added qhelp file

Author: danielriddell21

go/ql/src/experimental/CWE-117/LogSanitizer.qhelp

@@ -0,0 +1,46 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>If unsanitized user input is written to a log entry, a malicious user may
+be able to forge new log entries.</p>
+
+<p>Forgery can occur if a user provides some input with characters that are interpreted
+when the log output is displayed. If the log is displayed as a plain text file, then new
+line characters can be used by a malicious user. If the log is displayed as HTML, then
+arbitrary HTML may be included to spoof log entries.</p>
+</overview>
+
+<recommendation>
+<p>
+User input should be suitably encoded before it is logged.
+</p>
+<p>
+If the log entries are plain text then line breaks should be removed from user input, using
+<code>strings.Replace</code> or similar. Care should also be taken that user input is clearly marked
+in log entries, and that a malicious user cannot cause confusion in other ways.
+</p>
+<p>
+For log entries that will be displayed in HTML, user input should be HTML encoded using
+<code>html.EscapeString</code> or similar before being logged, to prevent forgery and
+other forms of HTML injection.
+</p>
+
+</recommendation>
+
+<example>
+<p>
+In the following example, a user name, provided by the user, is logged using a logging framework without any sanitization.
+</p>
+<sample src="example/example_bad.go" />
+<p>
+In the next example, <code>strings.Replace</code> is used to ensure no line endings are present in the user input.
+</p>
+<sample src="example/example_good.go" />
+</example>
+
+<references>
+<li>OWASP: <a href="https://www.owasp.org/index.php/Log_Injection">Log Injection</a>.</li>
+</references>
+</qhelp>

go/ql/src/experimental/CWE-117/LogSanitizer.ql

@@ -1,38 +1,38 @@
 /**
- * LogSanitizer.ql
- *
- * Filter/suppress log-injection findings when the taint flow can be shown to
- * pass through a sanitizer (including zap custom encoders).
- *
- * NOTE: This is a conservative template. Integrate with your existing
- * taint-tracking / source/sink predicates used by your log-injection rules.
+ * @name Log entries created from user input
+ * @description Building log entries from user-controlled sources is vulnerable to
+ *              insertion of forged log entries by a malicious user.
+ * @kind path-problem
+ * @problem.severity error
+ * @id go/log-injection
+ * @tags security
+ *       experimental
+ *       external/cwe/cwe-287
  */
 
+import go
+import semmle.go.security.LogInjection
+import LogInjection::Flow::PathGraph
+
+from LogInjection::Flow::PathNode source, LogInjection::Flow::PathNode sink
+where LogInjection::Flow::flowPath(source, sink)
+select sink.getNode(), source, sink, "This log entry depends on a $@.", source.getNode(),
+  "user-provided value"
+
 import go
 import go.security.dataflow.TaintTracking as T
-// adjust imports above if your repo uses a different taint package
 
-// Reuse the library predicates
 import LogSanitizer
 
-/**
- * A wrapper sink used for demonstration. Replace with the actual log sink
- * definitions used by your log-injection query if you want precise suppression.
- */
 class LogSink extends T.Sink {
   LogSink() { this = T.Sink("LogSink") }
 }
 
-/**
- * Find flows from sources to log sinks but ignore flows that pass through a sanitizer.
- * This query demonstrates the pattern — adapt to concrete source/sink definitions.
- */
 from T.Source src, T.Sink sink, Function sanitizerFn
 where
   src.flowsTo(sink) and
   not exists(sanitizerFn |
     isSanitizer(sanitizerFn) and
-    // sanitizer function appears somewhere on the flow path
     src.flowsTo(sanitizerFn) and
     sanitizerFn.flowsTo(sink)
   )