Add LogSanitizer library predicates for zap encoder detection

danielriddell21 · danielriddell21 · commit 833b74a3fa43 · 2025-11-25T18:07:38.000Z
diff --git a/go/ql/lib/LogSanitizer.qll b/go/ql/lib/LogSanitizer.qll
@@ -0,0 +1,62 @@
+/**
+ * LogSanitizer.qll
+ *
+ * Predicates to identify sanitizer functions and zap encoder-like types.
+ * Template: adjust whitelist entries as needed.
+ */
+
+import go
+
+/**
+ * isKnownSanitizer(Function f)
+ * - True for explicit sanitizer functions (add fully-qualified names as needed).
+ */
+predicate isKnownSanitizer(Function f) {
+  exists(string fullname |
+    fullname = f.getDeclaringType().getPackage().getName() + "." + f.getName() and
+    (
+      fullname = "github.com/myorg/mylib.EscapeForLog" or
+      fullname = "github.com/myorg/mylib.SanitizeForZap"
+    )
+  )
+}
+
+/**
+ * isZapEncoderLike(Type t)
+ * - True for types that implement go.uber.org/zap/zapcore.Encoder
+ * - If you prefer explicit whitelisting, replace/extend this predicate.
+ */
+predicate isZapEncoderLike(Type t) {
+  exists(InterfaceType it |
+    it.getPackage().getName() = "go.uber.org/zap/zapcore" and
+    it.getName() = "Encoder" and
+    t.implementsInterface(it)
+  )
+}
+
+/**
+ * isFlowThroughZapEncoder(Function f)
+ * - True for functions/methods that act on encoder types (AddString, Encode, etc.)
+ */
+predicate isFlowThroughZapEncoder(Function f) {
+  exists(Type recv |
+    f.getDeclaringType() = recv and
+    isZapEncoderLike(recv)
+  )
+  or
+  (
+    f.getName() = "AddString" or
+    f.getName() = "AddStringer" or
+    f.getName() = "AddReflected" or
+    f.getName() = "EncodeEntry" or
+    f.getName() = "Encode"
+  )
+}
+
+/**
+ * isSanitizer(Function f)
+ * - Top-level predicate used by queries to test for sanitization steps.
+ */
+predicate isSanitizer(Function f) {
+  isKnownSanitizer(f) or isFlowThroughZapEncoder(f)
+}
