No user-facing changes.
- The query
go/incorrect-integer-conversionnow correctly recognizes more guards of the formif val <= xto protect a conversionuintX(val).
- The query "Incorrect conversion between integer types" (
go/incorrect-integer-conversion) has been improved. It can now detect parsing an unsigned integer type (likeuint32) and converting it to the signed integer type of the same size (likeint32), which may lead to more results. It also treatsintanduintmore carefully, which may lead to more results or fewer incorrect results.
No user-facing changes.
No user-facing changes.
No user-facing changes.
No user-facing changes.
No user-facing changes.
No user-facing changes.
- The query "Arbitrary file write during zip extraction ("zip slip")" (
go/zipslip) has been renamed to "Arbitrary file access during archive extraction ("Zip Slip")."
No user-facing changes.
No user-facing changes.
No user-facing changes.
No user-facing changes.
- The receiver arguments of
net/http.Header.Setand.Delare no longer flagged by querygo/untrusted-data-to-external-api.
No user-facing changes.
No user-facing changes.
- The query
go/incorrect-integer-conversionnow correctly recognizes guards of the formif val <= xto protect a conversionuintX(val)whenxis in the range(math.MaxIntX, math.MaxUintX].
- Added a new query,
go/unhandled-writable-file-close, to detect instances where writable file handles are closed without appropriate checks for errors.
- The precision of the
go/log-injectionquery was decreased fromhightomedium, since it may not be able to identify every way in which log data may be sanitized. This also aligns it with the precision of comparable queries for other languages.
No user-facing changes.
- Replacing "\r" or "\n" using the functions
strings.ReplaceAll,strings.Replace,strings.Replacer.Replaceandstrings.Replacer.WriteStringhas been added as a sanitizer for the queries "Log entries created from user input". - The functions
strings.Replacer.Replaceandstrings.Replacer.WriteStringhave been added as sanitizers for the query "Potentially unsafe quoting".
- The
AlertSuppression.qlquery has been updated to support the new// codeql[query-id]supression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition the legacy// lgtmand// lgtm[query-id]comments can now also be placed on the line before an alert.
No user-facing changes.
No user-facing changes.
No user-facing changes.
- Query
go/clear-text-loggingnow excludesGetXmethods of protobufMessagestructs, except where taint is specifically known to belong to the right field. This is to avoid FPs where taint is written to one field and then spuriously read from another.
- The alert messages of many queries were changed to better follow the style guide and make the messages consistent with other languages.
No user-facing changes.
- Added the
security-severitytag and CWE tag to thego/insecure-hostkeycallbackquery.
- The alert message of many queries have been changed to make the message consistent with other languages.
- The query
go/path-injectionno longer considers user-controlled numeric or boolean-typed data as potentially dangerous.
- Added a new query,
go/unexpected-nil-value, to find calls toWrapfrompkg/errorswhere the error argument is always nil.
- Fixed sanitization by calls to
strings.Replaceandstrings.ReplaceAllin queriesgo/log-injectionandgo/unsafe-quoting.
- A new query Log entries created from user input (
go/log-injection) has been added. The query reports user-provided data reaching calls to logging methods.
- A new query "Log entries created from user input" (
go/log-injection) has been added. The query reports user-provided data reaching calls to logging methods.
- The query "Incorrect conversion between integer types" has been improved to
treat
math.MaxUintandmath.MaxIntas the values they would be on a 32-bit architecture. This should lead to fewer false positive results.