
Commit ffd4e52

committed
Formattinga and change notes
1 parent db14838 commit ffd4e52


2 files changed

+13
-7
lines changed

Lines changed: 5 additions & 0 deletions
@@ -0,0 +1,5 @@
1+
2+
* ---
3+
category: minorAnalysis
4+
---
5+
* Added filepath.Base, strings.ReplaceAll, http.ParseMultipartForm sanitizers and remove path sanitizer.

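--- a/go/ql/lib/semmle/go/security/TaintedPathCustomizations.qll
+++ b/go/ql/lib/semmle/go/security/TaintedPathCustomizations.qll
@@ -6,6 +6,7 @@
 import go
 import semmle.go.dataflow.barrierguardutil.RegexpCheck
 import DataFlow
+
 /**
 * Provides extension points for customizing the taint tracking configuration for reasoning about
 * path-traversal vulnerabilities.
@@ -96,15 +97,15 @@ module TaintedPath {
 class FilepathCleanSanitizer extends Sanitizer {
 FilepathCleanSanitizer() {
 exists(DataFlow::CallNode cleanCall, StringOps::Concatenation concatNode |
-cleanCall =
-any(Function f | f.hasQualifiedName("path/filepath", "Clean")).getACall() and
+cleanCall = any(Function f | f.hasQualifiedName("path/filepath", "Clean")).getACall() and
 concatNode = cleanCall.getArgument(0) and
 concatNode.getOperand(0).asExpr().(StringLit).getValue() = "/" and
 this = cleanCall.getResult()
 )
 }
 }
-/**
+
+/**
 * A call to `filepath.Base(e)`, considered to sanitize `e` against path traversal.
 */
 class FilepathBaseSanitizer extends Sanitizer {
@@ -124,8 +125,8 @@ module TaintedPath {
 frn.getField().hasQualifiedName("mime/multipart", "FileHeader", "Filename") and
 this = frn
 )
-}
 }
+}
 
 /**
 * A check of the form `!strings.Contains(nd, "..")`, considered as a sanitizer guard for
@@ -144,15 +145,15 @@ module TaintedPath {
 branch = false
 }
 }
-/**
+
+/**
 * A replacement of the form `!strings.ReplaceAll(nd, "..")` or `!strings.ReplaceAll(nd, ".")`, considered as a sanitizer for
 * path traversal.
 */
 class DotDotReplace extends Sanitizer {
 DotDotReplace() {
 exists(DataFlow::CallNode cleanCall, DataFlow::Node valueNode |
-cleanCall =
-any(Function f | f.hasQualifiedName("strings", "ReplaceAll")).getACall() and
+cleanCall = any(Function f | f.hasQualifiedName("strings", "ReplaceAll")).getACall() and
 valueNode = cleanCall.getArgument(1) and
 valueNode.asExpr().(StringLit).getValue() = ["..", "."] and
 this = cleanCall.getResult()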
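Review bot: DotDotReplace constrains only the second argument of `strings.ReplaceAll` (`valueNode = cleanCall.getArgument(1)`), so the replacement string is never examined and a call such as `strings.ReplaceAll(nd, "..", ".")`, which rewrites `....` to `..`, would be accepted as a sanitizer and suppress a genuine path-traversal result. Add a constraint on the third argument, e.g. `cleanCall.getArgument(2).asExpr().(StringLit).getValue() = "" and` (a string literal containing no `.` would be equally safe), so that only dot-removing replacements act as barriers. The doc comment above the class also misdescribes the pattern, since `!strings.ReplaceAll(nd, "..")` is neither a boolean check nor a valid three-argument call; a line reading `* A call of the form strings.ReplaceAll(nd, "..", "") or strings.ReplaceAll(nd, ".", ""), considered as a sanitizer for` would match what the predicate actually recognises. The `exists` and the class body continue past the end of the hunk.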
