Improve additional flow step for Host field

This commit is contained in:
Owen Mansel-Chan
2025-10-01 13:12:24 +01:00
parent c006777714
commit 2629369c93
2 changed files with 8 additions and 7 deletions


@@ -27,9 +27,8 @@ module RequestForgery {
predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
// propagate to a URL when its host is assigned to
exists(Write w, Field f, SsaWithFields v | f.hasQualifiedName("net/url", "URL", "Host") |
w.writesFieldPreUpdate(v.getAUse(), f, pred) and
succ = v.getAUse()
exists(Write w, Field f | f.hasQualifiedName("net/url", "URL", "Host") |
w.writesField(succ, f, pred)
)
}
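Review bot: The comment `// propagate to a URL when its host is assigned to` is unchanged, but it no longer says which node `succ` is now that the SsaWithFields/pre-update formulation is replaced by `w.writesField(succ, f, pred)`; from the expected-output change in the test file (`u [postupdate]`, `implicit dereference [postupdate]` edges) it appears `succ` is the post-update node of the written base rather than a later use of the variable, and that should be stated so a reader does not assume flow to subsequent SSA uses is still handled here. Suggest `// propagate a tainted value written to a url.URL's Host field to the post-update node of that URL value`. It is also worth a one-line note that only `Host` is covered by this step, so maintainers do not expect writes to other `net/url.URL` fields to propagate through it; please confirm the post-update semantics against the definition of `writesField`, which is outside this hunk.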


@@ -37,9 +37,10 @@ edges
| tst.go:10:13:10:35 | call to FormValue | tst.go:38:11:38:29 | ...+... | provenance | Src:MaD:1 |
| tst.go:10:13:10:35 | call to FormValue | tst.go:40:11:40:40 | ...+... | provenance | Src:MaD:1 |
| tst.go:10:13:10:35 | call to FormValue | tst.go:47:11:47:18 | tainted2 | provenance | Src:MaD:1 |
| tst.go:47:2:47:2 | u | tst.go:48:11:48:11 | u | provenance | |
| tst.go:47:11:47:18 | tainted2 | tst.go:47:2:47:2 | u | provenance | Config |
| tst.go:47:11:47:18 | tainted2 | tst.go:48:11:48:11 | u | provenance | Config |
| tst.go:47:2:47:2 | implicit dereference [postupdate] | tst.go:47:2:47:2 | u [postupdate] | provenance | |
| tst.go:47:2:47:2 | u [postupdate] | tst.go:48:11:48:11 | u | provenance | |
| tst.go:47:11:47:18 | tainted2 | tst.go:47:2:47:2 | implicit dereference [postupdate] | provenance | Config |
| tst.go:47:11:47:18 | tainted2 | tst.go:47:2:47:2 | u [postupdate] | provenance | Config |
| tst.go:48:11:48:11 | u | tst.go:48:11:48:20 | call to String | provenance | MaD:3 |
| websocket.go:60:21:60:31 | call to Referer | websocket.go:65:27:65:40 | untrustedInput | provenance | Src:MaD:2 |
| websocket.go:74:21:74:31 | call to Referer | websocket.go:78:36:78:49 | untrustedInput | provenance | Src:MaD:2 |
@@ -70,7 +71,8 @@ nodes
| tst.go:36:18:36:24 | tainted | semmle.label | tainted |
| tst.go:38:11:38:29 | ...+... | semmle.label | ...+... |
| tst.go:40:11:40:40 | ...+... | semmle.label | ...+... |
| tst.go:47:2:47:2 | u | semmle.label | u |
| tst.go:47:2:47:2 | implicit dereference [postupdate] | semmle.label | implicit dereference [postupdate] |
| tst.go:47:2:47:2 | u [postupdate] | semmle.label | u [postupdate] |
| tst.go:47:11:47:18 | tainted2 | semmle.label | tainted2 |
| tst.go:48:11:48:11 | u | semmle.label | u |
| tst.go:48:11:48:20 | call to String | semmle.label | call to String |