Add tests for heuristic logger calls

Author: owen-mc

go/ql/test/query-tests/Security/CWE-117/LogInjection.go

@@ -30,6 +30,7 @@ import (
 
 func handler(req *http.Request, ctx *goproxy.ProxyCtx) {
 	username := req.URL.Query()["username"][0]
+	slice := []any{"username", username}
 	testFlag := req.URL.Query()["testFlag"][0]
 
 	{
@@ -412,8 +413,34 @@ func handler(req *http.Request, ctx *goproxy.ProxyCtx) {
 		sLogger.Named(username) // $ hasTaintFlow="username"
 		sLogger.With(username)  // $ hasTaintFlow="username"
 	}
+	// heuristic logger interface
+	{
+		logger.Printf(username)                // $ hasTaintFlow="username"
+		logger.Printf("%s", username)          // $ hasTaintFlow="username"
+		simpleLogger.Tracew(username)          // $ hasTaintFlow="username"
+		simpleLogger.Tracew("%s", username)    // $ hasTaintFlow="username"
+		simpleLogger.Debugw("%s %s", slice...) // $ hasTaintFlow="slice"
+	}
+
+}
+
+type Logger interface {
+	Printf(string, ...interface{})
 }
 
+type SimpleLogger interface {
+	Debugw(msg string, keysAndValues ...any)
+	Infow(msg string, keysAndValues ...any)
+	Warnw(msg string, keysAndValues ...any)
+	Errorw(msg string, keysAndValues ...any)
+	Tracew(msg string, keysAndValues ...any)
+}
+
+var (
+	logger       Logger
+	simpleLogger SimpleLogger
+)
+
 // GOOD: The user-provided value is escaped before being written to the log.
 func handlerGood(req *http.Request) {
 	username := req.URL.Query()["username"][0]
@@ -649,5 +676,4 @@ func handlerGood4(req *http.Request, ctx *goproxy.ProxyCtx) {
 		}
 		sLogger.Warnf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 	}
-
 }

go/ql/test/query-tests/Security/CWE-117/go.mod

@@ -1,14 +1,33 @@
 module main
 
-go 1.14
+go 1.23
 
 require (
 	github.com/astaxie/beego v1.12.3
+	github.com/davecgh/go-spew v1.1.1
 	github.com/elazarl/goproxy v0.0.0-20211114080932-d06c3be7c11b
 	github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b
-	github.com/kr/text v0.2.0 // indirect
 	github.com/sirupsen/logrus v1.8.1
-	github.com/stretchr/testify v1.6.0 // indirect
-	golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f // indirect
+	go.uber.org/zap v1.27.0
 	k8s.io/klog v1.0.0
 )
+
+require (
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/cespare/xxhash/v2 v2.1.1 // indirect
+	github.com/golang/protobuf v1.4.2 // indirect
+	github.com/hashicorp/golang-lru v0.5.4 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
+	github.com/prometheus/client_golang v1.7.0 // indirect
+	github.com/prometheus/client_model v0.2.0 // indirect
+	github.com/prometheus/common v0.10.0 // indirect
+	github.com/prometheus/procfs v0.1.3 // indirect
+	github.com/shiena/ansicolor v0.0.0-20151119151921-a422bbe96644 // indirect
+	go.uber.org/multierr v1.10.0 // indirect
+	golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550 // indirect
+	golang.org/x/net v0.0.0-20190620200207-3b0461eec859 // indirect
+	golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f // indirect
+	golang.org/x/text v0.3.0 // indirect
+	google.golang.org/protobuf v1.23.0 // indirect
+	gopkg.in/yaml.v2 v2.2.8 // indirect
+)

go/ql/test/query-tests/Security/CWE-117/vendor/modules.txt

@@ -1,24 +1,134 @@
 # github.com/astaxie/beego v1.12.3
-## explicit
+## explicit; go 1.13
 github.com/astaxie/beego
+github.com/astaxie/beego/config
+github.com/astaxie/beego/context
+github.com/astaxie/beego/context/param
+github.com/astaxie/beego/grace
+github.com/astaxie/beego/logs
+github.com/astaxie/beego/session
+github.com/astaxie/beego/toolbox
+github.com/astaxie/beego/utils
+# github.com/beorn7/perks v1.0.1
+## explicit; go 1.11
+github.com/beorn7/perks/quantile
+# github.com/cespare/xxhash/v2 v2.1.1
+## explicit; go 1.11
+github.com/cespare/xxhash/v2
+# github.com/davecgh/go-spew v1.1.1
+## explicit
+github.com/davecgh/go-spew/spew
 # github.com/elazarl/goproxy v0.0.0-20211114080932-d06c3be7c11b
 ## explicit
 github.com/elazarl/goproxy
 # github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b
 ## explicit
 github.com/golang/glog
-# github.com/kr/text v0.2.0
+# github.com/golang/protobuf v1.4.2
+## explicit; go 1.9
+github.com/golang/protobuf/proto
+github.com/golang/protobuf/ptypes
+github.com/golang/protobuf/ptypes/any
+github.com/golang/protobuf/ptypes/duration
+github.com/golang/protobuf/ptypes/timestamp
+# github.com/hashicorp/golang-lru v0.5.4
+## explicit; go 1.12
+github.com/hashicorp/golang-lru
+github.com/hashicorp/golang-lru/simplelru
+# github.com/matttproud/golang_protobuf_extensions v1.0.1
 ## explicit
-github.com/kr/text
-# github.com/sirupsen/logrus v1.8.1
+github.com/matttproud/golang_protobuf_extensions/pbutil
+# github.com/prometheus/client_golang v1.7.0
+## explicit; go 1.11
+github.com/prometheus/client_golang/prometheus
+github.com/prometheus/client_golang/prometheus/internal
+github.com/prometheus/client_golang/prometheus/promhttp
+# github.com/prometheus/client_model v0.2.0
+## explicit; go 1.9
+github.com/prometheus/client_model/go
+# github.com/prometheus/common v0.10.0
+## explicit; go 1.11
+github.com/prometheus/common/expfmt
+github.com/prometheus/common/internal/bitbucket.org/ww/goautoneg
+github.com/prometheus/common/model
+# github.com/prometheus/procfs v0.1.3
+## explicit; go 1.12
+github.com/prometheus/procfs
+github.com/prometheus/procfs/internal/fs
+github.com/prometheus/procfs/internal/util
+# github.com/shiena/ansicolor v0.0.0-20151119151921-a422bbe96644
 ## explicit
+github.com/shiena/ansicolor
+# github.com/sirupsen/logrus v1.8.1
+## explicit; go 1.13
 github.com/sirupsen/logrus
-# github.com/stretchr/testify v1.6.0
+# go.uber.org/multierr v1.10.0
+## explicit; go 1.19
+go.uber.org/multierr
+# go.uber.org/zap v1.27.0
+## explicit; go 1.19
+go.uber.org/zap
+go.uber.org/zap/buffer
+go.uber.org/zap/internal
+go.uber.org/zap/internal/bufferpool
+go.uber.org/zap/internal/color
+go.uber.org/zap/internal/exit
+go.uber.org/zap/internal/pool
+go.uber.org/zap/internal/stacktrace
+go.uber.org/zap/zapcore
+# golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550
 ## explicit
-github.com/stretchr/testify
+golang.org/x/crypto/acme
+golang.org/x/crypto/acme/autocert
+# golang.org/x/net v0.0.0-20190620200207-3b0461eec859
+## explicit; go 1.11
+golang.org/x/net/idna
 # golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f
+## explicit; go 1.12
+golang.org/x/sys/internal/unsafeheader
+golang.org/x/sys/unix
+golang.org/x/sys/windows
+# golang.org/x/text v0.3.0
 ## explicit
-golang.org/x/sys
-# k8s.io/klog v1.0.0
+golang.org/x/text/secure/bidirule
+golang.org/x/text/transform
+golang.org/x/text/unicode/bidi
+golang.org/x/text/unicode/norm
+# google.golang.org/protobuf v1.23.0
+## explicit; go 1.9
+google.golang.org/protobuf/encoding/prototext
+google.golang.org/protobuf/encoding/protowire
+google.golang.org/protobuf/internal/descfmt
+google.golang.org/protobuf/internal/descopts
+google.golang.org/protobuf/internal/detrand
+google.golang.org/protobuf/internal/encoding/defval
+google.golang.org/protobuf/internal/encoding/messageset
+google.golang.org/protobuf/internal/encoding/tag
+google.golang.org/protobuf/internal/encoding/text
+google.golang.org/protobuf/internal/errors
+google.golang.org/protobuf/internal/fieldnum
+google.golang.org/protobuf/internal/fieldsort
+google.golang.org/protobuf/internal/filedesc
+google.golang.org/protobuf/internal/filetype
+google.golang.org/protobuf/internal/flags
+google.golang.org/protobuf/internal/genname
+google.golang.org/protobuf/internal/impl
+google.golang.org/protobuf/internal/mapsort
+google.golang.org/protobuf/internal/pragma
+google.golang.org/protobuf/internal/set
+google.golang.org/protobuf/internal/strs
+google.golang.org/protobuf/internal/version
+google.golang.org/protobuf/proto
+google.golang.org/protobuf/reflect/protoreflect
+google.golang.org/protobuf/reflect/protoregistry
+google.golang.org/protobuf/runtime/protoiface
+google.golang.org/protobuf/runtime/protoimpl
+google.golang.org/protobuf/types/known/anypb
+google.golang.org/protobuf/types/known/durationpb
+google.golang.org/protobuf/types/known/timestamppb
+# gopkg.in/yaml.v2 v2.2.8
 ## explicit
+gopkg.in/yaml.v2
+# k8s.io/klog v1.0.0
+## explicit; go 1.12
 k8s.io/klog