Fix modelling of Params part 2

2026-01-30 14:52:57 +01:00 · 2020-06-25 16:09:34 +01:00
parent cf47159a30
commit 82361ce060
2 changed files with 18 additions and 47 deletions
--- a/ql/src/semmle/go/frameworks/Gin.qll
+++ b/ql/src/semmle/go/frameworks/Gin.qll
@@ -5,18 +5,18 @@
 import go

 private module Gin {
+  /** Gets the package name `github.com/gin-gonic/gin`. */
+  private string packagePath() { result = "github.com/gin-gonic/gin" }
+
  /**
   * Data from a `Context` struct, considered as a source of untrusted flow.
   */
  private class GithubComGinGonicGinContextSource extends UntrustedFlowSource::Range {
    GithubComGinGonicGinContextSource() {
-      exists(string packagePath, string typeName |
-        packagePath = "github.com/gin-gonic/gin" and
-        typeName = "Context"
-      |
+      exists(string typeName | typeName = "Context" |
        // Method calls:
        exists(DataFlow::MethodCallNode call, string methodName |
-          call.getTarget().hasQualifiedName(packagePath, typeName, methodName) and
+          call.getTarget().hasQualifiedName(packagePath(), typeName, methodName) and
          (
            methodName = "FullPath"
            or
@@ -76,46 +76,26 @@ private module Gin {
        or
        // Field reads:
        exists(DataFlow::Field fld |
-          fld.hasQualifiedName(packagePath, typeName, ["Accepted", "Params"]) and
+          fld.hasQualifiedName(packagePath(), typeName, ["Accepted", "Params"]) and
          this = fld.getARead()
        )
      )
    }
  }

-  /**
-   * Data from a `Params` slice, considered as a source of untrusted flow.
-   */
-  private class GithubComGinGonicGinParamsSource extends UntrustedFlowSource::Range {
-    GithubComGinGonicGinParamsSource() {
-      exists(string packagePath, string typeName |
-        packagePath = "github.com/gin-gonic/gin" and
-        typeName = "Params"
-      |
-        // Method calls:
-        exists(DataFlow::MethodCallNode call |
-          call.getTarget().hasQualifiedName(packagePath, typeName, ["ByName", "Get"])
-        |
-          this = call.getResult(0)
-        )
-      )
+  private class ParamsGet extends TaintTracking::FunctionModel, Method {
+    ParamsGet() { this.hasQualifiedName(packagePath(), "Params", "Get") }
+
+    override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) {
+      inp.isReceiver() and outp.isResult(0)
    }
  }

-  /**
-   * Data from a `Param` struct, considered as a source of untrusted flow.
-   */
-  private class GithubComGinGonicGinParamSource extends UntrustedFlowSource::Range {
-    GithubComGinGonicGinParamSource() {
-      exists(string packagePath, string typeName |
-        packagePath = "github.com/gin-gonic/gin" and
-        typeName = "Param"
-      |
-        // Field reads:
-        exists(DataFlow::Field fld | fld.hasQualifiedName(packagePath, typeName, ["Key", "Value"]) |
-          this = fld.getARead()
-        )
-      )
+  private class ParamsByName extends TaintTracking::FunctionModel, Method {
+    ParamsByName() { this.hasQualifiedName(packagePath(), "Params", "ByName") }
+
+    override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) {
+      inp.isReceiver() and outp.isResult()
    }
  }

@@ -124,12 +104,9 @@ private module Gin {
   */
  private class GithubComGinGonicGinContextBindSource extends UntrustedFlowSource::Range {
    GithubComGinGonicGinContextBindSource() {
-      exists(string packagePath, string typeName |
-        packagePath = "github.com/gin-gonic/gin" and
-        typeName = "Context"
-      |
+      exists(string typeName | typeName = "Context" |
        exists(DataFlow::MethodCallNode call, string methodName |
-          call.getTarget().hasQualifiedName(packagePath, typeName, methodName) and
+          call.getTarget().hasQualifiedName(packagePath(), typeName, methodName) and
          (
            methodName = "BindJSON" or
            methodName = "BindYAML" or
--- a/ql/test/library-tests/semmle/go/frameworks/Gin/Gin.expected
+++ b/ql/test/library-tests/semmle/go/frameworks/Gin/Gin.expected
@@ -26,16 +26,10 @@
 | Gin.go:123:10:123:23 | call to FullPath |
 | Gin.go:129:10:129:21 | selection of Accepted |
 | Gin.go:133:10:133:19 | selection of Params |
-| Gin.go:134:7:134:18 | selection of Value |
 | Gin.go:139:10:139:19 | selection of Params |
-| Gin.go:140:7:140:15 | selection of Value |
 | Gin.go:143:10:143:19 | selection of Params |
-| Gin.go:143:10:143:34 | call to ByName |
-| Gin.go:147:3:147:34 | ... := ...[0] |
 | Gin.go:147:13:147:22 | selection of Params |
 | Gin.go:153:12:153:21 | selection of Params |
-| Gin.go:154:10:154:18 | selection of Key |
-| Gin.go:155:10:155:20 | selection of Value |
 | Gin.go:163:16:163:22 | &... |
 | Gin.go:167:7:167:19 | definition of personPointer |
 | Gin.go:173:15:173:21 | &... |