mirror of
https://github.com/github/codeql.git
synced 2026-01-29 06:12:58 +01:00
Apply suggestions from code review
Co-authored-by: Shati Patel <42641846+shati-patel@users.noreply.github.com>
This commit is contained in:
Owen Mansel-Chan
committed by
Owen Mansel-Chan
Owen Mansel-Chan
parent
0ee00d8647
commit
7730d66d76
4
change-notes/2020-11-27-external-api.md
Normal file
4
change-notes/2020-11-27-external-api.md
Normal file
@@ -0,0 +1,4 @@
|
||||
lgtm,codescanning
|
||||
* A new query "Untrusted data passed to external API" (`go/untrusted-data-to-external-api`) has been added. The query reports external APIs that use untrusted data. This query is designed primarily to help identify which APIs may be relevant for security analysis of this application.
|
||||
* A new query "Untrusted data passed to unknown external API" (`go/untrusted-data-to-unknown-external-api`) has been added. The query reports external APIs that use untrusted data and which are not already known to be safe. This query is designed primarily to help identify which APIs may be relevant for security analysis of this application.
|
||||
* A new query "Frequency counts for external APIs that are used with untrusted data" (`go/count-untrusted-data-external-api`) has been added. The query reports external APIs that use untrusted data. It displays the same results as "Untrusted data passed to external API" (`go/untrusted-data-to-external-api`) but in a table.
|
||||
@@ -10,10 +10,10 @@ may be relevant for security analysis of this application.</p>
|
||||
|
||||
<p>An external API is defined as a call to a function that is not defined in the source code and is not
|
||||
modeled as a taint step in the default taint library. Calls made in test files are excluded.
|
||||
External APIs may be from the Go standard library, third party dependencies or from internal dependencies.
|
||||
External APIs may be from the Go standard library, third party dependencies, or from internal dependencies.
|
||||
The query will report the fully-qualified method name, along with either <code>[param x]</code>,
|
||||
where <code>x</code> indicates the position of the parameter receiving the untrusted data or <code>[receiver]</code>
|
||||
indicating the untrusted data is used as the receiver of the method call.</p>
|
||||
where <code>x</code> indicates the position of the parameter receiving the untrusted data, or <code>[receiver]</code>
|
||||
indicating that the untrusted data is used as the receiver of the method call.</p>
|
||||
|
||||
</overview>
|
||||
<recommendation>
|
||||
@@ -36,16 +36,16 @@ class to exclude known safe external APIs from future analysis.</p>
|
||||
<sample src="ExternalAPISinkExample.go" />
|
||||
|
||||
<p>If the query were to return the API <code>fmt.Fprintf [param 2]</code> then we should first consider
|
||||
whether this a security relevant sink. In this case, this is writing to a HTTP response, so we should
|
||||
consider whether this is an XSS sink. If it is, we should confirm that it is handled by the XSS query.</p>
|
||||
whether this a security relevant sink. In this case, this is writing to an HTTP response, so we should
|
||||
consider whether this is an XSS sink. If it is, we should confirm that it is handled by the "Reflected cross-site scripting" query (<code>go/reflected-xss</code>).</p>
|
||||
|
||||
<sample src="ExternalAPITaintStepExample.go" />
|
||||
|
||||
<p>If the query were to return the API <code>fmt.Sprintf [param 1]</code>, then this should be
|
||||
reviewed as a possible taint step, because tainted data would flow from the 1st argument to the return value
|
||||
reviewed as a possible taint step, because tainted data would flow from the first argument to the return value
|
||||
of the call.</p>
|
||||
|
||||
<p>Note that both examples are correctly handled by the standard taint tracking library and XSS query.</p>
|
||||
<p>Note that both examples are correctly handled by the standard taint tracking library and the "Reflected cross-site scripting" query (<code>go/reflected-xss</code>).</p>
|
||||
</example>
|
||||
<references>
|
||||
|
||||
|
||||
@@ -10,7 +10,7 @@ external APIs that should be modeled as either taint steps, or sinks for specifi
|
||||
|
||||
<p>An external API is defined as a call to a function that is not defined in the source code and is not
|
||||
modeled as a taint step in the default taint library. Calls made in test files are excluded.
|
||||
External APIs may be from the Go standard library, third-party dependencies or from internal dependencies.
|
||||
External APIs may be from the Go standard library, third-party dependencies, or from internal dependencies.
|
||||
The query reports uses of untrusted data in either the receiver or as one of the arguments of external APIs.</p>
|
||||
|
||||
</overview>
|
||||
@@ -38,7 +38,7 @@ class to exclude known safe external APIs from future analysis.</p>
|
||||
|
||||
<sample src="ExternalAPISinkExample.go" />
|
||||
|
||||
<p>This is an XSS sink. The XSS query should therefore be reviewed to confirm that this sink is appropriately modeled,
|
||||
<p>This is an XSS sink. The "Reflected cross-site scripting" query (<code>go/reflected-xss</code>) should therefore be reviewed to confirm that this sink is appropriately modeled,
|
||||
and if it is, to confirm that the query reports this particular result, or that the result is a false positive due to
|
||||
some existing sanitization.</p>
|
||||
|
||||
@@ -51,8 +51,9 @@ modeled as a taint step in the taint tracking library. The next step would be to
|
||||
re-run the query to determine what additional results might be found. In this example, an SQL injection vulnerability
|
||||
would be reported.</p>
|
||||
|
||||
<p>Note that both examples are correctly handled by the standard taint tracking library, the reflected XSS query and SQL
|
||||
injection query.</p>
|
||||
<p>Note that both examples are correctly handled by the standard taint tracking library,
|
||||
the "Reflected cross-site scripting" query (<code>go/reflected-xss</code>),
|
||||
and the "Database query built from user-controlled sources" query (<code>go/sql-injection</code>).</p>
|
||||
</example>
|
||||
<references>
|
||||
|
||||
|
||||
@@ -4,17 +4,17 @@
|
||||
<qhelp>
|
||||
<overview>
|
||||
<p>Using unsanitized untrusted data in an external API can cause a variety of security issues. This query reports
|
||||
external APIs that use untrusted data. The results have been filtered. The query provides data for security
|
||||
external APIs that use untrusted data. The results have been filtered to only report unknown external APIs. The query provides data for security
|
||||
reviews of the application. It can also be used to identify external APIs that should be modeled as either
|
||||
taint steps, or sinks for specific problems.</p>
|
||||
|
||||
<p>An external API is defined as a call to a function that is not defined in the source code and is not
|
||||
modeled as a taint step in the default taint library. Calls made in test files are excluded.
|
||||
External APIs may be from the Go standard library, third-party dependencies or from internal dependencies.
|
||||
External APIs may be from the Go standard library, third-party dependencies, or from internal dependencies.
|
||||
The query reports uses of untrusted data in either the receiver or as one of the arguments of external APIs.</p>
|
||||
|
||||
<p>An external API is considered unknown if it is not in a package which has already been modeled, it is not
|
||||
a sink for an existing query and it is not in a list of external APIs which have been examined and determined
|
||||
a sink for an existing query, and it is not in a list of external APIs which have been examined and determined
|
||||
to not be a possible source of security vulnerabilities.</p>
|
||||
</overview>
|
||||
<recommendation>
|
||||
@@ -39,7 +39,7 @@ class to exclude known safe external APIs from future analysis.</p>
|
||||
|
||||
<sample src="ExternalAPISinkExample.go" />
|
||||
|
||||
<p>This is an XSS sink. The XSS query should therefore be reviewed to confirm that this sink is appropriately modeled,
|
||||
<p>This is an XSS sink. The "Reflected cross-site scripting" query (<code>go/reflected-xss</code>) should therefore be reviewed to confirm that this sink is appropriately modeled,
|
||||
and if it is, to confirm that the query reports this particular result, or that the result is a false positive due to
|
||||
some existing sanitization.</p>
|
||||
|
||||
@@ -52,8 +52,9 @@ modeled as a taint step in the taint tracking library. The next step would be to
|
||||
re-run the query to determine what additional results might be found. In this example, an SQL injection vulnerability
|
||||
would be reported.</p>
|
||||
|
||||
<p>Note that both examples are correctly handled by the standard taint tracking library, the reflected XSS query and SQL
|
||||
injection query.</p>
|
||||
<p>Note that both examples are correctly handled by the standard taint tracking library,
|
||||
the "Reflected cross-site scripting" query (<code>go/reflected-xss</code>),
|
||||
and the "Database query built from user-controlled sources" query (<code>go/sql-injection</code>).</p>
|
||||
</example>
|
||||
<references>
|
||||
|
||||
|
||||
Reference in New Issue
Block a user