Golang: Mark filepath.IsLocal as a tainted-path sanitizer guard

2025-12-16 16:53:25 +01:00 · 2025-07-15 14:47:17 +01:00
parent b13f11883c
commit c8eefb7c5c
2 changed files with 22 additions and 0 deletions
--- a/go/ql/lib/semmle/go/security/TaintedPathCustomizations.qll
+++ b/go/ql/lib/semmle/go/security/TaintedPathCustomizations.qll
@@ -243,4 +243,20 @@ module TaintedPath {

    override predicate checks(Expr e, boolean branch) { regexpFunctionChecksExpr(this, e, branch) }
  }
+
+  /**
+   * A call of the form `filepath.IsLocal(path)` considered as a sanitizer guard for `path`.
+   */
+  class IsLocalCheck extends SanitizerGuard, DataFlow::CallNode {
+    IsLocalCheck() {
+      exists(Function f |
+        f.hasQualifiedName("filepath", "IsLocal") and
+        this = f.getACall()
+      )
+    }
+
+    override predicate checks(Expr e, boolean branch) {
+      e = this.getArgument(0).asExpr() and branch = true
+    }
+  }
 }
--- a/go/ql/test/query-tests/Security/CWE-022/TaintedPath.go
+++ b/go/ql/test/query-tests/Security/CWE-022/TaintedPath.go
@@ -93,4 +93,10 @@ func handler(w http.ResponseWriter, r *http.Request) {
 	}

 	data, _ = ioutil.ReadFile(part.FileName())
+
+	// GOOD: An attempt has been made to prevent path traversal
+	if filepath.IsLocal(tainted_path) {
+		data, _ = ioutil.ReadFile(tainted_path)
+		w.Write(data)
+	}
 }