add sources to detect CVE completely

go/ql/src/experimental/CWE-522-DecompressionBombs/DecompressionBombs.ql

@@ -1,11 +1,11 @@
 /**
- * @name User-controlled file decompression
- * @description User-controlled data that flows into decompression library APIs without checking the compression rate is dangerous
+ * @name Uncontrolled file decompression
+ * @description Uncontrolled data that flows into decompression library APIs without checking the compression rate is dangerous
  * @kind path-problem
  * @problem.severity error
  * @security-severity 7.8
  * @precision medium
- * @id go/user-controlled-file-decompression
+ * @id go/uncontrolled-file-decompression
  * @tags security
  *       experimental
  *       external/cwe/cwe-409
@@ -16,7 +16,6 @@ import semmle.go.dataflow.Properties
 import semmle.go.security.FlowSources
 import CmdLineFlowSource
 
-
 module DecompressionBombs implements DataFlow::StateConfigSig {
   class FlowState = DataFlow::FlowState;
 
@@ -25,6 +24,8 @@ module DecompressionBombs implements DataFlow::StateConfigSig {
       source instanceof UntrustedFlowSource
       or
       source instanceof CmdLineFlowSource
+      //   or
+      // exists(Parameter p | p.getARead() = source | p.hasQualifiedName("io", "Reader"))
     ) and
     state =
       [
@@ -32,6 +33,52 @@ module DecompressionBombs implements DataFlow::StateConfigSig {
         "ZlibNewReader", "FlateNewReader", "Bzip2NewReader", "ZipOpenReader", "IOMethods",
         "ZipKlauspost"
       ]
+    or
+    exists(DataFlow::Function f |
+      (
+        f.hasQualifiedName("archive/zip", ["OpenReader", "NewReader"]) and
+        state = ""
+        or
+        f.hasQualifiedName("github.com/klauspost/compress/zip", ["NewReader", "OpenReader"]) and
+        state = "ZipKlauspost"
+        or
+        f.hasQualifiedName("github.com/ulikunitz/xz", "NewReader") and
+        state = "XzNewReader"
+        or
+        f.hasQualifiedName([
+            "compress/gzip", "github.com/klauspost/compress/gzip", "github.com/klauspost/pgzip"
+          ], "NewReader") and
+        state = "GzipNewReader"
+        or
+        f.hasQualifiedName([
+            "compress/bzip2", "github.com/dsnet/compress/bzip2", "github.com/cosnicolaou/pbzip2"
+          ], "NewReader") and
+        state = "Bzip2NewReader"
+        or
+        f.hasQualifiedName(["github.com/dsnet/compress/flate"], "NewReader") and
+        state = "FlateNewReader"
+        or
+        f.hasQualifiedName(["compress/flate", "github.com/klauspost/compress/flate"],
+          ["NewReaderDict", "NewReader"]) and
+        state = "FlateNewReader"
+        or
+        f.hasQualifiedName(["compress/zlib", "github.com/klauspost/compress/zlib"], "NewReader") and
+        state = "ZlibNewReader"
+        or
+        f.hasQualifiedName(["github.com/klauspost/compress/zstd", "github.com/DataDog/zstd"],
+          "NewReader") and
+        state = "ZstdNewReader"
+        or
+        f.hasQualifiedName(["github.com/golang/snappy", "github.com/klauspost/compress/snappy"],
+          "NewReader") and
+        state = "SnapyNewReader"
+        or
+        f.hasQualifiedName("github.com/klauspost/compress/s2", "NewReader") and
+        state = "S2NewReader"
+      ) and
+      source = f.getACall().getResult(0) and
+      not TaintTracking::localExprTaint(any(StringLit c), source.asExpr())
+    )
   }
 
   predicate isSink(DataFlow::Node sink, FlowState state) {
@@ -263,5 +310,5 @@ import DecompressionBombsFlow::PathGraph
 
 from DecompressionBombsFlow::PathNode source, DecompressionBombsFlow::PathNode sink
 where DecompressionBombsFlow::flowPath(source, sink)
-select sink.getNode(), source, sink, "This file extraction depends on a $@.", source.getNode(),
-  "potentially untrusted source"
+select sink.getNode(), source, sink, "This file extraction $@.", source.getNode(),
+  "decompressing data controlling output size"