Remove database directory and add WebCacheDeceptionLib.qll

2026-04-30 03:05:15 +02:00 · 2023-12-13 01:50:32 +03:00
parent bc81201c2e
commit bb2083d10a
6 changed files with 79 additions and 60 deletions
--- a/go/ql/src/experimental/CWE-525/WebCacheDeception.expected
+++ b/go/ql/src/experimental/CWE-525/WebCacheDeception.expected
@@ -0,0 +1,4 @@
+edges
+nodes
+subpaths
+#select
--- a/go/ql/src/experimental/CWE-525/WebCacheDeception.ql
+++ b/go/ql/src/experimental/CWE-525/WebCacheDeception.ql
@@ -1,6 +1,6 @@
 /*
 * @name Web Cache Deception
- * @description A caching system has been detected on the application and is vulnerable to web cache deception. By manipulating the URL it is possible to force the application to cache pages that are only accessible by an authenticated user. Once cached, these pages can be accessed by an unauthenticated user.
+ * @description A caching system has been detected on the application and is vulnerable to web cache deception on Gofiber. By manipulating the URL it is possible to force the application to cache pages that are only accessible by an authenticated user. Once cached, these pages can be accessed by an unauthenticated user.
 * @kind problem
 * @problem.severity error
 * @security-severity 9
@@ -11,17 +11,10 @@
 */

 import go
+import WebCacheDeceptionLib
+import WebCacheDeception::Flow::PathGraph

-from
-  DataFlow::CallNode httpHandleFuncCall, DataFlow::ReadNode rn, Http::HeaderWrite::Range hw,
-  DeclaredFunction f
-where
-  httpHandleFuncCall.getTarget().hasQualifiedName("net/http", "HandleFunc") and
-  httpHandleFuncCall.getArgument(0).getStringValue().matches("%/") and
-  httpHandleFuncCall.getArgument(1) = rn and
-  rn.reads(f) and
-  f.getParameter(0) = hw.getResponseWriter() and
-  hw.getHeaderName() = "cache-control"
-select httpHandleFuncCall.getArgument(0),
-  "Wildcard Endpoint used with " + httpHandleFuncCall.getArgument(0) + " and '" + hw.getHeaderName()
-    + "' Header is used"
+from WebCacheDeception::Flow::PathNode source, WebCacheDeception::Flow::PathNode sink
+where WebCacheDeception::Flow::flowPath(source, sink)
+select sink.getNode(), source, sink, "$@ is used as wildcard endpoint.", source.getNode(),
+  "Web Cache Deception"
--- a/go/ql/src/experimental/CWE-525/WebCacheDeceptionFiber.ql
+++ b/go/ql/src/experimental/CWE-525/WebCacheDeceptionFiber.ql
@@ -1,22 +0,0 @@
-/*
- * @name Web Cache Deception
- * @description A caching system has been detected on the application and is vulnerable to web cache deception on Gofiber. By manipulating the URL it is possible to force the application to cache pages that are only accessible by an authenticated user. Once cached, these pages can be accessed by an unauthenticated user.
- * @kind problem
- * @problem.severity error
- * @security-severity 9
- * @precision high
- * @id go/web-cache-deception-fiber
- * @tags security
- *       external/cwe/cwe-525
- */
-
-import go
-
-from DataFlow::CallNode httpHandleFuncCall, ImportSpec importSpec
-where
-  importSpec.getPath() = "github.com/gofiber/fiber/v2" and
-  httpHandleFuncCall.getCall().getArgument(0).toString().matches("%/*%") and
-  not httpHandleFuncCall.getCall().getArgument(0).toString().matches("%$%") and
-  importSpec.getFile() = httpHandleFuncCall.getFile()
-select httpHandleFuncCall.getCall().getArgument(0),
-  "Wildcard Endpoint used with " + httpHandleFuncCall.getCall().getArgument(0)
--- a/go/ql/src/experimental/CWE-525/WebCacheDeceptionGoChi.expected
+++ b/go/ql/src/experimental/CWE-525/WebCacheDeceptionGoChi.expected
@@ -1 +0,0 @@
-| WebCacheDeceptionGoChi.go:13:8:13:11 | "/*" | Wildcard Endpoint used with "/*" in file: WebCacheDeceptionGoChi.go |
--- a/go/ql/src/experimental/CWE-525/WebCacheDeceptionGoChi.ql
+++ b/go/ql/src/experimental/CWE-525/WebCacheDeceptionGoChi.ql
@@ -1,23 +0,0 @@
-/*
- * @name Web Cache Deception
- * @description A caching system has been detected on the application and is vulnerable to web cache deception on GoChi. By manipulating the URL it is possible to force the application to cache pages that are only accessible by an authenticated user. Once cached, these pages can be accessed by an unauthenticated user.
- * @kind problem
- * @problem.severity error
- * @security-severity 9
- * @precision high
- * @id go/web-cache-deception-go-chi
- * @tags security
- *       external/cwe/cwe-525
- */
-
-import go
-
-from DataFlow::CallNode httpHandleFuncCall, ImportSpec importSpec
-where
-  importSpec.getPath() = "github.com/go-chi/chi/v5" and
-  httpHandleFuncCall.getCall().getArgument(0).toString().matches("%/*%") and
-  not httpHandleFuncCall.getCall().getArgument(0).toString().matches("%$%") and
-  importSpec.getFile() = httpHandleFuncCall.getFile()
-select httpHandleFuncCall.getCall().getArgument(0),
-  "Wildcard Endpoint used with " + httpHandleFuncCall.getCall().getArgument(0) + " in file: " +
-    importSpec.getFile().getBaseName()
--- a/go/ql/src/experimental/CWE-525/WebCacheDeceptionLib.qll
+++ b/go/ql/src/experimental/CWE-525/WebCacheDeceptionLib.qll
@@ -0,0 +1,68 @@
+import go
+import StringOps
+
+module WebCacheDeception {
+  abstract class Source extends DataFlow::Node { }
+
+  abstract class Sink extends DataFlow::Node { }
+
+  private class GoNetHTTP extends Sink {
+    GoNetHTTP() {
+      exists(
+        DataFlow::CallNode m, DataFlow::ReadNode rn, Http::HeaderWrite::Range hw, DeclaredFunction f
+      |
+        m.getTarget().hasQualifiedName("net/http", "HandleFunc") and
+        m.getArgument(0).getStringValue().matches("%/") and
+        m.getArgument(1) = rn and
+        rn.reads(f) and
+        f.getParameter(0) = hw.getResponseWriter() and
+        hw.getHeaderName() = "cache-control" and
+        this = m.getArgument(0)
+      )
+    }
+  }
+
+  private class GoFiber extends Sink {
+    GoFiber() {
+      exists(ImportSpec i |
+        i.getPath() = "github.com/gofiber/fiber" or
+        i.getPath() = "github.com/gofiber/fiber/v2"
+      |
+        exists(DataFlow::MethodCallNode m |
+          m.getCall().getArgument(0).toString().matches("%/*%") and
+          this = m.getArgument(0)
+        )
+      )
+    }
+  }
+
+  private class GoChi extends Sink {
+    GoChi() {
+      exists(ImportSpec i |
+        i.getPath() = "github.com/go-chi/chi/v5" or
+        i.getPath() = "github.com/go-chi/chi/v5/middleware"
+      |
+        exists(DataFlow::MethodCallNode m |
+          m.getCall().getArgument(0).toString().matches("%/*%") and
+          this = m.getArgument(0)
+        )
+      )
+    }
+  }
+
+  deprecated class Configuration extends TaintTracking::Configuration {
+    Configuration() { this = "Web Cache Deception" }
+
+    override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+  }
+
+  private module Config implements DataFlow::ConfigSig {
+    predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+    predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+  }
+
+  module Flow = TaintTracking::Global<Config>;
+}
				`@@ -1 +0,0 @@`
				`\| WebCacheDeceptionGoChi.go:13:8:13:11 \| "/" \| Wildcard Endpoint used with "/" in file: WebCacheDeceptionGoChi.go \|`