From 49abd0b9b1103c37f13c862aad659dfb2eb2c564 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Wed, 17 Jun 2020 14:33:26 +0100
Subject: [PATCH] Add test using hashing

---
 .../Security/CWE-640/EmailInjection.expected | 72 +++++++++----------
 ql/test/query-tests/Security/CWE-640/main.go | 16 +++++
 2 files changed, 52 insertions(+), 36 deletions(-)

diff --git a/ql/test/query-tests/Security/CWE-640/EmailInjection.expected b/ql/test/query-tests/Security/CWE-640/EmailInjection.expected
index 9e4eb436872..6e84a0466cd 100644
--- a/ql/test/query-tests/Security/CWE-640/EmailInjection.expected
+++ b/ql/test/query-tests/Security/CWE-640/EmailInjection.expected
@@ -1,43 +1,43 @@ edges | EmailBad.go:9:10:9:17 | selection of Header : Header | EmailBad.go:12:56:12:67 | type conversion | -| main.go:26:21:26:31 | call to Referer : string | main.go:28:57:28:78 | type conversion | -| main.go:34:21:34:31 | call to Referer : string | main.go:37:3:37:7 | definition of write | -| main.go:43:21:43:31 | call to Referer : string | main.go:49:46:49:59 | untrustedInput | -| main.go:43:21:43:31 | call to Referer : string | main.go:50:52:50:65 | untrustedInput | -| main.go:55:21:55:31 | call to Referer : string | main.go:60:16:60:22 | content | -| main.go:65:21:65:31 | call to Referer : string | main.go:73:50:73:56 | content | -| main.go:65:21:65:31 | call to Referer : string | main.go:73:59:73:65 | content | -| main.go:65:21:65:31 | call to Referer : string | main.go:74:16:74:22 | content | -| main.go:79:21:79:31 | call to Referer : string | main.go:86:37:86:50 | untrustedInput | -| main.go:79:21:79:31 | call to Referer : string | main.go:90:16:90:23 | content2 | +| main.go:29:21:29:31 | call to Referer : string | main.go:31:57:31:78 | type conversion | +| main.go:37:21:37:31 | call to Referer : string | main.go:40:3:40:7 | definition of write | +| main.go:46:21:46:31 | call to Referer : string | main.go:52:46:52:59 | untrustedInput | +| main.go:46:21:46:31 | call to Referer : string | main.go:53:52:53:65 | untrustedInput | +| main.go:58:21:58:31 | call to Referer : string | main.go:63:16:63:22 | content | +| main.go:68:21:68:31 | call to Referer : string | main.go:76:50:76:56 | content | +| main.go:68:21:68:31 | call to Referer : string | main.go:76:59:76:65 | content | +| main.go:68:21:68:31 | call to Referer : string | main.go:77:16:77:22 | content | +| main.go:82:21:82:31 | call to Referer : string | main.go:89:37:89:50 | untrustedInput | +| main.go:82:21:82:31 | call to Referer : string | main.go:93:16:93:23 | content2 | nodes | EmailBad.go:9:10:9:17 | selection of Header : Header | semmle.label | selection of Header : Header | | 
EmailBad.go:12:56:12:67 | type conversion | semmle.label | type conversion | -| main.go:26:21:26:31 | call to Referer : string | semmle.label | call to Referer : string | -| main.go:28:57:28:78 | type conversion | semmle.label | type conversion | -| main.go:34:21:34:31 | call to Referer : string | semmle.label | call to Referer : string | -| main.go:37:3:37:7 | definition of write | semmle.label | definition of write | -| main.go:43:21:43:31 | call to Referer : string | semmle.label | call to Referer : string | -| main.go:49:46:49:59 | untrustedInput | semmle.label | untrustedInput | -| main.go:50:52:50:65 | untrustedInput | semmle.label | untrustedInput | -| main.go:55:21:55:31 | call to Referer : string | semmle.label | call to Referer : string | -| main.go:60:16:60:22 | content | semmle.label | content | -| main.go:65:21:65:31 | call to Referer : string | semmle.label | call to Referer : string | -| main.go:73:50:73:56 | content | semmle.label | content | -| main.go:73:59:73:65 | content | semmle.label | content | -| main.go:74:16:74:22 | content | semmle.label | content | -| main.go:79:21:79:31 | call to Referer : string | semmle.label | call to Referer : string | -| main.go:86:37:86:50 | untrustedInput | semmle.label | untrustedInput | -| main.go:90:16:90:23 | content2 | semmle.label | content2 | +| main.go:29:21:29:31 | call to Referer : string | semmle.label | call to Referer : string | +| main.go:31:57:31:78 | type conversion | semmle.label | type conversion | +| main.go:37:21:37:31 | call to Referer : string | semmle.label | call to Referer : string | +| main.go:40:3:40:7 | definition of write | semmle.label | definition of write | +| main.go:46:21:46:31 | call to Referer : string | semmle.label | call to Referer : string | +| main.go:52:46:52:59 | untrustedInput | semmle.label | untrustedInput | +| main.go:53:52:53:65 | untrustedInput | semmle.label | untrustedInput | +| main.go:58:21:58:31 | call to Referer : string | semmle.label | call to Referer : 
string | +| main.go:63:16:63:22 | content | semmle.label | content | +| main.go:68:21:68:31 | call to Referer : string | semmle.label | call to Referer : string | +| main.go:76:50:76:56 | content | semmle.label | content | +| main.go:76:59:76:65 | content | semmle.label | content | +| main.go:77:16:77:22 | content | semmle.label | content | +| main.go:82:21:82:31 | call to Referer : string | semmle.label | call to Referer : string | +| main.go:89:37:89:50 | untrustedInput | semmle.label | untrustedInput | +| main.go:93:16:93:23 | content2 | semmle.label | content2 | #select | EmailBad.go:12:56:12:67 | type conversion | EmailBad.go:9:10:9:17 | selection of Header : Header | EmailBad.go:12:56:12:67 | type conversion | Email content may contain $@. | EmailBad.go:9:10:9:17 | selection of Header | untrusted input | -| main.go:28:57:28:78 | type conversion | main.go:26:21:26:31 | call to Referer : string | main.go:28:57:28:78 | type conversion | Email content may contain $@. | main.go:26:21:26:31 | call to Referer | untrusted input | -| main.go:37:3:37:7 | definition of write | main.go:34:21:34:31 | call to Referer : string | main.go:37:3:37:7 | definition of write | Email content may contain $@. | main.go:34:21:34:31 | call to Referer | untrusted input | -| main.go:49:46:49:59 | untrustedInput | main.go:43:21:43:31 | call to Referer : string | main.go:49:46:49:59 | untrustedInput | Email content may contain $@. | main.go:43:21:43:31 | call to Referer | untrusted input | -| main.go:50:52:50:65 | untrustedInput | main.go:43:21:43:31 | call to Referer : string | main.go:50:52:50:65 | untrustedInput | Email content may contain $@. | main.go:43:21:43:31 | call to Referer | untrusted input | -| main.go:60:16:60:22 | content | main.go:55:21:55:31 | call to Referer : string | main.go:60:16:60:22 | content | Email content may contain $@. 
| main.go:55:21:55:31 | call to Referer | untrusted input | -| main.go:73:50:73:56 | content | main.go:65:21:65:31 | call to Referer : string | main.go:73:50:73:56 | content | Email content may contain $@. | main.go:65:21:65:31 | call to Referer | untrusted input | -| main.go:73:59:73:65 | content | main.go:65:21:65:31 | call to Referer : string | main.go:73:59:73:65 | content | Email content may contain $@. | main.go:65:21:65:31 | call to Referer | untrusted input | -| main.go:74:16:74:22 | content | main.go:65:21:65:31 | call to Referer : string | main.go:74:16:74:22 | content | Email content may contain $@. | main.go:65:21:65:31 | call to Referer | untrusted input | -| main.go:86:37:86:50 | untrustedInput | main.go:79:21:79:31 | call to Referer : string | main.go:86:37:86:50 | untrustedInput | Email content may contain $@. | main.go:79:21:79:31 | call to Referer | untrusted input | -| main.go:90:16:90:23 | content2 | main.go:79:21:79:31 | call to Referer : string | main.go:90:16:90:23 | content2 | Email content may contain $@. | main.go:79:21:79:31 | call to Referer | untrusted input | +| main.go:31:57:31:78 | type conversion | main.go:29:21:29:31 | call to Referer : string | main.go:31:57:31:78 | type conversion | Email content may contain $@. | main.go:29:21:29:31 | call to Referer | untrusted input | +| main.go:40:3:40:7 | definition of write | main.go:37:21:37:31 | call to Referer : string | main.go:40:3:40:7 | definition of write | Email content may contain $@. | main.go:37:21:37:31 | call to Referer | untrusted input | +| main.go:52:46:52:59 | untrustedInput | main.go:46:21:46:31 | call to Referer : string | main.go:52:46:52:59 | untrustedInput | Email content may contain $@. | main.go:46:21:46:31 | call to Referer | untrusted input | +| main.go:53:52:53:65 | untrustedInput | main.go:46:21:46:31 | call to Referer : string | main.go:53:52:53:65 | untrustedInput | Email content may contain $@. 
| main.go:46:21:46:31 | call to Referer | untrusted input | +| main.go:63:16:63:22 | content | main.go:58:21:58:31 | call to Referer : string | main.go:63:16:63:22 | content | Email content may contain $@. | main.go:58:21:58:31 | call to Referer | untrusted input | +| main.go:76:50:76:56 | content | main.go:68:21:68:31 | call to Referer : string | main.go:76:50:76:56 | content | Email content may contain $@. | main.go:68:21:68:31 | call to Referer | untrusted input | +| main.go:76:59:76:65 | content | main.go:68:21:68:31 | call to Referer : string | main.go:76:59:76:65 | content | Email content may contain $@. | main.go:68:21:68:31 | call to Referer | untrusted input | +| main.go:77:16:77:22 | content | main.go:68:21:68:31 | call to Referer : string | main.go:77:16:77:22 | content | Email content may contain $@. | main.go:68:21:68:31 | call to Referer | untrusted input | +| main.go:89:37:89:50 | untrustedInput | main.go:82:21:82:31 | call to Referer : string | main.go:89:37:89:50 | untrustedInput | Email content may contain $@. | main.go:82:21:82:31 | call to Referer | untrusted input | +| main.go:93:16:93:23 | content2 | main.go:82:21:82:31 | call to Referer : string | main.go:93:16:93:23 | content2 | Email content may contain $@. | main.go:82:21:82:31 | call to Referer | untrusted input | diff --git a/ql/test/query-tests/Security/CWE-640/main.go b/ql/test/query-tests/Security/CWE-640/main.go index 2f57864ad06..c6685475a8d 100644 --- a/ql/test/query-tests/Security/CWE-640/main.go +++ b/ql/test/query-tests/Security/CWE-640/main.go @@ -3,6 +3,9 @@ package main //go:generate depstubber -vendor github.com/sendgrid/sendgrid-go/helpers/mail "" NewEmail,NewSingleEmail,NewContent,NewV3Mail,NewV3MailInit import ( + "crypto/hmac" + "crypto/sha256" + "encoding/base64" "io" "log" "net/http" 
@@ -90,6 +93,19 @@ func main() { v.AddContent(content2) }) + // OK + http.HandleFunc("/ex6", func(w http.ResponseWriter, r *http.Request) { + untrustedInput := r.Referer() + + sha256 := sha256.New + appsecret := "appid" + hash := hmac.New(sha256, []byte(appsecret)) + hash.Write([]byte(untrustedInput)) + signature := base64.StdEncoding.EncodeToString(hash.Sum(nil)) + + smtp.SendMail("test.test", nil, "from@from.com", nil, []byte(signature)) + }) + log.Println(http.ListenAndServe(":80", nil)) }
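Review bot: In the new `/ex6` handler, `sha256 := sha256.New` declares a local that shadows the `crypto/sha256` package added in the import hunk; it compiles only because the right-hand side is evaluated before the new name comes into scope, and `go vet`'s shadow check will flag it. Passing the constructor directly, `hash := hmac.New(sha256.New, []byte(appsecret))`, removes both the shadow and the extra local. The bare `// OK` marker would be clearer if it stated why this sink is expected not to be flagged, e.g. `// OK: only the base64 of a fixed-length HMAC digest reaches the message, so no bytes of untrustedInput are forwarded`. The enclosing `main` starts outside the hunk, and the `smtp` package used by the new `SendMail` call is not visible in the imports shown here — presumably it is already imported earlier in the file.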