added *ReadBody* Methods as UntrustedFlowSource

2026-05-05 13:45:19 +02:00 · 2023-12-14 15:31:09 +01:00
parent bfa0fb6d74
commit d84333dad8
2 changed files with 13 additions and 5 deletions
--- a/go/ql/lib/semmle/go/frameworks/Fasthttp.qll
+++ b/go/ql/lib/semmle/go/frameworks/Fasthttp.qll
@@ -399,6 +399,12 @@ module Fasthttp {
            ]) and
          this = m.getACall().getResult(0)
        )
+        or
+        exists(Method m |
+          m.hasQualifiedName(packagePath(), "Request",
+            ["ReadBody", "ReadLimitBody", "ContinueReadBodyStream", "ContinueReadBody"]) and
+          this = m.getACall().getArgument(0)
+        )
      }
    }

--- a/go/ql/test/library-tests/semmle/go/frameworks/Fasthttp/fasthttp.go
+++ b/go/ql/test/library-tests/semmle/go/frameworks/Fasthttp/fasthttp.go
@@ -166,12 +166,13 @@ func fasthttpServer() {
 		body2, _ := requestCtx.Request.BodyInflate()      // $ UntrustedFlowSource="... := ...[0]"
 		body3, _ := requestCtx.Request.BodyUnbrotli()     // $ UntrustedFlowSource="... := ...[0]"
 		body4, _ := requestCtx.Request.BodyUncompressed() // $ UntrustedFlowSource="... := ...[0]"
-		requestCtx.Request.BodyStream()                   // $ UntrustedFlowSource="call to BodyStream"
-		requestCtx.Request.ReadBody(dstReader, 100, 1000)
-		requestCtx.Request.ReadLimitBody(dstReader, 100)
-		requestCtx.Request.ContinueReadBodyStream(dstReader, 100, true)
-		requestCtx.Request.ContinueReadBody(dstReader, 100)
 		fmt.Println(body1, body2, body3, body4)
+		requestCtx.Request.BodyStream() // $ UntrustedFlowSource="call to BodyStream"
+
+		requestCtx.Request.ReadBody(dstReader, 100, 1000)               // $ UntrustedFlowSource="dstReader"
+		requestCtx.Request.ReadLimitBody(dstReader, 100)                // $ UntrustedFlowSource="dstReader"
+		requestCtx.Request.ContinueReadBodyStream(dstReader, 100, true) // $ UntrustedFlowSource="dstReader"
+		requestCtx.Request.ContinueReadBody(dstReader, 100)             // $ UntrustedFlowSource="dstReader"

 		// Response methods
 		// Xss Sinks Related method
@@ -186,6 +187,7 @@ func fasthttpServer() {
 		fmt.Fprintf(rspWriter, "%s", userInputByte) // $ XssSink=userInputByte
 		io.WriteString(rspWriter, userInput)        // $ XssSink=userInput
 		io.TeeReader(userInputReader, rspWriter)    // $ XssSink=userInputReader
+		io.TeeReader(userInputReader, rspWriter)    // $ XssSink=userInputReader
 		bufioReader := bufio.NewReader(dstReader)
 		bufioReader.WriteTo(rspWriter) // $ XssSink=bufioReader
 		bytesUserInput := bytes.NewBuffer(userInputByte)