From 0044b69952c2febd030f2467adc62fc94b54d24a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 26 Mar 2023 10:24:38 +0000 Subject: [PATCH] Bump golang.org/x/sys in /go/ql/test/experimental/CWE-321 Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.0.0-20210917161153-d61c044b1678 to 0.1.0. - [Release notes](https://github.com/golang/sys/releases) - [Commits](https://github.com/golang/sys/commits/v0.1.0) --- updated-dependencies: - dependency-name: golang.org/x/sys dependency-type: indirect ... 
Signed-off-by: dependabot[bot] --- go/ql/test/experimental/CWE-321/go.mod | 2 +- .../appleboy/gin-jwt/v2/.editorconfig | 42 + .../github.com/appleboy/gin-jwt/v2/.gitignore | 27 + .../github.com/appleboy/gin-jwt/v2/LICENSE | 21 + .../github.com/appleboy/gin-jwt/v2/README.md | 347 + .../appleboy/gin-jwt/v2/auth_jwt.go | 821 ++ .../github.com/appleboy/gin-jwt/v2/stub.go | 93 - .../github.com/cristalhq/jwt/v3/LICENSE | 21 + .../github.com/cristalhq/jwt/v3/README.md | 113 + .../github.com/cristalhq/jwt/v3/algo.go | 81 + .../github.com/cristalhq/jwt/v3/algo_eddsa.go | 65 + .../github.com/cristalhq/jwt/v3/algo_es.go | 132 + .../github.com/cristalhq/jwt/v3/algo_hs.go | 111 + .../github.com/cristalhq/jwt/v3/algo_ps.go | 127 + .../github.com/cristalhq/jwt/v3/algo_rs.go | 102 + .../github.com/cristalhq/jwt/v3/audience.go | 46 + .../github.com/cristalhq/jwt/v3/build.go | 178 + .../github.com/cristalhq/jwt/v3/claims.go | 90 + .../vendor/github.com/cristalhq/jwt/v3/doc.go | 7 + .../github.com/cristalhq/jwt/v3/errors.go | 37 + .../github.com/cristalhq/jwt/v3/fuzz.go | 17 + .../vendor/github.com/cristalhq/jwt/v3/jwt.go | 91 + .../cristalhq/jwt/v3/numeric_date.go | 44 + .../github.com/cristalhq/jwt/v3/parse.go | 86 + .../github.com/cristalhq/jwt/v3/stub.go | 26 - .../vendor/github.com/davecgh/go-spew/LICENSE | 15 + .../github.com/davecgh/go-spew/spew/bypass.go | 145 + .../davecgh/go-spew/spew/bypasssafe.go | 38 + .../github.com/davecgh/go-spew/spew/common.go | 341 + .../github.com/davecgh/go-spew/spew/config.go | 306 + .../github.com/davecgh/go-spew/spew/doc.go | 211 + .../github.com/davecgh/go-spew/spew/dump.go | 509 + .../github.com/davecgh/go-spew/spew/format.go | 419 + .../github.com/davecgh/go-spew/spew/spew.go | 148 + .../github.com/gin-contrib/sse/.travis.yml | 26 + .../vendor/github.com/gin-contrib/sse/LICENSE | 21 + .../github.com/gin-contrib/sse/README.md | 58 + .../github.com/gin-contrib/sse/sse-decoder.go | 116 + .../github.com/gin-contrib/sse/sse-encoder.go | 110 + 
.../github.com/gin-contrib/sse/writer.go | 24 + .../github.com/gin-gonic/gin/.gitignore | 7 + .../github.com/gin-gonic/gin/.travis.yml | 48 + .../github.com/gin-gonic/gin/AUTHORS.md | 233 + .../github.com/gin-gonic/gin/BENCHMARKS.md | 666 ++ .../github.com/gin-gonic/gin/CHANGELOG.md | 454 + .../gin-gonic/gin/CODE_OF_CONDUCT.md | 46 + .../github.com/gin-gonic/gin/CONTRIBUTING.md | 13 + .../vendor/github.com/gin-gonic/gin/LICENSE | 21 + .../vendor/github.com/gin-gonic/gin/Makefile | 71 + .../vendor/github.com/gin-gonic/gin/README.md | 2252 +++++ .../vendor/github.com/gin-gonic/gin/auth.go | 91 + .../gin-gonic/gin/binding/binding.go | 118 + .../gin/binding/binding_nomsgpack.go | 112 + .../gin/binding/default_validator.go | 85 + .../github.com/gin-gonic/gin/binding/form.go | 63 + .../gin-gonic/gin/binding/form_mapping.go | 392 + .../gin-gonic/gin/binding/header.go | 34 + .../github.com/gin-gonic/gin/binding/json.go | 56 + .../gin-gonic/gin/binding/msgpack.go | 38 + .../gin/binding/multipart_form_mapping.go | 66 + .../gin-gonic/gin/binding/protobuf.go | 36 + .../github.com/gin-gonic/gin/binding/query.go | 21 + .../github.com/gin-gonic/gin/binding/uri.go | 18 + .../github.com/gin-gonic/gin/binding/xml.go | 33 + .../github.com/gin-gonic/gin/binding/yaml.go | 35 + .../github.com/gin-gonic/gin/codecov.yml | 5 + .../github.com/gin-gonic/gin/context.go | 1192 +++ .../gin-gonic/gin/context_appengine.go | 12 + .../vendor/github.com/gin-gonic/gin/debug.go | 103 + .../github.com/gin-gonic/gin/deprecated.go | 21 + .../vendor/github.com/gin-gonic/gin/doc.go | 6 + .../vendor/github.com/gin-gonic/gin/errors.go | 174 + .../vendor/github.com/gin-gonic/gin/fs.go | 45 + .../vendor/github.com/gin-gonic/gin/gin.go | 643 ++ .../gin/internal/bytesconv/bytesconv.go | 24 + .../gin-gonic/gin/internal/json/json.go | 23 + .../gin-gonic/gin/internal/json/jsoniter.go | 24 + .../vendor/github.com/gin-gonic/gin/logger.go | 271 + .../vendor/github.com/gin-gonic/gin/mode.go | 92 + 
.../vendor/github.com/gin-gonic/gin/path.go | 150 + .../github.com/gin-gonic/gin/recovery.go | 171 + .../github.com/gin-gonic/gin/render/data.go | 25 + .../github.com/gin-gonic/gin/render/html.go | 92 + .../github.com/gin-gonic/gin/render/json.go | 193 + .../gin-gonic/gin/render/msgpack.go | 42 + .../gin-gonic/gin/render/protobuf.go | 36 + .../github.com/gin-gonic/gin/render/reader.go | 48 + .../gin-gonic/gin/render/redirect.go | 29 + .../github.com/gin-gonic/gin/render/render.go | 40 + .../github.com/gin-gonic/gin/render/text.go | 41 + .../github.com/gin-gonic/gin/render/xml.go | 28 + .../github.com/gin-gonic/gin/render/yaml.go | 36 + .../gin-gonic/gin/response_writer.go | 126 + .../github.com/gin-gonic/gin/routergroup.go | 230 + .../vendor/github.com/gin-gonic/gin/stub.go | 681 -- .../github.com/gin-gonic/gin/test_helpers.go | 16 + .../vendor/github.com/gin-gonic/gin/tree.go | 867 ++ .../vendor/github.com/gin-gonic/gin/utils.go | 153 + .../github.com/gin-gonic/gin/version.go | 8 + .../vendor/github.com/go-kit/kit/LICENSE | 22 + .../github.com/go-kit/kit/auth/jwt/README.md | 122 + .../go-kit/kit/auth/jwt/middleware.go | 146 + .../github.com/go-kit/kit/auth/jwt/stub.go | 12 - .../go-kit/kit/auth/jwt/transport.go | 89 + .../github.com/go-kit/kit/endpoint/doc.go | 5 + .../go-kit/kit/endpoint/endpoint.go | 40 + .../github.com/go-kit/kit/transport/doc.go | 2 + .../go-kit/kit/transport/error_handler.go | 39 + .../go-kit/kit/transport/grpc/README.md | 54 + .../go-kit/kit/transport/grpc/client.go | 140 + .../go-kit/kit/transport/grpc/doc.go | 2 + .../kit/transport/grpc/encode_decode.go | 29 + .../transport/grpc/request_response_funcs.go | 81 + .../go-kit/kit/transport/grpc/server.go | 168 + .../go-kit/kit/transport/http/client.go | 219 + .../go-kit/kit/transport/http/doc.go | 2 + .../kit/transport/http/encode_decode.go | 36 + .../transport/http/request_response_funcs.go | 133 + .../go-kit/kit/transport/http/server.go | 244 + .../vendor/github.com/go-kit/log/.gitignore | 
15 + .../vendor/github.com/go-kit/log/LICENSE | 21 + .../vendor/github.com/go-kit/log/README.md | 151 + .../vendor/github.com/go-kit/log/doc.go | 116 + .../github.com/go-kit/log/json_logger.go | 91 + .../vendor/github.com/go-kit/log/log.go | 179 + .../github.com/go-kit/log/logfmt_logger.go | 62 + .../github.com/go-kit/log/nop_logger.go | 8 + .../vendor/github.com/go-kit/log/stdlib.go | 151 + .../vendor/github.com/go-kit/log/sync.go | 113 + .../vendor/github.com/go-kit/log/value.go | 110 + .../github.com/go-logfmt/logfmt/.gitignore | 1 + .../github.com/go-logfmt/logfmt/CHANGELOG.md | 48 + .../github.com/go-logfmt/logfmt/LICENSE | 22 + .../github.com/go-logfmt/logfmt/README.md | 33 + .../github.com/go-logfmt/logfmt/decode.go | 237 + .../vendor/github.com/go-logfmt/logfmt/doc.go | 6 + .../github.com/go-logfmt/logfmt/encode.go | 322 + .../github.com/go-logfmt/logfmt/jsonstring.go | 277 + .../go-playground/locales/.gitignore | 24 + .../go-playground/locales/.travis.yml | 26 + .../github.com/go-playground/locales/LICENSE | 21 + .../go-playground/locales/README.md | 172 + .../locales/currency/currency.go | 308 + .../github.com/go-playground/locales/logo.png | Bin 0 -> 37360 bytes .../github.com/go-playground/locales/rules.go | 293 + .../universal-translator/.gitignore | 25 + .../universal-translator/.travis.yml | 27 + .../universal-translator/LICENSE | 21 + .../universal-translator/README.md | 89 + .../universal-translator/errors.go | 148 + .../universal-translator/import_export.go | 274 + .../universal-translator/logo.png | Bin 0 -> 16598 bytes .../universal-translator/translator.go | 420 + .../universal_translator.go | 113 + .../go-playground/validator/v10/.gitignore | 30 + .../go-playground/validator/v10/.travis.yml | 29 + .../go-playground/validator/v10/LICENSE | 22 + .../go-playground/validator/v10/Makefile | 18 + .../go-playground/validator/v10/README.md | 299 + .../go-playground/validator/v10/baked_in.go | 2285 +++++ .../go-playground/validator/v10/cache.go | 322 + 
.../validator/v10/country_codes.go | 162 + .../go-playground/validator/v10/doc.go | 1308 +++ .../go-playground/validator/v10/errors.go | 275 + .../validator/v10/field_level.go | 119 + .../go-playground/validator/v10/logo.png | Bin 0 -> 13443 bytes .../go-playground/validator/v10/regexes.go | 101 + .../validator/v10/struct_level.go | 175 + .../validator/v10/translations.go | 11 + .../go-playground/validator/v10/util.go | 288 + .../go-playground/validator/v10/validator.go | 477 + .../validator/v10/validator_instance.go | 619 ++ .../github.com/golang-jwt/jwt/v4/.gitignore | 4 + .../github.com/golang-jwt/jwt/v4/LICENSE | 9 + .../golang-jwt/jwt/v4/MIGRATION_GUIDE.md | 22 + .../github.com/golang-jwt/jwt/v4/README.md | 123 + .../golang-jwt/jwt/v4/VERSION_HISTORY.md | 135 + .../github.com/golang-jwt/jwt/v4/claims.go | 273 + .../github.com/golang-jwt/jwt/v4/doc.go | 4 + .../github.com/golang-jwt/jwt/v4/ecdsa.go | 142 + .../golang-jwt/jwt/v4/ecdsa_utils.go | 69 + .../github.com/golang-jwt/jwt/v4/ed25519.go | 85 + .../golang-jwt/jwt/v4/ed25519_utils.go | 64 + .../github.com/golang-jwt/jwt/v4/errors.go | 112 + .../github.com/golang-jwt/jwt/v4/hmac.go | 95 + .../golang-jwt/jwt/v4/map_claims.go | 151 + .../github.com/golang-jwt/jwt/v4/none.go | 52 + .../github.com/golang-jwt/jwt/v4/parser.go | 170 + .../golang-jwt/jwt/v4/parser_option.go | 29 + .../github.com/golang-jwt/jwt/v4/rsa.go | 101 + .../github.com/golang-jwt/jwt/v4/rsa_pss.go | 142 + .../github.com/golang-jwt/jwt/v4/rsa_utils.go | 105 + .../golang-jwt/jwt/v4/signing_method.go | 46 + .../golang-jwt/jwt/v4/staticcheck.conf | 1 + .../github.com/golang-jwt/jwt/v4/stub.go | 328 - .../github.com/golang-jwt/jwt/v4/token.go | 128 + .../github.com/golang-jwt/jwt/v4/types.go | 131 + .../vendor/github.com/golang/protobuf/AUTHORS | 3 + .../github.com/golang/protobuf/CONTRIBUTORS | 3 + .../vendor/github.com/golang/protobuf/LICENSE | 28 + .../golang/protobuf/proto/buffer.go | 324 + .../golang/protobuf/proto/defaults.go | 63 + 
.../golang/protobuf/proto/deprecated.go | 113 + .../golang/protobuf/proto/discard.go | 58 + .../golang/protobuf/proto/extensions.go | 356 + .../golang/protobuf/proto/properties.go | 306 + .../github.com/golang/protobuf/proto/proto.go | 167 + .../golang/protobuf/proto/registry.go | 317 + .../golang/protobuf/proto/text_decode.go | 801 ++ .../golang/protobuf/proto/text_encode.go | 560 ++ .../github.com/golang/protobuf/proto/wire.go | 78 + .../golang/protobuf/proto/wrappers.go | 34 + .../github.com/golang/protobuf/ptypes/any.go | 179 + .../golang/protobuf/ptypes/any/any.pb.go | 62 + .../github.com/golang/protobuf/ptypes/doc.go | 10 + .../golang/protobuf/ptypes/duration.go | 76 + .../protobuf/ptypes/duration/duration.pb.go | 63 + .../golang/protobuf/ptypes/timestamp.go | 112 + .../protobuf/ptypes/timestamp/timestamp.pb.go | 64 + .../github.com/json-iterator/go/.codecov.yml | 3 + .../github.com/json-iterator/go/.gitignore | 4 + .../github.com/json-iterator/go/.travis.yml | 14 + .../github.com/json-iterator/go/Gopkg.lock | 21 + .../github.com/json-iterator/go/Gopkg.toml | 26 + .../github.com/json-iterator/go/LICENSE | 21 + .../github.com/json-iterator/go/README.md | 85 + .../github.com/json-iterator/go/adapter.go | 150 + .../vendor/github.com/json-iterator/go/any.go | 325 + .../github.com/json-iterator/go/any_array.go | 278 + .../github.com/json-iterator/go/any_bool.go | 137 + .../github.com/json-iterator/go/any_float.go | 83 + .../github.com/json-iterator/go/any_int32.go | 74 + .../github.com/json-iterator/go/any_int64.go | 74 + .../json-iterator/go/any_invalid.go | 82 + .../github.com/json-iterator/go/any_nil.go | 69 + .../github.com/json-iterator/go/any_number.go | 123 + .../github.com/json-iterator/go/any_object.go | 374 + .../github.com/json-iterator/go/any_str.go | 166 + .../github.com/json-iterator/go/any_uint32.go | 74 + .../github.com/json-iterator/go/any_uint64.go | 74 + .../github.com/json-iterator/go/build.sh | 12 + .../github.com/json-iterator/go/config.go | 
375 + .../go/fuzzy_mode_convert_table.md | 7 + .../github.com/json-iterator/go/iter.go | 349 + .../github.com/json-iterator/go/iter_array.go | 64 + .../github.com/json-iterator/go/iter_float.go | 342 + .../github.com/json-iterator/go/iter_int.go | 346 + .../json-iterator/go/iter_object.go | 267 + .../github.com/json-iterator/go/iter_skip.go | 130 + .../json-iterator/go/iter_skip_sloppy.go | 163 + .../json-iterator/go/iter_skip_strict.go | 99 + .../github.com/json-iterator/go/iter_str.go | 215 + .../github.com/json-iterator/go/jsoniter.go | 18 + .../github.com/json-iterator/go/pool.go | 42 + .../github.com/json-iterator/go/reflect.go | 337 + .../json-iterator/go/reflect_array.go | 104 + .../json-iterator/go/reflect_dynamic.go | 70 + .../json-iterator/go/reflect_extension.go | 483 + .../json-iterator/go/reflect_json_number.go | 112 + .../go/reflect_json_raw_message.go | 76 + .../json-iterator/go/reflect_map.go | 346 + .../json-iterator/go/reflect_marshaler.go | 225 + .../json-iterator/go/reflect_native.go | 453 + .../json-iterator/go/reflect_optional.go | 129 + .../json-iterator/go/reflect_slice.go | 99 + .../go/reflect_struct_decoder.go | 1097 ++ .../go/reflect_struct_encoder.go | 211 + .../github.com/json-iterator/go/stream.go | 210 + .../json-iterator/go/stream_float.go | 111 + .../github.com/json-iterator/go/stream_int.go | 190 + .../github.com/json-iterator/go/stream_str.go | 372 + .../github.com/json-iterator/go/test.sh | 12 + .../github.com/leodido/go-urn/.gitignore | 11 + .../github.com/leodido/go-urn/.travis.yml | 18 + .../vendor/github.com/leodido/go-urn/LICENSE | 21 + .../github.com/leodido/go-urn/README.md | 55 + .../github.com/leodido/go-urn/machine.go | 1691 ++++ .../github.com/leodido/go-urn/machine.go.rl | 159 + .../vendor/github.com/leodido/go-urn/makefile | 39 + .../vendor/github.com/leodido/go-urn/urn.go | 63 + .../vendor/github.com/lestrrat/go-jwx/LICENSE | 22 + .../lestrrat/go-jwx/internal/base64/base64.go | 28 + 
.../lestrrat/go-jwx/jwa/compression.go | 43 + .../lestrrat/go-jwx/jwa/content_encryption.go | 47 + .../lestrrat/go-jwx/jwa/elliptic.go | 44 + .../github.com/lestrrat/go-jwx/jwa/jwa.go | 17 + .../lestrrat/go-jwx/jwa/key_encryption.go | 58 + .../lestrrat/go-jwx/jwa/key_type.go | 45 + .../lestrrat/go-jwx/jwa/signature.go | 54 + .../lestrrat/go-jwx/jwk/certchain.go | 49 + .../github.com/lestrrat/go-jwx/jwk/ecdsa.go | 307 + .../github.com/lestrrat/go-jwx/jwk/headers.go | 382 + .../lestrrat/go-jwx/jwk/interface.go | 104 + .../github.com/lestrrat/go-jwx/jwk/jwk.go | 240 + .../github.com/lestrrat/go-jwx/jwk/rsa.go | 346 + .../github.com/lestrrat/go-jwx/jwk/stub.go | 39 - .../lestrrat/go-jwx/jwk/symmetric.go | 118 + .../github.com/lestrrat/go-pdebug/.gitignore | 24 + .../github.com/lestrrat/go-pdebug/.travis.yml | 14 + .../github.com/lestrrat/go-pdebug/LICENSE | 21 + .../github.com/lestrrat/go-pdebug/README.md | 99 + .../lestrrat/go-pdebug/autoflag_off.go | 15 + .../lestrrat/go-pdebug/autoflag_on.go | 6 + .../github.com/lestrrat/go-pdebug/common.go | 43 + .../lestrrat/go-pdebug/debug_off.go | 39 + .../github.com/lestrrat/go-pdebug/debug_on.go | 170 + .../github.com/lestrrat/go-pdebug/doc.go | 15 + .../vendor/github.com/mattn/go-isatty/LICENSE | 9 + .../github.com/mattn/go-isatty/README.md | 50 + .../vendor/github.com/mattn/go-isatty/doc.go | 2 + .../github.com/mattn/go-isatty/go.test.sh | 12 + .../github.com/mattn/go-isatty/isatty_bsd.go | 19 + .../mattn/go-isatty/isatty_others.go | 16 + .../mattn/go-isatty/isatty_plan9.go | 23 + .../mattn/go-isatty/isatty_solaris.go | 21 + .../mattn/go-isatty/isatty_tcgets.go | 19 + .../mattn/go-isatty/isatty_windows.go | 125 + .../modern-go/concurrent/.gitignore | 1 + .../modern-go/concurrent/.travis.yml | 14 + .../github.com/modern-go/concurrent/LICENSE | 201 + .../github.com/modern-go/concurrent/README.md | 49 + .../modern-go/concurrent/executor.go | 14 + .../modern-go/concurrent/go_above_19.go | 15 + 
.../modern-go/concurrent/go_below_19.go | 33 + .../github.com/modern-go/concurrent/log.go | 13 + .../github.com/modern-go/concurrent/test.sh | 12 + .../concurrent/unbounded_executor.go | 119 + .../github.com/modern-go/reflect2/.gitignore | 2 + .../github.com/modern-go/reflect2/.travis.yml | 15 + .../github.com/modern-go/reflect2/Gopkg.lock | 9 + .../github.com/modern-go/reflect2/Gopkg.toml | 31 + .../github.com/modern-go/reflect2/LICENSE | 201 + .../github.com/modern-go/reflect2/README.md | 71 + .../modern-go/reflect2/go_above_118.go | 23 + .../modern-go/reflect2/go_above_19.go | 17 + .../modern-go/reflect2/go_below_118.go | 21 + .../github.com/modern-go/reflect2/reflect2.go | 300 + .../modern-go/reflect2/reflect2_amd64.s | 0 .../modern-go/reflect2/reflect2_kind.go | 30 + .../modern-go/reflect2/relfect2_386.s | 0 .../modern-go/reflect2/relfect2_amd64p32.s | 0 .../modern-go/reflect2/relfect2_arm.s | 0 .../modern-go/reflect2/relfect2_arm64.s | 0 .../modern-go/reflect2/relfect2_mips64x.s | 0 .../modern-go/reflect2/relfect2_mipsx.s | 0 .../modern-go/reflect2/relfect2_ppc64x.s | 0 .../modern-go/reflect2/relfect2_s390x.s | 0 .../modern-go/reflect2/safe_field.go | 58 + .../github.com/modern-go/reflect2/safe_map.go | 101 + .../modern-go/reflect2/safe_slice.go | 92 + .../modern-go/reflect2/safe_struct.go | 29 + .../modern-go/reflect2/safe_type.go | 78 + .../github.com/modern-go/reflect2/type_map.go | 70 + .../modern-go/reflect2/unsafe_array.go | 65 + .../modern-go/reflect2/unsafe_eface.go | 59 + .../modern-go/reflect2/unsafe_field.go | 74 + .../modern-go/reflect2/unsafe_iface.go | 64 + .../modern-go/reflect2/unsafe_link.go | 76 + .../modern-go/reflect2/unsafe_map.go | 130 + .../modern-go/reflect2/unsafe_ptr.go | 46 + .../modern-go/reflect2/unsafe_slice.go | 177 + .../modern-go/reflect2/unsafe_struct.go | 59 + .../modern-go/reflect2/unsafe_type.go | 85 + .../vendor/github.com/pkg/errors/.gitignore | 24 + .../vendor/github.com/pkg/errors/.travis.yml | 10 + 
.../vendor/github.com/pkg/errors/LICENSE | 23 + .../vendor/github.com/pkg/errors/Makefile | 44 + .../vendor/github.com/pkg/errors/README.md | 59 + .../vendor/github.com/pkg/errors/appveyor.yml | 32 + .../vendor/github.com/pkg/errors/errors.go | 288 + .../vendor/github.com/pkg/errors/go113.go | 38 + .../vendor/github.com/pkg/errors/stack.go | 177 + .../github.com/square/go-jose/v3/.gitignore | 2 + .../square/go-jose/v3/.golangci.yml | 53 + .../github.com/square/go-jose/v3/.travis.yml | 33 + .../square/go-jose/v3/BUG-BOUNTY.md | 10 + .../square/go-jose/v3/CONTRIBUTING.md | 15 + .../github.com/square/go-jose/v3/LICENSE | 202 + .../github.com/square/go-jose/v3/README.md | 122 + .../square/go-jose/v3/asymmetric.go | 592 ++ .../square/go-jose/v3/cipher/cbc_hmac.go | 196 + .../square/go-jose/v3/cipher/concat_kdf.go | 75 + .../square/go-jose/v3/cipher/ecdh_es.go | 86 + .../square/go-jose/v3/cipher/key_wrap.go | 109 + .../github.com/square/go-jose/v3/crypter.go | 535 + .../github.com/square/go-jose/v3/doc.go | 27 + .../github.com/square/go-jose/v3/encoding.go | 187 + .../github.com/square/go-jose/v3/json/LICENSE | 27 + .../square/go-jose/v3/json/README.md | 13 + .../square/go-jose/v3/json/decode.go | 1183 +++ .../square/go-jose/v3/json/encode.go | 1197 +++ .../square/go-jose/v3/json/indent.go | 141 + .../square/go-jose/v3/json/scanner.go | 623 ++ .../square/go-jose/v3/json/stream.go | 480 + .../github.com/square/go-jose/v3/json/tags.go | 44 + .../github.com/square/go-jose/v3/jwe.go | 295 + .../github.com/square/go-jose/v3/jwk.go | 759 ++ .../github.com/square/go-jose/v3/jws.go | 366 + .../github.com/square/go-jose/v3/opaque.go | 83 + .../github.com/square/go-jose/v3/shared.go | 520 + .../github.com/square/go-jose/v3/signing.go | 440 + .../github.com/square/go-jose/v3/stub.go | 219 - .../github.com/square/go-jose/v3/symmetric.go | 495 + .../ugorji/go/codec/0_importpath.go | 7 + .../vendor/github.com/ugorji/go/codec/LICENSE | 22 + .../vendor/github.com/ugorji/go/codec/binc.go 
| 1219 +++ .../github.com/ugorji/go/codec/build.sh | 272 + .../vendor/github.com/ugorji/go/codec/cbor.go | 846 ++ .../github.com/ugorji/go/codec/codecgen.go | 13 + .../github.com/ugorji/go/codec/decode.go | 2034 ++++ .../vendor/github.com/ugorji/go/codec/doc.go | 226 + .../github.com/ugorji/go/codec/encode.go | 1373 +++ .../ugorji/go/codec/fast-path.generated.go | 8950 +++++++++++++++++ .../ugorji/go/codec/fast-path.go.tmpl | 503 + .../ugorji/go/codec/fast-path.not.go | 41 + .../github.com/ugorji/go/codec/float.go | 313 + .../ugorji/go/codec/gen-dec-array.go.tmpl | 90 + .../ugorji/go/codec/gen-dec-map.go.tmpl | 53 + .../ugorji/go/codec/gen-enc-chan.go.tmpl | 27 + .../ugorji/go/codec/gen-helper.generated.go | 273 + .../ugorji/go/codec/gen-helper.go.tmpl | 241 + .../ugorji/go/codec/gen.generated.go | 187 + .../vendor/github.com/ugorji/go/codec/gen.go | 2339 +++++ .../go/codec/goversion_arrayof_gte_go15.go | 14 + .../go/codec/goversion_arrayof_lt_go15.go | 14 + .../go/codec/goversion_fmt_time_gte_go15.go | 12 + .../go/codec/goversion_fmt_time_lt_go15.go | 15 + .../go/codec/goversion_makemap_gte_go19.go | 15 + .../go/codec/goversion_makemap_lt_go19.go | 12 + .../go/codec/goversion_maprange_gte_go112.go | 44 + .../go/codec/goversion_maprange_lt_go112.go | 47 + ...version_unexportedembeddedptr_gte_go110.go | 8 + ...oversion_unexportedembeddedptr_lt_go110.go | 8 + .../go/codec/goversion_unsupported_lt_go14.go | 17 + .../go/codec/goversion_vendor_eq_go15.go | 10 + .../go/codec/goversion_vendor_eq_go16.go | 10 + .../go/codec/goversion_vendor_gte_go17.go | 8 + .../go/codec/goversion_vendor_lt_go15.go | 8 + .../github.com/ugorji/go/codec/helper.go | 2682 +++++ .../github.com/ugorji/go/codec/helper.s | 0 .../ugorji/go/codec/helper_internal.go | 124 + .../ugorji/go/codec/helper_not_unsafe.go | 409 + .../ugorji/go/codec/helper_unsafe.go | 867 ++ .../vendor/github.com/ugorji/go/codec/json.go | 1493 +++ .../ugorji/go/codec/mammoth-test.go.tmpl | 162 + 
.../ugorji/go/codec/mammoth2-test.go.tmpl | 94 + .../github.com/ugorji/go/codec/msgpack.go | 1108 ++ .../github.com/ugorji/go/codec/prebuild.go | 136 + .../github.com/ugorji/go/codec/reader.go | 1017 ++ .../ugorji/go/codec/register_ext.go | 38 + .../vendor/github.com/ugorji/go/codec/rpc.go | 222 + .../github.com/ugorji/go/codec/simple.go | 647 ++ .../ugorji/go/codec/sort-slice.generated.go | 266 + .../ugorji/go/codec/sort-slice.go.tmpl | 64 + .../ugorji/go/codec/test-cbor-goldens.json | 639 ++ .../vendor/github.com/ugorji/go/codec/test.py | 126 + .../github.com/ugorji/go/codec/writer.go | 267 + .../vendor/golang.org/x/crypto/AUTHORS | 3 + .../vendor/golang.org/x/crypto/CONTRIBUTORS | 3 + .../vendor/golang.org/x/crypto/LICENSE | 27 + .../vendor/golang.org/x/crypto/PATENTS | 22 + .../golang.org/x/crypto/ed25519/ed25519.go | 223 + .../x/crypto/ed25519/ed25519_go113.go | 74 + .../ed25519/internal/edwards25519/const.go | 1422 +++ .../internal/edwards25519/edwards25519.go | 1793 ++++ .../golang.org/x/crypto/pbkdf2/pbkdf2.go | 77 + .../vendor/golang.org/x/crypto/sha3/doc.go | 66 + .../vendor/golang.org/x/crypto/sha3/hashes.go | 97 + .../x/crypto/sha3/hashes_generic.go | 28 + .../golang.org/x/crypto/sha3/keccakf.go | 413 + .../golang.org/x/crypto/sha3/keccakf_amd64.go | 14 + .../golang.org/x/crypto/sha3/keccakf_amd64.s | 391 + .../golang.org/x/crypto/sha3/register.go | 19 + .../vendor/golang.org/x/crypto/sha3/sha3.go | 193 + .../golang.org/x/crypto/sha3/sha3_s390x.go | 285 + .../golang.org/x/crypto/sha3/sha3_s390x.s | 34 + .../vendor/golang.org/x/crypto/sha3/shake.go | 173 + .../golang.org/x/crypto/sha3/shake_generic.go | 20 + .../vendor/golang.org/x/crypto/sha3/xor.go | 24 + .../golang.org/x/crypto/sha3/xor_generic.go | 28 + .../golang.org/x/crypto/sha3/xor_unaligned.go | 68 + .../CWE-321/vendor/golang.org/x/net/AUTHORS | 3 + .../vendor/golang.org/x/net/CONTRIBUTORS | 3 + .../CWE-321/vendor/golang.org/x/net/LICENSE | 27 + .../CWE-321/vendor/golang.org/x/net/PATENTS | 22 + 
.../golang.org/x/net/http/httpguts/guts.go | 50 + .../golang.org/x/net/http/httpguts/httplex.go | 348 + .../vendor/golang.org/x/net/http2/.gitignore | 2 + .../vendor/golang.org/x/net/http2/Dockerfile | 51 + .../vendor/golang.org/x/net/http2/Makefile | 3 + .../vendor/golang.org/x/net/http2/ascii.go | 53 + .../vendor/golang.org/x/net/http2/ciphers.go | 641 ++ .../x/net/http2/client_conn_pool.go | 313 + .../golang.org/x/net/http2/databuffer.go | 146 + .../vendor/golang.org/x/net/http2/errors.go | 145 + .../vendor/golang.org/x/net/http2/flow.go | 52 + .../vendor/golang.org/x/net/http2/frame.go | 1614 +++ .../vendor/golang.org/x/net/http2/go111.go | 30 + .../vendor/golang.org/x/net/http2/go115.go | 27 + .../vendor/golang.org/x/net/http2/gotrack.go | 170 + .../golang.org/x/net/http2/headermap.go | 87 + .../golang.org/x/net/http2/hpack/encode.go | 240 + .../golang.org/x/net/http2/hpack/hpack.go | 504 + .../golang.org/x/net/http2/hpack/huffman.go | 229 + .../golang.org/x/net/http2/hpack/tables.go | 479 + .../vendor/golang.org/x/net/http2/http2.go | 385 + .../golang.org/x/net/http2/not_go111.go | 21 + .../golang.org/x/net/http2/not_go115.go | 31 + .../vendor/golang.org/x/net/http2/pipe.go | 168 + .../vendor/golang.org/x/net/http2/server.go | 3021 ++++++ .../golang.org/x/net/http2/transport.go | 2908 ++++++ .../vendor/golang.org/x/net/http2/write.go | 370 + .../golang.org/x/net/http2/writesched.go | 248 + .../x/net/http2/writesched_priority.go | 452 + .../x/net/http2/writesched_random.go | 77 + .../golang.org/x/net/idna/idna10.0.0.go | 770 ++ .../vendor/golang.org/x/net/idna/idna9.0.0.go | 718 ++ .../vendor/golang.org/x/net/idna/punycode.go | 203 + .../golang.org/x/net/idna/tables10.0.0.go | 4560 +++++++++ .../golang.org/x/net/idna/tables11.0.0.go | 4654 +++++++++ .../golang.org/x/net/idna/tables12.0.0.go | 4734 +++++++++ .../golang.org/x/net/idna/tables13.0.0.go | 4840 +++++++++ .../golang.org/x/net/idna/tables9.0.0.go | 4487 +++++++++ 
.../vendor/golang.org/x/net/idna/trie.go | 72 + .../vendor/golang.org/x/net/idna/trieval.go | 119 + .../x/net/internal/timeseries/timeseries.go | 525 + .../vendor/golang.org/x/net/trace/events.go | 532 + .../golang.org/x/net/trace/histogram.go | 365 + .../vendor/golang.org/x/net/trace/trace.go | 1130 +++ .../CWE-321/vendor/golang.org/x/sys/LICENSE | 27 + .../CWE-321/vendor/golang.org/x/sys/PATENTS | 22 + .../golang.org/x/sys/cpu/asm_aix_ppc64.s | 18 + .../vendor/golang.org/x/sys/cpu/byteorder.go | 66 + .../vendor/golang.org/x/sys/cpu/cpu.go | 287 + .../vendor/golang.org/x/sys/cpu/cpu_aix.go | 34 + .../vendor/golang.org/x/sys/cpu/cpu_arm.go | 73 + .../vendor/golang.org/x/sys/cpu/cpu_arm64.go | 172 + .../vendor/golang.org/x/sys/cpu/cpu_arm64.s | 32 + .../golang.org/x/sys/cpu/cpu_gc_arm64.go | 12 + .../golang.org/x/sys/cpu/cpu_gc_s390x.go | 22 + .../vendor/golang.org/x/sys/cpu/cpu_gc_x86.go | 17 + .../golang.org/x/sys/cpu/cpu_gccgo_arm64.go | 12 + .../golang.org/x/sys/cpu/cpu_gccgo_s390x.go | 23 + .../golang.org/x/sys/cpu/cpu_gccgo_x86.c | 38 + .../golang.org/x/sys/cpu/cpu_gccgo_x86.go | 33 + .../vendor/golang.org/x/sys/cpu/cpu_linux.go | 16 + .../golang.org/x/sys/cpu/cpu_linux_arm.go | 39 + .../golang.org/x/sys/cpu/cpu_linux_arm64.go | 71 + .../golang.org/x/sys/cpu/cpu_linux_mips64x.go | 24 + .../golang.org/x/sys/cpu/cpu_linux_noinit.go | 10 + .../golang.org/x/sys/cpu/cpu_linux_ppc64x.go | 32 + .../golang.org/x/sys/cpu/cpu_linux_s390x.go | 40 + .../golang.org/x/sys/cpu/cpu_loong64.go | 13 + .../golang.org/x/sys/cpu/cpu_mips64x.go | 16 + .../vendor/golang.org/x/sys/cpu/cpu_mipsx.go | 12 + .../golang.org/x/sys/cpu/cpu_netbsd_arm64.go | 173 + .../golang.org/x/sys/cpu/cpu_openbsd_arm64.go | 65 + .../golang.org/x/sys/cpu/cpu_openbsd_arm64.s | 11 + .../golang.org/x/sys/cpu/cpu_other_arm.go | 10 + .../golang.org/x/sys/cpu/cpu_other_arm64.go | 10 + .../golang.org/x/sys/cpu/cpu_other_mips64x.go | 13 + .../golang.org/x/sys/cpu/cpu_other_ppc64x.go | 15 + 
.../golang.org/x/sys/cpu/cpu_other_riscv64.go | 12 + .../vendor/golang.org/x/sys/cpu/cpu_ppc64x.go | 17 + .../golang.org/x/sys/cpu/cpu_riscv64.go | 12 + .../vendor/golang.org/x/sys/cpu/cpu_s390x.go | 172 + .../vendor/golang.org/x/sys/cpu/cpu_s390x.s | 58 + .../vendor/golang.org/x/sys/cpu/cpu_wasm.go | 18 + .../vendor/golang.org/x/sys/cpu/cpu_x86.go | 145 + .../vendor/golang.org/x/sys/cpu/cpu_x86.s | 28 + .../vendor/golang.org/x/sys/cpu/cpu_zos.go | 10 + .../golang.org/x/sys/cpu/cpu_zos_s390x.go | 25 + .../golang.org/x/sys/cpu/hwcap_linux.go | 56 + .../golang.org/x/sys/cpu/syscall_aix_gccgo.go | 27 + .../x/sys/cpu/syscall_aix_ppc64_gc.go | 36 + .../vendor/golang.org/x/sys/unix/.gitignore | 2 + .../vendor/golang.org/x/sys/unix/README.md | 184 + .../golang.org/x/sys/unix/affinity_linux.go | 86 + .../vendor/golang.org/x/sys/unix/aliases.go | 15 + .../golang.org/x/sys/unix/asm_aix_ppc64.s | 18 + .../golang.org/x/sys/unix/asm_bsd_386.s | 29 + .../golang.org/x/sys/unix/asm_bsd_amd64.s | 29 + .../golang.org/x/sys/unix/asm_bsd_arm.s | 29 + .../golang.org/x/sys/unix/asm_bsd_arm64.s | 29 + .../golang.org/x/sys/unix/asm_bsd_ppc64.s | 31 + .../golang.org/x/sys/unix/asm_bsd_riscv64.s | 29 + .../golang.org/x/sys/unix/asm_linux_386.s | 66 + .../golang.org/x/sys/unix/asm_linux_amd64.s | 58 + .../golang.org/x/sys/unix/asm_linux_arm.s | 57 + .../golang.org/x/sys/unix/asm_linux_arm64.s | 53 + .../golang.org/x/sys/unix/asm_linux_loong64.s | 54 + .../golang.org/x/sys/unix/asm_linux_mips64x.s | 57 + .../golang.org/x/sys/unix/asm_linux_mipsx.s | 55 + .../golang.org/x/sys/unix/asm_linux_ppc64x.s | 45 + .../golang.org/x/sys/unix/asm_linux_riscv64.s | 49 + .../golang.org/x/sys/unix/asm_linux_s390x.s | 57 + .../x/sys/unix/asm_openbsd_mips64.s | 30 + .../golang.org/x/sys/unix/asm_solaris_amd64.s | 18 + .../golang.org/x/sys/unix/asm_zos_s390x.s | 426 + .../golang.org/x/sys/unix/bluetooth_linux.go | 36 + .../golang.org/x/sys/unix/cap_freebsd.go | 196 + 
.../vendor/golang.org/x/sys/unix/constants.go | 14 + .../golang.org/x/sys/unix/dev_aix_ppc.go | 27 + .../golang.org/x/sys/unix/dev_aix_ppc64.go | 29 + .../golang.org/x/sys/unix/dev_darwin.go | 24 + .../golang.org/x/sys/unix/dev_dragonfly.go | 30 + .../golang.org/x/sys/unix/dev_freebsd.go | 30 + .../vendor/golang.org/x/sys/unix/dev_linux.go | 42 + .../golang.org/x/sys/unix/dev_netbsd.go | 29 + .../golang.org/x/sys/unix/dev_openbsd.go | 29 + .../vendor/golang.org/x/sys/unix/dev_zos.go | 29 + .../vendor/golang.org/x/sys/unix/dirent.go | 103 + .../golang.org/x/sys/unix/endian_big.go | 10 + .../golang.org/x/sys/unix/endian_little.go | 10 + .../vendor/golang.org/x/sys/unix/env_unix.go | 32 + .../vendor/golang.org/x/sys/unix/epoll_zos.go | 221 + .../vendor/golang.org/x/sys/unix/fcntl.go | 37 + .../golang.org/x/sys/unix/fcntl_darwin.go | 24 + .../x/sys/unix/fcntl_linux_32bit.go | 14 + .../vendor/golang.org/x/sys/unix/fdset.go | 30 + .../golang.org/x/sys/unix/fstatfs_zos.go | 164 + .../vendor/golang.org/x/sys/unix/gccgo.go | 60 + .../vendor/golang.org/x/sys/unix/gccgo_c.c | 45 + .../x/sys/unix/gccgo_linux_amd64.go | 21 + .../golang.org/x/sys/unix/ifreq_linux.go | 142 + .../vendor/golang.org/x/sys/unix/ioctl.go | 75 + .../golang.org/x/sys/unix/ioctl_linux.go | 233 + .../vendor/golang.org/x/sys/unix/ioctl_zos.go | 74 + .../vendor/golang.org/x/sys/unix/mkall.sh | 249 + .../vendor/golang.org/x/sys/unix/mkerrors.sh | 778 ++ .../golang.org/x/sys/unix/pagesize_unix.go | 16 + .../golang.org/x/sys/unix/pledge_openbsd.go | 163 + .../golang.org/x/sys/unix/ptrace_darwin.go | 12 + .../golang.org/x/sys/unix/ptrace_ios.go | 12 + .../vendor/golang.org/x/sys/unix/race.go | 31 + .../vendor/golang.org/x/sys/unix/race0.go | 26 + .../x/sys/unix/readdirent_getdents.go | 13 + .../x/sys/unix/readdirent_getdirentries.go | 20 + .../x/sys/unix/sockcmsg_dragonfly.go | 16 + .../golang.org/x/sys/unix/sockcmsg_linux.go | 85 + .../golang.org/x/sys/unix/sockcmsg_unix.go | 93 + 
.../x/sys/unix/sockcmsg_unix_other.go | 47 + .../vendor/golang.org/x/sys/unix/syscall.go | 87 + .../golang.org/x/sys/unix/syscall_aix.go | 600 ++ .../golang.org/x/sys/unix/syscall_aix_ppc.go | 54 + .../x/sys/unix/syscall_aix_ppc64.go | 85 + .../golang.org/x/sys/unix/syscall_bsd.go | 625 ++ .../golang.org/x/sys/unix/syscall_darwin.go | 830 ++ .../x/sys/unix/syscall_darwin_amd64.go | 51 + .../x/sys/unix/syscall_darwin_arm64.go | 51 + .../x/sys/unix/syscall_darwin_libSystem.go | 27 + .../x/sys/unix/syscall_dragonfly.go | 544 + .../x/sys/unix/syscall_dragonfly_amd64.go | 57 + .../golang.org/x/sys/unix/syscall_freebsd.go | 614 ++ .../x/sys/unix/syscall_freebsd_386.go | 67 + .../x/sys/unix/syscall_freebsd_amd64.go | 67 + .../x/sys/unix/syscall_freebsd_arm.go | 63 + .../x/sys/unix/syscall_freebsd_arm64.go | 63 + .../x/sys/unix/syscall_freebsd_riscv64.go | 63 + .../golang.org/x/sys/unix/syscall_illumos.go | 79 + .../golang.org/x/sys/unix/syscall_linux.go | 2476 +++++ .../x/sys/unix/syscall_linux_386.go | 342 + .../x/sys/unix/syscall_linux_alarm.go | 14 + .../x/sys/unix/syscall_linux_amd64.go | 147 + .../x/sys/unix/syscall_linux_amd64_gc.go | 13 + .../x/sys/unix/syscall_linux_arm.go | 244 + .../x/sys/unix/syscall_linux_arm64.go | 195 + .../golang.org/x/sys/unix/syscall_linux_gc.go | 15 + .../x/sys/unix/syscall_linux_gc_386.go | 17 + .../x/sys/unix/syscall_linux_gc_arm.go | 14 + .../x/sys/unix/syscall_linux_gccgo_386.go | 31 + .../x/sys/unix/syscall_linux_gccgo_arm.go | 21 + .../x/sys/unix/syscall_linux_loong64.go | 222 + .../x/sys/unix/syscall_linux_mips64x.go | 191 + .../x/sys/unix/syscall_linux_mipsx.go | 203 + .../x/sys/unix/syscall_linux_ppc.go | 232 + .../x/sys/unix/syscall_linux_ppc64x.go | 118 + .../x/sys/unix/syscall_linux_riscv64.go | 180 + .../x/sys/unix/syscall_linux_s390x.go | 298 + .../x/sys/unix/syscall_linux_sparc64.go | 114 + .../golang.org/x/sys/unix/syscall_netbsd.go | 609 ++ .../x/sys/unix/syscall_netbsd_386.go | 38 + 
.../x/sys/unix/syscall_netbsd_amd64.go | 38 + .../x/sys/unix/syscall_netbsd_arm.go | 38 + .../x/sys/unix/syscall_netbsd_arm64.go | 38 + .../golang.org/x/sys/unix/syscall_openbsd.go | 389 + .../x/sys/unix/syscall_openbsd_386.go | 42 + .../x/sys/unix/syscall_openbsd_amd64.go | 42 + .../x/sys/unix/syscall_openbsd_arm.go | 42 + .../x/sys/unix/syscall_openbsd_arm64.go | 42 + .../x/sys/unix/syscall_openbsd_libc.go | 27 + .../x/sys/unix/syscall_openbsd_mips64.go | 39 + .../x/sys/unix/syscall_openbsd_ppc64.go | 42 + .../x/sys/unix/syscall_openbsd_riscv64.go | 42 + .../golang.org/x/sys/unix/syscall_solaris.go | 1132 +++ .../x/sys/unix/syscall_solaris_amd64.go | 28 + .../golang.org/x/sys/unix/syscall_unix.go | 554 + .../golang.org/x/sys/unix/syscall_unix_gc.go | 16 + .../x/sys/unix/syscall_unix_gc_ppc64x.go | 25 + .../x/sys/unix/syscall_zos_s390x.go | 1994 ++++ .../golang.org/x/sys/unix/sysvshm_linux.go | 21 + .../golang.org/x/sys/unix/sysvshm_unix.go | 52 + .../x/sys/unix/sysvshm_unix_other.go | 14 + .../golang.org/x/sys/unix/timestruct.go | 77 + .../golang.org/x/sys/unix/unveil_openbsd.go | 42 + .../vendor/golang.org/x/sys/unix/xattr_bsd.go | 276 + .../golang.org/x/sys/unix/zerrors_aix_ppc.go | 1385 +++ .../x/sys/unix/zerrors_aix_ppc64.go | 1386 +++ .../x/sys/unix/zerrors_darwin_amd64.go | 1892 ++++ .../x/sys/unix/zerrors_darwin_arm64.go | 1892 ++++ .../x/sys/unix/zerrors_dragonfly_amd64.go | 1738 ++++ .../x/sys/unix/zerrors_freebsd_386.go | 2043 ++++ .../x/sys/unix/zerrors_freebsd_amd64.go | 2040 ++++ .../x/sys/unix/zerrors_freebsd_arm.go | 2034 ++++ .../x/sys/unix/zerrors_freebsd_arm64.go | 2034 ++++ .../x/sys/unix/zerrors_freebsd_riscv64.go | 2148 ++++ .../golang.org/x/sys/unix/zerrors_linux.go | 3457 +++++++ .../x/sys/unix/zerrors_linux_386.go | 828 ++ .../x/sys/unix/zerrors_linux_amd64.go | 828 ++ .../x/sys/unix/zerrors_linux_arm.go | 834 ++ .../x/sys/unix/zerrors_linux_arm64.go | 826 ++ .../x/sys/unix/zerrors_linux_loong64.go | 818 ++ 
.../x/sys/unix/zerrors_linux_mips.go | 835 ++ .../x/sys/unix/zerrors_linux_mips64.go | 835 ++ .../x/sys/unix/zerrors_linux_mips64le.go | 835 ++ .../x/sys/unix/zerrors_linux_mipsle.go | 835 ++ .../x/sys/unix/zerrors_linux_ppc.go | 887 ++ .../x/sys/unix/zerrors_linux_ppc64.go | 891 ++ .../x/sys/unix/zerrors_linux_ppc64le.go | 891 ++ .../x/sys/unix/zerrors_linux_riscv64.go | 815 ++ .../x/sys/unix/zerrors_linux_s390x.go | 890 ++ .../x/sys/unix/zerrors_linux_sparc64.go | 885 ++ .../x/sys/unix/zerrors_netbsd_386.go | 1780 ++++ .../x/sys/unix/zerrors_netbsd_amd64.go | 1770 ++++ .../x/sys/unix/zerrors_netbsd_arm.go | 1759 ++++ .../x/sys/unix/zerrors_netbsd_arm64.go | 1770 ++++ .../x/sys/unix/zerrors_openbsd_386.go | 1668 +++ .../x/sys/unix/zerrors_openbsd_amd64.go | 1775 ++++ .../x/sys/unix/zerrors_openbsd_arm.go | 1670 +++ .../x/sys/unix/zerrors_openbsd_arm64.go | 1798 ++++ .../x/sys/unix/zerrors_openbsd_mips64.go | 1863 ++++ .../x/sys/unix/zerrors_openbsd_ppc64.go | 1905 ++++ .../x/sys/unix/zerrors_openbsd_riscv64.go | 1904 ++++ .../x/sys/unix/zerrors_solaris_amd64.go | 1557 +++ .../x/sys/unix/zerrors_zos_s390x.go | 860 ++ .../x/sys/unix/zptrace_armnn_linux.go | 42 + .../x/sys/unix/zptrace_linux_arm64.go | 17 + .../x/sys/unix/zptrace_mipsnn_linux.go | 51 + .../x/sys/unix/zptrace_mipsnnle_linux.go | 51 + .../x/sys/unix/zptrace_x86_linux.go | 81 + .../golang.org/x/sys/unix/zsyscall_aix_ppc.go | 1485 +++ .../x/sys/unix/zsyscall_aix_ppc64.go | 1443 +++ .../x/sys/unix/zsyscall_aix_ppc64_gc.go | 1192 +++ .../x/sys/unix/zsyscall_aix_ppc64_gccgo.go | 1070 ++ .../x/sys/unix/zsyscall_darwin_amd64.go | 2545 +++++ .../x/sys/unix/zsyscall_darwin_amd64.s | 904 ++ .../x/sys/unix/zsyscall_darwin_arm64.go | 2545 +++++ .../x/sys/unix/zsyscall_darwin_arm64.s | 904 ++ .../x/sys/unix/zsyscall_dragonfly_amd64.go | 1679 ++++ .../x/sys/unix/zsyscall_freebsd_386.go | 1889 ++++ .../x/sys/unix/zsyscall_freebsd_amd64.go | 1889 ++++ .../x/sys/unix/zsyscall_freebsd_arm.go | 1889 ++++ 
.../x/sys/unix/zsyscall_freebsd_arm64.go | 1889 ++++ .../x/sys/unix/zsyscall_freebsd_riscv64.go | 1889 ++++ .../x/sys/unix/zsyscall_illumos_amd64.go | 102 + .../golang.org/x/sys/unix/zsyscall_linux.go | 2163 ++++ .../x/sys/unix/zsyscall_linux_386.go | 497 + .../x/sys/unix/zsyscall_linux_amd64.go | 664 ++ .../x/sys/unix/zsyscall_linux_arm.go | 612 ++ .../x/sys/unix/zsyscall_linux_arm64.go | 563 ++ .../x/sys/unix/zsyscall_linux_loong64.go | 487 + .../x/sys/unix/zsyscall_linux_mips.go | 664 ++ .../x/sys/unix/zsyscall_linux_mips64.go | 658 ++ .../x/sys/unix/zsyscall_linux_mips64le.go | 647 ++ .../x/sys/unix/zsyscall_linux_mipsle.go | 664 ++ .../x/sys/unix/zsyscall_linux_ppc.go | 669 ++ .../x/sys/unix/zsyscall_linux_ppc64.go | 715 ++ .../x/sys/unix/zsyscall_linux_ppc64le.go | 715 ++ .../x/sys/unix/zsyscall_linux_riscv64.go | 543 + .../x/sys/unix/zsyscall_linux_s390x.go | 506 + .../x/sys/unix/zsyscall_linux_sparc64.go | 659 ++ .../x/sys/unix/zsyscall_netbsd_386.go | 1850 ++++ .../x/sys/unix/zsyscall_netbsd_amd64.go | 1850 ++++ .../x/sys/unix/zsyscall_netbsd_arm.go | 1850 ++++ .../x/sys/unix/zsyscall_netbsd_arm64.go | 1850 ++++ .../x/sys/unix/zsyscall_openbsd_386.go | 2221 ++++ .../x/sys/unix/zsyscall_openbsd_386.s | 796 ++ .../x/sys/unix/zsyscall_openbsd_amd64.go | 2221 ++++ .../x/sys/unix/zsyscall_openbsd_amd64.s | 796 ++ .../x/sys/unix/zsyscall_openbsd_arm.go | 2221 ++++ .../x/sys/unix/zsyscall_openbsd_arm.s | 796 ++ .../x/sys/unix/zsyscall_openbsd_arm64.go | 2221 ++++ .../x/sys/unix/zsyscall_openbsd_arm64.s | 796 ++ .../x/sys/unix/zsyscall_openbsd_mips64.go | 1693 ++++ .../x/sys/unix/zsyscall_openbsd_ppc64.go | 2221 ++++ .../x/sys/unix/zsyscall_openbsd_ppc64.s | 796 ++ .../x/sys/unix/zsyscall_openbsd_riscv64.go | 2221 ++++ .../x/sys/unix/zsyscall_openbsd_riscv64.s | 796 ++ .../x/sys/unix/zsyscall_solaris_amd64.go | 2093 ++++ .../x/sys/unix/zsyscall_zos_s390x.go | 1255 +++ .../x/sys/unix/zsysctl_openbsd_386.go | 274 + .../x/sys/unix/zsysctl_openbsd_amd64.go | 272 + 
.../x/sys/unix/zsysctl_openbsd_arm.go | 274 + .../x/sys/unix/zsysctl_openbsd_arm64.go | 276 + .../x/sys/unix/zsysctl_openbsd_mips64.go | 280 + .../x/sys/unix/zsysctl_openbsd_ppc64.go | 281 + .../x/sys/unix/zsysctl_openbsd_riscv64.go | 282 + .../x/sys/unix/zsysnum_darwin_amd64.go | 440 + .../x/sys/unix/zsysnum_darwin_arm64.go | 438 + .../x/sys/unix/zsysnum_dragonfly_amd64.go | 317 + .../x/sys/unix/zsysnum_freebsd_386.go | 394 + .../x/sys/unix/zsysnum_freebsd_amd64.go | 394 + .../x/sys/unix/zsysnum_freebsd_arm.go | 394 + .../x/sys/unix/zsysnum_freebsd_arm64.go | 394 + .../x/sys/unix/zsysnum_freebsd_riscv64.go | 394 + .../x/sys/unix/zsysnum_linux_386.go | 450 + .../x/sys/unix/zsysnum_linux_amd64.go | 372 + .../x/sys/unix/zsysnum_linux_arm.go | 414 + .../x/sys/unix/zsysnum_linux_arm64.go | 317 + .../x/sys/unix/zsysnum_linux_loong64.go | 311 + .../x/sys/unix/zsysnum_linux_mips.go | 434 + .../x/sys/unix/zsysnum_linux_mips64.go | 364 + .../x/sys/unix/zsysnum_linux_mips64le.go | 364 + .../x/sys/unix/zsysnum_linux_mipsle.go | 434 + .../x/sys/unix/zsysnum_linux_ppc.go | 441 + .../x/sys/unix/zsysnum_linux_ppc64.go | 413 + .../x/sys/unix/zsysnum_linux_ppc64le.go | 413 + .../x/sys/unix/zsysnum_linux_riscv64.go | 316 + .../x/sys/unix/zsysnum_linux_s390x.go | 378 + .../x/sys/unix/zsysnum_linux_sparc64.go | 392 + .../x/sys/unix/zsysnum_netbsd_386.go | 275 + .../x/sys/unix/zsysnum_netbsd_amd64.go | 275 + .../x/sys/unix/zsysnum_netbsd_arm.go | 275 + .../x/sys/unix/zsysnum_netbsd_arm64.go | 275 + .../x/sys/unix/zsysnum_openbsd_386.go | 220 + .../x/sys/unix/zsysnum_openbsd_amd64.go | 220 + .../x/sys/unix/zsysnum_openbsd_arm.go | 220 + .../x/sys/unix/zsysnum_openbsd_arm64.go | 219 + .../x/sys/unix/zsysnum_openbsd_mips64.go | 221 + .../x/sys/unix/zsysnum_openbsd_ppc64.go | 218 + .../x/sys/unix/zsysnum_openbsd_riscv64.go | 219 + .../x/sys/unix/zsysnum_zos_s390x.go | 2670 +++++ .../golang.org/x/sys/unix/ztypes_aix_ppc.go | 354 + .../golang.org/x/sys/unix/ztypes_aix_ppc64.go | 358 + 
.../x/sys/unix/ztypes_darwin_amd64.go | 795 ++ .../x/sys/unix/ztypes_darwin_arm64.go | 795 ++ .../x/sys/unix/ztypes_dragonfly_amd64.go | 474 + .../x/sys/unix/ztypes_freebsd_386.go | 651 ++ .../x/sys/unix/ztypes_freebsd_amd64.go | 656 ++ .../x/sys/unix/ztypes_freebsd_arm.go | 642 ++ .../x/sys/unix/ztypes_freebsd_arm64.go | 636 ++ .../x/sys/unix/ztypes_freebsd_riscv64.go | 638 ++ .../golang.org/x/sys/unix/ztypes_linux.go | 5609 +++++++++++ .../golang.org/x/sys/unix/ztypes_linux_386.go | 696 ++ .../x/sys/unix/ztypes_linux_amd64.go | 711 ++ .../golang.org/x/sys/unix/ztypes_linux_arm.go | 691 ++ .../x/sys/unix/ztypes_linux_arm64.go | 690 ++ .../x/sys/unix/ztypes_linux_loong64.go | 691 ++ .../x/sys/unix/ztypes_linux_mips.go | 696 ++ .../x/sys/unix/ztypes_linux_mips64.go | 693 ++ .../x/sys/unix/ztypes_linux_mips64le.go | 693 ++ .../x/sys/unix/ztypes_linux_mipsle.go | 696 ++ .../golang.org/x/sys/unix/ztypes_linux_ppc.go | 704 ++ .../x/sys/unix/ztypes_linux_ppc64.go | 699 ++ .../x/sys/unix/ztypes_linux_ppc64le.go | 699 ++ .../x/sys/unix/ztypes_linux_riscv64.go | 718 ++ .../x/sys/unix/ztypes_linux_s390x.go | 713 ++ .../x/sys/unix/ztypes_linux_sparc64.go | 694 ++ .../x/sys/unix/ztypes_netbsd_386.go | 502 + .../x/sys/unix/ztypes_netbsd_amd64.go | 510 + .../x/sys/unix/ztypes_netbsd_arm.go | 507 + .../x/sys/unix/ztypes_netbsd_arm64.go | 510 + .../x/sys/unix/ztypes_openbsd_386.go | 574 ++ .../x/sys/unix/ztypes_openbsd_amd64.go | 574 ++ .../x/sys/unix/ztypes_openbsd_arm.go | 575 ++ .../x/sys/unix/ztypes_openbsd_arm64.go | 568 ++ .../x/sys/unix/ztypes_openbsd_mips64.go | 568 ++ .../x/sys/unix/ztypes_openbsd_ppc64.go | 571 ++ .../x/sys/unix/ztypes_openbsd_riscv64.go | 571 ++ .../x/sys/unix/ztypes_solaris_amd64.go | 517 + .../golang.org/x/sys/unix/ztypes_zos_s390x.go | 415 + .../CWE-321/vendor/golang.org/x/text/AUTHORS | 3 + .../vendor/golang.org/x/text/CONTRIBUTORS | 3 + .../CWE-321/vendor/golang.org/x/text/LICENSE | 27 + .../CWE-321/vendor/golang.org/x/text/PATENTS | 22 + 
.../x/text/secure/bidirule/bidirule.go | 336 + .../x/text/secure/bidirule/bidirule10.0.0.go | 12 + .../x/text/secure/bidirule/bidirule9.0.0.go | 15 + .../golang.org/x/text/transform/transform.go | 709 ++ .../golang.org/x/text/unicode/bidi/bidi.go | 359 + .../golang.org/x/text/unicode/bidi/bracket.go | 335 + .../golang.org/x/text/unicode/bidi/core.go | 1071 ++ .../golang.org/x/text/unicode/bidi/prop.go | 206 + .../x/text/unicode/bidi/tables10.0.0.go | 1816 ++++ .../x/text/unicode/bidi/tables11.0.0.go | 1888 ++++ .../x/text/unicode/bidi/tables12.0.0.go | 1924 ++++ .../x/text/unicode/bidi/tables13.0.0.go | 1956 ++++ .../x/text/unicode/bidi/tables9.0.0.go | 1782 ++++ .../golang.org/x/text/unicode/bidi/trieval.go | 60 + .../x/text/unicode/norm/composition.go | 512 + .../x/text/unicode/norm/forminfo.go | 278 + .../golang.org/x/text/unicode/norm/input.go | 109 + .../golang.org/x/text/unicode/norm/iter.go | 458 + .../x/text/unicode/norm/normalize.go | 609 ++ .../x/text/unicode/norm/readwriter.go | 125 + .../x/text/unicode/norm/tables10.0.0.go | 7658 ++++++++++++++ .../x/text/unicode/norm/tables11.0.0.go | 7694 ++++++++++++++ .../x/text/unicode/norm/tables12.0.0.go | 7711 ++++++++++++++ .../x/text/unicode/norm/tables13.0.0.go | 7761 ++++++++++++++ .../x/text/unicode/norm/tables9.0.0.go | 7638 ++++++++++++++ .../x/text/unicode/norm/transform.go | 88 + .../golang.org/x/text/unicode/norm/trie.go | 54 + .../vendor/google.golang.org/genproto/LICENSE | 202 + .../googleapis/rpc/status/status.pb.go | 201 + .../vendor/google.golang.org/grpc/AUTHORS | 1 + .../google.golang.org/grpc/CODE-OF-CONDUCT.md | 3 + .../google.golang.org/grpc/CONTRIBUTING.md | 61 + .../google.golang.org/grpc/GOVERNANCE.md | 1 + .../vendor/google.golang.org/grpc/LICENSE | 202 + .../google.golang.org/grpc/MAINTAINERS.md | 27 + .../vendor/google.golang.org/grpc/Makefile | 48 + .../vendor/google.golang.org/grpc/README.md | 141 + .../vendor/google.golang.org/grpc/SECURITY.md | 3 + .../grpc/attributes/attributes.go 
| 79 + .../vendor/google.golang.org/grpc/backoff.go | 61 + .../google.golang.org/grpc/backoff/backoff.go | 52 + .../grpc/balancer/balancer.go | 388 + .../grpc/balancer/base/balancer.go | 270 + .../grpc/balancer/base/base.go | 71 + .../grpc/balancer/grpclb/state/state.go | 51 + .../grpc/balancer/roundrobin/roundrobin.go | 83 + .../grpc/balancer_conn_wrappers.go | 267 + .../grpc_binarylog_v1/binarylog.pb.go | 1187 +++ .../vendor/google.golang.org/grpc/call.go | 74 + .../google.golang.org/grpc/clientconn.go | 1589 +++ .../vendor/google.golang.org/grpc/codec.go | 50 + .../vendor/google.golang.org/grpc/codegen.sh | 17 + .../grpc/codes/code_string.go | 62 + .../google.golang.org/grpc/codes/codes.go | 244 + .../grpc/connectivity/connectivity.go | 63 + .../grpc/credentials/credentials.go | 272 + .../grpc/credentials/go12.go | 30 + .../google.golang.org/grpc/credentials/tls.go | 233 + .../google.golang.org/grpc/dialoptions.go | 622 ++ .../vendor/google.golang.org/grpc/doc.go | 26 + .../grpc/encoding/encoding.go | 130 + .../grpc/encoding/proto/proto.go | 58 + .../grpc/grpclog/component.go | 117 + .../google.golang.org/grpc/grpclog/grpclog.go | 132 + .../google.golang.org/grpc/grpclog/logger.go | 87 + .../grpc/grpclog/loggerv2.go | 221 + .../google.golang.org/grpc/install_gae.sh | 6 + .../google.golang.org/grpc/interceptor.go | 101 + .../grpc/internal/backoff/backoff.go | 73 + .../grpc/internal/balancerload/load.go | 46 + .../grpc/internal/binarylog/binarylog.go | 170 + .../internal/binarylog/binarylog_testutil.go | 42 + .../grpc/internal/binarylog/env_config.go | 208 + .../grpc/internal/binarylog/method_logger.go | 422 + .../grpc/internal/binarylog/sink.go | 170 + .../grpc/internal/buffer/unbounded.go | 85 + .../grpc/internal/channelz/funcs.go | 737 ++ .../grpc/internal/channelz/logging.go | 102 + .../grpc/internal/channelz/types.go | 701 ++ .../grpc/internal/channelz/types_linux.go | 53 + .../grpc/internal/channelz/types_nonlinux.go | 42 + 
.../grpc/internal/channelz/util_linux.go | 39 + .../grpc/internal/channelz/util_nonlinux.go | 26 + .../grpc/internal/credentials/credentials.go | 49 + .../grpc/internal/credentials/spiffe.go | 77 + .../internal/credentials/spiffe_appengine.go | 31 + .../grpc/internal/credentials/syscallconn.go | 60 + .../credentials/syscallconn_appengine.go | 30 + .../grpc/internal/credentials/util.go | 50 + .../grpc/internal/envconfig/envconfig.go | 38 + .../grpc/internal/grpclog/grpclog.go | 126 + .../grpc/internal/grpclog/prefixLogger.go | 81 + .../grpc/internal/grpcrand/grpcrand.go | 67 + .../grpc/internal/grpcsync/event.go | 61 + .../grpc/internal/grpcutil/encode_duration.go | 63 + .../grpc/internal/grpcutil/metadata.go | 40 + .../grpc/internal/grpcutil/method.go | 84 + .../grpc/internal/grpcutil/target.go | 89 + .../grpc/internal/internal.go | 88 + .../grpc/internal/metadata/metadata.go | 50 + .../grpc/internal/resolver/config_selector.go | 164 + .../internal/resolver/dns/dns_resolver.go | 463 + .../grpc/internal/resolver/dns/go113.go | 33 + .../resolver/passthrough/passthrough.go | 57 + .../grpc/internal/resolver/unix/unix.go | 63 + .../internal/serviceconfig/serviceconfig.go | 178 + .../grpc/internal/status/status.go | 166 + .../grpc/internal/syscall/syscall_linux.go | 114 + .../grpc/internal/syscall/syscall_nonlinux.go | 76 + .../grpc/internal/transport/bdp_estimator.go | 141 + .../grpc/internal/transport/controlbuf.go | 980 ++ .../grpc/internal/transport/defaults.go | 49 + .../grpc/internal/transport/flowcontrol.go | 217 + .../grpc/internal/transport/handler_server.go | 462 + .../grpc/internal/transport/http2_client.go | 1692 ++++ .../grpc/internal/transport/http2_server.go | 1347 +++ .../grpc/internal/transport/http_util.go | 424 + .../transport/networktype/networktype.go | 46 + .../grpc/internal/transport/proxy.go | 142 + .../grpc/internal/transport/transport.go | 804 ++ .../grpc/internal/xds_handshake_cluster.go | 40 + .../grpc/keepalive/keepalive.go | 85 + 
.../grpc/metadata/metadata.go | 247 + .../google.golang.org/grpc/peer/peer.go | 51 + .../google.golang.org/grpc/picker_wrapper.go | 177 + .../google.golang.org/grpc/pickfirst.go | 136 + .../google.golang.org/grpc/preloader.go | 67 + .../google.golang.org/grpc/regenerate.sh | 119 + .../grpc/resolver/resolver.go | 260 + .../grpc/resolver_conn_wrapper.go | 187 + .../vendor/google.golang.org/grpc/rpc_util.go | 916 ++ .../vendor/google.golang.org/grpc/server.go | 1877 ++++ .../google.golang.org/grpc/service_config.go | 404 + .../grpc/serviceconfig/serviceconfig.go | 44 + .../google.golang.org/grpc/stats/handlers.go | 63 + .../google.golang.org/grpc/stats/stats.go | 316 + .../google.golang.org/grpc/status/status.go | 129 + .../vendor/google.golang.org/grpc/stream.go | 1613 +++ .../vendor/google.golang.org/grpc/tap/tap.go | 56 + .../vendor/google.golang.org/grpc/trace.go | 123 + .../vendor/google.golang.org/grpc/version.go | 22 + .../vendor/google.golang.org/grpc/vet.sh | 215 + .../vendor/google.golang.org/protobuf/AUTHORS | 3 + .../google.golang.org/protobuf/CONTRIBUTORS | 3 + .../vendor/google.golang.org/protobuf/LICENSE | 27 + .../vendor/google.golang.org/protobuf/PATENTS | 22 + .../protobuf/encoding/prototext/decode.go | 770 ++ .../protobuf/encoding/prototext/doc.go | 7 + .../protobuf/encoding/prototext/encode.go | 371 + .../protobuf/encoding/protowire/wire.go | 538 + .../protobuf/internal/descfmt/stringer.go | 318 + .../protobuf/internal/descopts/options.go | 29 + .../protobuf/internal/detrand/rand.go | 69 + .../internal/encoding/defval/default.go | 213 + .../encoding/messageset/messageset.go | 241 + .../protobuf/internal/encoding/tag/tag.go | 207 + .../protobuf/internal/encoding/text/decode.go | 665 ++ .../internal/encoding/text/decode_number.go | 190 + .../internal/encoding/text/decode_string.go | 161 + .../internal/encoding/text/decode_token.go | 373 + .../protobuf/internal/encoding/text/doc.go | 29 + .../protobuf/internal/encoding/text/encode.go | 270 + 
.../protobuf/internal/errors/errors.go | 89 + .../protobuf/internal/errors/is_go112.go | 39 + .../protobuf/internal/errors/is_go113.go | 12 + .../protobuf/internal/filedesc/build.go | 158 + .../protobuf/internal/filedesc/desc.go | 631 ++ .../protobuf/internal/filedesc/desc_init.go | 471 + .../protobuf/internal/filedesc/desc_lazy.go | 704 ++ .../protobuf/internal/filedesc/desc_list.go | 450 + .../internal/filedesc/desc_list_gen.go | 356 + .../protobuf/internal/filedesc/placeholder.go | 107 + .../protobuf/internal/filetype/build.go | 297 + .../protobuf/internal/flags/flags.go | 24 + .../internal/flags/proto_legacy_disable.go | 9 + .../internal/flags/proto_legacy_enable.go | 9 + .../protobuf/internal/genid/any_gen.go | 34 + .../protobuf/internal/genid/api_gen.go | 106 + .../protobuf/internal/genid/descriptor_gen.go | 829 ++ .../protobuf/internal/genid/doc.go | 11 + .../protobuf/internal/genid/duration_gen.go | 34 + .../protobuf/internal/genid/empty_gen.go | 19 + .../protobuf/internal/genid/field_mask_gen.go | 31 + .../protobuf/internal/genid/goname.go | 25 + .../protobuf/internal/genid/map_entry.go | 16 + .../internal/genid/source_context_gen.go | 31 + .../protobuf/internal/genid/struct_gen.go | 116 + .../protobuf/internal/genid/timestamp_gen.go | 34 + .../protobuf/internal/genid/type_gen.go | 184 + .../protobuf/internal/genid/wrappers.go | 13 + .../protobuf/internal/genid/wrappers_gen.go | 175 + .../protobuf/internal/impl/api_export.go | 177 + .../protobuf/internal/impl/checkinit.go | 141 + .../protobuf/internal/impl/codec_extension.go | 223 + .../protobuf/internal/impl/codec_field.go | 830 ++ .../protobuf/internal/impl/codec_gen.go | 5637 +++++++++++ .../protobuf/internal/impl/codec_map.go | 388 + .../protobuf/internal/impl/codec_map_go111.go | 37 + .../protobuf/internal/impl/codec_map_go112.go | 11 + .../protobuf/internal/impl/codec_message.go | 217 + .../internal/impl/codec_messageset.go | 123 + .../protobuf/internal/impl/codec_reflect.go | 209 + 
.../protobuf/internal/impl/codec_tables.go | 557 + .../protobuf/internal/impl/codec_unsafe.go | 17 + .../protobuf/internal/impl/convert.go | 496 + .../protobuf/internal/impl/convert_list.go | 141 + .../protobuf/internal/impl/convert_map.go | 121 + .../protobuf/internal/impl/decode.go | 276 + .../protobuf/internal/impl/encode.go | 201 + .../protobuf/internal/impl/enum.go | 21 + .../protobuf/internal/impl/extension.go | 156 + .../protobuf/internal/impl/legacy_enum.go | 219 + .../protobuf/internal/impl/legacy_export.go | 92 + .../internal/impl/legacy_extension.go | 176 + .../protobuf/internal/impl/legacy_file.go | 81 + .../protobuf/internal/impl/legacy_message.go | 565 ++ .../protobuf/internal/impl/merge.go | 176 + .../protobuf/internal/impl/merge_gen.go | 209 + .../protobuf/internal/impl/message.go | 276 + .../protobuf/internal/impl/message_reflect.go | 465 + .../internal/impl/message_reflect_field.go | 543 + .../internal/impl/message_reflect_gen.go | 249 + .../protobuf/internal/impl/pointer_reflect.go | 178 + .../protobuf/internal/impl/pointer_unsafe.go | 174 + .../protobuf/internal/impl/validate.go | 576 ++ .../protobuf/internal/impl/weak.go | 74 + .../protobuf/internal/order/order.go | 89 + .../protobuf/internal/order/range.go | 115 + .../protobuf/internal/pragma/pragma.go | 29 + .../protobuf/internal/set/ints.go | 58 + .../protobuf/internal/strs/strings.go | 196 + .../protobuf/internal/strs/strings_pure.go | 27 + .../protobuf/internal/strs/strings_unsafe.go | 94 + .../protobuf/internal/version/version.go | 79 + .../protobuf/proto/checkinit.go | 71 + .../protobuf/proto/decode.go | 278 + .../protobuf/proto/decode_gen.go | 603 ++ .../google.golang.org/protobuf/proto/doc.go | 94 + .../protobuf/proto/encode.go | 319 + .../protobuf/proto/encode_gen.go | 97 + .../google.golang.org/protobuf/proto/equal.go | 167 + .../protobuf/proto/extension.go | 92 + .../google.golang.org/protobuf/proto/merge.go | 139 + .../protobuf/proto/messageset.go | 93 + 
.../google.golang.org/protobuf/proto/proto.go | 43 + .../protobuf/proto/proto_methods.go | 19 + .../protobuf/proto/proto_reflect.go | 19 + .../google.golang.org/protobuf/proto/reset.go | 43 + .../google.golang.org/protobuf/proto/size.go | 97 + .../protobuf/proto/size_gen.go | 55 + .../protobuf/proto/wrappers.go | 29 + .../protobuf/reflect/protodesc/desc.go | 276 + .../protobuf/reflect/protodesc/desc_init.go | 248 + .../reflect/protodesc/desc_resolve.go | 286 + .../reflect/protodesc/desc_validate.go | 374 + .../protobuf/reflect/protodesc/proto.go | 252 + .../protobuf/reflect/protoreflect/methods.go | 77 + .../protobuf/reflect/protoreflect/proto.go | 504 + .../protobuf/reflect/protoreflect/source.go | 128 + .../reflect/protoreflect/source_gen.go | 461 + .../protobuf/reflect/protoreflect/type.go | 665 ++ .../protobuf/reflect/protoreflect/value.go | 285 + .../reflect/protoreflect/value_pure.go | 59 + .../reflect/protoreflect/value_union.go | 411 + .../reflect/protoreflect/value_unsafe.go | 98 + .../reflect/protoregistry/registry.go | 880 ++ .../protobuf/runtime/protoiface/legacy.go | 15 + .../protobuf/runtime/protoiface/methods.go | 167 + .../protobuf/runtime/protoimpl/impl.go | 44 + .../protobuf/runtime/protoimpl/version.go | 56 + .../types/descriptorpb/descriptor.pb.go | 3957 ++++++++ .../protobuf/types/known/anypb/any.pb.go | 498 + .../types/known/durationpb/duration.pb.go | 379 + .../types/known/timestamppb/timestamp.pb.go | 390 + .../square/go-jose.v2/.gitcookies.sh.enc | 1 + .../gopkg.in/square/go-jose.v2/.gitignore | 8 + .../gopkg.in/square/go-jose.v2/.travis.yml | 45 + .../gopkg.in/square/go-jose.v2/BUG-BOUNTY.md | 10 + .../square/go-jose.v2/CONTRIBUTING.md | 14 + .../vendor/gopkg.in/square/go-jose.v2/LICENSE | 202 + .../gopkg.in/square/go-jose.v2/README.md | 118 + .../gopkg.in/square/go-jose.v2/asymmetric.go | 592 ++ .../square/go-jose.v2/cipher/cbc_hmac.go | 196 + .../square/go-jose.v2/cipher/concat_kdf.go | 75 + .../square/go-jose.v2/cipher/ecdh_es.go | 86 + 
.../square/go-jose.v2/cipher/key_wrap.go | 109 + .../gopkg.in/square/go-jose.v2/crypter.go | 542 + .../vendor/gopkg.in/square/go-jose.v2/doc.go | 27 + .../gopkg.in/square/go-jose.v2/encoding.go | 185 + .../gopkg.in/square/go-jose.v2/json/LICENSE | 27 + .../gopkg.in/square/go-jose.v2/json/README.md | 13 + .../gopkg.in/square/go-jose.v2/json/decode.go | 1217 +++ .../gopkg.in/square/go-jose.v2/json/encode.go | 1197 +++ .../gopkg.in/square/go-jose.v2/json/indent.go | 141 + .../square/go-jose.v2/json/scanner.go | 623 ++ .../gopkg.in/square/go-jose.v2/json/stream.go | 485 + .../gopkg.in/square/go-jose.v2/json/tags.go | 44 + .../vendor/gopkg.in/square/go-jose.v2/jwe.go | 294 + .../vendor/gopkg.in/square/go-jose.v2/jwk.go | 760 ++ .../vendor/gopkg.in/square/go-jose.v2/jws.go | 366 + .../gopkg.in/square/go-jose.v2/opaque.go | 144 + .../gopkg.in/square/go-jose.v2/shared.go | 520 + .../gopkg.in/square/go-jose.v2/signing.go | 441 + .../vendor/gopkg.in/square/go-jose.v2/stub.go | 219 - .../gopkg.in/square/go-jose.v2/symmetric.go | 482 + .../vendor/gopkg.in/yaml.v2/.travis.yml | 16 + .../CWE-321/vendor/gopkg.in/yaml.v2/LICENSE | 201 + .../vendor/gopkg.in/yaml.v2/LICENSE.libyaml | 31 + .../CWE-321/vendor/gopkg.in/yaml.v2/NOTICE | 13 + .../CWE-321/vendor/gopkg.in/yaml.v2/README.md | 133 + .../CWE-321/vendor/gopkg.in/yaml.v2/apic.go | 739 ++ .../CWE-321/vendor/gopkg.in/yaml.v2/decode.go | 815 ++ .../vendor/gopkg.in/yaml.v2/emitterc.go | 1685 ++++ .../CWE-321/vendor/gopkg.in/yaml.v2/encode.go | 390 + .../vendor/gopkg.in/yaml.v2/parserc.go | 1095 ++ .../vendor/gopkg.in/yaml.v2/readerc.go | 412 + .../vendor/gopkg.in/yaml.v2/resolve.go | 258 + .../vendor/gopkg.in/yaml.v2/scannerc.go | 2711 +++++ .../CWE-321/vendor/gopkg.in/yaml.v2/sorter.go | 113 + .../vendor/gopkg.in/yaml.v2/writerc.go | 26 + .../CWE-321/vendor/gopkg.in/yaml.v2/yaml.go | 466 + .../CWE-321/vendor/gopkg.in/yaml.v2/yamlh.go | 739 ++ .../vendor/gopkg.in/yaml.v2/yamlprivateh.go | 173 + 
.../experimental/CWE-321/vendor/modules.txt | 195 +- 1209 files changed, 460000 insertions(+), 1664 deletions(-) create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/appleboy/gin-jwt/v2/.editorconfig create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/appleboy/gin-jwt/v2/.gitignore create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/appleboy/gin-jwt/v2/LICENSE create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/appleboy/gin-jwt/v2/README.md create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/appleboy/gin-jwt/v2/auth_jwt.go delete mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/appleboy/gin-jwt/v2/stub.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/LICENSE create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/README.md create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/algo.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/algo_eddsa.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/algo_es.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/algo_hs.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/algo_ps.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/algo_rs.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/audience.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/build.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/claims.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/doc.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/errors.go create mode 100644 
go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/fuzz.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/jwt.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/numeric_date.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/parse.go delete mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/stub.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/davecgh/go-spew/LICENSE create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/davecgh/go-spew/spew/bypass.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/davecgh/go-spew/spew/bypasssafe.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/davecgh/go-spew/spew/common.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/davecgh/go-spew/spew/config.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/davecgh/go-spew/spew/doc.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/davecgh/go-spew/spew/dump.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/davecgh/go-spew/spew/format.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/davecgh/go-spew/spew/spew.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-contrib/sse/.travis.yml create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-contrib/sse/LICENSE create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-contrib/sse/README.md create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-contrib/sse/sse-decoder.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-contrib/sse/sse-encoder.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-contrib/sse/writer.go create mode 100644 
go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/.gitignore create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/.travis.yml create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/AUTHORS.md create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/BENCHMARKS.md create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/CHANGELOG.md create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/CODE_OF_CONDUCT.md create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/CONTRIBUTING.md create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/LICENSE create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/Makefile create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/README.md create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/auth.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/binding/binding.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/binding/binding_nomsgpack.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/binding/default_validator.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/binding/form.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/binding/form_mapping.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/binding/header.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/binding/json.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/binding/msgpack.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/binding/multipart_form_mapping.go create mode 100644 
go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/binding/protobuf.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/binding/query.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/binding/uri.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/binding/xml.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/binding/yaml.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/codecov.yml create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/context.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/context_appengine.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/debug.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/deprecated.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/doc.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/errors.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/fs.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/gin.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/internal/bytesconv/bytesconv.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/internal/json/json.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/internal/json/jsoniter.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/logger.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/mode.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/path.go create mode 100644 
go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/recovery.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/render/data.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/render/html.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/render/json.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/render/msgpack.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/render/protobuf.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/render/reader.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/render/redirect.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/render/render.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/render/text.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/render/xml.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/render/yaml.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/response_writer.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/routergroup.go delete mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/stub.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/test_helpers.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/tree.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/utils.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/version.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/LICENSE create mode 100644 
go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/auth/jwt/README.md create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/auth/jwt/middleware.go delete mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/auth/jwt/stub.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/auth/jwt/transport.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/endpoint/doc.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/endpoint/endpoint.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/transport/doc.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/transport/error_handler.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/transport/grpc/README.md create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/transport/grpc/client.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/transport/grpc/doc.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/transport/grpc/encode_decode.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/transport/grpc/request_response_funcs.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/transport/grpc/server.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/transport/http/client.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/transport/http/doc.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/transport/http/encode_decode.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/transport/http/request_response_funcs.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/transport/http/server.go create mode 100644 
go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/log/.gitignore create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/log/LICENSE create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/log/README.md create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/log/doc.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/log/json_logger.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/log/log.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/log/logfmt_logger.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/log/nop_logger.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/log/stdlib.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/log/sync.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/log/value.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-logfmt/logfmt/.gitignore create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-logfmt/logfmt/CHANGELOG.md create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-logfmt/logfmt/LICENSE create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-logfmt/logfmt/README.md create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-logfmt/logfmt/decode.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-logfmt/logfmt/doc.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-logfmt/logfmt/encode.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-logfmt/logfmt/jsonstring.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-playground/locales/.gitignore create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-playground/locales/.travis.yml create mode 100644 
go/ql/test/experimental/CWE-321/vendor/github.com/go-playground/locales/LICENSE create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-playground/locales/README.md create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-playground/locales/currency/currency.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-playground/locales/logo.png create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-playground/locales/rules.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-playground/universal-translator/.gitignore create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-playground/universal-translator/.travis.yml create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-playground/universal-translator/LICENSE create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-playground/universal-translator/README.md create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-playground/universal-translator/errors.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-playground/universal-translator/import_export.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-playground/universal-translator/logo.png create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-playground/universal-translator/translator.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-playground/universal-translator/universal_translator.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-playground/validator/v10/.gitignore create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-playground/validator/v10/.travis.yml create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-playground/validator/v10/LICENSE create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-playground/validator/v10/Makefile create mode 100644 
go/ql/test/experimental/CWE-321/vendor/github.com/go-playground/validator/v10/README.md create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-playground/validator/v10/baked_in.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-playground/validator/v10/cache.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-playground/validator/v10/country_codes.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-playground/validator/v10/doc.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-playground/validator/v10/errors.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-playground/validator/v10/field_level.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-playground/validator/v10/logo.png create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-playground/validator/v10/regexes.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-playground/validator/v10/struct_level.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-playground/validator/v10/translations.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-playground/validator/v10/util.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-playground/validator/v10/validator.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/go-playground/validator/v10/validator_instance.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/golang-jwt/jwt/v4/.gitignore create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/golang-jwt/jwt/v4/LICENSE create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/golang-jwt/jwt/v4/MIGRATION_GUIDE.md create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/golang-jwt/jwt/v4/README.md create mode 100644 
go/ql/test/experimental/CWE-321/vendor/github.com/golang-jwt/jwt/v4/VERSION_HISTORY.md create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/golang-jwt/jwt/v4/claims.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/golang-jwt/jwt/v4/doc.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/golang-jwt/jwt/v4/ecdsa.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/golang-jwt/jwt/v4/ecdsa_utils.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/golang-jwt/jwt/v4/ed25519.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/golang-jwt/jwt/v4/ed25519_utils.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/golang-jwt/jwt/v4/errors.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/golang-jwt/jwt/v4/hmac.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/golang-jwt/jwt/v4/map_claims.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/golang-jwt/jwt/v4/none.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/golang-jwt/jwt/v4/parser.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/golang-jwt/jwt/v4/parser_option.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/golang-jwt/jwt/v4/rsa.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/golang-jwt/jwt/v4/rsa_pss.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/golang-jwt/jwt/v4/rsa_utils.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/golang-jwt/jwt/v4/signing_method.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/golang-jwt/jwt/v4/staticcheck.conf delete mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/golang-jwt/jwt/v4/stub.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/golang-jwt/jwt/v4/token.go create mode 100644 
go/ql/test/experimental/CWE-321/vendor/github.com/golang-jwt/jwt/v4/types.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/golang/protobuf/AUTHORS create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/golang/protobuf/CONTRIBUTORS create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/golang/protobuf/LICENSE create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/golang/protobuf/proto/buffer.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/golang/protobuf/proto/defaults.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/golang/protobuf/proto/deprecated.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/golang/protobuf/proto/discard.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/golang/protobuf/proto/extensions.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/golang/protobuf/proto/properties.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/golang/protobuf/proto/proto.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/golang/protobuf/proto/registry.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/golang/protobuf/proto/text_decode.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/golang/protobuf/proto/text_encode.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/golang/protobuf/proto/wire.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/golang/protobuf/proto/wrappers.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/golang/protobuf/ptypes/any.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/golang/protobuf/ptypes/any/any.pb.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/golang/protobuf/ptypes/doc.go create mode 100644 
go/ql/test/experimental/CWE-321/vendor/github.com/golang/protobuf/ptypes/duration.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/golang/protobuf/ptypes/duration/duration.pb.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/golang/protobuf/ptypes/timestamp.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/golang/protobuf/ptypes/timestamp/timestamp.pb.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/json-iterator/go/.codecov.yml create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/json-iterator/go/.gitignore create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/json-iterator/go/.travis.yml create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/json-iterator/go/Gopkg.lock create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/json-iterator/go/Gopkg.toml create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/json-iterator/go/LICENSE create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/json-iterator/go/README.md create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/json-iterator/go/adapter.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/json-iterator/go/any.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/json-iterator/go/any_array.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/json-iterator/go/any_bool.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/json-iterator/go/any_float.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/json-iterator/go/any_int32.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/json-iterator/go/any_int64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/json-iterator/go/any_invalid.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/json-iterator/go/any_nil.go create mode 
100644 go/ql/test/experimental/CWE-321/vendor/github.com/json-iterator/go/any_number.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/json-iterator/go/any_object.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/json-iterator/go/any_str.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/json-iterator/go/any_uint32.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/json-iterator/go/any_uint64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/json-iterator/go/build.sh create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/json-iterator/go/config.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/json-iterator/go/fuzzy_mode_convert_table.md create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/json-iterator/go/iter.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/json-iterator/go/iter_array.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/json-iterator/go/iter_float.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/json-iterator/go/iter_int.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/json-iterator/go/iter_object.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/json-iterator/go/iter_skip.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/json-iterator/go/iter_skip_sloppy.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/json-iterator/go/iter_skip_strict.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/json-iterator/go/iter_str.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/json-iterator/go/jsoniter.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/json-iterator/go/pool.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/json-iterator/go/reflect.go create mode 100644 
go/ql/test/experimental/CWE-321/vendor/github.com/json-iterator/go/reflect_array.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/json-iterator/go/reflect_dynamic.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/json-iterator/go/reflect_extension.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/json-iterator/go/reflect_json_number.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/json-iterator/go/reflect_json_raw_message.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/json-iterator/go/reflect_map.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/json-iterator/go/reflect_marshaler.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/json-iterator/go/reflect_native.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/json-iterator/go/reflect_optional.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/json-iterator/go/reflect_slice.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/json-iterator/go/reflect_struct_decoder.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/json-iterator/go/reflect_struct_encoder.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/json-iterator/go/stream.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/json-iterator/go/stream_float.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/json-iterator/go/stream_int.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/json-iterator/go/stream_str.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/json-iterator/go/test.sh create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/leodido/go-urn/.gitignore create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/leodido/go-urn/.travis.yml create mode 100644 
go/ql/test/experimental/CWE-321/vendor/github.com/leodido/go-urn/LICENSE create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/leodido/go-urn/README.md create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/leodido/go-urn/machine.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/leodido/go-urn/machine.go.rl create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/leodido/go-urn/makefile create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/leodido/go-urn/urn.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/lestrrat/go-jwx/LICENSE create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/lestrrat/go-jwx/internal/base64/base64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/lestrrat/go-jwx/jwa/compression.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/lestrrat/go-jwx/jwa/content_encryption.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/lestrrat/go-jwx/jwa/elliptic.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/lestrrat/go-jwx/jwa/jwa.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/lestrrat/go-jwx/jwa/key_encryption.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/lestrrat/go-jwx/jwa/key_type.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/lestrrat/go-jwx/jwa/signature.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/lestrrat/go-jwx/jwk/certchain.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/lestrrat/go-jwx/jwk/ecdsa.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/lestrrat/go-jwx/jwk/headers.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/lestrrat/go-jwx/jwk/interface.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/lestrrat/go-jwx/jwk/jwk.go create mode 100644 
go/ql/test/experimental/CWE-321/vendor/github.com/lestrrat/go-jwx/jwk/rsa.go delete mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/lestrrat/go-jwx/jwk/stub.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/lestrrat/go-jwx/jwk/symmetric.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/lestrrat/go-pdebug/.gitignore create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/lestrrat/go-pdebug/.travis.yml create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/lestrrat/go-pdebug/LICENSE create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/lestrrat/go-pdebug/README.md create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/lestrrat/go-pdebug/autoflag_off.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/lestrrat/go-pdebug/autoflag_on.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/lestrrat/go-pdebug/common.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/lestrrat/go-pdebug/debug_off.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/lestrrat/go-pdebug/debug_on.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/lestrrat/go-pdebug/doc.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/mattn/go-isatty/LICENSE create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/mattn/go-isatty/README.md create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/mattn/go-isatty/doc.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/mattn/go-isatty/go.test.sh create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/mattn/go-isatty/isatty_bsd.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/mattn/go-isatty/isatty_others.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/mattn/go-isatty/isatty_plan9.go create mode 100644 
go/ql/test/experimental/CWE-321/vendor/github.com/mattn/go-isatty/isatty_solaris.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/mattn/go-isatty/isatty_tcgets.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/mattn/go-isatty/isatty_windows.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/modern-go/concurrent/.gitignore create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/modern-go/concurrent/.travis.yml create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/modern-go/concurrent/LICENSE create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/modern-go/concurrent/README.md create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/modern-go/concurrent/executor.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/modern-go/concurrent/go_above_19.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/modern-go/concurrent/go_below_19.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/modern-go/concurrent/log.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/modern-go/concurrent/test.sh create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/modern-go/concurrent/unbounded_executor.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/modern-go/reflect2/.gitignore create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/modern-go/reflect2/.travis.yml create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/modern-go/reflect2/Gopkg.lock create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/modern-go/reflect2/Gopkg.toml create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/modern-go/reflect2/LICENSE create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/modern-go/reflect2/README.md create mode 100644 
go/ql/test/experimental/CWE-321/vendor/github.com/modern-go/reflect2/go_above_118.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/modern-go/reflect2/go_above_19.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/modern-go/reflect2/go_below_118.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/modern-go/reflect2/reflect2.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/modern-go/reflect2/reflect2_amd64.s create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/modern-go/reflect2/reflect2_kind.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/modern-go/reflect2/relfect2_386.s create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/modern-go/reflect2/relfect2_amd64p32.s create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/modern-go/reflect2/relfect2_arm.s create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/modern-go/reflect2/relfect2_arm64.s create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/modern-go/reflect2/relfect2_mips64x.s create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/modern-go/reflect2/relfect2_mipsx.s create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/modern-go/reflect2/relfect2_ppc64x.s create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/modern-go/reflect2/relfect2_s390x.s create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/modern-go/reflect2/safe_field.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/modern-go/reflect2/safe_map.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/modern-go/reflect2/safe_slice.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/modern-go/reflect2/safe_struct.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/modern-go/reflect2/safe_type.go create mode 100644 
go/ql/test/experimental/CWE-321/vendor/github.com/modern-go/reflect2/type_map.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/modern-go/reflect2/unsafe_array.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/modern-go/reflect2/unsafe_eface.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/modern-go/reflect2/unsafe_field.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/modern-go/reflect2/unsafe_iface.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/modern-go/reflect2/unsafe_link.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/modern-go/reflect2/unsafe_map.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/modern-go/reflect2/unsafe_ptr.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/modern-go/reflect2/unsafe_slice.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/modern-go/reflect2/unsafe_struct.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/modern-go/reflect2/unsafe_type.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/pkg/errors/.gitignore create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/pkg/errors/.travis.yml create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/pkg/errors/LICENSE create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/pkg/errors/Makefile create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/pkg/errors/README.md create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/pkg/errors/appveyor.yml create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/pkg/errors/errors.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/pkg/errors/go113.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/pkg/errors/stack.go create mode 100644 
go/ql/test/experimental/CWE-321/vendor/github.com/square/go-jose/v3/.gitignore create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/square/go-jose/v3/.golangci.yml create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/square/go-jose/v3/.travis.yml create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/square/go-jose/v3/BUG-BOUNTY.md create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/square/go-jose/v3/CONTRIBUTING.md create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/square/go-jose/v3/LICENSE create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/square/go-jose/v3/README.md create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/square/go-jose/v3/asymmetric.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/square/go-jose/v3/cipher/cbc_hmac.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/square/go-jose/v3/cipher/concat_kdf.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/square/go-jose/v3/cipher/ecdh_es.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/square/go-jose/v3/cipher/key_wrap.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/square/go-jose/v3/crypter.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/square/go-jose/v3/doc.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/square/go-jose/v3/encoding.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/square/go-jose/v3/json/LICENSE create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/square/go-jose/v3/json/README.md create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/square/go-jose/v3/json/decode.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/square/go-jose/v3/json/encode.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/square/go-jose/v3/json/indent.go 
create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/square/go-jose/v3/json/scanner.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/square/go-jose/v3/json/stream.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/square/go-jose/v3/json/tags.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/square/go-jose/v3/jwe.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/square/go-jose/v3/jwk.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/square/go-jose/v3/jws.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/square/go-jose/v3/opaque.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/square/go-jose/v3/shared.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/square/go-jose/v3/signing.go delete mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/square/go-jose/v3/stub.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/square/go-jose/v3/symmetric.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/ugorji/go/codec/0_importpath.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/ugorji/go/codec/LICENSE create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/ugorji/go/codec/binc.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/ugorji/go/codec/build.sh create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/ugorji/go/codec/cbor.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/ugorji/go/codec/codecgen.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/ugorji/go/codec/decode.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/ugorji/go/codec/doc.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/ugorji/go/codec/encode.go create mode 100644 
go/ql/test/experimental/CWE-321/vendor/github.com/ugorji/go/codec/fast-path.generated.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/ugorji/go/codec/fast-path.go.tmpl create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/ugorji/go/codec/fast-path.not.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/ugorji/go/codec/float.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/ugorji/go/codec/gen-dec-array.go.tmpl create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/ugorji/go/codec/gen-dec-map.go.tmpl create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/ugorji/go/codec/gen-enc-chan.go.tmpl create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/ugorji/go/codec/gen-helper.generated.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/ugorji/go/codec/gen-helper.go.tmpl create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/ugorji/go/codec/gen.generated.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/ugorji/go/codec/gen.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/ugorji/go/codec/goversion_arrayof_gte_go15.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/ugorji/go/codec/goversion_arrayof_lt_go15.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/ugorji/go/codec/goversion_fmt_time_gte_go15.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/ugorji/go/codec/goversion_fmt_time_lt_go15.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/ugorji/go/codec/goversion_makemap_gte_go19.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/ugorji/go/codec/goversion_makemap_lt_go19.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/ugorji/go/codec/goversion_maprange_gte_go112.go create mode 100644 
go/ql/test/experimental/CWE-321/vendor/github.com/ugorji/go/codec/goversion_maprange_lt_go112.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/ugorji/go/codec/goversion_unexportedembeddedptr_gte_go110.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/ugorji/go/codec/goversion_unexportedembeddedptr_lt_go110.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/ugorji/go/codec/goversion_unsupported_lt_go14.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/ugorji/go/codec/goversion_vendor_eq_go15.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/ugorji/go/codec/goversion_vendor_eq_go16.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/ugorji/go/codec/goversion_vendor_gte_go17.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/ugorji/go/codec/goversion_vendor_lt_go15.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/ugorji/go/codec/helper.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/ugorji/go/codec/helper.s create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/ugorji/go/codec/helper_internal.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/ugorji/go/codec/helper_not_unsafe.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/ugorji/go/codec/helper_unsafe.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/ugorji/go/codec/json.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/ugorji/go/codec/mammoth-test.go.tmpl create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/ugorji/go/codec/mammoth2-test.go.tmpl create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/ugorji/go/codec/msgpack.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/ugorji/go/codec/prebuild.go create mode 100644 
go/ql/test/experimental/CWE-321/vendor/github.com/ugorji/go/codec/reader.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/ugorji/go/codec/register_ext.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/ugorji/go/codec/rpc.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/ugorji/go/codec/simple.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/ugorji/go/codec/sort-slice.generated.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/ugorji/go/codec/sort-slice.go.tmpl create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/ugorji/go/codec/test-cbor-goldens.json create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/ugorji/go/codec/test.py create mode 100644 go/ql/test/experimental/CWE-321/vendor/github.com/ugorji/go/codec/writer.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/crypto/AUTHORS create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/crypto/CONTRIBUTORS create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/crypto/LICENSE create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/crypto/PATENTS create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/crypto/ed25519/ed25519.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/crypto/ed25519/ed25519_go113.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/crypto/ed25519/internal/edwards25519/const.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/crypto/ed25519/internal/edwards25519/edwards25519.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/crypto/pbkdf2/pbkdf2.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/crypto/sha3/doc.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/crypto/sha3/hashes.go create mode 100644 
go/ql/test/experimental/CWE-321/vendor/golang.org/x/crypto/sha3/hashes_generic.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/crypto/sha3/keccakf.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/crypto/sha3/keccakf_amd64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/crypto/sha3/keccakf_amd64.s create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/crypto/sha3/register.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/crypto/sha3/sha3.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/crypto/sha3/sha3_s390x.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/crypto/sha3/sha3_s390x.s create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/crypto/sha3/shake.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/crypto/sha3/shake_generic.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/crypto/sha3/xor.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/crypto/sha3/xor_generic.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/crypto/sha3/xor_unaligned.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/net/AUTHORS create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/net/CONTRIBUTORS create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/net/LICENSE create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/net/PATENTS create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/net/http/httpguts/guts.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/net/http/httpguts/httplex.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/net/http2/.gitignore create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/net/http2/Dockerfile create mode 100644 
go/ql/test/experimental/CWE-321/vendor/golang.org/x/net/http2/Makefile create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/net/http2/ascii.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/net/http2/ciphers.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/net/http2/client_conn_pool.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/net/http2/databuffer.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/net/http2/errors.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/net/http2/flow.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/net/http2/frame.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/net/http2/go111.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/net/http2/go115.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/net/http2/gotrack.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/net/http2/headermap.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/net/http2/hpack/encode.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/net/http2/hpack/hpack.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/net/http2/hpack/huffman.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/net/http2/hpack/tables.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/net/http2/http2.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/net/http2/not_go111.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/net/http2/not_go115.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/net/http2/pipe.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/net/http2/server.go create mode 100644 
go/ql/test/experimental/CWE-321/vendor/golang.org/x/net/http2/transport.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/net/http2/write.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/net/http2/writesched.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/net/http2/writesched_priority.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/net/http2/writesched_random.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/net/idna/idna10.0.0.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/net/idna/idna9.0.0.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/net/idna/punycode.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/net/idna/tables10.0.0.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/net/idna/tables11.0.0.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/net/idna/tables12.0.0.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/net/idna/tables13.0.0.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/net/idna/tables9.0.0.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/net/idna/trie.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/net/idna/trieval.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/net/internal/timeseries/timeseries.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/net/trace/events.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/net/trace/histogram.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/net/trace/trace.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/LICENSE create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/PATENTS create mode 100644 
go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/cpu/asm_aix_ppc64.s create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/cpu/byteorder.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/cpu/cpu.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/cpu/cpu_aix.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/cpu/cpu_arm.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/cpu/cpu_arm64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/cpu/cpu_arm64.s create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/cpu/cpu_gc_arm64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/cpu/cpu_gc_s390x.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/cpu/cpu_gc_x86.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/cpu/cpu_gccgo_arm64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/cpu/cpu_gccgo_s390x.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/cpu/cpu_gccgo_x86.c create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/cpu/cpu_gccgo_x86.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/cpu/cpu_linux.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/cpu/cpu_linux_arm.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/cpu/cpu_linux_arm64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/cpu/cpu_linux_mips64x.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/cpu/cpu_linux_noinit.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/cpu/cpu_linux_ppc64x.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/cpu/cpu_linux_s390x.go create mode 100644 
go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/cpu/cpu_loong64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/cpu/cpu_mips64x.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/cpu/cpu_mipsx.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/cpu/cpu_netbsd_arm64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/cpu/cpu_openbsd_arm64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/cpu/cpu_openbsd_arm64.s create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/cpu/cpu_other_arm.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/cpu/cpu_other_arm64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/cpu/cpu_other_mips64x.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/cpu/cpu_other_ppc64x.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/cpu/cpu_other_riscv64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/cpu/cpu_ppc64x.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/cpu/cpu_riscv64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/cpu/cpu_s390x.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/cpu/cpu_s390x.s create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/cpu/cpu_wasm.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/cpu/cpu_x86.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/cpu/cpu_x86.s create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/cpu/cpu_zos.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/cpu/cpu_zos_s390x.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/cpu/hwcap_linux.go create mode 100644 
go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/cpu/syscall_aix_gccgo.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/cpu/syscall_aix_ppc64_gc.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/.gitignore create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/README.md create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/affinity_linux.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/aliases.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/asm_aix_ppc64.s create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/asm_bsd_386.s create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/asm_bsd_amd64.s create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/asm_bsd_arm.s create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/asm_bsd_arm64.s create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/asm_bsd_ppc64.s create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/asm_bsd_riscv64.s create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/asm_linux_386.s create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/asm_linux_amd64.s create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/asm_linux_arm.s create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/asm_linux_arm64.s create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/asm_linux_loong64.s create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/asm_linux_mips64x.s create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/asm_linux_mipsx.s create mode 100644 
go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/asm_linux_ppc64x.s create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/asm_linux_riscv64.s create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/asm_linux_s390x.s create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/asm_openbsd_mips64.s create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/asm_solaris_amd64.s create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/asm_zos_s390x.s create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/bluetooth_linux.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/cap_freebsd.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/constants.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/dev_aix_ppc.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/dev_aix_ppc64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/dev_darwin.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/dev_dragonfly.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/dev_freebsd.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/dev_linux.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/dev_netbsd.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/dev_openbsd.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/dev_zos.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/dirent.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/endian_big.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/endian_little.go 
create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/env_unix.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/epoll_zos.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/fcntl.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/fcntl_darwin.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/fcntl_linux_32bit.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/fdset.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/fstatfs_zos.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/gccgo.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/gccgo_c.c create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/gccgo_linux_amd64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/ifreq_linux.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/ioctl.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/ioctl_linux.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/ioctl_zos.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/mkall.sh create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/mkerrors.sh create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/pagesize_unix.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/pledge_openbsd.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/ptrace_darwin.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/ptrace_ios.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/race.go create mode 100644 
go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/race0.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/readdirent_getdents.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/readdirent_getdirentries.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/sockcmsg_dragonfly.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/sockcmsg_linux.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/sockcmsg_unix.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/sockcmsg_unix_other.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/syscall.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/syscall_aix.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/syscall_aix_ppc.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/syscall_aix_ppc64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/syscall_bsd.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/syscall_darwin.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/syscall_darwin_amd64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/syscall_darwin_arm64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/syscall_darwin_libSystem.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/syscall_dragonfly.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/syscall_dragonfly_amd64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/syscall_freebsd.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/syscall_freebsd_386.go create mode 
100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/syscall_freebsd_amd64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/syscall_freebsd_arm.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/syscall_freebsd_arm64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/syscall_freebsd_riscv64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/syscall_illumos.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/syscall_linux.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/syscall_linux_386.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/syscall_linux_alarm.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/syscall_linux_amd64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/syscall_linux_amd64_gc.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/syscall_linux_arm.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/syscall_linux_arm64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/syscall_linux_gc.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/syscall_linux_gc_386.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/syscall_linux_gc_arm.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/syscall_linux_gccgo_386.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/syscall_linux_gccgo_arm.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/syscall_linux_loong64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/syscall_linux_mips64x.go create mode 100644 
go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/syscall_linux_mipsx.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/syscall_linux_ppc.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/syscall_linux_ppc64x.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/syscall_linux_riscv64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/syscall_linux_s390x.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/syscall_linux_sparc64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/syscall_netbsd.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/syscall_netbsd_386.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/syscall_netbsd_amd64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/syscall_netbsd_arm.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/syscall_netbsd_arm64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/syscall_openbsd.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/syscall_openbsd_386.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/syscall_openbsd_amd64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/syscall_openbsd_arm.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/syscall_openbsd_arm64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/syscall_openbsd_libc.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/syscall_openbsd_mips64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/syscall_openbsd_ppc64.go create mode 100644 
go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/syscall_openbsd_riscv64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/syscall_solaris.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/syscall_solaris_amd64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/syscall_unix.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/syscall_unix_gc.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/syscall_unix_gc_ppc64x.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/syscall_zos_s390x.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/sysvshm_linux.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/sysvshm_unix.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/sysvshm_unix_other.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/timestruct.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/unveil_openbsd.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/xattr_bsd.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zerrors_aix_ppc.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zerrors_aix_ppc64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zerrors_darwin_amd64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zerrors_darwin_arm64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zerrors_dragonfly_amd64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zerrors_freebsd_386.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zerrors_freebsd_amd64.go 
create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zerrors_freebsd_arm.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zerrors_freebsd_arm64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zerrors_freebsd_riscv64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zerrors_linux.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zerrors_linux_386.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zerrors_linux_arm.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zerrors_linux_loong64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zerrors_linux_mips.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zerrors_linux_ppc.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zerrors_linux_riscv64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go create mode 100644 
go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zerrors_netbsd_386.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zerrors_netbsd_amd64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zerrors_netbsd_arm.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zerrors_netbsd_arm64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zerrors_openbsd_386.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zerrors_openbsd_amd64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zerrors_openbsd_arm.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zerrors_openbsd_arm64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zerrors_openbsd_mips64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zerrors_openbsd_ppc64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zerrors_openbsd_riscv64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zerrors_solaris_amd64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zerrors_zos_s390x.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zptrace_armnn_linux.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zptrace_linux_arm64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zptrace_mipsnn_linux.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zptrace_mipsnnle_linux.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zptrace_x86_linux.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsyscall_aix_ppc.go create mode 100644 
go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsyscall_aix_ppc64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsyscall_aix_ppc64_gc.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsyscall_aix_ppc64_gccgo.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsyscall_darwin_amd64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsyscall_darwin_amd64.s create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsyscall_darwin_arm64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsyscall_darwin_arm64.s create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsyscall_dragonfly_amd64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsyscall_freebsd_386.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsyscall_freebsd_amd64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsyscall_freebsd_arm.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsyscall_freebsd_arm64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsyscall_freebsd_riscv64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsyscall_illumos_amd64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsyscall_linux.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsyscall_linux_386.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsyscall_linux_amd64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsyscall_linux_arm.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsyscall_linux_arm64.go create mode 100644 
go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsyscall_linux_loong64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsyscall_linux_mips.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsyscall_linux_mips64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsyscall_linux_mips64le.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsyscall_linux_mipsle.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsyscall_linux_ppc.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsyscall_linux_ppc64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsyscall_linux_ppc64le.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsyscall_linux_riscv64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsyscall_linux_s390x.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsyscall_linux_sparc64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsyscall_netbsd_386.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsyscall_netbsd_amd64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsyscall_netbsd_arm.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsyscall_netbsd_arm64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsyscall_openbsd_386.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsyscall_openbsd_386.s create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsyscall_openbsd_amd64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsyscall_openbsd_amd64.s create mode 100644 
go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm.s create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm64.s create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsyscall_openbsd_mips64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsyscall_openbsd_ppc64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsyscall_openbsd_ppc64.s create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsyscall_openbsd_riscv64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsyscall_openbsd_riscv64.s create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsyscall_solaris_amd64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsyscall_zos_s390x.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsysctl_openbsd_386.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsysctl_openbsd_amd64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsysctl_openbsd_arm.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsysctl_openbsd_arm64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsysctl_openbsd_mips64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsysctl_openbsd_ppc64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsysctl_openbsd_riscv64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsysnum_darwin_amd64.go create mode 100644 
go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsysnum_darwin_arm64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsysnum_dragonfly_amd64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsysnum_freebsd_386.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsysnum_freebsd_amd64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsysnum_freebsd_arm.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsysnum_freebsd_arm64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsysnum_freebsd_riscv64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsysnum_linux_386.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsysnum_linux_amd64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsysnum_linux_arm.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsysnum_linux_arm64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsysnum_linux_loong64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsysnum_linux_mips.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsysnum_linux_mips64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsysnum_linux_mips64le.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsysnum_linux_mipsle.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64le.go create mode 100644 
go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsysnum_linux_riscv64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsysnum_linux_s390x.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsysnum_linux_sparc64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsysnum_netbsd_386.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsysnum_netbsd_amd64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsysnum_netbsd_arm.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsysnum_netbsd_arm64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsysnum_openbsd_386.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsysnum_openbsd_amd64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsysnum_openbsd_arm.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsysnum_openbsd_arm64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsysnum_openbsd_mips64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsysnum_openbsd_ppc64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsysnum_openbsd_riscv64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/zsysnum_zos_s390x.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/ztypes_aix_ppc.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/ztypes_aix_ppc64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/ztypes_darwin_amd64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/ztypes_darwin_arm64.go create mode 100644 
go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/ztypes_dragonfly_amd64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/ztypes_freebsd_386.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/ztypes_freebsd_amd64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/ztypes_freebsd_arm.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/ztypes_freebsd_arm64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/ztypes_freebsd_riscv64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/ztypes_linux.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/ztypes_linux_386.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/ztypes_linux_amd64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/ztypes_linux_arm.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/ztypes_linux_arm64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/ztypes_linux_loong64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/ztypes_linux_mips.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/ztypes_linux_mips64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/ztypes_linux_mips64le.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/ztypes_linux_mipsle.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/ztypes_linux_ppc.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/ztypes_linux_ppc64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/ztypes_linux_ppc64le.go create mode 100644 
go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/ztypes_linux_riscv64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/ztypes_linux_s390x.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/ztypes_linux_sparc64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/ztypes_netbsd_386.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/ztypes_netbsd_amd64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/ztypes_netbsd_arm.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/ztypes_netbsd_arm64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/ztypes_openbsd_386.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/ztypes_openbsd_amd64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/ztypes_openbsd_arm.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/ztypes_openbsd_arm64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/ztypes_openbsd_mips64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/ztypes_openbsd_ppc64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/ztypes_openbsd_riscv64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/ztypes_solaris_amd64.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/sys/unix/ztypes_zos_s390x.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/text/AUTHORS create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/text/CONTRIBUTORS create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/text/LICENSE create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/text/PATENTS create mode 100644 
go/ql/test/experimental/CWE-321/vendor/golang.org/x/text/secure/bidirule/bidirule.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/text/secure/bidirule/bidirule10.0.0.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/text/secure/bidirule/bidirule9.0.0.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/text/transform/transform.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/text/unicode/bidi/bidi.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/text/unicode/bidi/bracket.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/text/unicode/bidi/core.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/text/unicode/bidi/prop.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/text/unicode/bidi/tables10.0.0.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/text/unicode/bidi/tables11.0.0.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/text/unicode/bidi/tables12.0.0.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/text/unicode/bidi/tables13.0.0.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/text/unicode/bidi/tables9.0.0.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/text/unicode/bidi/trieval.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/text/unicode/norm/composition.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/text/unicode/norm/forminfo.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/text/unicode/norm/input.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/text/unicode/norm/iter.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/text/unicode/norm/normalize.go create mode 100644 
go/ql/test/experimental/CWE-321/vendor/golang.org/x/text/unicode/norm/readwriter.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/text/unicode/norm/tables10.0.0.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/text/unicode/norm/tables11.0.0.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/text/unicode/norm/tables12.0.0.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/text/unicode/norm/tables13.0.0.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/text/unicode/norm/tables9.0.0.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/text/unicode/norm/transform.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/golang.org/x/text/unicode/norm/trie.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/genproto/LICENSE create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/genproto/googleapis/rpc/status/status.pb.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/AUTHORS create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/CODE-OF-CONDUCT.md create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/CONTRIBUTING.md create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/GOVERNANCE.md create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/LICENSE create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/MAINTAINERS.md create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/Makefile create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/README.md create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/SECURITY.md create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/attributes/attributes.go create mode 100644 
go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/backoff.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/backoff/backoff.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/balancer/balancer.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/balancer/base/balancer.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/balancer/base/base.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/balancer/grpclb/state/state.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/balancer/roundrobin/roundrobin.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/balancer_conn_wrappers.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/binarylog/grpc_binarylog_v1/binarylog.pb.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/call.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/clientconn.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/codec.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/codegen.sh create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/codes/code_string.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/codes/codes.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/connectivity/connectivity.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/credentials/credentials.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/credentials/go12.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/credentials/tls.go create mode 100644 
go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/dialoptions.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/doc.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/encoding/encoding.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/encoding/proto/proto.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/grpclog/component.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/grpclog/grpclog.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/grpclog/logger.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/grpclog/loggerv2.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/install_gae.sh create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/interceptor.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/internal/backoff/backoff.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/internal/balancerload/load.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/internal/binarylog/binarylog.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/internal/binarylog/binarylog_testutil.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/internal/binarylog/env_config.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/internal/binarylog/method_logger.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/internal/binarylog/sink.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/internal/buffer/unbounded.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/internal/channelz/funcs.go create mode 100644 
go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/internal/channelz/logging.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/internal/channelz/types.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/internal/channelz/types_linux.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/internal/channelz/types_nonlinux.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/internal/channelz/util_linux.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/internal/channelz/util_nonlinux.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/internal/credentials/credentials.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/internal/credentials/spiffe.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/internal/credentials/spiffe_appengine.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/internal/credentials/syscallconn.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/internal/credentials/syscallconn_appengine.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/internal/credentials/util.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/internal/envconfig/envconfig.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/internal/grpclog/grpclog.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/internal/grpclog/prefixLogger.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/internal/grpcrand/grpcrand.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/internal/grpcsync/event.go create mode 100644 
go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/internal/grpcutil/encode_duration.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/internal/grpcutil/metadata.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/internal/grpcutil/method.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/internal/grpcutil/target.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/internal/internal.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/internal/metadata/metadata.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/internal/resolver/config_selector.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/internal/resolver/dns/dns_resolver.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/internal/resolver/dns/go113.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/internal/resolver/passthrough/passthrough.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/internal/resolver/unix/unix.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/internal/serviceconfig/serviceconfig.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/internal/status/status.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/internal/syscall/syscall_linux.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/internal/syscall/syscall_nonlinux.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/internal/transport/bdp_estimator.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/internal/transport/controlbuf.go create mode 100644 
go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/internal/transport/defaults.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/internal/transport/flowcontrol.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/internal/transport/handler_server.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/internal/transport/http2_client.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/internal/transport/http2_server.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/internal/transport/http_util.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/internal/transport/networktype/networktype.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/internal/transport/proxy.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/internal/transport/transport.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/internal/xds_handshake_cluster.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/keepalive/keepalive.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/metadata/metadata.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/peer/peer.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/picker_wrapper.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/pickfirst.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/preloader.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/regenerate.sh create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/resolver/resolver.go create mode 100644 
go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/resolver_conn_wrapper.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/rpc_util.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/server.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/service_config.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/serviceconfig/serviceconfig.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/stats/handlers.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/stats/stats.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/status/status.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/stream.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/tap/tap.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/trace.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/version.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/grpc/vet.sh create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/AUTHORS create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/CONTRIBUTORS create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/LICENSE create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/PATENTS create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/encoding/prototext/decode.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/encoding/prototext/doc.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/encoding/prototext/encode.go create mode 100644 
go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/encoding/protowire/wire.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/descfmt/stringer.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/descopts/options.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/detrand/rand.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/encoding/defval/default.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/encoding/messageset/messageset.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/encoding/tag/tag.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/encoding/text/decode.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/encoding/text/decode_number.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/encoding/text/decode_string.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/encoding/text/decode_token.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/encoding/text/doc.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/encoding/text/encode.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/errors/errors.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/errors/is_go112.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/errors/is_go113.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/filedesc/build.go create mode 100644 
go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/filedesc/desc.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/filedesc/desc_init.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/filedesc/desc_lazy.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/filedesc/desc_list.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/filedesc/desc_list_gen.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/filedesc/placeholder.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/filetype/build.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/flags/flags.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/flags/proto_legacy_disable.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/flags/proto_legacy_enable.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/genid/any_gen.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/genid/api_gen.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/genid/descriptor_gen.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/genid/doc.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/genid/duration_gen.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/genid/empty_gen.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/genid/field_mask_gen.go create mode 100644 
go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/genid/goname.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/genid/map_entry.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/genid/source_context_gen.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/genid/struct_gen.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/genid/timestamp_gen.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/genid/type_gen.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/genid/wrappers.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/genid/wrappers_gen.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/impl/api_export.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/impl/checkinit.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/impl/codec_extension.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/impl/codec_field.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/impl/codec_gen.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/impl/codec_map.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/impl/codec_map_go111.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/impl/codec_map_go112.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/impl/codec_message.go create mode 100644 
go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/impl/codec_messageset.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/impl/codec_reflect.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/impl/codec_tables.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/impl/codec_unsafe.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/impl/convert.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/impl/convert_list.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/impl/convert_map.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/impl/decode.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/impl/encode.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/impl/enum.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/impl/extension.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/impl/legacy_enum.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/impl/legacy_export.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/impl/legacy_extension.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/impl/legacy_file.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/impl/legacy_message.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/impl/merge.go create mode 100644 
go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/impl/merge_gen.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/impl/message.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/impl/message_reflect.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/impl/message_reflect_field.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/impl/message_reflect_gen.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/impl/pointer_reflect.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/impl/pointer_unsafe.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/impl/validate.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/impl/weak.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/order/order.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/order/range.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/pragma/pragma.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/set/ints.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/strs/strings.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/strs/strings_pure.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/strs/strings_unsafe.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/internal/version/version.go create mode 100644 
go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/proto/checkinit.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/proto/decode.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/proto/decode_gen.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/proto/doc.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/proto/encode.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/proto/encode_gen.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/proto/equal.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/proto/extension.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/proto/merge.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/proto/messageset.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/proto/proto.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/proto/proto_methods.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/proto/proto_reflect.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/proto/reset.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/proto/size.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/proto/size_gen.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/proto/wrappers.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/reflect/protodesc/desc.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/reflect/protodesc/desc_init.go create mode 100644 
go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/reflect/protodesc/desc_resolve.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/reflect/protodesc/desc_validate.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/reflect/protodesc/proto.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/reflect/protoreflect/methods.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/reflect/protoreflect/proto.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/reflect/protoreflect/source.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/reflect/protoreflect/source_gen.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/reflect/protoreflect/type.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/reflect/protoreflect/value.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/reflect/protoreflect/value_pure.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/reflect/protoreflect/value_union.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/reflect/protoreflect/value_unsafe.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/reflect/protoregistry/registry.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/runtime/protoiface/legacy.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/runtime/protoiface/methods.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/runtime/protoimpl/impl.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/runtime/protoimpl/version.go create mode 100644 
go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/types/descriptorpb/descriptor.pb.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/types/known/anypb/any.pb.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/types/known/durationpb/duration.pb.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/google.golang.org/protobuf/types/known/timestamppb/timestamp.pb.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/gopkg.in/square/go-jose.v2/.gitcookies.sh.enc create mode 100644 go/ql/test/experimental/CWE-321/vendor/gopkg.in/square/go-jose.v2/.gitignore create mode 100644 go/ql/test/experimental/CWE-321/vendor/gopkg.in/square/go-jose.v2/.travis.yml create mode 100644 go/ql/test/experimental/CWE-321/vendor/gopkg.in/square/go-jose.v2/BUG-BOUNTY.md create mode 100644 go/ql/test/experimental/CWE-321/vendor/gopkg.in/square/go-jose.v2/CONTRIBUTING.md create mode 100644 go/ql/test/experimental/CWE-321/vendor/gopkg.in/square/go-jose.v2/LICENSE create mode 100644 go/ql/test/experimental/CWE-321/vendor/gopkg.in/square/go-jose.v2/README.md create mode 100644 go/ql/test/experimental/CWE-321/vendor/gopkg.in/square/go-jose.v2/asymmetric.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/gopkg.in/square/go-jose.v2/cipher/cbc_hmac.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/gopkg.in/square/go-jose.v2/cipher/concat_kdf.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/gopkg.in/square/go-jose.v2/cipher/ecdh_es.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/gopkg.in/square/go-jose.v2/cipher/key_wrap.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/gopkg.in/square/go-jose.v2/crypter.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/gopkg.in/square/go-jose.v2/doc.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/gopkg.in/square/go-jose.v2/encoding.go create mode 100644 
go/ql/test/experimental/CWE-321/vendor/gopkg.in/square/go-jose.v2/json/LICENSE create mode 100644 go/ql/test/experimental/CWE-321/vendor/gopkg.in/square/go-jose.v2/json/README.md create mode 100644 go/ql/test/experimental/CWE-321/vendor/gopkg.in/square/go-jose.v2/json/decode.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/gopkg.in/square/go-jose.v2/json/encode.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/gopkg.in/square/go-jose.v2/json/indent.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/gopkg.in/square/go-jose.v2/json/scanner.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/gopkg.in/square/go-jose.v2/json/stream.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/gopkg.in/square/go-jose.v2/json/tags.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/gopkg.in/square/go-jose.v2/jwe.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/gopkg.in/square/go-jose.v2/jwk.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/gopkg.in/square/go-jose.v2/jws.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/gopkg.in/square/go-jose.v2/opaque.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/gopkg.in/square/go-jose.v2/shared.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/gopkg.in/square/go-jose.v2/signing.go delete mode 100644 go/ql/test/experimental/CWE-321/vendor/gopkg.in/square/go-jose.v2/stub.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/gopkg.in/square/go-jose.v2/symmetric.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/gopkg.in/yaml.v2/.travis.yml create mode 100644 go/ql/test/experimental/CWE-321/vendor/gopkg.in/yaml.v2/LICENSE create mode 100644 go/ql/test/experimental/CWE-321/vendor/gopkg.in/yaml.v2/LICENSE.libyaml create mode 100644 go/ql/test/experimental/CWE-321/vendor/gopkg.in/yaml.v2/NOTICE create mode 100644 go/ql/test/experimental/CWE-321/vendor/gopkg.in/yaml.v2/README.md create mode 100644 
go/ql/test/experimental/CWE-321/vendor/gopkg.in/yaml.v2/apic.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/gopkg.in/yaml.v2/decode.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/gopkg.in/yaml.v2/emitterc.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/gopkg.in/yaml.v2/encode.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/gopkg.in/yaml.v2/parserc.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/gopkg.in/yaml.v2/readerc.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/gopkg.in/yaml.v2/resolve.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/gopkg.in/yaml.v2/scannerc.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/gopkg.in/yaml.v2/sorter.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/gopkg.in/yaml.v2/writerc.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/gopkg.in/yaml.v2/yaml.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/gopkg.in/yaml.v2/yamlh.go create mode 100644 go/ql/test/experimental/CWE-321/vendor/gopkg.in/yaml.v2/yamlprivateh.go
diff --git a/go/ql/test/experimental/CWE-321/go.mod b/go/ql/test/experimental/CWE-321/go.mod
index 1f78c4037c06..c340dba07fd6 100644
--- a/go/ql/test/experimental/CWE-321/go.mod
+++ b/go/ql/test/experimental/CWE-321/go.mod
@@ -32,7 +32,7 @@ require (
 github.com/ugorji/go/codec v1.1.7 // indirect
 golang.org/x/crypto v0.0.0-20210915214749-c084706c2272 // indirect
 golang.org/x/net v0.0.0-20210917221730-978cfadd31cf // indirect
- golang.org/x/sys v0.0.0-20210917161153-d61c044b1678 // indirect
+ golang.org/x/sys v0.1.0 // indirect
 golang.org/x/text v0.3.7 // indirect
 google.golang.org/genproto v0.0.0-20210917145530-b395a37504d4 // indirect
 google.golang.org/grpc v1.40.0 // indirect
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/appleboy/gin-jwt/v2/.editorconfig b/go/ql/test/experimental/CWE-321/vendor/github.com/appleboy/gin-jwt/v2/.editorconfig
new file mode 100644
index 000000000000..e4f9beca31a7
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/appleboy/gin-jwt/v2/.editorconfig
@@ -0,0 +1,42 @@
+# unifying the coding style for different editors and IDEs => editorconfig.org
+
+; indicate this is the root of the project
+root = true
+
+###########################################################
+; common
+###########################################################
+
+[*]
+charset = utf-8
+
+end_of_line = LF
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+indent_style = space
+indent_size = 2
+
+###########################################################
+; make
+###########################################################
+
+[Makefile]
+indent_style = tab
+
+[makefile]
+indent_style = tab
+
+###########################################################
+; markdown
+###########################################################
+
+[*.md]
+trim_trailing_whitespace = false
+
+###########################################################
+; golang
+###########################################################
+
+[*.go]
+indent_style = tab
\ No newline at end of file
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/appleboy/gin-jwt/v2/.gitignore b/go/ql/test/experimental/CWE-321/vendor/github.com/appleboy/gin-jwt/v2/.gitignore
new file mode 100644
index 000000000000..d93b5c92d867
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/appleboy/gin-jwt/v2/.gitignore
@@ -0,0 +1,27 @@
+# Compiled Object files, Static and Dynamic libs (Shared Objects)
+*.o
+*.a
+*.so
+
+# Folders
+_obj
+_test
+
+# Architecture specific extensions/prefixes
+*.[568vq]
+[568vq].out
+
+*.cgo1.go
+*.cgo2.c
+_cgo_defun.c
+_cgo_gotypes.go
+_cgo_export.*
+
+_testmain.go
+
+*.exe
+*.test
+*.prof
+.DS_Store
+.vscode
+coverage.out
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/appleboy/gin-jwt/v2/LICENSE b/go/ql/test/experimental/CWE-321/vendor/github.com/appleboy/gin-jwt/v2/LICENSE
new file mode 100644
index 000000000000..446bb8b425a9
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/appleboy/gin-jwt/v2/LICENSE
@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2016 Bo-Yi Wu
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/appleboy/gin-jwt/v2/README.md b/go/ql/test/experimental/CWE-321/vendor/github.com/appleboy/gin-jwt/v2/README.md new file mode 100644 index 000000000000..330ba0e15157 --- /dev/null +++ b/go/ql/test/experimental/CWE-321/vendor/github.com/appleboy/gin-jwt/v2/README.md 
@@ -0,0 +1,347 @@ +# JWT Middleware for Gin Framework + +[![Run Tests](https://github.com/appleboy/gin-jwt/actions/workflows/go.yml/badge.svg)](https://github.com/appleboy/gin-jwt/actions/workflows/go.yml) +[![GitHub tag](https://img.shields.io/github/tag/appleboy/gin-jwt.svg)](https://github.com/appleboy/gin-jwt/releases) +[![GoDoc](https://godoc.org/github.com/appleboy/gin-jwt?status.svg)](https://godoc.org/github.com/appleboy/gin-jwt) +[![Go Report Card](https://goreportcard.com/badge/github.com/appleboy/gin-jwt)](https://goreportcard.com/report/github.com/appleboy/gin-jwt) +[![codecov](https://codecov.io/gh/appleboy/gin-jwt/branch/master/graph/badge.svg)](https://codecov.io/gh/appleboy/gin-jwt) +[![codebeat badge](https://codebeat.co/badges/c4015f07-df23-4c7c-95ba-9193a12e14b1)](https://codebeat.co/projects/github-com-appleboy-gin-jwt) +[![Sourcegraph](https://sourcegraph.com/github.com/appleboy/gin-jwt/-/badge.svg)](https://sourcegraph.com/github.com/appleboy/gin-jwt?badge) + +This is a middleware for [Gin](https://github.com/gin-gonic/gin) framework. + +It uses [jwt-go](https://github.com/golang-jwt/jwt) to provide a jwt authentication middleware. It provides additional handler functions to provide the `login` api that will generate the token and an additional `refresh` handler that can be used to refresh tokens. + +## Security Issue + +Simple HS256 JWT token brute force cracker. Effective only to crack JWT tokens with weak secrets. **Recommendation**: Use strong long secrets or `RS256` tokens. See the [jwt-cracker repository](https://github.com/lmammino/jwt-cracker). 
+ +## Usage + +Download and install using [go module](https://blog.golang.org/using-go-modules): + +```sh +export GO111MODULE=on +go get github.com/appleboy/gin-jwt/v2 +``` + +Import it in your code: + +```go +import "github.com/appleboy/gin-jwt/v2" +``` + +Download and install without using [go module](https://blog.golang.org/using-go-modules): + +```sh +go get github.com/appleboy/gin-jwt +``` + +Import it in your code: + +```go +import "github.com/appleboy/gin-jwt" +``` + +## Example + +Please see [the example file](_example/basic/server.go) and you can use `ExtractClaims` to fetch user data. + + +```go +package main + +import ( + "log" + "net/http" + "os" + "time" + + jwt "github.com/appleboy/gin-jwt/v2" + "github.com/gin-gonic/gin" +) + +type login struct { + Username string `form:"username" json:"username" binding:"required"` + Password string `form:"password" json:"password" binding:"required"` +} + +var identityKey = "id" + +func helloHandler(c *gin.Context) { + claims := jwt.ExtractClaims(c) + user, _ := c.Get(identityKey) + c.JSON(200, gin.H{ + "userID": claims[identityKey], + "userName": user.(*User).UserName, + "text": "Hello World.", + }) +} + +// User demo +type User struct { + UserName string + FirstName string + LastName string +} + +func main() { + port := os.Getenv("PORT") + r := gin.New() + r.Use(gin.Logger()) + r.Use(gin.Recovery()) + + if port == "" { + port = "8000" + } + + // the jwt middleware + authMiddleware, err := jwt.New(&jwt.GinJWTMiddleware{ + Realm: "test zone", + Key: []byte("secret key"), + Timeout: time.Hour, + MaxRefresh: time.Hour, + IdentityKey: identityKey, + PayloadFunc: func(data interface{}) jwt.MapClaims { + if v, ok := data.(*User); ok { + return jwt.MapClaims{ + identityKey: v.UserName, + } + } + return jwt.MapClaims{} + }, + IdentityHandler: func(c *gin.Context) interface{} { + claims := jwt.ExtractClaims(c) + return &User{ + UserName: claims[identityKey].(string), + } + }, + Authenticator: func(c *gin.Context) 
(interface{}, error) { + var loginVals login + if err := c.ShouldBind(&loginVals); err != nil { + return "", jwt.ErrMissingLoginValues + } + userID := loginVals.Username + password := loginVals.Password + + if (userID == "admin" && password == "admin") || (userID == "test" && password == "test") { + return &User{ + UserName: userID, + LastName: "Bo-Yi", + FirstName: "Wu", + }, nil + } + + return nil, jwt.ErrFailedAuthentication + }, + Authorizator: func(data interface{}, c *gin.Context) bool { + if v, ok := data.(*User); ok && v.UserName == "admin" { + return true + } + + return false + }, + Unauthorized: func(c *gin.Context, code int, message string) { + c.JSON(code, gin.H{ + "code": code, + "message": message, + }) + }, + // TokenLookup is a string in the form of ":" that is used + // to extract token from the request. + // Optional. Default value "header:Authorization". + // Possible values: + // - "header:" + // - "query:" + // - "cookie:" + // - "param:" + TokenLookup: "header: Authorization, query: token, cookie: jwt", + // TokenLookup: "query:token", + // TokenLookup: "cookie:token", + + // TokenHeadName is a string in the header. Default value is "Bearer" + TokenHeadName: "Bearer", + + // TimeFunc provides the current time. You can override it to use another time value. This is useful for testing or if your server uses a different time zone than your tokens. + TimeFunc: time.Now, + }) + + if err != nil { + log.Fatal("JWT Error:" + err.Error()) + } + + // When you use jwt.New(), the function is already automatically called for checking, + // which means you don't need to call it again. 
+ errInit := authMiddleware.MiddlewareInit() + + if errInit != nil { + log.Fatal("authMiddleware.MiddlewareInit() Error:" + errInit.Error()) + } + + r.POST("/login", authMiddleware.LoginHandler) + + r.NoRoute(authMiddleware.MiddlewareFunc(), func(c *gin.Context) { + claims := jwt.ExtractClaims(c) + log.Printf("NoRoute claims: %#v\n", claims) + c.JSON(404, gin.H{"code": "PAGE_NOT_FOUND", "message": "Page not found"}) + }) + + auth := r.Group("/auth") + // Refresh time can be longer than token timeout + auth.GET("/refresh_token", authMiddleware.RefreshHandler) + auth.Use(authMiddleware.MiddlewareFunc()) + { + auth.GET("/hello", helloHandler) + } + + if err := http.ListenAndServe(":"+port, r); err != nil { + log.Fatal(err) + } +} +``` + +## Demo + +Please run _example/server.go file and listen `8000` port. + +```sh +go run _example/server.go +``` + +Download and install [httpie](https://github.com/jkbrzt/httpie) CLI HTTP client. + +### Login API + +```sh +http -v --json POST localhost:8000/login username=admin password=admin +``` + +Output screenshot + +![api screenshot](screenshot/login.png) + +### Refresh token API + +```bash +http -v -f GET localhost:8000/auth/refresh_token "Authorization:Bearer xxxxxxxxx" "Content-Type: application/json" +``` + +Output screenshot + +![api screenshot](screenshot/refresh_token.png) + +### Hello world + +Please login as `admin` and password as `admin` + +```bash +http -f GET localhost:8000/auth/hello "Authorization:Bearer xxxxxxxxx" "Content-Type: application/json" +``` + +Response message `200 OK`: + +```sh +HTTP/1.1 200 OK +Content-Length: 24 +Content-Type: application/json; charset=utf-8 +Date: Sat, 19 Mar 2016 03:02:57 GMT + +{ + "text": "Hello World.", + "userID": "admin" +} +``` + +### Authorization + +Please login as `test` and password as `test` + +```bash +http -f GET localhost:8000/auth/hello "Authorization:Bearer xxxxxxxxx" "Content-Type: application/json" +``` + +Response message `403 Forbidden`: + +```sh +HTTP/1.1 403 
Forbidden +Content-Length: 62 +Content-Type: application/json; charset=utf-8 +Date: Sat, 19 Mar 2016 03:05:40 GMT +Www-Authenticate: JWT realm=test zone + +{ + "code": 403, + "message": "You don't have permission to access." +} +``` + +### Cookie Token + +Use these options for setting the JWT in a cookie. See the Mozilla [documentation](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#Secure_and_HttpOnly_cookies) for more information on these options. + +```go + SendCookie: true, + SecureCookie: false, //non HTTPS dev environments + CookieHTTPOnly: true, // JS can't modify + CookieDomain: "localhost:8080", + CookieName: "token", // default jwt + TokenLookup: "cookie:token", + CookieSameSite: http.SameSiteDefaultMode, //SameSiteDefaultMode, SameSiteLaxMode, SameSiteStrictMode, SameSiteNoneMode +``` + +### Login request flow (using the LoginHandler) + +1. PROVIDED: `LoginHandler` + + This is a provided function to be called on any login endpoint, which will trigger the flow described below. + +2. REQUIRED: `Authenticator` + This function should verify the user credentials given the gin context (i.e. password matches hashed password for a given user email, and any other authentication logic). Then the authenticator should return a struct or map that contains the user data that will be embedded in the jwt token. This might be something like an account id, role, is_verified, etc. After having successfully authenticated, the data returned from the authenticator is passed in as a parameter into the `PayloadFunc`, which is used to embed the user identifiers mentioned above into the jwt token. If an error is returned, the `Unauthorized` function is used (explained below). + +3. OPTIONAL: `PayloadFunc` + + This function is called after having successfully authenticated (logged in). It should take whatever was returned from `Authenticator` and convert it into `MapClaims` (i.e. map[string]interface{}). 
A typical use case of this function is for when `Authenticator` returns a struct which holds the user identifiers, and that struct needs to be converted into a map. `MapClaims` should include one element that is [`IdentityKey` (default is "identity"): some_user_identity]. The elements of `MapClaims` returned in `PayloadFunc` will be embedded within the jwt token (as token claims). When users pass in their token on subsequent requests, you can get these claims back by using `ExtractClaims`. + +4. OPTIONAL: `LoginResponse` + + After having successfully authenticated with `Authenticator`, created the jwt token using the identifiers from map returned from `PayloadFunc`, and set it as a cookie if `SendCookie` is enabled, this function is called. It is used to handle any post-login logic. This might look something like using the gin context to return a JSON of the token back to the user. + +### Subsequent requests on endpoints requiring jwt token (using MiddlewareFunc). + +1. PROVIDED: `MiddlewareFunc` + + This is gin middleware that should be used within any endpoints that require the jwt token to be present. This middleware will parse the request headers for the token if it exists, and check that the jwt token is valid (not expired, correct signature). Then it will call `IdentityHandler` followed by `Authorizator`. If `Authorizator` passes and all of the previous token validity checks passed, the middleware will continue the request. If any of these checks fail, the `Unauthorized` function is used (explained below). + +2. OPTIONAL: `IdentityHandler` + + The default of this function is likely sufficient for your needs. The purpose of this function is to fetch the user identity from claims embedded within the jwt token, and pass this identity value to `Authorizator`. This function assummes [`IdentityKey`: some_user_identity] is one of the attributes embedded within the claims of the jwt token (determined by `PayloadFunc`). + +3. 
OPTIONAL: `Authorizator` + + Given the user identity value (`data` parameter) and the gin context, this function should check if the user is authorized to be reaching this endpoint (on the endpoints where the `MiddlewareFunc` applies). This function should likely use `ExtractClaims` to check if the user has the sufficient permissions to reach this endpoint, as opposed to hitting the database on every request. This function should return true if the user is authorized to continue through with the request, or false if they are not authorized (where `Unauthorized` will be called). + +### Logout Request flow (using LogoutHandler) + +1. PROVIDED: `LogoutHandler` + + This is a provided function to be called on any logout endpoint, which will clear any cookies if `SendCookie` is set, and then call `LogoutResponse`. + +2. OPTIONAL: `LogoutResponse` + + This should likely just return back to the user the http status code, if logout was successful or not. + +### Refresh Request flow (using RefreshHandler) + +1. PROVIDED: `RefreshHandler`: + + This is a provided function to be called on any refresh token endpoint. If the token passed in is was issued within the `MaxRefreshTime` time frame, then this handler will create/set a new token similar to the `LoginHandler`, and pass this token into `RefreshResponse` + +2. OPTIONAL: `RefreshResponse`: + + This should likely return a JSON of the token back to the user, similar to `LoginResponse` + +### Failures with logging in, bad tokens, or lacking privileges + +1. OPTIONAL `Unauthorized`: + + On any error logging in, authorizing the user, or when there was no token or a invalid token passed in with the request, the following will happen. The gin context will be aborted depending on `DisabledAbort`, then `HTTPStatusMessageFunc` is called which by default converts the error into a string. Finally the `Unauthorized` function will be called. 
This function should likely return a JSON containing the http error code and error message to the user. diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/appleboy/gin-jwt/v2/auth_jwt.go b/go/ql/test/experimental/CWE-321/vendor/github.com/appleboy/gin-jwt/v2/auth_jwt.go new file mode 100644 index 000000000000..89ec00d862e4 --- /dev/null +++ b/go/ql/test/experimental/CWE-321/vendor/github.com/appleboy/gin-jwt/v2/auth_jwt.go 
@@ -0,0 +1,821 @@ +package jwt + +import ( + "crypto/rsa" + "errors" + "io/ioutil" + "net/http" + "strings" + "time" + + "github.com/gin-gonic/gin" + "github.com/golang-jwt/jwt/v4" +) + +// MapClaims type that uses the map[string]interface{} for JSON decoding +// This is the default claims type if you don't supply one +type MapClaims map[string]interface{} + +// GinJWTMiddleware provides a Json-Web-Token authentication implementation. On failure, a 401 HTTP response +// is returned. On success, the wrapped middleware is called, and the userID is made available as +// c.Get("userID").(string). +// Users can get a token by posting a json request to LoginHandler. The token then needs to be passed in +// the Authentication header. Example: Authorization:Bearer XXX_TOKEN_XXX +type GinJWTMiddleware struct { + // Realm name to display to the user. Required. + Realm string + + // signing algorithm - possible values are HS256, HS384, HS512, RS256, RS384 or RS512 + // Optional, default is HS256. + SigningAlgorithm string + + // Secret key used for signing. Required. + Key []byte + + // Callback to retrieve key used for signing. Setting KeyFunc will bypass + // all other key settings + KeyFunc func(token *jwt.Token) (interface{}, error) + + // Duration that a jwt token is valid. Optional, defaults to one hour. + Timeout time.Duration + + // This field allows clients to refresh their token until MaxRefresh has passed. + // Note that clients can refresh their token in the last moment of MaxRefresh. + // This means that the maximum validity timespan for a token is TokenTime + MaxRefresh. + // Optional, defaults to 0 meaning not refreshable. + MaxRefresh time.Duration + + // Callback function that should perform the authentication of the user based on login info. + // Must return user data as user identifier, it will be stored in Claim Array. Required. + // Check error (e) to determine the appropriate error message. 
+ Authenticator func(c *gin.Context) (interface{}, error) + + // Callback function that should perform the authorization of the authenticated user. Called + // only after an authentication success. Must return true on success, false on failure. + // Optional, default to success. + Authorizator func(data interface{}, c *gin.Context) bool + + // Callback function that will be called during login. + // Using this function it is possible to add additional payload data to the webtoken. + // The data is then made available during requests via c.Get("JWT_PAYLOAD"). + // Note that the payload is not encrypted. + // The attributes mentioned on jwt.io can't be used as keys for the map. + // Optional, by default no additional data will be set. + PayloadFunc func(data interface{}) MapClaims + + // User can define own Unauthorized func. + Unauthorized func(c *gin.Context, code int, message string) + + // User can define own LoginResponse func. + LoginResponse func(c *gin.Context, code int, message string, time time.Time) + + // User can define own LogoutResponse func. + LogoutResponse func(c *gin.Context, code int) + + // User can define own RefreshResponse func. + RefreshResponse func(c *gin.Context, code int, message string, time time.Time) + + // Set the identity handler function + IdentityHandler func(*gin.Context) interface{} + + // Set the identity key + IdentityKey string + + // TokenLookup is a string in the form of ":" that is used + // to extract token from the request. + // Optional. Default value "header:Authorization". + // Possible values: + // - "header:" + // - "query:" + // - "cookie:" + TokenLookup string + + // TokenHeadName is a string in the header. Default value is "Bearer" + TokenHeadName string + + // TimeFunc provides the current time. You can override it to use another time value. This is useful for testing or if your server uses a different time zone than your tokens. 
+ TimeFunc func() time.Time + + // HTTP Status messages for when something in the JWT middleware fails. + // Check error (e) to determine the appropriate error message. + HTTPStatusMessageFunc func(e error, c *gin.Context) string + + // Private key file for asymmetric algorithms + PrivKeyFile string + + // Private Key bytes for asymmetric algorithms + // + // Note: PrivKeyFile takes precedence over PrivKeyBytes if both are set + PrivKeyBytes []byte + + // Public key file for asymmetric algorithms + PubKeyFile string + + // Private key passphrase + PrivateKeyPassphrase string + + // Public key bytes for asymmetric algorithms. + // + // Note: PubKeyFile takes precedence over PubKeyBytes if both are set + PubKeyBytes []byte + + // Private key + privKey *rsa.PrivateKey + + // Public key + pubKey *rsa.PublicKey + + // Optionally return the token as a cookie + SendCookie bool + + // Duration that a cookie is valid. Optional, by default equals to Timeout value. + CookieMaxAge time.Duration + + // Allow insecure cookies for development over http + SecureCookie bool + + // Allow cookies to be accessed client side for development + CookieHTTPOnly bool + + // Allow cookie domain change for development + CookieDomain string + + // SendAuthorization allow return authorization header for every request + SendAuthorization bool + + // Disable abort() of context. 
+ DisabledAbort bool + + // CookieName allow cookie name change for development + CookieName string + + // CookieSameSite allow use http.SameSite cookie param + CookieSameSite http.SameSite +} + +var ( + // ErrMissingSecretKey indicates Secret key is required + ErrMissingSecretKey = errors.New("secret key is required") + + // ErrForbidden when HTTP status 403 is given + ErrForbidden = errors.New("you don't have permission to access this resource") + + // ErrMissingAuthenticatorFunc indicates Authenticator is required + ErrMissingAuthenticatorFunc = errors.New("ginJWTMiddleware.Authenticator func is undefined") + + // ErrMissingLoginValues indicates a user tried to authenticate without username or password + ErrMissingLoginValues = errors.New("missing Username or Password") + + // ErrFailedAuthentication indicates authentication failed, could be faulty username or password + ErrFailedAuthentication = errors.New("incorrect Username or Password") + + // ErrFailedTokenCreation indicates JWT Token failed to create, reason unknown + ErrFailedTokenCreation = errors.New("failed to create JWT Token") + + // ErrExpiredToken indicates JWT token has expired. Can't refresh. 
+ ErrExpiredToken = errors.New("token is expired") // in practice, this is generated from the jwt library not by us + + // ErrEmptyAuthHeader can be thrown if authing with a HTTP header, the Auth header needs to be set + ErrEmptyAuthHeader = errors.New("auth header is empty") + + // ErrMissingExpField missing exp field in token + ErrMissingExpField = errors.New("missing exp field") + + // ErrWrongFormatOfExp field must be float64 format + ErrWrongFormatOfExp = errors.New("exp must be float64 format") + + // ErrInvalidAuthHeader indicates auth header is invalid, could for example have the wrong Realm name + ErrInvalidAuthHeader = errors.New("auth header is invalid") + + // ErrEmptyQueryToken can be thrown if authing with URL Query, the query token variable is empty + ErrEmptyQueryToken = errors.New("query token is empty") + + // ErrEmptyCookieToken can be thrown if authing with a cookie, the token cookie is empty + ErrEmptyCookieToken = errors.New("cookie token is empty") + + // ErrEmptyParamToken can be thrown if authing with parameter in path, the parameter in path is empty + ErrEmptyParamToken = errors.New("parameter token is empty") + + // ErrInvalidSigningAlgorithm indicates signing algorithm is invalid, needs to be HS256, HS384, HS512, RS256, RS384 or RS512 + ErrInvalidSigningAlgorithm = errors.New("invalid signing algorithm") + + // ErrNoPrivKeyFile indicates that the given private key is unreadable + ErrNoPrivKeyFile = errors.New("private key file unreadable") + + // ErrNoPubKeyFile indicates that the given public key is unreadable + ErrNoPubKeyFile = errors.New("public key file unreadable") + + // ErrInvalidPrivKey indicates that the given private key is invalid + ErrInvalidPrivKey = errors.New("private key invalid") + + // ErrInvalidPubKey indicates the the given public key is invalid + ErrInvalidPubKey = errors.New("public key invalid") + + // IdentityKey default identity key + IdentityKey = "identity" +) + +// New for check error with GinJWTMiddleware 
+func New(m *GinJWTMiddleware) (*GinJWTMiddleware, error) { + if err := m.MiddlewareInit(); err != nil { + return nil, err + } + + return m, nil +} + +func (mw *GinJWTMiddleware) readKeys() error { + err := mw.privateKey() + if err != nil { + return err + } + err = mw.publicKey() + if err != nil { + return err + } + return nil +} + +func (mw *GinJWTMiddleware) privateKey() error { + var keyData []byte + if mw.PrivKeyFile == "" { + keyData = mw.PrivKeyBytes + } else { + filecontent, err := ioutil.ReadFile(mw.PrivKeyFile) + if err != nil { + return ErrNoPrivKeyFile + } + keyData = filecontent + } + + if mw.PrivateKeyPassphrase != "" { + //nolint:staticcheck + key, err := jwt.ParseRSAPrivateKeyFromPEMWithPassword(keyData, mw.PrivateKeyPassphrase) + if err != nil { + return ErrInvalidPrivKey + } + mw.privKey = key + return nil + } + + key, err := jwt.ParseRSAPrivateKeyFromPEM(keyData) + if err != nil { + return ErrInvalidPrivKey + } + mw.privKey = key + return nil +} + +func (mw *GinJWTMiddleware) publicKey() error { + var keyData []byte + if mw.PubKeyFile == "" { + keyData = mw.PubKeyBytes + } else { + filecontent, err := ioutil.ReadFile(mw.PubKeyFile) + if err != nil { + return ErrNoPubKeyFile + } + keyData = filecontent + } + + key, err := jwt.ParseRSAPublicKeyFromPEM(keyData) + if err != nil { + return ErrInvalidPubKey + } + mw.pubKey = key + return nil +} + +func (mw *GinJWTMiddleware) usingPublicKeyAlgo() bool { + switch mw.SigningAlgorithm { + case "RS256", "RS512", "RS384": + return true + } + return false +} + +// MiddlewareInit initialize jwt configs. 
+func (mw *GinJWTMiddleware) MiddlewareInit() error { + if mw.TokenLookup == "" { + mw.TokenLookup = "header:Authorization" + } + + if mw.SigningAlgorithm == "" { + mw.SigningAlgorithm = "HS256" + } + + if mw.Timeout == 0 { + mw.Timeout = time.Hour + } + + if mw.TimeFunc == nil { + mw.TimeFunc = time.Now + } + + mw.TokenHeadName = strings.TrimSpace(mw.TokenHeadName) + if len(mw.TokenHeadName) == 0 { + mw.TokenHeadName = "Bearer" + } + + if mw.Authorizator == nil { + mw.Authorizator = func(data interface{}, c *gin.Context) bool { + return true + } + } + + if mw.Unauthorized == nil { + mw.Unauthorized = func(c *gin.Context, code int, message string) { + c.JSON(code, gin.H{ + "code": code, + "message": message, + }) + } + } + + if mw.LoginResponse == nil { + mw.LoginResponse = func(c *gin.Context, code int, token string, expire time.Time) { + c.JSON(http.StatusOK, gin.H{ + "code": http.StatusOK, + "token": token, + "expire": expire.Format(time.RFC3339), + }) + } + } + + if mw.LogoutResponse == nil { + mw.LogoutResponse = func(c *gin.Context, code int) { + c.JSON(http.StatusOK, gin.H{ + "code": http.StatusOK, + }) + } + } + + if mw.RefreshResponse == nil { + mw.RefreshResponse = func(c *gin.Context, code int, token string, expire time.Time) { + c.JSON(http.StatusOK, gin.H{ + "code": http.StatusOK, + "token": token, + "expire": expire.Format(time.RFC3339), + }) + } + } + + if mw.IdentityKey == "" { + mw.IdentityKey = IdentityKey + } + + if mw.IdentityHandler == nil { + mw.IdentityHandler = func(c *gin.Context) interface{} { + claims := ExtractClaims(c) + return claims[mw.IdentityKey] + } + } + + if mw.HTTPStatusMessageFunc == nil { + mw.HTTPStatusMessageFunc = func(e error, c *gin.Context) string { + return e.Error() + } + } + + if mw.Realm == "" { + mw.Realm = "gin jwt" + } + + if mw.CookieMaxAge == 0 { + mw.CookieMaxAge = mw.Timeout + } + + if mw.CookieName == "" { + mw.CookieName = "jwt" + } + + // bypass other key settings if KeyFunc is set + if mw.KeyFunc != nil { 
+ return nil + } + + if mw.usingPublicKeyAlgo() { + return mw.readKeys() + } + + if mw.Key == nil { + return ErrMissingSecretKey + } + return nil +} + +// MiddlewareFunc makes GinJWTMiddleware implement the Middleware interface. +func (mw *GinJWTMiddleware) MiddlewareFunc() gin.HandlerFunc { + return func(c *gin.Context) { + mw.middlewareImpl(c) + } +} + +func (mw *GinJWTMiddleware) middlewareImpl(c *gin.Context) { + claims, err := mw.GetClaimsFromJWT(c) + if err != nil { + mw.unauthorized(c, http.StatusUnauthorized, mw.HTTPStatusMessageFunc(err, c)) + return + } + + if claims["exp"] == nil { + mw.unauthorized(c, http.StatusBadRequest, mw.HTTPStatusMessageFunc(ErrMissingExpField, c)) + return + } + + if _, ok := claims["exp"].(float64); !ok { + mw.unauthorized(c, http.StatusBadRequest, mw.HTTPStatusMessageFunc(ErrWrongFormatOfExp, c)) + return + } + + if int64(claims["exp"].(float64)) < mw.TimeFunc().Unix() { + mw.unauthorized(c, http.StatusUnauthorized, mw.HTTPStatusMessageFunc(ErrExpiredToken, c)) + return + } + + c.Set("JWT_PAYLOAD", claims) + identity := mw.IdentityHandler(c) + + if identity != nil { + c.Set(mw.IdentityKey, identity) + } + + if !mw.Authorizator(identity, c) { + mw.unauthorized(c, http.StatusForbidden, mw.HTTPStatusMessageFunc(ErrForbidden, c)) + return + } + + c.Next() +} + +// GetClaimsFromJWT get claims from JWT token +func (mw *GinJWTMiddleware) GetClaimsFromJWT(c *gin.Context) (MapClaims, error) { + token, err := mw.ParseToken(c) + if err != nil { + return nil, err + } + + if mw.SendAuthorization { + if v, ok := c.Get("JWT_TOKEN"); ok { + c.Header("Authorization", mw.TokenHeadName+" "+v.(string)) + } + } + + claims := MapClaims{} + for key, value := range token.Claims.(jwt.MapClaims) { + claims[key] = value + } + + return claims, nil +} + +// LoginHandler can be used by clients to get a jwt token. +// Payload needs to be json in the form of {"username": "USERNAME", "password": "PASSWORD"}. +// Reply will be of the form {"token": "TOKEN"}. 
+func (mw *GinJWTMiddleware) LoginHandler(c *gin.Context) { + if mw.Authenticator == nil { + mw.unauthorized(c, http.StatusInternalServerError, mw.HTTPStatusMessageFunc(ErrMissingAuthenticatorFunc, c)) + return + } + + data, err := mw.Authenticator(c) + if err != nil { + mw.unauthorized(c, http.StatusUnauthorized, mw.HTTPStatusMessageFunc(err, c)) + return + } + + // Create the token + token := jwt.New(jwt.GetSigningMethod(mw.SigningAlgorithm)) + claims := token.Claims.(jwt.MapClaims) + + if mw.PayloadFunc != nil { + for key, value := range mw.PayloadFunc(data) { + claims[key] = value + } + } + + expire := mw.TimeFunc().Add(mw.Timeout) + claims["exp"] = expire.Unix() + claims["orig_iat"] = mw.TimeFunc().Unix() + tokenString, err := mw.signedString(token) + if err != nil { + mw.unauthorized(c, http.StatusUnauthorized, mw.HTTPStatusMessageFunc(ErrFailedTokenCreation, c)) + return + } + + // set cookie + if mw.SendCookie { + expireCookie := mw.TimeFunc().Add(mw.CookieMaxAge) + maxage := int(expireCookie.Unix() - mw.TimeFunc().Unix()) + + if mw.CookieSameSite != 0 { + c.SetSameSite(mw.CookieSameSite) + } + + c.SetCookie( + mw.CookieName, + tokenString, + maxage, + "/", + mw.CookieDomain, + mw.SecureCookie, + mw.CookieHTTPOnly, + ) + } + + mw.LoginResponse(c, http.StatusOK, tokenString, expire) +} + +// LogoutHandler can be used by clients to remove the jwt cookie (if set) +func (mw *GinJWTMiddleware) LogoutHandler(c *gin.Context) { + // delete auth cookie + if mw.SendCookie { + if mw.CookieSameSite != 0 { + c.SetSameSite(mw.CookieSameSite) + } + + c.SetCookie( + mw.CookieName, + "", + -1, + "/", + mw.CookieDomain, + mw.SecureCookie, + mw.CookieHTTPOnly, + ) + } + + mw.LogoutResponse(c, http.StatusOK) +} + +func (mw *GinJWTMiddleware) signedString(token *jwt.Token) (string, error) { + var tokenString string + var err error + if mw.usingPublicKeyAlgo() { + tokenString, err = token.SignedString(mw.privKey) + } else { + tokenString, err = token.SignedString(mw.Key) + } + 
return tokenString, err +} + +// RefreshHandler can be used to refresh a token. The token still needs to be valid on refresh. +// Shall be put under an endpoint that is using the GinJWTMiddleware. +// Reply will be of the form {"token": "TOKEN"}. +func (mw *GinJWTMiddleware) RefreshHandler(c *gin.Context) { + tokenString, expire, err := mw.RefreshToken(c) + if err != nil { + mw.unauthorized(c, http.StatusUnauthorized, mw.HTTPStatusMessageFunc(err, c)) + return + } + + mw.RefreshResponse(c, http.StatusOK, tokenString, expire) +} + +// RefreshToken refresh token and check if token is expired +func (mw *GinJWTMiddleware) RefreshToken(c *gin.Context) (string, time.Time, error) { + claims, err := mw.CheckIfTokenExpire(c) + if err != nil { + return "", time.Now(), err + } + + // Create the token + newToken := jwt.New(jwt.GetSigningMethod(mw.SigningAlgorithm)) + newClaims := newToken.Claims.(jwt.MapClaims) + + for key := range claims { + newClaims[key] = claims[key] + } + + expire := mw.TimeFunc().Add(mw.Timeout) + newClaims["exp"] = expire.Unix() + newClaims["orig_iat"] = mw.TimeFunc().Unix() + tokenString, err := mw.signedString(newToken) + if err != nil { + return "", time.Now(), err + } + + // set cookie + if mw.SendCookie { + expireCookie := mw.TimeFunc().Add(mw.CookieMaxAge) + maxage := int(expireCookie.Unix() - time.Now().Unix()) + + if mw.CookieSameSite != 0 { + c.SetSameSite(mw.CookieSameSite) + } + + c.SetCookie( + mw.CookieName, + tokenString, + maxage, + "/", + mw.CookieDomain, + mw.SecureCookie, + mw.CookieHTTPOnly, + ) + } + + return tokenString, expire, nil +} + +// CheckIfTokenExpire check if token expire +func (mw *GinJWTMiddleware) CheckIfTokenExpire(c *gin.Context) (jwt.MapClaims, error) { + token, err := mw.ParseToken(c) + if err != nil { + // If we receive an error, and the error is anything other than a single + // ValidationErrorExpired, we want to return the error. 
+ // If the error is just ValidationErrorExpired, we want to continue, as we can still + // refresh the token if it's within the MaxRefresh time. + // (see https://github.com/appleboy/gin-jwt/issues/176) + validationErr, ok := err.(*jwt.ValidationError) + if !ok || validationErr.Errors != jwt.ValidationErrorExpired { + return nil, err + } + } + + claims := token.Claims.(jwt.MapClaims) + + origIat := int64(claims["orig_iat"].(float64)) + + if origIat < mw.TimeFunc().Add(-mw.MaxRefresh).Unix() { + return nil, ErrExpiredToken + } + + return claims, nil +} + +// TokenGenerator method that clients can use to get a jwt token. +func (mw *GinJWTMiddleware) TokenGenerator(data interface{}) (string, time.Time, error) { + token := jwt.New(jwt.GetSigningMethod(mw.SigningAlgorithm)) + claims := token.Claims.(jwt.MapClaims) + + if mw.PayloadFunc != nil { + for key, value := range mw.PayloadFunc(data) { + claims[key] = value + } + } + + expire := mw.TimeFunc().UTC().Add(mw.Timeout) + claims["exp"] = expire.Unix() + claims["orig_iat"] = mw.TimeFunc().Unix() + tokenString, err := mw.signedString(token) + if err != nil { + return "", time.Time{}, err + } + + return tokenString, expire, nil +} + +func (mw *GinJWTMiddleware) jwtFromHeader(c *gin.Context, key string) (string, error) { + authHeader := c.Request.Header.Get(key) + + if authHeader == "" { + return "", ErrEmptyAuthHeader + } + + parts := strings.SplitN(authHeader, " ", 2) + if !(len(parts) == 2 && parts[0] == mw.TokenHeadName) { + return "", ErrInvalidAuthHeader + } + + return parts[1], nil +} + +func (mw *GinJWTMiddleware) jwtFromQuery(c *gin.Context, key string) (string, error) { + token := c.Query(key) + + if token == "" { + return "", ErrEmptyQueryToken + } + + return token, nil +} + +func (mw *GinJWTMiddleware) jwtFromCookie(c *gin.Context, key string) (string, error) { + cookie, _ := c.Cookie(key) + + if cookie == "" { + return "", ErrEmptyCookieToken + } + + return cookie, nil +} + +func (mw *GinJWTMiddleware) 
jwtFromParam(c *gin.Context, key string) (string, error) { + token := c.Param(key) + + if token == "" { + return "", ErrEmptyParamToken + } + + return token, nil +} + +// ParseToken parse jwt token from gin context +func (mw *GinJWTMiddleware) ParseToken(c *gin.Context) (*jwt.Token, error) { + var token string + var err error + + methods := strings.Split(mw.TokenLookup, ",") + for _, method := range methods { + if len(token) > 0 { + break + } + parts := strings.Split(strings.TrimSpace(method), ":") + k := strings.TrimSpace(parts[0]) + v := strings.TrimSpace(parts[1]) + switch k { + case "header": + token, err = mw.jwtFromHeader(c, v) + case "query": + token, err = mw.jwtFromQuery(c, v) + case "cookie": + token, err = mw.jwtFromCookie(c, v) + case "param": + token, err = mw.jwtFromParam(c, v) + } + } + + if err != nil { + return nil, err + } + + if mw.KeyFunc != nil { + return jwt.Parse(token, mw.KeyFunc) + } + + return jwt.Parse(token, func(t *jwt.Token) (interface{}, error) { + if jwt.GetSigningMethod(mw.SigningAlgorithm) != t.Method { + return nil, ErrInvalidSigningAlgorithm + } + if mw.usingPublicKeyAlgo() { + return mw.pubKey, nil + } + + // save token string if vaild + c.Set("JWT_TOKEN", token) + + return mw.Key, nil + }) +} + +// ParseTokenString parse jwt token string +func (mw *GinJWTMiddleware) ParseTokenString(token string) (*jwt.Token, error) { + if mw.KeyFunc != nil { + return jwt.Parse(token, mw.KeyFunc) + } + + return jwt.Parse(token, func(t *jwt.Token) (interface{}, error) { + if jwt.GetSigningMethod(mw.SigningAlgorithm) != t.Method { + return nil, ErrInvalidSigningAlgorithm + } + if mw.usingPublicKeyAlgo() { + return mw.pubKey, nil + } + + return mw.Key, nil + }) +} + +func (mw *GinJWTMiddleware) unauthorized(c *gin.Context, code int, message string) { + c.Header("WWW-Authenticate", "JWT realm="+mw.Realm) + if !mw.DisabledAbort { + c.Abort() + } + + mw.Unauthorized(c, code, message) +} + +// ExtractClaims help to extract the JWT claims +func 
ExtractClaims(c *gin.Context) MapClaims { + claims, exists := c.Get("JWT_PAYLOAD") + if !exists { + return make(MapClaims) + } + + return claims.(MapClaims) +} + +// ExtractClaimsFromToken help to extract the JWT claims from token +func ExtractClaimsFromToken(token *jwt.Token) MapClaims { + if token == nil { + return make(MapClaims) + } + + claims := MapClaims{} + for key, value := range token.Claims.(jwt.MapClaims) { + claims[key] = value + } + + return claims +} + +// GetToken help to get the JWT token string +func GetToken(c *gin.Context) string { + token, exists := c.Get("JWT_TOKEN") + if !exists { + return "" + } + + return token.(string) +} diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/appleboy/gin-jwt/v2/stub.go b/go/ql/test/experimental/CWE-321/vendor/github.com/appleboy/gin-jwt/v2/stub.go deleted file mode 100644 index 87a117f1f921..000000000000 --- a/go/ql/test/experimental/CWE-321/vendor/github.com/appleboy/gin-jwt/v2/stub.go +++ /dev/null 
@@ -1,93 +0,0 @@ -// Code generated by depstubber. DO NOT EDIT. -// This is a simple stub for github.com/appleboy/gin-jwt/v2, strictly for use in testing. - -// See the LICENSE file for information about the licensing of the original library. -// Source: github.com/appleboy/gin-jwt/v2 (exports: GinJWTMiddleware; functions: New) - -// Package gin is a stub of github.com/appleboy/gin-jwt/v2, generated by depstubber. -package gin - -import ( - http "net/http" - time "time" -) - -type GinJWTMiddleware struct { - Realm string - SigningAlgorithm string - Key []byte - KeyFunc func(interface{}) (interface{}, error) - Timeout time.Duration - MaxRefresh time.Duration - Authenticator func(interface{}) (interface{}, error) - Authorizator func(interface{}, interface{}) bool - PayloadFunc func(interface{}) MapClaims - Unauthorized func(interface{}, int, string) - LoginResponse func(interface{}, int, string, time.Time) - LogoutResponse func(interface{}, int) - RefreshResponse func(interface{}, int, string, time.Time) - IdentityHandler func(interface{}) interface{} - IdentityKey string - TokenLookup string - TokenHeadName string - TimeFunc func() time.Time - HTTPStatusMessageFunc func(error, interface{}) string - PrivKeyFile string - PrivKeyBytes []byte - PubKeyFile string - PrivateKeyPassphrase string - PubKeyBytes []byte - SendCookie bool - CookieMaxAge time.Duration - SecureCookie bool - CookieHTTPOnly bool - CookieDomain string - SendAuthorization bool - DisabledAbort bool - CookieName string - CookieSameSite http.SameSite -} - -func (_ *GinJWTMiddleware) CheckIfTokenExpire(_ interface{}) (interface{}, error) { - return nil, nil -} - -func (_ *GinJWTMiddleware) GetClaimsFromJWT(_ interface{}) (MapClaims, error) { - return nil, nil -} - -func (_ *GinJWTMiddleware) LoginHandler(_ interface{}) {} - -func (_ *GinJWTMiddleware) LogoutHandler(_ interface{}) {} - -func (_ *GinJWTMiddleware) MiddlewareFunc() interface{} { - return nil -} - -func (_ *GinJWTMiddleware) MiddlewareInit() 
error { - return nil -} - -func (_ *GinJWTMiddleware) ParseToken(_ interface{}) (interface{}, error) { - return nil, nil -} - -func (_ *GinJWTMiddleware) ParseTokenString(_ string) (interface{}, error) { - return nil, nil -} - -func (_ *GinJWTMiddleware) RefreshHandler(_ interface{}) {} - -func (_ *GinJWTMiddleware) RefreshToken(_ interface{}) (string, time.Time, error) { - return "", time.Time{}, nil -} - -func (_ *GinJWTMiddleware) TokenGenerator(_ interface{}) (string, time.Time, error) { - return "", time.Time{}, nil -} - -type MapClaims map[string]interface{} - -func New(_ *GinJWTMiddleware) (*GinJWTMiddleware, error) { - return nil, nil -} diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/LICENSE b/go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/LICENSE new file mode 100644 index 000000000000..ce4fabaf8c21 --- /dev/null +++ b/go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/LICENSE 
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2019 Oleg Kovalov
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/README.md b/go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/README.md
new file mode 100644
index 000000000000..f00036667eee
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/README.md
@@ -0,0 +1,113 @@
+# jwt
+
+[![build-img]][build-url]
+[![pkg-img]][pkg-url]
+[![reportcard-img]][reportcard-url]
+[![coverage-img]][coverage-url]
+
+JSON Web Token for Go [RFC 7519](https://tools.ietf.org/html/rfc7519), also see [jwt.io](https://jwt.io) for more.
+
+The latest version is `v3`.
+
+## Rationale
+
+There are many JWT libraries, but many of them are hard to use (unclear or fixed API), not optimal (unneeded allocations + strange API). This library addresses all these issues. It's simple to read, to use, memory and CPU conservative.
+
+## Features
+
+* Simple API.
+* Clean and tested code.
+* Optimized for speed.
+* Concurrent-safe.
+* Dependency-free.
+* All well-known algorithms are supported
+ * HMAC (HS)
+ * RSA (RS)
+ * RSA-PSS (PS)
+ * ECDSA (ES)
+ * EdDSA (EdDSA)
+ * or your own!
+
+## Install
+
+Go version 1.13+
+
+```
+GO111MODULE=on go get github.com/cristalhq/jwt/v3
+```
+
+## Example
+
+Build new token:
+
+```go
+// create a Signer (HMAC in this example)
+key := []byte(`secret`)
+signer, err := jwt.NewSignerHS(jwt.HS256, key)
+checkErr(err)
+
+// create claims (you can create your own, see: Example_BuildUserClaims)
+claims := &jwt.RegisteredClaims{
+ Audience: []string{"admin"},
+ ID: "random-unique-string",
+}
+
+// create a Builder
+builder := jwt.NewBuilder(signer)
+
+// and build a Token
+token, err := builder.Build(claims)
+checkErr(err)
+
+// here is token as byte slice
+var _ []byte = token.Bytes() // or just token.String() for string
+```
+
+Parse and verify token:
+```go
+// create a Verifier (HMAC in this example)
+key := []byte(`secret`)
+verifier, err := jwt.NewVerifierHS(jwt.HS256, key)
+checkErr(err)
+
+// parse a Token (by example received from a request)
+tokenStr := ``
+token, err := jwt.ParseString(tokenStr)
+checkErr(err)
+
+// and verify it's signature
+err = verifier.Verify(token.Payload(), token.Signature())
+checkErr(err)
+
+// also you can parse and verify together
+newToken, err := jwt.ParseAndVerifyString(tokenStr, verifier)
+checkErr(err)
+
+// get standard claims
+var newClaims jwt.StandardClaims
+errClaims := json.Unmarshal(newToken.RawClaims(), &newClaims)
+checkErr(errClaims)
+
+// verify claims as you
+var _ bool = newClaims.IsForAudience("admin")
+var _ bool = newClaims.IsValidAt(time.Now())
+```
+
+Also see examples: [example_test.go](https://github.com/cristalhq/jwt/blob/master/example_test.go).
+
+## Documentation
+
+See [these docs][pkg-url].
+
+## License
+
+[MIT License](LICENSE).
+
+[build-img]: https://github.com/cristalhq/jwt/workflows/build/badge.svg
+[build-url]: https://github.com/cristalhq/jwt/actions
+[pkg-img]: https://pkg.go.dev/badge/cristalhq/jwt/v3
+[pkg-url]: https://pkg.go.dev/github.com/cristalhq/jwt/v3
+[reportcard-img]: https://goreportcard.com/badge/cristalhq/jwt
+[reportcard-url]: https://goreportcard.com/report/cristalhq/jwt
+[coverage-img]: https://codecov.io/gh/cristalhq/jwt/branch/master/graph/badge.svg
+[coverage-url]: https://codecov.io/gh/cristalhq/jwt
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/algo.go b/go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/algo.go
new file mode 100644
index 000000000000..c812a3c2278d
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/algo.go
@@ -0,0 +1,81 @@
+package jwt
+
+import (
+ "crypto"
+ _ "crypto/sha256" // to register a hash
+ _ "crypto/sha512" // to register a hash
+)
+
+// Signer is used to sign tokens.
+type Signer interface {
+ Algorithm() Algorithm
+ SignSize() int
+ Sign(payload []byte) ([]byte, error)
+}
+
+// Verifier is used to verify tokens.
+type Verifier interface {
+ Algorithm() Algorithm
+ Verify(payload, signature []byte) error
+}
+
+// Algorithm for signing and verifying.
+type Algorithm string
+
+func (a Algorithm) String() string { return string(a) }
+
+// keySize of the algorithm's key (if exist). Is similar to Signer.SignSize.
+func (a Algorithm) keySize() int { return algsKeySize[a] }
+
+var algsKeySize = map[Algorithm]int{
+ // for EdDSA private and public key have different sizes, so 0
+ // for HS there is no limits for key size, so 0
+
+ RS256: 256,
+ RS384: 384,
+ RS512: 512,
+
+ ES256: 64,
+ ES384: 96,
+ ES512: 132,
+
+ PS256: 256,
+ PS384: 384,
+ PS512: 512,
+}
+
+// Algorithm names for signing and verifying.
+const (
+ EdDSA Algorithm = "EdDSA"
+
+ HS256 Algorithm = "HS256"
+ HS384 Algorithm = "HS384"
+ HS512 Algorithm = "HS512"
+
+ RS256 Algorithm = "RS256"
+ RS384 Algorithm = "RS384"
+ RS512 Algorithm = "RS512"
+
+ ES256 Algorithm = "ES256"
+ ES384 Algorithm = "ES384"
+ ES512 Algorithm = "ES512"
+
+ PS256 Algorithm = "PS256"
+ PS384 Algorithm = "PS384"
+ PS512 Algorithm = "PS512"
+)
+
+func hashPayload(hash crypto.Hash, payload []byte) ([]byte, error) {
+ hasher := hash.New()
+
+ _, err := hasher.Write(payload)
+ if err != nil {
+ return nil, err
+ }
+ signed := hasher.Sum(nil)
+ return signed, nil
+}
+
+func constTimeAlgEqual(a, b Algorithm) bool {
+ return constTimeEqual(a.String(), b.String())
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/algo_eddsa.go b/go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/algo_eddsa.go
new file mode 100644
index 000000000000..1af3d3ffabaf
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/algo_eddsa.go
@@ -0,0 +1,65 @@
+package jwt
+
+import (
+ "crypto/ed25519"
+)
+
+// NewSignerEdDSA returns a new ed25519-based signer.
+func NewSignerEdDSA(key ed25519.PrivateKey) (Signer, error) {
+ if len(key) == 0 {
+ return nil, ErrNilKey
+ }
+ if len(key) != ed25519.PrivateKeySize {
+ return nil, ErrInvalidKey
+ }
+ return &edDSAAlg{
+ alg: EdDSA,
+ privateKey: key,
+ }, nil
+}
+
+// NewVerifierEdDSA returns a new ed25519-based verifier.
+func NewVerifierEdDSA(key ed25519.PublicKey) (Verifier, error) {
+ if len(key) == 0 {
+ return nil, ErrNilKey
+ }
+ if len(key) != ed25519.PublicKeySize {
+ return nil, ErrInvalidKey
+ }
+ return &edDSAAlg{
+ alg: EdDSA,
+ publicKey: key,
+ }, nil
+}
+
+type edDSAAlg struct {
+ alg Algorithm
+ publicKey ed25519.PublicKey
+ privateKey ed25519.PrivateKey
+}
+
+func (ed *edDSAAlg) Algorithm() Algorithm {
+ return ed.alg
+}
+
+func (ed *edDSAAlg) SignSize() int {
+ return ed25519.SignatureSize
+}
+
+func (ed *edDSAAlg) Sign(payload []byte) ([]byte, error) {
+ return ed25519.Sign(ed.privateKey, payload), nil
+}
+
+func (ed *edDSAAlg) VerifyToken(token *Token) error {
+ if constTimeAlgEqual(token.Header().Algorithm, ed.alg) {
+ return ed.Verify(token.Payload(), token.Signature())
+ }
+ return ErrAlgorithmMismatch
+}
+
+func (ed *edDSAAlg) Verify(payload, signature []byte) error {
+ if !ed25519.Verify(ed.publicKey, payload, signature) {
+ return ErrInvalidSignature
+ }
+ return nil
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/algo_es.go b/go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/algo_es.go
new file mode 100644
index 000000000000..2b3126c8a7f8
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/algo_es.go
@@ -0,0 +1,132 @@
+package jwt
+
+import (
+ "crypto"
+ "crypto/ecdsa"
+ "crypto/rand"
+ "math/big"
+)
+
+// NewSignerES returns a new ECDSA-based signer.
+func NewSignerES(alg Algorithm, key *ecdsa.PrivateKey) (Signer, error) {
+ if key == nil {
+ return nil, ErrNilKey
+ }
+ hash, err := getParamsES(alg, roundBytes(key.PublicKey.Params().BitSize)*2)
+ if err != nil {
+ return nil, err
+ }
+ return &esAlg{
+ alg: alg,
+ hash: hash,
+ privateKey: key,
+ signSize: roundBytes(key.PublicKey.Params().BitSize) * 2,
+ }, nil
+}
+
+// NewVerifierES returns a new ECDSA-based verifier.
+func NewVerifierES(alg Algorithm, key *ecdsa.PublicKey) (Verifier, error) {
+ if key == nil {
+ return nil, ErrNilKey
+ }
+ hash, err := getParamsES(alg, roundBytes(key.Params().BitSize)*2)
+ if err != nil {
+ return nil, err
+ }
+ return &esAlg{
+ alg: alg,
+ hash: hash,
+ publicKey: key,
+ signSize: roundBytes(key.Params().BitSize) * 2,
+ }, nil
+}
+
+func getParamsES(alg Algorithm, size int) (crypto.Hash, error) {
+ var hash crypto.Hash
+ switch alg {
+ case ES256:
+ hash = crypto.SHA256
+ case ES384:
+ hash = crypto.SHA384
+ case ES512:
+ hash = crypto.SHA512
+ default:
+ return 0, ErrUnsupportedAlg
+ }
+
+ if alg.keySize() != size {
+ return 0, ErrInvalidKey
+ }
+ return hash, nil
+}
+
+type esAlg struct {
+ alg Algorithm
+ hash crypto.Hash
+ publicKey *ecdsa.PublicKey
+ privateKey *ecdsa.PrivateKey
+ signSize int
+}
+
+func (es *esAlg) Algorithm() Algorithm {
+ return es.alg
+}
+
+func (es *esAlg) SignSize() int {
+ return es.signSize
+}
+
+func (es *esAlg) Sign(payload []byte) ([]byte, error) {
+ digest, err := hashPayload(es.hash, payload)
+ if err != nil {
+ return nil, err
+ }
+
+ r, s, errSign := ecdsa.Sign(rand.Reader, es.privateKey, digest)
+ if err != nil {
+ return nil, errSign
+ }
+
+ pivot := es.SignSize() / 2
+
+ rBytes, sBytes := r.Bytes(), s.Bytes()
+ signature := make([]byte, es.SignSize())
+ copy(signature[pivot-len(rBytes):], rBytes)
+ copy(signature[pivot*2-len(sBytes):], sBytes)
+ return signature, nil
+}
+
+func (es *esAlg) VerifyToken(token *Token) error {
+ if constTimeAlgEqual(token.Header().Algorithm, es.alg) {
+ return es.Verify(token.Payload(), token.Signature())
+ }
+ return ErrAlgorithmMismatch
+}
+
+func (es *esAlg) Verify(payload, signature []byte) error {
+ if len(signature) != es.SignSize() {
+ return ErrInvalidSignature
+ }
+
+ digest, err := hashPayload(es.hash, payload)
+ if err != nil {
+ return err
+ }
+
+ pivot := es.SignSize() / 2
+ r := big.NewInt(0).SetBytes(signature[:pivot])
+ s := big.NewInt(0).SetBytes(signature[pivot:])
+
+ if !ecdsa.Verify(es.publicKey, digest, r, s) {
+ return ErrInvalidSignature
+ }
+ return nil
+}
+
+func roundBytes(n int) int {
+ res := n / 8
+ if n%8 > 0 {
+ return res + 1
+ }
+ return res
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/algo_hs.go b/go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/algo_hs.go
new file mode 100644
index 000000000000..9438fbff7f99
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/algo_hs.go
@@ -0,0 +1,111 @@
+package jwt
+
+import (
+ "crypto"
+ "crypto/hmac"
+ "hash"
+ "sync"
+)
+
+// NewSignerHS returns a new HMAC-based signer.
+func NewSignerHS(alg Algorithm, key []byte) (Signer, error) {
+ return newHS(alg, key)
+}
+
+// NewVerifierHS returns a new HMAC-based verifier.
+func NewVerifierHS(alg Algorithm, key []byte) (Verifier, error) {
+ return newHS(alg, key)
+}
+
+type hmacAlgo interface {
+ // copy-pasted Signer & Verifier due to older Go versions
+ Algorithm() Algorithm
+ SignSize() int
+ Sign(payload []byte) ([]byte, error)
+ Verify(payload, signature []byte) error
+ VerifyToken(token *Token) error
+}
+
+func newHS(alg Algorithm, key []byte) (hmacAlgo, error) {
+ if len(key) == 0 {
+ return nil, ErrNilKey
+ }
+ hash, ok := getHashHMAC(alg)
+ if !ok {
+ return nil, ErrUnsupportedAlg
+ }
+ return &hsAlg{
+ alg: alg,
+ hash: hash,
+ key: key,
+ hashPool: &sync.Pool{
+ New: func() interface{} {
+ return hmac.New(hash.New, key)
+ },
+ },
+ }, nil
+}
+
+func getHashHMAC(alg Algorithm) (crypto.Hash, bool) {
+ switch alg {
+ case HS256:
+ return crypto.SHA256, true
+ case HS384:
+ return crypto.SHA384, true
+ case HS512:
+ return crypto.SHA512, true
+ default:
+ return 0, false
+ }
+}
+
+type hsAlg struct {
+ alg Algorithm
+ hash crypto.Hash
+ key []byte
+ hashPool *sync.Pool
+}
+
+func (hs *hsAlg) Algorithm() Algorithm {
+ return hs.alg
+}
+
+func (hs *hsAlg) SignSize() int {
+ return hs.hash.Size()
+}
+
+func (hs *hsAlg) Sign(payload []byte) ([]byte, error) {
+ return hs.sign(payload)
+}
+
+func (hs *hsAlg) VerifyToken(token *Token) error {
+ if constTimeAlgEqual(token.Header().Algorithm, hs.alg) {
+ return hs.Verify(token.Payload(), token.Signature())
+ }
+ return ErrAlgorithmMismatch
+}
+
+func (hs *hsAlg) Verify(payload, signature []byte) error {
+ digest, err := hs.sign(payload)
+ if err != nil {
+ return err
+ }
+ if !hmac.Equal(signature, digest) {
+ return ErrInvalidSignature
+ }
+ return nil
+}
+
+func (hs *hsAlg) sign(payload []byte) ([]byte, error) {
+ hasher := hs.hashPool.Get().(hash.Hash)
+ defer func() {
+ hasher.Reset()
+ hs.hashPool.Put(hasher)
+ }()
+
+ _, err := hasher.Write(payload)
+ if err != nil {
+ return nil, err
+ }
+ return hasher.Sum(nil), nil
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/algo_ps.go b/go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/algo_ps.go
new file mode 100644
index 000000000000..21d552d37976
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/algo_ps.go
@@ -0,0 +1,127 @@
+package jwt
+
+import (
+ "crypto"
+ "crypto/rand"
+ "crypto/rsa"
+)
+
+// NewSignerPS returns a new RSA-PSS-based signer.
+func NewSignerPS(alg Algorithm, key *rsa.PrivateKey) (Signer, error) {
+ if key == nil {
+ return nil, ErrNilKey
+ }
+ hash, opts, err := getParamsPS(alg, key.Size())
+ if err != nil {
+ return nil, err
+ }
+ return &psAlg{
+ alg: alg,
+ hash: hash,
+ privateKey: key,
+ opts: opts,
+ }, nil
+}
+
+// NewVerifierPS returns a new RSA-PSS-based signer.
+func NewVerifierPS(alg Algorithm, key *rsa.PublicKey) (Verifier, error) {
+ if key == nil {
+ return nil, ErrNilKey
+ }
+ hash, opts, err := getParamsPS(alg, key.Size())
+ if err != nil {
+ return nil, err
+ }
+ return &psAlg{
+ alg: alg,
+ hash: hash,
+ publicKey: key,
+ opts: opts,
+ }, nil
+}
+
+func getParamsPS(alg Algorithm, size int) (crypto.Hash, *rsa.PSSOptions, error) {
+ var hash crypto.Hash
+ var opts *rsa.PSSOptions
+ switch alg {
+ case PS256:
+ hash, opts = crypto.SHA256, optsPS256
+ case PS384:
+ hash, opts = crypto.SHA384, optsPS384
+ case PS512:
+ hash, opts = crypto.SHA512, optsPS512
+ default:
+ return 0, nil, ErrUnsupportedAlg
+ }
+
+ if alg.keySize() != size {
+ return 0, nil, ErrInvalidKey
+ }
+ return hash, opts, nil
+}
+
+var (
+ optsPS256 = &rsa.PSSOptions{
+ SaltLength: rsa.PSSSaltLengthAuto,
+ Hash: crypto.SHA256,
+ }
+
+ optsPS384 = &rsa.PSSOptions{
+ SaltLength: rsa.PSSSaltLengthAuto,
+ Hash: crypto.SHA384,
+ }
+
+ optsPS512 = &rsa.PSSOptions{
+ SaltLength: rsa.PSSSaltLengthAuto,
+ Hash: crypto.SHA512,
+ }
+)
+
+type psAlg struct {
+ alg Algorithm
+ hash crypto.Hash
+ publicKey *rsa.PublicKey
+ privateKey *rsa.PrivateKey
+ opts *rsa.PSSOptions
+}
+
+func (ps *psAlg) SignSize() int {
+ return ps.privateKey.Size()
+}
+
+func (ps *psAlg) Algorithm() Algorithm {
+ return ps.alg
+}
+
+func (ps *psAlg) Sign(payload []byte) ([]byte, error) {
+ digest, err := hashPayload(ps.hash, payload)
+ if err != nil {
+ return nil, err
+ }
+
+ signature, errSign := rsa.SignPSS(rand.Reader, ps.privateKey, ps.hash, digest, ps.opts)
+ if errSign != nil {
+ return nil, errSign
+ }
+ return signature, nil
+}
+
+func (ps *psAlg) VerifyToken(token *Token) error {
+ if constTimeAlgEqual(token.Header().Algorithm, ps.alg) {
+ return ps.Verify(token.Payload(), token.Signature())
+ }
+ return ErrAlgorithmMismatch
+}
+
+func (ps *psAlg) Verify(payload, signature []byte) error {
+ digest, err := hashPayload(ps.hash, payload)
+ if err != nil {
+ return err
+ }
+
+ errVerify := rsa.VerifyPSS(ps.publicKey, ps.hash, digest, signature, ps.opts)
+ if errVerify != nil {
+ return ErrInvalidSignature
+ }
+ return nil
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/algo_rs.go b/go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/algo_rs.go
new file mode 100644
index 000000000000..393e80bea93a
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/algo_rs.go
@@ -0,0 +1,102 @@
+package jwt
+
+import (
+ "crypto"
+ "crypto/rand"
+ "crypto/rsa"
+)
+
+// NewSignerRS returns a new RSA-based signer.
+func NewSignerRS(alg Algorithm, key *rsa.PrivateKey) (Signer, error) {
+ if key == nil {
+ return nil, ErrNilKey
+ }
+ hash, err := getHashRS(alg, key.Size())
+ if err != nil {
+ return nil, err
+ }
+ return &rsAlg{
+ alg: alg,
+ hash: hash,
+ privateKey: key,
+ }, nil
+}
+
+// NewVerifierRS returns a new RSA-based verifier.
+func NewVerifierRS(alg Algorithm, key *rsa.PublicKey) (Verifier, error) {
+ if key == nil {
+ return nil, ErrNilKey
+ }
+ hash, err := getHashRS(alg, key.Size())
+ if err != nil {
+ return nil, err
+ }
+ return &rsAlg{
+ alg: alg,
+ hash: hash,
+ publicKey: key,
+ }, nil
+}
+
+func getHashRS(alg Algorithm, size int) (crypto.Hash, error) {
+ var hash crypto.Hash
+ switch alg {
+ case RS256:
+ hash = crypto.SHA256
+ case RS384:
+ hash = crypto.SHA384
+ case RS512:
+ hash = crypto.SHA512
+ default:
+ return 0, ErrUnsupportedAlg
+ }
+ return hash, nil
+}
+
+type rsAlg struct {
+ alg Algorithm
+ hash crypto.Hash
+ publicKey *rsa.PublicKey
+ privateKey *rsa.PrivateKey
+}
+
+func (rs *rsAlg) Algorithm() Algorithm {
+ return rs.alg
+}
+
+func (rs *rsAlg) SignSize() int {
+ return rs.privateKey.Size()
+}
+
+func (rs *rsAlg) Sign(payload []byte) ([]byte, error) {
+ digest, err := hashPayload(rs.hash, payload)
+ if err != nil {
+ return nil, err
+ }
+
+ signature, errSign := rsa.SignPKCS1v15(rand.Reader, rs.privateKey, rs.hash, digest)
+ if errSign != nil {
+ return nil, errSign
+ }
+ return signature, nil
+}
+
+func (rs *rsAlg) VerifyToken(token *Token) error {
+ if constTimeAlgEqual(token.Header().Algorithm, rs.alg) {
+ return rs.Verify(token.Payload(), token.Signature())
+ }
+ return ErrAlgorithmMismatch
+}
+
+func (rs *rsAlg) Verify(payload, signature []byte) error {
+ digest, err := hashPayload(rs.hash, payload)
+ if err != nil {
+ return err
+ }
+
+ errVerify := rsa.VerifyPKCS1v15(rs.publicKey, rs.hash, digest, signature)
+ if errVerify != nil {
+ return ErrInvalidSignature
+ }
+ return nil
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/audience.go b/go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/audience.go
new file mode 100644
index 000000000000..6b311a033a65
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/audience.go
@@ -0,0 +1,46 @@
+package jwt
+
+import "encoding/json"
+
+// Audience is a special claim that be a single string or an array of strings
+// see RFC 7519.
+type Audience []string
+
+// MarshalJSON implements a marshaling function for "aud" claim.
+func (a Audience) MarshalJSON() ([]byte, error) {
+ switch len(a) {
+ case 0:
+ return []byte(`""`), nil
+ case 1:
+ return json.Marshal(a[0])
+ default:
+ return json.Marshal([]string(a))
+ }
+}
+
+// UnmarshalJSON implements json.Unmarshaler interface.
+func (a *Audience) UnmarshalJSON(b []byte) error {
+ var v interface{}
+ if err := json.Unmarshal(b, &v); err != nil {
+ return ErrAudienceInvalidFormat
+ }
+
+ switch v := v.(type) {
+ case string:
+ *a = Audience{v}
+ return nil
+ case []interface{}:
+ aud := make(Audience, len(v))
+ for i := range v {
+ v, ok := v[i].(string)
+ if !ok {
+ return ErrAudienceInvalidFormat
+ }
+ aud[i] = v
+ }
+ *a = aud
+ return nil
+ default:
+ return ErrAudienceInvalidFormat
+ }
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/build.go b/go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/build.go
new file mode 100644
index 000000000000..82e292a07bab
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/build.go
@@ -0,0 +1,178 @@
+package jwt
+
+import (
+ "encoding/base64"
+ "encoding/json"
+)
+
+// BuilderOption is used to modify builder properties.
+type BuilderOption func(*Builder)
+
+// WithKeyID sets `kid` header for token.
+func WithKeyID(kid string) BuilderOption {
+ return func(b *Builder) { b.header.KeyID = kid }
+}
+
+// WithContentType sets `cty` header for token.
+func WithContentType(cty string) BuilderOption {
+ return func(b *Builder) { b.header.ContentType = cty }
+}
+
+// Builder is used to create a new token.
+type Builder struct {
+ signer Signer
+ header Header
+ headerRaw []byte
+}
+
+// BuildBytes is used to create and encode JWT with a provided claims.
+func BuildBytes(signer Signer, claims interface{}) ([]byte, error) {
+ return NewBuilder(signer).BuildBytes(claims)
+}
+
+// Build is used to create and encode JWT with a provided claims.
+func Build(signer Signer, claims interface{}) (*Token, error) {
+ return NewBuilder(signer).Build(claims)
+}
+
+// NewBuilder returns new instance of Builder.
+func NewBuilder(signer Signer, opts ...BuilderOption) *Builder {
+ b := &Builder{
+ signer: signer,
+ header: Header{
+ Algorithm: signer.Algorithm(),
+ Type: "JWT",
+ },
+ }
+
+ for _, opt := range opts {
+ opt(b)
+ }
+
+ b.headerRaw = encodeHeader(b.header)
+ return b
+}
+
+// BuildBytes used to create and encode JWT with a provided claims.
+func (b *Builder) BuildBytes(claims interface{}) ([]byte, error) {
+ token, err := b.Build(claims)
+ if err != nil {
+ return nil, err
+ }
+ return token.Raw(), nil
+}
+
+// Build used to create and encode JWT with a provided claims.
+// If claims param is of type []byte or string then it's treated as a marshaled JSON.
+// In other words you can pass already marshaled claims.
+//
+func (b *Builder) Build(claims interface{}) (*Token, error) {
+ rawClaims, errClaims := encodeClaims(claims)
+ if errClaims != nil {
+ return nil, errClaims
+ }
+
+ lenH := len(b.headerRaw)
+ lenC := b64EncodedLen(len(rawClaims))
+ lenS := b64EncodedLen(b.signer.SignSize())
+
+ token := make([]byte, lenH+1+lenC+1+lenS)
+ idx := 0
+ idx = copy(token[idx:], b.headerRaw)
+
+ // add '.' and append encoded claims
+ token[idx] = '.'
+ idx++
+ b64Encode(token[idx:], rawClaims)
+ idx += lenC
+
+ // calculate signature of already written 'header.claims'
+ rawSignature, errSign := b.signer.Sign(token[:idx])
+ if errSign != nil {
+ return nil, errSign
+ }
+
+ // add '.' and append encoded signature
+ token[idx] = '.'
+ idx++
+ b64Encode(token[idx:], rawSignature)
+
+ t := &Token{
+ raw: token,
+ dot1: lenH,
+ dot2: lenH + 1 + lenC,
+ header: b.header,
+ claims: rawClaims,
+ signature: rawSignature,
+ }
+ return t, nil
+}
+
+func encodeClaims(claims interface{}) ([]byte, error) {
+ switch claims := claims.(type) {
+ case []byte:
+ return claims, nil
+ case string:
+ return []byte(claims), nil
+ default:
+ return json.Marshal(claims)
+ }
+}
+
+func encodeHeader(header Header) []byte {
+ if header.Type == "JWT" && header.ContentType == "" && header.KeyID == "" {
+ if h := getPredefinedHeader(header); h != "" {
+ return []byte(h)
+ }
+ // another algorithm? encode below
+ }
+ // returned err is always nil, see *Header.MarshalJSON
+ buf, _ := json.Marshal(header)
+
+ encoded := make([]byte, b64EncodedLen(len(buf)))
+ b64Encode(encoded, buf)
+ return encoded
+}
+
+func getPredefinedHeader(header Header) string {
+ switch header.Algorithm {
+ case EdDSA:
+ return "eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9"
+
+ case HS256:
+ return "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9"
+ case HS384:
+ return "eyJhbGciOiJIUzM4NCIsInR5cCI6IkpXVCJ9"
+ case HS512:
+ return "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9"
+
+ case RS256:
+ return "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9"
+ case RS384:
+ return "eyJhbGciOiJSUzM4NCIsInR5cCI6IkpXVCJ9"
+ case RS512:
+ return "eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9"
+
+ case ES256:
+ return "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9"
+ case ES384:
+ return "eyJhbGciOiJFUzM4NCIsInR5cCI6IkpXVCJ9"
+ case ES512:
+ return "eyJhbGciOiJFUzUxMiIsInR5cCI6IkpXVCJ9"
+
+ case PS256:
+ return "eyJhbGciOiJQUzI1NiIsInR5cCI6IkpXVCJ9"
+ case PS384:
+ return "eyJhbGciOiJQUzM4NCIsInR5cCI6IkpXVCJ9"
+ case PS512:
+ return "eyJhbGciOiJQUzUxMiIsInR5cCI6IkpXVCJ9"
+
+ default:
+ return ""
+ }
+}
+
+var (
+ b64Encode = base64.RawURLEncoding.Encode
+ b64EncodedLen = base64.RawURLEncoding.EncodedLen
+)
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/claims.go b/go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/claims.go
new file mode 100644
index 000000000000..f0d4a07f27da
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/claims.go
@@ -0,0 +1,90 @@
+package jwt
+
+import (
+ "crypto/subtle"
+ "time"
+)
+
+// RegisteredClaims will replace StandardClaims in v4.
+type RegisteredClaims = StandardClaims
+
+// StandardClaims represents claims for JWT.
+// See: https://tools.ietf.org/html/rfc7519#section-4.1
+//
+type StandardClaims struct {
+ // ID claim provides a unique identifier for the JWT.
+ ID string `json:"jti,omitempty"`
+
+ // Audience claim identifies the recipients that the JWT is intended for.
+ Audience Audience `json:"aud,omitempty"`
+
+ // Issuer claim identifies the principal that issued the JWT.
+ // Use of this claim is OPTIONAL.
+ Issuer string `json:"iss,omitempty"`
+
+ // Subject claim identifies the principal that is the subject of the JWT.
+ // Use of this claim is OPTIONAL.
+ Subject string `json:"sub,omitempty"`
+
+ // ExpiresAt claim identifies the expiration time on or after which the JWT MUST NOT be accepted for processing.
+ // Use of this claim is OPTIONAL.
+ ExpiresAt *NumericDate `json:"exp,omitempty"`
+
+ // IssuedAt claim identifies the time at which the JWT was issued.
+ // This claim can be used to determine the age of the JWT.
+ // Use of this claim is OPTIONAL.
+ IssuedAt *NumericDate `json:"iat,omitempty"`
+
+ // NotBefore claim identifies the time before which the JWT MUST NOT be accepted for processing.
+ // Use of this claim is OPTIONAL.
+ NotBefore *NumericDate `json:"nbf,omitempty"`
+}
+
+// IsForAudience reports whether token has a given audience.
+func (sc *StandardClaims) IsForAudience(audience string) bool {
+ for _, aud := range sc.Audience {
+ if constTimeEqual(aud, audience) {
+ return true
+ }
+ }
+ return false
+}
+
+// IsIssuer reports whether token has a given issuer.
+func (sc *StandardClaims) IsIssuer(issuer string) bool {
+ return constTimeEqual(sc.Issuer, issuer)
+}
+
+// IsSubject reports whether token has a given subject.
+func (sc *StandardClaims) IsSubject(subject string) bool {
+ return constTimeEqual(sc.Subject, subject)
+}
+
+// IsID reports whether token has a given id.
+func (sc *StandardClaims) IsID(id string) bool {
+ return constTimeEqual(sc.ID, id)
+}
+
+// IsValidExpiresAt reports whether a token isn't expired at a given time.
+func (sc *StandardClaims) IsValidExpiresAt(now time.Time) bool {
+ return sc.ExpiresAt == nil || sc.ExpiresAt.After(now)
+}
+
+// IsValidNotBefore reports whether a token isn't used before a given time.
+func (sc *StandardClaims) IsValidNotBefore(now time.Time) bool {
+ return sc.NotBefore == nil || sc.NotBefore.Before(now)
+}
+
+// IsValidIssuedAt reports whether a token was created before a given time.
+func (sc *StandardClaims) IsValidIssuedAt(now time.Time) bool {
+ return sc.IssuedAt == nil || sc.IssuedAt.Before(now)
+}
+
+// IsValidAt reports whether a token is valid at a given time.
+func (sc *StandardClaims) IsValidAt(now time.Time) bool {
+ return sc.IsValidExpiresAt(now) && sc.IsValidNotBefore(now) && sc.IsValidIssuedAt(now)
+}
+
+func constTimeEqual(a, b string) bool {
+ return subtle.ConstantTimeCompare([]byte(a), []byte(b)) == 1
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/doc.go b/go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/doc.go
new file mode 100644
index 000000000000..fdfa3651a476
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/doc.go
@@ -0,0 +1,7 @@
+// Package jwt represents JSON Web Token for Go.
+//
+// Builder, all the Signers and Verifiers are safe for use by multiple goroutines simultaneously.
+//
+// See [RFC 7519](https://tools.ietf.org/html/rfc7519) and see [jwt.io](https://jwt.io) for more.
+//
+package jwt
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/errors.go b/go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/errors.go
new file mode 100644
index 000000000000..83a26c1c5fc1
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/errors.go
@@ -0,0 +1,37 @@
+package jwt
+
+// Error represents a JWT error.
+type Error string
+
+func (e Error) Error() string {
+ return string(e)
+}
+
+var _ error = (Error)("")
+
+// Build and parse errors.
+const (
+ // ErrNilKey indicates that key is nil.
+ ErrNilKey = Error("jwt: key is nil")
+
+ // ErrInvalidKey indicates that key is not valid.
+ ErrInvalidKey = Error("jwt: key is not valid")
+
+ // ErrUnsupportedAlg indicates that given algorithm is not supported.
+ ErrUnsupportedAlg = Error("jwt: algorithm is not supported")
+
+ // ErrInvalidFormat indicates that token format is not valid.
+ ErrInvalidFormat = Error("jwt: token format is not valid")
+
+ // ErrAudienceInvalidFormat indicates that audience format is not valid.
+ ErrAudienceInvalidFormat = Error("jwt: audience format is not valid")
+
+ // ErrDateInvalidFormat indicates that date format is not valid.
+ ErrDateInvalidFormat = Error("jwt: date is not valid")
+
+ // ErrAlgorithmMismatch indicates that token is signed by another algorithm.
+ ErrAlgorithmMismatch = Error("jwt: token is signed by another algorithm")
+
+ // ErrInvalidSignature indicates that signature is not valid.
+ ErrInvalidSignature = Error("jwt: signature is not valid")
+)
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/fuzz.go b/go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/fuzz.go
new file mode 100644
index 000000000000..5fd1e8c83c79
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/fuzz.go
@@ -0,0 +1,17 @@
+// +build gofuzz
+// To run the fuzzer, run the following commands:
+// $ GO111MODULE=off go get -u github.com/dvyukov/go-fuzz/go-fuzz github.com/dvyukov/go-fuzz/go-fuzz-build
+// $ cd $GOPATH/src/github.com/cristalhq/jwt/
+// $ go-fuzz-build
+// $ go-fuzz
+// Note: go-fuzz doesn't support go modules, so you must have your local
+// installation of jwt under $GOPATH.
+
+package jwt
+
+func Fuzz(data []byte) int {
+ if _, err := Parse(data); err != nil {
+ return 0
+ }
+ return 1
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/jwt.go b/go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/jwt.go
new file mode 100644
index 000000000000..9bd46927b81e
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/jwt.go
@@ -0,0 +1,91 @@
+package jwt
+
+import (
+ "bytes"
+ "encoding/json"
+)
+
+// Token represents a JWT token.
+// See: https://tools.ietf.org/html/rfc7519
+//
+type Token struct {
+ raw []byte
+ dot1 int
+ dot2 int
+ signature []byte
+ header Header
+ claims json.RawMessage
+}
+
+func (t *Token) String() string {
+ return string(t.raw)
+}
+
+// SecureString returns token without a signature (replaced with `.`).
+func (t *Token) SecureString() string {
+ dot := bytes.LastIndexByte(t.raw, '.')
+ return string(t.raw[:dot]) + `.`
+}
+
+// Raw returns token's raw bytes.
+func (t *Token) Raw() []byte {
+ return t.raw
+}
+
+// Header returns token's header.
+func (t *Token) Header() Header {
+ return t.header
+}
+
+// RawHeader returns token's header raw bytes.
+func (t *Token) RawHeader() []byte {
+ return t.raw[:t.dot1]
+}
+
+// RawClaims returns token's claims as a raw bytes.
+func (t *Token) RawClaims() []byte {
+ return t.claims
+}
+
+// Payload returns token's payload.
+func (t *Token) Payload() []byte {
+ return t.raw[:t.dot2]
+}
+
+// Signature returns token's signature.
+func (t *Token) Signature() []byte {
+ return t.signature
+}
+
+// Header representa JWT header data.
+// See: https://tools.ietf.org/html/rfc7519#section-5, https://tools.ietf.org/html/rfc7517
+//
+type Header struct {
+ Algorithm Algorithm `json:"alg"`
+ Type string `json:"typ,omitempty"` // only "JWT" can be here
+ ContentType string `json:"cty,omitempty"`
+ KeyID string `json:"kid,omitempty"`
+}
+
+// MarshalJSON implements the json.Marshaler interface.
+func (h *Header) MarshalJSON() ([]byte, error) {
+ buf := bytes.Buffer{}
+ buf.WriteString(`{"alg":"`)
+ buf.WriteString(string(h.Algorithm))
+
+ if h.Type != "" {
+ buf.WriteString(`","typ":"`)
+ buf.WriteString(h.Type)
+ }
+ if h.ContentType != "" {
+ buf.WriteString(`","cty":"`)
+ buf.WriteString(h.ContentType)
+ }
+ if h.KeyID != "" {
+ buf.WriteString(`","kid":"`)
+ buf.WriteString(h.KeyID)
+ }
+ buf.WriteString(`"}`)
+
+ return buf.Bytes(), nil
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/numeric_date.go b/go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/numeric_date.go
new file mode 100644
index 000000000000..6bfb0046f4a3
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/numeric_date.go
@@ -0,0 +1,44 @@
+package jwt
+
+import (
+ "encoding/json"
+ "math"
+ "strconv"
+ "time"
+)
+
+// NumericDate represents date for StandardClaims
+// See: https://tools.ietf.org/html/rfc7519#section-2
+//
+type NumericDate struct {
+ time.Time
+}
+
+// NewNumericDate creates a new NumericDate value from time.Time.
+func NewNumericDate(t time.Time) *NumericDate {
+ if t.IsZero() {
+ return nil
+ }
+ return &NumericDate{t}
+}
+
+// MarshalJSON implements the json.Marshaler interface.
+func (t *NumericDate) MarshalJSON() ([]byte, error) {
+ return []byte(strconv.FormatInt(t.Unix(), 10)), nil
+}
+
+// UnmarshalJSON implements the json.Unmarshaler interface.
+func (t *NumericDate) UnmarshalJSON(data []byte) error {
+ var value json.Number
+ if err := json.Unmarshal(data, &value); err != nil {
+ return ErrDateInvalidFormat
+ }
+ f, err := value.Float64()
+ if err != nil {
+ return ErrDateInvalidFormat
+ }
+ sec, dec := math.Modf(f)
+ ts := time.Unix(int64(sec), int64(dec*1e9))
+ *t = NumericDate{ts}
+ return nil
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/parse.go b/go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/parse.go
new file mode 100644
index 000000000000..b339de17419a
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/parse.go
@@ -0,0 +1,86 @@
+package jwt
+
+import (
+ "bytes"
+ "encoding/base64"
+ "encoding/json"
+)
+
+// ParseString decodes a token.
+func ParseString(raw string) (*Token, error) {
+ return Parse([]byte(raw))
+}
+
+// Parse decodes a token from a raw bytes.
+func Parse(raw []byte) (*Token, error) {
+ return parse(raw)
+}
+
+// ParseAndVerifyString decodes a token and verifies it's signature.
+func ParseAndVerifyString(raw string, verifier Verifier) (*Token, error) {
+ return ParseAndVerify([]byte(raw), verifier)
+}
+
+// ParseAndVerify decodes a token and verifies it's signature.
+func ParseAndVerify(raw []byte, verifier Verifier) (*Token, error) {
+ token, err := parse(raw)
+ if err != nil {
+ return nil, err
+ }
+ if !constTimeAlgEqual(token.Header().Algorithm, verifier.Algorithm()) {
+ return nil, ErrAlgorithmMismatch
+ }
+ if err := verifier.Verify(token.Payload(), token.Signature()); err != nil {
+ return nil, err
+ }
+ return token, nil
+}
+
+func parse(token []byte) (*Token, error) {
+ // "eyJ" is `{"` which is begin of every JWT token.
+ // Quick check for the invalid input.
+ if !bytes.HasPrefix(token, []byte("eyJ")) {
+ return nil, ErrInvalidFormat
+ }
+
+ dot1 := bytes.IndexByte(token, '.')
+ dot2 := bytes.LastIndexByte(token, '.')
+ if dot2 <= dot1 {
+ return nil, ErrInvalidFormat
+ }
+
+ buf := make([]byte, len(token))
+
+ headerN, err := b64Decode(buf, token[:dot1])
+ if err != nil {
+ return nil, ErrInvalidFormat
+ }
+ var header Header
+ if err := json.Unmarshal(buf[:headerN], &header); err != nil {
+ return nil, ErrInvalidFormat
+ }
+
+ claimsN, err := b64Decode(buf[headerN:], token[dot1+1:dot2])
+ if err != nil {
+ return nil, ErrInvalidFormat
+ }
+ claims := buf[headerN : headerN+claimsN]
+
+ signN, err := b64Decode(buf[headerN+claimsN:], token[dot2+1:])
+ if err != nil {
+ return nil, ErrInvalidFormat
+ }
+ signature := buf[headerN+claimsN : headerN+claimsN+signN]
+
+ tk := &Token{
+ raw: token,
+ dot1: dot1,
+ dot2: dot2,
+ signature: signature,
+ header: header,
+ claims: claims,
+ }
+ return tk, nil
+}
+
+var b64Decode = base64.RawURLEncoding.Decode
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/stub.go b/go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/stub.go
deleted file mode 100644
index c4f718e4f1a8..000000000000
--- a/go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/stub.go
+++ /dev/null
@@ -1,26 +0,0 @@ -// Code generated by depstubber. DO NOT EDIT. -// This is a simple stub for github.com/cristalhq/jwt/v3, strictly for use in testing. - -// See the LICENSE file for information about the licensing of the original library. -// Source: github.com/cristalhq/jwt/v3 (exports: Signer; functions: NewSignerHS,HS256) - -// Package jwt is a stub of github.com/cristalhq/jwt/v3, generated by depstubber. -package jwt - -type Algorithm string - -func (_ Algorithm) String() string { - return "" -} - -var HS256 Algorithm = "" - -func NewSignerHS(_ Algorithm, _ []byte) (Signer, error) { - return nil, nil -} - -type Signer interface { - Algorithm() Algorithm - Sign(_ []byte) ([]byte, error) - SignSize() int -} diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/davecgh/go-spew/LICENSE b/go/ql/test/experimental/CWE-321/vendor/github.com/davecgh/go-spew/LICENSE new file mode 100644 index 000000000000..bc52e96f2b0e --- /dev/null +++ b/go/ql/test/experimental/CWE-321/vendor/github.com/davecgh/go-spew/LICENSE @@ -0,0 +1,15 @@ +ISC License + +Copyright (c) 2012-2016 Dave Collins + +Permission to use, copy, modify, and/or distribute this software for any +purpose with or without fee is hereby granted, provided that the above +copyright notice and this permission notice appear in all copies. + +THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/davecgh/go-spew/spew/bypass.go b/go/ql/test/experimental/CWE-321/vendor/github.com/davecgh/go-spew/spew/bypass.go
new file mode 100644
index 000000000000..792994785e36
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/davecgh/go-spew/spew/bypass.go
@@ -0,0 +1,145 @@
+// Copyright (c) 2015-2016 Dave Collins
+//
+// Permission to use, copy, modify, and distribute this software for any
+// purpose with or without fee is hereby granted, provided that the above
+// copyright notice and this permission notice appear in all copies.
+//
+// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+// NOTE: Due to the following build constraints, this file will only be compiled
+// when the code is not running on Google App Engine, compiled by GopherJS, and
+// "-tags safe" is not added to the go build command line. The "disableunsafe"
+// tag is deprecated and thus should not be used.
+// Go versions prior to 1.4 are disabled because they use a different layout
+// for interfaces which make the implementation of unsafeReflectValue more complex.
+// +build !js,!appengine,!safe,!disableunsafe,go1.4
+
+package spew
+
+import (
+ "reflect"
+ "unsafe"
+)
+
+const (
+ // UnsafeDisabled is a build-time constant which specifies whether or
+ // not access to the unsafe package is available.
+ UnsafeDisabled = false
+
+ // ptrSize is the size of a pointer on the current arch.
+ ptrSize = unsafe.Sizeof((*byte)(nil))
+)
+
+type flag uintptr
+
+var (
+ // flagRO indicates whether the value field of a reflect.Value
+ // is read-only.
+ flagRO flag
+
+ // flagAddr indicates whether the address of the reflect.Value's
+ // value may be taken.
+ flagAddr flag
+)
+
+// flagKindMask holds the bits that make up the kind
+// part of the flags field.
In all the supported versions, +// it is in the lower 5 bits. +const flagKindMask = flag(0x1f) + +// Different versions of Go have used different +// bit layouts for the flags type. This table +// records the known combinations. +var okFlags = []struct { + ro, addr flag +}{{ + // From Go 1.4 to 1.5 + ro: 1 << 5, + addr: 1 << 7, +}, { + // Up to Go tip. + ro: 1<<5 | 1<<6, + addr: 1 << 8, +}} + +var flagValOffset = func() uintptr { + field, ok := reflect.TypeOf(reflect.Value{}).FieldByName("flag") + if !ok { + panic("reflect.Value has no flag field") + } + return field.Offset +}() + +// flagField returns a pointer to the flag field of a reflect.Value. +func flagField(v *reflect.Value) *flag { + return (*flag)(unsafe.Pointer(uintptr(unsafe.Pointer(v)) + flagValOffset)) +} + +// unsafeReflectValue converts the passed reflect.Value into a one that bypasses +// the typical safety restrictions preventing access to unaddressable and +// unexported data. It works by digging the raw pointer to the underlying +// value out of the protected value and generating a new unprotected (unsafe) +// reflect.Value to it. +// +// This allows us to check for implementations of the Stringer and error +// interfaces to be used for pretty printing ordinarily unaddressable and +// inaccessible values such as unexported struct fields. +func unsafeReflectValue(v reflect.Value) reflect.Value { + if !v.IsValid() || (v.CanInterface() && v.CanAddr()) { + return v + } + flagFieldPtr := flagField(&v) + *flagFieldPtr &^= flagRO + *flagFieldPtr |= flagAddr + return v +} + +// Sanity checks against future reflect package changes +// to the type or semantics of the Value.flag field. 
+func init() {
+ field, ok := reflect.TypeOf(reflect.Value{}).FieldByName("flag")
+ if !ok {
+ panic("reflect.Value has no flag field")
+ }
+ if field.Type.Kind() != reflect.TypeOf(flag(0)).Kind() {
+ panic("reflect.Value flag field has changed kind")
+ }
+ type t0 int
+ var t struct {
+ A t0
+ // t0 will have flagEmbedRO set.
+ t0
+ // a will have flagStickyRO set
+ a t0
+ }
+ vA := reflect.ValueOf(t).FieldByName("A")
+ va := reflect.ValueOf(t).FieldByName("a")
+ vt0 := reflect.ValueOf(t).FieldByName("t0")
+
+ // Infer flagRO from the difference between the flags
+ // for the (otherwise identical) fields in t.
+ flagPublic := *flagField(&vA)
+ flagWithRO := *flagField(&va) | *flagField(&vt0)
+ flagRO = flagPublic ^ flagWithRO
+
+ // Infer flagAddr from the difference between a value
+ // taken from a pointer and not.
+ vPtrA := reflect.ValueOf(&t).Elem().FieldByName("A")
+ flagNoPtr := *flagField(&vA)
+ flagPtr := *flagField(&vPtrA)
+ flagAddr = flagNoPtr ^ flagPtr
+
+ // Check that the inferred flags tally with one of the known versions.
+ for _, f := range okFlags {
+ if flagRO == f.ro && flagAddr == f.addr {
+ return
+ }
+ }
+ panic("reflect.Value read-only flag has changed semantics")
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/davecgh/go-spew/spew/bypasssafe.go b/go/ql/test/experimental/CWE-321/vendor/github.com/davecgh/go-spew/spew/bypasssafe.go
new file mode 100644
index 000000000000..205c28d68c47
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/davecgh/go-spew/spew/bypasssafe.go
@@ -0,0 +1,38 @@
+// Copyright (c) 2015-2016 Dave Collins
+//
+// Permission to use, copy, modify, and distribute this software for any
+// purpose with or without fee is hereby granted, provided that the above
+// copyright notice and this permission notice appear in all copies.
+//
+// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+// NOTE: Due to the following build constraints, this file will only be compiled
+// when the code is running on Google App Engine, compiled by GopherJS, or
+// "-tags safe" is added to the go build command line. The "disableunsafe"
+// tag is deprecated and thus should not be used.
+// +build js appengine safe disableunsafe !go1.4
+
+package spew
+
+import "reflect"
+
+const (
+ // UnsafeDisabled is a build-time constant which specifies whether or
+ // not access to the unsafe package is available.
+ UnsafeDisabled = true
+)
+
+// unsafeReflectValue typically converts the passed reflect.Value into a one
+// that bypasses the typical safety restrictions preventing access to
+// unaddressable and unexported data. However, doing this relies on access to
+// the unsafe package. This is a stub version which simply returns the passed
+// reflect.Value when the unsafe package is not available.
+func unsafeReflectValue(v reflect.Value) reflect.Value {
+ return v
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/davecgh/go-spew/spew/common.go b/go/ql/test/experimental/CWE-321/vendor/github.com/davecgh/go-spew/spew/common.go
new file mode 100644
index 000000000000..1be8ce945761
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/davecgh/go-spew/spew/common.go
@@ -0,0 +1,341 @@
+/*
+ * Copyright (c) 2013-2016 Dave Collins
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+package spew
+
+import (
+ "bytes"
+ "fmt"
+ "io"
+ "reflect"
+ "sort"
+ "strconv"
+)
+
+// Some constants in the form of bytes to avoid string overhead. This mirrors
+// the technique used in the fmt package.
+var ( + panicBytes = []byte("(PANIC=") + plusBytes = []byte("+") + iBytes = []byte("i") + trueBytes = []byte("true") + falseBytes = []byte("false") + interfaceBytes = []byte("(interface {})") + commaNewlineBytes = []byte(",\n") + newlineBytes = []byte("\n") + openBraceBytes = []byte("{") + openBraceNewlineBytes = []byte("{\n") + closeBraceBytes = []byte("}") + asteriskBytes = []byte("*") + colonBytes = []byte(":") + colonSpaceBytes = []byte(": ") + openParenBytes = []byte("(") + closeParenBytes = []byte(")") + spaceBytes = []byte(" ") + pointerChainBytes = []byte("->") + nilAngleBytes = []byte("") + maxNewlineBytes = []byte("\n") + maxShortBytes = []byte("") + circularBytes = []byte("") + circularShortBytes = []byte("") + invalidAngleBytes = []byte("") + openBracketBytes = []byte("[") + closeBracketBytes = []byte("]") + percentBytes = []byte("%") + precisionBytes = []byte(".") + openAngleBytes = []byte("<") + closeAngleBytes = []byte(">") + openMapBytes = []byte("map[") + closeMapBytes = []byte("]") + lenEqualsBytes = []byte("len=") + capEqualsBytes = []byte("cap=") +) + +// hexDigits is used to map a decimal value to a hex digit. +var hexDigits = "0123456789abcdef" + +// catchPanic handles any panics that might occur during the handleMethods +// calls. +func catchPanic(w io.Writer, v reflect.Value) { + if err := recover(); err != nil { + w.Write(panicBytes) + fmt.Fprintf(w, "%v", err) + w.Write(closeParenBytes) + } +} + +// handleMethods attempts to call the Error and String methods on the underlying +// type the passed reflect.Value represents and outputes the result to Writer w. +// +// It handles panics in any called methods by catching and displaying the error +// as the formatted value. +func handleMethods(cs *ConfigState, w io.Writer, v reflect.Value) (handled bool) { + // We need an interface to check if the type implements the error or + // Stringer interface. 
However, the reflect package won't give us an + // interface on certain things like unexported struct fields in order + // to enforce visibility rules. We use unsafe, when it's available, + // to bypass these restrictions since this package does not mutate the + // values. + if !v.CanInterface() { + if UnsafeDisabled { + return false + } + + v = unsafeReflectValue(v) + } + + // Choose whether or not to do error and Stringer interface lookups against + // the base type or a pointer to the base type depending on settings. + // Technically calling one of these methods with a pointer receiver can + // mutate the value, however, types which choose to satisify an error or + // Stringer interface with a pointer receiver should not be mutating their + // state inside these interface methods. + if !cs.DisablePointerMethods && !UnsafeDisabled && !v.CanAddr() { + v = unsafeReflectValue(v) + } + if v.CanAddr() { + v = v.Addr() + } + + // Is it an error or Stringer? + switch iface := v.Interface().(type) { + case error: + defer catchPanic(w, v) + if cs.ContinueOnMethod { + w.Write(openParenBytes) + w.Write([]byte(iface.Error())) + w.Write(closeParenBytes) + w.Write(spaceBytes) + return false + } + + w.Write([]byte(iface.Error())) + return true + + case fmt.Stringer: + defer catchPanic(w, v) + if cs.ContinueOnMethod { + w.Write(openParenBytes) + w.Write([]byte(iface.String())) + w.Write(closeParenBytes) + w.Write(spaceBytes) + return false + } + w.Write([]byte(iface.String())) + return true + } + return false +} + +// printBool outputs a boolean value as true or false to Writer w. +func printBool(w io.Writer, val bool) { + if val { + w.Write(trueBytes) + } else { + w.Write(falseBytes) + } +} + +// printInt outputs a signed integer value to Writer w. +func printInt(w io.Writer, val int64, base int) { + w.Write([]byte(strconv.FormatInt(val, base))) +} + +// printUint outputs an unsigned integer value to Writer w. 
+func printUint(w io.Writer, val uint64, base int) { + w.Write([]byte(strconv.FormatUint(val, base))) +} + +// printFloat outputs a floating point value using the specified precision, +// which is expected to be 32 or 64bit, to Writer w. +func printFloat(w io.Writer, val float64, precision int) { + w.Write([]byte(strconv.FormatFloat(val, 'g', -1, precision))) +} + +// printComplex outputs a complex value using the specified float precision +// for the real and imaginary parts to Writer w. +func printComplex(w io.Writer, c complex128, floatPrecision int) { + r := real(c) + w.Write(openParenBytes) + w.Write([]byte(strconv.FormatFloat(r, 'g', -1, floatPrecision))) + i := imag(c) + if i >= 0 { + w.Write(plusBytes) + } + w.Write([]byte(strconv.FormatFloat(i, 'g', -1, floatPrecision))) + w.Write(iBytes) + w.Write(closeParenBytes) +} + +// printHexPtr outputs a uintptr formatted as hexadecimal with a leading '0x' +// prefix to Writer w. +func printHexPtr(w io.Writer, p uintptr) { + // Null pointer. + num := uint64(p) + if num == 0 { + w.Write(nilAngleBytes) + return + } + + // Max uint64 is 16 bytes in hex + 2 bytes for '0x' prefix + buf := make([]byte, 18) + + // It's simpler to construct the hex string right to left. + base := uint64(16) + i := len(buf) - 1 + for num >= base { + buf[i] = hexDigits[num%base] + num /= base + i-- + } + buf[i] = hexDigits[num] + + // Add '0x' prefix. + i-- + buf[i] = 'x' + i-- + buf[i] = '0' + + // Strip unused leading bytes. + buf = buf[i:] + w.Write(buf) +} + +// valuesSorter implements sort.Interface to allow a slice of reflect.Value +// elements to be sorted. +type valuesSorter struct { + values []reflect.Value + strings []string // either nil or same len and values + cs *ConfigState +} + +// newValuesSorter initializes a valuesSorter instance, which holds a set of +// surrogate keys on which the data should be sorted. It uses flags in +// ConfigState to decide if and how to populate those surrogate keys. 
+func newValuesSorter(values []reflect.Value, cs *ConfigState) sort.Interface { + vs := &valuesSorter{values: values, cs: cs} + if canSortSimply(vs.values[0].Kind()) { + return vs + } + if !cs.DisableMethods { + vs.strings = make([]string, len(values)) + for i := range vs.values { + b := bytes.Buffer{} + if !handleMethods(cs, &b, vs.values[i]) { + vs.strings = nil + break + } + vs.strings[i] = b.String() + } + } + if vs.strings == nil && cs.SpewKeys { + vs.strings = make([]string, len(values)) + for i := range vs.values { + vs.strings[i] = Sprintf("%#v", vs.values[i].Interface()) + } + } + return vs +} + +// canSortSimply tests whether a reflect.Kind is a primitive that can be sorted +// directly, or whether it should be considered for sorting by surrogate keys +// (if the ConfigState allows it). +func canSortSimply(kind reflect.Kind) bool { + // This switch parallels valueSortLess, except for the default case. + switch kind { + case reflect.Bool: + return true + case reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64, reflect.Int: + return true + case reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uint: + return true + case reflect.Float32, reflect.Float64: + return true + case reflect.String: + return true + case reflect.Uintptr: + return true + case reflect.Array: + return true + } + return false +} + +// Len returns the number of values in the slice. It is part of the +// sort.Interface implementation. +func (s *valuesSorter) Len() int { + return len(s.values) +} + +// Swap swaps the values at the passed indices. It is part of the +// sort.Interface implementation. +func (s *valuesSorter) Swap(i, j int) { + s.values[i], s.values[j] = s.values[j], s.values[i] + if s.strings != nil { + s.strings[i], s.strings[j] = s.strings[j], s.strings[i] + } +} + +// valueSortLess returns whether the first value should sort before the second +// value. It is used by valueSorter.Less as part of the sort.Interface +// implementation. 
+func valueSortLess(a, b reflect.Value) bool { + switch a.Kind() { + case reflect.Bool: + return !a.Bool() && b.Bool() + case reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64, reflect.Int: + return a.Int() < b.Int() + case reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uint: + return a.Uint() < b.Uint() + case reflect.Float32, reflect.Float64: + return a.Float() < b.Float() + case reflect.String: + return a.String() < b.String() + case reflect.Uintptr: + return a.Uint() < b.Uint() + case reflect.Array: + // Compare the contents of both arrays. + l := a.Len() + for i := 0; i < l; i++ { + av := a.Index(i) + bv := b.Index(i) + if av.Interface() == bv.Interface() { + continue + } + return valueSortLess(av, bv) + } + } + return a.String() < b.String() +} + +// Less returns whether the value at index i should sort before the +// value at index j. It is part of the sort.Interface implementation. +func (s *valuesSorter) Less(i, j int) bool { + if s.strings == nil { + return valueSortLess(s.values[i], s.values[j]) + } + return s.strings[i] < s.strings[j] +} + +// sortValues is a sort function that handles both native types and any type that +// can be converted to error or Stringer. Other inputs are sorted according to +// their Value.String() value to ensure display stability. +func sortValues(values []reflect.Value, cs *ConfigState) { + if len(values) == 0 { + return + } + sort.Sort(newValuesSorter(values, cs)) +} diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/davecgh/go-spew/spew/config.go b/go/ql/test/experimental/CWE-321/vendor/github.com/davecgh/go-spew/spew/config.go new file mode 100644 index 000000000000..2e3d22f31202 --- /dev/null +++ b/go/ql/test/experimental/CWE-321/vendor/github.com/davecgh/go-spew/spew/config.go 
@@ -0,0 +1,306 @@ +/* + * Copyright (c) 2013-2016 Dave Collins + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +package spew + +import ( + "bytes" + "fmt" + "io" + "os" +) + +// ConfigState houses the configuration options used by spew to format and +// display values. There is a global instance, Config, that is used to control +// all top-level Formatter and Dump functionality. Each ConfigState instance +// provides methods equivalent to the top-level functions. +// +// The zero value for ConfigState provides no indentation. You would typically +// want to set it to a space or a tab. +// +// Alternatively, you can use NewDefaultConfig to get a ConfigState instance +// with default settings. See the documentation of NewDefaultConfig for default +// values. +type ConfigState struct { + // Indent specifies the string to use for each indentation level. The + // global config instance that all top-level functions use set this to a + // single space by default. If you would like more indentation, you might + // set this to a tab with "\t" or perhaps two spaces with " ". + Indent string + + // MaxDepth controls the maximum number of levels to descend into nested + // data structures. The default, 0, means there is no limit. 
+ // + // NOTE: Circular data structures are properly detected, so it is not + // necessary to set this value unless you specifically want to limit deeply + // nested data structures. + MaxDepth int + + // DisableMethods specifies whether or not error and Stringer interfaces are + // invoked for types that implement them. + DisableMethods bool + + // DisablePointerMethods specifies whether or not to check for and invoke + // error and Stringer interfaces on types which only accept a pointer + // receiver when the current type is not a pointer. + // + // NOTE: This might be an unsafe action since calling one of these methods + // with a pointer receiver could technically mutate the value, however, + // in practice, types which choose to satisify an error or Stringer + // interface with a pointer receiver should not be mutating their state + // inside these interface methods. As a result, this option relies on + // access to the unsafe package, so it will not have any effect when + // running in environments without access to the unsafe package such as + // Google App Engine or with the "safe" build tag specified. + DisablePointerMethods bool + + // DisablePointerAddresses specifies whether to disable the printing of + // pointer addresses. This is useful when diffing data structures in tests. + DisablePointerAddresses bool + + // DisableCapacities specifies whether to disable the printing of capacities + // for arrays, slices, maps and channels. This is useful when diffing + // data structures in tests. + DisableCapacities bool + + // ContinueOnMethod specifies whether or not recursion should continue once + // a custom error or Stringer interface is invoked. The default, false, + // means it will print the results of invoking the custom error or Stringer + // interface and return immediately instead of continuing to recurse into + // the internals of the data type. 
+ // + // NOTE: This flag does not have any effect if method invocation is disabled + // via the DisableMethods or DisablePointerMethods options. + ContinueOnMethod bool + + // SortKeys specifies map keys should be sorted before being printed. Use + // this to have a more deterministic, diffable output. Note that only + // native types (bool, int, uint, floats, uintptr and string) and types + // that support the error or Stringer interfaces (if methods are + // enabled) are supported, with other types sorted according to the + // reflect.Value.String() output which guarantees display stability. + SortKeys bool + + // SpewKeys specifies that, as a last resort attempt, map keys should + // be spewed to strings and sorted by those strings. This is only + // considered if SortKeys is true. + SpewKeys bool +} + +// Config is the active configuration of the top-level functions. +// The configuration can be changed by modifying the contents of spew.Config. +var Config = ConfigState{Indent: " "} + +// Errorf is a wrapper for fmt.Errorf that treats each argument as if it were +// passed with a Formatter interface returned by c.NewFormatter. It returns +// the formatted string as a value that satisfies error. See NewFormatter +// for formatting details. +// +// This function is shorthand for the following syntax: +// +// fmt.Errorf(format, c.NewFormatter(a), c.NewFormatter(b)) +func (c *ConfigState) Errorf(format string, a ...interface{}) (err error) { + return fmt.Errorf(format, c.convertArgs(a)...) +} + +// Fprint is a wrapper for fmt.Fprint that treats each argument as if it were +// passed with a Formatter interface returned by c.NewFormatter. It returns +// the number of bytes written and any write error encountered. See +// NewFormatter for formatting details. 
+// +// This function is shorthand for the following syntax: +// +// fmt.Fprint(w, c.NewFormatter(a), c.NewFormatter(b)) +func (c *ConfigState) Fprint(w io.Writer, a ...interface{}) (n int, err error) { + return fmt.Fprint(w, c.convertArgs(a)...) +} + +// Fprintf is a wrapper for fmt.Fprintf that treats each argument as if it were +// passed with a Formatter interface returned by c.NewFormatter. It returns +// the number of bytes written and any write error encountered. See +// NewFormatter for formatting details. +// +// This function is shorthand for the following syntax: +// +// fmt.Fprintf(w, format, c.NewFormatter(a), c.NewFormatter(b)) +func (c *ConfigState) Fprintf(w io.Writer, format string, a ...interface{}) (n int, err error) { + return fmt.Fprintf(w, format, c.convertArgs(a)...) +} + +// Fprintln is a wrapper for fmt.Fprintln that treats each argument as if it +// passed with a Formatter interface returned by c.NewFormatter. See +// NewFormatter for formatting details. +// +// This function is shorthand for the following syntax: +// +// fmt.Fprintln(w, c.NewFormatter(a), c.NewFormatter(b)) +func (c *ConfigState) Fprintln(w io.Writer, a ...interface{}) (n int, err error) { + return fmt.Fprintln(w, c.convertArgs(a)...) +} + +// Print is a wrapper for fmt.Print that treats each argument as if it were +// passed with a Formatter interface returned by c.NewFormatter. It returns +// the number of bytes written and any write error encountered. See +// NewFormatter for formatting details. +// +// This function is shorthand for the following syntax: +// +// fmt.Print(c.NewFormatter(a), c.NewFormatter(b)) +func (c *ConfigState) Print(a ...interface{}) (n int, err error) { + return fmt.Print(c.convertArgs(a)...) +} + +// Printf is a wrapper for fmt.Printf that treats each argument as if it were +// passed with a Formatter interface returned by c.NewFormatter. It returns +// the number of bytes written and any write error encountered. 
See +// NewFormatter for formatting details. +// +// This function is shorthand for the following syntax: +// +// fmt.Printf(format, c.NewFormatter(a), c.NewFormatter(b)) +func (c *ConfigState) Printf(format string, a ...interface{}) (n int, err error) { + return fmt.Printf(format, c.convertArgs(a)...) +} + +// Println is a wrapper for fmt.Println that treats each argument as if it were +// passed with a Formatter interface returned by c.NewFormatter. It returns +// the number of bytes written and any write error encountered. See +// NewFormatter for formatting details. +// +// This function is shorthand for the following syntax: +// +// fmt.Println(c.NewFormatter(a), c.NewFormatter(b)) +func (c *ConfigState) Println(a ...interface{}) (n int, err error) { + return fmt.Println(c.convertArgs(a)...) +} + +// Sprint is a wrapper for fmt.Sprint that treats each argument as if it were +// passed with a Formatter interface returned by c.NewFormatter. It returns +// the resulting string. See NewFormatter for formatting details. +// +// This function is shorthand for the following syntax: +// +// fmt.Sprint(c.NewFormatter(a), c.NewFormatter(b)) +func (c *ConfigState) Sprint(a ...interface{}) string { + return fmt.Sprint(c.convertArgs(a)...) +} + +// Sprintf is a wrapper for fmt.Sprintf that treats each argument as if it were +// passed with a Formatter interface returned by c.NewFormatter. It returns +// the resulting string. See NewFormatter for formatting details. +// +// This function is shorthand for the following syntax: +// +// fmt.Sprintf(format, c.NewFormatter(a), c.NewFormatter(b)) +func (c *ConfigState) Sprintf(format string, a ...interface{}) string { + return fmt.Sprintf(format, c.convertArgs(a)...) +} + +// Sprintln is a wrapper for fmt.Sprintln that treats each argument as if it +// were passed with a Formatter interface returned by c.NewFormatter. It +// returns the resulting string. See NewFormatter for formatting details. 
+// +// This function is shorthand for the following syntax: +// +// fmt.Sprintln(c.NewFormatter(a), c.NewFormatter(b)) +func (c *ConfigState) Sprintln(a ...interface{}) string { + return fmt.Sprintln(c.convertArgs(a)...) +} + +/* +NewFormatter returns a custom formatter that satisfies the fmt.Formatter +interface. As a result, it integrates cleanly with standard fmt package +printing functions. The formatter is useful for inline printing of smaller data +types similar to the standard %v format specifier. + +The custom formatter only responds to the %v (most compact), %+v (adds pointer +addresses), %#v (adds types), and %#+v (adds types and pointer addresses) verb +combinations. Any other verbs such as %x and %q will be sent to the the +standard fmt package for formatting. In addition, the custom formatter ignores +the width and precision arguments (however they will still work on the format +specifiers not handled by the custom formatter). + +Typically this function shouldn't be called directly. It is much easier to make +use of the custom formatter by calling one of the convenience functions such as +c.Printf, c.Println, or c.Printf. +*/ +func (c *ConfigState) NewFormatter(v interface{}) fmt.Formatter { + return newFormatter(c, v) +} + +// Fdump formats and displays the passed arguments to io.Writer w. It formats +// exactly the same as Dump. +func (c *ConfigState) Fdump(w io.Writer, a ...interface{}) { + fdump(c, w, a...) +} + +/* +Dump displays the passed parameters to standard out with newlines, customizable +indentation, and additional debug information such as complete types and all +pointer addresses used to indirect to the final value. 
It provides the +following features over the built-in printing facilities provided by the fmt +package: + + * Pointers are dereferenced and followed + * Circular data structures are detected and handled properly + * Custom Stringer/error interfaces are optionally invoked, including + on unexported types + * Custom types which only implement the Stringer/error interfaces via + a pointer receiver are optionally invoked when passing non-pointer + variables + * Byte arrays and slices are dumped like the hexdump -C command which + includes offsets, byte values in hex, and ASCII output + +The configuration options are controlled by modifying the public members +of c. See ConfigState for options documentation. + +See Fdump if you would prefer dumping to an arbitrary io.Writer or Sdump to +get the formatted result as a string. +*/ +func (c *ConfigState) Dump(a ...interface{}) { + fdump(c, os.Stdout, a...) +} + +// Sdump returns a string with the passed arguments formatted exactly the same +// as Dump. +func (c *ConfigState) Sdump(a ...interface{}) string { + var buf bytes.Buffer + fdump(c, &buf, a...) + return buf.String() +} + +// convertArgs accepts a slice of arguments and returns a slice of the same +// length with each argument converted to a spew Formatter interface using +// the ConfigState associated with s. +func (c *ConfigState) convertArgs(args []interface{}) (formatters []interface{}) { + formatters = make([]interface{}, len(args)) + for index, arg := range args { + formatters[index] = newFormatter(c, arg) + } + return formatters +} + +// NewDefaultConfig returns a ConfigState with the following default settings. +// +// Indent: " " +// MaxDepth: 0 +// DisableMethods: false +// DisablePointerMethods: false +// ContinueOnMethod: false +// SortKeys: false +func NewDefaultConfig() *ConfigState { + return &ConfigState{Indent: " "} +} 
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/davecgh/go-spew/spew/doc.go b/go/ql/test/experimental/CWE-321/vendor/github.com/davecgh/go-spew/spew/doc.go
new file mode 100644
index 000000000000..aacaac6f1e1e
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/davecgh/go-spew/spew/doc.go
@@ -0,0 +1,211 @@ +/* + * Copyright (c) 2013-2016 Dave Collins + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +/* +Package spew implements a deep pretty printer for Go data structures to aid in +debugging. + +A quick overview of the additional features spew provides over the built-in +printing facilities for Go data types are as follows: + + * Pointers are dereferenced and followed + * Circular data structures are detected and handled properly + * Custom Stringer/error interfaces are optionally invoked, including + on unexported types + * Custom types which only implement the Stringer/error interfaces via + a pointer receiver are optionally invoked when passing non-pointer + variables + * Byte arrays and slices are dumped like the hexdump -C command which + includes offsets, byte values in hex, and ASCII output (only when using + Dump style) + +There are two different approaches spew allows for dumping Go data structures: + + * Dump style which prints with newlines, customizable indentation, + and additional debug information such as types and all pointer addresses + used to indirect to the final value + * A custom Formatter interface that integrates cleanly with the standard fmt + package and replaces %v, %+v, %#v, and %#+v to provide inline printing + similar to the default 
%v while providing the additional functionality + outlined above and passing unsupported format verbs such as %x and %q + along to fmt + +Quick Start + +This section demonstrates how to quickly get started with spew. See the +sections below for further details on formatting and configuration options. + +To dump a variable with full newlines, indentation, type, and pointer +information use Dump, Fdump, or Sdump: + spew.Dump(myVar1, myVar2, ...) + spew.Fdump(someWriter, myVar1, myVar2, ...) + str := spew.Sdump(myVar1, myVar2, ...) + +Alternatively, if you would prefer to use format strings with a compacted inline +printing style, use the convenience wrappers Printf, Fprintf, etc with +%v (most compact), %+v (adds pointer addresses), %#v (adds types), or +%#+v (adds types and pointer addresses): + spew.Printf("myVar1: %v -- myVar2: %+v", myVar1, myVar2) + spew.Printf("myVar3: %#v -- myVar4: %#+v", myVar3, myVar4) + spew.Fprintf(someWriter, "myVar1: %v -- myVar2: %+v", myVar1, myVar2) + spew.Fprintf(someWriter, "myVar3: %#v -- myVar4: %#+v", myVar3, myVar4) + +Configuration Options + +Configuration of spew is handled by fields in the ConfigState type. For +convenience, all of the top-level functions use a global state available +via the spew.Config global. + +It is also possible to create a ConfigState instance that provides methods +equivalent to the top-level functions. This allows concurrent configuration +options. See the ConfigState documentation for more details. + +The following configuration options are available: + * Indent + String to use for each indentation level for Dump functions. + It is a single space by default. A popular alternative is "\t". + + * MaxDepth + Maximum number of levels to descend into nested data structures. + There is no limit by default. + + * DisableMethods + Disables invocation of error and Stringer interface methods. + Method invocation is enabled by default. 
+ + * DisablePointerMethods + Disables invocation of error and Stringer interface methods on types + which only accept pointer receivers from non-pointer variables. + Pointer method invocation is enabled by default. + + * DisablePointerAddresses + DisablePointerAddresses specifies whether to disable the printing of + pointer addresses. This is useful when diffing data structures in tests. + + * DisableCapacities + DisableCapacities specifies whether to disable the printing of + capacities for arrays, slices, maps and channels. This is useful when + diffing data structures in tests. + + * ContinueOnMethod + Enables recursion into types after invoking error and Stringer interface + methods. Recursion after method invocation is disabled by default. + + * SortKeys + Specifies map keys should be sorted before being printed. Use + this to have a more deterministic, diffable output. Note that + only native types (bool, int, uint, floats, uintptr and string) + and types which implement error or Stringer interfaces are + supported with other types sorted according to the + reflect.Value.String() output which guarantees display + stability. Natural map order is used by default. + + * SpewKeys + Specifies that, as a last resort attempt, map keys should be + spewed to strings and sorted by those strings. This is only + considered if SortKeys is true. + +Dump Usage + +Simply call spew.Dump with a list of variables you want to dump: + + spew.Dump(myVar1, myVar2, ...) + +You may also call spew.Fdump if you would prefer to output to an arbitrary +io.Writer. For example, to dump to standard error: + + spew.Fdump(os.Stderr, myVar1, myVar2, ...) + +A third option is to call spew.Sdump to get the formatted output as a string: + + str := spew.Sdump(myVar1, myVar2, ...) + +Sample Dump Output + +See the Dump example for details on the setup of the types and variables being +shown here. 
+ + (main.Foo) { + unexportedField: (*main.Bar)(0xf84002e210)({ + flag: (main.Flag) flagTwo, + data: (uintptr) + }), + ExportedField: (map[interface {}]interface {}) (len=1) { + (string) (len=3) "one": (bool) true + } + } + +Byte (and uint8) arrays and slices are displayed uniquely like the hexdump -C +command as shown. + ([]uint8) (len=32 cap=32) { + 00000000 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 |............... | + 00000010 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 |!"#$%&'()*+,-./0| + 00000020 31 32 |12| + } + +Custom Formatter + +Spew provides a custom formatter that implements the fmt.Formatter interface +so that it integrates cleanly with standard fmt package printing functions. The +formatter is useful for inline printing of smaller data types similar to the +standard %v format specifier. + +The custom formatter only responds to the %v (most compact), %+v (adds pointer +addresses), %#v (adds types), or %#+v (adds types and pointer addresses) verb +combinations. Any other verbs such as %x and %q will be sent to the the +standard fmt package for formatting. In addition, the custom formatter ignores +the width and precision arguments (however they will still work on the format +specifiers not handled by the custom formatter). + +Custom Formatter Usage + +The simplest way to make use of the spew custom formatter is to call one of the +convenience functions such as spew.Printf, spew.Println, or spew.Printf. The +functions have syntax you are most likely already familiar with: + + spew.Printf("myVar1: %v -- myVar2: %+v", myVar1, myVar2) + spew.Printf("myVar3: %#v -- myVar4: %#+v", myVar3, myVar4) + spew.Println(myVar, myVar2) + spew.Fprintf(os.Stderr, "myVar1: %v -- myVar2: %+v", myVar1, myVar2) + spew.Fprintf(os.Stderr, "myVar3: %#v -- myVar4: %#+v", myVar3, myVar4) + +See the Index for the full list convenience functions. 
+ +Sample Formatter Output + +Double pointer to a uint8: + %v: <**>5 + %+v: <**>(0xf8400420d0->0xf8400420c8)5 + %#v: (**uint8)5 + %#+v: (**uint8)(0xf8400420d0->0xf8400420c8)5 + +Pointer to circular struct with a uint8 field and a pointer to itself: + %v: <*>{1 <*>} + %+v: <*>(0xf84003e260){ui8:1 c:<*>(0xf84003e260)} + %#v: (*main.circular){ui8:(uint8)1 c:(*main.circular)} + %#+v: (*main.circular)(0xf84003e260){ui8:(uint8)1 c:(*main.circular)(0xf84003e260)} + +See the Printf example for details on the setup of variables being shown +here. + +Errors + +Since it is possible for custom Stringer/error interfaces to panic, spew +detects them and handles them internally by printing the panic information +inline with the output. Since spew is intended to provide deep pretty printing +capabilities on structures, it intentionally does not return any errors. +*/ +package spew diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/davecgh/go-spew/spew/dump.go b/go/ql/test/experimental/CWE-321/vendor/github.com/davecgh/go-spew/spew/dump.go new file mode 100644 index 000000000000..f78d89fc1f6c --- /dev/null +++ b/go/ql/test/experimental/CWE-321/vendor/github.com/davecgh/go-spew/spew/dump.go 
@@ -0,0 +1,509 @@ +/* + * Copyright (c) 2013-2016 Dave Collins + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +package spew + +import ( + "bytes" + "encoding/hex" + "fmt" + "io" + "os" + "reflect" + "regexp" + "strconv" + "strings" +) + +var ( + // uint8Type is a reflect.Type representing a uint8. It is used to + // convert cgo types to uint8 slices for hexdumping. + uint8Type = reflect.TypeOf(uint8(0)) + + // cCharRE is a regular expression that matches a cgo char. + // It is used to detect character arrays to hexdump them. + cCharRE = regexp.MustCompile(`^.*\._Ctype_char$`) + + // cUnsignedCharRE is a regular expression that matches a cgo unsigned + // char. It is used to detect unsigned character arrays to hexdump + // them. + cUnsignedCharRE = regexp.MustCompile(`^.*\._Ctype_unsignedchar$`) + + // cUint8tCharRE is a regular expression that matches a cgo uint8_t. + // It is used to detect uint8_t arrays to hexdump them. + cUint8tCharRE = regexp.MustCompile(`^.*\._Ctype_uint8_t$`) +) + +// dumpState contains information about the state of a dump operation. 
+type dumpState struct { + w io.Writer + depth int + pointers map[uintptr]int + ignoreNextType bool + ignoreNextIndent bool + cs *ConfigState +} + +// indent performs indentation according to the depth level and cs.Indent +// option. +func (d *dumpState) indent() { + if d.ignoreNextIndent { + d.ignoreNextIndent = false + return + } + d.w.Write(bytes.Repeat([]byte(d.cs.Indent), d.depth)) +} + +// unpackValue returns values inside of non-nil interfaces when possible. +// This is useful for data types like structs, arrays, slices, and maps which +// can contain varying types packed inside an interface. +func (d *dumpState) unpackValue(v reflect.Value) reflect.Value { + if v.Kind() == reflect.Interface && !v.IsNil() { + v = v.Elem() + } + return v +} + +// dumpPtr handles formatting of pointers by indirecting them as necessary. +func (d *dumpState) dumpPtr(v reflect.Value) { + // Remove pointers at or below the current depth from map used to detect + // circular refs. + for k, depth := range d.pointers { + if depth >= d.depth { + delete(d.pointers, k) + } + } + + // Keep list of all dereferenced pointers to show later. + pointerChain := make([]uintptr, 0) + + // Figure out how many levels of indirection there are by dereferencing + // pointers and unpacking interfaces down the chain while detecting circular + // references. + nilFound := false + cycleFound := false + indirects := 0 + ve := v + for ve.Kind() == reflect.Ptr { + if ve.IsNil() { + nilFound = true + break + } + indirects++ + addr := ve.Pointer() + pointerChain = append(pointerChain, addr) + if pd, ok := d.pointers[addr]; ok && pd < d.depth { + cycleFound = true + indirects-- + break + } + d.pointers[addr] = d.depth + + ve = ve.Elem() + if ve.Kind() == reflect.Interface { + if ve.IsNil() { + nilFound = true + break + } + ve = ve.Elem() + } + } + + // Display type information. 
+ d.w.Write(openParenBytes) + d.w.Write(bytes.Repeat(asteriskBytes, indirects)) + d.w.Write([]byte(ve.Type().String())) + d.w.Write(closeParenBytes) + + // Display pointer information. + if !d.cs.DisablePointerAddresses && len(pointerChain) > 0 { + d.w.Write(openParenBytes) + for i, addr := range pointerChain { + if i > 0 { + d.w.Write(pointerChainBytes) + } + printHexPtr(d.w, addr) + } + d.w.Write(closeParenBytes) + } + + // Display dereferenced value. + d.w.Write(openParenBytes) + switch { + case nilFound: + d.w.Write(nilAngleBytes) + + case cycleFound: + d.w.Write(circularBytes) + + default: + d.ignoreNextType = true + d.dump(ve) + } + d.w.Write(closeParenBytes) +} + +// dumpSlice handles formatting of arrays and slices. Byte (uint8 under +// reflection) arrays and slices are dumped in hexdump -C fashion. +func (d *dumpState) dumpSlice(v reflect.Value) { + // Determine whether this type should be hex dumped or not. Also, + // for types which should be hexdumped, try to use the underlying data + // first, then fall back to trying to convert them to a uint8 slice. + var buf []uint8 + doConvert := false + doHexDump := false + numEntries := v.Len() + if numEntries > 0 { + vt := v.Index(0).Type() + vts := vt.String() + switch { + // C types that need to be converted. + case cCharRE.MatchString(vts): + fallthrough + case cUnsignedCharRE.MatchString(vts): + fallthrough + case cUint8tCharRE.MatchString(vts): + doConvert = true + + // Try to use existing uint8 slices and fall back to converting + // and copying if that fails. + case vt.Kind() == reflect.Uint8: + // We need an addressable interface to convert the type + // to a byte slice. However, the reflect package won't + // give us an interface on certain things like + // unexported struct fields in order to enforce + // visibility rules. We use unsafe, when available, to + // bypass these restrictions since this package does not + // mutate the values. 
+ vs := v + if !vs.CanInterface() || !vs.CanAddr() { + vs = unsafeReflectValue(vs) + } + if !UnsafeDisabled { + vs = vs.Slice(0, numEntries) + + // Use the existing uint8 slice if it can be + // type asserted. + iface := vs.Interface() + if slice, ok := iface.([]uint8); ok { + buf = slice + doHexDump = true + break + } + } + + // The underlying data needs to be converted if it can't + // be type asserted to a uint8 slice. + doConvert = true + } + + // Copy and convert the underlying type if needed. + if doConvert && vt.ConvertibleTo(uint8Type) { + // Convert and copy each element into a uint8 byte + // slice. + buf = make([]uint8, numEntries) + for i := 0; i < numEntries; i++ { + vv := v.Index(i) + buf[i] = uint8(vv.Convert(uint8Type).Uint()) + } + doHexDump = true + } + } + + // Hexdump the entire slice as needed. + if doHexDump { + indent := strings.Repeat(d.cs.Indent, d.depth) + str := indent + hex.Dump(buf) + str = strings.Replace(str, "\n", "\n"+indent, -1) + str = strings.TrimRight(str, d.cs.Indent) + d.w.Write([]byte(str)) + return + } + + // Recursively call dump for each item. + for i := 0; i < numEntries; i++ { + d.dump(d.unpackValue(v.Index(i))) + if i < (numEntries - 1) { + d.w.Write(commaNewlineBytes) + } else { + d.w.Write(newlineBytes) + } + } +} + +// dump is the main workhorse for dumping a value. It uses the passed reflect +// value to figure out what kind of object we are dealing with and formats it +// appropriately. It is a recursive function, however circular data structures +// are detected and handled properly. +func (d *dumpState) dump(v reflect.Value) { + // Handle invalid reflect values immediately. + kind := v.Kind() + if kind == reflect.Invalid { + d.w.Write(invalidAngleBytes) + return + } + + // Handle pointers specially. + if kind == reflect.Ptr { + d.indent() + d.dumpPtr(v) + return + } + + // Print type information unless already handled elsewhere. 
+ if !d.ignoreNextType { + d.indent() + d.w.Write(openParenBytes) + d.w.Write([]byte(v.Type().String())) + d.w.Write(closeParenBytes) + d.w.Write(spaceBytes) + } + d.ignoreNextType = false + + // Display length and capacity if the built-in len and cap functions + // work with the value's kind and the len/cap itself is non-zero. + valueLen, valueCap := 0, 0 + switch v.Kind() { + case reflect.Array, reflect.Slice, reflect.Chan: + valueLen, valueCap = v.Len(), v.Cap() + case reflect.Map, reflect.String: + valueLen = v.Len() + } + if valueLen != 0 || !d.cs.DisableCapacities && valueCap != 0 { + d.w.Write(openParenBytes) + if valueLen != 0 { + d.w.Write(lenEqualsBytes) + printInt(d.w, int64(valueLen), 10) + } + if !d.cs.DisableCapacities && valueCap != 0 { + if valueLen != 0 { + d.w.Write(spaceBytes) + } + d.w.Write(capEqualsBytes) + printInt(d.w, int64(valueCap), 10) + } + d.w.Write(closeParenBytes) + d.w.Write(spaceBytes) + } + + // Call Stringer/error interfaces if they exist and the handle methods flag + // is enabled + if !d.cs.DisableMethods { + if (kind != reflect.Invalid) && (kind != reflect.Interface) { + if handled := handleMethods(d.cs, d.w, v); handled { + return + } + } + } + + switch kind { + case reflect.Invalid: + // Do nothing. We should never get here since invalid has already + // been handled above. 
+ + case reflect.Bool: + printBool(d.w, v.Bool()) + + case reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64, reflect.Int: + printInt(d.w, v.Int(), 10) + + case reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uint: + printUint(d.w, v.Uint(), 10) + + case reflect.Float32: + printFloat(d.w, v.Float(), 32) + + case reflect.Float64: + printFloat(d.w, v.Float(), 64) + + case reflect.Complex64: + printComplex(d.w, v.Complex(), 32) + + case reflect.Complex128: + printComplex(d.w, v.Complex(), 64) + + case reflect.Slice: + if v.IsNil() { + d.w.Write(nilAngleBytes) + break + } + fallthrough + + case reflect.Array: + d.w.Write(openBraceNewlineBytes) + d.depth++ + if (d.cs.MaxDepth != 0) && (d.depth > d.cs.MaxDepth) { + d.indent() + d.w.Write(maxNewlineBytes) + } else { + d.dumpSlice(v) + } + d.depth-- + d.indent() + d.w.Write(closeBraceBytes) + + case reflect.String: + d.w.Write([]byte(strconv.Quote(v.String()))) + + case reflect.Interface: + // The only time we should get here is for nil interfaces due to + // unpackValue calls. + if v.IsNil() { + d.w.Write(nilAngleBytes) + } + + case reflect.Ptr: + // Do nothing. We should never get here since pointers have already + // been handled above. 
+ + case reflect.Map: + // nil maps should be indicated as different than empty maps + if v.IsNil() { + d.w.Write(nilAngleBytes) + break + } + + d.w.Write(openBraceNewlineBytes) + d.depth++ + if (d.cs.MaxDepth != 0) && (d.depth > d.cs.MaxDepth) { + d.indent() + d.w.Write(maxNewlineBytes) + } else { + numEntries := v.Len() + keys := v.MapKeys() + if d.cs.SortKeys { + sortValues(keys, d.cs) + } + for i, key := range keys { + d.dump(d.unpackValue(key)) + d.w.Write(colonSpaceBytes) + d.ignoreNextIndent = true + d.dump(d.unpackValue(v.MapIndex(key))) + if i < (numEntries - 1) { + d.w.Write(commaNewlineBytes) + } else { + d.w.Write(newlineBytes) + } + } + } + d.depth-- + d.indent() + d.w.Write(closeBraceBytes) + + case reflect.Struct: + d.w.Write(openBraceNewlineBytes) + d.depth++ + if (d.cs.MaxDepth != 0) && (d.depth > d.cs.MaxDepth) { + d.indent() + d.w.Write(maxNewlineBytes) + } else { + vt := v.Type() + numFields := v.NumField() + for i := 0; i < numFields; i++ { + d.indent() + vtf := vt.Field(i) + d.w.Write([]byte(vtf.Name)) + d.w.Write(colonSpaceBytes) + d.ignoreNextIndent = true + d.dump(d.unpackValue(v.Field(i))) + if i < (numFields - 1) { + d.w.Write(commaNewlineBytes) + } else { + d.w.Write(newlineBytes) + } + } + } + d.depth-- + d.indent() + d.w.Write(closeBraceBytes) + + case reflect.Uintptr: + printHexPtr(d.w, uintptr(v.Uint())) + + case reflect.UnsafePointer, reflect.Chan, reflect.Func: + printHexPtr(d.w, v.Pointer()) + + // There were not any other types at the time this code was written, but + // fall back to letting the default fmt package handle it in case any new + // types are added. + default: + if v.CanInterface() { + fmt.Fprintf(d.w, "%v", v.Interface()) + } else { + fmt.Fprintf(d.w, "%v", v.String()) + } + } +} + +// fdump is a helper function to consolidate the logic from the various public +// methods which take varying writers and config states. 
+func fdump(cs *ConfigState, w io.Writer, a ...interface{}) {
+ for _, arg := range a {
+ if arg == nil {
+ w.Write(interfaceBytes)
+ w.Write(spaceBytes)
+ w.Write(nilAngleBytes)
+ w.Write(newlineBytes)
+ continue
+ }
+
+ d := dumpState{w: w, cs: cs}
+ d.pointers = make(map[uintptr]int)
+ d.dump(reflect.ValueOf(arg))
+ d.w.Write(newlineBytes)
+ }
+}
+
+// Fdump formats and displays the passed arguments to io.Writer w. It formats
+// exactly the same as Dump.
+func Fdump(w io.Writer, a ...interface{}) {
+ fdump(&Config, w, a...)
+}
+
+// Sdump returns a string with the passed arguments formatted exactly the same
+// as Dump.
+func Sdump(a ...interface{}) string {
+ var buf bytes.Buffer
+ fdump(&Config, &buf, a...)
+ return buf.String()
+}
+
+/*
+Dump displays the passed parameters to standard out with newlines, customizable
+indentation, and additional debug information such as complete types and all
+pointer addresses used to indirect to the final value. It provides the
+following features over the built-in printing facilities provided by the fmt
+package:
+
+ * Pointers are dereferenced and followed
+ * Circular data structures are detected and handled properly
+ * Custom Stringer/error interfaces are optionally invoked, including
+ on unexported types
+ * Custom types which only implement the Stringer/error interfaces via
+ a pointer receiver are optionally invoked when passing non-pointer
+ variables
+ * Byte arrays and slices are dumped like the hexdump -C command which
+ includes offsets, byte values in hex, and ASCII output
+
+The configuration options are controlled by an exported package global,
+spew.Config. See ConfigState for options documentation.
+
+See Fdump if you would prefer dumping to an arbitrary io.Writer or Sdump to
+get the formatted result as a string.
+*/
+func Dump(a ...interface{}) {
+ fdump(&Config, os.Stdout, a...)
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/davecgh/go-spew/spew/format.go b/go/ql/test/experimental/CWE-321/vendor/github.com/davecgh/go-spew/spew/format.go
new file mode 100644
index 000000000000..b04edb7d7ac2
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/davecgh/go-spew/spew/format.go
@@ -0,0 +1,419 @@ +/* + * Copyright (c) 2013-2016 Dave Collins + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +package spew + +import ( + "bytes" + "fmt" + "reflect" + "strconv" + "strings" +) + +// supportedFlags is a list of all the character flags supported by fmt package. +const supportedFlags = "0-+# " + +// formatState implements the fmt.Formatter interface and contains information +// about the state of a formatting operation. The NewFormatter function can +// be used to get a new Formatter which can be used directly as arguments +// in standard fmt package printing calls. +type formatState struct { + value interface{} + fs fmt.State + depth int + pointers map[uintptr]int + ignoreNextType bool + cs *ConfigState +} + +// buildDefaultFormat recreates the original format string without precision +// and width information to pass in to fmt.Sprintf in the case of an +// unrecognized type. Unless new types are added to the language, this +// function won't ever be called. 
+func (f *formatState) buildDefaultFormat() (format string) { + buf := bytes.NewBuffer(percentBytes) + + for _, flag := range supportedFlags { + if f.fs.Flag(int(flag)) { + buf.WriteRune(flag) + } + } + + buf.WriteRune('v') + + format = buf.String() + return format +} + +// constructOrigFormat recreates the original format string including precision +// and width information to pass along to the standard fmt package. This allows +// automatic deferral of all format strings this package doesn't support. +func (f *formatState) constructOrigFormat(verb rune) (format string) { + buf := bytes.NewBuffer(percentBytes) + + for _, flag := range supportedFlags { + if f.fs.Flag(int(flag)) { + buf.WriteRune(flag) + } + } + + if width, ok := f.fs.Width(); ok { + buf.WriteString(strconv.Itoa(width)) + } + + if precision, ok := f.fs.Precision(); ok { + buf.Write(precisionBytes) + buf.WriteString(strconv.Itoa(precision)) + } + + buf.WriteRune(verb) + + format = buf.String() + return format +} + +// unpackValue returns values inside of non-nil interfaces when possible and +// ensures that types for values which have been unpacked from an interface +// are displayed when the show types flag is also set. +// This is useful for data types like structs, arrays, slices, and maps which +// can contain varying types packed inside an interface. +func (f *formatState) unpackValue(v reflect.Value) reflect.Value { + if v.Kind() == reflect.Interface { + f.ignoreNextType = false + if !v.IsNil() { + v = v.Elem() + } + } + return v +} + +// formatPtr handles formatting of pointers by indirecting them as necessary. +func (f *formatState) formatPtr(v reflect.Value) { + // Display nil if top level pointer is nil. + showTypes := f.fs.Flag('#') + if v.IsNil() && (!showTypes || f.ignoreNextType) { + f.fs.Write(nilAngleBytes) + return + } + + // Remove pointers at or below the current depth from map used to detect + // circular refs. 
+ for k, depth := range f.pointers { + if depth >= f.depth { + delete(f.pointers, k) + } + } + + // Keep list of all dereferenced pointers to possibly show later. + pointerChain := make([]uintptr, 0) + + // Figure out how many levels of indirection there are by derferencing + // pointers and unpacking interfaces down the chain while detecting circular + // references. + nilFound := false + cycleFound := false + indirects := 0 + ve := v + for ve.Kind() == reflect.Ptr { + if ve.IsNil() { + nilFound = true + break + } + indirects++ + addr := ve.Pointer() + pointerChain = append(pointerChain, addr) + if pd, ok := f.pointers[addr]; ok && pd < f.depth { + cycleFound = true + indirects-- + break + } + f.pointers[addr] = f.depth + + ve = ve.Elem() + if ve.Kind() == reflect.Interface { + if ve.IsNil() { + nilFound = true + break + } + ve = ve.Elem() + } + } + + // Display type or indirection level depending on flags. + if showTypes && !f.ignoreNextType { + f.fs.Write(openParenBytes) + f.fs.Write(bytes.Repeat(asteriskBytes, indirects)) + f.fs.Write([]byte(ve.Type().String())) + f.fs.Write(closeParenBytes) + } else { + if nilFound || cycleFound { + indirects += strings.Count(ve.Type().String(), "*") + } + f.fs.Write(openAngleBytes) + f.fs.Write([]byte(strings.Repeat("*", indirects))) + f.fs.Write(closeAngleBytes) + } + + // Display pointer information depending on flags. + if f.fs.Flag('+') && (len(pointerChain) > 0) { + f.fs.Write(openParenBytes) + for i, addr := range pointerChain { + if i > 0 { + f.fs.Write(pointerChainBytes) + } + printHexPtr(f.fs, addr) + } + f.fs.Write(closeParenBytes) + } + + // Display dereferenced value. + switch { + case nilFound: + f.fs.Write(nilAngleBytes) + + case cycleFound: + f.fs.Write(circularShortBytes) + + default: + f.ignoreNextType = true + f.format(ve) + } +} + +// format is the main workhorse for providing the Formatter interface. 
It +// uses the passed reflect value to figure out what kind of object we are +// dealing with and formats it appropriately. It is a recursive function, +// however circular data structures are detected and handled properly. +func (f *formatState) format(v reflect.Value) { + // Handle invalid reflect values immediately. + kind := v.Kind() + if kind == reflect.Invalid { + f.fs.Write(invalidAngleBytes) + return + } + + // Handle pointers specially. + if kind == reflect.Ptr { + f.formatPtr(v) + return + } + + // Print type information unless already handled elsewhere. + if !f.ignoreNextType && f.fs.Flag('#') { + f.fs.Write(openParenBytes) + f.fs.Write([]byte(v.Type().String())) + f.fs.Write(closeParenBytes) + } + f.ignoreNextType = false + + // Call Stringer/error interfaces if they exist and the handle methods + // flag is enabled. + if !f.cs.DisableMethods { + if (kind != reflect.Invalid) && (kind != reflect.Interface) { + if handled := handleMethods(f.cs, f.fs, v); handled { + return + } + } + } + + switch kind { + case reflect.Invalid: + // Do nothing. We should never get here since invalid has already + // been handled above. 
+ + case reflect.Bool: + printBool(f.fs, v.Bool()) + + case reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64, reflect.Int: + printInt(f.fs, v.Int(), 10) + + case reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uint: + printUint(f.fs, v.Uint(), 10) + + case reflect.Float32: + printFloat(f.fs, v.Float(), 32) + + case reflect.Float64: + printFloat(f.fs, v.Float(), 64) + + case reflect.Complex64: + printComplex(f.fs, v.Complex(), 32) + + case reflect.Complex128: + printComplex(f.fs, v.Complex(), 64) + + case reflect.Slice: + if v.IsNil() { + f.fs.Write(nilAngleBytes) + break + } + fallthrough + + case reflect.Array: + f.fs.Write(openBracketBytes) + f.depth++ + if (f.cs.MaxDepth != 0) && (f.depth > f.cs.MaxDepth) { + f.fs.Write(maxShortBytes) + } else { + numEntries := v.Len() + for i := 0; i < numEntries; i++ { + if i > 0 { + f.fs.Write(spaceBytes) + } + f.ignoreNextType = true + f.format(f.unpackValue(v.Index(i))) + } + } + f.depth-- + f.fs.Write(closeBracketBytes) + + case reflect.String: + f.fs.Write([]byte(v.String())) + + case reflect.Interface: + // The only time we should get here is for nil interfaces due to + // unpackValue calls. + if v.IsNil() { + f.fs.Write(nilAngleBytes) + } + + case reflect.Ptr: + // Do nothing. We should never get here since pointers have already + // been handled above. 
+ + case reflect.Map: + // nil maps should be indicated as different than empty maps + if v.IsNil() { + f.fs.Write(nilAngleBytes) + break + } + + f.fs.Write(openMapBytes) + f.depth++ + if (f.cs.MaxDepth != 0) && (f.depth > f.cs.MaxDepth) { + f.fs.Write(maxShortBytes) + } else { + keys := v.MapKeys() + if f.cs.SortKeys { + sortValues(keys, f.cs) + } + for i, key := range keys { + if i > 0 { + f.fs.Write(spaceBytes) + } + f.ignoreNextType = true + f.format(f.unpackValue(key)) + f.fs.Write(colonBytes) + f.ignoreNextType = true + f.format(f.unpackValue(v.MapIndex(key))) + } + } + f.depth-- + f.fs.Write(closeMapBytes) + + case reflect.Struct: + numFields := v.NumField() + f.fs.Write(openBraceBytes) + f.depth++ + if (f.cs.MaxDepth != 0) && (f.depth > f.cs.MaxDepth) { + f.fs.Write(maxShortBytes) + } else { + vt := v.Type() + for i := 0; i < numFields; i++ { + if i > 0 { + f.fs.Write(spaceBytes) + } + vtf := vt.Field(i) + if f.fs.Flag('+') || f.fs.Flag('#') { + f.fs.Write([]byte(vtf.Name)) + f.fs.Write(colonBytes) + } + f.format(f.unpackValue(v.Field(i))) + } + } + f.depth-- + f.fs.Write(closeBraceBytes) + + case reflect.Uintptr: + printHexPtr(f.fs, uintptr(v.Uint())) + + case reflect.UnsafePointer, reflect.Chan, reflect.Func: + printHexPtr(f.fs, v.Pointer()) + + // There were not any other types at the time this code was written, but + // fall back to letting the default fmt package handle it if any get added. + default: + format := f.buildDefaultFormat() + if v.CanInterface() { + fmt.Fprintf(f.fs, format, v.Interface()) + } else { + fmt.Fprintf(f.fs, format, v.String()) + } + } +} + +// Format satisfies the fmt.Formatter interface. See NewFormatter for usage +// details. +func (f *formatState) Format(fs fmt.State, verb rune) { + f.fs = fs + + // Use standard formatting for verbs that are not v. 
+ if verb != 'v' { + format := f.constructOrigFormat(verb) + fmt.Fprintf(fs, format, f.value) + return + } + + if f.value == nil { + if fs.Flag('#') { + fs.Write(interfaceBytes) + } + fs.Write(nilAngleBytes) + return + } + + f.format(reflect.ValueOf(f.value)) +} + +// newFormatter is a helper function to consolidate the logic from the various +// public methods which take varying config states. +func newFormatter(cs *ConfigState, v interface{}) fmt.Formatter { + fs := &formatState{value: v, cs: cs} + fs.pointers = make(map[uintptr]int) + return fs +} + +/* +NewFormatter returns a custom formatter that satisfies the fmt.Formatter +interface. As a result, it integrates cleanly with standard fmt package +printing functions. The formatter is useful for inline printing of smaller data +types similar to the standard %v format specifier. + +The custom formatter only responds to the %v (most compact), %+v (adds pointer +addresses), %#v (adds types), or %#+v (adds types and pointer addresses) verb +combinations. Any other verbs such as %x and %q will be sent to the the +standard fmt package for formatting. In addition, the custom formatter ignores +the width and precision arguments (however they will still work on the format +specifiers not handled by the custom formatter). + +Typically this function shouldn't be called directly. It is much easier to make +use of the custom formatter by calling one of the convenience functions such as +Printf, Println, or Fprintf. +*/ +func NewFormatter(v interface{}) fmt.Formatter { + return newFormatter(&Config, v) +} diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/davecgh/go-spew/spew/spew.go b/go/ql/test/experimental/CWE-321/vendor/github.com/davecgh/go-spew/spew/spew.go new file mode 100644 index 000000000000..32c0e3388253 --- /dev/null +++ b/go/ql/test/experimental/CWE-321/vendor/github.com/davecgh/go-spew/spew/spew.go 
@@ -0,0 +1,148 @@
+/*
+ * Copyright (c) 2013-2016 Dave Collins
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+package spew
+
+import (
+ "fmt"
+ "io"
+)
+
+// Errorf is a wrapper for fmt.Errorf that treats each argument as if it were
+// passed with a default Formatter interface returned by NewFormatter. It
+// returns the formatted string as a value that satisfies error. See
+// NewFormatter for formatting details.
+//
+// This function is shorthand for the following syntax:
+//
+// fmt.Errorf(format, spew.NewFormatter(a), spew.NewFormatter(b))
+func Errorf(format string, a ...interface{}) (err error) {
+ return fmt.Errorf(format, convertArgs(a)...)
+}
+
+// Fprint is a wrapper for fmt.Fprint that treats each argument as if it were
+// passed with a default Formatter interface returned by NewFormatter. It
+// returns the number of bytes written and any write error encountered. See
+// NewFormatter for formatting details.
+//
+// This function is shorthand for the following syntax:
+//
+// fmt.Fprint(w, spew.NewFormatter(a), spew.NewFormatter(b))
+func Fprint(w io.Writer, a ...interface{}) (n int, err error) {
+ return fmt.Fprint(w, convertArgs(a)...)
+}
+
+// Fprintf is a wrapper for fmt.Fprintf that treats each argument as if it were
+// passed with a default Formatter interface returned by NewFormatter. It
+// returns the number of bytes written and any write error encountered. See
+// NewFormatter for formatting details.
+//
+// This function is shorthand for the following syntax:
+//
+// fmt.Fprintf(w, format, spew.NewFormatter(a), spew.NewFormatter(b))
+func Fprintf(w io.Writer, format string, a ...interface{}) (n int, err error) {
+ return fmt.Fprintf(w, format, convertArgs(a)...)
+}
+
+// Fprintln is a wrapper for fmt.Fprintln that treats each argument as if it
+// passed with a default Formatter interface returned by NewFormatter. See
+// NewFormatter for formatting details.
+//
+// This function is shorthand for the following syntax:
+//
+// fmt.Fprintln(w, spew.NewFormatter(a), spew.NewFormatter(b))
+func Fprintln(w io.Writer, a ...interface{}) (n int, err error) {
+ return fmt.Fprintln(w, convertArgs(a)...)
+}
+
+// Print is a wrapper for fmt.Print that treats each argument as if it were
+// passed with a default Formatter interface returned by NewFormatter. It
+// returns the number of bytes written and any write error encountered. See
+// NewFormatter for formatting details.
+//
+// This function is shorthand for the following syntax:
+//
+// fmt.Print(spew.NewFormatter(a), spew.NewFormatter(b))
+func Print(a ...interface{}) (n int, err error) {
+ return fmt.Print(convertArgs(a)...)
+}
+
+// Printf is a wrapper for fmt.Printf that treats each argument as if it were
+// passed with a default Formatter interface returned by NewFormatter. It
+// returns the number of bytes written and any write error encountered. See
+// NewFormatter for formatting details.
+//
+// This function is shorthand for the following syntax:
+//
+// fmt.Printf(format, spew.NewFormatter(a), spew.NewFormatter(b))
+func Printf(format string, a ...interface{}) (n int, err error) {
+ return fmt.Printf(format, convertArgs(a)...)
+}
+
+// Println is a wrapper for fmt.Println that treats each argument as if it were
+// passed with a default Formatter interface returned by NewFormatter. It
+// returns the number of bytes written and any write error encountered. See
+// NewFormatter for formatting details.
+//
+// This function is shorthand for the following syntax:
+//
+// fmt.Println(spew.NewFormatter(a), spew.NewFormatter(b))
+func Println(a ...interface{}) (n int, err error) {
+ return fmt.Println(convertArgs(a)...)
+}
+
+// Sprint is a wrapper for fmt.Sprint that treats each argument as if it were
+// passed with a default Formatter interface returned by NewFormatter. It
+// returns the resulting string. See NewFormatter for formatting details.
+//
+// This function is shorthand for the following syntax:
+//
+// fmt.Sprint(spew.NewFormatter(a), spew.NewFormatter(b))
+func Sprint(a ...interface{}) string {
+ return fmt.Sprint(convertArgs(a)...)
+}
+
+// Sprintf is a wrapper for fmt.Sprintf that treats each argument as if it were
+// passed with a default Formatter interface returned by NewFormatter. It
+// returns the resulting string. See NewFormatter for formatting details.
+//
+// This function is shorthand for the following syntax:
+//
+// fmt.Sprintf(format, spew.NewFormatter(a), spew.NewFormatter(b))
+func Sprintf(format string, a ...interface{}) string {
+ return fmt.Sprintf(format, convertArgs(a)...)
+}
+
+// Sprintln is a wrapper for fmt.Sprintln that treats each argument as if it
+// were passed with a default Formatter interface returned by NewFormatter. It
+// returns the resulting string. See NewFormatter for formatting details.
+//
+// This function is shorthand for the following syntax:
+//
+// fmt.Sprintln(spew.NewFormatter(a), spew.NewFormatter(b))
+func Sprintln(a ...interface{}) string {
+ return fmt.Sprintln(convertArgs(a)...)
+}
+
+// convertArgs accepts a slice of arguments and returns a slice of the same
+// length with each argument converted to a default spew Formatter interface.
+func convertArgs(args []interface{}) (formatters []interface{}) {
+ formatters = make([]interface{}, len(args))
+ for index, arg := range args {
+ formatters[index] = NewFormatter(arg)
+ }
+ return formatters
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-contrib/sse/.travis.yml b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-contrib/sse/.travis.yml
new file mode 100644
index 000000000000..d0e8fcf99437
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-contrib/sse/.travis.yml
@@ -0,0 +1,26 @@
+language: go
+sudo: false
+go:
+ - 1.8.x
+ - 1.9.x
+ - 1.10.x
+ - 1.11.x
+ - 1.12.x
+ - master
+
+git:
+ depth: 10
+
+matrix:
+ fast_finish: true
+ include:
+ - go: 1.11.x
+ env: GO111MODULE=on
+ - go: 1.12.x
+ env: GO111MODULE=on
+
+script:
+ - go test -v -covermode=count -coverprofile=coverage.out
+
+after_success:
+ - bash <(curl -s https://codecov.io/bash)
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-contrib/sse/LICENSE b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-contrib/sse/LICENSE
new file mode 100644
index 000000000000..1ff7f3706055
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-contrib/sse/LICENSE
@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2014 Manuel Martínez-Almeida
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-contrib/sse/README.md b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-contrib/sse/README.md
new file mode 100644
index 000000000000..c9c49cf94959
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-contrib/sse/README.md
@@ -0,0 +1,58 @@
+# Server-Sent Events
+
+[![GoDoc](https://godoc.org/github.com/gin-contrib/sse?status.svg)](https://godoc.org/github.com/gin-contrib/sse)
+[![Build Status](https://travis-ci.org/gin-contrib/sse.svg)](https://travis-ci.org/gin-contrib/sse)
+[![codecov](https://codecov.io/gh/gin-contrib/sse/branch/master/graph/badge.svg)](https://codecov.io/gh/gin-contrib/sse)
+[![Go Report Card](https://goreportcard.com/badge/github.com/gin-contrib/sse)](https://goreportcard.com/report/github.com/gin-contrib/sse)
+
+Server-sent events (SSE) is a technology where a browser receives automatic updates from a server via HTTP connection. The Server-Sent Events EventSource API is [standardized as part of HTML5[1] by the W3C](http://www.w3.org/TR/2009/WD-eventsource-20091029/).
+
+- [Read this great SSE introduction by the HTML5Rocks guys](http://www.html5rocks.com/en/tutorials/eventsource/basics/)
+- [Browser support](http://caniuse.com/#feat=eventsource)
+
+## Sample code
+
+```go
+import "github.com/gin-contrib/sse"
+
+func httpHandler(w http.ResponseWriter, req *http.Request) {
+ // data can be a primitive like a string, an integer or a float
+ sse.Encode(w, sse.Event{
+ Event: "message",
+ Data: "some data\nmore data",
+ })
+
+ // also a complex type, like a map, a struct or a slice
+ sse.Encode(w, sse.Event{
+ Id: "124",
+ Event: "message",
+ Data: map[string]interface{}{
+ "user": "manu",
+ "date": time.Now().Unix(),
+ "content": "hi!",
+ },
+ })
+}
+```
+```
+event: message
+data: some data\\nmore data
+
+id: 124
+event: message
+data: {"content":"hi!","date":1431540810,"user":"manu"}
+
+```
+
+## Content-Type
+
+```go
+fmt.Println(sse.ContentType)
+```
+```
+text/event-stream
+```
+
+## Decoding support
+
+There is a client-side implementation of SSE coming soon.
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-contrib/sse/sse-decoder.go b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-contrib/sse/sse-decoder.go
new file mode 100644
index 000000000000..fd49b9c37a45
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-contrib/sse/sse-decoder.go
@@ -0,0 +1,116 @@
+// Copyright 2014 Manu Martinez-Almeida. All rights reserved.
+// Use of this source code is governed by a MIT style
+// license that can be found in the LICENSE file.
+
+package sse
+
+import (
+ "bytes"
+ "io"
+ "io/ioutil"
+)
+
+type decoder struct {
+ events []Event
+}
+
+func Decode(r io.Reader) ([]Event, error) {
+ var dec decoder
+ return dec.decode(r)
+}
+
+func (d *decoder) dispatchEvent(event Event, data string) {
+ dataLength := len(data)
+ if dataLength > 0 {
+ //If the data buffer's last character is a U+000A LINE FEED (LF) character, then remove the last character from the data buffer.
+ data = data[:dataLength-1]
+ dataLength--
+ }
+ if dataLength == 0 && event.Event == "" {
+ return
+ }
+ if event.Event == "" {
+ event.Event = "message"
+ }
+ event.Data = data
+ d.events = append(d.events, event)
+}
+
+func (d *decoder) decode(r io.Reader) ([]Event, error) {
+ buf, err := ioutil.ReadAll(r)
+ if err != nil {
+ return nil, err
+ }
+
+ var currentEvent Event
+ var dataBuffer *bytes.Buffer = new(bytes.Buffer)
+ // TODO (and unit tests)
+ // Lines must be separated by either a U+000D CARRIAGE RETURN U+000A LINE FEED (CRLF) character pair,
+ // a single U+000A LINE FEED (LF) character,
+ // or a single U+000D CARRIAGE RETURN (CR) character.
+ lines := bytes.Split(buf, []byte{'\n'})
+ for _, line := range lines {
+ if len(line) == 0 {
+ // If the line is empty (a blank line). Dispatch the event.
+ d.dispatchEvent(currentEvent, dataBuffer.String())
+
+ // reset current event and data buffer
+ currentEvent = Event{}
+ dataBuffer.Reset()
+ continue
+ }
+ if line[0] == byte(':') {
+ // If the line starts with a U+003A COLON character (:), ignore the line.
+ continue
+ }
+
+ var field, value []byte
+ colonIndex := bytes.IndexRune(line, ':')
+ if colonIndex != -1 {
+ // If the line contains a U+003A COLON character character (:)
+ // Collect the characters on the line before the first U+003A COLON character (:),
+ // and let field be that string.
+ field = line[:colonIndex]
+ // Collect the characters on the line after the first U+003A COLON character (:),
+ // and let value be that string.
+ value = line[colonIndex+1:]
+ // If value starts with a single U+0020 SPACE character, remove it from value.
+ if len(value) > 0 && value[0] == ' ' {
+ value = value[1:]
+ }
+ } else {
+ // Otherwise, the string is not empty but does not contain a U+003A COLON character character (:)
+ // Use the whole line as the field name, and the empty string as the field value.
+ field = line
+ value = []byte{}
+ }
+ // The steps to process the field given a field name and a field value depend on the field name,
+ // as given in the following list. Field names must be compared literally,
+ // with no case folding performed.
+ switch string(field) {
+ case "event":
+ // Set the event name buffer to field value.
+ currentEvent.Event = string(value)
+ case "id":
+ // Set the event stream's last event ID to the field value.
+ currentEvent.Id = string(value)
+ case "retry":
+ // If the field value consists of only characters in the range U+0030 DIGIT ZERO (0) to U+0039 DIGIT NINE (9),
+ // then interpret the field value as an integer in base ten, and set the event stream's reconnection time to that integer.
+ // Otherwise, ignore the field.
+ currentEvent.Id = string(value)
+ case "data":
+ // Append the field value to the data buffer,
+ dataBuffer.Write(value)
+ // then append a single U+000A LINE FEED (LF) character to the data buffer.
+ dataBuffer.WriteString("\n")
+ default:
+ //Otherwise. The field is ignored.
+ continue
+ }
+ }
+ // Once the end of the file is reached, the user agent must dispatch the event one final time.
+ d.dispatchEvent(currentEvent, dataBuffer.String())
+
+ return d.events, nil
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-contrib/sse/sse-encoder.go b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-contrib/sse/sse-encoder.go
new file mode 100644
index 000000000000..f9c8087504d4
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-contrib/sse/sse-encoder.go
@@ -0,0 +1,110 @@
+// Copyright 2014 Manu Martinez-Almeida. All rights reserved.
+// Use of this source code is governed by a MIT style
+// license that can be found in the LICENSE file.
+
+package sse
+
+import (
+ "encoding/json"
+ "fmt"
+ "io"
+ "net/http"
+ "reflect"
+ "strconv"
+ "strings"
+)
+
+// Server-Sent Events
+// W3C Working Draft 29 October 2009
+// http://www.w3.org/TR/2009/WD-eventsource-20091029/
+
+const ContentType = "text/event-stream"
+
+var contentType = []string{ContentType}
+var noCache = []string{"no-cache"}
+
+var fieldReplacer = strings.NewReplacer(
+ "\n", "\\n",
+ "\r", "\\r")
+
+var dataReplacer = strings.NewReplacer(
+ "\n", "\ndata:",
+ "\r", "\\r")
+
+type Event struct {
+ Event string
+ Id string
+ Retry uint
+ Data interface{}
+}
+
+func Encode(writer io.Writer, event Event) error {
+ w := checkWriter(writer)
+ writeId(w, event.Id)
+ writeEvent(w, event.Event)
+ writeRetry(w, event.Retry)
+ return writeData(w, event.Data)
+}
+
+func writeId(w stringWriter, id string) {
+ if len(id) > 0 {
+ w.WriteString("id:")
+ fieldReplacer.WriteString(w, id)
+ w.WriteString("\n")
+ }
+}
+
+func writeEvent(w stringWriter, event string) {
+ if len(event) > 0 {
+ w.WriteString("event:")
+ fieldReplacer.WriteString(w, event)
+ w.WriteString("\n")
+ }
+}
+
+func writeRetry(w stringWriter, retry uint) {
+ if retry > 0 {
+ w.WriteString("retry:")
+ w.WriteString(strconv.FormatUint(uint64(retry), 10))
+ w.WriteString("\n")
+ }
+}
+
+func writeData(w stringWriter, data interface{}) error {
+ w.WriteString("data:")
+ switch kindOfData(data) {
+ case reflect.Struct, reflect.Slice, reflect.Map:
+ err := json.NewEncoder(w).Encode(data)
+ if err != nil {
+ return err
+ }
+ w.WriteString("\n")
+ default:
+ dataReplacer.WriteString(w, fmt.Sprint(data))
+ w.WriteString("\n\n")
+ }
+ return nil
+}
+
+func (r Event) Render(w http.ResponseWriter) error {
+ r.WriteContentType(w)
+ return Encode(w, r)
+}
+
+func (r Event) WriteContentType(w http.ResponseWriter) {
+ header := w.Header()
+ header["Content-Type"] = contentType
+
+ if _, exist := header["Cache-Control"]; !exist {
+ header["Cache-Control"] = noCache
+ }
+}
+
+func kindOfData(data interface{}) reflect.Kind {
+ value := reflect.ValueOf(data)
+ valueType := value.Kind()
+ if valueType == reflect.Ptr {
+ valueType = value.Elem().Kind()
+ }
+ return valueType
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-contrib/sse/writer.go b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-contrib/sse/writer.go
new file mode 100644
index 000000000000..6f9806c55a3e
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-contrib/sse/writer.go
@@ -0,0 +1,24 @@
+package sse
+
+import "io"
+
+type stringWriter interface {
+ io.Writer
+ WriteString(string) (int, error)
+}
+
+type stringWrapper struct {
+ io.Writer
+}
+
+func (w stringWrapper) WriteString(str string) (int, error) {
+ return w.Writer.Write([]byte(str))
+}
+
+func checkWriter(writer io.Writer) stringWriter {
+ if w, ok := writer.(stringWriter); ok {
+ return w
+ } else {
+ return stringWrapper{writer}
+ }
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/.gitignore b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/.gitignore
new file mode 100644
index 000000000000..bdd50c95cf9d
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/.gitignore
@@ -0,0 +1,7 @@
+vendor/*
+!vendor/vendor.json
+coverage.out
+count.out
+test
+profile.out
+tmp.out
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/.travis.yml b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/.travis.yml
new file mode 100644
index 000000000000..bcc21414d1b8
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/.travis.yml
@@ -0,0 +1,48 @@
+language: go
+
+matrix:
+ fast_finish: true
+ include:
+ - go: 1.13.x
+ - go: 1.13.x
+ env:
+ - TESTTAGS=nomsgpack
+ - go: 1.14.x
+ - go: 1.14.x
+ env:
+ - TESTTAGS=nomsgpack
+ - go: 1.15.x
+ - go: 1.15.x
+ env:
+ - TESTTAGS=nomsgpack
+ - go: master
+
+git:
+ depth: 10
+
+before_install:
+ - if [[ "${GO111MODULE}" = "on" ]]; then mkdir "${HOME}/go"; export GOPATH="${HOME}/go"; fi
+
+install:
+ - if [[ "${GO111MODULE}" = "on" ]]; then go mod download; fi
+ - if [[ "${GO111MODULE}" = "on" ]]; then export PATH="${GOPATH}/bin:${GOROOT}/bin:${PATH}"; fi
+ - if [[ "${GO111MODULE}" = "on" ]]; then make tools; fi
+
+go_import_path: github.com/gin-gonic/gin
+
+script:
+ - make vet
+ - make fmt-check
+ - make misspell-check
+ - make test
+
+after_success:
+ - bash <(curl -s https://codecov.io/bash)
+
+notifications:
+ webhooks:
+ urls:
+ - https://webhooks.gitter.im/e/7f95bf605c4d356372f4
+ on_success: change # options: [always|never|change] default: always
+ on_failure: always # options: [always|never|change] default: always
+ on_start: false # default: false
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/AUTHORS.md b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/AUTHORS.md
new file mode 100644
index 000000000000..c634e6be05ae
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/AUTHORS.md
@@ -0,0 +1,233 @@ +List of all the awesome people working to make Gin the best Web Framework in Go. + +## gin 1.x series authors + +**Gin Core Team:** Bo-Yi Wu (@appleboy), 田欧 (@thinkerou), Javier Provecho (@javierprovecho) + +## gin 0.x series authors + +**Maintainers:** Manu Martinez-Almeida (@manucorporat), Javier Provecho (@javierprovecho) + +People and companies, who have contributed, in alphabetical order. + +**@858806258 (æ°å“¥)** +- Fix typo in example + + +**@achedeuzot (Klemen Sever)** +- Fix newline debug printing + + +**@adammck (Adam Mckaig)** +- Add MIT license + + +**@AlexanderChen1989 (Alexander)** +- Typos in README + + +**@alexanderdidenko (Aleksandr Didenko)** +- Add support multipart/form-data + + +**@alexandernyquist (Alexander Nyquist)** +- Using template.Must to fix multiple return issue +- ★ Added support for OPTIONS verb +- ★ Setting response headers before calling WriteHeader +- Improved documentation for model binding +- ★ Added Content.Redirect() +- ★ Added tons of Unit tests + + +**@austinheap (Austin Heap)** +- Added travis CI integration + + +**@andredublin (Andre Dublin)** +- Fix typo in comment + + +**@bredov (Ludwig Valda Vasquez)** +- Fix html templating in debug mode + + +**@bluele (Jun Kimura)** +- Fixes code examples in README + + +**@chad-russell** +- ★ Support for serializing gin.H into XML + + +**@dickeyxxx (Jeff Dickey)** +- Typos in README +- Add example about serving static files + + +**@donileo (Adonis)** +- Add NoMethod handler + + +**@dutchcoders (DutchCoders)** +- ★ Fix security bug that allows client to spoof ip +- Fix typo. r.HTMLTemplates -> SetHTMLTemplate + + +**@el3ctro- (Joshua Loper)** +- Fix typo in example + + +**@ethankan (Ethan Kan)** +- Unsigned integers in binding + + +**(Evgeny Persienko)** +- Validate sub structures + + +**@frankbille (Frank Bille)** +- Add support for HTTP Realm Auth + + +**@fmd (Fareed Dudhia)** +- Fix typo. 
SetHTTPTemplate -> SetHTMLTemplate + + +**@ironiridis (Christopher Harrington)** +- Remove old reference + + +**@jammie-stackhouse (Jamie Stackhouse)** +- Add more shortcuts for router methods + + +**@jasonrhansen** +- Fix spelling and grammar errors in documentation + + +**@JasonSoft (Jason Lee)** +- Fix typo in comment + + +**@joiggama (Ignacio Galindo)** +- Add utf-8 charset header on renders + + +**@julienschmidt (Julien Schmidt)** +- gofmt the code examples + + +**@kelcecil (Kel Cecil)** +- Fix readme typo + + +**@kyledinh (Kyle Dinh)** +- Adds RunTLS() + + +**@LinusU (Linus Unnebäck)** +- Small fixes in README + + +**@loongmxbt (Saint Asky)** +- Fix typo in example + + +**@lucas-clemente (Lucas Clemente)** +- ★ work around path.Join removing trailing slashes from routes + + +**@mattn (Yasuhiro Matsumoto)** +- Improve color logger + + +**@mdigger (Dmitry Sedykh)** +- Fixes Form binding when content-type is x-www-form-urlencoded +- No repeat call c.Writer.Status() in gin.Logger +- Fixes Content-Type for json render + + +**@mirzac (Mirza Ceric)** +- Fix debug printing + + +**@mopemope (Yutaka Matsubara)** +- ★ Adds Godep support (Dependencies Manager) +- Fix variadic parameter in the flexible render API +- Fix Corrupted plain render +- Add Pluggable View Renderer Example + + +**@msemenistyi (Mykyta Semenistyi)** +- update Readme.md. Add code to String method + + +**@msoedov (Sasha Myasoedov)** +- ★ Adds tons of unit tests. + + +**@ngerakines (Nick Gerakines)** +- ★ Improves API, c.GET() doesn't panic +- Adds MustGet() method + + +**@r8k (Rajiv Kilaparti)** +- Fix Port usage in README. 
+ + +**@rayrod2030 (Ray Rodriguez)** +- Fix typo in example + + +**@rns** +- Fix typo in example + + +**@RobAWilkinson (Robert Wilkinson)** +- Add example of forms and params + + +**@rogierlommers (Rogier Lommers)** +- Add updated static serve example + +**@rw-access (Ross Wolf)** +- Added support to mix exact and param routes + +**@se77en (Damon Zhao)** +- Improve color logging + + +**@silasb (Silas Baronda)** +- Fixing quotes in README + + +**@SkuliOskarsson (Skuli Oskarsson)** +- Fixes some texts in README II + + +**@slimmy (Jimmy Pettersson)** +- Added messages for required bindings + + +**@smira (Andrey Smirnov)** +- Add support for ignored/unexported fields in binding + + +**@superalsrk (SRK.Lyu)** +- Update httprouter godeps + + +**@tebeka (Miki Tebeka)** +- Use net/http constants instead of numeric values + + +**@techjanitor** +- Update context.go reserved IPs + + +**@yosssi (Keiji Yoshida)** +- Fix link in README + + +**@yuyabee** +- Fixed README diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/BENCHMARKS.md b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/BENCHMARKS.md new file mode 100644 index 000000000000..c11ee99ae7f4 --- /dev/null +++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/BENCHMARKS.md 
@@ -0,0 +1,666 @@ + +# Benchmark System + +**VM HOST:** Travis +**Machine:** Ubuntu 16.04.6 LTS x64 +**Date:** May 04th, 2020 +**Version:** Gin v1.6.3 +**Go Version:** 1.14.2 linux/amd64 +**Source:** [Go HTTP Router Benchmark](https://github.com/gin-gonic/go-http-routing-benchmark) +**Result:** [See the gist](https://gist.github.com/appleboy/b5f2ecfaf50824ae9c64dcfb9165ae5e) or [Travis result](https://travis-ci.org/github/gin-gonic/go-http-routing-benchmark/jobs/682947061) + +## Static Routes: 157 + +```sh +Gin: 34936 Bytes + +HttpServeMux: 14512 Bytes +Ace: 30680 Bytes +Aero: 34536 Bytes +Bear: 30456 Bytes +Beego: 98456 Bytes +Bone: 40224 Bytes +Chi: 83608 Bytes +Denco: 10216 Bytes +Echo: 80328 Bytes +GocraftWeb: 55288 Bytes +Goji: 29744 Bytes +Gojiv2: 105840 Bytes +GoJsonRest: 137496 Bytes +GoRestful: 816936 Bytes +GorillaMux: 585632 Bytes +GowwwRouter: 24968 Bytes +HttpRouter: 21712 Bytes +HttpTreeMux: 73448 Bytes +Kocha: 115472 Bytes +LARS: 30640 Bytes +Macaron: 38592 Bytes +Martini: 310864 Bytes +Pat: 19696 Bytes +Possum: 89920 Bytes +R2router: 23712 Bytes +Rivet: 24608 Bytes +Tango: 28264 Bytes +TigerTonic: 78768 Bytes +Traffic: 538976 Bytes +Vulcan: 369960 Bytes +``` + +## GithubAPI Routes: 203 + +```sh +Gin: 58512 Bytes + +Ace: 48688 Bytes +Aero: 318568 Bytes +Bear: 84248 Bytes +Beego: 150936 Bytes +Bone: 100976 Bytes +Chi: 95112 Bytes +Denco: 36736 Bytes +Echo: 100296 Bytes +GocraftWeb: 95432 Bytes +Goji: 49680 Bytes +Gojiv2: 104704 Bytes +GoJsonRest: 141976 Bytes +GoRestful: 1241656 Bytes +GorillaMux: 1322784 Bytes +GowwwRouter: 80008 Bytes +HttpRouter: 37144 Bytes +HttpTreeMux: 78800 Bytes +Kocha: 785120 Bytes +LARS: 48600 Bytes +Macaron: 92784 Bytes +Martini: 485264 Bytes +Pat: 21200 Bytes +Possum: 85312 Bytes +R2router: 47104 Bytes +Rivet: 42840 Bytes +Tango: 54840 Bytes +TigerTonic: 95264 Bytes +Traffic: 921744 Bytes +Vulcan: 425992 Bytes +``` + +## GPlusAPI Routes: 13 + +```sh +Gin: 4384 Bytes + +Ace: 3712 Bytes +Aero: 26056 Bytes +Bear: 7112 Bytes 
+Beego: 10272 Bytes +Bone: 6688 Bytes +Chi: 8024 Bytes +Denco: 3264 Bytes +Echo: 9688 Bytes +GocraftWeb: 7496 Bytes +Goji: 3152 Bytes +Gojiv2: 7376 Bytes +GoJsonRest: 11400 Bytes +GoRestful: 74328 Bytes +GorillaMux: 66208 Bytes +GowwwRouter: 5744 Bytes +HttpRouter: 2808 Bytes +HttpTreeMux: 7440 Bytes +Kocha: 128880 Bytes +LARS: 3656 Bytes +Macaron: 8656 Bytes +Martini: 23920 Bytes +Pat: 1856 Bytes +Possum: 7248 Bytes +R2router: 3928 Bytes +Rivet: 3064 Bytes +Tango: 5168 Bytes +TigerTonic: 9408 Bytes +Traffic: 46400 Bytes +Vulcan: 25544 Bytes +``` + +## ParseAPI Routes: 26 + +```sh +Gin: 7776 Bytes + +Ace: 6704 Bytes +Aero: 28488 Bytes +Bear: 12320 Bytes +Beego: 19280 Bytes +Bone: 11440 Bytes +Chi: 9744 Bytes +Denco: 4192 Bytes +Echo: 11664 Bytes +GocraftWeb: 12800 Bytes +Goji: 5680 Bytes +Gojiv2: 14464 Bytes +GoJsonRest: 14072 Bytes +GoRestful: 116264 Bytes +GorillaMux: 105880 Bytes +GowwwRouter: 9344 Bytes +HttpRouter: 5072 Bytes +HttpTreeMux: 7848 Bytes +Kocha: 181712 Bytes +LARS: 6632 Bytes +Macaron: 13648 Bytes +Martini: 45888 Bytes +Pat: 2560 Bytes +Possum: 9200 Bytes +R2router: 7056 Bytes +Rivet: 5680 Bytes +Tango: 8920 Bytes +TigerTonic: 9840 Bytes +Traffic: 79096 Bytes +Vulcan: 44504 Bytes +``` + +## Static Routes + +```sh +BenchmarkGin_StaticAll 62169 19319 ns/op 0 B/op 0 allocs/op + +BenchmarkAce_StaticAll 65428 18313 ns/op 0 B/op 0 allocs/op +BenchmarkAero_StaticAll 121132 9632 ns/op 0 B/op 0 allocs/op +BenchmarkHttpServeMux_StaticAll 52626 22758 ns/op 0 B/op 0 allocs/op +BenchmarkBeego_StaticAll 9962 179058 ns/op 55264 B/op 471 allocs/op +BenchmarkBear_StaticAll 14894 80966 ns/op 20272 B/op 469 allocs/op +BenchmarkBone_StaticAll 18718 64065 ns/op 0 B/op 0 allocs/op +BenchmarkChi_StaticAll 10000 149827 ns/op 67824 B/op 471 allocs/op +BenchmarkDenco_StaticAll 211393 5680 ns/op 0 B/op 0 allocs/op +BenchmarkEcho_StaticAll 49341 24343 ns/op 0 B/op 0 allocs/op +BenchmarkGocraftWeb_StaticAll 10000 126209 ns/op 46312 B/op 785 allocs/op +BenchmarkGoji_StaticAll 
27956 43174 ns/op 0 B/op 0 allocs/op +BenchmarkGojiv2_StaticAll 3430 370718 ns/op 205984 B/op 1570 allocs/op +BenchmarkGoJsonRest_StaticAll 9134 188888 ns/op 51653 B/op 1727 allocs/op +BenchmarkGoRestful_StaticAll 706 1703330 ns/op 613280 B/op 2053 allocs/op +BenchmarkGorillaMux_StaticAll 1268 924083 ns/op 153233 B/op 1413 allocs/op +BenchmarkGowwwRouter_StaticAll 63374 18935 ns/op 0 B/op 0 allocs/op +BenchmarkHttpRouter_StaticAll 109938 10902 ns/op 0 B/op 0 allocs/op +BenchmarkHttpTreeMux_StaticAll 109166 10861 ns/op 0 B/op 0 allocs/op +BenchmarkKocha_StaticAll 92258 12992 ns/op 0 B/op 0 allocs/op +BenchmarkLARS_StaticAll 65200 18387 ns/op 0 B/op 0 allocs/op +BenchmarkMacaron_StaticAll 5671 291501 ns/op 115553 B/op 1256 allocs/op +BenchmarkMartini_StaticAll 807 1460498 ns/op 125444 B/op 1717 allocs/op +BenchmarkPat_StaticAll 513 2342396 ns/op 602832 B/op 12559 allocs/op +BenchmarkPossum_StaticAll 10000 128270 ns/op 65312 B/op 471 allocs/op +BenchmarkR2router_StaticAll 16726 71760 ns/op 22608 B/op 628 allocs/op +BenchmarkRivet_StaticAll 41722 28723 ns/op 0 B/op 0 allocs/op +BenchmarkTango_StaticAll 7606 205082 ns/op 39209 B/op 1256 allocs/op +BenchmarkTigerTonic_StaticAll 26247 45806 ns/op 7376 B/op 157 allocs/op +BenchmarkTraffic_StaticAll 550 2284518 ns/op 754864 B/op 14601 allocs/op +BenchmarkVulcan_StaticAll 10000 131343 ns/op 15386 B/op 471 allocs/op +``` + +## Micro Benchmarks + +```sh +BenchmarkGin_Param 18785022 63.9 ns/op 0 B/op 0 allocs/op + +BenchmarkAce_Param 14689765 81.5 ns/op 0 B/op 0 allocs/op +BenchmarkAero_Param 23094770 51.2 ns/op 0 B/op 0 allocs/op +BenchmarkBear_Param 1417045 845 ns/op 456 B/op 5 allocs/op +BenchmarkBeego_Param 1000000 1080 ns/op 352 B/op 3 allocs/op +BenchmarkBone_Param 1000000 1463 ns/op 816 B/op 6 allocs/op +BenchmarkChi_Param 1378756 885 ns/op 432 B/op 3 allocs/op +BenchmarkDenco_Param 8557899 143 ns/op 32 B/op 1 allocs/op +BenchmarkEcho_Param 16433347 75.5 ns/op 0 B/op 0 allocs/op +BenchmarkGocraftWeb_Param 1000000 1218 
ns/op 648 B/op 8 allocs/op +BenchmarkGoji_Param 1921248 617 ns/op 336 B/op 2 allocs/op +BenchmarkGojiv2_Param 561848 2156 ns/op 1328 B/op 11 allocs/op +BenchmarkGoJsonRest_Param 1000000 1358 ns/op 649 B/op 13 allocs/op +BenchmarkGoRestful_Param 224857 5307 ns/op 4192 B/op 14 allocs/op +BenchmarkGorillaMux_Param 498313 2459 ns/op 1280 B/op 10 allocs/op +BenchmarkGowwwRouter_Param 1864354 654 ns/op 432 B/op 3 allocs/op +BenchmarkHttpRouter_Param 26269074 47.7 ns/op 0 B/op 0 allocs/op +BenchmarkHttpTreeMux_Param 2109829 557 ns/op 352 B/op 3 allocs/op +BenchmarkKocha_Param 5050216 243 ns/op 56 B/op 3 allocs/op +BenchmarkLARS_Param 19811712 59.9 ns/op 0 B/op 0 allocs/op +BenchmarkMacaron_Param 662746 2329 ns/op 1072 B/op 10 allocs/op +BenchmarkMartini_Param 279902 4260 ns/op 1072 B/op 10 allocs/op +BenchmarkPat_Param 1000000 1382 ns/op 536 B/op 11 allocs/op +BenchmarkPossum_Param 1000000 1014 ns/op 496 B/op 5 allocs/op +BenchmarkR2router_Param 1712559 707 ns/op 432 B/op 5 allocs/op +BenchmarkRivet_Param 6648086 182 ns/op 48 B/op 1 allocs/op +BenchmarkTango_Param 1221504 994 ns/op 248 B/op 8 allocs/op +BenchmarkTigerTonic_Param 891661 2261 ns/op 776 B/op 16 allocs/op +BenchmarkTraffic_Param 350059 3598 ns/op 1856 B/op 21 allocs/op +BenchmarkVulcan_Param 2517823 472 ns/op 98 B/op 3 allocs/op +BenchmarkAce_Param5 9214365 130 ns/op 0 B/op 0 allocs/op +BenchmarkAero_Param5 15369013 77.9 ns/op 0 B/op 0 allocs/op +BenchmarkBear_Param5 1000000 1113 ns/op 501 B/op 5 allocs/op +BenchmarkBeego_Param5 1000000 1269 ns/op 352 B/op 3 allocs/op +BenchmarkBone_Param5 986820 1873 ns/op 864 B/op 6 allocs/op +BenchmarkChi_Param5 1000000 1156 ns/op 432 B/op 3 allocs/op +BenchmarkDenco_Param5 3036331 400 ns/op 160 B/op 1 allocs/op +BenchmarkEcho_Param5 6447133 186 ns/op 0 B/op 0 allocs/op +BenchmarkGin_Param5 10786068 110 ns/op 0 B/op 0 allocs/op +BenchmarkGocraftWeb_Param5 844820 1944 ns/op 920 B/op 11 allocs/op +BenchmarkGoji_Param5 1474965 827 ns/op 336 B/op 2 allocs/op 
+BenchmarkGojiv2_Param5 442820 2516 ns/op 1392 B/op 11 allocs/op +BenchmarkGoJsonRest_Param5 507555 2711 ns/op 1097 B/op 16 allocs/op +BenchmarkGoRestful_Param5 216481 6093 ns/op 4288 B/op 14 allocs/op +BenchmarkGorillaMux_Param5 314402 3628 ns/op 1344 B/op 10 allocs/op +BenchmarkGowwwRouter_Param5 1624660 733 ns/op 432 B/op 3 allocs/op +BenchmarkHttpRouter_Param5 13167324 92.0 ns/op 0 B/op 0 allocs/op +BenchmarkHttpTreeMux_Param5 1000000 1295 ns/op 576 B/op 6 allocs/op +BenchmarkKocha_Param5 1000000 1138 ns/op 440 B/op 10 allocs/op +BenchmarkLARS_Param5 11580613 105 ns/op 0 B/op 0 allocs/op +BenchmarkMacaron_Param5 473596 2755 ns/op 1072 B/op 10 allocs/op +BenchmarkMartini_Param5 230756 5111 ns/op 1232 B/op 11 allocs/op +BenchmarkPat_Param5 469190 3370 ns/op 888 B/op 29 allocs/op +BenchmarkPossum_Param5 1000000 1002 ns/op 496 B/op 5 allocs/op +BenchmarkR2router_Param5 1422129 844 ns/op 432 B/op 5 allocs/op +BenchmarkRivet_Param5 2263789 539 ns/op 240 B/op 1 allocs/op +BenchmarkTango_Param5 1000000 1256 ns/op 360 B/op 8 allocs/op +BenchmarkTigerTonic_Param5 175500 7492 ns/op 2279 B/op 39 allocs/op +BenchmarkTraffic_Param5 233631 5816 ns/op 2208 B/op 27 allocs/op +BenchmarkVulcan_Param5 1923416 629 ns/op 98 B/op 3 allocs/op +BenchmarkAce_Param20 4321266 281 ns/op 0 B/op 0 allocs/op +BenchmarkAero_Param20 31501641 35.2 ns/op 0 B/op 0 allocs/op +BenchmarkBear_Param20 335204 3489 ns/op 1665 B/op 5 allocs/op +BenchmarkBeego_Param20 503674 2860 ns/op 352 B/op 3 allocs/op +BenchmarkBone_Param20 298922 4741 ns/op 2031 B/op 6 allocs/op +BenchmarkChi_Param20 878181 1957 ns/op 432 B/op 3 allocs/op +BenchmarkDenco_Param20 1000000 1360 ns/op 640 B/op 1 allocs/op +BenchmarkEcho_Param20 2104946 580 ns/op 0 B/op 0 allocs/op +BenchmarkGin_Param20 4167204 290 ns/op 0 B/op 0 allocs/op +BenchmarkGocraftWeb_Param20 173064 7514 ns/op 3796 B/op 15 allocs/op +BenchmarkGoji_Param20 458778 2651 ns/op 1247 B/op 2 allocs/op +BenchmarkGojiv2_Param20 364862 3178 ns/op 1632 B/op 11 allocs/op 
+BenchmarkGoJsonRest_Param20 125514 9760 ns/op 4485 B/op 20 allocs/op +BenchmarkGoRestful_Param20 101217 11964 ns/op 6715 B/op 18 allocs/op +BenchmarkGorillaMux_Param20 147654 8132 ns/op 3452 B/op 12 allocs/op +BenchmarkGowwwRouter_Param20 1000000 1225 ns/op 432 B/op 3 allocs/op +BenchmarkHttpRouter_Param20 4920895 247 ns/op 0 B/op 0 allocs/op +BenchmarkHttpTreeMux_Param20 173202 6605 ns/op 3196 B/op 10 allocs/op +BenchmarkKocha_Param20 345988 3620 ns/op 1808 B/op 27 allocs/op +BenchmarkLARS_Param20 4592326 262 ns/op 0 B/op 0 allocs/op +BenchmarkMacaron_Param20 166492 7286 ns/op 2924 B/op 12 allocs/op +BenchmarkMartini_Param20 122162 10653 ns/op 3595 B/op 13 allocs/op +BenchmarkPat_Param20 78630 15239 ns/op 4424 B/op 93 allocs/op +BenchmarkPossum_Param20 1000000 1008 ns/op 496 B/op 5 allocs/op +BenchmarkR2router_Param20 294981 4587 ns/op 2284 B/op 7 allocs/op +BenchmarkRivet_Param20 691798 2090 ns/op 1024 B/op 1 allocs/op +BenchmarkTango_Param20 842440 2505 ns/op 856 B/op 8 allocs/op +BenchmarkTigerTonic_Param20 38614 31509 ns/op 9870 B/op 119 allocs/op +BenchmarkTraffic_Param20 57633 21107 ns/op 7853 B/op 47 allocs/op +BenchmarkVulcan_Param20 1000000 1178 ns/op 98 B/op 3 allocs/op +BenchmarkAce_ParamWrite 7330743 180 ns/op 8 B/op 1 allocs/op +BenchmarkAero_ParamWrite 13833598 86.7 ns/op 0 B/op 0 allocs/op +BenchmarkBear_ParamWrite 1363321 867 ns/op 456 B/op 5 allocs/op +BenchmarkBeego_ParamWrite 1000000 1104 ns/op 360 B/op 4 allocs/op +BenchmarkBone_ParamWrite 1000000 1475 ns/op 816 B/op 6 allocs/op +BenchmarkChi_ParamWrite 1320590 892 ns/op 432 B/op 3 allocs/op +BenchmarkDenco_ParamWrite 7093605 172 ns/op 32 B/op 1 allocs/op +BenchmarkEcho_ParamWrite 8434424 161 ns/op 8 B/op 1 allocs/op +BenchmarkGin_ParamWrite 10377034 118 ns/op 0 B/op 0 allocs/op +BenchmarkGocraftWeb_ParamWrite 1000000 1266 ns/op 656 B/op 9 allocs/op +BenchmarkGoji_ParamWrite 1874168 654 ns/op 336 B/op 2 allocs/op +BenchmarkGojiv2_ParamWrite 459032 2352 ns/op 1360 B/op 13 allocs/op 
+BenchmarkGoJsonRest_ParamWrite 499434 2145 ns/op 1128 B/op 18 allocs/op +BenchmarkGoRestful_ParamWrite 241087 5470 ns/op 4200 B/op 15 allocs/op +BenchmarkGorillaMux_ParamWrite 425686 2522 ns/op 1280 B/op 10 allocs/op +BenchmarkGowwwRouter_ParamWrite 922172 1778 ns/op 976 B/op 8 allocs/op +BenchmarkHttpRouter_ParamWrite 15392049 77.7 ns/op 0 B/op 0 allocs/op +BenchmarkHttpTreeMux_ParamWrite 1973385 597 ns/op 352 B/op 3 allocs/op +BenchmarkKocha_ParamWrite 4262500 281 ns/op 56 B/op 3 allocs/op +BenchmarkLARS_ParamWrite 10764410 113 ns/op 0 B/op 0 allocs/op +BenchmarkMacaron_ParamWrite 486769 2726 ns/op 1176 B/op 14 allocs/op +BenchmarkMartini_ParamWrite 264804 4842 ns/op 1176 B/op 14 allocs/op +BenchmarkPat_ParamWrite 735116 2047 ns/op 960 B/op 15 allocs/op +BenchmarkPossum_ParamWrite 1000000 1004 ns/op 496 B/op 5 allocs/op +BenchmarkR2router_ParamWrite 1592136 768 ns/op 432 B/op 5 allocs/op +BenchmarkRivet_ParamWrite 3582051 339 ns/op 112 B/op 2 allocs/op +BenchmarkTango_ParamWrite 2237337 534 ns/op 136 B/op 4 allocs/op +BenchmarkTigerTonic_ParamWrite 439608 3136 ns/op 1216 B/op 21 allocs/op +BenchmarkTraffic_ParamWrite 306979 4328 ns/op 2280 B/op 25 allocs/op +BenchmarkVulcan_ParamWrite 2529973 472 ns/op 98 B/op 3 allocs/op +``` + +## GitHub + +```sh +BenchmarkGin_GithubStatic 15629472 76.7 ns/op 0 B/op 0 allocs/op + +BenchmarkAce_GithubStatic 15542612 75.9 ns/op 0 B/op 0 allocs/op +BenchmarkAero_GithubStatic 24777151 48.5 ns/op 0 B/op 0 allocs/op +BenchmarkBear_GithubStatic 2788894 435 ns/op 120 B/op 3 allocs/op +BenchmarkBeego_GithubStatic 1000000 1064 ns/op 352 B/op 3 allocs/op +BenchmarkBone_GithubStatic 93507 12838 ns/op 2880 B/op 60 allocs/op +BenchmarkChi_GithubStatic 1387743 860 ns/op 432 B/op 3 allocs/op +BenchmarkDenco_GithubStatic 39384996 30.4 ns/op 0 B/op 0 allocs/op +BenchmarkEcho_GithubStatic 12076382 99.1 ns/op 0 B/op 0 allocs/op +BenchmarkGocraftWeb_GithubStatic 1596495 756 ns/op 296 B/op 5 allocs/op +BenchmarkGoji_GithubStatic 6364876 189 ns/op 0 
B/op 0 allocs/op +BenchmarkGojiv2_GithubStatic 550202 2098 ns/op 1312 B/op 10 allocs/op +BenchmarkGoRestful_GithubStatic 102183 12552 ns/op 4256 B/op 13 allocs/op +BenchmarkGoJsonRest_GithubStatic 1000000 1029 ns/op 329 B/op 11 allocs/op +BenchmarkGorillaMux_GithubStatic 255552 5190 ns/op 976 B/op 9 allocs/op +BenchmarkGowwwRouter_GithubStatic 15531916 77.1 ns/op 0 B/op 0 allocs/op +BenchmarkHttpRouter_GithubStatic 27920724 43.1 ns/op 0 B/op 0 allocs/op +BenchmarkHttpTreeMux_GithubStatic 21448953 55.8 ns/op 0 B/op 0 allocs/op +BenchmarkKocha_GithubStatic 21405310 56.0 ns/op 0 B/op 0 allocs/op +BenchmarkLARS_GithubStatic 13625156 89.0 ns/op 0 B/op 0 allocs/op +BenchmarkMacaron_GithubStatic 1000000 1747 ns/op 736 B/op 8 allocs/op +BenchmarkMartini_GithubStatic 187186 7326 ns/op 768 B/op 9 allocs/op +BenchmarkPat_GithubStatic 109143 11563 ns/op 3648 B/op 76 allocs/op +BenchmarkPossum_GithubStatic 1575898 770 ns/op 416 B/op 3 allocs/op +BenchmarkR2router_GithubStatic 3046231 404 ns/op 144 B/op 4 allocs/op +BenchmarkRivet_GithubStatic 11484826 105 ns/op 0 B/op 0 allocs/op +BenchmarkTango_GithubStatic 1000000 1153 ns/op 248 B/op 8 allocs/op +BenchmarkTigerTonic_GithubStatic 4929780 249 ns/op 48 B/op 1 allocs/op +BenchmarkTraffic_GithubStatic 106351 11819 ns/op 4664 B/op 90 allocs/op +BenchmarkVulcan_GithubStatic 1613271 722 ns/op 98 B/op 3 allocs/op +BenchmarkAce_GithubParam 8386032 143 ns/op 0 B/op 0 allocs/op +BenchmarkAero_GithubParam 11816200 102 ns/op 0 B/op 0 allocs/op +BenchmarkBear_GithubParam 1000000 1012 ns/op 496 B/op 5 allocs/op +BenchmarkBeego_GithubParam 1000000 1157 ns/op 352 B/op 3 allocs/op +BenchmarkBone_GithubParam 184653 6912 ns/op 1888 B/op 19 allocs/op +BenchmarkChi_GithubParam 1000000 1102 ns/op 432 B/op 3 allocs/op +BenchmarkDenco_GithubParam 3484798 352 ns/op 128 B/op 1 allocs/op +BenchmarkEcho_GithubParam 6337380 189 ns/op 0 B/op 0 allocs/op +BenchmarkGin_GithubParam 9132032 131 ns/op 0 B/op 0 allocs/op +BenchmarkGocraftWeb_GithubParam 1000000 
1446 ns/op 712 B/op 9 allocs/op +BenchmarkGoji_GithubParam 1248640 977 ns/op 336 B/op 2 allocs/op +BenchmarkGojiv2_GithubParam 383233 2784 ns/op 1408 B/op 13 allocs/op +BenchmarkGoJsonRest_GithubParam 1000000 1991 ns/op 713 B/op 14 allocs/op +BenchmarkGoRestful_GithubParam 76414 16015 ns/op 4352 B/op 16 allocs/op +BenchmarkGorillaMux_GithubParam 150026 7663 ns/op 1296 B/op 10 allocs/op +BenchmarkGowwwRouter_GithubParam 1592044 751 ns/op 432 B/op 3 allocs/op +BenchmarkHttpRouter_GithubParam 10420628 115 ns/op 0 B/op 0 allocs/op +BenchmarkHttpTreeMux_GithubParam 1403755 835 ns/op 384 B/op 4 allocs/op +BenchmarkKocha_GithubParam 2286170 533 ns/op 128 B/op 5 allocs/op +BenchmarkLARS_GithubParam 9540374 129 ns/op 0 B/op 0 allocs/op +BenchmarkMacaron_GithubParam 533154 2742 ns/op 1072 B/op 10 allocs/op +BenchmarkMartini_GithubParam 119397 9638 ns/op 1152 B/op 11 allocs/op +BenchmarkPat_GithubParam 150675 8858 ns/op 2408 B/op 48 allocs/op +BenchmarkPossum_GithubParam 1000000 1001 ns/op 496 B/op 5 allocs/op +BenchmarkR2router_GithubParam 1602886 761 ns/op 432 B/op 5 allocs/op +BenchmarkRivet_GithubParam 2986579 409 ns/op 96 B/op 1 allocs/op +BenchmarkTango_GithubParam 1000000 1356 ns/op 344 B/op 8 allocs/op +BenchmarkTigerTonic_GithubParam 388899 3429 ns/op 1176 B/op 22 allocs/op +BenchmarkTraffic_GithubParam 123160 9734 ns/op 2816 B/op 40 allocs/op +BenchmarkVulcan_GithubParam 1000000 1138 ns/op 98 B/op 3 allocs/op +BenchmarkAce_GithubAll 40543 29670 ns/op 0 B/op 0 allocs/op +BenchmarkAero_GithubAll 57632 20648 ns/op 0 B/op 0 allocs/op +BenchmarkBear_GithubAll 9234 216179 ns/op 86448 B/op 943 allocs/op +BenchmarkBeego_GithubAll 7407 243496 ns/op 71456 B/op 609 allocs/op +BenchmarkBone_GithubAll 420 2922835 ns/op 720160 B/op 8620 allocs/op +BenchmarkChi_GithubAll 7620 238331 ns/op 87696 B/op 609 allocs/op +BenchmarkDenco_GithubAll 18355 64494 ns/op 20224 B/op 167 allocs/op +BenchmarkEcho_GithubAll 31251 38479 ns/op 0 B/op 0 allocs/op +BenchmarkGin_GithubAll 43550 27364 
ns/op 0 B/op 0 allocs/op +BenchmarkGocraftWeb_GithubAll 4117 300062 ns/op 131656 B/op 1686 allocs/op +BenchmarkGoji_GithubAll 3274 416158 ns/op 56112 B/op 334 allocs/op +BenchmarkGojiv2_GithubAll 1402 870518 ns/op 352720 B/op 4321 allocs/op +BenchmarkGoJsonRest_GithubAll 2976 401507 ns/op 134371 B/op 2737 allocs/op +BenchmarkGoRestful_GithubAll 410 2913158 ns/op 910144 B/op 2938 allocs/op +BenchmarkGorillaMux_GithubAll 346 3384987 ns/op 251650 B/op 1994 allocs/op +BenchmarkGowwwRouter_GithubAll 10000 143025 ns/op 72144 B/op 501 allocs/op +BenchmarkHttpRouter_GithubAll 55938 21360 ns/op 0 B/op 0 allocs/op +BenchmarkHttpTreeMux_GithubAll 10000 153944 ns/op 65856 B/op 671 allocs/op +BenchmarkKocha_GithubAll 10000 106315 ns/op 23304 B/op 843 allocs/op +BenchmarkLARS_GithubAll 47779 25084 ns/op 0 B/op 0 allocs/op +BenchmarkMacaron_GithubAll 3266 371907 ns/op 149409 B/op 1624 allocs/op +BenchmarkMartini_GithubAll 331 3444706 ns/op 226551 B/op 2325 allocs/op +BenchmarkPat_GithubAll 273 4381818 ns/op 1483152 B/op 26963 allocs/op +BenchmarkPossum_GithubAll 10000 164367 ns/op 84448 B/op 609 allocs/op +BenchmarkR2router_GithubAll 10000 160220 ns/op 77328 B/op 979 allocs/op +BenchmarkRivet_GithubAll 14625 82453 ns/op 16272 B/op 167 allocs/op +BenchmarkTango_GithubAll 6255 279611 ns/op 63826 B/op 1618 allocs/op +BenchmarkTigerTonic_GithubAll 2008 687874 ns/op 193856 B/op 4474 allocs/op +BenchmarkTraffic_GithubAll 355 3478508 ns/op 820744 B/op 14114 allocs/op +BenchmarkVulcan_GithubAll 6885 193333 ns/op 19894 B/op 609 allocs/op +``` + +## Google+ + +```sh +BenchmarkGin_GPlusStatic 19247326 62.2 ns/op 0 B/op 0 allocs/op + +BenchmarkAce_GPlusStatic 20235060 59.2 ns/op 0 B/op 0 allocs/op +BenchmarkAero_GPlusStatic 31978935 37.6 ns/op 0 B/op 0 allocs/op +BenchmarkBear_GPlusStatic 3516523 341 ns/op 104 B/op 3 allocs/op +BenchmarkBeego_GPlusStatic 1212036 991 ns/op 352 B/op 3 allocs/op +BenchmarkBone_GPlusStatic 6736242 183 ns/op 32 B/op 1 allocs/op +BenchmarkChi_GPlusStatic 1490640 
814 ns/op 432 B/op 3 allocs/op +BenchmarkDenco_GPlusStatic 55006856 21.8 ns/op 0 B/op 0 allocs/op +BenchmarkEcho_GPlusStatic 17688258 67.9 ns/op 0 B/op 0 allocs/op +BenchmarkGocraftWeb_GPlusStatic 1829181 666 ns/op 280 B/op 5 allocs/op +BenchmarkGoji_GPlusStatic 9147451 130 ns/op 0 B/op 0 allocs/op +BenchmarkGojiv2_GPlusStatic 594015 2063 ns/op 1312 B/op 10 allocs/op +BenchmarkGoJsonRest_GPlusStatic 1264906 950 ns/op 329 B/op 11 allocs/op +BenchmarkGoRestful_GPlusStatic 231558 5341 ns/op 3872 B/op 13 allocs/op +BenchmarkGorillaMux_GPlusStatic 908418 1809 ns/op 976 B/op 9 allocs/op +BenchmarkGowwwRouter_GPlusStatic 40684604 29.5 ns/op 0 B/op 0 allocs/op +BenchmarkHttpRouter_GPlusStatic 46742804 25.7 ns/op 0 B/op 0 allocs/op +BenchmarkHttpTreeMux_GPlusStatic 32567161 36.9 ns/op 0 B/op 0 allocs/op +BenchmarkKocha_GPlusStatic 33800060 35.3 ns/op 0 B/op 0 allocs/op +BenchmarkLARS_GPlusStatic 20431858 60.0 ns/op 0 B/op 0 allocs/op +BenchmarkMacaron_GPlusStatic 1000000 1745 ns/op 736 B/op 8 allocs/op +BenchmarkMartini_GPlusStatic 442248 3619 ns/op 768 B/op 9 allocs/op +BenchmarkPat_GPlusStatic 4328004 292 ns/op 96 B/op 2 allocs/op +BenchmarkPossum_GPlusStatic 1570753 763 ns/op 416 B/op 3 allocs/op +BenchmarkR2router_GPlusStatic 3339474 355 ns/op 144 B/op 4 allocs/op +BenchmarkRivet_GPlusStatic 18570961 64.7 ns/op 0 B/op 0 allocs/op +BenchmarkTango_GPlusStatic 1388702 860 ns/op 200 B/op 8 allocs/op +BenchmarkTigerTonic_GPlusStatic 7803543 159 ns/op 32 B/op 1 allocs/op +BenchmarkTraffic_GPlusStatic 878605 2171 ns/op 1112 B/op 16 allocs/op +BenchmarkVulcan_GPlusStatic 2742446 437 ns/op 98 B/op 3 allocs/op +BenchmarkAce_GPlusParam 11626975 105 ns/op 0 B/op 0 allocs/op +BenchmarkAero_GPlusParam 16914322 71.6 ns/op 0 B/op 0 allocs/op +BenchmarkBear_GPlusParam 1405173 832 ns/op 480 B/op 5 allocs/op +BenchmarkBeego_GPlusParam 1000000 1075 ns/op 352 B/op 3 allocs/op +BenchmarkBone_GPlusParam 1000000 1557 ns/op 816 B/op 6 allocs/op +BenchmarkChi_GPlusParam 1347926 894 ns/op 432 
B/op 3 allocs/op +BenchmarkDenco_GPlusParam 5513000 212 ns/op 64 B/op 1 allocs/op +BenchmarkEcho_GPlusParam 11884383 101 ns/op 0 B/op 0 allocs/op +BenchmarkGin_GPlusParam 12898952 93.1 ns/op 0 B/op 0 allocs/op +BenchmarkGocraftWeb_GPlusParam 1000000 1194 ns/op 648 B/op 8 allocs/op +BenchmarkGoji_GPlusParam 1857229 645 ns/op 336 B/op 2 allocs/op +BenchmarkGojiv2_GPlusParam 520939 2322 ns/op 1328 B/op 11 allocs/op +BenchmarkGoJsonRest_GPlusParam 1000000 1536 ns/op 649 B/op 13 allocs/op +BenchmarkGoRestful_GPlusParam 205449 5800 ns/op 4192 B/op 14 allocs/op +BenchmarkGorillaMux_GPlusParam 395310 3188 ns/op 1280 B/op 10 allocs/op +BenchmarkGowwwRouter_GPlusParam 1851798 667 ns/op 432 B/op 3 allocs/op +BenchmarkHttpRouter_GPlusParam 18420789 65.2 ns/op 0 B/op 0 allocs/op +BenchmarkHttpTreeMux_GPlusParam 1878463 629 ns/op 352 B/op 3 allocs/op +BenchmarkKocha_GPlusParam 4495610 273 ns/op 56 B/op 3 allocs/op +BenchmarkLARS_GPlusParam 14615976 83.2 ns/op 0 B/op 0 allocs/op +BenchmarkMacaron_GPlusParam 584145 2549 ns/op 1072 B/op 10 allocs/op +BenchmarkMartini_GPlusParam 250501 4583 ns/op 1072 B/op 10 allocs/op +BenchmarkPat_GPlusParam 1000000 1645 ns/op 576 B/op 11 allocs/op +BenchmarkPossum_GPlusParam 1000000 1008 ns/op 496 B/op 5 allocs/op +BenchmarkR2router_GPlusParam 1708191 688 ns/op 432 B/op 5 allocs/op +BenchmarkRivet_GPlusParam 5795014 211 ns/op 48 B/op 1 allocs/op +BenchmarkTango_GPlusParam 1000000 1091 ns/op 264 B/op 8 allocs/op +BenchmarkTigerTonic_GPlusParam 760221 2489 ns/op 856 B/op 16 allocs/op +BenchmarkTraffic_GPlusParam 309774 4039 ns/op 1872 B/op 21 allocs/op +BenchmarkVulcan_GPlusParam 1935730 623 ns/op 98 B/op 3 allocs/op +BenchmarkAce_GPlus2Params 9158314 134 ns/op 0 B/op 0 allocs/op +BenchmarkAero_GPlus2Params 11300517 107 ns/op 0 B/op 0 allocs/op +BenchmarkBear_GPlus2Params 1239238 961 ns/op 496 B/op 5 allocs/op +BenchmarkBeego_GPlus2Params 1000000 1202 ns/op 352 B/op 3 allocs/op +BenchmarkBone_GPlus2Params 335576 3725 ns/op 1168 B/op 10 allocs/op 
+BenchmarkChi_GPlus2Params 1000000 1014 ns/op 432 B/op 3 allocs/op +BenchmarkDenco_GPlus2Params 4394598 280 ns/op 64 B/op 1 allocs/op +BenchmarkEcho_GPlus2Params 7851861 154 ns/op 0 B/op 0 allocs/op +BenchmarkGin_GPlus2Params 9958588 120 ns/op 0 B/op 0 allocs/op +BenchmarkGocraftWeb_GPlus2Params 1000000 1433 ns/op 712 B/op 9 allocs/op +BenchmarkGoji_GPlus2Params 1325134 909 ns/op 336 B/op 2 allocs/op +BenchmarkGojiv2_GPlus2Params 405955 2870 ns/op 1408 B/op 14 allocs/op +BenchmarkGoJsonRest_GPlus2Params 977038 1987 ns/op 713 B/op 14 allocs/op +BenchmarkGoRestful_GPlus2Params 205018 6142 ns/op 4384 B/op 16 allocs/op +BenchmarkGorillaMux_GPlus2Params 205641 6015 ns/op 1296 B/op 10 allocs/op +BenchmarkGowwwRouter_GPlus2Params 1748542 684 ns/op 432 B/op 3 allocs/op +BenchmarkHttpRouter_GPlus2Params 14047102 87.7 ns/op 0 B/op 0 allocs/op +BenchmarkHttpTreeMux_GPlus2Params 1418673 828 ns/op 384 B/op 4 allocs/op +BenchmarkKocha_GPlus2Params 2334562 520 ns/op 128 B/op 5 allocs/op +BenchmarkLARS_GPlus2Params 11954094 101 ns/op 0 B/op 0 allocs/op +BenchmarkMacaron_GPlus2Params 491552 2890 ns/op 1072 B/op 10 allocs/op +BenchmarkMartini_GPlus2Params 120532 9545 ns/op 1200 B/op 13 allocs/op +BenchmarkPat_GPlus2Params 194739 6766 ns/op 2168 B/op 33 allocs/op +BenchmarkPossum_GPlus2Params 1201224 1009 ns/op 496 B/op 5 allocs/op +BenchmarkR2router_GPlus2Params 1575535 756 ns/op 432 B/op 5 allocs/op +BenchmarkRivet_GPlus2Params 3698930 325 ns/op 96 B/op 1 allocs/op +BenchmarkTango_GPlus2Params 1000000 1212 ns/op 344 B/op 8 allocs/op +BenchmarkTigerTonic_GPlus2Params 349350 3660 ns/op 1200 B/op 22 allocs/op +BenchmarkTraffic_GPlus2Params 169714 7862 ns/op 2248 B/op 28 allocs/op +BenchmarkVulcan_GPlus2Params 1222288 974 ns/op 98 B/op 3 allocs/op +BenchmarkAce_GPlusAll 845606 1398 ns/op 0 B/op 0 allocs/op +BenchmarkAero_GPlusAll 1000000 1009 ns/op 0 B/op 0 allocs/op +BenchmarkBear_GPlusAll 103830 11386 ns/op 5488 B/op 61 allocs/op +BenchmarkBeego_GPlusAll 82653 14784 ns/op 4576 B/op 
39 allocs/op +BenchmarkBone_GPlusAll 36601 33123 ns/op 11744 B/op 109 allocs/op +BenchmarkChi_GPlusAll 95264 12831 ns/op 5616 B/op 39 allocs/op +BenchmarkDenco_GPlusAll 567681 2950 ns/op 672 B/op 11 allocs/op +BenchmarkEcho_GPlusAll 720366 1665 ns/op 0 B/op 0 allocs/op +BenchmarkGin_GPlusAll 1000000 1185 ns/op 0 B/op 0 allocs/op +BenchmarkGocraftWeb_GPlusAll 71575 16365 ns/op 8040 B/op 103 allocs/op +BenchmarkGoji_GPlusAll 136352 9191 ns/op 3696 B/op 22 allocs/op +BenchmarkGojiv2_GPlusAll 38006 31802 ns/op 17616 B/op 154 allocs/op +BenchmarkGoJsonRest_GPlusAll 57238 21561 ns/op 8117 B/op 170 allocs/op +BenchmarkGoRestful_GPlusAll 15147 79276 ns/op 55520 B/op 192 allocs/op +BenchmarkGorillaMux_GPlusAll 24446 48410 ns/op 16112 B/op 128 allocs/op +BenchmarkGowwwRouter_GPlusAll 150112 7770 ns/op 4752 B/op 33 allocs/op +BenchmarkHttpRouter_GPlusAll 1367820 878 ns/op 0 B/op 0 allocs/op +BenchmarkHttpTreeMux_GPlusAll 166628 8004 ns/op 4032 B/op 38 allocs/op +BenchmarkKocha_GPlusAll 265694 4570 ns/op 976 B/op 43 allocs/op +BenchmarkLARS_GPlusAll 1000000 1068 ns/op 0 B/op 0 allocs/op +BenchmarkMacaron_GPlusAll 54564 23305 ns/op 9568 B/op 104 allocs/op +BenchmarkMartini_GPlusAll 16274 73845 ns/op 14016 B/op 145 allocs/op +BenchmarkPat_GPlusAll 27181 44478 ns/op 15264 B/op 271 allocs/op +BenchmarkPossum_GPlusAll 122587 10277 ns/op 5408 B/op 39 allocs/op +BenchmarkR2router_GPlusAll 130137 9297 ns/op 5040 B/op 63 allocs/op +BenchmarkRivet_GPlusAll 532438 3323 ns/op 768 B/op 11 allocs/op +BenchmarkTango_GPlusAll 86054 14531 ns/op 3656 B/op 104 allocs/op +BenchmarkTigerTonic_GPlusAll 33936 35356 ns/op 11600 B/op 242 allocs/op +BenchmarkTraffic_GPlusAll 17833 68181 ns/op 26248 B/op 341 allocs/op +BenchmarkVulcan_GPlusAll 120109 9861 ns/op 1274 B/op 39 allocs/op +``` + +## Parse.com + +```sh +BenchmarkGin_ParseStatic 18877833 63.5 ns/op 0 B/op 0 allocs/op + +BenchmarkAce_ParseStatic 19663731 60.8 ns/op 0 B/op 0 allocs/op +BenchmarkAero_ParseStatic 28967341 41.5 ns/op 0 B/op 0 
allocs/op +BenchmarkBear_ParseStatic 3006984 402 ns/op 120 B/op 3 allocs/op +BenchmarkBeego_ParseStatic 1000000 1031 ns/op 352 B/op 3 allocs/op +BenchmarkBone_ParseStatic 1782482 675 ns/op 144 B/op 3 allocs/op +BenchmarkChi_ParseStatic 1453261 819 ns/op 432 B/op 3 allocs/op +BenchmarkDenco_ParseStatic 45023595 26.5 ns/op 0 B/op 0 allocs/op +BenchmarkEcho_ParseStatic 17330470 69.3 ns/op 0 B/op 0 allocs/op +BenchmarkGocraftWeb_ParseStatic 1644006 731 ns/op 296 B/op 5 allocs/op +BenchmarkGoji_ParseStatic 7026930 170 ns/op 0 B/op 0 allocs/op +BenchmarkGojiv2_ParseStatic 517618 2037 ns/op 1312 B/op 10 allocs/op +BenchmarkGoJsonRest_ParseStatic 1227080 975 ns/op 329 B/op 11 allocs/op +BenchmarkGoRestful_ParseStatic 192458 6659 ns/op 4256 B/op 13 allocs/op +BenchmarkGorillaMux_ParseStatic 744062 2109 ns/op 976 B/op 9 allocs/op +BenchmarkGowwwRouter_ParseStatic 37781062 31.8 ns/op 0 B/op 0 allocs/op +BenchmarkHttpRouter_ParseStatic 45311223 26.5 ns/op 0 B/op 0 allocs/op +BenchmarkHttpTreeMux_ParseStatic 21383475 56.1 ns/op 0 B/op 0 allocs/op +BenchmarkKocha_ParseStatic 29953290 40.1 ns/op 0 B/op 0 allocs/op +BenchmarkLARS_ParseStatic 20036196 62.7 ns/op 0 B/op 0 allocs/op +BenchmarkMacaron_ParseStatic 1000000 1740 ns/op 736 B/op 8 allocs/op +BenchmarkMartini_ParseStatic 404156 3801 ns/op 768 B/op 9 allocs/op +BenchmarkPat_ParseStatic 1547180 772 ns/op 240 B/op 5 allocs/op +BenchmarkPossum_ParseStatic 1608991 757 ns/op 416 B/op 3 allocs/op +BenchmarkR2router_ParseStatic 3177936 385 ns/op 144 B/op 4 allocs/op +BenchmarkRivet_ParseStatic 17783205 67.4 ns/op 0 B/op 0 allocs/op +BenchmarkTango_ParseStatic 1210777 990 ns/op 248 B/op 8 allocs/op +BenchmarkTigerTonic_ParseStatic 5316440 231 ns/op 48 B/op 1 allocs/op +BenchmarkTraffic_ParseStatic 496050 2539 ns/op 1256 B/op 19 allocs/op +BenchmarkVulcan_ParseStatic 2462798 488 ns/op 98 B/op 3 allocs/op +BenchmarkAce_ParseParam 13393669 89.6 ns/op 0 B/op 0 allocs/op +BenchmarkAero_ParseParam 19836619 60.4 ns/op 0 B/op 0 allocs/op 
+BenchmarkBear_ParseParam 1405954 864 ns/op 467 B/op 5 allocs/op +BenchmarkBeego_ParseParam 1000000 1065 ns/op 352 B/op 3 allocs/op +BenchmarkBone_ParseParam 1000000 1698 ns/op 896 B/op 7 allocs/op +BenchmarkChi_ParseParam 1356037 873 ns/op 432 B/op 3 allocs/op +BenchmarkDenco_ParseParam 6241392 204 ns/op 64 B/op 1 allocs/op +BenchmarkEcho_ParseParam 14088100 85.1 ns/op 0 B/op 0 allocs/op +BenchmarkGin_ParseParam 17426064 68.9 ns/op 0 B/op 0 allocs/op +BenchmarkGocraftWeb_ParseParam 1000000 1254 ns/op 664 B/op 8 allocs/op +BenchmarkGoji_ParseParam 1682574 713 ns/op 336 B/op 2 allocs/op +BenchmarkGojiv2_ParseParam 502224 2333 ns/op 1360 B/op 12 allocs/op +BenchmarkGoJsonRest_ParseParam 1000000 1401 ns/op 649 B/op 13 allocs/op +BenchmarkGoRestful_ParseParam 182623 7097 ns/op 4576 B/op 14 allocs/op +BenchmarkGorillaMux_ParseParam 482332 2477 ns/op 1280 B/op 10 allocs/op +BenchmarkGowwwRouter_ParseParam 1834873 657 ns/op 432 B/op 3 allocs/op +BenchmarkHttpRouter_ParseParam 23593393 51.0 ns/op 0 B/op 0 allocs/op +BenchmarkHttpTreeMux_ParseParam 2100160 574 ns/op 352 B/op 3 allocs/op +BenchmarkKocha_ParseParam 4837220 252 ns/op 56 B/op 3 allocs/op +BenchmarkLARS_ParseParam 18411192 66.2 ns/op 0 B/op 0 allocs/op +BenchmarkMacaron_ParseParam 571870 2398 ns/op 1072 B/op 10 allocs/op +BenchmarkMartini_ParseParam 286262 4268 ns/op 1072 B/op 10 allocs/op +BenchmarkPat_ParseParam 692906 2157 ns/op 992 B/op 15 allocs/op +BenchmarkPossum_ParseParam 1000000 1011 ns/op 496 B/op 5 allocs/op +BenchmarkR2router_ParseParam 1722735 697 ns/op 432 B/op 5 allocs/op +BenchmarkRivet_ParseParam 6058054 203 ns/op 48 B/op 1 allocs/op +BenchmarkTango_ParseParam 1000000 1061 ns/op 280 B/op 8 allocs/op +BenchmarkTigerTonic_ParseParam 890275 2277 ns/op 784 B/op 15 allocs/op +BenchmarkTraffic_ParseParam 351322 3543 ns/op 1896 B/op 21 allocs/op +BenchmarkVulcan_ParseParam 2076544 572 ns/op 98 B/op 3 allocs/op +BenchmarkAce_Parse2Params 11718074 101 ns/op 0 B/op 0 allocs/op +BenchmarkAero_Parse2Params 
16264988 73.4 ns/op 0 B/op 0 allocs/op +BenchmarkBear_Parse2Params 1238322 973 ns/op 496 B/op 5 allocs/op +BenchmarkBeego_Parse2Params 1000000 1120 ns/op 352 B/op 3 allocs/op +BenchmarkBone_Parse2Params 1000000 1632 ns/op 848 B/op 6 allocs/op +BenchmarkChi_Parse2Params 1239477 955 ns/op 432 B/op 3 allocs/op +BenchmarkDenco_Parse2Params 4944133 245 ns/op 64 B/op 1 allocs/op +BenchmarkEcho_Parse2Params 10518286 114 ns/op 0 B/op 0 allocs/op +BenchmarkGin_Parse2Params 14505195 82.7 ns/op 0 B/op 0 allocs/op +BenchmarkGocraftWeb_Parse2Params 1000000 1437 ns/op 712 B/op 9 allocs/op +BenchmarkGoji_Parse2Params 1689883 707 ns/op 336 B/op 2 allocs/op +BenchmarkGojiv2_Parse2Params 502334 2308 ns/op 1344 B/op 11 allocs/op +BenchmarkGoJsonRest_Parse2Params 1000000 1771 ns/op 713 B/op 14 allocs/op +BenchmarkGoRestful_Parse2Params 159092 7583 ns/op 4928 B/op 14 allocs/op +BenchmarkGorillaMux_Parse2Params 417548 2980 ns/op 1296 B/op 10 allocs/op +BenchmarkGowwwRouter_Parse2Params 1751737 686 ns/op 432 B/op 3 allocs/op +BenchmarkHttpRouter_Parse2Params 18089204 66.3 ns/op 0 B/op 0 allocs/op +BenchmarkHttpTreeMux_Parse2Params 1556986 777 ns/op 384 B/op 4 allocs/op +BenchmarkKocha_Parse2Params 2493082 485 ns/op 128 B/op 5 allocs/op +BenchmarkLARS_Parse2Params 15350108 78.5 ns/op 0 B/op 0 allocs/op +BenchmarkMacaron_Parse2Params 530974 2605 ns/op 1072 B/op 10 allocs/op +BenchmarkMartini_Parse2Params 247069 4673 ns/op 1152 B/op 11 allocs/op +BenchmarkPat_Parse2Params 816295 2126 ns/op 752 B/op 16 allocs/op +BenchmarkPossum_Parse2Params 1000000 1002 ns/op 496 B/op 5 allocs/op +BenchmarkR2router_Parse2Params 1569771 733 ns/op 432 B/op 5 allocs/op +BenchmarkRivet_Parse2Params 4080546 295 ns/op 96 B/op 1 allocs/op +BenchmarkTango_Parse2Params 1000000 1121 ns/op 312 B/op 8 allocs/op +BenchmarkTigerTonic_Parse2Params 399556 3470 ns/op 1168 B/op 22 allocs/op +BenchmarkTraffic_Parse2Params 314194 4159 ns/op 1944 B/op 22 allocs/op +BenchmarkVulcan_Parse2Params 1827559 664 ns/op 98 B/op 3 
allocs/op +BenchmarkAce_ParseAll 478395 2503 ns/op 0 B/op 0 allocs/op +BenchmarkAero_ParseAll 715392 1658 ns/op 0 B/op 0 allocs/op +BenchmarkBear_ParseAll 59191 20124 ns/op 8928 B/op 110 allocs/op +BenchmarkBeego_ParseAll 45507 27266 ns/op 9152 B/op 78 allocs/op +BenchmarkBone_ParseAll 29328 41459 ns/op 16208 B/op 147 allocs/op +BenchmarkChi_ParseAll 48531 25053 ns/op 11232 B/op 78 allocs/op +BenchmarkDenco_ParseAll 325532 4284 ns/op 928 B/op 16 allocs/op +BenchmarkEcho_ParseAll 433771 2759 ns/op 0 B/op 0 allocs/op +BenchmarkGin_ParseAll 576316 2082 ns/op 0 B/op 0 allocs/op +BenchmarkGocraftWeb_ParseAll 41500 29692 ns/op 13728 B/op 181 allocs/op +BenchmarkGoji_ParseAll 80833 15563 ns/op 5376 B/op 32 allocs/op +BenchmarkGojiv2_ParseAll 19836 60335 ns/op 34448 B/op 277 allocs/op +BenchmarkGoJsonRest_ParseAll 32210 38027 ns/op 13866 B/op 321 allocs/op +BenchmarkGoRestful_ParseAll 6644 190842 ns/op 117600 B/op 354 allocs/op +BenchmarkGorillaMux_ParseAll 12634 95894 ns/op 30288 B/op 250 allocs/op +BenchmarkGowwwRouter_ParseAll 98152 12159 ns/op 6912 B/op 48 allocs/op +BenchmarkHttpRouter_ParseAll 933208 1273 ns/op 0 B/op 0 allocs/op +BenchmarkHttpTreeMux_ParseAll 107191 11554 ns/op 5728 B/op 51 allocs/op +BenchmarkKocha_ParseAll 184862 6225 ns/op 1112 B/op 54 allocs/op +BenchmarkLARS_ParseAll 644546 1858 ns/op 0 B/op 0 allocs/op +BenchmarkMacaron_ParseAll 26145 46484 ns/op 19136 B/op 208 allocs/op +BenchmarkMartini_ParseAll 10000 121838 ns/op 25072 B/op 253 allocs/op +BenchmarkPat_ParseAll 25417 47196 ns/op 15216 B/op 308 allocs/op +BenchmarkPossum_ParseAll 58550 20735 ns/op 10816 B/op 78 allocs/op +BenchmarkR2router_ParseAll 72732 16584 ns/op 8352 B/op 120 allocs/op +BenchmarkRivet_ParseAll 281365 4968 ns/op 912 B/op 16 allocs/op +BenchmarkTango_ParseAll 42831 28668 ns/op 7168 B/op 208 allocs/op +BenchmarkTigerTonic_ParseAll 23774 49972 ns/op 16048 B/op 332 allocs/op +BenchmarkTraffic_ParseAll 10000 104679 ns/op 45520 B/op 605 allocs/op +BenchmarkVulcan_ParseAll 64810 
18108 ns/op 2548 B/op 78 allocs/op
+```
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/CHANGELOG.md b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/CHANGELOG.md
new file mode 100644
index 000000000000..4c806a5a7de9
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/CHANGELOG.md
@@ -0,0 +1,454 @@
+# Gin ChangeLog
+
+## Gin v1.7.7
+
+### BUGFIXES
+
+* Fixed X-Forwarded-For unsafe handling of CVE-2020-28483 [#2844](https://github.com/gin-gonic/gin/pull/2844), closed issue [#2862](https://github.com/gin-gonic/gin/issues/2862).
+* Tree: updated the code logic for `latestNode` [#2897](https://github.com/gin-gonic/gin/pull/2897), closed issue [#2894](https://github.com/gin-gonic/gin/issues/2894) [#2878](https://github.com/gin-gonic/gin/issues/2878).
+* Tree: fixed the misplacement of adding slashes [#2847](https://github.com/gin-gonic/gin/pull/2847), closed issue [#2843](https://github.com/gin-gonic/gin/issues/2843).
+* Tree: fixed tsr with mixed static and wildcard paths [#2924](https://github.com/gin-gonic/gin/pull/2924), closed issue [#2918](https://github.com/gin-gonic/gin/issues/2918).
+
+### ENHANCEMENTS
+
+* TrustedProxies: make it backward-compatible [#2887](https://github.com/gin-gonic/gin/pull/2887), closed issue [#2819](https://github.com/gin-gonic/gin/issues/2819).
+* TrustedPlatform: provide custom options for another CDN services [#2906](https://github.com/gin-gonic/gin/pull/2906).
+
+### DOCS
+
+* NoMethod: added usage annotation ([#2832](https://github.com/gin-gonic/gin/pull/2832#issuecomment-929954463)).
+
+## Gin v1.7.6
+
+### BUGFIXES
+
+* bump new release to fix v1.7.5 release error by using v1.7.4 codes.
+
+## Gin v1.7.4
+
+### BUGFIXES
+
+* bump new release to fix checksum mismatch
+
+## Gin v1.7.3
+
+### BUGFIXES
+
+* fix level 1 router match [#2767](https://github.com/gin-gonic/gin/issues/2767), [#2796](https://github.com/gin-gonic/gin/issues/2796)
+
+## Gin v1.7.2
+
+### BUGFIXES
+
+* Fix conflict between param and exact path [#2706](https://github.com/gin-gonic/gin/issues/2706). Close issue [#2682](https://github.com/gin-gonic/gin/issues/2682) [#2696](https://github.com/gin-gonic/gin/issues/2696).
+
+## Gin v1.7.1
+
+### BUGFIXES
+
+* fix: data race with trustedCIDRs from [#2674](https://github.com/gin-gonic/gin/issues/2674)([#2675](https://github.com/gin-gonic/gin/pull/2675))
+
+## Gin v1.7.0
+
+### BUGFIXES
+
+* fix compile error from [#2572](https://github.com/gin-gonic/gin/pull/2572) ([#2600](https://github.com/gin-gonic/gin/pull/2600))
+* fix: print headers without Authorization header on broken pipe ([#2528](https://github.com/gin-gonic/gin/pull/2528))
+* fix(tree): reassign fullpath when register new node ([#2366](https://github.com/gin-gonic/gin/pull/2366))
+
+### ENHANCEMENTS
+
+* Support params and exact routes without creating conflicts ([#2663](https://github.com/gin-gonic/gin/pull/2663))
+* chore: improve render string performance ([#2365](https://github.com/gin-gonic/gin/pull/2365))
+* Sync route tree to httprouter latest code ([#2368](https://github.com/gin-gonic/gin/pull/2368))
+* chore: rename getQueryCache/getFormCache to initQueryCache/initFormCa ([#2375](https://github.com/gin-gonic/gin/pull/2375))
+* chore(performance): improve countParams ([#2378](https://github.com/gin-gonic/gin/pull/2378))
+* Remove some functions that have the same effect as the bytes package ([#2387](https://github.com/gin-gonic/gin/pull/2387))
+* update:SetMode function ([#2321](https://github.com/gin-gonic/gin/pull/2321))
+* remove a unused type SecureJSONPrefix ([#2391](https://github.com/gin-gonic/gin/pull/2391))
+* Add a redirect sample for POST method ([#2389](https://github.com/gin-gonic/gin/pull/2389))
+* Add CustomRecovery builtin middleware ([#2322](https://github.com/gin-gonic/gin/pull/2322))
+* binding: avoid 2038 problem on 32-bit architectures ([#2450](https://github.com/gin-gonic/gin/pull/2450))
+* Prevent panic in Context.GetQuery() when there is no Request ([#2412](https://github.com/gin-gonic/gin/pull/2412))
+* Add GetUint and GetUint64 method on gin.context ([#2487](https://github.com/gin-gonic/gin/pull/2487))
+* update content-disposition header to MIME-style ([#2512](https://github.com/gin-gonic/gin/pull/2512))
+* reduce allocs and improve the render `WriteString` ([#2508](https://github.com/gin-gonic/gin/pull/2508))
+* implement ".Unwrap() error" on Error type ([#2525](https://github.com/gin-gonic/gin/pull/2525)) ([#2526](https://github.com/gin-gonic/gin/pull/2526))
+* Allow bind with a map[string]string ([#2484](https://github.com/gin-gonic/gin/pull/2484))
+* chore: update tree ([#2371](https://github.com/gin-gonic/gin/pull/2371))
+* Support binding for slice/array obj [Rewrite] ([#2302](https://github.com/gin-gonic/gin/pull/2302))
+* basic auth: fix timing oracle ([#2609](https://github.com/gin-gonic/gin/pull/2609))
+* Add mixed param and non-param paths (port of httprouter[#329](https://github.com/gin-gonic/gin/pull/329)) ([#2663](https://github.com/gin-gonic/gin/pull/2663))
+* feat(engine): add trustedproxies and remoteIP ([#2632](https://github.com/gin-gonic/gin/pull/2632))
+
+## Gin v1.6.3
+
+### ENHANCEMENTS
+
+ * Improve performance: Change `*sync.RWMutex` to `sync.RWMutex` in context. [#2351](https://github.com/gin-gonic/gin/pull/2351)
+
+## Gin v1.6.2
+
+### BUGFIXES
+ * fix missing initial sync.RWMutex [#2305](https://github.com/gin-gonic/gin/pull/2305)
+### ENHANCEMENTS
+ * Add set samesite in cookie. [#2306](https://github.com/gin-gonic/gin/pull/2306)
+
+## Gin v1.6.1
+
+### BUGFIXES
+ * Revert "fix accept incoming network connections" [#2294](https://github.com/gin-gonic/gin/pull/2294)
+
+## Gin v1.6.0
+
+### BREAKING
+ * chore(performance): Improve performance for adding RemoveExtraSlash flag [#2159](https://github.com/gin-gonic/gin/pull/2159)
+ * drop support govendor [#2148](https://github.com/gin-gonic/gin/pull/2148)
+ * Added support for SameSite cookie flag [#1615](https://github.com/gin-gonic/gin/pull/1615)
+### FEATURES
+ * add yaml negotiation [#2220](https://github.com/gin-gonic/gin/pull/2220)
+ * FileFromFS [#2112](https://github.com/gin-gonic/gin/pull/2112)
+### BUGFIXES
+ * Unix Socket Handling [#2280](https://github.com/gin-gonic/gin/pull/2280)
+ * Use json marshall in context json to fix breaking new line issue. Fixes #2209 [#2228](https://github.com/gin-gonic/gin/pull/2228)
+ * fix accept incoming network connections [#2216](https://github.com/gin-gonic/gin/pull/2216)
+ * Fixed a bug in the calculation of the maximum number of parameters [#2166](https://github.com/gin-gonic/gin/pull/2166)
+ * [FIX] allow empty headers on DataFromReader [#2121](https://github.com/gin-gonic/gin/pull/2121)
+ * Add mutex for protect Context.Keys map [#1391](https://github.com/gin-gonic/gin/pull/1391)
+### ENHANCEMENTS
+ * Add mitigation for log injection [#2277](https://github.com/gin-gonic/gin/pull/2277)
+ * tree: range over nodes values [#2229](https://github.com/gin-gonic/gin/pull/2229)
+ * tree: remove duplicate assignment [#2222](https://github.com/gin-gonic/gin/pull/2222)
+ * chore: upgrade go-isatty and json-iterator/go [#2215](https://github.com/gin-gonic/gin/pull/2215)
+ * path: sync code with httprouter [#2212](https://github.com/gin-gonic/gin/pull/2212)
+ * Use zero-copy approach to convert types between string and byte slice [#2206](https://github.com/gin-gonic/gin/pull/2206)
+ * Reuse bytes when cleaning the URL paths [#2179](https://github.com/gin-gonic/gin/pull/2179)
+ * tree: remove one else statement [#2177](https://github.com/gin-gonic/gin/pull/2177)
+ * tree: sync httprouter update (#2173) (#2172) [#2171](https://github.com/gin-gonic/gin/pull/2171)
+ * tree: sync part httprouter codes and reduce if/else [#2163](https://github.com/gin-gonic/gin/pull/2163)
+ * use http method constant [#2155](https://github.com/gin-gonic/gin/pull/2155)
+ * upgrade go-validator to v10 [#2149](https://github.com/gin-gonic/gin/pull/2149)
+ * Refactor redirect request in gin.go [#1970](https://github.com/gin-gonic/gin/pull/1970)
+ * Add build tag nomsgpack [#1852](https://github.com/gin-gonic/gin/pull/1852)
+### DOCS
+ * docs(path): improve comments [#2223](https://github.com/gin-gonic/gin/pull/2223)
+ * Renew README to fit the modification of SetCookie method [#2217](https://github.com/gin-gonic/gin/pull/2217)
+ * Fix spelling [#2202](https://github.com/gin-gonic/gin/pull/2202)
+ * Remove broken link from README. [#2198](https://github.com/gin-gonic/gin/pull/2198)
+ * Update docs on Context.Done(), Context.Deadline() and Context.Err() [#2196](https://github.com/gin-gonic/gin/pull/2196)
+ * Update validator to v10 [#2190](https://github.com/gin-gonic/gin/pull/2190)
+ * upgrade go-validator to v10 for README [#2189](https://github.com/gin-gonic/gin/pull/2189)
+ * Update to currently output [#2188](https://github.com/gin-gonic/gin/pull/2188)
+ * Fix "Custom Validators" example [#2186](https://github.com/gin-gonic/gin/pull/2186)
+ * Add project to README [#2165](https://github.com/gin-gonic/gin/pull/2165)
+ * docs(benchmarks): for gin v1.5 [#2153](https://github.com/gin-gonic/gin/pull/2153)
+ * Changed wording for clarity in README.md [#2122](https://github.com/gin-gonic/gin/pull/2122)
+### MISC
+ * ci support go1.14 [#2262](https://github.com/gin-gonic/gin/pull/2262)
+ * chore: upgrade depend version [#2231](https://github.com/gin-gonic/gin/pull/2231)
+ * Drop support go1.10 [#2147](https://github.com/gin-gonic/gin/pull/2147)
+ * fix comment in `mode.go` [#2129](https://github.com/gin-gonic/gin/pull/2129)
+
+## Gin v1.5.0
+
+- [FIX] Use DefaultWriter and DefaultErrorWriter for debug messages [#1891](https://github.com/gin-gonic/gin/pull/1891)
+- [NEW] Now you can parse the inline lowercase start structure [#1893](https://github.com/gin-gonic/gin/pull/1893)
+- [FIX] Some code improvements [#1909](https://github.com/gin-gonic/gin/pull/1909)
+- [FIX] Use encode replace json marshal increase json encoder speed [#1546](https://github.com/gin-gonic/gin/pull/1546)
+- [NEW] Hold matched route full path in the Context [#1826](https://github.com/gin-gonic/gin/pull/1826)
+- [FIX] Fix context.Params race condition on Copy() [#1841](https://github.com/gin-gonic/gin/pull/1841)
+- [NEW] Add context param query cache [#1450](https://github.com/gin-gonic/gin/pull/1450)
+- [FIX] Improve GetQueryMap performance [#1918](https://github.com/gin-gonic/gin/pull/1918)
+- [FIX] Improve get post data [#1920](https://github.com/gin-gonic/gin/pull/1920)
+- [FIX] Use context instead of x/net/context [#1922](https://github.com/gin-gonic/gin/pull/1922)
+- [FIX] Attempt to fix PostForm cache bug [#1931](https://github.com/gin-gonic/gin/pull/1931)
+- [NEW] Add support of multipart multi files [#1949](https://github.com/gin-gonic/gin/pull/1949)
+- [NEW] Support bind http header param [#1957](https://github.com/gin-gonic/gin/pull/1957)
+- [FIX] Drop support for go1.8 and go1.9 [#1933](https://github.com/gin-gonic/gin/pull/1933)
+- [FIX] Bugfix for the FullPath feature [#1919](https://github.com/gin-gonic/gin/pull/1919)
+- [FIX] Gin1.5 bytes.Buffer to strings.Builder [#1939](https://github.com/gin-gonic/gin/pull/1939)
+- [FIX] Upgrade github.com/ugorji/go/codec [#1969](https://github.com/gin-gonic/gin/pull/1969)
+- [NEW] Support bind unix time [#1980](https://github.com/gin-gonic/gin/pull/1980)
+- [FIX] Simplify code [#2004](https://github.com/gin-gonic/gin/pull/2004)
+- [NEW] Support negative Content-Length in DataFromReader [#1981](https://github.com/gin-gonic/gin/pull/1981)
+- [FIX] Identify terminal on a RISC-V architecture for auto-colored logs [#2019](https://github.com/gin-gonic/gin/pull/2019)
+- [BREAKING] `Context.JSONP()` now expects a semicolon (`;`) at the end [#2007](https://github.com/gin-gonic/gin/pull/2007)
+- [BREAKING] Upgrade default `binding.Validator` to v9 (see [its changelog](https://github.com/go-playground/validator/releases/tag/v9.0.0)) [#1015](https://github.com/gin-gonic/gin/pull/1015)
+- [NEW] Add `DisallowUnknownFields()` in `Context.BindJSON()` [#2028](https://github.com/gin-gonic/gin/pull/2028)
+- [NEW] Use specific `net.Listener` with `Engine.RunListener()` [#2023](https://github.com/gin-gonic/gin/pull/2023)
+- [FIX] Fix some typo [#2079](https://github.com/gin-gonic/gin/pull/2079) [#2080](https://github.com/gin-gonic/gin/pull/2080)
+- [FIX] Relocate binding body tests [#2086](https://github.com/gin-gonic/gin/pull/2086)
+- [FIX] Use Writer in Context.Status [#1606](https://github.com/gin-gonic/gin/pull/1606)
+- [FIX] `Engine.RunUnix()` now returns the error if it can't change the file mode [#2093](https://github.com/gin-gonic/gin/pull/2093)
+- [FIX] `RouterGroup.StaticFS()` leaked files. Now it closes them. [#2118](https://github.com/gin-gonic/gin/pull/2118)
+- [FIX] `Context.Request.FormFile` leaked file. Now it closes it. [#2114](https://github.com/gin-gonic/gin/pull/2114)
+- [FIX] Ignore walking on `form:"-"` mapping [#1943](https://github.com/gin-gonic/gin/pull/1943)
+
+### Gin v1.4.0
+
+- [NEW] Support for [Go Modules](https://github.com/golang/go/wiki/Modules) [#1569](https://github.com/gin-gonic/gin/pull/1569)
+- [NEW] Refactor of form mapping multipart request [#1829](https://github.com/gin-gonic/gin/pull/1829)
+- [FIX] Truncate Latency precision in long running request [#1830](https://github.com/gin-gonic/gin/pull/1830)
+- [FIX] IsTerm flag should not be affected by DisableConsoleColor method. [#1802](https://github.com/gin-gonic/gin/pull/1802)
+- [NEW] Supporting file binding [#1264](https://github.com/gin-gonic/gin/pull/1264)
+- [NEW] Add support for mapping arrays [#1797](https://github.com/gin-gonic/gin/pull/1797)
+- [FIX] Readme updates [#1793](https://github.com/gin-gonic/gin/pull/1793) [#1788](https://github.com/gin-gonic/gin/pull/1788) [1789](https://github.com/gin-gonic/gin/pull/1789)
+- [FIX] StaticFS: Fixed Logging two log lines on 404. [#1805](https://github.com/gin-gonic/gin/pull/1805), [#1804](https://github.com/gin-gonic/gin/pull/1804)
+- [NEW] Make context.Keys available as LogFormatterParams [#1779](https://github.com/gin-gonic/gin/pull/1779)
+- [NEW] Use internal/json for Marshal/Unmarshal [#1791](https://github.com/gin-gonic/gin/pull/1791)
+- [NEW] Support mapping time.Duration [#1794](https://github.com/gin-gonic/gin/pull/1794)
+- [NEW] Refactor form mappings [#1749](https://github.com/gin-gonic/gin/pull/1749)
+- [NEW] Added flag to context.Stream indicates if client disconnected in middle of stream [#1252](https://github.com/gin-gonic/gin/pull/1252)
+- [FIX] Moved [examples](https://github.com/gin-gonic/examples) to stand alone Repo [#1775](https://github.com/gin-gonic/gin/pull/1775)
+- [NEW] Extend context.File to allow for the content-disposition attachments via a new method context.Attachment [#1260](https://github.com/gin-gonic/gin/pull/1260)
+- [FIX] Support HTTP content negotiation wildcards [#1112](https://github.com/gin-gonic/gin/pull/1112)
+- [NEW] Add prefix from X-Forwarded-Prefix in redirectTrailingSlash [#1238](https://github.com/gin-gonic/gin/pull/1238)
+- [FIX] context.Copy() race condition [#1020](https://github.com/gin-gonic/gin/pull/1020)
+- [NEW] Add context.HandlerNames() [#1729](https://github.com/gin-gonic/gin/pull/1729)
+- [FIX] Change color methods to public in the defaultLogger. [#1771](https://github.com/gin-gonic/gin/pull/1771)
+- [FIX] Update writeHeaders method to use http.Header.Set [#1722](https://github.com/gin-gonic/gin/pull/1722)
+- [NEW] Add response size to LogFormatterParams [#1752](https://github.com/gin-gonic/gin/pull/1752)
+- [NEW] Allow ignoring field on form mapping [#1733](https://github.com/gin-gonic/gin/pull/1733)
+- [NEW] Add a function to force color in console output. [#1724](https://github.com/gin-gonic/gin/pull/1724)
+- [FIX] Context.Next() - recheck len of handlers on every iteration. [#1745](https://github.com/gin-gonic/gin/pull/1745)
+- [FIX] Fix all errcheck warnings [#1739](https://github.com/gin-gonic/gin/pull/1739) [#1653](https://github.com/gin-gonic/gin/pull/1653)
+- [NEW] context: inherits context cancellation and deadline from http.Request context for Go>=1.7 [#1690](https://github.com/gin-gonic/gin/pull/1690)
+- [NEW] Binding for URL Params [#1694](https://github.com/gin-gonic/gin/pull/1694)
+- [NEW] Add LoggerWithFormatter method [#1677](https://github.com/gin-gonic/gin/pull/1677)
+- [FIX] CI testing updates [#1671](https://github.com/gin-gonic/gin/pull/1671) [#1670](https://github.com/gin-gonic/gin/pull/1670) [#1682](https://github.com/gin-gonic/gin/pull/1682) [#1669](https://github.com/gin-gonic/gin/pull/1669)
+- [FIX] StaticFS(): Send 404 when path does not exist [#1663](https://github.com/gin-gonic/gin/pull/1663)
+- [FIX] Handle nil body for JSON binding [#1638](https://github.com/gin-gonic/gin/pull/1638)
+- [FIX] Support bind uri param [#1612](https://github.com/gin-gonic/gin/pull/1612)
+- [FIX] recovery: fix issue with syscall import on google app engine [#1640](https://github.com/gin-gonic/gin/pull/1640)
+- [FIX] Make sure the debug log contains line breaks [#1650](https://github.com/gin-gonic/gin/pull/1650)
+- [FIX] Panic stack trace being printed during recovery of broken pipe [#1089](https://github.com/gin-gonic/gin/pull/1089) [#1259](https://github.com/gin-gonic/gin/pull/1259)
+- [NEW] RunFd method to run http.Server through a file descriptor [#1609](https://github.com/gin-gonic/gin/pull/1609)
+- [NEW] Yaml binding support [#1618](https://github.com/gin-gonic/gin/pull/1618)
+- [FIX] Pass MaxMultipartMemory when FormFile is called [#1600](https://github.com/gin-gonic/gin/pull/1600)
+- [FIX] LoadHTML* tests [#1559](https://github.com/gin-gonic/gin/pull/1559)
+- [FIX] Removed use of sync.pool from HandleContext [#1565](https://github.com/gin-gonic/gin/pull/1565)
+- [FIX] Format output log to os.Stderr [#1571](https://github.com/gin-gonic/gin/pull/1571)
+- [FIX] Make logger use a yellow background and a darkgray text for legibility [#1570](https://github.com/gin-gonic/gin/pull/1570)
+- [FIX] Remove sensitive request information from panic log. [#1370](https://github.com/gin-gonic/gin/pull/1370)
+- [FIX] log.Println() does not print timestamp [#829](https://github.com/gin-gonic/gin/pull/829) [#1560](https://github.com/gin-gonic/gin/pull/1560)
+- [NEW] Add PureJSON renderer [#694](https://github.com/gin-gonic/gin/pull/694)
+- [FIX] Add missing copyright and update if/else [#1497](https://github.com/gin-gonic/gin/pull/1497)
+- [FIX] Update msgpack usage [#1498](https://github.com/gin-gonic/gin/pull/1498)
+- [FIX] Use protobuf on render [#1496](https://github.com/gin-gonic/gin/pull/1496)
+- [FIX] Add support for Protobuf format response [#1479](https://github.com/gin-gonic/gin/pull/1479)
+- [NEW] Set default time format in form binding [#1487](https://github.com/gin-gonic/gin/pull/1487)
+- [FIX] Add BindXML and ShouldBindXML [#1485](https://github.com/gin-gonic/gin/pull/1485)
+- [NEW] Upgrade dependency libraries [#1491](https://github.com/gin-gonic/gin/pull/1491)
+
+
+## Gin v1.3.0
+
+- [NEW] Add [`func (*Context) QueryMap`](https://godoc.org/github.com/gin-gonic/gin#Context.QueryMap), [`func (*Context) GetQueryMap`](https://godoc.org/github.com/gin-gonic/gin#Context.GetQueryMap), [`func (*Context) PostFormMap`](https://godoc.org/github.com/gin-gonic/gin#Context.PostFormMap) and [`func (*Context) GetPostFormMap`](https://godoc.org/github.com/gin-gonic/gin#Context.GetPostFormMap) to support `type map[string]string` as query string or form parameters, see [#1383](https://github.com/gin-gonic/gin/pull/1383)
+- [NEW] Add [`func (*Context) AsciiJSON`](https://godoc.org/github.com/gin-gonic/gin#Context.AsciiJSON), see [#1358](https://github.com/gin-gonic/gin/pull/1358)
+- [NEW] Add `Pusher()` in [`type ResponseWriter`](https://godoc.org/github.com/gin-gonic/gin#ResponseWriter) for supporting http2 push, see [#1273](https://github.com/gin-gonic/gin/pull/1273)
+- [NEW] Add [`func (*Context) DataFromReader`](https://godoc.org/github.com/gin-gonic/gin#Context.DataFromReader) for serving dynamic data, see [#1304](https://github.com/gin-gonic/gin/pull/1304)
+- [NEW] Add [`func (*Context) ShouldBindBodyWith`](https://godoc.org/github.com/gin-gonic/gin#Context.ShouldBindBodyWith) allowing to call binding multiple times, see [#1341](https://github.com/gin-gonic/gin/pull/1341)
+- [NEW] Support pointers in form binding, see [#1336](https://github.com/gin-gonic/gin/pull/1336)
+- [NEW] Add [`func (*Context) JSONP`](https://godoc.org/github.com/gin-gonic/gin#Context.JSONP), see [#1333](https://github.com/gin-gonic/gin/pull/1333)
+- [NEW] Support default value in form binding, see [#1138](https://github.com/gin-gonic/gin/pull/1138)
+- [NEW] Expose validator engine in [`type StructValidator`](https://godoc.org/github.com/gin-gonic/gin/binding#StructValidator), see [#1277](https://github.com/gin-gonic/gin/pull/1277)
+- [NEW] Add [`func (*Context) ShouldBind`](https://godoc.org/github.com/gin-gonic/gin#Context.ShouldBind), [`func (*Context) ShouldBindQuery`](https://godoc.org/github.com/gin-gonic/gin#Context.ShouldBindQuery) and [`func (*Context) ShouldBindJSON`](https://godoc.org/github.com/gin-gonic/gin#Context.ShouldBindJSON), see [#1047](https://github.com/gin-gonic/gin/pull/1047)
+- [NEW] Add support for `time.Time` location in form binding, see [#1117](https://github.com/gin-gonic/gin/pull/1117)
+- [NEW] Add [`func (*Context) BindQuery`](https://godoc.org/github.com/gin-gonic/gin#Context.BindQuery), see [#1029](https://github.com/gin-gonic/gin/pull/1029)
+- [NEW] Make [jsonite](https://github.com/json-iterator/go) optional with build tags, see [#1026](https://github.com/gin-gonic/gin/pull/1026)
+- [NEW] Show query string in logger, see [#999](https://github.com/gin-gonic/gin/pull/999)
+- [NEW] Add [`func (*Context) SecureJSON`](https://godoc.org/github.com/gin-gonic/gin#Context.SecureJSON), see [#987](https://github.com/gin-gonic/gin/pull/987) and [#993](https://github.com/gin-gonic/gin/pull/993)
+- [DEPRECATE] `func (*Context) GetCookie` for [`func (*Context) Cookie`](https://godoc.org/github.com/gin-gonic/gin#Context.Cookie)
+- [FIX] Don't display color tags if [`func DisableConsoleColor`](https://godoc.org/github.com/gin-gonic/gin#DisableConsoleColor) called, see [#1072](https://github.com/gin-gonic/gin/pull/1072)
+- [FIX] Gin Mode `""` when calling [`func Mode`](https://godoc.org/github.com/gin-gonic/gin#Mode) now returns `const DebugMode`, see [#1250](https://github.com/gin-gonic/gin/pull/1250)
+- [FIX] `Flush()` now doesn't overwrite `responseWriter` status code, see [#1460](https://github.com/gin-gonic/gin/pull/1460)
+
+## Gin 1.2.0
+
+- [NEW] Switch from godeps to govendor
+- [NEW] Add support for Let's Encrypt via gin-gonic/autotls
+- [NEW] Improve README examples and add extra at examples folder
+- [NEW] Improved support with App Engine
+- [NEW] Add custom template delimiters, see #860
+- [NEW] Add Template Func Maps, see #962
+- [NEW] Add \*context.Handler(), see #928
+- [NEW] Add \*context.GetRawData()
+- [NEW] Add \*context.GetHeader() (request)
+- [NEW] Add \*context.AbortWithStatusJSON() (JSON content type)
+- [NEW] Add \*context.Keys type cast helpers
+- [NEW] Add \*context.ShouldBindWith()
+- [NEW] Add \*context.MustBindWith()
+- [NEW] Add \*engine.SetFuncMap()
+- [DEPRECATE] On next release: \*context.BindWith(), see #855
+- [FIX] Refactor render
+- [FIX] Reworked tests
+- [FIX] logger now supports cygwin
+- [FIX] Use X-Forwarded-For before X-Real-Ip
+- [FIX] time.Time binding (#904)
+
+## Gin 1.1.4
+
+- [NEW] Support google appengine for IsTerminal func
+
+## Gin 1.1.3
+
+- [FIX] Reverted Logger: skip ANSI color commands
+
+## Gin 1.1
+
+- [NEW] Implement QueryArray and PostArray methods
+- [NEW] Refactor GetQuery and GetPostForm
+- [NEW] Add contribution guide
+- [FIX] Corrected typos in README
+- [FIX] Removed additional Iota
+- [FIX] Changed imports to gopkg instead of github in README (#733)
+- [FIX] Logger: skip ANSI color commands if output is not a tty
+
+## Gin 1.0rc2 (...)
+
+- [PERFORMANCE] Fast path for writing Content-Type.
+- [PERFORMANCE] Much faster 404 routing
+- [PERFORMANCE] Allocation optimizations
+- [PERFORMANCE] Faster root tree lookup
+- [PERFORMANCE] Zero overhead, String() and JSON() rendering.
+- [PERFORMANCE] Faster ClientIP parsing
+- [PERFORMANCE] Much faster SSE implementation
+- [NEW] Benchmarks suite
+- [NEW] Bind validation can be disabled and replaced with custom validators.
+- [NEW] More flexible HTML render
+- [NEW] Multipart and PostForm bindings
+- [NEW] Adds method to return all the registered routes
+- [NEW] Context.HandlerName() returns the main handler's name
+- [NEW] Adds Error.IsType() helper
+- [FIX] Binding multipart form
+- [FIX] Integration tests
+- [FIX] Crash when binding non struct object in Context.
+- [FIX] RunTLS() implementation
+- [FIX] Logger() unit tests
+- [FIX] Adds SetHTMLTemplate() warning
+- [FIX] Context.IsAborted()
+- [FIX] More unit tests
+- [FIX] JSON, XML, HTML renders accept custom content-types
+- [FIX] gin.AbortIndex is unexported
+- [FIX] Better approach to avoid directory listing in StaticFS()
+- [FIX] Context.ClientIP() always returns the IP with trimmed spaces.
+- [FIX] Better warning when running in debug mode.
+- [FIX] Google App Engine integration. debugPrint does not use os.Stdout
+- [FIX] Fixes integer overflow in error type
+- [FIX] Error implements the json.Marshaller interface
+- [FIX] MIT license in every file
+
+
+## Gin 1.0rc1 (May 22, 2015)
+
+- [PERFORMANCE] Zero allocation router
+- [PERFORMANCE] Faster JSON, XML and text rendering
+- [PERFORMANCE] Custom hand optimized HttpRouter for Gin
+- [PERFORMANCE] Misc code optimizations. Inlining, tail call optimizations
+- [NEW] Built-in support for golang.org/x/net/context
+- [NEW] Any(path, handler). Create a route that matches any path
+- [NEW] Refactored rendering pipeline (faster and static typed)
+- [NEW] Refactored errors API
+- [NEW] IndentedJSON() prints pretty JSON
+- [NEW] Added gin.DefaultWriter
+- [NEW] UNIX socket support
+- [NEW] RouterGroup.BasePath is exposed
+- [NEW] JSON validation using go-validate-yourself (very powerful options)
+- [NEW] Completed suite of unit tests
+- [NEW] HTTP streaming with c.Stream()
+- [NEW] StaticFile() creates a router for serving just one file.
+- [NEW] StaticFS() has an option to disable directory listing.
+- [NEW] StaticFS() for serving static files through virtual filesystems
+- [NEW] Server-Sent Events native support
+- [NEW] WrapF() and WrapH() helpers for wrapping http.HandlerFunc and http.Handler
+- [NEW] Added LoggerWithWriter() middleware
+- [NEW] Added RecoveryWithWriter() middleware
+- [NEW] Added DefaultPostFormValue()
+- [NEW] Added DefaultFormValue()
+- [NEW] Added DefaultParamValue()
+- [FIX] BasicAuth() when using custom realm
+- [FIX] Bug when serving static files in nested routing group
+- [FIX] Redirect using built-in http.Redirect()
+- [FIX] Logger when printing the requested path
+- [FIX] Documentation typos
+- [FIX] Context.Engine renamed to Context.engine
+- [FIX] Better debugging messages
+- [FIX] ErrorLogger
+- [FIX] Debug HTTP render
+- [FIX] Refactored binding and render modules
+- [FIX] Refactored Context initialization
+- [FIX] Refactored BasicAuth()
+- [FIX] NoMethod/NoRoute handlers
+- [FIX] Hijacking http
+- [FIX] Better support for Google App Engine (using log instead of fmt)
+
+
+## Gin 0.6 (Mar 9, 2015)
+
+- [NEW] Support multipart/form-data
+- [NEW] NoMethod handler
+- [NEW] Validate sub structures
+- [NEW] Support for HTTP Realm Auth
+- [FIX] Unsigned integers in binding
+- [FIX] Improve color logger
+
+
+## Gin 0.5 (Feb 7, 2015)
+
+- [NEW] Content Negotiation
+- [FIX] Solved security bug that allow a client to spoof ip
+- [FIX] Fix unexported/ignored fields in binding
+
+
+## Gin 0.4 (Aug 21, 2014)
+
+- [NEW] Development mode
+- [NEW] Unit tests
+- [NEW] Add Content.Redirect()
+- [FIX] Deferring WriteHeader()
+- [FIX] Improved documentation for model binding
+
+
+## Gin 0.3 (Jul 18, 2014)
+
+- [PERFORMANCE] Normal log and error log are printed in the same call.
+- [PERFORMANCE] Improve performance of NoRouter()
+- [PERFORMANCE] Improve context's memory locality, reduce CPU cache faults.
+- [NEW] Flexible rendering API
+- [NEW] Add Context.File()
+- [NEW] Add shortcut RunTLS() for http.ListenAndServeTLS
+- [FIX] Rename NotFound404() to NoRoute()
+- [FIX] Errors in context are purged
+- [FIX] Adds HEAD method in Static file serving
+- [FIX] Refactors Static() file serving
+- [FIX] Using keyed initialization to fix app-engine integration
+- [FIX] Can't unmarshal JSON array, #63
+- [FIX] Renaming Context.Req to Context.Request
+- [FIX] Check application/x-www-form-urlencoded when parsing form
+
+
+## Gin 0.2b (Jul 08, 2014)
+- [PERFORMANCE] Using sync.Pool to allocatio/gc overhead
+- [NEW] Travis CI integration
+- [NEW] Completely new logger
+- [NEW] New API for serving static files. gin.Static()
+- [NEW] gin.H() can be serialized into XML
+- [NEW] Typed errors. Errors can be typed. Internet/external/custom.
+- [NEW] Support for Godeps
+- [NEW] Travis/Godocs badges in README
+- [NEW] New Bind() and BindWith() methods for parsing request body.
+- [NEW] Add Content.Copy()
+- [NEW] Add context.LastError()
+- [NEW] Add shortcut for OPTIONS HTTP method
+- [FIX] Tons of README fixes
+- [FIX] Header is written before body
+- [FIX] BasicAuth() and changes API a little bit
+- [FIX] Recovery() middleware only prints panics
+- [FIX] Context.Get() does not panic anymore. Use MustGet() instead.
+- [FIX] Multiple http.WriteHeader() in NotFound handlers
+- [FIX] Engine.Run() panics if http server can't be set up
+- [FIX] Crash when route path doesn't start with '/'
+- [FIX] Do not update header when status code is negative
+- [FIX] Setting response headers before calling WriteHeader in context.String()
+- [FIX] Add MIT license
+- [FIX] Changes behaviour of ErrorLogger() and Logger()
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/CODE_OF_CONDUCT.md b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/CODE_OF_CONDUCT.md
new file mode 100644
index 000000000000..4ea14f3955ce
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/CODE_OF_CONDUCT.md
@@ -0,0 +1,46 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at teamgingonic@gmail.com. The project team will review and investigate all complaints, and will respond in a way that it deems appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at [http://contributor-covenant.org/version/1/4][version]
+
+[homepage]: http://contributor-covenant.org
+[version]: http://contributor-covenant.org/version/1/4/
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/CONTRIBUTING.md b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/CONTRIBUTING.md
new file mode 100644
index 000000000000..97daa808f0f4
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/CONTRIBUTING.md
@@ -0,0 +1,13 @@
+## Contributing
+
+- With issues:
+ - Use the search tool before opening a new issue.
+ - Please provide source code and commit sha if you found a bug.
+ - Review existing issues and provide feedback or react to them.
+
+- With pull requests:
+ - Open your pull request against `master`
+ - Your pull request should have no more than two commits, if not you should squash them.
+ - It should pass all tests in the available continuous integration systems such as TravisCI.
+ - You should add/modify tests to cover your proposed code changes.
+ - If your pull request contains a new feature, please document it on the README.
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/LICENSE b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/LICENSE
new file mode 100644
index 000000000000..1ff7f3706055
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/LICENSE
@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2014 Manuel Martínez-Almeida
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/Makefile b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/Makefile
new file mode 100644
index 000000000000..1a99193959ea
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/Makefile
@@ -0,0 +1,71 @@
+GO ?= go
+GOFMT ?= gofmt "-s"
+PACKAGES ?= $(shell $(GO) list ./...)
+VETPACKAGES ?= $(shell $(GO) list ./... | grep -v /examples/)
+GOFILES := $(shell find . -name "*.go")
+TESTFOLDER := $(shell $(GO) list ./... | grep -E 'gin$$|binding$$|render$$' | grep -v examples)
+TESTTAGS ?= ""
+
+.PHONY: test
+test:
+ echo "mode: count" > coverage.out
+ for d in $(TESTFOLDER); do \
+ $(GO) test -tags $(TESTTAGS) -v -covermode=count -coverprofile=profile.out $$d > tmp.out; \
+ cat tmp.out; \
+ if grep -q "^--- FAIL" tmp.out; then \
+ rm tmp.out; \
+ exit 1; \
+ elif grep -q "build failed" tmp.out; then \
+ rm tmp.out; \
+ exit 1; \
+ elif grep -q "setup failed" tmp.out; then \
+ rm tmp.out; \
+ exit 1; \
+ fi; \
+ if [ -f profile.out ]; then \
+ cat profile.out | grep -v "mode:" >> coverage.out; \
+ rm profile.out; \
+ fi; \
+ done
+
+.PHONY: fmt
+fmt:
+ $(GOFMT) -w $(GOFILES)
+
+.PHONY: fmt-check
+fmt-check:
+ @diff=$$($(GOFMT) -d $(GOFILES)); \
+ if [ -n "$$diff" ]; then \
+ echo "Please run 'make fmt' and commit the result:"; \
+ echo "$${diff}"; \
+ exit 1; \
+ fi;
+
+vet:
+ $(GO) vet $(VETPACKAGES)
+
+.PHONY: lint
+lint:
+ @hash golint > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
+ $(GO) get -u golang.org/x/lint/golint; \
+ fi
+ for PKG in $(PACKAGES); do golint -set_exit_status $$PKG || exit 1; done;
+
+.PHONY: misspell-check
+misspell-check:
+ @hash misspell > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
+ $(GO) get -u github.com/client9/misspell/cmd/misspell; \
+ fi
+ misspell -error $(GOFILES)
+
+.PHONY: misspell
+misspell:
+ @hash misspell > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
+ $(GO) get -u github.com/client9/misspell/cmd/misspell; \
+ fi
+ misspell -w $(GOFILES)
+
+.PHONY: tools
+tools:
+ go install golang.org/x/lint/golint; \
+ go install github.com/client9/misspell/cmd/misspell;
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/README.md b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/README.md
new file mode 100644
index 000000000000..9bf459b09ffd
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/README.md
@@ -0,0 +1,2252 @@ +# Gin Web Framework + + + +[![Build Status](https://travis-ci.org/gin-gonic/gin.svg)](https://travis-ci.org/gin-gonic/gin) +[![codecov](https://codecov.io/gh/gin-gonic/gin/branch/master/graph/badge.svg)](https://codecov.io/gh/gin-gonic/gin) +[![Go Report Card](https://goreportcard.com/badge/github.com/gin-gonic/gin)](https://goreportcard.com/report/github.com/gin-gonic/gin) +[![GoDoc](https://pkg.go.dev/badge/github.com/gin-gonic/gin?status.svg)](https://pkg.go.dev/github.com/gin-gonic/gin?tab=doc) +[![Join the chat at https://gitter.im/gin-gonic/gin](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/gin-gonic/gin?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge) +[![Sourcegraph](https://sourcegraph.com/github.com/gin-gonic/gin/-/badge.svg)](https://sourcegraph.com/github.com/gin-gonic/gin?badge) +[![Open Source Helpers](https://www.codetriage.com/gin-gonic/gin/badges/users.svg)](https://www.codetriage.com/gin-gonic/gin) +[![Release](https://img.shields.io/github/release/gin-gonic/gin.svg?style=flat-square)](https://github.com/gin-gonic/gin/releases) +[![TODOs](https://badgen.net/https/api.tickgit.com/badgen/github.com/gin-gonic/gin)](https://www.tickgit.com/browse?repo=github.com/gin-gonic/gin) + +Gin is a web framework written in Go (Golang). It features a martini-like API with performance that is up to 40 times faster thanks to [httprouter](https://github.com/julienschmidt/httprouter). If you need performance and good productivity, you will love Gin. + + +## Contents + +- [Gin Web Framework](#gin-web-framework) + - [Contents](#contents) + - [Installation](#installation) + - [Quick start](#quick-start) + - [Benchmarks](#benchmarks) + - [Gin v1. 
stable](#gin-v1-stable) + - [Build with jsoniter](#build-with-jsoniter) + - [API Examples](#api-examples) + - [Using GET, POST, PUT, PATCH, DELETE and OPTIONS](#using-get-post-put-patch-delete-and-options) + - [Parameters in path](#parameters-in-path) + - [Querystring parameters](#querystring-parameters) + - [Multipart/Urlencoded Form](#multiparturlencoded-form) + - [Another example: query + post form](#another-example-query--post-form) + - [Map as querystring or postform parameters](#map-as-querystring-or-postform-parameters) + - [Upload files](#upload-files) + - [Single file](#single-file) + - [Multiple files](#multiple-files) + - [Grouping routes](#grouping-routes) + - [Blank Gin without middleware by default](#blank-gin-without-middleware-by-default) + - [Using middleware](#using-middleware) + - [How to write log file](#how-to-write-log-file) + - [Custom Log Format](#custom-log-format) + - [Controlling Log output coloring](#controlling-log-output-coloring) + - [Model binding and validation](#model-binding-and-validation) + - [Custom Validators](#custom-validators) + - [Only Bind Query String](#only-bind-query-string) + - [Bind Query String or Post Data](#bind-query-string-or-post-data) + - [Bind Uri](#bind-uri) + - [Bind Header](#bind-header) + - [Bind HTML checkboxes](#bind-html-checkboxes) + - [Multipart/Urlencoded binding](#multiparturlencoded-binding) + - [XML, JSON, YAML and ProtoBuf rendering](#xml-json-yaml-and-protobuf-rendering) + - [SecureJSON](#securejson) + - [JSONP](#jsonp) + - [AsciiJSON](#asciijson) + - [PureJSON](#purejson) + - [Serving static files](#serving-static-files) + - [Serving data from file](#serving-data-from-file) + - [Serving data from reader](#serving-data-from-reader) + - [HTML rendering](#html-rendering) + - [Custom Template renderer](#custom-template-renderer) + - [Custom Delimiters](#custom-delimiters) + - [Custom Template Funcs](#custom-template-funcs) + - [Multitemplate](#multitemplate) + - [Redirects](#redirects) + - [Custom 
Middleware](#custom-middleware) + - [Using BasicAuth() middleware](#using-basicauth-middleware) + - [Goroutines inside a middleware](#goroutines-inside-a-middleware) + - [Custom HTTP configuration](#custom-http-configuration) + - [Support Let's Encrypt](#support-lets-encrypt) + - [Run multiple service using Gin](#run-multiple-service-using-gin) + - [Graceful shutdown or restart](#graceful-shutdown-or-restart) + - [Third-party packages](#third-party-packages) + - [Manually](#manually) + - [Build a single binary with templates](#build-a-single-binary-with-templates) + - [Bind form-data request with custom struct](#bind-form-data-request-with-custom-struct) + - [Try to bind body into different structs](#try-to-bind-body-into-different-structs) + - [http2 server push](#http2-server-push) + - [Define format for the log of routes](#define-format-for-the-log-of-routes) + - [Set and get a cookie](#set-and-get-a-cookie) + - [Don't trust all proxies](#don't-trust-all-proxies) + - [Testing](#testing) + - [Users](#users) + +## Installation + +To install Gin package, you need to install Go and set your Go workspace first. + +1. The first need [Go](https://golang.org/) installed (**version 1.13+ is required**), then you can use the below Go command to install Gin. + +```sh +$ go get -u github.com/gin-gonic/gin +``` + +2. Import it in your code: + +```go +import "github.com/gin-gonic/gin" +``` + +3. (Optional) Import `net/http`. This is required for example if using constants such as `http.StatusOK`. 
+ +```go +import "net/http" +``` + +## Quick start + +```sh +# assume the following codes in example.go file +$ cat example.go +``` + +```go +package main + +import "github.com/gin-gonic/gin" + +func main() { + r := gin.Default() + r.GET("/ping", func(c *gin.Context) { + c.JSON(200, gin.H{ + "message": "pong", + }) + }) + r.Run() // listen and serve on 0.0.0.0:8080 (for windows "localhost:8080") +} +``` + +``` +# run example.go and visit 0.0.0.0:8080/ping (for windows "localhost:8080/ping") on browser +$ go run example.go +``` + +## Benchmarks + +Gin uses a custom version of [HttpRouter](https://github.com/julienschmidt/httprouter) + +[See all benchmarks](/BENCHMARKS.md) + +| Benchmark name | (1) | (2) | (3) | (4) | +| ------------------------------ | ---------:| ---------------:| ------------:| ---------------:| +| BenchmarkGin_GithubAll | **43550** | **27364 ns/op** | **0 B/op** | **0 allocs/op** | +| BenchmarkAce_GithubAll | 40543 | 29670 ns/op | 0 B/op | 0 allocs/op | +| BenchmarkAero_GithubAll | 57632 | 20648 ns/op | 0 B/op | 0 allocs/op | +| BenchmarkBear_GithubAll | 9234 | 216179 ns/op | 86448 B/op | 943 allocs/op | +| BenchmarkBeego_GithubAll | 7407 | 243496 ns/op | 71456 B/op | 609 allocs/op | +| BenchmarkBone_GithubAll | 420 | 2922835 ns/op | 720160 B/op | 8620 allocs/op | +| BenchmarkChi_GithubAll | 7620 | 238331 ns/op | 87696 B/op | 609 allocs/op | +| BenchmarkDenco_GithubAll | 18355 | 64494 ns/op | 20224 B/op | 167 allocs/op | +| BenchmarkEcho_GithubAll | 31251 | 38479 ns/op | 0 B/op | 0 allocs/op | +| BenchmarkGocraftWeb_GithubAll | 4117 | 300062 ns/op | 131656 B/op | 1686 allocs/op | +| BenchmarkGoji_GithubAll | 3274 | 416158 ns/op | 56112 B/op | 334 allocs/op | +| BenchmarkGojiv2_GithubAll | 1402 | 870518 ns/op | 352720 B/op | 4321 allocs/op | +| BenchmarkGoJsonRest_GithubAll | 2976 | 401507 ns/op | 134371 B/op | 2737 allocs/op | +| BenchmarkGoRestful_GithubAll | 410 | 2913158 ns/op | 910144 B/op | 2938 allocs/op | +| BenchmarkGorillaMux_GithubAll | 
346 | 3384987 ns/op | 251650 B/op | 1994 allocs/op | +| BenchmarkGowwwRouter_GithubAll | 10000 | 143025 ns/op | 72144 B/op | 501 allocs/op | +| BenchmarkHttpRouter_GithubAll | 55938 | 21360 ns/op | 0 B/op | 0 allocs/op | +| BenchmarkHttpTreeMux_GithubAll | 10000 | 153944 ns/op | 65856 B/op | 671 allocs/op | +| BenchmarkKocha_GithubAll | 10000 | 106315 ns/op | 23304 B/op | 843 allocs/op | +| BenchmarkLARS_GithubAll | 47779 | 25084 ns/op | 0 B/op | 0 allocs/op | +| BenchmarkMacaron_GithubAll | 3266 | 371907 ns/op | 149409 B/op | 1624 allocs/op | +| BenchmarkMartini_GithubAll | 331 | 3444706 ns/op | 226551 B/op | 2325 allocs/op | +| BenchmarkPat_GithubAll | 273 | 4381818 ns/op | 1483152 B/op | 26963 allocs/op | +| BenchmarkPossum_GithubAll | 10000 | 164367 ns/op | 84448 B/op | 609 allocs/op | +| BenchmarkR2router_GithubAll | 10000 | 160220 ns/op | 77328 B/op | 979 allocs/op | +| BenchmarkRivet_GithubAll | 14625 | 82453 ns/op | 16272 B/op | 167 allocs/op | +| BenchmarkTango_GithubAll | 6255 | 279611 ns/op | 63826 B/op | 1618 allocs/op | +| BenchmarkTigerTonic_GithubAll | 2008 | 687874 ns/op | 193856 B/op | 4474 allocs/op | +| BenchmarkTraffic_GithubAll | 355 | 3478508 ns/op | 820744 B/op | 14114 allocs/op | +| BenchmarkVulcan_GithubAll | 6885 | 193333 ns/op | 19894 B/op | 609 allocs/op | + +- (1): Total Repetitions achieved in constant time, higher means more confident result +- (2): Single Repetition Duration (ns/op), lower is better +- (3): Heap Memory (B/op), lower is better +- (4): Average Allocations per Repetition (allocs/op), lower is better + +## Gin v1. stable + +- [x] Zero allocation router. +- [x] Still the fastest http router and framework. From routing to writing. +- [x] Complete suite of unit tests. +- [x] Battle tested. +- [x] API frozen, new releases will not break your code. 
+ +## Build with [jsoniter](https://github.com/json-iterator/go) + +Gin uses `encoding/json` as default json package but you can change to [jsoniter](https://github.com/json-iterator/go) by build from other tags. + +```sh +$ go build -tags=jsoniter . +``` + +## API Examples + +You can find a number of ready-to-run examples at [Gin examples repository](https://github.com/gin-gonic/examples). + +### Using GET, POST, PUT, PATCH, DELETE and OPTIONS + +```go +func main() { + // Creates a gin router with default middleware: + // logger and recovery (crash-free) middleware + router := gin.Default() + + router.GET("/someGet", getting) + router.POST("/somePost", posting) + router.PUT("/somePut", putting) + router.DELETE("/someDelete", deleting) + router.PATCH("/somePatch", patching) + router.HEAD("/someHead", head) + router.OPTIONS("/someOptions", options) + + // By default it serves on :8080 unless a + // PORT environment variable was defined. + router.Run() + // router.Run(":3000") for a hard coded port +} +``` + +### Parameters in path + +```go +func main() { + router := gin.Default() + + // This handler will match /user/john but will not match /user/ or /user + router.GET("/user/:name", func(c *gin.Context) { + name := c.Param("name") + c.String(http.StatusOK, "Hello %s", name) + }) + + // However, this one will match /user/john/ and also /user/john/send + // If no other routers match /user/john, it will redirect to /user/john/ + router.GET("/user/:name/*action", func(c *gin.Context) { + name := c.Param("name") + action := c.Param("action") + message := name + " is " + action + c.String(http.StatusOK, message) + }) + + // For each matched request Context will hold the route definition + router.POST("/user/:name/*action", func(c *gin.Context) { + c.FullPath() == "/user/:name/*action" // true + }) + + // This handler will add a new router for /user/groups. + // Exact routes are resolved before param routes, regardless of the order they were defined. 
+ // Routes starting with /user/groups are never interpreted as /user/:name/... routes + router.GET("/user/groups", func(c *gin.Context) { + c.String(http.StatusOK, "The available groups are [...]", name) + }) + + router.Run(":8080") +} +``` + +### Querystring parameters + +```go +func main() { + router := gin.Default() + + // Query string parameters are parsed using the existing underlying request object. + // The request responds to a url matching: /welcome?firstname=Jane&lastname=Doe + router.GET("/welcome", func(c *gin.Context) { + firstname := c.DefaultQuery("firstname", "Guest") + lastname := c.Query("lastname") // shortcut for c.Request.URL.Query().Get("lastname") + + c.String(http.StatusOK, "Hello %s %s", firstname, lastname) + }) + router.Run(":8080") +} +``` + +### Multipart/Urlencoded Form + +```go +func main() { + router := gin.Default() + + router.POST("/form_post", func(c *gin.Context) { + message := c.PostForm("message") + nick := c.DefaultPostForm("nick", "anonymous") + + c.JSON(200, gin.H{ + "status": "posted", + "message": message, + "nick": nick, + }) + }) + router.Run(":8080") +} +``` + +### Another example: query + post form + +``` +POST /post?id=1234&page=1 HTTP/1.1 +Content-Type: application/x-www-form-urlencoded + +name=manu&message=this_is_great +``` + +```go +func main() { + router := gin.Default() + + router.POST("/post", func(c *gin.Context) { + + id := c.Query("id") + page := c.DefaultQuery("page", "0") + name := c.PostForm("name") + message := c.PostForm("message") + + fmt.Printf("id: %s; page: %s; name: %s; message: %s", id, page, name, message) + }) + router.Run(":8080") +} +``` + +``` +id: 1234; page: 1; name: manu; message: this_is_great +``` + +### Map as querystring or postform parameters + +``` +POST /post?ids[a]=1234&ids[b]=hello HTTP/1.1 +Content-Type: application/x-www-form-urlencoded + +names[first]=thinkerou&names[second]=tianou +``` + +```go +func main() { + router := gin.Default() + + router.POST("/post", func(c 
*gin.Context) { + + ids := c.QueryMap("ids") + names := c.PostFormMap("names") + + fmt.Printf("ids: %v; names: %v", ids, names) + }) + router.Run(":8080") +} +``` + +``` +ids: map[b:hello a:1234]; names: map[second:tianou first:thinkerou] +``` + +### Upload files + +#### Single file + +References issue [#774](https://github.com/gin-gonic/gin/issues/774) and detail [example code](https://github.com/gin-gonic/examples/tree/master/upload-file/single). + +`file.Filename` **SHOULD NOT** be trusted. See [`Content-Disposition` on MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition#Directives) and [#1693](https://github.com/gin-gonic/gin/issues/1693) + +> The filename is always optional and must not be used blindly by the application: path information should be stripped, and conversion to the server file system rules should be done. + +```go +func main() { + router := gin.Default() + // Set a lower memory limit for multipart forms (default is 32 MiB) + router.MaxMultipartMemory = 8 << 20 // 8 MiB + router.POST("/upload", func(c *gin.Context) { + // single file + file, _ := c.FormFile("file") + log.Println(file.Filename) + + // Upload the file to specific dst. + c.SaveUploadedFile(file, dst) + + c.String(http.StatusOK, fmt.Sprintf("'%s' uploaded!", file.Filename)) + }) + router.Run(":8080") +} +``` + +How to `curl`: + +```bash +curl -X POST http://localhost:8080/upload \ + -F "file=@/Users/appleboy/test.zip" \ + -H "Content-Type: multipart/form-data" +``` + +#### Multiple files + +See the detail [example code](https://github.com/gin-gonic/examples/tree/master/upload-file/multiple). 
+ +```go +func main() { + router := gin.Default() + // Set a lower memory limit for multipart forms (default is 32 MiB) + router.MaxMultipartMemory = 8 << 20 // 8 MiB + router.POST("/upload", func(c *gin.Context) { + // Multipart form + form, _ := c.MultipartForm() + files := form.File["upload[]"] + + for _, file := range files { + log.Println(file.Filename) + + // Upload the file to specific dst. + c.SaveUploadedFile(file, dst) + } + c.String(http.StatusOK, fmt.Sprintf("%d files uploaded!", len(files))) + }) + router.Run(":8080") +} +``` + +How to `curl`: + +```bash +curl -X POST http://localhost:8080/upload \ + -F "upload[]=@/Users/appleboy/test1.zip" \ + -F "upload[]=@/Users/appleboy/test2.zip" \ + -H "Content-Type: multipart/form-data" +``` + +### Grouping routes + +```go +func main() { + router := gin.Default() + + // Simple group: v1 + v1 := router.Group("/v1") + { + v1.POST("/login", loginEndpoint) + v1.POST("/submit", submitEndpoint) + v1.POST("/read", readEndpoint) + } + + // Simple group: v2 + v2 := router.Group("/v2") + { + v2.POST("/login", loginEndpoint) + v2.POST("/submit", submitEndpoint) + v2.POST("/read", readEndpoint) + } + + router.Run(":8080") +} +``` + +### Blank Gin without middleware by default + +Use + +```go +r := gin.New() +``` + +instead of + +```go +// Default With the Logger and Recovery middleware already attached +r := gin.Default() +``` + + +### Using middleware +```go +func main() { + // Creates a router without any middleware by default + r := gin.New() + + // Global middleware + // Logger middleware will write the logs to gin.DefaultWriter even if you set with GIN_MODE=release. + // By default gin.DefaultWriter = os.Stdout + r.Use(gin.Logger()) + + // Recovery middleware recovers from any panics and writes a 500 if there was one. + r.Use(gin.Recovery()) + + // Per route middleware, you can add as many as you desire. 
+ r.GET("/benchmark", MyBenchLogger(), benchEndpoint) + + // Authorization group + // authorized := r.Group("/", AuthRequired()) + // exactly the same as: + authorized := r.Group("/") + // per group middleware! in this case we use the custom created + // AuthRequired() middleware just in the "authorized" group. + authorized.Use(AuthRequired()) + { + authorized.POST("/login", loginEndpoint) + authorized.POST("/submit", submitEndpoint) + authorized.POST("/read", readEndpoint) + + // nested group + testing := authorized.Group("testing") + testing.GET("/analytics", analyticsEndpoint) + } + + // Listen and serve on 0.0.0.0:8080 + r.Run(":8080") +} +``` + +### Custom Recovery behavior +```go +func main() { + // Creates a router without any middleware by default + r := gin.New() + + // Global middleware + // Logger middleware will write the logs to gin.DefaultWriter even if you set with GIN_MODE=release. + // By default gin.DefaultWriter = os.Stdout + r.Use(gin.Logger()) + + // Recovery middleware recovers from any panics and writes a 500 if there was one. + r.Use(gin.CustomRecovery(func(c *gin.Context, recovered interface{}) { + if err, ok := recovered.(string); ok { + c.String(http.StatusInternalServerError, fmt.Sprintf("error: %s", err)) + } + c.AbortWithStatus(http.StatusInternalServerError) + })) + + r.GET("/panic", func(c *gin.Context) { + // panic with a string -- the custom middleware could save this to a database or report it to the user + panic("foo") + }) + + r.GET("/", func(c *gin.Context) { + c.String(http.StatusOK, "ohai") + }) + + // Listen and serve on 0.0.0.0:8080 + r.Run(":8080") +} +``` + +### How to write log file +```go +func main() { + // Disable Console Color, you don't need console color when writing the logs to file. + gin.DisableConsoleColor() + + // Logging to a file. + f, _ := os.Create("gin.log") + gin.DefaultWriter = io.MultiWriter(f) + + // Use the following code if you need to write the logs to file and console at the same time. 
+ // gin.DefaultWriter = io.MultiWriter(f, os.Stdout) + + router := gin.Default() + router.GET("/ping", func(c *gin.Context) { + c.String(200, "pong") + }) + +    router.Run(":8080") +} +``` + +### Custom Log Format +```go +func main() { + router := gin.New() + + // LoggerWithFormatter middleware will write the logs to gin.DefaultWriter + // By default gin.DefaultWriter = os.Stdout + router.Use(gin.LoggerWithFormatter(func(param gin.LogFormatterParams) string { + + // your custom format + return fmt.Sprintf("%s - [%s] \"%s %s %s %d %s \"%s\" %s\"\n", + param.ClientIP, + param.TimeStamp.Format(time.RFC1123), + param.Method, + param.Path, + param.Request.Proto, + param.StatusCode, + param.Latency, + param.Request.UserAgent(), + param.ErrorMessage, + ) + })) + router.Use(gin.Recovery()) + + router.GET("/ping", func(c *gin.Context) { + c.String(200, "pong") + }) + + router.Run(":8080") +} +``` + +**Sample Output** +``` +::1 - [Fri, 07 Dec 2018 17:04:38 JST] "GET /ping HTTP/1.1 200 122.767µs "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.80 Safari/537.36" " +``` + +### Controlling Log output coloring + +By default, logs output on console should be colorized depending on the detected TTY. 
+ +Never colorize logs: + +```go +func main() { + // Disable log's color + gin.DisableConsoleColor() + + // Creates a gin router with default middleware: + // logger and recovery (crash-free) middleware + router := gin.Default() + + router.GET("/ping", func(c *gin.Context) { + c.String(200, "pong") + }) + + router.Run(":8080") +} +``` + +Always colorize logs: + +```go +func main() { + // Force log's color + gin.ForceConsoleColor() + + // Creates a gin router with default middleware: + // logger and recovery (crash-free) middleware + router := gin.Default() + + router.GET("/ping", func(c *gin.Context) { + c.String(200, "pong") + }) + + router.Run(":8080") +} +``` + +### Model binding and validation + +To bind a request body into a type, use model binding. We currently support binding of JSON, XML, YAML and standard form values (foo=bar&boo=baz). + +Gin uses [**go-playground/validator/v10**](https://github.com/go-playground/validator) for validation. Check the full docs on tags usage [here](https://godoc.org/github.com/go-playground/validator#hdr-Baked_In_Validators_and_Tags). + +Note that you need to set the corresponding binding tag on all fields you want to bind. For example, when binding from JSON, set `json:"fieldname"`. + +Also, Gin provides two sets of methods for binding: +- **Type** - Must bind + - **Methods** - `Bind`, `BindJSON`, `BindXML`, `BindQuery`, `BindYAML`, `BindHeader` + - **Behavior** - These methods use `MustBindWith` under the hood. If there is a binding error, the request is aborted with `c.AbortWithError(400, err).SetType(ErrorTypeBind)`. This sets the response status code to 400 and the `Content-Type` header is set to `text/plain; charset=utf-8`. Note that if you try to set the response code after this, it will result in a warning `[GIN-debug] [WARNING] Headers were already written. Wanted to override status code 400 with 422`. If you wish to have greater control over the behavior, consider using the `ShouldBind` equivalent method. 
+- **Type** - Should bind + - **Methods** - `ShouldBind`, `ShouldBindJSON`, `ShouldBindXML`, `ShouldBindQuery`, `ShouldBindYAML`, `ShouldBindHeader` + - **Behavior** - These methods use `ShouldBindWith` under the hood. If there is a binding error, the error is returned and it is the developer's responsibility to handle the request and error appropriately. + +When using the Bind-method, Gin tries to infer the binder depending on the Content-Type header. If you are sure what you are binding, you can use `MustBindWith` or `ShouldBindWith`. + +You can also specify that specific fields are required. If a field is decorated with `binding:"required"` and has a empty value when binding, an error will be returned. + +```go +// Binding from JSON +type Login struct { + User string `form:"user" json:"user" xml:"user" binding:"required"` + Password string `form:"password" json:"password" xml:"password" binding:"required"` +} + +func main() { + router := gin.Default() + + // Example for binding JSON ({"user": "manu", "password": "123"}) + router.POST("/loginJSON", func(c *gin.Context) { + var json Login + if err := c.ShouldBindJSON(&json); err != nil { + c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()}) + return + } + + if json.User != "manu" || json.Password != "123" { + c.JSON(http.StatusUnauthorized, gin.H{"status": "unauthorized"}) + return + } + + c.JSON(http.StatusOK, gin.H{"status": "you are logged in"}) + }) + + // Example for binding XML ( + // + // + // user + // 123 + // ) + router.POST("/loginXML", func(c *gin.Context) { + var xml Login + if err := c.ShouldBindXML(&xml); err != nil { + c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()}) + return + } + + if xml.User != "manu" || xml.Password != "123" { + c.JSON(http.StatusUnauthorized, gin.H{"status": "unauthorized"}) + return + } + + c.JSON(http.StatusOK, gin.H{"status": "you are logged in"}) + }) + + // Example for binding a HTML form (user=manu&password=123) + router.POST("/loginForm", func(c 
*gin.Context) { + var form Login + // This will infer what binder to use depending on the content-type header. + if err := c.ShouldBind(&form); err != nil { + c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()}) + return + } + + if form.User != "manu" || form.Password != "123" { + c.JSON(http.StatusUnauthorized, gin.H{"status": "unauthorized"}) + return + } + + c.JSON(http.StatusOK, gin.H{"status": "you are logged in"}) + }) + + // Listen and serve on 0.0.0.0:8080 + router.Run(":8080") +} +``` + +**Sample request** +```shell +$ curl -v -X POST \ + http://localhost:8080/loginJSON \ + -H 'content-type: application/json' \ + -d '{ "user": "manu" }' +> POST /loginJSON HTTP/1.1 +> Host: localhost:8080 +> User-Agent: curl/7.51.0 +> Accept: */* +> content-type: application/json +> Content-Length: 18 +> +* upload completely sent off: 18 out of 18 bytes +< HTTP/1.1 400 Bad Request +< Content-Type: application/json; charset=utf-8 +< Date: Fri, 04 Aug 2017 03:51:31 GMT +< Content-Length: 100 +< +{"error":"Key: 'Login.Password' Error:Field validation for 'Password' failed on the 'required' tag"} +``` + +**Skip validate** + +When running the above example using the above the `curl` command, it returns error. Because the example use `binding:"required"` for `Password`. If use `binding:"-"` for `Password`, then it will not return error when running the above example again. + +### Custom Validators + +It is also possible to register custom validators. See the [example code](https://github.com/gin-gonic/examples/tree/master/custom-validation/server.go). + +```go +package main + +import ( + "net/http" + "time" + + "github.com/gin-gonic/gin" + "github.com/gin-gonic/gin/binding" + "github.com/go-playground/validator/v10" +) + +// Booking contains binded and validated data. 
+type Booking struct { + CheckIn time.Time `form:"check_in" binding:"required,bookabledate" time_format:"2006-01-02"` + CheckOut time.Time `form:"check_out" binding:"required,gtfield=CheckIn" time_format:"2006-01-02"` +} + +var bookableDate validator.Func = func(fl validator.FieldLevel) bool { + date, ok := fl.Field().Interface().(time.Time) + if ok { + today := time.Now() + if today.After(date) { + return false + } + } + return true +} + +func main() { + route := gin.Default() + + if v, ok := binding.Validator.Engine().(*validator.Validate); ok { + v.RegisterValidation("bookabledate", bookableDate) + } + + route.GET("/bookable", getBookable) + route.Run(":8085") +} + +func getBookable(c *gin.Context) { + var b Booking + if err := c.ShouldBindWith(&b, binding.Query); err == nil { + c.JSON(http.StatusOK, gin.H{"message": "Booking dates are valid!"}) + } else { + c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()}) + } +} +``` + +```console +$ curl "localhost:8085/bookable?check_in=2030-04-16&check_out=2030-04-17" +{"message":"Booking dates are valid!"} + +$ curl "localhost:8085/bookable?check_in=2030-03-10&check_out=2030-03-09" +{"error":"Key: 'Booking.CheckOut' Error:Field validation for 'CheckOut' failed on the 'gtfield' tag"} + +$ curl "localhost:8085/bookable?check_in=2000-03-09&check_out=2000-03-10" +{"error":"Key: 'Booking.CheckIn' Error:Field validation for 'CheckIn' failed on the 'bookabledate' tag"}% +``` + +[Struct level validations](https://github.com/go-playground/validator/releases/tag/v8.7) can also be registered this way. +See the [struct-lvl-validation example](https://github.com/gin-gonic/examples/tree/master/struct-lvl-validations) to learn more. + +### Only Bind Query String + +`ShouldBindQuery` function only binds the query params and not the post data. See the [detail information](https://github.com/gin-gonic/gin/issues/742#issuecomment-315953017). 
+ +```go +package main + +import ( + "log" + + "github.com/gin-gonic/gin" +) + +type Person struct { + Name string `form:"name"` + Address string `form:"address"` +} + +func main() { + route := gin.Default() + route.Any("/testing", startPage) + route.Run(":8085") +} + +func startPage(c *gin.Context) { + var person Person + if c.ShouldBindQuery(&person) == nil { + log.Println("====== Only Bind By Query String ======") + log.Println(person.Name) + log.Println(person.Address) + } + c.String(200, "Success") +} + +``` + +### Bind Query String or Post Data + +See the [detail information](https://github.com/gin-gonic/gin/issues/742#issuecomment-264681292). + +```go +package main + +import ( + "log" + "time" + + "github.com/gin-gonic/gin" +) + +type Person struct { + Name string `form:"name"` + Address string `form:"address"` + Birthday time.Time `form:"birthday" time_format:"2006-01-02" time_utc:"1"` + CreateTime time.Time `form:"createTime" time_format:"unixNano"` + UnixTime time.Time `form:"unixTime" time_format:"unix"` +} + +func main() { + route := gin.Default() + route.GET("/testing", startPage) + route.Run(":8085") +} + +func startPage(c *gin.Context) { + var person Person + // If `GET`, only `Form` binding engine (`query`) used. + // If `POST`, first checks the `content-type` for `JSON` or `XML`, then uses `Form` (`form-data`). + // See more at https://github.com/gin-gonic/gin/blob/master/binding/binding.go#L48 + if c.ShouldBind(&person) == nil { + log.Println(person.Name) + log.Println(person.Address) + log.Println(person.Birthday) + log.Println(person.CreateTime) + log.Println(person.UnixTime) + } + + c.String(200, "Success") +} +``` + +Test it with: +```sh +$ curl -X GET "localhost:8085/testing?name=appleboy&address=xyz&birthday=1992-03-15&createTime=1562400033000000123&unixTime=1562400033" +``` + +### Bind Uri + +See the [detail information](https://github.com/gin-gonic/gin/issues/846). 
+ +```go +package main + +import "github.com/gin-gonic/gin" + +type Person struct { + ID string `uri:"id" binding:"required,uuid"` + Name string `uri:"name" binding:"required"` +} + +func main() { + route := gin.Default() + route.GET("/:name/:id", func(c *gin.Context) { + var person Person + if err := c.ShouldBindUri(&person); err != nil { + c.JSON(400, gin.H{"msg": err}) + return + } + c.JSON(200, gin.H{"name": person.Name, "uuid": person.ID}) + }) + route.Run(":8088") +} +``` + +Test it with: +```sh +$ curl -v localhost:8088/thinkerou/987fbc97-4bed-5078-9f07-9141ba07c9f3 +$ curl -v localhost:8088/thinkerou/not-uuid +``` + +### Bind Header + +```go +package main + +import ( + "fmt" + "github.com/gin-gonic/gin" +) + +type testHeader struct { + Rate int `header:"Rate"` + Domain string `header:"Domain"` +} + +func main() { + r := gin.Default() + r.GET("/", func(c *gin.Context) { + h := testHeader{} + + if err := c.ShouldBindHeader(&h); err != nil { + c.JSON(200, err) + } + + fmt.Printf("%#v\n", h) + c.JSON(200, gin.H{"Rate": h.Rate, "Domain": h.Domain}) + }) + + r.Run() + +// client +// curl -H "rate:300" -H "domain:music" 127.0.0.1:8080/ +// output +// {"Domain":"music","Rate":300} +} +``` + +### Bind HTML checkboxes + +See the [detail information](https://github.com/gin-gonic/gin/issues/129#issuecomment-124260092) + +main.go + +```go +... + +type myForm struct { + Colors []string `form:"colors[]"` +} + +... + +func formHandler(c *gin.Context) { + var fakeForm myForm + c.ShouldBind(&fakeForm) + c.JSON(200, gin.H{"color": fakeForm.Colors}) +} + +... + +``` + +form.html + +```html +
+

Check some colors

+ + + + + + + +
+``` + +result: + +``` +{"color":["red","green","blue"]} +``` + +### Multipart/Urlencoded binding + +```go +type ProfileForm struct { + Name string `form:"name" binding:"required"` + Avatar *multipart.FileHeader `form:"avatar" binding:"required"` + + // or for multiple files + // Avatars []*multipart.FileHeader `form:"avatar" binding:"required"` +} + +func main() { + router := gin.Default() + router.POST("/profile", func(c *gin.Context) { + // you can bind multipart form with explicit binding declaration: + // c.ShouldBindWith(&form, binding.Form) + // or you can simply use autobinding with ShouldBind method: + var form ProfileForm + // in this case proper binding will be automatically selected + if err := c.ShouldBind(&form); err != nil { + c.String(http.StatusBadRequest, "bad request") + return + } + + err := c.SaveUploadedFile(form.Avatar, form.Avatar.Filename) + if err != nil { + c.String(http.StatusInternalServerError, "unknown error") + return + } + + // db.Save(&form) + + c.String(http.StatusOK, "ok") + }) + router.Run(":8080") +} +``` + +Test it with: +```sh +$ curl -X POST -v --form name=user --form "avatar=@./avatar.png" http://localhost:8080/profile +``` + +### XML, JSON, YAML and ProtoBuf rendering + +```go +func main() { + r := gin.Default() + + // gin.H is a shortcut for map[string]interface{} + r.GET("/someJSON", func(c *gin.Context) { + c.JSON(http.StatusOK, gin.H{"message": "hey", "status": http.StatusOK}) + }) + + r.GET("/moreJSON", func(c *gin.Context) { + // You also can use a struct + var msg struct { + Name string `json:"user"` + Message string + Number int + } + msg.Name = "Lena" + msg.Message = "hey" + msg.Number = 123 + // Note that msg.Name becomes "user" in the JSON + // Will output : {"user": "Lena", "Message": "hey", "Number": 123} + c.JSON(http.StatusOK, msg) + }) + + r.GET("/someXML", func(c *gin.Context) { + c.XML(http.StatusOK, gin.H{"message": "hey", "status": http.StatusOK}) + }) + + r.GET("/someYAML", func(c *gin.Context) { + 
c.YAML(http.StatusOK, gin.H{"message": "hey", "status": http.StatusOK}) + }) + + r.GET("/someProtoBuf", func(c *gin.Context) { + reps := []int64{int64(1), int64(2)} + label := "test" + // The specific definition of protobuf is written in the testdata/protoexample file. + data := &protoexample.Test{ + Label: &label, + Reps: reps, + } + // Note that data becomes binary data in the response + // Will output protoexample.Test protobuf serialized data + c.ProtoBuf(http.StatusOK, data) + }) + + // Listen and serve on 0.0.0.0:8080 + r.Run(":8080") +} +``` + +#### SecureJSON + +Using SecureJSON to prevent json hijacking. Default prepends `"while(1),"` to response body if the given struct is array values. + +```go +func main() { + r := gin.Default() + + // You can also use your own secure json prefix + // r.SecureJsonPrefix(")]}',\n") + + r.GET("/someJSON", func(c *gin.Context) { + names := []string{"lena", "austin", "foo"} + + // Will output : while(1);["lena","austin","foo"] + c.SecureJSON(http.StatusOK, names) + }) + + // Listen and serve on 0.0.0.0:8080 + r.Run(":8080") +} +``` +#### JSONP + +Using JSONP to request data from a server in a different domain. Add callback to response body if the query parameter callback exists. + +```go +func main() { + r := gin.Default() + + r.GET("/JSONP", func(c *gin.Context) { + data := gin.H{ + "foo": "bar", + } + + //callback is x + // Will output : x({\"foo\":\"bar\"}) + c.JSONP(http.StatusOK, data) + }) + + // Listen and serve on 0.0.0.0:8080 + r.Run(":8080") + + // client + // curl http://127.0.0.1:8080/JSONP?callback=x +} +``` + +#### AsciiJSON + +Using AsciiJSON to Generates ASCII-only JSON with escaped non-ASCII characters. + +```go +func main() { + r := gin.Default() + + r.GET("/someJSON", func(c *gin.Context) { + data := gin.H{ + "lang": "GO语言", + "tag": "
", + } + + // will output : {"lang":"GO\u8bed\u8a00","tag":"\u003cbr\u003e"} + c.AsciiJSON(http.StatusOK, data) + }) + + // Listen and serve on 0.0.0.0:8080 + r.Run(":8080") +} +``` + +#### PureJSON + +Normally, JSON replaces special HTML characters with their unicode entities, e.g. `<` becomes `\u003c`. If you want to encode such characters literally, you can use PureJSON instead. +This feature is unavailable in Go 1.6 and lower. + +```go +func main() { + r := gin.Default() + + // Serves unicode entities + r.GET("/json", func(c *gin.Context) { + c.JSON(200, gin.H{ + "html": "Hello, world!", + }) + }) + + // Serves literal characters + r.GET("/purejson", func(c *gin.Context) { + c.PureJSON(200, gin.H{ + "html": "Hello, world!", + }) + }) + + // listen and serve on 0.0.0.0:8080 + r.Run(":8080") +} +``` + +### Serving static files + +```go +func main() { + router := gin.Default() + router.Static("/assets", "./assets") + router.StaticFS("/more_static", http.Dir("my_file_system")) + router.StaticFile("/favicon.ico", "./resources/favicon.ico") + + // Listen and serve on 0.0.0.0:8080 + router.Run(":8080") +} +``` + +### Serving data from file + +```go +func main() { + router := gin.Default() + + router.GET("/local/file", func(c *gin.Context) { + c.File("local/file.go") + }) + + var fs http.FileSystem = // ... 
+ router.GET("/fs/file", func(c *gin.Context) { + c.FileFromFS("fs/file.go", fs) + }) +} + +``` + +### Serving data from reader + +```go +func main() { + router := gin.Default() + router.GET("/someDataFromReader", func(c *gin.Context) { + response, err := http.Get("https://raw.githubusercontent.com/gin-gonic/logo/master/color.png") + if err != nil || response.StatusCode != http.StatusOK { + c.Status(http.StatusServiceUnavailable) + return + } + + reader := response.Body + defer reader.Close() + contentLength := response.ContentLength + contentType := response.Header.Get("Content-Type") + + extraHeaders := map[string]string{ + "Content-Disposition": `attachment; filename="gopher.png"`, + } + + c.DataFromReader(http.StatusOK, contentLength, contentType, reader, extraHeaders) + }) + router.Run(":8080") +} +``` + +### HTML rendering + +Using LoadHTMLGlob() or LoadHTMLFiles() + +```go +func main() { + router := gin.Default() + router.LoadHTMLGlob("templates/*") + //router.LoadHTMLFiles("templates/template1.html", "templates/template2.html") + router.GET("/index", func(c *gin.Context) { + c.HTML(http.StatusOK, "index.tmpl", gin.H{ + "title": "Main website", + }) + }) + router.Run(":8080") +} +``` + +templates/index.tmpl + +```html + +

+ {{ .title }} +

+ +``` + +Using templates with same name in different directories + +```go +func main() { + router := gin.Default() + router.LoadHTMLGlob("templates/**/*") + router.GET("/posts/index", func(c *gin.Context) { + c.HTML(http.StatusOK, "posts/index.tmpl", gin.H{ + "title": "Posts", + }) + }) + router.GET("/users/index", func(c *gin.Context) { + c.HTML(http.StatusOK, "users/index.tmpl", gin.H{ + "title": "Users", + }) + }) + router.Run(":8080") +} +``` + +templates/posts/index.tmpl + +```html +{{ define "posts/index.tmpl" }} +

+ {{ .title }} +

+

Using posts/index.tmpl

+ +{{ end }} +``` + +templates/users/index.tmpl + +```html +{{ define "users/index.tmpl" }} +

+ {{ .title }} +

+

Using users/index.tmpl

+ +{{ end }} +``` + +#### Custom Template renderer + +You can also use your own html template render + +```go +import "html/template" + +func main() { + router := gin.Default() + html := template.Must(template.ParseFiles("file1", "file2")) + router.SetHTMLTemplate(html) + router.Run(":8080") +} +``` + +#### Custom Delimiters + +You may use custom delims + +```go + r := gin.Default() + r.Delims("{[{", "}]}") + r.LoadHTMLGlob("/path/to/templates") +``` + +#### Custom Template Funcs + +See the detail [example code](https://github.com/gin-gonic/examples/tree/master/template). + +main.go + +```go +import ( + "fmt" + "html/template" + "net/http" + "time" + + "github.com/gin-gonic/gin" +) + +func formatAsDate(t time.Time) string { + year, month, day := t.Date() + return fmt.Sprintf("%d%02d/%02d", year, month, day) +} + +func main() { + router := gin.Default() + router.Delims("{[{", "}]}") + router.SetFuncMap(template.FuncMap{ + "formatAsDate": formatAsDate, + }) + router.LoadHTMLFiles("./testdata/template/raw.tmpl") + + router.GET("/raw", func(c *gin.Context) { + c.HTML(http.StatusOK, "raw.tmpl", gin.H{ + "now": time.Date(2017, 07, 01, 0, 0, 0, 0, time.UTC), + }) + }) + + router.Run(":8080") +} + +``` + +raw.tmpl + +```html +Date: {[{.now | formatAsDate}]} +``` + +Result: +``` +Date: 2017/07/01 +``` + +### Multitemplate + +Gin allow by default use only one html.Template. Check [a multitemplate render](https://github.com/gin-contrib/multitemplate) for using features like go 1.6 `block template`. + +### Redirects + +Issuing a HTTP redirect is easy. Both internal and external locations are supported. + +```go +r.GET("/test", func(c *gin.Context) { + c.Redirect(http.StatusMovedPermanently, "http://www.google.com/") +}) +``` + +Issuing a HTTP redirect from POST. 
Refer to issue: [#444](https://github.com/gin-gonic/gin/issues/444) +```go +r.POST("/test", func(c *gin.Context) { + c.Redirect(http.StatusFound, "/foo") +}) +``` + +Issuing a Router redirect, use `HandleContext` like below. + +``` go +r.GET("/test", func(c *gin.Context) { + c.Request.URL.Path = "/test2" + r.HandleContext(c) +}) +r.GET("/test2", func(c *gin.Context) { + c.JSON(200, gin.H{"hello": "world"}) +}) +``` + + +### Custom Middleware + +```go +func Logger() gin.HandlerFunc { + return func(c *gin.Context) { + t := time.Now() + + // Set example variable + c.Set("example", "12345") + + // before request + + c.Next() + + // after request + latency := time.Since(t) + log.Print(latency) + + // access the status we are sending + status := c.Writer.Status() + log.Println(status) + } +} + +func main() { + r := gin.New() + r.Use(Logger()) + + r.GET("/test", func(c *gin.Context) { + example := c.MustGet("example").(string) + + // it would print: "12345" + log.Println(example) + }) + + // Listen and serve on 0.0.0.0:8080 + r.Run(":8080") +} +``` + +### Using BasicAuth() middleware + +```go +// simulate some private data +var secrets = gin.H{ + "foo": gin.H{"email": "foo@bar.com", "phone": "123433"}, + "austin": gin.H{"email": "austin@example.com", "phone": "666"}, + "lena": gin.H{"email": "lena@guapa.com", "phone": "523443"}, +} + +func main() { + r := gin.Default() + + // Group using gin.BasicAuth() middleware + // gin.Accounts is a shortcut for map[string]string + authorized := r.Group("/admin", gin.BasicAuth(gin.Accounts{ + "foo": "bar", + "austin": "1234", + "lena": "hello2", + "manu": "4321", + })) + + // /admin/secrets endpoint + // hit "localhost:8080/admin/secrets + authorized.GET("/secrets", func(c *gin.Context) { + // get user, it was set by the BasicAuth middleware + user := c.MustGet(gin.AuthUserKey).(string) + if secret, ok := secrets[user]; ok { + c.JSON(http.StatusOK, gin.H{"user": user, "secret": secret}) + } else { + c.JSON(http.StatusOK, gin.H{"user": 
user, "secret": "NO SECRET :("}) + } + }) + + // Listen and serve on 0.0.0.0:8080 + r.Run(":8080") +} +``` + +### Goroutines inside a middleware + +When starting new Goroutines inside a middleware or handler, you **SHOULD NOT** use the original context inside it, you have to use a read-only copy. + +```go +func main() { + r := gin.Default() + + r.GET("/long_async", func(c *gin.Context) { + // create copy to be used inside the goroutine + cCp := c.Copy() + go func() { + // simulate a long task with time.Sleep(). 5 seconds + time.Sleep(5 * time.Second) + + // note that you are using the copied context "cCp", IMPORTANT + log.Println("Done! in path " + cCp.Request.URL.Path) + }() + }) + + r.GET("/long_sync", func(c *gin.Context) { + // simulate a long task with time.Sleep(). 5 seconds + time.Sleep(5 * time.Second) + + // since we are NOT using a goroutine, we do not have to copy the context + log.Println("Done! in path " + c.Request.URL.Path) + }) + + // Listen and serve on 0.0.0.0:8080 + r.Run(":8080") +} +``` + +### Custom HTTP configuration + +Use `http.ListenAndServe()` directly, like this: + +```go +func main() { + router := gin.Default() + http.ListenAndServe(":8080", router) +} +``` +or + +```go +func main() { + router := gin.Default() + + s := &http.Server{ + Addr: ":8080", + Handler: router, + ReadTimeout: 10 * time.Second, + WriteTimeout: 10 * time.Second, + MaxHeaderBytes: 1 << 20, + } + s.ListenAndServe() +} +``` + +### Support Let's Encrypt + +example for 1-line LetsEncrypt HTTPS servers. + +```go +package main + +import ( + "log" + + "github.com/gin-gonic/autotls" + "github.com/gin-gonic/gin" +) + +func main() { + r := gin.Default() + + // Ping handler + r.GET("/ping", func(c *gin.Context) { + c.String(200, "pong") + }) + + log.Fatal(autotls.Run(r, "example1.com", "example2.com")) +} +``` + +example for custom autocert manager. 
+ +```go +package main + +import ( + "log" + + "github.com/gin-gonic/autotls" + "github.com/gin-gonic/gin" + "golang.org/x/crypto/acme/autocert" +) + +func main() { + r := gin.Default() + + // Ping handler + r.GET("/ping", func(c *gin.Context) { + c.String(200, "pong") + }) + + m := autocert.Manager{ + Prompt: autocert.AcceptTOS, + HostPolicy: autocert.HostWhitelist("example1.com", "example2.com"), + Cache: autocert.DirCache("/var/www/.cache"), + } + + log.Fatal(autotls.RunWithManager(r, &m)) +} +``` + +### Run multiple service using Gin + +See the [question](https://github.com/gin-gonic/gin/issues/346) and try the following example: + +```go +package main + +import ( + "log" + "net/http" + "time" + + "github.com/gin-gonic/gin" + "golang.org/x/sync/errgroup" +) + +var ( + g errgroup.Group +) + +func router01() http.Handler { + e := gin.New() + e.Use(gin.Recovery()) + e.GET("/", func(c *gin.Context) { + c.JSON( + http.StatusOK, + gin.H{ + "code": http.StatusOK, + "error": "Welcome server 01", + }, + ) + }) + + return e +} + +func router02() http.Handler { + e := gin.New() + e.Use(gin.Recovery()) + e.GET("/", func(c *gin.Context) { + c.JSON( + http.StatusOK, + gin.H{ + "code": http.StatusOK, + "error": "Welcome server 02", + }, + ) + }) + + return e +} + +func main() { + server01 := &http.Server{ + Addr: ":8080", + Handler: router01(), + ReadTimeout: 5 * time.Second, + WriteTimeout: 10 * time.Second, + } + + server02 := &http.Server{ + Addr: ":8081", + Handler: router02(), + ReadTimeout: 5 * time.Second, + WriteTimeout: 10 * time.Second, + } + + g.Go(func() error { + err := server01.ListenAndServe() + if err != nil && err != http.ErrServerClosed { + log.Fatal(err) + } + return err + }) + + g.Go(func() error { + err := server02.ListenAndServe() + if err != nil && err != http.ErrServerClosed { + log.Fatal(err) + } + return err + }) + + if err := g.Wait(); err != nil { + log.Fatal(err) + } +} +``` + +### Graceful shutdown or restart + +There are a few approaches you can 
use to perform a graceful shutdown or restart. You can make use of third-party packages specifically built for that, or you can manually do the same with the functions and methods from the built-in packages. + +#### Third-party packages + +We can use [fvbock/endless](https://github.com/fvbock/endless) to replace the default `ListenAndServe`. Refer to issue [#296](https://github.com/gin-gonic/gin/issues/296) for more details. + +```go +router := gin.Default() +router.GET("/", handler) +// [...] +endless.ListenAndServe(":4242", router) +``` + +Alternatives: + +* [manners](https://github.com/braintree/manners): A polite Go HTTP server that shuts down gracefully. +* [graceful](https://github.com/tylerb/graceful): Graceful is a Go package enabling graceful shutdown of an http.Handler server. +* [grace](https://github.com/facebookgo/grace): Graceful restart & zero downtime deploy for Go servers. + +#### Manually + +In case you are using Go 1.8 or a later version, you may not need to use those libraries. Consider using `http.Server`'s built-in [Shutdown()](https://golang.org/pkg/net/http/#Server.Shutdown) method for graceful shutdowns. The example below describes its usage, and we've got more examples using gin [here](https://github.com/gin-gonic/examples/tree/master/graceful-shutdown). 
+ +```go +// +build go1.8 + +package main + +import ( + "context" + "log" + "net/http" + "os" + "os/signal" + "syscall" + "time" + + "github.com/gin-gonic/gin" +) + +func main() { + router := gin.Default() + router.GET("/", func(c *gin.Context) { + time.Sleep(5 * time.Second) + c.String(http.StatusOK, "Welcome Gin Server") + }) + + srv := &http.Server{ + Addr: ":8080", + Handler: router, + } + + // Initializing the server in a goroutine so that + // it won't block the graceful shutdown handling below + go func() { + if err := srv.ListenAndServe(); err != nil && errors.Is(err, http.ErrServerClosed) { + log.Printf("listen: %s\n", err) + } + }() + + // Wait for interrupt signal to gracefully shutdown the server with + // a timeout of 5 seconds. + quit := make(chan os.Signal) + // kill (no param) default send syscall.SIGTERM + // kill -2 is syscall.SIGINT + // kill -9 is syscall.SIGKILL but can't be catch, so don't need add it + signal.Notify(quit, syscall.SIGINT, syscall.SIGTERM) + <-quit + log.Println("Shutting down server...") + + // The context is used to inform the server it has 5 seconds to finish + // the request it is currently handling + ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second) + defer cancel() + + if err := srv.Shutdown(ctx); err != nil { + log.Fatal("Server forced to shutdown:", err) + } + + log.Println("Server exiting") +} +``` + +### Build a single binary with templates + +You can build a server into a single binary containing templates by using [go-assets][]. 
+ +[go-assets]: https://github.com/jessevdk/go-assets + +```go +func main() { + r := gin.New() + + t, err := loadTemplate() + if err != nil { + panic(err) + } + r.SetHTMLTemplate(t) + + r.GET("/", func(c *gin.Context) { + c.HTML(http.StatusOK, "/html/index.tmpl",nil) + }) + r.Run(":8080") +} + +// loadTemplate loads templates embedded by go-assets-builder +func loadTemplate() (*template.Template, error) { + t := template.New("") + for name, file := range Assets.Files { + defer file.Close() + if file.IsDir() || !strings.HasSuffix(name, ".tmpl") { + continue + } + h, err := ioutil.ReadAll(file) + if err != nil { + return nil, err + } + t, err = t.New(name).Parse(string(h)) + if err != nil { + return nil, err + } + } + return t, nil +} +``` + +See a complete example in the `https://github.com/gin-gonic/examples/tree/master/assets-in-binary` directory. + +### Bind form-data request with custom struct + +The follow example using custom struct: + +```go +type StructA struct { + FieldA string `form:"field_a"` +} + +type StructB struct { + NestedStruct StructA + FieldB string `form:"field_b"` +} + +type StructC struct { + NestedStructPointer *StructA + FieldC string `form:"field_c"` +} + +type StructD struct { + NestedAnonyStruct struct { + FieldX string `form:"field_x"` + } + FieldD string `form:"field_d"` +} + +func GetDataB(c *gin.Context) { + var b StructB + c.Bind(&b) + c.JSON(200, gin.H{ + "a": b.NestedStruct, + "b": b.FieldB, + }) +} + +func GetDataC(c *gin.Context) { + var b StructC + c.Bind(&b) + c.JSON(200, gin.H{ + "a": b.NestedStructPointer, + "c": b.FieldC, + }) +} + +func GetDataD(c *gin.Context) { + var b StructD + c.Bind(&b) + c.JSON(200, gin.H{ + "x": b.NestedAnonyStruct, + "d": b.FieldD, + }) +} + +func main() { + r := gin.Default() + r.GET("/getb", GetDataB) + r.GET("/getc", GetDataC) + r.GET("/getd", GetDataD) + + r.Run() +} +``` + +Using the command `curl` command result: + +``` +$ curl "http://localhost:8080/getb?field_a=hello&field_b=world" 
+{"a":{"FieldA":"hello"},"b":"world"} +$ curl "http://localhost:8080/getc?field_a=hello&field_c=world" +{"a":{"FieldA":"hello"},"c":"world"} +$ curl "http://localhost:8080/getd?field_x=hello&field_d=world" +{"d":"world","x":{"FieldX":"hello"}} +``` + +### Try to bind body into different structs + +The normal methods for binding request body consumes `c.Request.Body` and they +cannot be called multiple times. + +```go +type formA struct { + Foo string `json:"foo" xml:"foo" binding:"required"` +} + +type formB struct { + Bar string `json:"bar" xml:"bar" binding:"required"` +} + +func SomeHandler(c *gin.Context) { + objA := formA{} + objB := formB{} + // This c.ShouldBind consumes c.Request.Body and it cannot be reused. + if errA := c.ShouldBind(&objA); errA == nil { + c.String(http.StatusOK, `the body should be formA`) + // Always an error is occurred by this because c.Request.Body is EOF now. + } else if errB := c.ShouldBind(&objB); errB == nil { + c.String(http.StatusOK, `the body should be formB`) + } else { + ... + } +} +``` + +For this, you can use `c.ShouldBindBodyWith`. + +```go +func SomeHandler(c *gin.Context) { + objA := formA{} + objB := formB{} + // This reads c.Request.Body and stores the result into the context. + if errA := c.ShouldBindBodyWith(&objA, binding.JSON); errA == nil { + c.String(http.StatusOK, `the body should be formA`) + // At this time, it reuses body stored in the context. + } else if errB := c.ShouldBindBodyWith(&objB, binding.JSON); errB == nil { + c.String(http.StatusOK, `the body should be formB JSON`) + // And it can accepts other formats + } else if errB2 := c.ShouldBindBodyWith(&objB, binding.XML); errB2 == nil { + c.String(http.StatusOK, `the body should be formB XML`) + } else { + ... + } +} +``` + +* `c.ShouldBindBodyWith` stores body into the context before binding. This has +a slight impact to performance, so you should not use this method if you are +enough to call binding at once. 
+* This feature is only needed for some formats -- `JSON`, `XML`, `MsgPack`, +`ProtoBuf`. For other formats, `Query`, `Form`, `FormPost`, `FormMultipart`, +can be called by `c.ShouldBind()` multiple times without any damage to +performance (See [#1341](https://github.com/gin-gonic/gin/pull/1341)). + +### http2 server push + +http.Pusher is supported only **go1.8+**. See the [golang blog](https://blog.golang.org/h2push) for detail information. + +```go +package main + +import ( + "html/template" + "log" + + "github.com/gin-gonic/gin" +) + +var html = template.Must(template.New("https").Parse(` + + + Https Test + + + +

Welcome, Ginner!

+ + +`)) + +func main() { + r := gin.Default() + r.Static("/assets", "./assets") + r.SetHTMLTemplate(html) + + r.GET("/", func(c *gin.Context) { + if pusher := c.Writer.Pusher(); pusher != nil { + // use pusher.Push() to do server push + if err := pusher.Push("/assets/app.js", nil); err != nil { + log.Printf("Failed to push: %v", err) + } + } + c.HTML(200, "https", gin.H{ + "status": "success", + }) + }) + + // Listen and Server in https://127.0.0.1:8080 + r.RunTLS(":8080", "./testdata/server.pem", "./testdata/server.key") +} +``` + +### Define format for the log of routes + +The default log of routes is: +``` +[GIN-debug] POST /foo --> main.main.func1 (3 handlers) +[GIN-debug] GET /bar --> main.main.func2 (3 handlers) +[GIN-debug] GET /status --> main.main.func3 (3 handlers) +``` + +If you want to log this information in given format (e.g. JSON, key values or something else), then you can define this format with `gin.DebugPrintRouteFunc`. +In the example below, we log all routes with standard log package but you can use another log tools that suits of your needs. 
+```go +import ( + "log" + "net/http" + + "github.com/gin-gonic/gin" +) + +func main() { + r := gin.Default() + gin.DebugPrintRouteFunc = func(httpMethod, absolutePath, handlerName string, nuHandlers int) { + log.Printf("endpoint %v %v %v %v\n", httpMethod, absolutePath, handlerName, nuHandlers) + } + + r.POST("/foo", func(c *gin.Context) { + c.JSON(http.StatusOK, "foo") + }) + + r.GET("/bar", func(c *gin.Context) { + c.JSON(http.StatusOK, "bar") + }) + + r.GET("/status", func(c *gin.Context) { + c.JSON(http.StatusOK, "ok") + }) + + // Listen and Server in http://0.0.0.0:8080 + r.Run() +} +``` + +### Set and get a cookie + +```go +import ( + "fmt" + + "github.com/gin-gonic/gin" +) + +func main() { + + router := gin.Default() + + router.GET("/cookie", func(c *gin.Context) { + + cookie, err := c.Cookie("gin_cookie") + + if err != nil { + cookie = "NotSet" + c.SetCookie("gin_cookie", "test", 3600, "/", "localhost", false, true) + } + + fmt.Printf("Cookie value: %s \n", cookie) + }) + + router.Run() +} +``` + +## Don't trust all proxies + +Gin lets you specify which headers to hold the real client IP (if any), +as well as specifying which proxies (or direct clients) you trust to +specify one of these headers. + +Use function `SetTrustedProxies()` on your `gin.Engine` to specify network addresses +or network CIDRs from where clients which their request headers related to client +IP can be trusted. They can be IPv4 addresses, IPv4 CIDRs, IPv6 addresses or +IPv6 CIDRs. + +**Attention:** Gin trust all proxies by default if you don't specify a trusted +proxy using the function above, **this is NOT safe**. At the same time, if you don't +use any proxy, you can disable this feature by using `Engine.SetTrustedProxies(nil)`, +then `Context.ClientIP()` will return the remote address directly to avoid some +unnecessary computation. 
+ +```go +import ( + "fmt" + + "github.com/gin-gonic/gin" +) + +func main() { + + router := gin.Default() + router.SetTrustedProxies([]string{"192.168.1.2"}) + + router.GET("/", func(c *gin.Context) { + // If the client is 192.168.1.2, use the X-Forwarded-For + // header to deduce the original client IP from the trust- + // worthy parts of that header. + // Otherwise, simply return the direct client IP + fmt.Printf("ClientIP: %s\n", c.ClientIP()) + }) + router.Run() +} +``` + +**Notice:** If you are using a CDN service, you can set the `Engine.TrustedPlatform` +to skip TrustedProxies check, it has a higher priority than TrustedProxies. +Look at the example below: +```go +import ( + "fmt" + + "github.com/gin-gonic/gin" +) + +func main() { + + router := gin.Default() + // Use predefined header gin.PlatformXXX + router.TrustedPlatform = gin.PlatformGoogleAppEngine + // Or set your own trusted request header for another trusted proxy service + // Don't set it to any suspect request header, it's unsafe + router.TrustedPlatform = "X-CDN-IP" + + router.GET("/", func(c *gin.Context) { + // If you set TrustedPlatform, ClientIP() will resolve the + // corresponding header and return IP directly + fmt.Printf("ClientIP: %s\n", c.ClientIP()) + }) + router.Run() +} +``` + +## Testing + +The `net/http/httptest` package is preferable way for HTTP testing. 
+
+```go
+package main
+
+func setupRouter() *gin.Engine {
+ r := gin.Default()
+ r.GET("/ping", func(c *gin.Context) {
+ c.String(200, "pong")
+ })
+ return r
+}
+
+func main() {
+ r := setupRouter()
+ r.Run(":8080")
+}
+```
+
+Test for code example above:
+
+```go
+package main
+
+import (
+ "net/http"
+ "net/http/httptest"
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+)
+
+func TestPingRoute(t *testing.T) {
+ router := setupRouter()
+
+ w := httptest.NewRecorder()
+ req, _ := http.NewRequest("GET", "/ping", nil)
+ router.ServeHTTP(w, req)
+
+ assert.Equal(t, 200, w.Code)
+ assert.Equal(t, "pong", w.Body.String())
+}
+```
+
+## Users
+
+Awesome project lists using [Gin](https://github.com/gin-gonic/gin) web framework.
+
+* [gorush](https://github.com/appleboy/gorush): A push notification server written in Go.
+* [fnproject](https://github.com/fnproject/fn): The container native, cloud agnostic serverless platform.
+* [photoprism](https://github.com/photoprism/photoprism): Personal photo management powered by Go and Google TensorFlow.
+* [krakend](https://github.com/devopsfaith/krakend): Ultra performant API Gateway with middlewares.
+* [picfit](https://github.com/thoas/picfit): An image resizing server written in Go.
+* [brigade](https://github.com/brigadecore/brigade): Event-based Scripting for Kubernetes.
+* [dkron](https://github.com/distribworks/dkron): Distributed, fault tolerant job scheduling system.
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/auth.go b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/auth.go
new file mode 100644
index 000000000000..4d8a6ce484c4
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/auth.go
@@ -0,0 +1,91 @@
+// Copyright 2014 Manu Martinez-Almeida. All rights reserved.
+// Use of this source code is governed by a MIT style
+// license that can be found in the LICENSE file.
+
+package gin
+
+import (
+ "crypto/subtle"
+ "encoding/base64"
+ "net/http"
+ "strconv"
+
+ "github.com/gin-gonic/gin/internal/bytesconv"
+)
+
+// AuthUserKey is the cookie name for user credential in basic auth.
+const AuthUserKey = "user"
+
+// Accounts defines a key/value for user/pass list of authorized logins.
+type Accounts map[string]string
+
+type authPair struct {
+ value string
+ user string
+}
+
+type authPairs []authPair
+
+func (a authPairs) searchCredential(authValue string) (string, bool) {
+ if authValue == "" {
+ return "", false
+ }
+ for _, pair := range a {
+ if subtle.ConstantTimeCompare([]byte(pair.value), []byte(authValue)) == 1 {
+ return pair.user, true
+ }
+ }
+ return "", false
+}
+
+// BasicAuthForRealm returns a Basic HTTP Authorization middleware. It takes as arguments a map[string]string where
+// the key is the user name and the value is the password, as well as the name of the Realm.
+// If the realm is empty, "Authorization Required" will be used by default.
+// (see http://tools.ietf.org/html/rfc2617#section-1.2)
+func BasicAuthForRealm(accounts Accounts, realm string) HandlerFunc {
+ if realm == "" {
+ realm = "Authorization Required"
+ }
+ realm = "Basic realm=" + strconv.Quote(realm)
+ pairs := processAccounts(accounts)
+ return func(c *Context) {
+ // Search user in the slice of allowed credentials
+ user, found := pairs.searchCredential(c.requestHeader("Authorization"))
+ if !found {
+ // Credentials doesn't match, we return 401 and abort handlers chain.
+ c.Header("WWW-Authenticate", realm)
+ c.AbortWithStatus(http.StatusUnauthorized)
+ return
+ }
+
+ // The user credentials was found, set user's id to key AuthUserKey in this context, the user's id can be read later using
+ // c.MustGet(gin.AuthUserKey).
+ c.Set(AuthUserKey, user)
+ }
+}
+
+// BasicAuth returns a Basic HTTP Authorization middleware. It takes as argument a map[string]string where
+// the key is the user name and the value is the password.
+func BasicAuth(accounts Accounts) HandlerFunc {
+ return BasicAuthForRealm(accounts, "")
+}
+
+func processAccounts(accounts Accounts) authPairs {
+ length := len(accounts)
+ assert1(length > 0, "Empty list of authorized credentials")
+ pairs := make(authPairs, 0, length)
+ for user, password := range accounts {
+ assert1(user != "", "User can not be empty")
+ value := authorizationHeader(user, password)
+ pairs = append(pairs, authPair{
+ value: value,
+ user: user,
+ })
+ }
+ return pairs
+}
+
+func authorizationHeader(user, password string) string {
+ base := user + ":" + password
+ return "Basic " + base64.StdEncoding.EncodeToString(bytesconv.StringToBytes(base))
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/binding/binding.go b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/binding/binding.go
new file mode 100644
index 000000000000..5caeb581afe7
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/binding/binding.go
@@ -0,0 +1,118 @@
+// Copyright 2014 Manu Martinez-Almeida. All rights reserved.
+// Use of this source code is governed by a MIT style
+// license that can be found in the LICENSE file.
+
+//go:build !nomsgpack
+// +build !nomsgpack
+
+package binding
+
+import "net/http"
+
+// Content-Type MIME of the most common data formats.
+const (
+ MIMEJSON = "application/json"
+ MIMEHTML = "text/html"
+ MIMEXML = "application/xml"
+ MIMEXML2 = "text/xml"
+ MIMEPlain = "text/plain"
+ MIMEPOSTForm = "application/x-www-form-urlencoded"
+ MIMEMultipartPOSTForm = "multipart/form-data"
+ MIMEPROTOBUF = "application/x-protobuf"
+ MIMEMSGPACK = "application/x-msgpack"
+ MIMEMSGPACK2 = "application/msgpack"
+ MIMEYAML = "application/x-yaml"
+)
+
+// Binding describes the interface which needs to be implemented for binding the
+// data present in the request such as JSON request body, query parameters or
+// the form POST.
+type Binding interface {
+ Name() string
+ Bind(*http.Request, interface{}) error
+}
+
+// BindingBody adds BindBody method to Binding. BindBody is similar with Bind,
+// but it reads the body from supplied bytes instead of req.Body.
+type BindingBody interface {
+ Binding
+ BindBody([]byte, interface{}) error
+}
+
+// BindingUri adds BindUri method to Binding. BindUri is similar with Bind,
+// but it read the Params.
+type BindingUri interface {
+ Name() string
+ BindUri(map[string][]string, interface{}) error
+}
+
+// StructValidator is the minimal interface which needs to be implemented in
+// order for it to be used as the validator engine for ensuring the correctness
+// of the request. Gin provides a default implementation for this using
+// https://github.com/go-playground/validator/tree/v8.18.2.
+type StructValidator interface {
+ // ValidateStruct can receive any kind of type and it should never panic, even if the configuration is not right.
+ // If the received type is a slice|array, the validation should be performed travel on every element.
+ // If the received type is not a struct or slice|array, any validation should be skipped and nil must be returned.
+ // If the received type is a struct or pointer to a struct, the validation should be performed.
+ // If the struct is not valid or the validation itself fails, a descriptive error should be returned.
+ // Otherwise nil must be returned.
+ ValidateStruct(interface{}) error
+
+ // Engine returns the underlying validator engine which powers the
+ // StructValidator implementation.
+ Engine() interface{}
+}
+
+// Validator is the default validator which implements the StructValidator
+// interface. It uses https://github.com/go-playground/validator/tree/v8.18.2
+// under the hood.
+var Validator StructValidator = &defaultValidator{}
+
+// These implement the Binding interface and can be used to bind the data
+// present in the request to struct instances.
+var (
+ JSON = jsonBinding{}
+ XML = xmlBinding{}
+ Form = formBinding{}
+ Query = queryBinding{}
+ FormPost = formPostBinding{}
+ FormMultipart = formMultipartBinding{}
+ ProtoBuf = protobufBinding{}
+ MsgPack = msgpackBinding{}
+ YAML = yamlBinding{}
+ Uri = uriBinding{}
+ Header = headerBinding{}
+)
+
+// Default returns the appropriate Binding instance based on the HTTP method
+// and the content type.
+func Default(method, contentType string) Binding {
+ if method == http.MethodGet {
+ return Form
+ }
+
+ switch contentType {
+ case MIMEJSON:
+ return JSON
+ case MIMEXML, MIMEXML2:
+ return XML
+ case MIMEPROTOBUF:
+ return ProtoBuf
+ case MIMEMSGPACK, MIMEMSGPACK2:
+ return MsgPack
+ case MIMEYAML:
+ return YAML
+ case MIMEMultipartPOSTForm:
+ return FormMultipart
+ default: // case MIMEPOSTForm:
+ return Form
+ }
+}
+
+func validate(obj interface{}) error {
+ if Validator == nil {
+ return nil
+ }
+ return Validator.ValidateStruct(obj)
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/binding/binding_nomsgpack.go b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/binding/binding_nomsgpack.go
new file mode 100644
index 000000000000..9afa3dcf6dad
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/binding/binding_nomsgpack.go
@@ -0,0 +1,112 @@
+// Copyright 2020 Gin Core Team. All rights reserved.
+// Use of this source code is governed by a MIT style
+// license that can be found in the LICENSE file.
+
+//go:build nomsgpack
+// +build nomsgpack
+
+package binding
+
+import "net/http"
+
+// Content-Type MIME of the most common data formats.
+const (
+ MIMEJSON = "application/json"
+ MIMEHTML = "text/html"
+ MIMEXML = "application/xml"
+ MIMEXML2 = "text/xml"
+ MIMEPlain = "text/plain"
+ MIMEPOSTForm = "application/x-www-form-urlencoded"
+ MIMEMultipartPOSTForm = "multipart/form-data"
+ MIMEPROTOBUF = "application/x-protobuf"
+ MIMEYAML = "application/x-yaml"
+)
+
+// Binding describes the interface which needs to be implemented for binding the
+// data present in the request such as JSON request body, query parameters or
+// the form POST.
+type Binding interface {
+ Name() string
+ Bind(*http.Request, interface{}) error
+}
+
+// BindingBody adds BindBody method to Binding. BindBody is similar with Bind,
+// but it reads the body from supplied bytes instead of req.Body.
+type BindingBody interface {
+ Binding
+ BindBody([]byte, interface{}) error
+}
+
+// BindingUri adds BindUri method to Binding. BindUri is similar with Bind,
+// but it read the Params.
+type BindingUri interface {
+ Name() string
+ BindUri(map[string][]string, interface{}) error
+}
+
+// StructValidator is the minimal interface which needs to be implemented in
+// order for it to be used as the validator engine for ensuring the correctness
+// of the request. Gin provides a default implementation for this using
+// https://github.com/go-playground/validator/tree/v8.18.2.
+type StructValidator interface {
+ // ValidateStruct can receive any kind of type and it should never panic, even if the configuration is not right.
+ // If the received type is not a struct, any validation should be skipped and nil must be returned.
+ // If the received type is a struct or pointer to a struct, the validation should be performed.
+ // If the struct is not valid or the validation itself fails, a descriptive error should be returned.
+ // Otherwise nil must be returned.
+ ValidateStruct(interface{}) error
+
+ // Engine returns the underlying validator engine which powers the
+ // StructValidator implementation.
+ Engine() interface{}
+}
+
+// Validator is the default validator which implements the StructValidator
+// interface. It uses https://github.com/go-playground/validator/tree/v8.18.2
+// under the hood.
+var Validator StructValidator = &defaultValidator{}
+
+// These implement the Binding interface and can be used to bind the data
+// present in the request to struct instances.
+var (
+ JSON = jsonBinding{}
+ XML = xmlBinding{}
+ Form = formBinding{}
+ Query = queryBinding{}
+ FormPost = formPostBinding{}
+ FormMultipart = formMultipartBinding{}
+ ProtoBuf = protobufBinding{}
+ YAML = yamlBinding{}
+ Uri = uriBinding{}
+ Header = headerBinding{}
+)
+
+// Default returns the appropriate Binding instance based on the HTTP method
+// and the content type.
+func Default(method, contentType string) Binding {
+ if method == "GET" {
+ return Form
+ }
+
+ switch contentType {
+ case MIMEJSON:
+ return JSON
+ case MIMEXML, MIMEXML2:
+ return XML
+ case MIMEPROTOBUF:
+ return ProtoBuf
+ case MIMEYAML:
+ return YAML
+ case MIMEMultipartPOSTForm:
+ return FormMultipart
+ default: // case MIMEPOSTForm:
+ return Form
+ }
+}
+
+func validate(obj interface{}) error {
+ if Validator == nil {
+ return nil
+ }
+ return Validator.ValidateStruct(obj)
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/binding/default_validator.go b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/binding/default_validator.go
new file mode 100644
index 000000000000..c57a120fc2eb
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/binding/default_validator.go
@@ -0,0 +1,85 @@
+// Copyright 2017 Manu Martinez-Almeida. All rights reserved.
+// Use of this source code is governed by a MIT style
+// license that can be found in the LICENSE file.
+
+package binding
+
+import (
+ "fmt"
+ "reflect"
+ "strings"
+ "sync"
+
+ "github.com/go-playground/validator/v10"
+)
+
+type defaultValidator struct {
+ once sync.Once
+ validate *validator.Validate
+}
+
+type sliceValidateError []error
+
+func (err sliceValidateError) Error() string {
+ var errMsgs []string
+ for i, e := range err {
+ if e == nil {
+ continue
+ }
+ errMsgs = append(errMsgs, fmt.Sprintf("[%d]: %s", i, e.Error()))
+ }
+ return strings.Join(errMsgs, "\n")
+}
+
+var _ StructValidator = &defaultValidator{}
+
+// ValidateStruct receives any kind of type, but only performed struct or pointer to struct type.
+func (v *defaultValidator) ValidateStruct(obj interface{}) error {
+ if obj == nil {
+ return nil
+ }
+
+ value := reflect.ValueOf(obj)
+ switch value.Kind() {
+ case reflect.Ptr:
+ return v.ValidateStruct(value.Elem().Interface())
+ case reflect.Struct:
+ return v.validateStruct(obj)
+ case reflect.Slice, reflect.Array:
+ count := value.Len()
+ validateRet := make(sliceValidateError, 0)
+ for i := 0; i < count; i++ {
+ if err := v.ValidateStruct(value.Index(i).Interface()); err != nil {
+ validateRet = append(validateRet, err)
+ }
+ }
+ if len(validateRet) == 0 {
+ return nil
+ }
+ return validateRet
+ default:
+ return nil
+ }
+}
+
+// validateStruct receives struct type
+func (v *defaultValidator) validateStruct(obj interface{}) error {
+ v.lazyinit()
+ return v.validate.Struct(obj)
+}
+
+// Engine returns the underlying validator engine which powers the default
+// Validator instance. This is useful if you want to register custom validations
+// or struct level validations. See validator GoDoc for more info -
+// https://godoc.org/gopkg.in/go-playground/validator.v8
+func (v *defaultValidator) Engine() interface{} {
+ v.lazyinit()
+ return v.validate
+}
+
+func (v *defaultValidator) lazyinit() {
+ v.once.Do(func() {
+ v.validate = validator.New()
+ v.validate.SetTagName("binding")
+ })
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/binding/form.go b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/binding/form.go
new file mode 100644
index 000000000000..b93c34cf42d3
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/binding/form.go
@@ -0,0 +1,63 @@
+// Copyright 2014 Manu Martinez-Almeida. All rights reserved.
+// Use of this source code is governed by a MIT style
+// license that can be found in the LICENSE file.
+
+package binding
+
+import (
+ "net/http"
+)
+
+const defaultMemory = 32 << 20
+
+type formBinding struct{}
+type formPostBinding struct{}
+type formMultipartBinding struct{}
+
+func (formBinding) Name() string {
+ return "form"
+}
+
+func (formBinding) Bind(req *http.Request, obj interface{}) error {
+ if err := req.ParseForm(); err != nil {
+ return err
+ }
+ if err := req.ParseMultipartForm(defaultMemory); err != nil {
+ if err != http.ErrNotMultipart {
+ return err
+ }
+ }
+ if err := mapForm(obj, req.Form); err != nil {
+ return err
+ }
+ return validate(obj)
+}
+
+func (formPostBinding) Name() string {
+ return "form-urlencoded"
+}
+
+func (formPostBinding) Bind(req *http.Request, obj interface{}) error {
+ if err := req.ParseForm(); err != nil {
+ return err
+ }
+ if err := mapForm(obj, req.PostForm); err != nil {
+ return err
+ }
+ return validate(obj)
+}
+
+func (formMultipartBinding) Name() string {
+ return "multipart/form-data"
+}
+
+func (formMultipartBinding) Bind(req *http.Request, obj interface{}) error {
+ if err := req.ParseMultipartForm(defaultMemory); err != nil {
+ return err
+ }
+ if err := mappingByPtr(obj, (*multipartRequest)(req), "form"); err != nil {
+ return err
+ }
+
+ return validate(obj)
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/binding/form_mapping.go b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/binding/form_mapping.go
new file mode 100644
index 000000000000..2f4e45b40fcb
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/binding/form_mapping.go
@@ -0,0 +1,392 @@
+// Copyright 2014 Manu Martinez-Almeida. All rights reserved.
+// Use of this source code is governed by a MIT style
+// license that can be found in the LICENSE file.
+
+package binding
+
+import (
+ "errors"
+ "fmt"
+ "reflect"
+ "strconv"
+ "strings"
+ "time"
+
+ "github.com/gin-gonic/gin/internal/bytesconv"
+ "github.com/gin-gonic/gin/internal/json"
+)
+
+var errUnknownType = errors.New("unknown type")
+
+func mapUri(ptr interface{}, m map[string][]string) error {
+ return mapFormByTag(ptr, m, "uri")
+}
+
+func mapForm(ptr interface{}, form map[string][]string) error {
+ return mapFormByTag(ptr, form, "form")
+}
+
+var emptyField = reflect.StructField{}
+
+func mapFormByTag(ptr interface{}, form map[string][]string, tag string) error {
+ // Check if ptr is a map
+ ptrVal := reflect.ValueOf(ptr)
+ var pointed interface{}
+ if ptrVal.Kind() == reflect.Ptr {
+ ptrVal = ptrVal.Elem()
+ pointed = ptrVal.Interface()
+ }
+ if ptrVal.Kind() == reflect.Map &&
+ ptrVal.Type().Key().Kind() == reflect.String {
+ if pointed != nil {
+ ptr = pointed
+ }
+ return setFormMap(ptr, form)
+ }
+
+ return mappingByPtr(ptr, formSource(form), tag)
+}
+
+// setter tries to set value on a walking by fields of a struct
+type setter interface {
+ TrySet(value reflect.Value, field reflect.StructField, key string, opt setOptions) (isSetted bool, err error)
+}
+
+type formSource map[string][]string
+
+var _ setter = formSource(nil)
+
+// TrySet tries to set a value by request's form source (like map[string][]string)
+func (form formSource) TrySet(value reflect.Value, field reflect.StructField, tagValue string, opt setOptions) (isSetted bool, err error) {
+ return setByForm(value, field, form, tagValue, opt)
+}
+
+func mappingByPtr(ptr interface{}, setter setter, tag string) error {
+ _, err := mapping(reflect.ValueOf(ptr), emptyField, setter, tag)
+ return err
+}
+
+func mapping(value reflect.Value, field reflect.StructField, setter setter, tag string) (bool, error) {
+ if field.Tag.Get(tag) == "-" { // just ignoring this field
+ return false, nil
+ }
+
+ var vKind = value.Kind()
+
+ if vKind == reflect.Ptr {
+ var isNew bool
+ vPtr := value
+ if value.IsNil() {
+ isNew = true
+ vPtr = reflect.New(value.Type().Elem())
+ }
+ isSetted, err := mapping(vPtr.Elem(), field, setter, tag)
+ if err != nil {
+ return false, err
+ }
+ if isNew && isSetted {
+ value.Set(vPtr)
+ }
+ return isSetted, nil
+ }
+
+ if vKind != reflect.Struct || !field.Anonymous {
+ ok, err := tryToSetValue(value, field, setter, tag)
+ if err != nil {
+ return false, err
+ }
+ if ok {
+ return true, nil
+ }
+ }
+
+ if vKind == reflect.Struct {
+ tValue := value.Type()
+
+ var isSetted bool
+ for i := 0; i < value.NumField(); i++ {
+ sf := tValue.Field(i)
+ if sf.PkgPath != "" && !sf.Anonymous { // unexported
+ continue
+ }
+ ok, err := mapping(value.Field(i), tValue.Field(i), setter, tag)
+ if err != nil {
+ return false, err
+ }
+ isSetted = isSetted || ok
+ }
+ return isSetted, nil
+ }
+ return false, nil
+}
+
+type setOptions struct {
+ isDefaultExists bool
+ defaultValue string
+}
+
+func tryToSetValue(value reflect.Value, field reflect.StructField, setter setter, tag string) (bool, error) {
+ var tagValue string
+ var setOpt setOptions
+
+ tagValue = field.Tag.Get(tag)
+ tagValue, opts := head(tagValue, ",")
+
+ if tagValue == "" { // default value is FieldName
+ tagValue = field.Name
+ }
+ if tagValue == "" { // when field is "emptyField" variable
+ return false, nil
+ }
+
+ var opt string
+ for len(opts) > 0 {
+ opt, opts = head(opts, ",")
+
+ if k, v := head(opt, "="); k == "default" {
+ setOpt.isDefaultExists = true
+ setOpt.defaultValue = v
+ }
+ }
+
+ return setter.TrySet(value, field, tagValue, setOpt)
+}
+
+func setByForm(value reflect.Value, field reflect.StructField, form map[string][]string, tagValue string, opt setOptions) (isSetted bool, err error) {
+ vs, ok := form[tagValue]
+ if !ok && !opt.isDefaultExists {
+ return false, nil
+ }
+
+ switch value.Kind() {
+ case reflect.Slice:
+ if !ok {
+ vs = []string{opt.defaultValue}
+ }
+ return true, setSlice(vs, value, field)
+ case reflect.Array:
+ if !ok {
+ vs = []string{opt.defaultValue}
+ }
+ if len(vs) != value.Len() {
+ return false, fmt.Errorf("%q is not valid value for %s", vs, value.Type().String())
+ }
+ return true, setArray(vs, value, field)
+ default:
+ var val string
+ if !ok {
+ val = opt.defaultValue
+ }
+
+ if len(vs) > 0 {
+ val = vs[0]
+ }
+ return true, setWithProperType(val, value, field)
+ }
+}
+
+func setWithProperType(val string, value reflect.Value, field reflect.StructField) error {
+ switch value.Kind() {
+ case reflect.Int:
+ return setIntField(val, 0, value)
+ case reflect.Int8:
+ return setIntField(val, 8, value)
+ case reflect.Int16:
+ return setIntField(val, 16, value)
+ case reflect.Int32:
+ return setIntField(val, 32, value)
+ case reflect.Int64:
+ switch value.Interface().(type) {
+ case time.Duration:
+ return setTimeDuration(val, value, field)
+ }
+ return setIntField(val, 64, value)
+ case reflect.Uint:
+ return setUintField(val, 0, value)
+ case reflect.Uint8:
+ return setUintField(val, 8, value)
+ case reflect.Uint16:
+ return setUintField(val, 16, value)
+ case reflect.Uint32:
+ return setUintField(val, 32, value)
+ case reflect.Uint64:
+ return setUintField(val, 64, value)
+ case reflect.Bool:
+ return setBoolField(val, value)
+ case reflect.Float32:
+ return setFloatField(val, 32, value)
+ case reflect.Float64:
+ return setFloatField(val, 64, value)
+ case reflect.String:
+ value.SetString(val)
+ case reflect.Struct:
+ switch value.Interface().(type) {
+ case time.Time:
+ return setTimeField(val, field, value)
+ }
+ return json.Unmarshal(bytesconv.StringToBytes(val), value.Addr().Interface())
+ case reflect.Map:
+ return json.Unmarshal(bytesconv.StringToBytes(val), value.Addr().Interface())
+ default:
+ return errUnknownType
+ }
+ return nil
+}
+
+func setIntField(val string, bitSize int, field reflect.Value) error {
+ if val == "" {
+ val = "0"
+ }
+ intVal, err := strconv.ParseInt(val, 10, bitSize)
+ if err == nil {
+ field.SetInt(intVal)
+ }
+ return err
+}
+
+func setUintField(val string, bitSize int, field reflect.Value) error {
+ if val == "" {
+ val = "0"
+ }
+ uintVal, err := strconv.ParseUint(val, 10, bitSize)
+ if err == nil {
+ field.SetUint(uintVal)
+ }
+ return err
+}
+
+func setBoolField(val string, field reflect.Value) error {
+ if val == "" {
+ val = "false"
+ }
+ boolVal, err := strconv.ParseBool(val)
+ if err == nil {
+ field.SetBool(boolVal)
+ }
+ return err
+}
+
+func setFloatField(val string, bitSize int, field reflect.Value) error {
+ if val == "" {
+ val = "0.0"
+ }
+ floatVal, err := strconv.ParseFloat(val, bitSize)
+ if err == nil {
+ field.SetFloat(floatVal)
+ }
+ return err
+}
+
+func setTimeField(val string, structField reflect.StructField, value reflect.Value) error {
+ timeFormat := structField.Tag.Get("time_format")
+ if timeFormat == "" {
+ timeFormat = time.RFC3339
+ }
+
+ switch tf := strings.ToLower(timeFormat); tf {
+ case "unix", "unixnano":
+ tv, err := strconv.ParseInt(val, 10, 64)
+ if err != nil {
+ return err
+ }
+
+ d := time.Duration(1)
+ if tf == "unixnano" {
+ d = time.Second
+ }
+
+ t := time.Unix(tv/int64(d), tv%int64(d))
+ value.Set(reflect.ValueOf(t))
+ return nil
+
+ }
+
+ if val == "" {
+ value.Set(reflect.ValueOf(time.Time{}))
+ return nil
+ }
+
+ l := time.Local
+ if isUTC, _ := strconv.ParseBool(structField.Tag.Get("time_utc")); isUTC {
+ l = time.UTC
+ }
+
+ if locTag := structField.Tag.Get("time_location"); locTag != "" {
+ loc, err := time.LoadLocation(locTag)
+ if err != nil {
+ return err
+ }
+ l = loc
+ }
+
+ t, err := time.ParseInLocation(timeFormat, val, l)
+ if err != nil {
+ return err
+ }
+
+ value.Set(reflect.ValueOf(t))
+ return nil
+}
+
+func setArray(vals []string, value reflect.Value, field reflect.StructField) error {
+ for i, s := range vals {
+ err := setWithProperType(s, value.Index(i), field)
+ if err != nil {
+ return err
+ }
+ }
+ return nil
+}
+
+func setSlice(vals []string, value reflect.Value, field reflect.StructField) error {
+ slice := reflect.MakeSlice(value.Type(), len(vals), len(vals))
+ err := setArray(vals, slice, field)
+ if err != nil {
+ return err
+ }
+ value.Set(slice)
+ return nil
+}
+
+func setTimeDuration(val string, value reflect.Value, field reflect.StructField) error {
+ d, err := time.ParseDuration(val)
+ if err != nil {
+ return err
+ }
+ value.Set(reflect.ValueOf(d))
+ return nil
+}
+
+func head(str, sep string) (head string, tail string) {
+ idx := strings.Index(str, sep)
+ if idx < 0 {
+ return str, ""
+ }
+ return str[:idx], str[idx+len(sep):]
+}
+
+func setFormMap(ptr interface{}, form map[string][]string) error {
+ el := reflect.TypeOf(ptr).Elem()
+
+ if el.Kind() == reflect.Slice {
+ ptrMap, ok := ptr.(map[string][]string)
+ if !ok {
+ return errors.New("cannot convert to map slices of strings")
+ }
+ for k, v := range form {
+ ptrMap[k] = v
+ }
+
+ return nil
+ }
+
+ ptrMap, ok := ptr.(map[string]string)
+ if !ok {
+ return errors.New("cannot convert to map of strings")
+ }
+ for k, v := range form {
+ ptrMap[k] = v[len(v)-1] // pick last
+ }
+
+ return nil
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/binding/header.go b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/binding/header.go
new file mode 100644
index 000000000000..179ce4ea2037
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/binding/header.go
@@ -0,0 +1,34 @@
+package binding
+
+import (
+ "net/http"
+ "net/textproto"
+ "reflect"
+)
+
+type headerBinding struct{}
+
+func (headerBinding) Name() string {
+ return "header"
+}
+
+func (headerBinding) Bind(req *http.Request, obj interface{}) error {
+
+ if err := mapHeader(obj, req.Header); err != nil {
+ return err
+ }
+
+ return validate(obj)
+}
+
+func mapHeader(ptr interface{}, h map[string][]string) error {
+ return mappingByPtr(ptr, headerSource(h), "header")
+}
+
+type headerSource map[string][]string
+
+var _ setter = headerSource(nil)
+
+func (hs headerSource) TrySet(value reflect.Value, field reflect.StructField, tagValue string, opt setOptions) (isSetted bool, err error) {
+ return setByForm(value, field, hs, textproto.CanonicalMIMEHeaderKey(tagValue), opt)
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/binding/json.go b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/binding/json.go
new file mode 100644
index 000000000000..d62e07059482
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/binding/json.go
@@ -0,0 +1,56 @@
+// Copyright 2014 Manu Martinez-Almeida. All rights reserved.
+// Use of this source code is governed by a MIT style
+// license that can be found in the LICENSE file.
+
+package binding
+
+import (
+ "bytes"
+ "fmt"
+ "io"
+ "net/http"
+
+ "github.com/gin-gonic/gin/internal/json"
+)
+
+// EnableDecoderUseNumber is used to call the UseNumber method on the JSON
+// Decoder instance. UseNumber causes the Decoder to unmarshal a number into an
+// interface{} as a Number instead of as a float64.
+var EnableDecoderUseNumber = false
+
+// EnableDecoderDisallowUnknownFields is used to call the DisallowUnknownFields method
+// on the JSON Decoder instance. DisallowUnknownFields causes the Decoder to
+// return an error when the destination is a struct and the input contains object
+// keys which do not match any non-ignored, exported fields in the destination.
+var EnableDecoderDisallowUnknownFields = false
+
+type jsonBinding struct{}
+
+func (jsonBinding) Name() string {
+ return "json"
+}
+
+func (jsonBinding) Bind(req *http.Request, obj interface{}) error {
+ if req == nil || req.Body == nil {
+ return fmt.Errorf("invalid request")
+ }
+ return decodeJSON(req.Body, obj)
+}
+
+func (jsonBinding) BindBody(body []byte, obj interface{}) error {
+ return decodeJSON(bytes.NewReader(body), obj)
+}
+
+func decodeJSON(r io.Reader, obj interface{}) error {
+ decoder := json.NewDecoder(r)
+ if EnableDecoderUseNumber {
+ decoder.UseNumber()
+ }
+ if EnableDecoderDisallowUnknownFields {
+ decoder.DisallowUnknownFields()
+ }
+ if err := decoder.Decode(obj); err != nil {
+ return err
+ }
+ return validate(obj)
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/binding/msgpack.go b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/binding/msgpack.go
new file mode 100644
index 000000000000..2a442996a63e
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/binding/msgpack.go
@@ -0,0 +1,38 @@
+// Copyright 2017 Manu Martinez-Almeida. All rights reserved.
+// Use of this source code is governed by a MIT style
+// license that can be found in the LICENSE file.
+
+//go:build !nomsgpack
+// +build !nomsgpack
+
+package binding
+
+import (
+ "bytes"
+ "io"
+ "net/http"
+
+ "github.com/ugorji/go/codec"
+)
+
+type msgpackBinding struct{}
+
+func (msgpackBinding) Name() string {
+ return "msgpack"
+}
+
+func (msgpackBinding) Bind(req *http.Request, obj interface{}) error {
+ return decodeMsgPack(req.Body, obj)
+}
+
+func (msgpackBinding) BindBody(body []byte, obj interface{}) error {
+ return decodeMsgPack(bytes.NewReader(body), obj)
+}
+
+func decodeMsgPack(r io.Reader, obj interface{}) error {
+ cdc := new(codec.MsgpackHandle)
+ if err := codec.NewDecoder(r, cdc).Decode(&obj); err != nil {
+ return err
+ }
+ return validate(obj)
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/binding/multipart_form_mapping.go b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/binding/multipart_form_mapping.go
new file mode 100644
index 000000000000..f85a1aa60455
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/binding/multipart_form_mapping.go
@@ -0,0 +1,66 @@
+// Copyright 2019 Gin Core Team. All rights reserved.
+// Use of this source code is governed by a MIT style
+// license that can be found in the LICENSE file.
+
+package binding
+
+import (
+ "errors"
+ "mime/multipart"
+ "net/http"
+ "reflect"
+)
+
+type multipartRequest http.Request
+
+var _ setter = (*multipartRequest)(nil)
+
+// TrySet tries to set a value by the multipart request with the binding a form file
+func (r *multipartRequest) TrySet(value reflect.Value, field reflect.StructField, key string, opt setOptions) (isSetted bool, err error) {
+ if files := r.MultipartForm.File[key]; len(files) != 0 {
+ return setByMultipartFormFile(value, field, files)
+ }
+
+ return setByForm(value, field, r.MultipartForm.Value, key, opt)
+}
+
+func setByMultipartFormFile(value reflect.Value, field reflect.StructField, files []*multipart.FileHeader) (isSetted bool, err error) {
+ switch value.Kind() {
+ case reflect.Ptr:
+ switch value.Interface().(type) {
+ case *multipart.FileHeader:
+ value.Set(reflect.ValueOf(files[0]))
+ return true, nil
+ }
+ case reflect.Struct:
+ switch value.Interface().(type) {
+ case multipart.FileHeader:
+ value.Set(reflect.ValueOf(*files[0]))
+ return true, nil
+ }
+ case reflect.Slice:
+ slice := reflect.MakeSlice(value.Type(), len(files), len(files))
+ isSetted, err = setArrayOfMultipartFormFiles(slice, field, files)
+ if err != nil || !isSetted {
+ return isSetted, err
+ }
+ value.Set(slice)
+ return true, nil
+ case reflect.Array:
+ return setArrayOfMultipartFormFiles(value, field, files)
+ }
+ return false, errors.New("unsupported field type for multipart.FileHeader")
+}
+
+func setArrayOfMultipartFormFiles(value reflect.Value, field reflect.StructField, files []*multipart.FileHeader) (isSetted bool, err error) {
+ if value.Len() != len(files) {
+ return false, errors.New("unsupported len of array for []*multipart.FileHeader")
+ }
+ for i := range files {
+ setted, err := setByMultipartFormFile(value.Index(i), field, files[i:i+1])
+ if err != nil || !setted {
+ return setted, err
+ }
+ }
+ return true, nil
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/binding/protobuf.go b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/binding/protobuf.go
new file mode 100644
index 000000000000..f9ece928d489
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/binding/protobuf.go
@@ -0,0 +1,36 @@
+// Copyright 2014 Manu Martinez-Almeida. All rights reserved.
+// Use of this source code is governed by a MIT style
+// license that can be found in the LICENSE file.
+
+package binding
+
+import (
+ "io/ioutil"
+ "net/http"
+
+ "github.com/golang/protobuf/proto"
+)
+
+type protobufBinding struct{}
+
+func (protobufBinding) Name() string {
+ return "protobuf"
+}
+
+func (b protobufBinding) Bind(req *http.Request, obj interface{}) error {
+ buf, err := ioutil.ReadAll(req.Body)
+ if err != nil {
+ return err
+ }
+ return b.BindBody(buf, obj)
+}
+
+func (protobufBinding) BindBody(body []byte, obj interface{}) error {
+ if err := proto.Unmarshal(body, obj.(proto.Message)); err != nil {
+ return err
+ }
+ // Here it's same to return validate(obj), but util now we can't add
+ // `binding:""` to the struct which automatically generate by gen-proto
+ return nil
+ // return validate(obj)
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/binding/query.go b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/binding/query.go
new file mode 100644
index 000000000000..219743f2a950
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/binding/query.go
@@ -0,0 +1,21 @@
+// Copyright 2017 Manu Martinez-Almeida. All rights reserved.
+// Use of this source code is governed by a MIT style
+// license that can be found in the LICENSE file.
+
+package binding
+
+import "net/http"
+
+type queryBinding struct{}
+
+func (queryBinding) Name() string {
+ return "query"
+}
+
+func (queryBinding) Bind(req *http.Request, obj interface{}) error {
+ values := req.URL.Query()
+ if err := mapForm(obj, values); err != nil {
+ return err
+ }
+ return validate(obj)
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/binding/uri.go b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/binding/uri.go
new file mode 100644
index 000000000000..f91ec3819942
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/binding/uri.go
@@ -0,0 +1,18 @@
+// Copyright 2018 Gin Core Team. All rights reserved.
+// Use of this source code is governed by a MIT style
+// license that can be found in the LICENSE file.
+
+package binding
+
+type uriBinding struct{}
+
+func (uriBinding) Name() string {
+ return "uri"
+}
+
+func (uriBinding) BindUri(m map[string][]string, obj interface{}) error {
+ if err := mapUri(obj, m); err != nil {
+ return err
+ }
+ return validate(obj)
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/binding/xml.go b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/binding/xml.go
new file mode 100644
index 000000000000..4e9011496260
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/binding/xml.go
@@ -0,0 +1,33 @@
+// Copyright 2014 Manu Martinez-Almeida. All rights reserved.
+// Use of this source code is governed by a MIT style
+// license that can be found in the LICENSE file.
+
+package binding
+
+import (
+ "bytes"
+ "encoding/xml"
+ "io"
+ "net/http"
+)
+
+type xmlBinding struct{}
+
+func (xmlBinding) Name() string {
+ return "xml"
+}
+
+func (xmlBinding) Bind(req *http.Request, obj interface{}) error {
+ return decodeXML(req.Body, obj)
+}
+
+func (xmlBinding) BindBody(body []byte, obj interface{}) error {
+ return decodeXML(bytes.NewReader(body), obj)
+}
+func decodeXML(r io.Reader, obj interface{}) error {
+ decoder := xml.NewDecoder(r)
+ if err := decoder.Decode(obj); err != nil {
+ return err
+ }
+ return validate(obj)
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/binding/yaml.go b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/binding/yaml.go
new file mode 100644
index 000000000000..a2d36d6a549f
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/binding/yaml.go
@@ -0,0 +1,35 @@
+// Copyright 2018 Gin Core Team. All rights reserved.
+// Use of this source code is governed by a MIT style
+// license that can be found in the LICENSE file.
+
+package binding
+
+import (
+ "bytes"
+ "io"
+ "net/http"
+
+ "gopkg.in/yaml.v2"
+)
+
+type yamlBinding struct{}
+
+func (yamlBinding) Name() string {
+ return "yaml"
+}
+
+func (yamlBinding) Bind(req *http.Request, obj interface{}) error {
+ return decodeYAML(req.Body, obj)
+}
+
+func (yamlBinding) BindBody(body []byte, obj interface{}) error {
+ return decodeYAML(bytes.NewReader(body), obj)
+}
+
+func decodeYAML(r io.Reader, obj interface{}) error {
+ decoder := yaml.NewDecoder(r)
+ if err := decoder.Decode(obj); err != nil {
+ return err
+ }
+ return validate(obj)
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/codecov.yml b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/codecov.yml
new file mode 100644
index 000000000000..c9c9a522da9f
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/codecov.yml
@@ -0,0 +1,5 @@
+coverage:
+ notify:
+ gitter:
+ default:
+ url: https://webhooks.gitter.im/e/d90dcdeeab2f1e357165
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/context.go b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/context.go
new file mode 100644
index 000000000000..220d1bc7b454
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/context.go
@@ -0,0 +1,1192 @@
+// Copyright 2014 Manu Martinez-Almeida. All rights reserved.
+// Use of this source code is governed by a MIT style
+// license that can be found in the LICENSE file.
+
+package gin
+
+import (
+ "errors"
+ "fmt"
+ "io"
+ "io/ioutil"
+ "log"
+ "math"
+ "mime/multipart"
+ "net"
+ "net/http"
+ "net/url"
+ "os"
+ "strings"
+ "sync"
+ "time"
+
+ "github.com/gin-contrib/sse"
+ "github.com/gin-gonic/gin/binding"
+ "github.com/gin-gonic/gin/render"
+)
+
+// Content-Type MIME of the most common data formats.
+const (
+ MIMEJSON = binding.MIMEJSON
+ MIMEHTML = binding.MIMEHTML
+ MIMEXML = binding.MIMEXML
+ MIMEXML2 = binding.MIMEXML2
+ MIMEPlain = binding.MIMEPlain
+ MIMEPOSTForm = binding.MIMEPOSTForm
+ MIMEMultipartPOSTForm = binding.MIMEMultipartPOSTForm
+ MIMEYAML = binding.MIMEYAML
+)
+
+// BodyBytesKey indicates a default body bytes key.
+const BodyBytesKey = "_gin-gonic/gin/bodybyteskey"
+
+const abortIndex int8 = math.MaxInt8 / 2
+
+// Context is the most important part of gin. It allows us to pass variables between middleware,
+// manage the flow, validate the JSON of a request and render a JSON response for example.
+type Context struct {
+ writermem responseWriter
+ Request *http.Request
+ Writer ResponseWriter
+
+ Params Params
+ handlers HandlersChain
+ index int8
+ fullPath string
+
+ engine *Engine
+ params *Params
+ skippedNodes *[]skippedNode
+
+ // This mutex protect Keys map
+ mu sync.RWMutex
+
+ // Keys is a key/value pair exclusively for the context of each request.
+ Keys map[string]interface{}
+
+ // Errors is a list of errors attached to all the handlers/middlewares who used this context.
+ Errors errorMsgs
+
+ // Accepted defines a list of manually accepted formats for content negotiation.
+ Accepted []string
+
+ // queryCache use url.ParseQuery cached the param query result from c.Request.URL.Query()
+ queryCache url.Values
+
+ // formCache use url.ParseQuery cached PostForm contains the parsed form data from POST, PATCH,
+ // or PUT body parameters.
+ formCache url.Values
+
+ // SameSite allows a server to define a cookie attribute making it impossible for
+ // the browser to send this cookie along with cross-site requests.
+ sameSite http.SameSite
+}
+
+/************************************/
+/********** CONTEXT CREATION ********/
+/************************************/
+
+func (c *Context) reset() {
+ c.Writer = &c.writermem
+ c.Params = c.Params[0:0]
+ c.handlers = nil
+ c.index = -1
+
+ c.fullPath = ""
+ c.Keys = nil
+ c.Errors = c.Errors[0:0]
+ c.Accepted = nil
+ c.queryCache = nil
+ c.formCache = nil
+ *c.params = (*c.params)[:0]
+ *c.skippedNodes = (*c.skippedNodes)[:0]
+}
+
+// Copy returns a copy of the current context that can be safely used outside the request's scope.
+// This has to be used when the context has to be passed to a goroutine.
+func (c *Context) Copy() *Context {
+ cp := Context{
+ writermem: c.writermem,
+ Request: c.Request,
+ Params: c.Params,
+ engine: c.engine,
+ }
+ cp.writermem.ResponseWriter = nil
+ cp.Writer = &cp.writermem
+ cp.index = abortIndex
+ cp.handlers = nil
+ cp.Keys = map[string]interface{}{}
+ for k, v := range c.Keys {
+ cp.Keys[k] = v
+ }
+ paramCopy := make([]Param, len(cp.Params))
+ copy(paramCopy, cp.Params)
+ cp.Params = paramCopy
+ return &cp
+}
+
+// HandlerName returns the main handler's name. For example if the handler is "handleGetUsers()",
+// this function will return "main.handleGetUsers".
+func (c *Context) HandlerName() string {
+ return nameOfFunction(c.handlers.Last())
+}
+
+// HandlerNames returns a list of all registered handlers for this context in descending order,
+// following the semantics of HandlerName()
+func (c *Context) HandlerNames() []string {
+ hn := make([]string, 0, len(c.handlers))
+ for _, val := range c.handlers {
+ hn = append(hn, nameOfFunction(val))
+ }
+ return hn
+}
+
+// Handler returns the main handler.
+func (c *Context) Handler() HandlerFunc {
+ return c.handlers.Last()
+}
+
+// FullPath returns a matched route full path. For not found routes
+// returns an empty string.
+// router.GET("/user/:id", func(c *gin.Context) {
+// c.FullPath() == "/user/:id" // true
+// })
+func (c *Context) FullPath() string {
+ return c.fullPath
+}
+
+/************************************/
+/*********** FLOW CONTROL ***********/
+/************************************/
+
+// Next should be used only inside middleware.
+// It executes the pending handlers in the chain inside the calling handler.
+// See example in GitHub.
+func (c *Context) Next() {
+ c.index++
+ for c.index < int8(len(c.handlers)) {
+ c.handlers[c.index](c)
+ c.index++
+ }
+}
+
+// IsAborted returns true if the current context was aborted.
+func (c *Context) IsAborted() bool {
+ return c.index >= abortIndex
+}
+
+// Abort prevents pending handlers from being called. Note that this will not stop the current handler.
+// Let's say you have an authorization middleware that validates that the current request is authorized.
+// If the authorization fails (ex: the password does not match), call Abort to ensure the remaining handlers
+// for this request are not called.
+func (c *Context) Abort() {
+ c.index = abortIndex
+}
+
+// AbortWithStatus calls `Abort()` and writes the headers with the specified status code.
+// For example, a failed attempt to authenticate a request could use: context.AbortWithStatus(401).
+func (c *Context) AbortWithStatus(code int) {
+ c.Status(code)
+ c.Writer.WriteHeaderNow()
+ c.Abort()
+}
+
+// AbortWithStatusJSON calls `Abort()` and then `JSON` internally.
+// This method stops the chain, writes the status code and return a JSON body.
+// It also sets the Content-Type as "application/json".
+func (c *Context) AbortWithStatusJSON(code int, jsonObj interface{}) {
+ c.Abort()
+ c.JSON(code, jsonObj)
+}
+
+// AbortWithError calls `AbortWithStatus()` and `Error()` internally.
+// This method stops the chain, writes the status code and pushes the specified error to `c.Errors`.
+// See Context.Error() for more details.
+func (c *Context) AbortWithError(code int, err error) *Error {
+ c.AbortWithStatus(code)
+ return c.Error(err)
+}
+
+/************************************/
+/********* ERROR MANAGEMENT *********/
+/************************************/
+
+// Error attaches an error to the current context. The error is pushed to a list of errors.
+// It's a good idea to call Error for each error that occurred during the resolution of a request.
+// A middleware can be used to collect all the errors and push them to a database together,
+// print a log, or append it in the HTTP response.
+// Error will panic if err is nil.
+func (c *Context) Error(err error) *Error {
+ if err == nil {
+ panic("err is nil")
+ }
+
+ parsedError, ok := err.(*Error)
+ if !ok {
+ parsedError = &Error{
+ Err: err,
+ Type: ErrorTypePrivate,
+ }
+ }
+
+ c.Errors = append(c.Errors, parsedError)
+ return parsedError
+}
+
+/************************************/
+/******** METADATA MANAGEMENT********/
+/************************************/
+
+// Set is used to store a new key/value pair exclusively for this context.
+// It also lazy initializes c.Keys if it was not used previously.
+func (c *Context) Set(key string, value interface{}) {
+ c.mu.Lock()
+ if c.Keys == nil {
+ c.Keys = make(map[string]interface{})
+ }
+
+ c.Keys[key] = value
+ c.mu.Unlock()
+}
+
+// Get returns the value for the given key, ie: (value, true).
+// If the value does not exists it returns (nil, false)
+func (c *Context) Get(key string) (value interface{}, exists bool) {
+ c.mu.RLock()
+ value, exists = c.Keys[key]
+ c.mu.RUnlock()
+ return
+}
+
+// MustGet returns the value for the given key if it exists, otherwise it panics.
+func (c *Context) MustGet(key string) interface{} {
+ if value, exists := c.Get(key); exists {
+ return value
+ }
+ panic("Key \"" + key + "\" does not exist")
+}
+
+// GetString returns the value associated with the key as a string.
+func (c *Context) GetString(key string) (s string) {
+ if val, ok := c.Get(key); ok && val != nil {
+ s, _ = val.(string)
+ }
+ return
+}
+
+// GetBool returns the value associated with the key as a boolean.
+func (c *Context) GetBool(key string) (b bool) {
+ if val, ok := c.Get(key); ok && val != nil {
+ b, _ = val.(bool)
+ }
+ return
+}
+
+// GetInt returns the value associated with the key as an integer.
+func (c *Context) GetInt(key string) (i int) {
+ if val, ok := c.Get(key); ok && val != nil {
+ i, _ = val.(int)
+ }
+ return
+}
+
+// GetInt64 returns the value associated with the key as an integer.
+func (c *Context) GetInt64(key string) (i64 int64) {
+ if val, ok := c.Get(key); ok && val != nil {
+ i64, _ = val.(int64)
+ }
+ return
+}
+
+// GetUint returns the value associated with the key as an unsigned integer.
+func (c *Context) GetUint(key string) (ui uint) {
+ if val, ok := c.Get(key); ok && val != nil {
+ ui, _ = val.(uint)
+ }
+ return
+}
+
+// GetUint64 returns the value associated with the key as an unsigned integer.
+func (c *Context) GetUint64(key string) (ui64 uint64) {
+ if val, ok := c.Get(key); ok && val != nil {
+ ui64, _ = val.(uint64)
+ }
+ return
+}
+
+// GetFloat64 returns the value associated with the key as a float64.
+func (c *Context) GetFloat64(key string) (f64 float64) {
+ if val, ok := c.Get(key); ok && val != nil {
+ f64, _ = val.(float64)
+ }
+ return
+}
+
+// GetTime returns the value associated with the key as time.
+func (c *Context) GetTime(key string) (t time.Time) {
+ if val, ok := c.Get(key); ok && val != nil {
+ t, _ = val.(time.Time)
+ }
+ return
+}
+
+// GetDuration returns the value associated with the key as a duration.
+func (c *Context) GetDuration(key string) (d time.Duration) {
+ if val, ok := c.Get(key); ok && val != nil {
+ d, _ = val.(time.Duration)
+ }
+ return
+}
+
+// GetStringSlice returns the value associated with the key as a slice of strings.
+func (c *Context) GetStringSlice(key string) (ss []string) {
+ if val, ok := c.Get(key); ok && val != nil {
+ ss, _ = val.([]string)
+ }
+ return
+}
+
+// GetStringMap returns the value associated with the key as a map of interfaces.
+func (c *Context) GetStringMap(key string) (sm map[string]interface{}) {
+ if val, ok := c.Get(key); ok && val != nil {
+ sm, _ = val.(map[string]interface{})
+ }
+ return
+}
+
+// GetStringMapString returns the value associated with the key as a map of strings.
+func (c *Context) GetStringMapString(key string) (sms map[string]string) {
+ if val, ok := c.Get(key); ok && val != nil {
+ sms, _ = val.(map[string]string)
+ }
+ return
+}
+
+// GetStringMapStringSlice returns the value associated with the key as a map to a slice of strings.
+func (c *Context) GetStringMapStringSlice(key string) (smss map[string][]string) {
+ if val, ok := c.Get(key); ok && val != nil {
+ smss, _ = val.(map[string][]string)
+ }
+ return
+}
+
+/************************************/
+/************ INPUT DATA ************/
+/************************************/
+
+// Param returns the value of the URL param.
+// It is a shortcut for c.Params.ByName(key)
+// router.GET("/user/:id", func(c *gin.Context) {
+// // a GET request to /user/john
+// id := c.Param("id") // id == "john"
+// })
+func (c *Context) Param(key string) string {
+ return c.Params.ByName(key)
+}
+
+// Query returns the keyed url query value if it exists,
+// otherwise it returns an empty string `("")`.
+// It is shortcut for `c.Request.URL.Query().Get(key)`
+// GET /path?id=1234&name=Manu&value=
+// c.Query("id") == "1234"
+// c.Query("name") == "Manu"
+// c.Query("value") == ""
+// c.Query("wtf") == ""
+func (c *Context) Query(key string) string {
+ value, _ := c.GetQuery(key)
+ return value
+}
+
+// DefaultQuery returns the keyed url query value if it exists,
+// otherwise it returns the specified defaultValue string.
+// See: Query() and GetQuery() for further information.
+// GET /?name=Manu&lastname=
+// c.DefaultQuery("name", "unknown") == "Manu"
+// c.DefaultQuery("id", "none") == "none"
+// c.DefaultQuery("lastname", "none") == ""
+func (c *Context) DefaultQuery(key, defaultValue string) string {
+ if value, ok := c.GetQuery(key); ok {
+ return value
+ }
+ return defaultValue
+}
+
+// GetQuery is like Query(), it returns the keyed url query value
+// if it exists `(value, true)` (even when the value is an empty string),
+// otherwise it returns `("", false)`.
+// It is shortcut for `c.Request.URL.Query().Get(key)`
+// GET /?name=Manu&lastname=
+// ("Manu", true) == c.GetQuery("name")
+// ("", false) == c.GetQuery("id")
+// ("", true) == c.GetQuery("lastname")
+func (c *Context) GetQuery(key string) (string, bool) {
+ if values, ok := c.GetQueryArray(key); ok {
+ return values[0], ok
+ }
+ return "", false
+}
+
+// QueryArray returns a slice of strings for a given query key.
+// The length of the slice depends on the number of params with the given key.
+func (c *Context) QueryArray(key string) []string {
+ values, _ := c.GetQueryArray(key)
+ return values
+}
+
+func (c *Context) initQueryCache() {
+ if c.queryCache == nil {
+ if c.Request != nil {
+ c.queryCache = c.Request.URL.Query()
+ } else {
+ c.queryCache = url.Values{}
+ }
+ }
+}
+
+// GetQueryArray returns a slice of strings for a given query key, plus
+// a boolean value whether at least one value exists for the given key.
+func (c *Context) GetQueryArray(key string) ([]string, bool) {
+ c.initQueryCache()
+ if values, ok := c.queryCache[key]; ok && len(values) > 0 {
+ return values, true
+ }
+ return []string{}, false
+}
+
+// QueryMap returns a map for a given query key.
+func (c *Context) QueryMap(key string) map[string]string {
+ dicts, _ := c.GetQueryMap(key)
+ return dicts
+}
+
+// GetQueryMap returns a map for a given query key, plus a boolean value
+// whether at least one value exists for the given key.
+func (c *Context) GetQueryMap(key string) (map[string]string, bool) {
+ c.initQueryCache()
+ return c.get(c.queryCache, key)
+}
+
+// PostForm returns the specified key from a POST urlencoded form or multipart form
+// when it exists, otherwise it returns an empty string `("")`.
+func (c *Context) PostForm(key string) string {
+ value, _ := c.GetPostForm(key)
+ return value
+}
+
+// DefaultPostForm returns the specified key from a POST urlencoded form or multipart form
+// when it exists, otherwise it returns the specified defaultValue string.
+// See: PostForm() and GetPostForm() for further information.
+func (c *Context) DefaultPostForm(key, defaultValue string) string {
+ if value, ok := c.GetPostForm(key); ok {
+ return value
+ }
+ return defaultValue
+}
+
+// GetPostForm is like PostForm(key). It returns the specified key from a POST urlencoded
+// form or multipart form when it exists `(value, true)` (even when the value is an empty string),
+// otherwise it returns ("", false).
+// For example, during a PATCH request to update the user's email:
+// email=mail@example.com --> ("mail@example.com", true) := GetPostForm("email") // set email to "mail@example.com"
+// email= --> ("", true) := GetPostForm("email") // set email to ""
+// --> ("", false) := GetPostForm("email") // do nothing with email
+func (c *Context) GetPostForm(key string) (string, bool) {
+ if values, ok := c.GetPostFormArray(key); ok {
+ return values[0], ok
+ }
+ return "", false
+}
+
+// PostFormArray returns a slice of strings for a given form key.
+// The length of the slice depends on the number of params with the given key.
+func (c *Context) PostFormArray(key string) []string {
+ values, _ := c.GetPostFormArray(key)
+ return values
+}
+
+func (c *Context) initFormCache() {
+ if c.formCache == nil {
+ c.formCache = make(url.Values)
+ req := c.Request
+ if err := req.ParseMultipartForm(c.engine.MaxMultipartMemory); err != nil {
+ if err != http.ErrNotMultipart {
+ debugPrint("error on parse multipart form array: %v", err)
+ }
+ }
+ c.formCache = req.PostForm
+ }
+}
+
+// GetPostFormArray returns a slice of strings for a given form key, plus
+// a boolean value whether at least one value exists for the given key.
+func (c *Context) GetPostFormArray(key string) ([]string, bool) {
+ c.initFormCache()
+ if values := c.formCache[key]; len(values) > 0 {
+ return values, true
+ }
+ return []string{}, false
+}
+
+// PostFormMap returns a map for a given form key.
+func (c *Context) PostFormMap(key string) map[string]string {
+ dicts, _ := c.GetPostFormMap(key)
+ return dicts
+}
+
+// GetPostFormMap returns a map for a given form key, plus a boolean value
+// whether at least one value exists for the given key.
+func (c *Context) GetPostFormMap(key string) (map[string]string, bool) {
+ c.initFormCache()
+ return c.get(c.formCache, key)
+}
+
+// get is an internal method and returns a map which satisfy conditions.
+func (c *Context) get(m map[string][]string, key string) (map[string]string, bool) {
+ dicts := make(map[string]string)
+ exist := false
+ for k, v := range m {
+ if i := strings.IndexByte(k, '['); i >= 1 && k[0:i] == key {
+ if j := strings.IndexByte(k[i+1:], ']'); j >= 1 {
+ exist = true
+ dicts[k[i+1:][:j]] = v[0]
+ }
+ }
+ }
+ return dicts, exist
+}
+
+// FormFile returns the first file for the provided form key.
+func (c *Context) FormFile(name string) (*multipart.FileHeader, error) {
+ if c.Request.MultipartForm == nil {
+ if err := c.Request.ParseMultipartForm(c.engine.MaxMultipartMemory); err != nil {
+ return nil, err
+ }
+ }
+ f, fh, err := c.Request.FormFile(name)
+ if err != nil {
+ return nil, err
+ }
+ f.Close()
+ return fh, err
+}
+
+// MultipartForm is the parsed multipart form, including file uploads.
+func (c *Context) MultipartForm() (*multipart.Form, error) {
+ err := c.Request.ParseMultipartForm(c.engine.MaxMultipartMemory)
+ return c.Request.MultipartForm, err
+}
+
+// SaveUploadedFile uploads the form file to specific dst.
+func (c *Context) SaveUploadedFile(file *multipart.FileHeader, dst string) error {
+ src, err := file.Open()
+ if err != nil {
+ return err
+ }
+ defer src.Close()
+
+ out, err := os.Create(dst)
+ if err != nil {
+ return err
+ }
+ defer out.Close()
+
+ _, err = io.Copy(out, src)
+ return err
+}
+
+// Bind checks the Content-Type to select a binding engine automatically,
+// Depending the "Content-Type" header different bindings are used:
+// "application/json" --> JSON binding
+// "application/xml" --> XML binding
+// otherwise --> returns an error.
+// It parses the request's body as JSON if Content-Type == "application/json" using JSON or XML as a JSON input.
+// It decodes the json payload into the struct specified as a pointer.
+// It writes a 400 error and sets Content-Type header "text/plain" in the response if input is not valid.
+func (c *Context) Bind(obj interface{}) error {
+ b := binding.Default(c.Request.Method, c.ContentType())
+ return c.MustBindWith(obj, b)
+}
+
+// BindJSON is a shortcut for c.MustBindWith(obj, binding.JSON).
+func (c *Context) BindJSON(obj interface{}) error {
+ return c.MustBindWith(obj, binding.JSON)
+}
+
+// BindXML is a shortcut for c.MustBindWith(obj, binding.BindXML).
+func (c *Context) BindXML(obj interface{}) error {
+ return c.MustBindWith(obj, binding.XML)
+}
+
+// BindQuery is a shortcut for c.MustBindWith(obj, binding.Query).
+func (c *Context) BindQuery(obj interface{}) error {
+ return c.MustBindWith(obj, binding.Query)
+}
+
+// BindYAML is a shortcut for c.MustBindWith(obj, binding.YAML).
+func (c *Context) BindYAML(obj interface{}) error {
+ return c.MustBindWith(obj, binding.YAML)
+}
+
+// BindHeader is a shortcut for c.MustBindWith(obj, binding.Header).
+func (c *Context) BindHeader(obj interface{}) error {
+ return c.MustBindWith(obj, binding.Header)
+}
+
+// BindUri binds the passed struct pointer using binding.Uri.
+// It will abort the request with HTTP 400 if any error occurs.
+func (c *Context) BindUri(obj interface{}) error {
+ if err := c.ShouldBindUri(obj); err != nil {
+ c.AbortWithError(http.StatusBadRequest, err).SetType(ErrorTypeBind) // nolint: errcheck
+ return err
+ }
+ return nil
+}
+
+// MustBindWith binds the passed struct pointer using the specified binding engine.
+// It will abort the request with HTTP 400 if any error occurs.
+// See the binding package.
+func (c *Context) MustBindWith(obj interface{}, b binding.Binding) error {
+ if err := c.ShouldBindWith(obj, b); err != nil {
+ c.AbortWithError(http.StatusBadRequest, err).SetType(ErrorTypeBind) // nolint: errcheck
+ return err
+ }
+ return nil
+}
+
+// ShouldBind checks the Content-Type to select a binding engine automatically,
+// Depending the "Content-Type" header different bindings are used:
+// "application/json" --> JSON binding
+// "application/xml" --> XML binding
+// otherwise --> returns an error
+// It parses the request's body as JSON if Content-Type == "application/json" using JSON or XML as a JSON input.
+// It decodes the json payload into the struct specified as a pointer.
+// Like c.Bind() but this method does not set the response status code to 400 and abort if the json is not valid.
+func (c *Context) ShouldBind(obj interface{}) error {
+ b := binding.Default(c.Request.Method, c.ContentType())
+ return c.ShouldBindWith(obj, b)
+}
+
+// ShouldBindJSON is a shortcut for c.ShouldBindWith(obj, binding.JSON).
+func (c *Context) ShouldBindJSON(obj interface{}) error {
+ return c.ShouldBindWith(obj, binding.JSON)
+}
+
+// ShouldBindXML is a shortcut for c.ShouldBindWith(obj, binding.XML).
+func (c *Context) ShouldBindXML(obj interface{}) error {
+ return c.ShouldBindWith(obj, binding.XML)
+}
+
+// ShouldBindQuery is a shortcut for c.ShouldBindWith(obj, binding.Query).
+func (c *Context) ShouldBindQuery(obj interface{}) error {
+ return c.ShouldBindWith(obj, binding.Query)
+}
+
+// ShouldBindYAML is a shortcut for c.ShouldBindWith(obj, binding.YAML).
+func (c *Context) ShouldBindYAML(obj interface{}) error {
+ return c.ShouldBindWith(obj, binding.YAML)
+}
+
+// ShouldBindHeader is a shortcut for c.ShouldBindWith(obj, binding.Header).
+func (c *Context) ShouldBindHeader(obj interface{}) error {
+ return c.ShouldBindWith(obj, binding.Header)
+}
+
+// ShouldBindUri binds the passed struct pointer using the specified binding engine.
+func (c *Context) ShouldBindUri(obj interface{}) error {
+ m := make(map[string][]string)
+ for _, v := range c.Params {
+ m[v.Key] = []string{v.Value}
+ }
+ return binding.Uri.BindUri(m, obj)
+}
+
+// ShouldBindWith binds the passed struct pointer using the specified binding engine.
+// See the binding package.
+func (c *Context) ShouldBindWith(obj interface{}, b binding.Binding) error {
+ return b.Bind(c.Request, obj)
+}
+
+// ShouldBindBodyWith is similar with ShouldBindWith, but it stores the request
+// body into the context, and reuse when it is called again.
+//
+// NOTE: This method reads the body before binding. So you should use
+// ShouldBindWith for better performance if you need to call only once.
+func (c *Context) ShouldBindBodyWith(obj interface{}, bb binding.BindingBody) (err error) {
+ var body []byte
+ if cb, ok := c.Get(BodyBytesKey); ok {
+ if cbb, ok := cb.([]byte); ok {
+ body = cbb
+ }
+ }
+ if body == nil {
+ body, err = ioutil.ReadAll(c.Request.Body)
+ if err != nil {
+ return err
+ }
+ c.Set(BodyBytesKey, body)
+ }
+ return bb.BindBody(body, obj)
+}
+
+// ClientIP implements one best effort algorithm to return the real client IP.
+// It called c.RemoteIP() under the hood, to check if the remote IP is a trusted proxy or not.
+// If it is it will then try to parse the headers defined in Engine.RemoteIPHeaders (defaulting to [X-Forwarded-For, X-Real-Ip]).
+// If the headers are not syntactically valid OR the remote IP does not correspond to a trusted proxy,
+// the remote IP (coming form Request.RemoteAddr) is returned.
+func (c *Context) ClientIP() string {
+ // Check if we're running on a trusted platform, continue running backwards if error
+ if c.engine.TrustedPlatform != "" {
+ // Developers can define their own header of Trusted Platform or use predefined constants
+ if addr := c.requestHeader(c.engine.TrustedPlatform); addr != "" {
+ return addr
+ }
+ }
+
+ // Legacy "AppEngine" flag
+ if c.engine.AppEngine {
+ log.Println(`The AppEngine flag is going to be deprecated. Please check issues #2723 and #2739 and use 'TrustedPlatform: gin.PlatformGoogleAppEngine' instead.`)
+ if addr := c.requestHeader("X-Appengine-Remote-Addr"); addr != "" {
+ return addr
+ }
+ }
+
+ remoteIP, trusted := c.RemoteIP()
+ if remoteIP == nil {
+ return ""
+ }
+
+ if trusted && c.engine.ForwardedByClientIP && c.engine.RemoteIPHeaders != nil {
+ for _, headerName := range c.engine.RemoteIPHeaders {
+ ip, valid := c.engine.validateHeader(c.requestHeader(headerName))
+ if valid {
+ return ip
+ }
+ }
+ }
+ return remoteIP.String()
+}
+
+func (e *Engine) isTrustedProxy(ip net.IP) bool {
+ if e.trustedCIDRs != nil {
+ for _, cidr := range e.trustedCIDRs {
+ if cidr.Contains(ip) {
+ return true
+ }
+ }
+ }
+ return false
+}
+
+// RemoteIP parses the IP from Request.RemoteAddr, normalizes and returns the IP (without the port).
+// It also checks if the remoteIP is a trusted proxy or not.
+// In order to perform this validation, it will see if the IP is contained within at least one of the CIDR blocks
+// defined by Engine.SetTrustedProxies()
+func (c *Context) RemoteIP() (net.IP, bool) {
+ ip, _, err := net.SplitHostPort(strings.TrimSpace(c.Request.RemoteAddr))
+ if err != nil {
+ return nil, false
+ }
+ remoteIP := net.ParseIP(ip)
+ if remoteIP == nil {
+ return nil, false
+ }
+
+ return remoteIP, c.engine.isTrustedProxy(remoteIP)
+}
+
+func (e *Engine) validateHeader(header string) (clientIP string, valid bool) {
+ if header == "" {
+ return "", false
+ }
+ items := strings.Split(header, ",")
+ for i := len(items) - 1; i >= 0; i-- {
+ ipStr := strings.TrimSpace(items[i])
+ ip := net.ParseIP(ipStr)
+ if ip == nil {
+ return "", false
+ }
+
+ // X-Forwarded-For is appended by proxy
+ // Check IPs in reverse order and stop when find untrusted proxy
+ if (i == 0) || (!e.isTrustedProxy(ip)) {
+ return ipStr, true
+ }
+ }
+ return
+}
+
+// ContentType returns the Content-Type header of the request.
+func (c *Context) ContentType() string {
+ return filterFlags(c.requestHeader("Content-Type"))
+}
+
+// IsWebsocket returns true if the request headers indicate that a websocket
+// handshake is being initiated by the client.
+func (c *Context) IsWebsocket() bool {
+ if strings.Contains(strings.ToLower(c.requestHeader("Connection")), "upgrade") &&
+ strings.EqualFold(c.requestHeader("Upgrade"), "websocket") {
+ return true
+ }
+ return false
+}
+
+func (c *Context) requestHeader(key string) string {
+ return c.Request.Header.Get(key)
+}
+
+/************************************/
+/******** RESPONSE RENDERING ********/
+/************************************/
+
+// bodyAllowedForStatus is a copy of http.bodyAllowedForStatus non-exported function.
+func bodyAllowedForStatus(status int) bool {
+ switch {
+ case status >= 100 && status <= 199:
+ return false
+ case status == http.StatusNoContent:
+ return false
+ case status == http.StatusNotModified:
+ return false
+ }
+ return true
+}
+
+// Status sets the HTTP response code.
+func (c *Context) Status(code int) {
+ c.Writer.WriteHeader(code)
+}
+
+// Header is a intelligent shortcut for c.Writer.Header().Set(key, value).
+// It writes a header in the response.
+// If value == "", this method removes the header `c.Writer.Header().Del(key)`
+func (c *Context) Header(key, value string) {
+ if value == "" {
+ c.Writer.Header().Del(key)
+ return
+ }
+ c.Writer.Header().Set(key, value)
+}
+
+// GetHeader returns value from request headers.
+func (c *Context) GetHeader(key string) string {
+ return c.requestHeader(key)
+}
+
+// GetRawData return stream data.
+func (c *Context) GetRawData() ([]byte, error) {
+ return ioutil.ReadAll(c.Request.Body)
+}
+
+// SetSameSite with cookie
+func (c *Context) SetSameSite(samesite http.SameSite) {
+ c.sameSite = samesite
+}
+
+// SetCookie adds a Set-Cookie header to the ResponseWriter's headers.
+// The provided cookie must have a valid Name. Invalid cookies may be
+// silently dropped.
+func (c *Context) SetCookie(name, value string, maxAge int, path, domain string, secure, httpOnly bool) {
+ if path == "" {
+ path = "/"
+ }
+ http.SetCookie(c.Writer, &http.Cookie{
+ Name: name,
+ Value: url.QueryEscape(value),
+ MaxAge: maxAge,
+ Path: path,
+ Domain: domain,
+ SameSite: c.sameSite,
+ Secure: secure,
+ HttpOnly: httpOnly,
+ })
+}
+
+// Cookie returns the named cookie provided in the request or
+// ErrNoCookie if not found. And return the named cookie is unescaped.
+// If multiple cookies match the given name, only one cookie will
+// be returned.
+func (c *Context) Cookie(name string) (string, error) {
+ cookie, err := c.Request.Cookie(name)
+ if err != nil {
+ return "", err
+ }
+ val, _ := url.QueryUnescape(cookie.Value)
+ return val, nil
+}
+
+// Render writes the response headers and calls render.Render to render data.
+func (c *Context) Render(code int, r render.Render) {
+ c.Status(code)
+
+ if !bodyAllowedForStatus(code) {
+ r.WriteContentType(c.Writer)
+ c.Writer.WriteHeaderNow()
+ return
+ }
+
+ if err := r.Render(c.Writer); err != nil {
+ panic(err)
+ }
+}
+
+// HTML renders the HTTP template specified by its file name.
+// It also updates the HTTP code and sets the Content-Type as "text/html".
+// See http://golang.org/doc/articles/wiki/
+func (c *Context) HTML(code int, name string, obj interface{}) {
+ instance := c.engine.HTMLRender.Instance(name, obj)
+ c.Render(code, instance)
+}
+
+// IndentedJSON serializes the given struct as pretty JSON (indented + endlines) into the response body.
+// It also sets the Content-Type as "application/json".
+// WARNING: we recommend to use this only for development purposes since printing pretty JSON is
+// more CPU and bandwidth consuming. Use Context.JSON() instead.
+func (c *Context) IndentedJSON(code int, obj interface{}) {
+ c.Render(code, render.IndentedJSON{Data: obj})
+}
+
+// SecureJSON serializes the given struct as Secure JSON into the response body.
+// Default prepends "while(1)," to response body if the given struct is array values.
+// It also sets the Content-Type as "application/json".
+func (c *Context) SecureJSON(code int, obj interface{}) {
+ c.Render(code, render.SecureJSON{Prefix: c.engine.secureJSONPrefix, Data: obj})
+}
+
+// JSONP serializes the given struct as JSON into the response body.
+// It adds padding to response body to request data from a server residing in a different domain than the client.
+// It also sets the Content-Type as "application/javascript".
+func (c *Context) JSONP(code int, obj interface{}) {
+ callback := c.DefaultQuery("callback", "")
+ if callback == "" {
+ c.Render(code, render.JSON{Data: obj})
+ return
+ }
+ c.Render(code, render.JsonpJSON{Callback: callback, Data: obj})
+}
+
+// JSON serializes the given struct as JSON into the response body.
+// It also sets the Content-Type as "application/json".
+func (c *Context) JSON(code int, obj interface{}) {
+ c.Render(code, render.JSON{Data: obj})
+}
+
+// AsciiJSON serializes the given struct as JSON into the response body with unicode to ASCII string.
+// It also sets the Content-Type as "application/json".
+func (c *Context) AsciiJSON(code int, obj interface{}) {
+ c.Render(code, render.AsciiJSON{Data: obj})
+}
+
+// PureJSON serializes the given struct as JSON into the response body.
+// PureJSON, unlike JSON, does not replace special html characters with their unicode entities.
+func (c *Context) PureJSON(code int, obj interface{}) {
+ c.Render(code, render.PureJSON{Data: obj})
+}
+
+// XML serializes the given struct as XML into the response body.
+// It also sets the Content-Type as "application/xml".
+func (c *Context) XML(code int, obj interface{}) {
+ c.Render(code, render.XML{Data: obj})
+}
+
+// YAML serializes the given struct as YAML into the response body.
+func (c *Context) YAML(code int, obj interface{}) {
+ c.Render(code, render.YAML{Data: obj})
+}
+
+// ProtoBuf serializes the given struct as ProtoBuf into the response body.
+func (c *Context) ProtoBuf(code int, obj interface{}) {
+ c.Render(code, render.ProtoBuf{Data: obj})
+}
+
+// String writes the given string into the response body.
+func (c *Context) String(code int, format string, values ...interface{}) {
+ c.Render(code, render.String{Format: format, Data: values})
+}
+
+// Redirect returns a HTTP redirect to the specific location.
+func (c *Context) Redirect(code int, location string) {
+ c.Render(-1, render.Redirect{
+ Code: code,
+ Location: location,
+ Request: c.Request,
+ })
+}
+
+// Data writes some data into the body stream and updates the HTTP code.
+func (c *Context) Data(code int, contentType string, data []byte) {
+ c.Render(code, render.Data{
+ ContentType: contentType,
+ Data: data,
+ })
+}
+
+// DataFromReader writes the specified reader into the body stream and updates the HTTP code.
+func (c *Context) DataFromReader(code int, contentLength int64, contentType string, reader io.Reader, extraHeaders map[string]string) {
+ c.Render(code, render.Reader{
+ Headers: extraHeaders,
+ ContentType: contentType,
+ ContentLength: contentLength,
+ Reader: reader,
+ })
+}
+
+// File writes the specified file into the body stream in an efficient way.
+func (c *Context) File(filepath string) {
+ http.ServeFile(c.Writer, c.Request, filepath)
+}
+
+// FileFromFS writes the specified file from http.FileSystem into the body stream in an efficient way.
+func (c *Context) FileFromFS(filepath string, fs http.FileSystem) {
+ defer func(old string) {
+ c.Request.URL.Path = old
+ }(c.Request.URL.Path)
+
+ c.Request.URL.Path = filepath
+
+ http.FileServer(fs).ServeHTTP(c.Writer, c.Request)
+}
+
+// FileAttachment writes the specified file into the body stream in an efficient way
+// On the client side, the file will typically be downloaded with the given filename
+func (c *Context) FileAttachment(filepath, filename string) {
+ c.Writer.Header().Set("Content-Disposition", fmt.Sprintf("attachment; filename=\"%s\"", filename))
+ http.ServeFile(c.Writer, c.Request, filepath)
+}
+
+// SSEvent writes a Server-Sent Event into the body stream.
+func (c *Context) SSEvent(name string, message interface{}) {
+ c.Render(-1, sse.Event{
+ Event: name,
+ Data: message,
+ })
+}
+
+// Stream sends a streaming response and returns a boolean
+// indicates "Is client disconnected in middle of stream"
+func (c *Context) Stream(step func(w io.Writer) bool) bool {
+ w := c.Writer
+ clientGone := w.CloseNotify()
+ for {
+ select {
+ case <-clientGone:
+ return true
+ default:
+ keepOpen := step(w)
+ w.Flush()
+ if !keepOpen {
+ return false
+ }
+ }
+ }
+}
+
+/************************************/
+/******** CONTENT NEGOTIATION *******/
+/************************************/
+
+// Negotiate contains all negotiations data.
+type Negotiate struct {
+ Offered []string
+ HTMLName string
+ HTMLData interface{}
+ JSONData interface{}
+ XMLData interface{}
+ YAMLData interface{}
+ Data interface{}
+}
+
+// Negotiate calls different Render according acceptable Accept format.
+func (c *Context) Negotiate(code int, config Negotiate) {
+ switch c.NegotiateFormat(config.Offered...) {
+ case binding.MIMEJSON:
+ data := chooseData(config.JSONData, config.Data)
+ c.JSON(code, data)
+
+ case binding.MIMEHTML:
+ data := chooseData(config.HTMLData, config.Data)
+ c.HTML(code, config.HTMLName, data)
+
+ case binding.MIMEXML:
+ data := chooseData(config.XMLData, config.Data)
+ c.XML(code, data)
+
+ case binding.MIMEYAML:
+ data := chooseData(config.YAMLData, config.Data)
+ c.YAML(code, data)
+
+ default:
+ c.AbortWithError(http.StatusNotAcceptable, errors.New("the accepted formats are not offered by the server")) // nolint: errcheck
+ }
+}
+
+// NegotiateFormat returns an acceptable Accept format.
+func (c *Context) NegotiateFormat(offered ...string) string {
+ assert1(len(offered) > 0, "you must provide at least one offer")
+
+ if c.Accepted == nil {
+ c.Accepted = parseAccept(c.requestHeader("Accept"))
+ }
+ if len(c.Accepted) == 0 {
+ return offered[0]
+ }
+ for _, accepted := range c.Accepted {
+ for _, offer := range offered {
+ // According to RFC 2616 and RFC 2396, non-ASCII characters are not allowed in headers,
+ // therefore we can just iterate over the string without casting it into []rune
+ i := 0
+ for ; i < len(accepted); i++ {
+ if accepted[i] == '*' || offer[i] == '*' {
+ return offer
+ }
+ if accepted[i] != offer[i] {
+ break
+ }
+ }
+ if i == len(accepted) {
+ return offer
+ }
+ }
+ }
+ return ""
+}
+
+// SetAccepted sets Accept header data.
+func (c *Context) SetAccepted(formats ...string) {
+ c.Accepted = formats
+}
+
+/************************************/
+/***** GOLANG.ORG/X/NET/CONTEXT *****/
+/************************************/
+
+// Deadline always returns that there is no deadline (ok==false),
+// maybe you want to use Request.Context().Deadline() instead.
+func (c *Context) Deadline() (deadline time.Time, ok bool) {
+ return
+}
+
+// Done always returns nil (chan which will wait forever),
+// if you want to abort your work when the connection was closed
+// you should use Request.Context().Done() instead.
+func (c *Context) Done() <-chan struct{} {
+ return nil
+}
+
+// Err always returns nil, maybe you want to use Request.Context().Err() instead.
+func (c *Context) Err() error {
+ return nil
+}
+
+// Value returns the value associated with this context for key, or nil
+// if no value is associated with key. Successive calls to Value with
+// the same key returns the same result.
+func (c *Context) Value(key interface{}) interface{} {
+ if key == 0 {
+ return c.Request
+ }
+ if keyAsString, ok := key.(string); ok {
+ val, _ := c.Get(keyAsString)
+ return val
+ }
+ return nil
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/context_appengine.go b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/context_appengine.go
new file mode 100644
index 000000000000..8bf938961d31
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/context_appengine.go
@@ -0,0 +1,12 @@
+// Copyright 2017 Manu Martinez-Almeida. All rights reserved.
+// Use of this source code is governed by a MIT style
+// license that can be found in the LICENSE file.
+
+//go:build appengine
+// +build appengine
+
+package gin
+
+func init() {
+ defaultPlatform = PlatformGoogleAppEngine
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/debug.go b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/debug.go
new file mode 100644
index 000000000000..9bacc68571c1
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/debug.go
@@ -0,0 +1,103 @@
+// Copyright 2014 Manu Martinez-Almeida. All rights reserved.
+// Use of this source code is governed by a MIT style
+// license that can be found in the LICENSE file.
+
+package gin
+
+import (
+ "fmt"
+ "html/template"
+ "runtime"
+ "strconv"
+ "strings"
+)
+
+const ginSupportMinGoVer = 13
+
+// IsDebugging returns true if the framework is running in debug mode.
+// Use SetMode(gin.ReleaseMode) to disable debug mode.
+func IsDebugging() bool {
+ return ginMode == debugCode
+}
+
+// DebugPrintRouteFunc indicates debug log output format.
+var DebugPrintRouteFunc func(httpMethod, absolutePath, handlerName string, nuHandlers int)
+
+func debugPrintRoute(httpMethod, absolutePath string, handlers HandlersChain) {
+ if IsDebugging() {
+ nuHandlers := len(handlers)
+ handlerName := nameOfFunction(handlers.Last())
+ if DebugPrintRouteFunc == nil {
+ debugPrint("%-6s %-25s --> %s (%d handlers)\n", httpMethod, absolutePath, handlerName, nuHandlers)
+ } else {
+ DebugPrintRouteFunc(httpMethod, absolutePath, handlerName, nuHandlers)
+ }
+ }
+}
+
+func debugPrintLoadTemplate(tmpl *template.Template) {
+ if IsDebugging() {
+ var buf strings.Builder
+ for _, tmpl := range tmpl.Templates() {
+ buf.WriteString("\t- ")
+ buf.WriteString(tmpl.Name())
+ buf.WriteString("\n")
+ }
+ debugPrint("Loaded HTML Templates (%d): \n%s\n", len(tmpl.Templates()), buf.String())
+ }
+}
+
+func debugPrint(format string, values ...interface{}) {
+ if IsDebugging() {
+ if !strings.HasSuffix(format, "\n") {
+ format += "\n"
+ }
+ fmt.Fprintf(DefaultWriter, "[GIN-debug] "+format, values...)
+ }
+}
+
+func getMinVer(v string) (uint64, error) {
+ first := strings.IndexByte(v, '.')
+ last := strings.LastIndexByte(v, '.')
+ if first == last {
+ return strconv.ParseUint(v[first+1:], 10, 64)
+ }
+ return strconv.ParseUint(v[first+1:last], 10, 64)
+}
+
+func debugPrintWARNINGDefault() {
+ if v, e := getMinVer(runtime.Version()); e == nil && v <= ginSupportMinGoVer {
+ debugPrint(`[WARNING] Now Gin requires Go 1.13+.
+
+`)
+ }
+ debugPrint(`[WARNING] Creating an Engine instance with the Logger and Recovery middleware already attached.
+
+`)
+}
+
+func debugPrintWARNINGNew() {
+ debugPrint(`[WARNING] Running in "debug" mode. Switch to "release" mode in production.
+ - using env: export GIN_MODE=release
+ - using code: gin.SetMode(gin.ReleaseMode)
+
+`)
+}
+
+func debugPrintWARNINGSetHTMLTemplate() {
+ debugPrint(`[WARNING] Since SetHTMLTemplate() is NOT thread-safe. It should only be called
+at initialization. ie. before any route is registered or the router is listening in a socket:
+
+ router := gin.Default()
+ router.SetHTMLTemplate(template) // << good place
+
+`)
+}
+
+func debugPrintError(err error) {
+ if err != nil {
+ if IsDebugging() {
+ fmt.Fprintf(DefaultErrorWriter, "[GIN-debug] [ERROR] %v\n", err)
+ }
+ }
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/deprecated.go b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/deprecated.go
new file mode 100644
index 000000000000..ab4474296e5b
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/deprecated.go
@@ -0,0 +1,21 @@
+// Copyright 2014 Manu Martinez-Almeida. All rights reserved.
+// Use of this source code is governed by a MIT style
+// license that can be found in the LICENSE file.
+
+package gin
+
+import (
+ "log"
+
+ "github.com/gin-gonic/gin/binding"
+)
+
+// BindWith binds the passed struct pointer using the specified binding engine.
+// See the binding package.
+func (c *Context) BindWith(obj interface{}, b binding.Binding) error {
+ log.Println(`BindWith(\"interface{}, binding.Binding\") error is going to
+ be deprecated, please check issue #662 and either use MustBindWith() if you
+ want HTTP 400 to be automatically returned if any error occur, or use
+ ShouldBindWith() if you need to manage the error.`)
+ return c.MustBindWith(obj, b)
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/doc.go b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/doc.go
new file mode 100644
index 000000000000..1bd03864f17b
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/doc.go
@@ -0,0 +1,6 @@
+/*
+Package gin implements a HTTP web framework called gin.
+
+See https://gin-gonic.com/ for more information about gin.
+*/
+package gin // import "github.com/gin-gonic/gin"
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/errors.go b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/errors.go
new file mode 100644
index 000000000000..0f276c13d4c9
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/errors.go
@@ -0,0 +1,174 @@
+// Copyright 2014 Manu Martinez-Almeida. All rights reserved.
+// Use of this source code is governed by a MIT style
+// license that can be found in the LICENSE file.
+
+package gin
+
+import (
+ "fmt"
+ "reflect"
+ "strings"
+
+ "github.com/gin-gonic/gin/internal/json"
+)
+
+// ErrorType is an unsigned 64-bit error code as defined in the gin spec.
+type ErrorType uint64
+
+const (
+ // ErrorTypeBind is used when Context.Bind() fails.
+ ErrorTypeBind ErrorType = 1 << 63
+ // ErrorTypeRender is used when Context.Render() fails.
+ ErrorTypeRender ErrorType = 1 << 62
+ // ErrorTypePrivate indicates a private error.
+ ErrorTypePrivate ErrorType = 1 << 0
+ // ErrorTypePublic indicates a public error.
+ ErrorTypePublic ErrorType = 1 << 1
+ // ErrorTypeAny indicates any other error.
+ ErrorTypeAny ErrorType = 1<<64 - 1
+ // ErrorTypeNu indicates any other error.
+ ErrorTypeNu = 2
+)
+
+// Error represents a error's specification.
+type Error struct {
+ Err error
+ Type ErrorType
+ Meta interface{}
+}
+
+type errorMsgs []*Error
+
+var _ error = &Error{}
+
+// SetType sets the error's type.
+func (msg *Error) SetType(flags ErrorType) *Error {
+ msg.Type = flags
+ return msg
+}
+
+// SetMeta sets the error's meta data.
+func (msg *Error) SetMeta(data interface{}) *Error {
+ msg.Meta = data
+ return msg
+}
+
+// JSON creates a properly formatted JSON
+func (msg *Error) JSON() interface{} {
+ jsonData := H{}
+ if msg.Meta != nil {
+ value := reflect.ValueOf(msg.Meta)
+ switch value.Kind() {
+ case reflect.Struct:
+ return msg.Meta
+ case reflect.Map:
+ for _, key := range value.MapKeys() {
+ jsonData[key.String()] = value.MapIndex(key).Interface()
+ }
+ default:
+ jsonData["meta"] = msg.Meta
+ }
+ }
+ if _, ok := jsonData["error"]; !ok {
+ jsonData["error"] = msg.Error()
+ }
+ return jsonData
+}
+
+// MarshalJSON implements the json.Marshaller interface.
+func (msg *Error) MarshalJSON() ([]byte, error) {
+ return json.Marshal(msg.JSON())
+}
+
+// Error implements the error interface.
+func (msg Error) Error() string {
+ return msg.Err.Error()
+}
+
+// IsType judges one error.
+func (msg *Error) IsType(flags ErrorType) bool {
+ return (msg.Type & flags) > 0
+}
+
+// Unwrap returns the wrapped error, to allow interoperability with errors.Is(), errors.As() and errors.Unwrap()
+func (msg *Error) Unwrap() error {
+ return msg.Err
+}
+
+// ByType returns a readonly copy filtered the byte.
+// ie ByType(gin.ErrorTypePublic) returns a slice of errors with type=ErrorTypePublic.
+func (a errorMsgs) ByType(typ ErrorType) errorMsgs {
+ if len(a) == 0 {
+ return nil
+ }
+ if typ == ErrorTypeAny {
+ return a
+ }
+ var result errorMsgs
+ for _, msg := range a {
+ if msg.IsType(typ) {
+ result = append(result, msg)
+ }
+ }
+ return result
+}
+
+// Last returns the last error in the slice. It returns nil if the array is empty.
+// Shortcut for errors[len(errors)-1].
+func (a errorMsgs) Last() *Error {
+ if length := len(a); length > 0 {
+ return a[length-1]
+ }
+ return nil
+}
+
+// Errors returns an array will all the error messages.
+// Example:
+// c.Error(errors.New("first"))
+// c.Error(errors.New("second"))
+// c.Error(errors.New("third"))
+// c.Errors.Errors() // == []string{"first", "second", "third"}
+func (a errorMsgs) Errors() []string {
+ if len(a) == 0 {
+ return nil
+ }
+ errorStrings := make([]string, len(a))
+ for i, err := range a {
+ errorStrings[i] = err.Error()
+ }
+ return errorStrings
+}
+
+func (a errorMsgs) JSON() interface{} {
+ switch length := len(a); length {
+ case 0:
+ return nil
+ case 1:
+ return a.Last().JSON()
+ default:
+ jsonData := make([]interface{}, length)
+ for i, err := range a {
+ jsonData[i] = err.JSON()
+ }
+ return jsonData
+ }
+}
+
+// MarshalJSON implements the json.Marshaller interface.
+func (a errorMsgs) MarshalJSON() ([]byte, error) {
+ return json.Marshal(a.JSON())
+}
+
+func (a errorMsgs) String() string {
+ if len(a) == 0 {
+ return ""
+ }
+ var buffer strings.Builder
+ for i, msg := range a {
+ fmt.Fprintf(&buffer, "Error #%02d: %s\n", i+1, msg.Err)
+ if msg.Meta != nil {
+ fmt.Fprintf(&buffer, " Meta: %v\n", msg.Meta)
+ }
+ }
+ return buffer.String()
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/fs.go b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/fs.go
new file mode 100644
index 000000000000..007d9b75514f
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/fs.go
@@ -0,0 +1,45 @@
+// Copyright 2017 Manu Martinez-Almeida. All rights reserved.
+// Use of this source code is governed by a MIT style
+// license that can be found in the LICENSE file.
+
+package gin
+
+import (
+ "net/http"
+ "os"
+)
+
+type onlyFilesFS struct {
+ fs http.FileSystem
+}
+
+type neuteredReaddirFile struct {
+ http.File
+}
+
+// Dir returns a http.Filesystem that can be used by http.FileServer(). It is used internally
+// in router.Static().
+// if listDirectory == true, then it works the same as http.Dir() otherwise it returns
+// a filesystem that prevents http.FileServer() to list the directory files.
+func Dir(root string, listDirectory bool) http.FileSystem {
+ fs := http.Dir(root)
+ if listDirectory {
+ return fs
+ }
+ return &onlyFilesFS{fs}
+}
+
+// Open conforms to http.Filesystem.
+func (fs onlyFilesFS) Open(name string) (http.File, error) {
+ f, err := fs.fs.Open(name)
+ if err != nil {
+ return nil, err
+ }
+ return neuteredReaddirFile{f}, nil
+}
+
+// Readdir overrides the http.File default implementation.
+func (f neuteredReaddirFile) Readdir(count int) ([]os.FileInfo, error) {
+ // this disables directory listing
+ return nil, nil
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/gin.go b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/gin.go
new file mode 100644
index 000000000000..58e76f41fbe7
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/gin.go
@@ -0,0 +1,643 @@
+// Copyright 2014 Manu Martinez-Almeida. All rights reserved.
+// Use of this source code is governed by a MIT style
+// license that can be found in the LICENSE file.
+
+package gin
+
+import (
+ "fmt"
+ "html/template"
+ "net"
+ "net/http"
+ "os"
+ "path"
+ "reflect"
+ "strings"
+ "sync"
+
+ "github.com/gin-gonic/gin/internal/bytesconv"
+ "github.com/gin-gonic/gin/render"
+)
+
+const defaultMultipartMemory = 32 << 20 // 32 MB
+
+var (
+ default404Body = []byte("404 page not found")
+ default405Body = []byte("405 method not allowed")
+)
+
+var defaultPlatform string
+
+var defaultTrustedCIDRs = []*net.IPNet{{IP: net.IP{0x0, 0x0, 0x0, 0x0}, Mask: net.IPMask{0x0, 0x0, 0x0, 0x0}}} // 0.0.0.0/0
+
+// HandlerFunc defines the handler used by gin middleware as return value.
+type HandlerFunc func(*Context)
+
+// HandlersChain defines a HandlerFunc array.
+type HandlersChain []HandlerFunc
+
+// Last returns the last handler in the chain. ie. the last handler is the main one.
+func (c HandlersChain) Last() HandlerFunc {
+ if length := len(c); length > 0 {
+ return c[length-1]
+ }
+ return nil
+}
+
+// RouteInfo represents a request route's specification which contains method and path and its handler.
+type RouteInfo struct {
+ Method string
+ Path string
+ Handler string
+ HandlerFunc HandlerFunc
+}
+
+// RoutesInfo defines a RouteInfo array.
+type RoutesInfo []RouteInfo
+
+// Trusted platforms
+const (
+ // When running on Google App Engine. Trust X-Appengine-Remote-Addr
+ // for determining the client's IP
+ PlatformGoogleAppEngine = "X-Appengine-Remote-Addr"
+ // When using Cloudflare's CDN. Trust CF-Connecting-IP for determining
+ // the client's IP
+ PlatformCloudflare = "CF-Connecting-IP"
+)
+
+// Engine is the framework's instance, it contains the muxer, middleware and configuration settings.
+// Create an instance of Engine, by using New() or Default()
+type Engine struct {
+ RouterGroup
+
+ // Enables automatic redirection if the current route can't be matched but a
+ // handler for the path with (without) the trailing slash exists.
+ // For example if /foo/ is requested but a route only exists for /foo, the
+ // client is redirected to /foo with http status code 301 for GET requests
+ // and 307 for all other request methods.
+ RedirectTrailingSlash bool
+
+ // If enabled, the router tries to fix the current request path, if no
+ // handle is registered for it.
+ // First superfluous path elements like ../ or // are removed.
+ // Afterwards the router does a case-insensitive lookup of the cleaned path.
+ // If a handle can be found for this route, the router makes a redirection
+ // to the corrected path with status code 301 for GET requests and 307 for
+ // all other request methods.
+ // For example /FOO and /..//Foo could be redirected to /foo.
+ // RedirectTrailingSlash is independent of this option.
+ RedirectFixedPath bool
+
+ // If enabled, the router checks if another method is allowed for the
+ // current route, if the current request can not be routed.
+ // If this is the case, the request is answered with 'Method Not Allowed'
+ // and HTTP status code 405.
+ // If no other Method is allowed, the request is delegated to the NotFound
+ // handler.
+ HandleMethodNotAllowed bool
+
+ // If enabled, client IP will be parsed from the request's headers that
+ // match those stored at `(*gin.Engine).RemoteIPHeaders`. If no IP was
+ // fetched, it falls back to the IP obtained from
+ // `(*gin.Context).Request.RemoteAddr`.
+ ForwardedByClientIP bool
+
+ // DEPRECATED: USE `TrustedPlatform` WITH VALUE `gin.GoogleAppEngine` INSTEAD
+ // #726 #755 If enabled, it will trust some headers starting with
+ // 'X-AppEngine...' for better integration with that PaaS.
+ AppEngine bool
+
+ // If enabled, the url.RawPath will be used to find parameters.
+ UseRawPath bool
+
+ // If true, the path value will be unescaped.
+ // If UseRawPath is false (by default), the UnescapePathValues effectively is true,
+ // as url.Path gonna be used, which is already unescaped.
+ UnescapePathValues bool
+
+ // RemoveExtraSlash a parameter can be parsed from the URL even with extra slashes.
+ // See the PR #1817 and issue #1644
+ RemoveExtraSlash bool
+
+ // List of headers used to obtain the client IP when
+ // `(*gin.Engine).ForwardedByClientIP` is `true` and
+ // `(*gin.Context).Request.RemoteAddr` is matched by at least one of the
+ // network origins of list defined by `(*gin.Engine).SetTrustedProxies()`.
+ RemoteIPHeaders []string
+
+ // If set to a constant of value gin.Platform*, trusts the headers set by
+ // that platform, for example to determine the client IP
+ TrustedPlatform string
+
+ // Value of 'maxMemory' param that is given to http.Request's ParseMultipartForm
+ // method call.
+ MaxMultipartMemory int64
+
+ delims render.Delims
+ secureJSONPrefix string
+ HTMLRender render.HTMLRender
+ FuncMap template.FuncMap
+ allNoRoute HandlersChain
+ allNoMethod HandlersChain
+ noRoute HandlersChain
+ noMethod HandlersChain
+ pool sync.Pool
+ trees methodTrees
+ maxParams uint16
+ maxSections uint16
+ trustedProxies []string
+ trustedCIDRs []*net.IPNet
+}
+
+var _ IRouter = &Engine{}
+
+// New returns a new blank Engine instance without any middleware attached.
+// By default the configuration is:
+// - RedirectTrailingSlash: true
+// - RedirectFixedPath: false
+// - HandleMethodNotAllowed: false
+// - ForwardedByClientIP: true
+// - UseRawPath: false
+// - UnescapePathValues: true
+func New() *Engine {
+ debugPrintWARNINGNew()
+ engine := &Engine{
+ RouterGroup: RouterGroup{
+ Handlers: nil,
+ basePath: "/",
+ root: true,
+ },
+ FuncMap: template.FuncMap{},
+ RedirectTrailingSlash: true,
+ RedirectFixedPath: false,
+ HandleMethodNotAllowed: false,
+ ForwardedByClientIP: true,
+ RemoteIPHeaders: []string{"X-Forwarded-For", "X-Real-IP"},
+ TrustedPlatform: defaultPlatform,
+ UseRawPath: false,
+ RemoveExtraSlash: false,
+ UnescapePathValues: true,
+ MaxMultipartMemory: defaultMultipartMemory,
+ trees: make(methodTrees, 0, 9),
+ delims: render.Delims{Left: "{{", Right: "}}"},
+ secureJSONPrefix: "while(1);",
+ trustedProxies: []string{"0.0.0.0/0"},
+ trustedCIDRs: defaultTrustedCIDRs,
+ }
+ engine.RouterGroup.engine = engine
+ engine.pool.New = func() interface{} {
+ return engine.allocateContext()
+ }
+ return engine
+}
+
+// Default returns an Engine instance with the Logger and Recovery middleware already attached.
+func Default() *Engine {
+ debugPrintWARNINGDefault()
+ engine := New()
+ engine.Use(Logger(), Recovery())
+ return engine
+}
+
+func (engine *Engine) allocateContext() *Context {
+ v := make(Params, 0, engine.maxParams)
+ skippedNodes := make([]skippedNode, 0, engine.maxSections)
+ return &Context{engine: engine, params: &v, skippedNodes: &skippedNodes}
+}
+
+// Delims sets template left and right delims and returns a Engine instance.
+func (engine *Engine) Delims(left, right string) *Engine {
+ engine.delims = render.Delims{Left: left, Right: right}
+ return engine
+}
+
+// SecureJsonPrefix sets the secureJSONPrefix used in Context.SecureJSON.
+func (engine *Engine) SecureJsonPrefix(prefix string) *Engine {
+ engine.secureJSONPrefix = prefix
+ return engine
+}
+
+// LoadHTMLGlob loads HTML files identified by glob pattern
+// and associates the result with HTML renderer.
+func (engine *Engine) LoadHTMLGlob(pattern string) {
+ left := engine.delims.Left
+ right := engine.delims.Right
+ templ := template.Must(template.New("").Delims(left, right).Funcs(engine.FuncMap).ParseGlob(pattern))
+
+ if IsDebugging() {
+ debugPrintLoadTemplate(templ)
+ engine.HTMLRender = render.HTMLDebug{Glob: pattern, FuncMap: engine.FuncMap, Delims: engine.delims}
+ return
+ }
+
+ engine.SetHTMLTemplate(templ)
+}
+
+// LoadHTMLFiles loads a slice of HTML files
+// and associates the result with HTML renderer.
+func (engine *Engine) LoadHTMLFiles(files ...string) {
+ if IsDebugging() {
+ engine.HTMLRender = render.HTMLDebug{Files: files, FuncMap: engine.FuncMap, Delims: engine.delims}
+ return
+ }
+
+ templ := template.Must(template.New("").Delims(engine.delims.Left, engine.delims.Right).Funcs(engine.FuncMap).ParseFiles(files...))
+ engine.SetHTMLTemplate(templ)
+}
+
+// SetHTMLTemplate associate a template with HTML renderer.
+func (engine *Engine) SetHTMLTemplate(templ *template.Template) {
+ if len(engine.trees) > 0 {
+ debugPrintWARNINGSetHTMLTemplate()
+ }
+
+ engine.HTMLRender = render.HTMLProduction{Template: templ.Funcs(engine.FuncMap)}
+}
+
+// SetFuncMap sets the FuncMap used for template.FuncMap.
+func (engine *Engine) SetFuncMap(funcMap template.FuncMap) {
+ engine.FuncMap = funcMap
+}
+
+// NoRoute adds handlers for NoRoute. It return a 404 code by default.
+func (engine *Engine) NoRoute(handlers ...HandlerFunc) {
+ engine.noRoute = handlers
+ engine.rebuild404Handlers()
+}
+
+// NoMethod sets the handlers called when Engine.HandleMethodNotAllowed = true.
+func (engine *Engine) NoMethod(handlers ...HandlerFunc) {
+ engine.noMethod = handlers
+ engine.rebuild405Handlers()
+}
+
+// Use attaches a global middleware to the router. ie. the middleware attached though Use() will be
+// included in the handlers chain for every single request. Even 404, 405, static files...
+// For example, this is the right place for a logger or error management middleware.
+func (engine *Engine) Use(middleware ...HandlerFunc) IRoutes {
+ engine.RouterGroup.Use(middleware...)
+ engine.rebuild404Handlers()
+ engine.rebuild405Handlers()
+ return engine
+}
+
+func (engine *Engine) rebuild404Handlers() {
+ engine.allNoRoute = engine.combineHandlers(engine.noRoute)
+}
+
+func (engine *Engine) rebuild405Handlers() {
+ engine.allNoMethod = engine.combineHandlers(engine.noMethod)
+}
+
+func (engine *Engine) addRoute(method, path string, handlers HandlersChain) {
+ assert1(path[0] == '/', "path must begin with '/'")
+ assert1(method != "", "HTTP method can not be empty")
+ assert1(len(handlers) > 0, "there must be at least one handler")
+
+ debugPrintRoute(method, path, handlers)
+
+ root := engine.trees.get(method)
+ if root == nil {
+ root = new(node)
+ root.fullPath = "/"
+ engine.trees = append(engine.trees, methodTree{method: method, root: root})
+ }
+ root.addRoute(path, handlers)
+
+ // Update maxParams
+ if paramsCount := countParams(path); paramsCount > engine.maxParams {
+ engine.maxParams = paramsCount
+ }
+
+ if sectionsCount := countSections(path); sectionsCount > engine.maxSections {
+ engine.maxSections = sectionsCount
+ }
+}
+
+// Routes returns a slice of registered routes, including some useful information, such as:
+// the http method, path and the handler name.
+func (engine *Engine) Routes() (routes RoutesInfo) {
+ for _, tree := range engine.trees {
+ routes = iterate("", tree.method, routes, tree.root)
+ }
+ return routes
+}
+
+func iterate(path, method string, routes RoutesInfo, root *node) RoutesInfo {
+ path += root.path
+ if len(root.handlers) > 0 {
+ handlerFunc := root.handlers.Last()
+ routes = append(routes, RouteInfo{
+ Method: method,
+ Path: path,
+ Handler: nameOfFunction(handlerFunc),
+ HandlerFunc: handlerFunc,
+ })
+ }
+ for _, child := range root.children {
+ routes = iterate(path, method, routes, child)
+ }
+ return routes
+}
+
+// Run attaches the router to a http.Server and starts listening and serving HTTP requests.
+// It is a shortcut for http.ListenAndServe(addr, router)
+// Note: this method will block the calling goroutine indefinitely unless an error happens.
+func (engine *Engine) Run(addr ...string) (err error) {
+ defer func() { debugPrintError(err) }()
+
+ if engine.isUnsafeTrustedProxies() {
+ debugPrint("[WARNING] You trusted all proxies, this is NOT safe. We recommend you to set a value.\n" +
+ "Please check https://pkg.go.dev/github.com/gin-gonic/gin#readme-don-t-trust-all-proxies for details.")
+ }
+
+ address := resolveAddress(addr)
+ debugPrint("Listening and serving HTTP on %s\n", address)
+ err = http.ListenAndServe(address, engine)
+ return
+}
+
+func (engine *Engine) prepareTrustedCIDRs() ([]*net.IPNet, error) {
+ if engine.trustedProxies == nil {
+ return nil, nil
+ }
+
+ cidr := make([]*net.IPNet, 0, len(engine.trustedProxies))
+ for _, trustedProxy := range engine.trustedProxies {
+ if !strings.Contains(trustedProxy, "/") {
+ ip := parseIP(trustedProxy)
+ if ip == nil {
+ return cidr, &net.ParseError{Type: "IP address", Text: trustedProxy}
+ }
+
+ switch len(ip) {
+ case net.IPv4len:
+ trustedProxy += "/32"
+ case net.IPv6len:
+ trustedProxy += "/128"
+ }
+ }
+ _, cidrNet, err := net.ParseCIDR(trustedProxy)
+ if err != nil {
+ return cidr, err
+ }
+ cidr = append(cidr, cidrNet)
+ }
+ return cidr, nil
+}
+
+// SetTrustedProxies set a list of network origins (IPv4 addresses,
+// IPv4 CIDRs, IPv6 addresses or IPv6 CIDRs) from which to trust
+// request's headers that contain alternative client IP when
+// `(*gin.Engine).ForwardedByClientIP` is `true`. `TrustedProxies`
+// feature is enabled by default, and it also trusts all proxies
+// by default. If you want to disable this feature, use
+// Engine.SetTrustedProxies(nil), then Context.ClientIP() will
+// return the remote address directly.
+func (engine *Engine) SetTrustedProxies(trustedProxies []string) error {
+ engine.trustedProxies = trustedProxies
+ return engine.parseTrustedProxies()
+}
+
+// isUnsafeTrustedProxies compares Engine.trustedCIDRs and defaultTrustedCIDRs, it's not safe if equal (returns true)
+func (engine *Engine) isUnsafeTrustedProxies() bool {
+ return reflect.DeepEqual(engine.trustedCIDRs, defaultTrustedCIDRs)
+}
+
+// parseTrustedProxies parse Engine.trustedProxies to Engine.trustedCIDRs
+func (engine *Engine) parseTrustedProxies() error {
+ trustedCIDRs, err := engine.prepareTrustedCIDRs()
+ engine.trustedCIDRs = trustedCIDRs
+ return err
+}
+
+// parseIP parse a string representation of an IP and returns a net.IP with the
+// minimum byte representation or nil if input is invalid.
+func parseIP(ip string) net.IP {
+ parsedIP := net.ParseIP(ip)
+
+ if ipv4 := parsedIP.To4(); ipv4 != nil {
+ // return ip in a 4-byte representation
+ return ipv4
+ }
+
+ // return ip in a 16-byte representation or nil
+ return parsedIP
+}
+
+// RunTLS attaches the router to a http.Server and starts listening and serving HTTPS (secure) requests.
+// It is a shortcut for http.ListenAndServeTLS(addr, certFile, keyFile, router)
+// Note: this method will block the calling goroutine indefinitely unless an error happens.
+func (engine *Engine) RunTLS(addr, certFile, keyFile string) (err error) {
+ debugPrint("Listening and serving HTTPS on %s\n", addr)
+ defer func() { debugPrintError(err) }()
+
+ if engine.isUnsafeTrustedProxies() {
+ debugPrint("[WARNING] You trusted all proxies, this is NOT safe. We recommend you to set a value.\n" +
+ "Please check https://pkg.go.dev/github.com/gin-gonic/gin#readme-don-t-trust-all-proxies for details.")
+ }
+
+ err = http.ListenAndServeTLS(addr, certFile, keyFile, engine)
+ return
+}
+
+// RunUnix attaches the router to a http.Server and starts listening and serving HTTP requests
+// through the specified unix socket (ie. a file).
+// Note: this method will block the calling goroutine indefinitely unless an error happens.
+func (engine *Engine) RunUnix(file string) (err error) {
+ debugPrint("Listening and serving HTTP on unix:/%s", file)
+ defer func() { debugPrintError(err) }()
+
+ if engine.isUnsafeTrustedProxies() {
+ debugPrint("[WARNING] You trusted all proxies, this is NOT safe. We recommend you to set a value.\n" +
+ "Please check https://pkg.go.dev/github.com/gin-gonic/gin#readme-don-t-trust-all-proxies for details.")
+ }
+
+ listener, err := net.Listen("unix", file)
+ if err != nil {
+ return
+ }
+ defer listener.Close()
+ defer os.Remove(file)
+
+ err = http.Serve(listener, engine)
+ return
+}
+
+// RunFd attaches the router to a http.Server and starts listening and serving HTTP requests
+// through the specified file descriptor.
+// Note: this method will block the calling goroutine indefinitely unless an error happens.
+func (engine *Engine) RunFd(fd int) (err error) {
+ debugPrint("Listening and serving HTTP on fd@%d", fd)
+ defer func() { debugPrintError(err) }()
+
+ if engine.isUnsafeTrustedProxies() {
+ debugPrint("[WARNING] You trusted all proxies, this is NOT safe. We recommend you to set a value.\n" +
+ "Please check https://pkg.go.dev/github.com/gin-gonic/gin#readme-don-t-trust-all-proxies for details.")
+ }
+
+ f := os.NewFile(uintptr(fd), fmt.Sprintf("fd@%d", fd))
+ listener, err := net.FileListener(f)
+ if err != nil {
+ return
+ }
+ defer listener.Close()
+ err = engine.RunListener(listener)
+ return
+}
+
+// RunListener attaches the router to a http.Server and starts listening and serving HTTP requests
+// through the specified net.Listener
+func (engine *Engine) RunListener(listener net.Listener) (err error) {
+ debugPrint("Listening and serving HTTP on listener what's bind with address@%s", listener.Addr())
+ defer func() { debugPrintError(err) }()
+
+ if engine.isUnsafeTrustedProxies() {
+ debugPrint("[WARNING] You trusted all proxies, this is NOT safe. We recommend you to set a value.\n" +
+ "Please check https://pkg.go.dev/github.com/gin-gonic/gin#readme-don-t-trust-all-proxies for details.")
+ }
+
+ err = http.Serve(listener, engine)
+ return
+}
+
+// ServeHTTP conforms to the http.Handler interface.
+func (engine *Engine) ServeHTTP(w http.ResponseWriter, req *http.Request) {
+ c := engine.pool.Get().(*Context)
+ c.writermem.reset(w)
+ c.Request = req
+ c.reset()
+
+ engine.handleHTTPRequest(c)
+
+ engine.pool.Put(c)
+}
+
+// HandleContext re-enter a context that has been rewritten.
+// This can be done by setting c.Request.URL.Path to your new target.
+// Disclaimer: You can loop yourself to death with this, use wisely.
+func (engine *Engine) HandleContext(c *Context) {
+ oldIndexValue := c.index
+ c.reset()
+ engine.handleHTTPRequest(c)
+
+ c.index = oldIndexValue
+}
+
+func (engine *Engine) handleHTTPRequest(c *Context) {
+ httpMethod := c.Request.Method
+ rPath := c.Request.URL.Path
+ unescape := false
+ if engine.UseRawPath && len(c.Request.URL.RawPath) > 0 {
+ rPath = c.Request.URL.RawPath
+ unescape = engine.UnescapePathValues
+ }
+
+ if engine.RemoveExtraSlash {
+ rPath = cleanPath(rPath)
+ }
+
+ // Find root of the tree for the given HTTP method
+ t := engine.trees
+ for i, tl := 0, len(t); i < tl; i++ {
+ if t[i].method != httpMethod {
+ continue
+ }
+ root := t[i].root
+ // Find route in tree
+ value := root.getValue(rPath, c.params, c.skippedNodes, unescape)
+ if value.params != nil {
+ c.Params = *value.params
+ }
+ if value.handlers != nil {
+ c.handlers = value.handlers
+ c.fullPath = value.fullPath
+ c.Next()
+ c.writermem.WriteHeaderNow()
+ return
+ }
+ if httpMethod != "CONNECT" && rPath != "/" {
+ if value.tsr && engine.RedirectTrailingSlash {
+ redirectTrailingSlash(c)
+ return
+ }
+ if engine.RedirectFixedPath && redirectFixedPath(c, root, engine.RedirectFixedPath) {
+ return
+ }
+ }
+ break
+ }
+
+ if engine.HandleMethodNotAllowed {
+ for _, tree := range engine.trees {
+ if tree.method == httpMethod {
+ continue
+ }
+ if value := tree.root.getValue(rPath, nil, c.skippedNodes, unescape); value.handlers != nil {
+ c.handlers = engine.allNoMethod
+ serveError(c, http.StatusMethodNotAllowed, default405Body)
+ return
+ }
+ }
+ }
+ c.handlers = engine.allNoRoute
+ serveError(c, http.StatusNotFound, default404Body)
+}
+
+var mimePlain = []string{MIMEPlain}
+
+func serveError(c *Context, code int, defaultMessage []byte) {
+ c.writermem.status = code
+ c.Next()
+ if c.writermem.Written() {
+ return
+ }
+ if c.writermem.Status() == code {
+ c.writermem.Header()["Content-Type"] = mimePlain
+ _, err := c.Writer.Write(defaultMessage)
+ if err != nil {
+ debugPrint("cannot write message to writer during serve error: %v", err)
+ }
+ return
+ }
+ c.writermem.WriteHeaderNow()
+}
+
+func redirectTrailingSlash(c *Context) {
+ req := c.Request
+ p := req.URL.Path
+ if prefix := path.Clean(c.Request.Header.Get("X-Forwarded-Prefix")); prefix != "." {
+ p = prefix + "/" + req.URL.Path
+ }
+ req.URL.Path = p + "/"
+ if length := len(p); length > 1 && p[length-1] == '/' {
+ req.URL.Path = p[:length-1]
+ }
+ redirectRequest(c)
+}
+
+func redirectFixedPath(c *Context, root *node, trailingSlash bool) bool {
+ req := c.Request
+ rPath := req.URL.Path
+
+ if fixedPath, ok := root.findCaseInsensitivePath(cleanPath(rPath), trailingSlash); ok {
+ req.URL.Path = bytesconv.BytesToString(fixedPath)
+ redirectRequest(c)
+ return true
+ }
+ return false
+}
+
+func redirectRequest(c *Context) {
+ req := c.Request
+ rPath := req.URL.Path
+ rURL := req.URL.String()
+
+ code := http.StatusMovedPermanently // Permanent redirect, request with GET method
+ if req.Method != http.MethodGet {
+ code = http.StatusTemporaryRedirect
+ }
+ debugPrint("redirecting request %d: %s --> %s", code, rPath, rURL)
+ http.Redirect(c.Writer, req, rURL, code)
+ c.writermem.WriteHeaderNow()
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/internal/bytesconv/bytesconv.go b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/internal/bytesconv/bytesconv.go
new file mode 100644
index 000000000000..86e4c4d44cdf
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/internal/bytesconv/bytesconv.go
@@ -0,0 +1,24 @@
+// Copyright 2020 Gin Core Team. All rights reserved.
+// Use of this source code is governed by a MIT style
+// license that can be found in the LICENSE file.
+
+package bytesconv
+
+import (
+ "unsafe"
+)
+
+// StringToBytes converts string to byte slice without a memory allocation.
+func StringToBytes(s string) []byte {
+ return *(*[]byte)(unsafe.Pointer(
+ &struct {
+ string
+ Cap int
+ }{s, len(s)},
+ ))
+}
+
+// BytesToString converts byte slice to string without a memory allocation.
+func BytesToString(b []byte) string {
+ return *(*string)(unsafe.Pointer(&b))
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/internal/json/json.go b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/internal/json/json.go
new file mode 100644
index 000000000000..172aeb2414c6
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/internal/json/json.go
@@ -0,0 +1,23 @@
+// Copyright 2017 Bo-Yi Wu. All rights reserved.
+// Use of this source code is governed by a MIT style
+// license that can be found in the LICENSE file.
+
+//go:build !jsoniter
+// +build !jsoniter
+
+package json
+
+import "encoding/json"
+
+var (
+ // Marshal is exported by gin/json package.
+ Marshal = json.Marshal
+ // Unmarshal is exported by gin/json package.
+ Unmarshal = json.Unmarshal
+ // MarshalIndent is exported by gin/json package.
+ MarshalIndent = json.MarshalIndent
+ // NewDecoder is exported by gin/json package.
+ NewDecoder = json.NewDecoder
+ // NewEncoder is exported by gin/json package.
+ NewEncoder = json.NewEncoder
+)
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/internal/json/jsoniter.go b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/internal/json/jsoniter.go
new file mode 100644
index 000000000000..232f8dcada12
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/internal/json/jsoniter.go
@@ -0,0 +1,24 @@
+// Copyright 2017 Bo-Yi Wu. All rights reserved.
+// Use of this source code is governed by a MIT style
+// license that can be found in the LICENSE file.
+
+//go:build jsoniter
+// +build jsoniter
+
+package json
+
+import jsoniter "github.com/json-iterator/go"
+
+var (
+ json = jsoniter.ConfigCompatibleWithStandardLibrary
+ // Marshal is exported by gin/json package.
+ Marshal = json.Marshal
+ // Unmarshal is exported by gin/json package.
+ Unmarshal = json.Unmarshal
+ // MarshalIndent is exported by gin/json package.
+ MarshalIndent = json.MarshalIndent
+ // NewDecoder is exported by gin/json package.
+ NewDecoder = json.NewDecoder
+ // NewEncoder is exported by gin/json package.
+ NewEncoder = json.NewEncoder
+)
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/logger.go b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/logger.go
new file mode 100644
index 000000000000..d361b74d3239
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/logger.go
@@ -0,0 +1,271 @@
+// Copyright 2014 Manu Martinez-Almeida. All rights reserved.
+// Use of this source code is governed by a MIT style
+// license that can be found in the LICENSE file.
+
+package gin
+
+import (
+ "fmt"
+ "io"
+ "net/http"
+ "os"
+ "time"
+
+ "github.com/mattn/go-isatty"
+)
+
+type consoleColorModeValue int
+
+const (
+ autoColor consoleColorModeValue = iota
+ disableColor
+ forceColor
+)
+
+const (
+ green = "\033[97;42m"
+ white = "\033[90;47m"
+ yellow = "\033[90;43m"
+ red = "\033[97;41m"
+ blue = "\033[97;44m"
+ magenta = "\033[97;45m"
+ cyan = "\033[97;46m"
+ reset = "\033[0m"
+)
+
+var consoleColorMode = autoColor
+
+// LoggerConfig defines the config for Logger middleware.
+type LoggerConfig struct {
+ // Optional. Default value is gin.defaultLogFormatter
+ Formatter LogFormatter
+
+ // Output is a writer where logs are written.
+ // Optional. Default value is gin.DefaultWriter.
+ Output io.Writer
+
+ // SkipPaths is a url path array which logs are not written.
+ // Optional.
+ SkipPaths []string
+}
+
+// LogFormatter gives the signature of the formatter function passed to LoggerWithFormatter
+type LogFormatter func(params LogFormatterParams) string
+
+// LogFormatterParams is the structure any formatter will be handed when time to log comes
+type LogFormatterParams struct {
+ Request *http.Request
+
+ // TimeStamp shows the time after the server returns a response.
+ TimeStamp time.Time
+ // StatusCode is HTTP response code.
+ StatusCode int
+ // Latency is how much time the server cost to process a certain request.
+ Latency time.Duration
+ // ClientIP equals Context's ClientIP method.
+ ClientIP string
+ // Method is the HTTP method given to the request.
+ Method string
+ // Path is a path the client requests.
+ Path string
+ // ErrorMessage is set if error has occurred in processing the request.
+ ErrorMessage string
+ // isTerm shows whether does gin's output descriptor refers to a terminal.
+ isTerm bool
+ // BodySize is the size of the Response Body
+ BodySize int
+ // Keys are the keys set on the request's context.
+ Keys map[string]interface{}
+}
+
+// StatusCodeColor is the ANSI color for appropriately logging http status code to a terminal.
+func (p *LogFormatterParams) StatusCodeColor() string {
+ code := p.StatusCode
+
+ switch {
+ case code >= http.StatusOK && code < http.StatusMultipleChoices:
+ return green
+ case code >= http.StatusMultipleChoices && code < http.StatusBadRequest:
+ return white
+ case code >= http.StatusBadRequest && code < http.StatusInternalServerError:
+ return yellow
+ default:
+ return red
+ }
+}
+
+// MethodColor is the ANSI color for appropriately logging http method to a terminal.
+func (p *LogFormatterParams) MethodColor() string {
+ method := p.Method
+
+ switch method {
+ case http.MethodGet:
+ return blue
+ case http.MethodPost:
+ return cyan
+ case http.MethodPut:
+ return yellow
+ case http.MethodDelete:
+ return red
+ case http.MethodPatch:
+ return green
+ case http.MethodHead:
+ return magenta
+ case http.MethodOptions:
+ return white
+ default:
+ return reset
+ }
+}
+
+// ResetColor resets all escape attributes.
+func (p *LogFormatterParams) ResetColor() string {
+ return reset
+}
+
+// IsOutputColor indicates whether can colors be outputted to the log.
+func (p *LogFormatterParams) IsOutputColor() bool {
+ return consoleColorMode == forceColor || (consoleColorMode == autoColor && p.isTerm)
+}
+
+// defaultLogFormatter is the default log format function Logger middleware uses.
+var defaultLogFormatter = func(param LogFormatterParams) string {
+ var statusColor, methodColor, resetColor string
+ if param.IsOutputColor() {
+ statusColor = param.StatusCodeColor()
+ methodColor = param.MethodColor()
+ resetColor = param.ResetColor()
+ }
+
+ if param.Latency > time.Minute {
+ // Truncate in a golang < 1.8 safe way
+ param.Latency = param.Latency - param.Latency%time.Second
+ }
+ return fmt.Sprintf("[GIN] %v |%s %3d %s| %13v | %15s |%s %-7s %s %#v\n%s",
+ param.TimeStamp.Format("2006/01/02 - 15:04:05"),
+ statusColor, param.StatusCode, resetColor,
+ param.Latency,
+ param.ClientIP,
+ methodColor, param.Method, resetColor,
+ param.Path,
+ param.ErrorMessage,
+ )
+}
+
+// DisableConsoleColor disables color output in the console.
+func DisableConsoleColor() {
+ consoleColorMode = disableColor
+}
+
+// ForceConsoleColor force color output in the console.
+func ForceConsoleColor() {
+ consoleColorMode = forceColor
+}
+
+// ErrorLogger returns a handlerfunc for any error type.
+func ErrorLogger() HandlerFunc {
+ return ErrorLoggerT(ErrorTypeAny)
+}
+
+// ErrorLoggerT returns a handlerfunc for a given error type.
+func ErrorLoggerT(typ ErrorType) HandlerFunc {
+ return func(c *Context) {
+ c.Next()
+ errors := c.Errors.ByType(typ)
+ if len(errors) > 0 {
+ c.JSON(-1, errors)
+ }
+ }
+}
+
+// Logger instances a Logger middleware that will write the logs to gin.DefaultWriter.
+// By default gin.DefaultWriter = os.Stdout.
+func Logger() HandlerFunc {
+ return LoggerWithConfig(LoggerConfig{})
+}
+
+// LoggerWithFormatter instance a Logger middleware with the specified log format function.
+func LoggerWithFormatter(f LogFormatter) HandlerFunc {
+ return LoggerWithConfig(LoggerConfig{
+ Formatter: f,
+ })
+}
+
+// LoggerWithWriter instance a Logger middleware with the specified writer buffer.
+// Example: os.Stdout, a file opened in write mode, a socket...
+func LoggerWithWriter(out io.Writer, notlogged ...string) HandlerFunc {
+ return LoggerWithConfig(LoggerConfig{
+ Output: out,
+ SkipPaths: notlogged,
+ })
+}
+
+// LoggerWithConfig instance a Logger middleware with config.
+func LoggerWithConfig(conf LoggerConfig) HandlerFunc {
+ formatter := conf.Formatter
+ if formatter == nil {
+ formatter = defaultLogFormatter
+ }
+
+ out := conf.Output
+ if out == nil {
+ out = DefaultWriter
+ }
+
+ notlogged := conf.SkipPaths
+
+ isTerm := true
+
+ if w, ok := out.(*os.File); !ok || os.Getenv("TERM") == "dumb" ||
+ (!isatty.IsTerminal(w.Fd()) && !isatty.IsCygwinTerminal(w.Fd())) {
+ isTerm = false
+ }
+
+ var skip map[string]struct{}
+
+ if length := len(notlogged); length > 0 {
+ skip = make(map[string]struct{}, length)
+
+ for _, path := range notlogged {
+ skip[path] = struct{}{}
+ }
+ }
+
+ return func(c *Context) {
+ // Start timer
+ start := time.Now()
+ path := c.Request.URL.Path
+ raw := c.Request.URL.RawQuery
+
+ // Process request
+ c.Next()
+
+ // Log only when path is not being skipped
+ if _, ok := skip[path]; !ok {
+ param := LogFormatterParams{
+ Request: c.Request,
+ isTerm: isTerm,
+ Keys: c.Keys,
+ }
+
+ // Stop timer
+ param.TimeStamp = time.Now()
+ param.Latency = param.TimeStamp.Sub(start)
+
+ param.ClientIP = c.ClientIP()
+ param.Method = c.Request.Method
+ param.StatusCode = c.Writer.Status()
+ param.ErrorMessage = c.Errors.ByType(ErrorTypePrivate).String()
+
+ param.BodySize = c.Writer.Size()
+
+ if raw != "" {
+ path = path + "?" + raw
+ }
+
+ param.Path = path
+
+ fmt.Fprint(out, formatter(param))
+ }
+ }
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/mode.go b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/mode.go
new file mode 100644
index 000000000000..c8813aff26c5
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/mode.go
@@ -0,0 +1,92 @@
+// Copyright 2014 Manu Martinez-Almeida. All rights reserved.
+// Use of this source code is governed by a MIT style
+// license that can be found in the LICENSE file.
+
+package gin
+
+import (
+ "io"
+ "os"
+
+ "github.com/gin-gonic/gin/binding"
+)
+
+// EnvGinMode indicates environment name for gin mode.
+const EnvGinMode = "GIN_MODE"
+
+const (
+ // DebugMode indicates gin mode is debug.
+ DebugMode = "debug"
+ // ReleaseMode indicates gin mode is release.
+ ReleaseMode = "release"
+ // TestMode indicates gin mode is test.
+ TestMode = "test"
+)
+
+const (
+ debugCode = iota
+ releaseCode
+ testCode
+)
+
+// DefaultWriter is the default io.Writer used by Gin for debug output and
+// middleware output like Logger() or Recovery().
+// Note that both Logger and Recovery provides custom ways to configure their
+// output io.Writer.
+// To support coloring in Windows use:
+// import "github.com/mattn/go-colorable"
+// gin.DefaultWriter = colorable.NewColorableStdout()
+var DefaultWriter io.Writer = os.Stdout
+
+// DefaultErrorWriter is the default io.Writer used by Gin to debug errors
+var DefaultErrorWriter io.Writer = os.Stderr
+
+var ginMode = debugCode
+var modeName = DebugMode
+
+func init() {
+ mode := os.Getenv(EnvGinMode)
+ SetMode(mode)
+}
+
+// SetMode sets gin mode according to input string.
+func SetMode(value string) {
+ if value == "" {
+ value = DebugMode
+ }
+
+ switch value {
+ case DebugMode:
+ ginMode = debugCode
+ case ReleaseMode:
+ ginMode = releaseCode
+ case TestMode:
+ ginMode = testCode
+ default:
+ panic("gin mode unknown: " + value + " (available mode: debug release test)")
+ }
+
+ modeName = value
+}
+
+// DisableBindValidation closes the default validator.
+func DisableBindValidation() {
+ binding.Validator = nil
+}
+
+// EnableJsonDecoderUseNumber sets true for binding.EnableDecoderUseNumber to
+// call the UseNumber method on the JSON Decoder instance.
+func EnableJsonDecoderUseNumber() {
+ binding.EnableDecoderUseNumber = true
+}
+
+// EnableJsonDecoderDisallowUnknownFields sets true for binding.EnableDecoderDisallowUnknownFields to
+// call the DisallowUnknownFields method on the JSON Decoder instance.
+func EnableJsonDecoderDisallowUnknownFields() {
+ binding.EnableDecoderDisallowUnknownFields = true
+}
+
+// Mode returns currently gin mode.
+func Mode() string {
+ return modeName
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/path.go b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/path.go
new file mode 100644
index 000000000000..d42d6b9d05d6
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/path.go
@@ -0,0 +1,150 @@
+// Copyright 2013 Julien Schmidt. All rights reserved.
+// Based on the path package, Copyright 2009 The Go Authors.
+// Use of this source code is governed by a BSD-style license that can be found
+// at https://github.com/julienschmidt/httprouter/blob/master/LICENSE.
+
+package gin
+
+// cleanPath is the URL version of path.Clean, it returns a canonical URL path
+// for p, eliminating . and .. elements.
+//
+// The following rules are applied iteratively until no further processing can
+// be done:
+// 1. Replace multiple slashes with a single slash.
+// 2. Eliminate each . path name element (the current directory).
+// 3. Eliminate each inner .. path name element (the parent directory)
+// along with the non-.. element that precedes it.
+// 4. Eliminate .. elements that begin a rooted path:
+// that is, replace "/.." by "/" at the beginning of a path.
+//
+// If the result of this process is an empty string, "/" is returned.
+func cleanPath(p string) string {
+ const stackBufSize = 128
+ // Turn empty string into "/"
+ if p == "" {
+ return "/"
+ }
+
+ // Reasonably sized buffer on stack to avoid allocations in the common case.
+ // If a larger buffer is required, it gets allocated dynamically.
+ buf := make([]byte, 0, stackBufSize)
+
+ n := len(p)
+
+ // Invariants:
+ // reading from path; r is index of next byte to process.
+ // writing to buf; w is index of next byte to write.
+
+ // path must start with '/'
+ r := 1
+ w := 1
+
+ if p[0] != '/' {
+ r = 0
+
+ if n+1 > stackBufSize {
+ buf = make([]byte, n+1)
+ } else {
+ buf = buf[:n+1]
+ }
+ buf[0] = '/'
+ }
+
+ trailing := n > 1 && p[n-1] == '/'
+
+ // A bit more clunky without a 'lazybuf' like the path package, but the loop
+ // gets completely inlined (bufApp calls).
+ // loop has no expensive function calls (except 1x make) // So in contrast to the path package this loop has no expensive function
+ // calls (except make, if needed).
+
+ for r < n {
+ switch {
+ case p[r] == '/':
+ // empty path element, trailing slash is added after the end
+ r++
+
+ case p[r] == '.' && r+1 == n:
+ trailing = true
+ r++
+
+ case p[r] == '.' && p[r+1] == '/':
+ // . element
+ r += 2
+
+ case p[r] == '.' && p[r+1] == '.' && (r+2 == n || p[r+2] == '/'):
+ // .. element: remove to last /
+ r += 3
+
+ if w > 1 {
+ // can backtrack
+ w--
+
+ if len(buf) == 0 {
+ for w > 1 && p[w] != '/' {
+ w--
+ }
+ } else {
+ for w > 1 && buf[w] != '/' {
+ w--
+ }
+ }
+ }
+
+ default:
+ // Real path element.
+ // Add slash if needed
+ if w > 1 {
+ bufApp(&buf, p, w, '/')
+ w++
+ }
+
+ // Copy element
+ for r < n && p[r] != '/' {
+ bufApp(&buf, p, w, p[r])
+ w++
+ r++
+ }
+ }
+ }
+
+ // Re-append trailing slash
+ if trailing && w > 1 {
+ bufApp(&buf, p, w, '/')
+ w++
+ }
+
+ // If the original string was not modified (or only shortened at the end),
+ // return the respective substring of the original string.
+ // Otherwise return a new string from the buffer.
+ if len(buf) == 0 {
+ return p[:w]
+ }
+ return string(buf[:w])
+}
+
+// Internal helper to lazily create a buffer if necessary.
+// Calls to this function get inlined.
+func bufApp(buf *[]byte, s string, w int, c byte) {
+ b := *buf
+ if len(b) == 0 {
+ // No modification of the original string so far.
+ // If the next character is the same as in the original string, we do
+ // not yet have to allocate a buffer.
+ if s[w] == c {
+ return
+ }
+
+ // Otherwise use either the stack buffer, if it is large enough, or
+ // allocate a new buffer on the heap, and copy all previous characters.
+ length := len(s)
+ if length > cap(b) {
+ *buf = make([]byte, length)
+ } else {
+ *buf = (*buf)[:length]
+ }
+ b = *buf
+
+ copy(b, s[:w])
+ }
+ b[w] = c
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/recovery.go b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/recovery.go
new file mode 100644
index 000000000000..563f5aaa8e24
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/recovery.go 
@@ -0,0 +1,171 @@
+// Copyright 2014 Manu Martinez-Almeida. All rights reserved.
+// Use of this source code is governed by a MIT style
+// license that can be found in the LICENSE file.
+
+package gin
+
+import (
+ "bytes"
+ "fmt"
+ "io"
+ "io/ioutil"
+ "log"
+ "net"
+ "net/http"
+ "net/http/httputil"
+ "os"
+ "runtime"
+ "strings"
+ "time"
+)
+
+var (
+ dunno = []byte("???")
+ centerDot = []byte("·")
+ dot = []byte(".")
+ slash = []byte("/")
+)
+
+// RecoveryFunc defines the function passable to CustomRecovery.
+type RecoveryFunc func(c *Context, err interface{})
+
+// Recovery returns a middleware that recovers from any panics and writes a 500 if there was one.
+func Recovery() HandlerFunc {
+ return RecoveryWithWriter(DefaultErrorWriter)
+}
+
+//CustomRecovery returns a middleware that recovers from any panics and calls the provided handle func to handle it.
+func CustomRecovery(handle RecoveryFunc) HandlerFunc {
+ return RecoveryWithWriter(DefaultErrorWriter, handle)
+}
+
+// RecoveryWithWriter returns a middleware for a given writer that recovers from any panics and writes a 500 if there was one.
+func RecoveryWithWriter(out io.Writer, recovery ...RecoveryFunc) HandlerFunc {
+ if len(recovery) > 0 {
+ return CustomRecoveryWithWriter(out, recovery[0])
+ }
+ return CustomRecoveryWithWriter(out, defaultHandleRecovery)
+}
+
+// CustomRecoveryWithWriter returns a middleware for a given writer that recovers from any panics and calls the provided handle func to handle it.
+func CustomRecoveryWithWriter(out io.Writer, handle RecoveryFunc) HandlerFunc {
+ var logger *log.Logger
+ if out != nil {
+ logger = log.New(out, "\n\n\x1b[31m", log.LstdFlags)
+ }
+ return func(c *Context) {
+ defer func() {
+ if err := recover(); err != nil {
+ // Check for a broken connection, as it is not really a
+ // condition that warrants a panic stack trace.
+ var brokenPipe bool
+ if ne, ok := err.(*net.OpError); ok {
+ if se, ok := ne.Err.(*os.SyscallError); ok {
+ if strings.Contains(strings.ToLower(se.Error()), "broken pipe") || strings.Contains(strings.ToLower(se.Error()), "connection reset by peer") {
+ brokenPipe = true
+ }
+ }
+ }
+ if logger != nil {
+ stack := stack(3)
+ httpRequest, _ := httputil.DumpRequest(c.Request, false)
+ headers := strings.Split(string(httpRequest), "\r\n")
+ for idx, header := range headers {
+ current := strings.Split(header, ":")
+ if current[0] == "Authorization" {
+ headers[idx] = current[0] + ": *"
+ }
+ }
+ headersToStr := strings.Join(headers, "\r\n")
+ if brokenPipe {
+ logger.Printf("%s\n%s%s", err, headersToStr, reset)
+ } else if IsDebugging() {
+ logger.Printf("[Recovery] %s panic recovered:\n%s\n%s\n%s%s",
+ timeFormat(time.Now()), headersToStr, err, stack, reset)
+ } else {
+ logger.Printf("[Recovery] %s panic recovered:\n%s\n%s%s",
+ timeFormat(time.Now()), err, stack, reset)
+ }
+ }
+ if brokenPipe {
+ // If the connection is dead, we can't write a status to it.
+ c.Error(err.(error)) // nolint: errcheck
+ c.Abort()
+ } else {
+ handle(c, err)
+ }
+ }
+ }()
+ c.Next()
+ }
+}
+
+func defaultHandleRecovery(c *Context, err interface{}) {
+ c.AbortWithStatus(http.StatusInternalServerError)
+}
+
+// stack returns a nicely formatted stack frame, skipping skip frames.
+func stack(skip int) []byte {
+ buf := new(bytes.Buffer) // the returned data
+ // As we loop, we open files and read them. These variables record the currently
+ // loaded file.
+ var lines [][]byte
+ var lastFile string
+ for i := skip; ; i++ { // Skip the expected number of frames
+ pc, file, line, ok := runtime.Caller(i)
+ if !ok {
+ break
+ }
+ // Print this much at least. If we can't find the source, it won't show.
+ fmt.Fprintf(buf, "%s:%d (0x%x)\n", file, line, pc)
+ if file != lastFile {
+ data, err := ioutil.ReadFile(file)
+ if err != nil {
+ continue
+ }
+ lines = bytes.Split(data, []byte{'\n'})
+ lastFile = file
+ }
+ fmt.Fprintf(buf, "\t%s: %s\n", function(pc), source(lines, line))
+ }
+ return buf.Bytes()
+}
+
+// source returns a space-trimmed slice of the n'th line.
+func source(lines [][]byte, n int) []byte {
+ n-- // in stack trace, lines are 1-indexed but our array is 0-indexed
+ if n < 0 || n >= len(lines) {
+ return dunno
+ }
+ return bytes.TrimSpace(lines[n])
+}
+
+// function returns, if possible, the name of the function containing the PC.
+func function(pc uintptr) []byte {
+ fn := runtime.FuncForPC(pc)
+ if fn == nil {
+ return dunno
+ }
+ name := []byte(fn.Name())
+ // The name includes the path name to the package, which is unnecessary
+ // since the file name is already included. Plus, it has center dots.
+ // That is, we see
+ // runtime/debug.*T·ptrmethod
+ // and want
+ // *T.ptrmethod
+ // Also the package path might contains dot (e.g. code.google.com/...),
+ // so first eliminate the path prefix
+ if lastSlash := bytes.LastIndex(name, slash); lastSlash >= 0 {
+ name = name[lastSlash+1:]
+ }
+ if period := bytes.Index(name, dot); period >= 0 {
+ name = name[period+1:]
+ }
+ name = bytes.Replace(name, centerDot, dot, -1)
+ return name
+}
+
+func timeFormat(t time.Time) string {
+ timeString := t.Format("2006/01/02 - 15:04:05")
+ return timeString
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/render/data.go b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/render/data.go
new file mode 100644
index 000000000000..6ba657ba0a5f
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/render/data.go
@@ -0,0 +1,25 @@
+// Copyright 2014 Manu Martinez-Almeida. All rights reserved.
+// Use of this source code is governed by a MIT style
+// license that can be found in the LICENSE file.
+
+package render
+
+import "net/http"
+
+// Data contains ContentType and bytes data.
+type Data struct {
+ ContentType string
+ Data []byte
+}
+
+// Render (Data) writes data with custom ContentType.
+func (r Data) Render(w http.ResponseWriter) (err error) {
+ r.WriteContentType(w)
+ _, err = w.Write(r.Data)
+ return
+}
+
+// WriteContentType (Data) writes custom ContentType.
+func (r Data) WriteContentType(w http.ResponseWriter) {
+ writeContentType(w, []string{r.ContentType})
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/render/html.go b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/render/html.go
new file mode 100644
index 000000000000..6696ece99716
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/render/html.go
@@ -0,0 +1,92 @@
+// Copyright 2014 Manu Martinez-Almeida. All rights reserved.
+// Use of this source code is governed by a MIT style
+// license that can be found in the LICENSE file.
+
+package render
+
+import (
+ "html/template"
+ "net/http"
+)
+
+// Delims represents a set of Left and Right delimiters for HTML template rendering.
+type Delims struct {
+ // Left delimiter, defaults to {{.
+ Left string
+ // Right delimiter, defaults to }}.
+ Right string
+}
+
+// HTMLRender interface is to be implemented by HTMLProduction and HTMLDebug.
+type HTMLRender interface {
+ // Instance returns an HTML instance.
+ Instance(string, interface{}) Render
+}
+
+// HTMLProduction contains template reference and its delims.
+type HTMLProduction struct {
+ Template *template.Template
+ Delims Delims
+}
+
+// HTMLDebug contains template delims and pattern and function with file list.
+type HTMLDebug struct {
+ Files []string
+ Glob string
+ Delims Delims
+ FuncMap template.FuncMap
+}
+
+// HTML contains template reference and its name with given interface object.
+type HTML struct {
+ Template *template.Template
+ Name string
+ Data interface{}
+}
+
+var htmlContentType = []string{"text/html; charset=utf-8"}
+
+// Instance (HTMLProduction) returns an HTML instance which it realizes Render interface.
+func (r HTMLProduction) Instance(name string, data interface{}) Render {
+ return HTML{
+ Template: r.Template,
+ Name: name,
+ Data: data,
+ }
+}
+
+// Instance (HTMLDebug) returns an HTML instance which it realizes Render interface.
+func (r HTMLDebug) Instance(name string, data interface{}) Render {
+ return HTML{
+ Template: r.loadTemplate(),
+ Name: name,
+ Data: data,
+ }
+}
+func (r HTMLDebug) loadTemplate() *template.Template {
+ if r.FuncMap == nil {
+ r.FuncMap = template.FuncMap{}
+ }
+ if len(r.Files) > 0 {
+ return template.Must(template.New("").Delims(r.Delims.Left, r.Delims.Right).Funcs(r.FuncMap).ParseFiles(r.Files...))
+ }
+ if r.Glob != "" {
+ return template.Must(template.New("").Delims(r.Delims.Left, r.Delims.Right).Funcs(r.FuncMap).ParseGlob(r.Glob))
+ }
+ panic("the HTML debug render was created without files or glob pattern")
+}
+
+// Render (HTML) executes template and writes its result with custom ContentType for response.
+func (r HTML) Render(w http.ResponseWriter) error {
+ r.WriteContentType(w)
+
+ if r.Name == "" {
+ return r.Template.Execute(w, r.Data)
+ }
+ return r.Template.ExecuteTemplate(w, r.Name, r.Data)
+}
+
+// WriteContentType (HTML) writes HTML ContentType.
+func (r HTML) WriteContentType(w http.ResponseWriter) {
+ writeContentType(w, htmlContentType)
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/render/json.go b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/render/json.go
new file mode 100644
index 000000000000..418630939808
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/render/json.go
@@ -0,0 +1,193 @@
+// Copyright 2014 Manu Martinez-Almeida. All rights reserved.
+// Use of this source code is governed by a MIT style
+// license that can be found in the LICENSE file.
+
+package render
+
+import (
+ "bytes"
+ "fmt"
+ "html/template"
+ "net/http"
+
+ "github.com/gin-gonic/gin/internal/bytesconv"
+ "github.com/gin-gonic/gin/internal/json"
+)
+
+// JSON contains the given interface object.
+type JSON struct {
+ Data interface{}
+}
+
+// IndentedJSON contains the given interface object.
+type IndentedJSON struct {
+ Data interface{}
+}
+
+// SecureJSON contains the given interface object and its prefix.
+type SecureJSON struct {
+ Prefix string
+ Data interface{}
+}
+
+// JsonpJSON contains the given interface object its callback.
+type JsonpJSON struct {
+ Callback string
+ Data interface{}
+}
+
+// AsciiJSON contains the given interface object.
+type AsciiJSON struct {
+ Data interface{}
+}
+
+// PureJSON contains the given interface object.
+type PureJSON struct {
+ Data interface{}
+}
+
+var jsonContentType = []string{"application/json; charset=utf-8"}
+var jsonpContentType = []string{"application/javascript; charset=utf-8"}
+var jsonAsciiContentType = []string{"application/json"}
+
+// Render (JSON) writes data with custom ContentType.
+func (r JSON) Render(w http.ResponseWriter) (err error) {
+ if err = WriteJSON(w, r.Data); err != nil {
+ panic(err)
+ }
+ return
+}
+
+// WriteContentType (JSON) writes JSON ContentType.
+func (r JSON) WriteContentType(w http.ResponseWriter) {
+ writeContentType(w, jsonContentType)
+}
+
+// WriteJSON marshals the given interface object and writes it with custom ContentType.
+func WriteJSON(w http.ResponseWriter, obj interface{}) error {
+ writeContentType(w, jsonContentType)
+ jsonBytes, err := json.Marshal(obj)
+ if err != nil {
+ return err
+ }
+ _, err = w.Write(jsonBytes)
+ return err
+}
+
+// Render (IndentedJSON) marshals the given interface object and writes it with custom ContentType.
+func (r IndentedJSON) Render(w http.ResponseWriter) error {
+ r.WriteContentType(w)
+ jsonBytes, err := json.MarshalIndent(r.Data, "", " ")
+ if err != nil {
+ return err
+ }
+ _, err = w.Write(jsonBytes)
+ return err
+}
+
+// WriteContentType (IndentedJSON) writes JSON ContentType.
+func (r IndentedJSON) WriteContentType(w http.ResponseWriter) {
+ writeContentType(w, jsonContentType)
+}
+
+// Render (SecureJSON) marshals the given interface object and writes it with custom ContentType.
+func (r SecureJSON) Render(w http.ResponseWriter) error {
+ r.WriteContentType(w)
+ jsonBytes, err := json.Marshal(r.Data)
+ if err != nil {
+ return err
+ }
+ // if the jsonBytes is array values
+ if bytes.HasPrefix(jsonBytes, bytesconv.StringToBytes("[")) && bytes.HasSuffix(jsonBytes,
+ bytesconv.StringToBytes("]")) {
+ _, err = w.Write(bytesconv.StringToBytes(r.Prefix))
+ if err != nil {
+ return err
+ }
+ }
+ _, err = w.Write(jsonBytes)
+ return err
+}
+
+// WriteContentType (SecureJSON) writes JSON ContentType.
+func (r SecureJSON) WriteContentType(w http.ResponseWriter) {
+ writeContentType(w, jsonContentType)
+}
+
+// Render (JsonpJSON) marshals the given interface object and writes it and its callback with custom ContentType.
+func (r JsonpJSON) Render(w http.ResponseWriter) (err error) {
+ r.WriteContentType(w)
+ ret, err := json.Marshal(r.Data)
+ if err != nil {
+ return err
+ }
+
+ if r.Callback == "" {
+ _, err = w.Write(ret)
+ return err
+ }
+
+ callback := template.JSEscapeString(r.Callback)
+ _, err = w.Write(bytesconv.StringToBytes(callback))
+ if err != nil {
+ return err
+ }
+ _, err = w.Write(bytesconv.StringToBytes("("))
+ if err != nil {
+ return err
+ }
+ _, err = w.Write(ret)
+ if err != nil {
+ return err
+ }
+ _, err = w.Write(bytesconv.StringToBytes(");"))
+ if err != nil {
+ return err
+ }
+
+ return nil
+}
+
+// WriteContentType (JsonpJSON) writes Javascript ContentType.
+func (r JsonpJSON) WriteContentType(w http.ResponseWriter) {
+ writeContentType(w, jsonpContentType)
+}
+
+// Render (AsciiJSON) marshals the given interface object and writes it with custom ContentType.
+func (r AsciiJSON) Render(w http.ResponseWriter) (err error) {
+ r.WriteContentType(w)
+ ret, err := json.Marshal(r.Data)
+ if err != nil {
+ return err
+ }
+
+ var buffer bytes.Buffer
+ for _, r := range bytesconv.BytesToString(ret) {
+ cvt := string(r)
+ if r >= 128 {
+ cvt = fmt.Sprintf("\\u%04x", int64(r))
+ }
+ buffer.WriteString(cvt)
+ }
+
+ _, err = w.Write(buffer.Bytes())
+ return err
+}
+
+// WriteContentType (AsciiJSON) writes JSON ContentType.
+func (r AsciiJSON) WriteContentType(w http.ResponseWriter) {
+ writeContentType(w, jsonAsciiContentType)
+}
+
+// Render (PureJSON) writes custom ContentType and encodes the given interface object.
+func (r PureJSON) Render(w http.ResponseWriter) error {
+ r.WriteContentType(w)
+ encoder := json.NewEncoder(w)
+ encoder.SetEscapeHTML(false)
+ return encoder.Encode(r.Data)
+}
+
+// WriteContentType (PureJSON) writes custom ContentType.
+func (r PureJSON) WriteContentType(w http.ResponseWriter) {
+ writeContentType(w, jsonContentType)
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/render/msgpack.go b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/render/msgpack.go
new file mode 100644
index 000000000000..6ef5b6e514c3
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/render/msgpack.go
@@ -0,0 +1,42 @@
+// Copyright 2017 Manu Martinez-Almeida. All rights reserved.
+// Use of this source code is governed by a MIT style
+// license that can be found in the LICENSE file.
+
+//go:build !nomsgpack
+// +build !nomsgpack
+
+package render
+
+import (
+ "net/http"
+
+ "github.com/ugorji/go/codec"
+)
+
+var (
+ _ Render = MsgPack{}
+)
+
+// MsgPack contains the given interface object.
+type MsgPack struct {
+ Data interface{}
+}
+
+var msgpackContentType = []string{"application/msgpack; charset=utf-8"}
+
+// WriteContentType (MsgPack) writes MsgPack ContentType.
+func (r MsgPack) WriteContentType(w http.ResponseWriter) {
+ writeContentType(w, msgpackContentType)
+}
+
+// Render (MsgPack) encodes the given interface object and writes data with custom ContentType.
+func (r MsgPack) Render(w http.ResponseWriter) error {
+ return WriteMsgPack(w, r.Data)
+}
+
+// WriteMsgPack writes MsgPack ContentType and encodes the given interface object.
+func WriteMsgPack(w http.ResponseWriter, obj interface{}) error {
+ writeContentType(w, msgpackContentType)
+ var mh codec.MsgpackHandle
+ return codec.NewEncoder(w, &mh).Encode(obj)
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/render/protobuf.go b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/render/protobuf.go
new file mode 100644
index 000000000000..15aca9959cd6
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/render/protobuf.go
@@ -0,0 +1,36 @@
+// Copyright 2018 Gin Core Team. All rights reserved.
+// Use of this source code is governed by a MIT style
+// license that can be found in the LICENSE file.
+
+package render
+
+import (
+ "net/http"
+
+ "github.com/golang/protobuf/proto"
+)
+
+// ProtoBuf contains the given interface object.
+type ProtoBuf struct {
+ Data interface{}
+}
+
+var protobufContentType = []string{"application/x-protobuf"}
+
+// Render (ProtoBuf) marshals the given interface object and writes data with custom ContentType.
+func (r ProtoBuf) Render(w http.ResponseWriter) error {
+ r.WriteContentType(w)
+
+ bytes, err := proto.Marshal(r.Data.(proto.Message))
+ if err != nil {
+ return err
+ }
+
+ _, err = w.Write(bytes)
+ return err
+}
+
+// WriteContentType (ProtoBuf) writes ProtoBuf ContentType.
+func (r ProtoBuf) WriteContentType(w http.ResponseWriter) {
+ writeContentType(w, protobufContentType)
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/render/reader.go b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/render/reader.go
new file mode 100644
index 000000000000..d5282e492724
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/render/reader.go
@@ -0,0 +1,48 @@
+// Copyright 2018 Gin Core Team. All rights reserved.
+// Use of this source code is governed by a MIT style
+// license that can be found in the LICENSE file.
+
+package render
+
+import (
+ "io"
+ "net/http"
+ "strconv"
+)
+
+// Reader contains the IO reader and its length, and custom ContentType and other headers.
+type Reader struct {
+ ContentType string
+ ContentLength int64
+ Reader io.Reader
+ Headers map[string]string
+}
+
+// Render (Reader) writes data with custom ContentType and headers.
+func (r Reader) Render(w http.ResponseWriter) (err error) {
+ r.WriteContentType(w)
+ if r.ContentLength >= 0 {
+ if r.Headers == nil {
+ r.Headers = map[string]string{}
+ }
+ r.Headers["Content-Length"] = strconv.FormatInt(r.ContentLength, 10)
+ }
+ r.writeHeaders(w, r.Headers)
+ _, err = io.Copy(w, r.Reader)
+ return
+}
+
+// WriteContentType (Reader) writes custom ContentType.
+func (r Reader) WriteContentType(w http.ResponseWriter) {
+ writeContentType(w, []string{r.ContentType})
+}
+
+// writeHeaders writes custom Header.
+func (r Reader) writeHeaders(w http.ResponseWriter, headers map[string]string) {
+ header := w.Header()
+ for k, v := range headers {
+ if header.Get(k) == "" {
+ header.Set(k, v)
+ }
+ }
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/render/redirect.go b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/render/redirect.go
new file mode 100644
index 000000000000..c006691ca635
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/render/redirect.go
@@ -0,0 +1,29 @@
+// Copyright 2014 Manu Martinez-Almeida. All rights reserved.
+// Use of this source code is governed by a MIT style
+// license that can be found in the LICENSE file.
+
+package render
+
+import (
+ "fmt"
+ "net/http"
+)
+
+// Redirect contains the http request reference and redirects status code and location.
+type Redirect struct {
+ Code int
+ Request *http.Request
+ Location string
+}
+
+// Render (Redirect) redirects the http request to new location and writes redirect response.
+func (r Redirect) Render(w http.ResponseWriter) error {
+ if (r.Code < http.StatusMultipleChoices || r.Code > http.StatusPermanentRedirect) && r.Code != http.StatusCreated {
+ panic(fmt.Sprintf("Cannot redirect with status code %d", r.Code))
+ }
+ http.Redirect(w, r.Request, r.Location, r.Code)
+ return nil
+}
+
+// WriteContentType (Redirect) don't write any ContentType.
+func (r Redirect) WriteContentType(http.ResponseWriter) {}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/render/render.go b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/render/render.go
new file mode 100644
index 000000000000..bcd568bfba7a
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/render/render.go
@@ -0,0 +1,40 @@
+// Copyright 2014 Manu Martinez-Almeida. All rights reserved.
+// Use of this source code is governed by a MIT style
+// license that can be found in the LICENSE file.
+
+package render
+
+import "net/http"
+
+// Render interface is to be implemented by JSON, XML, HTML, YAML and so on.
+type Render interface {
+ // Render writes data with custom ContentType.
+ Render(http.ResponseWriter) error
+ // WriteContentType writes custom ContentType.
+ WriteContentType(w http.ResponseWriter)
+}
+
+var (
+ _ Render = JSON{}
+ _ Render = IndentedJSON{}
+ _ Render = SecureJSON{}
+ _ Render = JsonpJSON{}
+ _ Render = XML{}
+ _ Render = String{}
+ _ Render = Redirect{}
+ _ Render = Data{}
+ _ Render = HTML{}
+ _ HTMLRender = HTMLDebug{}
+ _ HTMLRender = HTMLProduction{}
+ _ Render = YAML{}
+ _ Render = Reader{}
+ _ Render = AsciiJSON{}
+ _ Render = ProtoBuf{}
+)
+
+func writeContentType(w http.ResponseWriter, value []string) {
+ header := w.Header()
+ if val := header["Content-Type"]; len(val) == 0 {
+ header["Content-Type"] = value
+ }
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/render/text.go b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/render/text.go
new file mode 100644
index 000000000000..461b720af5ed
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/render/text.go
@@ -0,0 +1,41 @@
+// Copyright 2014 Manu Martinez-Almeida. All rights reserved.
+// Use of this source code is governed by a MIT style
+// license that can be found in the LICENSE file.
+
+package render
+
+import (
+ "fmt"
+ "net/http"
+
+ "github.com/gin-gonic/gin/internal/bytesconv"
+)
+
+// String contains the given interface object slice and its format.
+type String struct {
+ Format string
+ Data []interface{}
+}
+
+var plainContentType = []string{"text/plain; charset=utf-8"}
+
+// Render (String) writes data with custom ContentType.
+func (r String) Render(w http.ResponseWriter) error {
+ return WriteString(w, r.Format, r.Data)
+}
+
+// WriteContentType (String) writes Plain ContentType.
+func (r String) WriteContentType(w http.ResponseWriter) {
+ writeContentType(w, plainContentType)
+}
+
+// WriteString writes data according to its format and write custom ContentType.
+func WriteString(w http.ResponseWriter, format string, data []interface{}) (err error) {
+ writeContentType(w, plainContentType)
+ if len(data) > 0 {
+ _, err = fmt.Fprintf(w, format, data...)
+ return
+ }
+ _, err = w.Write(bytesconv.StringToBytes(format))
+ return
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/render/xml.go b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/render/xml.go
new file mode 100644
index 000000000000..cc5390a2d05b
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/render/xml.go
@@ -0,0 +1,28 @@
+// Copyright 2014 Manu Martinez-Almeida. All rights reserved.
+// Use of this source code is governed by a MIT style
+// license that can be found in the LICENSE file.
+
+package render
+
+import (
+ "encoding/xml"
+ "net/http"
+)
+
+// XML contains the given interface object.
+type XML struct {
+ Data interface{}
+}
+
+var xmlContentType = []string{"application/xml; charset=utf-8"}
+
+// Render (XML) encodes the given interface object and writes data with custom ContentType.
+func (r XML) Render(w http.ResponseWriter) error {
+ r.WriteContentType(w)
+ return xml.NewEncoder(w).Encode(r.Data)
+}
+
+// WriteContentType (XML) writes XML ContentType for response.
+func (r XML) WriteContentType(w http.ResponseWriter) {
+ writeContentType(w, xmlContentType)
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/render/yaml.go b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/render/yaml.go
new file mode 100644
index 000000000000..0df78360893c
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/render/yaml.go
@@ -0,0 +1,36 @@
+// Copyright 2014 Manu Martinez-Almeida. All rights reserved.
+// Use of this source code is governed by a MIT style
+// license that can be found in the LICENSE file.
+
+package render
+
+import (
+ "net/http"
+
+ "gopkg.in/yaml.v2"
+)
+
+// YAML contains the given interface object.
+type YAML struct {
+ Data interface{}
+}
+
+var yamlContentType = []string{"application/x-yaml; charset=utf-8"}
+
+// Render (YAML) marshals the given interface object and writes data with custom ContentType.
+func (r YAML) Render(w http.ResponseWriter) error {
+ r.WriteContentType(w)
+
+ bytes, err := yaml.Marshal(r.Data)
+ if err != nil {
+ return err
+ }
+
+ _, err = w.Write(bytes)
+ return err
+}
+
+// WriteContentType (YAML) writes YAML ContentType for response.
+func (r YAML) WriteContentType(w http.ResponseWriter) {
+ writeContentType(w, yamlContentType)
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/response_writer.go b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/response_writer.go
new file mode 100644
index 000000000000..26826689a5cf
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/response_writer.go
@@ -0,0 +1,126 @@
+// Copyright 2014 Manu Martinez-Almeida. All rights reserved.
+// Use of this source code is governed by a MIT style
+// license that can be found in the LICENSE file.
+
+package gin
+
+import (
+ "bufio"
+ "io"
+ "net"
+ "net/http"
+)
+
+const (
+ noWritten = -1
+ defaultStatus = http.StatusOK
+)
+
+// ResponseWriter ...
+type ResponseWriter interface {
+ http.ResponseWriter
+ http.Hijacker
+ http.Flusher
+ http.CloseNotifier
+
+ // Returns the HTTP response status code of the current request.
+ Status() int
+
+ // Returns the number of bytes already written into the response http body.
+ // See Written()
+ Size() int
+
+ // Writes the string into the response body.
+ WriteString(string) (int, error)
+
+ // Returns true if the response body was already written.
+ Written() bool
+
+ // Forces to write the http header (status code + headers).
+ WriteHeaderNow()
+
+ // get the http.Pusher for server push
+ Pusher() http.Pusher
+}
+
+type responseWriter struct {
+ http.ResponseWriter
+ size int
+ status int
+}
+
+var _ ResponseWriter = &responseWriter{}
+
+func (w *responseWriter) reset(writer http.ResponseWriter) {
+ w.ResponseWriter = writer
+ w.size = noWritten
+ w.status = defaultStatus
+}
+
+func (w *responseWriter) WriteHeader(code int) {
+ if code > 0 && w.status != code {
+ if w.Written() {
+ debugPrint("[WARNING] Headers were already written. Wanted to override status code %d with %d", w.status, code)
+ }
+ w.status = code
+ }
+}
+
+func (w *responseWriter) WriteHeaderNow() {
+ if !w.Written() {
+ w.size = 0
+ w.ResponseWriter.WriteHeader(w.status)
+ }
+}
+
+func (w *responseWriter) Write(data []byte) (n int, err error) {
+ w.WriteHeaderNow()
+ n, err = w.ResponseWriter.Write(data)
+ w.size += n
+ return
+}
+
+func (w *responseWriter) WriteString(s string) (n int, err error) {
+ w.WriteHeaderNow()
+ n, err = io.WriteString(w.ResponseWriter, s)
+ w.size += n
+ return
+}
+
+func (w *responseWriter) Status() int {
+ return w.status
+}
+
+func (w *responseWriter) Size() int {
+ return w.size
+}
+
+func (w *responseWriter) Written() bool {
+ return w.size != noWritten
+}
+
+// Hijack implements the http.Hijacker interface.
+func (w *responseWriter) Hijack() (net.Conn, *bufio.ReadWriter, error) {
+ if w.size < 0 {
+ w.size = 0
+ }
+ return w.ResponseWriter.(http.Hijacker).Hijack()
+}
+
+// CloseNotify implements the http.CloseNotify interface.
+func (w *responseWriter) CloseNotify() <-chan bool {
+ return w.ResponseWriter.(http.CloseNotifier).CloseNotify()
+}
+
+// Flush implements the http.Flush interface.
+func (w *responseWriter) Flush() {
+ w.WriteHeaderNow()
+ w.ResponseWriter.(http.Flusher).Flush()
+}
+
+func (w *responseWriter) Pusher() (pusher http.Pusher) {
+ if pusher, ok := w.ResponseWriter.(http.Pusher); ok {
+ return pusher
+ }
+ return nil
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/routergroup.go b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/routergroup.go
new file mode 100644
index 000000000000..15d9930d3d14
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/routergroup.go
@@ -0,0 +1,230 @@
+// Copyright 2014 Manu Martinez-Almeida. All rights reserved.
+// Use of this source code is governed by a MIT style
+// license that can be found in the LICENSE file.
+
+package gin
+
+import (
+ "net/http"
+ "path"
+ "regexp"
+ "strings"
+)
+
+// IRouter defines all router handle interface includes single and group router.
+type IRouter interface {
+ IRoutes
+ Group(string, ...HandlerFunc) *RouterGroup
+}
+
+// IRoutes defines all router handle interface.
+type IRoutes interface {
+ Use(...HandlerFunc) IRoutes
+
+ Handle(string, string, ...HandlerFunc) IRoutes
+ Any(string, ...HandlerFunc) IRoutes
+ GET(string, ...HandlerFunc) IRoutes
+ POST(string, ...HandlerFunc) IRoutes
+ DELETE(string, ...HandlerFunc) IRoutes
+ PATCH(string, ...HandlerFunc) IRoutes
+ PUT(string, ...HandlerFunc) IRoutes
+ OPTIONS(string, ...HandlerFunc) IRoutes
+ HEAD(string, ...HandlerFunc) IRoutes
+
+ StaticFile(string, string) IRoutes
+ Static(string, string) IRoutes
+ StaticFS(string, http.FileSystem) IRoutes
+}
+
+// RouterGroup is used internally to configure router, a RouterGroup is associated with
+// a prefix and an array of handlers (middleware).
+type RouterGroup struct {
+ Handlers HandlersChain
+ basePath string
+ engine *Engine
+ root bool
+}
+
+var _ IRouter = &RouterGroup{}
+
+// Use adds middleware to the group, see example code in GitHub.
+func (group *RouterGroup) Use(middleware ...HandlerFunc) IRoutes {
+ group.Handlers = append(group.Handlers, middleware...)
+ return group.returnObj()
+}
+
+// Group creates a new router group. You should add all the routes that have common middlewares or the same path prefix.
+// For example, all the routes that use a common middleware for authorization could be grouped.
+func (group *RouterGroup) Group(relativePath string, handlers ...HandlerFunc) *RouterGroup {
+ return &RouterGroup{
+ Handlers: group.combineHandlers(handlers),
+ basePath: group.calculateAbsolutePath(relativePath),
+ engine: group.engine,
+ }
+}
+
+// BasePath returns the base path of router group.
+// For example, if v := router.Group("/rest/n/v1/api"), v.BasePath() is "/rest/n/v1/api".
+func (group *RouterGroup) BasePath() string {
+ return group.basePath
+}
+
+func (group *RouterGroup) handle(httpMethod, relativePath string, handlers HandlersChain) IRoutes {
+ absolutePath := group.calculateAbsolutePath(relativePath)
+ handlers = group.combineHandlers(handlers)
+ group.engine.addRoute(httpMethod, absolutePath, handlers)
+ return group.returnObj()
+}
+
+// Handle registers a new request handle and middleware with the given path and method.
+// The last handler should be the real handler, the other ones should be middleware that can and should be shared among different routes.
+// See the example code in GitHub.
+//
+// For GET, POST, PUT, PATCH and DELETE requests the respective shortcut
+// functions can be used.
+//
+// This function is intended for bulk loading and to allow the usage of less
+// frequently used, non-standardized or custom methods (e.g. for internal
+// communication with a proxy).
+func (group *RouterGroup) Handle(httpMethod, relativePath string, handlers ...HandlerFunc) IRoutes {
+ if matches, err := regexp.MatchString("^[A-Z]+$", httpMethod); !matches || err != nil {
+ panic("http method " + httpMethod + " is not valid")
+ }
+ return group.handle(httpMethod, relativePath, handlers)
+}
+
+// POST is a shortcut for router.Handle("POST", path, handle).
+func (group *RouterGroup) POST(relativePath string, handlers ...HandlerFunc) IRoutes {
+ return group.handle(http.MethodPost, relativePath, handlers)
+}
+
+// GET is a shortcut for router.Handle("GET", path, handle).
+func (group *RouterGroup) GET(relativePath string, handlers ...HandlerFunc) IRoutes {
+ return group.handle(http.MethodGet, relativePath, handlers)
+}
+
+// DELETE is a shortcut for router.Handle("DELETE", path, handle).
+func (group *RouterGroup) DELETE(relativePath string, handlers ...HandlerFunc) IRoutes {
+ return group.handle(http.MethodDelete, relativePath, handlers)
+}
+
+// PATCH is a shortcut for router.Handle("PATCH", path, handle).
+func (group *RouterGroup) PATCH(relativePath string, handlers ...HandlerFunc) IRoutes {
+ return group.handle(http.MethodPatch, relativePath, handlers)
+}
+
+// PUT is a shortcut for router.Handle("PUT", path, handle).
+func (group *RouterGroup) PUT(relativePath string, handlers ...HandlerFunc) IRoutes {
+ return group.handle(http.MethodPut, relativePath, handlers)
+}
+
+// OPTIONS is a shortcut for router.Handle("OPTIONS", path, handle).
+func (group *RouterGroup) OPTIONS(relativePath string, handlers ...HandlerFunc) IRoutes {
+ return group.handle(http.MethodOptions, relativePath, handlers)
+}
+
+// HEAD is a shortcut for router.Handle("HEAD", path, handle).
+func (group *RouterGroup) HEAD(relativePath string, handlers ...HandlerFunc) IRoutes {
+ return group.handle(http.MethodHead, relativePath, handlers)
+}
+
+// Any registers a route that matches all the HTTP methods.
+// GET, POST, PUT, PATCH, HEAD, OPTIONS, DELETE, CONNECT, TRACE.
+func (group *RouterGroup) Any(relativePath string, handlers ...HandlerFunc) IRoutes {
+ group.handle(http.MethodGet, relativePath, handlers)
+ group.handle(http.MethodPost, relativePath, handlers)
+ group.handle(http.MethodPut, relativePath, handlers)
+ group.handle(http.MethodPatch, relativePath, handlers)
+ group.handle(http.MethodHead, relativePath, handlers)
+ group.handle(http.MethodOptions, relativePath, handlers)
+ group.handle(http.MethodDelete, relativePath, handlers)
+ group.handle(http.MethodConnect, relativePath, handlers)
+ group.handle(http.MethodTrace, relativePath, handlers)
+ return group.returnObj()
+}
+
+// StaticFile registers a single route in order to serve a single file of the local filesystem.
+// router.StaticFile("favicon.ico", "./resources/favicon.ico")
+func (group *RouterGroup) StaticFile(relativePath, filepath string) IRoutes {
+ if strings.Contains(relativePath, ":") || strings.Contains(relativePath, "*") {
+ panic("URL parameters can not be used when serving a static file")
+ }
+ handler := func(c *Context) {
+ c.File(filepath)
+ }
+ group.GET(relativePath, handler)
+ group.HEAD(relativePath, handler)
+ return group.returnObj()
+}
+
+// Static serves files from the given file system root.
+// Internally a http.FileServer is used, therefore http.NotFound is used instead
+// of the Router's NotFound handler.
+// To use the operating system's file system implementation,
+// use :
+// router.Static("/static", "/var/www")
+func (group *RouterGroup) Static(relativePath, root string) IRoutes {
+ return group.StaticFS(relativePath, Dir(root, false))
+}
+
+// StaticFS works just like `Static()` but a custom `http.FileSystem` can be used instead.
+// Gin by default user: gin.Dir()
+func (group *RouterGroup) StaticFS(relativePath string, fs http.FileSystem) IRoutes {
+ if strings.Contains(relativePath, ":") || strings.Contains(relativePath, "*") {
+ panic("URL parameters can not be used when serving a static folder")
+ }
+ handler := group.createStaticHandler(relativePath, fs)
+ urlPattern := path.Join(relativePath, "/*filepath")
+
+ // Register GET and HEAD handlers
+ group.GET(urlPattern, handler)
+ group.HEAD(urlPattern, handler)
+ return group.returnObj()
+}
+
+func (group *RouterGroup) createStaticHandler(relativePath string, fs http.FileSystem) HandlerFunc {
+ absolutePath := group.calculateAbsolutePath(relativePath)
+ fileServer := http.StripPrefix(absolutePath, http.FileServer(fs))
+
+ return func(c *Context) {
+ if _, noListing := fs.(*onlyFilesFS); noListing {
+ c.Writer.WriteHeader(http.StatusNotFound)
+ }
+
+ file := c.Param("filepath")
+ // Check if file exists and/or if we have permission to access it
+ f, err := fs.Open(file)
+ if err != nil {
+ c.Writer.WriteHeader(http.StatusNotFound)
+ c.handlers = group.engine.noRoute
+ // Reset index
+ c.index = -1
+ return
+ }
+ f.Close()
+
+ fileServer.ServeHTTP(c.Writer, c.Request)
+ }
+}
+
+func (group *RouterGroup) combineHandlers(handlers HandlersChain) HandlersChain {
+ finalSize := len(group.Handlers) + len(handlers)
+ if finalSize >= int(abortIndex) {
+ panic("too many handlers")
+ }
+ mergedHandlers := make(HandlersChain, finalSize)
+ copy(mergedHandlers, group.Handlers)
+ copy(mergedHandlers[len(group.Handlers):], handlers)
+ return mergedHandlers
+}
+
+func (group *RouterGroup) calculateAbsolutePath(relativePath string) string {
+ return joinPaths(group.basePath, relativePath)
+}
+
+func (group *RouterGroup) returnObj() IRoutes {
+ if group.root {
+ return group.engine
+ }
+ return group
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/stub.go b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/stub.go
deleted file mode 100644
index f941716f925f..000000000000
--- a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/stub.go
+++ /dev/null
@@ -1,681 +0,0 @@ -// Code generated by depstubber. DO NOT EDIT. -// This is a simple stub for github.com/gin-gonic/gin, strictly for use in testing. - -// See the LICENSE file for information about the licensing of the original library. -// Source: github.com/gin-gonic/gin (exports: Context; functions: New) - -// Package gin is a stub of github.com/gin-gonic/gin, generated by depstubber. -package gin - -import ( - bufio "bufio" - template "html/template" - io "io" - multipart "mime/multipart" - net "net" - http "net/http" - time "time" -) - -type Context struct { - Request *http.Request - Writer ResponseWriter - Params Params - Keys map[string]interface{} - Errors interface{} - Accepted []string -} - -func (_ *Context) Abort() {} - -func (_ *Context) AbortWithError(_ int, _ error) *Error { - return nil -} - -func (_ *Context) AbortWithStatus(_ int) {} - -func (_ *Context) AbortWithStatusJSON(_ int, _ interface{}) {} - -func (_ *Context) AsciiJSON(_ int, _ interface{}) {} - -func (_ *Context) Bind(_ interface{}) error { - return nil -} - -func (_ *Context) BindHeader(_ interface{}) error { - return nil -} - -func (_ *Context) BindJSON(_ interface{}) error { - return nil -} - -func (_ *Context) BindQuery(_ interface{}) error { - return nil -} - -func (_ *Context) BindUri(_ interface{}) error { - return nil -} - -func (_ *Context) BindWith(_ interface{}, _ interface{}) error { - return nil -} - -func (_ *Context) BindXML(_ interface{}) error { - return nil -} - -func (_ *Context) BindYAML(_ interface{}) error { - return nil -} - -func (_ *Context) ClientIP() string { - return "" -} - -func (_ *Context) ContentType() string { - return "" -} - -func (_ *Context) Cookie(_ string) (string, error) { - return "", nil -} - -func (_ *Context) Copy() *Context { - return nil -} - -func (_ *Context) Data(_ int, _ string, _ []byte) {} - -func (_ *Context) DataFromReader(_ int, _ int64, _ string, _ io.Reader, _ map[string]string) {} - -func (_ *Context) Deadline() (time.Time, 
bool) { - return time.Time{}, false -} - -func (_ *Context) DefaultPostForm(_ string, _ string) string { - return "" -} - -func (_ *Context) DefaultQuery(_ string, _ string) string { - return "" -} - -func (_ *Context) Done() <-chan struct{} { - return nil -} - -func (_ *Context) Err() error { - return nil -} - -func (_ *Context) Error(_ error) *Error { - return nil -} - -func (_ *Context) File(_ string) {} - -func (_ *Context) FileAttachment(_ string, _ string) {} - -func (_ *Context) FileFromFS(_ string, _ http.FileSystem) {} - -func (_ *Context) FormFile(_ string) (*multipart.FileHeader, error) { - return nil, nil -} - -func (_ *Context) FullPath() string { - return "" -} - -func (_ *Context) Get(_ string) (interface{}, bool) { - return nil, false -} - -func (_ *Context) GetBool(_ string) bool { - return false -} - -func (_ *Context) GetDuration(_ string) time.Duration { - return 0 -} - -func (_ *Context) GetFloat64(_ string) float64 { - return 0 -} - -func (_ *Context) GetHeader(_ string) string { - return "" -} - -func (_ *Context) GetInt(_ string) int { - return 0 -} - -func (_ *Context) GetInt64(_ string) int64 { - return 0 -} - -func (_ *Context) GetPostForm(_ string) (string, bool) { - return "", false -} - -func (_ *Context) GetPostFormArray(_ string) ([]string, bool) { - return nil, false -} - -func (_ *Context) GetPostFormMap(_ string) (map[string]string, bool) { - return nil, false -} - -func (_ *Context) GetQuery(_ string) (string, bool) { - return "", false -} - -func (_ *Context) GetQueryArray(_ string) ([]string, bool) { - return nil, false -} - -func (_ *Context) GetQueryMap(_ string) (map[string]string, bool) { - return nil, false -} - -func (_ *Context) GetRawData() ([]byte, error) { - return nil, nil -} - -func (_ *Context) GetString(_ string) string { - return "" -} - -func (_ *Context) GetStringMap(_ string) map[string]interface{} { - return nil -} - -func (_ *Context) GetStringMapString(_ string) map[string]string { - return nil -} - -func 
(_ *Context) GetStringMapStringSlice(_ string) map[string][]string { - return nil -} - -func (_ *Context) GetStringSlice(_ string) []string { - return nil -} - -func (_ *Context) GetTime(_ string) time.Time { - return time.Time{} -} - -func (_ *Context) GetUint(_ string) uint { - return 0 -} - -func (_ *Context) GetUint64(_ string) uint64 { - return 0 -} - -func (_ *Context) HTML(_ int, _ string, _ interface{}) {} - -func (_ *Context) Handler() HandlerFunc { - return nil -} - -func (_ *Context) HandlerName() string { - return "" -} - -func (_ *Context) HandlerNames() []string { - return nil -} - -func (_ *Context) Header(_ string, _ string) {} - -func (_ *Context) IndentedJSON(_ int, _ interface{}) {} - -func (_ *Context) IsAborted() bool { - return false -} - -func (_ *Context) IsWebsocket() bool { - return false -} - -func (_ *Context) JSON(_ int, _ interface{}) {} - -func (_ *Context) JSONP(_ int, _ interface{}) {} - -func (_ *Context) MultipartForm() (*multipart.Form, error) { - return nil, nil -} - -func (_ *Context) MustBindWith(_ interface{}, _ interface{}) error { - return nil -} - -func (_ *Context) MustGet(_ string) interface{} { - return nil -} - -func (_ *Context) Negotiate(_ int, _ Negotiate) {} - -func (_ *Context) NegotiateFormat(_ ...string) string { - return "" -} - -func (_ *Context) Next() {} - -func (_ *Context) Param(_ string) string { - return "" -} - -func (_ *Context) PostForm(_ string) string { - return "" -} - -func (_ *Context) PostFormArray(_ string) []string { - return nil -} - -func (_ *Context) PostFormMap(_ string) map[string]string { - return nil -} - -func (_ *Context) ProtoBuf(_ int, _ interface{}) {} - -func (_ *Context) PureJSON(_ int, _ interface{}) {} - -func (_ *Context) Query(_ string) string { - return "" -} - -func (_ *Context) QueryArray(_ string) []string { - return nil -} - -func (_ *Context) QueryMap(_ string) map[string]string { - return nil -} - -func (_ *Context) Redirect(_ int, _ string) {} - -func (_ *Context) 
RemoteIP() (net.IP, bool) { - return nil, false -} - -func (_ *Context) Render(_ int, _ interface{}) {} - -func (_ *Context) SSEvent(_ string, _ interface{}) {} - -func (_ *Context) SaveUploadedFile(_ *multipart.FileHeader, _ string) error { - return nil -} - -func (_ *Context) SecureJSON(_ int, _ interface{}) {} - -func (_ *Context) Set(_ string, _ interface{}) {} - -func (_ *Context) SetAccepted(_ ...string) {} - -func (_ *Context) SetCookie(_ string, _ string, _ int, _ string, _ string, _ bool, _ bool) {} - -func (_ *Context) SetSameSite(_ http.SameSite) {} - -func (_ *Context) ShouldBind(_ interface{}) error { - return nil -} - -func (_ *Context) ShouldBindBodyWith(_ interface{}, _ interface{}) error { - return nil -} - -func (_ *Context) ShouldBindHeader(_ interface{}) error { - return nil -} - -func (_ *Context) ShouldBindJSON(_ interface{}) error { - return nil -} - -func (_ *Context) ShouldBindQuery(_ interface{}) error { - return nil -} - -func (_ *Context) ShouldBindUri(_ interface{}) error { - return nil -} - -func (_ *Context) ShouldBindWith(_ interface{}, _ interface{}) error { - return nil -} - -func (_ *Context) ShouldBindXML(_ interface{}) error { - return nil -} - -func (_ *Context) ShouldBindYAML(_ interface{}) error { - return nil -} - -func (_ *Context) Status(_ int) {} - -func (_ *Context) Stream(_ func(io.Writer) bool) bool { - return false -} - -func (_ *Context) String(_ int, _ string, _ ...interface{}) {} - -func (_ *Context) Value(_ interface{}) interface{} { - return nil -} - -func (_ *Context) XML(_ int, _ interface{}) {} - -func (_ *Context) YAML(_ int, _ interface{}) {} - -type Engine struct { - RouterGroup RouterGroup - RedirectTrailingSlash bool - RedirectFixedPath bool - HandleMethodNotAllowed bool - ForwardedByClientIP bool - AppEngine bool - UseRawPath bool - UnescapePathValues bool - RemoveExtraSlash bool - RemoteIPHeaders []string - TrustedPlatform string - MaxMultipartMemory int64 - HTMLRender interface{} - FuncMap 
template.FuncMap -} - -func (_ *Engine) Any(_ string, _ ...HandlerFunc) IRoutes { - return nil -} - -func (_ *Engine) BasePath() string { - return "" -} - -func (_ *Engine) DELETE(_ string, _ ...HandlerFunc) IRoutes { - return nil -} - -func (_ *Engine) Delims(_ string, _ string) *Engine { - return nil -} - -func (_ *Engine) GET(_ string, _ ...HandlerFunc) IRoutes { - return nil -} - -func (_ *Engine) Group(_ string, _ ...HandlerFunc) *RouterGroup { - return nil -} - -func (_ *Engine) HEAD(_ string, _ ...HandlerFunc) IRoutes { - return nil -} - -func (_ *Engine) Handle(_ string, _ string, _ ...HandlerFunc) IRoutes { - return nil -} - -func (_ *Engine) HandleContext(_ *Context) {} - -func (_ *Engine) LoadHTMLFiles(_ ...string) {} - -func (_ *Engine) LoadHTMLGlob(_ string) {} - -func (_ *Engine) NoMethod(_ ...HandlerFunc) {} - -func (_ *Engine) NoRoute(_ ...HandlerFunc) {} - -func (_ *Engine) OPTIONS(_ string, _ ...HandlerFunc) IRoutes { - return nil -} - -func (_ *Engine) PATCH(_ string, _ ...HandlerFunc) IRoutes { - return nil -} - -func (_ *Engine) POST(_ string, _ ...HandlerFunc) IRoutes { - return nil -} - -func (_ *Engine) PUT(_ string, _ ...HandlerFunc) IRoutes { - return nil -} - -func (_ *Engine) Routes() RoutesInfo { - return nil -} - -func (_ *Engine) Run(_ ...string) error { - return nil -} - -func (_ *Engine) RunFd(_ int) error { - return nil -} - -func (_ *Engine) RunListener(_ net.Listener) error { - return nil -} - -func (_ *Engine) RunTLS(_ string, _ string, _ string) error { - return nil -} - -func (_ *Engine) RunUnix(_ string) error { - return nil -} - -func (_ *Engine) SecureJsonPrefix(_ string) *Engine { - return nil -} - -func (_ *Engine) ServeHTTP(_ http.ResponseWriter, _ *http.Request) {} - -func (_ *Engine) SetFuncMap(_ template.FuncMap) {} - -func (_ *Engine) SetHTMLTemplate(_ *template.Template) {} - -func (_ *Engine) SetTrustedProxies(_ []string) error { - return nil -} - -func (_ *Engine) Static(_ string, _ string) IRoutes { - return nil 
-} - -func (_ *Engine) StaticFS(_ string, _ http.FileSystem) IRoutes { - return nil -} - -func (_ *Engine) StaticFile(_ string, _ string) IRoutes { - return nil -} - -func (_ *Engine) Use(_ ...HandlerFunc) IRoutes { - return nil -} - -type Error struct { - Err error - Type ErrorType - Meta interface{} -} - -func (_ Error) Error() string { - return "" -} - -func (_ *Error) IsType(_ ErrorType) bool { - return false -} - -func (_ *Error) JSON() interface{} { - return nil -} - -func (_ *Error) MarshalJSON() ([]byte, error) { - return nil, nil -} - -func (_ *Error) SetMeta(_ interface{}) *Error { - return nil -} - -func (_ *Error) SetType(_ ErrorType) *Error { - return nil -} - -func (_ *Error) Unwrap() error { - return nil -} - -type ErrorType uint64 - -type HandlerFunc func(*Context) - -type HandlersChain []HandlerFunc - -func (_ HandlersChain) Last() HandlerFunc { - return nil -} - -type IRoutes interface { - Any(_ string, _ ...HandlerFunc) IRoutes - DELETE(_ string, _ ...HandlerFunc) IRoutes - GET(_ string, _ ...HandlerFunc) IRoutes - HEAD(_ string, _ ...HandlerFunc) IRoutes - Handle(_ string, _ string, _ ...HandlerFunc) IRoutes - OPTIONS(_ string, _ ...HandlerFunc) IRoutes - PATCH(_ string, _ ...HandlerFunc) IRoutes - POST(_ string, _ ...HandlerFunc) IRoutes - PUT(_ string, _ ...HandlerFunc) IRoutes - Static(_ string, _ string) IRoutes - StaticFS(_ string, _ http.FileSystem) IRoutes - StaticFile(_ string, _ string) IRoutes - Use(_ ...HandlerFunc) IRoutes -} - -type Negotiate struct { - Offered []string - HTMLName string - HTMLData interface{} - JSONData interface{} - XMLData interface{} - YAMLData interface{} - Data interface{} -} - -func New() *Engine { - return nil -} - -type Param struct { - Key string - Value string -} - -type Params []Param - -func (_ Params) ByName(_ string) string { - return "" -} - -func (_ Params) Get(_ string) (string, bool) { - return "", false -} - -type ResponseWriter interface { - CloseNotify() <-chan bool - Flush() - Header() 
http.Header - Hijack() (net.Conn, *bufio.ReadWriter, error) - Pusher() http.Pusher - Size() int - Status() int - Write(_ []byte) (int, error) - WriteHeader(_ int) - WriteHeaderNow() - WriteString(_ string) (int, error) - Written() bool -} - -type RouteInfo struct { - Method string - Path string - Handler string - HandlerFunc HandlerFunc -} - -type RouterGroup struct { - Handlers HandlersChain -} - -func (_ *RouterGroup) Any(_ string, _ ...HandlerFunc) IRoutes { - return nil -} - -func (_ *RouterGroup) BasePath() string { - return "" -} - -func (_ *RouterGroup) DELETE(_ string, _ ...HandlerFunc) IRoutes { - return nil -} - -func (_ *RouterGroup) GET(_ string, _ ...HandlerFunc) IRoutes { - return nil -} - -func (_ *RouterGroup) Group(_ string, _ ...HandlerFunc) *RouterGroup { - return nil -} - -func (_ *RouterGroup) HEAD(_ string, _ ...HandlerFunc) IRoutes { - return nil -} - -func (_ *RouterGroup) Handle(_ string, _ string, _ ...HandlerFunc) IRoutes { - return nil -} - -func (_ *RouterGroup) OPTIONS(_ string, _ ...HandlerFunc) IRoutes { - return nil -} - -func (_ *RouterGroup) PATCH(_ string, _ ...HandlerFunc) IRoutes { - return nil -} - -func (_ *RouterGroup) POST(_ string, _ ...HandlerFunc) IRoutes { - return nil -} - -func (_ *RouterGroup) PUT(_ string, _ ...HandlerFunc) IRoutes { - return nil -} - -func (_ *RouterGroup) Static(_ string, _ string) IRoutes { - return nil -} - -func (_ *RouterGroup) StaticFS(_ string, _ http.FileSystem) IRoutes { - return nil -} - -func (_ *RouterGroup) StaticFile(_ string, _ string) IRoutes { - return nil -} - -func (_ *RouterGroup) Use(_ ...HandlerFunc) IRoutes { - return nil -} - -type RoutesInfo []RouteInfo diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/test_helpers.go b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/test_helpers.go new file mode 100644 index 000000000000..3a7a5ddf69c3 --- /dev/null 
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/test_helpers.go
@@ -0,0 +1,16 @@
+// Copyright 2017 Manu Martinez-Almeida. All rights reserved.
+// Use of this source code is governed by a MIT style
+// license that can be found in the LICENSE file.
+
+package gin
+
+import "net/http"
+
+// CreateTestContext returns a fresh engine and context for testing purposes
+func CreateTestContext(w http.ResponseWriter) (c *Context, r *Engine) {
+ r = New()
+ c = r.allocateContext()
+ c.reset()
+ c.writermem.reset(w)
+ return
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/tree.go b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/tree.go
new file mode 100644
index 000000000000..158a3390892d
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/tree.go
@@ -0,0 +1,867 @@ +// Copyright 2013 Julien Schmidt. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be found +// at https://github.com/julienschmidt/httprouter/blob/master/LICENSE + +package gin + +import ( + "bytes" + "net/url" + "strings" + "unicode" + "unicode/utf8" + + "github.com/gin-gonic/gin/internal/bytesconv" +) + +var ( + strColon = []byte(":") + strStar = []byte("*") + strSlash = []byte("/") +) + +// Param is a single URL parameter, consisting of a key and a value. +type Param struct { + Key string + Value string +} + +// Params is a Param-slice, as returned by the router. +// The slice is ordered, the first URL parameter is also the first slice value. +// It is therefore safe to read values by the index. +type Params []Param + +// Get returns the value of the first Param which key matches the given name. +// If no matching Param is found, an empty string is returned. +func (ps Params) Get(name string) (string, bool) { + for _, entry := range ps { + if entry.Key == name { + return entry.Value, true + } + } + return "", false +} + +// ByName returns the value of the first Param which key matches the given name. +// If no matching Param is found, an empty string is returned. 
+func (ps Params) ByName(name string) (va string) { + va, _ = ps.Get(name) + return +} + +type methodTree struct { + method string + root *node +} + +type methodTrees []methodTree + +func (trees methodTrees) get(method string) *node { + for _, tree := range trees { + if tree.method == method { + return tree.root + } + } + return nil +} + +func min(a, b int) int { + if a <= b { + return a + } + return b +} + +func longestCommonPrefix(a, b string) int { + i := 0 + max := min(len(a), len(b)) + for i < max && a[i] == b[i] { + i++ + } + return i +} + +// addChild will add a child node, keeping wildcards at the end +func (n *node) addChild(child *node) { + if n.wildChild && len(n.children) > 0 { + wildcardChild := n.children[len(n.children)-1] + n.children = append(n.children[:len(n.children)-1], child, wildcardChild) + } else { + n.children = append(n.children, child) + } +} + +func countParams(path string) uint16 { + var n uint16 + s := bytesconv.StringToBytes(path) + n += uint16(bytes.Count(s, strColon)) + n += uint16(bytes.Count(s, strStar)) + return n +} + +func countSections(path string) uint16 { + s := bytesconv.StringToBytes(path) + return uint16(bytes.Count(s, strSlash)) +} + +type nodeType uint8 + +const ( + static nodeType = iota // default + root + param + catchAll +) + +type node struct { + path string + indices string + wildChild bool + nType nodeType + priority uint32 + children []*node // child nodes, at most 1 :param style node at the end of the array + handlers HandlersChain + fullPath string +} + +// Increments priority of the given child and reorders if necessary +func (n *node) incrementChildPrio(pos int) int { + cs := n.children + cs[pos].priority++ + prio := cs[pos].priority + + // Adjust position (move to front) + newPos := pos + for ; newPos > 0 && cs[newPos-1].priority < prio; newPos-- { + // Swap node positions + cs[newPos-1], cs[newPos] = cs[newPos], cs[newPos-1] + } + + // Build new index char string + if newPos != pos { + n.indices = 
n.indices[:newPos] + // Unchanged prefix, might be empty + n.indices[pos:pos+1] + // The index char we move + n.indices[newPos:pos] + n.indices[pos+1:] // Rest without char at 'pos' + } + + return newPos +} + +// addRoute adds a node with the given handle to the path. +// Not concurrency-safe! +func (n *node) addRoute(path string, handlers HandlersChain) { + fullPath := path + n.priority++ + + // Empty tree + if len(n.path) == 0 && len(n.children) == 0 { + n.insertChild(path, fullPath, handlers) + n.nType = root + return + } + + parentFullPathIndex := 0 + +walk: + for { + // Find the longest common prefix. + // This also implies that the common prefix contains no ':' or '*' + // since the existing key can't contain those chars. + i := longestCommonPrefix(path, n.path) + + // Split edge + if i < len(n.path) { + child := node{ + path: n.path[i:], + wildChild: n.wildChild, + indices: n.indices, + children: n.children, + handlers: n.handlers, + priority: n.priority - 1, + fullPath: n.fullPath, + } + + n.children = []*node{&child} + // []byte for proper unicode char conversion, see #65 + n.indices = bytesconv.BytesToString([]byte{n.path[i]}) + n.path = path[:i] + n.handlers = nil + n.wildChild = false + n.fullPath = fullPath[:parentFullPathIndex+i] + } + + // Make new node a child of this node + if i < len(path) { + path = path[i:] + c := path[0] + + // '/' after param + if n.nType == param && c == '/' && len(n.children) == 1 { + parentFullPathIndex += len(n.path) + n = n.children[0] + n.priority++ + continue walk + } + + // Check if a child with the next path byte exists + for i, max := 0, len(n.indices); i < max; i++ { + if c == n.indices[i] { + parentFullPathIndex += len(n.path) + i = n.incrementChildPrio(i) + n = n.children[i] + continue walk + } + } + + // Otherwise insert it + if c != ':' && c != '*' && n.nType != catchAll { + // []byte for proper unicode char conversion, see #65 + n.indices += bytesconv.BytesToString([]byte{c}) + child := &node{ + fullPath: 
fullPath, + } + n.addChild(child) + n.incrementChildPrio(len(n.indices) - 1) + n = child + } else if n.wildChild { + // inserting a wildcard node, need to check if it conflicts with the existing wildcard + n = n.children[len(n.children)-1] + n.priority++ + + // Check if the wildcard matches + if len(path) >= len(n.path) && n.path == path[:len(n.path)] && + // Adding a child to a catchAll is not possible + n.nType != catchAll && + // Check for longer wildcard, e.g. :name and :names + (len(n.path) >= len(path) || path[len(n.path)] == '/') { + continue walk + } + + // Wildcard conflict + pathSeg := path + if n.nType != catchAll { + pathSeg = strings.SplitN(pathSeg, "/", 2)[0] + } + prefix := fullPath[:strings.Index(fullPath, pathSeg)] + n.path + panic("'" + pathSeg + + "' in new path '" + fullPath + + "' conflicts with existing wildcard '" + n.path + + "' in existing prefix '" + prefix + + "'") + } + + n.insertChild(path, fullPath, handlers) + return + } + + // Otherwise add handle to current node + if n.handlers != nil { + panic("handlers are already registered for path '" + fullPath + "'") + } + n.handlers = handlers + n.fullPath = fullPath + return + } +} + +// Search for a wildcard segment and check the name for invalid characters. +// Returns -1 as index, if no wildcard was found. 
+func findWildcard(path string) (wildcard string, i int, valid bool) { + // Find start + for start, c := range []byte(path) { + // A wildcard starts with ':' (param) or '*' (catch-all) + if c != ':' && c != '*' { + continue + } + + // Find end and check for invalid characters + valid = true + for end, c := range []byte(path[start+1:]) { + switch c { + case '/': + return path[start : start+1+end], start, valid + case ':', '*': + valid = false + } + } + return path[start:], start, valid + } + return "", -1, false +} + +func (n *node) insertChild(path string, fullPath string, handlers HandlersChain) { + for { + // Find prefix until first wildcard + wildcard, i, valid := findWildcard(path) + if i < 0 { // No wildcard found + break + } + + // The wildcard name must not contain ':' and '*' + if !valid { + panic("only one wildcard per path segment is allowed, has: '" + + wildcard + "' in path '" + fullPath + "'") + } + + // check if the wildcard has a name + if len(wildcard) < 2 { + panic("wildcards must be named with a non-empty name in path '" + fullPath + "'") + } + + if wildcard[0] == ':' { // param + if i > 0 { + // Insert prefix before the current wildcard + n.path = path[:i] + path = path[i:] + } + + child := &node{ + nType: param, + path: wildcard, + fullPath: fullPath, + } + n.addChild(child) + n.wildChild = true + n = child + n.priority++ + + // if the path doesn't end with the wildcard, then there + // will be another non-wildcard subpath starting with '/' + if len(wildcard) < len(path) { + path = path[len(wildcard):] + + child := &node{ + priority: 1, + fullPath: fullPath, + } + n.addChild(child) + n = child + continue + } + + // Otherwise we're done. 
Insert the handle in the new leaf + n.handlers = handlers + return + } + + // catchAll + if i+len(wildcard) != len(path) { + panic("catch-all routes are only allowed at the end of the path in path '" + fullPath + "'") + } + + if len(n.path) > 0 && n.path[len(n.path)-1] == '/' { + panic("catch-all conflicts with existing handle for the path segment root in path '" + fullPath + "'") + } + + // currently fixed width 1 for '/' + i-- + if path[i] != '/' { + panic("no / before catch-all in path '" + fullPath + "'") + } + + n.path = path[:i] + + // First node: catchAll node with empty path + child := &node{ + wildChild: true, + nType: catchAll, + fullPath: fullPath, + } + + n.addChild(child) + n.indices = string('/') + n = child + n.priority++ + + // second node: node holding the variable + child = &node{ + path: path[i:], + nType: catchAll, + handlers: handlers, + priority: 1, + fullPath: fullPath, + } + n.children = []*node{child} + + return + } + + // If no wildcard was found, simply insert the path and handle + n.path = path + n.handlers = handlers + n.fullPath = fullPath +} + +// nodeValue holds return values of (*Node).getValue method +type nodeValue struct { + handlers HandlersChain + params *Params + tsr bool + fullPath string +} + +type skippedNode struct { + path string + node *node + paramsCount int16 +} + +// Returns the handle registered with the given path (key). The values of +// wildcards are saved to a map. +// If no handle can be found, a TSR (trailing slash redirect) recommendation is +// made if a handle exists with an extra (without the) trailing slash for the +// given path. 
+func (n *node) getValue(path string, params *Params, skippedNodes *[]skippedNode, unescape bool) (value nodeValue) { + var globalParamsCount int16 + +walk: // Outer loop for walking the tree + for { + prefix := n.path + if len(path) > len(prefix) { + if path[:len(prefix)] == prefix { + path = path[len(prefix):] + + // Try all the non-wildcard children first by matching the indices + idxc := path[0] + for i, c := range []byte(n.indices) { + if c == idxc { + // strings.HasPrefix(n.children[len(n.children)-1].path, ":") == n.wildChild + if n.wildChild { + index := len(*skippedNodes) + *skippedNodes = (*skippedNodes)[:index+1] + (*skippedNodes)[index] = skippedNode{ + path: prefix + path, + node: &node{ + path: n.path, + wildChild: n.wildChild, + nType: n.nType, + priority: n.priority, + children: n.children, + handlers: n.handlers, + fullPath: n.fullPath, + }, + paramsCount: globalParamsCount, + } + } + + n = n.children[i] + continue walk + } + } + + if !n.wildChild { + // If the path at the end of the loop is not equal to '/' and the current node has no child nodes + // the current node needs to roll back to last vaild skippedNode + if path != "/" { + for l := len(*skippedNodes); l > 0; { + skippedNode := (*skippedNodes)[l-1] + *skippedNodes = (*skippedNodes)[:l-1] + if strings.HasSuffix(skippedNode.path, path) { + path = skippedNode.path + n = skippedNode.node + if value.params != nil { + *value.params = (*value.params)[:skippedNode.paramsCount] + } + globalParamsCount = skippedNode.paramsCount + continue walk + } + } + } + + // Nothing found. + // We can recommend to redirect to the same URL without a + // trailing slash if a leaf exists for that path. 
+ value.tsr = path == "/" && n.handlers != nil + return + } + + // Handle wildcard child, which is always at the end of the array + n = n.children[len(n.children)-1] + globalParamsCount++ + + switch n.nType { + case param: + // fix truncate the parameter + // tree_test.go line: 204 + + // Find param end (either '/' or path end) + end := 0 + for end < len(path) && path[end] != '/' { + end++ + } + + // Save param value + if params != nil && cap(*params) > 0 { + if value.params == nil { + value.params = params + } + // Expand slice within preallocated capacity + i := len(*value.params) + *value.params = (*value.params)[:i+1] + val := path[:end] + if unescape { + if v, err := url.QueryUnescape(val); err == nil { + val = v + } + } + (*value.params)[i] = Param{ + Key: n.path[1:], + Value: val, + } + } + + // we need to go deeper! + if end < len(path) { + if len(n.children) > 0 { + path = path[end:] + n = n.children[0] + continue walk + } + + // ... but we can't + value.tsr = len(path) == end+1 + return + } + + if value.handlers = n.handlers; value.handlers != nil { + value.fullPath = n.fullPath + return + } + if len(n.children) == 1 { + // No handle found. 
Check if a handle for this path + a + // trailing slash exists for TSR recommendation + n = n.children[0] + value.tsr = n.path == "/" && n.handlers != nil + } + return + + case catchAll: + // Save param value + if params != nil { + if value.params == nil { + value.params = params + } + // Expand slice within preallocated capacity + i := len(*value.params) + *value.params = (*value.params)[:i+1] + val := path + if unescape { + if v, err := url.QueryUnescape(path); err == nil { + val = v + } + } + (*value.params)[i] = Param{ + Key: n.path[2:], + Value: val, + } + } + + value.handlers = n.handlers + value.fullPath = n.fullPath + return + + default: + panic("invalid node type") + } + } + } + + if path == prefix { + // If the current path does not equal '/' and the node does not have a registered handle and the most recently matched node has a child node + // the current node needs to roll back to last vaild skippedNode + if n.handlers == nil && path != "/" { + for l := len(*skippedNodes); l > 0; { + skippedNode := (*skippedNodes)[l-1] + *skippedNodes = (*skippedNodes)[:l-1] + if strings.HasSuffix(skippedNode.path, path) { + path = skippedNode.path + n = skippedNode.node + if value.params != nil { + *value.params = (*value.params)[:skippedNode.paramsCount] + } + globalParamsCount = skippedNode.paramsCount + continue walk + } + } + // n = latestNode.children[len(latestNode.children)-1] + } + // We should have reached the node containing the handle. + // Check if this node has a handle registered. + if value.handlers = n.handlers; value.handlers != nil { + value.fullPath = n.fullPath + return + } + + // If there is no handle for this route, but this route has a + // wildcard child, there must be a handle for this path with an + // additional trailing slash + if path == "/" && n.wildChild && n.nType != root { + value.tsr = true + return + } + + // No handle found. 
Check if a handle for this path + a + // trailing slash exists for trailing slash recommendation + for i, c := range []byte(n.indices) { + if c == '/' { + n = n.children[i] + value.tsr = (len(n.path) == 1 && n.handlers != nil) || + (n.nType == catchAll && n.children[0].handlers != nil) + return + } + } + + return + } + + // Nothing found. We can recommend to redirect to the same URL with an + // extra trailing slash if a leaf exists for that path + value.tsr = path == "/" || + (len(prefix) == len(path)+1 && prefix[len(path)] == '/' && + path == prefix[:len(prefix)-1] && n.handlers != nil) + + // roll back to last valid skippedNode + if !value.tsr && path != "/" { + for l := len(*skippedNodes); l > 0; { + skippedNode := (*skippedNodes)[l-1] + *skippedNodes = (*skippedNodes)[:l-1] + if strings.HasSuffix(skippedNode.path, path) { + path = skippedNode.path + n = skippedNode.node + if value.params != nil { + *value.params = (*value.params)[:skippedNode.paramsCount] + } + globalParamsCount = skippedNode.paramsCount + continue walk + } + } + } + + return + } +} + +// Makes a case-insensitive lookup of the given path and tries to find a handler. +// It can optionally also fix trailing slashes. +// It returns the case-corrected path and a bool indicating whether the lookup +// was successful. +func (n *node) findCaseInsensitivePath(path string, fixTrailingSlash bool) ([]byte, bool) { + const stackBufSize = 128 + + // Use a static sized buffer on the stack in the common case. + // If the path is too long, allocate a buffer on the heap instead. 
+ buf := make([]byte, 0, stackBufSize) + if length := len(path) + 1; length > stackBufSize { + buf = make([]byte, 0, length) + } + + ciPath := n.findCaseInsensitivePathRec( + path, + buf, // Preallocate enough memory for new path + [4]byte{}, // Empty rune buffer + fixTrailingSlash, + ) + + return ciPath, ciPath != nil +} + +// Shift bytes in array by n bytes left +func shiftNRuneBytes(rb [4]byte, n int) [4]byte { + switch n { + case 0: + return rb + case 1: + return [4]byte{rb[1], rb[2], rb[3], 0} + case 2: + return [4]byte{rb[2], rb[3]} + case 3: + return [4]byte{rb[3]} + default: + return [4]byte{} + } +} + +// Recursive case-insensitive lookup function used by n.findCaseInsensitivePath +func (n *node) findCaseInsensitivePathRec(path string, ciPath []byte, rb [4]byte, fixTrailingSlash bool) []byte { + npLen := len(n.path) + +walk: // Outer loop for walking the tree + for len(path) >= npLen && (npLen == 0 || strings.EqualFold(path[1:npLen], n.path[1:])) { + // Add common prefix to result + oldPath := path + path = path[npLen:] + ciPath = append(ciPath, n.path...) + + if len(path) == 0 { + // We should have reached the node containing the handle. + // Check if this node has a handle registered. + if n.handlers != nil { + return ciPath + } + + // No handle found. 
+ // Try to fix the path by adding a trailing slash + if fixTrailingSlash { + for i, c := range []byte(n.indices) { + if c == '/' { + n = n.children[i] + if (len(n.path) == 1 && n.handlers != nil) || + (n.nType == catchAll && n.children[0].handlers != nil) { + return append(ciPath, '/') + } + return nil + } + } + } + return nil + } + + // If this node does not have a wildcard (param or catchAll) child, + // we can just look up the next child node and continue to walk down + // the tree + if !n.wildChild { + // Skip rune bytes already processed + rb = shiftNRuneBytes(rb, npLen) + + if rb[0] != 0 { + // Old rune not finished + idxc := rb[0] + for i, c := range []byte(n.indices) { + if c == idxc { + // continue with child node + n = n.children[i] + npLen = len(n.path) + continue walk + } + } + } else { + // Process a new rune + var rv rune + + // Find rune start. + // Runes are up to 4 byte long, + // -4 would definitely be another rune. + var off int + for max := min(npLen, 3); off < max; off++ { + if i := npLen - off; utf8.RuneStart(oldPath[i]) { + // read rune from cached path + rv, _ = utf8.DecodeRuneInString(oldPath[i:]) + break + } + } + + // Calculate lowercase bytes of current rune + lo := unicode.ToLower(rv) + utf8.EncodeRune(rb[:], lo) + + // Skip already processed bytes + rb = shiftNRuneBytes(rb, off) + + idxc := rb[0] + for i, c := range []byte(n.indices) { + // Lowercase matches + if c == idxc { + // must use a recursive approach since both the + // uppercase byte and the lowercase byte might exist + // as an index + if out := n.children[i].findCaseInsensitivePathRec( + path, ciPath, rb, fixTrailingSlash, + ); out != nil { + return out + } + break + } + } + + // If we found no match, the same for the uppercase rune, + // if it differs + if up := unicode.ToUpper(rv); up != lo { + utf8.EncodeRune(rb[:], up) + rb = shiftNRuneBytes(rb, off) + + idxc := rb[0] + for i, c := range []byte(n.indices) { + // Uppercase matches + if c == idxc { + // Continue with 
child node + n = n.children[i] + npLen = len(n.path) + continue walk + } + } + } + } + + // Nothing found. We can recommend to redirect to the same URL + // without a trailing slash if a leaf exists for that path + if fixTrailingSlash && path == "/" && n.handlers != nil { + return ciPath + } + return nil + } + + n = n.children[0] + switch n.nType { + case param: + // Find param end (either '/' or path end) + end := 0 + for end < len(path) && path[end] != '/' { + end++ + } + + // Add param value to case insensitive path + ciPath = append(ciPath, path[:end]...) + + // We need to go deeper! + if end < len(path) { + if len(n.children) > 0 { + // Continue with child node + n = n.children[0] + npLen = len(n.path) + path = path[end:] + continue + } + + // ... but we can't + if fixTrailingSlash && len(path) == end+1 { + return ciPath + } + return nil + } + + if n.handlers != nil { + return ciPath + } + + if fixTrailingSlash && len(n.children) == 1 { + // No handle found. Check if a handle for this path + a + // trailing slash exists + n = n.children[0] + if n.path == "/" && n.handlers != nil { + return append(ciPath, '/') + } + } + + return nil + + case catchAll: + return append(ciPath, path...) + + default: + panic("invalid node type") + } + } + + // Nothing found. + // Try to fix the path by adding / removing a trailing slash + if fixTrailingSlash { + if path == "/" { + return ciPath + } + if len(path)+1 == npLen && n.path[len(path)] == '/' && + strings.EqualFold(path[1:], n.path[1:len(path)]) && n.handlers != nil { + return append(ciPath, n.path...) + } + } + return nil +} diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/utils.go b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/utils.go new file mode 100644 index 000000000000..c32f0eeb0ee6 --- /dev/null +++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/utils.go 
@@ -0,0 +1,153 @@
+// Copyright 2014 Manu Martinez-Almeida. All rights reserved.
+// Use of this source code is governed by a MIT style
+// license that can be found in the LICENSE file.
+
+package gin
+
+import (
+ "encoding/xml"
+ "net/http"
+ "os"
+ "path"
+ "reflect"
+ "runtime"
+ "strings"
+)
+
+// BindKey indicates a default bind key.
+const BindKey = "_gin-gonic/gin/bindkey"
+
+// Bind is a helper function for given interface object and returns a Gin middleware.
+func Bind(val interface{}) HandlerFunc {
+ value := reflect.ValueOf(val)
+ if value.Kind() == reflect.Ptr {
+ panic(`Bind struct can not be a pointer. Example:
+ Use: gin.Bind(Struct{}) instead of gin.Bind(&Struct{})
+`)
+ }
+ typ := value.Type()
+
+ return func(c *Context) {
+ obj := reflect.New(typ).Interface()
+ if c.Bind(obj) == nil {
+ c.Set(BindKey, obj)
+ }
+ }
+}
+
+// WrapF is a helper function for wrapping http.HandlerFunc and returns a Gin middleware.
+func WrapF(f http.HandlerFunc) HandlerFunc {
+ return func(c *Context) {
+ f(c.Writer, c.Request)
+ }
+}
+
+// WrapH is a helper function for wrapping http.Handler and returns a Gin middleware.
+func WrapH(h http.Handler) HandlerFunc {
+ return func(c *Context) {
+ h.ServeHTTP(c.Writer, c.Request)
+ }
+}
+
+// H is a shortcut for map[string]interface{}
+type H map[string]interface{}
+
+// MarshalXML allows type H to be used with xml.Marshal.
+func (h H) MarshalXML(e *xml.Encoder, start xml.StartElement) error {
+ start.Name = xml.Name{
+ Space: "",
+ Local: "map",
+ }
+ if err := e.EncodeToken(start); err != nil {
+ return err
+ }
+ for key, value := range h {
+ elem := xml.StartElement{
+ Name: xml.Name{Space: "", Local: key},
+ Attr: []xml.Attr{},
+ }
+ if err := e.EncodeElement(value, elem); err != nil {
+ return err
+ }
+ }
+
+ return e.EncodeToken(xml.EndElement{Name: start.Name})
+}
+
+func assert1(guard bool, text string) {
+ if !guard {
+ panic(text)
+ }
+}
+
+func filterFlags(content string) string {
+ for i, char := range content {
+ if char == ' ' || char == ';' {
+ return content[:i]
+ }
+ }
+ return content
+}
+
+func chooseData(custom, wildcard interface{}) interface{} {
+ if custom != nil {
+ return custom
+ }
+ if wildcard != nil {
+ return wildcard
+ }
+ panic("negotiation config is invalid")
+}
+
+func parseAccept(acceptHeader string) []string {
+ parts := strings.Split(acceptHeader, ",")
+ out := make([]string, 0, len(parts))
+ for _, part := range parts {
+ if i := strings.IndexByte(part, ';'); i > 0 {
+ part = part[:i]
+ }
+ if part = strings.TrimSpace(part); part != "" {
+ out = append(out, part)
+ }
+ }
+ return out
+}
+
+func lastChar(str string) uint8 {
+ if str == "" {
+ panic("The length of the string can't be 0")
+ }
+ return str[len(str)-1]
+}
+
+func nameOfFunction(f interface{}) string {
+ return runtime.FuncForPC(reflect.ValueOf(f).Pointer()).Name()
+}
+
+func joinPaths(absolutePath, relativePath string) string {
+ if relativePath == "" {
+ return absolutePath
+ }
+
+ finalPath := path.Join(absolutePath, relativePath)
+ if lastChar(relativePath) == '/' && lastChar(finalPath) != '/' {
+ return finalPath + "/"
+ }
+ return finalPath
+}
+
+func resolveAddress(addr []string) string {
+ switch len(addr) {
+ case 0:
+ if port := os.Getenv("PORT"); port != "" {
+ debugPrint("Environment variable PORT=\"%s\"", port)
+ return ":" + port
+ }
+ debugPrint("Environment variable PORT is undefined. Using port :8080 by default")
+ return ":8080"
+ case 1:
+ return addr[0]
+ default:
+ panic("too many parameters")
+ }
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/version.go b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/version.go
new file mode 100644
index 000000000000..4b69b9b91cfc
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/version.go
@@ -0,0 +1,8 @@
+// Copyright 2018 Gin Core Team. All rights reserved.
+// Use of this source code is governed by a MIT style
+// license that can be found in the LICENSE file.
+
+package gin
+
+// Version is the current gin framework's version.
+const Version = "v1.7.7"
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/LICENSE b/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/LICENSE
new file mode 100644
index 000000000000..9d83342acdc7
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/LICENSE
@@ -0,0 +1,22 @@
+The MIT License (MIT)
+
+Copyright (c) 2015 Peter Bourgon
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/auth/jwt/README.md b/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/auth/jwt/README.md
new file mode 100644
index 000000000000..58b7d912b2ce
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/auth/jwt/README.md
@@ -0,0 +1,122 @@
+# package auth/jwt
+
+`package auth/jwt` provides a set of interfaces for service authorization
+through [JSON Web Tokens](https://jwt.io/).
+
+## Usage
+
+NewParser takes a key function and an expected signing method and returns an
+`endpoint.Middleware`. The middleware will parse a token passed into the
+context via the `jwt.JWTContextKey`. If the token is valid, any claims
+will be added to the context via the `jwt.JWTClaimsContextKey`.
+
+```go
+import (
+ stdjwt "github.com/golang-jwt/jwt/v4"
+
+ "github.com/go-kit/kit/auth/jwt"
+ "github.com/go-kit/kit/endpoint"
+)
+
+func main() {
+ var exampleEndpoint endpoint.Endpoint
+ {
+ kf := func(token *stdjwt.Token) (interface{}, error) { return []byte("SigningString"), nil }
+ exampleEndpoint = MakeExampleEndpoint(service)
+ exampleEndpoint = jwt.NewParser(kf, stdjwt.SigningMethodHS256, jwt.StandardClaimsFactory)(exampleEndpoint)
+ }
+}
+```
+
+NewSigner takes a JWT key ID header, the signing key, signing method, and a
+claims object. It returns an `endpoint.Middleware`. The middleware will build
+the token string and add it to the context via the `jwt.JWTContextKey`.
+
+```go
+import (
+ stdjwt "github.com/golang-jwt/jwt/v4"
+
+ "github.com/go-kit/kit/auth/jwt"
+ "github.com/go-kit/kit/endpoint"
+)
+
+func main() {
+ var exampleEndpoint endpoint.Endpoint
+ {
+ exampleEndpoint = grpctransport.NewClient(...).Endpoint()
+ exampleEndpoint = jwt.NewSigner(
+ "kid-header",
+ []byte("SigningString"),
+ stdjwt.SigningMethodHS256,
+ jwt.Claims{},
+ )(exampleEndpoint)
+ }
+}
+```
+
+In order for the parser and the signer to work, the authorization headers need
+to be passed between the request and the context. `HTTPToContext()`,
+`ContextToHTTP()`, `GRPCToContext()`, and `ContextToGRPC()` are given as
+helpers to do this. These functions implement the correlating transport's
+RequestFunc interface and can be passed as ClientBefore or ServerBefore
+options.
+
+Example of use in a client:
+
+```go
+import (
+ stdjwt "github.com/golang-jwt/jwt/v4"
+
+ grpctransport "github.com/go-kit/kit/transport/grpc"
+ "github.com/go-kit/kit/auth/jwt"
+ "github.com/go-kit/kit/endpoint"
+)
+
+func main() {
+
+ options := []httptransport.ClientOption{}
+ var exampleEndpoint endpoint.Endpoint
+ {
+ exampleEndpoint = grpctransport.NewClient(..., grpctransport.ClientBefore(jwt.ContextToGRPC())).Endpoint()
+ exampleEndpoint = jwt.NewSigner(
+ "kid-header",
+ []byte("SigningString"),
+ stdjwt.SigningMethodHS256,
+ jwt.Claims{},
+ )(exampleEndpoint)
+ }
+}
+```
+
+Example of use in a server:
+
+```go
+import (
+ "context"
+
+ "github.com/go-kit/kit/auth/jwt"
+ "github.com/go-kit/log"
+ grpctransport "github.com/go-kit/kit/transport/grpc"
+)
+
+func MakeGRPCServer(ctx context.Context, endpoints Endpoints, logger log.Logger) pb.ExampleServer {
+ options := []grpctransport.ServerOption{grpctransport.ServerErrorLogger(logger)}
+
+ return &grpcServer{
+ createUser: grpctransport.NewServer(
+ ctx,
+ endpoints.CreateUserEndpoint,
+ DecodeGRPCCreateUserRequest,
+ EncodeGRPCCreateUserResponse,
+ append(options, grpctransport.ServerBefore(jwt.GRPCToContext()))...,
+ ),
+ getUser: grpctransport.NewServer(
+ ctx,
+ endpoints.GetUserEndpoint,
+ DecodeGRPCGetUserRequest,
+ EncodeGRPCGetUserResponse,
+ options...,
+ ),
+ }
+}
+```
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/auth/jwt/middleware.go b/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/auth/jwt/middleware.go
new file mode 100644
index 000000000000..b7c89ceb875e
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/auth/jwt/middleware.go
@@ -0,0 +1,146 @@
+package jwt
+
+import (
+ "context"
+ "errors"
+
+ "github.com/go-kit/kit/endpoint"
+ "github.com/golang-jwt/jwt/v4"
+)
+
+type contextKey string
+
+const (
+ // JWTContextKey holds the key used to store a JWT in the context.
+ JWTContextKey contextKey = "JWTToken"
+
+ // JWTTokenContextKey is an alias for JWTContextKey.
+ //
+ // Deprecated: prefer JWTContextKey.
+ JWTTokenContextKey = JWTContextKey
+
+ // JWTClaimsContextKey holds the key used to store the JWT Claims in the
+ // context.
+ JWTClaimsContextKey contextKey = "JWTClaims"
+)
+
+var (
+ // ErrTokenContextMissing denotes a token was not passed into the parsing
+ // middleware's context.
+ ErrTokenContextMissing = errors.New("token up for parsing was not passed through the context")
+
+ // ErrTokenInvalid denotes a token was not able to be validated.
+ ErrTokenInvalid = errors.New("JWT was invalid")
+
+ // ErrTokenExpired denotes a token's expire header (exp) has since passed.
+ ErrTokenExpired = errors.New("JWT is expired")
+
+ // ErrTokenMalformed denotes a token was not formatted as a JWT.
+ ErrTokenMalformed = errors.New("JWT is malformed")
+
+ // ErrTokenNotActive denotes a token's not before header (nbf) is in the
+ // future.
+ ErrTokenNotActive = errors.New("token is not valid yet")
+
+ // ErrUnexpectedSigningMethod denotes a token was signed with an unexpected
+ // signing method.
+ ErrUnexpectedSigningMethod = errors.New("unexpected signing method")
+)
+
+// NewSigner creates a new JWT generating middleware, specifying key ID,
+// signing string, signing method and the claims you would like it to contain.
+// Tokens are signed with a Key ID header (kid) which is useful for determining
+// the key to use for parsing. Particularly useful for clients.
+func NewSigner(kid string, key []byte, method jwt.SigningMethod, claims jwt.Claims) endpoint.Middleware {
+ return func(next endpoint.Endpoint) endpoint.Endpoint {
+ return func(ctx context.Context, request interface{}) (response interface{}, err error) {
+ token := jwt.NewWithClaims(method, claims)
+ token.Header["kid"] = kid
+
+ // Sign and get the complete encoded token as a string using the secret
+ tokenString, err := token.SignedString(key)
+ if err != nil {
+ return nil, err
+ }
+ ctx = context.WithValue(ctx, JWTContextKey, tokenString)
+
+ return next(ctx, request)
+ }
+ }
+}
+
+// ClaimsFactory is a factory for jwt.Claims.
+// Useful in NewParser middleware.
+type ClaimsFactory func() jwt.Claims
+
+// MapClaimsFactory is a ClaimsFactory that returns
+// an empty jwt.MapClaims.
+func MapClaimsFactory() jwt.Claims {
+ return jwt.MapClaims{}
+}
+
+// StandardClaimsFactory is a ClaimsFactory that returns
+// an empty jwt.StandardClaims.
+func StandardClaimsFactory() jwt.Claims {
+ return &jwt.StandardClaims{}
+}
+
+// NewParser creates a new JWT parsing middleware, specifying a
+// jwt.Keyfunc interface, the signing method and the claims type to be used. NewParser
+// adds the resulting claims to endpoint context or returns error on invalid token.
+// Particularly useful for servers.
+func NewParser(keyFunc jwt.Keyfunc, method jwt.SigningMethod, newClaims ClaimsFactory) endpoint.Middleware {
+ return func(next endpoint.Endpoint) endpoint.Endpoint {
+ return func(ctx context.Context, request interface{}) (response interface{}, err error) {
+ // tokenString is stored in the context from the transport handlers.
+ tokenString, ok := ctx.Value(JWTContextKey).(string)
+ if !ok {
+ return nil, ErrTokenContextMissing
+ }
+
+ // Parse takes the token string and a function for looking up the
+ // key. The latter is especially useful if you use multiple keys
+ // for your application. The standard is to use 'kid' in the head
+ // of the token to identify which key to use, but the parsed token
+ // (head and claims) is provided to the callback, providing
+ // flexibility.
+ token, err := jwt.ParseWithClaims(tokenString, newClaims(), func(token *jwt.Token) (interface{}, error) {
+ // Don't forget to validate the alg is what you expect:
+ if token.Method != method {
+ return nil, ErrUnexpectedSigningMethod
+ }
+
+ return keyFunc(token)
+ })
+ if err != nil {
+ if e, ok := err.(*jwt.ValidationError); ok {
+ switch {
+ case e.Errors&jwt.ValidationErrorMalformed != 0:
+ // Token is malformed
+ return nil, ErrTokenMalformed
+ case e.Errors&jwt.ValidationErrorExpired != 0:
+ // Token is expired
+ return nil, ErrTokenExpired
+ case e.Errors&jwt.ValidationErrorNotValidYet != 0:
+ // Token is not active yet
+ return nil, ErrTokenNotActive
+ case e.Inner != nil:
+ // report e.Inner
+ return nil, e.Inner
+ }
+ // We have a ValidationError but have no specific Go kit error for it.
+ // Fall through to return original error.
+ }
+ return nil, err
+ }
+
+ if !token.Valid {
+ return nil, ErrTokenInvalid
+ }
+
+ ctx = context.WithValue(ctx, JWTClaimsContextKey, token.Claims)
+
+ return next(ctx, request)
+ }
+ }
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/auth/jwt/stub.go b/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/auth/jwt/stub.go
deleted file mode 100644
index b85d079daa57..000000000000
--- a/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/auth/jwt/stub.go
+++ /dev/null
@@ -1,12 +0,0 @@ -// Code generated by depstubber. DO NOT EDIT. -// This is a simple stub for github.com/go-kit/kit/auth/jwt, strictly for use in testing. - -// See the LICENSE file for information about the licensing of the original library. -// Source: github.com/go-kit/kit/auth/jwt (exports: ; functions: NewSigner) - -// Package jwt is a stub of github.com/go-kit/kit/auth/jwt, generated by depstubber. -package jwt - -func NewSigner(_ string, _ []byte, _ interface{}, _ interface{}) interface{} { - return nil -} diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/auth/jwt/transport.go b/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/auth/jwt/transport.go new file mode 100644 index 000000000000..e7d19c180447 --- /dev/null +++ b/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/auth/jwt/transport.go 
@@ -0,0 +1,89 @@
+package jwt
+
+import (
+ "context"
+ "fmt"
+ stdhttp "net/http"
+ "strings"
+
+ "google.golang.org/grpc/metadata"
+
+ "github.com/go-kit/kit/transport/grpc"
+ "github.com/go-kit/kit/transport/http"
+)
+
+const (
+ bearer string = "bearer"
+ bearerFormat string = "Bearer %s"
+)
+
+// HTTPToContext moves a JWT from request header to context. Particularly
+// useful for servers.
+func HTTPToContext() http.RequestFunc {
+ return func(ctx context.Context, r *stdhttp.Request) context.Context {
+ token, ok := extractTokenFromAuthHeader(r.Header.Get("Authorization"))
+ if !ok {
+ return ctx
+ }
+
+ return context.WithValue(ctx, JWTContextKey, token)
+ }
+}
+
+// ContextToHTTP moves a JWT from context to request header. Particularly
+// useful for clients.
+func ContextToHTTP() http.RequestFunc {
+ return func(ctx context.Context, r *stdhttp.Request) context.Context {
+ token, ok := ctx.Value(JWTContextKey).(string)
+ if ok {
+ r.Header.Add("Authorization", generateAuthHeaderFromToken(token))
+ }
+ return ctx
+ }
+}
+
+// GRPCToContext moves a JWT from grpc metadata to context. Particularly
+// userful for servers.
+func GRPCToContext() grpc.ServerRequestFunc {
+ return func(ctx context.Context, md metadata.MD) context.Context {
+ // capital "Key" is illegal in HTTP/2.
+ authHeader, ok := md["authorization"]
+ if !ok {
+ return ctx
+ }
+
+ token, ok := extractTokenFromAuthHeader(authHeader[0])
+ if ok {
+ ctx = context.WithValue(ctx, JWTContextKey, token)
+ }
+
+ return ctx
+ }
+}
+
+// ContextToGRPC moves a JWT from context to grpc metadata. Particularly
+// useful for clients.
+func ContextToGRPC() grpc.ClientRequestFunc {
+ return func(ctx context.Context, md *metadata.MD) context.Context {
+ token, ok := ctx.Value(JWTContextKey).(string)
+ if ok {
+ // capital "Key" is illegal in HTTP/2.
+ (*md)["authorization"] = []string{generateAuthHeaderFromToken(token)}
+ }
+
+ return ctx
+ }
+}
+
+func extractTokenFromAuthHeader(val string) (token string, ok bool) {
+ authHeaderParts := strings.Split(val, " ")
+ if len(authHeaderParts) != 2 || !strings.EqualFold(authHeaderParts[0], bearer) {
+ return "", false
+ }
+
+ return authHeaderParts[1], true
+}
+
+func generateAuthHeaderFromToken(token string) string {
+ return fmt.Sprintf(bearerFormat, token)
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/endpoint/doc.go b/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/endpoint/doc.go
new file mode 100644
index 000000000000..84e27b95d4bd
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/endpoint/doc.go
@@ -0,0 +1,5 @@
+// Package endpoint defines an abstraction for RPCs.
+//
+// Endpoints are a fundamental building block for many Go kit components.
+// Endpoints are implemented by servers, and called by clients.
+package endpoint
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/endpoint/endpoint.go b/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/endpoint/endpoint.go
new file mode 100644
index 000000000000..6e9da3679b0e
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/endpoint/endpoint.go
@@ -0,0 +1,40 @@
+package endpoint
+
+import (
+ "context"
+)
+
+// Endpoint is the fundamental building block of servers and clients.
+// It represents a single RPC method.
+type Endpoint func(ctx context.Context, request interface{}) (response interface{}, err error)
+
+// Nop is an endpoint that does nothing and returns a nil error.
+// Useful for tests.
+func Nop(context.Context, interface{}) (interface{}, error) { return struct{}{}, nil }
+
+// Middleware is a chainable behavior modifier for endpoints.
+type Middleware func(Endpoint) Endpoint
+
+// Chain is a helper function for composing middlewares. Requests will
+// traverse them in the order they're declared. That is, the first middleware
+// is treated as the outermost middleware.
+func Chain(outer Middleware, others ...Middleware) Middleware {
+ return func(next Endpoint) Endpoint {
+ for i := len(others) - 1; i >= 0; i-- { // reverse
+ next = others[i](next)
+ }
+ return outer(next)
+ }
+}
+
+// Failer may be implemented by Go kit response types that contain business
+// logic error details. If Failed returns a non-nil error, the Go kit transport
+// layer may interpret this as a business logic error, and may encode it
+// differently than a regular, successful response.
+//
+// It's not necessary for your response types to implement Failer, but it may
+// help for more sophisticated use cases. The addsvc example shows how Failer
+// should be used by a complete application.
+type Failer interface {
+ Failed() error
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/transport/doc.go b/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/transport/doc.go
new file mode 100644
index 000000000000..f8382ae712f9
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/transport/doc.go
@@ -0,0 +1,2 @@
+// Package transport contains helpers applicable to all supported transports.
+package transport
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/transport/error_handler.go b/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/transport/error_handler.go
new file mode 100644
index 000000000000..2456df184976
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/transport/error_handler.go
@@ -0,0 +1,39 @@
+package transport
+
+import (
+ "context"
+
+ "github.com/go-kit/log"
+)
+
+// ErrorHandler receives a transport error to be processed for diagnostic purposes.
+// Usually this means logging the error.
+type ErrorHandler interface {
+ Handle(ctx context.Context, err error)
+}
+
+// LogErrorHandler is a transport error handler implementation which logs an error.
+type LogErrorHandler struct {
+ logger log.Logger
+}
+
+func NewLogErrorHandler(logger log.Logger) *LogErrorHandler {
+ return &LogErrorHandler{
+ logger: logger,
+ }
+}
+
+func (h *LogErrorHandler) Handle(ctx context.Context, err error) {
+ h.logger.Log("err", err)
+}
+
+// The ErrorHandlerFunc type is an adapter to allow the use of
+// ordinary function as ErrorHandler. If f is a function
+// with the appropriate signature, ErrorHandlerFunc(f) is a
+// ErrorHandler that calls f.
+type ErrorHandlerFunc func(ctx context.Context, err error)
+
+// Handle calls f(ctx, err).
+func (f ErrorHandlerFunc) Handle(ctx context.Context, err error) {
+ f(ctx, err)
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/transport/grpc/README.md b/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/transport/grpc/README.md
new file mode 100644
index 000000000000..d269cddb2c75
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/transport/grpc/README.md
@@ -0,0 +1,54 @@
+# grpc
+
+[gRPC](http://www.grpc.io/) is an excellent, modern IDL and transport for
+microservices. If you're starting a greenfield project, go-kit strongly
+recommends gRPC as your default transport.
+
+One important note is that while gRPC supports streaming requests and replies,
+go-kit does not. You can still use streams in your service, but their
+implementation will not be able to take advantage of many go-kit features like middleware.
+
+Using gRPC and go-kit together is very simple.
+
+First, define your service using protobuf3. This is explained
+[in gRPC documentation](http://www.grpc.io/docs/#defining-a-service).
+See
+[addsvc.proto](https://github.com/go-kit/examples/blob/master/addsvc/pb/addsvc.proto)
+for an example. Make sure the proto definition matches your service's go-kit
+(interface) definition.
+
+Next, get the protoc compiler.
+
+You can download pre-compiled binaries from the
+[protobuf release page](https://github.com/google/protobuf/releases).
+You will unzip a folder called `protoc3` with a subdirectory `bin` containing
+an executable. Move that executable somewhere in your `$PATH` and you're good
+to go!
+
+It can also be built from source.
+
+```sh
+brew install autoconf automake libtool
+git clone https://github.com/google/protobuf
+cd protobuf
+./autogen.sh ; ./configure ; make ; make install
+```
+
+Then, compile your service definition, from .proto to .go.
+
+```sh
+protoc add.proto --go_out=plugins=grpc:.
+```
+
+Finally, write a tiny binding from your service definition to the gRPC
+definition. It's a simple conversion from one domain to another.
+See
+[grpc.go](https://github.com/go-kit/examples/blob/master/addsvc/pkg/addtransport/grpc.go)
+for an example.
+
+That's it!
+The gRPC binding can be bound to a listener and serve normal gRPC requests.
+And within your service, you can use standard go-kit components and idioms.
+See [addsvc](https://github.com/go-kit/examples/tree/master/addsvc/) for
+a complete working example with gRPC support. And remember: go-kit services
+can support multiple transports simultaneously.
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/transport/grpc/client.go b/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/transport/grpc/client.go
new file mode 100644
index 000000000000..5d96c6b4d343
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/transport/grpc/client.go
@@ -0,0 +1,140 @@
+package grpc
+
+import (
+ "context"
+ "fmt"
+ "reflect"
+
+ "google.golang.org/grpc"
+ "google.golang.org/grpc/metadata"
+
+ "github.com/go-kit/kit/endpoint"
+)
+
+// Client wraps a gRPC connection and provides a method that implements
+// endpoint.Endpoint.
+type Client struct {
+ client *grpc.ClientConn
+ serviceName string
+ method string
+ enc EncodeRequestFunc
+ dec DecodeResponseFunc
+ grpcReply reflect.Type
+ before []ClientRequestFunc
+ after []ClientResponseFunc
+ finalizer []ClientFinalizerFunc
+}
+
+// NewClient constructs a usable Client for a single remote endpoint.
+// Pass an zero-value protobuf message of the RPC response type as
+// the grpcReply argument.
+func NewClient(
+ cc *grpc.ClientConn,
+ serviceName string,
+ method string,
+ enc EncodeRequestFunc,
+ dec DecodeResponseFunc,
+ grpcReply interface{},
+ options ...ClientOption,
+) *Client {
+ c := &Client{
+ client: cc,
+ method: fmt.Sprintf("/%s/%s", serviceName, method),
+ enc: enc,
+ dec: dec,
+ // We are using reflect.Indirect here to allow both reply structs and
+ // pointers to these reply structs. New consumers of the client should
+ // use structs directly, while existing consumers will not break if they
+ // remain to use pointers to structs.
+ grpcReply: reflect.TypeOf(
+ reflect.Indirect(
+ reflect.ValueOf(grpcReply),
+ ).Interface(),
+ ),
+ before: []ClientRequestFunc{},
+ after: []ClientResponseFunc{},
+ }
+ for _, option := range options {
+ option(c)
+ }
+ return c
+}
+
+// ClientOption sets an optional parameter for clients.
+type ClientOption func(*Client)
+
+// ClientBefore sets the RequestFuncs that are applied to the outgoing gRPC
+// request before it's invoked.
+func ClientBefore(before ...ClientRequestFunc) ClientOption {
+ return func(c *Client) { c.before = append(c.before, before...) }
+}
+
+// ClientAfter sets the ClientResponseFuncs that are applied to the incoming
+// gRPC response prior to it being decoded. This is useful for obtaining
+// response metadata and adding onto the context prior to decoding.
+func ClientAfter(after ...ClientResponseFunc) ClientOption {
+ return func(c *Client) { c.after = append(c.after, after...) }
+}
+
+// ClientFinalizer is executed at the end of every gRPC request.
+// By default, no finalizer is registered.
+func ClientFinalizer(f ...ClientFinalizerFunc) ClientOption {
+ return func(s *Client) { s.finalizer = append(s.finalizer, f...) }
+}
+
+// Endpoint returns a usable endpoint that will invoke the gRPC specified by the
+// client.
+func (c Client) Endpoint() endpoint.Endpoint {
+ return func(ctx context.Context, request interface{}) (response interface{}, err error) {
+ ctx, cancel := context.WithCancel(ctx)
+ defer cancel()
+
+ if c.finalizer != nil {
+ defer func() {
+ for _, f := range c.finalizer {
+ f(ctx, err)
+ }
+ }()
+ }
+
+ ctx = context.WithValue(ctx, ContextKeyRequestMethod, c.method)
+
+ req, err := c.enc(ctx, request)
+ if err != nil {
+ return nil, err
+ }
+
+ md := &metadata.MD{}
+ for _, f := range c.before {
+ ctx = f(ctx, md)
+ }
+ ctx = metadata.NewOutgoingContext(ctx, *md)
+
+ var header, trailer metadata.MD
+ grpcReply := reflect.New(c.grpcReply).Interface()
+ if err = c.client.Invoke(
+ ctx, c.method, req, grpcReply, grpc.Header(&header),
+ grpc.Trailer(&trailer),
+ ); err != nil {
+ return nil, err
+ }
+
+ for _, f := range c.after {
+ ctx = f(ctx, header, trailer)
+ }
+
+ response, err = c.dec(ctx, grpcReply)
+ if err != nil {
+ return nil, err
+ }
+ return response, nil
+ }
+}
+
+// ClientFinalizerFunc can be used to perform work at the end of a client gRPC
+// request, after the response is returned. The principal
+// intended use is for error logging. Additional response parameters are
+// provided in the context under keys with the ContextKeyResponse prefix.
+// Note: err may be nil. There maybe also no additional response parameters depending on
+// when an error occurs.
+type ClientFinalizerFunc func(ctx context.Context, err error)
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/transport/grpc/doc.go b/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/transport/grpc/doc.go
new file mode 100644
index 000000000000..a953ba88ef1c
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/transport/grpc/doc.go
@@ -0,0 +1,2 @@
+// Package grpc provides a gRPC binding for endpoints.
+package grpc
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/transport/grpc/encode_decode.go b/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/transport/grpc/encode_decode.go
new file mode 100644
index 000000000000..f2900ed6d309
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/transport/grpc/encode_decode.go
@@ -0,0 +1,29 @@
+package grpc
+
+import (
+ "context"
+)
+
+// DecodeRequestFunc extracts a user-domain request object from a gRPC request.
+// It's designed to be used in gRPC servers, for server-side endpoints. One
+// straightforward DecodeRequestFunc could be something that decodes from the
+// gRPC request message to the concrete request type.
+type DecodeRequestFunc func(context.Context, interface{}) (request interface{}, err error)
+
+// EncodeRequestFunc encodes the passed request object into the gRPC request
+// object. It's designed to be used in gRPC clients, for client-side endpoints.
+// One straightforward EncodeRequestFunc could something that encodes the object
+// directly to the gRPC request message.
+type EncodeRequestFunc func(context.Context, interface{}) (request interface{}, err error)
+
+// EncodeResponseFunc encodes the passed response object to the gRPC response
+// message. It's designed to be used in gRPC servers, for server-side endpoints.
+// One straightforward EncodeResponseFunc could be something that encodes the
+// object directly to the gRPC response message.
+type EncodeResponseFunc func(context.Context, interface{}) (response interface{}, err error)
+
+// DecodeResponseFunc extracts a user-domain response object from a gRPC
+// response object. It's designed to be used in gRPC clients, for client-side
+// endpoints. One straightforward DecodeResponseFunc could be something that
+// decodes from the gRPC response message to the concrete response type.
+type DecodeResponseFunc func(context.Context, interface{}) (response interface{}, err error)
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/transport/grpc/request_response_funcs.go b/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/transport/grpc/request_response_funcs.go
new file mode 100644
index 000000000000..eb8e3b178b68
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/transport/grpc/request_response_funcs.go 
@@ -0,0 +1,81 @@
+package grpc
+
+import (
+ "context"
+ "encoding/base64"
+ "strings"
+
+ "google.golang.org/grpc/metadata"
+)
+
+const (
+ binHdrSuffix = "-bin"
+)
+
+// ClientRequestFunc may take information from context and use it to construct
+// metadata headers to be transported to the server. ClientRequestFuncs are
+// executed after creating the request but prior to sending the gRPC request to
+// the server.
+type ClientRequestFunc func(context.Context, *metadata.MD) context.Context
+
+// ServerRequestFunc may take information from the received metadata header and
+// use it to place items in the request scoped context. ServerRequestFuncs are
+// executed prior to invoking the endpoint.
+type ServerRequestFunc func(context.Context, metadata.MD) context.Context
+
+// ServerResponseFunc may take information from a request context and use it to
+// manipulate the gRPC response metadata headers and trailers. ResponseFuncs are
+// only executed in servers, after invoking the endpoint but prior to writing a
+// response.
+type ServerResponseFunc func(ctx context.Context, header *metadata.MD, trailer *metadata.MD) context.Context
+
+// ClientResponseFunc may take information from a gRPC metadata header and/or
+// trailer and make the responses available for consumption. ClientResponseFuncs
+// are only executed in clients, after a request has been made, but prior to it
+// being decoded.
+type ClientResponseFunc func(ctx context.Context, header metadata.MD, trailer metadata.MD) context.Context
+
+// SetRequestHeader returns a ClientRequestFunc that sets the specified metadata
+// key-value pair.
+func SetRequestHeader(key, val string) ClientRequestFunc {
+ return func(ctx context.Context, md *metadata.MD) context.Context {
+ key, val := EncodeKeyValue(key, val)
+ (*md)[key] = append((*md)[key], val)
+ return ctx
+ }
+}
+
+// SetResponseHeader returns a ResponseFunc that sets the specified metadata
+// key-value pair.
+func SetResponseHeader(key, val string) ServerResponseFunc {
+ return func(ctx context.Context, md *metadata.MD, _ *metadata.MD) context.Context {
+ key, val := EncodeKeyValue(key, val)
+ (*md)[key] = append((*md)[key], val)
+ return ctx
+ }
+}
+
+// SetResponseTrailer returns a ResponseFunc that sets the specified metadata
+// key-value pair.
+func SetResponseTrailer(key, val string) ServerResponseFunc {
+ return func(ctx context.Context, _ *metadata.MD, md *metadata.MD) context.Context {
+ key, val := EncodeKeyValue(key, val)
+ (*md)[key] = append((*md)[key], val)
+ return ctx
+ }
+}
+
+// EncodeKeyValue sanitizes a key-value pair for use in gRPC metadata headers.
+func EncodeKeyValue(key, val string) (string, string) {
+ key = strings.ToLower(key)
+ if strings.HasSuffix(key, binHdrSuffix) {
+ val = base64.StdEncoding.EncodeToString([]byte(val))
+ }
+ return key, val
+}
+
+type contextKey int
+
+const (
+ ContextKeyRequestMethod contextKey = iota
+)
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/transport/grpc/server.go b/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/transport/grpc/server.go
new file mode 100644
index 000000000000..e83aeacfc18e
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/transport/grpc/server.go
@@ -0,0 +1,168 @@
+package grpc
+
+import (
+ "context"
+
+ "google.golang.org/grpc"
+ "google.golang.org/grpc/metadata"
+
+ "github.com/go-kit/kit/endpoint"
+ "github.com/go-kit/kit/transport"
+ "github.com/go-kit/log"
+)
+
+// Handler which should be called from the gRPC binding of the service
+// implementation. The incoming request parameter, and returned response
+// parameter, are both gRPC types, not user-domain.
+type Handler interface {
+ ServeGRPC(ctx context.Context, request interface{}) (context.Context, interface{}, error)
+}
+
+// Server wraps an endpoint and implements grpc.Handler.
+type Server struct {
+ e endpoint.Endpoint
+ dec DecodeRequestFunc
+ enc EncodeResponseFunc
+ before []ServerRequestFunc
+ after []ServerResponseFunc
+ finalizer []ServerFinalizerFunc
+ errorHandler transport.ErrorHandler
+}
+
+// NewServer constructs a new server, which implements wraps the provided
+// endpoint and implements the Handler interface. Consumers should write
+// bindings that adapt the concrete gRPC methods from their compiled protobuf
+// definitions to individual handlers. Request and response objects are from the
+// caller business domain, not gRPC request and reply types.
+func NewServer(
+ e endpoint.Endpoint,
+ dec DecodeRequestFunc,
+ enc EncodeResponseFunc,
+ options ...ServerOption,
+) *Server {
+ s := &Server{
+ e: e,
+ dec: dec,
+ enc: enc,
+ errorHandler: transport.NewLogErrorHandler(log.NewNopLogger()),
+ }
+ for _, option := range options {
+ option(s)
+ }
+ return s
+}
+
+// ServerOption sets an optional parameter for servers.
+type ServerOption func(*Server)
+
+// ServerBefore functions are executed on the gRPC request object before the
+// request is decoded.
+func ServerBefore(before ...ServerRequestFunc) ServerOption {
+ return func(s *Server) { s.before = append(s.before, before...) }
+}
+
+// ServerAfter functions are executed on the gRPC response writer after the
+// endpoint is invoked, but before anything is written to the client.
+func ServerAfter(after ...ServerResponseFunc) ServerOption {
+ return func(s *Server) { s.after = append(s.after, after...) }
+}
+
+// ServerErrorLogger is used to log non-terminal errors. By default, no errors
+// are logged.
+// Deprecated: Use ServerErrorHandler instead.
+func ServerErrorLogger(logger log.Logger) ServerOption {
+ return func(s *Server) { s.errorHandler = transport.NewLogErrorHandler(logger) }
+}
+
+// ServerErrorHandler is used to handle non-terminal errors. By default, non-terminal errors
+// are ignored.
+func ServerErrorHandler(errorHandler transport.ErrorHandler) ServerOption {
+ return func(s *Server) { s.errorHandler = errorHandler }
+}
+
+// ServerFinalizer is executed at the end of every gRPC request.
+// By default, no finalizer is registered.
+func ServerFinalizer(f ...ServerFinalizerFunc) ServerOption {
+ return func(s *Server) { s.finalizer = append(s.finalizer, f...) }
+}
+
+// ServeGRPC implements the Handler interface.
+func (s Server) ServeGRPC(ctx context.Context, req interface{}) (retctx context.Context, resp interface{}, err error) {
+ // Retrieve gRPC metadata.
+ md, ok := metadata.FromIncomingContext(ctx)
+ if !ok {
+ md = metadata.MD{}
+ }
+
+ if len(s.finalizer) > 0 {
+ defer func() {
+ for _, f := range s.finalizer {
+ f(ctx, err)
+ }
+ }()
+ }
+
+ for _, f := range s.before {
+ ctx = f(ctx, md)
+ }
+
+ var (
+ request interface{}
+ response interface{}
+ grpcResp interface{}
+ )
+
+ request, err = s.dec(ctx, req)
+ if err != nil {
+ s.errorHandler.Handle(ctx, err)
+ return ctx, nil, err
+ }
+
+ response, err = s.e(ctx, request)
+ if err != nil {
+ s.errorHandler.Handle(ctx, err)
+ return ctx, nil, err
+ }
+
+ var mdHeader, mdTrailer metadata.MD
+ for _, f := range s.after {
+ ctx = f(ctx, &mdHeader, &mdTrailer)
+ }
+
+ grpcResp, err = s.enc(ctx, response)
+ if err != nil {
+ s.errorHandler.Handle(ctx, err)
+ return ctx, nil, err
+ }
+
+ if len(mdHeader) > 0 {
+ if err = grpc.SendHeader(ctx, mdHeader); err != nil {
+ s.errorHandler.Handle(ctx, err)
+ return ctx, nil, err
+ }
+ }
+
+ if len(mdTrailer) > 0 {
+ if err = grpc.SetTrailer(ctx, mdTrailer); err != nil {
+ s.errorHandler.Handle(ctx, err)
+ return ctx, nil, err
+ }
+ }
+
+ return ctx, grpcResp, nil
+}
+
+// ServerFinalizerFunc can be used to perform work at the end of an gRPC
+// request, after the response has been written to the client.
+type ServerFinalizerFunc func(ctx context.Context, err error)
+
+// Interceptor is a grpc UnaryInterceptor that injects the method name into
+// context so it can be consumed by Go kit gRPC middlewares. The Interceptor
+// typically is added at creation time of the grpc-go server.
+// Like this: `grpc.NewServer(grpc.UnaryInterceptor(kitgrpc.Interceptor))`
+func Interceptor(
+ ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler,
+) (resp interface{}, err error) {
+ ctx = context.WithValue(ctx, ContextKeyRequestMethod, info.FullMethod)
+ return handler(ctx, req)
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/transport/http/client.go b/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/transport/http/client.go
new file mode 100644
index 000000000000..7d868eee496b
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/transport/http/client.go
@@ -0,0 +1,219 @@
+package http
+
+import (
+ "bytes"
+ "context"
+ "encoding/json"
+ "encoding/xml"
+ "io"
+ "io/ioutil"
+ "net/http"
+ "net/url"
+
+ "github.com/go-kit/kit/endpoint"
+)
+
+// HTTPClient is an interface that models *http.Client.
+type HTTPClient interface {
+ Do(req *http.Request) (*http.Response, error)
+}
+
+// Client wraps a URL and provides a method that implements endpoint.Endpoint.
+type Client struct {
+ client HTTPClient
+ req CreateRequestFunc
+ dec DecodeResponseFunc
+ before []RequestFunc
+ after []ClientResponseFunc
+ finalizer []ClientFinalizerFunc
+ bufferedStream bool
+}
+
+// NewClient constructs a usable Client for a single remote method.
+func NewClient(method string, tgt *url.URL, enc EncodeRequestFunc, dec DecodeResponseFunc, options ...ClientOption) *Client {
+ return NewExplicitClient(makeCreateRequestFunc(method, tgt, enc), dec, options...)
+}
+
+// NewExplicitClient is like NewClient but uses a CreateRequestFunc instead of a
+// method, target URL, and EncodeRequestFunc, which allows for more control over
+// the outgoing HTTP request.
+func NewExplicitClient(req CreateRequestFunc, dec DecodeResponseFunc, options ...ClientOption) *Client {
+ c := &Client{
+ client: http.DefaultClient,
+ req: req,
+ dec: dec,
+ }
+ for _, option := range options {
+ option(c)
+ }
+ return c
+}
+
+// ClientOption sets an optional parameter for clients.
+type ClientOption func(*Client)
+
+// SetClient sets the underlying HTTP client used for requests.
+// By default, http.DefaultClient is used.
+func SetClient(client HTTPClient) ClientOption {
+ return func(c *Client) { c.client = client }
+}
+
+// ClientBefore adds one or more RequestFuncs to be applied to the outgoing HTTP
+// request before it's invoked.
+func ClientBefore(before ...RequestFunc) ClientOption {
+ return func(c *Client) { c.before = append(c.before, before...)
}
+}
+
+// ClientAfter adds one or more ClientResponseFuncs, which are applied to the
+// incoming HTTP response prior to it being decoded. This is useful for
+// obtaining anything off of the response and adding it into the context prior
+// to decoding.
+func ClientAfter(after ...ClientResponseFunc) ClientOption {
+ return func(c *Client) { c.after = append(c.after, after...) }
+}
+
+// ClientFinalizer adds one or more ClientFinalizerFuncs to be executed at the
+// end of every HTTP request. Finalizers are executed in the order in which they
+// were added. By default, no finalizer is registered.
+func ClientFinalizer(f ...ClientFinalizerFunc) ClientOption {
+ return func(s *Client) { s.finalizer = append(s.finalizer, f...) }
+}
+
+// BufferedStream sets whether the HTTP response body is left open, allowing it
+// to be read from later. Useful for transporting a file as a buffered stream.
+// That body has to be drained and closed to properly end the request.
+func BufferedStream(buffered bool) ClientOption {
+ return func(c *Client) { c.bufferedStream = buffered }
+}
+
+// Endpoint returns a usable Go kit endpoint that calls the remote HTTP endpoint.
+func (c Client) Endpoint() endpoint.Endpoint {
+ return func(ctx context.Context, request interface{}) (interface{}, error) {
+ ctx, cancel := context.WithCancel(ctx)
+
+ var (
+ resp *http.Response
+ err error
+ )
+ if c.finalizer != nil {
+ defer func() {
+ if resp != nil {
+ ctx = context.WithValue(ctx, ContextKeyResponseHeaders, resp.Header)
+ ctx = context.WithValue(ctx, ContextKeyResponseSize, resp.ContentLength)
+ }
+ for _, f := range c.finalizer {
+ f(ctx, err)
+ }
+ }()
+ }
+
+ req, err := c.req(ctx, request)
+ if err != nil {
+ cancel()
+ return nil, err
+ }
+
+ for _, f := range c.before {
+ ctx = f(ctx, req)
+ }
+
+ resp, err = c.client.Do(req.WithContext(ctx))
+ if err != nil {
+ cancel()
+ return nil, err
+ }
+
+ // If the caller asked for a buffered stream, we don't cancel the
+ // context when the endpoint returns. Instead, we should call the
+ // cancel func when closing the response body.
+ if c.bufferedStream {
+ resp.Body = bodyWithCancel{ReadCloser: resp.Body, cancel: cancel}
+ } else {
+ defer resp.Body.Close()
+ defer cancel()
+ }
+
+ for _, f := range c.after {
+ ctx = f(ctx, resp)
+ }
+
+ response, err := c.dec(ctx, resp)
+ if err != nil {
+ return nil, err
+ }
+
+ return response, nil
+ }
+}
+
+// bodyWithCancel is a wrapper for an io.ReadCloser with also a
+// cancel function which is called when the Close is used
+type bodyWithCancel struct {
+ io.ReadCloser
+
+ cancel context.CancelFunc
+}
+
+func (bwc bodyWithCancel) Close() error {
+ bwc.ReadCloser.Close()
+ bwc.cancel()
+ return nil
+}
+
+// ClientFinalizerFunc can be used to perform work at the end of a client HTTP
+// request, after the response is returned. The principal
+// intended use is for error logging. Additional response parameters are
+// provided in the context under keys with the ContextKeyResponse prefix.
+// Note: err may be nil. There maybe also no additional response parameters
+// depending on when an error occurs.
+type ClientFinalizerFunc func(ctx context.Context, err error)
+
+// EncodeJSONRequest is an EncodeRequestFunc that serializes the request as a
+// JSON object to the Request body. Many JSON-over-HTTP services can use it as
+// a sensible default. If the request implements Headerer, the provided headers
+// will be applied to the request.
+func EncodeJSONRequest(c context.Context, r *http.Request, request interface{}) error {
+ r.Header.Set("Content-Type", "application/json; charset=utf-8")
+ if headerer, ok := request.(Headerer); ok {
+ for k := range headerer.Headers() {
+ r.Header.Set(k, headerer.Headers().Get(k))
+ }
+ }
+ var b bytes.Buffer
+ r.Body = ioutil.NopCloser(&b)
+ return json.NewEncoder(&b).Encode(request)
+}
+
+// EncodeXMLRequest is an EncodeRequestFunc that serializes the request as a
+// XML object to the Request body. If the request implements Headerer,
+// the provided headers will be applied to the request.
+func EncodeXMLRequest(c context.Context, r *http.Request, request interface{}) error {
+ r.Header.Set("Content-Type", "text/xml; charset=utf-8")
+ if headerer, ok := request.(Headerer); ok {
+ for k := range headerer.Headers() {
+ r.Header.Set(k, headerer.Headers().Get(k))
+ }
+ }
+ var b bytes.Buffer
+ r.Body = ioutil.NopCloser(&b)
+ return xml.NewEncoder(&b).Encode(request)
+}
+
+//
+//
+//
+
+func makeCreateRequestFunc(method string, target *url.URL, enc EncodeRequestFunc) CreateRequestFunc {
+ return func(ctx context.Context, request interface{}) (*http.Request, error) {
+ req, err := http.NewRequest(method, target.String(), nil)
+ if err != nil {
+ return nil, err
+ }
+
+ if err = enc(ctx, req, request); err != nil {
+ return nil, err
+ }
+
+ return req, nil
+ }
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/transport/http/doc.go b/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/transport/http/doc.go
new file mode 100644
index 000000000000..e64010358591
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/transport/http/doc.go
@@ -0,0 +1,2 @@
+// Package http provides a general purpose HTTP binding for endpoints.
+package http
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/transport/http/encode_decode.go b/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/transport/http/encode_decode.go
new file mode 100644
index 000000000000..b3de462b3e9a
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/transport/http/encode_decode.go
@@ -0,0 +1,36 @@
+package http
+
+import (
+ "context"
+ "net/http"
+)
+
+// DecodeRequestFunc extracts a user-domain request object from an HTTP
+// request object. It's designed to be used in HTTP servers, for server-side
+// endpoints. One straightforward DecodeRequestFunc could be something that
+// JSON decodes from the request body to the concrete request type.
+type DecodeRequestFunc func(context.Context, *http.Request) (request interface{}, err error)
+
+// EncodeRequestFunc encodes the passed request object into the HTTP request
+// object. It's designed to be used in HTTP clients, for client-side
+// endpoints. One straightforward EncodeRequestFunc could be something that JSON
+// encodes the object directly to the request body.
+type EncodeRequestFunc func(context.Context, *http.Request, interface{}) error
+
+// CreateRequestFunc creates an outgoing HTTP request based on the passed
+// request object. It's designed to be used in HTTP clients, for client-side
+// endpoints. It's a more powerful version of EncodeRequestFunc, and can be used
+// if more fine-grained control of the HTTP request is required.
+type CreateRequestFunc func(context.Context, interface{}) (*http.Request, error)
+
+// EncodeResponseFunc encodes the passed response object to the HTTP response
+// writer. It's designed to be used in HTTP servers, for server-side
+// endpoints. One straightforward EncodeResponseFunc could be something that
+// JSON encodes the object directly to the response body.
+type EncodeResponseFunc func(context.Context, http.ResponseWriter, interface{}) error
+
+// DecodeResponseFunc extracts a user-domain response object from an HTTP
+// response object. It's designed to be used in HTTP clients, for client-side
+// endpoints. One straightforward DecodeResponseFunc could be something that
+// JSON decodes from the response body to the concrete response type.
+type DecodeResponseFunc func(context.Context, *http.Response) (response interface{}, err error)
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/transport/http/request_response_funcs.go b/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/transport/http/request_response_funcs.go
new file mode 100644
index 000000000000..8f92b3bc7f36
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/transport/http/request_response_funcs.go
@@ -0,0 +1,133 @@
+package http
+
+import (
+ "context"
+ "net/http"
+)
+
+// RequestFunc may take information from an HTTP request and put it into a
+// request context. In Servers, RequestFuncs are executed prior to invoking the
+// endpoint. In Clients, RequestFuncs are executed after creating the request
+// but prior to invoking the HTTP client.
+type RequestFunc func(context.Context, *http.Request) context.Context
+
+// ServerResponseFunc may take information from a request context and use it to
+// manipulate a ResponseWriter. ServerResponseFuncs are only executed in
+// servers, after invoking the endpoint but prior to writing a response.
+type ServerResponseFunc func(context.Context, http.ResponseWriter) context.Context
+
+// ClientResponseFunc may take information from an HTTP request and make the
+// response available for consumption. ClientResponseFuncs are only executed in
+// clients, after a request has been made, but prior to it being decoded.
+type ClientResponseFunc func(context.Context, *http.Response) context.Context
+
+// SetContentType returns a ServerResponseFunc that sets the Content-Type header
+// to the provided value.
+func SetContentType(contentType string) ServerResponseFunc {
+ return SetResponseHeader("Content-Type", contentType)
+}
+
+// SetResponseHeader returns a ServerResponseFunc that sets the given header.
+func SetResponseHeader(key, val string) ServerResponseFunc {
+ return func(ctx context.Context, w http.ResponseWriter) context.Context {
+ w.Header().Set(key, val)
+ return ctx
+ }
+}
+
+// SetRequestHeader returns a RequestFunc that sets the given header.
+func SetRequestHeader(key, val string) RequestFunc {
+ return func(ctx context.Context, r *http.Request) context.Context {
+ r.Header.Set(key, val)
+ return ctx
+ }
+}
+
+// PopulateRequestContext is a RequestFunc that populates several values into
+// the context from the HTTP request.
Those values may be extracted using the
+// corresponding ContextKey type in this package.
+func PopulateRequestContext(ctx context.Context, r *http.Request) context.Context {
+ for k, v := range map[contextKey]string{
+ ContextKeyRequestMethod: r.Method,
+ ContextKeyRequestURI: r.RequestURI,
+ ContextKeyRequestPath: r.URL.Path,
+ ContextKeyRequestProto: r.Proto,
+ ContextKeyRequestHost: r.Host,
+ ContextKeyRequestRemoteAddr: r.RemoteAddr,
+ ContextKeyRequestXForwardedFor: r.Header.Get("X-Forwarded-For"),
+ ContextKeyRequestXForwardedProto: r.Header.Get("X-Forwarded-Proto"),
+ ContextKeyRequestAuthorization: r.Header.Get("Authorization"),
+ ContextKeyRequestReferer: r.Header.Get("Referer"),
+ ContextKeyRequestUserAgent: r.Header.Get("User-Agent"),
+ ContextKeyRequestXRequestID: r.Header.Get("X-Request-Id"),
+ ContextKeyRequestAccept: r.Header.Get("Accept"),
+ } {
+ ctx = context.WithValue(ctx, k, v)
+ }
+ return ctx
+}
+
+type contextKey int
+
+const (
+ // ContextKeyRequestMethod is populated in the context by
+ // PopulateRequestContext. Its value is r.Method.
+ ContextKeyRequestMethod contextKey = iota
+
+ // ContextKeyRequestURI is populated in the context by
+ // PopulateRequestContext. Its value is r.RequestURI.
+ ContextKeyRequestURI
+
+ // ContextKeyRequestPath is populated in the context by
+ // PopulateRequestContext. Its value is r.URL.Path.
+ ContextKeyRequestPath
+
+ // ContextKeyRequestProto is populated in the context by
+ // PopulateRequestContext. Its value is r.Proto.
+ ContextKeyRequestProto
+
+ // ContextKeyRequestHost is populated in the context by
+ // PopulateRequestContext. Its value is r.Host.
+ ContextKeyRequestHost
+
+ // ContextKeyRequestRemoteAddr is populated in the context by
+ // PopulateRequestContext. Its value is r.RemoteAddr.
+ ContextKeyRequestRemoteAddr
+
+ // ContextKeyRequestXForwardedFor is populated in the context by
+ // PopulateRequestContext. Its value is r.Header.Get("X-Forwarded-For").
+ ContextKeyRequestXForwardedFor
+
+ // ContextKeyRequestXForwardedProto is populated in the context by
+ // PopulateRequestContext. Its value is r.Header.Get("X-Forwarded-Proto").
+ ContextKeyRequestXForwardedProto
+
+ // ContextKeyRequestAuthorization is populated in the context by
+ // PopulateRequestContext. Its value is r.Header.Get("Authorization").
+ ContextKeyRequestAuthorization
+
+ // ContextKeyRequestReferer is populated in the context by
+ // PopulateRequestContext. Its value is r.Header.Get("Referer").
+ ContextKeyRequestReferer
+
+ // ContextKeyRequestUserAgent is populated in the context by
+ // PopulateRequestContext. Its value is r.Header.Get("User-Agent").
+ ContextKeyRequestUserAgent
+
+ // ContextKeyRequestXRequestID is populated in the context by
+ // PopulateRequestContext. Its value is r.Header.Get("X-Request-Id").
+ ContextKeyRequestXRequestID
+
+ // ContextKeyRequestAccept is populated in the context by
+ // PopulateRequestContext. Its value is r.Header.Get("Accept").
+ ContextKeyRequestAccept
+
+ // ContextKeyResponseHeaders is populated in the context whenever a
+ // ServerFinalizerFunc is specified. Its value is of type http.Header, and
+ // is captured only once the entire response has been written.
+ ContextKeyResponseHeaders
+
+ // ContextKeyResponseSize is populated in the context whenever a
+ // ServerFinalizerFunc is specified. Its value is of type int64.
+ ContextKeyResponseSize
+)
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/transport/http/server.go b/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/transport/http/server.go
new file mode 100644
index 000000000000..dfd1ff3d6994
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/transport/http/server.go
@@ -0,0 +1,244 @@
+package http
+
+import (
+ "context"
+ "encoding/json"
+ "net/http"
+
+ "github.com/go-kit/kit/endpoint"
+ "github.com/go-kit/kit/transport"
+ "github.com/go-kit/log"
+)
+
+// Server wraps an endpoint and implements http.Handler.
+type Server struct {
+ e endpoint.Endpoint
+ dec DecodeRequestFunc
+ enc EncodeResponseFunc
+ before []RequestFunc
+ after []ServerResponseFunc
+ errorEncoder ErrorEncoder
+ finalizer []ServerFinalizerFunc
+ errorHandler transport.ErrorHandler
+}
+
+// NewServer constructs a new server, which implements http.Handler and wraps
+// the provided endpoint.
+func NewServer(
+ e endpoint.Endpoint,
+ dec DecodeRequestFunc,
+ enc EncodeResponseFunc,
+ options ...ServerOption,
+) *Server {
+ s := &Server{
+ e: e,
+ dec: dec,
+ enc: enc,
+ errorEncoder: DefaultErrorEncoder,
+ errorHandler: transport.NewLogErrorHandler(log.NewNopLogger()),
+ }
+ for _, option := range options {
+ option(s)
+ }
+ return s
+}
+
+// ServerOption sets an optional parameter for servers.
+type ServerOption func(*Server)
+
+// ServerBefore functions are executed on the HTTP request object before the
+// request is decoded.
+func ServerBefore(before ...RequestFunc) ServerOption {
+ return func(s *Server) { s.before = append(s.before, before...) }
+}
+
+// ServerAfter functions are executed on the HTTP response writer after the
+// endpoint is invoked, but before anything is written to the client.
+func ServerAfter(after ...ServerResponseFunc) ServerOption {
+ return func(s *Server) { s.after = append(s.after, after...) }
+}
+
+// ServerErrorEncoder is used to encode errors to the http.ResponseWriter
+// whenever they're encountered in the processing of a request. Clients can
+// use this to provide custom error formatting and response codes. By default,
+// errors will be written with the DefaultErrorEncoder.
+func ServerErrorEncoder(ee ErrorEncoder) ServerOption {
+ return func(s *Server) { s.errorEncoder = ee }
+}
+
+// ServerErrorLogger is used to log non-terminal errors. By default, no errors
+// are logged. This is intended as a diagnostic measure. Finer-grained control
+// of error handling, including logging in more detail, should be performed in a
+// custom ServerErrorEncoder or ServerFinalizer, both of which have access to
+// the context.
+// Deprecated: Use ServerErrorHandler instead.
+func ServerErrorLogger(logger log.Logger) ServerOption {
+ return func(s *Server) { s.errorHandler = transport.NewLogErrorHandler(logger) }
+}
+
+// ServerErrorHandler is used to handle non-terminal errors. By default, non-terminal errors
+// are ignored. This is intended as a diagnostic measure. Finer-grained control
+// of error handling, including logging in more detail, should be performed in a
+// custom ServerErrorEncoder or ServerFinalizer, both of which have access to
+// the context.
+func ServerErrorHandler(errorHandler transport.ErrorHandler) ServerOption {
+ return func(s *Server) { s.errorHandler = errorHandler }
+}
+
+// ServerFinalizer is executed at the end of every HTTP request.
+// By default, no finalizer is registered.
+func ServerFinalizer(f ...ServerFinalizerFunc) ServerOption {
+ return func(s *Server) { s.finalizer = append(s.finalizer, f...) }
+}
+
+// ServeHTTP implements http.Handler.
+func (s Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+ ctx := r.Context()
+
+ if len(s.finalizer) > 0 {
+ iw := &interceptingWriter{w, http.StatusOK, 0}
+ defer func() {
+ ctx = context.WithValue(ctx, ContextKeyResponseHeaders, iw.Header())
+ ctx = context.WithValue(ctx, ContextKeyResponseSize, iw.written)
+ for _, f := range s.finalizer {
+ f(ctx, iw.code, r)
+ }
+ }()
+ w = iw
+ }
+
+ for _, f := range s.before {
+ ctx = f(ctx, r)
+ }
+
+ request, err := s.dec(ctx, r)
+ if err != nil {
+ s.errorHandler.Handle(ctx, err)
+ s.errorEncoder(ctx, err, w)
+ return
+ }
+
+ response, err := s.e(ctx, request)
+ if err != nil {
+ s.errorHandler.Handle(ctx, err)
+ s.errorEncoder(ctx, err, w)
+ return
+ }
+
+ for _, f := range s.after {
+ ctx = f(ctx, w)
+ }
+
+ if err := s.enc(ctx, w, response); err != nil {
+ s.errorHandler.Handle(ctx, err)
+ s.errorEncoder(ctx, err, w)
+ return
+ }
+}
+
+// ErrorEncoder is responsible for encoding an error to the ResponseWriter.
+// Users are encouraged to use custom ErrorEncoders to encode HTTP errors to
+// their clients, and will likely want to pass and check for their own error
+// types. See the example shipping/handling service.
+type ErrorEncoder func(ctx context.Context, err error, w http.ResponseWriter)
+
+// ServerFinalizerFunc can be used to perform work at the end of an HTTP
+// request, after the response has been written to the client. The principal
+// intended use is for request logging. In addition to the response code
+// provided in the function signature, additional response parameters are
+// provided in the context under keys with the ContextKeyResponse prefix.
+type ServerFinalizerFunc func(ctx context.Context, code int, r *http.Request)
+
+// NopRequestDecoder is a DecodeRequestFunc that can be used for requests that do not
+// need to be decoded, and simply returns nil, nil.
+func NopRequestDecoder(ctx context.Context, r *http.Request) (interface{}, error) {
+ return nil, nil
+}
+
+// EncodeJSONResponse is a EncodeResponseFunc that serializes the response as a
+// JSON object to the ResponseWriter. Many JSON-over-HTTP services can use it as
+// a sensible default. If the response implements Headerer, the provided headers
+// will be applied to the response. If the response implements StatusCoder, the
+// provided StatusCode will be used instead of 200.
+func EncodeJSONResponse(_ context.Context, w http.ResponseWriter, response interface{}) error {
+ w.Header().Set("Content-Type", "application/json; charset=utf-8")
+ if headerer, ok := response.(Headerer); ok {
+ for k, values := range headerer.Headers() {
+ for _, v := range values {
+ w.Header().Add(k, v)
+ }
+ }
+ }
+ code := http.StatusOK
+ if sc, ok := response.(StatusCoder); ok {
+ code = sc.StatusCode()
+ }
+ w.WriteHeader(code)
+ if code == http.StatusNoContent {
+ return nil
+ }
+ return json.NewEncoder(w).Encode(response)
+}
+
+// DefaultErrorEncoder writes the error to the ResponseWriter, by default a
+// content type of text/plain, a body of the plain text of the error, and a
+// status code of 500. If the error implements Headerer, the provided headers
+// will be applied to the response. If the error implements json.Marshaler, and
+// the marshaling succeeds, a content type of application/json and the JSON
+// encoded form of the error will be used. If the error implements StatusCoder,
+// the provided StatusCode will be used instead of 500.
+func DefaultErrorEncoder(_ context.Context, err error, w http.ResponseWriter) {
+ contentType, body := "text/plain; charset=utf-8", []byte(err.Error())
+ if marshaler, ok := err.(json.Marshaler); ok {
+ if jsonBody, marshalErr := marshaler.MarshalJSON(); marshalErr == nil {
+ contentType, body = "application/json; charset=utf-8", jsonBody
+ }
+ }
+ w.Header().Set("Content-Type", contentType)
+ if headerer, ok := err.(Headerer); ok {
+ for k, values := range headerer.Headers() {
+ for _, v := range values {
+ w.Header().Add(k, v)
+ }
+ }
+ }
+ code := http.StatusInternalServerError
+ if sc, ok := err.(StatusCoder); ok {
+ code = sc.StatusCode()
+ }
+ w.WriteHeader(code)
+ w.Write(body)
+}
+
+// StatusCoder is checked by DefaultErrorEncoder. If an error value implements
+// StatusCoder, the StatusCode will be used when encoding the error. By default,
+// StatusInternalServerError (500) is used.
+type StatusCoder interface {
+ StatusCode() int
+}
+
+// Headerer is checked by DefaultErrorEncoder. If an error value implements
+// Headerer, the provided headers will be applied to the response writer, after
+// the Content-Type is set.
+type Headerer interface {
+ Headers() http.Header
+}
+
+type interceptingWriter struct {
+ http.ResponseWriter
+ code int
+ written int64
+}
+
+// WriteHeader may not be explicitly called, so care must be taken to
+// initialize w.code to its default value of http.StatusOK.
+func (w *interceptingWriter) WriteHeader(code int) {
+ w.code = code
+ w.ResponseWriter.WriteHeader(code)
+}
+
+func (w *interceptingWriter) Write(p []byte) (int, error) {
+ n, err := w.ResponseWriter.Write(p)
+ w.written += int64(n)
+ return n, err
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/log/.gitignore b/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/log/.gitignore
new file mode 100644
index 000000000000..66fd13c903ca
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/log/.gitignore
@@ -0,0 +1,15 @@
+# Binaries for programs and plugins
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+
+# Test binary, built with `go test -c`
+*.test
+
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+
+# Dependency directories (remove the comment below to include it)
+# vendor/
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/log/LICENSE b/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/log/LICENSE
new file mode 100644
index 000000000000..bb5bdb9cb8c9
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/log/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2021 Go kit
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/log/README.md b/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/log/README.md
new file mode 100644
index 000000000000..a0931951df8d
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/log/README.md
@@ -0,0 +1,151 @@
+# package log
+
+`package log` provides a minimal interface for structured logging in services.
+It may be wrapped to encode conventions, enforce type-safety, provide leveled
+logging, and so on. It can be used for both typical application log events,
+and log-structured data streams.
+
+## Structured logging
+
+Structured logging is, basically, conceding to the reality that logs are
+_data_, and warrant some level of schematic rigor. Using a stricter,
+key/value-oriented message format for our logs, containing contextual and
+semantic information, makes it much easier to get insight into the
+operational activity of the systems we build. Consequently, `package log` is
+of the strong belief that "[the benefits of structured logging outweigh the
+minimal effort involved](https://www.thoughtworks.com/radar/techniques/structured-logging)".
+
+Migrating from unstructured to structured logging is probably a lot easier
+than you'd expect.
+
+```go
+// Unstructured
+log.Printf("HTTP server listening on %s", addr)
+
+// Structured
+logger.Log("transport", "HTTP", "addr", addr, "msg", "listening")
+```
+
+## Usage
+
+### Typical application logging
+
+```go
+w := log.NewSyncWriter(os.Stderr)
+logger := log.NewLogfmtLogger(w)
+logger.Log("question", "what is the meaning of life?", "answer", 42)
+
+// Output:
+// question="what is the meaning of life?" answer=42
+```
+
+### Contextual Loggers
+
+```go
+func main() {
+ var logger log.Logger
+ logger = log.NewLogfmtLogger(log.NewSyncWriter(os.Stderr))
+ logger = log.With(logger, "instance_id", 123)
+
+ logger.Log("msg", "starting")
+ NewWorker(log.With(logger, "component", "worker")).Run()
+ NewSlacker(log.With(logger, "component", "slacker")).Run()
+}
+
+// Output:
+// instance_id=123 msg=starting
+// instance_id=123 component=worker msg=running
+// instance_id=123 component=slacker msg=running
+```
+
+### Interact with stdlib logger
+
+Redirect stdlib logger to Go kit logger.
+
+```go
+import (
+ "os"
+ stdlog "log"
+ kitlog "github.com/go-kit/log"
+)
+
+func main() {
+ logger := kitlog.NewJSONLogger(kitlog.NewSyncWriter(os.Stdout))
+ stdlog.SetOutput(kitlog.NewStdlibAdapter(logger))
+ stdlog.Print("I sure like pie")
+}
+
+// Output:
+// {"msg":"I sure like pie","ts":"2016/01/01 12:34:56"}
+```
+
+Or, if, for legacy reasons, you need to pipe all of your logging through the
+stdlib log package, you can redirect Go kit logger to the stdlib logger.
+
+```go
+logger := kitlog.NewLogfmtLogger(kitlog.StdlibWriter{})
+logger.Log("legacy", true, "msg", "at least it's something")
+
+// Output:
+// 2016/01/01 12:34:56 legacy=true msg="at least it's something"
+```
+
+### Timestamps and callers
+
+```go
+var logger log.Logger
+logger = log.NewLogfmtLogger(log.NewSyncWriter(os.Stderr))
+logger = log.With(logger, "ts", log.DefaultTimestampUTC, "caller", log.DefaultCaller)
+
+logger.Log("msg", "hello")
+
+// Output:
+// ts=2016-01-01T12:34:56Z caller=main.go:15 msg=hello
+```
+
+## Levels
+
+Log levels are supported via the [level package](https://godoc.org/github.com/go-kit/log/level).
+
+## Supported output formats
+
+- [Logfmt](https://brandur.org/logfmt) ([see also](https://blog.codeship.com/logfmt-a-log-format-thats-easy-to-read-and-write))
+- JSON
+
+## Enhancements
+
+`package log` is centered on the one-method Logger interface.
+
+```go
+type Logger interface {
+ Log(keyvals ...interface{}) error
+}
+```
+
+This interface, and its supporting code like is the product of much iteration
+and evaluation. For more details on the evolution of the Logger interface,
+see [The Hunt for a Logger Interface](http://go-talks.appspot.com/github.com/ChrisHines/talks/structured-logging/structured-logging.slide#1),
+a talk by [Chris Hines](https://github.com/ChrisHines).
+Also, please see
+[#63](https://github.com/go-kit/kit/issues/63),
+[#76](https://github.com/go-kit/kit/pull/76),
+[#131](https://github.com/go-kit/kit/issues/131),
+[#157](https://github.com/go-kit/kit/pull/157),
+[#164](https://github.com/go-kit/kit/issues/164), and
+[#252](https://github.com/go-kit/kit/pull/252)
+to review historical conversations about package log and the Logger interface.
+
+Value-add packages and suggestions,
+like improvements to [the leveled logger](https://godoc.org/github.com/go-kit/log/level),
+are of course welcome. Good proposals should
+
+- Be composable with [contextual loggers](https://godoc.org/github.com/go-kit/log#With),
+- Not break the behavior of [log.Caller](https://godoc.org/github.com/go-kit/log#Caller) in any wrapped contextual loggers, and
+- Be friendly to packages that accept only an unadorned log.Logger.
+
+## Benchmarks & comparisons
+
+There are a few Go logging benchmarks and comparisons that include Go kit's package log.
+
+- [imkira/go-loggers-bench](https://github.com/imkira/go-loggers-bench) includes kit/log
+- [uber-common/zap](https://github.com/uber-common/zap), a zero-alloc logging library, includes a comparison with kit/log
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/log/doc.go b/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/log/doc.go
new file mode 100644
index 000000000000..f744382fe499
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/log/doc.go
@@ -0,0 +1,116 @@
+// Package log provides a structured logger.
+//
+// Structured logging produces logs easily consumed later by humans or
+// machines. Humans might be interested in debugging errors, or tracing
+// specific requests. Machines might be interested in counting interesting
+// events, or aggregating information for off-line processing. In both cases,
+// it is important that the log messages are structured and actionable.
+// Package log is designed to encourage both of these best practices.
+//
+// Basic Usage
+//
+// The fundamental interface is Logger. Loggers create log events from
+// key/value data. The Logger interface has a single method, Log, which
+// accepts a sequence of alternating key/value pairs, which this package names
+// keyvals.
+//
+// type Logger interface {
+// Log(keyvals ...interface{}) error
+// }
+//
+// Here is an example of a function using a Logger to create log events.
+//
+// func RunTask(task Task, logger log.Logger) string {
+// logger.Log("taskID", task.ID, "event", "starting task")
+// ...
+// logger.Log("taskID", task.ID, "event", "task complete")
+// }
+//
+// The keys in the above example are "taskID" and "event". The values are
+// task.ID, "starting task", and "task complete". Every key is followed
+// immediately by its value.
+//
+// Keys are usually plain strings. Values may be any type that has a sensible
+// encoding in the chosen log format. With structured logging it is a good
+// idea to log simple values without formatting them. This practice allows
+// the chosen logger to encode values in the most appropriate way.
+//
+// Contextual Loggers
+//
+// A contextual logger stores keyvals that it includes in all log events.
+// Building appropriate contextual loggers reduces repetition and aids
+// consistency in the resulting log output. With, WithPrefix, and WithSuffix
+// add context to a logger. We can use With to improve the RunTask example.
+//
+// func RunTask(task Task, logger log.Logger) string {
+// logger = log.With(logger, "taskID", task.ID)
+// logger.Log("event", "starting task")
+// ...
+// taskHelper(task.Cmd, logger)
+// ...
+// logger.Log("event", "task complete")
+// }
+//
+// The improved version emits the same log events as the original for the
+// first and last calls to Log. Passing the contextual logger to taskHelper
+// enables each log event created by taskHelper to include the task.ID even
+// though taskHelper does not have access to that value. Using contextual
+// loggers this way simplifies producing log output that enables tracing the
+// life cycle of individual tasks. (See the Contextual example for the full
+// code of the above snippet.)
+//
+// Dynamic Contextual Values
+//
+// A Valuer function stored in a contextual logger generates a new value each
+// time an event is logged. The Valuer example demonstrates how this feature
+// works.
+//
+// Valuers provide the basis for consistently logging timestamps and source
+// code location. The log package defines several valuers for that purpose.
+// See Timestamp, DefaultTimestamp, DefaultTimestampUTC, Caller, and
+// DefaultCaller. A common logger initialization sequence that ensures all log
+// entries contain a timestamp and source location looks like this:
+//
+// logger := log.NewLogfmtLogger(log.NewSyncWriter(os.Stdout))
+// logger = log.With(logger, "ts", log.DefaultTimestampUTC, "caller", log.DefaultCaller)
+//
+// Concurrent Safety
+//
+// Applications with multiple goroutines want each log event written to the
+// same logger to remain separate from other log events. Package log provides
+// two simple solutions for concurrent safe logging.
+//
+// NewSyncWriter wraps an io.Writer and serializes each call to its Write
+// method.
Using a SyncWriter has the benefit that the smallest practical
+// portion of the logging logic is performed within a mutex, but it requires
+// the formatting Logger to make only one call to Write per log event.
+//
+// NewSyncLogger wraps any Logger and serializes each call to its Log method.
+// Using a SyncLogger has the benefit that it guarantees each log event is
+// handled atomically within the wrapped logger, but it typically serializes
+// both the formatting and output logic. Use a SyncLogger if the formatting
+// logger may perform multiple writes per log event.
+//
+// Error Handling
+//
+// This package relies on the practice of wrapping or decorating loggers with
+// other loggers to provide composable pieces of functionality. It also means
+// that Logger.Log must return an error because some
+// implementations—especially those that output log data to an io.Writer—may
+// encounter errors that cannot be handled locally. This in turn means that
+// Loggers that wrap other loggers should return errors from the wrapped
+// logger up the stack.
+//
+// Fortunately, the decorator pattern also provides a way to avoid the
+// necessity to check for errors every time an application calls Logger.Log.
+// An application required to panic whenever its Logger encounters
+// an error could initialize its logger as follows.
+//
+// fmtlogger := log.NewLogfmtLogger(log.NewSyncWriter(os.Stdout))
+// logger := log.LoggerFunc(func(keyvals ...interface{}) error {
+// if err := fmtlogger.Log(keyvals...); err != nil {
+// panic(err)
+// }
+// return nil
+// })
+package log
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/log/json_logger.go b/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/log/json_logger.go
new file mode 100644
index 000000000000..0cedbf82478e
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/log/json_logger.go
@@ -0,0 +1,91 @@
+package log
+
+import (
+ "encoding"
+ "encoding/json"
+ "fmt"
+ "io"
+ "reflect"
+)
+
+type jsonLogger struct {
+ io.Writer
+}
+
+// NewJSONLogger returns a Logger that encodes keyvals to the Writer as a
+// single JSON object. Each log event produces no more than one call to
+// w.Write. The passed Writer must be safe for concurrent use by multiple
+// goroutines if the returned Logger will be used concurrently.
+func NewJSONLogger(w io.Writer) Logger {
+ return &jsonLogger{w}
+}
+
+func (l *jsonLogger) Log(keyvals ...interface{}) error {
+ n := (len(keyvals) + 1) / 2 // +1 to handle case when len is odd
+ m := make(map[string]interface{}, n)
+ for i := 0; i < len(keyvals); i += 2 {
+ k := keyvals[i]
+ var v interface{} = ErrMissingValue
+ if i+1 < len(keyvals) {
+ v = keyvals[i+1]
+ }
+ merge(m, k, v)
+ }
+ enc := json.NewEncoder(l.Writer)
+ enc.SetEscapeHTML(false)
+ return enc.Encode(m)
+}
+
+func merge(dst map[string]interface{}, k, v interface{}) {
+ var key string
+ switch x := k.(type) {
+ case string:
+ key = x
+ case fmt.Stringer:
+ key = safeString(x)
+ default:
+ key = fmt.Sprint(x)
+ }
+
+ // We want json.Marshaler and encoding.TextMarshaller to take priority over
+ // err.Error() and v.String(). But json.Marshall (called later) does that by
+ // default so we force a no-op if it's one of those 2 case.
+ switch x := v.(type) {
+ case json.Marshaler:
+ case encoding.TextMarshaler:
+ case error:
+ v = safeError(x)
+ case fmt.Stringer:
+ v = safeString(x)
+ }
+
+ dst[key] = v
+}
+
+func safeString(str fmt.Stringer) (s string) {
+ defer func() {
+ if panicVal := recover(); panicVal != nil {
+ if v := reflect.ValueOf(str); v.Kind() == reflect.Ptr && v.IsNil() {
+ s = "NULL"
+ } else {
+ panic(panicVal)
+ }
+ }
+ }()
+ s = str.String()
+ return
+}
+
+func safeError(err error) (s interface{}) {
+ defer func() {
+ if panicVal := recover(); panicVal != nil {
+ if v := reflect.ValueOf(err); v.Kind() == reflect.Ptr && v.IsNil() {
+ s = nil
+ } else {
+ panic(panicVal)
+ }
+ }
+ }()
+ s = err.Error()
+ return
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/log/log.go b/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/log/log.go
new file mode 100644
index 000000000000..62e11adace59
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/log/log.go
@@ -0,0 +1,179 @@
+package log
+
+import "errors"
+
+// Logger is the fundamental interface for all log operations. Log creates a
+// log event from keyvals, a variadic sequence of alternating keys and values.
+// Implementations must be safe for concurrent use by multiple goroutines. In
+// particular, any implementation of Logger that appends to keyvals or
+// modifies or retains any of its elements must make a copy first.
+type Logger interface {
+ Log(keyvals ...interface{}) error
+}
+
+// ErrMissingValue is appended to keyvals slices with odd length to substitute
+// the missing value.
+var ErrMissingValue = errors.New("(MISSING)")
+
+// With returns a new contextual logger with keyvals prepended to those passed
+// to calls to Log. If logger is also a contextual logger created by With,
+// WithPrefix, or WithSuffix, keyvals is appended to the existing context.
+//
+// The returned Logger replaces all value elements (odd indexes) containing a
+// Valuer with their generated value for each call to its Log method.
+func With(logger Logger, keyvals ...interface{}) Logger {
+ if len(keyvals) == 0 {
+ return logger
+ }
+ l := newContext(logger)
+ kvs := append(l.keyvals, keyvals...)
+ if len(kvs)%2 != 0 {
+ kvs = append(kvs, ErrMissingValue)
+ }
+ return &context{
+ logger: l.logger,
+ // Limiting the capacity of the stored keyvals ensures that a new
+ // backing array is created if the slice must grow in Log or With.
+ // Using the extra capacity without copying risks a data race that
+ // would violate the Logger interface contract.
+ keyvals: kvs[:len(kvs):len(kvs)],
+ hasValuer: l.hasValuer || containsValuer(keyvals),
+ sKeyvals: l.sKeyvals,
+ sHasValuer: l.sHasValuer,
+ }
+}
+
+// WithPrefix returns a new contextual logger with keyvals prepended to those
+// passed to calls to Log. If logger is also a contextual logger created by
+// With, WithPrefix, or WithSuffix, keyvals is prepended to the existing context.
+//
+// The returned Logger replaces all value elements (odd indexes) containing a
+// Valuer with their generated value for each call to its Log method.
+func WithPrefix(logger Logger, keyvals ...interface{}) Logger {
+ if len(keyvals) == 0 {
+ return logger
+ }
+ l := newContext(logger)
+ // Limiting the capacity of the stored keyvals ensures that a new
+ // backing array is created if the slice must grow in Log or With.
+ // Using the extra capacity without copying risks a data race that
+ // would violate the Logger interface contract.
+ n := len(l.keyvals) + len(keyvals)
+ if len(keyvals)%2 != 0 {
+ n++
+ }
+ kvs := make([]interface{}, 0, n)
+ kvs = append(kvs, keyvals...)
+ if len(kvs)%2 != 0 {
+ kvs = append(kvs, ErrMissingValue)
+ }
+ kvs = append(kvs, l.keyvals...)
+ return &context{
+ logger: l.logger,
+ keyvals: kvs,
+ hasValuer: l.hasValuer || containsValuer(keyvals),
+ sKeyvals: l.sKeyvals,
+ sHasValuer: l.sHasValuer,
+ }
+}
+
+// WithSuffix returns a new contextual logger with keyvals appended to those
+// passed to calls to Log. If logger is also a contextual logger created by
+// With, WithPrefix, or WithSuffix, keyvals is appended to the existing context.
+//
+// The returned Logger replaces all value elements (odd indexes) containing a
+// Valuer with their generated value for each call to its Log method.
+func WithSuffix(logger Logger, keyvals ...interface{}) Logger {
+ if len(keyvals) == 0 {
+ return logger
+ }
+ l := newContext(logger)
+ // Limiting the capacity of the stored keyvals ensures that a new
+ // backing array is created if the slice must grow in Log or With.
+ // Using the extra capacity without copying risks a data race that
+ // would violate the Logger interface contract.
+ n := len(l.sKeyvals) + len(keyvals)
+ if len(keyvals)%2 != 0 {
+ n++
+ }
+ kvs := make([]interface{}, 0, n)
+ kvs = append(kvs, keyvals...)
+ if len(kvs)%2 != 0 {
+ kvs = append(kvs, ErrMissingValue)
+ }
+ kvs = append(l.sKeyvals, kvs...)
+ return &context{
+ logger: l.logger,
+ keyvals: l.keyvals,
+ hasValuer: l.hasValuer,
+ sKeyvals: kvs,
+ sHasValuer: l.sHasValuer || containsValuer(keyvals),
+ }
+}
+
+// context is the Logger implementation returned by With, WithPrefix, and
+// WithSuffix. It wraps a Logger and holds keyvals that it includes in all
+// log events. Its Log method calls bindValues to generate values for each
+// Valuer in the context keyvals.
+//
+// A context must always have the same number of stack frames between calls to
+// its Log method and the eventual binding of Valuers to their value. This
+// requirement comes from the functional requirement to allow a context to
+// resolve application call site information for a Caller stored in the
+// context. To do this we must be able to predict the number of logging
+// functions on the stack when bindValues is called.
+//
+// Two implementation details provide the needed stack depth consistency.
+//
+// 1. newContext avoids introducing an additional layer when asked to
+// wrap another context.
+// 2. With, WithPrefix, and WithSuffix avoid introducing an additional
+// layer by returning a newly constructed context with a merged keyvals
+// rather than simply wrapping the existing context.
+type context struct {
+ logger Logger
+ keyvals []interface{}
+ sKeyvals []interface{} // suffixes
+ hasValuer bool
+ sHasValuer bool
+}
+
+func newContext(logger Logger) *context {
+ if c, ok := logger.(*context); ok {
+ return c
+ }
+ return &context{logger: logger}
+}
+
+// Log replaces all value elements (odd indexes) containing a Valuer in the
+// stored context with their generated value, appends keyvals, and passes the
+// result to the wrapped Logger.
+func (l *context) Log(keyvals ...interface{}) error {
+ kvs := append(l.keyvals, keyvals...)
+ if len(kvs)%2 != 0 {
+ kvs = append(kvs, ErrMissingValue)
+ }
+ if l.hasValuer {
+ // If no keyvals were appended above then we must copy l.keyvals so
+ // that future log events will reevaluate the stored Valuers.
+ if len(keyvals) == 0 {
+ kvs = append([]interface{}{}, l.keyvals...)
+ }
+ bindValues(kvs[:(len(l.keyvals))])
+ }
+ kvs = append(kvs, l.sKeyvals...)
+ if l.sHasValuer {
+ bindValues(kvs[len(kvs)-len(l.sKeyvals):])
+ }
+ return l.logger.Log(kvs...)
+}
+
+// LoggerFunc is an adapter to allow use of ordinary functions as Loggers. If
+// f is a function with the appropriate signature, LoggerFunc(f) is a Logger
+// object that calls f.
+type LoggerFunc func(...interface{}) error
+
+// Log implements Logger by calling f(keyvals...).
+func (f LoggerFunc) Log(keyvals ...interface{}) error {
+ return f(keyvals...)
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/log/logfmt_logger.go b/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/log/logfmt_logger.go
new file mode 100644
index 000000000000..a00305298b82
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/log/logfmt_logger.go
@@ -0,0 +1,62 @@
+package log
+
+import (
+ "bytes"
+ "io"
+ "sync"
+
+ "github.com/go-logfmt/logfmt"
+)
+
+type logfmtEncoder struct {
+ *logfmt.Encoder
+ buf bytes.Buffer
+}
+
+func (l *logfmtEncoder) Reset() {
+ l.Encoder.Reset()
+ l.buf.Reset()
+}
+
+var logfmtEncoderPool = sync.Pool{
+ New: func() interface{} {
+ var enc logfmtEncoder
+ enc.Encoder = logfmt.NewEncoder(&enc.buf)
+ return &enc
+ },
+}
+
+type logfmtLogger struct {
+ w io.Writer
+}
+
+// NewLogfmtLogger returns a logger that encodes keyvals to the Writer in
+// logfmt format. Each log event produces no more than one call to w.Write.
+// The passed Writer must be safe for concurrent use by multiple goroutines if
+// the returned Logger will be used concurrently.
+func NewLogfmtLogger(w io.Writer) Logger {
+ return &logfmtLogger{w}
+}
+
+func (l logfmtLogger) Log(keyvals ...interface{}) error {
+ enc := logfmtEncoderPool.Get().(*logfmtEncoder)
+ enc.Reset()
+ defer logfmtEncoderPool.Put(enc)
+
+ if err := enc.EncodeKeyvals(keyvals...); err != nil {
+ return err
+ }
+
+ // Add newline to the end of the buffer
+ if err := enc.EndRecord(); err != nil {
+ return err
+ }
+
+ // The Logger interface requires implementations to be safe for concurrent
+ // use by multiple goroutines. For this implementation that means making
+ // only one call to l.w.Write() for each call to Log.
+ if _, err := l.w.Write(enc.buf.Bytes()); err != nil {
+ return err
+ }
+ return nil
+}
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/log/nop_logger.go b/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/log/nop_logger.go
new file mode 100644
index 000000000000..1047d626c436
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/log/nop_logger.go
@@ -0,0 +1,8 @@
+package log
+
+type nopLogger struct{}
+
+// NewNopLogger returns a logger that doesn't do anything.
+func NewNopLogger() Logger { return nopLogger{} }
+
+func (nopLogger) Log(...interface{}) error { return nil }
diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/log/stdlib.go b/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/log/stdlib.go
new file mode 100644
index 000000000000..0338edbe2ba3
--- /dev/null
+++ b/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/log/stdlib.go
@@ -0,0 +1,151 @@
+package log
+
+import (
+ "bytes"
+ "io"
+ "log"
+ "regexp"
+ "strings"
+)
+
+// StdlibWriter implements io.Writer by invoking the stdlib log.Print. It's
+// designed to be passed to a Go kit logger as the writer, for cases where
+// it's necessary to redirect all Go kit log output to the stdlib logger.
+//
+// If you have any choice in the matter, you shouldn't use this. Prefer to
+// redirect the stdlib log to the Go kit logger via NewStdlibAdapter.
+type StdlibWriter struct{}
+
+// Write implements io.Writer.
+func (w StdlibWriter) Write(p []byte) (int, error) {
+ log.Print(strings.TrimSpace(string(p)))
+ return len(p), nil
+}
+
+// StdlibAdapter wraps a Logger and allows it to be passed to the stdlib
+// logger's SetOutput. It will extract date/timestamps, filenames, and
+// messages, and place them under relevant keys.
+type StdlibAdapter struct {
+ Logger
+ timestampKey string
+ fileKey string
+ messageKey string
+ prefix string
+ joinPrefixToMsg bool
+}
+
+// StdlibAdapterOption sets a parameter for the StdlibAdapter.
+type StdlibAdapterOption func(*StdlibAdapter)
+
+// TimestampKey sets the key for the timestamp field. By default, it's "ts".
+func TimestampKey(key string) StdlibAdapterOption {
+ return func(a *StdlibAdapter) { a.timestampKey = key }
+}
+
+// FileKey sets the key for the file and line field. By default, it's "caller".
+func FileKey(key string) StdlibAdapterOption {
+ return func(a *StdlibAdapter) { a.fileKey = key }
+}
+
+// MessageKey sets the key for the actual log message. By default, it's "msg".
+func MessageKey(key string) StdlibAdapterOption {
+ return func(a *StdlibAdapter) { a.messageKey = key }
+}
+
+// Prefix configures the adapter to parse a prefix from stdlib log events. If
+// you provide a non-empty prefix to the stdlib logger, then your should provide
+// that same prefix to the adapter via this option.
+//
+// By default, the prefix isn't included in the msg key.
Set joinPrefixToMsg to +// true if you want to include the parsed prefix in the msg. +func Prefix(prefix string, joinPrefixToMsg bool) StdlibAdapterOption { + return func(a *StdlibAdapter) { a.prefix = prefix; a.joinPrefixToMsg = joinPrefixToMsg } +} + +// NewStdlibAdapter returns a new StdlibAdapter wrapper around the passed +// logger. It's designed to be passed to log.SetOutput. +func NewStdlibAdapter(logger Logger, options ...StdlibAdapterOption) io.Writer { + a := StdlibAdapter{ + Logger: logger, + timestampKey: "ts", + fileKey: "caller", + messageKey: "msg", + } + for _, option := range options { + option(&a) + } + return a +} + +func (a StdlibAdapter) Write(p []byte) (int, error) { + p = a.handlePrefix(p) + + result := subexps(p) + keyvals := []interface{}{} + var timestamp string + if date, ok := result["date"]; ok && date != "" { + timestamp = date + } + if time, ok := result["time"]; ok && time != "" { + if timestamp != "" { + timestamp += " " + } + timestamp += time + } + if timestamp != "" { + keyvals = append(keyvals, a.timestampKey, timestamp) + } + if file, ok := result["file"]; ok && file != "" { + keyvals = append(keyvals, a.fileKey, file) + } + if msg, ok := result["msg"]; ok { + msg = a.handleMessagePrefix(msg) + keyvals = append(keyvals, a.messageKey, msg) + } + if err := a.Logger.Log(keyvals...); err != nil { + return 0, err + } + return len(p), nil +} + +func (a StdlibAdapter) handlePrefix(p []byte) []byte { + if a.prefix != "" { + p = bytes.TrimPrefix(p, []byte(a.prefix)) + } + return p +} + +func (a StdlibAdapter) handleMessagePrefix(msg string) string { + if a.prefix == "" { + return msg + } + + msg = strings.TrimPrefix(msg, a.prefix) + if a.joinPrefixToMsg { + msg = a.prefix + msg + } + return msg +} + +const ( + logRegexpDate = `(?P[0-9]{4}/[0-9]{2}/[0-9]{2})?[ ]?` + logRegexpTime = `(?P