@danielriddell21 danielriddell21 commented Nov 25, 2025

Summary

Add an experimental CodeQL helper and query to treat custom zap encoders (types implementing go.uber.org/zap/zapcore.Encoder) as sanitizers for the purposes of log-injection detection. This reduces false positives where applications use a custom encoder to escape or sanitize log field values.

Notes for reviewers

  • This change is non-invasive: it adds an experimental suppression query rather than modifying built-in log-injection rules directly.

Risks

  • If a type implements zapcore.Encoder but does not actually sanitize input, this change could suppress a genuine finding. Use the whitelist to exclude such types.
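
The summary and the Risks note both hinge on what "sanitize" has to mean for a zap encoder before it deserves to suppress a CWE-117 finding: a user-controlled field value containing a line terminator must not be able to start a new log record. The Go program below is an added example for this page, not code from the PR or from zap. It uses a constructed, minimal Encoder interface and Field type as stand-ins (zap's real zapcore.Encoder and zapcore.Field have different signatures), a constructed attacker payload, and puts an encoder that implements the interface without sanitizing beside one that escapes CR and LF, counting how many records a line-oriented log consumer would see from a single log call.

```go
package main

import (
	"fmt"
	"strings"
)

// Field is a constructed stand-in for a structured log field (not zapcore.Field).
type Field struct {
	Key   string
	Value string
}

// Encoder is a constructed stand-in for the one responsibility that matters for
// CWE-117: turning a message plus fields into one record of output. It is an
// assumption for this example and is not zap's zapcore.Encoder.
type Encoder interface {
	EncodeEntry(msg string, fields []Field) string
}

// PlainEncoder implements Encoder but writes every value verbatim: the case the
// Risks note warns about, a type that would be trusted as a sanitizer yet
// sanitizes nothing.
type PlainEncoder struct{}

func (PlainEncoder) EncodeEntry(msg string, fields []Field) string {
	var b strings.Builder
	b.WriteString(msg)
	for _, f := range fields {
		fmt.Fprintf(&b, " %s=%s", f.Key, f.Value)
	}
	b.WriteByte('\n') // one record per line, the convention a log consumer relies on
	return b.String()
}

// SanitizeValue neutralizes CR and LF by replacing them with visible escapes, the
// same idea as the strings.ReplaceAll(s, "\n", "X") pattern CodeQL already accepts,
// extended to carriage returns so a "\r\n"-oriented consumer cannot be fooled either.
func SanitizeValue(s string) string {
	return strings.NewReplacer("\r", `\r`, "\n", `\n`).Replace(s)
}

// SanitizingEncoder applies SanitizeValue to the message and to every key and
// value before delegating layout to PlainEncoder, so untrusted input can never
// terminate the record early.
type SanitizingEncoder struct{}

func (SanitizingEncoder) EncodeEntry(msg string, fields []Field) string {
	clean := make([]Field, len(fields))
	for i, f := range fields {
		clean[i] = Field{Key: SanitizeValue(f.Key), Value: SanitizeValue(f.Value)}
	}
	return PlainEncoder{}.EncodeEntry(SanitizeValue(msg), clean)
}

// CountRecords reports how many records a line-oriented log consumer would see.
func CountRecords(out string) int {
	return strings.Count(out, "\n")
}

// AttackerUsername is a constructed payload standing in for a request parameter:
// the embedded newline tries to forge a second, successful-looking record.
const AttackerUsername = "alice\nlogin ok user=admin"

// RecordsFor logs one failed login through enc and returns the record count a
// consumer would observe; 1 means the injection was neutralized, 2 means it worked.
func RecordsFor(enc Encoder) int {
	out := enc.EncodeEntry("login failed", []Field{{Key: "user", Value: AttackerUsername}})
	return CountRecords(out)
}

func main() {
	fmt.Printf("plain encoder:      %d record(s)\n", RecordsFor(PlainEncoder{}))
	fmt.Printf("sanitizing encoder: %d record(s)\n", RecordsFor(SanitizingEncoder{}))
}
```

Both types satisfy the interface, and that is all a type-based CodeQL sanitizer can see; whether EncodeEntry behaves like SanitizingEncoder rather than PlainEncoder is exactly what the proposed whitelist has to vouch for, which is why the Risks note matters.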

@danielriddell21 danielriddell21 requested a review from a team as a code owner November 25, 2025 18:11
@github-actions github-actions bot added the Go label Nov 25, 2025
@danielriddell21 danielriddell21 marked this pull request as draft November 25, 2025 18:33
@danielriddell21 danielriddell21 changed the title Feature/zap encoder sanitizer Treat zap custom encoders as sanitizers for log-injection checks Nov 25, 2025
@danielriddell21 danielriddell21 force-pushed the feature/zap-encoder-sanitizer branch from d9379df to 360014f Compare November 25, 2025 19:18
@danielriddell21 danielriddell21 marked this pull request as ready for review November 25, 2025 19:19
@owen-mc
Contributor

owen-mc commented Nov 25, 2025

This PR doesn't make much sense. I don't think the tests would pass.

There is already a query called go/log-injection. It is located at go/ql/src/Security/CWE-117/LogInjection.ql. All sanitizers for it are in go/ql/lib/semmle/go/security/LogInjectionCustomizations.qll. Tests for it are at go/ql/test/query-tests/Security/CWE-117/LogInjection.go. Note that we already include variations on strings.ReplaceAll(s, "\n", "X") as a sanitizer.

@danielriddell21 danielriddell21 marked this pull request as draft November 25, 2025 20:05
@danielriddell21
Author

danielriddell21 commented Nov 25, 2025

> This PR doesn't make much sense. I don't think the tests would pass.
>
> There is already a query called go/log-injection. It is located at go/ql/src/Security/CWE-117/LogInjection.ql. All sanitizers for it are in go/ql/lib/semmle/go/security/LogInjectionCustomizations.qll. Tests for it are at go/ql/test/query-tests/Security/CWE-117/LogInjection.go. Note that we already include variations on strings.ReplaceAll(s, "\n", "X") as a sanitizer.

Hi @owen-mc, thanks for looking. I am pretty new to CodeQL.

So I will try and move all the stuff into the correct place when it's ready. Am I okay to tag you when it is ready for a review?

@danielriddell21 danielriddell21 force-pushed the feature/zap-encoder-sanitizer branch from 0aea3eb to 997d300 Compare November 25, 2025 20:33
@danielriddell21
Author

My aim is to allow using a zap encoder with a sanitiser within it as a valid way to suppress a CWE-117 finding.

@owen-mc
Contributor

owen-mc commented Nov 25, 2025

Things are in the right place now, but the tests still don't make any sense. May I ask, are you using an LLM coding assistant? Yes, please tag me when you have got the tests passing locally on your machine, or you are stuck and need help with the CodeQL.

private predicate isSafeZapEncoder(Type t) {
exists(Type zapEncoder |
// Matches go.uber.org/zap/zapcore.JSONEncoder
zapEncoder.hasQualifiedName("go.uber.org/zap/zapcore", "JSONEncoder") and
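Review bot: the match on hasQualifiedName("go.uber.org/zap/zapcore", "JSONEncoder") can never hold, because the zapcore package (https://pkg.go.dev/go.uber.org/zap/zapcore) exports no type by that name: the JSON encoder is obtained from the zapcore.NewJSONEncoder constructor, which returns the zapcore.Encoder interface, and the concrete type behind it is unexported. Either match the call to NewJSONEncoder (and NewConsoleEncoder) or, as the PR summary describes, any type that implements the zapcore.Encoder interface. Separately, the name isSafeZapEncoder overstates what a name or interface match proves: implementing the interface says nothing about whether EncodeEntry escapes line terminators, which is the risk the description itself acknowledges, so the predicate needs a comment stating that assumption and pointing at the whitelist mechanism.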
Contributor

This type doesn't exist, at least according to https://pkg.go.dev/go.uber.org/zap/zapcore.

2 participants