Go: Fix false positives when logging using %T
#19053
Conversation
There was a problem hiding this comment.
Pull Request Overview
This PR updates several test files to properly flag logging calls that include the format specifier "%T", ensuring that arguments corresponding to "%T" are not mistakenly reported as vulnerabilities. Key changes include:
- Insertion of a package-level variable "v" in LoggerCall/main.go to support usage of "%T" in tests.
- Updates in multiple test files (glog.go, stdlib.go, logrus.go, and various query-tests) to mark logging calls with "%T" and adjust alert annotations.
- Addition of a change note documenting the behavioral change for LoggerCall::getAMessageComponent.
Reviewed Changes
Copilot reviewed 11 out of 14 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| go/ql/test/library-tests/semmle/go/concepts/LoggerCall/main.go | Added declaration for "v" and repositioned the main function to support updated logging tests. |
| go/ql/test/library-tests/semmle/go/concepts/LoggerCall/glog.go | Inserted additional logging calls with "%T" annotations. |
| go/ql/test/library-tests/semmle/go/concepts/LoggerCall/stdlib.go | Updated test cases for logging calls that use "%T". |
| go/ql/test/library-tests/semmle/go/concepts/LoggerCall/logrus.go | Added test cases for logrus calls using "%T". |
| go/ql/test/query-tests/Security/CWE-312/main.go | Revised logging calls and alert markers in various logging function calls. |
| go/ql/lib/change-notes/2025-03-18-loggercall-type-format-specifier.md | Added a change note documenting the new behavior regarding "%T". |
| go/ql/test/query-tests/Security/CWE-312/protobuf.go | Adjusted alert markers in logging the query description. |
| go/ql/test/query-tests/Security/CWE-312/passwords.go | Updated inline annotation markers for logging calls and their sources. |
| go/ql/test/query-tests/Security/CWE-312/klog.go | Revised alert markers in klog calls and added source annotation for header iteration. |
| go/ql/test/query-tests/Security/CWE-117/LogInjection.go | Updated logging calls to include both username and password in tests, with corresponding alert markers. |
| go/ql/test/query-tests/Security/CWE-312/overrides.go | Modified inline markers for overridden string methods and their usage. |
Files not reviewed (3)
- go/ql/lib/semmle/go/Concepts.qll: Language not supported
- go/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected: Language not supported
- go/ql/test/query-tests/Security/CWE-312/CleartextLogging.qlref: Language not supported
Tip: If you use Visual Studio Code, you can request a review from Copilot before you push from the "Source Control" tab. Learn more
There was a problem hiding this comment.
Thanks for tackling this FP! I have added a few comments and questions.
Additional questions:
- There's a commit which makes the tests more "realistic". What prompted that and are there any concrete gaps in the test coverage that are addressed? If so, would it be worth capturing that in the commit message or description?
go/ql/lib/semmle/go/Concepts.qll
Outdated
| * Exclude components corresponding to the format specifier "%T" as this | ||
| * prints the type of the argument, which is not considered vulnerable. | ||
| */ | ||
| DataFlow::Node getAMessageComponent() { | ||
| result = super.getAMessageComponent() and | ||
| not exists(string formatSpecifier | | ||
| formatSpecifier.regexpMatch("%[^%]*T") and | ||
| result = this.(StringOps::Formatting::StringFormatCall).getOperand(_, formatSpecifier) | ||
| ) | ||
| } |
There was a problem hiding this comment.
Is this the right place for this? Given that it's in Concepts, I'd think this should be more general than what we need for one specific query?
There was a problem hiding this comment.
This predicate is used in three places (outside of tests). Two of them are sinks of logging queries, where we want to exclude %T arguments. The last one is trying to rule out oauth flows that use printer calls and scan calls, which makes it likely that it's done in a terminal, and I think for that purpose it will make no difference but it's probably slightly better to rule out %T arguments. It seemed good to catch at least the first two cases. The alternative would be to add another predicate, getAPrintedMessageComponent, which has this new restriction, but the result would just be that we don't use getAMessageComponent anywhere any more. So I think it's okay to change the meaning of this predicate since it's making it closer to what anyone would want to use it for.
There was a problem hiding this comment.
My concern is that introducing query-specific logic here could be quite confusing for anyone who wants to use getAMessageComponent in the future to query all the components of a LoggerCall. It's easy to miss the comment that explains that it has non-intuitive behaviour and it might not be obvious during testing (of a new query). So while it might be fine for current uses, I don't think it's a good move for maintainability.
Rather than adding a new predicate to LoggerCall, I think it would be better to add a new class that extends LoggerCalls which is specific to the go/clear-text-logging query (and others) where we then override getAMessageComponent and filter %T components out.
There was a problem hiding this comment.
I don't agree. No one cares about things which have their type logged. I can make a new class, but it means the old one will literally not be used in our library. Anyone who wants that behaviour can make a copy of LoggerCall and change the behaviour of getAMessageComponent. I will make the comment more prominent so that the intention is clearer.
|
|
||
| func main() { | ||
| stdlib() |
There was a problem hiding this comment.
What's the motivation for this change?
There was a problem hiding this comment.
To remove linter warnings about lots of unused things 😆 .
| --- | ||
| category: minorAnalysis | ||
| --- | ||
| * `LoggerCall::getAMessageComponent` no longer returns arguments to logger calls which correspond to the verb `%T` in a format specifier. This will remove false positives in "Log entries created from user input" (`go/log-injection`) and "Clear-text logging of sensitive information" (`go/clear-text-logging`), and it may lead to more results in "Use of constant `state` value in OAuth 2.0 URL" (`go/constant-oauth2-state`). |
There was a problem hiding this comment.
Mirroring a review comment I think I wrote on another PR before: but this change note seems very implementation-oriented. Is that relevant to the target audience for this? I think if the goal is to address the FP in go/log-injection, then the change note should emphasise that. Otherwise, if we are communicating a change in the library, then we should consider whether the change has to be backwards compatible.
There was a problem hiding this comment.
I'm in two minds about whether to describe it as a change to the library, which happens to affect two queries in a very direct way, or as a change to two queries, with few/no details for anyone who might be using the predicate in the library that has been changed.
There was a problem hiding this comment.
I think that just reinforces my view in #19053 (comment) that this is a query change which is wrongly executed as a library change. If the intent is for this to fix the FP in the queries, then we should make sure that it is implemented and documented accordingly.
| glog.Errorf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text | ||
| glog.Exitf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text | ||
| glog.Fatalf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text | ||
| glog.Infof("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text | ||
| glog.Warningf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text |
There was a problem hiding this comment.
Is this change because the tests in the first commit were written so that they pass without the fix?
There was a problem hiding this comment.
Yes. I guess I could have marked them as SPURIOUS in the first commit.
There was a problem hiding this comment.
I think it would be good to make sure that if we add tests before a fix is implemented (even in the same PR) to either mark them as SPURIOUS or just have them fail. Ideally the latter if there's a fix in the same PR (as is the case here) so that you don't add the tests in one commit and then change every line again in the next.
There was a problem hiding this comment.
I marked them as SPURIOUS.
|
I had the "realistic" test changes stashed from when I converted go models to models-as-data. There aren't any concrete gaps that are covered by it. But it makes the tests closer to real code and exercises our models slightly more. For example, it makes it much clearer which functions use a format string, and if we ever treat those differently (as we kind of do in this PR) then it's easier to see what's going on. Another example: our tests tend to ignore that calls to fatal logging functions mean that all code after that is dead code, so if our analysis was more detailed then we might say "actually there isn't a result there because that's dead code". So it's better to put calls to fatal functions inside a conditional. |
go/ql/lib/semmle/go/Concepts.qll
Outdated
| * components corresponding to the format specifier "%T" are excluded as | ||
| * their type is logged rather than their value. | ||
| */ | ||
| DataFlow::Node getAMessageComponent() { |
There was a problem hiding this comment.
Suggesting keeping getAMessageComponent with the old semantics (i.e., get any formatted input, regardless of how it is formatted) and adding a new one, perhaps getAValueFormattedMessageComponent that excludes things formatted in such a way that disregards their value.
go/ql/lib/semmle/go/Concepts.qll
Outdated
| DataFlow::Node getAMessageComponent() { | ||
| result = super.getAMessageComponent() and | ||
| not exists(string formatSpecifier | | ||
| formatSpecifier.regexpMatch("%[^%]*T") and |
There was a problem hiding this comment.
| formatSpecifier.regexpMatch("%[^%]*T") and | |
| formatSpecifier.matches("%T") and |
This is cheaper, and we already know format specifiers begin with %
|
@smowton I've addressed your review comments. I only force-pushed to edit history to mark the tests in the first commit as SPURIOUS. |
| --- | ||
| category: minorAnalysis | ||
| --- | ||
| * False positives in "Log entries created from user input" (`go/log-injection`) and "Clear-text logging of sensitive information" (`go/clear-text-logging`) which correspond to the verb `%T` in a format specifier have been removed. There may also be more results in "Use of constant `state` value in OAuth 2.0 URL" (`go/constant-oauth2-state`). |
There was a problem hiding this comment.
Should this be less results, for the same reason?
There was a problem hiding this comment.
In go/constant-oauth2-state, arguments to loggercalls are used to rule out some alerts. So less arguments to loggercalls means more alerts, potentially. (In practice I doubt there will be any alert changes for that query.)
go/ql/src/change-notes/2025-03-20-logging-false-positive-type-format-specifier.md
Outdated
Show resolved
Hide resolved
Co-authored-by: Michael B. Gale <[email protected]>
|
@mbg Please re-review. |
LoggerCall::getAMessageComponentno longer returns arguments to logger calls which correspond to the verb%Tin a format specifier. This will remove false positives in "Log entries created from user input" (go/log-injection) and "Clear-text logging of sensitive information" (go/clear-text-logging), and it may lead to more results in "Use of constantstatevalue in OAuth 2.0 URL" (go/constant-oauth2-state).I've made a library change note but may change it to a query change note, pending discussion with colleagues.
Prompted by #18926.