From ac618e1cb263a4066d3d6841dfb641cd3dac6326 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Thu, 25 Jun 2026 22:50:21 +0100
Subject: [PATCH] Expand `FileNameSource` for stored xss
---
 go/ql/lib/semmle/go/security/StoredXssCustomizations.qll | 8 +++++---
 .../test/query-tests/Security/CWE-079/StoredXss.expected | 6 ++++--
 2 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/go/ql/lib/semmle/go/security/StoredXssCustomizations.qll b/go/ql/lib/semmle/go/security/StoredXssCustomizations.qll
index 1216844f994..43c2e0c9119 100644
--- a/go/ql/lib/semmle/go/security/StoredXssCustomizations.qll
+++ b/go/ql/lib/semmle/go/security/StoredXssCustomizations.qll
@@ -33,9 +33,11 @@ module StoredXss {
 walkFn.getACall().getArgument(1) = f.getASuccessor*()
 )
 or
- // A call to os.FileInfo.Name
- exists(Method m | m.implements("io/fs", "FileInfo", "Name") |
- m = this.(DataFlow::CallNode).getTarget()
+ // The return value of a call to `os.DirEntry.Name`, `os.FileInfo.Name`
+ // or `os.File.ReadDirNames`.
+ exists(DataFlow::CallNode cn, Method m | m = cn.getTarget() and this = cn.getResult(0) |
+ m.implements("io/fs", ["DirEntry", "FileInfo"], "Name") or
+ m.hasQualifiedName("os", "File", "ReadDirNames")
 )
 }
 }
diff --git a/go/ql/test/query-tests/Security/CWE-079/StoredXss.expected b/go/ql/test/query-tests/Security/CWE-079/StoredXss.expected
index c7f959372ee..cde1a866c75 100644
--- a/go/ql/test/query-tests/Security/CWE-079/StoredXss.expected
+++ b/go/ql/test/query-tests/Security/CWE-079/StoredXss.expected
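Review bot: The last disjunct of the new `exists` in `StoredXssCustomizations.qll` looks like it can never match, because the Go method on `*os.File` is spelled `Readdirnames`, not `ReadDirNames`. As written, file names read that way would still not be treated as stored-XSS sources. I would change the line to `m.hasQualifiedName("os", "File", "Readdirnames")` and correct the spelling in the comment above it as well. The updated `StoredXss.expected` only gains the `call to Name` alert, so nothing visible exercises this disjunct; a test that writes a `Readdirnames` result into the response would pin it down. The enclosing class begins outside the hunk.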
@@ -1,7 +1,9 @@ #select +| StoredXss.go:13:21:13:36 | ...+... | StoredXss.go:13:21:13:31 | call to Name | StoredXss.go:13:21:13:36 | ...+... | Stored cross-site scripting vulnerability due to $@. | StoredXss.go:13:21:13:31 | call to Name | stored value | | stored.go:30:22:30:25 | name | stored.go:18:3:18:28 | ... := ...[0] | stored.go:30:22:30:25 | name | Stored cross-site scripting vulnerability due to $@. | stored.go:18:3:18:28 | ... := ...[0] | stored value | | stored.go:61:22:61:25 | path | stored.go:59:30:59:33 | SSA def(path) | stored.go:61:22:61:25 | path | Stored cross-site scripting vulnerability due to $@. | stored.go:59:30:59:33 | SSA def(path) | stored value | edges +| StoredXss.go:13:21:13:31 | call to Name | StoredXss.go:13:21:13:36 | ...+... | provenance | | | stored.go:18:3:18:28 | ... := ...[0] | stored.go:25:14:25:17 | rows | provenance | Src:MaD:1 | | stored.go:25:14:25:17 | rows | stored.go:25:29:25:33 | &... [postupdate] | provenance | FunctionModel | | stored.go:25:29:25:33 | &... [postupdate] | stored.go:30:22:30:25 | name | provenance | | @@ -9,6 +11,8 @@ edges models | 1 | Source: database/sql; DB; true; Query; ; ; ReturnValue[0]; database; manual | nodes +| StoredXss.go:13:21:13:31 | call to Name | semmle.label | call to Name | +| StoredXss.go:13:21:13:36 | ...+... | semmle.label | ...+... | | stored.go:18:3:18:28 | ... := ...[0] | semmle.label | ... := ...[0] | | stored.go:25:14:25:17 | rows | semmle.label | rows | | stored.go:25:29:25:33 | &... [postupdate] | semmle.label | &... [postupdate] | @@ -16,5 +20,3 @@ nodes | stored.go:59:30:59:33 | SSA def(path) | semmle.label | SSA def(path) | | stored.go:61:22:61:25 | path | semmle.label | path | subpaths -testFailures -| StoredXss.go:13:39:13:63 | comment | Missing result: Alert[go/stored-xss] |