hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-26 09:15:12 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #12558 from smowton/smowton/fix/flow-to-external-api-write-only-methods

Browse Source 
Go: exclude `net/http.Header.Set` and `.Del` from `go/untrusted-data-to-external-api`
This commit is contained in:
Chris Smowton
2023-03-17 11:52:48 +00:00
committed by GitHub
parent b8fb4b9b0f 3e9924fcd2
commit 0cadf4d94a
2 changed files with 27 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
go/ql/lib/semmle/go/security/ExternalAPIs.qll
View File

@@ -19,6 +19,16 @@ abstract class SafeExternalApiFunction extends Function { }
/** DEPRECATED: Alias for SafeExternalApiFunction */
deprecated class SafeExternalAPIFunction = SafeExternalApiFunction;
/**
* A `Function` with one or more arguments that are considered "safe" from a security perspective.
*/
abstract class SafeExternalApiArgument extends Function {
/**
* Holds if `i` is a safe argument to this function.
*/
abstract predicate isSafeArgument(int i);
}
private predicate isDefaultSafePackage(Package package) {
package.getPath() in ["time", "unicode/utf8", package("gopkg.in/go-playground/validator", "")]
}
@@ -44,6 +54,16 @@ private class DefaultSafeExternalApiFunction extends SafeExternalApiFunction {
}
}
private class DefaultSafeExternalApiFunctionArgument extends SafeExternalApiArgument {
int index;
DefaultSafeExternalApiFunctionArgument() {
this.(Method).hasQualifiedName("net/http", "Header", ["Set", "Del"]) and index = -1
}
override predicate isSafeArgument(int i) { i = index }
}
/** Holds if `callNode` is a local function pointer. */
private predicate isProbableLocalFunctionPointer(DataFlow::CallNode callNode) {
// Not a method call
@@ -77,7 +97,9 @@ class ExternalApiDataNode extends DataFlow::Node {
// Not already modeled as a taint step
not TaintTracking::localTaintStep(this, _) and
// Not a call to a known safe external API
not call.getTarget() instanceof SafeExternalApiFunction
not call.getTarget() instanceof SafeExternalApiFunction and
// Not a known safe argument to an external API
not any(SafeExternalApiArgument seaa).isSafeArgument(i)
}
/** Gets the called API `Function`. */

4
go/ql/src/change-notes/2023-03-16-untrusted-data-write-only-args.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* The receiver arguments of `net/http.Header.Set` and `.Del` are no longer flagged by query `go/untrusted-data-to-external-api`.