Merge pull request #10026 from pwntester/patch-2

Go: Partial URLs should not sanitize against SSRF
2026-04-25 00:35:20 +02:00 · 2023-04-14 13:52:11 +01:00
parent cece307c60 352866b52d
commit 8a4ca7fb84
2 changed files with 9 additions and 0 deletions
--- a/go/ql/lib/change-notes/2023-04-14-partial-URLs-should-not-sanitize-against-SSRF.md
+++ b/go/ql/lib/change-notes/2023-04-14-partial-URLs-should-not-sanitize-against-SSRF.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Taking a slice is now considered a sanitizer for `SafeUrlFlow`.
--- a/go/ql/lib/semmle/go/security/SafeUrlFlowCustomizations.qll
+++ b/go/ql/lib/semmle/go/security/SafeUrlFlowCustomizations.qll
@@ -35,4 +35,9 @@ module SafeUrlFlow {
  private class UnsafeUrlMethodEdge extends SanitizerEdge {
    UnsafeUrlMethodEdge() { this = any(UnsafeUrlMethod um).getACall().getReceiver() }
  }
+
+  /** Any slicing of the URL, considered as a sanitizer for safe URL flow. */
+  private class StringSlicingEdge extends SanitizerEdge {
+    StringSlicingEdge() { this = any(DataFlow::SliceNode sn) }
+  }
 }