Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add missing string replacement sanitizers to log-injection and string-break #11910

Merged
merged 6 commits into from Jan 19, 2023
Merged

Add missing string replacement sanitizers to log-injection and string-break #11910

merged 6 commits into from Jan 19, 2023

Conversation

owen-mc
Copy link
Contributor

@owen-mc owen-mc commented Jan 17, 2023

Add strings.Replacer.Replace and strings.Replacer.WriteString as sanitizers for log-injection and string-break.

This is a resurrection of github/codeql-go#731.

@owen-mc owen-mc requested a review from a team as a code owner January 17, 2023 14:24
@owen-mc owen-mc mentioned this pull request Jan 17, 2023
Closed
@owen-mc owen-mc force-pushed the go/log-injection-sanitizer-newreplacer-replace branch from 6282385 to 9d2d4f4 Compare January 17, 2023 15:43
@owen-mc
Copy link
Contributor Author

owen-mc commented Jan 17, 2023

Performance evaluation showed no changes

mbg
mbg previously approved these changes Jan 17, 2023
View reviewed changes
Copy link
Member

@mbg mbg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me aside from the one question I added, but might also be good for @smowton to sanity check in case I have missed something.

go/ql/lib/semmle/go/security/LogInjectionCustomizations.qll Outdated
Comment on lines 65 to 93
class StringsNewReplacerCall extends DataFlow::CallNode {
StringsNewReplacerCall() { this.getTarget().hasQualifiedName("strings", "NewReplacer") }

/**
* Gets an argument to this call corresponding to a string that will be
* replaced.
*/
DataFlow::Node getAReplacedArgument() {
exists(int n | n % 2 = 0 and result = this.getArgument(n))
}
}

/**
* A configuration for tracking flow from a call to `strings.NewReplacer` to
* the receiver of a call to `strings.Replacer.Replace` or
* `strings.Replacer.WriteString`.
*/
class StringsNewReplacerConfiguration extends DataFlow2::Configuration {
StringsNewReplacerConfiguration() { this = "StringsNewReplacerConfiguration" }

override predicate isSource(DataFlow::Node source) { source instanceof StringsNewReplacerCall }

override predicate isSink(DataFlow::Node sink) {
exists(DataFlow::MethodCallNode call |
sink = call.getReceiver() and
call.getTarget().hasQualifiedName("strings", "Replacer", ["Replace", "WriteString"])
)
}
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This part seems to be identical between LogInjectionCustomizations and StringBreakCustomizations. Would it make sense / be possible to de-duplicate this in a shared location?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good idea. It feels like something that should be usable in many different places. I've moved it to StringOps.qll, which should hopefully make that simple. I've started a performance evaluation as this is a fairly major change.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The performance analysis was neutral.

smowton
smowton previously approved these changes Jan 17, 2023
View reviewed changes
Copy link
Contributor

@smowton smowton left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good -- no comments on top of @mbg's query

@owen-mc owen-mc dismissed stale reviews from smowton and mbg via 3fda9f6 January 18, 2023 15:42
@owen-mc owen-mc force-pushed the go/log-injection-sanitizer-newreplacer-replace branch from 9d2d4f4 to 3fda9f6 Compare January 18, 2023 15:42
@owen-mc
Copy link
Contributor Author

owen-mc commented Jan 19, 2023

I've updated this to use its own copy of the dataflow library. The failing QLDoc test is because of an undocumented predicate in the dataflow library, which obviously I'm not going to fix in this PR, so I believe it should be ignored.

smowton
smowton approved these changes Jan 19, 2023
View reviewed changes
Copy link
Contributor

@smowton smowton left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Made an import of an internal library private; otherwise LGTM

@mbg mbg merged commit 14cc27e into github:main Jan 19, 2023
@owen-mc owen-mc deleted the go/log-injection-sanitizer-newreplacer-replace branch January 19, 2023 14:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@smowton smowton smowton approved these changes

@mbg mbg mbg left review comments

Assignees
No one assigned
Labels
documentation Go
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@owen-mc @mbg @smowton