
Commit 0ee7bbb

committed
Extend oauth2 tests
1 parent f61c62d commit 0ee7bbb

2 files changed

+175
-32
lines changed

Lines changed: 57 additions & 32 deletions
@@ -1,35 +1,60 @@
11
edges
2-
| ConstantOauth2State.go:18:26:18:32 | "state" : string literal | ConstantOauth2State.go:48:26:48:41 | stateStringConst |
3-
| ConstantOauth2State.go:18:26:18:32 | "state" : string literal | ConstantOauth2State.go:145:26:145:41 | stateStringConst |
4-
| ConstantOauth2State.go:18:26:18:32 | "state" : string literal | ConstantOauth2State.go:167:26:167:41 | stateStringConst |
5-
| ConstantOauth2State.go:18:26:18:32 | "state" : string literal | ConstantOauth2State.go:189:26:189:41 | stateStringConst |
6-
| ConstantOauth2State.go:20:22:20:28 | "state" : string | ConstantOauth2State.go:63:26:63:39 | stateStringVar |
7-
| ConstantOauth2State.go:78:11:78:25 | call to newFixedState : string | ConstantOauth2State.go:79:26:79:30 | state |
8-
| ConstantOauth2State.go:84:9:84:15 | "state" : string | ConstantOauth2State.go:78:11:78:25 | call to newFixedState : string |
9-
| ConstantOauth2State.go:145:9:145:42 | call to AuthCodeURL : string | ConstantOauth2State.go:146:54:146:56 | url |
10-
| ConstantOauth2State.go:167:9:167:42 | call to AuthCodeURL : string | ConstantOauth2State.go:168:54:168:56 | url |
11-
| ConstantOauth2State.go:189:9:189:42 | call to AuthCodeURL : string | ConstantOauth2State.go:190:28:190:30 | url |
2+
| ConstantOauth2State.go:20:26:20:32 | "state" : string literal | ConstantOauth2State.go:50:26:50:41 | stateStringConst |
3+
| ConstantOauth2State.go:20:26:20:32 | "state" : string literal | ConstantOauth2State.go:147:26:147:41 | stateStringConst |
4+
| ConstantOauth2State.go:20:26:20:32 | "state" : string literal | ConstantOauth2State.go:169:26:169:41 | stateStringConst |
5+
| ConstantOauth2State.go:20:26:20:32 | "state" : string literal | ConstantOauth2State.go:191:26:191:41 | stateStringConst |
6+
| ConstantOauth2State.go:20:26:20:32 | "state" : string literal | ConstantOauth2State.go:210:26:210:41 | stateStringConst |
7+
| ConstantOauth2State.go:20:26:20:32 | "state" : string literal | ConstantOauth2State.go:232:26:232:41 | stateStringConst |
8+
| ConstantOauth2State.go:20:26:20:32 | "state" : string literal | ConstantOauth2State.go:249:26:249:41 | stateStringConst |
9+
| ConstantOauth2State.go:20:26:20:32 | "state" : string literal | ConstantOauth2State.go:266:26:266:41 | stateStringConst |
10+
| ConstantOauth2State.go:20:26:20:32 | "state" : string literal | ConstantOauth2State.go:282:26:282:41 | stateStringConst |
11+
| ConstantOauth2State.go:22:22:22:28 | "state" : string | ConstantOauth2State.go:65:26:65:39 | stateStringVar |
12+
| ConstantOauth2State.go:80:11:80:25 | call to newFixedState : string | ConstantOauth2State.go:81:26:81:30 | state |
13+
| ConstantOauth2State.go:86:9:86:15 | "state" : string | ConstantOauth2State.go:80:11:80:25 | call to newFixedState : string |
14+
| ConstantOauth2State.go:147:9:147:42 | call to AuthCodeURL : string | ConstantOauth2State.go:148:54:148:56 | url |
15+
| ConstantOauth2State.go:169:9:169:42 | call to AuthCodeURL : string | ConstantOauth2State.go:170:54:170:56 | url |
16+
| ConstantOauth2State.go:191:9:191:42 | call to AuthCodeURL : string | ConstantOauth2State.go:192:54:192:56 | url |
17+
| ConstantOauth2State.go:210:9:210:42 | call to AuthCodeURL : string | ConstantOauth2State.go:211:54:211:56 | url |
18+
| ConstantOauth2State.go:232:9:232:42 | call to AuthCodeURL : string | ConstantOauth2State.go:233:28:233:30 | url |
19+
| ConstantOauth2State.go:239:17:239:39 | "http://localhost:8080" : string | ConstantOauth2State.go:249:9:249:12 | conf |
20+
| ConstantOauth2State.go:256:38:256:60 | "http://localhost:8080" : string | ConstantOauth2State.go:266:9:266:12 | conf |
21+
| ConstantOauth2State.go:272:17:272:21 | "oob" : string | ConstantOauth2State.go:282:9:282:12 | conf |
1222
nodes
13-
| ConstantOauth2State.go:18:26:18:32 | "state" : string literal | semmle.label | "state" : string literal |
14-
| ConstantOauth2State.go:20:22:20:28 | "state" : string | semmle.label | "state" : string |
15-
| ConstantOauth2State.go:33:26:33:32 | "state" | semmle.label | "state" |
16-
| ConstantOauth2State.go:48:26:48:41 | stateStringConst | semmle.label | stateStringConst |
17-
| ConstantOauth2State.go:63:26:63:39 | stateStringVar | semmle.label | stateStringVar |
18-
| ConstantOauth2State.go:78:11:78:25 | call to newFixedState : string | semmle.label | call to newFixedState : string |
19-
| ConstantOauth2State.go:79:26:79:30 | state | semmle.label | state |
20-
| ConstantOauth2State.go:84:9:84:15 | "state" : string | semmle.label | "state" : string |
21-
| ConstantOauth2State.go:145:9:145:42 | call to AuthCodeURL : string | semmle.label | call to AuthCodeURL : string |
22-
| ConstantOauth2State.go:145:26:145:41 | stateStringConst | semmle.label | stateStringConst |
23-
| ConstantOauth2State.go:146:54:146:56 | url | semmle.label | url |
24-
| ConstantOauth2State.go:167:9:167:42 | call to AuthCodeURL : string | semmle.label | call to AuthCodeURL : string |
25-
| ConstantOauth2State.go:167:26:167:41 | stateStringConst | semmle.label | stateStringConst |
26-
| ConstantOauth2State.go:168:54:168:56 | url | semmle.label | url |
27-
| ConstantOauth2State.go:189:9:189:42 | call to AuthCodeURL : string | semmle.label | call to AuthCodeURL : string |
28-
| ConstantOauth2State.go:189:26:189:41 | stateStringConst | semmle.label | stateStringConst |
29-
| ConstantOauth2State.go:190:28:190:30 | url | semmle.label | url |
23+
| ConstantOauth2State.go:20:26:20:32 | "state" : string literal | semmle.label | "state" : string literal |
24+
| ConstantOauth2State.go:22:22:22:28 | "state" : string | semmle.label | "state" : string |
25+
| ConstantOauth2State.go:35:26:35:32 | "state" | semmle.label | "state" |
26+
| ConstantOauth2State.go:50:26:50:41 | stateStringConst | semmle.label | stateStringConst |
27+
| ConstantOauth2State.go:65:26:65:39 | stateStringVar | semmle.label | stateStringVar |
28+
| ConstantOauth2State.go:80:11:80:25 | call to newFixedState : string | semmle.label | call to newFixedState : string |
29+
| ConstantOauth2State.go:81:26:81:30 | state | semmle.label | state |
30+
| ConstantOauth2State.go:86:9:86:15 | "state" : string | semmle.label | "state" : string |
31+
| ConstantOauth2State.go:147:9:147:42 | call to AuthCodeURL : string | semmle.label | call to AuthCodeURL : string |
32+
| ConstantOauth2State.go:147:26:147:41 | stateStringConst | semmle.label | stateStringConst |
33+
| ConstantOauth2State.go:148:54:148:56 | url | semmle.label | url |
34+
| ConstantOauth2State.go:169:9:169:42 | call to AuthCodeURL : string | semmle.label | call to AuthCodeURL : string |
35+
| ConstantOauth2State.go:169:26:169:41 | stateStringConst | semmle.label | stateStringConst |
36+
| ConstantOauth2State.go:170:54:170:56 | url | semmle.label | url |
37+
| ConstantOauth2State.go:191:9:191:42 | call to AuthCodeURL : string | semmle.label | call to AuthCodeURL : string |
38+
| ConstantOauth2State.go:191:26:191:41 | stateStringConst | semmle.label | stateStringConst |
39+
| ConstantOauth2State.go:192:54:192:56 | url | semmle.label | url |
40+
| ConstantOauth2State.go:210:9:210:42 | call to AuthCodeURL : string | semmle.label | call to AuthCodeURL : string |
41+
| ConstantOauth2State.go:210:26:210:41 | stateStringConst | semmle.label | stateStringConst |
42+
| ConstantOauth2State.go:211:54:211:56 | url | semmle.label | url |
43+
| ConstantOauth2State.go:232:9:232:42 | call to AuthCodeURL : string | semmle.label | call to AuthCodeURL : string |
44+
| ConstantOauth2State.go:232:26:232:41 | stateStringConst | semmle.label | stateStringConst |
45+
| ConstantOauth2State.go:233:28:233:30 | url | semmle.label | url |
46+
| ConstantOauth2State.go:239:17:239:39 | "http://localhost:8080" : string | semmle.label | "http://localhost:8080" : string |
47+
| ConstantOauth2State.go:249:9:249:12 | conf | semmle.label | conf |
48+
| ConstantOauth2State.go:249:26:249:41 | stateStringConst | semmle.label | stateStringConst |
49+
| ConstantOauth2State.go:256:38:256:60 | "http://localhost:8080" : string | semmle.label | "http://localhost:8080" : string |
50+
| ConstantOauth2State.go:266:9:266:12 | conf | semmle.label | conf |
51+
| ConstantOauth2State.go:266:26:266:41 | stateStringConst | semmle.label | stateStringConst |
52+
| ConstantOauth2State.go:272:17:272:21 | "oob" : string | semmle.label | "oob" : string |
53+
| ConstantOauth2State.go:282:9:282:12 | conf | semmle.label | conf |
54+
| ConstantOauth2State.go:282:26:282:41 | stateStringConst | semmle.label | stateStringConst |
3055
#select
31-
| ConstantOauth2State.go:33:26:33:32 | "state" | ConstantOauth2State.go:33:26:33:32 | "state" | ConstantOauth2State.go:33:26:33:32 | "state" | Using a constant $@ to create oauth2 URLs. | ConstantOauth2State.go:33:26:33:32 | "state" | state string |
32-
| ConstantOauth2State.go:48:26:48:41 | stateStringConst | ConstantOauth2State.go:18:26:18:32 | "state" : string literal | ConstantOauth2State.go:48:26:48:41 | stateStringConst | Using a constant $@ to create oauth2 URLs. | ConstantOauth2State.go:18:26:18:32 | "state" | state string |
33-
| ConstantOauth2State.go:63:26:63:39 | stateStringVar | ConstantOauth2State.go:20:22:20:28 | "state" : string | ConstantOauth2State.go:63:26:63:39 | stateStringVar | Using a constant $@ to create oauth2 URLs. | ConstantOauth2State.go:20:22:20:28 | "state" | state string |
34-
| ConstantOauth2State.go:79:26:79:30 | state | ConstantOauth2State.go:84:9:84:15 | "state" : string | ConstantOauth2State.go:79:26:79:30 | state | Using a constant $@ to create oauth2 URLs. | ConstantOauth2State.go:84:9:84:15 | "state" | state string |
35-
| ConstantOauth2State.go:189:26:189:41 | stateStringConst | ConstantOauth2State.go:18:26:18:32 | "state" : string literal | ConstantOauth2State.go:189:26:189:41 | stateStringConst | Using a constant $@ to create oauth2 URLs. | ConstantOauth2State.go:18:26:18:32 | "state" | state string |
56+
| ConstantOauth2State.go:35:26:35:32 | "state" | ConstantOauth2State.go:35:26:35:32 | "state" | ConstantOauth2State.go:35:26:35:32 | "state" | Using a constant $@ to create oauth2 URLs. | ConstantOauth2State.go:35:26:35:32 | "state" | state string |
57+
| ConstantOauth2State.go:50:26:50:41 | stateStringConst | ConstantOauth2State.go:20:26:20:32 | "state" : string literal | ConstantOauth2State.go:50:26:50:41 | stateStringConst | Using a constant $@ to create oauth2 URLs. | ConstantOauth2State.go:20:26:20:32 | "state" | state string |
58+
| ConstantOauth2State.go:65:26:65:39 | stateStringVar | ConstantOauth2State.go:22:22:22:28 | "state" : string | ConstantOauth2State.go:65:26:65:39 | stateStringVar | Using a constant $@ to create oauth2 URLs. | ConstantOauth2State.go:22:22:22:28 | "state" | state string |
59+
| ConstantOauth2State.go:81:26:81:30 | state | ConstantOauth2State.go:86:9:86:15 | "state" : string | ConstantOauth2State.go:81:26:81:30 | state | Using a constant $@ to create oauth2 URLs. | ConstantOauth2State.go:86:9:86:15 | "state" | state string |
60+
| ConstantOauth2State.go:232:26:232:41 | stateStringConst | ConstantOauth2State.go:20:26:20:32 | "state" : string literal | ConstantOauth2State.go:232:26:232:41 | stateStringConst | Using a constant $@ to create oauth2 URLs. | ConstantOauth2State.go:20:26:20:32 | "state" | state string |

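--- a/ql/test/experimental/CWE-352/ConstantOauth2State.go
+++ b/ql/test/experimental/CWE-352/ConstantOauth2State.go
@@ -3,8 +3,10 @@ package main
 //go:generate depstubber -vendor golang.org/x/oauth2 Config,Endpoint
 
 import (
+"bufio"
 "crypto/rand"
 "encoding/base64"
+"errors"
 "fmt"
 "log"
 "net/http"
@@ -175,6 +177,47 @@ func okWithConstStateFPrinter(w http.ResponseWriter) {
 _ = code
 // ...
 }
+func okWithConstStateBufio(w http.ResponseWriter) {
+conf := &oauth2.Config{
+ClientID: "YOUR_CLIENT_ID",
+ClientSecret: "YOUR_CLIENT_SECRET",
+Scopes: []string{"SCOPE1", "SCOPE2"},
+Endpoint: oauth2.Endpoint{
+AuthURL: "https://provider.com/o/oauth2/auth",
+TokenURL: "https://provider.com/o/oauth2/token",
+},
+}
+
+url := conf.AuthCodeURL(stateStringConst) // OK, because we're supposedly not exposed to the web, but within a terminal.
+fmt.Printf("Visit the URL for the auth dialog: %v", url)
+// ...
+
+scanner := bufio.NewScanner(os.Stdin)
+_ = scanner
+// ...
+}
+func okWithConstStateLogger(w http.ResponseWriter) {
+conf := &oauth2.Config{
+ClientID: "YOUR_CLIENT_ID",
+ClientSecret: "YOUR_CLIENT_SECRET",
+Scopes: []string{"SCOPE1", "SCOPE2"},
+Endpoint: oauth2.Endpoint{
+AuthURL: "https://provider.com/o/oauth2/auth",
+TokenURL: "https://provider.com/o/oauth2/token",
+},
+}
+
+url := conf.AuthCodeURL(stateStringConst) // OK, because we're supposedly not exposed to the web, but within a terminal.
+log.Printf("Visit the URL for the auth dialog: %v", url)
+// ...
+
+var code string
+if _, err := fmt.Fscan(os.Stdin, &code); err != nil {
+log.Fatal(err)
+}
+_ = code
+// ...
+}
 func badWithConstStatePrinter(w http.ResponseWriter) {
 conf := &oauth2.Config{
 ClientID: "YOUR_CLIENT_ID",
@@ -190,3 +233,78 @@ func badWithConstStatePrinter(w http.ResponseWriter) {
 fmt.Printf("LOG: URL %v", url)
 // ...
 }
+
+func okWithLocalUrl(w http.ResponseWriter) {
+conf := &oauth2.Config{
+RedirectURL: "http://localhost:8080",
+ClientID: "YOUR_CLIENT_ID",
+ClientSecret: "YOUR_CLIENT_SECRET",
+Scopes: []string{"SCOPE1", "SCOPE2"},
+Endpoint: oauth2.Endpoint{
+AuthURL: "https://provider.com/o/oauth2/auth",
+TokenURL: "https://provider.com/o/oauth2/token",
+},
+}
+
+url := conf.AuthCodeURL(stateStringConst) // OK because the config uses a local url
+_ = url
+}
+
+func okWithLocalUrlSprintf(w http.ResponseWriter) {
+port := 8080
+conf := &oauth2.Config{
+RedirectURL: fmt.Sprintf("%s:%d", "http://localhost:8080", port),
+ClientID: "YOUR_CLIENT_ID",
+ClientSecret: "YOUR_CLIENT_SECRET",
+Scopes: []string{"SCOPE1", "SCOPE2"},
+Endpoint: oauth2.Endpoint{
+AuthURL: "https://provider.com/o/oauth2/auth",
+TokenURL: "https://provider.com/o/oauth2/token",
+},
+}
+
+url := conf.AuthCodeURL(stateStringConst) // OK because the config uses a local url
+_ = url
+}
+
+func okWithOutOfBoundsToken(w http.ResponseWriter) {
+conf := &oauth2.Config{
+RedirectURL: "oob",
+ClientID: "YOUR_CLIENT_ID",
+ClientSecret: "YOUR_CLIENT_SECRET",
+Scopes: []string{"SCOPE1", "SCOPE2"},
+Endpoint: oauth2.Endpoint{
+AuthURL: "https://provider.com/o/oauth2/auth",
+TokenURL: "https://provider.com/o/oauth2/token",
+},
+}
+
+url := conf.AuthCodeURL(stateStringConst) // OK because the config uses a token indicating out-of-band communication
+_ = url
+}
+
+func tryGetState(success bool) (string, string, int, error) {
+if success {
+return NewCSRFToken(), "dummy", 0, nil
+} else {
+return "", "", 0, errors.New("success not set")
+}
+}
+
+func okConstantOnlySuppliedAlongsideError(w http.ResponseWriter) {
+conf := &oauth2.Config{
+ClientID: "YOUR_CLIENT_ID",
+ClientSecret: "YOUR_CLIENT_SECRET",
+Scopes: []string{"SCOPE1", "SCOPE2"},
+Endpoint: oauth2.Endpoint{
+AuthURL: "https://provider.com/o/oauth2/auth",
+TokenURL: "https://provider.com/o/oauth2/token",
+},
+}
+
+token, _, _, err := tryGetState(len(os.Args)%3 == 1)
+if err != nil {
+url := conf.AuthCodeURL(token) // OK because constant states coming from tryGetState only occur with errors
+_ = url
+}
+}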
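Review bot: The fixture in okWithLocalUrlSprintf builds a malformed redirect URL — `fmt.Sprintf("%s:%d", "http://localhost:8080", port)` evaluates to `http://localhost:8080:8080`, so the case only passes because the sanitizer matches the embedded literal (the .expected file traces `"http://localhost:8080"` at 256:38 into `conf`), not because a host assembled with Sprintf plus a port is recognised. I would change it to `RedirectURL: fmt.Sprintf("%s:%d", "http://localhost", port),` and refresh the column ranges for line 256 in the .expected file. Separately, the `// OK because the config uses a local url` comments read as if a constant state were safe on a loopback redirect; as far as I recall RFC 8252 still recommends `state` for native-app loopback flows, so I would reword them to say the query deliberately does not flag these CLI-style flows to avoid false positives, rather than that the flow is safe. The helper name `okWithOutOfBoundsToken` is also a slip for out-of-band (`oob`), matching its own comment.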
