-
Notifications
You must be signed in to change notification settings - Fork 126
Untrusted data flow to external API #388
Untrusted data flow to external API #388
Conversation
deebcfd to
dadf275
Compare
dadf275 to
3217afa
Compare
3217afa to
dec92c9
Compare
|
@lcartey if you have time you could try out this go version of "Untrusted data flow to external API" and give feedback before it's merged. |
Add "github.com/golang/mock/gomock", several packages under "github.com/stretchr/testify", £gotest.tools/assert", "k8s.io/client-go/testing" and "testing"
See github/codeql-go-team#219 for issue to model this better
dec92c9 to
bf78189
Compare
smowton
left a comment
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Some minor things to attend to, mostly lgtm
ql/src/Security/CWE-020/ExternalAPIsUsedWithUntrustedData.qhelp
Outdated
Show resolved
Hide resolved
ql/src/Security/CWE-020/ExternalAPIsUsedWithUntrustedData.qhelp
Outdated
Show resolved
Hide resolved
ql/src/Security/CWE-020/ExternalAPIsUsedWithUntrustedData.qhelp
Outdated
Show resolved
Hide resolved
1817d20 to
4d23cef
Compare
Co-authored-by: Chris Smowton <smowton@github.com>
4d23cef to
0ee00d8
Compare
|
@rvermeulen I know you wrote something similar recently, do you want to take a look? |
shati-patel
left a comment
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good! I've added relevant suggestions to all the places they're repeated, so apologies for the duplicated comments 🙈
There aren't any change notes yet, could you add them before this is merged?
ql/src/Security/CWE-020/ExternalAPIsUsedWithUntrustedData.qhelp
Outdated
Show resolved
Hide resolved
ql/src/Security/CWE-020/ExternalAPIsUsedWithUntrustedData.qhelp
Outdated
Show resolved
Hide resolved
ql/src/Security/CWE-020/ExternalAPIsUsedWithUntrustedData.qhelp
Outdated
Show resolved
Hide resolved
ql/src/Security/CWE-020/ExternalAPIsUsedWithUntrustedData.qhelp
Outdated
Show resolved
Hide resolved
ql/src/Security/CWE-020/ExternalAPIsUsedWithUntrustedData.qhelp
Outdated
Show resolved
Hide resolved
ql/src/Security/CWE-020/UntrustedDataToUnknownExternalAPI.qhelp
Outdated
Show resolved
Hide resolved
ql/src/Security/CWE-020/UntrustedDataToUnknownExternalAPI.qhelp
Outdated
Show resolved
Hide resolved
ql/src/Security/CWE-020/UntrustedDataToUnknownExternalAPI.qhelp
Outdated
Show resolved
Hide resolved
ql/src/Security/CWE-020/UntrustedDataToUnknownExternalAPI.qhelp
Outdated
Show resolved
Hide resolved
ql/src/Security/CWE-020/UntrustedDataToUnknownExternalAPI.qhelp
Outdated
Show resolved
Hide resolved
Co-authored-by: Shati Patel <42641846+shati-patel@users.noreply.github.com>
When the taint was in the receiver, we were excluding methods which return nothing or a boolean.
6f22b0a to
bfbf102
Compare
|
I have addressed all review comments. I will run a distcompare job over the weekend as there are one or two library changes which will affect other queries (mainly adding more testing frameworks). |
|
The distcompare job looks fine. No changes in what results we find. The timings are about the same - certainly within expected variation. |
I have based this on the java version (cf. github/codeql#3938).