Add tests for tainted path sanitizers and sanitizer guards

2022-01-19 00:12:07 +00:00 · 2022-01-19 00:12:07 +00:00 · 85319b2dbf
--- a/ql/test/query-tests/Security/CWE-022/TaintedPath.expected
+++ b/ql/test/query-tests/Security/CWE-022/TaintedPath.expected
@ -1,19 +1,19 @@
 edges
-| TaintedPath.go:10:10:10:14 | selection of URL : pointer type | TaintedPath.go:13:29:13:32 | path |
-| TaintedPath.go:10:10:10:14 | selection of URL : pointer type | TaintedPath.go:17:28:17:61 | call to Join |
+| TaintedPath.go:12:10:12:14 | selection of URL : pointer type | TaintedPath.go:15:29:15:32 | path |
+| TaintedPath.go:12:10:12:14 | selection of URL : pointer type | TaintedPath.go:19:28:19:61 | call to Join |
 | tst.go:14:2:14:39 | ... := ...[1] : pointer type | tst.go:17:41:17:47 | implicit dereference : FileHeader |
 | tst.go:14:2:14:39 | ... := ...[1] : pointer type | tst.go:17:41:17:56 | selection of Filename |
 | tst.go:17:41:17:47 | implicit dereference : FileHeader | tst.go:17:41:17:47 | implicit dereference : FileHeader |
 | tst.go:17:41:17:47 | implicit dereference : FileHeader | tst.go:17:41:17:56 | selection of Filename |
 nodes
-| TaintedPath.go:10:10:10:14 | selection of URL : pointer type | semmle.label | selection of URL : pointer type |
-| TaintedPath.go:13:29:13:32 | path | semmle.label | path |
-| TaintedPath.go:17:28:17:61 | call to Join | semmle.label | call to Join |
+| TaintedPath.go:12:10:12:14 | selection of URL : pointer type | semmle.label | selection of URL : pointer type |
+| TaintedPath.go:15:29:15:32 | path | semmle.label | path |
+| TaintedPath.go:19:28:19:61 | call to Join | semmle.label | call to Join |
 | tst.go:14:2:14:39 | ... := ...[1] : pointer type | semmle.label | ... := ...[1] : pointer type |
 | tst.go:17:41:17:47 | implicit dereference : FileHeader | semmle.label | implicit dereference : FileHeader |
 | tst.go:17:41:17:56 | selection of Filename | semmle.label | selection of Filename |
 subpaths
 #select
-| TaintedPath.go:13:29:13:32 | path | TaintedPath.go:10:10:10:14 | selection of URL : pointer type | TaintedPath.go:13:29:13:32 | path | This path depends on $@. | TaintedPath.go:10:10:10:14 | selection of URL | a user-provided value |
-| TaintedPath.go:17:28:17:61 | call to Join | TaintedPath.go:10:10:10:14 | selection of URL : pointer type | TaintedPath.go:17:28:17:61 | call to Join | This path depends on $@. | TaintedPath.go:10:10:10:14 | selection of URL | a user-provided value |
+| TaintedPath.go:15:29:15:32 | path | TaintedPath.go:12:10:12:14 | selection of URL : pointer type | TaintedPath.go:15:29:15:32 | path | This path depends on $@. | TaintedPath.go:12:10:12:14 | selection of URL | a user-provided value |
+| TaintedPath.go:19:28:19:61 | call to Join | TaintedPath.go:12:10:12:14 | selection of URL : pointer type | TaintedPath.go:19:28:19:61 | call to Join | This path depends on $@. | TaintedPath.go:12:10:12:14 | selection of URL | a user-provided value |
 | tst.go:17:41:17:56 | selection of Filename | tst.go:14:2:14:39 | ... := ...[1] : pointer type | tst.go:17:41:17:56 | selection of Filename | This path depends on $@. | tst.go:14:2:14:39 | ... := ...[1] | a user-provided value |
--- a/ql/test/query-tests/Security/CWE-022/TaintedPath.go
+++ b/ql/test/query-tests/Security/CWE-022/TaintedPath.go
@ -4,6 +4,8 @@ import (
 	"io/ioutil"
 	"net/http"
 	"path/filepath"
+	"regexp"
+	"strings"
 )

 func handler(w http.ResponseWriter, r *http.Request) {
@ -16,4 +18,37 @@ func handler(w http.ResponseWriter, r *http.Request) {
 	// BAD: This could still read any file on the file system
 	data, _ = ioutil.ReadFile(filepath.Join("/home/user/", path))
 	w.Write(data)
+
+	// GOOD: This can only read inside the provided safe path
+	sanitized_filepath, _ := filepath.Rel("/home/user/safepath", path)
+	data, _ = ioutil.ReadFile(sanitized_filepath)
+	w.Write(data)
+
+	// GOOD: This can only read inside the provided safe path
+	if !strings.Contains(path, "..") {
+		data, _ = ioutil.ReadFile(path)
+		w.Write(data)
+	}
+
+	// GOOD: This can only read inside the provided safe path
+	_, err := filepath.Rel("/home/user/safepath", path)
+	if err == nil {
+		data, _ = ioutil.ReadFile(path)
+		w.Write(data)
+	}
+
+	// GOOD: An attempt has been made to ensure that this can only read inside
+	// the provided safe path
+	if strings.HasPrefix(path, "/home/user/safepath/") {
+		data, _ = ioutil.ReadFile(path)
+		w.Write(data)
+	}
+
+	// GOOD: An attempt has been made to ensure that this can only read inside
+	// the provided safe path
+	matched, _ := regexp.MatchString("\\.\\.", path)
+	if !matched {
+		data, _ = ioutil.ReadFile(filepath.Join("/home/user/", path))
+		w.Write(data)
+	}
 }