.label | call to getPassword | +| passwords.go:127:14:127:19 | config | semmle.label | config | +| passwords.go:128:14:128:19 | config [x] | semmle.label | config [x] | +| passwords.go:128:14:128:21 | selection of x | semmle.label | selection of x | +| passwords.go:129:14:129:19 | config [y] | semmle.label | config [y] | +| passwords.go:129:14:129:21 | selection of y | semmle.label | selection of y | +| protobuf.go:9:2:9:9 | definition of password | semmle.label | definition of password | | protobuf.go:11:2:11:6 | definition of query [pointer, Description] | semmle.label | definition of query [pointer, Description] | | protobuf.go:12:2:12:6 | implicit dereference [Description] | semmle.label | implicit dereference [Description] | | protobuf.go:12:2:12:6 | query [pointer, Description] | semmle.label | query [pointer, Description] | diff --git a/go/ql/test/query-tests/Security/CWE-312/main.go b/go/ql/test/query-tests/Security/CWE-312/main.go index d91166455571..39f184fcb40d 100644 --- a/go/ql/test/query-tests/Security/CWE-312/main.go +++ b/go/ql/test/query-tests/Security/CWE-312/main.go @@ -4,11 +4,15 @@ package main //go:generate depstubber -vendor github.com/golang/glog "" Info import ( + "log" + "math/rand" + "github.com/golang/glog" "github.com/sirupsen/logrus" - "log" ) +var i int = rand.Int() + func main() { password := "P4ssw0rd" @@ -16,14 +20,30 @@ func main() { log.Printf("", password) log.Printf(password, "") log.Println(password) - log.Fatal(password) - log.Fatalf("", password) - log.Fatalf(password, "") - log.Fatalln(password) - log.Panic(password) - log.Panicf("", password) - log.Panicf(password, "") - log.Panicln(password) + if i == 0 { + log.Fatal(password) + } + if i == 1 { + log.Fatalf("", password) + } + if i == 2 { + log.Fatalf(password, "") + } + if i == 3 { + log.Fatalln(password) + } + if i == 4 { + log.Panic(password) + } + if i == 5 { + log.Panicf("", password) + } + if i == 6 { + log.Panicf(password, "") + } + if i == 7 { + log.Panicln(password) + } log.Output(0, password) l := log.Default() @@ -31,14 +51,30 @@ func main() { l.Printf("", password) l.Printf(password, "") l.Println(password) - l.Fatal(password) - l.Fatalf("", password) - l.Fatalf(password, "") - l.Fatalln(password) - l.Panic(password) - l.Panicf("", password) - l.Panicf(password, "") - l.Panicln(password) + if i == 10 { + l.Fatal(password) + } + if i == 11 { + l.Fatalf("", password) + } + if i == 12 { + l.Fatalf(password, "") + } + if i == 13 { + l.Fatalln(password) + } + if i == 14 { + l.Panic(password) + } + if i == 15 { + l.Panicf("", password) + } + if i == 16 { + l.Panicf(password, "") + } + if i == 17 { + l.Panicln(password) + } l.Output(0, password) glog.Info(password) diff --git a/go/ql/test/query-tests/Security/CWE-312/passwords.go b/go/ql/test/query-tests/Security/CWE-312/passwords.go index 5f0b291016db..4fdfd0986055 100644 --- a/go/ql/test/query-tests/Security/CWE-312/passwords.go +++ b/go/ql/test/query-tests/Security/CWE-312/passwords.go @@ -65,7 +65,8 @@ func test() { log.Println(actually_secure_password) // OK var user1 cryptedStruct - user1.cryptedPassword = x + x2 := "perhaps sensitive" + user1.cryptedPassword = x2 log.Println(user1) // OK var user2 passStruct @@ -115,8 +116,9 @@ func test() { var password1 stringable = stringable{"arstneio"} log.Println(name + ", " + password1.String()) // NOT OK + x3 := "sheepbatterystaplecorrect" config := Config{ - password: x, + password: x3, hostname: "tarski", x: password, y: getPassword(), diff --git a/go/ql/test/query-tests/Security/CWE-601/OpenUrlRedirect/OpenUrlRedirect.expected b/go/ql/test/query-tests/Security/CWE-601/OpenUrlRedirect/OpenUrlRedirect.expected index f8d193348ba0..65d24e8b45b6 100644 --- a/go/ql/test/query-tests/Security/CWE-601/OpenUrlRedirect/OpenUrlRedirect.expected +++ b/go/ql/test/query-tests/Security/CWE-601/OpenUrlRedirect/OpenUrlRedirect.expected @@ -2,69 +2,71 @@ | OpenUrlRedirect.go:10:23:10:42 | call to Get | OpenUrlRedirect.go:10:23:10:28 | selection of Form | OpenUrlRedirect.go:10:23:10:42 | call to Get | This path to an untrusted URL redirection depends on a $@. | OpenUrlRedirect.go:10:23:10:28 | selection of Form | user-provided value | | stdlib.go:15:30:15:35 | target | stdlib.go:13:13:13:18 | selection of Form | stdlib.go:15:30:15:35 | target | This path to an untrusted URL redirection depends on a $@. | stdlib.go:13:13:13:18 | selection of Form | user-provided value | | stdlib.go:24:30:24:35 | target | stdlib.go:22:13:22:18 | selection of Form | stdlib.go:24:30:24:35 | target | This path to an untrusted URL redirection depends on a $@. | stdlib.go:22:13:22:18 | selection of Form | user-provided value | -| stdlib.go:35:30:35:39 | ...+... | stdlib.go:31:13:31:18 | selection of Form | stdlib.go:35:30:35:39 | ...+... | This path to an untrusted URL redirection depends on a $@. | stdlib.go:31:13:31:18 | selection of Form | user-provided value | -| stdlib.go:46:23:46:28 | target | stdlib.go:44:13:44:18 | selection of Form | stdlib.go:46:23:46:28 | target | This path to an untrusted URL redirection depends on a $@. | stdlib.go:44:13:44:18 | selection of Form | user-provided value | -| stdlib.go:67:23:67:40 | ...+... | stdlib.go:64:13:64:18 | selection of Form | stdlib.go:67:23:67:40 | ...+... | This path to an untrusted URL redirection depends on a $@. | stdlib.go:64:13:64:18 | selection of Form | user-provided value | -| stdlib.go:92:23:92:28 | target | stdlib.go:89:13:89:18 | selection of Form | stdlib.go:92:23:92:28 | target | This path to an untrusted URL redirection depends on a $@. | stdlib.go:89:13:89:18 | selection of Form | user-provided value | -| stdlib.go:152:23:152:28 | target | stdlib.go:146:13:146:18 | selection of Form | stdlib.go:152:23:152:28 | target | This path to an untrusted URL redirection depends on a $@. | stdlib.go:146:13:146:18 | selection of Form | user-provided value | -| stdlib.go:184:23:184:28 | target | stdlib.go:182:13:182:33 | call to FormValue | stdlib.go:184:23:184:28 | target | This path to an untrusted URL redirection depends on a $@. | stdlib.go:182:13:182:33 | call to FormValue | user-provided value | -| stdlib.go:192:23:192:33 | selection of Path | stdlib.go:190:36:190:56 | call to FormValue | stdlib.go:192:23:192:33 | selection of Path | This path to an untrusted URL redirection depends on a $@. | stdlib.go:190:36:190:56 | call to FormValue | user-provided value | -| stdlib.go:194:23:194:42 | call to EscapedPath | stdlib.go:190:36:190:56 | call to FormValue | stdlib.go:194:23:194:42 | call to EscapedPath | This path to an untrusted URL redirection depends on a $@. | stdlib.go:190:36:190:56 | call to FormValue | user-provided value | +| stdlib.go:39:30:39:40 | ...+... | stdlib.go:33:13:33:18 | selection of Form | stdlib.go:39:30:39:40 | ...+... | This path to an untrusted URL redirection depends on a $@. | stdlib.go:33:13:33:18 | selection of Form | user-provided value | +| stdlib.go:50:23:50:28 | target | stdlib.go:48:13:48:18 | selection of Form | stdlib.go:50:23:50:28 | target | This path to an untrusted URL redirection depends on a $@. | stdlib.go:48:13:48:18 | selection of Form | user-provided value | +| stdlib.go:71:23:71:40 | ...+... | stdlib.go:68:13:68:18 | selection of Form | stdlib.go:71:23:71:40 | ...+... | This path to an untrusted URL redirection depends on a $@. | stdlib.go:68:13:68:18 | selection of Form | user-provided value | +| stdlib.go:96:23:96:28 | target | stdlib.go:93:13:93:18 | selection of Form | stdlib.go:96:23:96:28 | target | This path to an untrusted URL redirection depends on a $@. | stdlib.go:93:13:93:18 | selection of Form | user-provided value | +| stdlib.go:156:23:156:28 | target | stdlib.go:150:13:150:18 | selection of Form | stdlib.go:156:23:156:28 | target | This path to an untrusted URL redirection depends on a $@. | stdlib.go:150:13:150:18 | selection of Form | user-provided value | +| stdlib.go:188:23:188:28 | target | stdlib.go:186:13:186:33 | call to FormValue | stdlib.go:188:23:188:28 | target | This path to an untrusted URL redirection depends on a $@. | stdlib.go:186:13:186:33 | call to FormValue | user-provided value | +| stdlib.go:196:23:196:33 | selection of Path | stdlib.go:194:36:194:56 | call to FormValue | stdlib.go:196:23:196:33 | selection of Path | This path to an untrusted URL redirection depends on a $@. | stdlib.go:194:36:194:56 | call to FormValue | user-provided value | +| stdlib.go:198:23:198:42 | call to EscapedPath | stdlib.go:194:36:194:56 | call to FormValue | stdlib.go:198:23:198:42 | call to EscapedPath | This path to an untrusted URL redirection depends on a $@. | stdlib.go:194:36:194:56 | call to FormValue | user-provided value | edges | OpenUrlRedirect.go:10:23:10:28 | selection of Form | OpenUrlRedirect.go:10:23:10:42 | call to Get | provenance | Src:MaD:2 Config Sink:MaD:1 | | stdlib.go:13:13:13:18 | selection of Form | stdlib.go:13:13:13:32 | call to Get | provenance | Src:MaD:2 Config | | stdlib.go:13:13:13:32 | call to Get | stdlib.go:15:30:15:35 | target | provenance | | | stdlib.go:22:13:22:18 | selection of Form | stdlib.go:22:13:22:32 | call to Get | provenance | Src:MaD:2 Config | | stdlib.go:22:13:22:32 | call to Get | stdlib.go:24:30:24:35 | target | provenance | | -| stdlib.go:31:13:31:18 | selection of Form | stdlib.go:31:13:31:32 | call to Get | provenance | Src:MaD:2 Config | -| stdlib.go:31:13:31:32 | call to Get | stdlib.go:35:34:35:39 | target | provenance | | -| stdlib.go:35:34:35:39 | target | stdlib.go:35:30:35:39 | ...+... | provenance | Config | -| stdlib.go:44:13:44:18 | selection of Form | stdlib.go:44:13:44:32 | call to Get | provenance | Src:MaD:2 Config | -| stdlib.go:44:13:44:32 | call to Get | stdlib.go:46:23:46:28 | target | provenance | Sink:MaD:1 | -| stdlib.go:64:13:64:18 | selection of Form | stdlib.go:64:13:64:32 | call to Get | provenance | Src:MaD:2 Config | -| stdlib.go:64:13:64:32 | call to Get | stdlib.go:67:23:67:28 | target | provenance | | -| stdlib.go:67:23:67:28 | target | stdlib.go:67:23:67:37 | ...+... | provenance | Config | -| stdlib.go:67:23:67:37 | ...+... | stdlib.go:67:23:67:40 | ...+... | provenance | Config Sink:MaD:1 | -| stdlib.go:89:13:89:18 | selection of Form | stdlib.go:89:13:89:32 | call to Get | provenance | Src:MaD:2 Config | -| stdlib.go:89:13:89:32 | call to Get | stdlib.go:90:3:90:8 | target | provenance | | -| stdlib.go:90:3:90:8 | target | stdlib.go:90:3:90:25 | ... += ... | provenance | Config | -| stdlib.go:90:3:90:25 | ... += ... | stdlib.go:92:23:92:28 | target | provenance | Sink:MaD:1 | -| stdlib.go:107:54:107:54 | definition of r [pointer, URL, pointer] | stdlib.go:112:4:112:4 | r [pointer, URL, pointer] | provenance | | -| stdlib.go:107:54:107:54 | definition of r [pointer, URL] | stdlib.go:112:4:112:4 | r [pointer, URL] | provenance | | -| stdlib.go:107:54:107:54 | definition of r [pointer, URL] | stdlib.go:113:24:113:24 | r [pointer, URL] | provenance | | -| stdlib.go:112:4:112:4 | implicit dereference [URL, pointer] | stdlib.go:107:54:107:54 | definition of r [pointer, URL, pointer] | provenance | | -| stdlib.go:112:4:112:4 | implicit dereference [URL, pointer] | stdlib.go:112:4:112:8 | selection of URL [pointer] | provenance | | -| stdlib.go:112:4:112:4 | implicit dereference [URL] | stdlib.go:107:54:107:54 | definition of r [pointer, URL] | provenance | | -| stdlib.go:112:4:112:4 | implicit dereference [URL] | stdlib.go:112:4:112:8 | selection of URL | provenance | | -| stdlib.go:112:4:112:4 | r [pointer, URL, pointer] | stdlib.go:112:4:112:4 | implicit dereference [URL, pointer] | provenance | | -| stdlib.go:112:4:112:4 | r [pointer, URL] | stdlib.go:112:4:112:4 | implicit dereference [URL] | provenance | | -| stdlib.go:112:4:112:8 | implicit dereference | stdlib.go:112:4:112:8 | selection of URL | provenance | Config | -| stdlib.go:112:4:112:8 | implicit dereference | stdlib.go:112:4:112:8 | selection of URL [pointer] | provenance | | -| stdlib.go:112:4:112:8 | selection of URL | stdlib.go:112:4:112:4 | implicit dereference [URL] | provenance | Src:MaD:4 | -| stdlib.go:112:4:112:8 | selection of URL | stdlib.go:112:4:112:8 | implicit dereference | provenance | Src:MaD:4 Config | -| stdlib.go:112:4:112:8 | selection of URL [pointer] | stdlib.go:112:4:112:4 | implicit dereference [URL, pointer] | provenance | | -| stdlib.go:112:4:112:8 | selection of URL [pointer] | stdlib.go:112:4:112:8 | implicit dereference | provenance | | -| stdlib.go:113:24:113:24 | implicit dereference [URL] | stdlib.go:113:24:113:28 | selection of URL | provenance | | -| stdlib.go:113:24:113:24 | r [pointer, URL] | stdlib.go:113:24:113:24 | implicit dereference [URL] | provenance | | -| stdlib.go:113:24:113:28 | selection of URL | stdlib.go:113:24:113:37 | call to String | provenance | Src:MaD:4 Config Sink:MaD:1 | -| stdlib.go:146:13:146:18 | selection of Form | stdlib.go:146:13:146:32 | call to Get | provenance | Src:MaD:2 Config | -| stdlib.go:146:13:146:32 | call to Get | stdlib.go:152:23:152:28 | target | provenance | Sink:MaD:1 | -| stdlib.go:159:10:159:15 | star expression | stdlib.go:159:11:159:15 | selection of URL | provenance | Config | -| stdlib.go:159:10:159:15 | star expression | stdlib.go:162:24:162:26 | url | provenance | | -| stdlib.go:159:11:159:15 | selection of URL | stdlib.go:159:10:159:15 | star expression | provenance | Src:MaD:4 Config | -| stdlib.go:162:24:162:26 | url | stdlib.go:162:24:162:35 | call to String | provenance | Config Sink:MaD:1 | -| stdlib.go:173:35:173:39 | selection of URL | stdlib.go:173:35:173:52 | call to RequestURI | provenance | Src:MaD:4 Config | -| stdlib.go:173:35:173:52 | call to RequestURI | stdlib.go:173:24:173:52 | ...+... | provenance | Config Sink:MaD:1 | -| stdlib.go:182:13:182:33 | call to FormValue | stdlib.go:184:23:184:28 | target | provenance | Src:MaD:3 Sink:MaD:1 | -| stdlib.go:190:3:190:8 | definition of target | stdlib.go:192:23:192:28 | target | provenance | | -| stdlib.go:190:3:190:8 | definition of target | stdlib.go:194:23:194:28 | target | provenance | | -| stdlib.go:190:3:190:57 | ... := ...[0] | stdlib.go:190:3:190:8 | definition of target | provenance | | -| stdlib.go:190:36:190:56 | call to FormValue | stdlib.go:190:3:190:57 | ... := ...[0] | provenance | Src:MaD:3 Config | -| stdlib.go:192:23:192:28 | implicit dereference | stdlib.go:190:3:190:8 | definition of target | provenance | Config | -| stdlib.go:192:23:192:28 | implicit dereference | stdlib.go:192:23:192:33 | selection of Path | provenance | Config Sink:MaD:1 | -| stdlib.go:192:23:192:28 | target | stdlib.go:192:23:192:28 | implicit dereference | provenance | Config | -| stdlib.go:192:23:192:28 | target | stdlib.go:192:23:192:33 | selection of Path | provenance | Config Sink:MaD:1 | -| stdlib.go:194:23:194:28 | target | stdlib.go:194:23:194:42 | call to EscapedPath | provenance | Config Sink:MaD:1 | +| stdlib.go:33:13:33:18 | selection of Form | stdlib.go:33:13:33:32 | call to Get | provenance | Src:MaD:2 Config | +| stdlib.go:33:13:33:32 | call to Get | stdlib.go:39:34:39:40 | target2 | provenance | | +| stdlib.go:39:34:39:40 | target2 | stdlib.go:39:30:39:40 | ...+... | provenance | Config | +| stdlib.go:48:13:48:18 | selection of Form | stdlib.go:48:13:48:32 | call to Get | provenance | Src:MaD:2 Config | +| stdlib.go:48:13:48:32 | call to Get | stdlib.go:50:23:50:28 | target | provenance | Sink:MaD:1 | +| stdlib.go:68:13:68:18 | selection of Form | stdlib.go:68:13:68:32 | call to Get | provenance | Src:MaD:2 Config | +| stdlib.go:68:13:68:32 | call to Get | stdlib.go:71:23:71:28 | target | provenance | | +| stdlib.go:71:23:71:28 | target | stdlib.go:71:23:71:37 | ...+... | provenance | Config | +| stdlib.go:71:23:71:37 | ...+... | stdlib.go:71:23:71:40 | ...+... | provenance | Config Sink:MaD:1 | +| stdlib.go:93:13:93:18 | selection of Form | stdlib.go:93:13:93:32 | call to Get | provenance | Src:MaD:2 Config | +| stdlib.go:93:13:93:32 | call to Get | stdlib.go:94:3:94:8 | target | provenance | | +| stdlib.go:94:3:94:8 | target | stdlib.go:94:3:94:25 | ... += ... | provenance | Config | +| stdlib.go:94:3:94:25 | ... += ... | stdlib.go:96:23:96:28 | target | provenance | Sink:MaD:1 | +| stdlib.go:111:54:111:54 | definition of r [pointer, URL, pointer] | stdlib.go:115:6:115:6 | r [pointer, URL, pointer] | provenance | | +| stdlib.go:111:54:111:54 | definition of r [pointer, URL] | stdlib.go:115:6:115:6 | r [pointer, URL] | provenance | | +| stdlib.go:115:6:115:6 | r [pointer, URL, pointer] | stdlib.go:116:4:116:4 | r [pointer, URL, pointer] | provenance | | +| stdlib.go:115:6:115:6 | r [pointer, URL] | stdlib.go:116:4:116:4 | r [pointer, URL] | provenance | | +| stdlib.go:116:4:116:4 | implicit dereference [URL, pointer] | stdlib.go:111:54:111:54 | definition of r [pointer, URL, pointer] | provenance | | +| stdlib.go:116:4:116:4 | implicit dereference [URL, pointer] | stdlib.go:116:4:116:8 | selection of URL [pointer] | provenance | | +| stdlib.go:116:4:116:4 | implicit dereference [URL] | stdlib.go:111:54:111:54 | definition of r [pointer, URL] | provenance | | +| stdlib.go:116:4:116:4 | implicit dereference [URL] | stdlib.go:116:4:116:8 | selection of URL | provenance | | +| stdlib.go:116:4:116:4 | r [pointer, URL, pointer] | stdlib.go:116:4:116:4 | implicit dereference [URL, pointer] | provenance | | +| stdlib.go:116:4:116:4 | r [pointer, URL] | stdlib.go:116:4:116:4 | implicit dereference [URL] | provenance | | +| stdlib.go:116:4:116:4 | r [pointer, URL] | stdlib.go:117:24:117:24 | r [pointer, URL] | provenance | | +| stdlib.go:116:4:116:8 | implicit dereference | stdlib.go:116:4:116:8 | selection of URL | provenance | Config | +| stdlib.go:116:4:116:8 | implicit dereference | stdlib.go:116:4:116:8 | selection of URL [pointer] | provenance | | +| stdlib.go:116:4:116:8 | selection of URL | stdlib.go:116:4:116:4 | implicit dereference [URL] | provenance | Src:MaD:4 | +| stdlib.go:116:4:116:8 | selection of URL | stdlib.go:116:4:116:8 | implicit dereference | provenance | Src:MaD:4 Config | +| stdlib.go:116:4:116:8 | selection of URL [pointer] | stdlib.go:116:4:116:4 | implicit dereference [URL, pointer] | provenance | | +| stdlib.go:116:4:116:8 | selection of URL [pointer] | stdlib.go:116:4:116:8 | implicit dereference | provenance | | +| stdlib.go:117:24:117:24 | implicit dereference [URL] | stdlib.go:117:24:117:28 | selection of URL | provenance | | +| stdlib.go:117:24:117:24 | r [pointer, URL] | stdlib.go:117:24:117:24 | implicit dereference [URL] | provenance | | +| stdlib.go:117:24:117:28 | selection of URL | stdlib.go:117:24:117:37 | call to String | provenance | Src:MaD:4 Config Sink:MaD:1 | +| stdlib.go:150:13:150:18 | selection of Form | stdlib.go:150:13:150:32 | call to Get | provenance | Src:MaD:2 Config | +| stdlib.go:150:13:150:32 | call to Get | stdlib.go:156:23:156:28 | target | provenance | Sink:MaD:1 | +| stdlib.go:163:10:163:15 | star expression | stdlib.go:163:11:163:15 | selection of URL | provenance | Config | +| stdlib.go:163:10:163:15 | star expression | stdlib.go:166:24:166:26 | url | provenance | | +| stdlib.go:163:11:163:15 | selection of URL | stdlib.go:163:10:163:15 | star expression | provenance | Src:MaD:4 Config | +| stdlib.go:166:24:166:26 | url | stdlib.go:166:24:166:35 | call to String | provenance | Config Sink:MaD:1 | +| stdlib.go:177:35:177:39 | selection of URL | stdlib.go:177:35:177:52 | call to RequestURI | provenance | Src:MaD:4 Config | +| stdlib.go:177:35:177:52 | call to RequestURI | stdlib.go:177:24:177:52 | ...+... | provenance | Config Sink:MaD:1 | +| stdlib.go:186:13:186:33 | call to FormValue | stdlib.go:188:23:188:28 | target | provenance | Src:MaD:3 Sink:MaD:1 | +| stdlib.go:194:3:194:8 | definition of target | stdlib.go:196:23:196:28 | target | provenance | | +| stdlib.go:194:3:194:57 | ... := ...[0] | stdlib.go:194:3:194:8 | definition of target | provenance | | +| stdlib.go:194:36:194:56 | call to FormValue | stdlib.go:194:3:194:57 | ... := ...[0] | provenance | Src:MaD:3 Config | +| stdlib.go:196:23:196:28 | implicit dereference | stdlib.go:194:3:194:8 | definition of target | provenance | Config | +| stdlib.go:196:23:196:28 | implicit dereference | stdlib.go:196:23:196:33 | selection of Path | provenance | Config Sink:MaD:1 | +| stdlib.go:196:23:196:28 | target | stdlib.go:196:23:196:28 | implicit dereference | provenance | Config | +| stdlib.go:196:23:196:28 | target | stdlib.go:196:23:196:33 | selection of Path | provenance | Config Sink:MaD:1 | +| stdlib.go:196:23:196:28 | target | stdlib.go:198:23:198:28 | target | provenance | | +| stdlib.go:198:23:198:28 | target | stdlib.go:198:23:198:42 | call to EscapedPath | provenance | Config Sink:MaD:1 | models | 1 | Sink: net/http; ; false; Redirect; ; ; Argument[2]; url-redirection[0]; manual | | 2 | Source: net/http; Request; true; Form; ; ; ; remote; manual | @@ -79,54 +81,56 @@ nodes | stdlib.go:22:13:22:18 | selection of Form | semmle.label | selection of Form | | stdlib.go:22:13:22:32 | call to Get | semmle.label | call to Get | | stdlib.go:24:30:24:35 | target | semmle.label | target | -| stdlib.go:31:13:31:18 | selection of Form | semmle.label | selection of Form | -| stdlib.go:31:13:31:32 | call to Get | semmle.label | call to Get | -| stdlib.go:35:30:35:39 | ...+... | semmle.label | ...+... | -| stdlib.go:35:34:35:39 | target | semmle.label | target | -| stdlib.go:44:13:44:18 | selection of Form | semmle.label | selection of Form | -| stdlib.go:44:13:44:32 | call to Get | semmle.label | call to Get | -| stdlib.go:46:23:46:28 | target | semmle.label | target | -| stdlib.go:64:13:64:18 | selection of Form | semmle.label | selection of Form | -| stdlib.go:64:13:64:32 | call to Get | semmle.label | call to Get | -| stdlib.go:67:23:67:28 | target | semmle.label | target | -| stdlib.go:67:23:67:37 | ...+... | semmle.label | ...+... | -| stdlib.go:67:23:67:40 | ...+... | semmle.label | ...+... | -| stdlib.go:89:13:89:18 | selection of Form | semmle.label | selection of Form | -| stdlib.go:89:13:89:32 | call to Get | semmle.label | call to Get | -| stdlib.go:90:3:90:8 | target | semmle.label | target | -| stdlib.go:90:3:90:25 | ... += ... | semmle.label | ... += ... | -| stdlib.go:92:23:92:28 | target | semmle.label | target | -| stdlib.go:107:54:107:54 | definition of r [pointer, URL, pointer] | semmle.label | definition of r [pointer, URL, pointer] | -| stdlib.go:107:54:107:54 | definition of r [pointer, URL] | semmle.label | definition of r [pointer, URL] | -| stdlib.go:112:4:112:4 | implicit dereference [URL, pointer] | semmle.label | implicit dereference [URL, pointer] | -| stdlib.go:112:4:112:4 | implicit dereference [URL] | semmle.label | implicit dereference [URL] | -| stdlib.go:112:4:112:4 | r [pointer, URL, pointer] | semmle.label | r [pointer, URL, pointer] | -| stdlib.go:112:4:112:4 | r [pointer, URL] | semmle.label | r [pointer, URL] | -| stdlib.go:112:4:112:8 | implicit dereference | semmle.label | implicit dereference | -| stdlib.go:112:4:112:8 | selection of URL | semmle.label | selection of URL | -| stdlib.go:112:4:112:8 | selection of URL [pointer] | semmle.label | selection of URL [pointer] | -| stdlib.go:113:24:113:24 | implicit dereference [URL] | semmle.label | implicit dereference [URL] | -| stdlib.go:113:24:113:24 | r [pointer, URL] | semmle.label | r [pointer, URL] | -| stdlib.go:113:24:113:28 | selection of URL | semmle.label | selection of URL | -| stdlib.go:113:24:113:37 | call to String | semmle.label | call to String | -| stdlib.go:146:13:146:18 | selection of Form | semmle.label | selection of Form | -| stdlib.go:146:13:146:32 | call to Get | semmle.label | call to Get | -| stdlib.go:152:23:152:28 | target | semmle.label | target | -| stdlib.go:159:10:159:15 | star expression | semmle.label | star expression | -| stdlib.go:159:11:159:15 | selection of URL | semmle.label | selection of URL | -| stdlib.go:162:24:162:26 | url | semmle.label | url | -| stdlib.go:162:24:162:35 | call to String | semmle.label | call to String | -| stdlib.go:173:24:173:52 | ...+... | semmle.label | ...+... | -| stdlib.go:173:35:173:39 | selection of URL | semmle.label | selection of URL | -| stdlib.go:173:35:173:52 | call to RequestURI | semmle.label | call to RequestURI | -| stdlib.go:182:13:182:33 | call to FormValue | semmle.label | call to FormValue | -| stdlib.go:184:23:184:28 | target | semmle.label | target | -| stdlib.go:190:3:190:8 | definition of target | semmle.label | definition of target | -| stdlib.go:190:3:190:57 | ... := ...[0] | semmle.label | ... := ...[0] | -| stdlib.go:190:36:190:56 | call to FormValue | semmle.label | call to FormValue | -| stdlib.go:192:23:192:28 | implicit dereference | semmle.label | implicit dereference | -| stdlib.go:192:23:192:28 | target | semmle.label | target | -| stdlib.go:192:23:192:33 | selection of Path | semmle.label | selection of Path | -| stdlib.go:194:23:194:28 | target | semmle.label | target | -| stdlib.go:194:23:194:42 | call to EscapedPath | semmle.label | call to EscapedPath | +| stdlib.go:33:13:33:18 | selection of Form | semmle.label | selection of Form | +| stdlib.go:33:13:33:32 | call to Get | semmle.label | call to Get | +| stdlib.go:39:30:39:40 | ...+... | semmle.label | ...+... | +| stdlib.go:39:34:39:40 | target2 | semmle.label | target2 | +| stdlib.go:48:13:48:18 | selection of Form | semmle.label | selection of Form | +| stdlib.go:48:13:48:32 | call to Get | semmle.label | call to Get | +| stdlib.go:50:23:50:28 | target | semmle.label | target | +| stdlib.go:68:13:68:18 | selection of Form | semmle.label | selection of Form | +| stdlib.go:68:13:68:32 | call to Get | semmle.label | call to Get | +| stdlib.go:71:23:71:28 | target | semmle.label | target | +| stdlib.go:71:23:71:37 | ...+... | semmle.label | ...+... | +| stdlib.go:71:23:71:40 | ...+... | semmle.label | ...+... | +| stdlib.go:93:13:93:18 | selection of Form | semmle.label | selection of Form | +| stdlib.go:93:13:93:32 | call to Get | semmle.label | call to Get | +| stdlib.go:94:3:94:8 | target | semmle.label | target | +| stdlib.go:94:3:94:25 | ... += ... | semmle.label | ... += ... | +| stdlib.go:96:23:96:28 | target | semmle.label | target | +| stdlib.go:111:54:111:54 | definition of r [pointer, URL, pointer] | semmle.label | definition of r [pointer, URL, pointer] | +| stdlib.go:111:54:111:54 | definition of r [pointer, URL] | semmle.label | definition of r [pointer, URL] | +| stdlib.go:115:6:115:6 | r [pointer, URL, pointer] | semmle.label | r [pointer, URL, pointer] | +| stdlib.go:115:6:115:6 | r [pointer, URL] | semmle.label | r [pointer, URL] | +| stdlib.go:116:4:116:4 | implicit dereference [URL, pointer] | semmle.label | implicit dereference [URL, pointer] | +| stdlib.go:116:4:116:4 | implicit dereference [URL] | semmle.label | implicit dereference [URL] | +| stdlib.go:116:4:116:4 | r [pointer, URL, pointer] | semmle.label | r [pointer, URL, pointer] | +| stdlib.go:116:4:116:4 | r [pointer, URL] | semmle.label | r [pointer, URL] | +| stdlib.go:116:4:116:8 | implicit dereference | semmle.label | implicit dereference | +| stdlib.go:116:4:116:8 | selection of URL | semmle.label | selection of URL | +| stdlib.go:116:4:116:8 | selection of URL [pointer] | semmle.label | selection of URL [pointer] | +| stdlib.go:117:24:117:24 | implicit dereference [URL] | semmle.label | implicit dereference [URL] | +| stdlib.go:117:24:117:24 | r [pointer, URL] | semmle.label | r [pointer, URL] | +| stdlib.go:117:24:117:28 | selection of URL | semmle.label | selection of URL | +| stdlib.go:117:24:117:37 | call to String | semmle.label | call to String | +| stdlib.go:150:13:150:18 | selection of Form | semmle.label | selection of Form | +| stdlib.go:150:13:150:32 | call to Get | semmle.label | call to Get | +| stdlib.go:156:23:156:28 | target | semmle.label | target | +| stdlib.go:163:10:163:15 | star expression | semmle.label | star expression | +| stdlib.go:163:11:163:15 | selection of URL | semmle.label | selection of URL | +| stdlib.go:166:24:166:26 | url | semmle.label | url | +| stdlib.go:166:24:166:35 | call to String | semmle.label | call to String | +| stdlib.go:177:24:177:52 | ...+... | semmle.label | ...+... | +| stdlib.go:177:35:177:39 | selection of URL | semmle.label | selection of URL | +| stdlib.go:177:35:177:52 | call to RequestURI | semmle.label | call to RequestURI | +| stdlib.go:186:13:186:33 | call to FormValue | semmle.label | call to FormValue | +| stdlib.go:188:23:188:28 | target | semmle.label | target | +| stdlib.go:194:3:194:8 | definition of target | semmle.label | definition of target | +| stdlib.go:194:3:194:57 | ... := ...[0] | semmle.label | ... := ...[0] | +| stdlib.go:194:36:194:56 | call to FormValue | semmle.label | call to FormValue | +| stdlib.go:196:23:196:28 | implicit dereference | semmle.label | implicit dereference | +| stdlib.go:196:23:196:28 | target | semmle.label | target | +| stdlib.go:196:23:196:33 | selection of Path | semmle.label | selection of Path | +| stdlib.go:198:23:198:28 | target | semmle.label | target | +| stdlib.go:198:23:198:42 | call to EscapedPath | semmle.label | call to EscapedPath | subpaths diff --git a/go/ql/test/query-tests/Security/CWE-601/OpenUrlRedirect/stdlib.go b/go/ql/test/query-tests/Security/CWE-601/OpenUrlRedirect/stdlib.go index 0ccacd7d87e7..f6cd1e5576f2 100644 --- a/go/ql/test/query-tests/Security/CWE-601/OpenUrlRedirect/stdlib.go +++ b/go/ql/test/query-tests/Security/CWE-601/OpenUrlRedirect/stdlib.go @@ -28,13 +28,17 @@ func serveStdlib() { http.HandleFunc("/ex2", func(w http.ResponseWriter, r *http.Request) { r.ParseForm() + // Taking gratuitous copies of target so that sanitizing the use in + // the first request doesn't also sanitize other uses target := r.Form.Get("target") + target2 := target + target3 := target // GOOD: local redirects are unproblematic w.Header().Set("Location", "/local"+target) // BAD: this could be a non-local redirect - w.Header().Set("Location", "/"+target) + w.Header().Set("Location", "/"+target2) // GOOD: localhost redirects are unproblematic - w.Header().Set("Location", "//localhost/"+target) + w.Header().Set("Location", "//localhost/"+target3) w.WriteHeader(302) }) diff --git a/go/ql/test/query-tests/Security/CWE-918/RequestForgery.expected b/go/ql/test/query-tests/Security/CWE-918/RequestForgery.expected index 76097b7a5c0b..f67991cc2211 100644 --- a/go/ql/test/query-tests/Security/CWE-918/RequestForgery.expected +++ b/go/ql/test/query-tests/Security/CWE-918/RequestForgery.expected @@ -1,12 +1,12 @@ #select | RequestForgery.go:11:15:11:66 | call to Get | RequestForgery.go:8:12:8:34 | call to FormValue | RequestForgery.go:11:24:11:65 | ...+... | The $@ of this request depends on a $@. | RequestForgery.go:11:24:11:65 | ...+... | URL | RequestForgery.go:8:12:8:34 | call to FormValue | user-provided value | -| tst.go:14:2:14:18 | call to Get | tst.go:10:13:10:35 | call to FormValue | tst.go:14:11:14:17 | tainted | The $@ of this request depends on a $@. | tst.go:14:11:14:17 | tainted | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value | -| tst.go:18:2:18:38 | call to Post | tst.go:10:13:10:35 | call to FormValue | tst.go:18:12:18:18 | tainted | The $@ of this request depends on a $@. | tst.go:18:12:18:18 | tainted | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value | -| tst.go:22:2:22:14 | call to Do | tst.go:10:13:10:35 | call to FormValue | tst.go:21:34:21:40 | tainted | The $@ of this request depends on a $@. | tst.go:21:34:21:40 | tainted | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value | -| tst.go:25:2:25:14 | call to Do | tst.go:10:13:10:35 | call to FormValue | tst.go:24:66:24:72 | tainted | The $@ of this request depends on a $@. | tst.go:24:66:24:72 | tainted | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value | -| tst.go:27:2:27:30 | call to Get | tst.go:10:13:10:35 | call to FormValue | tst.go:27:11:27:29 | ...+... | The $@ of this request depends on a $@. | tst.go:27:11:27:29 | ...+... | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value | -| tst.go:29:2:29:41 | call to Get | tst.go:10:13:10:35 | call to FormValue | tst.go:29:11:29:40 | ...+... | The $@ of this request depends on a $@. | tst.go:29:11:29:40 | ...+... | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value | -| tst.go:37:2:37:21 | call to Get | tst.go:10:13:10:35 | call to FormValue | tst.go:37:11:37:20 | call to String | The $@ of this request depends on a $@. | tst.go:37:11:37:20 | call to String | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value | +| tst.go:18:2:18:18 | call to Get | tst.go:10:13:10:35 | call to FormValue | tst.go:18:11:18:17 | tainted | The $@ of this request depends on a $@. | tst.go:18:11:18:17 | tainted | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value | +| tst.go:22:2:22:38 | call to Post | tst.go:10:13:10:35 | call to FormValue | tst.go:22:12:22:18 | tainted | The $@ of this request depends on a $@. | tst.go:22:12:22:18 | tainted | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value | +| tst.go:26:2:26:14 | call to Do | tst.go:10:13:10:35 | call to FormValue | tst.go:25:34:25:40 | tainted | The $@ of this request depends on a $@. | tst.go:25:34:25:40 | tainted | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value | +| tst.go:29:2:29:14 | call to Do | tst.go:10:13:10:35 | call to FormValue | tst.go:28:66:28:72 | tainted | The $@ of this request depends on a $@. | tst.go:28:66:28:72 | tainted | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value | +| tst.go:31:2:31:30 | call to Get | tst.go:10:13:10:35 | call to FormValue | tst.go:31:11:31:29 | ...+... | The $@ of this request depends on a $@. | tst.go:31:11:31:29 | ...+... | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value | +| tst.go:33:2:33:41 | call to Get | tst.go:10:13:10:35 | call to FormValue | tst.go:33:11:33:40 | ...+... | The $@ of this request depends on a $@. | tst.go:33:11:33:40 | ...+... | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value | +| tst.go:41:2:41:21 | call to Get | tst.go:10:13:10:35 | call to FormValue | tst.go:41:11:41:20 | call to String | The $@ of this request depends on a $@. | tst.go:41:11:41:20 | call to String | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value | | websocket.go:65:12:65:53 | call to Dial | websocket.go:60:21:60:31 | call to Referer | websocket.go:65:27:65:40 | untrustedInput | The $@ of this request depends on a $@. | websocket.go:65:27:65:40 | untrustedInput | WebSocket URL | websocket.go:60:21:60:31 | call to Referer | user-provided value | | websocket.go:79:13:79:40 | call to DialConfig | websocket.go:74:21:74:31 | call to Referer | websocket.go:78:36:78:49 | untrustedInput | The $@ of this request depends on a $@. | websocket.go:78:36:78:49 | untrustedInput | WebSocket URL | websocket.go:74:21:74:31 | call to Referer | user-provided value | | websocket.go:91:3:91:50 | call to Dial | websocket.go:88:21:88:31 | call to Referer | websocket.go:91:31:91:44 | untrustedInput | The $@ of this request depends on a $@. | websocket.go:91:31:91:44 | untrustedInput | WebSocket URL | websocket.go:88:21:88:31 | call to Referer | user-provided value | @@ -18,23 +18,22 @@ | websocket.go:204:3:204:25 | call to New | websocket.go:202:21:202:31 | call to Referer | websocket.go:204:11:204:24 | untrustedInput | The $@ of this request depends on a $@. | websocket.go:204:11:204:24 | untrustedInput | WebSocket URL | websocket.go:202:21:202:31 | call to Referer | user-provided value | edges | RequestForgery.go:8:12:8:34 | call to FormValue | RequestForgery.go:11:24:11:65 | ...+... | provenance | Src:MaD:1 | -| tst.go:10:13:10:35 | call to FormValue | tst.go:14:11:14:17 | tainted | provenance | Src:MaD:1 | -| tst.go:10:13:10:35 | call to FormValue | tst.go:18:12:18:18 | tainted | provenance | Src:MaD:1 | -| tst.go:10:13:10:35 | call to FormValue | tst.go:21:34:21:40 | tainted | provenance | Src:MaD:1 | -| tst.go:10:13:10:35 | call to FormValue | tst.go:24:66:24:72 | tainted | provenance | Src:MaD:1 | -| tst.go:10:13:10:35 | call to FormValue | tst.go:27:11:27:29 | ...+... | provenance | Src:MaD:1 | -| tst.go:10:13:10:35 | call to FormValue | tst.go:29:11:29:40 | ...+... | provenance | Src:MaD:1 | -| tst.go:10:13:10:35 | call to FormValue | tst.go:36:11:36:17 | tainted | provenance | Src:MaD:1 | -| tst.go:35:2:35:2 | definition of u [pointer] | tst.go:36:2:36:2 | u [pointer] | provenance | | -| tst.go:36:2:36:2 | implicit dereference | tst.go:35:2:35:2 | definition of u [pointer] | provenance | | -| tst.go:36:2:36:2 | implicit dereference | tst.go:36:2:36:2 | u | provenance | | -| tst.go:36:2:36:2 | implicit dereference | tst.go:37:11:37:11 | u | provenance | | -| tst.go:36:2:36:2 | u | tst.go:36:2:36:2 | implicit dereference | provenance | | -| tst.go:36:2:36:2 | u | tst.go:37:11:37:11 | u | provenance | | -| tst.go:36:2:36:2 | u [pointer] | tst.go:36:2:36:2 | implicit dereference | provenance | | -| tst.go:36:11:36:17 | tainted | tst.go:36:2:36:2 | u | provenance | Config | -| tst.go:36:11:36:17 | tainted | tst.go:37:11:37:11 | u | provenance | Config | -| tst.go:37:11:37:11 | u | tst.go:37:11:37:20 | call to String | provenance | MaD:3 | +| tst.go:10:13:10:35 | call to FormValue | tst.go:18:11:18:17 | tainted | provenance | Src:MaD:1 | +| tst.go:10:13:10:35 | call to FormValue | tst.go:22:12:22:18 | tainted | provenance | Src:MaD:1 | +| tst.go:10:13:10:35 | call to FormValue | tst.go:25:34:25:40 | tainted | provenance | Src:MaD:1 | +| tst.go:10:13:10:35 | call to FormValue | tst.go:28:66:28:72 | tainted | provenance | Src:MaD:1 | +| tst.go:10:13:10:35 | call to FormValue | tst.go:31:11:31:29 | ...+... | provenance | Src:MaD:1 | +| tst.go:10:13:10:35 | call to FormValue | tst.go:33:11:33:40 | ...+... | provenance | Src:MaD:1 | +| tst.go:10:13:10:35 | call to FormValue | tst.go:40:11:40:18 | tainted2 | provenance | Src:MaD:1 | +| tst.go:39:2:39:2 | definition of u [pointer] | tst.go:40:2:40:2 | u [pointer] | provenance | | +| tst.go:40:2:40:2 | implicit dereference | tst.go:39:2:39:2 | definition of u [pointer] | provenance | | +| tst.go:40:2:40:2 | implicit dereference | tst.go:40:2:40:2 | u | provenance | | +| tst.go:40:2:40:2 | u | tst.go:40:2:40:2 | implicit dereference | provenance | | +| tst.go:40:2:40:2 | u | tst.go:41:11:41:11 | u | provenance | | +| tst.go:40:2:40:2 | u [pointer] | tst.go:40:2:40:2 | implicit dereference | provenance | | +| tst.go:40:11:40:18 | tainted2 | tst.go:40:2:40:2 | u | provenance | Config | +| tst.go:40:11:40:18 | tainted2 | tst.go:41:11:41:11 | u | provenance | Config | +| tst.go:41:11:41:11 | u | tst.go:41:11:41:20 | call to String | provenance | MaD:3 | | websocket.go:60:21:60:31 | call to Referer | websocket.go:65:27:65:40 | untrustedInput | provenance | Src:MaD:2 | | websocket.go:74:21:74:31 | call to Referer | websocket.go:78:36:78:49 | untrustedInput | provenance | Src:MaD:2 | | websocket.go:88:21:88:31 | call to Referer | websocket.go:91:31:91:44 | untrustedInput | provenance | Src:MaD:2 | @@ -52,19 +51,19 @@ nodes | RequestForgery.go:8:12:8:34 | call to FormValue | semmle.label | call to FormValue | | RequestForgery.go:11:24:11:65 | ...+... | semmle.label | ...+... | | tst.go:10:13:10:35 | call to FormValue | semmle.label | call to FormValue | -| tst.go:14:11:14:17 | tainted | semmle.label | tainted | -| tst.go:18:12:18:18 | tainted | semmle.label | tainted | -| tst.go:21:34:21:40 | tainted | semmle.label | tainted | -| tst.go:24:66:24:72 | tainted | semmle.label | tainted | -| tst.go:27:11:27:29 | ...+... | semmle.label | ...+... | -| tst.go:29:11:29:40 | ...+... | semmle.label | ...+... | -| tst.go:35:2:35:2 | definition of u [pointer] | semmle.label | definition of u [pointer] | -| tst.go:36:2:36:2 | implicit dereference | semmle.label | implicit dereference | -| tst.go:36:2:36:2 | u | semmle.label | u | -| tst.go:36:2:36:2 | u [pointer] | semmle.label | u [pointer] | -| tst.go:36:11:36:17 | tainted | semmle.label | tainted | -| tst.go:37:11:37:11 | u | semmle.label | u | -| tst.go:37:11:37:20 | call to String | semmle.label | call to String | +| tst.go:18:11:18:17 | tainted | semmle.label | tainted | +| tst.go:22:12:22:18 | tainted | semmle.label | tainted | +| tst.go:25:34:25:40 | tainted | semmle.label | tainted | +| tst.go:28:66:28:72 | tainted | semmle.label | tainted | +| tst.go:31:11:31:29 | ...+... | semmle.label | ...+... | +| tst.go:33:11:33:40 | ...+... | semmle.label | ...+... | +| tst.go:39:2:39:2 | definition of u [pointer] | semmle.label | definition of u [pointer] | +| tst.go:40:2:40:2 | implicit dereference | semmle.label | implicit dereference | +| tst.go:40:2:40:2 | u | semmle.label | u | +| tst.go:40:2:40:2 | u [pointer] | semmle.label | u [pointer] | +| tst.go:40:11:40:18 | tainted2 | semmle.label | tainted2 | +| tst.go:41:11:41:11 | u | semmle.label | u | +| tst.go:41:11:41:20 | call to String | semmle.label | call to String | | websocket.go:60:21:60:31 | call to Referer | semmle.label | call to Referer | | websocket.go:65:27:65:40 | untrustedInput | semmle.label | untrustedInput | | websocket.go:74:21:74:31 | call to Referer | semmle.label | call to Referer | diff --git a/go/ql/test/query-tests/Security/CWE-918/tst.go b/go/ql/test/query-tests/Security/CWE-918/tst.go index 0e04429580c8..8c60b4a66f45 100644 --- a/go/ql/test/query-tests/Security/CWE-918/tst.go +++ b/go/ql/test/query-tests/Security/CWE-918/tst.go @@ -8,6 +8,10 @@ import ( func handler2(w http.ResponseWriter, req *http.Request) { tainted := req.FormValue("target") + // Gratuitous copy due to use-use flow propagating sanitization when + // used as a suffix in the last two OK cases forwards onto the final + // Not OK case. + tainted2 := tainted http.Get("example.com") // OK @@ -33,7 +37,7 @@ func handler2(w http.ResponseWriter, req *http.Request) { http.Get("http://example.com/?" + tainted) // OK u, _ := url.Parse("http://example.com/relative-path") - u.Host = tainted + u.Host = tainted2 http.Get(u.String()) // Not OK } From 06404d81475ba2fb072aa85e7744b129f03e8600 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Tue, 28 Nov 2023 16:02:14 +0000 Subject: [PATCH 02/24] Add missing QLDoc --- go/ql/lib/semmle/go/dataflow/SSA.qll | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/go/ql/lib/semmle/go/dataflow/SSA.qll b/go/ql/lib/semmle/go/dataflow/SSA.qll index 5891c0ed800b..b255c14f66c0 100644 --- a/go/ql/lib/semmle/go/dataflow/SSA.qll +++ b/go/ql/lib/semmle/go/dataflow/SSA.qll @@ -198,6 +198,11 @@ class SsaExplicitDefinition extends SsaDefinition, TExplicitDef { override Location getLocation() { result = this.getInstruction().getLocation() } + /** + * Gets the first instruction that the value of this `SsaDefinition` can + * reach without passing through any other instructions, but possibly through + * phi nodes. + */ IR::Instruction getAFirstUse() { firstUse(this, result) } } @@ -413,4 +418,11 @@ DataFlow::Node getASimilarReadNode(DataFlow::Node node) { ) } +/** + * Gets an instruction such that `pred` and `result` form an adjacent + * use-use-pair of the same`SsaSourceVariable`, that is, the value read in + * `pred` can reach `result` without passing through any other use or any SSA + * definition of the variable except for phi nodes and uncertain implicit + * updates. + */ IR::Instruction getAnAdjacentUse(IR::Instruction pred) { adjacentUseUse(pred, result) } From d8002a05499dc34bc104200ae58ffcb048c90fec Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Tue, 28 Nov 2023 13:25:45 +0000 Subject: [PATCH 03/24] Clean up code in basicLocalFlowStep No changes in functionality. --- .../semmle/go/dataflow/internal/DataFlowPrivate.qll | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/go/ql/lib/semmle/go/dataflow/internal/DataFlowPrivate.qll b/go/ql/lib/semmle/go/dataflow/internal/DataFlowPrivate.qll index 15f8a8462a15..ee612bde0e44 100644 --- a/go/ql/lib/semmle/go/dataflow/internal/DataFlowPrivate.qll +++ b/go/ql/lib/semmle/go/dataflow/internal/DataFlowPrivate.qll @@ -69,22 +69,22 @@ predicate basicLocalFlowStep(Node nodeFrom, Node nodeTo) { exists(IR::Instruction pred, SsaExplicitDefinition succ | succ.getRhs() = pred and nodeFrom = instructionNode(pred) and - nodeTo = ssaNode(succ) + nodeTo = ssaNode(succ.getVariable()) ) or // SSA defn -> SSA capture exists(SsaExplicitDefinition pred, SsaVariableCapture succ | // Check: should these flow from PHIs as well? Perhaps they should be included // in the use-use graph? - succ.(SsaVariableCapture).getSourceVariable() = pred.(SsaExplicitDefinition).getSourceVariable() + succ.getSourceVariable() = pred.getSourceVariable() | - nodeFrom = ssaNode(pred) and - nodeTo = ssaNode(succ) + nodeFrom = ssaNode(pred.getVariable()) and + nodeTo = ssaNode(succ.getVariable()) ) or // SSA defn -> first SSA use exists(SsaExplicitDefinition pred, IR::Instruction succ | succ = pred.getAFirstUse() | - nodeFrom = ssaNode(pred) and + nodeFrom = ssaNode(pred.getVariable()) and nodeTo = instructionNode(succ) ) or From 1904daf3b1b4a810b344113223ee4f6ea305f090 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Tue, 28 Nov 2023 15:47:55 +0000 Subject: [PATCH 04/24] Include first step from SsaVariableCapture Without this change the test go/ql/test/query-tests/InconsistentCode/UnhandledCloseWritableHandle/UnhandledCloseWritableHandle.qlref was failing. --- go/ql/lib/semmle/go/dataflow/SSA.qll | 14 +++++++------- .../go/dataflow/internal/DataFlowPrivate.qll | 3 ++- 2 files changed, 9 insertions(+), 8 deletions(-) diff --git a/go/ql/lib/semmle/go/dataflow/SSA.qll b/go/ql/lib/semmle/go/dataflow/SSA.qll index b255c14f66c0..98dae5f3d014 100644 --- a/go/ql/lib/semmle/go/dataflow/SSA.qll +++ b/go/ql/lib/semmle/go/dataflow/SSA.qll @@ -166,6 +166,13 @@ class SsaDefinition extends TSsaDefinition { ) { this.getLocation().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn) } + + /** + * Gets the first instruction that the value of this `SsaDefinition` can + * reach without passing through any other instructions, but possibly through + * phi nodes. + */ + IR::Instruction getAFirstUse() { firstUse(this, result) } } /** @@ -197,13 +204,6 @@ class SsaExplicitDefinition extends SsaDefinition, TExplicitDef { override string prettyPrintDef() { result = "definition of " + this.getSourceVariable() } override Location getLocation() { result = this.getInstruction().getLocation() } - - /** - * Gets the first instruction that the value of this `SsaDefinition` can - * reach without passing through any other instructions, but possibly through - * phi nodes. - */ - IR::Instruction getAFirstUse() { firstUse(this, result) } } /** Provides a helper predicate for working with explicit SSA definitions. */ diff --git a/go/ql/lib/semmle/go/dataflow/internal/DataFlowPrivate.qll b/go/ql/lib/semmle/go/dataflow/internal/DataFlowPrivate.qll index ee612bde0e44..3b8ed07c1a3b 100644 --- a/go/ql/lib/semmle/go/dataflow/internal/DataFlowPrivate.qll +++ b/go/ql/lib/semmle/go/dataflow/internal/DataFlowPrivate.qll @@ -83,7 +83,8 @@ predicate basicLocalFlowStep(Node nodeFrom, Node nodeTo) { ) or // SSA defn -> first SSA use - exists(SsaExplicitDefinition pred, IR::Instruction succ | succ = pred.getAFirstUse() | + exists(SsaDefinition pred, IR::Instruction succ | succ = pred.getAFirstUse() | + (pred instanceof SsaExplicitDefinition or pred instanceof SsaVariableCapture) and nodeFrom = ssaNode(pred.getVariable()) and nodeTo = instructionNode(succ) ) From 9d887954c82feadfb9b7d19618845b21165748da Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Wed, 29 Nov 2023 11:19:00 +0000 Subject: [PATCH 05/24] Adjust SafeFormatArgumentSanitizer to use-use flow Make it sanitize the result of the call rather than the input, so that further uses of the input are still tainted. This means that it catches things like `log.Print(fmt.Sprintf("user %q logged in.\n", username))` where the argument to the LoggerCall contains a StringFormatCall, but it misses things like `log.Printf("user %q logged in.\n", username)`. So we extract the logic into a predicate and apply it as a condition in the sink as well. The downside of this approach is that if there are two tainted inputs and only one has a safe format argument then we still sanitize the result. Hopefully this is rare. --- .../security/LogInjectionCustomizations.qll | 34 ++++++++++++++++--- 1 file changed, 29 insertions(+), 5 deletions(-) diff --git a/go/ql/lib/semmle/go/security/LogInjectionCustomizations.qll b/go/ql/lib/semmle/go/security/LogInjectionCustomizations.qll index 188256f9643b..1b8e4e77e844 100644 --- a/go/ql/lib/semmle/go/security/LogInjectionCustomizations.qll +++ b/go/ql/lib/semmle/go/security/LogInjectionCustomizations.qll @@ -35,7 +35,15 @@ module LogInjection { /** An argument to a logging mechanism. */ class LoggerSink extends Sink { - LoggerSink() { this = any(LoggerCall log).getAMessageComponent() } + LoggerSink() { + exists(LoggerCall call | + this = call.getAMessageComponent() and + // exclude arguments to `call` which have a safe format argument, which + // aren't caught by SafeFormatArgumentSanitizer as that sanitizes the + // result of the call. + not safeFormatArgument(this, call) + ) + } } /** @@ -47,6 +55,22 @@ module LogInjection { ReplaceSanitizer() { this.getReplacedString() = ["\r", "\n"] } } + /** + * Holds if `arg` is an argument to `call` that is formatted using the `%q` + * directive. This formatting directive replaces newline characters with + * escape sequences, so `arg` would not be a sink for log injection. + */ + private predicate safeFormatArgument( + DataFlow::Node arg, StringOps::Formatting::StringFormatCall call + ) { + exists(string safeDirective | + // Mark "%q" formats as safe, but not "%#q", which would preserve newline characters. + safeDirective.regexpMatch("%[^%#]*q") + | + arg = call.getOperand(_, safeDirective) + ) + } + /** * An argument that is formatted using the `%q` directive, considered as a sanitizer * for log injection. @@ -55,10 +79,10 @@ module LogInjection { */ private class SafeFormatArgumentSanitizer extends Sanitizer { SafeFormatArgumentSanitizer() { - exists(StringOps::Formatting::StringFormatCall call, string safeDirective | - this = call.getOperand(_, safeDirective) and - // Mark "%q" formats as safe, but not "%#q", which would preserve newline characters. - safeDirective.regexpMatch("%[^%#]*q") + exists(DataFlow::Node arg, StringOps::Formatting::StringFormatCall call | + safeFormatArgument(arg, call) + | + this = call.getAResult() ) } } From f67555a8c8cce17b206018b76a28be116bce9ab7 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Fri, 10 Nov 2023 14:58:52 +0000 Subject: [PATCH 06/24] Test result that was missing is now found --- .../library-tests/semmle/go/dataflow/ExternalTaintFlow/test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/go/ql/test/library-tests/semmle/go/dataflow/ExternalTaintFlow/test.go b/go/ql/test/library-tests/semmle/go/dataflow/ExternalTaintFlow/test.go index 14b9a43b5991..c9d732e74002 100644 --- a/go/ql/test/library-tests/semmle/go/dataflow/ExternalTaintFlow/test.go +++ b/go/ql/test/library-tests/semmle/go/dataflow/ExternalTaintFlow/test.go @@ -158,7 +158,7 @@ func simpleflow() { ch := make(chan string) ch <- a.Src1().(string) taint16 := test.StepArgCollectionContentRes(ch) - b.Sink1(taint16) // $ MISSING: hasTaintFlow="taint16" // currently fails due to lack of post-update nodes after send statements + b.Sink1(taint16) // $ hasTaintFlow="taint16" c1 := test.C{""} c1.Set(a.Src1().(string)) From 03204cfaab36f6ea882dcb8ea1a69525cd7b56bf Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Fri, 10 Nov 2023 15:28:21 +0000 Subject: [PATCH 07/24] Expected changes in dataflow edges --- .../CWE-1004/CookieWithoutHttpOnly.expected | 35 ++++++++----------- 1 file changed, 14 insertions(+), 21 deletions(-) diff --git a/go/ql/test/experimental/CWE-1004/CookieWithoutHttpOnly.expected b/go/ql/test/experimental/CWE-1004/CookieWithoutHttpOnly.expected index 5c7bef1155ef..0c60eb3f97ef 100644 --- a/go/ql/test/experimental/CWE-1004/CookieWithoutHttpOnly.expected +++ b/go/ql/test/experimental/CWE-1004/CookieWithoutHttpOnly.expected @@ -255,8 +255,6 @@ edges | CookieWithoutHttpOnly.go:134:2:134:8 | definition of session [pointer] | CookieWithoutHttpOnly.go:135:2:135:8 | session [pointer] | provenance | | | CookieWithoutHttpOnly.go:134:2:134:8 | definition of session [pointer] | CookieWithoutHttpOnly.go:137:2:137:8 | session [pointer] | provenance | | | CookieWithoutHttpOnly.go:134:2:134:8 | definition of session [pointer] | CookieWithoutHttpOnly.go:137:2:137:8 | session [pointer] | provenance | | -| CookieWithoutHttpOnly.go:134:2:134:8 | definition of session [pointer] | CookieWithoutHttpOnly.go:142:2:142:8 | session | provenance | | -| CookieWithoutHttpOnly.go:134:2:134:8 | definition of session [pointer] | CookieWithoutHttpOnly.go:142:2:142:8 | session | provenance | | | CookieWithoutHttpOnly.go:134:2:134:43 | ... := ...[0] | CookieWithoutHttpOnly.go:142:2:142:8 | session | provenance | | | CookieWithoutHttpOnly.go:134:16:134:20 | store | CookieWithoutHttpOnly.go:126:16:126:20 | store | provenance | | | CookieWithoutHttpOnly.go:134:16:134:20 | store | CookieWithoutHttpOnly.go:134:2:134:43 | ... := ...[0] | provenance | Config | @@ -272,8 +270,6 @@ edges | CookieWithoutHttpOnly.go:135:2:135:8 | implicit dereference | CookieWithoutHttpOnly.go:134:2:134:8 | definition of session [pointer] | provenance | | | CookieWithoutHttpOnly.go:135:2:135:8 | implicit dereference | CookieWithoutHttpOnly.go:137:2:137:8 | session | provenance | | | CookieWithoutHttpOnly.go:135:2:135:8 | implicit dereference | CookieWithoutHttpOnly.go:137:2:137:8 | session | provenance | | -| CookieWithoutHttpOnly.go:135:2:135:8 | implicit dereference | CookieWithoutHttpOnly.go:142:2:142:8 | session | provenance | | -| CookieWithoutHttpOnly.go:135:2:135:8 | implicit dereference | CookieWithoutHttpOnly.go:142:2:142:8 | session | provenance | | | CookieWithoutHttpOnly.go:135:2:135:8 | session [pointer] | CookieWithoutHttpOnly.go:135:2:135:8 | implicit dereference | provenance | | | CookieWithoutHttpOnly.go:135:2:135:8 | session [pointer] | CookieWithoutHttpOnly.go:135:2:135:8 | implicit dereference | provenance | | | CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference | CookieWithoutHttpOnly.go:134:2:134:8 | definition of session [pointer] | provenance | | @@ -282,12 +278,14 @@ edges | CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference | CookieWithoutHttpOnly.go:135:2:135:8 | implicit dereference | provenance | | | CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference | CookieWithoutHttpOnly.go:137:2:137:8 | session | provenance | | | CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference | CookieWithoutHttpOnly.go:137:2:137:8 | session | provenance | | -| CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference | CookieWithoutHttpOnly.go:142:2:142:8 | session | provenance | | -| CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference | CookieWithoutHttpOnly.go:142:2:142:8 | session | provenance | | | CookieWithoutHttpOnly.go:137:2:137:8 | session | CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference | provenance | | | CookieWithoutHttpOnly.go:137:2:137:8 | session | CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference | provenance | | +| CookieWithoutHttpOnly.go:137:2:137:8 | session | CookieWithoutHttpOnly.go:142:2:142:8 | session | provenance | | +| CookieWithoutHttpOnly.go:137:2:137:8 | session | CookieWithoutHttpOnly.go:142:2:142:8 | session | provenance | | | CookieWithoutHttpOnly.go:137:2:137:8 | session [pointer] | CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference | provenance | | | CookieWithoutHttpOnly.go:137:2:137:8 | session [pointer] | CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference | provenance | | +| CookieWithoutHttpOnly.go:137:2:137:8 | session [pointer] | CookieWithoutHttpOnly.go:142:2:142:8 | session | provenance | | +| CookieWithoutHttpOnly.go:137:2:137:8 | session [pointer] | CookieWithoutHttpOnly.go:142:2:142:8 | session | provenance | | | CookieWithoutHttpOnly.go:137:20:140:2 | &... | CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference | provenance | Config | | CookieWithoutHttpOnly.go:137:20:140:2 | &... | CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference | provenance | Config | | CookieWithoutHttpOnly.go:137:20:140:2 | &... | CookieWithoutHttpOnly.go:137:2:137:8 | session | provenance | Config | @@ -298,7 +296,6 @@ edges | CookieWithoutHttpOnly.go:139:13:139:20 | httpOnly | CookieWithoutHttpOnly.go:137:21:140:2 | struct literal | provenance | Config | | CookieWithoutHttpOnly.go:146:2:146:8 | definition of session [pointer] | CookieWithoutHttpOnly.go:147:2:147:8 | session [pointer] | provenance | | | CookieWithoutHttpOnly.go:146:2:146:8 | definition of session [pointer] | CookieWithoutHttpOnly.go:149:2:149:8 | session [pointer] | provenance | | -| CookieWithoutHttpOnly.go:146:2:146:8 | definition of session [pointer] | CookieWithoutHttpOnly.go:153:2:153:8 | session | provenance | | | CookieWithoutHttpOnly.go:146:2:146:43 | ... := ...[0] | CookieWithoutHttpOnly.go:153:2:153:8 | session | provenance | | | CookieWithoutHttpOnly.go:146:16:146:20 | store | CookieWithoutHttpOnly.go:126:16:126:20 | store | provenance | | | CookieWithoutHttpOnly.go:146:16:146:20 | store | CookieWithoutHttpOnly.go:134:16:134:20 | store | provenance | | @@ -312,14 +309,14 @@ edges | CookieWithoutHttpOnly.go:146:16:146:20 | store | CookieWithoutHttpOnly.go:202:2:202:6 | store | provenance | | | CookieWithoutHttpOnly.go:147:2:147:8 | implicit dereference | CookieWithoutHttpOnly.go:146:2:146:8 | definition of session [pointer] | provenance | | | CookieWithoutHttpOnly.go:147:2:147:8 | implicit dereference | CookieWithoutHttpOnly.go:149:2:149:8 | session | provenance | | -| CookieWithoutHttpOnly.go:147:2:147:8 | implicit dereference | CookieWithoutHttpOnly.go:153:2:153:8 | session | provenance | | | CookieWithoutHttpOnly.go:147:2:147:8 | session [pointer] | CookieWithoutHttpOnly.go:147:2:147:8 | implicit dereference | provenance | | | CookieWithoutHttpOnly.go:149:2:149:8 | implicit dereference | CookieWithoutHttpOnly.go:146:2:146:8 | definition of session [pointer] | provenance | | | CookieWithoutHttpOnly.go:149:2:149:8 | implicit dereference | CookieWithoutHttpOnly.go:147:2:147:8 | implicit dereference | provenance | | | CookieWithoutHttpOnly.go:149:2:149:8 | implicit dereference | CookieWithoutHttpOnly.go:149:2:149:8 | session | provenance | | -| CookieWithoutHttpOnly.go:149:2:149:8 | implicit dereference | CookieWithoutHttpOnly.go:153:2:153:8 | session | provenance | | | CookieWithoutHttpOnly.go:149:2:149:8 | session | CookieWithoutHttpOnly.go:149:2:149:8 | implicit dereference | provenance | | +| CookieWithoutHttpOnly.go:149:2:149:8 | session | CookieWithoutHttpOnly.go:153:2:153:8 | session | provenance | | | CookieWithoutHttpOnly.go:149:2:149:8 | session [pointer] | CookieWithoutHttpOnly.go:149:2:149:8 | implicit dereference | provenance | | +| CookieWithoutHttpOnly.go:149:2:149:8 | session [pointer] | CookieWithoutHttpOnly.go:153:2:153:8 | session | provenance | | | CookieWithoutHttpOnly.go:149:20:151:2 | &... | CookieWithoutHttpOnly.go:149:2:149:8 | implicit dereference | provenance | Config | | CookieWithoutHttpOnly.go:149:20:151:2 | &... | CookieWithoutHttpOnly.go:149:2:149:8 | session | provenance | Config | | CookieWithoutHttpOnly.go:149:21:151:2 | struct literal | CookieWithoutHttpOnly.go:149:20:151:2 | &... | provenance | | @@ -329,8 +326,6 @@ edges | CookieWithoutHttpOnly.go:158:2:158:8 | definition of session [pointer] | CookieWithoutHttpOnly.go:159:2:159:8 | session [pointer] | provenance | | | CookieWithoutHttpOnly.go:158:2:158:8 | definition of session [pointer] | CookieWithoutHttpOnly.go:161:2:161:8 | session [pointer] | provenance | | | CookieWithoutHttpOnly.go:158:2:158:8 | definition of session [pointer] | CookieWithoutHttpOnly.go:161:2:161:8 | session [pointer] | provenance | | -| CookieWithoutHttpOnly.go:158:2:158:8 | definition of session [pointer] | CookieWithoutHttpOnly.go:166:2:166:8 | session | provenance | | -| CookieWithoutHttpOnly.go:158:2:158:8 | definition of session [pointer] | CookieWithoutHttpOnly.go:166:2:166:8 | session | provenance | | | CookieWithoutHttpOnly.go:158:2:158:43 | ... := ...[0] | CookieWithoutHttpOnly.go:166:2:166:8 | session | provenance | | | CookieWithoutHttpOnly.go:158:16:158:20 | store | CookieWithoutHttpOnly.go:126:16:126:20 | store | provenance | | | CookieWithoutHttpOnly.go:158:16:158:20 | store | CookieWithoutHttpOnly.go:134:16:134:20 | store | provenance | | @@ -346,8 +341,6 @@ edges | CookieWithoutHttpOnly.go:159:2:159:8 | implicit dereference | CookieWithoutHttpOnly.go:158:2:158:8 | definition of session [pointer] | provenance | | | CookieWithoutHttpOnly.go:159:2:159:8 | implicit dereference | CookieWithoutHttpOnly.go:161:2:161:8 | session | provenance | | | CookieWithoutHttpOnly.go:159:2:159:8 | implicit dereference | CookieWithoutHttpOnly.go:161:2:161:8 | session | provenance | | -| CookieWithoutHttpOnly.go:159:2:159:8 | implicit dereference | CookieWithoutHttpOnly.go:166:2:166:8 | session | provenance | | -| CookieWithoutHttpOnly.go:159:2:159:8 | implicit dereference | CookieWithoutHttpOnly.go:166:2:166:8 | session | provenance | | | CookieWithoutHttpOnly.go:159:2:159:8 | session [pointer] | CookieWithoutHttpOnly.go:159:2:159:8 | implicit dereference | provenance | | | CookieWithoutHttpOnly.go:159:2:159:8 | session [pointer] | CookieWithoutHttpOnly.go:159:2:159:8 | implicit dereference | provenance | | | CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference | CookieWithoutHttpOnly.go:158:2:158:8 | definition of session [pointer] | provenance | | @@ -356,12 +349,14 @@ edges | CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference | CookieWithoutHttpOnly.go:159:2:159:8 | implicit dereference | provenance | | | CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference | CookieWithoutHttpOnly.go:161:2:161:8 | session | provenance | | | CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference | CookieWithoutHttpOnly.go:161:2:161:8 | session | provenance | | -| CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference | CookieWithoutHttpOnly.go:166:2:166:8 | session | provenance | | -| CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference | CookieWithoutHttpOnly.go:166:2:166:8 | session | provenance | | | CookieWithoutHttpOnly.go:161:2:161:8 | session | CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference | provenance | | | CookieWithoutHttpOnly.go:161:2:161:8 | session | CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference | provenance | | +| CookieWithoutHttpOnly.go:161:2:161:8 | session | CookieWithoutHttpOnly.go:166:2:166:8 | session | provenance | | +| CookieWithoutHttpOnly.go:161:2:161:8 | session | CookieWithoutHttpOnly.go:166:2:166:8 | session | provenance | | | CookieWithoutHttpOnly.go:161:2:161:8 | session [pointer] | CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference | provenance | | | CookieWithoutHttpOnly.go:161:2:161:8 | session [pointer] | CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference | provenance | | +| CookieWithoutHttpOnly.go:161:2:161:8 | session [pointer] | CookieWithoutHttpOnly.go:166:2:166:8 | session | provenance | | +| CookieWithoutHttpOnly.go:161:2:161:8 | session [pointer] | CookieWithoutHttpOnly.go:166:2:166:8 | session | provenance | | | CookieWithoutHttpOnly.go:161:20:164:2 | &... | CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference | provenance | Config | | CookieWithoutHttpOnly.go:161:20:164:2 | &... | CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference | provenance | Config | | CookieWithoutHttpOnly.go:161:20:164:2 | &... | CookieWithoutHttpOnly.go:161:2:161:8 | session | provenance | Config | @@ -376,8 +371,6 @@ edges | CookieWithoutHttpOnly.go:170:2:170:8 | definition of session [pointer] | CookieWithoutHttpOnly.go:171:2:171:8 | session [pointer] | provenance | | | CookieWithoutHttpOnly.go:170:2:170:8 | definition of session [pointer] | CookieWithoutHttpOnly.go:173:2:173:8 | session [pointer] | provenance | | | CookieWithoutHttpOnly.go:170:2:170:8 | definition of session [pointer] | CookieWithoutHttpOnly.go:173:2:173:8 | session [pointer] | provenance | | -| CookieWithoutHttpOnly.go:170:2:170:8 | definition of session [pointer] | CookieWithoutHttpOnly.go:178:2:178:8 | session | provenance | | -| CookieWithoutHttpOnly.go:170:2:170:8 | definition of session [pointer] | CookieWithoutHttpOnly.go:178:2:178:8 | session | provenance | | | CookieWithoutHttpOnly.go:170:2:170:43 | ... := ...[0] | CookieWithoutHttpOnly.go:178:2:178:8 | session | provenance | | | CookieWithoutHttpOnly.go:170:16:170:20 | store | CookieWithoutHttpOnly.go:126:16:126:20 | store | provenance | | | CookieWithoutHttpOnly.go:170:16:170:20 | store | CookieWithoutHttpOnly.go:134:16:134:20 | store | provenance | | @@ -393,8 +386,6 @@ edges | CookieWithoutHttpOnly.go:171:2:171:8 | implicit dereference | CookieWithoutHttpOnly.go:170:2:170:8 | definition of session [pointer] | provenance | | | CookieWithoutHttpOnly.go:171:2:171:8 | implicit dereference | CookieWithoutHttpOnly.go:173:2:173:8 | session | provenance | | | CookieWithoutHttpOnly.go:171:2:171:8 | implicit dereference | CookieWithoutHttpOnly.go:173:2:173:8 | session | provenance | | -| CookieWithoutHttpOnly.go:171:2:171:8 | implicit dereference | CookieWithoutHttpOnly.go:178:2:178:8 | session | provenance | | -| CookieWithoutHttpOnly.go:171:2:171:8 | implicit dereference | CookieWithoutHttpOnly.go:178:2:178:8 | session | provenance | | | CookieWithoutHttpOnly.go:171:2:171:8 | session [pointer] | CookieWithoutHttpOnly.go:171:2:171:8 | implicit dereference | provenance | | | CookieWithoutHttpOnly.go:171:2:171:8 | session [pointer] | CookieWithoutHttpOnly.go:171:2:171:8 | implicit dereference | provenance | | | CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference | CookieWithoutHttpOnly.go:170:2:170:8 | definition of session [pointer] | provenance | | @@ -403,12 +394,14 @@ edges | CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference | CookieWithoutHttpOnly.go:171:2:171:8 | implicit dereference | provenance | | | CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference | CookieWithoutHttpOnly.go:173:2:173:8 | session | provenance | | | CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference | CookieWithoutHttpOnly.go:173:2:173:8 | session | provenance | | -| CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference | CookieWithoutHttpOnly.go:178:2:178:8 | session | provenance | | -| CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference | CookieWithoutHttpOnly.go:178:2:178:8 | session | provenance | | | CookieWithoutHttpOnly.go:173:2:173:8 | session | CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference | provenance | | | CookieWithoutHttpOnly.go:173:2:173:8 | session | CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference | provenance | | +| CookieWithoutHttpOnly.go:173:2:173:8 | session | CookieWithoutHttpOnly.go:178:2:178:8 | session | provenance | | +| CookieWithoutHttpOnly.go:173:2:173:8 | session | CookieWithoutHttpOnly.go:178:2:178:8 | session | provenance | | | CookieWithoutHttpOnly.go:173:2:173:8 | session [pointer] | CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference | provenance | | | CookieWithoutHttpOnly.go:173:2:173:8 | session [pointer] | CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference | provenance | | +| CookieWithoutHttpOnly.go:173:2:173:8 | session [pointer] | CookieWithoutHttpOnly.go:178:2:178:8 | session | provenance | | +| CookieWithoutHttpOnly.go:173:2:173:8 | session [pointer] | CookieWithoutHttpOnly.go:178:2:178:8 | session | provenance | | | CookieWithoutHttpOnly.go:173:20:176:2 | &... | CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference | provenance | Config | | CookieWithoutHttpOnly.go:173:20:176:2 | &... | CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference | provenance | Config | | CookieWithoutHttpOnly.go:173:20:176:2 | &... | CookieWithoutHttpOnly.go:173:2:173:8 | session | provenance | Config | From 487dba3538e97189be8d8bb316aceecd348611bf Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Wed, 29 Nov 2023 15:25:56 +0000 Subject: [PATCH 08/24] f extra edge --- .../semmle/go/frameworks/Twirp/RequestForgery.expected | 1 + 1 file changed, 1 insertion(+) diff --git a/go/ql/test/library-tests/semmle/go/frameworks/Twirp/RequestForgery.expected b/go/ql/test/library-tests/semmle/go/frameworks/Twirp/RequestForgery.expected index 6bda68257ef4..8953a03513ad 100644 --- a/go/ql/test/library-tests/semmle/go/frameworks/Twirp/RequestForgery.expected +++ b/go/ql/test/library-tests/semmle/go/frameworks/Twirp/RequestForgery.expected @@ -10,6 +10,7 @@ edges | rpc/notes/service.twirp.go:538:2:538:33 | ... := ...[0] | rpc/notes/service.twirp.go:544:27:544:29 | buf | provenance | | | rpc/notes/service.twirp.go:538:25:538:32 | selection of Body | rpc/notes/service.twirp.go:538:2:538:33 | ... := ...[0] | provenance | Src:MaD:1 MaD:3 | | rpc/notes/service.twirp.go:543:2:543:11 | definition of reqContent | rpc/notes/service.twirp.go:574:2:577:2 | capture variable reqContent | provenance | | +| rpc/notes/service.twirp.go:543:2:543:11 | definition of reqContent | rpc/notes/service.twirp.go:576:35:576:44 | reqContent | provenance | | | rpc/notes/service.twirp.go:544:27:544:29 | buf | rpc/notes/service.twirp.go:543:2:543:11 | definition of reqContent | provenance | MaD:2 | | rpc/notes/service.twirp.go:554:6:554:13 | definition of typedReq | rpc/notes/service.twirp.go:558:44:558:51 | typedReq | provenance | | | rpc/notes/service.twirp.go:558:44:558:51 | typedReq | server/main.go:19:56:19:61 | definition of params | provenance | | From c040c9aa8474ab38e9126226d717d20f8dcdd152 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Wed, 29 Nov 2023 15:30:29 +0000 Subject: [PATCH 09/24] Line numbers change because 3 lines were added --- .../go/frameworks/Echo/TaintedPath.expected | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/go/ql/test/library-tests/semmle/go/frameworks/Echo/TaintedPath.expected b/go/ql/test/library-tests/semmle/go/frameworks/Echo/TaintedPath.expected index c579c480fb3e..6a26aba5d76f 100644 --- a/go/ql/test/library-tests/semmle/go/frameworks/Echo/TaintedPath.expected +++ b/go/ql/test/library-tests/semmle/go/frameworks/Echo/TaintedPath.expected @@ -1,16 +1,16 @@ #select -| test.go:222:17:222:24 | filepath | test.go:221:15:221:38 | call to QueryParam | test.go:222:17:222:24 | filepath | This path depends on a $@. | test.go:221:15:221:38 | call to QueryParam | user-provided value | -| test.go:226:23:226:30 | filepath | test.go:225:15:225:38 | call to QueryParam | test.go:226:23:226:30 | filepath | This path depends on a $@. | test.go:225:15:225:38 | call to QueryParam | user-provided value | +| test.go:225:17:225:24 | filepath | test.go:224:15:224:38 | call to QueryParam | test.go:225:17:225:24 | filepath | This path depends on a $@. | test.go:224:15:224:38 | call to QueryParam | user-provided value | +| test.go:229:23:229:30 | filepath | test.go:228:15:228:38 | call to QueryParam | test.go:229:23:229:30 | filepath | This path depends on a $@. | test.go:228:15:228:38 | call to QueryParam | user-provided value | edges -| test.go:221:15:221:38 | call to QueryParam | test.go:222:17:222:24 | filepath | provenance | Src:MaD:3 Sink:MaD:2 | -| test.go:225:15:225:38 | call to QueryParam | test.go:226:23:226:30 | filepath | provenance | Src:MaD:3 Sink:MaD:1 | +| test.go:224:15:224:38 | call to QueryParam | test.go:225:17:225:24 | filepath | provenance | Src:MaD:3 Sink:MaD:2 | +| test.go:228:15:228:38 | call to QueryParam | test.go:229:23:229:30 | filepath | provenance | Src:MaD:3 Sink:MaD:1 | models | 1 | Sink: github.com/labstack/echo; Context; true; Attachment; ; ; Argument[0]; path-injection; manual | | 2 | Sink: github.com/labstack/echo; Context; true; File; ; ; Argument[0]; path-injection; manual | | 3 | Source: github.com/labstack/echo; Context; true; QueryParam; ; ; ReturnValue[0]; remote; manual | nodes -| test.go:221:15:221:38 | call to QueryParam | semmle.label | call to QueryParam | -| test.go:222:17:222:24 | filepath | semmle.label | filepath | -| test.go:225:15:225:38 | call to QueryParam | semmle.label | call to QueryParam | -| test.go:226:23:226:30 | filepath | semmle.label | filepath | +| test.go:224:15:224:38 | call to QueryParam | semmle.label | call to QueryParam | +| test.go:225:17:225:24 | filepath | semmle.label | filepath | +| test.go:228:15:228:38 | call to QueryParam | semmle.label | call to QueryParam | +| test.go:229:23:229:30 | filepath | semmle.label | filepath | subpaths From 8b6a1731a27f3ae477d1125fcf6f04cc85176b85 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Wed, 29 Nov 2023 15:30:59 +0000 Subject: [PATCH 10/24] Changes in edges in .expected files --- .../dataflow/FlowSteps/LocalFlowStep.expected | 1 + .../PromotedFields/LocalFlowStep.expected | 112 ++++++------ .../Beego/CleartextLogging.expected | 169 ++++++++++++++---- 3 files changed, 192 insertions(+), 90 deletions(-) diff --git a/go/ql/test/library-tests/semmle/go/dataflow/FlowSteps/LocalFlowStep.expected b/go/ql/test/library-tests/semmle/go/dataflow/FlowSteps/LocalFlowStep.expected index b48b6fec1a77..5ea7b8c73026 100644 --- a/go/ql/test/library-tests/semmle/go/dataflow/FlowSteps/LocalFlowStep.expected +++ b/go/ql/test/library-tests/semmle/go/dataflow/FlowSteps/LocalFlowStep.expected @@ -70,6 +70,7 @@ | main.go:14:6:14:10 | function test2 | main.go:34:19:34:23 | test2 | | main.go:15:2:15:4 | definition of acc | main.go:16:9:19:2 | capture variable acc | | main.go:15:9:15:9 | 0 | main.go:15:2:15:4 | definition of acc | +| main.go:16:9:19:2 | capture variable acc | main.go:17:3:17:5 | acc | | main.go:17:3:17:7 | definition of acc | main.go:16:9:19:2 | capture variable acc | | main.go:17:3:17:7 | definition of acc | main.go:18:10:18:12 | acc | | main.go:17:3:17:7 | rhs of increment statement | main.go:17:3:17:7 | definition of acc | diff --git a/go/ql/test/library-tests/semmle/go/dataflow/PromotedFields/LocalFlowStep.expected b/go/ql/test/library-tests/semmle/go/dataflow/PromotedFields/LocalFlowStep.expected index d61d6be9c5f9..a74e39db2f1a 100644 --- a/go/ql/test/library-tests/semmle/go/dataflow/PromotedFields/LocalFlowStep.expected +++ b/go/ql/test/library-tests/semmle/go/dataflow/PromotedFields/LocalFlowStep.expected @@ -79,106 +79,106 @@ | main.go:7:6:7:9 | function sink | main.go:149:2:149:5 | sink | | main.go:7:6:7:9 | function sink | main.go:150:2:150:5 | sink | | main.go:22:2:22:6 | definition of outer | main.go:25:7:25:11 | outer | -| main.go:22:2:22:6 | definition of outer | main.go:26:7:26:11 | outer | -| main.go:22:2:22:6 | definition of outer | main.go:27:7:27:11 | outer | -| main.go:22:2:22:6 | definition of outer | main.go:28:7:28:11 | outer | | main.go:22:11:24:2 | struct literal | main.go:22:2:22:6 | definition of outer | +| main.go:25:7:25:11 | outer | main.go:26:7:26:11 | outer | +| main.go:26:7:26:11 | outer | main.go:27:7:27:11 | outer | +| main.go:27:7:27:11 | outer | main.go:28:7:28:11 | outer | | main.go:30:2:30:7 | definition of outerp | main.go:33:7:33:12 | outerp | -| main.go:30:2:30:7 | definition of outerp | main.go:34:7:34:12 | outerp | -| main.go:30:2:30:7 | definition of outerp | main.go:35:7:35:12 | outerp | -| main.go:30:2:30:7 | definition of outerp | main.go:36:7:36:12 | outerp | | main.go:30:12:32:2 | &... | main.go:30:2:30:7 | definition of outerp | +| main.go:33:7:33:12 | outerp | main.go:34:7:34:12 | outerp | +| main.go:34:7:34:12 | outerp | main.go:35:7:35:12 | outerp | +| main.go:35:7:35:12 | outerp | main.go:36:7:36:12 | outerp | | main.go:40:2:40:6 | definition of outer | main.go:41:7:41:11 | outer | -| main.go:40:2:40:6 | definition of outer | main.go:42:7:42:11 | outer | -| main.go:40:2:40:6 | definition of outer | main.go:43:7:43:11 | outer | -| main.go:40:2:40:6 | definition of outer | main.go:44:7:44:11 | outer | | main.go:40:11:40:40 | struct literal | main.go:40:2:40:6 | definition of outer | +| main.go:41:7:41:11 | outer | main.go:42:7:42:11 | outer | +| main.go:42:7:42:11 | outer | main.go:43:7:43:11 | outer | +| main.go:43:7:43:11 | outer | main.go:44:7:44:11 | outer | | main.go:46:2:46:7 | definition of outerp | main.go:47:7:47:12 | outerp | -| main.go:46:2:46:7 | definition of outerp | main.go:48:7:48:12 | outerp | -| main.go:46:2:46:7 | definition of outerp | main.go:49:7:49:12 | outerp | -| main.go:46:2:46:7 | definition of outerp | main.go:50:7:50:12 | outerp | | main.go:46:12:46:42 | &... | main.go:46:2:46:7 | definition of outerp | +| main.go:47:7:47:12 | outerp | main.go:48:7:48:12 | outerp | +| main.go:48:7:48:12 | outerp | main.go:49:7:49:12 | outerp | +| main.go:49:7:49:12 | outerp | main.go:50:7:50:12 | outerp | | main.go:54:2:54:6 | definition of inner | main.go:55:19:55:23 | inner | | main.go:54:11:54:25 | struct literal | main.go:54:2:54:6 | definition of inner | | main.go:55:2:55:7 | definition of middle | main.go:56:17:56:22 | middle | | main.go:55:12:55:24 | struct literal | main.go:55:2:55:7 | definition of middle | | main.go:56:2:56:6 | definition of outer | main.go:57:7:57:11 | outer | -| main.go:56:2:56:6 | definition of outer | main.go:58:7:58:11 | outer | -| main.go:56:2:56:6 | definition of outer | main.go:59:7:59:11 | outer | -| main.go:56:2:56:6 | definition of outer | main.go:60:7:60:11 | outer | | main.go:56:11:56:23 | struct literal | main.go:56:2:56:6 | definition of outer | +| main.go:57:7:57:11 | outer | main.go:58:7:58:11 | outer | +| main.go:58:7:58:11 | outer | main.go:59:7:59:11 | outer | +| main.go:59:7:59:11 | outer | main.go:60:7:60:11 | outer | | main.go:62:2:62:7 | definition of innerp | main.go:63:20:63:25 | innerp | | main.go:62:12:62:26 | struct literal | main.go:62:2:62:7 | definition of innerp | | main.go:63:2:63:8 | definition of middlep | main.go:64:18:64:24 | middlep | | main.go:63:13:63:26 | struct literal | main.go:63:2:63:8 | definition of middlep | | main.go:64:2:64:7 | definition of outerp | main.go:65:7:65:12 | outerp | -| main.go:64:2:64:7 | definition of outerp | main.go:66:7:66:12 | outerp | -| main.go:64:2:64:7 | definition of outerp | main.go:67:7:67:12 | outerp | -| main.go:64:2:64:7 | definition of outerp | main.go:68:7:68:12 | outerp | | main.go:64:12:64:25 | struct literal | main.go:64:2:64:7 | definition of outerp | +| main.go:65:7:65:12 | outerp | main.go:66:7:66:12 | outerp | +| main.go:66:7:66:12 | outerp | main.go:67:7:67:12 | outerp | +| main.go:67:7:67:12 | outerp | main.go:68:7:68:12 | outerp | | main.go:72:2:72:6 | definition of inner | main.go:73:26:73:30 | inner | | main.go:72:11:72:25 | struct literal | main.go:72:2:72:6 | definition of inner | | main.go:73:2:73:7 | definition of middle | main.go:74:25:74:30 | middle | | main.go:73:12:73:31 | struct literal | main.go:73:2:73:7 | definition of middle | | main.go:74:2:74:6 | definition of outer | main.go:75:7:75:11 | outer | -| main.go:74:2:74:6 | definition of outer | main.go:76:7:76:11 | outer | -| main.go:74:2:74:6 | definition of outer | main.go:77:7:77:11 | outer | -| main.go:74:2:74:6 | definition of outer | main.go:78:7:78:11 | outer | | main.go:74:11:74:31 | struct literal | main.go:74:2:74:6 | definition of outer | +| main.go:75:7:75:11 | outer | main.go:76:7:76:11 | outer | +| main.go:76:7:76:11 | outer | main.go:77:7:77:11 | outer | +| main.go:77:7:77:11 | outer | main.go:78:7:78:11 | outer | | main.go:80:2:80:7 | definition of innerp | main.go:81:27:81:32 | innerp | | main.go:80:12:80:26 | struct literal | main.go:80:2:80:7 | definition of innerp | | main.go:81:2:81:8 | definition of middlep | main.go:82:26:82:32 | middlep | | main.go:81:13:81:33 | struct literal | main.go:81:2:81:8 | definition of middlep | | main.go:82:2:82:7 | definition of outerp | main.go:83:7:83:12 | outerp | -| main.go:82:2:82:7 | definition of outerp | main.go:84:7:84:12 | outerp | -| main.go:82:2:82:7 | definition of outerp | main.go:85:7:85:12 | outerp | -| main.go:82:2:82:7 | definition of outerp | main.go:86:7:86:12 | outerp | | main.go:82:12:82:33 | struct literal | main.go:82:2:82:7 | definition of outerp | +| main.go:83:7:83:12 | outerp | main.go:84:7:84:12 | outerp | +| main.go:84:7:84:12 | outerp | main.go:85:7:85:12 | outerp | +| main.go:85:7:85:12 | outerp | main.go:86:7:86:12 | outerp | | main.go:90:6:90:10 | definition of outer | main.go:91:2:91:6 | outer | -| main.go:90:6:90:10 | definition of outer | main.go:92:7:92:11 | outer | -| main.go:90:6:90:10 | definition of outer | main.go:93:7:93:11 | outer | -| main.go:90:6:90:10 | definition of outer | main.go:94:7:94:11 | outer | -| main.go:90:6:90:10 | definition of outer | main.go:95:7:95:11 | outer | | main.go:90:6:90:10 | zero value for outer | main.go:90:6:90:10 | definition of outer | +| main.go:91:2:91:6 | outer | main.go:92:7:92:11 | outer | +| main.go:92:7:92:11 | outer | main.go:93:7:93:11 | outer | +| main.go:93:7:93:11 | outer | main.go:94:7:94:11 | outer | +| main.go:94:7:94:11 | outer | main.go:95:7:95:11 | outer | | main.go:97:6:97:11 | definition of outerp | main.go:98:2:98:7 | outerp | -| main.go:97:6:97:11 | definition of outerp | main.go:99:7:99:12 | outerp | -| main.go:97:6:97:11 | definition of outerp | main.go:100:7:100:12 | outerp | -| main.go:97:6:97:11 | definition of outerp | main.go:101:7:101:12 | outerp | -| main.go:97:6:97:11 | definition of outerp | main.go:102:7:102:12 | outerp | | main.go:97:6:97:11 | zero value for outerp | main.go:97:6:97:11 | definition of outerp | +| main.go:98:2:98:7 | outerp | main.go:99:7:99:12 | outerp | +| main.go:99:7:99:12 | outerp | main.go:100:7:100:12 | outerp | +| main.go:100:7:100:12 | outerp | main.go:101:7:101:12 | outerp | +| main.go:101:7:101:12 | outerp | main.go:102:7:102:12 | outerp | | main.go:106:6:106:10 | definition of outer | main.go:107:2:107:6 | outer | -| main.go:106:6:106:10 | definition of outer | main.go:108:7:108:11 | outer | -| main.go:106:6:106:10 | definition of outer | main.go:109:7:109:11 | outer | -| main.go:106:6:106:10 | definition of outer | main.go:110:7:110:11 | outer | -| main.go:106:6:106:10 | definition of outer | main.go:111:7:111:11 | outer | | main.go:106:6:106:10 | zero value for outer | main.go:106:6:106:10 | definition of outer | +| main.go:107:2:107:6 | outer | main.go:108:7:108:11 | outer | +| main.go:108:7:108:11 | outer | main.go:109:7:109:11 | outer | +| main.go:109:7:109:11 | outer | main.go:110:7:110:11 | outer | +| main.go:110:7:110:11 | outer | main.go:111:7:111:11 | outer | | main.go:113:6:113:11 | definition of outerp | main.go:114:2:114:7 | outerp | -| main.go:113:6:113:11 | definition of outerp | main.go:115:7:115:12 | outerp | -| main.go:113:6:113:11 | definition of outerp | main.go:116:7:116:12 | outerp | -| main.go:113:6:113:11 | definition of outerp | main.go:117:7:117:12 | outerp | -| main.go:113:6:113:11 | definition of outerp | main.go:118:7:118:12 | outerp | | main.go:113:6:113:11 | zero value for outerp | main.go:113:6:113:11 | definition of outerp | +| main.go:114:2:114:7 | outerp | main.go:115:7:115:12 | outerp | +| main.go:115:7:115:12 | outerp | main.go:116:7:116:12 | outerp | +| main.go:116:7:116:12 | outerp | main.go:117:7:117:12 | outerp | +| main.go:117:7:117:12 | outerp | main.go:118:7:118:12 | outerp | | main.go:122:6:122:10 | definition of outer | main.go:123:2:123:6 | outer | -| main.go:122:6:122:10 | definition of outer | main.go:124:7:124:11 | outer | -| main.go:122:6:122:10 | definition of outer | main.go:125:7:125:11 | outer | -| main.go:122:6:122:10 | definition of outer | main.go:126:7:126:11 | outer | -| main.go:122:6:122:10 | definition of outer | main.go:127:7:127:11 | outer | | main.go:122:6:122:10 | zero value for outer | main.go:122:6:122:10 | definition of outer | +| main.go:123:2:123:6 | outer | main.go:124:7:124:11 | outer | +| main.go:124:7:124:11 | outer | main.go:125:7:125:11 | outer | +| main.go:125:7:125:11 | outer | main.go:126:7:126:11 | outer | +| main.go:126:7:126:11 | outer | main.go:127:7:127:11 | outer | | main.go:129:6:129:11 | definition of outerp | main.go:130:2:130:7 | outerp | -| main.go:129:6:129:11 | definition of outerp | main.go:131:7:131:12 | outerp | -| main.go:129:6:129:11 | definition of outerp | main.go:132:7:132:12 | outerp | -| main.go:129:6:129:11 | definition of outerp | main.go:133:7:133:12 | outerp | -| main.go:129:6:129:11 | definition of outerp | main.go:134:7:134:12 | outerp | | main.go:129:6:129:11 | zero value for outerp | main.go:129:6:129:11 | definition of outerp | +| main.go:130:2:130:7 | outerp | main.go:131:7:131:12 | outerp | +| main.go:131:7:131:12 | outerp | main.go:132:7:132:12 | outerp | +| main.go:132:7:132:12 | outerp | main.go:133:7:133:12 | outerp | +| main.go:133:7:133:12 | outerp | main.go:134:7:134:12 | outerp | | main.go:138:6:138:10 | definition of outer | main.go:139:2:139:6 | outer | -| main.go:138:6:138:10 | definition of outer | main.go:140:7:140:11 | outer | -| main.go:138:6:138:10 | definition of outer | main.go:141:7:141:11 | outer | -| main.go:138:6:138:10 | definition of outer | main.go:142:7:142:11 | outer | -| main.go:138:6:138:10 | definition of outer | main.go:143:7:143:11 | outer | | main.go:138:6:138:10 | zero value for outer | main.go:138:6:138:10 | definition of outer | +| main.go:139:2:139:6 | outer | main.go:140:7:140:11 | outer | +| main.go:140:7:140:11 | outer | main.go:141:7:141:11 | outer | +| main.go:141:7:141:11 | outer | main.go:142:7:142:11 | outer | +| main.go:142:7:142:11 | outer | main.go:143:7:143:11 | outer | | main.go:145:6:145:11 | definition of outerp | main.go:146:2:146:7 | outerp | -| main.go:145:6:145:11 | definition of outerp | main.go:147:7:147:12 | outerp | -| main.go:145:6:145:11 | definition of outerp | main.go:148:7:148:12 | outerp | -| main.go:145:6:145:11 | definition of outerp | main.go:149:7:149:12 | outerp | -| main.go:145:6:145:11 | definition of outerp | main.go:150:7:150:12 | outerp | | main.go:145:6:145:11 | zero value for outerp | main.go:145:6:145:11 | definition of outerp | +| main.go:146:2:146:7 | outerp | main.go:147:7:147:12 | outerp | +| main.go:147:7:147:12 | outerp | main.go:148:7:148:12 | outerp | +| main.go:148:7:148:12 | outerp | main.go:149:7:149:12 | outerp | +| main.go:149:7:149:12 | outerp | main.go:150:7:150:12 | outerp | diff --git a/go/ql/test/library-tests/semmle/go/frameworks/Beego/CleartextLogging.expected b/go/ql/test/library-tests/semmle/go/frameworks/Beego/CleartextLogging.expected index 6fd719423566..af5be1041ab5 100644 --- a/go/ql/test/library-tests/semmle/go/frameworks/Beego/CleartextLogging.expected +++ b/go/ql/test/library-tests/semmle/go/frameworks/Beego/CleartextLogging.expected @@ -1,72 +1,173 @@ edges +| test.go:153:17:153:24 | definition of password | test.go:154:14:154:21 | password | +| test.go:153:17:153:24 | definition of password | test.go:154:14:154:21 | password | +| test.go:154:14:154:21 | password | test.go:155:17:155:24 | password | +| test.go:154:14:154:21 | password | test.go:155:17:155:24 | password | +| test.go:155:17:155:24 | password | test.go:156:14:156:21 | password | +| test.go:155:17:155:24 | password | test.go:156:14:156:21 | password | +| test.go:156:14:156:21 | password | test.go:157:18:157:25 | password | +| test.go:156:14:156:21 | password | test.go:157:18:157:25 | password | +| test.go:157:18:157:25 | password | test.go:158:14:158:21 | password | +| test.go:157:18:157:25 | password | test.go:158:14:158:21 | password | +| test.go:158:14:158:21 | password | test.go:159:13:159:20 | password | +| test.go:158:14:158:21 | password | test.go:159:13:159:20 | password | +| test.go:159:13:159:20 | password | test.go:160:22:160:29 | password | +| test.go:159:13:159:20 | password | test.go:160:22:160:29 | password | +| test.go:160:22:160:29 | password | test.go:161:15:161:22 | password | +| test.go:160:22:160:29 | password | test.go:161:15:161:22 | password | +| test.go:161:15:161:22 | password | test.go:162:14:162:21 | password | +| test.go:161:15:161:22 | password | test.go:162:14:162:21 | password | +| test.go:162:14:162:21 | password | test.go:163:13:163:20 | password | +| test.go:162:14:162:21 | password | test.go:163:13:163:20 | password | +| test.go:163:13:163:20 | password | test.go:164:16:164:23 | password | +| test.go:163:13:163:20 | password | test.go:164:16:164:23 | password | +| test.go:164:16:164:23 | password | test.go:165:13:165:20 | password | +| test.go:164:16:164:23 | password | test.go:165:13:165:20 | password | +| test.go:165:13:165:20 | password | test.go:166:16:166:23 | password | +| test.go:165:13:165:20 | password | test.go:166:16:166:23 | password | +| test.go:166:16:166:23 | password | test.go:167:13:167:20 | password | +| test.go:166:16:166:23 | password | test.go:167:13:167:20 | password | +| test.go:167:13:167:20 | password | test.go:168:17:168:24 | password | +| test.go:167:13:167:20 | password | test.go:168:17:168:24 | password | +| test.go:168:17:168:24 | password | test.go:169:13:169:20 | password | +| test.go:168:17:168:24 | password | test.go:169:13:169:20 | password | +| test.go:169:13:169:20 | password | test.go:170:12:170:19 | password | +| test.go:169:13:169:20 | password | test.go:170:12:170:19 | password | +| test.go:170:12:170:19 | password | test.go:171:21:171:28 | password | +| test.go:170:12:170:19 | password | test.go:171:21:171:28 | password | +| test.go:171:21:171:28 | password | test.go:172:14:172:21 | password | +| test.go:171:21:171:28 | password | test.go:172:14:172:21 | password | +| test.go:172:14:172:21 | password | test.go:173:13:173:20 | password | +| test.go:172:14:172:21 | password | test.go:173:13:173:20 | password | +| test.go:173:13:173:20 | password | test.go:174:12:174:19 | password | +| test.go:173:13:173:20 | password | test.go:174:12:174:19 | password | +| test.go:174:12:174:19 | password | test.go:175:15:175:22 | password | +| test.go:174:12:174:19 | password | test.go:175:15:175:22 | password | +| test.go:175:15:175:22 | password | test.go:176:15:176:22 | password | +| test.go:175:15:175:22 | password | test.go:176:15:176:22 | password | +| test.go:176:15:176:22 | password | test.go:177:18:177:25 | password | +| test.go:176:15:176:22 | password | test.go:177:18:177:25 | password | +| test.go:177:18:177:25 | password | test.go:178:15:178:22 | password | +| test.go:177:18:177:25 | password | test.go:178:15:178:22 | password | +| test.go:178:15:178:22 | password | test.go:179:19:179:26 | password | +| test.go:178:15:178:22 | password | test.go:179:19:179:26 | password | +| test.go:179:19:179:26 | password | test.go:180:15:180:22 | password | +| test.go:179:19:179:26 | password | test.go:180:15:180:22 | password | +| test.go:180:15:180:22 | password | test.go:181:14:181:21 | password | +| test.go:180:15:180:22 | password | test.go:181:14:181:21 | password | +| test.go:181:14:181:21 | password | test.go:182:23:182:30 | password | +| test.go:181:14:181:21 | password | test.go:182:23:182:30 | password | +| test.go:182:23:182:30 | password | test.go:183:16:183:23 | password | +| test.go:182:23:182:30 | password | test.go:183:16:183:23 | password | +| test.go:183:16:183:23 | password | test.go:184:15:184:22 | password | +| test.go:183:16:183:23 | password | test.go:184:15:184:22 | password | +| test.go:184:15:184:22 | password | test.go:185:14:185:21 | password | +| test.go:184:15:184:22 | password | test.go:185:14:185:21 | password | +| test.go:185:14:185:21 | password | test.go:186:17:186:24 | password | +| test.go:185:14:185:21 | password | test.go:186:17:186:24 | password | +| test.go:186:17:186:24 | password | test.go:187:16:187:23 | password | nodes +| test.go:153:17:153:24 | definition of password | semmle.label | definition of password | | test.go:154:14:154:21 | password | semmle.label | password | +| test.go:154:14:154:21 | password | semmle.label | password | +| test.go:155:17:155:24 | password | semmle.label | password | | test.go:155:17:155:24 | password | semmle.label | password | | test.go:156:14:156:21 | password | semmle.label | password | +| test.go:156:14:156:21 | password | semmle.label | password | | test.go:157:18:157:25 | password | semmle.label | password | +| test.go:157:18:157:25 | password | semmle.label | password | +| test.go:158:14:158:21 | password | semmle.label | password | | test.go:158:14:158:21 | password | semmle.label | password | | test.go:159:13:159:20 | password | semmle.label | password | +| test.go:159:13:159:20 | password | semmle.label | password | +| test.go:160:22:160:29 | password | semmle.label | password | | test.go:160:22:160:29 | password | semmle.label | password | | test.go:161:15:161:22 | password | semmle.label | password | +| test.go:161:15:161:22 | password | semmle.label | password | +| test.go:162:14:162:21 | password | semmle.label | password | | test.go:162:14:162:21 | password | semmle.label | password | | test.go:163:13:163:20 | password | semmle.label | password | +| test.go:163:13:163:20 | password | semmle.label | password | +| test.go:164:16:164:23 | password | semmle.label | password | | test.go:164:16:164:23 | password | semmle.label | password | | test.go:165:13:165:20 | password | semmle.label | password | +| test.go:165:13:165:20 | password | semmle.label | password | +| test.go:166:16:166:23 | password | semmle.label | password | | test.go:166:16:166:23 | password | semmle.label | password | | test.go:167:13:167:20 | password | semmle.label | password | +| test.go:167:13:167:20 | password | semmle.label | password | +| test.go:168:17:168:24 | password | semmle.label | password | | test.go:168:17:168:24 | password | semmle.label | password | | test.go:169:13:169:20 | password | semmle.label | password | +| test.go:169:13:169:20 | password | semmle.label | password | +| test.go:170:12:170:19 | password | semmle.label | password | | test.go:170:12:170:19 | password | semmle.label | password | | test.go:171:21:171:28 | password | semmle.label | password | +| test.go:171:21:171:28 | password | semmle.label | password | +| test.go:172:14:172:21 | password | semmle.label | password | | test.go:172:14:172:21 | password | semmle.label | password | | test.go:173:13:173:20 | password | semmle.label | password | +| test.go:173:13:173:20 | password | semmle.label | password | +| test.go:174:12:174:19 | password | semmle.label | password | | test.go:174:12:174:19 | password | semmle.label | password | | test.go:175:15:175:22 | password | semmle.label | password | +| test.go:175:15:175:22 | password | semmle.label | password | +| test.go:176:15:176:22 | password | semmle.label | password | | test.go:176:15:176:22 | password | semmle.label | password | | test.go:177:18:177:25 | password | semmle.label | password | +| test.go:177:18:177:25 | password | semmle.label | password | +| test.go:178:15:178:22 | password | semmle.label | password | | test.go:178:15:178:22 | password | semmle.label | password | | test.go:179:19:179:26 | password | semmle.label | password | +| test.go:179:19:179:26 | password | semmle.label | password | +| test.go:180:15:180:22 | password | semmle.label | password | | test.go:180:15:180:22 | password | semmle.label | password | | test.go:181:14:181:21 | password | semmle.label | password | +| test.go:181:14:181:21 | password | semmle.label | password | +| test.go:182:23:182:30 | password | semmle.label | password | | test.go:182:23:182:30 | password | semmle.label | password | | test.go:183:16:183:23 | password | semmle.label | password | +| test.go:183:16:183:23 | password | semmle.label | password | +| test.go:184:15:184:22 | password | semmle.label | password | | test.go:184:15:184:22 | password | semmle.label | password | | test.go:185:14:185:21 | password | semmle.label | password | +| test.go:185:14:185:21 | password | semmle.label | password | +| test.go:186:17:186:24 | password | semmle.label | password | | test.go:186:17:186:24 | password | semmle.label | password | | test.go:187:16:187:23 | password | semmle.label | password | subpaths #select -| test.go:154:14:154:21 | password | test.go:154:14:154:21 | password | test.go:154:14:154:21 | password | $@ flows to a logging call. | test.go:154:14:154:21 | password | Sensitive data returned by an access to password | -| test.go:155:17:155:24 | password | test.go:155:17:155:24 | password | test.go:155:17:155:24 | password | $@ flows to a logging call. | test.go:155:17:155:24 | password | Sensitive data returned by an access to password | -| test.go:156:14:156:21 | password | test.go:156:14:156:21 | password | test.go:156:14:156:21 | password | $@ flows to a logging call. | test.go:156:14:156:21 | password | Sensitive data returned by an access to password | -| test.go:157:18:157:25 | password | test.go:157:18:157:25 | password | test.go:157:18:157:25 | password | $@ flows to a logging call. | test.go:157:18:157:25 | password | Sensitive data returned by an access to password | -| test.go:158:14:158:21 | password | test.go:158:14:158:21 | password | test.go:158:14:158:21 | password | $@ flows to a logging call. | test.go:158:14:158:21 | password | Sensitive data returned by an access to password | -| test.go:159:13:159:20 | password | test.go:159:13:159:20 | password | test.go:159:13:159:20 | password | $@ flows to a logging call. | test.go:159:13:159:20 | password | Sensitive data returned by an access to password | -| test.go:160:22:160:29 | password | test.go:160:22:160:29 | password | test.go:160:22:160:29 | password | $@ flows to a logging call. | test.go:160:22:160:29 | password | Sensitive data returned by an access to password | -| test.go:161:15:161:22 | password | test.go:161:15:161:22 | password | test.go:161:15:161:22 | password | $@ flows to a logging call. | test.go:161:15:161:22 | password | Sensitive data returned by an access to password | -| test.go:162:14:162:21 | password | test.go:162:14:162:21 | password | test.go:162:14:162:21 | password | $@ flows to a logging call. | test.go:162:14:162:21 | password | Sensitive data returned by an access to password | -| test.go:163:13:163:20 | password | test.go:163:13:163:20 | password | test.go:163:13:163:20 | password | $@ flows to a logging call. | test.go:163:13:163:20 | password | Sensitive data returned by an access to password | -| test.go:164:16:164:23 | password | test.go:164:16:164:23 | password | test.go:164:16:164:23 | password | $@ flows to a logging call. | test.go:164:16:164:23 | password | Sensitive data returned by an access to password | -| test.go:165:13:165:20 | password | test.go:165:13:165:20 | password | test.go:165:13:165:20 | password | $@ flows to a logging call. | test.go:165:13:165:20 | password | Sensitive data returned by an access to password | -| test.go:166:16:166:23 | password | test.go:166:16:166:23 | password | test.go:166:16:166:23 | password | $@ flows to a logging call. | test.go:166:16:166:23 | password | Sensitive data returned by an access to password | -| test.go:167:13:167:20 | password | test.go:167:13:167:20 | password | test.go:167:13:167:20 | password | $@ flows to a logging call. | test.go:167:13:167:20 | password | Sensitive data returned by an access to password | -| test.go:168:17:168:24 | password | test.go:168:17:168:24 | password | test.go:168:17:168:24 | password | $@ flows to a logging call. | test.go:168:17:168:24 | password | Sensitive data returned by an access to password | -| test.go:169:13:169:20 | password | test.go:169:13:169:20 | password | test.go:169:13:169:20 | password | $@ flows to a logging call. | test.go:169:13:169:20 | password | Sensitive data returned by an access to password | -| test.go:170:12:170:19 | password | test.go:170:12:170:19 | password | test.go:170:12:170:19 | password | $@ flows to a logging call. | test.go:170:12:170:19 | password | Sensitive data returned by an access to password | -| test.go:171:21:171:28 | password | test.go:171:21:171:28 | password | test.go:171:21:171:28 | password | $@ flows to a logging call. | test.go:171:21:171:28 | password | Sensitive data returned by an access to password | -| test.go:172:14:172:21 | password | test.go:172:14:172:21 | password | test.go:172:14:172:21 | password | $@ flows to a logging call. | test.go:172:14:172:21 | password | Sensitive data returned by an access to password | -| test.go:173:13:173:20 | password | test.go:173:13:173:20 | password | test.go:173:13:173:20 | password | $@ flows to a logging call. | test.go:173:13:173:20 | password | Sensitive data returned by an access to password | -| test.go:174:12:174:19 | password | test.go:174:12:174:19 | password | test.go:174:12:174:19 | password | $@ flows to a logging call. | test.go:174:12:174:19 | password | Sensitive data returned by an access to password | -| test.go:175:15:175:22 | password | test.go:175:15:175:22 | password | test.go:175:15:175:22 | password | $@ flows to a logging call. | test.go:175:15:175:22 | password | Sensitive data returned by an access to password | -| test.go:176:15:176:22 | password | test.go:176:15:176:22 | password | test.go:176:15:176:22 | password | $@ flows to a logging call. | test.go:176:15:176:22 | password | Sensitive data returned by an access to password | -| test.go:177:18:177:25 | password | test.go:177:18:177:25 | password | test.go:177:18:177:25 | password | $@ flows to a logging call. | test.go:177:18:177:25 | password | Sensitive data returned by an access to password | -| test.go:178:15:178:22 | password | test.go:178:15:178:22 | password | test.go:178:15:178:22 | password | $@ flows to a logging call. | test.go:178:15:178:22 | password | Sensitive data returned by an access to password | -| test.go:179:19:179:26 | password | test.go:179:19:179:26 | password | test.go:179:19:179:26 | password | $@ flows to a logging call. | test.go:179:19:179:26 | password | Sensitive data returned by an access to password | -| test.go:180:15:180:22 | password | test.go:180:15:180:22 | password | test.go:180:15:180:22 | password | $@ flows to a logging call. | test.go:180:15:180:22 | password | Sensitive data returned by an access to password | -| test.go:181:14:181:21 | password | test.go:181:14:181:21 | password | test.go:181:14:181:21 | password | $@ flows to a logging call. | test.go:181:14:181:21 | password | Sensitive data returned by an access to password | -| test.go:182:23:182:30 | password | test.go:182:23:182:30 | password | test.go:182:23:182:30 | password | $@ flows to a logging call. | test.go:182:23:182:30 | password | Sensitive data returned by an access to password | -| test.go:183:16:183:23 | password | test.go:183:16:183:23 | password | test.go:183:16:183:23 | password | $@ flows to a logging call. | test.go:183:16:183:23 | password | Sensitive data returned by an access to password | -| test.go:184:15:184:22 | password | test.go:184:15:184:22 | password | test.go:184:15:184:22 | password | $@ flows to a logging call. | test.go:184:15:184:22 | password | Sensitive data returned by an access to password | -| test.go:185:14:185:21 | password | test.go:185:14:185:21 | password | test.go:185:14:185:21 | password | $@ flows to a logging call. | test.go:185:14:185:21 | password | Sensitive data returned by an access to password | -| test.go:186:17:186:24 | password | test.go:186:17:186:24 | password | test.go:186:17:186:24 | password | $@ flows to a logging call. | test.go:186:17:186:24 | password | Sensitive data returned by an access to password | -| test.go:187:16:187:23 | password | test.go:187:16:187:23 | password | test.go:187:16:187:23 | password | $@ flows to a logging call. | test.go:187:16:187:23 | password | Sensitive data returned by an access to password | +| test.go:154:14:154:21 | password | test.go:153:17:153:24 | definition of password | test.go:154:14:154:21 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:155:17:155:24 | password | test.go:153:17:153:24 | definition of password | test.go:155:17:155:24 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:156:14:156:21 | password | test.go:153:17:153:24 | definition of password | test.go:156:14:156:21 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:157:18:157:25 | password | test.go:153:17:153:24 | definition of password | test.go:157:18:157:25 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:158:14:158:21 | password | test.go:153:17:153:24 | definition of password | test.go:158:14:158:21 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:159:13:159:20 | password | test.go:153:17:153:24 | definition of password | test.go:159:13:159:20 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:160:22:160:29 | password | test.go:153:17:153:24 | definition of password | test.go:160:22:160:29 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:161:15:161:22 | password | test.go:153:17:153:24 | definition of password | test.go:161:15:161:22 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:162:14:162:21 | password | test.go:153:17:153:24 | definition of password | test.go:162:14:162:21 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:163:13:163:20 | password | test.go:153:17:153:24 | definition of password | test.go:163:13:163:20 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:164:16:164:23 | password | test.go:153:17:153:24 | definition of password | test.go:164:16:164:23 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:165:13:165:20 | password | test.go:153:17:153:24 | definition of password | test.go:165:13:165:20 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:166:16:166:23 | password | test.go:153:17:153:24 | definition of password | test.go:166:16:166:23 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:167:13:167:20 | password | test.go:153:17:153:24 | definition of password | test.go:167:13:167:20 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:168:17:168:24 | password | test.go:153:17:153:24 | definition of password | test.go:168:17:168:24 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:169:13:169:20 | password | test.go:153:17:153:24 | definition of password | test.go:169:13:169:20 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:170:12:170:19 | password | test.go:153:17:153:24 | definition of password | test.go:170:12:170:19 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:171:21:171:28 | password | test.go:153:17:153:24 | definition of password | test.go:171:21:171:28 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:172:14:172:21 | password | test.go:153:17:153:24 | definition of password | test.go:172:14:172:21 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:173:13:173:20 | password | test.go:153:17:153:24 | definition of password | test.go:173:13:173:20 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:174:12:174:19 | password | test.go:153:17:153:24 | definition of password | test.go:174:12:174:19 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:175:15:175:22 | password | test.go:153:17:153:24 | definition of password | test.go:175:15:175:22 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:176:15:176:22 | password | test.go:153:17:153:24 | definition of password | test.go:176:15:176:22 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:177:18:177:25 | password | test.go:153:17:153:24 | definition of password | test.go:177:18:177:25 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:178:15:178:22 | password | test.go:153:17:153:24 | definition of password | test.go:178:15:178:22 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:179:19:179:26 | password | test.go:153:17:153:24 | definition of password | test.go:179:19:179:26 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:180:15:180:22 | password | test.go:153:17:153:24 | definition of password | test.go:180:15:180:22 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:181:14:181:21 | password | test.go:153:17:153:24 | definition of password | test.go:181:14:181:21 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:182:23:182:30 | password | test.go:153:17:153:24 | definition of password | test.go:182:23:182:30 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:183:16:183:23 | password | test.go:153:17:153:24 | definition of password | test.go:183:16:183:23 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:184:15:184:22 | password | test.go:153:17:153:24 | definition of password | test.go:184:15:184:22 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:185:14:185:21 | password | test.go:153:17:153:24 | definition of password | test.go:185:14:185:21 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:186:17:186:24 | password | test.go:153:17:153:24 | definition of password | test.go:186:17:186:24 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | +| test.go:187:16:187:23 | password | test.go:153:17:153:24 | definition of password | test.go:187:16:187:23 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password | From ef9f740ccbcc929da6b3b16bb2b157529d266494 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Wed, 29 Nov 2023 15:36:55 +0000 Subject: [PATCH 11/24] Extra edge to captured variable --- .../UnhandledCloseWritableHandle.expected | 1 + 1 file changed, 1 insertion(+) diff --git a/go/ql/test/query-tests/InconsistentCode/UnhandledCloseWritableHandle/UnhandledCloseWritableHandle.expected b/go/ql/test/query-tests/InconsistentCode/UnhandledCloseWritableHandle/UnhandledCloseWritableHandle.expected index 672e1a5cc8f1..88a364dfb76d 100644 --- a/go/ql/test/query-tests/InconsistentCode/UnhandledCloseWritableHandle/UnhandledCloseWritableHandle.expected +++ b/go/ql/test/query-tests/InconsistentCode/UnhandledCloseWritableHandle/UnhandledCloseWritableHandle.expected @@ -10,6 +10,7 @@ edges | tests.go:8:24:8:24 | definition of f | tests.go:9:8:9:8 | f | provenance | | | tests.go:12:32:12:32 | definition of f | tests.go:13:13:15:2 | capture variable f | provenance | | +| tests.go:12:32:12:32 | definition of f | tests.go:14:3:14:3 | f | provenance | | | tests.go:13:13:15:2 | capture variable f | tests.go:14:3:14:3 | f | provenance | | | tests.go:31:5:31:78 | ... := ...[0] | tests.go:32:21:32:21 | f | provenance | Src:MaD:1 | | tests.go:31:5:31:78 | ... := ...[0] | tests.go:33:29:33:29 | f | provenance | Src:MaD:1 | From ad0b836fe579e2b654ea36ac7fee0ceed6ec39d8 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 30 Nov 2023 14:17:18 +0000 Subject: [PATCH 12/24] Fix Allocation Size Overflow for use-use flow We have an operator expression like `x * 5`. We want to follow where the value of the operator expression goes. We used to follow local flow from an operand, but now there is flow from that operand to the next use of the variable. The fix is to explicitly start local flow from the operator expression. There are also some expected edge changes due to use-use flow. --- .../AllocationSizeOverflowCustomizations.qll | 23 +++++++++++-------- .../CWE-190/AllocationSizeOverflow.expected | 10 ++++++-- 2 files changed, 22 insertions(+), 11 deletions(-) diff --git a/go/ql/lib/semmle/go/security/AllocationSizeOverflowCustomizations.qll b/go/ql/lib/semmle/go/security/AllocationSizeOverflowCustomizations.qll index 60841b048f43..3eced801f209 100644 --- a/go/ql/lib/semmle/go/security/AllocationSizeOverflowCustomizations.qll +++ b/go/ql/lib/semmle/go/security/AllocationSizeOverflowCustomizations.qll @@ -32,7 +32,10 @@ module AllocationSizeOverflow { /** * A data-flow node that is an operand to an operation that may overflow. */ - abstract class OverflowProneOperand extends DataFlow::Node { } + abstract class OverflowProneOperand extends DataFlow::Node { + /** Gets the operation that may overflow that `this` is an operand of. */ + abstract DataFlow::Node getOverflowProneOperation(); + } /** * A data-flow node that represents the size argument of an allocation, such as the `n` in @@ -91,8 +94,7 @@ module AllocationSizeOverflow { AllocationSize allocsz; DefaultSink() { - this instanceof OverflowProneOperand and - localStep*(this, allocsz) and + localStep*(this.(OverflowProneOperand).getOverflowProneOperation(), allocsz) and not allocsz instanceof AllocationSizeCheckBarrier } @@ -134,15 +136,18 @@ module AllocationSizeOverflow { /** An operand of an arithmetic expression that could cause overflow. */ private class DefaultOverflowProneOperand extends OverflowProneOperand { + OperatorExpr parent; + DefaultOverflowProneOperand() { - exists(OperatorExpr parent | isOverflowProne(parent) | - this.asExpr() = parent.getAnOperand() and - // only consider outermost operands to avoid double reporting - not exists(OperatorExpr grandparent | parent = grandparent.getAnOperand().stripParens() | - isOverflowProne(grandparent) - ) + isOverflowProne(parent) and + this.asExpr() = parent.getAnOperand() and + // only consider outermost operands to avoid double reporting + not exists(OperatorExpr grandparent | parent = grandparent.getAnOperand().stripParens() | + isOverflowProne(grandparent) ) } + + override DataFlow::Node getOverflowProneOperation() { result.asExpr() = parent } } /** diff --git a/go/ql/test/query-tests/Security/CWE-190/AllocationSizeOverflow.expected b/go/ql/test/query-tests/Security/CWE-190/AllocationSizeOverflow.expected index 3a9de1ebe600..ec1835a6f8ac 100644 --- a/go/ql/test/query-tests/Security/CWE-190/AllocationSizeOverflow.expected +++ b/go/ql/test/query-tests/Security/CWE-190/AllocationSizeOverflow.expected @@ -17,10 +17,13 @@ edges | tst2.go:14:2:14:29 | ... := ...[0] | tst2.go:15:26:15:29 | data | provenance | | | tst2.go:15:26:15:29 | data | tst2.go:15:22:15:30 | call to len | provenance | Config | | tst3.go:6:2:6:31 | ... := ...[0] | tst3.go:7:26:7:33 | jsonData | provenance | | -| tst3.go:6:2:6:31 | ... := ...[0] | tst3.go:24:20:24:27 | jsonData | provenance | | -| tst3.go:6:2:6:31 | ... := ...[0] | tst3.go:32:20:32:27 | jsonData | provenance | | | tst3.go:7:26:7:33 | jsonData | tst3.go:7:22:7:34 | call to len | provenance | Config | +| tst3.go:7:26:7:33 | jsonData | tst3.go:9:32:9:39 | jsonData | provenance | | +| tst3.go:9:32:9:39 | jsonData | tst3.go:11:9:11:16 | jsonData | provenance | | +| tst3.go:11:9:11:16 | jsonData | tst3.go:16:20:16:27 | jsonData | provenance | | +| tst3.go:16:20:16:27 | jsonData | tst3.go:24:20:24:27 | jsonData | provenance | | | tst3.go:24:20:24:27 | jsonData | tst3.go:24:16:24:28 | call to len | provenance | Config | +| tst3.go:24:20:24:27 | jsonData | tst3.go:32:20:32:27 | jsonData | provenance | | | tst3.go:32:20:32:27 | jsonData | tst3.go:32:16:32:28 | call to len | provenance | Config | | tst.go:14:2:14:30 | ... = ...[0] | tst.go:15:26:15:33 | jsonData | provenance | | | tst.go:15:26:15:33 | jsonData | tst.go:15:22:15:34 | call to len | provenance | Config | @@ -45,6 +48,9 @@ nodes | tst3.go:6:2:6:31 | ... := ...[0] | semmle.label | ... := ...[0] | | tst3.go:7:22:7:34 | call to len | semmle.label | call to len | | tst3.go:7:26:7:33 | jsonData | semmle.label | jsonData | +| tst3.go:9:32:9:39 | jsonData | semmle.label | jsonData | +| tst3.go:11:9:11:16 | jsonData | semmle.label | jsonData | +| tst3.go:16:20:16:27 | jsonData | semmle.label | jsonData | | tst3.go:24:16:24:28 | call to len | semmle.label | call to len | | tst3.go:24:20:24:27 | jsonData | semmle.label | jsonData | | tst3.go:32:16:32:28 | call to len | semmle.label | call to len | From 68128b36ed7a1c64e1659d6b7bb85706dc7ea510 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 30 Nov 2023 15:02:06 +0000 Subject: [PATCH 13/24] Expected test changes (odd because post update nodes are still at the def) --- .../CWE-078/CommandInjection.expected | 16 +++++++------ .../Security/CWE-078/SanitizingDoubleDash.go | 22 ++++++++--------- .../Security/CWE-089/SqlInjection.expected | 24 +++++++++---------- 3 files changed, 32 insertions(+), 30 deletions(-) diff --git a/go/ql/test/query-tests/Security/CWE-078/CommandInjection.expected b/go/ql/test/query-tests/Security/CWE-078/CommandInjection.expected index dff32df4e1ff..78dde84a9475 100644 --- a/go/ql/test/query-tests/Security/CWE-078/CommandInjection.expected +++ b/go/ql/test/query-tests/Security/CWE-078/CommandInjection.expected @@ -48,14 +48,14 @@ edges | GitSubcommands.go:11:13:11:27 | call to Query | GitSubcommands.go:17:36:17:42 | tainted | provenance | | | GitSubcommands.go:33:13:33:19 | selection of URL | GitSubcommands.go:33:13:33:27 | call to Query | provenance | Src:MaD:2 MaD:7 | | GitSubcommands.go:33:13:33:27 | call to Query | GitSubcommands.go:38:32:38:38 | tainted | provenance | | +| SanitizingDoubleDash.go:9:2:9:8 | definition of tainted | SanitizingDoubleDash.go:13:25:13:31 | tainted | provenance | | +| SanitizingDoubleDash.go:9:2:9:8 | definition of tainted | SanitizingDoubleDash.go:14:23:14:33 | slice expression | provenance | | +| SanitizingDoubleDash.go:9:2:9:8 | definition of tainted | SanitizingDoubleDash.go:39:31:39:37 | tainted | provenance | Config | +| SanitizingDoubleDash.go:9:2:9:8 | definition of tainted | SanitizingDoubleDash.go:52:24:52:30 | tainted | provenance | Config | +| SanitizingDoubleDash.go:9:2:9:8 | definition of tainted | SanitizingDoubleDash.go:68:31:68:37 | tainted | provenance | Config | +| SanitizingDoubleDash.go:9:2:9:8 | definition of tainted | SanitizingDoubleDash.go:80:23:80:29 | tainted | provenance | Config | | SanitizingDoubleDash.go:9:13:9:19 | selection of URL | SanitizingDoubleDash.go:9:13:9:27 | call to Query | provenance | Src:MaD:2 MaD:7 | -| SanitizingDoubleDash.go:9:13:9:27 | call to Query | SanitizingDoubleDash.go:13:25:13:31 | tainted | provenance | | -| SanitizingDoubleDash.go:9:13:9:27 | call to Query | SanitizingDoubleDash.go:14:23:14:33 | slice expression | provenance | | -| SanitizingDoubleDash.go:9:13:9:27 | call to Query | SanitizingDoubleDash.go:39:31:39:37 | tainted | provenance | | -| SanitizingDoubleDash.go:9:13:9:27 | call to Query | SanitizingDoubleDash.go:52:24:52:30 | tainted | provenance | | -| SanitizingDoubleDash.go:9:13:9:27 | call to Query | SanitizingDoubleDash.go:53:21:53:28 | arrayLit | provenance | | -| SanitizingDoubleDash.go:9:13:9:27 | call to Query | SanitizingDoubleDash.go:68:31:68:37 | tainted | provenance | | -| SanitizingDoubleDash.go:9:13:9:27 | call to Query | SanitizingDoubleDash.go:80:23:80:29 | tainted | provenance | | +| SanitizingDoubleDash.go:9:13:9:27 | call to Query | SanitizingDoubleDash.go:9:2:9:8 | definition of tainted | provenance | | | SanitizingDoubleDash.go:13:15:13:32 | array literal [array] | SanitizingDoubleDash.go:14:23:14:30 | arrayLit [array] | provenance | | | SanitizingDoubleDash.go:13:25:13:31 | tainted | SanitizingDoubleDash.go:13:15:13:32 | array literal [array] | provenance | | | SanitizingDoubleDash.go:14:23:14:30 | arrayLit [array] | SanitizingDoubleDash.go:14:23:14:33 | slice element node | provenance | | @@ -67,6 +67,7 @@ edges | SanitizingDoubleDash.go:39:31:39:37 | tainted | SanitizingDoubleDash.go:39:14:39:44 | []type{args} [array] | provenance | | | SanitizingDoubleDash.go:52:15:52:31 | slice literal [array] | SanitizingDoubleDash.go:53:21:53:28 | arrayLit [array] | provenance | | | SanitizingDoubleDash.go:52:24:52:30 | tainted | SanitizingDoubleDash.go:52:15:52:31 | slice literal [array] | provenance | | +| SanitizingDoubleDash.go:52:24:52:30 | tainted | SanitizingDoubleDash.go:53:21:53:28 | arrayLit | provenance | | | SanitizingDoubleDash.go:53:14:53:35 | call to append | SanitizingDoubleDash.go:54:23:54:30 | arrayLit | provenance | | | SanitizingDoubleDash.go:53:14:53:35 | call to append [array] | SanitizingDoubleDash.go:54:23:54:30 | arrayLit | provenance | | | SanitizingDoubleDash.go:53:21:53:28 | arrayLit | SanitizingDoubleDash.go:53:14:53:35 | call to append | provenance | MaD:4 | @@ -180,6 +181,7 @@ nodes | GitSubcommands.go:33:13:33:19 | selection of URL | semmle.label | selection of URL | | GitSubcommands.go:33:13:33:27 | call to Query | semmle.label | call to Query | | GitSubcommands.go:38:32:38:38 | tainted | semmle.label | tainted | +| SanitizingDoubleDash.go:9:2:9:8 | definition of tainted | semmle.label | definition of tainted | | SanitizingDoubleDash.go:9:13:9:19 | selection of URL | semmle.label | selection of URL | | SanitizingDoubleDash.go:9:13:9:27 | call to Query | semmle.label | call to Query | | SanitizingDoubleDash.go:13:15:13:32 | array literal [array] | semmle.label | array literal [array] | diff --git a/go/ql/test/query-tests/Security/CWE-078/SanitizingDoubleDash.go b/go/ql/test/query-tests/Security/CWE-078/SanitizingDoubleDash.go index d69a970f0d09..0428df550868 100644 --- a/go/ql/test/query-tests/Security/CWE-078/SanitizingDoubleDash.go +++ b/go/ql/test/query-tests/Security/CWE-078/SanitizingDoubleDash.go @@ -93,62 +93,62 @@ func testDoubleDashIrrelevant(req *http.Request) { { arrayLit := [1]string{tainted} - exec.Command("sudo", arrayLit[:]...) + exec.Command("sudo", arrayLit[:]...) // BAD } { arrayLit := [2]string{"--", tainted} - exec.Command("sudo", arrayLit[:]...) + exec.Command("sudo", arrayLit[:]...) // BAD } { arrayLit := []string{"--", tainted} - exec.Command("sudo", arrayLit...) + exec.Command("sudo", arrayLit...) // BAD } { arrayLit := []string{} arrayLit = append(arrayLit, "--", tainted) - exec.Command("sudo", arrayLit...) + exec.Command("sudo", arrayLit...) // BAD } { arrayLit := []string{} arrayLit = append(arrayLit, tainted, "--") - exec.Command("sudo", arrayLit...) + exec.Command("sudo", arrayLit...) // BAD } { arrayLit := []string{"--"} arrayLit = append(arrayLit, tainted) - exec.Command("sudo", arrayLit...) + exec.Command("sudo", arrayLit...) // BAD } { arrayLit := []string{tainted} arrayLit = append(arrayLit, "--") - exec.Command("sudo", arrayLit...) + exec.Command("sudo", arrayLit...) // BAD } { arrayLit := []string{"--"} arrayLit = append(arrayLit, "something else") arrayLit = append(arrayLit, tainted) - exec.Command("sudo", arrayLit...) + exec.Command("sudo", arrayLit...) // BAD } { arrayLit := []string{"something else"} arrayLit = append(arrayLit, tainted) arrayLit = append(arrayLit, "--") - exec.Command("sudo", arrayLit...) + exec.Command("sudo", arrayLit...) // BAD } { - exec.Command("sudo", "--", tainted) + exec.Command("sudo", "--", tainted) // BAD } { - exec.Command("sudo", tainted, "--") + exec.Command("sudo", tainted, "--") // BAD } } diff --git a/go/ql/test/query-tests/Security/CWE-089/SqlInjection.expected b/go/ql/test/query-tests/Security/CWE-089/SqlInjection.expected index 1ce8c3d1dcf6..542f1b5b89c2 100644 --- a/go/ql/test/query-tests/Security/CWE-089/SqlInjection.expected +++ b/go/ql/test/query-tests/Security/CWE-089/SqlInjection.expected @@ -117,22 +117,22 @@ edges | main.go:61:5:61:15 | RequestData [pointer, Category] | main.go:61:4:61:15 | star expression [Category] | provenance | | | mongoDB.go:40:20:40:30 | call to Referer | mongoDB.go:42:28:42:41 | untrustedInput | provenance | Src:MaD:20 | | mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:50:34:50:39 | filter | provenance | | -| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:61:27:61:32 | filter | provenance | Sink:MaD:4 | -| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:63:23:63:28 | filter | provenance | Sink:MaD:5 | -| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:64:22:64:27 | filter | provenance | Sink:MaD:6 | -| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:66:32:66:37 | filter | provenance | Sink:MaD:7 | -| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:69:17:69:22 | filter | provenance | Sink:MaD:8 | -| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:70:20:70:25 | filter | provenance | Sink:MaD:9 | -| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:71:29:71:34 | filter | provenance | Sink:MaD:10 | -| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:72:30:72:35 | filter | provenance | Sink:MaD:11 | -| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:73:29:73:34 | filter | provenance | Sink:MaD:12 | -| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:78:23:78:28 | filter | provenance | Sink:MaD:13 | -| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:79:23:79:28 | filter | provenance | Sink:MaD:14 | -| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:80:22:80:27 | filter | provenance | Sink:MaD:15 | | mongoDB.go:42:28:42:41 | untrustedInput | mongoDB.go:42:19:42:42 | struct literal | provenance | Config | | mongoDB.go:50:23:50:40 | struct literal | mongoDB.go:57:22:57:29 | pipeline | provenance | Sink:MaD:3 | | mongoDB.go:50:23:50:40 | struct literal | mongoDB.go:81:18:81:25 | pipeline | provenance | Sink:MaD:16 | | mongoDB.go:50:34:50:39 | filter | mongoDB.go:50:23:50:40 | struct literal | provenance | Config | +| mongoDB.go:50:34:50:39 | filter | mongoDB.go:61:27:61:32 | filter | provenance | Sink:MaD:4 | +| mongoDB.go:50:34:50:39 | filter | mongoDB.go:63:23:63:28 | filter | provenance | Sink:MaD:5 | +| mongoDB.go:50:34:50:39 | filter | mongoDB.go:64:22:64:27 | filter | provenance | Sink:MaD:6 | +| mongoDB.go:50:34:50:39 | filter | mongoDB.go:66:32:66:37 | filter | provenance | Sink:MaD:7 | +| mongoDB.go:50:34:50:39 | filter | mongoDB.go:69:17:69:22 | filter | provenance | Sink:MaD:8 | +| mongoDB.go:50:34:50:39 | filter | mongoDB.go:70:20:70:25 | filter | provenance | Sink:MaD:9 | +| mongoDB.go:50:34:50:39 | filter | mongoDB.go:71:29:71:34 | filter | provenance | Sink:MaD:10 | +| mongoDB.go:50:34:50:39 | filter | mongoDB.go:72:30:72:35 | filter | provenance | Sink:MaD:11 | +| mongoDB.go:50:34:50:39 | filter | mongoDB.go:73:29:73:34 | filter | provenance | Sink:MaD:12 | +| mongoDB.go:50:34:50:39 | filter | mongoDB.go:78:23:78:28 | filter | provenance | Sink:MaD:13 | +| mongoDB.go:50:34:50:39 | filter | mongoDB.go:79:23:79:28 | filter | provenance | Sink:MaD:14 | +| mongoDB.go:50:34:50:39 | filter | mongoDB.go:80:22:80:27 | filter | provenance | Sink:MaD:15 | models | 1 | Sink: database/sql; DB; true; Query; ; ; Argument[0]; sql-injection; manual | | 2 | Sink: database/sql; Tx; true; Query; ; ; Argument[0]; sql-injection; manual | From 818ebea5cdebcba7fc67a24fcd1961205605b224 Mon Sep 17 00:00:00 2001 From: Chris Smowton Date: Tue, 26 Jan 2021 14:00:06 +0000 Subject: [PATCH 14/24] Optimise join order for varBlockReaches --- go/ql/lib/semmle/go/dataflow/SsaImpl.qll | 39 +++++++++++++++++++++--- 1 file changed, 34 insertions(+), 5 deletions(-) diff --git a/go/ql/lib/semmle/go/dataflow/SsaImpl.qll b/go/ql/lib/semmle/go/dataflow/SsaImpl.qll index 7380aaf60ebf..fb1ec99c3105 100644 --- a/go/ql/lib/semmle/go/dataflow/SsaImpl.qll +++ b/go/ql/lib/semmle/go/dataflow/SsaImpl.qll @@ -306,6 +306,38 @@ private module Internal { exists(getDefReachingEndOf(b, v)) } + /** + * Holds if `v` occurs in `b1` and `b2` is one of `b1`'s successors. + * + * Factored out of `varBlockReaches` to force join order compared to the larger + * set `blockPrecedesVar(v, b2)`. + */ + pragma[noinline] + private predicate varBlockReachesBaseCand( + SsaSourceVariable v, ReachableBasicBlock b1, ReachableBasicBlock b2 + ) { + varOccursInBlock(v, b1) and + b2 = b1.getASuccessor() + } + + /** + * Holds if `b2` is a transitive successor of `b1` and `v` occurs in `b1` and + * in `b2` or one of its transitive successors but not in any block on the path + * between `b1` and `b2`. Unlike `varBlockReaches` this may include blocks `b2` + * where `v` is dead. + * + * Factored out of `varBlockReaches` to force join order compared to the larger + * set `blockPrecedesVar(v, b2)`. + */ + pragma[noinline] + private predicate varBlockReachesRecCand( + SsaSourceVariable v, ReachableBasicBlock b1, ReachableBasicBlock mid, ReachableBasicBlock b2 + ) { + varBlockReaches(v, b1, mid) and + not varOccursInBlock(v, mid) and + b2 = mid.getASuccessor() + } + /** * Holds if `b2` is a transitive successor of `b1` and `v` occurs in `b1` and * in `b2` or one of its transitive successors but not in any block on the path @@ -314,14 +346,11 @@ private module Internal { private predicate varBlockReaches( SsaSourceVariable v, ReachableBasicBlock b1, ReachableBasicBlock b2 ) { - varOccursInBlock(v, b1) and - b2 = b1.getASuccessor() and + varBlockReachesBaseCand(v, b1, b2) and blockPrecedesVar(v, b2) or exists(ReachableBasicBlock mid | - varBlockReaches(v, b1, mid) and - b2 = mid.getASuccessor() and - not varOccursInBlock(v, mid) and + varBlockReachesRecCand(v, b1, mid, b2) and blockPrecedesVar(v, b2) ) } From 6c863c633b7d44963009dfccb9942e7c13bf19cb Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 30 Nov 2023 21:23:22 +0000 Subject: [PATCH 15/24] Fix IncorrectIntegerConversion for use-use flow We were assuming that `sink` only had one successor, the TypeCastNode, but it can now have an adjacent use as well. --- go/ql/src/Security/CWE-681/IncorrectIntegerConversionQuery.ql | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/go/ql/src/Security/CWE-681/IncorrectIntegerConversionQuery.ql b/go/ql/src/Security/CWE-681/IncorrectIntegerConversionQuery.ql index a310f024a2d0..ce5081a92e92 100644 --- a/go/ql/src/Security/CWE-681/IncorrectIntegerConversionQuery.ql +++ b/go/ql/src/Security/CWE-681/IncorrectIntegerConversionQuery.ql @@ -18,7 +18,8 @@ import semmle.go.security.IncorrectIntegerConversionLib import Flow::PathGraph from - Flow::PathNode source, Flow::PathNode sink, DataFlow::CallNode call, DataFlow::Node sinkConverted + Flow::PathNode source, Flow::PathNode sink, DataFlow::CallNode call, + DataFlow::TypeCastNode sinkConverted where Flow::flowPath(source, sink) and call.getResult(0) = source.getNode() and From 5a09b1515c34c990a4ed967896da2f1e87f64246 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 6 Mar 2025 14:41:44 +0000 Subject: [PATCH 16/24] accept edge changes --- .../DecompressionBombs.expected | 2 +- .../Beego/CleartextLogging.expected | 134 +++++------------- .../Security/CWE-022/TaintedPath.expected | 2 +- 3 files changed, 36 insertions(+), 102 deletions(-) diff --git a/go/ql/test/experimental/CWE-522-DecompressionBombs/DecompressionBombs.expected b/go/ql/test/experimental/CWE-522-DecompressionBombs/DecompressionBombs.expected index 34703cdeef4e..46bccc77a976 100644 --- a/go/ql/test/experimental/CWE-522-DecompressionBombs/DecompressionBombs.expected +++ b/go/ql/test/experimental/CWE-522-DecompressionBombs/DecompressionBombs.expected @@ -68,9 +68,9 @@ edges | test.go:91:15:91:26 | selection of Body | test.go:555:19:555:22 | definition of file | provenance | Src:MaD:1 | | test.go:93:5:93:16 | selection of Body | test.go:580:9:580:12 | definition of file | provenance | Src:MaD:1 | | test.go:128:20:128:27 | definition of filename | test.go:130:33:130:40 | filename | provenance | | -| test.go:128:20:128:27 | definition of filename | test.go:143:51:143:58 | filename | provenance | | | test.go:130:2:130:41 | ... := ...[0] | test.go:132:12:132:12 | f | provenance | | | test.go:130:33:130:40 | filename | test.go:130:2:130:41 | ... := ...[0] | provenance | Config | +| test.go:130:33:130:40 | filename | test.go:143:51:143:58 | filename | provenance | | | test.go:132:3:132:19 | ... := ...[0] | test.go:134:37:134:38 | rc | provenance | | | test.go:132:12:132:12 | f | test.go:132:3:132:19 | ... := ...[0] | provenance | MaD:4 | | test.go:143:2:143:59 | ... := ...[0] | test.go:145:12:145:12 | f | provenance | | diff --git a/go/ql/test/library-tests/semmle/go/frameworks/Beego/CleartextLogging.expected b/go/ql/test/library-tests/semmle/go/frameworks/Beego/CleartextLogging.expected index af5be1041ab5..0983d245453b 100644 --- a/go/ql/test/library-tests/semmle/go/frameworks/Beego/CleartextLogging.expected +++ b/go/ql/test/library-tests/semmle/go/frameworks/Beego/CleartextLogging.expected @@ -1,138 +1,72 @@ edges -| test.go:153:17:153:24 | definition of password | test.go:154:14:154:21 | password | -| test.go:153:17:153:24 | definition of password | test.go:154:14:154:21 | password | -| test.go:154:14:154:21 | password | test.go:155:17:155:24 | password | -| test.go:154:14:154:21 | password | test.go:155:17:155:24 | password | -| test.go:155:17:155:24 | password | test.go:156:14:156:21 | password | -| test.go:155:17:155:24 | password | test.go:156:14:156:21 | password | -| test.go:156:14:156:21 | password | test.go:157:18:157:25 | password | -| test.go:156:14:156:21 | password | test.go:157:18:157:25 | password | -| test.go:157:18:157:25 | password | test.go:158:14:158:21 | password | -| test.go:157:18:157:25 | password | test.go:158:14:158:21 | password | -| test.go:158:14:158:21 | password | test.go:159:13:159:20 | password | -| test.go:158:14:158:21 | password | test.go:159:13:159:20 | password | -| test.go:159:13:159:20 | password | test.go:160:22:160:29 | password | -| test.go:159:13:159:20 | password | test.go:160:22:160:29 | password | -| test.go:160:22:160:29 | password | test.go:161:15:161:22 | password | -| test.go:160:22:160:29 | password | test.go:161:15:161:22 | password | -| test.go:161:15:161:22 | password | test.go:162:14:162:21 | password | -| test.go:161:15:161:22 | password | test.go:162:14:162:21 | password | -| test.go:162:14:162:21 | password | test.go:163:13:163:20 | password | -| test.go:162:14:162:21 | password | test.go:163:13:163:20 | password | -| test.go:163:13:163:20 | password | test.go:164:16:164:23 | password | -| test.go:163:13:163:20 | password | test.go:164:16:164:23 | password | -| test.go:164:16:164:23 | password | test.go:165:13:165:20 | password | -| test.go:164:16:164:23 | password | test.go:165:13:165:20 | password | -| test.go:165:13:165:20 | password | test.go:166:16:166:23 | password | -| test.go:165:13:165:20 | password | test.go:166:16:166:23 | password | -| test.go:166:16:166:23 | password | test.go:167:13:167:20 | password | -| test.go:166:16:166:23 | password | test.go:167:13:167:20 | password | -| test.go:167:13:167:20 | password | test.go:168:17:168:24 | password | -| test.go:167:13:167:20 | password | test.go:168:17:168:24 | password | -| test.go:168:17:168:24 | password | test.go:169:13:169:20 | password | -| test.go:168:17:168:24 | password | test.go:169:13:169:20 | password | -| test.go:169:13:169:20 | password | test.go:170:12:170:19 | password | -| test.go:169:13:169:20 | password | test.go:170:12:170:19 | password | -| test.go:170:12:170:19 | password | test.go:171:21:171:28 | password | -| test.go:170:12:170:19 | password | test.go:171:21:171:28 | password | -| test.go:171:21:171:28 | password | test.go:172:14:172:21 | password | -| test.go:171:21:171:28 | password | test.go:172:14:172:21 | password | -| test.go:172:14:172:21 | password | test.go:173:13:173:20 | password | -| test.go:172:14:172:21 | password | test.go:173:13:173:20 | password | -| test.go:173:13:173:20 | password | test.go:174:12:174:19 | password | -| test.go:173:13:173:20 | password | test.go:174:12:174:19 | password | -| test.go:174:12:174:19 | password | test.go:175:15:175:22 | password | -| test.go:174:12:174:19 | password | test.go:175:15:175:22 | password | -| test.go:175:15:175:22 | password | test.go:176:15:176:22 | password | -| test.go:175:15:175:22 | password | test.go:176:15:176:22 | password | -| test.go:176:15:176:22 | password | test.go:177:18:177:25 | password | -| test.go:176:15:176:22 | password | test.go:177:18:177:25 | password | -| test.go:177:18:177:25 | password | test.go:178:15:178:22 | password | -| test.go:177:18:177:25 | password | test.go:178:15:178:22 | password | -| test.go:178:15:178:22 | password | test.go:179:19:179:26 | password | -| test.go:178:15:178:22 | password | test.go:179:19:179:26 | password | -| test.go:179:19:179:26 | password | test.go:180:15:180:22 | password | -| test.go:179:19:179:26 | password | test.go:180:15:180:22 | password | -| test.go:180:15:180:22 | password | test.go:181:14:181:21 | password | -| test.go:180:15:180:22 | password | test.go:181:14:181:21 | password | -| test.go:181:14:181:21 | password | test.go:182:23:182:30 | password | -| test.go:181:14:181:21 | password | test.go:182:23:182:30 | password | -| test.go:182:23:182:30 | password | test.go:183:16:183:23 | password | -| test.go:182:23:182:30 | password | test.go:183:16:183:23 | password | -| test.go:183:16:183:23 | password | test.go:184:15:184:22 | password | -| test.go:183:16:183:23 | password | test.go:184:15:184:22 | password | -| test.go:184:15:184:22 | password | test.go:185:14:185:21 | password | -| test.go:184:15:184:22 | password | test.go:185:14:185:21 | password | -| test.go:185:14:185:21 | password | test.go:186:17:186:24 | password | -| test.go:185:14:185:21 | password | test.go:186:17:186:24 | password | -| test.go:186:17:186:24 | password | test.go:187:16:187:23 | password | +| test.go:153:17:153:24 | definition of password | test.go:154:14:154:21 | password | provenance | | +| test.go:153:17:153:24 | definition of password | test.go:155:17:155:24 | password | provenance | | +| test.go:153:17:153:24 | definition of password | test.go:156:14:156:21 | password | provenance | | +| test.go:153:17:153:24 | definition of password | test.go:157:18:157:25 | password | provenance | | +| test.go:153:17:153:24 | definition of password | test.go:158:14:158:21 | password | provenance | | +| test.go:153:17:153:24 | definition of password | test.go:159:13:159:20 | password | provenance | | +| test.go:153:17:153:24 | definition of password | test.go:160:22:160:29 | password | provenance | | +| test.go:153:17:153:24 | definition of password | test.go:161:15:161:22 | password | provenance | | +| test.go:153:17:153:24 | definition of password | test.go:162:14:162:21 | password | provenance | | +| test.go:153:17:153:24 | definition of password | test.go:163:13:163:20 | password | provenance | | +| test.go:153:17:153:24 | definition of password | test.go:164:16:164:23 | password | provenance | | +| test.go:153:17:153:24 | definition of password | test.go:165:13:165:20 | password | provenance | Sink:MaD:379 | +| test.go:153:17:153:24 | definition of password | test.go:166:16:166:23 | password | provenance | Sink:MaD:380 | +| test.go:153:17:153:24 | definition of password | test.go:167:13:167:20 | password | provenance | Sink:MaD:381 | +| test.go:153:17:153:24 | definition of password | test.go:168:17:168:24 | password | provenance | Sink:MaD:382 | +| test.go:153:17:153:24 | definition of password | test.go:169:13:169:20 | password | provenance | Sink:MaD:383 | +| test.go:153:17:153:24 | definition of password | test.go:170:12:170:19 | password | provenance | Sink:MaD:384 | +| test.go:153:17:153:24 | definition of password | test.go:171:21:171:28 | password | provenance | Sink:MaD:385 | +| test.go:153:17:153:24 | definition of password | test.go:172:14:172:21 | password | provenance | Sink:MaD:386 | +| test.go:153:17:153:24 | definition of password | test.go:173:13:173:20 | password | provenance | Sink:MaD:387 | +| test.go:153:17:153:24 | definition of password | test.go:174:12:174:19 | password | provenance | Sink:MaD:388 | +| test.go:153:17:153:24 | definition of password | test.go:175:15:175:22 | password | provenance | Sink:MaD:389 | +| test.go:153:17:153:24 | definition of password | test.go:176:15:176:22 | password | provenance | Sink:MaD:390 | +| test.go:153:17:153:24 | definition of password | test.go:177:18:177:25 | password | provenance | Sink:MaD:391 | +| test.go:153:17:153:24 | definition of password | test.go:178:15:178:22 | password | provenance | Sink:MaD:392 | +| test.go:153:17:153:24 | definition of password | test.go:179:19:179:26 | password | provenance | Sink:MaD:393 | +| test.go:153:17:153:24 | definition of password | test.go:180:15:180:22 | password | provenance | Sink:MaD:394 | +| test.go:153:17:153:24 | definition of password | test.go:181:14:181:21 | password | provenance | Sink:MaD:395 | +| test.go:153:17:153:24 | definition of password | test.go:182:23:182:30 | password | provenance | Sink:MaD:396 | +| test.go:153:17:153:24 | definition of password | test.go:183:16:183:23 | password | provenance | Sink:MaD:397 | +| test.go:153:17:153:24 | definition of password | test.go:184:15:184:22 | password | provenance | Sink:MaD:398 | +| test.go:153:17:153:24 | definition of password | test.go:185:14:185:21 | password | provenance | Sink:MaD:399 | +| test.go:153:17:153:24 | definition of password | test.go:186:17:186:24 | password | provenance | Sink:MaD:400 | +| test.go:153:17:153:24 | definition of password | test.go:187:16:187:23 | password | provenance | | nodes | test.go:153:17:153:24 | definition of password | semmle.label | definition of password | | test.go:154:14:154:21 | password | semmle.label | password | -| test.go:154:14:154:21 | password | semmle.label | password | -| test.go:155:17:155:24 | password | semmle.label | password | | test.go:155:17:155:24 | password | semmle.label | password | | test.go:156:14:156:21 | password | semmle.label | password | -| test.go:156:14:156:21 | password | semmle.label | password | | test.go:157:18:157:25 | password | semmle.label | password | -| test.go:157:18:157:25 | password | semmle.label | password | -| test.go:158:14:158:21 | password | semmle.label | password | | test.go:158:14:158:21 | password | semmle.label | password | | test.go:159:13:159:20 | password | semmle.label | password | -| test.go:159:13:159:20 | password | semmle.label | password | -| test.go:160:22:160:29 | password | semmle.label | password | | test.go:160:22:160:29 | password | semmle.label | password | | test.go:161:15:161:22 | password | semmle.label | password | -| test.go:161:15:161:22 | password | semmle.label | password | -| test.go:162:14:162:21 | password | semmle.label | password | | test.go:162:14:162:21 | password | semmle.label | password | | test.go:163:13:163:20 | password | semmle.label | password | -| test.go:163:13:163:20 | password | semmle.label | password | -| test.go:164:16:164:23 | password | semmle.label | password | | test.go:164:16:164:23 | password | semmle.label | password | | test.go:165:13:165:20 | password | semmle.label | password | -| test.go:165:13:165:20 | password | semmle.label | password | -| test.go:166:16:166:23 | password | semmle.label | password | | test.go:166:16:166:23 | password | semmle.label | password | | test.go:167:13:167:20 | password | semmle.label | password | -| test.go:167:13:167:20 | password | semmle.label | password | -| test.go:168:17:168:24 | password | semmle.label | password | | test.go:168:17:168:24 | password | semmle.label | password | | test.go:169:13:169:20 | password | semmle.label | password | -| test.go:169:13:169:20 | password | semmle.label | password | -| test.go:170:12:170:19 | password | semmle.label | password | | test.go:170:12:170:19 | password | semmle.label | password | | test.go:171:21:171:28 | password | semmle.label | password | -| test.go:171:21:171:28 | password | semmle.label | password | -| test.go:172:14:172:21 | password | semmle.label | password | | test.go:172:14:172:21 | password | semmle.label | password | | test.go:173:13:173:20 | password | semmle.label | password | -| test.go:173:13:173:20 | password | semmle.label | password | -| test.go:174:12:174:19 | password | semmle.label | password | | test.go:174:12:174:19 | password | semmle.label | password | | test.go:175:15:175:22 | password | semmle.label | password | -| test.go:175:15:175:22 | password | semmle.label | password | -| test.go:176:15:176:22 | password | semmle.label | password | | test.go:176:15:176:22 | password | semmle.label | password | | test.go:177:18:177:25 | password | semmle.label | password | -| test.go:177:18:177:25 | password | semmle.label | password | -| test.go:178:15:178:22 | password | semmle.label | password | | test.go:178:15:178:22 | password | semmle.label | password | | test.go:179:19:179:26 | password | semmle.label | password | -| test.go:179:19:179:26 | password | semmle.label | password | -| test.go:180:15:180:22 | password | semmle.label | password | | test.go:180:15:180:22 | password | semmle.label | password | | test.go:181:14:181:21 | password | semmle.label | password | -| test.go:181:14:181:21 | password | semmle.label | password | -| test.go:182:23:182:30 | password | semmle.label | password | | test.go:182:23:182:30 | password | semmle.label | password | | test.go:183:16:183:23 | password | semmle.label | password | -| test.go:183:16:183:23 | password | semmle.label | password | -| test.go:184:15:184:22 | password | semmle.label | password | | test.go:184:15:184:22 | password | semmle.label | password | | test.go:185:14:185:21 | password | semmle.label | password | -| test.go:185:14:185:21 | password | semmle.label | password | -| test.go:186:17:186:24 | password | semmle.label | password | | test.go:186:17:186:24 | password | semmle.label | password | | test.go:187:16:187:23 | password | semmle.label | password | subpaths diff --git a/go/ql/test/query-tests/Security/CWE-022/TaintedPath.expected b/go/ql/test/query-tests/Security/CWE-022/TaintedPath.expected index 839d35f663ce..cfb3c63b4a5f 100644 --- a/go/ql/test/query-tests/Security/CWE-022/TaintedPath.expected +++ b/go/ql/test/query-tests/Security/CWE-022/TaintedPath.expected @@ -6,8 +6,8 @@ edges | TaintedPath.go:14:18:14:22 | selection of URL | TaintedPath.go:14:18:14:30 | call to Query | provenance | Src:MaD:2 MaD:3 | | TaintedPath.go:14:18:14:30 | call to Query | TaintedPath.go:17:29:17:40 | tainted_path | provenance | Sink:MaD:1 | | TaintedPath.go:14:18:14:30 | call to Query | TaintedPath.go:21:57:21:68 | tainted_path | provenance | | -| TaintedPath.go:14:18:14:30 | call to Query | TaintedPath.go:68:39:68:56 | ...+... | provenance | | | TaintedPath.go:21:57:21:68 | tainted_path | TaintedPath.go:21:28:21:69 | call to Join | provenance | FunctionModel Sink:MaD:1 | +| TaintedPath.go:21:57:21:68 | tainted_path | TaintedPath.go:68:39:68:56 | ...+... | provenance | | | TaintedPath.go:68:39:68:56 | ...+... | TaintedPath.go:68:28:68:57 | call to Clean | provenance | MaD:4 Sink:MaD:1 | models | 1 | Sink: io/ioutil; ; false; ReadFile; ; ; Argument[0]; path-injection; manual | From 7f5e973c12cf17b0a1b7d30ad91b3c48412deb2c Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 6 Mar 2025 14:43:59 +0000 Subject: [PATCH 17/24] Accept fixed test result --- .../library-tests/semmle/go/dataflow/ExternalValueFlow/test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/test.go b/go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/test.go index f118880d4978..3c172e6082d2 100644 --- a/go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/test.go +++ b/go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/test.go @@ -158,7 +158,7 @@ func simpleflow() { ch := make(chan string) ch <- a.Src1().(string) taint16 := test.StepArgCollectionContentRes(ch) - b.Sink1(taint16) // $ MISSING: hasValueFlow="taint16" // currently fails due to lack of post-update nodes after send statements + b.Sink1(taint16) // $ hasValueFlow="taint16" c1 := test.C{""} c1.Set(a.Src1().(string)) From c30897843596f76a0beebb7249e47971e2e3edf5 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 6 Mar 2025 15:05:17 +0000 Subject: [PATCH 18/24] Make insecure randomness test more realistic --- .../InsecureRandomness/InsecureRandomness.expected | 9 +++------ .../Security/CWE-338/InsecureRandomness/sample.go | 2 +- 2 files changed, 4 insertions(+), 7 deletions(-) diff --git a/go/ql/test/query-tests/Security/CWE-338/InsecureRandomness/InsecureRandomness.expected b/go/ql/test/query-tests/Security/CWE-338/InsecureRandomness/InsecureRandomness.expected index b2659fffde78..40be0e8df691 100644 --- a/go/ql/test/query-tests/Security/CWE-338/InsecureRandomness/InsecureRandomness.expected +++ b/go/ql/test/query-tests/Security/CWE-338/InsecureRandomness/InsecureRandomness.expected @@ -1,8 +1,7 @@ #select | InsecureRandomness.go:12:18:12:40 | call to Intn | InsecureRandomness.go:12:18:12:40 | call to Intn | InsecureRandomness.go:12:18:12:40 | call to Intn | A password-related function depends on a $@ generated with a cryptographically weak RNG. | InsecureRandomness.go:12:18:12:40 | call to Intn | random number | | sample.go:26:25:26:30 | call to Guid | sample.go:15:49:15:61 | call to Uint32 | sample.go:26:25:26:30 | call to Guid | This cryptographic algorithm depends on a $@ generated with a cryptographically weak RNG. | sample.go:15:49:15:61 | call to Uint32 | random number | -| sample.go:37:25:37:29 | nonce | sample.go:34:12:34:40 | call to New | sample.go:37:25:37:29 | nonce | This cryptographic algorithm depends on a $@ generated with a cryptographically weak RNG. | sample.go:34:12:34:40 | call to New | random number | -| sample.go:37:32:37:36 | nonce | sample.go:34:12:34:40 | call to New | sample.go:37:32:37:36 | nonce | This cryptographic algorithm depends on a $@ generated with a cryptographically weak RNG. | sample.go:34:12:34:40 | call to New | random number | +| sample.go:37:35:37:39 | nonce | sample.go:34:12:34:40 | call to New | sample.go:37:35:37:39 | nonce | This cryptographic algorithm depends on a $@ generated with a cryptographically weak RNG. | sample.go:34:12:34:40 | call to New | random number | | sample.go:43:17:43:39 | call to Intn | sample.go:43:17:43:39 | call to Intn | sample.go:43:17:43:39 | call to Intn | A password-related function depends on a $@ generated with a cryptographically weak RNG. | sample.go:43:17:43:39 | call to Intn | random number | | sample.go:58:32:58:43 | type conversion | sample.go:55:17:55:42 | call to Intn | sample.go:58:32:58:43 | type conversion | This cryptographic algorithm depends on a $@ generated with a cryptographically weak RNG. | sample.go:55:17:55:42 | call to Intn | random number | edges @@ -13,8 +12,7 @@ edges | sample.go:15:49:15:61 | call to Uint32 | sample.go:15:31:15:62 | []type{args} [array] | provenance | | | sample.go:15:49:15:61 | call to Uint32 | sample.go:15:31:15:62 | call to Sprintf | provenance | FunctionModel | | sample.go:16:9:16:15 | slice expression | sample.go:26:25:26:30 | call to Guid | provenance | | -| sample.go:33:2:33:6 | definition of nonce | sample.go:37:25:37:29 | nonce | provenance | | -| sample.go:33:2:33:6 | definition of nonce | sample.go:37:32:37:36 | nonce | provenance | | +| sample.go:33:2:33:6 | definition of nonce | sample.go:37:35:37:39 | nonce | provenance | | | sample.go:34:12:34:40 | call to New | sample.go:35:14:35:19 | random | provenance | | | sample.go:35:14:35:19 | random | sample.go:33:2:33:6 | definition of nonce | provenance | MaD:2 | | sample.go:55:17:55:42 | call to Intn | sample.go:56:29:56:38 | randNumber | provenance | | @@ -36,8 +34,7 @@ nodes | sample.go:33:2:33:6 | definition of nonce | semmle.label | definition of nonce | | sample.go:34:12:34:40 | call to New | semmle.label | call to New | | sample.go:35:14:35:19 | random | semmle.label | random | -| sample.go:37:25:37:29 | nonce | semmle.label | nonce | -| sample.go:37:32:37:36 | nonce | semmle.label | nonce | +| sample.go:37:35:37:39 | nonce | semmle.label | nonce | | sample.go:43:17:43:39 | call to Intn | semmle.label | call to Intn | | sample.go:44:17:44:39 | call to Intn | semmle.label | call to Intn | | sample.go:45:17:45:39 | call to Intn | semmle.label | call to Intn | diff --git a/go/ql/test/query-tests/Security/CWE-338/InsecureRandomness/sample.go b/go/ql/test/query-tests/Security/CWE-338/InsecureRandomness/sample.go index df703ff0dfa0..9eef81f63bb4 100644 --- a/go/ql/test/query-tests/Security/CWE-338/InsecureRandomness/sample.go +++ b/go/ql/test/query-tests/Security/CWE-338/InsecureRandomness/sample.go @@ -34,7 +34,7 @@ func encrypt(data []byte, password string) []byte { random := rand.New(rand.NewSource(999)) io.ReadFull(random, nonce) - ciphertext := gcm.Seal(nonce, nonce, data, nil) // BAD: use of an insecure rng to generate a nonce + ciphertext := gcm.Seal(data[:0], nonce, data, nil) // BAD: use of an insecure rng to generate a nonce return ciphertext } From a3dbc5e1cfc4fa780896ce25ed4328c49a70e325 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Fri, 7 Mar 2025 20:50:02 +0000 Subject: [PATCH 19/24] Fix TypeAssertionCheck to not block successor flow By moving it from the expression evaluation to the type assertion evaluation we don't block flow to successor uses of the same variable. --- .../go/security/IncorrectIntegerConversionLib.qll | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/go/ql/lib/semmle/go/security/IncorrectIntegerConversionLib.qll b/go/ql/lib/semmle/go/security/IncorrectIntegerConversionLib.qll index 9125ab6e400a..8cb5eee7f636 100644 --- a/go/ql/lib/semmle/go/security/IncorrectIntegerConversionLib.qll +++ b/go/ql/lib/semmle/go/security/IncorrectIntegerConversionLib.qll @@ -290,13 +290,17 @@ private predicate integerTypeBound(IntegerType it, int bitSize, int architecture * the type assertion succeeded. If it is not checked then there will be a * run-time panic if the type assertion fails, so we can assume it succeeded. */ -class TypeAssertionCheck extends DataFlow::ExprNode, FlowStateTransformer { +class TypeAssertionCheck extends DataFlow::InstructionNode, FlowStateTransformer { IntegerType it; TypeAssertionCheck() { - exists(TypeAssertExpr tae | - this = DataFlow::exprNode(tae.getExpr()) and - it = tae.getTypeExpr().getType().getUnderlyingType() + exists(IR::Instruction evalAssert, TypeAssertExpr assert | + it = assert.getTypeExpr().getType().getUnderlyingType() and + evalAssert = IR::evalExprInstruction(assert) + | + if exists(IR::extractTupleElement(evalAssert, _)) + then this.asInstruction() = IR::extractTupleElement(evalAssert, 0) + else this.asInstruction() = evalAssert ) } From 635b722d7c2d8dd9c4f1daf8d0c2df8f6356fd9a Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Wed, 12 Mar 2025 21:08:05 +0000 Subject: [PATCH 20/24] Improve SSA tests for variables in closures --- .../semmle/go/dataflow/SSA/DefUse.expected | 16 ++++++--- .../go/dataflow/SSA/SsaDefinition.expected | 16 +++++++-- .../go/dataflow/SSA/SsaWithFields.expected | 26 ++++++++++---- .../semmle/go/dataflow/SSA/VarDefs.expected | 33 +++++++++++------- .../semmle/go/dataflow/SSA/VarUses.expected | 34 ++++++++++++++----- .../semmle/go/dataflow/SSA/main.go | 18 ++++++++++ 6 files changed, 107 insertions(+), 36 deletions(-) diff --git a/go/ql/test/library-tests/semmle/go/dataflow/SSA/DefUse.expected b/go/ql/test/library-tests/semmle/go/dataflow/SSA/DefUse.expected index aad16b89ab6b..9fe33491cfd8 100644 --- a/go/ql/test/library-tests/semmle/go/dataflow/SSA/DefUse.expected +++ b/go/ql/test/library-tests/semmle/go/dataflow/SSA/DefUse.expected @@ -28,7 +28,15 @@ | main.go:84:15:84:15 | x | main.go:83:2:83:2 | definition of x | main.go:83:2:83:2 | x | | main.go:97:2:97:8 | wrapper | main.go:95:22:95:28 | definition of wrapper | main.go:95:22:95:28 | wrapper | | main.go:100:9:100:9 | x | main.go:97:2:99:3 | capture variable x | main.go:96:2:96:2 | x | -| main.go:117:2:117:2 | p | main.go:117:2:117:2 | p = phi(def@112:3, def@114:3) | main.go:110:6:110:6 | p | -| main.go:119:12:119:12 | p | main.go:117:2:117:2 | p = phi(def@112:3, def@114:3) | main.go:110:6:110:6 | p | -| main.go:119:17:119:17 | p | main.go:117:2:117:2 | p = phi(def@112:3, def@114:3) | main.go:110:6:110:6 | p | -| main.go:119:24:119:24 | p | main.go:117:2:117:2 | p = phi(def@112:3, def@114:3) | main.go:110:6:110:6 | p | +| main.go:105:2:105:8 | wrapper | main.go:103:20:103:26 | definition of wrapper | main.go:103:20:103:26 | wrapper | +| main.go:106:8:106:8 | x | main.go:105:16:108:2 | capture variable x | main.go:104:2:104:2 | x | +| main.go:107:7:107:7 | y | main.go:106:3:106:3 | definition of y | main.go:106:3:106:3 | y | +| main.go:109:9:109:9 | x | main.go:104:2:104:2 | definition of x | main.go:104:2:104:2 | x | +| main.go:114:2:114:8 | wrapper | main.go:112:29:112:35 | definition of wrapper | main.go:112:29:112:35 | wrapper | +| main.go:115:8:115:8 | x | main.go:114:16:117:2 | capture variable x | main.go:113:2:113:2 | x | +| main.go:116:7:116:7 | y | main.go:115:3:115:3 | definition of y | main.go:115:3:115:3 | y | +| main.go:118:9:118:9 | x | main.go:114:2:117:3 | capture variable x | main.go:113:2:113:2 | x | +| main.go:135:2:135:2 | p | main.go:135:2:135:2 | p = phi(def@130:3, def@132:3) | main.go:128:6:128:6 | p | +| main.go:137:12:137:12 | p | main.go:135:2:135:2 | p = phi(def@130:3, def@132:3) | main.go:128:6:128:6 | p | +| main.go:137:17:137:17 | p | main.go:135:2:135:2 | p = phi(def@130:3, def@132:3) | main.go:128:6:128:6 | p | +| main.go:137:24:137:24 | p | main.go:135:2:135:2 | p = phi(def@130:3, def@132:3) | main.go:128:6:128:6 | p | diff --git a/go/ql/test/library-tests/semmle/go/dataflow/SSA/SsaDefinition.expected b/go/ql/test/library-tests/semmle/go/dataflow/SSA/SsaDefinition.expected index bd905b5c2a70..ddff7565818c 100644 --- a/go/ql/test/library-tests/semmle/go/dataflow/SSA/SsaDefinition.expected +++ b/go/ql/test/library-tests/semmle/go/dataflow/SSA/SsaDefinition.expected @@ -36,6 +36,16 @@ | main.go:96:2:96:2 | definition of x | | main.go:97:2:99:3 | capture variable x | | main.go:98:3:98:3 | definition of x | -| main.go:112:3:112:3 | definition of p | -| main.go:114:3:114:3 | definition of p | -| main.go:117:2:117:2 | p = phi(def@112:3, def@114:3) | +| main.go:103:20:103:26 | definition of wrapper | +| main.go:104:2:104:2 | definition of x | +| main.go:105:16:108:2 | capture variable x | +| main.go:106:3:106:3 | definition of y | +| main.go:112:29:112:35 | definition of wrapper | +| main.go:113:2:113:2 | definition of x | +| main.go:114:2:117:3 | capture variable x | +| main.go:114:16:117:2 | capture variable x | +| main.go:115:3:115:3 | definition of y | +| main.go:116:3:116:3 | definition of x | +| main.go:130:3:130:3 | definition of p | +| main.go:132:3:132:3 | definition of p | +| main.go:135:2:135:2 | p = phi(def@130:3, def@132:3) | diff --git a/go/ql/test/library-tests/semmle/go/dataflow/SSA/SsaWithFields.expected b/go/ql/test/library-tests/semmle/go/dataflow/SSA/SsaWithFields.expected index 245a82acc839..40b9195fc879 100644 --- a/go/ql/test/library-tests/semmle/go/dataflow/SSA/SsaWithFields.expected +++ b/go/ql/test/library-tests/semmle/go/dataflow/SSA/SsaWithFields.expected @@ -37,10 +37,22 @@ | main.go:96:2:96:2 | (def@96:2) | x | | main.go:97:2:99:3 | (capture@97:2) | x | | main.go:98:3:98:3 | (def@98:3) | x | -| main.go:112:3:112:3 | (def@112:3) | p | -| main.go:114:3:114:3 | (def@114:3) | p | -| main.go:117:2:117:2 | (phi@117:2) | p | -| main.go:117:2:117:2 | (phi@117:2).a | p.a | -| main.go:117:2:117:2 | (phi@117:2).b | p.b | -| main.go:117:2:117:2 | (phi@117:2).b.a | p.b.a | -| main.go:117:2:117:2 | (phi@117:2).c | p.c | +| main.go:103:20:103:26 | (def@103:20) | wrapper | +| main.go:103:20:103:26 | (def@103:20).s | wrapper.s | +| main.go:104:2:104:2 | (def@104:2) | x | +| main.go:105:16:108:2 | (capture@105:16) | x | +| main.go:106:3:106:3 | (def@106:3) | y | +| main.go:112:29:112:35 | (def@112:29) | wrapper | +| main.go:112:29:112:35 | (def@112:29).s | wrapper.s | +| main.go:113:2:113:2 | (def@113:2) | x | +| main.go:114:2:117:3 | (capture@114:2) | x | +| main.go:114:16:117:2 | (capture@114:16) | x | +| main.go:115:3:115:3 | (def@115:3) | y | +| main.go:116:3:116:3 | (def@116:3) | x | +| main.go:130:3:130:3 | (def@130:3) | p | +| main.go:132:3:132:3 | (def@132:3) | p | +| main.go:135:2:135:2 | (phi@135:2) | p | +| main.go:135:2:135:2 | (phi@135:2).a | p.a | +| main.go:135:2:135:2 | (phi@135:2).b | p.b | +| main.go:135:2:135:2 | (phi@135:2).b.a | p.b.a | +| main.go:135:2:135:2 | (phi@135:2).c | p.c | diff --git a/go/ql/test/library-tests/semmle/go/dataflow/SSA/VarDefs.expected b/go/ql/test/library-tests/semmle/go/dataflow/SSA/VarDefs.expected index 2cadf9f87abf..6149ddfbb54a 100644 --- a/go/ql/test/library-tests/semmle/go/dataflow/SSA/VarDefs.expected +++ b/go/ql/test/library-tests/semmle/go/dataflow/SSA/VarDefs.expected @@ -32,16 +32,23 @@ | main.go:95:22:95:28 | initialization of wrapper | main.go:95:22:95:28 | wrapper | main.go:95:22:95:28 | argument corresponding to wrapper | | main.go:96:2:96:2 | assignment to x | main.go:96:2:96:2 | x | main.go:96:7:96:7 | 0 | | main.go:98:3:98:3 | assignment to x | main.go:96:2:96:2 | x | main.go:98:7:98:7 | 1 | -| main.go:110:6:110:6 | assignment to p | main.go:110:6:110:6 | p | main.go:110:6:110:6 | zero value for p | -| main.go:112:3:112:3 | assignment to p | main.go:110:6:110:6 | p | main.go:112:7:112:24 | struct literal | -| main.go:112:9:112:9 | init of 2 | main.go:104:2:104:2 | a | main.go:112:9:112:9 | 2 | -| main.go:112:12:112:18 | init of struct literal | main.go:105:2:105:2 | b | main.go:112:12:112:18 | struct literal | -| main.go:112:14:112:14 | init of 1 | main.go:89:2:89:2 | a | main.go:112:14:112:14 | 1 | -| main.go:112:17:112:17 | init of 5 | main.go:90:2:90:2 | b | main.go:112:17:112:17 | 5 | -| main.go:112:21:112:23 | init of 'n' | main.go:106:2:106:2 | c | main.go:112:21:112:23 | 'n' | -| main.go:114:3:114:3 | assignment to p | main.go:110:6:110:6 | p | main.go:114:7:114:24 | struct literal | -| main.go:114:9:114:9 | init of 3 | main.go:104:2:104:2 | a | main.go:114:9:114:9 | 3 | -| main.go:114:12:114:18 | init of struct literal | main.go:105:2:105:2 | b | main.go:114:12:114:18 | struct literal | -| main.go:114:14:114:14 | init of 4 | main.go:89:2:89:2 | a | main.go:114:14:114:14 | 4 | -| main.go:114:17:114:17 | init of 5 | main.go:90:2:90:2 | b | main.go:114:17:114:17 | 5 | -| main.go:114:21:114:23 | init of '2' | main.go:106:2:106:2 | c | main.go:114:21:114:23 | '2' | +| main.go:103:20:103:26 | initialization of wrapper | main.go:103:20:103:26 | wrapper | main.go:103:20:103:26 | argument corresponding to wrapper | +| main.go:104:2:104:2 | assignment to x | main.go:104:2:104:2 | x | main.go:104:7:104:7 | 0 | +| main.go:106:3:106:3 | assignment to y | main.go:106:3:106:3 | y | main.go:106:8:106:8 | x | +| main.go:112:29:112:35 | initialization of wrapper | main.go:112:29:112:35 | wrapper | main.go:112:29:112:35 | argument corresponding to wrapper | +| main.go:113:2:113:2 | assignment to x | main.go:113:2:113:2 | x | main.go:113:7:113:7 | 0 | +| main.go:115:3:115:3 | assignment to y | main.go:115:3:115:3 | y | main.go:115:8:115:12 | ...+... | +| main.go:116:3:116:3 | assignment to x | main.go:113:2:113:2 | x | main.go:116:7:116:7 | y | +| main.go:128:6:128:6 | assignment to p | main.go:128:6:128:6 | p | main.go:128:6:128:6 | zero value for p | +| main.go:130:3:130:3 | assignment to p | main.go:128:6:128:6 | p | main.go:130:7:130:24 | struct literal | +| main.go:130:9:130:9 | init of 2 | main.go:122:2:122:2 | a | main.go:130:9:130:9 | 2 | +| main.go:130:12:130:18 | init of struct literal | main.go:123:2:123:2 | b | main.go:130:12:130:18 | struct literal | +| main.go:130:14:130:14 | init of 1 | main.go:89:2:89:2 | a | main.go:130:14:130:14 | 1 | +| main.go:130:17:130:17 | init of 5 | main.go:90:2:90:2 | b | main.go:130:17:130:17 | 5 | +| main.go:130:21:130:23 | init of 'n' | main.go:124:2:124:2 | c | main.go:130:21:130:23 | 'n' | +| main.go:132:3:132:3 | assignment to p | main.go:128:6:128:6 | p | main.go:132:7:132:24 | struct literal | +| main.go:132:9:132:9 | init of 3 | main.go:122:2:122:2 | a | main.go:132:9:132:9 | 3 | +| main.go:132:12:132:18 | init of struct literal | main.go:123:2:123:2 | b | main.go:132:12:132:18 | struct literal | +| main.go:132:14:132:14 | init of 4 | main.go:89:2:89:2 | a | main.go:132:14:132:14 | 4 | +| main.go:132:17:132:17 | init of 5 | main.go:90:2:90:2 | b | main.go:132:17:132:17 | 5 | +| main.go:132:21:132:23 | init of '2' | main.go:124:2:124:2 | c | main.go:132:21:132:23 | '2' | diff --git a/go/ql/test/library-tests/semmle/go/dataflow/SSA/VarUses.expected b/go/ql/test/library-tests/semmle/go/dataflow/SSA/VarUses.expected index 332f859f0519..2e6b3c855c36 100644 --- a/go/ql/test/library-tests/semmle/go/dataflow/SSA/VarUses.expected +++ b/go/ql/test/library-tests/semmle/go/dataflow/SSA/VarUses.expected @@ -28,13 +28,29 @@ | main.go:84:15:84:15 | x | main.go:83:2:83:2 | x | | main.go:97:2:97:8 | wrapper | main.go:95:22:95:28 | wrapper | | main.go:97:2:97:10 | selection of s | main.go:95:38:95:38 | s | +| main.go:97:2:97:10 | selection of s | main.go:103:36:103:36 | s | +| main.go:97:2:97:10 | selection of s | main.go:112:45:112:45 | s | | main.go:100:9:100:9 | x | main.go:96:2:96:2 | x | -| main.go:117:2:117:2 | p | main.go:110:6:110:6 | p | -| main.go:117:2:117:4 | selection of b | main.go:105:2:105:2 | b | -| main.go:119:12:119:12 | p | main.go:110:6:110:6 | p | -| main.go:119:12:119:14 | selection of a | main.go:104:2:104:2 | a | -| main.go:119:17:119:17 | p | main.go:110:6:110:6 | p | -| main.go:119:17:119:19 | selection of b | main.go:105:2:105:2 | b | -| main.go:119:17:119:21 | selection of a | main.go:89:2:89:2 | a | -| main.go:119:24:119:24 | p | main.go:110:6:110:6 | p | -| main.go:119:24:119:26 | selection of c | main.go:106:2:106:2 | c | +| main.go:105:2:105:8 | wrapper | main.go:103:20:103:26 | wrapper | +| main.go:105:2:105:10 | selection of s | main.go:95:38:95:38 | s | +| main.go:105:2:105:10 | selection of s | main.go:103:36:103:36 | s | +| main.go:105:2:105:10 | selection of s | main.go:112:45:112:45 | s | +| main.go:106:8:106:8 | x | main.go:104:2:104:2 | x | +| main.go:107:7:107:7 | y | main.go:106:3:106:3 | y | +| main.go:109:9:109:9 | x | main.go:104:2:104:2 | x | +| main.go:114:2:114:8 | wrapper | main.go:112:29:112:35 | wrapper | +| main.go:114:2:114:10 | selection of s | main.go:95:38:95:38 | s | +| main.go:114:2:114:10 | selection of s | main.go:103:36:103:36 | s | +| main.go:114:2:114:10 | selection of s | main.go:112:45:112:45 | s | +| main.go:115:8:115:8 | x | main.go:113:2:113:2 | x | +| main.go:116:7:116:7 | y | main.go:115:3:115:3 | y | +| main.go:118:9:118:9 | x | main.go:113:2:113:2 | x | +| main.go:135:2:135:2 | p | main.go:128:6:128:6 | p | +| main.go:135:2:135:4 | selection of b | main.go:123:2:123:2 | b | +| main.go:137:12:137:12 | p | main.go:128:6:128:6 | p | +| main.go:137:12:137:14 | selection of a | main.go:122:2:122:2 | a | +| main.go:137:17:137:17 | p | main.go:128:6:128:6 | p | +| main.go:137:17:137:19 | selection of b | main.go:123:2:123:2 | b | +| main.go:137:17:137:21 | selection of a | main.go:89:2:89:2 | a | +| main.go:137:24:137:24 | p | main.go:128:6:128:6 | p | +| main.go:137:24:137:26 | selection of c | main.go:124:2:124:2 | c | diff --git a/go/ql/test/library-tests/semmle/go/dataflow/SSA/main.go b/go/ql/test/library-tests/semmle/go/dataflow/SSA/main.go index cda85fdfc664..3967c14469f4 100644 --- a/go/ql/test/library-tests/semmle/go/dataflow/SSA/main.go +++ b/go/ql/test/library-tests/semmle/go/dataflow/SSA/main.go @@ -100,6 +100,24 @@ func updateInClosure(wrapper struct{ s }) int { return x } +func readInClosure(wrapper struct{ s }) int { + x := 0 + wrapper.s.foo(func() { + y := x + _ = y + }) + return x +} + +func readAndUpdateInClosure(wrapper struct{ s }) int { + x := 0 + wrapper.s.foo(func() { + y := x + 1 + x = y + }) + return x +} + type t struct { a int b s From a15ab9956253def0251956043bbbc5d47ff4038c Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Sat, 1 Mar 2025 21:46:22 +0000 Subject: [PATCH 21/24] Invoke `SsaImplCommon::Make` --- go/ql/lib/semmle/go/dataflow/SsaImpl.qll | 49 ++++++++++++++++++++++++ 1 file changed, 49 insertions(+) diff --git a/go/ql/lib/semmle/go/dataflow/SsaImpl.qll b/go/ql/lib/semmle/go/dataflow/SsaImpl.qll index fb1ec99c3105..fe86f4a30909 100644 --- a/go/ql/lib/semmle/go/dataflow/SsaImpl.qll +++ b/go/ql/lib/semmle/go/dataflow/SsaImpl.qll @@ -5,6 +5,7 @@ */ import go +private import codeql.ssa.Ssa as SsaImplCommon cached private module Internal { @@ -460,6 +461,54 @@ private module Internal { firstUse(def, use2) ) } + + private module SsaInput implements SsaImplCommon::InputSig { + private import go as G + + class BasicBlock = G::BasicBlock; + + class ControlFlowNode = G::ControlFlow::Node; + + BasicBlock getImmediateBasicBlockDominator(BasicBlock bb) { + result = bb.getImmediateDominator() + } + + BasicBlock getABasicBlockSuccessor(BasicBlock bb) { result = bb.getASuccessor() } + + class SourceVariable = SsaSourceVariable; + + /** + * Holds if the `i`th node of basic block `bb` is a (potential) write to source + * variable `v`. The Boolean `certain` indicates whether the write is certain. + * + * This includes implicit writes via calls. + */ + predicate variableWrite(BasicBlock bb, int i, SourceVariable v, boolean certain) { + defAt(bb, i, v) and + certain = true + } + + /** + * Holds if the `i`th of basic block `bb` reads source variable `v`. + * + * This includes implicit reads via calls. + */ + predicate variableRead(BasicBlock bb, int i, SourceVariable v, boolean certain) { + useAt(bb, i, v) and certain = true + or + mayCapture(bb, i, v) and certain = false + } + } + + import SsaImplCommon::Make as Impl + + final class SsaInputDefinition = Impl::Definition; + + final class SsaInputWriteDefinition = Impl::WriteDefinition; + + final class SsaInputUncertainWriteDefinition = Impl::UncertainWriteDefinition; + + final class SsaInputPhiNode = Impl::PhiNode; } import Internal From 5bc4ccfcd51ffdbbe2f2a382efcb911e22ae51a7 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Sat, 8 Mar 2025 23:00:40 +0000 Subject: [PATCH 22/24] Refactor: reorder parameters of `SsaDefinition.definesAt` Match the order used in the shared SSA library --- go/ql/lib/semmle/go/dataflow/SSA.qll | 18 +++++++++--------- go/ql/lib/semmle/go/dataflow/SsaImpl.qll | 18 +++++++++--------- 2 files changed, 18 insertions(+), 18 deletions(-) diff --git a/go/ql/lib/semmle/go/dataflow/SSA.qll b/go/ql/lib/semmle/go/dataflow/SSA.qll index 98dae5f3d014..dc2f1aa903be 100644 --- a/go/ql/lib/semmle/go/dataflow/SSA.qll +++ b/go/ql/lib/semmle/go/dataflow/SSA.qll @@ -127,7 +127,7 @@ class SsaDefinition extends TSsaDefinition { * Phi nodes are considered to be at index `-1`, all other definitions at the index of * the control flow node they correspond to. */ - abstract predicate definesAt(ReachableBasicBlock bb, int idx, SsaSourceVariable v); + abstract predicate definesAt(SsaSourceVariable v, ReachableBasicBlock bb, int idx); /** * INTERNAL: Use `toString()` instead. @@ -187,13 +187,13 @@ class SsaExplicitDefinition extends SsaDefinition, TExplicitDef { /** Gets the right-hand side of the definition. */ IR::Instruction getRhs() { this.getInstruction().writes(_, result) } - override predicate definesAt(ReachableBasicBlock bb, int i, SsaSourceVariable v) { + override predicate definesAt(SsaSourceVariable v, ReachableBasicBlock bb, int i) { this = TExplicitDef(bb, i, v) } - override ReachableBasicBlock getBasicBlock() { this.definesAt(result, _, _) } + override ReachableBasicBlock getBasicBlock() { this.definesAt(_, result, _) } - override SsaSourceVariable getSourceVariable() { this = TExplicitDef(_, _, result) } + override SsaSourceVariable getSourceVariable() { this.definesAt(result, _, _) } override string prettyPrintRef() { exists(Location loc | loc = this.getLocation() | @@ -242,20 +242,20 @@ abstract class SsaImplicitDefinition extends SsaDefinition { * at any function call that may affect the value of the variable. */ class SsaVariableCapture extends SsaImplicitDefinition, TCapture { - override predicate definesAt(ReachableBasicBlock bb, int i, SsaSourceVariable v) { + override predicate definesAt(SsaSourceVariable v, ReachableBasicBlock bb, int i) { this = TCapture(bb, i, v) } - override ReachableBasicBlock getBasicBlock() { this.definesAt(result, _, _) } + override ReachableBasicBlock getBasicBlock() { this.definesAt(_, result, _) } - override SsaSourceVariable getSourceVariable() { this.definesAt(_, _, result) } + override SsaSourceVariable getSourceVariable() { this.definesAt(result, _, _) } override string getKind() { result = "capture" } override string prettyPrintDef() { result = "capture variable " + this.getSourceVariable() } override Location getLocation() { - exists(ReachableBasicBlock bb, int i | this.definesAt(bb, i, _) | + exists(ReachableBasicBlock bb, int i | this.definesAt(_, bb, i) | result = bb.getNode(i).getLocation() ) } @@ -288,7 +288,7 @@ class SsaPhiNode extends SsaPseudoDefinition, TPhi { result = getDefReachingEndOf(this.getBasicBlock().getAPredecessor(), this.getSourceVariable()) } - override predicate definesAt(ReachableBasicBlock bb, int i, SsaSourceVariable v) { + override predicate definesAt(SsaSourceVariable v, ReachableBasicBlock bb, int i) { bb = this.getBasicBlock() and v = this.getSourceVariable() and i = -1 } diff --git a/go/ql/lib/semmle/go/dataflow/SsaImpl.qll b/go/ql/lib/semmle/go/dataflow/SsaImpl.qll index fe86f4a30909..30a37d3b68e9 100644 --- a/go/ql/lib/semmle/go/dataflow/SsaImpl.qll +++ b/go/ql/lib/semmle/go/dataflow/SsaImpl.qll @@ -71,7 +71,7 @@ private module Internal { pragma[noinline] private predicate inDefDominanceFrontier(ReachableJoinBlock bb, SsaSourceVariable v) { exists(ReachableBasicBlock defbb, SsaDefinition def | - def.definesAt(defbb, _, v) and + def.definesAt(v, defbb, _) and bb.inDominanceFrontierOf(defbb) ) } @@ -206,7 +206,7 @@ private module Internal { private predicate ssaRef(ReachableBasicBlock bb, int i, SsaSourceVariable v, RefKind k) { useAt(bb, i, v) and k = ReadRef() or - any(SsaDefinition def).definesAt(bb, i, v) and k = WriteRef() + any(SsaDefinition def).definesAt(v, bb, i) and k = WriteRef() } /** @@ -248,7 +248,7 @@ private module Internal { */ private SsaDefinition getLocalDefinition(ReachableBasicBlock bb, int i, SsaSourceVariable v) { exists(int r | r = rewindReads(bb, i, v) | - exists(int j | result.definesAt(bb, j, v) and ssaRefRank(bb, j, v, _) = r - 1) + exists(int j | result.definesAt(v, bb, j) and ssaRefRank(bb, j, v, _) = r - 1) ) } @@ -270,7 +270,7 @@ private module Internal { exists(int lastRef | lastRef = max(int i | ssaRef(bb, i, v, _)) | result = getLocalDefinition(bb, lastRef, v) or - result.definesAt(bb, lastRef, v) and + result.definesAt(v, bb, lastRef) and liveAtSuccEntry(bb, v) ) or @@ -279,7 +279,7 @@ private module Internal { // then one must dominate the other, so we can find the reaching definition // by following the idominance relation backwards. result = getDefReachingEndOfImmediateDominator(bb, v) and - not exists(SsaDefinition ssa | ssa.definesAt(bb, _, v)) and + not exists(SsaDefinition ssa | ssa.definesAt(v, bb, _)) and liveAtSuccEntry(bb, v) } @@ -412,7 +412,7 @@ private module Internal { predicate firstUse(SsaDefinition def, IR::Instruction use) { exists(SsaSourceVariable v, ReachableBasicBlock b1, int i1, ReachableBasicBlock b2, int i2 | adjacentVarRefs(v, b1, i1, b2, i2) and - def.definesAt(b1, i1, v) and + def.definesAt(v, b1, i1) and variableUse(v, use, b2, i2) ) or @@ -421,8 +421,8 @@ private module Internal { int i2 | adjacentVarRefs(v, b1, i1, b2, i2) and - def.definesAt(b1, i1, v) and - redef.definesAt(b2, i2, v) and + def.definesAt(v, b1, i1) and + redef.definesAt(v, b2, i2) and firstUse(redef, use) ) } @@ -457,7 +457,7 @@ private module Internal { | adjacentVarRefs(v, b1, i1, b2, i2) and variableUse(v, use1, b1, i1) and - def.definesAt(b2, i2, v) and + def.definesAt(v, b2, i2) and firstUse(def, use2) ) } From 521b97155173403639e76d3013a52c3c7812e17a Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Mon, 10 Mar 2025 19:16:00 +0000 Subject: [PATCH 23/24] Base SSA classes on shared SSA library --- go/ql/lib/semmle/go/dataflow/SSA.qll | 81 +++++++------------- go/ql/lib/semmle/go/dataflow/SsaImpl.qll | 97 +++--------------------- 2 files changed, 37 insertions(+), 141 deletions(-) diff --git a/go/ql/lib/semmle/go/dataflow/SSA.qll b/go/ql/lib/semmle/go/dataflow/SSA.qll index dc2f1aa903be..828c948dfce5 100644 --- a/go/ql/lib/semmle/go/dataflow/SSA.qll +++ b/go/ql/lib/semmle/go/dataflow/SSA.qll @@ -61,7 +61,7 @@ private predicate unresolvedIdentifier(Ident id, string name) { /** * An SSA variable. */ -class SsaVariable extends TSsaDefinition { +class SsaVariable instanceof SsaDefinition { /** Gets the source variable corresponding to this SSA variable. */ SsaSourceVariable getSourceVariable() { result = this.(SsaDefinition).getSourceVariable() } @@ -107,27 +107,26 @@ class SsaVariable extends TSsaDefinition { /** * An SSA definition. */ -class SsaDefinition extends TSsaDefinition { +class SsaDefinition instanceof ZZZDefinition { + /** + * Holds if this SSA definition defines `v` at index `i` in basic block `bb`. + * Phi nodes are considered to be at index `-1`, while normal variable writes + * are at the index of the control flow node they wrap. + */ + predicate definesAt(SsaSourceVariable v, BasicBlock bb, int i) { + this.(ZZZDefinition).definesAt(v, bb, i) + } + /** Gets the SSA variable defined by this definition. */ SsaVariable getVariable() { result = this } /** Gets the source variable defined by this definition. */ - abstract SsaSourceVariable getSourceVariable(); + SsaSourceVariable getSourceVariable() { this.definesAt(result, _, _) } /** * Gets the basic block to which this definition belongs. */ - abstract ReachableBasicBlock getBasicBlock(); - - /** - * INTERNAL: Use `getBasicBlock()` and `getSourceVariable()` instead. - * - * Holds if this is a definition of source variable `v` at index `idx` in basic block `bb`. - * - * Phi nodes are considered to be at index `-1`, all other definitions at the index of - * the control flow node they correspond to. - */ - abstract predicate definesAt(SsaSourceVariable v, ReachableBasicBlock bb, int idx); + ReachableBasicBlock getBasicBlock() { this.definesAt(_, result, _) } /** * INTERNAL: Use `toString()` instead. @@ -146,12 +145,12 @@ class SsaDefinition extends TSsaDefinition { /** Gets the innermost function or file to which this SSA definition belongs. */ ControlFlow::Root getRoot() { result = this.getBasicBlock().getRoot() } + /** Gets the location of this SSA definition. */ + Location getLocation() { result = this.(ZZZDefinition).getLocation() } + /** Gets a textual representation of this element. */ string toString() { result = this.prettyPrintDef() } - /** Gets the source location for this element. */ - abstract Location getLocation(); - /** * DEPRECATED: Use `getLocation()` instead. * @@ -178,23 +177,17 @@ class SsaDefinition extends TSsaDefinition { /** * An SSA definition that corresponds to an explicit assignment or other variable definition. */ -class SsaExplicitDefinition extends SsaDefinition, TExplicitDef { +class SsaExplicitDefinition extends SsaDefinition { + SsaExplicitDefinition() { not this instanceof SsaImplicitDefinition } + /** Gets the instruction where the definition happens. */ IR::Instruction getInstruction() { - exists(BasicBlock bb, int i | this = TExplicitDef(bb, i, _) | result = bb.getNode(i)) + exists(BasicBlock bb, int i | this.definesAt(_, bb, i) | result = bb.getNode(i)) } /** Gets the right-hand side of the definition. */ IR::Instruction getRhs() { this.getInstruction().writes(_, result) } - override predicate definesAt(SsaSourceVariable v, ReachableBasicBlock bb, int i) { - this = TExplicitDef(bb, i, v) - } - - override ReachableBasicBlock getBasicBlock() { this.definesAt(_, result, _) } - - override SsaSourceVariable getSourceVariable() { this.definesAt(result, _, _) } - override string prettyPrintRef() { exists(Location loc | loc = this.getLocation() | result = "def@" + loc.getStartLine() + ":" + loc.getStartColumn() @@ -202,8 +195,6 @@ class SsaExplicitDefinition extends SsaDefinition, TExplicitDef { } override string prettyPrintDef() { result = "definition of " + this.getSourceVariable() } - - override Location getLocation() { result = this.getInstruction().getLocation() } } /** Provides a helper predicate for working with explicit SSA definitions. */ @@ -230,8 +221,6 @@ abstract class SsaImplicitDefinition extends SsaDefinition { result = this.getKind() + "@" + loc.getStartLine() + ":" + loc.getStartColumn() ) } - - override Location getLocation() { result = this.getBasicBlock().getLocation() } } /** @@ -241,24 +230,16 @@ abstract class SsaImplicitDefinition extends SsaDefinition { * Capturing definitions appear at the beginning of such functions, as well as * at any function call that may affect the value of the variable. */ -class SsaVariableCapture extends SsaImplicitDefinition, TCapture { - override predicate definesAt(SsaSourceVariable v, ReachableBasicBlock bb, int i) { - this = TCapture(bb, i, v) +class SsaVariableCapture extends SsaImplicitDefinition { + SsaVariableCapture() { + exists(BasicBlock bb, int i, SsaSourceVariable v | this.definesAt(v, bb, i) | + mayCapture(bb, i, v) + ) } - override ReachableBasicBlock getBasicBlock() { this.definesAt(_, result, _) } - - override SsaSourceVariable getSourceVariable() { this.definesAt(result, _, _) } - override string getKind() { result = "capture" } override string prettyPrintDef() { result = "capture variable " + this.getSourceVariable() } - - override Location getLocation() { - exists(ReachableBasicBlock bb, int i | this.definesAt(_, bb, i) | - result = bb.getNode(i).getLocation() - ) - } } /** @@ -283,26 +264,16 @@ abstract class SsaPseudoDefinition extends SsaImplicitDefinition { * in the flow graph where otherwise two or more definitions for the variable * would be visible. */ -class SsaPhiNode extends SsaPseudoDefinition, TPhi { +class SsaPhiNode extends SsaPseudoDefinition instanceof ZZZPhiNode { override SsaVariable getAnInput() { result = getDefReachingEndOf(this.getBasicBlock().getAPredecessor(), this.getSourceVariable()) } - override predicate definesAt(SsaSourceVariable v, ReachableBasicBlock bb, int i) { - bb = this.getBasicBlock() and v = this.getSourceVariable() and i = -1 - } - - override ReachableBasicBlock getBasicBlock() { this = TPhi(result, _) } - - override SsaSourceVariable getSourceVariable() { this = TPhi(_, result) } - override string getKind() { result = "phi" } override string prettyPrintDef() { result = this.getSourceVariable() + " = phi(" + this.ppInputs() + ")" } - - override Location getLocation() { result = this.getBasicBlock().getLocation() } } /** diff --git a/go/ql/lib/semmle/go/dataflow/SsaImpl.qll b/go/ql/lib/semmle/go/dataflow/SsaImpl.qll index 30a37d3b68e9..f219200b365e 100644 --- a/go/ql/lib/semmle/go/dataflow/SsaImpl.qll +++ b/go/ql/lib/semmle/go/dataflow/SsaImpl.qll @@ -21,61 +21,6 @@ private module Internal { bb.getNode(i).(IR::Instruction).reads(v) } - /** - * A data type representing SSA definitions. - * - * We distinguish three kinds of SSA definitions: - * - * 1. Variable definitions, including declarations, assignments and increments/decrements. - * 2. Pseudo-definitions for captured variables at the beginning of the capturing function - * as well as after calls. - * 3. Phi nodes. - * - * SSA definitions are only introduced where necessary. In particular, - * unreachable code has no SSA definitions associated with it, and neither - * have dead assignments (that is, assignments whose value is never read). - */ - cached - newtype TSsaDefinition = - /** - * An SSA definition that corresponds to an explicit assignment or other variable definition. - */ - TExplicitDef(ReachableBasicBlock bb, int i, SsaSourceVariable v) { - defAt(bb, i, v) and - (liveAfterDef(bb, i, v) or v.isCaptured()) - } or - /** - * An SSA definition representing the capturing of an SSA-convertible variable - * in the closure of a nested function. - * - * Capturing definitions appear at the beginning of such functions, as well as - * at any function call that may affect the value of the variable. - */ - TCapture(ReachableBasicBlock bb, int i, SsaSourceVariable v) { - mayCapture(bb, i, v) and - liveAfterDef(bb, i, v) - } or - /** - * An SSA phi node, that is, a pseudo-definition for a variable at a point - * in the flow graph where otherwise two or more definitions for the variable - * would be visible. - */ - TPhi(ReachableJoinBlock bb, SsaSourceVariable v) { - liveAtEntry(bb, v) and - inDefDominanceFrontier(bb, v) - } - - /** - * Holds if `bb` is in the dominance frontier of a block containing a definition of `v`. - */ - pragma[noinline] - private predicate inDefDominanceFrontier(ReachableJoinBlock bb, SsaSourceVariable v) { - exists(ReachableBasicBlock defbb, SsaDefinition def | - def.definesAt(v, defbb, _) and - bb.inDominanceFrontierOf(defbb) - ) - } - /** * Holds if `v` is a captured variable which is declared in `declFun` and read in `useFun`. */ @@ -104,7 +49,8 @@ private module Internal { * modeling updates to captured variable `v`. Whether the definition is actually * introduced depends on whether `v` is live at this point in the program. */ - private predicate mayCapture(ReachableBasicBlock bb, int i, SsaSourceVariable v) { + cached + predicate mayCapture(ReachableBasicBlock bb, int i, SsaSourceVariable v) { exists(FuncDef capturingContainer, FuncDef declContainer | // capture initial value of variable declared in enclosing scope readsCapturedVar(capturingContainer, v, declContainer) and @@ -143,31 +89,6 @@ private module Internal { ref(bb, i, v, tp) } - /** - * Gets the maximum rank among all references to `v` in basic block `bb`. - */ - private int maxRefRank(ReachableBasicBlock bb, SsaSourceVariable v) { - result = max(refRank(bb, _, v, _)) - } - - /** - * Holds if variable `v` is live after the `i`th node of basic block `bb`, where - * `i` is the index of a node that may assign or capture `v`. - * - * For the purposes of this predicate, function calls are considered as writes of captured variables. - */ - private predicate liveAfterDef(ReachableBasicBlock bb, int i, SsaSourceVariable v) { - exists(int r | r = refRank(bb, i, v, WriteRef()) | - // the next reference to `v` inside `bb` is a read - r + 1 = refRank(bb, _, v, ReadRef()) - or - // this is the last reference to `v` inside `bb`, but `v` is live at entry - // to a successor basic block of `bb` - r = maxRefRank(bb, v) and - liveAtSuccEntry(bb, v) - ) - } - /** * Holds if variable `v` is live at the beginning of basic block `bb`. * @@ -486,6 +407,8 @@ private module Internal { predicate variableWrite(BasicBlock bb, int i, SourceVariable v, boolean certain) { defAt(bb, i, v) and certain = true + or + mayCapture(bb, i, v) and certain = true } /** @@ -496,19 +419,21 @@ private module Internal { predicate variableRead(BasicBlock bb, int i, SourceVariable v, boolean certain) { useAt(bb, i, v) and certain = true or - mayCapture(bb, i, v) and certain = false + mayCapture(bb, i, v) and certain = true } } import SsaImplCommon::Make as Impl - final class SsaInputDefinition = Impl::Definition; + final class ZZZDefinition = Impl::Definition; - final class SsaInputWriteDefinition = Impl::WriteDefinition; + final class ZZZWriteDefinition = Impl::WriteDefinition; - final class SsaInputUncertainWriteDefinition = Impl::UncertainWriteDefinition; + final class ZZZUncertainWriteDefinition = Impl::UncertainWriteDefinition; - final class SsaInputPhiNode = Impl::PhiNode; + final class ZZZPhiNode = Impl::PhiNode; } import Internal + +predicate captures = Internal::mayCapture/3; From d49f05ff783ab6101b1b13d5eaf48a3eb032b6f5 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Sat, 15 Mar 2025 00:34:57 +0000 Subject: [PATCH 24/24] Test changes --- .../dataflow/FlowSteps/LocalFlowStep.expected | 2 -- .../GlobalValueNumber.expected | 3 --- .../go/dataflow/SSA/SsaDefinition.expected | 2 -- .../go/dataflow/SSA/SsaWithFields.expected | 2 -- .../frameworks/Twirp/RequestForgery.expected | 24 ------------------- .../UnhandledCloseWritableHandle.expected | 14 ----------- .../DeadStoreOfLocal.expected | 2 ++ 7 files changed, 2 insertions(+), 47 deletions(-) diff --git a/go/ql/test/library-tests/semmle/go/dataflow/FlowSteps/LocalFlowStep.expected b/go/ql/test/library-tests/semmle/go/dataflow/FlowSteps/LocalFlowStep.expected index 5ea7b8c73026..5b6842bfaab5 100644 --- a/go/ql/test/library-tests/semmle/go/dataflow/FlowSteps/LocalFlowStep.expected +++ b/go/ql/test/library-tests/semmle/go/dataflow/FlowSteps/LocalFlowStep.expected @@ -68,8 +68,6 @@ | main.go:11:14:11:14 | z | main.go:11:9:11:15 | type conversion | | main.go:14:6:14:10 | function test2 | main.go:34:8:34:12 | test2 | | main.go:14:6:14:10 | function test2 | main.go:34:19:34:23 | test2 | -| main.go:15:2:15:4 | definition of acc | main.go:16:9:19:2 | capture variable acc | -| main.go:15:9:15:9 | 0 | main.go:15:2:15:4 | definition of acc | | main.go:16:9:19:2 | capture variable acc | main.go:17:3:17:5 | acc | | main.go:17:3:17:7 | definition of acc | main.go:16:9:19:2 | capture variable acc | | main.go:17:3:17:7 | definition of acc | main.go:18:10:18:12 | acc | diff --git a/go/ql/test/library-tests/semmle/go/dataflow/GlobalValueNumbering/GlobalValueNumber.expected b/go/ql/test/library-tests/semmle/go/dataflow/GlobalValueNumbering/GlobalValueNumber.expected index 93b3593ec94e..328ebf25f517 100644 --- a/go/ql/test/library-tests/semmle/go/dataflow/GlobalValueNumbering/GlobalValueNumber.expected +++ b/go/ql/test/library-tests/semmle/go/dataflow/GlobalValueNumbering/GlobalValueNumber.expected @@ -27,12 +27,9 @@ | main.go:29:8:29:8 | 5 | main.go:29:8:29:8 | 5 | | main.go:30:9:30:9 | 6 | main.go:30:9:30:9 | 6 | | main.go:30:9:30:9 | definition of res | main.go:30:9:30:9 | 6 | -| main.go:33:15:33:17 | definition of res | main.go:10:7:10:7 | 0 | | main.go:33:15:33:17 | zero value for res | main.go:10:7:10:7 | 0 | -| main.go:34:2:34:4 | definition of res | main.go:34:8:34:8 | 7 | | main.go:34:8:34:8 | 7 | main.go:34:8:34:8 | 7 | | main.go:35:8:37:4 | function call | main.go:35:8:37:4 | function call | -| main.go:36:3:36:5 | definition of res | main.go:36:9:36:9 | 8 | | main.go:36:9:36:9 | 8 | main.go:36:9:36:9 | 8 | | main.go:38:9:38:9 | 9 | main.go:38:9:38:9 | 9 | | main.go:38:9:38:9 | definition of res | main.go:38:9:38:9 | 9 | diff --git a/go/ql/test/library-tests/semmle/go/dataflow/SSA/SsaDefinition.expected b/go/ql/test/library-tests/semmle/go/dataflow/SSA/SsaDefinition.expected index ddff7565818c..750b6d3bf4d2 100644 --- a/go/ql/test/library-tests/semmle/go/dataflow/SSA/SsaDefinition.expected +++ b/go/ql/test/library-tests/semmle/go/dataflow/SSA/SsaDefinition.expected @@ -35,7 +35,6 @@ | main.go:95:22:95:28 | definition of wrapper | | main.go:96:2:96:2 | definition of x | | main.go:97:2:99:3 | capture variable x | -| main.go:98:3:98:3 | definition of x | | main.go:103:20:103:26 | definition of wrapper | | main.go:104:2:104:2 | definition of x | | main.go:105:16:108:2 | capture variable x | @@ -45,7 +44,6 @@ | main.go:114:2:117:3 | capture variable x | | main.go:114:16:117:2 | capture variable x | | main.go:115:3:115:3 | definition of y | -| main.go:116:3:116:3 | definition of x | | main.go:130:3:130:3 | definition of p | | main.go:132:3:132:3 | definition of p | | main.go:135:2:135:2 | p = phi(def@130:3, def@132:3) | diff --git a/go/ql/test/library-tests/semmle/go/dataflow/SSA/SsaWithFields.expected b/go/ql/test/library-tests/semmle/go/dataflow/SSA/SsaWithFields.expected index 40b9195fc879..0fe8c998c16f 100644 --- a/go/ql/test/library-tests/semmle/go/dataflow/SSA/SsaWithFields.expected +++ b/go/ql/test/library-tests/semmle/go/dataflow/SSA/SsaWithFields.expected @@ -36,7 +36,6 @@ | main.go:95:22:95:28 | (def@95:22).s | wrapper.s | | main.go:96:2:96:2 | (def@96:2) | x | | main.go:97:2:99:3 | (capture@97:2) | x | -| main.go:98:3:98:3 | (def@98:3) | x | | main.go:103:20:103:26 | (def@103:20) | wrapper | | main.go:103:20:103:26 | (def@103:20).s | wrapper.s | | main.go:104:2:104:2 | (def@104:2) | x | @@ -48,7 +47,6 @@ | main.go:114:2:117:3 | (capture@114:2) | x | | main.go:114:16:117:2 | (capture@114:16) | x | | main.go:115:3:115:3 | (def@115:3) | y | -| main.go:116:3:116:3 | (def@116:3) | x | | main.go:130:3:130:3 | (def@130:3) | p | | main.go:132:3:132:3 | (def@132:3) | p | | main.go:135:2:135:2 | (phi@135:2) | p | diff --git a/go/ql/test/library-tests/semmle/go/frameworks/Twirp/RequestForgery.expected b/go/ql/test/library-tests/semmle/go/frameworks/Twirp/RequestForgery.expected index 8953a03513ad..116ea34839b9 100644 --- a/go/ql/test/library-tests/semmle/go/frameworks/Twirp/RequestForgery.expected +++ b/go/ql/test/library-tests/semmle/go/frameworks/Twirp/RequestForgery.expected @@ -1,47 +1,23 @@ #select -| server/main.go:30:38:30:48 | selection of Text | rpc/notes/service.twirp.go:538:25:538:32 | selection of Body | server/main.go:30:38:30:48 | selection of Text | The $@ of this request depends on a $@. | server/main.go:30:38:30:48 | selection of Text | URL | rpc/notes/service.twirp.go:538:25:538:32 | selection of Body | user-provided value | | server/main.go:30:38:30:48 | selection of Text | server/main.go:19:56:19:61 | definition of params | server/main.go:30:38:30:48 | selection of Text | The $@ of this request depends on a $@. | server/main.go:30:38:30:48 | selection of Text | URL | server/main.go:19:56:19:61 | definition of params | user-provided value | edges | client/main.go:16:35:16:78 | &... | server/main.go:19:56:19:61 | definition of params | provenance | | | rpc/notes/service.twirp.go:473:6:473:13 | definition of typedReq | rpc/notes/service.twirp.go:477:44:477:51 | typedReq | provenance | | | rpc/notes/service.twirp.go:477:44:477:51 | typedReq | server/main.go:19:56:19:61 | definition of params | provenance | | -| rpc/notes/service.twirp.go:493:2:496:2 | capture variable reqContent | rpc/notes/service.twirp.go:495:35:495:44 | reqContent | provenance | | -| rpc/notes/service.twirp.go:495:35:495:44 | reqContent | server/main.go:19:56:19:61 | definition of params | provenance | | -| rpc/notes/service.twirp.go:538:2:538:33 | ... := ...[0] | rpc/notes/service.twirp.go:544:27:544:29 | buf | provenance | | -| rpc/notes/service.twirp.go:538:25:538:32 | selection of Body | rpc/notes/service.twirp.go:538:2:538:33 | ... := ...[0] | provenance | Src:MaD:1 MaD:3 | -| rpc/notes/service.twirp.go:543:2:543:11 | definition of reqContent | rpc/notes/service.twirp.go:574:2:577:2 | capture variable reqContent | provenance | | -| rpc/notes/service.twirp.go:543:2:543:11 | definition of reqContent | rpc/notes/service.twirp.go:576:35:576:44 | reqContent | provenance | | -| rpc/notes/service.twirp.go:544:27:544:29 | buf | rpc/notes/service.twirp.go:543:2:543:11 | definition of reqContent | provenance | MaD:2 | | rpc/notes/service.twirp.go:554:6:554:13 | definition of typedReq | rpc/notes/service.twirp.go:558:44:558:51 | typedReq | provenance | | | rpc/notes/service.twirp.go:558:44:558:51 | typedReq | server/main.go:19:56:19:61 | definition of params | provenance | | -| rpc/notes/service.twirp.go:574:2:577:2 | capture variable reqContent | rpc/notes/service.twirp.go:576:35:576:44 | reqContent | provenance | | -| rpc/notes/service.twirp.go:576:35:576:44 | reqContent | server/main.go:19:56:19:61 | definition of params | provenance | | | server/main.go:19:56:19:61 | definition of params | server/main.go:19:56:19:61 | definition of params [Return] | provenance | | | server/main.go:19:56:19:61 | definition of params | server/main.go:30:38:30:48 | selection of Text | provenance | | | server/main.go:19:56:19:61 | definition of params | server/main.go:30:38:30:48 | selection of Text | provenance | | | server/main.go:19:56:19:61 | definition of params [Return] | client/main.go:16:35:16:78 | &... | provenance | | | server/main.go:19:56:19:61 | definition of params [Return] | rpc/notes/service.twirp.go:473:6:473:13 | definition of typedReq | provenance | | -| server/main.go:19:56:19:61 | definition of params [Return] | rpc/notes/service.twirp.go:493:2:496:2 | capture variable reqContent | provenance | | | server/main.go:19:56:19:61 | definition of params [Return] | rpc/notes/service.twirp.go:554:6:554:13 | definition of typedReq | provenance | | -| server/main.go:19:56:19:61 | definition of params [Return] | rpc/notes/service.twirp.go:574:2:577:2 | capture variable reqContent | provenance | | -models -| 1 | Source: net/http; Request; true; Body; ; ; ; remote; manual | -| 2 | Summary: google.golang.org/protobuf/proto; ; false; Unmarshal; ; ; Argument[0]; Argument[1]; taint; manual | -| 3 | Summary: io; ; false; ReadAll; ; ; Argument[0]; ReturnValue[0]; taint; manual | nodes | client/main.go:16:35:16:78 | &... | semmle.label | &... | | rpc/notes/service.twirp.go:473:6:473:13 | definition of typedReq | semmle.label | definition of typedReq | | rpc/notes/service.twirp.go:477:44:477:51 | typedReq | semmle.label | typedReq | -| rpc/notes/service.twirp.go:493:2:496:2 | capture variable reqContent | semmle.label | capture variable reqContent | -| rpc/notes/service.twirp.go:495:35:495:44 | reqContent | semmle.label | reqContent | -| rpc/notes/service.twirp.go:538:2:538:33 | ... := ...[0] | semmle.label | ... := ...[0] | -| rpc/notes/service.twirp.go:538:25:538:32 | selection of Body | semmle.label | selection of Body | -| rpc/notes/service.twirp.go:543:2:543:11 | definition of reqContent | semmle.label | definition of reqContent | -| rpc/notes/service.twirp.go:544:27:544:29 | buf | semmle.label | buf | | rpc/notes/service.twirp.go:554:6:554:13 | definition of typedReq | semmle.label | definition of typedReq | | rpc/notes/service.twirp.go:558:44:558:51 | typedReq | semmle.label | typedReq | -| rpc/notes/service.twirp.go:574:2:577:2 | capture variable reqContent | semmle.label | capture variable reqContent | -| rpc/notes/service.twirp.go:576:35:576:44 | reqContent | semmle.label | reqContent | | server/main.go:19:56:19:61 | definition of params | semmle.label | definition of params | | server/main.go:19:56:19:61 | definition of params | semmle.label | definition of params | | server/main.go:19:56:19:61 | definition of params [Return] | semmle.label | definition of params [Return] | diff --git a/go/ql/test/query-tests/InconsistentCode/UnhandledCloseWritableHandle/UnhandledCloseWritableHandle.expected b/go/ql/test/query-tests/InconsistentCode/UnhandledCloseWritableHandle/UnhandledCloseWritableHandle.expected index 88a364dfb76d..773be5fe11cf 100644 --- a/go/ql/test/query-tests/InconsistentCode/UnhandledCloseWritableHandle/UnhandledCloseWritableHandle.expected +++ b/go/ql/test/query-tests/InconsistentCode/UnhandledCloseWritableHandle/UnhandledCloseWritableHandle.expected @@ -1,25 +1,16 @@ #select | tests.go:9:8:9:8 | f | tests.go:31:5:31:78 | ... := ...[0] | tests.go:9:8:9:8 | f | File handle may be writable as a result of data flow from a $@ and closing it may result in data loss upon failure, which is not handled explicitly. | tests.go:31:15:31:78 | call to OpenFile | call to OpenFile | | tests.go:9:8:9:8 | f | tests.go:45:5:45:76 | ... := ...[0] | tests.go:9:8:9:8 | f | File handle may be writable as a result of data flow from a $@ and closing it may result in data loss upon failure, which is not handled explicitly. | tests.go:45:15:45:76 | call to OpenFile | call to OpenFile | -| tests.go:14:3:14:3 | f | tests.go:31:5:31:78 | ... := ...[0] | tests.go:14:3:14:3 | f | File handle may be writable as a result of data flow from a $@ and closing it may result in data loss upon failure, which is not handled explicitly. | tests.go:31:15:31:78 | call to OpenFile | call to OpenFile | -| tests.go:14:3:14:3 | f | tests.go:45:5:45:76 | ... := ...[0] | tests.go:14:3:14:3 | f | File handle may be writable as a result of data flow from a $@ and closing it may result in data loss upon failure, which is not handled explicitly. | tests.go:45:15:45:76 | call to OpenFile | call to OpenFile | | tests.go:56:3:56:3 | f | tests.go:54:5:54:78 | ... := ...[0] | tests.go:56:3:56:3 | f | File handle may be writable as a result of data flow from a $@ and closing it may result in data loss upon failure, which is not handled explicitly. | tests.go:54:15:54:78 | call to OpenFile | call to OpenFile | | tests.go:68:3:68:3 | f | tests.go:66:5:66:76 | ... := ...[0] | tests.go:68:3:68:3 | f | File handle may be writable as a result of data flow from a $@ and closing it may result in data loss upon failure, which is not handled explicitly. | tests.go:66:15:66:76 | call to OpenFile | call to OpenFile | | tests.go:110:9:110:9 | f | tests.go:108:5:108:78 | ... := ...[0] | tests.go:110:9:110:9 | f | File handle may be writable as a result of data flow from a $@ and closing it may result in data loss upon failure, which is not handled explicitly. | tests.go:108:15:108:78 | call to OpenFile | call to OpenFile | | tests.go:129:3:129:3 | f | tests.go:125:5:125:78 | ... := ...[0] | tests.go:129:3:129:3 | f | File handle may be writable as a result of data flow from a $@ and closing it may result in data loss upon failure, which is not handled explicitly. | tests.go:125:15:125:78 | call to OpenFile | call to OpenFile | edges | tests.go:8:24:8:24 | definition of f | tests.go:9:8:9:8 | f | provenance | | -| tests.go:12:32:12:32 | definition of f | tests.go:13:13:15:2 | capture variable f | provenance | | -| tests.go:12:32:12:32 | definition of f | tests.go:14:3:14:3 | f | provenance | | -| tests.go:13:13:15:2 | capture variable f | tests.go:14:3:14:3 | f | provenance | | | tests.go:31:5:31:78 | ... := ...[0] | tests.go:32:21:32:21 | f | provenance | Src:MaD:1 | -| tests.go:31:5:31:78 | ... := ...[0] | tests.go:33:29:33:29 | f | provenance | Src:MaD:1 | | tests.go:32:21:32:21 | f | tests.go:8:24:8:24 | definition of f | provenance | | -| tests.go:33:29:33:29 | f | tests.go:12:32:12:32 | definition of f | provenance | | | tests.go:45:5:45:76 | ... := ...[0] | tests.go:46:21:46:21 | f | provenance | Src:MaD:1 | -| tests.go:45:5:45:76 | ... := ...[0] | tests.go:47:29:47:29 | f | provenance | Src:MaD:1 | | tests.go:46:21:46:21 | f | tests.go:8:24:8:24 | definition of f | provenance | | -| tests.go:47:29:47:29 | f | tests.go:12:32:12:32 | definition of f | provenance | | | tests.go:54:5:54:78 | ... := ...[0] | tests.go:56:3:56:3 | f | provenance | Src:MaD:1 | | tests.go:66:5:66:76 | ... := ...[0] | tests.go:68:3:68:3 | f | provenance | Src:MaD:1 | | tests.go:108:5:108:78 | ... := ...[0] | tests.go:110:9:110:9 | f | provenance | Src:MaD:1 | @@ -29,15 +20,10 @@ models nodes | tests.go:8:24:8:24 | definition of f | semmle.label | definition of f | | tests.go:9:8:9:8 | f | semmle.label | f | -| tests.go:12:32:12:32 | definition of f | semmle.label | definition of f | -| tests.go:13:13:15:2 | capture variable f | semmle.label | capture variable f | -| tests.go:14:3:14:3 | f | semmle.label | f | | tests.go:31:5:31:78 | ... := ...[0] | semmle.label | ... := ...[0] | | tests.go:32:21:32:21 | f | semmle.label | f | -| tests.go:33:29:33:29 | f | semmle.label | f | | tests.go:45:5:45:76 | ... := ...[0] | semmle.label | ... := ...[0] | | tests.go:46:21:46:21 | f | semmle.label | f | -| tests.go:47:29:47:29 | f | semmle.label | f | | tests.go:54:5:54:78 | ... := ...[0] | semmle.label | ... := ...[0] | | tests.go:56:3:56:3 | f | semmle.label | f | | tests.go:66:5:66:76 | ... := ...[0] | semmle.label | ... := ...[0] | diff --git a/go/ql/test/query-tests/RedundantCode/DeadStoreOfLocal/DeadStoreOfLocal.expected b/go/ql/test/query-tests/RedundantCode/DeadStoreOfLocal/DeadStoreOfLocal.expected index 5b2010251ef7..d9444556f2ca 100644 --- a/go/ql/test/query-tests/RedundantCode/DeadStoreOfLocal/DeadStoreOfLocal.expected +++ b/go/ql/test/query-tests/RedundantCode/DeadStoreOfLocal/DeadStoreOfLocal.expected @@ -16,6 +16,8 @@ | testdata.go:172:3:172:3 | assignment to x | This definition of x is never used. | | testdata.go:180:3:180:5 | increment statement | This definition of x is never used. | | testdata.go:201:2:201:2 | assignment to x | This definition of x is never used. | +| testdata.go:227:3:227:5 | increment statement | This definition of x is never used. | +| testdata.go:235:3:235:3 | assignment to x | This definition of x is never used. | | testdata.go:262:2:262:2 | assignment to x | This definition of x is never used. | | testdata.go:268:2:268:2 | assignment to x | This definition of x is never used. | | testdata.go:309:2:309:2 | assignment to a | This definition of a is never used. |