
False positive in go/log-injection #9016

Closed
Assignees
@antoineco

Description of the false positive

📄 Code snippet

CodeQL reports (via GitHub integration) that the following log write receives unsanitized user input:

switch eventType := sanitizeUserInput(event.Type); eventType {
// ...
default:
	h.logger.Warn("Content not supported: ", strconv.Quote(eventType)) // <-- false positive 'go/log-injection'
}

This is untrue.
The user input is explicitly sanitized at the beginning of the switch case (in fact, we fixed it earlier this year thanks to CodeQL! 🙌 ):

var newlineToSpace = strings.NewReplacer("\n", " ", "\r", " ")
// sanitizeUserInput removes unwanted characters from the given string.
// It also guarantees the safe logging of data that potentially originates from
// user input (CWE-117, https://cwe.mitre.org/data/definitions/117.html).
func sanitizeUserInput(s string) string {
	return newlineToSpace.Replace(s)
}
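The following Go program is an added illustration, not code from the issue or from the project it was filed against. It reproduces the sanitizer above and models `h.logger.Warn` as a constructed line-oriented writer that ends every record with a newline, then feeds it a constructed malicious event type that tries to forge a second log record. It also shows what `strconv.Quote` adds on top of the replacer: the replacer only handles CR and LF, while `strconv.Quote` escapes every control character, including terminal escape sequences.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"unicode"
)

// newlineToSpace mirrors the sanitizer from the issue: CR and LF become spaces.
var newlineToSpace = strings.NewReplacer("\n", " ", "\r", " ")

// sanitizeUserInput removes line terminators so an attacker cannot start a new
// log record from inside a logged value (CWE-117).
func sanitizeUserInput(s string) string {
	return newlineToSpace.Replace(s)
}

// forgedEventType is a constructed attacker-controlled value: the embedded LF
// is meant to terminate the real record and append a fake INFO line.
const forgedEventType = "text/plain\nINFO user admin logged in from 10.0.0.1"

// writeWarning is a stand-in for the h.logger.Warn call in the issue. It emits
// one record terminated by a single newline, like most line-oriented loggers,
// optionally passing the value through the sanitizer and/or strconv.Quote.
func writeWarning(eventType string, sanitize, quote bool) string {
	v := eventType
	if sanitize {
		v = sanitizeUserInput(v)
	}
	if quote {
		v = strconv.Quote(v)
	}
	var buf strings.Builder
	fmt.Fprintf(&buf, "WARN Content not supported: %s\n", v)
	return buf.String()
}

// countRecords returns how many records a line-oriented log reader would see
// in the output, i.e. the number of newline terminators.
func countRecords(logOutput string) int {
	return strings.Count(logOutput, "\n")
}

// containsControl reports whether s still carries any control character, which
// is what a terminal or a log viewer would act on (ESC for ANSI sequences,
// backspace, tab, and so on). The replacer above leaves these untouched.
func containsControl(s string) bool {
	for _, r := range s {
		if unicode.IsControl(r) {
			return true
		}
	}
	return false
}

func main() {
	for _, c := range []struct {
		name            string
		sanitize, quote bool
	}{
		{"raw", false, false},
		{"sanitizeUserInput only", true, false},
		{"strconv.Quote only", false, true},
		{"sanitizeUserInput + strconv.Quote", true, true},
	} {
		out := writeWarning(forgedEventType, c.sanitize, c.quote)
		fmt.Printf("%-35s records=%d %q\n", c.name, countRecords(out), out)
	}

	// Constructed value carrying an ANSI "clear screen" sequence: the replacer
	// does not touch it, strconv.Quote renders it as the visible text \x1b[2J.
	esc := "x\x1b[2Jy"
	fmt.Printf("replacer leaves control chars: %v\n", containsControl(sanitizeUserInput(esc)))
	fmt.Printf("strconv.Quote leaves control chars: %v\n", containsControl(strconv.Quote(esc)))
}
```

With the raw value the writer produces two records, so a log consumer would see a forged "INFO user admin logged in" entry. Either the replacer or `strconv.Quote` alone brings it back to one record, and the quoted form additionally makes any remaining control characters visible rather than executable by a terminal, which is the reason to keep both in the call.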
