go/ql/lib/semmle/go/security Expand file tree Collapse file tree 1 file changed +17
-7
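--- a/go/ql/lib/semmle/go/security/<file-not-shown>
+++ b/go/ql/lib/semmle/go/security/<file-not-shown>
@@ -88,13 +88,23 @@ module TaintedPath {
     }
   }
 
-  /**An call to ParseMultipartForm creates multipart.Form and cleans multipart.Form.FileHeader.Filename using path.Base() */
-  class MultipartClean extends Sanitizer {
-    MultipartClean() {
-      exists(DataFlow::FieldReadNode frn |
-        frn.getField().hasQualifiedName("mime/multipart", "FileHeader", "Filename") and
-        this = frn
-      )
+  /**
+   * A read from the field `Filename` of the type `mime/multipart.FileHeader`,
+   * considered as a sanitizer for path traversal.
+   *
+   * The only way to create a `mime/multipart.FileHeader` is to create a
+   * `mime/multipart.Form`, which creates the `Filename` field of each
+   * `mime/multipart.FileHeader` by calling `Part.FileName`, which calls
+   * `path/filepath.Base` on its return value. In general `path/filepath.Base`
+   * is not a sanitizer for path traversal, but in this specific case where the
+   * output is going to be used as a filename rather than a directory name, it
+   * is adequate.
+   */
+  class MimeMultipartFileHeaderFilenameSanitizer extends Sanitizer {
+    MimeMultipartFileHeaderFilenameSanitizer() {
+      this.(DataFlow::FieldReadNode)
+          .getField()
+          .hasQualifiedName("mime/multipart", "FileHeader", "Filename")
     }
   }
 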
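Review bot: The soundness argument in the new doc comment for MimeMultipartFileHeaderFilenameSanitizer rests on `Part.FileName` being the only producer of `Filename`, but `mime/multipart.FileHeader` is an exported struct with exported fields, so application code (or a test double) can populate `Filename` directly, and this class then treats the read as sanitized even though `filepath.Base` never ran; the comment should record that assumption rather than state it as the only way. As far as I recall `filepath.Base` also returns `"."` and `".."` unchanged, so "adequate" holds only when the consumer joins the value against a fixed directory and does not interpret those two names specially — worth one sentence so a reader does not over-trust this sanitizer. I would add to the docstring: `This relies on the FileHeader having been produced by multipart parsing; a FileHeader constructed directly in user code is not cleaned by Part.FileName, and callers should not treat the result as safe for use as a directory component.` The enclosing module TaintedPath starts and ends outside the hunk.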