Add model for net/http.NewRequest noting that if the URL is tainted then the response should be considered tainted also.

Chris Smowton
2020-09-23 08:46:36 +01:00
parent c61881acb3
commit c1fbbfb05a
2 changed files with 28 additions and 0 deletions


@@ -252,6 +252,14 @@ module NetHttp {
hasQualifiedName("net/http", "MaxBytesReader") and
(inp.isParameter(1) and outp.isResult())
or
// signature: func NewRequest(method, url string, body io.Reader) (*Request, error)
hasQualifiedName("net/http", "NewRequest") and
(inp.isParameter(1) and outp.isResult(0))
or
// signature: func NewRequestWithContext(ctx context.Context, method, url string, body io.Reader) (*Request, error)
hasQualifiedName("net/http", "NewRequestWithContext") and
(inp.isParameter(2) and outp.isResult(0))
or
// signature: func ReadRequest(b *bufio.Reader) (*Request, error)
hasQualifiedName("net/http", "ReadRequest") and
(inp.isParameter(0) and outp.isResult(0))
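Review bot: The two new disjuncts propagate taint only from the `url` argument (`inp.isParameter(1)` for NewRequest, `inp.isParameter(2)` for NewRequestWithContext) to the returned `*Request`. The `body` reader (parameter 2 and 3 respectively) is not modelled, so a request built from a tainted body would not carry taint through this step. If that is deliberate, a short comment would record it, for example `// only the URL is modelled: a tainted URL taints the returned *Request; body is intentionally not propagated here`. The commit message speaks of the "response" while `outp.isResult(0)` is the request, so such a comment would also settle which object is meant. The enclosing predicate starts and ends outside the hunk.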


@@ -27,6 +27,16 @@ func TaintStepTest_NetHttpMaxBytesReader_B0I0O0(sourceCQL interface{}) interface
return intoReadCloser957
}
func TaintStepTest_NetHttpNewRequest(taintedString string) interface{} {
result, _ := http.NewRequest("GET", taintedString, nil)
return result
}
func TaintStepTest_NetHttpNewRequestWithContext(taintedString string) interface{} {
result, _ := http.NewRequestWithContext(nil, "GET", taintedString, nil)
return result
}
func TaintStepTest_NetHttpReadRequest_B0I0O0(sourceCQL interface{}) interface{} {
fromReader520 := sourceCQL.(*bufio.Reader)
intoRequest443, _ := http.ReadRequest(fromReader520)
@@ -181,6 +191,16 @@ func RunAllTaints_NetHttp() {
out := TaintStepTest_NetHttpMaxBytesReader_B0I0O0(source)
sink(2, out)
}
{
source := newSource(24)
out := TaintStepTest_NetHttpNewRequest(source.(string))
sink(24, out)
}
{
source := newSource(25)
out := TaintStepTest_NetHttpNewRequestWithContext(source.(string))
sink(25, out)
}
{
source := newSource(3)
out := TaintStepTest_NetHttpReadRequest_B0I0O0(source)
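Review bot: In TaintStepTest_NetHttpNewRequestWithContext the call `http.NewRequestWithContext(nil, "GET", taintedString, nil)` passes a nil context, for which net/http returns a nil request and a "nil Context" error, and the discarded `_` hides that. The taint test presumably only needs the call to type-check, but a nil context is also what vet-style linters flag, so the fixture would be cleaner as `result, _ := http.NewRequestWithContext(context.Background(), "GET", taintedString, nil)`. That needs the `context` import, which lies outside the hunks shown. As a point of style, the two new helpers drop the `_B0I0O0` suffix and the `interface{}` parameter used by their neighbours, which is why RunAllTaints_NetHttp needs the `source.(string)` assertions; a one-line comment saying these are hand-written rather than generated would explain the difference.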