Add support for 'path/filepath.WalkDir'

2026-01-29 22:32:58 +01:00 · 2021-02-18 15:39:35 -08:00
parent 82849fe91a
commit 23103fd8e0
3 changed files with 23 additions and 10 deletions
--- a/ql/src/semmle/go/security/StoredXssCustomizations.qll
+++ b/ql/src/semmle/go/security/StoredXssCustomizations.qll
@@ -42,12 +42,9 @@ module StoredXss {
  class FileNameSource extends Source {
    FileNameSource() {
      // the second parameter to a filepath.Walk function
-      exists(DataFlow::ParameterNode prm, DataFlow::FunctionNode f, DataFlow::CallNode walkCall |
-        prm = this and
-        f.getParameter(0) = prm
-      |
-        walkCall.getTarget().hasQualifiedName("path/filepath", "Walk") and
-        walkCall.getArgument(1) = f.getASuccessor*()
+      exists(DataFlow::FunctionNode f, Function walkFn | this = f.getParameter(0) |
+        walkFn.hasQualifiedName("path/filepath", ["Walk", "WalkDir"]) and
+        walkFn.getACall().getArgument(1) = f.getASuccessor*()
      )
      or
      // A call to os.FileInfo.Name
--- a/ql/test/query-tests/Security/CWE-079/StoredXss.expected
+++ b/ql/test/query-tests/Security/CWE-079/StoredXss.expected
@@ -1,11 +1,15 @@
 edges
 | StoredXss.go:13:21:13:31 | call to Name : string | StoredXss.go:13:21:13:36 | ...+... |
-| stored.go:16:3:16:28 | ... := ...[0] : pointer type | stored.go:28:22:28:25 | name |
+| stored.go:18:3:18:28 | ... := ...[0] : pointer type | stored.go:30:22:30:25 | name |
+| stored.go:59:30:59:33 | definition of path : string | stored.go:61:22:61:25 | path |
 nodes
 | StoredXss.go:13:21:13:31 | call to Name : string | semmle.label | call to Name : string |
 | StoredXss.go:13:21:13:36 | ...+... | semmle.label | ...+... |
-| stored.go:16:3:16:28 | ... := ...[0] : pointer type | semmle.label | ... := ...[0] : pointer type |
-| stored.go:28:22:28:25 | name | semmle.label | name |
+| stored.go:18:3:18:28 | ... := ...[0] : pointer type | semmle.label | ... := ...[0] : pointer type |
+| stored.go:30:22:30:25 | name | semmle.label | name |
+| stored.go:59:30:59:33 | definition of path : string | semmle.label | definition of path : string |
+| stored.go:61:22:61:25 | path | semmle.label | path |
 #select
 | StoredXss.go:13:21:13:36 | ...+... | StoredXss.go:13:21:13:31 | call to Name : string | StoredXss.go:13:21:13:36 | ...+... | Stored cross-site scripting vulnerability due to $@. | StoredXss.go:13:21:13:31 | call to Name | stored value |
-| stored.go:28:22:28:25 | name | stored.go:16:3:16:28 | ... := ...[0] : pointer type | stored.go:28:22:28:25 | name | Stored cross-site scripting vulnerability due to $@. | stored.go:16:3:16:28 | ... := ...[0] | stored value |
+| stored.go:30:22:30:25 | name | stored.go:18:3:18:28 | ... := ...[0] : pointer type | stored.go:30:22:30:25 | name | Stored cross-site scripting vulnerability due to $@. | stored.go:18:3:18:28 | ... := ...[0] | stored value |
+| stored.go:61:22:61:25 | path | stored.go:59:30:59:33 | definition of path : string | stored.go:61:22:61:25 | path | Stored cross-site scripting vulnerability due to $@. | stored.go:59:30:59:33 | definition of path | stored value |
--- a/ql/test/query-tests/Security/CWE-079/stored.go
+++ b/ql/test/query-tests/Security/CWE-079/stored.go
@@ -3,8 +3,10 @@ package main
 import (
 	"database/sql"
 	"io"
+	"io/fs"
 	"log"
 	"net/http"
+	"path/filepath"
 )

 var db *sql.DB
@@ -51,3 +53,13 @@ func storedserve2() {
 		}
 	})
 }
+
+func storedserve3() {
+	http.HandleFunc("/user", func(w http.ResponseWriter, r *http.Request) {
+		filepath.WalkDir(".", func(path string, _ fs.DirEntry, err error) error {
+			// BAD: filenames are considered to be untrusted
+			io.WriteString(w, path)
+			return nil
+		})
+	})
+}