- Added the gin cors library to the `CorsMisconfiguration.ql` query.
- A bug has been fixed that meant that value flow through an array was not tracked correctly in some circumstances. Taint flow was tracked correctly.
- Added `Request.Cookie` to reflected XSS sanitizers.
- Fixed a bug where data flow nodes in files that are not in the project being analyzed (such as libraries) and are not contained within a function were not given an enclosing `Callable`. Note that for nodes that are not contained within a function, the enclosing callable is considered to be the file itself. This may cause some minor changes to results.
- Deleted the deprecated `isBarrierGuard` predicate from the dataflow library and its uses; use `isBarrier` and the `BarrierGuard` module instead.
- Support has been added for file system access sinks in the following libraries: net/http, Afero, beego, Echo, Fiber, Gin, Iris.
- Added `GoKit.qll` to `go.qll`, enabling the GoKit framework by default.
- Added Numeric and Boolean types to SQL injection sanitizers.
No user-facing changes.
- Added `http.Error` to XSS sanitizers.
No user-facing changes.
- Logrus' `WithContext` methods are no longer treated as if they output the values stored in that context to a log message.
- The `DataFlow::StateConfigSig` signature module has gained default implementations for `isBarrier/2` and `isAdditionalFlowStep/4`. Hence it is no longer necessary to provide `none()` implementations of these predicates if they are not needed.
- Data flow configurations can now include a predicate `neverSkip(Node node)` to ensure inclusion of certain nodes in the path explanations. The predicate defaults to the end-points of the additional flow steps provided in the configuration, which means that such steps are now always visible by default in path explanations.
- Parameter nodes now exist for unused parameters as well as used parameters.
- Add support for v4 of the Go Micro framework.
- Support for the Bun framework has been added.
- Support for gqlgen has been added.
- Support for the go-pg framework has been improved.
- The `LogInjection::Configuration` taint flow configuration class has been deprecated. Use the `LogInjection::Flow` module instead.
- When a result of a path query flows through a function modeled using `DataFlow::FunctionModel` or `TaintTracking::FunctionModel`, the path now includes nodes corresponding to the input and output of the function. This brings it in line with functions modeled using Models-as-Data.
No user-facing changes.
- Fixed data flow through variadic function parameters. The arguments corresponding to a variadic parameter are no longer returned by `CallNode.getArgument(int i)` and `CallNode.getAnArgument()`, and hence aren't `ArgumentNode`s. They now have one result, which is an `ImplicitVarargsSlice` node. For example, a call `f(a, b, c)` to a function `f(T...)` is treated like `f([]T{a, b, c})`. The old behaviour is preserved by `CallNode.getSyntacticArgument(int i)` and `CallNode.getASyntacticArgument()`. `CallExpr.getArgument(int i)` and `CallExpr.getAnArgument()` are unchanged, and will still have three results in the example given.
- Taking a slice is now considered a sanitizer for `SafeUrlFlow`.
- The recently introduced new data flow and taint tracking APIs have had a number of module and predicate renamings. The old APIs remain in place for now.
- Fixed some accidental predicate visibility in the backwards-compatible wrapper for data flow configurations. In particular, `DataFlow::hasFlowPath`, `DataFlow::hasFlow`, `DataFlow::hasFlowTo`, and `DataFlow::hasFlowToExpr` were accidentally exposed in a single version.
No user-facing changes.
- Added support for merging two `PathGraph`s via disjoint union to allow results from multiple data flow computations in a single `path-problem` query.
- The main data flow and taint tracking APIs have been changed. The old APIs remain in place for now and translate to the new through a backwards-compatible wrapper. If multiple configurations are in scope simultaneously, then this may affect results slightly. The new API is quite similar to the old, but makes use of a configuration module instead of a configuration class.
No user-facing changes.
- Go 1.20 is now supported. The extractor now functions as expected when Go 1.20 is installed; the definition of `implementsComparable` has been updated according to Go 1.20's new, more liberal rules; and taint flow models have been added for relevant new standard-library functions.
- Support for the Twirp framework has been added.
No user-facing changes.
- The signature of `allowImplicitRead` on `DataFlow::Configuration` and `TaintTracking::Configuration` has changed from `allowImplicitRead(DataFlow::Node node, DataFlow::Content c)` to `allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c)`.
- The `BarrierGuard` class has been deprecated. Such barriers and sanitizers can now instead be created using the new `BarrierGuard` parameterized module.
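The following query is an added example (constructed for this page, not from the CodeQL repository) of the module-based API described above: a `DataFlow::ConfigSig` module instead of a configuration class, with a barrier built from the new `BarrierGuard` parameterized module. The guard function name `isAllowedCommand` is a hypothetical allow-list check in the analysed code base; `UntrustedFlowSource` and `SystemCommandExecution` are existing classes of the Go library.

```ql
/**
 * @name Untrusted input reaches a command name (added example)
 * @kind path-problem
 * @id go/example/command-name-from-untrusted-input
 */

import go

// A guard like `if isAllowedCommand(cmd) { ... }` validates `cmd` on its
// true branch. `isAllowedCommand` is a hypothetical function in the
// analysed project, assumed here for illustration.
predicate allowlistGuard(DataFlow::Node g, Expr e, boolean branch) {
  exists(DataFlow::CallNode call |
    call.getTarget().getName() = "isAllowedCommand" and
    g = call and
    e = call.getArgument(0).asExpr() and
    branch = true
  )
}

// Configuration module: replaces the old `TaintTracking::Configuration` class.
module CommandNameConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }

  predicate isSink(DataFlow::Node sink) {
    sink = any(SystemCommandExecution exec).getCommandName()
  }

  // Values checked by the guard are barriers on the validated branch.
  predicate isBarrier(DataFlow::Node node) {
    node = DataFlow::BarrierGuard<allowlistGuard/3>::getABarrierNode()
  }
}

// Instantiate global taint tracking from the module.
module CommandNameFlow = TaintTracking::Global<CommandNameConfig>;

import CommandNameFlow::PathGraph

from CommandNameFlow::PathNode source, CommandNameFlow::PathNode sink
where CommandNameFlow::flowPath(source, sink)
select sink.getNode(), source, sink, "This command name depends on a $@.",
  source.getNode(), "user-provided value"
```

Because the query uses `isBarrier` rather than the deprecated `BarrierGuard` class, it keeps working after the deprecated class and `isBarrierGuard` predicate are deleted.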
- The predicate `getNumParameter` on `FuncTypeExpr` has been changed to actually give the number of parameters. It previously gave the number of parameter declarations. `getNumParameterDecl` has been introduced to preserve this functionality.
- The definition of `mayHaveSideEffects` for `ReturnStmt` was incorrect when more than one expression was being returned. Such return statements were effectively considered to never have side effects. This has now been fixed.
- In rare circumstances `globalValueNumber` may have incorrectly treated two values as the same when they were in fact distinct.
- Queries that care about SQL, such as `go/sql-injection`, now recognise SQL-consuming functions belonging to the `gorqlite` and `GoFrame` packages.
- `rsync` has been added to the list of commands which may evaluate its parameters as a shell command.
- Fixed an issue in the taint tracking analysis where implicit reads were not allowed by default in sinks or additional taint steps that used flow states.
No user-facing changes.
- Added support for `BeegoInput.RequestBody` as a source of untrusted data.
- Some classes/modules with upper-case acronyms in their name have been renamed to follow our style guide. The old name still exists as a deprecated alias.
- Go 1.19 is now supported, including adding new taint propagation steps for new standard-library functions introduced in this release.
- Most deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
- Fixed data-flow to captured variable references.
- We now assume that if a channel-typed field is only referred to twice in the user codebase, once in a send operation and once in a receive, then data flows from the send to the receive statement. This enables finding some cross-goroutine flow.
- The `BarrierGuard` class has been deprecated. Such barriers and sanitizers can now instead be created using the new `BarrierGuard` parameterized module.
- Go 1.18 generics are now extracted and can be explored using the new CodeQL classes `TypeParamDecl`, `GenericFunctionInstantiationExpr`, `GenericTypeInstantiationExpr`, `TypeSetTerm`, and `TypeSetLiteralType`, as well as using new predicates defined on the existing `InterfaceType`. Class- and predicate-level documentation can be found in the Go CodeQL library reference.
- The method predicate `getACalleeIncludingExternals` on `DataFlow::CallNode` and the function `viableCallable` in `DataFlowDispatch` now also work for calls to functions via a variable, where the function can be determined using local flow.
- Fixed a bug where dataflow steps were ignored if both ends were inside the initialiser routine of a file-level variable.
- The `codeql/go-upgrades` CodeQL pack has been removed. All database upgrade scripts have been merged into the `codeql/go-all` CodeQL pack.
- `Function`'s predicate `getACall` now returns more results in some situations. It now always returns callers that may call a method indirectly via an interface method that it implements. Previously this only happened if the method was in the source code being analysed.