wip zap tests

Author: danielriddell21

go/ql/lib/semmle/go/security/LogInjectionCustomizations.qll

@@ -84,4 +84,33 @@ module LogInjection {
       )
     }
   }
-}
+
+  /**
+   * Returns true if `t` is a zap encoder type that is considered safe.
+   *
+   * We intentionally whitelist *only* JSONEncoder.
+   * Other encoders may not escape newline characters and therefore
+   * must NOT be treated as sanitizers.
+   */
+  private predicate isSafeZapEncoder(Type t) {
+    exists(Type zapEncoder |
+      // Matches go.uber.org/zap/zapcore.JSONEncoder
+      zapEncoder.hasQualifiedName("go.uber.org/zap/zapcore", "JSONEncoder") and
+      t = zapEncoder
+    )
+  }
+
+  /**
+   * Zap encoder sanitizer class.
+   *
+   * This extends the Sanitizer class used by the go/log-injection query.
+   */
+  class ZapEncoderSanitizer extends Sanitizer {
+    ZapEncoderSanitizer() {
+      exists(Type t |
+        this.getType() = t and
+        isSafeZapEncoder(t)
+      )
+    }
+  }
+}

go/ql/src/experimental/CWE-117/LogSanitizer.qll renamed to go/ql/lib/semmle/go/security/LogInjectionCustomizations/ZapEncoderSanitizer.qll

@@ -1,8 +1,6 @@
 /**
- * LogSanitizer.qll
- *
- * Predicates to identify sanitizer functions and zap encoder-like types.
- * Template: adjust whitelist entries as needed.
+ * Provides a taint tracking configuration for zap encoders that are known to remove or escape
+ * newline characters, thus mitigating log injection (CWE-117).
  */
 
 import go

go/ql/src/experimental/CWE-117/LogSanitizer.qhelp renamed to go/ql/src/experimental/CWE-117-ZapEncoder/LogSanitizer.qhelp

@@ -0,0 +1,35 @@
+package main
+
+import (
+    "go.uber.org/zap"
+    "go.uber.org/zap/zapcore"
+    "os"
+)
+
+func LogWithSafeZapEncoder() {
+    unsafeInput := os.Getenv("UNTRUSTED")  // treat this as “source”
+
+    // Create a safe JSON encoder (that we whitelist)
+    encoderCfg := zap.NewProductionEncoderConfig()
+    jsonEncoder := zapcore.NewJSONEncoder(encoderCfg)
+
+    // Build logger using that encoder
+    core := zapcore.NewCore(jsonEncoder, zapcore.AddSync(os.Stdout), zapcore.DebugLevel)
+    logger := zap.New(core)
+
+    logger.Info("user input", zap.String("data", unsafeInput))
+}
+
+func LogWithUnsafeZapEncoder() {
+    unsafeInput := os.Getenv("UNTRUSTED")  // source
+
+    // Suppose a “custom” encoder that does *not* sanitize newline
+    // For test purposes, just use console encoder but pretend it’s unsafe
+    encoderCfg := zap.NewProductionEncoderConfig()
+    consoleEncoder := zapcore.NewConsoleEncoder(encoderCfg)
+
+    core := zapcore.NewCore(consoleEncoder, zapcore.AddSync(os.Stdout), zapcore.DebugLevel)
+    logger := zap.New(core)
+
+    logger.Info("user input", zap.String("data", unsafeInput))
+}

go/ql/src/experimental/CWE-117/LogSanitizer.ql renamed to go/ql/src/experimental/CWE-117-ZapEncoder/LogSanitizer.ql

@@ -0,0 +1 @@
+query: experimental/CWE-117-ZapEncoder/LogInjection.ql

go/ql/src/experimental/CWE-117/example/example_bad.go renamed to go/ql/src/experimental/CWE-117-ZapEncoder/example/example_bad.go

@@ -0,0 +1,7 @@
+module example/zaploginjection
+
+go 1.25.4
+
+require go.uber.org/zap v1.27.1
+
+require go.uber.org/multierr v1.10.0 // indirect