Convert .qlref test to inline expectations

Author: owen-mc

go/ql/src/experimental/CWE-525/WebCacheDeception.ql

@@ -1,4 +1,4 @@
-/*
+/**
  * @name Web Cache Deception
  * @description A caching system has been detected on the application and is vulnerable to web cache deception. By manipulating the URL it is possible to force the application to cache pages that are only accessible by an authenticated user. Once cached, these pages can be accessed by an unauthenticated user.
  * @kind problem

go/ql/test/experimental/CWE-090/LDAPInjection.go

@@ -54,31 +54,31 @@ func main() {}
 // bad is an example of a bad implementation
 func (ld *Ldap) bad(req *http.Request) {
 	// ...
-	untrusted := req.UserAgent()
+	untrusted := req.UserAgent() // $ Source
 	goldap.NewSearchRequest(
-		untrusted, // BAD: untrusted dn
+		untrusted, // $ Alert // BAD: untrusted dn
 		goldap.ScopeWholeSubtree, goldap.NeverDerefAliases, 0, 0, false,
-		"(&(objectClass=organizationalPerson))"+untrusted, // BAD: untrusted filter
-		[]string{"dn", "cn", untrusted},                   // BAD: untrusted attribute
+		"(&(objectClass=organizationalPerson))"+untrusted, // $ Alert // BAD: untrusted filter
+		[]string{"dn", "cn", untrusted},                   // $ Alert // BAD: untrusted attribute
 		nil,
 	)
 	goldapv3.NewSearchRequest(
-		untrusted, // BAD: untrusted dn
+		untrusted, // $ Alert // BAD: untrusted dn
 		goldap.ScopeWholeSubtree, goldap.NeverDerefAliases, 0, 0, false,
-		"(&(objectClass=organizationalPerson))"+untrusted, // BAD: untrusted filter
-		[]string{"dn", "cn", untrusted},                   // BAD: untrusted attribute
+		"(&(objectClass=organizationalPerson))"+untrusted, // $ Alert // BAD: untrusted filter
+		[]string{"dn", "cn", untrusted},                   // $ Alert // BAD: untrusted attribute
 		nil,
 	)
 	gopkgldapv2.NewSearchRequest(
-		untrusted, // BAD: untrusted dn
+		untrusted, // $ Alert // BAD: untrusted dn
 		goldap.ScopeWholeSubtree, goldap.NeverDerefAliases, 0, 0, false,
-		"(&(objectClass=organizationalPerson))"+untrusted, // BAD: untrusted filter
-		[]string{"dn", "cn", untrusted},                   // BAD: untrusted attribute
+		"(&(objectClass=organizationalPerson))"+untrusted, // $ Alert // BAD: untrusted filter
+		[]string{"dn", "cn", untrusted},                   // $ Alert // BAD: untrusted attribute
 		nil,
 	)
 	client := &ldapclient.LDAPClient{}
-	client.Authenticate(untrusted, "123456") // BAD: untrusted filter
-	client.GetGroupsOfUser(untrusted)        // BAD: untrusted filter
+	client.Authenticate(untrusted, "123456") // $ Alert // BAD: untrusted filter
+	client.GetGroupsOfUser(untrusted)        // $ Alert // BAD: untrusted filter
 	// ...
 }
 

go/ql/test/experimental/CWE-090/LDAPInjection.qlref

@@ -1,2 +1,4 @@
 query: experimental/CWE-090/LDAPInjection.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql

go/ql/test/experimental/CWE-203/Timing.qlref

@@ -1,2 +1,4 @@
 query: experimental/CWE-203/Timing.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql

go/ql/test/experimental/CWE-203/timing.go

@@ -12,9 +12,9 @@ func bad(w http.ResponseWriter, req *http.Request) (interface{}, error) {
 	secret := "MySuperSecretPasscode"
 	secretHeader := "X-Secret"
 
-	headerSecret := req.Header.Get(secretHeader)
+	headerSecret := req.Header.Get(secretHeader) // $ Source
 	secretStr := string(secret)
-	if len(headerSecret) != 0 && headerSecret != secretStr {
+	if len(headerSecret) != 0 && headerSecret != secretStr { // $ Alert
 		return nil, fmt.Errorf("header %s=%s did not match expected secret", secretHeader, headerSecret)
 	}
 	return nil, nil
@@ -25,9 +25,9 @@ func bad2(w http.ResponseWriter, req *http.Request) (interface{}, error) {
 	secret := "MySuperSecretPasscode"
 	secretHeader := "X-Secret"
 
-	headerSecret := req.Header.Get(secretHeader)
+	headerSecret := req.Header.Get(secretHeader) // $ Source
 	secretStr := string(secret)
-	if len(headerSecret) != 0 && strings.Compare(headerSecret, secretStr) != 0 {
+	if len(headerSecret) != 0 && strings.Compare(headerSecret, secretStr) != 0 { // $ Alert
 		return nil, fmt.Errorf("header %s=%s did not match expected secret", secretHeader, headerSecret)
 	}
 	return nil, nil
@@ -38,8 +38,8 @@ func bad4(w http.ResponseWriter, req *http.Request) (interface{}, error) {
 	secret := "MySuperSecretPasscode"
 	secretHeader := "X-Secret"
 
-	headerSecret := req.Header.Get(secretHeader)
-	if len(secret) != 0 && headerSecret != "SecretStringLiteral" {
+	headerSecret := req.Header.Get(secretHeader)                   // $ Source
+	if len(secret) != 0 && headerSecret != "SecretStringLiteral" { // $ Alert
 		return nil, fmt.Errorf("header %s=%s did not match expected secret", secretHeader, headerSecret)
 	}
 	return nil, nil

go/ql/test/experimental/CWE-285/PamAuthBypass.qlref

@@ -1 +1,2 @@
-experimental/CWE-285/PamAuthBypass.ql
+query: experimental/CWE-285/PamAuthBypass.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

go/ql/test/experimental/CWE-285/main.go

@@ -9,7 +9,7 @@ import (
 func bad() error {
 	t, _ := pam.StartFunc("", "", func(s pam.Style, msg string) (string, error) {
 		return "", nil
-	})
+	}) // $ Alert
 	return t.Authenticate(0)
 
 }

go/ql/test/experimental/CWE-287/ImproperLdapAuth.go

@@ -15,7 +15,7 @@ func bad(w http.ResponseWriter, req *http.Request) (interface{}, error) {
 	ldapServer := "ldap.example.com"
 	ldapPort := 389
 	bindDN := "cn=admin,dc=example,dc=com"
-	bindPassword := req.URL.Query()["password"][0]
+	bindPassword := req.URL.Query()["password"][0] // $ Source
 
 	// Connect to the LDAP server
 	l, err := ldap.Dial("tcp", fmt.Sprintf("%s:%d", ldapServer, ldapPort))
@@ -25,7 +25,7 @@ func bad(w http.ResponseWriter, req *http.Request) (interface{}, error) {
 	defer l.Close()
 
 	// BAD: user input is not sanetized
-	err = l.Bind(bindDN, bindPassword)
+	err = l.Bind(bindDN, bindPassword) // $ Alert
 	if err != nil {
 		return fmt.Errorf("LDAP bind failed: %v", err), err
 	}
@@ -84,7 +84,7 @@ func bad2(req *http.Request) {
 	ldapPort := 389
 	bindDN := "cn=admin,dc=example,dc=com"
 	// BAD : empty password
-	bindPassword := ""
+	bindPassword := "" // $ Source
 
 	// Connect to the LDAP server
 	l, err := ldap.Dial("tcp", fmt.Sprintf("%s:%d", ldapServer, ldapPort))
@@ -94,7 +94,7 @@ func bad2(req *http.Request) {
 	defer l.Close()
 
 	// BAD : bindPassword is empty
-	err = l.Bind(bindDN, bindPassword)
+	err = l.Bind(bindDN, bindPassword) // $ Alert
 	if err != nil {
 		log.Fatalf("LDAP bind failed: %v", err)
 	}

go/ql/test/experimental/CWE-287/ImproperLdapAuth.qlref

@@ -1,2 +1,4 @@
 query: experimental/CWE-287/ImproperLdapAuth.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql

go/ql/test/experimental/CWE-321-V2/HardCodedKeys.expected

@@ -1,3 +1,6 @@
+#select
+| go-jose.v3.go:24:32:24:37 | JwtKey | go-jose.v3.go:13:21:13:33 | "AllYourBase" | go-jose.v3.go:24:32:24:37 | JwtKey | This  $@. | go-jose.v3.go:13:21:13:33 | "AllYourBase" | Constant Key is used as JWT Secret key |
+| golang-jwt-v5.go:27:9:27:15 | JwtKey1 | golang-jwt-v5.go:19:22:19:34 | "AllYourBase" | golang-jwt-v5.go:27:9:27:15 | JwtKey1 | This  $@. | golang-jwt-v5.go:19:22:19:34 | "AllYourBase" | Constant Key is used as JWT Secret key |
 edges
 | go-jose.v3.go:13:14:13:34 | type conversion | go-jose.v3.go:24:32:24:37 | JwtKey | provenance |  |
 | go-jose.v3.go:13:21:13:33 | "AllYourBase" | go-jose.v3.go:13:14:13:34 | type conversion | provenance |  |
@@ -11,6 +14,3 @@ nodes
 | golang-jwt-v5.go:19:22:19:34 | "AllYourBase" | semmle.label | "AllYourBase" |
 | golang-jwt-v5.go:27:9:27:15 | JwtKey1 | semmle.label | JwtKey1 |
 subpaths
-#select
-| go-jose.v3.go:24:32:24:37 | JwtKey | go-jose.v3.go:13:21:13:33 | "AllYourBase" | go-jose.v3.go:24:32:24:37 | JwtKey | This  $@. | go-jose.v3.go:13:21:13:33 | "AllYourBase" | Constant Key is used as JWT Secret key |
-| golang-jwt-v5.go:27:9:27:15 | JwtKey1 | golang-jwt-v5.go:19:22:19:34 | "AllYourBase" | golang-jwt-v5.go:27:9:27:15 | JwtKey1 | This  $@. | golang-jwt-v5.go:19:22:19:34 | "AllYourBase" | Constant Key is used as JWT Secret key |