OpenUrlRedirect: Add support for url.Host reassignments

Sauyon Lee
2020-03-24 08:47:52 -07:00
parent 5f83dbd07b
commit 9321ff9110


@@ -41,9 +41,21 @@ module OpenUrlRedirect {
or
// taint steps that do not include flow through fields
TaintTracking::localTaintStep(pred, succ) and not TaintTracking::fieldReadStep(pred, succ)
or
// propagate to a URL when its host is assigned to
exists(Write w, Field f, SsaWithFields v | f.hasQualifiedName("net/url", "URL", "Host") |
w.writesField(v.getAUse(), f, pred) and succ = v.getAUse()
)
}
override predicate isBarrierOut(DataFlow::Node node) { hostnameSanitizingPrefixEdge(node, _) }
override predicate isBarrierOut(DataFlow::Node node) {
// block propagation of this unsafe value when its host is overwritten
exists(Write w, Field f | f.hasQualifiedName("net/url", "URL", "Host") |
w.writesField(node.getASuccessor(), f, _)
)
or
hostnameSanitizingPrefixEdge(node, _)
}
override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
guard instanceof BarrierGuard