Move OpenUrlRedirect customisation into the query's qll file

2026-05-03 04:39:29 +02:00 · 2020-10-26 12:25:56 +00:00
parent 62c6b0dc37
commit f0c0a890a5
2 changed files with 17 additions and 17 deletions
--- a/ql/src/semmle/go/frameworks/Revel.qll
+++ b/ql/src/semmle/go/frameworks/Revel.qll
@@ -29,23 +29,6 @@ module Revel {
    }
  }

-  /**
-   * Reinstate the usual field propagation rules for fields, which the OpenURLRedirect
-   * query usually excludes, for fields of `Params` other than `Params.Fixed`.
-   */
-  private class PropagateParamsFields extends OpenUrlRedirect::AdditionalStep {
-    PropagateParamsFields() { this = "PropagateParamsFields" }
-
-    override predicate hasTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
-      exists(Field f, string field |
-        f.hasQualifiedName(packagePath(), "Params", field) and
-        field != "Fixed"
-      |
-        succ.(Read).readsField(pred, f)
-      )
-    }
-  }
-
  private class ParamsBind extends TaintTracking::FunctionModel, Method {
    ParamsBind() { this.hasQualifiedName(packagePath(), "Params", ["Bind", "BindJSON"]) }

--- a/ql/src/semmle/go/security/OpenUrlRedirectCustomizations.qll
+++ b/ql/src/semmle/go/security/OpenUrlRedirectCustomizations.qll
@@ -128,3 +128,20 @@ private class UnsafeFieldReadSanitizer extends SafeUrlFlow::SanitizerEdge {
    )
  }
 }
+
+/**
+ * Reinstate the usual field propagation rules for fields, which the OpenURLRedirect
+ * query usually excludes, for fields of `Params` other than `Params.Fixed`.
+ */
+private class PropagateParamsFields extends OpenUrlRedirect::AdditionalStep {
+  PropagateParamsFields() { this = "PropagateParamsFields" }
+
+  override predicate hasTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(Field f, string field |
+      f.hasQualifiedName(Revel::packagePath(), "Params", field) and
+      field != "Fixed"
+    |
+      succ.(Read).readsField(pred, f)
+    )
+  }
+}