This repository was archived by the owner on Nov 19, 2025. It is now read-only.

[NEW QUERY] Uncontrolled allocation size for Go (CWE-770) #4

Draft
Copilot wants to merge 4 commits into main from copilot/create-uncontrolled-allocation-size-query

Copilot AI commented Nov 18, 2025

📝 Query Information

  • Language: Go
  • Query ID: go/uncontrolled-allocation-size
  • Category: security
  • Severity: warning (security-severity: 7.5)
  • CWE/CVE (if applicable): CWE-770

🎯 Description

What This Query Detects

Detects memory allocations where size is controlled by untrusted input, enabling DoS through excessive memory consumption or integer overflow.

Example Vulnerable Code

func OutOfMemoryBad(w http.ResponseWriter, r *http.Request) {
    source := r.URL.Query()
    sourceStr := source.Get("size")
    sink, err := strconv.Atoi(sourceStr)
    if err != nil {
        http.Error(w, err.Error(), http.StatusBadRequest)
        return
    }
    // BAD: Uncontrolled allocation size from user input
    result := make([]string, sink)
    // ...
}

Example Safe Code

func OutOfMemoryGood(w http.ResponseWriter, r *http.Request) {
    source := r.URL.Query()
    MaxValue := 100
    sourceStr := source.Get("size")
    sink, err := strconv.Atoi(sourceStr)
    if err != nil {
        http.Error(w, err.Error(), http.StatusBadRequest)
        return
    }
    // GOOD: Validate the size before allocation
    if sink < 0 || sink > MaxValue {
        http.Error(w, "Bad request", http.StatusBadRequest)
        return
    }
    result := make([]string, sink)
    // ...
}

🧪 Testing

  • Positive test cases included
  • Negative test cases included
  • Edge cases covered
  • All tests pass (requires CodeQL library dependencies unavailable in sandboxed environment)

📋 Checklist

  • Query compiles without errors
  • Documentation complete (.md and .qhelp)
  • Metadata properly set (@name, @id, @kind, etc.)
  • Tests validate query behavior
  • No false positives in test cases
  • No security vulnerabilities in implementation

🔗 References


Note: This query was developed using Test-Driven Development methodology. Expected test results created from issue specifications; full validation requires CodeQL stdlib dependencies.

Original prompt

This section details the original issue you should resolve

<issue_title>[Query Create]: Create UncontrolledAllocationSize.ql query for go / CWE-770</issue_title>
<issue_description>### Target Language

go

Query Name (Optional)

UncontrolledAllocationSize

Query Type

Security

Query Description

Query documentation file

Expected Severity

High

Code Examples

Example good (i.e. COMPLIANT) code

https://github.com/github/codeql/blob/main/go/ql/test/query-tests/Security/CWE-770/UncontrolledAllocationSizeGood.go

Example bad (i.e. NON_COMPLIANT) code

https://github.com/github/codeql/blob/main/go/ql/test/query-tests/Security/CWE-770/UncontrolledAllocationSizeBad.go

Expected query test results

#select
| UncontrolledAllocationSizeBad.go:20:27:20:30 | sink | UncontrolledAllocationSizeBad.go:11:12:11:16 | selection of URL | UncontrolledAllocationSizeBad.go:20:27:20:30 | sink | This memory allocation depends on a $@. | UncontrolledAllocationSizeBad.go:11:12:11:16 | selection of URL | user-provided value |
edges
| UncontrolledAllocationSizeBad.go:11:12:11:16 | selection of URL | UncontrolledAllocationSizeBad.go:11:12:11:24 | call to Query | provenance | Src:MaD:1 MaD:2 |
| UncontrolledAllocationSizeBad.go:11:12:11:24 | call to Query | UncontrolledAllocationSizeBad.go:13:15:13:20 | source | provenance |  |
| UncontrolledAllocationSizeBad.go:13:15:13:20 | source | UncontrolledAllocationSizeBad.go:13:15:13:29 | call to Get | provenance | MaD:3 |
| UncontrolledAllocationSizeBad.go:13:15:13:29 | call to Get | UncontrolledAllocationSizeBad.go:14:28:14:36 | sourceStr | provenance |  |
| UncontrolledAllocationSizeBad.go:14:2:14:37 | ... := ...[0] | UncontrolledAllocationSizeBad.go:20:27:20:30 | sink | provenance |  |
| UncontrolledAllocationSizeBad.go:14:28:14:36 | sourceStr | UncontrolledAllocationSizeBad.go:14:2:14:37 | ... := ...[0] | provenance | Config |
models
| 1 | Source: net/http; Request; true; URL; ; ; ; remote; manual |
| 2 | Summary: net/url; URL; true; Query; ; ; Argument[receiver]; ReturnValue; taint; manual |
| 3 | Summary: net/url; Values; true; Get; ; ; Argument[receiver]; ReturnValue; taint; manual |
nodes
| UncontrolledAllocationSizeBad.go:11:12:11:16 | selection of URL | semmle.label | selection of URL |
| UncontrolledAllocationSizeBad.go:11:12:11:24 | call to Query | semmle.label | call to Query |
| UncontrolledAllocationSizeBad.go:13:15:13:20 | source | semmle.label | source |
| UncontrolledAllocationSizeBad.go:13:15:13:29 | call to Get | semmle.label | call to Get |
| UncontrolledAllocationSizeBad.go:14:2:14:37 | ... := ...[0] | semmle.label | ... := ...[0] |
| UncontrolledAllocationSizeBad.go:14:28:14:36 | sourceStr | semmle.label | sourceStr |
| UncontrolledAllocationSizeBad.go:20:27:20:30 | sink | semmle.label | sink |
subpaths

CWE/CVE Reference (Optional)

CWE-770

References (Optional)

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct</issue_description>

Comments on the Issue (you are @copilot in this section)

Custom agent used: QL Test Driven Developer Agent
Develops a new and/or improved CodeQL query by following test-driven-development (TDD) best practices for ql code.



Copilot AI and others added 3 commits November 18, 2025 16:48
Co-authored-by: data-douser <70299490+data-douser@users.noreply.github.com>
Co-authored-by: data-douser <70299490+data-douser@users.noreply.github.com>
Co-authored-by: data-douser <70299490+data-douser@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Create UncontrolledAllocationSize.ql query for Go" to "[NEW QUERY] Uncontrolled allocation size for Go (CWE-770)" on Nov 18, 2025
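The bound check from the safe example in the pull request description, factored into a helper and exercised end to end. This is an added example, not code from the pull request or from the CodeQL test suite, and it goes beyond the description's single case by also covering negative, overflowing and non-numeric sizes. The names `parseBoundedSize`, `itemsHandler`, `statusFor`, the `/items` path and the limit `maxItems` are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
)

// maxItems is an assumed application limit; derive the real one from the workload.
const maxItems = 100

// parseBoundedSize turns an untrusted decimal string into an allocation size.
// It rejects non-integers, negatives (make would panic) and values above limit.
func parseBoundedSize(raw string, limit int) (int, error) {
	n, err := strconv.Atoi(raw)
	if err != nil {
		return 0, fmt.Errorf("size is not an integer: %w", err)
	}
	if n < 0 || n > limit {
		return 0, fmt.Errorf("size %d outside [0, %d]", n, limit)
	}
	return n, nil
}

// itemsHandler allocates only after the bound check has passed.
func itemsHandler(w http.ResponseWriter, r *http.Request) {
	n, err := parseBoundedSize(r.URL.Query().Get("size"), maxItems)
	if err != nil {
		http.Error(w, "Bad request", http.StatusBadRequest)
		return
	}
	items := make([]string, n)
	fmt.Fprintf(w, "allocated %d items", len(items))
}

// statusFor sends a constructed request to the handler and returns the HTTP status.
func statusFor(size string) int {
	req := httptest.NewRequest(http.MethodGet, "/items?size="+size, nil)
	rec := httptest.NewRecorder()
	itemsHandler(rec, req)
	return rec.Code
}

func main() {
	for _, s := range []string{"10", "-1", "101", "99999999999999999999", "abc"} {
		fmt.Printf("size=%s -> %d\n", s, statusFor(s))
	}
}
```

Only `size=10` reaches `make`; every other constructed input is answered with 400 before any allocation happens.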