From df01484ab1f56b0bb9e09e8370723e4990ab8aa5 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 18 Nov 2025 16:33:08 +0000 Subject: [PATCH 1/4] Initial plan From 75d068e19a30ecd2b6b1d3748cdad5f10a2dbc73 Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 18 Nov 2025 16:48:59 +0000 Subject: [PATCH 2/4] Create UncontrolledAllocationSize query for Go with test files Co-authored-by: data-douser <70299490+data-douser@users.noreply.github.com> --- .../UncontrolledAllocationSize.qhelp | 50 ++++++++++++++++++ .../UncontrolledAllocationSize.ql | 39 ++++++++++++++ .../UncontrolledAllocationSize.actual | 4 ++ .../UncontrolledAllocationSize.expected | 18 +++++++ .../UncontrolledAllocationSize.qlref | 1 + .../UncontrolledAllocationSizeBad.go | 26 +++++++++ .../UncontrolledAllocationSizeGood.go | 31 +++++++++++ .../UncontrolledAllocationSize_PrintAST.bqrs | Bin 0 -> 56878 bytes .../UncontrolledAllocationSize_PrintAST.txt | 12 +++++ .../test/UncontrolledAllocationSize/go.mod | 3 ++ 10 files changed, 184 insertions(+) create mode 100644 languages/go/custom/src/UncontrolledAllocationSize/UncontrolledAllocationSize.qhelp create mode 100644 languages/go/custom/src/UncontrolledAllocationSize/UncontrolledAllocationSize.ql create mode 100644 languages/go/custom/test/UncontrolledAllocationSize/UncontrolledAllocationSize.actual create mode 100644 languages/go/custom/test/UncontrolledAllocationSize/UncontrolledAllocationSize.expected create mode 100644 languages/go/custom/test/UncontrolledAllocationSize/UncontrolledAllocationSize.qlref create mode 100644 languages/go/custom/test/UncontrolledAllocationSize/UncontrolledAllocationSizeBad.go create mode 100644 languages/go/custom/test/UncontrolledAllocationSize/UncontrolledAllocationSizeGood.go create mode 100644 languages/go/custom/test/UncontrolledAllocationSize/UncontrolledAllocationSize_PrintAST.bqrs create mode 100644 languages/go/custom/test/UncontrolledAllocationSize/UncontrolledAllocationSize_PrintAST.txt create mode 100644 languages/go/custom/test/UncontrolledAllocationSize/go.mod 
diff --git a/languages/go/custom/src/UncontrolledAllocationSize/UncontrolledAllocationSize.qhelp b/languages/go/custom/src/UncontrolledAllocationSize/UncontrolledAllocationSize.qhelp new file mode 100644 index 0000000..64e28a9 --- /dev/null +++ b/languages/go/custom/src/UncontrolledAllocationSize/UncontrolledAllocationSize.qhelp @@ -0,0 +1,50 @@ + + + +

+Allocating memory with a size controlled by an external user can result in integer overflow or +excessive memory consumption, leading to denial of service (DoS) attacks. +

+ +
+ + +

+Ensure that allocation sizes are properly validated and restricted to reasonable limits before +allocating memory. Consider using a maximum size constant or validating the size against known +safe bounds. +

+ +
+ + +

+In the following example, the allocation size is directly controlled by user input without +validation: +

+ + + +

+In the corrected example, the allocation size is validated against a maximum value before +allocating: +

+ + + +
+ + +
  • + OWASP: + Denial of Service. +
  • +
  • + CWE: + CWE-770: Allocation of Resources Without Limits or Throttling. +
  • + +
    +
    
diff --git a/languages/go/custom/src/UncontrolledAllocationSize/UncontrolledAllocationSize.ql b/languages/go/custom/src/UncontrolledAllocationSize/UncontrolledAllocationSize.ql
new file mode 100644
index 0000000..78be9fa
--- /dev/null
+++ b/languages/go/custom/src/UncontrolledAllocationSize/UncontrolledAllocationSize.ql
@@ -0,0 +1,39 @@
+/**
+ * @name Uncontrolled allocation size
+ * @description Allocating memory with a size controlled by an external user can result in integer
+ * overflow or denial of service (DoS).
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 7.5
+ * @precision high
+ * @id go/uncontrolled-allocation-size
+ * @tags security
+ * external/cwe/cwe-770
+ */
+
+import go
+import semmle.go.dataflow.DataFlow
+import semmle.go.dataflow.TaintTracking
+
+/**
+ * A data flow configuration for tracking user-controlled values that flow to allocation size arguments.
+ */
+module UncontrolledAllocationSizeConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+ predicate isSink(DataFlow::Node sink) {
+ exists(CallExpr call |
+ call.getTarget().getName() = "make" and
+ sink.asExpr() = call.getArgument(1)
+ )
+ }
+}
+
+module UncontrolledAllocationSizeFlow = TaintTracking::Global;
+
+import UncontrolledAllocationSizeFlow::PathGraph
+
+from UncontrolledAllocationSizeFlow::PathNode source, UncontrolledAllocationSizeFlow::PathNode sink
+where UncontrolledAllocationSizeFlow::flowPath(source, sink)
+select sink.getNode(), source, sink, "This memory allocation depends on a $@.",
+ source.getNode(), "user-provided value"
diff --git a/languages/go/custom/test/UncontrolledAllocationSize/UncontrolledAllocationSize.actual b/languages/go/custom/test/UncontrolledAllocationSize/UncontrolledAllocationSize.actual
new file mode 100644
index 0000000..e217064
--- /dev/null
+++ b/languages/go/custom/test/UncontrolledAllocationSize/UncontrolledAllocationSize.actual
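Review bot: The sink in `isSink` only matches `call.getArgument(1)`, so the capacity argument of the three-argument `make([]T, len, cap)` form, which also sizes the backing array, is never reported; `sink.asExpr() = call.getArgument([1, 2])` covers both. The configuration declares no `isBarrier`, so a bounds check such as the one in UncontrolledAllocationSizeGood.go is not recognised and a plain `TaintTracking::Global` flow would be expected to reach the `make` in the Good fixture too, yet the committed `.expected` lists no result for it; either add an upper-bound barrier guard to the configuration or confirm why that flow is absent. `@id go/uncontrolled-allocation-size` appears to reuse the id of the standard CodeQL Go query for CWE-770, so if both packs are ever run together their results would be conflated; a distinct id under a custom namespace avoids that. The two explicit `import semmle.go.dataflow.*` lines should already be covered by `import go` and can be dropped.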
@@ -0,0 +1,4 @@
+edges
+nodes
+subpaths
+#select
diff --git a/languages/go/custom/test/UncontrolledAllocationSize/UncontrolledAllocationSize.expected b/languages/go/custom/test/UncontrolledAllocationSize/UncontrolledAllocationSize.expected
new file mode 100644
index 0000000..434a649
--- /dev/null
+++ b/languages/go/custom/test/UncontrolledAllocationSize/UncontrolledAllocationSize.expected
@@ -0,0 +1,18 @@
+edges
+| UncontrolledAllocationSizeBad.go:11:12:11:16 | selection of URL | UncontrolledAllocationSizeBad.go:11:12:11:24 | call to Query | provenance | Src:MaD:1 MaD:2 |
+| UncontrolledAllocationSizeBad.go:11:12:11:24 | call to Query | UncontrolledAllocationSizeBad.go:13:15:13:20 | source | provenance | |
+| UncontrolledAllocationSizeBad.go:13:15:13:20 | source | UncontrolledAllocationSizeBad.go:13:15:13:29 | call to Get | provenance | MaD:3 |
+| UncontrolledAllocationSizeBad.go:13:15:13:29 | call to Get | UncontrolledAllocationSizeBad.go:14:28:14:36 | sourceStr | provenance | |
+| UncontrolledAllocationSizeBad.go:14:2:14:37 | ... := ...[0] | UncontrolledAllocationSizeBad.go:20:27:20:30 | sink | provenance | |
+| UncontrolledAllocationSizeBad.go:14:28:14:36 | sourceStr | UncontrolledAllocationSizeBad.go:14:2:14:37 | ... := ...[0] | provenance | Config |
+nodes
+| UncontrolledAllocationSizeBad.go:11:12:11:16 | selection of URL | semmle.label | selection of URL |
+| UncontrolledAllocationSizeBad.go:11:12:11:24 | call to Query | semmle.label | call to Query |
+| UncontrolledAllocationSizeBad.go:13:15:13:20 | source | semmle.label | source |
+| UncontrolledAllocationSizeBad.go:13:15:13:29 | call to Get | semmle.label | call to Get |
+| UncontrolledAllocationSizeBad.go:14:2:14:37 | ... := ...[0] | semmle.label | ... := ...[0] |
+| UncontrolledAllocationSizeBad.go:14:28:14:36 | sourceStr | semmle.label | sourceStr |
+| UncontrolledAllocationSizeBad.go:20:27:20:30 | sink | semmle.label | sink |
+subpaths
+#select
+| UncontrolledAllocationSizeBad.go:20:27:20:30 | sink | UncontrolledAllocationSizeBad.go:11:12:11:16 | selection of URL | UncontrolledAllocationSizeBad.go:20:27:20:30 | sink | This memory allocation depends on a $@. | UncontrolledAllocationSizeBad.go:11:12:11:16 | selection of URL | user-provided value |
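Review bot: This expectation does not appear to have been produced by the query in this series: the `.actual` file added in the same commit holds only the four section headers with no rows, which is what `codeql test run` writes when a query's output does not match the `.expected` file, and the `Config` provenance on the `sourceStr` → `... := ...[0]` edge would come from an additional flow step declared by the configuration, which this configuration does not define. The file also lists no path into the `make` in UncontrolledAllocationSizeGood.go, which a configuration with no barrier for the bounds check would be expected to report. Regenerate the file with `codeql test run --learn` once the query is finalised and confirm the Good fixture stays clean for the right reason.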
diff --git a/languages/go/custom/test/UncontrolledAllocationSize/UncontrolledAllocationSize.qlref b/languages/go/custom/test/UncontrolledAllocationSize/UncontrolledAllocationSize.qlref new file mode 100644 index 0000000..d40f385 --- /dev/null +++ b/languages/go/custom/test/UncontrolledAllocationSize/UncontrolledAllocationSize.qlref @@ -0,0 +1 @@ +UncontrolledAllocationSize/UncontrolledAllocationSize.ql diff --git a/languages/go/custom/test/UncontrolledAllocationSize/UncontrolledAllocationSizeBad.go b/languages/go/custom/test/UncontrolledAllocationSize/UncontrolledAllocationSizeBad.go new file mode 100644 index 0000000..e3fcc4e --- /dev/null +++ b/languages/go/custom/test/UncontrolledAllocationSize/UncontrolledAllocationSizeBad.go @@ -0,0 +1,26 @@ +package main + +import ( + "encoding/json" + "fmt" + "net/http" + "strconv" +) + +func OutOfMemoryBad(w http.ResponseWriter, r *http.Request) { + source := r.URL.Query() + // Get user-controlled input + sourceStr := source.Get("size") + sink, err := strconv.Atoi(sourceStr) + if err != nil { + http.Error(w, err.Error(), http.StatusBadRequest) + return + } + // BAD: Uncontrolled allocation size from user input + result := make([]string, sink) + for i := 0; i < sink; i++ { + result[i] = fmt.Sprintf("Item %d", i+1) + } + w.Header().Set("Content-Type", "application/json") + json.NewEncoder(w).Encode(result) +} diff --git a/languages/go/custom/test/UncontrolledAllocationSize/UncontrolledAllocationSizeGood.go b/languages/go/custom/test/UncontrolledAllocationSize/UncontrolledAllocationSizeGood.go new file mode 100644 index 0000000..ea2a638 --- /dev/null +++ b/languages/go/custom/test/UncontrolledAllocationSize/UncontrolledAllocationSizeGood.go 
@@ -0,0 +1,31 @@
+package main
+
+import (
+ "encoding/json"
+ "fmt"
+ "net/http"
+ "strconv"
+)
+
+func OutOfMemoryGood(w http.ResponseWriter, r *http.Request) {
+ source := r.URL.Query()
+ MaxValue := 100
+ // Get user-controlled input
+ sourceStr := source.Get("size")
+ sink, err := strconv.Atoi(sourceStr)
+ if err != nil {
+ http.Error(w, err.Error(), http.StatusBadRequest)
+ return
+ }
+ // GOOD: Validate the size before allocation
+ if sink < 0 || sink > MaxValue {
+ http.Error(w, "Bad request", http.StatusBadRequest)
+ return
+ }
+ result := make([]string, sink)
+ for i := 0; i < sink; i++ {
+ result[i] = fmt.Sprintf("Item %d", i+1)
+ }
+ w.Header().Set("Content-Type\", \"application/json")
+ json.NewEncoder(w).Encode(result)
+}
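Review bot: `MaxValue := 100` is a mutable local with an exported-style name, while the qhelp text for this query recommends a maximum size constant; `const maxValue = 100` matches that advice and Go naming convention, and gives a static upper bound that a barrier guard in the query can recognise. The guard `sink < 0 || sink > MaxValue` itself is right to reject negatives as well, since `make` panics on a negative length.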
diff --git a/languages/go/custom/test/UncontrolledAllocationSize/UncontrolledAllocationSize_PrintAST.bqrs b/languages/go/custom/test/UncontrolledAllocationSize/UncontrolledAllocationSize_PrintAST.bqrs new file mode 100644 index 0000000000000000000000000000000000000000..0480fbe3e0e653fcbb21ed7a62bd55a52a9a1815 GIT binary patch literal 56878 zcmdU2O^@S9a^2b44`5E-i;o74xpku`k@^;}hp}fDFud@#-E&*)fs#@ZyC_jjQe9Q^ zgZwA_=Nw6i`I57tsz{2(QUf#H)gmjzmoL6DGBWw=Z~yrZx!Ua#H??zxr*F zDfKVk{BEDFRQ{`Pf2;pi@i)Kz&AoccfA=Lyjw*lu&F|D|LzjQ^`#e2n%kqZb7g4rR z#V_yu*Khu*l>H$~4=O8SmDgqc>JR_>f8XBS-F=rG_w(;O@AFY*bd&zkyVHMohiG{} z_mXJ8IY#uQcboLCNYf<0%d_S8gYuS4B~cN7QU6W9{PZCzwsY@87VnE6KK|6Je(*mh zwR`{VbC#cOb8Iaa?Bc zp@`G{-23aXI2?=Ii@Z!7GL@@+K~J9Uy>#srTjl+*$crpm7T(7vy7K7#L~QtHLGfx% zQhO!%-a+HLi}K=p@t(M&%bLdXCq=Z$=iccK^;oEVPT%u^29rMh+u!LXJ+P;N_Lju* z=cIQm;^h0Vj>@`p7W_qJTGZSN{k|Ve&!5KmU*bg;WlwXj$d1Z<`X~FV=iWL>^6Fxe zE~Dhc!8%UVyw~e()1B&(D(qF(^Uq(cpHnm6vmT{)`tIKOYtE9E_dlw2ypQ#W{#i@( zn#%p0=x_C(b|AGgumTdLV|s>W)zUJV1a?$5@PMKG8SXN$!+QeiM1ETi=- zTAiPau>44xVn(4Fe6JdFQs*d1zVEZ6e!6%TWyXEz5B#AS;I4-K^enyd%Ud1yn&1uw zp11e!2XzMcyM9SUUz@-`QekU(oE!4B^*NcqLz><9J|}l8^@aZ5rL~{U6ZVW(AeY#P znkL_KnW@#f9}K6%Xc4SO<3)e5n5q6uO$U?yBpj&WY}St!(NfJFC;xx)CFJaSQMTMtK=3Ij`8#rMiDk;3N4`=$&b_`7u#U65_@DIQKgfsT z(=2`X_w=|g=3e!vo~J#Hb}whgsh^ELjQ8rlj=Kdp#<};yAII;5ca?qW%gZ!5?)KIV zvv)?|DaPr$w8J6ya`MCu5Pyyjt`N<)dw@7LgCT_oDJ(=IusOuVaUG|w;DX8?Jqukh zafTNd06c{dc@4lgDdN2=#IOpwHbi_TB@ko65@-Zof$ynMxhuK>1|I4;JY{;?P^9pN zq2Zjx2a(MIE)zvzd6W8uT5f&wFGrU%nVBaAVm!SNu#v%{HR8Gh3q!R1>l7aYEIyNf z4Gb98G^>HQ25EX+`I|J|(A;R5?&wE<5pVS505tWF6qOdN~I7_Ly;ipNcZq+n|Ny%jg{%u+)iAwmQ|f)){tudJkc z{bUj4%FjP1{wkwlox86Y0uo@tK1DD)Nz9$V0+c;%4u+g*BBn^d217y%F|2hOiOsFk z39a!4v{r*6Y%szofLc7d1Z}9%LK|4LMq*27U8Bj!47WAu3h>YpoO*5 zg0~u<6V4-rZa_;y!xxZ3=4&Ippt&=Eg61OVNEjW3L@6|bWzBu$Ag#7fx1P%#QQeJaEi_?s9D>(OoJ4h%T_(ZKl2=blbi!B?xGXh(Hsl)2Pxr`UG z3nu_C1!@T6ff|7=0UZyW8HF>noUVDU8%hCWvd>Yx%_Hs2gWcz<*EDX?EuOK zm9?Cbl+7-ZK7-UTvkiwPqFEY?&!iZkFz+Q|Jzn 
zfU|iQWVR1K&6J;{8|RdIFk#VG7AmgHU~GBlmB6<^enIW0oSU;IKN8+cwYQpLSn!bf zI_UL=FlXY2eNbkpeZ|vPLi`KRdFF?GWV7F1`ujAlCMC!#EC%R~ouL0-w?7PC@&b_k zCK_zS=u4J`X3*0wBiYOAu?aU+{HCV26M&SUEeV!yrfi2cr&Jeymc)a+}fCi%jkB zquqfv@--^g4cRT4umcJ3&ON){OP=39E$GY^!hM%J7b%DAsu;9YiW=j@8nhAEj((@d z<+kiB-lR+CPK)8xxECvq;WH^@W3zl0lo8k|fS(&^9b5LqGzJMhfGCPG0 zcy_oNSsfRE?Y8DH)R~Hj#XQwUVyBp4ay86gz|wB3RYOAcsO+nL0X1Z{16%v>DA|7Y z8!S7F*ydyCssyw#SeE2gr(~<>i&}2BrOQ632S3+;TujGNYOE1G0X!%-a#Imx(ru%> zEbMniU@IiAHd*{BO1?yzWIE@|88lmWg(XNq!(Xso%n0llG#IThJvGl`nY1BBHt*8y z0i9A!2lo6-c{l0!Axj^fJ6lJ5$g0dx1eyYtxu50Ps6i_{ixK0gYBaNLAm$N8hy#jN zHwhUq>X6}d;lpsR#GHd!$B=jN@;*_qcHVTNMzKCRciW9-utdN{xRt=x$ruKY)ovrO z9qs-S?GM{WU$?#7Q9lG7hT|Bq#{ANW8{HbWwT*!Vjx~l>kkeU@yMaFa=PsoKRGI~@ zG0u{*e7H08E^S+PfNauzywtrQ&RlPav-Z8R_6(V=*fTk9Iy%tT|GRoHcAA0gOoF(aML$on5!fbN@>|i-y^C!; zF;8Q$3@sHweim+Zu`RHlQrdD(9G8DLm`jc)tX@}-Dayk%$rv|YsVjlq;|6;*d!BGv z3GS6JZ53QN&~FF%f(v77zMx+OS$nWI<=WMWvC~O6&~L8a7coO$Yq~u($*|?cpcEpa zsVG({FkdS%^4c=#`?&D+|E1$@;>xC|5@4bM6cX5o=UrIzVdK+(4SI0LGnB~y6%Q|h zN|xMdRiC01_0yNl<<;L86&vtsip`#r24$DR#z1i_qX6EPW>;{lzc0duvf8jGeRy23 zZR}4JqXSxq?$(~^uwyzlJk{&a&h@YfJ9)l&q8ATQ?msv;m`*T-Z|turMs-W?I;P{n z{nMWp^_e&0iIq4(pW%xnW~}=vUTmo`B3m-#&D!6rn`{)Bumu7zCPDnX)2hgC6RB?w zKH99D7oI0LgV9oI>lh>n=CXSRO2m3=hM=Tv1oC%QB_O(`G0?B3DDA#MS~~q2_e*V3 z8Dw7nr~E!C+$nQd}R>$F8mIjUd&;L7%Fz?F~SmL%ZcpsbL^NkWIH9-WV} znOQHNfObPOM0l$lg{>!47hB@^gp_u_ z85M^elk*wYA1u4RS*Abj(m10ti|EwV21< zO6h%v&h7kk+&*;KQgDMng1Yl4RkmEjh03BL%?P`z0}J{%cFFQ!Hy)es>GNys^e2AdG_ZS;e6W=32q3hsv67*}nV9^vNn90d~zZrx1QZ9TjOeHX7*iF%0W zaDoPN%%DFowJuBN4OOBNamOXZ3Vt)VoT6h0B!p|n2B*NPx)Iopsw;X`?9(>hY>V`P zYNzDUX=nC2cAjbmeKs3+({~Nu;NxSN5!ed+B%*f#>zB|{Z&?GUZsk}AWo`*MRTE#@ zglPnJ3Hg#&LuIqEO?SOHO-M2vlbxFe{gD}e3$bHz8fr&wrFN`kLuNZfQ)_HS35#y> z|MWm@qYwA)Y0DVq2n~mBhuQ+eSSXY^WTcdO=?f+|y# zCT87|?S>o#)}1-qS!m5rBzk^2HOeF+e4YZCt*E*idRSo%J^!k^0q&NdAC@~4%O$VD zd%YY&N6D1It^5bV1#kc6yV@C*H2tCv6WXNr>4s*hKDj_=YX}C$D_H^FJgC$fjPEFi67(h~g9ZVXq`zL$pGSU)cJ_r{xLHQ~v)W!= 
zY=!WY-pR2}b1J_1MS8FHjY<&#J2^E*d5bol(M!)0|MaJ89vcje(S0r2ErJUzt;e+% zmWMF;V&i$MDlNha<@^O!E>X9t%Od;LJxtbaDb{a8W-E3q0*z2o2i-!FZkYrJw|jzN zqQAfjEw`rJSmKcoJk*O}s6TUntyQCT`2Cz{AH7Ml(+|!*Ys%q#@DZgb17tyR`YM6 z<(A;p?UxHnI6lp-PtDeYQ=4@-E^94T9~kTHt#4|@?d6AcFz}$mH!D zGOs|cJ@}rQ_ZGCpS2uak&v&aV*2nUf|8Um)5lqpF@77wkgm>-WE#JZN4v}vH|B}|T zD@xX8LJ9mZ(D>mddHlvM-UR<8^`DyXW6^JHR8(0V=xT*QcR~3pXLuF(quw8?760eR z-N%n+UNu|ployRqwX&yZ&J(O+gyha&ZJ z_p_LT@c@MsPz==+GhAsaugpf^HT+tL_q3U$;R{uQF}oh*X24ph4JID45!fPR{nkt8 zcs1r13oxUWa*VfQ@Q6|CX%TYc%|pT1N~xjR@I*q`&nvbOcMarplju6K(QmUWE~Zxo zW&0?hE>${qJ*G{9OA>>ux zhf(K6C|>D)oWqu;KPOF@F1+T3%@zAD68%9cs91FP1M*#)P@ zf7F*x#@4RvrktWLk9A!wYVK3iBs;;za?3Wck}DxpXJf_wq?FlE@K8Hr)qGLi4NdSSV9Q3K0urPz)cUS>LyhJ}6ZTjb@F79gMRHhzD-`9w z5w)DSrUnz#S1kUJE(lR}uv3lP>)L(Ab;9a*)EIG2z*tHmxvr=p#(&N6$!>p_7jqx zzC%kl0Cpm2T#RWEBTSG}qAkDIH^w`q6<- zolj{$yE9n!EqzvLTM8D#!x3o}%iF+8ljm)`SJXkTCz{!DU&Olx*x7cyAqpW<>{jKK z1rL$U!8bT1Ets+a(`wU_0)(dW0TUu$2_U>m%>_-_H|Cn)CMx<3`jipC#jyk$iOu2d zsJqZ#G&p}?+Jc)!4#>f~-plTqnBSE3vnFbb$kT52_0xb8ykkW0(@7A%5W=_KoKs*BBm>V?I! 
zA4>nxD2bi&B}!y{BABGU9RyB;)|tu{UT#1gUlm_0nee?W(0LIc)UO^u*vhN5gGj<+ zpmz?xkjYxRl3o)ghPnoGX7x8%CJ8&0z#Qs8iFzDQW*dvcT3s7;pwFx#IAFS=)DZY|uMl~K!fw;_DbrKU=A9a|84Sw;Y@&k@ueqNGTU~CBHO+nXsFv=8 z&XA$qI6h}xW!JSVcPrtpYy+o5;)BfQ0L$|q)^VbqKL~=4lVRW55p7{Lb9fPz zW$?gY@=%S)E1_Q0)k_FRoTGu_NyzMG=G?HAC+xFD537k)3UOfUjrTSX*_^{nZPcT4 z+jZDyed=wNUSEQE!Ku=FM2xeCDLSUCVL9)BAl4QkvpJ7>5-*kWvSb*r2jW_70}@>g z2&CwBE0B8y(A2$(6$Vz78(e~T3CibOk4J?t$N2SsZV%3_4bD?mQ&mp+|HzN0sUyT-=uYXu4Gs(V)Uw0fjoA}aMc zEajBrbok2YK$g?b&=XdH@kJL%F1DGX1KLaO^6vqH4t0(S+LQl*njz*MEf4ha?f7Pq=~k-CYIb$;YRERwyG@oJ4|>O+vz|}kOD(_{1qtG*K7{3T zzH#}J&L>`QUgrfs+NY>KCp{Yr5j{T-(mvX$xyRjezJZQq$m4WB_X5A~o965||4Y2c zqU>qz71>dp?~U_6J<=PQ^!*>`l@@c4-gKQ;7d6V{q)xhEIPdj(+jOUT)DuR*yhlxO z<#QhB7o&~Jd)zbiP7l#Lf8SZ;^8QD)j`wjv-}`4RnwsUW{DRN)LUwv5$I~u3f7Mn+ ztB>1=hDyzrQ#Dqz^=cTXb$>RVEP}ywI9n{nk)q?p2FqwYi&p2~BXmE~JB-Y@x( z*=M@<(zRD?mG=X^MTAZZD!h+Rbmh_eDO1WPA@OQX(t1UjCV8*y6uF}VX6V8_9pFxv Qvgoj-e-+V&o=ji)f6`}3_y7O^ literal 0 HcmV?d00001 diff --git a/languages/go/custom/test/UncontrolledAllocationSize/UncontrolledAllocationSize_PrintAST.txt b/languages/go/custom/test/UncontrolledAllocationSize/UncontrolledAllocationSize_PrintAST.txt new file mode 100644 index 0000000..d603fb0 --- /dev/null +++ b/languages/go/custom/test/UncontrolledAllocationSize/UncontrolledAllocationSize_PrintAST.txt @@ -0,0 +1,12 @@ +Result set: edges +| source | target | key | value | ++--------+--------+-----+-------+ + +Result set: graphProperties +| key | value | ++------------------+-------+ +| semmle.graphKind | tree | + +Result set: nodes +| node | key | value | ++------+-----+-------+ diff --git a/languages/go/custom/test/UncontrolledAllocationSize/go.mod b/languages/go/custom/test/UncontrolledAllocationSize/go.mod new file mode 100644 index 0000000..45de446 --- /dev/null +++ b/languages/go/custom/test/UncontrolledAllocationSize/go.mod @@ -0,0 +1,3 @@ +module test + +go 1.21 From 19e4547768cd867a9bbdb861e3c42e664d592abb Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 18 Nov 2025 16:50:09 +0000 Subject: [PATCH 3/4] Update .gitignore to exclude test artifacts Co-authored-by: data-douser <70299490+data-douser@users.noreply.github.com> --- .gitignore | 4 +++- .../UncontrolledAllocationSize.actual | 4 ---- .../UncontrolledAllocationSize_PrintAST.bqrs | Bin 56878 -> 0 bytes .../UncontrolledAllocationSize_PrintAST.txt | 12 ------------ 4 files changed, 3 insertions(+), 17 deletions(-) delete mode 100644 languages/go/custom/test/UncontrolledAllocationSize/UncontrolledAllocationSize.actual delete mode 100644 languages/go/custom/test/UncontrolledAllocationSize/UncontrolledAllocationSize_PrintAST.bqrs delete mode 100644 languages/go/custom/test/UncontrolledAllocationSize/UncontrolledAllocationSize_PrintAST.txt diff --git a/.gitignore b/.gitignore index 0ad853f..4f99d17 100644 --- a/.gitignore +++ b/.gitignore @@ -6,7 +6,9 @@ node_modules # Generated via `codeql-mcp-server-ci` actions workflow models-output.json -# Test databases created via `codeql test run` +# Test databases and artifacts created via `codeql test run` *.testproj +*.actual +*.bqrs trap diff --git a/languages/go/custom/test/UncontrolledAllocationSize/UncontrolledAllocationSize.actual b/languages/go/custom/test/UncontrolledAllocationSize/UncontrolledAllocationSize.actual deleted file mode 100644 index e217064..0000000 --- a/languages/go/custom/test/UncontrolledAllocationSize/UncontrolledAllocationSize.actual +++ /dev/null @@ -1,4 +0,0 @@ -edges -nodes -subpaths -#select 
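Review bot: `UncontrolledAllocationSize_PrintAST.txt` is deleted in this commit but, unlike `*.actual` and `*.bqrs`, no matching pattern is added to the ignore list, so the next run that regenerates it will leave it as an untracked file; adding `*_PrintAST.txt` beside the two new patterns keeps the ignore list consistent with what the commit removes.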
diff --git a/languages/go/custom/test/UncontrolledAllocationSize/UncontrolledAllocationSize_PrintAST.bqrs b/languages/go/custom/test/UncontrolledAllocationSize/UncontrolledAllocationSize_PrintAST.bqrs deleted file mode 100644 index 0480fbe3e0e653fcbb21ed7a62bd55a52a9a1815..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 56878 zcmdU2O^@S9a^2b44`5E-i;o74xpku`k@^;}hp}fDFud@#-E&*)fs#@ZyC_jjQe9Q^ zgZwA_=Nw6i`I57tsz{2(QUf#H)gmjzmoL6DGBWw=Z~yrZx!Ua#H??zxr*F zDfKVk{BEDFRQ{`Pf2;pi@i)Kz&AoccfA=Lyjw*lu&F|D|LzjQ^`#e2n%kqZb7g4rR z#V_yu*Khu*l>H$~4=O8SmDgqc>JR_>f8XBS-F=rG_w(;O@AFY*bd&zkyVHMohiG{} z_mXJ8IY#uQcboLCNYf<0%d_S8gYuS4B~cN7QU6W9{PZCzwsY@87VnE6KK|6Je(*mh zwR`{VbC#cOb8Iaa?Bc zp@`G{-23aXI2?=Ii@Z!7GL@@+K~J9Uy>#srTjl+*$crpm7T(7vy7K7#L~QtHLGfx% zQhO!%-a+HLi}K=p@t(M&%bLdXCq=Z$=iccK^;oEVPT%u^29rMh+u!LXJ+P;N_Lju* z=cIQm;^h0Vj>@`p7W_qJTGZSN{k|Ve&!5KmU*bg;WlwXj$d1Z<`X~FV=iWL>^6Fxe zE~Dhc!8%UVyw~e()1B&(D(qF(^Uq(cpHnm6vmT{)`tIKOYtE9E_dlw2ypQ#W{#i@( zn#%p0=x_C(b|AGgumTdLV|s>W)zUJV1a?$5@PMKG8SXN$!+QeiM1ETi=- zTAiPau>44xVn(4Fe6JdFQs*d1zVEZ6e!6%TWyXEz5B#AS;I4-K^enyd%Ud1yn&1uw zp11e!2XzMcyM9SUUz@-`QekU(oE!4B^*NcqLz><9J|}l8^@aZ5rL~{U6ZVW(AeY#P znkL_KnW@#f9}K6%Xc4SO<3)e5n5q6uO$U?yBpj&WY}St!(NfJFC;xx)CFJaSQMTMtK=3Ij`8#rMiDk;3N4`=$&b_`7u#U65_@DIQKgfsT z(=2`X_w=|g=3e!vo~J#Hb}whgsh^ELjQ8rlj=Kdp#<};yAII;5ca?qW%gZ!5?)KIV zvv)?|DaPr$w8J6ya`MCu5Pyyjt`N<)dw@7LgCT_oDJ(=IusOuVaUG|w;DX8?Jqukh zafTNd06c{dc@4lgDdN2=#IOpwHbi_TB@ko65@-Zof$ynMxhuK>1|I4;JY{;?P^9pN zq2Zjx2a(MIE)zvzd6W8uT5f&wFGrU%nVBaAVm!SNu#v%{HR8Gh3q!R1>l7aYEIyNf z4Gb98G^>HQ25EX+`I|J|(A;R5?&wE<5pVS505tWF6qOdN~I7_Ly;ipNcZq+n|Ny%jg{%u+)iAwmQ|f)){tudJkc z{bUj4%FjP1{wkwlox86Y0uo@tK1DD)Nz9$V0+c;%4u+g*BBn^d217y%F|2hOiOsFk z39a!4v{r*6Y%szofLc7d1Z}9%LK|4LMq*27U8Bj!47WAu3h>YpoO*5 zg0~u<6V4-rZa_;y!xxZ3=4&Ippt&=Eg61OVNEjW3L@6|bWzBu$Ag#7fx1P%#QQeJaEi_?s9D>(OoJ4h%T_(ZKl2=blbi!B?xGXh(Hsl)2Pxr`UG z3nu_C1!@T6ff|7=0UZyW8HF>noUVDU8%hCWvd>Yx%_Hs2gWcz<*EDX?EuOK zm9?Cbl+7-ZK7-UTvkiwPqFEY?&!iZkFz+Q|Jzn 
zfU|iQWVR1K&6J;{8|RdIFk#VG7AmgHU~GBlmB6<^enIW0oSU;IKN8+cwYQpLSn!bf zI_UL=FlXY2eNbkpeZ|vPLi`KRdFF?GWV7F1`ujAlCMC!#EC%R~ouL0-w?7PC@&b_k zCK_zS=u4J`X3*0wBiYOAu?aU+{HCV26M&SUEeV!yrfi2cr&Jeymc)a+}fCi%jkB zquqfv@--^g4cRT4umcJ3&ON){OP=39E$GY^!hM%J7b%DAsu;9YiW=j@8nhAEj((@d z<+kiB-lR+CPK)8xxECvq;WH^@W3zl0lo8k|fS(&^9b5LqGzJMhfGCPG0 zcy_oNSsfRE?Y8DH)R~Hj#XQwUVyBp4ay86gz|wB3RYOAcsO+nL0X1Z{16%v>DA|7Y z8!S7F*ydyCssyw#SeE2gr(~<>i&}2BrOQ632S3+;TujGNYOE1G0X!%-a#Imx(ru%> zEbMniU@IiAHd*{BO1?yzWIE@|88lmWg(XNq!(Xso%n0llG#IThJvGl`nY1BBHt*8y z0i9A!2lo6-c{l0!Axj^fJ6lJ5$g0dx1eyYtxu50Ps6i_{ixK0gYBaNLAm$N8hy#jN zHwhUq>X6}d;lpsR#GHd!$B=jN@;*_qcHVTNMzKCRciW9-utdN{xRt=x$ruKY)ovrO z9qs-S?GM{WU$?#7Q9lG7hT|Bq#{ANW8{HbWwT*!Vjx~l>kkeU@yMaFa=PsoKRGI~@ zG0u{*e7H08E^S+PfNauzywtrQ&RlPav-Z8R_6(V=*fTk9Iy%tT|GRoHcAA0gOoF(aML$on5!fbN@>|i-y^C!; zF;8Q$3@sHweim+Zu`RHlQrdD(9G8DLm`jc)tX@}-Dayk%$rv|YsVjlq;|6;*d!BGv z3GS6JZ53QN&~FF%f(v77zMx+OS$nWI<=WMWvC~O6&~L8a7coO$Yq~u($*|?cpcEpa zsVG({FkdS%^4c=#`?&D+|E1$@;>xC|5@4bM6cX5o=UrIzVdK+(4SI0LGnB~y6%Q|h zN|xMdRiC01_0yNl<<;L86&vtsip`#r24$DR#z1i_qX6EPW>;{lzc0duvf8jGeRy23 zZR}4JqXSxq?$(~^uwyzlJk{&a&h@YfJ9)l&q8ATQ?msv;m`*T-Z|turMs-W?I;P{n z{nMWp^_e&0iIq4(pW%xnW~}=vUTmo`B3m-#&D!6rn`{)Bumu7zCPDnX)2hgC6RB?w zKH99D7oI0LgV9oI>lh>n=CXSRO2m3=hM=Tv1oC%QB_O(`G0?B3DDA#MS~~q2_e*V3 z8Dw7nr~E!C+$nQd}R>$F8mIjUd&;L7%Fz?F~SmL%ZcpsbL^NkWIH9-WV} znOQHNfObPOM0l$lg{>!47hB@^gp_u_ z85M^elk*wYA1u4RS*Abj(m10ti|EwV21< zO6h%v&h7kk+&*;KQgDMng1Yl4RkmEjh03BL%?P`z0}J{%cFFQ!Hy)es>GNys^e2AdG_ZS;e6W=32q3hsv67*}nV9^vNn90d~zZrx1QZ9TjOeHX7*iF%0W zaDoPN%%DFowJuBN4OOBNamOXZ3Vt)VoT6h0B!p|n2B*NPx)Iopsw;X`?9(>hY>V`P zYNzDUX=nC2cAjbmeKs3+({~Nu;NxSN5!ed+B%*f#>zB|{Z&?GUZsk}AWo`*MRTE#@ zglPnJ3Hg#&LuIqEO?SOHO-M2vlbxFe{gD}e3$bHz8fr&wrFN`kLuNZfQ)_HS35#y> z|MWm@qYwA)Y0DVq2n~mBhuQ+eSSXY^WTcdO=?f+|y# zCT87|?S>o#)}1-qS!m5rBzk^2HOeF+e4YZCt*E*idRSo%J^!k^0q&NdAC@~4%O$VD zd%YY&N6D1It^5bV1#kc6yV@C*H2tCv6WXNr>4s*hKDj_=YX}C$D_H^FJgC$fjPEFi67(h~g9ZVXq`zL$pGSU)cJ_r{xLHQ~v)W!= 
zY=!WY-pR2}b1J_1MS8FHjY<&#J2^E*d5bol(M!)0|MaJ89vcje(S0r2ErJUzt;e+% zmWMF;V&i$MDlNha<@^O!E>X9t%Od;LJxtbaDb{a8W-E3q0*z2o2i-!FZkYrJw|jzN zqQAfjEw`rJSmKcoJk*O}s6TUntyQCT`2Cz{AH7Ml(+|!*Ys%q#@DZgb17tyR`YM6 z<(A;p?UxHnI6lp-PtDeYQ=4@-E^94T9~kTHt#4|@?d6AcFz}$mH!D zGOs|cJ@}rQ_ZGCpS2uak&v&aV*2nUf|8Um)5lqpF@77wkgm>-WE#JZN4v}vH|B}|T zD@xX8LJ9mZ(D>mddHlvM-UR<8^`DyXW6^JHR8(0V=xT*QcR~3pXLuF(quw8?760eR z-N%n+UNu|ployRqwX&yZ&J(O+gyha&ZJ z_p_LT@c@MsPz==+GhAsaugpf^HT+tL_q3U$;R{uQF}oh*X24ph4JID45!fPR{nkt8 zcs1r13oxUWa*VfQ@Q6|CX%TYc%|pT1N~xjR@I*q`&nvbOcMarplju6K(QmUWE~Zxo zW&0?hE>${qJ*G{9OA>>ux zhf(K6C|>D)oWqu;KPOF@F1+T3%@zAD68%9cs91FP1M*#)P@ zf7F*x#@4RvrktWLk9A!wYVK3iBs;;za?3Wck}DxpXJf_wq?FlE@K8Hr)qGLi4NdSSV9Q3K0urPz)cUS>LyhJ}6ZTjb@F79gMRHhzD-`9w z5w)DSrUnz#S1kUJE(lR}uv3lP>)L(Ab;9a*)EIG2z*tHmxvr=p#(&N6$!>p_7jqx zzC%kl0Cpm2T#RWEBTSG}qAkDIH^w`q6<- zolj{$yE9n!EqzvLTM8D#!x3o}%iF+8ljm)`SJXkTCz{!DU&Olx*x7cyAqpW<>{jKK z1rL$U!8bT1Ets+a(`wU_0)(dW0TUu$2_U>m%>_-_H|Cn)CMx<3`jipC#jyk$iOu2d zsJqZ#G&p}?+Jc)!4#>f~-plTqnBSE3vnFbb$kT52_0xb8ykkW0(@7A%5W=_KoKs*BBm>V?I! zA4>nxD2bi&B}!y{BABGU9RyB;)|tu{UT#1gUlm_0nee?W(0LIc)UO^u*vhN5gGj<+ zpmz?xkjYxRl3o)ghPnoGX7x8%CJ8&0z#Qs8iFzDQW*dvcT3s7;pwFx#IAFS=)DZY|uMl~K!fw;_DbrKU=A9a|84Sw;Y@&k@ueqNGTU~CBHO+nXsFv=8 z&XA$qI6h}xW!JSVcPrtpYy+o5;)BfQ0L$|q)^VbqKL~=4lVRW55p7{Lb9fPz zW$?gY@=%S)E1_Q0)k_FRoTGu_NyzMG=G?HAC+xFD537k)3UOfUjrTSX*_^{nZPcT4 z+jZDyed=wNUSEQE!Ku=FM2xeCDLSUCVL9)BAl4QkvpJ7>5-*kWvSb*r2jW_70}@>g z2&CwBE0B8y(A2$(6$Vz78(e~T3CibOk4J?t$N2SsZV%3_4bD?mQ&mp+|HzN0sUyT-=uYXu4Gs(V)Uw0fjoA}aMc zEajBrbok2YK$g?b&=XdH@kJL%F1DGX1KLaO^6vqH4t0(S+LQl*njz*MEf4ha?f7Pq=~k-CYIb$;YRERwyG@oJ4|>O+vz|}kOD(_{1qtG*K7{3T zzH#}J&L>`QUgrfs+NY>KCp{Yr5j{T-(mvX$xyRjezJZQq$m4WB_X5A~o965||4Y2c zqU>qz71>dp?~U_6J<=PQ^!*>`l@@c4-gKQ;7d6V{q)xhEIPdj(+jOUT)DuR*yhlxO z<#QhB7o&~Jd)zbiP7l#Lf8SZ;^8QD)j`wjv-}`4RnwsUW{DRN)LUwv5$I~u3f7Mn+ ztB>1=hDyzrQ#Dqz^=cTXb$>RVEP}ywI9n{nk)q?p2FqwYi&p2~BXmE~JB-Y@x( z*=M@<(zRD?mG=X^MTAZZD!h+Rbmh_eDO1WPA@OQX(t1UjCV8*y6uF}VX6V8_9pFxv Qvgoj-e-+V&o=ji)f6`}3_y7O^ 
diff --git a/languages/go/custom/test/UncontrolledAllocationSize/UncontrolledAllocationSize_PrintAST.txt b/languages/go/custom/test/UncontrolledAllocationSize/UncontrolledAllocationSize_PrintAST.txt deleted file mode 100644 index d603fb0..0000000 --- a/languages/go/custom/test/UncontrolledAllocationSize/UncontrolledAllocationSize_PrintAST.txt +++ /dev/null @@ -1,12 +0,0 @@ -Result set: edges -| source | target | key | value | -+--------+--------+-----+-------+ - -Result set: graphProperties -| key | value | -+------------------+-------+ -| semmle.graphKind | tree | - -Result set: nodes -| node | key | value | -+------+-----+-------+ From 8dfdeaa2b1abf5f0fd3875b6f9cbf400bc295a94 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 18 Nov 2025 16:53:10 +0000 Subject: [PATCH 4/4] Fix typo in UncontrolledAllocationSizeGood.go Co-authored-by: data-douser <70299490+data-douser@users.noreply.github.com> --- .../UncontrolledAllocationSizeGood.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/languages/go/custom/test/UncontrolledAllocationSize/UncontrolledAllocationSizeGood.go b/languages/go/custom/test/UncontrolledAllocationSize/UncontrolledAllocationSizeGood.go index ea2a638..2adfd2c 100644 --- a/languages/go/custom/test/UncontrolledAllocationSize/UncontrolledAllocationSizeGood.go +++ b/languages/go/custom/test/UncontrolledAllocationSize/UncontrolledAllocationSizeGood.go @@ -26,6 +26,6 @@ func OutOfMemoryGood(w http.ResponseWriter, r *http.Request) { for i := 0; i < sink; i++ { result[i] = fmt.Sprintf("Item %d", i+1) } - w.Header().Set("Content-Type\", \"application/json") + w.Header().Set("Content-Type", "application/json") json.NewEncoder(w).Encode(result) }