Don't consider arguments with %T as logger call components

Author: owen-mc

go/ql/lib/semmle/go/Concepts.qll

@@ -355,8 +355,19 @@ module RegexpReplaceFunction {
  * extend `LoggerCall::Range` instead.
  */
 class LoggerCall extends DataFlow::Node instanceof LoggerCall::Range {
-  /** Gets a node that is a part of the logged message. */
-  DataFlow::Node getAMessageComponent() { result = super.getAMessageComponent() }
+  /**
+   * Gets a node that is a part of the logged message.
+   *
+   * Exclude components corresponding to the format specifier "%T" as this
+   * prints the type of the argument, which is not considered vulnerable.
+   */
+  DataFlow::Node getAMessageComponent() {
+    result = super.getAMessageComponent() and
+    not exists(string formatSpecifier |
+      formatSpecifier.regexpMatch("%[^%]*T") and
+      result = this.(StringOps::Formatting::StringFormatCall).getOperand(_, formatSpecifier)
+    )
+  }
 }
 
 /** Provides a class for modeling new logging APIs. */

go/ql/test/library-tests/semmle/go/concepts/LoggerCall/glog.go

@@ -31,11 +31,11 @@ func glogTest() {
 	glog.Warningln(text)       // $ logger=text
 
 	// components corresponding to the format specifier "%T" are not considered vulnerable
-	glog.Errorf("%s: found type %T", text, v)   // $ logger="%s: found type %T" logger=text SPURIOUS: logger=v
-	glog.Exitf("%s: found type %T", text, v)    // $ logger="%s: found type %T" logger=text SPURIOUS: logger=v
-	glog.Fatalf("%s: found type %T", text, v)   // $ logger="%s: found type %T" logger=text SPURIOUS: logger=v
-	glog.Infof("%s: found type %T", text, v)    // $ logger="%s: found type %T" logger=text SPURIOUS: logger=v
-	glog.Warningf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text SPURIOUS: logger=v
+	glog.Errorf("%s: found type %T", text, v)   // $ logger="%s: found type %T" logger=text
+	glog.Exitf("%s: found type %T", text, v)    // $ logger="%s: found type %T" logger=text
+	glog.Fatalf("%s: found type %T", text, v)   // $ logger="%s: found type %T" logger=text
+	glog.Infof("%s: found type %T", text, v)    // $ logger="%s: found type %T" logger=text
+	glog.Warningf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text
 
 	klog.Error(text)           // $ logger=text
 	klog.ErrorDepth(0, text)   // $ logger=text
@@ -59,9 +59,9 @@ func glogTest() {
 	klog.Warningln(text)       // $ logger=text
 
 	// components corresponding to the format specifier "%T" are not considered vulnerable
-	klog.Errorf("%s: found type %T", text, v)   // $ logger="%s: found type %T" logger=text SPURIOUS: logger=v
-	klog.Exitf("%s: found type %T", text, v)    // $ logger="%s: found type %T" logger=text SPURIOUS: logger=v
-	klog.Fatalf("%s: found type %T", text, v)   // $ logger="%s: found type %T" logger=text SPURIOUS: logger=v
-	klog.Infof("%s: found type %T", text, v)    // $ logger="%s: found type %T" logger=text SPURIOUS: logger=v
-	klog.Warningf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text SPURIOUS: logger=v
+	klog.Errorf("%s: found type %T", text, v)   // $ logger="%s: found type %T" logger=text
+	klog.Exitf("%s: found type %T", text, v)    // $ logger="%s: found type %T" logger=text
+	klog.Fatalf("%s: found type %T", text, v)   // $ logger="%s: found type %T" logger=text
+	klog.Infof("%s: found type %T", text, v)    // $ logger="%s: found type %T" logger=text
+	klog.Warningf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text
 }

go/ql/test/library-tests/semmle/go/concepts/LoggerCall/logrus.go

@@ -34,6 +34,6 @@ func logrusCalls() {
 	logrus.FatalFn(fn)       // $ logger=fn
 
 	// components corresponding to the format specifier "%T" are not considered vulnerable
-	logrus.Infof("%s: found type %T", text, v)  // $ logger="%s: found type %T" logger=text SPURIOUS: logger=v
-	logrus.Fatalf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text SPURIOUS: logger=v
+	logrus.Infof("%s: found type %T", text, v)  // $ logger="%s: found type %T" logger=text
+	logrus.Fatalf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text
 }

go/ql/test/library-tests/semmle/go/concepts/LoggerCall/stdlib.go

@@ -18,9 +18,9 @@ func stdlib() {
 	logger.Println(text)     // $ logger=text
 
 	// components corresponding to the format specifier "%T" are not considered vulnerable
-	logger.Fatalf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text SPURIOUS: logger=v
-	logger.Panicf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text SPURIOUS: logger=v
-	logger.Printf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text SPURIOUS: logger=v
+	logger.Fatalf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text
+	logger.Panicf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text
+	logger.Printf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text
 
 	log.SetPrefix("prefix: ")
 	log.Fatal(text)       // $ logger=text
@@ -34,7 +34,7 @@ func stdlib() {
 	log.Println(text)     // $ logger=text
 
 	// components corresponding to the format specifier "%T" are not considered vulnerable
-	log.Fatalf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text SPURIOUS: logger=v
-	log.Panicf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text SPURIOUS: logger=v
-	log.Printf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text SPURIOUS: logger=v
+	log.Fatalf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text
+	log.Panicf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text
+	log.Printf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text
 }