
Commit a2e2e26

author
Sauyon Lee
committed
Merge branch 'master' into WebsocketXss
2 parents d1d4c2e + f599a50 commit a2e2e26

10 files changed

Lines changed: 32 additions & 46 deletions


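--- a/ql/src/semmle/go/frameworks/Stdlib.qll
+++ b/ql/src/semmle/go/frameworks/Stdlib.qll
@@ -791,6 +791,7 @@ module Log {
 
 /** Provides models of some functions in the `encoding/json` package. */
 module EncodingJson {
+/** The `Marshal` or `MarshalIndent` function in the `encoding/json` package. */
 class MarshalFunction extends TaintTracking::FunctionModel, MarshalingFunction::Range {
 MarshalFunction() {
 this.hasQualifiedName("encoding/json", "Marshal") or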

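--- a/ql/src/semmle/go/security/AllocationSizeOverflowCustomizations.qll
+++ b/ql/src/semmle/go/security/AllocationSizeOverflowCustomizations.qll
@@ -51,9 +51,7 @@ module AllocationSizeOverflow {
 exists(MarshalingFunction marshal, DataFlow::CallNode call |
 call = marshal.getACall() and
 // rule out cases where we can tell that the result will always be small
-exists(FunctionInput inp | inp = marshal.getAnInput() |
-isBig(inp.getNode(call).asExpr())
-) and
+exists(FunctionInput inp | inp = marshal.getAnInput() | isBig(inp.getNode(call).asExpr())) and
 this = marshal.getOutput().getNode(call)
 )
 }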
Lines changed: 2 additions & 0 deletions
@@ -0,0 +1,2 @@
1+
| PackageName/test |
2+
| PackageName/v2/test |
Lines changed: 18 additions & 0 deletions
@@ -0,0 +1,18 @@
1+
import go
2+
3+
from string path
4+
where
5+
(
6+
path = "PackageName/v2/test" or // OK
7+
path = "PackageName/test" or // OK
8+
path = "PackageName//v//test" or // NOT OK
9+
path = "PackageName//v/test" or // NOT OK
10+
path = "PackageName/v//test" or // NOT OK
11+
path = "PackageName/v/asd/v2/test" or // NOT OK
12+
path = "PackageName/v/test" or // NOT OK
13+
path = "PackageName//v2//test" or // NOT OK
14+
path = "PackageName//v2/test" or // NOT OK
15+
path = "PackageName/v2//test" // NOT OK
16+
) and
17+
path = package("PackageName", "test")
18+
select path
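Review bot: The negative cases all exercise doubled or empty path separators (`PackageName//v//test`, `PackageName/v/test`, `PackageName/v/asd/v2/test`), but nothing pins how the version segment itself is matched: there is no multi-digit major version such as `PackageName/v10/test`, which should be accepted if the predicate matches `v` followed by digits as the `v2` case suggests, and no non-numeric suffix such as `PackageName/vx/test` or `PackageName/v2x/test` that should be rejected. Adding `path = "PackageName/v10/test" or // OK` and `path = "PackageName/vx/test" or // NOT OK` to the disjunction, with the `v10` row added to the expected file, would lock in that boundary. I have not seen the `package` predicate's definition, so whether `v10` is meant to be accepted is an assumption to confirm against it.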

ql/test/library-tests/semmle/go/Packages/packagePredicate.go

Lines changed: 0 additions & 22 deletions
This file was deleted.

ql/test/library-tests/semmle/go/Packages/predicate.expected

Lines changed: 0 additions & 2 deletions
This file was deleted.

ql/test/library-tests/semmle/go/Packages/predicate.ql

Lines changed: 0 additions & 8 deletions
This file was deleted.

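--- a/ql/test/library-tests/semmle/go/frameworks/Websocket/DialFunction.expected
+++ b/ql/test/library-tests/semmle/go/frameworks/Websocket/DialFunction.expected
@@ -1,8 +1,8 @@
-| DialFunction.go:25:11:25:52 | call to Dial | DialFunction.go:25:26:25:39 | untrustedInput |
-| DialFunction.go:28:12:28:39 | call to DialConfig | DialFunction.go:27:35:27:48 | untrustedInput |
+| DialFunction.go:25:2:25:43 | call to Dial | DialFunction.go:25:17:25:30 | untrustedInput |
+| DialFunction.go:28:2:28:29 | call to DialConfig | DialFunction.go:27:35:27:48 | untrustedInput |
 | DialFunction.go:30:2:30:49 | call to Dial | DialFunction.go:30:30:30:43 | untrustedInput |
-| DialFunction.go:33:2:33:38 | call to Dial | DialFunction.go:33:14:33:27 | untrustedInput |
-| DialFunction.go:35:2:35:61 | call to DialContext | DialFunction.go:35:37:35:50 | untrustedInput |
+| DialFunction.go:33:2:33:33 | call to Dial | DialFunction.go:33:14:33:27 | untrustedInput |
+| DialFunction.go:35:2:35:56 | call to DialContext | DialFunction.go:35:37:35:50 | untrustedInput |
 | DialFunction.go:37:2:37:44 | call to Dial | DialFunction.go:37:30:37:43 | untrustedInput |
 | DialFunction.go:40:2:40:45 | call to Dial | DialFunction.go:40:31:40:44 | untrustedInput |
 | DialFunction.go:42:2:42:31 | call to BuildProxy | DialFunction.go:42:17:42:30 | untrustedInput |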

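--- a/ql/test/library-tests/semmle/go/frameworks/Websocket/DialFunction.go
+++ b/ql/test/library-tests/semmle/go/frameworks/Websocket/DialFunction.go
@@ -17,22 +17,22 @@ import (
 )
 
 func main() {
-untrustedInput := r.Referer()
+untrustedInput := "referrer"
 
 origin := "http://localhost/"
 
 // bad as input is directly passed to dial function
-ws, _ := websocket.Dial(untrustedInput, "", origin)
+websocket.Dial(untrustedInput, "", origin)
 
 config, _ := websocket.NewConfig(untrustedInput, origin) // good
-ws2, _ := websocket.DialConfig(config)
+websocket.DialConfig(config)
 
 nhooyr.Dial(context.TODO(), untrustedInput, nil)
 
 dialer := gorilla.Dialer{}
-dialer.Dial(untrustedInput, r.Header)
+dialer.Dial(untrustedInput, nil)
 
-dialer.DialContext(context.TODO(), untrustedInput, r.Header)
+dialer.DialContext(context.TODO(), untrustedInput, nil)
 
 gobwas.Dial(context.TODO(), untrustedInput)
 
@@ -41,5 +41,4 @@ func main() {
 
 sac.BuildProxy(untrustedInput)
 sac.New(untrustedInput)
-
 }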
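Review bot: The `// good` label on line 27 (`config, _ := websocket.NewConfig(untrustedInput, origin) // good`) contradicts what the test asserts: the updated DialFunction.expected still lists `call to DialConfig` at line 28 with `untrustedInput` at 27:35 as its reported argument, so the config-built dial is treated as a dial with untrusted input, not as a safe case. I would change the comment to `config, _ := websocket.NewConfig(untrustedInput, origin) // bad: URL comes from untrusted input, reported at the DialConfig call below`. Separately, replacing `r.Referer()` and `r.Header` with a literal and `nil` removes every visible use of `r`; if the import block above the hunk pulled in `net/http` only for `r`, that import is now unused and the file will not compile as Go, which is worth confirming since the imports are outside the hunk. The body of `main` continues between the two hunks (lines 39–40 are not shown).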

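--- a/ql/test/query-tests/Security/CWE-079/tst.go
+++ b/ql/test/query-tests/Security/CWE-079/tst.go
@@ -65,7 +65,7 @@ func serve9(log io.Writer) {
 r.ParseForm()
 username := r.Form.Get("username")
 // OK: not a ResponseWriter
-log.Write(username)
+log.Write([]byte(username))
 })
 http.ListenAndServe(":80", nil)
 }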
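Review bot: The comment `// OK: not a ResponseWriter` on line 67 is correct for the XSS query this fixture exercises, but the line it annotates now writes raw form input (`username` from `r.Form.Get("username")`) straight into the `log` writer, which is the log-injection shape rather than something a reader should take as harmless. Since this is a deliberate negative case, I would make the scope explicit: `// OK for XSS: not a ResponseWriter (the unsanitized log write is a separate log-injection concern, not exercised here)`. The `[]byte(username)` conversion fixes the type error of passing a string to `io.Writer.Write`; ignoring the returned count and error is acceptable in a fixture. `serve9` starts before this hunk.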
