Put code snippets from qhelp in test folder

owen-mc · owen-mc · commit 1b49bcc3b38d · 2020-06-16T15:44:51.000+01:00
diff --git a/ql/test/query-tests/Security/CWE-640/EmailBad.go b/ql/test/query-tests/Security/CWE-640/EmailBad.go
@@ -0,0 +1,13 @@
+package main
+
+import (
+	"net/http"
+	"net/smtp"
+)
+
+func mail(w http.ResponseWriter, r *http.Request) {
+	host := r.Header.Get("Host")
+	token := backend.getUserSecretResetToken(email)
+	body := "Click to reset password: " + host + "/" + token
+	smtp.SendMail("test.test", nil, "from@from.com", nil, []byte(body))
+}
diff --git a/ql/test/query-tests/Security/CWE-640/EmailGood.go b/ql/test/query-tests/Security/CWE-640/EmailGood.go
@@ -0,0 +1,13 @@
+package main
+
+import (
+	"net/http"
+	"net/smtp"
+)
+
+func mailGood(w http.ResponseWriter, r *http.Request) {
+	host := config["Host"]
+	token := backend.getUserSecretResetToken(email)
+	body := "Click to reset password: " + host + "/" + token
+	smtp.SendMail("test.test", nil, "from@from.com", nil, []byte(body))
+}
diff --git a/ql/test/query-tests/Security/CWE-640/EmailInjection.expected b/ql/test/query-tests/Security/CWE-640/EmailInjection.expected
@@ -1,43 +1,43 @@
 edges
-| email.go:24:10:24:17 | selection of Header : Header | email.go:27:56:27:67 | type conversion |
-| email.go:34:21:34:31 | call to Referer : string | email.go:36:57:36:78 | type conversion |
-| email.go:42:21:42:31 | call to Referer : string | email.go:45:3:45:7 | definition of write |
-| email.go:51:21:51:31 | call to Referer : string | email.go:57:46:57:59 | untrustedInput |
-| email.go:51:21:51:31 | call to Referer : string | email.go:58:52:58:65 | untrustedInput |
-| email.go:63:21:63:31 | call to Referer : string | email.go:68:16:68:22 | content |
-| email.go:73:21:73:31 | call to Referer : string | email.go:81:50:81:56 | content |
-| email.go:73:21:73:31 | call to Referer : string | email.go:81:59:81:65 | content |
-| email.go:73:21:73:31 | call to Referer : string | email.go:82:16:82:22 | content |
-| email.go:87:21:87:31 | call to Referer : string | email.go:94:37:94:50 | untrustedInput |
-| email.go:87:21:87:31 | call to Referer : string | email.go:98:16:98:23 | content2 |
+| EmailBad.go:9:10:9:17 | selection of Header : Header | EmailBad.go:12:56:12:67 | type conversion |
+| main.go:26:21:26:31 | call to Referer : string | main.go:28:57:28:78 | type conversion |
+| main.go:34:21:34:31 | call to Referer : string | main.go:37:3:37:7 | definition of write |
+| main.go:43:21:43:31 | call to Referer : string | main.go:49:46:49:59 | untrustedInput |
+| main.go:43:21:43:31 | call to Referer : string | main.go:50:52:50:65 | untrustedInput |
+| main.go:55:21:55:31 | call to Referer : string | main.go:60:16:60:22 | content |
+| main.go:65:21:65:31 | call to Referer : string | main.go:73:50:73:56 | content |
+| main.go:65:21:65:31 | call to Referer : string | main.go:73:59:73:65 | content |
+| main.go:65:21:65:31 | call to Referer : string | main.go:74:16:74:22 | content |
+| main.go:79:21:79:31 | call to Referer : string | main.go:86:37:86:50 | untrustedInput |
+| main.go:79:21:79:31 | call to Referer : string | main.go:90:16:90:23 | content2 |
 nodes
-| email.go:24:10:24:17 | selection of Header : Header | semmle.label | selection of Header : Header |
-| email.go:27:56:27:67 | type conversion | semmle.label | type conversion |
-| email.go:34:21:34:31 | call to Referer : string | semmle.label | call to Referer : string |
-| email.go:36:57:36:78 | type conversion | semmle.label | type conversion |
-| email.go:42:21:42:31 | call to Referer : string | semmle.label | call to Referer : string |
-| email.go:45:3:45:7 | definition of write | semmle.label | definition of write |
-| email.go:51:21:51:31 | call to Referer : string | semmle.label | call to Referer : string |
-| email.go:57:46:57:59 | untrustedInput | semmle.label | untrustedInput |
-| email.go:58:52:58:65 | untrustedInput | semmle.label | untrustedInput |
-| email.go:63:21:63:31 | call to Referer : string | semmle.label | call to Referer : string |
-| email.go:68:16:68:22 | content | semmle.label | content |
-| email.go:73:21:73:31 | call to Referer : string | semmle.label | call to Referer : string |
-| email.go:81:50:81:56 | content | semmle.label | content |
-| email.go:81:59:81:65 | content | semmle.label | content |
-| email.go:82:16:82:22 | content | semmle.label | content |
-| email.go:87:21:87:31 | call to Referer : string | semmle.label | call to Referer : string |
-| email.go:94:37:94:50 | untrustedInput | semmle.label | untrustedInput |
-| email.go:98:16:98:23 | content2 | semmle.label | content2 |
+| EmailBad.go:9:10:9:17 | selection of Header : Header | semmle.label | selection of Header : Header |
+| EmailBad.go:12:56:12:67 | type conversion | semmle.label | type conversion |
+| main.go:26:21:26:31 | call to Referer : string | semmle.label | call to Referer : string |
+| main.go:28:57:28:78 | type conversion | semmle.label | type conversion |
+| main.go:34:21:34:31 | call to Referer : string | semmle.label | call to Referer : string |
+| main.go:37:3:37:7 | definition of write | semmle.label | definition of write |
+| main.go:43:21:43:31 | call to Referer : string | semmle.label | call to Referer : string |
+| main.go:49:46:49:59 | untrustedInput | semmle.label | untrustedInput |
+| main.go:50:52:50:65 | untrustedInput | semmle.label | untrustedInput |
+| main.go:55:21:55:31 | call to Referer : string | semmle.label | call to Referer : string |
+| main.go:60:16:60:22 | content | semmle.label | content |
+| main.go:65:21:65:31 | call to Referer : string | semmle.label | call to Referer : string |
+| main.go:73:50:73:56 | content | semmle.label | content |
+| main.go:73:59:73:65 | content | semmle.label | content |
+| main.go:74:16:74:22 | content | semmle.label | content |
+| main.go:79:21:79:31 | call to Referer : string | semmle.label | call to Referer : string |
+| main.go:86:37:86:50 | untrustedInput | semmle.label | untrustedInput |
+| main.go:90:16:90:23 | content2 | semmle.label | content2 |
 #select
-| email.go:27:56:27:67 | type conversion | email.go:24:10:24:17 | selection of Header : Header | email.go:27:56:27:67 | type conversion | Email content may contain $@. | email.go:24:10:24:17 | selection of Header | untrusted input |
-| email.go:36:57:36:78 | type conversion | email.go:34:21:34:31 | call to Referer : string | email.go:36:57:36:78 | type conversion | Email content may contain $@. | email.go:34:21:34:31 | call to Referer | untrusted input |
-| email.go:45:3:45:7 | definition of write | email.go:42:21:42:31 | call to Referer : string | email.go:45:3:45:7 | definition of write | Email content may contain $@. | email.go:42:21:42:31 | call to Referer | untrusted input |
-| email.go:57:46:57:59 | untrustedInput | email.go:51:21:51:31 | call to Referer : string | email.go:57:46:57:59 | untrustedInput | Email content may contain $@. | email.go:51:21:51:31 | call to Referer | untrusted input |
-| email.go:58:52:58:65 | untrustedInput | email.go:51:21:51:31 | call to Referer : string | email.go:58:52:58:65 | untrustedInput | Email content may contain $@. | email.go:51:21:51:31 | call to Referer | untrusted input |
-| email.go:68:16:68:22 | content | email.go:63:21:63:31 | call to Referer : string | email.go:68:16:68:22 | content | Email content may contain $@. | email.go:63:21:63:31 | call to Referer | untrusted input |
-| email.go:81:50:81:56 | content | email.go:73:21:73:31 | call to Referer : string | email.go:81:50:81:56 | content | Email content may contain $@. | email.go:73:21:73:31 | call to Referer | untrusted input |
-| email.go:81:59:81:65 | content | email.go:73:21:73:31 | call to Referer : string | email.go:81:59:81:65 | content | Email content may contain $@. | email.go:73:21:73:31 | call to Referer | untrusted input |
-| email.go:82:16:82:22 | content | email.go:73:21:73:31 | call to Referer : string | email.go:82:16:82:22 | content | Email content may contain $@. | email.go:73:21:73:31 | call to Referer | untrusted input |
-| email.go:94:37:94:50 | untrustedInput | email.go:87:21:87:31 | call to Referer : string | email.go:94:37:94:50 | untrustedInput | Email content may contain $@. | email.go:87:21:87:31 | call to Referer | untrusted input |
-| email.go:98:16:98:23 | content2 | email.go:87:21:87:31 | call to Referer : string | email.go:98:16:98:23 | content2 | Email content may contain $@. | email.go:87:21:87:31 | call to Referer | untrusted input |
+| EmailBad.go:12:56:12:67 | type conversion | EmailBad.go:9:10:9:17 | selection of Header : Header | EmailBad.go:12:56:12:67 | type conversion | Email content may contain $@. | EmailBad.go:9:10:9:17 | selection of Header | untrusted input |
+| main.go:28:57:28:78 | type conversion | main.go:26:21:26:31 | call to Referer : string | main.go:28:57:28:78 | type conversion | Email content may contain $@. | main.go:26:21:26:31 | call to Referer | untrusted input |
+| main.go:37:3:37:7 | definition of write | main.go:34:21:34:31 | call to Referer : string | main.go:37:3:37:7 | definition of write | Email content may contain $@. | main.go:34:21:34:31 | call to Referer | untrusted input |
+| main.go:49:46:49:59 | untrustedInput | main.go:43:21:43:31 | call to Referer : string | main.go:49:46:49:59 | untrustedInput | Email content may contain $@. | main.go:43:21:43:31 | call to Referer | untrusted input |
+| main.go:50:52:50:65 | untrustedInput | main.go:43:21:43:31 | call to Referer : string | main.go:50:52:50:65 | untrustedInput | Email content may contain $@. | main.go:43:21:43:31 | call to Referer | untrusted input |
+| main.go:60:16:60:22 | content | main.go:55:21:55:31 | call to Referer : string | main.go:60:16:60:22 | content | Email content may contain $@. | main.go:55:21:55:31 | call to Referer | untrusted input |
+| main.go:73:50:73:56 | content | main.go:65:21:65:31 | call to Referer : string | main.go:73:50:73:56 | content | Email content may contain $@. | main.go:65:21:65:31 | call to Referer | untrusted input |
+| main.go:73:59:73:65 | content | main.go:65:21:65:31 | call to Referer : string | main.go:73:59:73:65 | content | Email content may contain $@. | main.go:65:21:65:31 | call to Referer | untrusted input |
+| main.go:74:16:74:22 | content | main.go:65:21:65:31 | call to Referer : string | main.go:74:16:74:22 | content | Email content may contain $@. | main.go:65:21:65:31 | call to Referer | untrusted input |
+| main.go:86:37:86:50 | untrustedInput | main.go:79:21:79:31 | call to Referer : string | main.go:86:37:86:50 | untrustedInput | Email content may contain $@. | main.go:79:21:79:31 | call to Referer | untrusted input |
+| main.go:90:16:90:23 | content2 | main.go:79:21:79:31 | call to Referer : string | main.go:90:16:90:23 | content2 | Email content may contain $@. | main.go:79:21:79:31 | call to Referer | untrusted input |
diff --git a/ql/test/query-tests/Security/CWE-640/main.go b/ql/test/query-tests/Security/CWE-640/main.go
@@ -11,23 +11,15 @@ import (
 	sendgrid "github.com/sendgrid/sendgrid-go/helpers/mail"
 )
 
-// OK
-func mailGood(w http.ResponseWriter, r *http.Request) {
-	host := config["Host"]
-	token := backend.getUserSecretResetToken(email)
-	body := "Click to reset password: " + host + "/" + token
-	smtp.SendMail("test.test", nil, "from@from.com", nil, []byte(body))
-}
+func main() {
+	var w http.ResponseWriter
+	var r *http.Request
 
-// Not OK
-func mail(w http.ResponseWriter, r *http.Request) {
-	host := r.Header.Get("Host")
-	token := backend.getUserSecretResetToken(email)
-	body := "Click to reset password: " + host + "/" + token
-	smtp.SendMail("test.test", nil, "from@from.com", nil, []byte(body))
-}
+	// Not OK
+	mail(w, r)
 
-func main() {
+	// OK
+	mailGood(w, r)
 
 	// Not OK
 	http.HandleFunc("/ex0", func(w http.ResponseWriter, r *http.Request) {
