CWE-117 False positive #635
Comments
Thanks for the report; I agree this looks weird. If this is happening on a public repository, can you share a link to the repo and the analysis result?
Hi @hmakholm, I have been trying some things in the meantime but I have now reset to the commit I submitted this false positive under.
I have also been seeing this, but in a private repository. In my case it appears that the lines I have fixed are being added as a "fixed" item, but an equivalent item is being created.
Thanks for the heads-up; fixed in #637
Can we handle the case below?
here: https://github.com/llhuii/sedna/security/code-scanning/10?query=ref%3Arefs%2Fheads%2Fmain
looks like it's actually
So yes, that ought to be noticed by the sanitizer written in the PR above. If it was a sanitizer guard as you've written it in your comment, we'd need to do a bit more.
Fix committed; will be reflected on code scanning at the next distribution upgrade, which will likely go live mid-January |
I would prefer this sanitizer guard over reassignment. Reassignment would be weird since it has already been checked.
So replacing and then comparing is a weird sanitizer guard, since you've done the work and may as well just use the replaced string. I'd be happy to make read-only string-searching operations sanitizer guards though.
We continue to see false-positive alerts for CWE-117
CodeQL has caught several instances where we may be susceptible to [log forgery][cql]. This change ensures that we strip newlines from log messages that include potentially user-supplied strings. Several redundant error logs are removed--we should generally not log an error when returning an error. Errors should be logged where they are handled. This change also properly escapes URL paths when constructing them from protobuf messages. Note that CodeQL continued to mark some of these uses as issues, but we've marked them as false-positive. See github/codeql-go#635 and github/codeql-go#650. [cql]: https://codeql.github.com/codeql-query-help/go/go-log-injection/ Signed-off-by: Oliver Gould <ver@buoyant.io>
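To make the distinction drawn in the sanitizer-guard discussion above concrete, and to show the "strip newlines from log messages" approach the commit message describes, here is an added Go example (not code from this issue, from codeql-go, or from the linked project) contrasting a replace-and-reassign sanitizer with a read-only `ContainsAny` guard. The input value and the function names are constructed for illustration.

```go
package main

import (
	"log"
	"os"
	"strings"
)

// Constructed sample input: a user-supplied name carrying CR/LF that, logged verbatim,
// would start a fake second log line (the CWE-117 / log forgery case).
const forgedInput = "alice\r\n2021-12-13 18:14:19 login ok user=admin"
// logEscaper rewrites line breaks as visible escapes so a value always stays on one line.
var logEscaper = strings.NewReplacer("\r", "\\r", "\n", "\\n")

// sanitizeForLog is the replace-and-reassign pattern: the replaced string is what gets
// logged, so there is no reason to compare it against the original and log that instead.
func sanitizeForLog(s string) string {
	return logEscaper.Replace(s)
}

// isSafeForLog is a read-only guard: no rewriting, only a decision the caller must branch on.
func isSafeForLog(s string) bool {
	return !strings.ContainsAny(s, "\r\n")
}

// LogUser logs a user-supplied name via the sanitizer and returns the written line.
func LogUser(logger *log.Logger, user string) string {
	line := "login attempt user=" + sanitizeForLog(user)
	logger.Println(line)
	return line
}

// LogUserGuarded logs only values that pass the guard; it returns the written line and
// whether the value was accepted, so rejected input never reaches the log unescaped.
func LogUserGuarded(logger *log.Logger, user string) (string, bool) {
	if !isSafeForLog(user) {
		logger.Println("login attempt user=<rejected: contains line break>")
		return "", false
	}
	line := "login attempt user=" + user
	logger.Println(line)
	return line, true
}

func main() {
	logger := log.New(os.Stdout, "", 0)
	LogUser(logger, forgedInput)        // one line, CR/LF shown as \r\n
	LogUserGuarded(logger, forgedInput) // rejected by the guard
}
```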
@olix0r When I look at the code scanning results for that PR it's saying that 7 alerts were fixed, including the one from your screenshot. I'm not sure if things got sorted out after a delay or if the place where you took the screenshot just didn't make it very clear that it was showing a fixed alert.
@owen-mc Thanks, it's possible I was confused by the UI--I thought that was indicating that some issues were fixed and others were still active. As I recall, the workflow did not succeed until all of those issues were acknowledged. In any case, we're no longer impacted by this :)
CWE-117: Improper Output Neutralization for Logs
CWE-117 is being reported by CodeQL in the following code:
Despite this code being nearly identical to the provided "good" example here.
Here is a screenshot of the output logs for further clarification.
![Screenshot from 2021-12-13 18-14-19](https://user-images.githubusercontent.com/22576024/145868317-1380a543-ed47-46e6-ad6d-bf91bd4dbb16.png)
It appears that CodeQL completely ignores the above two functions performing the string replacement.