Manually fix copilot's mistakes and get query working

2026-04-22 23:35:14 +02:00 · 2025-04-24 16:14:48 +01:00
parent ce4be6d04c
commit 4e5a865337
2 changed files with 64 additions and 83 deletions
--- a/go/ql/src/Security/CWE-079/HTMLTemplateEscapingPassthrough.ql
+++ b/go/ql/src/Security/CWE-079/HTMLTemplateEscapingPassthrough.ql
@@ -35,70 +35,76 @@ predicate isSinkToTemplateExec(DataFlow::Node sink, DataFlow::CallNode call) {
  )
 }

-/**
- * Flow state for tracking whether a conversion to a passthrough type has occurred.
- */
-class FlowState extends int {
-  FlowState() { this = 0 or this = 1 }
-
-  predicate isBeforeConversion() { this = 0 }
-
-  predicate isAfterConversion() { this = 1 }
-}
-
 /**
 * Data flow configuration that tracks flows from untrusted sources (A) to template execution calls (C),
 * and tracks whether a conversion to a passthrough type (B) has occurred.
 */
-module UntrustedToTemplateExecWithConversionConfig implements DataFlow::ConfigSig {
+module UntrustedToTemplateExecWithConversionConfig implements DataFlow::StateConfigSig {
+  private newtype TConversionState =
+    TUnconverted() or
+    TConverted(PassthroughTypeName x)
+
+  /**
+   * Flow state for tracking whether a conversion to a passthrough type has occurred.
+   */
+  class FlowState extends TConversionState {
+    predicate isBeforeConversion() { this instanceof TUnconverted }
+
+    predicate isAfterConversion(PassthroughTypeName x) { this = TConverted(x) }
+
+    /** Gets a textual representation of this element. */
+    string toString() {
+      this.isBeforeConversion() and result = "Unconverted"
+      or
+      exists(PassthroughTypeName x | this.isAfterConversion(x) |
+        result = "Converted to template." + x
+      )
+    }
+  }
+
  predicate isSource(DataFlow::Node source, FlowState state) {
    state.isBeforeConversion() and source instanceof ActiveThreatModelSource
  }

  predicate isSink(DataFlow::Node sink, FlowState state) {
-    state.isAfterConversion() and isSinkToTemplateExec(sink, _)
+    state.isAfterConversion(_) and isSinkToTemplateExec(sink, _)
  }

-  predicate isBarrier(DataFlow::Node node, FlowState state) {
-    node instanceof SharedXss::Sanitizer or node.getType() instanceof NumericType
+  predicate isBarrier(DataFlow::Node node) {
+    node instanceof SharedXss::Sanitizer and not node instanceof SharedXss::HtmlTemplateSanitizer
+    or
+    node.getType() instanceof NumericType
  }

  /**
   * When a conversion to a passthrough type is encountered, transition the flow state.
   */
-  predicate step(DataFlow::Node pred, FlowState predState, DataFlow::Node succ, FlowState succState) {
-    // If not yet converted, look for a conversion to a passthrough type
-    predState.isBeforeConversion() and
-    succState.isAfterConversion() and
-    pred = succ and
-    exists(Type typ, PassthroughTypeName name |
-      typ = pred.getType() and
-      typ.getUnderlyingType*().hasQualifiedName("html/template", name)
+  predicate isAdditionalFlowStep(
+    DataFlow::Node pred, FlowState predState, DataFlow::Node succ, FlowState succState
+  ) {
+    exists(ConversionExpr conversion, PassthroughTypeName name |
+      // If not yet converted, look for a conversion to a passthrough type
+      predState.isBeforeConversion() and
+      succState.isAfterConversion(name) and
+      succ.(DataFlow::TypeCastNode).getExpr() = conversion and
+      pred.asExpr() = conversion.getOperand() and
+      conversion.getType().getUnderlyingType*().hasQualifiedName("html/template", name)
    )
-    or
-    // Otherwise, normal flow with unchanged state
-    predState = succState
  }
 }

 module UntrustedToTemplateExecWithConversionFlow =
-  DataFlow::PathGraph<UntrustedToTemplateExecWithConversionConfig>;
+  TaintTracking::GlobalWithState<UntrustedToTemplateExecWithConversionConfig>;
+
+import UntrustedToTemplateExecWithConversionFlow::PathGraph

 from
  UntrustedToTemplateExecWithConversionFlow::PathNode untrustedSource,
-  UntrustedToTemplateExecWithConversionFlow::PathNode templateExecCall, DataFlow::Node conversion,
+  UntrustedToTemplateExecWithConversionFlow::PathNode templateExecCall,
  PassthroughTypeName targetTypeName
 where
  UntrustedToTemplateExecWithConversionFlow::flowPath(untrustedSource, templateExecCall) and
-  // Find the conversion node in the path
-  exists(int i |
-    i = templateExecCall.getPathIndex() - 1 and
-    conversion = templateExecCall.getPathNode(i).getNode() and
-    exists(Type typ |
-      typ = conversion.getType() and
-      typ.getUnderlyingType*().hasQualifiedName("html/template", targetTypeName)
-    )
-  )
+  templateExecCall.getState().isAfterConversion(targetTypeName)
 select templateExecCall.getNode(), untrustedSource, templateExecCall,
-  "Data from an $@ will not be auto-escaped because it was $@ to template." + targetTypeName,
-  untrustedSource.getNode(), "untrusted source", conversion, "converted"
+  "Data from an $@ will not be auto-escaped because it was converted to template." + targetTypeName,
+  untrustedSource.getNode(), "untrusted source"
--- a/go/ql/test/query-tests/Security/CWE-079/HTMLTemplateEscapingPassthrough.expected
+++ b/go/ql/test/query-tests/Security/CWE-079/HTMLTemplateEscapingPassthrough.expected
@@ -1,46 +1,34 @@
 #select
-| HTMLTemplateEscapingPassthrough.go:30:39:30:39 | a | HTMLTemplateEscapingPassthrough.go:29:26:29:40 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:30:39:30:39 | a | Data from an $@ will not be auto-escaped because it was $@ to template.HTML | HTMLTemplateEscapingPassthrough.go:29:26:29:40 | call to UserAgent | untrusted source | HTMLTemplateEscapingPassthrough.go:29:12:29:41 | type conversion | converted |
-| HTMLTemplateEscapingPassthrough.go:36:40:36:40 | a | HTMLTemplateEscapingPassthrough.go:35:23:35:37 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:36:40:36:40 | a | Data from an $@ will not be auto-escaped because it was $@ to template.HTML | HTMLTemplateEscapingPassthrough.go:35:23:35:37 | call to UserAgent | untrusted source | HTMLTemplateEscapingPassthrough.go:35:9:35:38 | type conversion | converted |
-| HTMLTemplateEscapingPassthrough.go:41:40:41:40 | a | HTMLTemplateEscapingPassthrough.go:40:19:40:33 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:41:40:41:40 | a | Data from an $@ will not be auto-escaped because it was $@ to template.HTML | HTMLTemplateEscapingPassthrough.go:40:19:40:33 | call to UserAgent | untrusted source | HTMLTemplateEscapingPassthrough.go:40:9:40:34 | type conversion | converted |
-| HTMLTemplateEscapingPassthrough.go:47:41:47:41 | c | HTMLTemplateEscapingPassthrough.go:46:29:46:43 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:47:41:47:41 | c | Data from an $@ will not be auto-escaped because it was $@ to template.HTMLAttr | HTMLTemplateEscapingPassthrough.go:46:29:46:43 | call to UserAgent | untrusted source | HTMLTemplateEscapingPassthrough.go:46:11:46:44 | type conversion | converted |
-| HTMLTemplateEscapingPassthrough.go:51:44:51:44 | d | HTMLTemplateEscapingPassthrough.go:50:23:50:37 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:51:44:51:44 | d | Data from an $@ will not be auto-escaped because it was $@ to template.JS | HTMLTemplateEscapingPassthrough.go:50:23:50:37 | call to UserAgent | untrusted source | HTMLTemplateEscapingPassthrough.go:50:11:50:38 | type conversion | converted |
-| HTMLTemplateEscapingPassthrough.go:55:44:55:44 | e | HTMLTemplateEscapingPassthrough.go:54:26:54:40 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:55:44:55:44 | e | Data from an $@ will not be auto-escaped because it was $@ to template.JSStr | HTMLTemplateEscapingPassthrough.go:54:26:54:40 | call to UserAgent | untrusted source | HTMLTemplateEscapingPassthrough.go:54:11:54:41 | type conversion | converted |
-| HTMLTemplateEscapingPassthrough.go:59:38:59:38 | b | HTMLTemplateEscapingPassthrough.go:58:24:58:38 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:59:38:59:38 | b | Data from an $@ will not be auto-escaped because it was $@ to template.CSS | HTMLTemplateEscapingPassthrough.go:58:24:58:38 | call to UserAgent | untrusted source | HTMLTemplateEscapingPassthrough.go:58:11:58:39 | type conversion | converted |
-| HTMLTemplateEscapingPassthrough.go:63:44:63:44 | f | HTMLTemplateEscapingPassthrough.go:62:27:62:41 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:63:44:63:44 | f | Data from an $@ will not be auto-escaped because it was $@ to template.Srcset | HTMLTemplateEscapingPassthrough.go:62:27:62:41 | call to UserAgent | untrusted source | HTMLTemplateEscapingPassthrough.go:62:11:62:42 | type conversion | converted |
-| HTMLTemplateEscapingPassthrough.go:67:38:67:38 | g | HTMLTemplateEscapingPassthrough.go:66:24:66:38 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:67:38:67:38 | g | Data from an $@ will not be auto-escaped because it was $@ to template.URL | HTMLTemplateEscapingPassthrough.go:66:24:66:38 | call to UserAgent | untrusted source | HTMLTemplateEscapingPassthrough.go:66:11:66:39 | type conversion | converted |
+| HTMLTemplateEscapingPassthrough.go:30:39:30:39 | a | HTMLTemplateEscapingPassthrough.go:29:26:29:40 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:30:39:30:39 | a | Data from an $@ will not be auto-escaped because it was converted to template.HTML | HTMLTemplateEscapingPassthrough.go:29:26:29:40 | call to UserAgent | untrusted source |
+| HTMLTemplateEscapingPassthrough.go:36:40:36:40 | a | HTMLTemplateEscapingPassthrough.go:35:23:35:37 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:36:40:36:40 | a | Data from an $@ will not be auto-escaped because it was converted to template.HTML | HTMLTemplateEscapingPassthrough.go:35:23:35:37 | call to UserAgent | untrusted source |
+| HTMLTemplateEscapingPassthrough.go:41:40:41:40 | a | HTMLTemplateEscapingPassthrough.go:40:19:40:33 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:41:40:41:40 | a | Data from an $@ will not be auto-escaped because it was converted to template.HTML | HTMLTemplateEscapingPassthrough.go:40:19:40:33 | call to UserAgent | untrusted source |
+| HTMLTemplateEscapingPassthrough.go:47:41:47:41 | c | HTMLTemplateEscapingPassthrough.go:46:29:46:43 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:47:41:47:41 | c | Data from an $@ will not be auto-escaped because it was converted to template.HTMLAttr | HTMLTemplateEscapingPassthrough.go:46:29:46:43 | call to UserAgent | untrusted source |
+| HTMLTemplateEscapingPassthrough.go:51:44:51:44 | d | HTMLTemplateEscapingPassthrough.go:50:23:50:37 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:51:44:51:44 | d | Data from an $@ will not be auto-escaped because it was converted to template.JS | HTMLTemplateEscapingPassthrough.go:50:23:50:37 | call to UserAgent | untrusted source |
+| HTMLTemplateEscapingPassthrough.go:55:44:55:44 | e | HTMLTemplateEscapingPassthrough.go:54:26:54:40 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:55:44:55:44 | e | Data from an $@ will not be auto-escaped because it was converted to template.JSStr | HTMLTemplateEscapingPassthrough.go:54:26:54:40 | call to UserAgent | untrusted source |
+| HTMLTemplateEscapingPassthrough.go:59:38:59:38 | b | HTMLTemplateEscapingPassthrough.go:58:24:58:38 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:59:38:59:38 | b | Data from an $@ will not be auto-escaped because it was converted to template.CSS | HTMLTemplateEscapingPassthrough.go:58:24:58:38 | call to UserAgent | untrusted source |
+| HTMLTemplateEscapingPassthrough.go:63:44:63:44 | f | HTMLTemplateEscapingPassthrough.go:62:27:62:41 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:63:44:63:44 | f | Data from an $@ will not be auto-escaped because it was converted to template.Srcset | HTMLTemplateEscapingPassthrough.go:62:27:62:41 | call to UserAgent | untrusted source |
+| HTMLTemplateEscapingPassthrough.go:67:38:67:38 | g | HTMLTemplateEscapingPassthrough.go:66:24:66:38 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:67:38:67:38 | g | Data from an $@ will not be auto-escaped because it was converted to template.URL | HTMLTemplateEscapingPassthrough.go:66:24:66:38 | call to UserAgent | untrusted source |
 edges
 | HTMLTemplateEscapingPassthrough.go:29:12:29:41 | type conversion | HTMLTemplateEscapingPassthrough.go:30:39:30:39 | a | provenance |  |
-| HTMLTemplateEscapingPassthrough.go:29:26:29:40 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:29:12:29:41 | type conversion | provenance | Src:MaD:2  |
+| HTMLTemplateEscapingPassthrough.go:29:26:29:40 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:29:12:29:41 | type conversion | provenance | Src:MaD:1 Config |
 | HTMLTemplateEscapingPassthrough.go:35:9:35:38 | type conversion | HTMLTemplateEscapingPassthrough.go:36:40:36:40 | a | provenance |  |
-| HTMLTemplateEscapingPassthrough.go:35:23:35:37 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:35:9:35:38 | type conversion | provenance | Src:MaD:2  |
+| HTMLTemplateEscapingPassthrough.go:35:23:35:37 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:35:9:35:38 | type conversion | provenance | Src:MaD:1 Config |
 | HTMLTemplateEscapingPassthrough.go:40:9:40:34 | type conversion | HTMLTemplateEscapingPassthrough.go:41:40:41:40 | a | provenance |  |
-| HTMLTemplateEscapingPassthrough.go:40:19:40:33 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:40:9:40:34 | type conversion | provenance | Src:MaD:2  |
+| HTMLTemplateEscapingPassthrough.go:40:19:40:33 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:40:9:40:34 | type conversion | provenance | Src:MaD:1 Config |
 | HTMLTemplateEscapingPassthrough.go:46:11:46:44 | type conversion | HTMLTemplateEscapingPassthrough.go:47:41:47:41 | c | provenance |  |
-| HTMLTemplateEscapingPassthrough.go:46:29:46:43 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:46:11:46:44 | type conversion | provenance | Src:MaD:2  |
+| HTMLTemplateEscapingPassthrough.go:46:29:46:43 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:46:11:46:44 | type conversion | provenance | Src:MaD:1 Config |
 | HTMLTemplateEscapingPassthrough.go:50:11:50:38 | type conversion | HTMLTemplateEscapingPassthrough.go:51:44:51:44 | d | provenance |  |
-| HTMLTemplateEscapingPassthrough.go:50:23:50:37 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:50:11:50:38 | type conversion | provenance | Src:MaD:2  |
+| HTMLTemplateEscapingPassthrough.go:50:23:50:37 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:50:11:50:38 | type conversion | provenance | Src:MaD:1 Config |
 | HTMLTemplateEscapingPassthrough.go:54:11:54:41 | type conversion | HTMLTemplateEscapingPassthrough.go:55:44:55:44 | e | provenance |  |
-| HTMLTemplateEscapingPassthrough.go:54:26:54:40 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:54:11:54:41 | type conversion | provenance | Src:MaD:2  |
+| HTMLTemplateEscapingPassthrough.go:54:26:54:40 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:54:11:54:41 | type conversion | provenance | Src:MaD:1 Config |
 | HTMLTemplateEscapingPassthrough.go:58:11:58:39 | type conversion | HTMLTemplateEscapingPassthrough.go:59:38:59:38 | b | provenance |  |
-| HTMLTemplateEscapingPassthrough.go:58:24:58:38 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:58:11:58:39 | type conversion | provenance | Src:MaD:2  |
+| HTMLTemplateEscapingPassthrough.go:58:24:58:38 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:58:11:58:39 | type conversion | provenance | Src:MaD:1 Config |
 | HTMLTemplateEscapingPassthrough.go:62:11:62:42 | type conversion | HTMLTemplateEscapingPassthrough.go:63:44:63:44 | f | provenance |  |
-| HTMLTemplateEscapingPassthrough.go:62:27:62:41 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:62:11:62:42 | type conversion | provenance | Src:MaD:2  |
+| HTMLTemplateEscapingPassthrough.go:62:27:62:41 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:62:11:62:42 | type conversion | provenance | Src:MaD:1 Config |
 | HTMLTemplateEscapingPassthrough.go:66:11:66:39 | type conversion | HTMLTemplateEscapingPassthrough.go:67:38:67:38 | g | provenance |  |
-| HTMLTemplateEscapingPassthrough.go:66:24:66:38 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:66:11:66:39 | type conversion | provenance | Src:MaD:2  |
-| HTMLTemplateEscapingPassthrough.go:75:17:75:31 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:76:38:76:44 | escaped | provenance | Src:MaD:2  |
-| HTMLTemplateEscapingPassthrough.go:81:10:81:24 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:84:38:84:40 | src | provenance | Src:MaD:2  |
-| HTMLTemplateEscapingPassthrough.go:89:10:89:24 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:91:64:91:66 | src | provenance | Src:MaD:2  |
-| HTMLTemplateEscapingPassthrough.go:91:16:91:77 | type conversion | HTMLTemplateEscapingPassthrough.go:92:38:92:46 | converted | provenance |  |
-| HTMLTemplateEscapingPassthrough.go:91:38:91:67 | call to HTMLEscapeString | HTMLTemplateEscapingPassthrough.go:91:16:91:77 | type conversion | provenance |  |
-| HTMLTemplateEscapingPassthrough.go:91:64:91:66 | src | HTMLTemplateEscapingPassthrough.go:91:38:91:67 | call to HTMLEscapeString | provenance | MaD:3 |
-| ReflectedXssGood.go:15:15:15:20 | selection of Form | ReflectedXssGood.go:15:15:15:36 | call to Get | provenance | Src:MaD:1 MaD:4 |
-| ReflectedXssGood.go:15:15:15:36 | call to Get | ReflectedXssGood.go:20:24:20:31 | username | provenance |  |
-| ReflectedXssGood.go:15:15:15:36 | call to Get | ReflectedXssGood.go:21:40:21:47 | username | provenance |  |
+| HTMLTemplateEscapingPassthrough.go:66:24:66:38 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:66:11:66:39 | type conversion | provenance | Src:MaD:1 Config |
 models
-| 1 | Source: net/http; Request; true; Form; ; ; ; remote; manual |
-| 2 | Source: net/http; Request; true; UserAgent; ; ; ReturnValue; remote; manual |
-| 3 | Summary: html/template; ; false; HTMLEscapeString; ; ; Argument[0]; ReturnValue; taint; manual |
-| 4 | Summary: net/url; Values; true; Get; ; ; Argument[receiver]; ReturnValue; taint; manual |
+| 1 | Source: net/http; Request; true; UserAgent; ; ; ReturnValue; remote; manual |
 nodes
 | HTMLTemplateEscapingPassthrough.go:29:12:29:41 | type conversion | semmle.label | type conversion |
 | HTMLTemplateEscapingPassthrough.go:29:26:29:40 | call to UserAgent | semmle.label | call to UserAgent |
@@ -69,17 +57,4 @@ nodes
 | HTMLTemplateEscapingPassthrough.go:66:11:66:39 | type conversion | semmle.label | type conversion |
 | HTMLTemplateEscapingPassthrough.go:66:24:66:38 | call to UserAgent | semmle.label | call to UserAgent |
 | HTMLTemplateEscapingPassthrough.go:67:38:67:38 | g | semmle.label | g |
-| HTMLTemplateEscapingPassthrough.go:75:17:75:31 | call to UserAgent | semmle.label | call to UserAgent |
-| HTMLTemplateEscapingPassthrough.go:76:38:76:44 | escaped | semmle.label | escaped |
-| HTMLTemplateEscapingPassthrough.go:81:10:81:24 | call to UserAgent | semmle.label | call to UserAgent |
-| HTMLTemplateEscapingPassthrough.go:84:38:84:40 | src | semmle.label | src |
-| HTMLTemplateEscapingPassthrough.go:89:10:89:24 | call to UserAgent | semmle.label | call to UserAgent |
-| HTMLTemplateEscapingPassthrough.go:91:16:91:77 | type conversion | semmle.label | type conversion |
-| HTMLTemplateEscapingPassthrough.go:91:38:91:67 | call to HTMLEscapeString | semmle.label | call to HTMLEscapeString |
-| HTMLTemplateEscapingPassthrough.go:91:64:91:66 | src | semmle.label | src |
-| HTMLTemplateEscapingPassthrough.go:92:38:92:46 | converted | semmle.label | converted |
-| ReflectedXssGood.go:15:15:15:20 | selection of Form | semmle.label | selection of Form |
-| ReflectedXssGood.go:15:15:15:36 | call to Get | semmle.label | call to Get |
-| ReflectedXssGood.go:20:24:20:31 | username | semmle.label | username |
-| ReflectedXssGood.go:21:40:21:47 | username | semmle.label | username |
 subpaths