Add support for ioutil TempFile and TempDir

Sauyon Lee
2020-05-07 06:26:18 -07:00
parent 0e779d0b64
commit 181c03ebf3
4 changed files with 24 additions and 5 deletions


@@ -166,11 +166,13 @@ module IoUtil {
exists(string fn | getTarget().hasQualifiedName("io/ioutil", fn) |
fn = "ReadDir" or
fn = "ReadFile" or
fn = "TempDir" or
fn = "TempFile" or
fn = "WriteFile"
)
}
override DataFlow::Node getAPathArgument() { result = getArgument(0) }
override DataFlow::Node getAPathArgument() { result = getAnArgument() }
}
/**
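Review bot: Replacing `getArgument(0)` with `getAnArgument()` in `getAPathArgument()` widens the model for every function the class matches, not just the two new ones: for `WriteFile(filename, data, perm)` the `data` and `perm` arguments are now path arguments too, and the enclosing class (its header sits above this hunk) may match other calls with the same effect. Only `TempDir(dir, pattern)` and `TempFile(dir, pattern)` take a second path-like argument, which is presumably what motivated the change; treating written content or a file mode as a path sink will give spurious path-traversal results in the queries that use this predicate as a sink (the expected-output files in this commit suggest TaintedPath and ZipSlip do). Restricting the extra argument to the temp-file functions keeps the new `TempFile` test case flagged without loosening the other models; the rewritten predicate is below.

```ql
override DataFlow::Node getAPathArgument() {
  result = getArgument(0)
  or
  (
    getTarget().hasQualifiedName("io/ioutil", "TempDir") or
    getTarget().hasQualifiedName("io/ioutil", "TempFile")
  ) and
  result = getArgument(1)
}
```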


@@ -1,10 +1,18 @@
edges
| TaintedPath.go:10:10:10:14 | selection of URL : pointer type | TaintedPath.go:13:29:13:32 | path |
| TaintedPath.go:10:10:10:14 | selection of URL : pointer type | TaintedPath.go:17:28:17:61 | call to Join |
| tst.go:14:22:14:39 | call to FormFile : tuple type | tst.go:17:41:17:47 | implicit dereference : FileHeader |
| tst.go:14:22:14:39 | call to FormFile : tuple type | tst.go:17:41:17:56 | selection of Filename |
| tst.go:17:41:17:47 | implicit dereference : FileHeader | tst.go:17:41:17:47 | implicit dereference : FileHeader |
| tst.go:17:41:17:47 | implicit dereference : FileHeader | tst.go:17:41:17:56 | selection of Filename |
nodes
| TaintedPath.go:10:10:10:14 | selection of URL : pointer type | semmle.label | selection of URL : pointer type |
| TaintedPath.go:13:29:13:32 | path | semmle.label | path |
| TaintedPath.go:17:28:17:61 | call to Join | semmle.label | call to Join |
| tst.go:14:22:14:39 | call to FormFile : tuple type | semmle.label | call to FormFile : tuple type |
| tst.go:17:41:17:47 | implicit dereference : FileHeader | semmle.label | implicit dereference : FileHeader |
| tst.go:17:41:17:56 | selection of Filename | semmle.label | selection of Filename |
#select
| TaintedPath.go:13:29:13:32 | path | TaintedPath.go:10:10:10:14 | selection of URL : pointer type | TaintedPath.go:13:29:13:32 | path | This path depends on $@. | TaintedPath.go:10:10:10:14 | selection of URL | a user-provided value |
| TaintedPath.go:17:28:17:61 | call to Join | TaintedPath.go:10:10:10:14 | selection of URL : pointer type | TaintedPath.go:17:28:17:61 | call to Join | This path depends on $@. | TaintedPath.go:10:10:10:14 | selection of URL | a user-provided value |
| tst.go:17:41:17:56 | selection of Filename | tst.go:14:22:14:39 | call to FormFile : tuple type | tst.go:17:41:17:56 | selection of Filename | This path depends on $@. | tst.go:14:22:14:39 | call to FormFile | a user-provided value |


@@ -1,15 +1,15 @@
edges
| ZipSlip.go:12:24:12:29 | selection of Name : string | ZipSlip.go:14:20:14:20 | p |
| tarslip.go:14:23:14:33 | selection of Name : string | tarslip.go:14:14:14:34 | call to Dir |
| tst.go:15:11:15:16 | selection of Name : string | tst.go:20:20:20:23 | path |
| tst.go:24:11:24:16 | selection of Name : string | tst.go:29:20:29:23 | path |
nodes
| ZipSlip.go:12:24:12:29 | selection of Name : string | semmle.label | selection of Name : string |
| ZipSlip.go:14:20:14:20 | p | semmle.label | p |
| tarslip.go:14:14:14:34 | call to Dir | semmle.label | call to Dir |
| tarslip.go:14:23:14:33 | selection of Name : string | semmle.label | selection of Name : string |
| tst.go:15:11:15:16 | selection of Name : string | semmle.label | selection of Name : string |
| tst.go:20:20:20:23 | path | semmle.label | path |
| tst.go:24:11:24:16 | selection of Name : string | semmle.label | selection of Name : string |
| tst.go:29:20:29:23 | path | semmle.label | path |
#select
| ZipSlip.go:12:24:12:29 | selection of Name | ZipSlip.go:12:24:12:29 | selection of Name : string | ZipSlip.go:14:20:14:20 | p | Unsanitized archive entry, which may contain '..', is used in a $@. | ZipSlip.go:14:20:14:20 | p | file system operation |
| tarslip.go:14:23:14:33 | selection of Name | tarslip.go:14:23:14:33 | selection of Name : string | tarslip.go:14:14:14:34 | call to Dir | Unsanitized archive entry, which may contain '..', is used in a $@. | tarslip.go:14:14:14:34 | call to Dir | file system operation |
| tst.go:15:11:15:16 | selection of Name | tst.go:15:11:15:16 | selection of Name : string | tst.go:20:20:20:23 | path | Unsanitized archive entry, which may contain '..', is used in a $@. | tst.go:20:20:20:23 | path | file system operation |
| tst.go:24:11:24:16 | selection of Name | tst.go:24:11:24:16 | selection of Name : string | tst.go:29:20:29:23 | path | Unsanitized archive entry, which may contain '..', is used in a $@. | tst.go:29:20:29:23 | path | file system operation |


@@ -3,12 +3,21 @@ package main
import (
"archive/zip"
"io/ioutil"
"net/http"
"os"
"path/filepath"
"regexp"
"strings"
)
func uploadFile(w http.ResponseWriter, r *http.Request) {
file, handler, _ := r.FormFile("file")
// err handling
defer file.Close()
tempFile, _ := ioutil.TempFile("/tmp", handler.Filename) // NOT OK
// do stuff with tempFile
}
func unzip2(f string, root string) {
r, _ := zip.OpenReader(f)
for _, f := range r.File {