
Commit c4c0b22

committed
Formattinga and change notes
1 parent c9b49d3 commit c4c0b22


2 files changed

+13
-7
lines changed

Lines changed: 5 additions & 0 deletions
@@ -0,0 +1,5 @@
1+
2+
* ---
3+
category: minorAnalysis
4+
---
5+
* Added filepath.Base, strings.ReplaceAll, http.ParseMultipartForm sanitizers and remove path sanitizer.

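--- a/go/ql/lib/semmle/go/security/TaintedPathCustomizations.qll
+++ b/go/ql/lib/semmle/go/security/TaintedPathCustomizations.qll
@@ -6,6 +6,7 @@
 import go
 import semmle.go.dataflow.barrierguardutil.RegexpCheck
 import DataFlow
+
 /**
 * Provides extension points for customizing the taint tracking configuration for reasoning about
 * path-traversal vulnerabilities.
@@ -79,15 +80,15 @@ module TaintedPath {
 class FilepathCleanSanitizer extends Sanitizer {
 FilepathCleanSanitizer() {
 exists(DataFlow::CallNode cleanCall, StringOps::Concatenation concatNode |
-cleanCall =
-any(Function f | f.hasQualifiedName("path/filepath", "Clean")).getACall() and
+cleanCall = any(Function f | f.hasQualifiedName("path/filepath", "Clean")).getACall() and
 concatNode = cleanCall.getArgument(0) and
 concatNode.getOperand(0).asExpr().(StringLit).getValue() = "/" and
 this = cleanCall.getResult()
 )
 }
 }
-/**
+
+/**
 * A call to `filepath.Base(e)`, considered to sanitize `e` against path traversal.
 */
 class FilepathBaseSanitizer extends Sanitizer {
@@ -107,8 +108,8 @@ module TaintedPath {
 frn.getField().hasQualifiedName("mime/multipart", "FileHeader", "Filename") and
 this = frn
 )
-}
 }
+}
 
 /**
 * A check of the form `!strings.Contains(nd, "..")`, considered as a sanitizer guard for
@@ -127,15 +128,15 @@ module TaintedPath {
 branch = false
 }
 }
-/**
+
+/**
 * A replacement of the form `!strings.ReplaceAll(nd, "..")` or `!strings.ReplaceAll(nd, ".")`, considered as a sanitizer for
 * path traversal.
 */
 class DotDotReplace extends Sanitizer {
 DotDotReplace() {
 exists(DataFlow::CallNode cleanCall, DataFlow::Node valueNode |
-cleanCall =
-any(Function f | f.hasQualifiedName("strings", "ReplaceAll")).getACall() and
+cleanCall = any(Function f | f.hasQualifiedName("strings", "ReplaceAll")).getACall() and
 valueNode = cleanCall.getArgument(1) and
 valueNode.asExpr().(StringLit).getValue() = ["..", "."] and
 this = cleanCall.getResult()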
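Review bot: The doc comment on `DotDotReplace` in the last hunk does not describe the code under it: `strings.ReplaceAll` takes three arguments and returns a string, so the leading `!` and the two-argument form look carried over from the `strings.Contains` guard above. I would reword it to `* A call of the form strings.ReplaceAll(nd, "..", r) or strings.ReplaceAll(nd, ".", r), considered as a sanitizer for path traversal.` The visible conjuncts only pin argument 1 to `".."` or `"."` and leave the replacement (argument 2) unconstrained, so as far as this hunk shows a call whose replacement itself contains dots would still clear the taint and could hide a real path-traversal finding. If the rest of the predicate, which continues past the end of the hunk, does not already restrict it, one option is to add `cleanCall.getArgument(2).asExpr().(StringLit).getValue() = "" and`, or to state in the comment that the replacement is deliberately not checked.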
