Merge branch 'master' into WebsocketXss

2026-01-29 22:32:58 +01:00 · 2020-05-20 08:57:36 -07:00
parent d1d4c2e492 f599a502fc
commit a2e2e260b2
10 changed files with 32 additions and 46 deletions
--- a/ql/src/semmle/go/frameworks/Stdlib.qll
+++ b/ql/src/semmle/go/frameworks/Stdlib.qll
@@ -791,6 +791,7 @@ module Log {

 /** Provides models of some functions in the `encoding/json` package. */
 module EncodingJson {
+  /** The `Marshal` or `MarshalIndent` function in the `encoding/json` package. */
  class MarshalFunction extends TaintTracking::FunctionModel, MarshalingFunction::Range {
    MarshalFunction() {
      this.hasQualifiedName("encoding/json", "Marshal") or
--- a/ql/src/semmle/go/security/AllocationSizeOverflowCustomizations.qll
+++ b/ql/src/semmle/go/security/AllocationSizeOverflowCustomizations.qll
@@ -51,9 +51,7 @@ module AllocationSizeOverflow {
      exists(MarshalingFunction marshal, DataFlow::CallNode call |
        call = marshal.getACall() and
        // rule out cases where we can tell that the result will always be small
-        exists(FunctionInput inp | inp = marshal.getAnInput() |
-          isBig(inp.getNode(call).asExpr())
-        ) and
+        exists(FunctionInput inp | inp = marshal.getAnInput() | isBig(inp.getNode(call).asExpr())) and
        this = marshal.getOutput().getNode(call)
      )
    }
--- a/ql/test/library-tests/semmle/go/Packages/package.expected
+++ b/ql/test/library-tests/semmle/go/Packages/package.expected
@@ -0,0 +1,2 @@
+| PackageName/test |
+| PackageName/v2/test |
--- a/ql/test/library-tests/semmle/go/Packages/package.ql
+++ b/ql/test/library-tests/semmle/go/Packages/package.ql
@@ -0,0 +1,18 @@
+import go
+
+from string path
+where
+  (
+    path = "PackageName/v2/test" or // OK
+    path = "PackageName/test" or // OK
+    path = "PackageName//v//test" or // NOT OK
+    path = "PackageName//v/test" or // NOT OK
+    path = "PackageName/v//test" or // NOT OK
+    path = "PackageName/v/asd/v2/test" or // NOT OK
+    path = "PackageName/v/test" or // NOT OK
+    path = "PackageName//v2//test" or // NOT OK
+    path = "PackageName//v2/test" or // NOT OK
+    path = "PackageName/v2//test" // NOT OK
+  ) and
+  path = package("PackageName", "test")
+select path
--- a/ql/test/library-tests/semmle/go/Packages/packagePredicate.go
+++ b/ql/test/library-tests/semmle/go/Packages/packagePredicate.go
@@ -1,22 +0,0 @@
-package main
-
-import (
-	"fmt"
-
-	_ "PackageName//v//test"      // Not OK
-	_ "PackageName//v/test"       // Not OK
-	_ "PackageName/test"          // OK
-	_ "PackageName/v//test"       // Not OK
-	_ "PackageName/v/asd/v2/test" // Not OK
-	_ "PackageName/v/test"        // Not OK
-
-	_ "PackageName//v2//test" // Not OK
-	_ "PackageName//v2/test"  // Not OK
-	_ "PackageName/v2//test"  // Not OK
-	_ "PackageName/v2/test"   //OK
-)
-
-func main() {
-	pkg.Foo()
-	fmt.Println("")
-}
--- a/ql/test/library-tests/semmle/go/Packages/predicate.expected
+++ b/ql/test/library-tests/semmle/go/Packages/predicate.expected
@@ -1,2 +0,0 @@
-| package PackageName/test | PackageName/test |
-| package PackageName/v2/test | PackageName/v2/test |
--- a/ql/test/library-tests/semmle/go/Packages/predicate.ql
+++ b/ql/test/library-tests/semmle/go/Packages/predicate.ql
@@ -1,8 +0,0 @@
-import go
-
-from Package pkg, string mod, string path
-where
-  packages(pkg, _, package(mod, path), _) and
-  mod = "PackageName" and
-  path = "test"
-select pkg, pkg.getPath()
--- a/ql/test/library-tests/semmle/go/frameworks/Websocket/DialFunction.expected
+++ b/ql/test/library-tests/semmle/go/frameworks/Websocket/DialFunction.expected
@@ -1,8 +1,8 @@
-| DialFunction.go:25:11:25:52 | call to Dial | DialFunction.go:25:26:25:39 | untrustedInput |
-| DialFunction.go:28:12:28:39 | call to DialConfig | DialFunction.go:27:35:27:48 | untrustedInput |
+| DialFunction.go:25:2:25:43 | call to Dial | DialFunction.go:25:17:25:30 | untrustedInput |
+| DialFunction.go:28:2:28:29 | call to DialConfig | DialFunction.go:27:35:27:48 | untrustedInput |
 | DialFunction.go:30:2:30:49 | call to Dial | DialFunction.go:30:30:30:43 | untrustedInput |
-| DialFunction.go:33:2:33:38 | call to Dial | DialFunction.go:33:14:33:27 | untrustedInput |
-| DialFunction.go:35:2:35:61 | call to DialContext | DialFunction.go:35:37:35:50 | untrustedInput |
+| DialFunction.go:33:2:33:33 | call to Dial | DialFunction.go:33:14:33:27 | untrustedInput |
+| DialFunction.go:35:2:35:56 | call to DialContext | DialFunction.go:35:37:35:50 | untrustedInput |
 | DialFunction.go:37:2:37:44 | call to Dial | DialFunction.go:37:30:37:43 | untrustedInput |
 | DialFunction.go:40:2:40:45 | call to Dial | DialFunction.go:40:31:40:44 | untrustedInput |
 | DialFunction.go:42:2:42:31 | call to BuildProxy | DialFunction.go:42:17:42:30 | untrustedInput |
--- a/ql/test/library-tests/semmle/go/frameworks/Websocket/DialFunction.go
+++ b/ql/test/library-tests/semmle/go/frameworks/Websocket/DialFunction.go
@@ -17,22 +17,22 @@ import (
 )

 func main() {
-	untrustedInput := r.Referer()
+	untrustedInput := "referrer"

 	origin := "http://localhost/"

 	// bad as input is directly passed to dial function
-	ws, _ := websocket.Dial(untrustedInput, "", origin)
+	websocket.Dial(untrustedInput, "", origin)

 	config, _ := websocket.NewConfig(untrustedInput, origin) // good
-	ws2, _ := websocket.DialConfig(config)
+	websocket.DialConfig(config)

 	nhooyr.Dial(context.TODO(), untrustedInput, nil)

 	dialer := gorilla.Dialer{}
-	dialer.Dial(untrustedInput, r.Header)
+	dialer.Dial(untrustedInput, nil)

-	dialer.DialContext(context.TODO(), untrustedInput, r.Header)
+	dialer.DialContext(context.TODO(), untrustedInput, nil)

 	gobwas.Dial(context.TODO(), untrustedInput)

@@ -41,5 +41,4 @@ func main() {

 	sac.BuildProxy(untrustedInput)
 	sac.New(untrustedInput)
-
 }
--- a/ql/test/query-tests/Security/CWE-079/tst.go
+++ b/ql/test/query-tests/Security/CWE-079/tst.go
@@ -65,7 +65,7 @@ func serve9(log io.Writer) {
 		r.ParseForm()
 		username := r.Form.Get("username")
 		// OK: not a ResponseWriter
-		log.Write(username)
+		log.Write([]byte(username))
 	})
 	http.ListenAndServe(":80", nil)
 }