hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-16 16:53:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix OpenUrlRedirect barrier for write to Url.Host

Browse Source
This commit is contained in:
Owen Mansel-Chan
2025-09-25 16:13:43 +01:00
parent 414bab1f30
commit c9a2816bfe
2 changed files with 4 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
go/ql/lib/semmle/go/security/OpenUrlRedirect.qll
View File

@@ -48,8 +48,10 @@ module OpenUrlRedirect {
predicate isBarrierOut(DataFlow::Node node) {
// block propagation of this unsafe value when its host is overwritten
exists(Write w, Field f | f.hasQualifiedName("net/url", "URL", "Host") |
w.writesField(node.(DataFlow::PostUpdateNode).getPreUpdateNode(), f, _)
exists(Write w, Field f, DataFlow::Node base |
f.hasQualifiedName("net/url", "URL", "Host") and
w.writesField(base, f, _) and
base.(DataFlow::PostUpdateNode).getPreUpdateNode() = node
)
or
hostnameSanitizingPrefixEdge(node, _)

32
go/ql/test/query-tests/Security/CWE-601/OpenUrlRedirect/OpenUrlRedirect.expected
View File

@@ -10,8 +10,6 @@
| stdlib.go:188:23:188:28 | target | stdlib.go:186:13:186:33 | call to FormValue | stdlib.go:188:23:188:28 | target | This path to an untrusted URL redirection depends on a $@. | stdlib.go:186:13:186:33 | call to FormValue | user-provided value |
| stdlib.go:196:23:196:33 | selection of Path | stdlib.go:194:36:194:56 | call to FormValue | stdlib.go:196:23:196:33 | selection of Path | This path to an untrusted URL redirection depends on a $@. | stdlib.go:194:36:194:56 | call to FormValue | user-provided value |
| stdlib.go:198:23:198:42 | call to EscapedPath | stdlib.go:194:36:194:56 | call to FormValue | stdlib.go:198:23:198:42 | call to EscapedPath | This path to an untrusted URL redirection depends on a $@. | stdlib.go:194:36:194:56 | call to FormValue | user-provided value |
| stdlib.go:201:23:201:33 | selection of Path | stdlib.go:194:36:194:56 | call to FormValue | stdlib.go:201:23:201:33 | selection of Path | This path to an untrusted URL redirection depends on a $@. | stdlib.go:194:36:194:56 | call to FormValue | user-provided value |
| stdlib.go:203:23:203:37 | call to String | stdlib.go:194:36:194:56 | call to FormValue | stdlib.go:203:23:203:37 | call to String | This path to an untrusted URL redirection depends on a $@. | stdlib.go:194:36:194:56 | call to FormValue | user-provided value |
| stdlib.go:212:23:212:28 | selection of Path | stdlib.go:210:12:210:30 | call to FormValue | stdlib.go:212:23:212:28 | selection of Path | This path to an untrusted URL redirection depends on a $@. | stdlib.go:210:12:210:30 | call to FormValue | user-provided value |
| stdlib.go:214:23:214:32 | call to String | stdlib.go:210:12:210:30 | call to FormValue | stdlib.go:214:23:214:32 | call to String | This path to an untrusted URL redirection depends on a $@. | stdlib.go:210:12:210:30 | call to FormValue | user-provided value |
edges
@@ -59,28 +57,11 @@ edges
| stdlib.go:196:23:196:28 | target | stdlib.go:196:23:196:28 | implicit dereference | provenance | Config |
| stdlib.go:196:23:196:28 | target | stdlib.go:196:23:196:33 | selection of Path | provenance | Config Sink:MaD:1 |
| stdlib.go:196:23:196:28 | target | stdlib.go:198:23:198:28 | target | provenance | |
| stdlib.go:196:23:196:28 | target | stdlib.go:199:3:199:8 | target | provenance | |
| stdlib.go:196:23:196:28 | target [postupdate] | stdlib.go:196:23:196:28 | implicit dereference | provenance | Config |
| stdlib.go:196:23:196:28 | target [postupdate] | stdlib.go:198:23:198:28 | target | provenance | |
| stdlib.go:196:23:196:28 | target [postupdate] | stdlib.go:199:3:199:8 | target | provenance | |
| stdlib.go:198:23:198:28 | target | stdlib.go:198:23:198:42 | call to EscapedPath | provenance | Config Sink:MaD:1 |
| stdlib.go:199:3:199:8 | implicit dereference | stdlib.go:199:3:199:8 | target [postupdate] | provenance | Config |
| stdlib.go:199:3:199:8 | target | stdlib.go:199:3:199:8 | implicit dereference | provenance | Config |
| stdlib.go:199:3:199:8 | target | stdlib.go:201:23:201:28 | target | provenance | |
| stdlib.go:199:3:199:8 | target [postupdate] | stdlib.go:199:3:199:8 | implicit dereference | provenance | Config |
| stdlib.go:199:3:199:8 | target [postupdate] | stdlib.go:201:23:201:28 | target | provenance | |
| stdlib.go:201:23:201:28 | implicit dereference | stdlib.go:201:23:201:28 | target [postupdate] | provenance | Config |
| stdlib.go:201:23:201:28 | implicit dereference | stdlib.go:201:23:201:33 | selection of Path | provenance | Config Sink:MaD:1 |
| stdlib.go:201:23:201:28 | target | stdlib.go:201:23:201:28 | implicit dereference | provenance | Config |
| stdlib.go:201:23:201:28 | target | stdlib.go:201:23:201:33 | selection of Path | provenance | Config Sink:MaD:1 |
| stdlib.go:201:23:201:28 | target | stdlib.go:203:23:203:28 | target | provenance | |
| stdlib.go:201:23:201:28 | target [postupdate] | stdlib.go:201:23:201:28 | implicit dereference | provenance | Config |
| stdlib.go:201:23:201:28 | target [postupdate] | stdlib.go:203:23:203:28 | target | provenance | |
| stdlib.go:203:23:203:28 | target | stdlib.go:203:23:203:37 | call to String | provenance | Config Sink:MaD:1 |
| stdlib.go:210:3:210:3 | implicit dereference | stdlib.go:210:3:210:3 | u [postupdate] | provenance | Config |
| stdlib.go:210:3:210:3 | implicit dereference [postupdate] | stdlib.go:210:3:210:3 | u [postupdate] | provenance | Config |
| stdlib.go:210:3:210:3 | implicit dereference [postupdate] | stdlib.go:210:3:210:3 | u [postupdate] [pointer] | provenance | |
| stdlib.go:210:3:210:3 | u [postupdate] | stdlib.go:210:3:210:3 | implicit dereference | provenance | Config |
| stdlib.go:210:3:210:3 | u [postupdate] | stdlib.go:212:23:212:23 | u | provenance | |
| stdlib.go:210:3:210:3 | u [postupdate] [pointer] | stdlib.go:212:23:212:23 | u [pointer] | provenance | |
| stdlib.go:210:12:210:30 | call to FormValue | stdlib.go:210:3:210:3 | implicit dereference [postupdate] | provenance | Src:MaD:3 Config |
@@ -155,16 +136,6 @@ nodes
| stdlib.go:196:23:196:33 | selection of Path | semmle.label | selection of Path |
| stdlib.go:198:23:198:28 | target | semmle.label | target |
| stdlib.go:198:23:198:42 | call to EscapedPath | semmle.label | call to EscapedPath |
| stdlib.go:199:3:199:8 | implicit dereference | semmle.label | implicit dereference |
| stdlib.go:199:3:199:8 | target | semmle.label | target |
| stdlib.go:199:3:199:8 | target [postupdate] | semmle.label | target [postupdate] |
| stdlib.go:201:23:201:28 | implicit dereference | semmle.label | implicit dereference |
| stdlib.go:201:23:201:28 | target | semmle.label | target |
| stdlib.go:201:23:201:28 | target [postupdate] | semmle.label | target [postupdate] |
| stdlib.go:201:23:201:33 | selection of Path | semmle.label | selection of Path |
| stdlib.go:203:23:203:28 | target | semmle.label | target |
| stdlib.go:203:23:203:37 | call to String | semmle.label | call to String |
| stdlib.go:210:3:210:3 | implicit dereference | semmle.label | implicit dereference |
| stdlib.go:210:3:210:3 | implicit dereference [postupdate] | semmle.label | implicit dereference [postupdate] |
| stdlib.go:210:3:210:3 | u [postupdate] | semmle.label | u [postupdate] |
| stdlib.go:210:3:210:3 | u [postupdate] [pointer] | semmle.label | u [postupdate] [pointer] |
@@ -177,6 +148,3 @@ nodes
| stdlib.go:214:23:214:23 | u | semmle.label | u |
| stdlib.go:214:23:214:32 | call to String | semmle.label | call to String |
subpaths
testFailures
| stdlib.go:201:23:201:33 | selection of Path | Fixed missing result: Alert |
| stdlib.go:203:23:203:37 | call to String | Unexpected result: Alert |