Merge pull request #9947 from github/smowton/fix/golang-path-injection-numeric-sanitizer

Go: note that numeric-typed nodes can't cause path traversal
2026-04-26 09:15:12 +02:00 · 2022-08-04 09:00:34 +01:00
parent af274354a0 e04c77ce15
commit 96091e4fa0
2 changed files with 13 additions and 0 deletions
--- a/go/ql/lib/semmle/go/security/TaintedPathCustomizations.qll
+++ b/go/ql/lib/semmle/go/security/TaintedPathCustomizations.qll
@@ -70,6 +70,15 @@ module TaintedPath {
    PathAsSink() { this = any(FileSystemAccess fsa).getAPathArgument() }
  }

+  /**
+   * A numeric- or boolean-typed node, considered a sanitizer for path traversal.
+   */
+  class NumericOrBooleanSanitizer extends Sanitizer {
+    NumericOrBooleanSanitizer() {
+      this.getType() instanceof NumericType or this.getType() instanceof BoolType
+    }
+  }
+
  /**
   * A call to `filepath.Rel`, considered as a sanitizer for path traversal.
   */
--- a/go/ql/src/change-notes/2022-08-02-path-injection-sanitizer.md
+++ b/go/ql/src/change-notes/2022-08-02-path-injection-sanitizer.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The query `go/path-injection` no longer considers user-controlled numeric or boolean-typed data as potentially dangerous.