autoformat go files

erik-krogh · erik-krogh · commit 08c0d8ec60ee · 2024-05-16T19:59:40.000+02:00
diff --git a/go/ql/src/Security/CWE-078/examples/CommandInjection.go b/go/ql/src/Security/CWE-078/examples/CommandInjection.go
@@ -11,4 +11,4 @@ func handler(req *http.Request) {
 	cmd := exec.Command("sh", "-c", fmt.Sprintf("imagetool %s > %s", imageName, outputPath))
 	cmd.Run()
 	// ...
-}
+}
diff --git a/go/ql/src/Security/CWE-078/examples/CommandInjectionGood.go b/go/ql/src/Security/CWE-078/examples/CommandInjectionGood.go
@@ -25,4 +25,4 @@ func handler(req *http.Request) {
 	cmd.Stdout = outfile
 
 	cmd.Run()
-}
+}
diff --git a/go/ql/src/Security/CWE-078/examples/CommandInjectionGood2.go b/go/ql/src/Security/CWE-078/examples/CommandInjectionGood2.go
@@ -1,23 +1,23 @@
 package main
 
 import (
-    "log"
-    "net/http"
-    "os/exec"
-    "regexp"
+	"log"
+	"net/http"
+	"os/exec"
+	"regexp"
 )
 
 func handler(req *http.Request) {
-    imageName := req.URL.Query()["imageName"][0]
-    outputPath := "/tmp/output.svg"
+	imageName := req.URL.Query()["imageName"][0]
+	outputPath := "/tmp/output.svg"
 
-    // Validate the imageName with a regular expression
-    validImageName := regexp.MustCompile(`^[a-zA-Z0-9_\-\.]+$`)
-    if !validImageName.MatchString(imageName) {
-        log.Fatal("Invalid image name")
-        return
-    }
+	// Validate the imageName with a regular expression
+	validImageName := regexp.MustCompile(`^[a-zA-Z0-9_\-\.]+$`)
+	if !validImageName.MatchString(imageName) {
+		log.Fatal("Invalid image name")
+		return
+	}
 
-    cmd := exec.Command("sh", "-c", fmt.Sprintf("imagetool %s > %s", imageName, outputPath))
-    cmd.Run()
-}
+	cmd := exec.Command("sh", "-c", fmt.Sprintf("imagetool %s > %s", imageName, outputPath))
+	cmd.Run()
+}
diff --git a/go/ql/test/query-tests/Security/CWE-078/CommandInjection.expected b/go/ql/test/query-tests/Security/CWE-078/CommandInjection.expected
@@ -8,14 +8,14 @@ edges
 | CommandInjection2.go:15:67:15:75 | imageName | CommandInjection2.go:15:34:15:88 | call to Sprintf | provenance | FunctionModel |
 | CommandInjection.go:9:13:9:19 | selection of URL | CommandInjection.go:9:13:9:27 | call to Query | provenance | MaD:735 |
 | CommandInjection.go:9:13:9:27 | call to Query | CommandInjection.go:10:22:10:28 | cmdName | provenance |  |
-| GitSubcommands.go:10:13:10:19 | selection of URL | GitSubcommands.go:10:13:10:27 | call to Query | provenance | MaD:735 |
-| GitSubcommands.go:10:13:10:27 | call to Query | GitSubcommands.go:12:31:12:37 | tainted | provenance |  |
-| GitSubcommands.go:10:13:10:27 | call to Query | GitSubcommands.go:13:31:13:37 | tainted | provenance |  |
-| GitSubcommands.go:10:13:10:27 | call to Query | GitSubcommands.go:14:30:14:36 | tainted | provenance |  |
-| GitSubcommands.go:10:13:10:27 | call to Query | GitSubcommands.go:15:35:15:41 | tainted | provenance |  |
-| GitSubcommands.go:10:13:10:27 | call to Query | GitSubcommands.go:16:36:16:42 | tainted | provenance |  |
-| GitSubcommands.go:32:13:32:19 | selection of URL | GitSubcommands.go:32:13:32:27 | call to Query | provenance | MaD:735 |
-| GitSubcommands.go:32:13:32:27 | call to Query | GitSubcommands.go:37:32:37:38 | tainted | provenance |  |
+| GitSubcommands.go:11:13:11:19 | selection of URL | GitSubcommands.go:11:13:11:27 | call to Query | provenance | MaD:735 |
+| GitSubcommands.go:11:13:11:27 | call to Query | GitSubcommands.go:13:31:13:37 | tainted | provenance |  |
+| GitSubcommands.go:11:13:11:27 | call to Query | GitSubcommands.go:14:31:14:37 | tainted | provenance |  |
+| GitSubcommands.go:11:13:11:27 | call to Query | GitSubcommands.go:15:30:15:36 | tainted | provenance |  |
+| GitSubcommands.go:11:13:11:27 | call to Query | GitSubcommands.go:16:35:16:41 | tainted | provenance |  |
+| GitSubcommands.go:11:13:11:27 | call to Query | GitSubcommands.go:17:36:17:42 | tainted | provenance |  |
+| GitSubcommands.go:33:13:33:19 | selection of URL | GitSubcommands.go:33:13:33:27 | call to Query | provenance | MaD:735 |
+| GitSubcommands.go:33:13:33:27 | call to Query | GitSubcommands.go:38:32:38:38 | tainted | provenance |  |
 | SanitizingDoubleDash.go:9:13:9:19 | selection of URL | SanitizingDoubleDash.go:9:13:9:27 | call to Query | provenance | MaD:735 |
 | SanitizingDoubleDash.go:9:13:9:27 | call to Query | SanitizingDoubleDash.go:13:25:13:31 | tainted | provenance |  |
 | SanitizingDoubleDash.go:9:13:9:27 | call to Query | SanitizingDoubleDash.go:14:23:14:33 | slice expression | provenance |  |
@@ -118,16 +118,16 @@ nodes
 | CommandInjection.go:9:13:9:19 | selection of URL | semmle.label | selection of URL |
 | CommandInjection.go:9:13:9:27 | call to Query | semmle.label | call to Query |
 | CommandInjection.go:10:22:10:28 | cmdName | semmle.label | cmdName |
-| GitSubcommands.go:10:13:10:19 | selection of URL | semmle.label | selection of URL |
-| GitSubcommands.go:10:13:10:27 | call to Query | semmle.label | call to Query |
-| GitSubcommands.go:12:31:12:37 | tainted | semmle.label | tainted |
+| GitSubcommands.go:11:13:11:19 | selection of URL | semmle.label | selection of URL |
+| GitSubcommands.go:11:13:11:27 | call to Query | semmle.label | call to Query |
 | GitSubcommands.go:13:31:13:37 | tainted | semmle.label | tainted |
-| GitSubcommands.go:14:30:14:36 | tainted | semmle.label | tainted |
-| GitSubcommands.go:15:35:15:41 | tainted | semmle.label | tainted |
-| GitSubcommands.go:16:36:16:42 | tainted | semmle.label | tainted |
-| GitSubcommands.go:32:13:32:19 | selection of URL | semmle.label | selection of URL |
-| GitSubcommands.go:32:13:32:27 | call to Query | semmle.label | call to Query |
-| GitSubcommands.go:37:32:37:38 | tainted | semmle.label | tainted |
+| GitSubcommands.go:14:31:14:37 | tainted | semmle.label | tainted |
+| GitSubcommands.go:15:30:15:36 | tainted | semmle.label | tainted |
+| GitSubcommands.go:16:35:16:41 | tainted | semmle.label | tainted |
+| GitSubcommands.go:17:36:17:42 | tainted | semmle.label | tainted |
+| GitSubcommands.go:33:13:33:19 | selection of URL | semmle.label | selection of URL |
+| GitSubcommands.go:33:13:33:27 | call to Query | semmle.label | call to Query |
+| GitSubcommands.go:38:32:38:38 | tainted | semmle.label | tainted |
 | SanitizingDoubleDash.go:9:13:9:19 | selection of URL | semmle.label | selection of URL |
 | SanitizingDoubleDash.go:9:13:9:27 | call to Query | semmle.label | call to Query |
 | SanitizingDoubleDash.go:13:15:13:32 | array literal [array] | semmle.label | array literal [array] |
@@ -212,12 +212,12 @@ subpaths
 | ArgumentInjection.go:10:31:10:34 | path | ArgumentInjection.go:9:10:9:16 | selection of URL | ArgumentInjection.go:10:31:10:34 | path | This command depends on a $@. | ArgumentInjection.go:9:10:9:16 | selection of URL | user-provided value |
 | CommandInjection2.go:15:34:15:88 | call to Sprintf | CommandInjection2.go:13:15:13:21 | selection of URL | CommandInjection2.go:15:34:15:88 | call to Sprintf | This command depends on a $@. | CommandInjection2.go:13:15:13:21 | selection of URL | user-provided value |
 | CommandInjection.go:10:22:10:28 | cmdName | CommandInjection.go:9:13:9:19 | selection of URL | CommandInjection.go:10:22:10:28 | cmdName | This command depends on a $@. | CommandInjection.go:9:13:9:19 | selection of URL | user-provided value |
-| GitSubcommands.go:12:31:12:37 | tainted | GitSubcommands.go:10:13:10:19 | selection of URL | GitSubcommands.go:12:31:12:37 | tainted | This command depends on a $@. | GitSubcommands.go:10:13:10:19 | selection of URL | user-provided value |
-| GitSubcommands.go:13:31:13:37 | tainted | GitSubcommands.go:10:13:10:19 | selection of URL | GitSubcommands.go:13:31:13:37 | tainted | This command depends on a $@. | GitSubcommands.go:10:13:10:19 | selection of URL | user-provided value |
-| GitSubcommands.go:14:30:14:36 | tainted | GitSubcommands.go:10:13:10:19 | selection of URL | GitSubcommands.go:14:30:14:36 | tainted | This command depends on a $@. | GitSubcommands.go:10:13:10:19 | selection of URL | user-provided value |
-| GitSubcommands.go:15:35:15:41 | tainted | GitSubcommands.go:10:13:10:19 | selection of URL | GitSubcommands.go:15:35:15:41 | tainted | This command depends on a $@. | GitSubcommands.go:10:13:10:19 | selection of URL | user-provided value |
-| GitSubcommands.go:16:36:16:42 | tainted | GitSubcommands.go:10:13:10:19 | selection of URL | GitSubcommands.go:16:36:16:42 | tainted | This command depends on a $@. | GitSubcommands.go:10:13:10:19 | selection of URL | user-provided value |
-| GitSubcommands.go:37:32:37:38 | tainted | GitSubcommands.go:32:13:32:19 | selection of URL | GitSubcommands.go:37:32:37:38 | tainted | This command depends on a $@. | GitSubcommands.go:32:13:32:19 | selection of URL | user-provided value |
+| GitSubcommands.go:13:31:13:37 | tainted | GitSubcommands.go:11:13:11:19 | selection of URL | GitSubcommands.go:13:31:13:37 | tainted | This command depends on a $@. | GitSubcommands.go:11:13:11:19 | selection of URL | user-provided value |
+| GitSubcommands.go:14:31:14:37 | tainted | GitSubcommands.go:11:13:11:19 | selection of URL | GitSubcommands.go:14:31:14:37 | tainted | This command depends on a $@. | GitSubcommands.go:11:13:11:19 | selection of URL | user-provided value |
+| GitSubcommands.go:15:30:15:36 | tainted | GitSubcommands.go:11:13:11:19 | selection of URL | GitSubcommands.go:15:30:15:36 | tainted | This command depends on a $@. | GitSubcommands.go:11:13:11:19 | selection of URL | user-provided value |
+| GitSubcommands.go:16:35:16:41 | tainted | GitSubcommands.go:11:13:11:19 | selection of URL | GitSubcommands.go:16:35:16:41 | tainted | This command depends on a $@. | GitSubcommands.go:11:13:11:19 | selection of URL | user-provided value |
+| GitSubcommands.go:17:36:17:42 | tainted | GitSubcommands.go:11:13:11:19 | selection of URL | GitSubcommands.go:17:36:17:42 | tainted | This command depends on a $@. | GitSubcommands.go:11:13:11:19 | selection of URL | user-provided value |
+| GitSubcommands.go:38:32:38:38 | tainted | GitSubcommands.go:33:13:33:19 | selection of URL | GitSubcommands.go:38:32:38:38 | tainted | This command depends on a $@. | GitSubcommands.go:33:13:33:19 | selection of URL | user-provided value |
 | SanitizingDoubleDash.go:14:23:14:33 | slice expression | SanitizingDoubleDash.go:9:13:9:19 | selection of URL | SanitizingDoubleDash.go:14:23:14:33 | slice expression | This command depends on a $@. | SanitizingDoubleDash.go:9:13:9:19 | selection of URL | user-provided value |
 | SanitizingDoubleDash.go:40:23:40:30 | arrayLit | SanitizingDoubleDash.go:9:13:9:19 | selection of URL | SanitizingDoubleDash.go:40:23:40:30 | arrayLit | This command depends on a $@. | SanitizingDoubleDash.go:9:13:9:19 | selection of URL | user-provided value |
 | SanitizingDoubleDash.go:54:23:54:30 | arrayLit | SanitizingDoubleDash.go:9:13:9:19 | selection of URL | SanitizingDoubleDash.go:54:23:54:30 | arrayLit | This command depends on a $@. | SanitizingDoubleDash.go:9:13:9:19 | selection of URL | user-provided value |
diff --git a/go/ql/test/query-tests/Security/CWE-078/CommandInjection2.go b/go/ql/test/query-tests/Security/CWE-078/CommandInjection2.go
@@ -1,53 +1,53 @@
 package main
 
 import (
+	"fmt"
+	"log"
 	"net/http"
+	"os"
 	"os/exec"
-	"log"
-    "os"
-    "regexp"
-	"fmt"
+	"regexp"
 )
 
 func handler(req *http.Request) {
 	imageName := req.URL.Query()["imageName"][0]
-  	outputPath = "/tmp/output.svg"
+	outputPath = "/tmp/output.svg"
 	cmd := exec.Command("sh", "-c", fmt.Sprintf("imagetool %s > %s", imageName, outputPath)) // NOT OK - correctly flagged
-  	cmd.Run()
-  // ...
+	cmd.Run()
+	// ...
 }
 
 func handler2(req *http.Request) {
-    imageName := req.URL.Query()["imageName"][0]
-    outputPath := "/tmp/output.svg"
+	imageName := req.URL.Query()["imageName"][0]
+	outputPath := "/tmp/output.svg"
 
-    // Create the output file
-    outfile, err := os.Create(outputPath)
-    if err != nil {
-        log.Fatal(err)
-    }
-    defer outfile.Close()
+	// Create the output file
+	outfile, err := os.Create(outputPath)
+	if err != nil {
+		log.Fatal(err)
+	}
+	defer outfile.Close()
 
-    // Prepare the command
-    cmd := exec.Command("imagetool", imageName) // OK - and not flagged
+	// Prepare the command
+	cmd := exec.Command("imagetool", imageName) // OK - and not flagged
 
-    // Set the output to our file
-    cmd.Stdout = outfile
+	// Set the output to our file
+	cmd.Stdout = outfile
 
-    cmd.Run()
+	cmd.Run()
 }
 
 func handler3(req *http.Request) {
-    imageName := req.URL.Query()["imageName"][0]
-    outputPath := "/tmp/output.svg"
-
-    // Validate the imageName with a regular expression
-    validImageName := regexp.MustCompile(`^[a-zA-Z0-9_\-\.]+$`)
-    if !validImageName.MatchString(imageName) {
-        log.Fatal("Invalid image name")
-        return
-    }
-
-    cmd := exec.Command("sh", "-c", fmt.Sprintf("imagetool %s > %s", imageName, outputPath)) // OK - but falsely flagged
-    cmd.Run()
-}
+	imageName := req.URL.Query()["imageName"][0]
+	outputPath := "/tmp/output.svg"
+
+	// Validate the imageName with a regular expression
+	validImageName := regexp.MustCompile(`^[a-zA-Z0-9_\-\.]+$`)
+	if !validImageName.MatchString(imageName) {
+		log.Fatal("Invalid image name")
+		return
+	}
+
+	cmd := exec.Command("sh", "-c", fmt.Sprintf("imagetool %s > %s", imageName, outputPath)) // OK - but falsely flagged
+	cmd.Run()
+}
diff --git a/go/ql/test/query-tests/Security/CWE-078/GitSubcommands.go b/go/ql/test/query-tests/Security/CWE-078/GitSubcommands.go
@@ -1,4 +1,5 @@
 package main
+
 import (
 	"net/http"
 	"os/exec"

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,5 @@`
`1`	`1`	`package main`
	`2`	`+`
`2`	`3`	`import (`
`3`	`4`	`"net/http"`
`4`	`5`	`"os/exec"`