Add taint-tracking for `errors`, `expvar`, `database/sql`, `database/sql/driver` packages by gagliardetto · Pull Request #342 · github/codeql-go

gagliardetto · 2020-09-15T16:08:10Z

codebox commands:

codebox --out-dir=./generated/latest --pkg=/usr/local/go/src/errors --http
codebox --out-dir=./generated/latest --pkg=/usr/local/go/src/expvar --http

codebox --out-dir=./generated/latest --pkg=/usr/local/go/src/database/sql --http
codebox --out-dir=./generated/latest --pkg=/usr/local/go/src/database/sql/driver --http

Part of #167

smowton · 2020-09-17T13:15:01Z

I evaluated this third tranche of stdlib improvements and found mostly new true positives (around 10-15 of them), all due to fmt.Errorf propagating taint. There were also a small number of new false positives, but these were due to existing weaknesses of taint tracking, not due to the added models.

ql/src/semmle/go/frameworks/SQL.qll

…s its own model.

Merge #339 #340 #342 #346 #347

gagliardetto mentioned this pull request Sep 15, 2020

Expand Taint-Tracking to include 67 std-lib packages (with tests) #167

Closed

smowton reviewed Sep 17, 2020

View reviewed changes

ql/src/semmle/go/frameworks/SQL.qll Outdated Show resolved Hide resolved

gagliardetto added 7 commits September 20, 2020 15:38

Taint-track package errors

2938274

Taint-track package expvar

55a8e24

Add taint-tracking to database/sql package in the SQL module

6f0bfbf

Add database/sql/driver taint-tracking

5e4d755

Add database/sql/driver taint-tracking

24e8a18

Extend QueryString::Range with database/sql/driver interfaces' methods

3fd6f9c

Remove model for a method that satisfies an interface that already ha…

5e7b279

…s its own model.

gagliardetto force-pushed the standard-lib-pt-9 branch from 1a8c3b8 to 5e7b279 Compare September 20, 2020 13:38

smowton approved these changes Sep 22, 2020

View reviewed changes

gagliardetto mentioned this pull request Sep 22, 2020

Merge #339 #340 #342 #346 #347 #349

Merged

smowton added a commit that referenced this pull request Sep 23, 2020

Merge pull request #349 from gagliardetto/stdlib-339-340-342-346-347

a094ddb

Merge #339 #340 #342 #346 #347

smowton merged commit 3155140 into github:main Sep 23, 2020

smowton mentioned this pull request Sep 23, 2020

Add taint-tracking for crypto/* packages #347

Merged

smowton added the no-change-note-required label Sep 24, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add taint-tracking for `errors`, `expvar`, `database/sql`, `database/sql/driver` packages#342

Add taint-tracking for `errors`, `expvar`, `database/sql`, `database/sql/driver` packages#342
smowton merged 7 commits intogithub:mainfrom
gagliardetto:standard-lib-pt-9

gagliardetto commented Sep 15, 2020 •

edited

Loading

Uh oh!

smowton commented Sep 17, 2020 •

edited

Loading

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Comments

Conversation

gagliardetto commented Sep 15, 2020 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

smowton commented Sep 17, 2020 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Comments

gagliardetto commented Sep 15, 2020 •

edited

Loading

smowton commented Sep 17, 2020 •

edited

Loading