HTTP: Add model for Header.Values()

2026-01-30 14:52:57 +01:00 · 2020-02-27 00:22:37 -08:00
parent c243bb4243
commit 14e758a6ea
5 changed files with 31 additions and 2 deletions
--- a/ql/src/semmle/go/frameworks/HTTP.qll
+++ b/ql/src/semmle/go/frameworks/HTTP.qll
@@ -19,6 +19,10 @@ private module StdlibHttp {
    HeaderGetCall() { this.getTarget().hasQualifiedName("net/http", "Header", "Get") }
  }

+  private class HeaderValuesCall extends UntrustedFlowSource::Range, DataFlow::MethodCallNode {
+    HeaderValuesCall() { this.getTarget().hasQualifiedName("net/http", "Header", "Values") }
+  }
+
  private class StdlibResponseWriter extends HTTP::ResponseWriter::Range {
    StdlibResponseWriter() { this.getType().implements("net/http", "ResponseWriter") }

--- a/ql/test/library-tests/semmle/go/frameworks/HTTP/Header.expected
+++ b/ql/test/library-tests/semmle/go/frameworks/HTTP/Header.expected
@@ -2,7 +2,7 @@
 | main.go:31:2:31:51 | call to Set | "Authorization" | "Basic example:example" | authorization | Basic example:example |
 | main.go:32:2:32:26 | call to Add | "Age" | "342232" | age | 342232 |
 | main.go:34:2:34:55 | call to Add | server | call to Sprintf | n/a | n/a |
-| main.go:35:2:35:36 | call to Set | LOC_HEADER | ...+... | n/a | n/a |
+| main.go:35:2:35:45 | call to Set | LOC_HEADER | ...+... | n/a | n/a |
 | main.go:36:2:36:5 | head | "Unknown-Header" | composite literal | n/a | n/a |
 | main.go:48:2:48:43 | call to Add | "Not-A-Response" | "Header" | not-a-response | Header |
 | main.go:49:2:49:42 | call to Set | "Accept" | "nota/response" | accept | nota/response |
--- a/ql/test/library-tests/semmle/go/frameworks/HTTP/UntrustedFlowSources.expected
+++ b/ql/test/library-tests/semmle/go/frameworks/HTTP/UntrustedFlowSources.expected
@@ -9,3 +9,9 @@
 | main.go:48:2:48:11 | selection of Header |
 | main.go:49:2:49:11 | selection of Header |
 | main.go:50:2:50:11 | selection of Header |
+| server.go:8:6:8:13 | selection of Header |
+| server.go:9:6:9:13 | selection of Header |
+| server.go:9:6:9:38 | call to Values |
+| server.go:10:6:10:13 | selection of Header |
+| server.go:10:6:10:35 | call to Get |
+| server.go:13:6:13:11 | selection of Body |
--- a/ql/test/library-tests/semmle/go/frameworks/HTTP/main.go
+++ b/ql/test/library-tests/semmle/go/frameworks/HTTP/main.go
@@ -32,7 +32,7 @@ func handler(w http.ResponseWriter, r *http.Request) {
 	head.Add("Age", "342232")
 	server := "Server"
 	head.Add(server, fmt.Sprintf("Server: %s", "example"))
-	head.Set(LOC_HEADER, rfs4+"/redir")
+	head.Set(LOC_HEADER, rfs4.String()+"/redir")
 	head["Unknown-Header"] = []string{"Some value!"}

 	w.Write([]byte("Some more body text\n"))
--- a/ql/test/library-tests/semmle/go/frameworks/HTTP/server.go
+++ b/ql/test/library-tests/semmle/go/frameworks/HTTP/server.go
@@ -0,0 +1,19 @@
+package main
+
+import (
+	"net/http"
+)
+
+func Handler(r *http.Request) {
+	use(r.Header)
+	use(r.Header.Values("X-Forwarded-By"))
+	use(r.Header.Get("Authentication"))
+
+	buf := make([]byte, 100)
+	use(r.Body.Read(buf))
+	body, err := r.GetBody()
+	if err != nil {
+		return
+	}
+	use(body.Read(buf))
+}