diff --git a/go/ql/lib/go.qll b/go/ql/lib/go.qll index 16f2f1702faa..682342aad95a 100644 --- a/go/ql/lib/go.qll +++ b/go/ql/lib/go.qll @@ -40,6 +40,7 @@ import semmle.go.frameworks.ElazarlGoproxy import semmle.go.frameworks.Email import semmle.go.frameworks.Encoding import semmle.go.frameworks.Fasthttp +import semmle.go.frameworks.Gin import semmle.go.frameworks.GinCors import semmle.go.frameworks.Glog import semmle.go.frameworks.GoJose diff --git a/go/ql/lib/semmle/go/concepts/HTTP.qll b/go/ql/lib/semmle/go/concepts/HTTP.qll index 9bf5b6a7ad84..41f3caec03d8 100644 --- a/go/ql/lib/semmle/go/concepts/HTTP.qll +++ b/go/ql/lib/semmle/go/concepts/HTTP.qll @@ -380,4 +380,96 @@ module Http { /** Gets a node that is used in a check that is tested before this handler is run. */ predicate guardedBy(DataFlow::Node check) { super.guardedBy(check) } } + + /** Provides a class for modeling HTTP response cookie writes. */ + module CookieWrite { + /** + * An write of an HTTP Cookie to an HTTP response. + * + * Extend this class to model new APIs. If you want to refine existing API models, + * extend `HTTP::CookieWrite` instead. + */ + abstract class Range extends DataFlow::Node { + /** Gets the name of the cookie written. */ + abstract DataFlow::Node getName(); + + /** Gets the value of the cookie written. */ + abstract DataFlow::Node getValue(); + + /** Gets the `Secure` attribute of the cookie written. */ + abstract DataFlow::Node getSecure(); + + /** Gets the `HttpOnly` attribute of the cookie written. */ + abstract DataFlow::Node getHttpOnly(); + } + } + + /** + * An write of an HTTP Cookie to an HTTP response. + * + * Extend this class to refine existing API models. If you want to model new APIs, + * extend `HTTP::CookieWrite::Range` instead. + */ + class CookieWrite extends DataFlow::Node instanceof CookieWrite::Range { + /** Gets the name of the cookie written. */ + DataFlow::Node getName() { result = super.getName() } + + /** Gets the value of the cookie written. */ + DataFlow::Node getValue() { result = super.getValue() } + + /** Gets the `Secure` attribute of the cookie written. */ + DataFlow::Node getSecure() { result = super.getSecure() } + + /** Gets the `HttpOnly` attribute of the cookie written. */ + DataFlow::Node getHttpOnly() { result = super.getHttpOnly() } + } + + /** Provides a class for modeling the options of an HTTP cookie. */ + module CookieOptions { + /** + * An HTTP Cookie object. + * + * Extend this class to model new APIs. If you want to refine existing API models, + * extend `HTTP::CookieOptions` instead. + */ + abstract class Range extends DataFlow::Node { + /** Gets the node representing the cookie object for the options being set. */ + abstract DataFlow::Node getCookieOutput(); + + /** Gets the name of the cookie represented. */ + abstract DataFlow::Node getName(); + + /** Gets the value of the cookie represented. */ + abstract DataFlow::Node getValue(); + + /** Gets the `Secure` attribute of the cookie represented. */ + abstract DataFlow::Node getSecure(); + + /** Gets the `HttpOnly` attribute of the cookie represented. */ + abstract DataFlow::Node getHttpOnly(); + } + } + + /** + * An HTTP Cookie. + * + * Extend this class to refine existing API models. If you want to model new APIs, + * extend `HTTP::CookieOptions::Range` instead. + */ + class CookieOptions extends DataFlow::Node instanceof CookieOptions::Range { + /** Gets the node representing the cookie object for the options being set. */ + DataFlow::Node getCookieOutput() { result = super.getCookieOutput() } + + /** Gets the name of the cookie represented. */ + DataFlow::Node getName() { result = super.getName() } + + /** Gets the value of the cookie represented. */ + DataFlow::Node getValue() { result = super.getValue() } + + /** Gets the `Secure` attribute of the cookie represented. */ + DataFlow::Node getSecure() { result = super.getSecure() } + + /** Gets the `HttpOnly` attribute of the cookie represented. */ + DataFlow::Node getHttpOnly() { result = super.getHttpOnly() } + } } diff --git a/go/ql/lib/semmle/go/frameworks/Gin.qll b/go/ql/lib/semmle/go/frameworks/Gin.qll new file mode 100644 index 000000000000..71ed5d931fa3 --- /dev/null +++ b/go/ql/lib/semmle/go/frameworks/Gin.qll @@ -0,0 +1,24 @@ +/** + * Provides classes for modeling the `github.com/gin-gonic/gin` package. + */ + +import go +import semmle.go.concepts.HTTP + +/** Provides models for the `gin-gonic/gin` package. */ +module Gin { + /** Gets the package name `github.com/gin-gonic/gin`. */ + string packagePath() { result = package("github.com/gin-gonic/gin", "") } + + private class GinCookieWrite extends Http::CookieWrite::Range, DataFlow::MethodCallNode { + GinCookieWrite() { this.getTarget().hasQualifiedName(packagePath(), "Context", "SetCookie") } + + override DataFlow::Node getName() { result = this.getArgument(0) } + + override DataFlow::Node getValue() { result = this.getArgument(1) } + + override DataFlow::Node getSecure() { result = this.getArgument(5) } + + override DataFlow::Node getHttpOnly() { result = this.getArgument(6) } + } +} diff --git a/go/ql/lib/semmle/go/frameworks/stdlib/NetHttp.qll b/go/ql/lib/semmle/go/frameworks/stdlib/NetHttp.qll index 88c9605502f6..fd86effa9754 100644 --- a/go/ql/lib/semmle/go/frameworks/stdlib/NetHttp.qll +++ b/go/ql/lib/semmle/go/frameworks/stdlib/NetHttp.qll @@ -293,4 +293,38 @@ module NetHttp { override DataFlow::Node getAPathArgument() { result = this.getArgument(2) } } + + private class CookieWrite extends Http::CookieWrite::Range, DataFlow::CallNode { + CookieWrite() { this.getTarget().hasQualifiedName(package("net/http", ""), "SetCookie") } + + override DataFlow::Node getName() { result = this.getArgument(1) } + + override DataFlow::Node getValue() { result = this.getArgument(1) } + + override DataFlow::Node getSecure() { result = this.getArgument(1) } + + override DataFlow::Node getHttpOnly() { result = this.getArgument(1) } + } + + private class CookieFieldWrite extends Http::CookieOptions::Range { + Write w; + Field f; + DataFlow::Node written; + string fieldName; + + CookieFieldWrite() { + f.hasQualifiedName(package("net/http", ""), "Cookie", fieldName) and + w.writesField(this, f, written) + } + + override DataFlow::Node getCookieOutput() { result = this } + + override DataFlow::Node getName() { fieldName = "Name" and result = written } + + override DataFlow::Node getValue() { fieldName = "Value" and result = written } + + override DataFlow::Node getSecure() { fieldName = "Secure" and result = written } + + override DataFlow::Node getHttpOnly() { fieldName = "HttpOnly" and result = written } + } } diff --git a/go/ql/lib/semmle/go/security/SecureCookies.qll b/go/ql/lib/semmle/go/security/SecureCookies.qll new file mode 100644 index 000000000000..f700c0303371 --- /dev/null +++ b/go/ql/lib/semmle/go/security/SecureCookies.qll @@ -0,0 +1,108 @@ +/** Provides classes and predicates for identifying HTTP cookies with insecure attributes. */ + +import go +import semmle.go.concepts.HTTP +import semmle.go.dataflow.DataFlow + +/** + * Holds if the expression or its value has a sensitive name + */ +private predicate isSensitiveExpr(Expr expr, string val) { + ( + val = expr.getStringValue() or + val = expr.(Name).getTarget().getName() + ) and + val.regexpMatch("(?i).*(session|login|token|user|auth|credential).*") and + not val.regexpMatch("(?i).*(xsrf|csrf|forgery).*") +} + +private module SensitiveCookieNameConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { isSensitiveExpr(source.asExpr(), _) } + + predicate isSink(DataFlow::Node sink) { exists(Http::CookieWrite cw | sink = cw.getName()) } + + predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) { + exists(Http::CookieOptions co | co.getName() = pred and co.getCookieOutput() = succ) + } +} + +/** Tracks flow from sensitive names to HTTP cookie writes. */ +module SensitiveCookieNameFlow = TaintTracking::Global; + +private module BooleanCookieSecureConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { + source.getType().getUnderlyingType() instanceof BoolType + } + + predicate isSink(DataFlow::Node sink) { exists(Http::CookieWrite cw | sink = cw.getSecure()) } + + predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) { + exists(Http::CookieOptions co | co.getSecure() = pred and co.getCookieOutput() = succ) + } +} + +/** Tracks flow from boolean expressions to the `Secure` attribute of HTTP cookie writes. */ +module BooleanCookieSecureFlow = TaintTracking::Global; + +private module BooleanCookieHttpOnlyConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { + source.getType().getUnderlyingType() instanceof BoolType + } + + predicate isSink(DataFlow::Node sink) { exists(Http::CookieWrite cw | sink = cw.getHttpOnly()) } + + predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) { + exists(Http::CookieOptions co | co.getHttpOnly() = pred and co.getCookieOutput() = succ) + } +} + +/** Tracks flow from boolean expressions to the `HttpOnly` attribute of HTTP cookie writes. */ +module BooleanCookieHttpOnlyFlow = TaintTracking::Global; + +/** Holds if `cw` has the `Secure` attribute left at its default value of `false`. */ +predicate isInsecureDefault(Http::CookieWrite cw) { + not BooleanCookieSecureFlow::flow(_, cw.getSecure()) +} + +/** Holds if `cw` has the `Secure` attribute explicitly set to `false`, from the expression `boolFalse`. */ +predicate isInsecureDirect(Http::CookieWrite cw, Expr boolFalse) { + BooleanCookieSecureFlow::flow(DataFlow::exprNode(boolFalse), cw.getSecure()) and + boolFalse.getBoolValue() = false +} + +/** Holds if `cw` has the `Secure` attribute set to `false`, either explicitly or by default. */ +predicate isInsecureCookie(Http::CookieWrite cw) { + isInsecureDefault(cw) or + isInsecureDirect(cw, _) +} + +/** Holds if `cw` has the `HttpOnly` attribute left at its default value of `false`. */ +predicate isNonHttpOnlyDefault(Http::CookieWrite cw) { + not BooleanCookieHttpOnlyFlow::flow(_, cw.getHttpOnly()) +} + +/** Holds if `cw` has the `HttpOnly` attribute explicitly set to `false`, from the expression `boolFalse`. */ +predicate isNonHttpOnlyDirect(Http::CookieWrite cw, Expr boolFalse) { + BooleanCookieHttpOnlyFlow::flow(DataFlow::exprNode(boolFalse), cw.getHttpOnly()) and + boolFalse.getBoolValue() = false +} + +/** Holds if `cw` has the `HttpOnly` attribute set to `false`, either explicitly or by default. */ +predicate isNonHttpOnlyCookie(Http::CookieWrite cw) { + isNonHttpOnlyDefault(cw) or + isNonHttpOnlyDirect(cw, _) +} + +/** + * Holds if `cw` has the sensitive name `name`, from the expression `nameExpr`. + * `source` and `sink` represent the data flow path from the sensitive name expression to the cookie write. + */ +predicate isSensitiveCookie( + Http::CookieWrite cw, Expr nameExpr, string name, SensitiveCookieNameFlow::PathNode source, + SensitiveCookieNameFlow::PathNode sink +) { + SensitiveCookieNameFlow::flowPath(source, sink) and + source.getNode().asExpr() = nameExpr and + sink.getNode() = cw.getName() and + isSensitiveExpr(nameExpr, name) +} diff --git a/go/ql/src/Security/CWE-1004/CookieWithoutHttpOnly.ql b/go/ql/src/Security/CWE-1004/CookieWithoutHttpOnly.ql new file mode 100644 index 000000000000..a37b842c29d2 --- /dev/null +++ b/go/ql/src/Security/CWE-1004/CookieWithoutHttpOnly.ql @@ -0,0 +1,27 @@ +/** + * @name 'HttpOnly' attribute is not set to true + * @description Omitting the 'HttpOnly' attribute for security sensitive data allows + * malicious JavaScript to steal it in case of XSS vulnerability. Always set + * 'HttpOnly' to 'true' to authentication related cookie to make it + * not accessible by JavaScript. + * @kind path-problem + * @problem.severity warning + * @precision high + * @security-severity 5.0 + * @id go/cookie-httponly-not-set + * @tags security + * external/cwe/cwe-1004 + */ + +import go +import semmle.go.security.SecureCookies +import SensitiveCookieNameFlow::PathGraph + +from + Http::CookieWrite cw, Expr sensitiveNameExpr, string name, + SensitiveCookieNameFlow::PathNode source, SensitiveCookieNameFlow::PathNode sink +where + isSensitiveCookie(cw, sensitiveNameExpr, name, source, sink) and + isNonHttpOnlyCookie(cw) +select cw, source, sink, "Sensitive cookie $@ does not set HttpOnly attribute to true.", + sensitiveNameExpr, name diff --git a/go/ql/src/Security/CWE-614/CookieWithoutSecure.ql b/go/ql/src/Security/CWE-614/CookieWithoutSecure.ql new file mode 100644 index 000000000000..8efec355d1f8 --- /dev/null +++ b/go/ql/src/Security/CWE-614/CookieWithoutSecure.ql @@ -0,0 +1,18 @@ +/** + * @name 'Secure' attribute is not set to true + * @description todo + * @kind problem + * @problem.severity warning + * @precision high + * @security-severity 5.0 + * @id go/cookie-secure-not-set + * @tags security + * external/cwe/cwe-1004 + */ + +import go +import semmle.go.security.SecureCookies + +from Http::CookieWrite cw +where isInsecureCookie(cw) +select cw, "Cookie does not set Secure attribute to true." diff --git a/go/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.expected b/go/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.expected new file mode 100644 index 000000000000..93988411db21 --- /dev/null +++ b/go/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.expected @@ -0,0 +1,139 @@ +#select +| CookieWithoutHttpOnly.go:14:2:14:22 | call to SetCookie | CookieWithoutHttpOnly.go:11:10:11:18 | "session" | CookieWithoutHttpOnly.go:14:20:14:21 | &... | Sensitive cookie $@ does not set HttpOnly attribute to true. | CookieWithoutHttpOnly.go:11:10:11:18 | "session" | session | +| CookieWithoutHttpOnly.go:23:2:23:22 | call to SetCookie | CookieWithoutHttpOnly.go:19:13:19:21 | "session" | CookieWithoutHttpOnly.go:23:20:23:21 | &... | Sensitive cookie $@ does not set HttpOnly attribute to true. | CookieWithoutHttpOnly.go:19:13:19:21 | "session" | session | +| CookieWithoutHttpOnly.go:50:2:50:22 | call to SetCookie | CookieWithoutHttpOnly.go:46:10:46:18 | "session" | CookieWithoutHttpOnly.go:50:20:50:21 | &... | Sensitive cookie $@ does not set HttpOnly attribute to true. | CookieWithoutHttpOnly.go:46:10:46:18 | "session" | session | +| CookieWithoutHttpOnly.go:60:2:60:22 | call to SetCookie | CookieWithoutHttpOnly.go:56:13:56:21 | "session" | CookieWithoutHttpOnly.go:60:20:60:21 | &... | Sensitive cookie $@ does not set HttpOnly attribute to true. | CookieWithoutHttpOnly.go:56:13:56:21 | "session" | session | +| CookieWithoutHttpOnly.go:90:2:90:22 | call to SetCookie | CookieWithoutHttpOnly.go:86:10:86:18 | "session" | CookieWithoutHttpOnly.go:90:20:90:21 | &... | Sensitive cookie $@ does not set HttpOnly attribute to true. | CookieWithoutHttpOnly.go:86:10:86:18 | "session" | session | +| CookieWithoutHttpOnly.go:109:2:109:22 | call to SetCookie | CookieWithoutHttpOnly.go:103:10:103:18 | "session" | CookieWithoutHttpOnly.go:109:20:109:21 | &... | Sensitive cookie $@ does not set HttpOnly attribute to true. | CookieWithoutHttpOnly.go:103:10:103:18 | "session" | session | +| CookieWithoutHttpOnly.go:119:2:119:22 | call to SetCookie | CookieWithoutHttpOnly.go:113:13:113:24 | "login_name" | CookieWithoutHttpOnly.go:119:20:119:21 | &... | Sensitive cookie $@ does not set HttpOnly attribute to true. | CookieWithoutHttpOnly.go:113:13:113:24 | "login_name" | login_name | +| CookieWithoutHttpOnly.go:119:2:119:22 | call to SetCookie | CookieWithoutHttpOnly.go:115:10:115:16 | session | CookieWithoutHttpOnly.go:119:20:119:21 | &... | Sensitive cookie $@ does not set HttpOnly attribute to true. | CookieWithoutHttpOnly.go:115:10:115:16 | session | session | +| CookieWithoutHttpOnly.go:131:4:131:71 | call to SetCookie | CookieWithoutHttpOnly.go:131:16:131:24 | "session" | CookieWithoutHttpOnly.go:131:16:131:24 | "session" | Sensitive cookie $@ does not set HttpOnly attribute to true. | CookieWithoutHttpOnly.go:131:16:131:24 | "session" | session | +edges +| CookieWithoutHttpOnly.go:10:7:13:2 | struct literal | CookieWithoutHttpOnly.go:14:20:14:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:10:7:13:2 | struct literal | CookieWithoutHttpOnly.go:14:21:14:21 | c | provenance | | +| CookieWithoutHttpOnly.go:11:10:11:18 | "session" | CookieWithoutHttpOnly.go:10:7:13:2 | struct literal | provenance | Config | +| CookieWithoutHttpOnly.go:14:20:14:21 | &... [pointer] | CookieWithoutHttpOnly.go:14:20:14:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:14:21:14:21 | c | CookieWithoutHttpOnly.go:14:20:14:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:14:21:14:21 | c | CookieWithoutHttpOnly.go:14:20:14:21 | &... [pointer] | provenance | | +| CookieWithoutHttpOnly.go:18:7:22:2 | struct literal | CookieWithoutHttpOnly.go:23:20:23:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:18:7:22:2 | struct literal | CookieWithoutHttpOnly.go:23:21:23:21 | c | provenance | | +| CookieWithoutHttpOnly.go:19:13:19:21 | "session" | CookieWithoutHttpOnly.go:18:7:22:2 | struct literal | provenance | Config | +| CookieWithoutHttpOnly.go:23:20:23:21 | &... [pointer] | CookieWithoutHttpOnly.go:23:20:23:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:23:21:23:21 | c | CookieWithoutHttpOnly.go:23:20:23:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:23:21:23:21 | c | CookieWithoutHttpOnly.go:23:20:23:21 | &... [pointer] | provenance | | +| CookieWithoutHttpOnly.go:27:7:31:2 | struct literal | CookieWithoutHttpOnly.go:32:20:32:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:27:7:31:2 | struct literal | CookieWithoutHttpOnly.go:32:21:32:21 | c | provenance | | +| CookieWithoutHttpOnly.go:28:13:28:21 | "session" | CookieWithoutHttpOnly.go:27:7:31:2 | struct literal | provenance | Config | +| CookieWithoutHttpOnly.go:32:20:32:21 | &... [pointer] | CookieWithoutHttpOnly.go:32:20:32:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:32:21:32:21 | c | CookieWithoutHttpOnly.go:32:20:32:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:32:21:32:21 | c | CookieWithoutHttpOnly.go:32:20:32:21 | &... [pointer] | provenance | | +| CookieWithoutHttpOnly.go:36:7:39:2 | struct literal | CookieWithoutHttpOnly.go:41:20:41:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:36:7:39:2 | struct literal | CookieWithoutHttpOnly.go:41:21:41:21 | c | provenance | | +| CookieWithoutHttpOnly.go:37:10:37:18 | "session" | CookieWithoutHttpOnly.go:36:7:39:2 | struct literal | provenance | Config | +| CookieWithoutHttpOnly.go:41:20:41:21 | &... [pointer] | CookieWithoutHttpOnly.go:41:20:41:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:41:21:41:21 | c | CookieWithoutHttpOnly.go:41:20:41:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:41:21:41:21 | c | CookieWithoutHttpOnly.go:41:20:41:21 | &... [pointer] | provenance | | +| CookieWithoutHttpOnly.go:45:7:48:2 | struct literal | CookieWithoutHttpOnly.go:50:20:50:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:45:7:48:2 | struct literal | CookieWithoutHttpOnly.go:50:21:50:21 | c | provenance | | +| CookieWithoutHttpOnly.go:46:10:46:18 | "session" | CookieWithoutHttpOnly.go:45:7:48:2 | struct literal | provenance | Config | +| CookieWithoutHttpOnly.go:50:20:50:21 | &... [pointer] | CookieWithoutHttpOnly.go:50:20:50:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:50:21:50:21 | c | CookieWithoutHttpOnly.go:50:20:50:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:50:21:50:21 | c | CookieWithoutHttpOnly.go:50:20:50:21 | &... [pointer] | provenance | | +| CookieWithoutHttpOnly.go:55:7:59:2 | struct literal | CookieWithoutHttpOnly.go:60:20:60:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:55:7:59:2 | struct literal | CookieWithoutHttpOnly.go:60:21:60:21 | c | provenance | | +| CookieWithoutHttpOnly.go:56:13:56:21 | "session" | CookieWithoutHttpOnly.go:55:7:59:2 | struct literal | provenance | Config | +| CookieWithoutHttpOnly.go:60:20:60:21 | &... [pointer] | CookieWithoutHttpOnly.go:60:20:60:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:60:21:60:21 | c | CookieWithoutHttpOnly.go:60:20:60:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:60:21:60:21 | c | CookieWithoutHttpOnly.go:60:20:60:21 | &... [pointer] | provenance | | +| CookieWithoutHttpOnly.go:65:7:69:2 | struct literal | CookieWithoutHttpOnly.go:70:20:70:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:65:7:69:2 | struct literal | CookieWithoutHttpOnly.go:70:21:70:21 | c | provenance | | +| CookieWithoutHttpOnly.go:66:13:66:21 | "session" | CookieWithoutHttpOnly.go:65:7:69:2 | struct literal | provenance | Config | +| CookieWithoutHttpOnly.go:70:20:70:21 | &... [pointer] | CookieWithoutHttpOnly.go:70:20:70:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:70:21:70:21 | c | CookieWithoutHttpOnly.go:70:20:70:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:70:21:70:21 | c | CookieWithoutHttpOnly.go:70:20:70:21 | &... [pointer] | provenance | | +| CookieWithoutHttpOnly.go:75:7:78:2 | struct literal | CookieWithoutHttpOnly.go:80:20:80:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:75:7:78:2 | struct literal | CookieWithoutHttpOnly.go:80:21:80:21 | c | provenance | | +| CookieWithoutHttpOnly.go:76:10:76:18 | "session" | CookieWithoutHttpOnly.go:75:7:78:2 | struct literal | provenance | Config | +| CookieWithoutHttpOnly.go:80:20:80:21 | &... [pointer] | CookieWithoutHttpOnly.go:80:20:80:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:80:21:80:21 | c | CookieWithoutHttpOnly.go:80:20:80:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:80:21:80:21 | c | CookieWithoutHttpOnly.go:80:20:80:21 | &... [pointer] | provenance | | +| CookieWithoutHttpOnly.go:85:7:88:2 | struct literal | CookieWithoutHttpOnly.go:90:20:90:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:85:7:88:2 | struct literal | CookieWithoutHttpOnly.go:90:21:90:21 | c | provenance | | +| CookieWithoutHttpOnly.go:86:10:86:18 | "session" | CookieWithoutHttpOnly.go:85:7:88:2 | struct literal | provenance | Config | +| CookieWithoutHttpOnly.go:90:20:90:21 | &... [pointer] | CookieWithoutHttpOnly.go:90:20:90:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:90:21:90:21 | c | CookieWithoutHttpOnly.go:90:20:90:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:90:21:90:21 | c | CookieWithoutHttpOnly.go:90:20:90:21 | &... [pointer] | provenance | | +| CookieWithoutHttpOnly.go:103:10:103:18 | "session" | CookieWithoutHttpOnly.go:105:10:105:13 | name | provenance | | +| CookieWithoutHttpOnly.go:104:7:107:2 | struct literal | CookieWithoutHttpOnly.go:109:20:109:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:104:7:107:2 | struct literal | CookieWithoutHttpOnly.go:109:21:109:21 | c | provenance | | +| CookieWithoutHttpOnly.go:105:10:105:13 | name | CookieWithoutHttpOnly.go:104:7:107:2 | struct literal | provenance | Config | +| CookieWithoutHttpOnly.go:109:20:109:21 | &... [pointer] | CookieWithoutHttpOnly.go:109:20:109:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:109:21:109:21 | c | CookieWithoutHttpOnly.go:109:20:109:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:109:21:109:21 | c | CookieWithoutHttpOnly.go:109:20:109:21 | &... [pointer] | provenance | | +| CookieWithoutHttpOnly.go:113:13:113:24 | "login_name" | CookieWithoutHttpOnly.go:115:10:115:16 | session | provenance | | +| CookieWithoutHttpOnly.go:114:7:117:2 | struct literal | CookieWithoutHttpOnly.go:119:20:119:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:114:7:117:2 | struct literal | CookieWithoutHttpOnly.go:119:21:119:21 | c | provenance | | +| CookieWithoutHttpOnly.go:115:10:115:16 | session | CookieWithoutHttpOnly.go:114:7:117:2 | struct literal | provenance | Config | +| CookieWithoutHttpOnly.go:119:20:119:21 | &... [pointer] | CookieWithoutHttpOnly.go:119:20:119:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:119:21:119:21 | c | CookieWithoutHttpOnly.go:119:20:119:21 | &... | provenance | | +| CookieWithoutHttpOnly.go:119:21:119:21 | c | CookieWithoutHttpOnly.go:119:20:119:21 | &... [pointer] | provenance | | +nodes +| CookieWithoutHttpOnly.go:10:7:13:2 | struct literal | semmle.label | struct literal | +| CookieWithoutHttpOnly.go:11:10:11:18 | "session" | semmle.label | "session" | +| CookieWithoutHttpOnly.go:14:20:14:21 | &... | semmle.label | &... | +| CookieWithoutHttpOnly.go:14:20:14:21 | &... [pointer] | semmle.label | &... [pointer] | +| CookieWithoutHttpOnly.go:14:21:14:21 | c | semmle.label | c | +| CookieWithoutHttpOnly.go:18:7:22:2 | struct literal | semmle.label | struct literal | +| CookieWithoutHttpOnly.go:19:13:19:21 | "session" | semmle.label | "session" | +| CookieWithoutHttpOnly.go:23:20:23:21 | &... | semmle.label | &... | +| CookieWithoutHttpOnly.go:23:20:23:21 | &... [pointer] | semmle.label | &... [pointer] | +| CookieWithoutHttpOnly.go:23:21:23:21 | c | semmle.label | c | +| CookieWithoutHttpOnly.go:27:7:31:2 | struct literal | semmle.label | struct literal | +| CookieWithoutHttpOnly.go:28:13:28:21 | "session" | semmle.label | "session" | +| CookieWithoutHttpOnly.go:32:20:32:21 | &... | semmle.label | &... | +| CookieWithoutHttpOnly.go:32:20:32:21 | &... [pointer] | semmle.label | &... [pointer] | +| CookieWithoutHttpOnly.go:32:21:32:21 | c | semmle.label | c | +| CookieWithoutHttpOnly.go:36:7:39:2 | struct literal | semmle.label | struct literal | +| CookieWithoutHttpOnly.go:37:10:37:18 | "session" | semmle.label | "session" | +| CookieWithoutHttpOnly.go:41:20:41:21 | &... | semmle.label | &... | +| CookieWithoutHttpOnly.go:41:20:41:21 | &... [pointer] | semmle.label | &... [pointer] | +| CookieWithoutHttpOnly.go:41:21:41:21 | c | semmle.label | c | +| CookieWithoutHttpOnly.go:45:7:48:2 | struct literal | semmle.label | struct literal | +| CookieWithoutHttpOnly.go:46:10:46:18 | "session" | semmle.label | "session" | +| CookieWithoutHttpOnly.go:50:20:50:21 | &... | semmle.label | &... | +| CookieWithoutHttpOnly.go:50:20:50:21 | &... [pointer] | semmle.label | &... [pointer] | +| CookieWithoutHttpOnly.go:50:21:50:21 | c | semmle.label | c | +| CookieWithoutHttpOnly.go:55:7:59:2 | struct literal | semmle.label | struct literal | +| CookieWithoutHttpOnly.go:56:13:56:21 | "session" | semmle.label | "session" | +| CookieWithoutHttpOnly.go:60:20:60:21 | &... | semmle.label | &... | +| CookieWithoutHttpOnly.go:60:20:60:21 | &... [pointer] | semmle.label | &... [pointer] | +| CookieWithoutHttpOnly.go:60:21:60:21 | c | semmle.label | c | +| CookieWithoutHttpOnly.go:65:7:69:2 | struct literal | semmle.label | struct literal | +| CookieWithoutHttpOnly.go:66:13:66:21 | "session" | semmle.label | "session" | +| CookieWithoutHttpOnly.go:70:20:70:21 | &... | semmle.label | &... | +| CookieWithoutHttpOnly.go:70:20:70:21 | &... [pointer] | semmle.label | &... [pointer] | +| CookieWithoutHttpOnly.go:70:21:70:21 | c | semmle.label | c | +| CookieWithoutHttpOnly.go:75:7:78:2 | struct literal | semmle.label | struct literal | +| CookieWithoutHttpOnly.go:76:10:76:18 | "session" | semmle.label | "session" | +| CookieWithoutHttpOnly.go:80:20:80:21 | &... | semmle.label | &... | +| CookieWithoutHttpOnly.go:80:20:80:21 | &... [pointer] | semmle.label | &... [pointer] | +| CookieWithoutHttpOnly.go:80:21:80:21 | c | semmle.label | c | +| CookieWithoutHttpOnly.go:85:7:88:2 | struct literal | semmle.label | struct literal | +| CookieWithoutHttpOnly.go:86:10:86:18 | "session" | semmle.label | "session" | +| CookieWithoutHttpOnly.go:90:20:90:21 | &... | semmle.label | &... | +| CookieWithoutHttpOnly.go:90:20:90:21 | &... [pointer] | semmle.label | &... [pointer] | +| CookieWithoutHttpOnly.go:90:21:90:21 | c | semmle.label | c | +| CookieWithoutHttpOnly.go:103:10:103:18 | "session" | semmle.label | "session" | +| CookieWithoutHttpOnly.go:104:7:107:2 | struct literal | semmle.label | struct literal | +| CookieWithoutHttpOnly.go:105:10:105:13 | name | semmle.label | name | +| CookieWithoutHttpOnly.go:109:20:109:21 | &... | semmle.label | &... | +| CookieWithoutHttpOnly.go:109:20:109:21 | &... [pointer] | semmle.label | &... [pointer] | +| CookieWithoutHttpOnly.go:109:21:109:21 | c | semmle.label | c | +| CookieWithoutHttpOnly.go:113:13:113:24 | "login_name" | semmle.label | "login_name" | +| CookieWithoutHttpOnly.go:114:7:117:2 | struct literal | semmle.label | struct literal | +| CookieWithoutHttpOnly.go:115:10:115:16 | session | semmle.label | session | +| CookieWithoutHttpOnly.go:119:20:119:21 | &... | semmle.label | &... | +| CookieWithoutHttpOnly.go:119:20:119:21 | &... [pointer] | semmle.label | &... [pointer] | +| CookieWithoutHttpOnly.go:119:21:119:21 | c | semmle.label | c | +| CookieWithoutHttpOnly.go:131:16:131:24 | "session" | semmle.label | "session" | +subpaths diff --git a/go/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.go b/go/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.go new file mode 100644 index 000000000000..0e3958aca2e5 --- /dev/null +++ b/go/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.go @@ -0,0 +1,136 @@ +package main + +import ( + "net/http" + + "github.com/gin-gonic/gin" +) + +func handler1(w http.ResponseWriter, r *http.Request) { + c := http.Cookie{ + Name: "session", // $ Source + Value: "secret", + } + http.SetCookie(w, &c) // $ Alert // BAD: HttpOnly set to false by default +} + +func handler2(w http.ResponseWriter, r *http.Request) { + c := http.Cookie{ + Name: "session", // $ Source + Value: "secret", + HttpOnly: false, + } + http.SetCookie(w, &c) // $ Alert // BAD: HttpOnly explicitly set to false +} + +func handler3(w http.ResponseWriter, r *http.Request) { + c := http.Cookie{ + Name: "session", + Value: "secret", + HttpOnly: true, + } + http.SetCookie(w, &c) // GOOD: HttpOnly explicitly set to true +} + +func handler4(w http.ResponseWriter, r *http.Request) { + c := http.Cookie{ + Name: "session", + Value: "secret", + } + c.HttpOnly = true + http.SetCookie(w, &c) // GOOD: HttpOnly explicitly set to true +} + +func handler5(w http.ResponseWriter, r *http.Request) { + c := http.Cookie{ + Name: "session", // $ Source + Value: "secret", + } + c.HttpOnly = false + http.SetCookie(w, &c) // $ Alert // BAD: HttpOnly explicitly set to false +} + +func handler6(w http.ResponseWriter, r *http.Request) { + val := false + c := http.Cookie{ + Name: "session", // $ Source + Value: "secret", + HttpOnly: val, + } + http.SetCookie(w, &c) // $ Alert // BAD: HttpOnly explicitly set to false +} + +func handler7(w http.ResponseWriter, r *http.Request) { + val := true + c := http.Cookie{ + Name: "session", + Value: "secret", + HttpOnly: val, + } + http.SetCookie(w, &c) // GOOD: HttpOnly explicitly set to true +} + +func handler8(w http.ResponseWriter, r *http.Request) { + val := true + c := http.Cookie{ + Name: "session", + Value: "secret", + } + c.HttpOnly = val + http.SetCookie(w, &c) // GOOD: HttpOnly explicitly set to true +} + +func handler9(w http.ResponseWriter, r *http.Request) { + val := false + c := http.Cookie{ + Name: "session", // $ Source + Value: "secret", + } + c.HttpOnly = val + http.SetCookie(w, &c) // $ Alert //BAD: HttpOnly explicitly set to false +} + +func handler10(w http.ResponseWriter, r *http.Request) { + c := http.Cookie{ + Name: "consent", + Value: "1", + } + c.HttpOnly = false + http.SetCookie(w, &c) // GOOD: Name is not auth related +} + +func handler11(w http.ResponseWriter, r *http.Request) { + name := "session" // $ Source + c := http.Cookie{ + Name: name, + Value: "secret", + } + c.HttpOnly = false + http.SetCookie(w, &c) // $ Alert // BAD: auth related name +} + +func handler12(w http.ResponseWriter, r *http.Request) { + session := "login_name" // $ Source + c := http.Cookie{ + Name: session, // $ Source + Value: "secret", + } + c.HttpOnly = false + http.SetCookie(w, &c) // $ Alert // BAD: auth related name +} + +func main() { + + router := gin.Default() + + router.GET("/cookie", func(c *gin.Context) { + + _, err := c.Cookie("session") + + if err != nil { + c.SetCookie("session", "test", 3600, "/", "localhost", false, false) // $ Alert // BAD: httpOnly set to false + } + }) + + router.Run() +} diff --git a/go/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.qlref b/go/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.qlref new file mode 100644 index 000000000000..3f81c27e867f --- /dev/null +++ b/go/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.qlref @@ -0,0 +1,2 @@ +query: security/CWE-1004/CookieWithoutHttpOnly.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/go/ql/test/query-tests/Security/CWE-1004/go.mod b/go/ql/test/query-tests/Security/CWE-1004/go.mod new file mode 100644 index 000000000000..5ab32129a9b9 --- /dev/null +++ b/go/ql/test/query-tests/Security/CWE-1004/go.mod @@ -0,0 +1,8 @@ +module example.com/m + +go 1.14 + +require ( + github.com/gin-gonic/gin v1.7.1 + github.com/gorilla/sessions v1.2.1 + ) diff --git a/go/ql/test/query-tests/Security/CWE-1004/vendor/github.com/gin-gonic/gin/LICENSE b/go/ql/test/query-tests/Security/CWE-1004/vendor/github.com/gin-gonic/gin/LICENSE new file mode 100644 index 000000000000..1ff7f3706055 --- /dev/null +++ b/go/ql/test/query-tests/Security/CWE-1004/vendor/github.com/gin-gonic/gin/LICENSE @@ -0,0 +1,21 @@ +The MIT License (MIT) + +Copyright (c) 2014 Manuel Martínez-Almeida + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. diff --git a/go/ql/test/query-tests/Security/CWE-1004/vendor/github.com/gin-gonic/gin/binding/stub.go b/go/ql/test/query-tests/Security/CWE-1004/vendor/github.com/gin-gonic/gin/binding/stub.go new file mode 100644 index 000000000000..43fd634edcd3 --- /dev/null +++ b/go/ql/test/query-tests/Security/CWE-1004/vendor/github.com/gin-gonic/gin/binding/stub.go @@ -0,0 +1,12 @@ +// Code generated by depstubber. DO NOT EDIT. +// This is a simple stub for github.com/gin-gonic/gin/binding, strictly for use in testing. + +// See the LICENSE file for information about the licensing of the original library. +// Source: github.com/gin-gonic/gin/binding (exports: ; functions: YAML) + +// Package binding is a stub of github.com/gin-gonic/gin/binding, generated by depstubber. +package binding + +import () + +var YAML interface{} = nil diff --git a/go/ql/test/query-tests/Security/CWE-1004/vendor/github.com/gin-gonic/gin/stub.go b/go/ql/test/query-tests/Security/CWE-1004/vendor/github.com/gin-gonic/gin/stub.go new file mode 100644 index 000000000000..e343d5f2aa08 --- /dev/null +++ b/go/ql/test/query-tests/Security/CWE-1004/vendor/github.com/gin-gonic/gin/stub.go @@ -0,0 +1,677 @@ +// Code generated by depstubber. DO NOT EDIT. +// This is a simple stub for github.com/gin-gonic/gin, strictly for use in testing. + +// See the LICENSE file for information about the licensing of the original library. +// Source: github.com/gin-gonic/gin (exports: Context; functions: Default) + +// Package gin is a stub of github.com/gin-gonic/gin, generated by depstubber. +package gin + +import ( + bufio "bufio" + template "html/template" + io "io" + multipart "mime/multipart" + net "net" + http "net/http" + time "time" +) + +type Context struct { + Request *http.Request + Writer ResponseWriter + Params Params + Keys map[string]interface{} + Errors interface{} + Accepted []string +} + +func (_ *Context) Abort() {} + +func (_ *Context) AbortWithError(_ int, _ error) *Error { + return nil +} + +func (_ *Context) AbortWithStatus(_ int) {} + +func (_ *Context) AbortWithStatusJSON(_ int, _ interface{}) {} + +func (_ *Context) AsciiJSON(_ int, _ interface{}) {} + +func (_ *Context) Bind(_ interface{}) error { + return nil +} + +func (_ *Context) BindHeader(_ interface{}) error { + return nil +} + +func (_ *Context) BindJSON(_ interface{}) error { + return nil +} + +func (_ *Context) BindQuery(_ interface{}) error { + return nil +} + +func (_ *Context) BindUri(_ interface{}) error { + return nil +} + +func (_ *Context) BindWith(_ interface{}, _ interface{}) error { + return nil +} + +func (_ *Context) BindXML(_ interface{}) error { + return nil +} + +func (_ *Context) BindYAML(_ interface{}) error { + return nil +} + +func (_ *Context) ClientIP() string { + return "" +} + +func (_ *Context) ContentType() string { + return "" +} + +func (_ *Context) Cookie(_ string) (string, error) { + return "", nil +} + +func (_ *Context) Copy() *Context { + return nil +} + +func (_ *Context) Data(_ int, _ string, _ []byte) {} + +func (_ *Context) DataFromReader(_ int, _ int64, _ string, _ io.Reader, _ map[string]string) {} + +func (_ *Context) Deadline() (time.Time, bool) { + return time.Time{}, false +} + +func (_ *Context) DefaultPostForm(_ string, _ string) string { + return "" +} + +func (_ *Context) DefaultQuery(_ string, _ string) string { + return "" +} + +func (_ *Context) Done() <-chan struct{} { + return nil +} + +func (_ *Context) Err() error { + return nil +} + +func (_ *Context) Error(_ error) *Error { + return nil +} + +func (_ *Context) File(_ string) {} + +func (_ *Context) FileAttachment(_ string, _ string) {} + +func (_ *Context) FileFromFS(_ string, _ http.FileSystem) {} + +func (_ *Context) FormFile(_ string) (*multipart.FileHeader, error) { + return nil, nil +} + +func (_ *Context) FullPath() string { + return "" +} + +func (_ *Context) Get(_ string) (interface{}, bool) { + return nil, false +} + +func (_ *Context) GetBool(_ string) bool { + return false +} + +func (_ *Context) GetDuration(_ string) time.Duration { + return 0 +} + +func (_ *Context) GetFloat64(_ string) float64 { + return 0 +} + +func (_ *Context) GetHeader(_ string) string { + return "" +} + +func (_ *Context) GetInt(_ string) int { + return 0 +} + +func (_ *Context) GetInt64(_ string) int64 { + return 0 +} + +func (_ *Context) GetPostForm(_ string) (string, bool) { + return "", false +} + +func (_ *Context) GetPostFormArray(_ string) ([]string, bool) { + return nil, false +} + +func (_ *Context) GetPostFormMap(_ string) (map[string]string, bool) { + return nil, false +} + +func (_ *Context) GetQuery(_ string) (string, bool) { + return "", false +} + +func (_ *Context) GetQueryArray(_ string) ([]string, bool) { + return nil, false +} + +func (_ *Context) GetQueryMap(_ string) (map[string]string, bool) { + return nil, false +} + +func (_ *Context) GetRawData() ([]byte, error) { + return nil, nil +} + +func (_ *Context) GetString(_ string) string { + return "" +} + +func (_ *Context) GetStringMap(_ string) map[string]interface{} { + return nil +} + +func (_ *Context) GetStringMapString(_ string) map[string]string { + return nil +} + +func (_ *Context) GetStringMapStringSlice(_ string) map[string][]string { + return nil +} + +func (_ *Context) GetStringSlice(_ string) []string { + return nil +} + +func (_ *Context) GetTime(_ string) time.Time { + return time.Time{} +} + +func (_ *Context) GetUint(_ string) uint { + return 0 +} + +func (_ *Context) GetUint64(_ string) uint64 { + return 0 +} + +func (_ *Context) HTML(_ int, _ string, _ interface{}) {} + +func (_ *Context) Handler() HandlerFunc { + return nil +} + +func (_ *Context) HandlerName() string { + return "" +} + +func (_ *Context) HandlerNames() []string { + return nil +} + +func (_ *Context) Header(_ string, _ string) {} + +func (_ *Context) IndentedJSON(_ int, _ interface{}) {} + +func (_ *Context) IsAborted() bool { + return false +} + +func (_ *Context) IsWebsocket() bool { + return false +} + +func (_ *Context) JSON(_ int, _ interface{}) {} + +func (_ *Context) JSONP(_ int, _ interface{}) {} + +func (_ *Context) MultipartForm() (*multipart.Form, error) { + return nil, nil +} + +func (_ *Context) MustBindWith(_ interface{}, _ interface{}) error { + return nil +} + +func (_ *Context) MustGet(_ string) interface{} { + return nil +} + +func (_ *Context) Negotiate(_ int, _ Negotiate) {} + +func (_ *Context) NegotiateFormat(_ ...string) string { + return "" +} + +func (_ *Context) Next() {} + +func (_ *Context) Param(_ string) string { + return "" +} + +func (_ *Context) PostForm(_ string) string { + return "" +} + +func (_ *Context) PostFormArray(_ string) []string { + return nil +} + +func (_ *Context) PostFormMap(_ string) map[string]string { + return nil +} + +func (_ *Context) ProtoBuf(_ int, _ interface{}) {} + +func (_ *Context) PureJSON(_ int, _ interface{}) {} + +func (_ *Context) Query(_ string) string { + return "" +} + +func (_ *Context) QueryArray(_ string) []string { + return nil +} + +func (_ *Context) QueryMap(_ string) map[string]string { + return nil +} + +func (_ *Context) Redirect(_ int, _ string) {} + +func (_ *Context) RemoteIP() (net.IP, bool) { + return nil, false +} + +func (_ *Context) Render(_ int, _ interface{}) {} + +func (_ *Context) SSEvent(_ string, _ interface{}) {} + +func (_ *Context) SaveUploadedFile(_ *multipart.FileHeader, _ string) error { + return nil +} + +func (_ *Context) SecureJSON(_ int, _ interface{}) {} + +func (_ *Context) Set(_ string, _ interface{}) {} + +func (_ *Context) SetAccepted(_ ...string) {} + +func (_ *Context) SetCookie(_ string, _ string, _ int, _ string, _ string, _ bool, _ bool) {} + +func (_ *Context) SetSameSite(_ http.SameSite) {} + +func (_ *Context) ShouldBind(_ interface{}) error { + return nil +} + +func (_ *Context) ShouldBindBodyWith(_ interface{}, _ interface{}) error { + return nil +} + +func (_ *Context) ShouldBindHeader(_ interface{}) error { + return nil +} + +func (_ *Context) ShouldBindJSON(_ interface{}) error { + return nil +} + +func (_ *Context) ShouldBindQuery(_ interface{}) error { + return nil +} + +func (_ *Context) ShouldBindUri(_ interface{}) error { + return nil +} + +func (_ *Context) ShouldBindWith(_ interface{}, _ interface{}) error { + return nil +} + +func (_ *Context) ShouldBindXML(_ interface{}) error { + return nil +} + +func (_ *Context) ShouldBindYAML(_ interface{}) error { + return nil +} + +func (_ *Context) Status(_ int) {} + +func (_ *Context) Stream(_ func(io.Writer) bool) bool { + return false +} + +func (_ *Context) String(_ int, _ string, _ ...interface{}) {} + +func (_ *Context) Value(_ interface{}) interface{} { + return nil +} + +func (_ *Context) XML(_ int, _ interface{}) {} + +func (_ *Context) YAML(_ int, _ interface{}) {} + +func Default() *Engine { + return nil +} + +type Engine struct { + RouterGroup RouterGroup + RedirectTrailingSlash bool + RedirectFixedPath bool + HandleMethodNotAllowed bool + ForwardedByClientIP bool + RemoteIPHeaders []string + TrustedProxies []string + AppEngine bool + UseRawPath bool + UnescapePathValues bool + MaxMultipartMemory int64 + RemoveExtraSlash bool + HTMLRender interface{} + FuncMap template.FuncMap +} + +func (_ *Engine) Any(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *Engine) BasePath() string { + return "" +} + +func (_ *Engine) DELETE(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *Engine) Delims(_ string, _ string) *Engine { + return nil +} + +func (_ *Engine) GET(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *Engine) Group(_ string, _ ...HandlerFunc) *RouterGroup { + return nil +} + +func (_ *Engine) HEAD(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *Engine) Handle(_ string, _ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *Engine) HandleContext(_ *Context) {} + +func (_ *Engine) LoadHTMLFiles(_ ...string) {} + +func (_ *Engine) LoadHTMLGlob(_ string) {} + +func (_ *Engine) NoMethod(_ ...HandlerFunc) {} + +func (_ *Engine) NoRoute(_ ...HandlerFunc) {} + +func (_ *Engine) OPTIONS(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *Engine) PATCH(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *Engine) POST(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *Engine) PUT(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *Engine) Routes() RoutesInfo { + return nil +} + +func (_ *Engine) Run(_ ...string) error { + return nil +} + +func (_ *Engine) RunFd(_ int) error { + return nil +} + +func (_ *Engine) RunListener(_ net.Listener) error { + return nil +} + +func (_ *Engine) RunTLS(_ string, _ string, _ string) error { + return nil +} + +func (_ *Engine) RunUnix(_ string) error { + return nil +} + +func (_ *Engine) SecureJsonPrefix(_ string) *Engine { + return nil +} + +func (_ *Engine) ServeHTTP(_ http.ResponseWriter, _ *http.Request) {} + +func (_ *Engine) SetFuncMap(_ template.FuncMap) {} + +func (_ *Engine) SetHTMLTemplate(_ *template.Template) {} + +func (_ *Engine) Static(_ string, _ string) IRoutes { + return nil +} + +func (_ *Engine) StaticFS(_ string, _ http.FileSystem) IRoutes { + return nil +} + +func (_ *Engine) StaticFile(_ string, _ string) IRoutes { + return nil +} + +func (_ *Engine) Use(_ ...HandlerFunc) IRoutes { + return nil +} + +type Error struct { + Err error + Type ErrorType + Meta interface{} +} + +func (_ Error) Error() string { + return "" +} + +func (_ *Error) IsType(_ ErrorType) bool { + return false +} + +func (_ *Error) JSON() interface{} { + return nil +} + +func (_ *Error) MarshalJSON() ([]byte, error) { + return nil, nil +} + +func (_ *Error) SetMeta(_ interface{}) *Error { + return nil +} + +func (_ *Error) SetType(_ ErrorType) *Error { + return nil +} + +func (_ *Error) Unwrap() error { + return nil +} + +type ErrorType uint64 + +type HandlerFunc func(*Context) + +type HandlersChain []HandlerFunc + +func (_ HandlersChain) Last() HandlerFunc { + return nil +} + +type IRoutes interface { + Any(_ string, _ ...HandlerFunc) IRoutes + DELETE(_ string, _ ...HandlerFunc) IRoutes + GET(_ string, _ ...HandlerFunc) IRoutes + HEAD(_ string, _ ...HandlerFunc) IRoutes + Handle(_ string, _ string, _ ...HandlerFunc) IRoutes + OPTIONS(_ string, _ ...HandlerFunc) IRoutes + PATCH(_ string, _ ...HandlerFunc) IRoutes + POST(_ string, _ ...HandlerFunc) IRoutes + PUT(_ string, _ ...HandlerFunc) IRoutes + Static(_ string, _ string) IRoutes + StaticFS(_ string, _ http.FileSystem) IRoutes + StaticFile(_ string, _ string) IRoutes + Use(_ ...HandlerFunc) IRoutes +} + +type Negotiate struct { + Offered []string + HTMLName string + HTMLData interface{} + JSONData interface{} + XMLData interface{} + YAMLData interface{} + Data interface{} +} + +type Param struct { + Key string + Value string +} + +type Params []Param + +func (_ Params) ByName(_ string) string { + return "" +} + +func (_ Params) Get(_ string) (string, bool) { + return "", false +} + +type ResponseWriter interface { + CloseNotify() <-chan bool + Flush() + Header() http.Header + Hijack() (net.Conn, *bufio.ReadWriter, error) + Pusher() http.Pusher + Size() int + Status() int + Write(_ []byte) (int, error) + WriteHeader(_ int) + WriteHeaderNow() + WriteString(_ string) (int, error) + Written() bool +} + +type RouteInfo struct { + Method string + Path string + Handler string + HandlerFunc HandlerFunc +} + +type RouterGroup struct { + Handlers HandlersChain +} + +func (_ *RouterGroup) Any(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *RouterGroup) BasePath() string { + return "" +} + +func (_ *RouterGroup) DELETE(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *RouterGroup) GET(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *RouterGroup) Group(_ string, _ ...HandlerFunc) *RouterGroup { + return nil +} + +func (_ *RouterGroup) HEAD(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *RouterGroup) Handle(_ string, _ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *RouterGroup) OPTIONS(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *RouterGroup) PATCH(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *RouterGroup) POST(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *RouterGroup) PUT(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *RouterGroup) Static(_ string, _ string) IRoutes { + return nil +} + +func (_ *RouterGroup) StaticFS(_ string, _ http.FileSystem) IRoutes { + return nil +} + +func (_ *RouterGroup) StaticFile(_ string, _ string) IRoutes { + return nil +} + +func (_ *RouterGroup) Use(_ ...HandlerFunc) IRoutes { + return nil +} + +type RoutesInfo []RouteInfo diff --git a/go/ql/test/query-tests/Security/CWE-1004/vendor/github.com/gorilla/sessions/stub.go b/go/ql/test/query-tests/Security/CWE-1004/vendor/github.com/gorilla/sessions/stub.go new file mode 100644 index 000000000000..2ebc3858163f --- /dev/null +++ b/go/ql/test/query-tests/Security/CWE-1004/vendor/github.com/gorilla/sessions/stub.go @@ -0,0 +1,75 @@ +// Code generated by depstubber. DO NOT EDIT. +// This is a simple stub for github.com/gorilla/sessions, strictly for use in testing. + +// See the LICENSE file for information about the licensing of the original library. +// Source: github.com/gorilla/sessions (exports: CookieStore; functions: NewCookieStore) + +// Package sessions is a stub of github.com/gorilla/sessions, generated by depstubber. +package sessions + +import ( + http "net/http" +) + +type CookieStore struct { + Codecs []interface{} + Options *Options +} + +func (_ *CookieStore) Get(_ *http.Request, _ string) (*Session, error) { + return nil, nil +} + +func (_ *CookieStore) MaxAge(_ int) {} + +func (_ *CookieStore) New(_ *http.Request, _ string) (*Session, error) { + return nil, nil +} + +func (_ *CookieStore) Save(_ *http.Request, _ http.ResponseWriter, _ *Session) error { + return nil +} + +func NewCookieStore(_ ...[]byte) *CookieStore { + return nil +} + +type Options struct { + Path string + Domain string + MaxAge int + Secure bool + HttpOnly bool + SameSite http.SameSite +} + +type Session struct { + ID string + Values map[interface{}]interface{} + Options *Options + IsNew bool +} + +func (_ *Session) AddFlash(_ interface{}, _ ...string) {} + +func (_ *Session) Flashes(_ ...string) []interface{} { + return nil +} + +func (_ *Session) Name() string { + return "" +} + +func (_ *Session) Save(_ *http.Request, _ http.ResponseWriter) error { + return nil +} + +func (_ *Session) Store() Store { + return nil +} + +type Store interface { + Get(_ *http.Request, _ string) (*Session, error) + New(_ *http.Request, _ string) (*Session, error) + Save(_ *http.Request, _ http.ResponseWriter, _ *Session) error +} diff --git a/go/ql/test/query-tests/Security/CWE-1004/vendor/modules.txt b/go/ql/test/query-tests/Security/CWE-1004/vendor/modules.txt new file mode 100644 index 000000000000..f38695b1ffcb --- /dev/null +++ b/go/ql/test/query-tests/Security/CWE-1004/vendor/modules.txt @@ -0,0 +1,6 @@ +# github.com/gin-gonic/gin v1.7.1 +## explicit +github.com/gin-gonic/gin +# github.com/gorilla/sessions v1.2.1 +## explicit +github.com/gorilla/sessions diff --git a/go/ql/test/query-tests/Security/CWE-614/CookieWithoutSecure.expected b/go/ql/test/query-tests/Security/CWE-614/CookieWithoutSecure.expected new file mode 100644 index 000000000000..1695d82a4f75 --- /dev/null +++ b/go/ql/test/query-tests/Security/CWE-614/CookieWithoutSecure.expected @@ -0,0 +1,6 @@ +| CookieWithoutSecure.go:14:2:14:22 | call to SetCookie | Cookie does not set Secure attribute to true. | +| CookieWithoutSecure.go:23:2:23:22 | call to SetCookie | Cookie does not set Secure attribute to true. | +| CookieWithoutSecure.go:50:2:50:22 | call to SetCookie | Cookie does not set Secure attribute to true. | +| CookieWithoutSecure.go:60:2:60:22 | call to SetCookie | Cookie does not set Secure attribute to true. | +| CookieWithoutSecure.go:90:2:90:22 | call to SetCookie | Cookie does not set Secure attribute to true. | +| CookieWithoutSecure.go:102:4:102:71 | call to SetCookie | Cookie does not set Secure attribute to true. | diff --git a/go/ql/test/query-tests/Security/CWE-614/CookieWithoutSecure.go b/go/ql/test/query-tests/Security/CWE-614/CookieWithoutSecure.go new file mode 100644 index 000000000000..a066babb6e29 --- /dev/null +++ b/go/ql/test/query-tests/Security/CWE-614/CookieWithoutSecure.go @@ -0,0 +1,107 @@ +package main + +import ( + "net/http" + + "github.com/gin-gonic/gin" +) + +func handler1(w http.ResponseWriter, r *http.Request) { + c := http.Cookie{ + Name: "session", // $ Source + Value: "secret", + } + http.SetCookie(w, &c) // $ Alert // BAD: Secure set to false by default +} + +func handler2(w http.ResponseWriter, r *http.Request) { + c := http.Cookie{ + Name: "session", // $ Source + Value: "secret", + Secure: false, + } + http.SetCookie(w, &c) // $ Alert // BAD: Secure explicitly set to false +} + +func handler3(w http.ResponseWriter, r *http.Request) { + c := http.Cookie{ + Name: "session", + Value: "secret", + Secure: true, + } + http.SetCookie(w, &c) // GOOD: Secure explicitly set to true +} + +func handler4(w http.ResponseWriter, r *http.Request) { + c := http.Cookie{ + Name: "session", + Value: "secret", + } + c.Secure = true + http.SetCookie(w, &c) // GOOD: Secure explicitly set to true +} + +func handler5(w http.ResponseWriter, r *http.Request) { + c := http.Cookie{ + Name: "session", // $ Source + Value: "secret", + } + c.Secure = false + http.SetCookie(w, &c) // $ Alert // BAD: Secure explicitly set to false +} + +func handler6(w http.ResponseWriter, r *http.Request) { + val := false + c := http.Cookie{ + Name: "session", // $ Source + Value: "secret", + Secure: val, + } + http.SetCookie(w, &c) // $ Alert // BAD: Secure explicitly set to false +} + +func handler7(w http.ResponseWriter, r *http.Request) { + val := true + c := http.Cookie{ + Name: "session", + Value: "secret", + Secure: val, + } + http.SetCookie(w, &c) // GOOD: Secure explicitly set to true +} + +func handler8(w http.ResponseWriter, r *http.Request) { + val := true + c := http.Cookie{ + Name: "session", + Value: "secret", + } + c.Secure = val + http.SetCookie(w, &c) // GOOD: Secure explicitly set to true +} + +func handler9(w http.ResponseWriter, r *http.Request) { + val := false + c := http.Cookie{ + Name: "session", // $ Source + Value: "secret", + } + c.Secure = val + http.SetCookie(w, &c) // $ Alert //BAD: Secure explicitly set to false +} + +func main() { + + router := gin.Default() + + router.GET("/cookie", func(c *gin.Context) { + + _, err := c.Cookie("session") + + if err != nil { + c.SetCookie("session", "test", 3600, "/", "localhost", false, false) // $ Alert // BAD: Secure set to false + } + }) + + router.Run() +} diff --git a/go/ql/test/query-tests/Security/CWE-614/CookieWithoutSecure.qlref b/go/ql/test/query-tests/Security/CWE-614/CookieWithoutSecure.qlref new file mode 100644 index 000000000000..dc326b1e91eb --- /dev/null +++ b/go/ql/test/query-tests/Security/CWE-614/CookieWithoutSecure.qlref @@ -0,0 +1,2 @@ +query: security/CWE-614/CookieWithoutSecure.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/go/ql/test/query-tests/Security/CWE-614/go.mod b/go/ql/test/query-tests/Security/CWE-614/go.mod new file mode 100644 index 000000000000..5ab32129a9b9 --- /dev/null +++ b/go/ql/test/query-tests/Security/CWE-614/go.mod @@ -0,0 +1,8 @@ +module example.com/m + +go 1.14 + +require ( + github.com/gin-gonic/gin v1.7.1 + github.com/gorilla/sessions v1.2.1 + ) diff --git a/go/ql/test/query-tests/Security/CWE-614/vendor/github.com/gin-gonic/gin/LICENSE b/go/ql/test/query-tests/Security/CWE-614/vendor/github.com/gin-gonic/gin/LICENSE new file mode 100644 index 000000000000..1ff7f3706055 --- /dev/null +++ b/go/ql/test/query-tests/Security/CWE-614/vendor/github.com/gin-gonic/gin/LICENSE @@ -0,0 +1,21 @@ +The MIT License (MIT) + +Copyright (c) 2014 Manuel Martínez-Almeida + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. diff --git a/go/ql/test/query-tests/Security/CWE-614/vendor/github.com/gin-gonic/gin/binding/stub.go b/go/ql/test/query-tests/Security/CWE-614/vendor/github.com/gin-gonic/gin/binding/stub.go new file mode 100644 index 000000000000..43fd634edcd3 --- /dev/null +++ b/go/ql/test/query-tests/Security/CWE-614/vendor/github.com/gin-gonic/gin/binding/stub.go @@ -0,0 +1,12 @@ +// Code generated by depstubber. DO NOT EDIT. +// This is a simple stub for github.com/gin-gonic/gin/binding, strictly for use in testing. + +// See the LICENSE file for information about the licensing of the original library. +// Source: github.com/gin-gonic/gin/binding (exports: ; functions: YAML) + +// Package binding is a stub of github.com/gin-gonic/gin/binding, generated by depstubber. +package binding + +import () + +var YAML interface{} = nil diff --git a/go/ql/test/query-tests/Security/CWE-614/vendor/github.com/gin-gonic/gin/stub.go b/go/ql/test/query-tests/Security/CWE-614/vendor/github.com/gin-gonic/gin/stub.go new file mode 100644 index 000000000000..e343d5f2aa08 --- /dev/null +++ b/go/ql/test/query-tests/Security/CWE-614/vendor/github.com/gin-gonic/gin/stub.go @@ -0,0 +1,677 @@ +// Code generated by depstubber. DO NOT EDIT. +// This is a simple stub for github.com/gin-gonic/gin, strictly for use in testing. + +// See the LICENSE file for information about the licensing of the original library. +// Source: github.com/gin-gonic/gin (exports: Context; functions: Default) + +// Package gin is a stub of github.com/gin-gonic/gin, generated by depstubber. +package gin + +import ( + bufio "bufio" + template "html/template" + io "io" + multipart "mime/multipart" + net "net" + http "net/http" + time "time" +) + +type Context struct { + Request *http.Request + Writer ResponseWriter + Params Params + Keys map[string]interface{} + Errors interface{} + Accepted []string +} + +func (_ *Context) Abort() {} + +func (_ *Context) AbortWithError(_ int, _ error) *Error { + return nil +} + +func (_ *Context) AbortWithStatus(_ int) {} + +func (_ *Context) AbortWithStatusJSON(_ int, _ interface{}) {} + +func (_ *Context) AsciiJSON(_ int, _ interface{}) {} + +func (_ *Context) Bind(_ interface{}) error { + return nil +} + +func (_ *Context) BindHeader(_ interface{}) error { + return nil +} + +func (_ *Context) BindJSON(_ interface{}) error { + return nil +} + +func (_ *Context) BindQuery(_ interface{}) error { + return nil +} + +func (_ *Context) BindUri(_ interface{}) error { + return nil +} + +func (_ *Context) BindWith(_ interface{}, _ interface{}) error { + return nil +} + +func (_ *Context) BindXML(_ interface{}) error { + return nil +} + +func (_ *Context) BindYAML(_ interface{}) error { + return nil +} + +func (_ *Context) ClientIP() string { + return "" +} + +func (_ *Context) ContentType() string { + return "" +} + +func (_ *Context) Cookie(_ string) (string, error) { + return "", nil +} + +func (_ *Context) Copy() *Context { + return nil +} + +func (_ *Context) Data(_ int, _ string, _ []byte) {} + +func (_ *Context) DataFromReader(_ int, _ int64, _ string, _ io.Reader, _ map[string]string) {} + +func (_ *Context) Deadline() (time.Time, bool) { + return time.Time{}, false +} + +func (_ *Context) DefaultPostForm(_ string, _ string) string { + return "" +} + +func (_ *Context) DefaultQuery(_ string, _ string) string { + return "" +} + +func (_ *Context) Done() <-chan struct{} { + return nil +} + +func (_ *Context) Err() error { + return nil +} + +func (_ *Context) Error(_ error) *Error { + return nil +} + +func (_ *Context) File(_ string) {} + +func (_ *Context) FileAttachment(_ string, _ string) {} + +func (_ *Context) FileFromFS(_ string, _ http.FileSystem) {} + +func (_ *Context) FormFile(_ string) (*multipart.FileHeader, error) { + return nil, nil +} + +func (_ *Context) FullPath() string { + return "" +} + +func (_ *Context) Get(_ string) (interface{}, bool) { + return nil, false +} + +func (_ *Context) GetBool(_ string) bool { + return false +} + +func (_ *Context) GetDuration(_ string) time.Duration { + return 0 +} + +func (_ *Context) GetFloat64(_ string) float64 { + return 0 +} + +func (_ *Context) GetHeader(_ string) string { + return "" +} + +func (_ *Context) GetInt(_ string) int { + return 0 +} + +func (_ *Context) GetInt64(_ string) int64 { + return 0 +} + +func (_ *Context) GetPostForm(_ string) (string, bool) { + return "", false +} + +func (_ *Context) GetPostFormArray(_ string) ([]string, bool) { + return nil, false +} + +func (_ *Context) GetPostFormMap(_ string) (map[string]string, bool) { + return nil, false +} + +func (_ *Context) GetQuery(_ string) (string, bool) { + return "", false +} + +func (_ *Context) GetQueryArray(_ string) ([]string, bool) { + return nil, false +} + +func (_ *Context) GetQueryMap(_ string) (map[string]string, bool) { + return nil, false +} + +func (_ *Context) GetRawData() ([]byte, error) { + return nil, nil +} + +func (_ *Context) GetString(_ string) string { + return "" +} + +func (_ *Context) GetStringMap(_ string) map[string]interface{} { + return nil +} + +func (_ *Context) GetStringMapString(_ string) map[string]string { + return nil +} + +func (_ *Context) GetStringMapStringSlice(_ string) map[string][]string { + return nil +} + +func (_ *Context) GetStringSlice(_ string) []string { + return nil +} + +func (_ *Context) GetTime(_ string) time.Time { + return time.Time{} +} + +func (_ *Context) GetUint(_ string) uint { + return 0 +} + +func (_ *Context) GetUint64(_ string) uint64 { + return 0 +} + +func (_ *Context) HTML(_ int, _ string, _ interface{}) {} + +func (_ *Context) Handler() HandlerFunc { + return nil +} + +func (_ *Context) HandlerName() string { + return "" +} + +func (_ *Context) HandlerNames() []string { + return nil +} + +func (_ *Context) Header(_ string, _ string) {} + +func (_ *Context) IndentedJSON(_ int, _ interface{}) {} + +func (_ *Context) IsAborted() bool { + return false +} + +func (_ *Context) IsWebsocket() bool { + return false +} + +func (_ *Context) JSON(_ int, _ interface{}) {} + +func (_ *Context) JSONP(_ int, _ interface{}) {} + +func (_ *Context) MultipartForm() (*multipart.Form, error) { + return nil, nil +} + +func (_ *Context) MustBindWith(_ interface{}, _ interface{}) error { + return nil +} + +func (_ *Context) MustGet(_ string) interface{} { + return nil +} + +func (_ *Context) Negotiate(_ int, _ Negotiate) {} + +func (_ *Context) NegotiateFormat(_ ...string) string { + return "" +} + +func (_ *Context) Next() {} + +func (_ *Context) Param(_ string) string { + return "" +} + +func (_ *Context) PostForm(_ string) string { + return "" +} + +func (_ *Context) PostFormArray(_ string) []string { + return nil +} + +func (_ *Context) PostFormMap(_ string) map[string]string { + return nil +} + +func (_ *Context) ProtoBuf(_ int, _ interface{}) {} + +func (_ *Context) PureJSON(_ int, _ interface{}) {} + +func (_ *Context) Query(_ string) string { + return "" +} + +func (_ *Context) QueryArray(_ string) []string { + return nil +} + +func (_ *Context) QueryMap(_ string) map[string]string { + return nil +} + +func (_ *Context) Redirect(_ int, _ string) {} + +func (_ *Context) RemoteIP() (net.IP, bool) { + return nil, false +} + +func (_ *Context) Render(_ int, _ interface{}) {} + +func (_ *Context) SSEvent(_ string, _ interface{}) {} + +func (_ *Context) SaveUploadedFile(_ *multipart.FileHeader, _ string) error { + return nil +} + +func (_ *Context) SecureJSON(_ int, _ interface{}) {} + +func (_ *Context) Set(_ string, _ interface{}) {} + +func (_ *Context) SetAccepted(_ ...string) {} + +func (_ *Context) SetCookie(_ string, _ string, _ int, _ string, _ string, _ bool, _ bool) {} + +func (_ *Context) SetSameSite(_ http.SameSite) {} + +func (_ *Context) ShouldBind(_ interface{}) error { + return nil +} + +func (_ *Context) ShouldBindBodyWith(_ interface{}, _ interface{}) error { + return nil +} + +func (_ *Context) ShouldBindHeader(_ interface{}) error { + return nil +} + +func (_ *Context) ShouldBindJSON(_ interface{}) error { + return nil +} + +func (_ *Context) ShouldBindQuery(_ interface{}) error { + return nil +} + +func (_ *Context) ShouldBindUri(_ interface{}) error { + return nil +} + +func (_ *Context) ShouldBindWith(_ interface{}, _ interface{}) error { + return nil +} + +func (_ *Context) ShouldBindXML(_ interface{}) error { + return nil +} + +func (_ *Context) ShouldBindYAML(_ interface{}) error { + return nil +} + +func (_ *Context) Status(_ int) {} + +func (_ *Context) Stream(_ func(io.Writer) bool) bool { + return false +} + +func (_ *Context) String(_ int, _ string, _ ...interface{}) {} + +func (_ *Context) Value(_ interface{}) interface{} { + return nil +} + +func (_ *Context) XML(_ int, _ interface{}) {} + +func (_ *Context) YAML(_ int, _ interface{}) {} + +func Default() *Engine { + return nil +} + +type Engine struct { + RouterGroup RouterGroup + RedirectTrailingSlash bool + RedirectFixedPath bool + HandleMethodNotAllowed bool + ForwardedByClientIP bool + RemoteIPHeaders []string + TrustedProxies []string + AppEngine bool + UseRawPath bool + UnescapePathValues bool + MaxMultipartMemory int64 + RemoveExtraSlash bool + HTMLRender interface{} + FuncMap template.FuncMap +} + +func (_ *Engine) Any(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *Engine) BasePath() string { + return "" +} + +func (_ *Engine) DELETE(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *Engine) Delims(_ string, _ string) *Engine { + return nil +} + +func (_ *Engine) GET(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *Engine) Group(_ string, _ ...HandlerFunc) *RouterGroup { + return nil +} + +func (_ *Engine) HEAD(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *Engine) Handle(_ string, _ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *Engine) HandleContext(_ *Context) {} + +func (_ *Engine) LoadHTMLFiles(_ ...string) {} + +func (_ *Engine) LoadHTMLGlob(_ string) {} + +func (_ *Engine) NoMethod(_ ...HandlerFunc) {} + +func (_ *Engine) NoRoute(_ ...HandlerFunc) {} + +func (_ *Engine) OPTIONS(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *Engine) PATCH(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *Engine) POST(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *Engine) PUT(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *Engine) Routes() RoutesInfo { + return nil +} + +func (_ *Engine) Run(_ ...string) error { + return nil +} + +func (_ *Engine) RunFd(_ int) error { + return nil +} + +func (_ *Engine) RunListener(_ net.Listener) error { + return nil +} + +func (_ *Engine) RunTLS(_ string, _ string, _ string) error { + return nil +} + +func (_ *Engine) RunUnix(_ string) error { + return nil +} + +func (_ *Engine) SecureJsonPrefix(_ string) *Engine { + return nil +} + +func (_ *Engine) ServeHTTP(_ http.ResponseWriter, _ *http.Request) {} + +func (_ *Engine) SetFuncMap(_ template.FuncMap) {} + +func (_ *Engine) SetHTMLTemplate(_ *template.Template) {} + +func (_ *Engine) Static(_ string, _ string) IRoutes { + return nil +} + +func (_ *Engine) StaticFS(_ string, _ http.FileSystem) IRoutes { + return nil +} + +func (_ *Engine) StaticFile(_ string, _ string) IRoutes { + return nil +} + +func (_ *Engine) Use(_ ...HandlerFunc) IRoutes { + return nil +} + +type Error struct { + Err error + Type ErrorType + Meta interface{} +} + +func (_ Error) Error() string { + return "" +} + +func (_ *Error) IsType(_ ErrorType) bool { + return false +} + +func (_ *Error) JSON() interface{} { + return nil +} + +func (_ *Error) MarshalJSON() ([]byte, error) { + return nil, nil +} + +func (_ *Error) SetMeta(_ interface{}) *Error { + return nil +} + +func (_ *Error) SetType(_ ErrorType) *Error { + return nil +} + +func (_ *Error) Unwrap() error { + return nil +} + +type ErrorType uint64 + +type HandlerFunc func(*Context) + +type HandlersChain []HandlerFunc + +func (_ HandlersChain) Last() HandlerFunc { + return nil +} + +type IRoutes interface { + Any(_ string, _ ...HandlerFunc) IRoutes + DELETE(_ string, _ ...HandlerFunc) IRoutes + GET(_ string, _ ...HandlerFunc) IRoutes + HEAD(_ string, _ ...HandlerFunc) IRoutes + Handle(_ string, _ string, _ ...HandlerFunc) IRoutes + OPTIONS(_ string, _ ...HandlerFunc) IRoutes + PATCH(_ string, _ ...HandlerFunc) IRoutes + POST(_ string, _ ...HandlerFunc) IRoutes + PUT(_ string, _ ...HandlerFunc) IRoutes + Static(_ string, _ string) IRoutes + StaticFS(_ string, _ http.FileSystem) IRoutes + StaticFile(_ string, _ string) IRoutes + Use(_ ...HandlerFunc) IRoutes +} + +type Negotiate struct { + Offered []string + HTMLName string + HTMLData interface{} + JSONData interface{} + XMLData interface{} + YAMLData interface{} + Data interface{} +} + +type Param struct { + Key string + Value string +} + +type Params []Param + +func (_ Params) ByName(_ string) string { + return "" +} + +func (_ Params) Get(_ string) (string, bool) { + return "", false +} + +type ResponseWriter interface { + CloseNotify() <-chan bool + Flush() + Header() http.Header + Hijack() (net.Conn, *bufio.ReadWriter, error) + Pusher() http.Pusher + Size() int + Status() int + Write(_ []byte) (int, error) + WriteHeader(_ int) + WriteHeaderNow() + WriteString(_ string) (int, error) + Written() bool +} + +type RouteInfo struct { + Method string + Path string + Handler string + HandlerFunc HandlerFunc +} + +type RouterGroup struct { + Handlers HandlersChain +} + +func (_ *RouterGroup) Any(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *RouterGroup) BasePath() string { + return "" +} + +func (_ *RouterGroup) DELETE(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *RouterGroup) GET(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *RouterGroup) Group(_ string, _ ...HandlerFunc) *RouterGroup { + return nil +} + +func (_ *RouterGroup) HEAD(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *RouterGroup) Handle(_ string, _ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *RouterGroup) OPTIONS(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *RouterGroup) PATCH(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *RouterGroup) POST(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *RouterGroup) PUT(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *RouterGroup) Static(_ string, _ string) IRoutes { + return nil +} + +func (_ *RouterGroup) StaticFS(_ string, _ http.FileSystem) IRoutes { + return nil +} + +func (_ *RouterGroup) StaticFile(_ string, _ string) IRoutes { + return nil +} + +func (_ *RouterGroup) Use(_ ...HandlerFunc) IRoutes { + return nil +} + +type RoutesInfo []RouteInfo diff --git a/go/ql/test/query-tests/Security/CWE-614/vendor/github.com/gorilla/sessions/stub.go b/go/ql/test/query-tests/Security/CWE-614/vendor/github.com/gorilla/sessions/stub.go new file mode 100644 index 000000000000..2ebc3858163f --- /dev/null +++ b/go/ql/test/query-tests/Security/CWE-614/vendor/github.com/gorilla/sessions/stub.go @@ -0,0 +1,75 @@ +// Code generated by depstubber. DO NOT EDIT. +// This is a simple stub for github.com/gorilla/sessions, strictly for use in testing. + +// See the LICENSE file for information about the licensing of the original library. +// Source: github.com/gorilla/sessions (exports: CookieStore; functions: NewCookieStore) + +// Package sessions is a stub of github.com/gorilla/sessions, generated by depstubber. +package sessions + +import ( + http "net/http" +) + +type CookieStore struct { + Codecs []interface{} + Options *Options +} + +func (_ *CookieStore) Get(_ *http.Request, _ string) (*Session, error) { + return nil, nil +} + +func (_ *CookieStore) MaxAge(_ int) {} + +func (_ *CookieStore) New(_ *http.Request, _ string) (*Session, error) { + return nil, nil +} + +func (_ *CookieStore) Save(_ *http.Request, _ http.ResponseWriter, _ *Session) error { + return nil +} + +func NewCookieStore(_ ...[]byte) *CookieStore { + return nil +} + +type Options struct { + Path string + Domain string + MaxAge int + Secure bool + HttpOnly bool + SameSite http.SameSite +} + +type Session struct { + ID string + Values map[interface{}]interface{} + Options *Options + IsNew bool +} + +func (_ *Session) AddFlash(_ interface{}, _ ...string) {} + +func (_ *Session) Flashes(_ ...string) []interface{} { + return nil +} + +func (_ *Session) Name() string { + return "" +} + +func (_ *Session) Save(_ *http.Request, _ http.ResponseWriter) error { + return nil +} + +func (_ *Session) Store() Store { + return nil +} + +type Store interface { + Get(_ *http.Request, _ string) (*Session, error) + New(_ *http.Request, _ string) (*Session, error) + Save(_ *http.Request, _ http.ResponseWriter, _ *Session) error +} diff --git a/go/ql/test/query-tests/Security/CWE-614/vendor/modules.txt b/go/ql/test/query-tests/Security/CWE-614/vendor/modules.txt new file mode 100644 index 000000000000..f38695b1ffcb --- /dev/null +++ b/go/ql/test/query-tests/Security/CWE-614/vendor/modules.txt @@ -0,0 +1,6 @@ +# github.com/gin-gonic/gin v1.7.1 +## explicit +github.com/gin-gonic/gin +# github.com/gorilla/sessions v1.2.1 +## explicit +github.com/gorilla/sessions