hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-26 09:15:12 +02:00
Code Issues Packages Projects Releases Wiki Activity

Convert EchoContextSource to MaD

Browse Source
This commit is contained in:
Owen Mansel-Chan
2024-06-23 07:21:58 +01:00
parent 5b38d51f62
commit 3fc598dbe9
2 changed files with 16 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
go/ql/lib/ext/github.com.labstack.echo.model.yml
View File

@@ -5,3 +5,19 @@ extensions:
data:
- ["github.com/labstack/echo", "Context", True, "Get", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
- ["github.com/labstack/echo", "Context", True, "Set", "", "", "Argument[1]", "Argument[receiver]", "taint", "manual"]
- addsTo:
pack: codeql/go-all
extensible: sourceModel
data:
- ["github.com/labstack/echo", "Context", True, "Param", "", "", "ReturnValue[0]", "remote", "manual"]
- ["github.com/labstack/echo", "Context", True, "ParamValues", "", "", "ReturnValue[0]", "remote", "manual"]
- ["github.com/labstack/echo", "Context", True, "QueryParam", "", "", "ReturnValue[0]", "remote", "manual"]
- ["github.com/labstack/echo", "Context", True, "QueryParams", "", "", "ReturnValue[0]", "remote", "manual"]
- ["github.com/labstack/echo", "Context", True, "QueryString", "", "", "ReturnValue[0]", "remote", "manual"]
- ["github.com/labstack/echo", "Context", True, "FormValue", "", "", "ReturnValue[0]", "remote", "manual"]
- ["github.com/labstack/echo", "Context", True, "FormParams", "", "", "ReturnValue[0]", "remote", "manual"]
- ["github.com/labstack/echo", "Context", True, "FormFile", "", "", "ReturnValue[0]", "remote", "manual"]
- ["github.com/labstack/echo", "Context", True, "MultipartForm", "", "", "ReturnValue[0]", "remote", "manual"]
- ["github.com/labstack/echo", "Context", True, "Cookie", "", "", "ReturnValue[0]", "remote", "manual"]
- ["github.com/labstack/echo", "Context", True, "Cookies", "", "", "ReturnValue[0]", "remote", "manual"]

17
go/ql/lib/semmle/go/frameworks/Echo.qll
View File

@@ -9,23 +9,6 @@ private module Echo {
/** Gets the package name `github.com/labstack/echo`. */
private string packagePath() { result = package("github.com/labstack/echo", "") }
/**
* Data from a `Context` interface method, considered as a source of remote flow.
*/
private class EchoContextSource extends RemoteFlowSource::Range {
EchoContextSource() {
exists(DataFlow::MethodCallNode call, string methodName |
methodName =
[
"Param", "ParamValues", "QueryParam", "QueryParams", "QueryString", "FormValue",
"FormParams", "FormFile", "MultipartForm", "Cookie", "Cookies"
] and
call.getTarget().hasQualifiedName(packagePath(), "Context", methodName) and
this = call.getResult(0)
)
}
}
/**
* Data from a `Context` interface method that is not generally exploitable for open-redirect attacks.
*/