Simplify PathAssignmentBarrier

Owen Mansel-Chan
2025-10-01 13:06:24 +01:00
parent 6d6852fb8d
commit c006777714


@@ -75,25 +75,18 @@ module OpenUrlRedirect {
} }
} }
bindingset[var, w]
pragma[inline_late]
private predicate useIsDominated(SsaWithFields var, Write w, DataFlow::ReadNode sanitizedRead) {
w.dominatesNode(sanitizedRead.asInstruction()) and
sanitizedRead = var.getAUse()
}
/** /**
* An access to a variable that is preceded by an assignment to its `Path` field. * An assignment of a safe value to the field `Path`, considered as a barrier for sanitizing
* untrusted URLs.
* *
* This is overapproximate; this will currently remove flow through all `Url.Path` assignments * This is overapproximate; this will currently remove flow through all `Url.Path` assignments
* which contain a substring that could sanitize data. * which contain a substring that could sanitize data.
*/ */
class PathAssignmentBarrier extends Barrier, Read { class PathAssignmentBarrier extends Barrier {
PathAssignmentBarrier() { PathAssignmentBarrier() {
exists(Write w, SsaWithFields var | exists(Write w, DataFlow::Node rhs |
hasHostnameSanitizingSubstring(w.getRhs()) and hasHostnameSanitizingSubstring(rhs) and
w.writesFieldPreUpdate(var.getAUse(), any(Field f | f.getName() = "Path"), _) and w.writesFieldPreUpdate(this, any(Field f | f.getName() = "Path"), rhs)
useIsDominated(var, w, this)
) )
} }
} }
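Review bot: With `w.writesFieldPreUpdate(this, any(Field f | f.getName() = "Path"), rhs)` the barrier is now the base node of the `Path` write rather than every read dominated by that write, so later reads of the same URL value stay sanitized only if local flow to them passes through that node. The hunk does not show that; if flow instead runs from the SSA definition straight to each use, the query would start reporting redirects that the removed `useIsDominated` check used to suppress, so a test that assigns a sanitizing `Path` and redirects to the variable in a later statement would pin the behaviour. The doc comment could also name the barrier node, for example `* The barrier node is the base of the field write (presumably its pre-update node), not the assigned value.` Separately, `f.getName() = "Path"` matches a field called `Path` on any type, which is broader than the `Url.Path` the comment describes and can hide real open-redirect findings; restricting the field to the `net/url` `URL` type would narrow it. The enclosing `OpenUrlRedirect` module starts and ends outside the hunk.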