diff --git a/javascript/ql/test/query-tests/Security/CWE-611/libxml.noent.js b/javascript/ql/test/query-tests/Security/CWE-611/libxml.noent.js index 40cb0148b573..4596dc7be398 100644 --- a/javascript/ql/test/query-tests/Security/CWE-611/libxml.noent.js +++ b/javascript/ql/test/query-tests/Security/CWE-611/libxml.noent.js @@ -13,7 +13,7 @@ express().post('/some/path', function (req, res) { // NOT OK: unguarded entity expansion libxmljs.parseXmlString(req.param("some-xml"), { noent: true }) // $ Alert // NOT OK: unguarded entity expansion - libxmljs.parseXmlString(req.files.products.data.toString('utf8'), { noent: true })// $ Source=files $ Alert=files + libxmljs.parseXmlString(req.files.products.data.toString('utf8'), { noent: true })// $ Alert // OK - no entity expansion libxmljs.parseXmlString(req.files.products.data.toString('utf8'), { noent: false }) diff --git a/rust/ql/test/query-tests/security/CWE-312/test_logging.rs b/rust/ql/test/query-tests/security/CWE-312/test_logging.rs index ab8013689906..970a9caf0ee5 100644 --- a/rust/ql/test/query-tests/security/CWE-312/test_logging.rs +++ b/rust/ql/test/query-tests/security/CWE-312/test_logging.rs 
@@ -39,51 +39,51 @@ impl std::fmt::Display for MyStruct2 { fn test_log(harmless: String, password: String, encrypted_password: String) { // logging macros - debug!("message = {}", password); // $ Source Alert[rust/cleartext-logging] - error!("message = {}", password); // $ Source Alert[rust/cleartext-logging] - info!("message = {}", password); // $ Source Alert[rust/cleartext-logging] - trace!("message = {}", password); // $ Source Alert[rust/cleartext-logging] - warn!("message = {}", password); // $ Source Alert[rust/cleartext-logging] - log!(Level::Error, "message = {}", password); // $ Source Alert[rust/cleartext-logging] + debug!("message = {}", password); // $ Alert[rust/cleartext-logging] + error!("message = {}", password); // $ Alert[rust/cleartext-logging] + info!("message = {}", password); // $ Alert[rust/cleartext-logging] + trace!("message = {}", password); // $ Alert[rust/cleartext-logging] + warn!("message = {}", password); // $ Alert[rust/cleartext-logging] + log!(Level::Error, "message = {}", password); // $ Alert[rust/cleartext-logging] // debug! 
macro, various formatting debug!("message"); debug!("message = {}", harmless); - debug!("message = {}", password); // $ Source Alert[rust/cleartext-logging] + debug!("message = {}", password); // $ Alert[rust/cleartext-logging] debug!("message = {}", encrypted_password); - debug!("message = {} {}", harmless, password); // $ Source Alert[rust/cleartext-logging] + debug!("message = {} {}", harmless, password); // $ Alert[rust/cleartext-logging] debug!("message = {harmless}"); - debug!("message = {harmless} {}", password); // $ Source Alert[rust/cleartext-logging] - debug!("message = {password}"); // $ Source Alert[rust/cleartext-logging] - debug!("message = {password:?}"); // $ Source Alert[rust/cleartext-logging] + debug!("message = {harmless} {}", password); // $ Alert[rust/cleartext-logging] + debug!("message = {password}"); // $ Alert[rust/cleartext-logging] + debug!("message = {password:?}"); // $ Alert[rust/cleartext-logging] debug!(target: "target", "message = {}", harmless); - debug!(target: "target", "message = {}", password); // $ Source Alert[rust/cleartext-logging] - debug!(target: &password, "message = {}", harmless); // $ Source Alert[rust/cleartext-logging] + debug!(target: "target", "message = {}", password); // $ Alert[rust/cleartext-logging] + debug!(target: &password, "message = {}", harmless); // $ Alert[rust/cleartext-logging] // log! 
macro, various formatting log!(Level::Error, "message = {}", harmless); - log!(Level::Error, "message = {}", password); // $ Source Alert[rust/cleartext-logging] + log!(Level::Error, "message = {}", password); // $ Alert[rust/cleartext-logging] log!(target: "target", Level::Error, "message = {}", harmless); - log!(target: "target", Level::Error, "message = {}", password); // $ Source Alert[rust/cleartext-logging] - log!(target: &password, Level::Error, "message = {}", harmless); // $ Source Alert[rust/cleartext-logging] + log!(target: "target", Level::Error, "message = {}", password); // $ Alert[rust/cleartext-logging] + log!(target: &password, Level::Error, "message = {}", harmless); // $ Alert[rust/cleartext-logging] // structured logging error!(value = 1; "message = {}", harmless); - error!(value = 1; "message = {}", password); // $ Source Alert[rust/cleartext-logging] + error!(value = 1; "message = {}", password); // $ Alert[rust/cleartext-logging] error!(target: "target", value = 1; "message"); - error!(target: "target", value = 1; "message = {}", password); // $ Source Alert[rust/cleartext-logging] - error!(target: &password, value = 1; "message"); // $ Source Alert[rust/cleartext-logging] - error!(value = 1; "message = {}", password); // $ Source Alert[rust/cleartext-logging] + error!(target: "target", value = 1; "message = {}", password); // $ Alert[rust/cleartext-logging] + error!(target: &password, value = 1; "message"); // $ Alert[rust/cleartext-logging] + error!(value = 1; "message = {}", password); // $ Alert[rust/cleartext-logging] error!(value = password.as_str(); "message"); // $ MISSING: Alert[rust/cleartext-logging] error!(value:? 
= password.as_str(); "message"); // $ MISSING: Alert[rust/cleartext-logging] let value1 = 1; error!(value1; "message = {}", harmless); - error!(value1; "message = {}", password); // $ Source Alert[rust/cleartext-logging] + error!(value1; "message = {}", password); // $ Alert[rust/cleartext-logging] error!(target: "target", value1; "message"); - error!(target: "target", value1; "message = {}", password); // $ Source Alert[rust/cleartext-logging] - error!(target: &password, value1; "message"); // $ Source Alert[rust/cleartext-logging] - error!(value1; "message = {}", password); // $ Source Alert[rust/cleartext-logging] + error!(target: "target", value1; "message = {}", password); // $ Alert[rust/cleartext-logging] + error!(target: &password, value1; "message"); // $ Alert[rust/cleartext-logging] + error!(value1; "message = {}", password); // $ Alert[rust/cleartext-logging] let value2 = password.as_str(); error!(value2; "message"); // $ MISSING: Alert[rust/cleartext-logging] @@ -115,7 +115,7 @@ fn test_log(harmless: String, password: String, encrypted_password: String) { } // logging with a call - trace!("message = {}", get_password()); // $ Source Alert[rust/cleartext-logging] + trace!("message = {}", get_password()); // $ Alert[rust/cleartext-logging] let str1 = "123456".to_string(); trace!("message = {}", &str1); // $ MISSING: Alert[rust/cleartext-logging] 
@@ -149,36 +149,36 @@ fn test_log(harmless: String, password: String, encrypted_password: String) { } fn test_std(password: String, i: i32, opt_i: Option) { - print!("message = {}\n", password); // $ Source Alert[rust/cleartext-logging] - println!("message = {}", password); // $ Source Alert[rust/cleartext-logging] - eprint!("message = {}\n", password); // $ Source Alert[rust/cleartext-logging] - eprintln!("message = {}", password); // $ Source Alert[rust/cleartext-logging] + print!("message = {}\n", password); // $ Alert[rust/cleartext-logging] + println!("message = {}", password); // $ Alert[rust/cleartext-logging] + eprint!("message = {}\n", password); // $ Alert[rust/cleartext-logging] + eprintln!("message = {}", password); // $ Alert[rust/cleartext-logging] match i { - 1 => { panic!("message = {}", password); } // $ Source Alert[rust/cleartext-logging] - 2 => { todo!("message = {}", password); } // $ Source Alert[rust/cleartext-logging] - 3 => { unimplemented!("message = {}", password); } // $ Source Alert[rust/cleartext-logging] - 4 => { unreachable!("message = {}", password); } // $ Source Alert[rust/cleartext-logging] - 5 => { assert!(false, "message = {}", password); } // $ Source Alert[rust/cleartext-logging] - 6 => { assert_eq!(1, 2, "message = {}", password); } // $ Source Alert[rust/cleartext-logging] - 7 => { assert_ne!(1, 1, "message = {}", password); } // $ Source Alert[rust/cleartext-logging] - 8 => { debug_assert!(false, "message = {}", password); } // $ Source Alert[rust/cleartext-logging] - 9 => { debug_assert_eq!(1, 2, "message = {}", password); } // $ Source Alert[rust/cleartext-logging] - 10 => { debug_assert_ne!(1, 1, "message = {}", password); } // $ Source Alert[rust/cleartext-logging] - 11 => { _ = opt_i.expect(format!("message = {}", password).as_str()); } // $ Source Alert[rust/cleartext-logging] + 1 => { panic!("message = {}", password); } // $ Alert[rust/cleartext-logging] + 2 => { todo!("message = {}", password); } // $ 
Alert[rust/cleartext-logging] + 3 => { unimplemented!("message = {}", password); } // $ Alert[rust/cleartext-logging] + 4 => { unreachable!("message = {}", password); } // $ Alert[rust/cleartext-logging] + 5 => { assert!(false, "message = {}", password); } // $ Alert[rust/cleartext-logging] + 6 => { assert_eq!(1, 2, "message = {}", password); } // $ Alert[rust/cleartext-logging] + 7 => { assert_ne!(1, 1, "message = {}", password); } // $ Alert[rust/cleartext-logging] + 8 => { debug_assert!(false, "message = {}", password); } // $ Alert[rust/cleartext-logging] + 9 => { debug_assert_eq!(1, 2, "message = {}", password); } // $ Alert[rust/cleartext-logging] + 10 => { debug_assert_ne!(1, 1, "message = {}", password); } // $ Alert[rust/cleartext-logging] + 11 => { _ = opt_i.expect(format!("message = {}", password).as_str()); } // $ Alert[rust/cleartext-logging] _ => {} } std::io::stdout().lock().write_fmt(format_args!("message = {}\n", password)); // $ MISSING: Alert[rust/cleartext-logging] std::io::stderr().lock().write_fmt(format_args!("message = {}\n", password)); // $ MISSING: Alert[rust/cleartext-logging] - std::io::stdout().lock().write(format!("message = {}\n", password).as_bytes()); // $ Source Alert[rust/cleartext-logging] - std::io::stdout().lock().write_all(format!("message = {}\n", password).as_bytes()); // $ Source Alert[rust/cleartext-logging] + std::io::stdout().lock().write(format!("message = {}\n", password).as_bytes()); // $ Alert[rust/cleartext-logging] + std::io::stdout().lock().write_all(format!("message = {}\n", password).as_bytes()); // $ Alert[rust/cleartext-logging] let mut out = std::io::stdout().lock(); - out.write(format!("message = {}\n", password).as_bytes()); // $ Source Alert[rust/cleartext-logging] + out.write(format!("message = {}\n", password).as_bytes()); // $ Alert[rust/cleartext-logging] let mut err = std::io::stderr().lock(); - err.write(format!("message = {}\n", password).as_bytes()); // $ Source Alert[rust/cleartext-logging] + 
err.write(format!("message = {}\n", password).as_bytes()); // $ Alert[rust/cleartext-logging] } fn main() { diff --git a/shared/util/codeql/util/test/InlineExpectationsTest.qll b/shared/util/codeql/util/test/InlineExpectationsTest.qll index 8dde42b51678..a3143c4848e4 100644 --- a/shared/util/codeql/util/test/InlineExpectationsTest.qll +++ b/shared/util/codeql/util/test/InlineExpectationsTest.qll @@ -645,6 +645,21 @@ module TestPostProcessing { private import InlineExpectationsTest as InlineExpectationsTest private import InlineExpectationsTest::Make + /** Holds if the given locations refer to the same lines, but possibly with different column numbers. */ + bindingset[loc1, loc2] + pragma[inline_late] + private predicate sameLineInfo(Input::Location loc1, Input::Location loc2) { + exists(string file, int line1, int line2 | + loc1.hasLocationInfo(file, line1, _, line2, _) and + loc2.hasLocationInfo(file, line1, _, line2, _) + ) + } + + pragma[nomagic] + private predicate mainQueryResult(int row, int column, Input::Location loc) { + queryResults(mainResultSet(), row, column, Input2::getRelativeUrl(loc)) + } + /** * Gets the tag to be used for the path-problem source at result row `row`. * @@ -653,8 +668,10 @@ module TestPostProcessing { */ private string getSourceTag(int row) { getQueryKind() = "path-problem" and - exists(string loc | queryResults(mainResultSet(), row, 2, loc) | - if queryResults(mainResultSet(), row, 0, loc) then result = "Alert" else result = "Source" + exists(Input::Location sourceLoc, Input::Location selectLoc | + mainQueryResult(row, 0, selectLoc) and + mainQueryResult(row, 2, sourceLoc) and + if sameLineInfo(selectLoc, sourceLoc) then result = "Alert" else result = "Source" ) } 
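Review bot: The doc comment on `sameLineInfo` understates what it checks: the body requires the file, the start line and the end line of both locations to agree, so a source nested inside a multi-line select element (starting on the same line but ending earlier) is not "the same line" and will still need a separate `Source` expectation. Since this predicate now decides when `Source` is folded into `Alert`, I would state that explicitly, e.g. `/** Holds if `loc1` and `loc2` are in the same file and share both start line and end line; column numbers are ignored. */`. `mainQueryResult` has no doc comment at all; suggest `/** Holds if column `column` of row `row` of the main result set holds the relative URL of `loc`. */`. Whether the end line should participate, or only the start line (presumably where the expectation comment is anchored), is worth confirming before this lands.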
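Review bot: `getSourceTag` now has no result at all when column 0 of the row cannot be resolved to an `Input::Location`, because `mainQueryResult(row, 0, selectLoc)` is a required conjunct inside the `exists`; the old code fell through to `"Source"` whenever the select URL did not match. With no tag, `hasPathProblemSource` (next hunk) yields nothing for that row, so the source is silently dropped from the actual results rather than flagged, and a test with a missing `Source` expectation would pass instead of fail. If a select element can ever carry a URL with no matching location (an empty or synthetic location, say), that is a quiet hole in the harness. Moving the select lookup into the condition preserves the old fallback: `exists(Input::Location sourceLoc | mainQueryResult(row, 2, sourceLoc) |` / `if exists(Input::Location selectLoc | mainQueryResult(row, 0, selectLoc) and sameLineInfo(selectLoc, sourceLoc))` / `then result = "Alert" else result = "Source")`.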
@@ -719,13 +736,10 @@ module TestPostProcessing { int row, Input::Location location, string element, string tag, string value ) { getQueryKind() = "path-problem" and - exists(string loc | - queryResults(mainResultSet(), row, 2, loc) and - queryResults(mainResultSet(), row, 3, element) and - tag = getSourceTag(row) and - value = "" and - Input2::getRelativeUrl(location) = loc - ) + mainQueryResult(row, 2, location) and + queryResults(mainResultSet(), row, 3, element) and + tag = getSourceTag(row) and + value = "" } predicate hasActualResult(Input::Location location, string element, string tag, string value) { @@ -759,24 +773,18 @@ module TestPostProcessing { int row, Input::Location location, string element, string tag ) { getQueryKind() = "path-problem" and - exists(string loc | - queryResults(mainResultSet(), row, 4, loc) and - queryResults(mainResultSet(), row, 5, element) and - tag = getSinkTag(row) and - Input2::getRelativeUrl(location) = loc - ) + mainQueryResult(row, 4, location) and + queryResults(mainResultSet(), row, 5, element) and + tag = getSinkTag(row) } private predicate hasAlert(int row, Input::Location location, string element, string tag) { getQueryKind() = ["problem", "path-problem"] and - exists(string loc | - queryResults(mainResultSet(), row, 0, loc) and - queryResults(mainResultSet(), row, 2, element) and - tag = "Alert" and - Input2::getRelativeUrl(location) = loc and - not hasPathProblemSource(row, location, _, _, _) and - not hasPathProblemSink(row, location, _, _) - ) + mainQueryResult(row, 0, location) and + queryResults(mainResultSet(), row, 2, element) and + tag = "Alert" and + not hasPathProblemSource(row, location, _, _, _) and + not hasPathProblemSink(row, location, _, _) } /**
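Review bot: `hasAlert` still suppresses the select-location `Alert` only when that location is exactly the source or sink location (`not hasPathProblemSource(row, location, _, _, _)` and the sink counterpart), whereas `getSourceTag` in this same change decides `Alert` versus `Source` by line. The two notions presumably differ on purpose — two `Alert` results on one line with the same value appear to satisfy a single expectation — but nothing in the predicate says so, and a later reader will reasonably suspect a mismatch. I would add a comment above the two `not` conjuncts along the lines of `// Exact-location match is intentional: a source/sink that merely shares the line is tagged Alert by getSourceTag (and, I assume, getSinkTag) and satisfies the same expectation.`, after confirming that merging behaviour against the expectation matcher, since `getSinkTag` is not visible here.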