codeql icon indicating copy to clipboard operation
codeql copied to clipboard
verified publisher icon github

Treat zap custom encoders as sanitizers for log-injection checks

Open danielriddell21 opened this issue 1 month ago • 5 comments

Summary

Add an experimental CodeQL helper and query to treat custom zap encoders (types implementing go.uber.org/zap/zapcore.Encoder) as sanitizers for the purposes of log-injection detection. This reduces false positives where applications use a custom encoder to escape or sanitize log field values.

Notes for reviewers

  • This change is non-invasive: it adds an experimental suppression query rather than modifying built-in log-injection rules directly.

Risks

  • If a type implements zapcore.Encoder but does not actually sanitize input, this change could suppress a genuine finding. Use the whitelist to exclude such types.

danielriddell21 avatar Nov 25 '25 18:11 danielriddell21

This PR doesn't make much sense. I don't think the tests would pass.

There is already a query called go/log-injection. It is located at go/ql/src/Security/CWE-117/LogInjection.ql. All sanitizers for it are in go/ql/lib/semmle/go/security/LogInjectionCustomizations.qll. Tests for it are at go/ql/test/query-tests/Security/CWE-117/LogInjection.go. Note that we already include variations on strings.ReplaceAll(s, "\n", "X") as a sanitizer.

owen-mc avatar Nov 25 '25 19:11 owen-mc

This PR doesn't make much sense. I don't think the tests would pass.

There is already a query called go/log-injection. It is located at go/ql/src/Security/CWE-117/LogInjection.ql. All sanitizers for it are in go/ql/lib/semmle/go/security/LogInjectionCustomizations.qll. Tests for it are at go/ql/test/query-tests/Security/CWE-117/LogInjection.go. Note that we already include variations on strings.ReplaceAll(s, "\n", "X") as a sanitizer.

Hi @owen-mc thanks for looking. I am pretty new to codeql.

So I will try and move all the stuff into the correct place when its ready. Am I okay to tag you when It is ready for a review?

danielriddell21 avatar Nov 25 '25 20:11 danielriddell21

My aim is to allow using a zap encoder with a sanitise within as a valid way to suppress a CWE 117

danielriddell21 avatar Nov 25 '25 20:11 danielriddell21

Things are in the right place now, but the tests still don't make any sense. May I ask, are you using an LLM coding assistant? Yes, please tag me when you have got the tests passing locally on your machine, or you are stuck and need help with the CodeQL.

owen-mc avatar Nov 25 '25 22:11 owen-mc

Things are in the right place now, but the tests still don't make any sense. May I ask, are you using an LLM coding assistant? Yes, please tag me when you have got the tests passing locally on your machine, or you are stuck and need help with the CodeQL.

Not now, I used it originally so I could understand better what I would have to do, but actually it created a complete mess so I am starting again following your contribution guide

danielriddell21 avatar Nov 30 '25 14:11 danielriddell21