
Commit 0aea3eb

merged into existing cwe-117
1 parent 46f2c5d commit 0aea3eb


80 files changed

+86
-461
lines changed

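--- a/go/ql/lib/semmle/go/security/LogInjectionCustomizations.qll
+++ b/go/ql/lib/semmle/go/security/LogInjectionCustomizations.qll
@@ -84,4 +84,33 @@ module LogInjection {
 )
 }
 }
-}
+
+/**
+ * Returns true if `t` is a zap encoder type that is considered safe.
+ *
+ * We intentionally whitelist *only* JSONEncoder.
+ * Other encoders may not escape newline characters and therefore
+ * must NOT be treated as sanitizers.
+ */
+private predicate isSafeZapEncoder(Type t) {
+exists(Type zapEncoder |
+// Matches go.uber.org/zap/zapcore.JSONEncoder
+zapEncoder.hasQualifiedName("go.uber.org/zap/zapcore", "JSONEncoder") and
+t = zapEncoder
+)
+}
+
+/**
+ * Zap encoder sanitizer class.
+ *
+ * This extends the Sanitizer class used by the go/log-injection query.
+ */
+class ZapEncoderSanitizer extends Sanitizer {
+ZapEncoderSanitizer() {
+exists(Type t |
+this.getType() = t and
+isSafeZapEncoder(t)
+)
+}
+}
+}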
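Review bot: The sanitizer constraint `this.getType() = t and isSafeZapEncoder(t)` keys on the static type of the data-flow node itself, so it only excludes nodes whose type is `zapcore.JSONEncoder`, while the tainted value on a log-injection path is the message string; unless the flow configuration wires this up differently elsewhere, a tainted string still reaches a zap sink even when the logger was built with `NewJSONEncoder`, so the safe-encoder distinction described in the doc comment is not actually enforced by this class. The qualified name is also worth confirming: as far as I recall `zapcore` exports `NewJSONEncoder` returning the `Encoder` interface and keeps the concrete JSON encoder type unexported, in which case `hasQualifiedName("go.uber.org/zap/zapcore", "JSONEncoder")` never holds and `ZapEncoderSanitizer` is dead. Modelling this correctly would mean following the encoder from `zapcore.NewJSONEncoder(...)` through the core into the logger and treating that logger's logging calls as safe, and since this commit deletes the `CWE-117-ZapEncoder` tests without adding a replacement, a test with one JSON-encoded and one console-encoded logger that pins the expected alerts should go in with it. Minor: QL convention is `Holds if ...` rather than `Returns true if ...` in the predicate doc, and the enclosing `module LogInjection` starts outside this hunk.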

go/ql/lib/semmle/go/security/LogInjectionCustomizations/ZapEncoderSanitizer.qll

Lines changed: 0 additions & 60 deletions
This file was deleted.

go/ql/src/experimental/CWE-117-ZapEncoder/LogSanitizer.qhelp

Lines changed: 0 additions & 46 deletions
This file was deleted.

go/ql/src/experimental/CWE-117-ZapEncoder/LogSanitizer.ql

Lines changed: 0 additions & 39 deletions
This file was deleted.

go/ql/src/experimental/CWE-117-ZapEncoder/example/example_bad.go

Lines changed: 0 additions & 12 deletions
This file was deleted.

go/ql/src/experimental/CWE-117-ZapEncoder/example/example_good.go

Lines changed: 0 additions & 30 deletions
This file was deleted.

go/ql/test/experimental/CWE-117-ZapEncoder/LogInjection.expected

Whitespace-only changes.

go/ql/test/experimental/CWE-117-ZapEncoder/LogInjection.go

Lines changed: 0 additions & 35 deletions
This file was deleted.

go/ql/test/experimental/CWE-117-ZapEncoder/LogInjection.qlref

Lines changed: 0 additions & 1 deletion
This file was deleted.

go/ql/test/experimental/CWE-117-ZapEncoder/go.mod

Lines changed: 0 additions & 7 deletions
This file was deleted.
