CodeQL for Golang Practise(3)

CodeQL for Golang

Taint Analysis

Taint analysis is a form of data-flow analysis. It identifies every source of untrusted data (for a Go web service: request parameters, headers, bodies, and anything else read from the network), follows that data through the program as it is copied, concatenated and passed between functions, and reports the cases where it reaches a security-sensitive operation (a sink) without first passing through a sanitizer that makes it safe for that sink.

Source –> Propagation (a sanitizer on this path cuts the flow) –> Sink

Sample Security Queries

CWE-020

CWE-020: Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. CWE-020_QL_Query

CWE-022

CWE-022: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. CWE-022_QL_Query
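The source/sanitizer/sink shape from the Taint Analysis section and the CWE-022 pattern above, as an added example (this is not code from the page or from the CodeQL repository). The serving root /srv/files, the file query parameter and the function names are assumptions made for the example; resolveUnsafe is the flow the query reports, resolveSafe is the same flow with a sanitizer in between:

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"os"
	"path/filepath"
	"strings"
)

// Constructed example: the only directory the service may serve from.
// A real service would take this from configuration.
var root = "/srv/files"

var errTraversal = errors.New("path escapes the restricted directory")

// resolveUnsafe is the vulnerable shape the CWE-022 query reports: the tainted
// name reaches the file path with no sanitizer. filepath.Join cleans the result,
// but cleaning resolves ".." segments instead of rejecting them, so
// "../../etc/passwd" becomes "/etc/passwd".
func resolveUnsafe(name string) string {
	return filepath.Join(root, name)
}

// resolveSafe is the hardened form. Joining and then checking the result
// relative to root is the sanitizer that breaks the flow from source to sink.
func resolveSafe(name string) (string, error) {
	if filepath.IsAbs(name) || strings.ContainsRune(name, 0) {
		return "", errTraversal
	}
	full := filepath.Join(root, name)
	rel, err := filepath.Rel(root, full)
	// ".." alone or "../x" escapes; "..hidden" is a legitimate name, hence the
	// separator in the prefix check.
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errTraversal
	}
	return full, nil
}

// serveFile is a handler in the source -> sanitizer -> sink shape.
func serveFile(w http.ResponseWriter, r *http.Request) {
	name := r.URL.Query().Get("file") // source: attacker-controlled query parameter
	path, err := resolveSafe(name)    // sanitizer: reject anything outside root
	if err != nil {
		http.Error(w, "invalid file name", http.StatusBadRequest)
		return
	}
	data, err := os.ReadFile(path) // sink: file-system access with the derived path
	if err != nil {
		http.Error(w, "not found", http.StatusNotFound)
		return
	}
	w.Header().Set("Content-Type", "application/octet-stream")
	w.Write(data)
}

func main() {
	// Constructed inputs an attacker might send as ?file=...
	for _, name := range []string{"docs/readme.txt", "../../etc/passwd", "..", "..hidden"} {
		safe, err := resolveSafe(name)
		fmt.Printf("%-20q unsafe=%-28q safe=%q err=%v\n", name, resolveUnsafe(name), safe, err)
	}
	http.HandleFunc("/files", serveFile)
	// http.ListenAndServe(":8080", nil) // start the server to exercise the handler
}
```

The filepath.Rel check works on strings only: it does not resolve symbolic links, so a symlink inside root that points outside it still escapes. When the root may contain untrusted symlinks, resolve with filepath.EvalSymlinks before the check, or (Go 1.24 and later) open files through os.OpenRoot, which enforces the boundary at the operating-system level.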

CWE-078

CWE-078: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. CWE-078_QL_Query
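An added Go example for the CWE-078 pattern (not code from the page or the CodeQL repository). The ping use case, the function names and the hostname grammar are assumptions for the example. It shows three stages: the shell form the query reports, the argv form that removes shell metacharacters but still allows argument injection, and the validated form. Commands are constructed but never started, so it runs without a network:

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"os/exec"
	"regexp"
)

var errBadHost = errors.New("host is not a hostname or IP literal")

// hostnameRE accepts dot-separated labels of letters, digits and hyphens that
// neither start nor end with a hyphen, which is also what keeps "-f" out.
var hostnameRE = regexp.MustCompile(
	`^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$`)

// pingUnsafe is the shape the CWE-078 query reports: tainted data is spliced
// into a shell command line, so a host of "example.com; id" also runs id.
func pingUnsafe(host string) *exec.Cmd {
	return exec.Command("sh", "-c", "ping -c 1 "+host)
}

// pingArgv drops the shell and passes host as its own argv element. Shell
// metacharacters are now inert, but a host of "-f" still reaches ping as an
// option (argument injection), so this alone is not a sufficient sanitizer.
func pingArgv(host string) *exec.Cmd {
	return exec.Command("ping", "-c", "1", host)
}

// validHost is the sanitizer: allow only a syntactically valid hostname or an
// IP literal, neither of which can begin with "-" or carry shell metacharacters.
func validHost(host string) bool {
	return net.ParseIP(host) != nil || (len(host) <= 253 && hostnameRE.MatchString(host))
}

// pingSafe validates first, then uses the argv form.
func pingSafe(host string) (*exec.Cmd, error) {
	if !validHost(host) {
		return nil, errBadHost
	}
	return exec.Command("ping", "-c", "1", host), nil
}

func main() {
	// Constructed inputs as an attacker might supply them in a "host" field.
	for _, host := range []string{"example.com", "example.com; id", "-f", "2001:db8::1"} {
		fmt.Printf("%-18q unsafe argv=%q\n", host, pingUnsafe(host).Args)
		if cmd, err := pingSafe(host); err != nil {
			fmt.Printf("%-18s rejected: %v\n", "", err)
		} else {
			fmt.Printf("%-18s safe argv=%q\n", "", cmd.Args)
		}
	}
}
```

The allow-list is the important part: a deny-list of shell characters would miss the "-f" case entirely, because the problem there is the called program's own option parser, not the shell.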

CWE-079: XSS

CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. CWE-079_QL_Query

CWE-089: SQLi

CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. CWE-089_QL_Query

CWE-190

CWE-190: Integer Overflow or Wraparound

The software performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control. CWE-190_QL_Query

CWE-209

CWE-209: Generation of Error Message Containing Sensitive Information

The software generates an error message that includes sensitive information about its environment, users, or associated data. CWE-209_QL_Query

CWE-295

CWE-295: Improper Certificate Validation

The software does not validate, or incorrectly validates, a certificate. CWE-295_QL_Query

CWE-312

CWE-312: Cleartext Storage of Sensitive Information

The application stores sensitive information in cleartext within a resource that might be accessible to another control sphere. CWE-312_QL_Query

CWE-322

CWE-322: Key Exchange without Entity Authentication

The software performs a key exchange with an actor without verifying the identity of that actor. CWE-322_QL_Query

CWE-327

CWE-327: Use of a Broken or Risky Cryptographic Algorithm

The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information. CWE-327_QL_Query

CWE-352: CSRF

CWE-352: Cross-Site Request Forgery (CSRF)

The web application does not, or cannot, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. CWE-352_QL_Query

CWE-601: Open Redirect

CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’)

A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. This simplifies phishing attacks, because the victim sees a link to a trusted domain that lands them on the attacker's page. CWE-601_QL_Query
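An added Go example for the CWE-601 pattern (not code from the page or the CodeQL repository). The login endpoint, the next parameter and the function names are assumptions for the example. Beyond the plain https://evil.example case it handles the shapes that commonly slip past a naive "starts with /" check: protocol-relative //evil.example, triple-slash ///evil.example, and /\evil.example, which browsers normalise to a protocol-relative URL:

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// loginUnsafe is the shape the CWE-601 query reports: the "next" parameter
// (source) goes straight into http.Redirect (sink). http.Redirect passes any
// value that has a scheme or host through untouched, so ?next=//evil.example
// sends the browser to evil.example.
func loginUnsafe(w http.ResponseWriter, r *http.Request) {
	http.Redirect(w, r, r.URL.Query().Get("next"), http.StatusFound)
}

// localTarget is the sanitizer. It returns a re-serialised same-origin path
// for next, or false when next would leave the site.
func localTarget(next string) (string, bool) {
	u, err := url.Parse(next)
	if err != nil {
		return "", false
	}
	// Absolute URLs ("https://evil.example"), protocol-relative ones
	// ("//evil.example", which url.Parse reports as a Host) and anything with
	// userinfo are all off-site.
	if u.Scheme != "" || u.Host != "" || u.User != nil {
		return "", false
	}
	p := u.EscapedPath()
	// Require an absolute-path reference. "///evil.example" is parsed by Go as a
	// plain path but treated by browsers as "//evil.example"; "/\evil.example"
	// is likewise treated by browsers as protocol-relative. Reject both shapes.
	if !strings.HasPrefix(p, "/") || strings.HasPrefix(p, "//") || strings.HasPrefix(u.Path, "/\\") {
		return "", false
	}
	if u.RawQuery != "" {
		p += "?" + u.RawQuery
	}
	return p, true
}

// loginSafe redirects only to a validated local path and falls back to "/".
func loginSafe(w http.ResponseWriter, r *http.Request) {
	target, ok := localTarget(r.URL.Query().Get("next"))
	if !ok {
		target = "/"
	}
	http.Redirect(w, r, target, http.StatusFound)
}

// redirectLocation drives a handler with a constructed request and returns the
// Location header it produced.
func redirectLocation(h http.HandlerFunc, next string) string {
	req := httptest.NewRequest("GET", "/login?next="+url.QueryEscape(next), nil)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Header().Get("Location")
}

func main() {
	// Constructed "next" values, benign and malicious.
	for _, next := range []string{"/account?tab=1", "//evil.example", "https://evil.example", "///evil.example", "/\\evil.example"} {
		fmt.Printf("%-22q unsafe -> %-22q safe -> %q\n",
			next, redirectLocation(loginUnsafe, next), redirectLocation(loginSafe, next))
	}
}
```

Re-serialising from the parsed path and query, instead of echoing the original string once it passes the checks, is deliberate: it means the Location header can only ever contain what the validator actually inspected.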

CWE-640

CWE-640: Weak Password Recovery Mechanism for Forgotten Password

The software contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak. CWE-640_QL_Query

CWE-643

CWE-643: Improper Neutralization of Data within XPath Expressions (‘XPath Injection’)

The software uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query. CWE-643_QL_Query

CWE-681

CWE-681: Incorrect Conversion between Numeric Types

When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur. CWE-681_QL_Query
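An added Go example covering both the CWE-190 and the CWE-681 entries above (not code from the page or the CodeQL repository). The record size, the port-parsing use case and the function names are assumptions for the example, and the wraparound values assume a 64-bit int. Each vulnerable function sits beside its checked form:

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"math/bits"
	"strconv"
)

const recordSize = 4096 // constructed: bytes per record

var errOverflow = errors.New("size computation overflows")

// allocSizeUnsafe is the shape the CWE-190 query reports: an attacker-chosen
// count is multiplied with no bound check. With a 64-bit int, count = 1<<51
// makes the product wrap to a negative number, so a later "n <= limit" check
// passes for the wrong reason and make([]byte, n) panics.
func allocSizeUnsafe(count int) int {
	return count * recordSize
}

// allocSizeSafe rejects the multiplication before it can wrap.
func allocSizeSafe(count int) (int, error) {
	if count < 0 || count > math.MaxInt/recordSize {
		return 0, errOverflow
	}
	return count * recordSize, nil
}

// mulU64 uses the full-width product: a non-zero high word means the result
// does not fit in 64 bits. This is the cheapest check for length*elementSize.
func mulU64(a, b uint64) (uint64, bool) {
	hi, lo := bits.Mul64(a, b)
	return lo, hi == 0
}

// parsePortUnsafe is the shape the CWE-681 query reports: the value is parsed
// into a 64-bit integer and then narrowed with a plain conversion, which keeps
// only the low 16 bits: "65535" becomes -1 and "70000" becomes 4464.
func parsePortUnsafe(s string) (int16, error) {
	n, err := strconv.ParseInt(s, 10, 64)
	return int16(n), err
}

// parsePortSafe asks strconv for the exact width, so out-of-range input is an
// error rather than a silently wrapped value.
func parsePortSafe(s string) (uint16, error) {
	n, err := strconv.ParseUint(s, 10, 16)
	if err != nil {
		return 0, err
	}
	return uint16(n), nil
}

func main() {
	for _, c := range []int{16, 1 << 51} {
		n, err := allocSizeSafe(c)
		fmt.Printf("count=%d unsafe=%d safe=%d err=%v\n", c, allocSizeUnsafe(c), n, err)
	}
	for _, s := range []string{"443", "65535", "70000"} {
		u, _ := parsePortUnsafe(s)
		p, err := parsePortSafe(s)
		fmt.Printf("%q unsafe=%d safe=%d err=%v\n", s, u, p, err)
	}
}
```

The narrowing case is easy to miss in review because the code compiles and even works for ordinary input; CodeQL flags it because the width of the parsed value and the width of the destination type disagree.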

CWE-798

CWE-798: Use of Hard-coded Credentials

The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. CWE-798_QL_Query

CWE-918

CWE-918: Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. CWE-918_QL_Query

Other Sample Queries in the Official Repo

Filtering

  • Classify Different Kinds of Files

Inconsistent Code

Constant Length Comparison

Comparing the length of an array to a constant before indexing it using a loop variable may indicate a logic error.

Inconsistent Loop Orientation

A ‘for’ loop that increments its loop variable but checks it against a lower bound, or decrements its loop variable but checks it against an upper bound, will either stop iterating immediately or keep iterating indefinitely, and is usually indicative of a typo.

Off-by-one comparison against length

An array index is compared with the length of the array, and then used in an indexing operation that could be out of bounds.

Missing Error Check

When a function returns a pointer alongside an error value, one should normally assume that the pointer may be nil until either the pointer or error has been checked.

Mistyped Exponentiation

Using ^ as exponentiation is a mistake, as it is the bitwise exclusive-or operator.

Whitespace contradicts operator precedence

Nested expressions where the formatting contradicts the grouping enforced by operator precedence are difficult to read and may even indicate a bug.

Metrics

FLinesOfCode

Measures the number of lines of code in each file, ignoring lines that contain only comments or whitespace.

FLinesOfComment

Files with few lines of comment might not have sufficient documentation to make them understandable.

Redundant Code

  • CompareIdenticalValues
  • DeadStoreOfField
  • DeadStoreOfLocal
  • DuplicateBranches
  • DuplicateCondition
  • DuplicateSwitchCase
  • ExprHasNoEffect
  • ImpossibleInterfaceNilCheck
  • NegativeLengthCheck
  • RedundantExpression
  • RedundantRecover
  • SelfAssignment
  • ShiftOutOfRange
  • UnreachableStatement

Experimental Security Queries

The official repo also contains some experimental CodeQL queries and libraries, which are not part of the default suites:

  • CWE-327: Insecure Randomness & Weak Crypto Algorithm
  • CWE-807: Sensitive Condition Bypass
  • CWE-840: Conditional Bypass
  • Integer Overflow
  • Unsafe

Reference