From 1144bb99b4d9419ef400218252d0bf817efb4321 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Thu, 25 Sep 2025 16:13:31 +0100
Subject: [PATCH] Convert OpenUrlRedirect tests to InlineExpectations
---
 .../OpenUrlRedirect/OpenUrlRedirect.go | 2 +-
 .../OpenUrlRedirect/OpenUrlRedirect.qlref | 4 +-
 .../CWE-601/OpenUrlRedirect/stdlib.go | 38 +++++++++----------
 3 files changed, 23 insertions(+), 21 deletions(-)
diff --git a/go/ql/test/query-tests/Security/CWE-601/OpenUrlRedirect/OpenUrlRedirect.go b/go/ql/test/query-tests/Security/CWE-601/OpenUrlRedirect/OpenUrlRedirect.go
index 606b5d43ac0..752cf47decc 100644
--- a/go/ql/test/query-tests/Security/CWE-601/OpenUrlRedirect/OpenUrlRedirect.go
+++ b/go/ql/test/query-tests/Security/CWE-601/OpenUrlRedirect/OpenUrlRedirect.go
@@ -7,6 +7,6 @@ import (
 func serve() {
 http.HandleFunc("/redir", func(w http.ResponseWriter, r *http.Request) {
 r.ParseForm()
- http.Redirect(w, r, r.Form.Get("target"), 302)
+ http.Redirect(w, r, r.Form.Get("target"), 302) // $ Alert
 })
 }
diff --git a/go/ql/test/query-tests/Security/CWE-601/OpenUrlRedirect/OpenUrlRedirect.qlref b/go/ql/test/query-tests/Security/CWE-601/OpenUrlRedirect/OpenUrlRedirect.qlref
index 867dd766561..13add930f51 100644
--- a/go/ql/test/query-tests/Security/CWE-601/OpenUrlRedirect/OpenUrlRedirect.qlref
+++ b/go/ql/test/query-tests/Security/CWE-601/OpenUrlRedirect/OpenUrlRedirect.qlref
@@ -1,2 +1,4 @@
 query: Security/CWE-601/OpenUrlRedirect.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+ - utils/test/PrettyPrintModels.ql
+ - utils/test/InlineExpectationsTestQuery.ql
diff --git a/go/ql/test/query-tests/Security/CWE-601/OpenUrlRedirect/stdlib.go b/go/ql/test/query-tests/Security/CWE-601/OpenUrlRedirect/stdlib.go
index f6cd1e5576f..80eb8c970b1 100644
--- a/go/ql/test/query-tests/Security/CWE-601/OpenUrlRedirect/stdlib.go
+++ b/go/ql/test/query-tests/Security/CWE-601/OpenUrlRedirect/stdlib.go
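Review bot: The sink line in serve is tagged only `// $ Alert` although its source, `r.Form.Get("target")`, sits on the same line, whereas every source in the stdlib.go hunks gets its own `// $ Source` tag. If the InlineExpectationsTestQuery post-processor added in the .qlref hunk also reports source locations, this line would need `http.Redirect(w, r, r.Form.Get("target"), 302) // $ Source Alert` or the test would report an unexpected Source result; the post-processor itself is not visible here, so this is something to confirm against a test run. The whole of serve is inside the hunk.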
@@ -10,18 +10,18 @@ func serveStdlib() {
 http.HandleFunc("/ex", func(w http.ResponseWriter, r *http.Request) {
 r.ParseForm()
- target := r.Form.Get("target")
+ target := r.Form.Get("target") // $ Source
 // BAD: a request parameter is incorporated without validation into a URL redirect
- w.Header().Set("Location", target)
+ w.Header().Set("Location", target) // $ Alert
 w.WriteHeader(302)
 })
 http.HandleFunc("/ex1", func(w http.ResponseWriter, r *http.Request) {
 r.ParseForm()
- target := r.Form.Get("target")
+ target := r.Form.Get("target") // $ Source
 // Probably OK because the status is set to 500, but we catch it anyway
- w.Header().Set("Location", target)
+ w.Header().Set("Location", target) // $ Alert
 w.WriteHeader(500)
 })
@@ -30,13 +30,13 @@ func serveStdlib() {
 // Taking gratuitous copies of target so that sanitizing the use in
 // the first request doesn't also sanitize other uses
- target := r.Form.Get("target")
+ target := r.Form.Get("target") // $ Source
 target2 := target
 target3 := target
 // GOOD: local redirects are unproblematic
 w.Header().Set("Location", "/local"+target)
 // BAD: this could be a non-local redirect
- w.Header().Set("Location", "/"+target2)
+ w.Header().Set("Location", "/"+target2) // $ Alert
 // GOOD: localhost redirects are unproblematic
 w.Header().Set("Location", "//localhost/"+target3)
 w.WriteHeader(302)
@@ -45,9 +45,9 @@ func serveStdlib() {
 http.HandleFunc("/ex3", func(w http.ResponseWriter, r *http.Request) {
 r.ParseForm()
- target := r.Form.Get("target")
+ target := r.Form.Get("target") // $ Source
 // BAD: using the utility function
- http.Redirect(w, r, target, 301)
+ http.Redirect(w, r, target, 301) // $ Alert
 })
 http.HandleFunc("/ex4", func(w http.ResponseWriter, r *http.Request) {
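Review bot: The /ex1 handler's Location write is tagged a plain `// $ Alert` while the comment above it says "Probably OK because the status is set to 500, but we catch it anyway", yet the /ex9 handler in the @@ -147 hunk, whose comment likewise says "GOOD, but we catch this anyway", is tagged `// $ SPURIOUS: Alert`. The expectations now state the intent inconsistently: either /ex1 should read `w.Header().Set("Location", target) // $ SPURIOUS: Alert`, or its comment should say that a Location header on a 500 response is still treated as a genuine finding. Which is right depends on the query's intended behaviour, which is not visible from this diff. serveStdlib starts and ends outside this hunk.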
@@ -65,10 +65,10 @@ func serveStdlib() {
 http.HandleFunc("/ex5", func(w http.ResponseWriter, r *http.Request) {
 r.ParseForm()
- target := r.Form.Get("target")
+ target := r.Form.Get("target") // $ Source
 me := "me"
 // BAD: may be a global redirection
- http.Redirect(w, r, target+"?from="+me, 301)
+ http.Redirect(w, r, target+"?from="+me, 301) // $ Alert
 })
 http.HandleFunc("/ex6", func(w http.ResponseWriter, r *http.Request) {
@@ -90,10 +90,10 @@ func serveStdlib() {
 http.HandleFunc("/ex7", func(w http.ResponseWriter, r *http.Request) {
 r.ParseForm()
- target := r.Form.Get("target")
+ target := r.Form.Get("target") // $ Source
 target += "/index.html"
 // BAD
- http.Redirect(w, r, target, 302)
+ http.Redirect(w, r, target, 302) // $ Alert
 })
 http.HandleFunc("/ex7", func(w http.ResponseWriter, r *http.Request) {
@@ -147,13 +147,13 @@ func serveStdlib() {
 http.HandleFunc("/ex9", func(w http.ResponseWriter, r *http.Request) {
 r.ParseForm()
- target := r.Form.Get("target")
+ target := r.Form.Get("target") // $ Source
 // GOOD, but we catch this anyway: a check is done on the URL
 if !isValidRedirect(target) {
 target = "/"
 }
- http.Redirect(w, r, target, 302)
+ http.Redirect(w, r, target, 302) // $ SPURIOUS: Alert
 })
 http.HandleFunc("/ex8", func(w http.ResponseWriter, r *http.Request) {
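Review bot: The @@ -90 hunk registers `http.HandleFunc("/ex7", …)` twice, once on its first line and again in its trailing context, and `/ex9` is registered both in the @@ -147 hunk and in the @@ -183 hunk; `http.HandleFunc` panics on a duplicate pattern, so serveStdlib cannot actually be executed. That is harmless for a fixture that is only analysed, but since every handler is being re-annotated anyway, renumbering the duplicates (for instance `/ex7b` and `/ex9b`) would keep the fixture runnable and make individual cases unambiguous when discussing the expectations. The bare `// BAD` in the second /ex7 case would also read better as `// BAD: appending a path suffix does not stop an absolute target URL`. serveStdlib starts and ends outside these hunks.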
@@ -183,19 +183,19 @@ func serveStdlib() {
 http.HandleFunc("/ex9", func(w http.ResponseWriter, r *http.Request) {
 r.ParseForm()
- target := r.FormValue("target")
+ target := r.FormValue("target") // $ Source
 // BAD: a request parameter is incorporated without validation into a URL redirect
- http.Redirect(w, r, target, 301)
+ http.Redirect(w, r, target, 301) // $ Alert
 })
 http.HandleFunc("/ex10", func(w http.ResponseWriter, r *http.Request) {
 r.ParseForm()
- target, _ := url.ParseRequestURI(r.FormValue("target"))
+ target, _ := url.ParseRequestURI(r.FormValue("target")) // $ Source
 // BAD: Path could start with `//`
- http.Redirect(w, r, target.Path, 301)
+ http.Redirect(w, r, target.Path, 301) // $ Alert
 // BAD: EscapedPath() does not help with that
- http.Redirect(w, r, target.EscapedPath(), 301)
+ http.Redirect(w, r, target.EscapedPath(), 301) // $ Alert
 })
 http.HandleFunc("/ex11", func(w http.ResponseWriter, r *http.Request) {
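Review bot: In the /ex10 handler the error from `url.ParseRequestURI` is discarded with `_`, so a malformed `target` leaves `target` nil and the `target.Path` dereference on the next alert line panics before any redirect happens; the new `// $ Source` tag on that line makes it read as though the value is always a parsed URL. Go convention is to justify a discarded error, and because extra words after `$ Source` would be parsed as further expectation tags, the justification belongs on its own line above it, e.g. `// parse error deliberately ignored: this fixture only exercises flow through url.URL fields`. serveStdlib starts and ends outside this hunk.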