
Commit 46f2c5d

wip zap tests
1 parent 9ad152f commit 46f2c5d


77 files changed

+10282
-4
lines changed

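--- a/go/ql/src/experimental/CWE-117/LogSanitizer.qll
+++ b/go/ql/lib/semmle/go/security/LogInjectionCustomizations/ZapEncoderSanitizer.qll
@@ -1,8 +1,6 @@
 /**
-* LogSanitizer.qll
-*
-* Predicates to identify sanitizer functions and zap encoder-like types.
-* Template: adjust whitelist entries as needed.
+* Provides a taint tracking configuration for zap encoders that are known to remove or escape
+* newline characters, thus mitigating log injection (CWE-117).
 */
 
 import go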

go/ql/test/experimental/CWE-117-ZapEncoder/LogInjection.expected

Whitespace-only changes.
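--- /dev/null
+++ b/[PLACEHOLDER: Go test source file, path not shown on page]
@@ -0,0 +1,35 @@
+package main
+
+import (
+"go.uber.org/zap"
+"go.uber.org/zap/zapcore"
+"os"
+)
+
+func LogWithSafeZapEncoder() {
+unsafeInput := os.Getenv("UNTRUSTED") // treat this as “source”
+
+// Create a safe JSON encoder (that we whitelist)
+encoderCfg := zap.NewProductionEncoderConfig()
+jsonEncoder := zapcore.NewJSONEncoder(encoderCfg)
+
+// Build logger using that encoder
+core := zapcore.NewCore(jsonEncoder, zapcore.AddSync(os.Stdout), zapcore.DebugLevel)
+logger := zap.New(core)
+
+logger.Info("user input", zap.String("data", unsafeInput))
+}
+
+func LogWithUnsafeZapEncoder() {
+unsafeInput := os.Getenv("UNTRUSTED") // source
+
+// Suppose a “custom” encoder that does *not* sanitize newline
+// For test purposes, just use console encoder but pretend it’s unsafe
+encoderCfg := zap.NewProductionEncoderConfig()
+consoleEncoder := zapcore.NewConsoleEncoder(encoderCfg)
+
+core := zapcore.NewCore(consoleEncoder, zapcore.AddSync(os.Stdout), zapcore.DebugLevel)
+logger := zap.New(core)
+
+logger.Info("user input", zap.String("data", unsafeInput))
+}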
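Review bot: The negative case in LogWithUnsafeZapEncoder still logs through zapcore.NewConsoleEncoder, which the two comments above the encoderCfg line concede is only "pretend" unsafe, so the test cannot tell a sanitizer whitelist that wrongly admits the console encoder apart from one that correctly rejects it. A distinct type not on the whitelist gives the query a genuine negative without reimplementing the encoder, e.g. `type unsafeEncoder struct{ zapcore.Encoder }` and `consoleEncoder := unsafeEncoder{zapcore.NewConsoleEncoder(encoderCfg)}`, and the "pretend" comments can then be dropped. Separately, both functions take their tainted value from `os.Getenv("UNTRUSTED")`; if the query's sources are the usual remote flow sources, an environment variable may never be recognised as a source and the expected-results file would stay empty for reasons unrelated to the encoder, so an `*http.Request` parameter (the conventional source in these tests) is worth considering. The expected results for this test are not visible on this page, so that should be confirmed against LogInjection.expected.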
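--- /dev/null
+++ b/[PLACEHOLDER: .qlref test file, path not shown on page]
@@ -0,0 +1 @@
+query: experimental/CWE-117-ZapEncoder/LogInjection.ql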
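--- /dev/null
+++ b/[PLACEHOLDER: go.mod for the test directory, path not shown on page]
@@ -0,0 +1,7 @@
+module example/zaploginjection
+
+go 1.25.4
+
+require go.uber.org/zap v1.27.1
+
+require go.uber.org/multierr v1.10.0 // indirect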

go/ql/test/experimental/CWE-117-ZapEncoder/vendor/go.uber.org/multierr/.codecov.yml

Lines changed: 15 additions & 0 deletions
