Address review comments

Sauyon Lee
2020-03-30 02:04:03 -07:00
parent 3577d75607
commit 1c859a8991
2 changed files with 10 additions and 11 deletions


@@ -19,8 +19,8 @@ requests to other servers, potentially resulting in a DDOS attack.
<recommendation>
<p>
To guard against request forgery, it is advisable to avoid putting user input directly into a
network request. If a flexible network request mechanism is required, it is recommended tomaintain a
list of authorized request targets and choose from that list based on the user input provided.
network request. If a flexible network request mechanism is required, it is recommended to maintain
a list of authorized request targets and choose from that list based on the user input provided.
</p>
</recommendation>


@@ -201,22 +201,21 @@ private module StdlibHttp {
ClientDo() { this.getTarget().hasQualifiedName("net/http", "Client", "Do") }
override DataFlow::Node getUrl() {
exists(DataFlow::CallNode call, FunctionOutput outp |
call.getTarget().hasQualifiedName("net/http", "NewRequest") and
outp.isResult(0)
|
this.getArgument(0) = outp.getNode(call).getASuccessor*() and
// A URL passed to `NewRequest`, whose result is passed to this `Do` call
exists(DataFlow::CallNode call | call.getTarget().hasQualifiedName("net/http", "NewRequest") |
this.getArgument(0) = call.getResult(0).getASuccessor*() and
result = call.getArgument(1)
)
or
exists(DataFlow::CallNode call, FunctionOutput outp |
call.getTarget().hasQualifiedName("net/http", "NewRequestWithContext") and
outp.isResult(0)
// A URL passed to `NewRequestWithContext`, whose result is passed to this `Do` call
exists(DataFlow::CallNode call |
call.getTarget().hasQualifiedName("net/http", "NewRequestWithContext")
|
this.getArgument(0) = outp.getNode(call).getASuccessor*() and
this.getArgument(0) = call.getResult(0).getASuccessor*() and
result = call.getArgument(2)
)
or
// A URL assigned to a request that is passed to this `Do` call
exists(Write w, Field f |
f.hasQualifiedName("net/http", "Request", "URL") and
w.writesField(this.getArgument(0).getAPredecessor*(), f, result)