diff --git a/go/ql/lib/ext/mime.multipart.model.yml b/go/ql/lib/ext/mime.multipart.model.yml
index 410eac26af6..134481dfce3 100644
--- a/go/ql/lib/ext/mime.multipart.model.yml
+++ b/go/ql/lib/ext/mime.multipart.model.yml
@@ -1,4 +1,21 @@
 extensions:
+ - addsTo:
+ pack: codeql/go-all
+ extensible: barrierModel
+ data:
+ # The only way to create a `mime/multipart.FileHeader` is to create a
+ # `mime/multipart.Form`, which creates the `Filename` field of each
+ # `mime/multipart.FileHeader` by calling `Part.FileName`, which calls
+ # `path/filepath.Base` on its return value. In general `path/filepath.Base`
+ # is not a sanitizer for path traversal, but in this specific case where the
+ # output is going to be used as a filename rather than a directory name, it
+ # is adequate.
+ - ["mime/multipart", "FileHeader", False, "Filename", "", "", "", "path-injection", "manual"]
+ # `Part.FileName` calls `path/filepath.Base` on its return value. In
+ # general `path/filepath.Base` is not a sanitizer for path traversal, but in
+ # this specific case where the output is going to be used as a filename
+ # rather than a directory name, it is adequate.
+ - ["mime/multipart", "Part", False, "FileName", "", "", "ReturnValue", "path-injection", "manual"]
 - addsTo:
 pack: codeql/go-all
 extensible: summaryModel
diff --git a/go/ql/lib/ext/path.filepath.model.yml b/go/ql/lib/ext/path.filepath.model.yml
index 15bcb7d386d..d450e2bbc56 100644
--- a/go/ql/lib/ext/path.filepath.model.yml
+++ b/go/ql/lib/ext/path.filepath.model.yml
@@ -1,4 +1,9 @@
 extensions:
+ - addsTo:
+ pack: codeql/go-all
+ extensible: barrierModel
+ data:
+ - ["path/filepath", "", False, "Rel", "", "", "ReturnValue", "path-injection", "manual"]
 - addsTo:
 pack: codeql/go-all
 extensible: summaryModel
diff --git a/go/ql/lib/semmle/go/security/TaintedPathCustomizations.qll b/go/ql/lib/semmle/go/security/TaintedPathCustomizations.qll
index b46460e1fa2..20341159c64 100644
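Review bot: The comment on the `FileHeader.Filename` row says a `FileHeader` can only come from a `Form`, but `FileHeader` is an exported struct whose `Filename` field can be assigned directly, so this barrier also silences reads of values that never passed through `Part.FileName`. `path/filepath.Base` can also return `..`, `.` or a bare separator, none of which is a plain file name once joined to a directory. I would record both limits in the comment so the accepted false negatives are visible, for example `# Known gap: Base can return "." or "..", and Filename can be set directly on a FileHeader.`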
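Review bot: The `path/filepath.Rel` row in `path.filepath.model.yml` carries no comment, although the QL class it replaces had a doc comment and the rows in `mime.multipart.model.yml` explain their reasoning. The result of `Rel` can itself begin with `..` when the target lies outside the base path, so it is presumably only safe when the caller checks for that, while the model treats every result as a barrier. A comment above the row would make the assumption visible, e.g. `# Result of filepath.Rel is treated as a barrier; assumes the caller rejects results starting with "..".`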
--- a/go/ql/lib/semmle/go/security/TaintedPathCustomizations.qll
+++ b/go/ql/lib/semmle/go/security/TaintedPathCustomizations.qll
@@ -70,19 +70,6 @@ module TaintedPath {
 }
 }

- /**
- * A call to `filepath.Rel`, considered as a sanitizer for path traversal.
- */
- class FilepathRelSanitizer extends Sanitizer {
- FilepathRelSanitizer() {
- exists(Function f, FunctionOutput outp |
- f.hasQualifiedName("path/filepath", "Rel") and
- outp.isResult(0) and
- this = outp.getNode(f.getACall())
- )
- }
- }
-
 /**
 * A call to `filepath.Clean("/" + e)`, considered to sanitize `e` against path traversal.
 */
@@ -116,44 +103,6 @@ module TaintedPath {
 }
 }

- /**
- * A read from the field `Filename` of the type `mime/multipart.FileHeader`,
- * considered as a sanitizer for path traversal.
- *
- * The only way to create a `mime/multipart.FileHeader` is to create a
- * `mime/multipart.Form`, which creates the `Filename` field of each
- * `mime/multipart.FileHeader` by calling `Part.FileName`, which calls
- * `path/filepath.Base` on its return value. In general `path/filepath.Base`
- * is not a sanitizer for path traversal, but in this specific case where the
- * output is going to be used as a filename rather than a directory name, it
- * is adequate.
- */
- class MimeMultipartFileHeaderFilenameSanitizer extends Sanitizer {
- MimeMultipartFileHeaderFilenameSanitizer() {
- this.(DataFlow::FieldReadNode)
- .getField()
- .hasQualifiedName("mime/multipart", "FileHeader", "Filename")
- }
- }
-
- /**
- * A call to `mime/multipart.Part.FileName`, considered as a sanitizer
- * against path traversal.
- *
- * `Part.FileName` calls `path/filepath.Base` on its return value. In
- * general `path/filepath.Base` is not a sanitizer for path traversal, but in
- * this specific case where the output is going to be used as a filename
- * rather than a directory name, it is adequate.
- */
- class MimeMultipartPartFileNameSanitizer extends Sanitizer {
- MimeMultipartPartFileNameSanitizer() {
- this =
- any(Method m | m.hasQualifiedName("mime/multipart", "Part", "FileName"))
- .getACall()
- .getResult()
- }
- }
-
 /**
 * A check of the form `!strings.Contains(nd, "..")`, considered as a sanitizer guard for
 * path traversal.