Apply suggestions from code review

co-authored-by: Owen Mansel-Chan <[email protected]>
github · Jan 10, 2024 · cf94554 · cf94554
1 parent 1909adf
commit cf94554
Show file tree

Hide file tree

Showing 3 changed files with 99 additions and 17 deletions.
diff --git a/go/ql/lib/semmle/go/frameworks/stdlib/Log.qll b/go/ql/lib/semmle/go/frameworks/stdlib/Log.qll
@@ -8,24 +8,38 @@ import go
 module Log {
   private class LogFunction extends Function {
     LogFunction() {
-      exists(string fn | fn.matches(["Fatal%", "Panic%", "Print%", "Output"]) |
+      exists(string fn | fn.matches(["Fatal%", "Panic%", "Print%"]) |
         this.hasQualifiedName("log", fn)
         or
         this.(Method).hasQualifiedName("log", "Logger", fn)
       )
     }
   }
 
+  private class LogOutput extends Method {
+    LogOutput() { this.hasQualifiedName("log", "Logger", "Output") }
+  }
+
   private class LogFormatter extends StringOps::Formatting::Range instanceof LogFunction {
     LogFormatter() { this.getName().matches("%f") }
 
     override int getFormatStringIndex() { result = 0 }
   }
 
   private class LogCall extends LoggerCall::Range, DataFlow::CallNode {
-    LogCall() { this = any(LogFunction f).getACall() }
+    DataFlow::Node messageComponent;
+
+    LogCall() {
+      exists(Function f | this = f.getACall() |
+        f instanceof LogFunction and
+        messageComponent = this.getASyntacticArgument()
+        or
+        f instanceof LogOutput and
+        messageComponent = this.getSyntacticArgument(1)
+      )
+    }
 
-    override DataFlow::Node getAMessageComponent() { result = this.getASyntacticArgument() }
+    override DataFlow::Node getAMessageComponent() { result = messageComponent }
   }
 
   /** A fatal log function, which calls `os.Exit`. */

diff --git a/go/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected b/go/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected
@@ -6,8 +6,6 @@ edges
 | klog.go:21:11:21:16 | definition of header | klog.go:22:15:22:20 | header |
 | klog.go:21:27:21:33 | headers | klog.go:21:4:24:4 | range statement[1] |
 | klog.go:28:13:28:20 | selection of Header | klog.go:28:13:28:41 | call to Get |
-| main.go:20:2:20:7 | definition of fields | main.go:22:29:22:34 | fields |
-| main.go:21:19:21:26 | password | main.go:20:2:20:7 | definition of fields |
 | overrides.go:9:9:9:16 | password | overrides.go:13:14:13:23 | call to String |
 | passwords.go:8:12:8:12 | definition of x | passwords.go:9:14:9:14 | x |
 | passwords.go:30:8:30:15 | password | passwords.go:8:12:8:12 | definition of x |
@@ -63,13 +61,34 @@ nodes
 | klog.go:22:15:22:20 | header | semmle.label | header |
 | klog.go:28:13:28:20 | selection of Header | semmle.label | selection of Header |
 | klog.go:28:13:28:41 | call to Get | semmle.label | call to Get |
-| main.go:15:14:15:21 | password | semmle.label | password |
-| main.go:17:12:17:19 | password | semmle.label | password |
-| main.go:18:17:18:24 | password | semmle.label | password |
-| main.go:20:2:20:7 | definition of fields | semmle.label | definition of fields |
-| main.go:21:19:21:26 | password | semmle.label | password |
-| main.go:22:29:22:34 | fields | semmle.label | fields |
-| main.go:25:35:25:42 | password | semmle.label | password |
+| main.go:15:12:15:19 | password | semmle.label | password |
+| main.go:16:17:16:24 | password | semmle.label | password |
+| main.go:17:13:17:20 | password | semmle.label | password |
+| main.go:18:14:18:21 | password | semmle.label | password |
+| main.go:19:12:19:19 | password | semmle.label | password |
+| main.go:20:17:20:24 | password | semmle.label | password |
+| main.go:21:13:21:20 | password | semmle.label | password |
+| main.go:22:14:22:21 | password | semmle.label | password |
+| main.go:23:12:23:19 | password | semmle.label | password |
+| main.go:24:17:24:24 | password | semmle.label | password |
+| main.go:25:13:25:20 | password | semmle.label | password |
+| main.go:26:14:26:21 | password | semmle.label | password |
+| main.go:29:10:29:17 | password | semmle.label | password |
+| main.go:30:15:30:22 | password | semmle.label | password |
+| main.go:31:11:31:18 | password | semmle.label | password |
+| main.go:32:12:32:19 | password | semmle.label | password |
+| main.go:33:10:33:17 | password | semmle.label | password |
+| main.go:34:15:34:22 | password | semmle.label | password |
+| main.go:35:11:35:18 | password | semmle.label | password |
+| main.go:36:12:36:19 | password | semmle.label | password |
+| main.go:37:10:37:17 | password | semmle.label | password |
+| main.go:38:15:38:22 | password | semmle.label | password |
+| main.go:39:11:39:18 | password | semmle.label | password |
+| main.go:40:12:40:19 | password | semmle.label | password |
+| main.go:41:14:41:21 | password | semmle.label | password |
+| main.go:43:12:43:19 | password | semmle.label | password |
+| main.go:44:17:44:24 | password | semmle.label | password |
+| main.go:51:35:51:42 | password | semmle.label | password |
 | overrides.go:9:9:9:16 | password | semmle.label | password |
 | overrides.go:13:14:13:23 | call to String | semmle.label | call to String |
 | passwords.go:8:12:8:12 | definition of x | semmle.label | definition of x |
@@ -139,11 +158,34 @@ subpaths
 #select
 | klog.go:22:15:22:20 | header | klog.go:20:30:20:37 | selection of Header | klog.go:22:15:22:20 | header | $@ flows to a logging call. | klog.go:20:30:20:37 | selection of Header | Sensitive data returned by HTTP request headers |
 | klog.go:28:13:28:41 | call to Get | klog.go:28:13:28:20 | selection of Header | klog.go:28:13:28:41 | call to Get | $@ flows to a logging call. | klog.go:28:13:28:20 | selection of Header | Sensitive data returned by HTTP request headers |
-| main.go:15:14:15:21 | password | main.go:15:14:15:21 | password | main.go:15:14:15:21 | password | $@ flows to a logging call. | main.go:15:14:15:21 | password | Sensitive data returned by an access to password |
-| main.go:17:12:17:19 | password | main.go:17:12:17:19 | password | main.go:17:12:17:19 | password | $@ flows to a logging call. | main.go:17:12:17:19 | password | Sensitive data returned by an access to password |
-| main.go:18:17:18:24 | password | main.go:18:17:18:24 | password | main.go:18:17:18:24 | password | $@ flows to a logging call. | main.go:18:17:18:24 | password | Sensitive data returned by an access to password |
-| main.go:22:29:22:34 | fields | main.go:21:19:21:26 | password | main.go:22:29:22:34 | fields | $@ flows to a logging call. | main.go:21:19:21:26 | password | Sensitive data returned by an access to password |
-| main.go:25:35:25:42 | password | main.go:25:35:25:42 | password | main.go:25:35:25:42 | password | $@ flows to a logging call. | main.go:25:35:25:42 | password | Sensitive data returned by an access to password |
+| main.go:15:12:15:19 | password | main.go:15:12:15:19 | password | main.go:15:12:15:19 | password | $@ flows to a logging call. | main.go:15:12:15:19 | password | Sensitive data returned by an access to password |
+| main.go:16:17:16:24 | password | main.go:16:17:16:24 | password | main.go:16:17:16:24 | password | $@ flows to a logging call. | main.go:16:17:16:24 | password | Sensitive data returned by an access to password |
+| main.go:17:13:17:20 | password | main.go:17:13:17:20 | password | main.go:17:13:17:20 | password | $@ flows to a logging call. | main.go:17:13:17:20 | password | Sensitive data returned by an access to password |
+| main.go:18:14:18:21 | password | main.go:18:14:18:21 | password | main.go:18:14:18:21 | password | $@ flows to a logging call. | main.go:18:14:18:21 | password | Sensitive data returned by an access to password |
+| main.go:19:12:19:19 | password | main.go:19:12:19:19 | password | main.go:19:12:19:19 | password | $@ flows to a logging call. | main.go:19:12:19:19 | password | Sensitive data returned by an access to password |
+| main.go:20:17:20:24 | password | main.go:20:17:20:24 | password | main.go:20:17:20:24 | password | $@ flows to a logging call. | main.go:20:17:20:24 | password | Sensitive data returned by an access to password |
+| main.go:21:13:21:20 | password | main.go:21:13:21:20 | password | main.go:21:13:21:20 | password | $@ flows to a logging call. | main.go:21:13:21:20 | password | Sensitive data returned by an access to password |
+| main.go:22:14:22:21 | password | main.go:22:14:22:21 | password | main.go:22:14:22:21 | password | $@ flows to a logging call. | main.go:22:14:22:21 | password | Sensitive data returned by an access to password |
+| main.go:23:12:23:19 | password | main.go:23:12:23:19 | password | main.go:23:12:23:19 | password | $@ flows to a logging call. | main.go:23:12:23:19 | password | Sensitive data returned by an access to password |
+| main.go:24:17:24:24 | password | main.go:24:17:24:24 | password | main.go:24:17:24:24 | password | $@ flows to a logging call. | main.go:24:17:24:24 | password | Sensitive data returned by an access to password |
+| main.go:25:13:25:20 | password | main.go:25:13:25:20 | password | main.go:25:13:25:20 | password | $@ flows to a logging call. | main.go:25:13:25:20 | password | Sensitive data returned by an access to password |
+| main.go:26:14:26:21 | password | main.go:26:14:26:21 | password | main.go:26:14:26:21 | password | $@ flows to a logging call. | main.go:26:14:26:21 | password | Sensitive data returned by an access to password |
+| main.go:29:10:29:17 | password | main.go:29:10:29:17 | password | main.go:29:10:29:17 | password | $@ flows to a logging call. | main.go:29:10:29:17 | password | Sensitive data returned by an access to password |
+| main.go:30:15:30:22 | password | main.go:30:15:30:22 | password | main.go:30:15:30:22 | password | $@ flows to a logging call. | main.go:30:15:30:22 | password | Sensitive data returned by an access to password |
+| main.go:31:11:31:18 | password | main.go:31:11:31:18 | password | main.go:31:11:31:18 | password | $@ flows to a logging call. | main.go:31:11:31:18 | password | Sensitive data returned by an access to password |
+| main.go:32:12:32:19 | password | main.go:32:12:32:19 | password | main.go:32:12:32:19 | password | $@ flows to a logging call. | main.go:32:12:32:19 | password | Sensitive data returned by an access to password |
+| main.go:33:10:33:17 | password | main.go:33:10:33:17 | password | main.go:33:10:33:17 | password | $@ flows to a logging call. | main.go:33:10:33:17 | password | Sensitive data returned by an access to password |
+| main.go:34:15:34:22 | password | main.go:34:15:34:22 | password | main.go:34:15:34:22 | password | $@ flows to a logging call. | main.go:34:15:34:22 | password | Sensitive data returned by an access to password |
+| main.go:35:11:35:18 | password | main.go:35:11:35:18 | password | main.go:35:11:35:18 | password | $@ flows to a logging call. | main.go:35:11:35:18 | password | Sensitive data returned by an access to password |
+| main.go:36:12:36:19 | password | main.go:36:12:36:19 | password | main.go:36:12:36:19 | password | $@ flows to a logging call. | main.go:36:12:36:19 | password | Sensitive data returned by an access to password |
+| main.go:37:10:37:17 | password | main.go:37:10:37:17 | password | main.go:37:10:37:17 | password | $@ flows to a logging call. | main.go:37:10:37:17 | password | Sensitive data returned by an access to password |
+| main.go:38:15:38:22 | password | main.go:38:15:38:22 | password | main.go:38:15:38:22 | password | $@ flows to a logging call. | main.go:38:15:38:22 | password | Sensitive data returned by an access to password |
+| main.go:39:11:39:18 | password | main.go:39:11:39:18 | password | main.go:39:11:39:18 | password | $@ flows to a logging call. | main.go:39:11:39:18 | password | Sensitive data returned by an access to password |
+| main.go:40:12:40:19 | password | main.go:40:12:40:19 | password | main.go:40:12:40:19 | password | $@ flows to a logging call. | main.go:40:12:40:19 | password | Sensitive data returned by an access to password |
+| main.go:41:14:41:21 | password | main.go:41:14:41:21 | password | main.go:41:14:41:21 | password | $@ flows to a logging call. | main.go:41:14:41:21 | password | Sensitive data returned by an access to password |
+| main.go:43:12:43:19 | password | main.go:43:12:43:19 | password | main.go:43:12:43:19 | password | $@ flows to a logging call. | main.go:43:12:43:19 | password | Sensitive data returned by an access to password |
+| main.go:44:17:44:24 | password | main.go:44:17:44:24 | password | main.go:44:17:44:24 | password | $@ flows to a logging call. | main.go:44:17:44:24 | password | Sensitive data returned by an access to password |
+| main.go:51:35:51:42 | password | main.go:51:35:51:42 | password | main.go:51:35:51:42 | password | $@ flows to a logging call. | main.go:51:35:51:42 | password | Sensitive data returned by an access to password |
 | overrides.go:13:14:13:23 | call to String | overrides.go:9:9:9:16 | password | overrides.go:13:14:13:23 | call to String | $@ flows to a logging call. | overrides.go:9:9:9:16 | password | Sensitive data returned by an access to password |
 | passwords.go:9:14:9:14 | x | passwords.go:30:8:30:15 | password | passwords.go:9:14:9:14 | x | $@ flows to a logging call. | passwords.go:30:8:30:15 | password | Sensitive data returned by an access to password |
 | passwords.go:25:14:25:21 | password | passwords.go:25:14:25:21 | password | passwords.go:25:14:25:21 | password | $@ flows to a logging call. | passwords.go:25:14:25:21 | password | Sensitive data returned by an access to password |

diff --git a/go/ql/test/query-tests/Security/CWE-312/main.go b/go/ql/test/query-tests/Security/CWE-312/main.go
@@ -12,7 +12,33 @@ import (
 func main() {
 	password := "P4ssw0rd"
 
+	log.Print(password)
+	log.Printf("", password)
+	log.Printf(password, "")
 	log.Println(password)
+	log.Fatal(password)
+	log.Fatalf("", password)
+	log.Fatalf(password, "")
+	log.Fatalln(password)
+	log.Panic(password)
+	log.Panicf("", password)
+	log.Panicf(password, "")
+	log.Panicln(password)
+
+	l := log.Default()
+	l.Print(password)
+	l.Printf("", password)
+	l.Printf(password, "")
+	l.Println(password)
+	l.Fatal(password)
+	l.Fatalf("", password)
+	l.Fatalf(password, "")
+	l.Fatalln(password)
+	l.Panic(password)
+	l.Panicf("", password)
+	l.Panicf(password, "")
+	l.Panicln(password)
+	l.Output(0, password)
 
 	glog.Info(password)
 	logrus.Warning(password)