Remove duplication of UnsafeFieldReadSanitizer

2025-12-17 01:03:14 +01:00 · 2025-09-30 12:04:39 +01:00
parent 2cd1d2fd2f
commit b5fda88bd3
3 changed files with 15 additions and 30 deletions
--- a/go/ql/lib/semmle/go/security/OpenUrlRedirectCustomizations.qll
+++ b/go/ql/lib/semmle/go/security/OpenUrlRedirectCustomizations.qll
@@ -121,21 +121,6 @@ module OpenUrlRedirect {
 /** A sink for an open redirect, considered as a sink for safe URL flow. */
 private class SafeUrlSink extends SafeUrlFlow::Sink instanceof OpenUrlRedirect::Sink { }
 /**
 * A read of a field considered unsafe to redirect to, considered as a sanitizer for a safe
 * URL.
 */
 private class UnsafeFieldReadSanitizer extends SafeUrlFlow::SanitizerEdge {
  UnsafeFieldReadSanitizer() {
    exists(DataFlow::FieldReadNode frn, string name |
      name = ["User", "RawQuery", "Fragment"] and
      frn.getField().hasQualifiedName("net/url", "URL")
    |
      this = frn.getBase()
    )
  }
 }
 /**
 * Reinstate the usual field propagation rules for fields, which the OpenURLRedirect
 * query usually excludes, for fields of `Params` other than `Params.Fixed`.
--- a/go/ql/lib/semmle/go/security/RequestForgeryCustomizations.qll
+++ b/go/ql/lib/semmle/go/security/RequestForgeryCustomizations.qll
@@ -118,18 +118,3 @@ module RequestForgery {
 /** A sink for request forgery, considered as a sink for safe URL flow. */
 private class SafeUrlSink extends SafeUrlFlow::Sink instanceof RequestForgery::Sink { }
 /**
 * A read of a field considered unsafe for request forgery, considered as a sanitizer for a safe
 * URL.
 */
 private class UnsafeFieldReadSanitizer extends SafeUrlFlow::SanitizerEdge {
  UnsafeFieldReadSanitizer() {
    exists(DataFlow::FieldReadNode frn, string name |
      (name = "RawQuery" or name = "Fragment" or name = "User") and
      frn.getField().hasQualifiedName("net/url", "URL")
    |
      this = frn.getBase()
    )
  }
 }
--- a/go/ql/lib/semmle/go/security/SafeUrlFlowCustomizations.qll
+++ b/go/ql/lib/semmle/go/security/SafeUrlFlowCustomizations.qll
@@ -40,4 +40,19 @@ module SafeUrlFlow {
  private class StringSlicingEdge extends SanitizerEdge {
    StringSlicingEdge() { this = any(DataFlow::SliceNode sn) }
  }
  /**
   * A read of a field considered unsafe to redirect to, considered as a sanitizer for a safe
   * URL.
   */
  private class UnsafeFieldReadSanitizer extends SanitizerEdge {
    UnsafeFieldReadSanitizer() {
      exists(DataFlow::FieldReadNode frn, string name |
        name = ["Fragment", "RawQuery", "User"] and
        frn.getField().hasQualifiedName("net/url", "URL")
      |
        this = frn.getBase()
      )
    }
  }
 }