Improve formatting and style in Gin.qll

This commit is contained in:
Owen Mansel-Chan
2020-12-17 12:43:22 +00:00
parent 71774ed2d4
commit 9236ad752b


@@ -13,72 +13,24 @@ private module Gin {
*/
private class GithubComGinGonicGinContextSource extends UntrustedFlowSource::Range {
GithubComGinGonicGinContextSource() {
exists(string typeName | typeName = "Context" |
// Method calls:
exists(DataFlow::MethodCallNode call, string methodName |
call.getTarget().hasQualifiedName(packagePath(), typeName, methodName) and
(
methodName = "FullPath"
or
methodName = "GetHeader"
or
methodName = "QueryArray"
or
methodName = "Query"
or
methodName = "PostFormArray"
or
methodName = "PostForm"
or
methodName = "Param"
or
methodName = "GetStringSlice"
or
methodName = "GetString"
or
methodName = "GetRawData"
or
methodName = "ClientIP"
or
methodName = "ContentType"
or
methodName = "Cookie"
or
methodName = "GetQueryArray"
or
methodName = "GetQuery"
or
methodName = "GetPostFormArray"
or
methodName = "GetPostForm"
or
methodName = "DefaultPostForm"
or
methodName = "DefaultQuery"
or
methodName = "GetPostFormMap"
or
methodName = "GetQueryMap"
or
methodName = "GetStringMap"
or
methodName = "GetStringMapString"
or
methodName = "GetStringMapStringSlice"
or
methodName = "PostFormMap"
or
methodName = "QueryMap"
)
|
this = call.getResult(0)
)
or
// Field reads:
exists(DataFlow::Field fld |
fld.hasQualifiedName(packagePath(), typeName, ["Accepted", "Params"]) and
this = fld.getARead()
)
// Method calls:
exists(DataFlow::MethodCallNode call, string methodName |
call.getTarget().hasQualifiedName(packagePath(), "Context", methodName) and
methodName in [
"FullPath", "GetHeader", "QueryArray", "Query", "PostFormArray", "PostForm", "Param",
"GetStringSlice", "GetString", "GetRawData", "ClientIP", "ContentType", "Cookie",
"GetQueryArray", "GetQuery", "GetPostFormArray", "GetPostForm", "DefaultPostForm",
"DefaultQuery", "GetPostFormMap", "GetQueryMap", "GetStringMap", "GetStringMapString",
"GetStringMapStringSlice", "PostFormMap", "QueryMap"
]
|
this = call.getResult(0)
)
or
// Field reads:
exists(DataFlow::Field fld |
fld.hasQualifiedName(packagePath(), "Context", ["Accepted", "Params"]) and
this = fld.getARead()
)
}
}
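Review bot: The source list at the `methodName in [...]` set omits the Context accessors that hand back multipart request data — as far as I recall Gin exposes `FormFile` and `MultipartForm` on `Context` — and the untyped `Get`, even though `GetString`/`GetStringSlice`/`GetStringMap*`, which read the same `c.Keys` store, are included; unless that omission is deliberate, add `"FormFile", "MultipartForm", "Get"` to the set so uploads and untyped context values are not silently treated as trusted. In the other direction, `FullPath` (if it still returns the registered route pattern such as `/user/:id` rather than anything the client sent) is a developer-controlled value, so keeping it here is a likely false-positive source; either drop it or justify it in the comment. The `// Method calls:` comment would also be more useful if it stated the selection criterion, e.g. `// Method calls whose first result carries request-derived data (query, form, path, header, cookie, body, or c.Keys values):`, so future additions can be judged against it.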
@@ -104,32 +56,16 @@ private module Gin {
*/
private class GithubComGinGonicGinContextBindSource extends UntrustedFlowSource::Range {
GithubComGinGonicGinContextBindSource() {
exists(string typeName | typeName = "Context" |
exists(DataFlow::MethodCallNode call, string methodName |
call.getTarget().hasQualifiedName(packagePath(), typeName, methodName) and
(
methodName = "BindJSON" or
methodName = "BindYAML" or
methodName = "BindXML" or
methodName = "BindUri" or
methodName = "BindQuery" or
methodName = "BindWith" or
methodName = "BindHeader" or
methodName = "MustBindWith" or
methodName = "Bind" or
methodName = "ShouldBind" or
methodName = "ShouldBindBodyWith" or
methodName = "ShouldBindJSON" or
methodName = "ShouldBindQuery" or
methodName = "ShouldBindUri" or
methodName = "ShouldBindHeader" or
methodName = "ShouldBindWith" or
methodName = "ShouldBindXML" or
methodName = "ShouldBindYAML"
)
|
this = FunctionOutput::parameter(0).getExitNode(call)
)
exists(DataFlow::MethodCallNode call, string methodName |
call.getTarget().hasQualifiedName(packagePath(), "Context", methodName) and
methodName in [
"BindJSON", "BindYAML", "BindXML", "BindUri", "BindQuery", "BindWith", "BindHeader",
"MustBindWith", "Bind", "ShouldBind", "ShouldBindBodyWith", "ShouldBindJSON",
"ShouldBindQuery", "ShouldBindUri", "ShouldBindHeader", "ShouldBindWith",
"ShouldBindXML", "ShouldBindYAML"
]
|
this = FunctionOutput::parameter(0).getExitNode(call)
)
}
}
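Review bot: The line `this = FunctionOutput::parameter(0).getExitNode(call)` is the non-obvious part of this class and carries no explanation; a reader may expect `call.getResult(0)` as in the sibling class. Add a why-comment above it, e.g. `// The Bind* family decode request data into the struct passed as the first argument, so the untrusted value is that argument after the call returns, not the call's result (an error).` It would also help to note that the taint is applied regardless of whether the bind reported an error, since a partially populated struct is still attacker-influenced; if that is not the intent, the comment should say what callers can rely on.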