зеркало из https://github.com/github/codeql.git
Rename `UntrustedFlowSource` to `RemoteFlowSource`
Only the whole word. Skipped one instance in an old change note.
This commit is contained in:
Owen Mansel-Chan
Родитель
da3fa22cbd
Коммит
5fba9895c6
|
|
@ -15,14 +15,14 @@ Sources
|
|||
-------
|
||||
|
||||
To mark a source of data that is controlled by an untrusted user, we
|
||||
create a class extending ``UntrustedFlowSource::Range``. Inheritance and
|
||||
create a class extending ``RemoteFlowSource::Range``. Inheritance and
|
||||
the characteristic predicate of the class should be used to specify
|
||||
exactly the dataflow node that introduces the data. Here is a short
|
||||
example from ``Mux.qll``.
|
||||
|
||||
.. code-block:: ql
|
||||
|
||||
class RequestVars extends DataFlow::UntrustedFlowSource::Range, DataFlow::CallNode {
|
||||
class RequestVars extends DataFlow::RemoteFlowSource::Range, DataFlow::CallNode {
|
||||
RequestVars() { this.getTarget().hasQualifiedName("github.com/gorilla/mux", "Vars") }
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -13,14 +13,14 @@ Sources
|
|||
-------
|
||||
|
||||
To mark a source of data that is controlled by an untrusted user, we
|
||||
create a class extending ``UntrustedFlowSource::Range``. Inheritance and
|
||||
create a class extending ``RemoteFlowSource::Range``. Inheritance and
|
||||
the characteristic predicate of the class should be used to specify
|
||||
exactly the dataflow node that introduces the data. Here is a short
|
||||
example from ``Mux.qll``.
|
||||
|
||||
.. code-block:: ql
|
||||
|
||||
class RequestVars extends DataFlow::UntrustedFlowSource::Range, DataFlow::CallNode {
|
||||
class RequestVars extends DataFlow::RemoteFlowSource::Range, DataFlow::CallNode {
|
||||
RequestVars() { this.getTarget().hasQualifiedName("github.com/gorilla/mux", "Vars") }
|
||||
}
|
||||
|
||||
|
|
@ -119,4 +119,4 @@ Here is a short example from ``Stdlib.qll``, which has been slightly simplified.
|
|||
This has the effect that any call to ``Print``, ``Printf``, or
|
||||
``Println`` in the package ``fmt`` is recognized as a logger call.
|
||||
Any query that uses logger calls as a sink will then identify when tainted data
|
||||
has been passed as an argument to ``Print``, ``Printf``, or ``Println``.
|
||||
has been passed as an argument to ``Print``, ``Printf``, or ``Println``.
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@
|
|||
import go
|
||||
|
||||
/** A source of input data in an AWS Lambda. */
|
||||
private class LambdaInput extends UntrustedFlowSource::Range {
|
||||
private class LambdaInput extends RemoteFlowSource::Range {
|
||||
LambdaInput() {
|
||||
exists(Parameter p | p = this.asParameter() |
|
||||
p = any(HandlerFunction hf).getAParameter() and
|
||||
|
|
|
|||
|
|
@ -50,7 +50,7 @@ module Beego {
|
|||
/**
|
||||
* `BeegoInput` sources of untrusted data.
|
||||
*/
|
||||
private class BeegoInputSource extends UntrustedFlowSource::Range {
|
||||
private class BeegoInputSource extends RemoteFlowSource::Range {
|
||||
string methodName;
|
||||
|
||||
BeegoInputSource() {
|
||||
|
|
@ -81,7 +81,7 @@ module Beego {
|
|||
/**
|
||||
* `beego.Controller` sources of untrusted data.
|
||||
*/
|
||||
private class BeegoControllerSource extends UntrustedFlowSource::Range {
|
||||
private class BeegoControllerSource extends RemoteFlowSource::Range {
|
||||
BeegoControllerSource() {
|
||||
exists(string methodName, FunctionOutput output |
|
||||
methodName = "ParseForm" and
|
||||
|
|
@ -105,7 +105,7 @@ module Beego {
|
|||
/**
|
||||
* `BeegoInputRequestBody` sources of untrusted data.
|
||||
*/
|
||||
private class BeegoInputRequestBodySource extends UntrustedFlowSource::Range {
|
||||
private class BeegoInputRequestBodySource extends RemoteFlowSource::Range {
|
||||
BeegoInputRequestBodySource() {
|
||||
exists(DataFlow::FieldReadNode frn | this = frn |
|
||||
frn.getField().hasQualifiedName(contextPackagePath(), "BeegoInput", "RequestBody")
|
||||
|
|
@ -116,7 +116,7 @@ module Beego {
|
|||
/**
|
||||
* `beego/context.Context` sources of untrusted data.
|
||||
*/
|
||||
private class BeegoContextSource extends UntrustedFlowSource::Range {
|
||||
private class BeegoContextSource extends RemoteFlowSource::Range {
|
||||
BeegoContextSource() {
|
||||
exists(Method m | m.hasQualifiedName(contextPackagePath(), "Context", "GetCookie") |
|
||||
this = m.getACall().getResult()
|
||||
|
|
|
|||
|
|
@ -11,7 +11,7 @@ private module Chi {
|
|||
/**
|
||||
* Functions that extract URL parameters, considered as a source of untrusted flow.
|
||||
*/
|
||||
private class UserControlledFunction extends UntrustedFlowSource::Range, DataFlow::CallNode {
|
||||
private class UserControlledFunction extends RemoteFlowSource::Range, DataFlow::CallNode {
|
||||
UserControlledFunction() {
|
||||
this.getTarget().hasQualifiedName(packagePath(), ["URLParam", "URLParamFromCtx"])
|
||||
}
|
||||
|
|
@ -20,7 +20,7 @@ private module Chi {
|
|||
/**
|
||||
* Methods that extract URL parameters, considered as a source of untrusted flow.
|
||||
*/
|
||||
private class UserControlledRequestMethod extends UntrustedFlowSource::Range,
|
||||
private class UserControlledRequestMethod extends RemoteFlowSource::Range,
|
||||
DataFlow::MethodCallNode
|
||||
{
|
||||
UserControlledRequestMethod() {
|
||||
|
|
|
|||
|
|
@ -12,7 +12,7 @@ private module Echo {
|
|||
/**
|
||||
* Data from a `Context` interface method, considered as a source of untrusted flow.
|
||||
*/
|
||||
private class EchoContextSource extends UntrustedFlowSource::Range {
|
||||
private class EchoContextSource extends RemoteFlowSource::Range {
|
||||
EchoContextSource() {
|
||||
exists(DataFlow::MethodCallNode call, string methodName |
|
||||
methodName =
|
||||
|
|
@ -42,7 +42,7 @@ private module Echo {
|
|||
/**
|
||||
* A call to a method on `Context` struct that unmarshals data into a target.
|
||||
*/
|
||||
private class EchoContextBinder extends UntrustedFlowSource::Range {
|
||||
private class EchoContextBinder extends RemoteFlowSource::Range {
|
||||
EchoContextBinder() {
|
||||
exists(DataFlow::MethodCallNode call |
|
||||
call.getTarget().hasQualifiedName(packagePath(), "Context", "Bind")
|
||||
|
|
|
|||
|
|
@ -95,7 +95,7 @@ module ElazarlGoproxy {
|
|||
}
|
||||
}
|
||||
|
||||
private class UserControlledRequestData extends UntrustedFlowSource::Range {
|
||||
private class UserControlledRequestData extends RemoteFlowSource::Range {
|
||||
UserControlledRequestData() {
|
||||
exists(DataFlow::FieldReadNode frn | this = frn |
|
||||
// liberally consider ProxyCtx.UserData to be untrusted; it's a data field set by a request handler
|
||||
|
|
|
|||
|
|
@ -258,8 +258,8 @@ module Fasthttp {
|
|||
/**
|
||||
* The methods as Remote user controllable source which are part of the incoming URL.
|
||||
*/
|
||||
class UntrustedFlowSource extends UntrustedFlowSource::Range instanceof DataFlow::Node {
|
||||
UntrustedFlowSource() {
|
||||
class RemoteFlowSource extends RemoteFlowSource::Range instanceof DataFlow::Node {
|
||||
RemoteFlowSource() {
|
||||
exists(Method m |
|
||||
m.hasQualifiedName(packagePath(), "URI",
|
||||
["FullURI", "LastPathSegment", "Path", "PathOriginal", "QueryString", "String"]) and
|
||||
|
|
@ -278,8 +278,8 @@ module Fasthttp {
|
|||
*
|
||||
* When support for lambdas has been implemented we should model "VisitAll".
|
||||
*/
|
||||
class UntrustedFlowSource extends UntrustedFlowSource::Range instanceof DataFlow::Node {
|
||||
UntrustedFlowSource() {
|
||||
class RemoteFlowSource extends RemoteFlowSource::Range instanceof DataFlow::Node {
|
||||
RemoteFlowSource() {
|
||||
exists(Method m |
|
||||
m.hasQualifiedName(packagePath(), "Args",
|
||||
["Peek", "PeekBytes", "PeekMulti", "PeekMultiBytes", "QueryString", "String"]) and
|
||||
|
|
@ -389,8 +389,8 @@ module Fasthttp {
|
|||
/**
|
||||
* The methods as Remote user controllable source which can be many part of request.
|
||||
*/
|
||||
class UntrustedFlowSource extends UntrustedFlowSource::Range instanceof DataFlow::Node {
|
||||
UntrustedFlowSource() {
|
||||
class RemoteFlowSource extends RemoteFlowSource::Range instanceof DataFlow::Node {
|
||||
RemoteFlowSource() {
|
||||
exists(Method m |
|
||||
m.hasQualifiedName(packagePath(), "Request",
|
||||
[
|
||||
|
|
@ -468,8 +468,8 @@ module Fasthttp {
|
|||
*
|
||||
* When support for lambdas has been implemented we should model "VisitAll", "VisitAllCookie", "VisitAllInOrder", "VisitAllTrailer".
|
||||
*/
|
||||
class UntrustedFlowSource extends UntrustedFlowSource::Range instanceof DataFlow::Node {
|
||||
UntrustedFlowSource() {
|
||||
class RemoteFlowSource extends RemoteFlowSource::Range instanceof DataFlow::Node {
|
||||
RemoteFlowSource() {
|
||||
exists(Method m |
|
||||
m.hasQualifiedName(packagePath(), "RequestCtx",
|
||||
[
|
||||
|
|
@ -491,8 +491,8 @@ module Fasthttp {
|
|||
*
|
||||
* When support for lambdas has been implemented we should model "VisitAll", "VisitAllCookie", "VisitAllInOrder", "VisitAllTrailer".
|
||||
*/
|
||||
class UntrustedFlowSource extends UntrustedFlowSource::Range instanceof DataFlow::Node {
|
||||
UntrustedFlowSource() {
|
||||
class RemoteFlowSource extends RemoteFlowSource::Range instanceof DataFlow::Node {
|
||||
RemoteFlowSource() {
|
||||
exists(Method m |
|
||||
m.hasQualifiedName(packagePath(), "RequestHeader",
|
||||
[
|
||||
|
|
|
|||
|
|
@ -12,7 +12,7 @@ private module Gin {
|
|||
/**
|
||||
* Data from a `Context` struct, considered as a source of untrusted flow.
|
||||
*/
|
||||
private class GithubComGinGonicGinContextSource extends UntrustedFlowSource::Range {
|
||||
private class GithubComGinGonicGinContextSource extends RemoteFlowSource::Range {
|
||||
GithubComGinGonicGinContextSource() {
|
||||
// Method calls:
|
||||
exists(DataFlow::MethodCallNode call, string methodName |
|
||||
|
|
@ -39,7 +39,7 @@ private module Gin {
|
|||
/**
|
||||
* A call to a method on `Context` struct that unmarshals data into a target.
|
||||
*/
|
||||
private class GithubComGinGonicGinContextBindSource extends UntrustedFlowSource::Range {
|
||||
private class GithubComGinGonicGinContextBindSource extends RemoteFlowSource::Range {
|
||||
GithubComGinGonicGinContextBindSource() {
|
||||
exists(DataFlow::MethodCallNode call, string methodName |
|
||||
call.getTarget().hasQualifiedName(packagePath(), "Context", methodName) and
|
||||
|
|
|
|||
|
|
@ -35,7 +35,7 @@ module GoKit {
|
|||
DataFlow::exprNode(result.(FuncLit)) = getAnEndpointFactoryResult()
|
||||
}
|
||||
|
||||
private class EndpointRequest extends UntrustedFlowSource::Range {
|
||||
private class EndpointRequest extends RemoteFlowSource::Range {
|
||||
EndpointRequest() { this = DataFlow::parameterNode(getAnEndpointFunction().getParameter(1)) }
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -142,7 +142,7 @@ module GoMicro {
|
|||
/**
|
||||
* A set of remote requests from a service handler.
|
||||
*/
|
||||
class Request extends UntrustedFlowSource::Range instanceof DataFlow::ParameterNode {
|
||||
class Request extends RemoteFlowSource::Range instanceof DataFlow::ParameterNode {
|
||||
Request() {
|
||||
exists(ServiceHandler handler |
|
||||
this.asParameter().isParameterOf(handler.getFuncDecl(), 1) and
|
||||
|
|
|
|||
|
|
@ -27,14 +27,14 @@ private module GoRestfulHttp {
|
|||
/**
|
||||
* A model of go-restful's `Request` object as a source of user-controlled data.
|
||||
*/
|
||||
private class GoRestfulSource extends UntrustedFlowSource::Range {
|
||||
private class GoRestfulSource extends RemoteFlowSource::Range {
|
||||
GoRestfulSource() { this = any(GoRestfulSourceMethod g).getACall() }
|
||||
}
|
||||
|
||||
/**
|
||||
* A model of go-restful's `Request.ReadEntity` method as a source of user-controlled data.
|
||||
*/
|
||||
private class GoRestfulReadEntitySource extends UntrustedFlowSource::Range {
|
||||
private class GoRestfulReadEntitySource extends RemoteFlowSource::Range {
|
||||
GoRestfulReadEntitySource() {
|
||||
exists(DataFlow::MethodCallNode call |
|
||||
call.getTarget().hasQualifiedName(packagePath(), "Request", "ReadEntity")
|
||||
|
|
|
|||
|
|
@ -39,7 +39,7 @@ module Gqlgen {
|
|||
}
|
||||
|
||||
/** A parameter of a resolver method which receives untrusted input. */
|
||||
class ResolverParameter extends UntrustedFlowSource::Range instanceof DataFlow::ParameterNode {
|
||||
class ResolverParameter extends RemoteFlowSource::Range instanceof DataFlow::ParameterNode {
|
||||
ResolverParameter() {
|
||||
this.asParameter() = any(ResolverImplementationMethod h).getAnUntrustedParameter()
|
||||
}
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@ import go
|
|||
*/
|
||||
module Mux {
|
||||
/** An access to a Mux middleware variable. */
|
||||
class RequestVars extends DataFlow::UntrustedFlowSource::Range, DataFlow::CallNode {
|
||||
class RequestVars extends DataFlow::RemoteFlowSource::Range, DataFlow::CallNode {
|
||||
RequestVars() {
|
||||
this.getTarget().hasQualifiedName(package("github.com/gorilla/mux", ""), "Vars")
|
||||
}
|
||||
|
|
|
|||
|
|
@ -12,7 +12,7 @@ module Revel {
|
|||
result = package(["github.com/revel", "github.com/robfig"] + "/revel", "")
|
||||
}
|
||||
|
||||
private class ControllerParams extends UntrustedFlowSource::Range, DataFlow::FieldReadNode {
|
||||
private class ControllerParams extends RemoteFlowSource::Range, DataFlow::FieldReadNode {
|
||||
ControllerParams() {
|
||||
exists(Field f |
|
||||
this.readsField(_, f) and
|
||||
|
|
@ -32,7 +32,7 @@ module Revel {
|
|||
}
|
||||
}
|
||||
|
||||
private class RouteMatchParams extends UntrustedFlowSource::Range, DataFlow::FieldReadNode {
|
||||
private class RouteMatchParams extends RemoteFlowSource::Range, DataFlow::FieldReadNode {
|
||||
RouteMatchParams() {
|
||||
exists(Field f |
|
||||
this.readsField(_, f) and
|
||||
|
|
@ -42,9 +42,7 @@ module Revel {
|
|||
}
|
||||
|
||||
/** An access to an HTTP request field whose value may be controlled by an untrusted user. */
|
||||
private class UserControlledRequestField extends UntrustedFlowSource::Range,
|
||||
DataFlow::FieldReadNode
|
||||
{
|
||||
private class UserControlledRequestField extends RemoteFlowSource::Range, DataFlow::FieldReadNode {
|
||||
UserControlledRequestField() {
|
||||
exists(string fieldName |
|
||||
this.getField().hasQualifiedName(packagePath(), "Request", fieldName)
|
||||
|
|
@ -56,7 +54,7 @@ module Revel {
|
|||
}
|
||||
}
|
||||
|
||||
private class UserControlledRequestMethod extends UntrustedFlowSource::Range,
|
||||
private class UserControlledRequestMethod extends RemoteFlowSource::Range,
|
||||
DataFlow::MethodCallNode
|
||||
{
|
||||
UserControlledRequestMethod() {
|
||||
|
|
|
|||
|
|
@ -130,7 +130,7 @@ module Twirp {
|
|||
}
|
||||
|
||||
/** A request coming to the service handler. */
|
||||
class Request extends UntrustedFlowSource::Range instanceof DataFlow::ParameterNode {
|
||||
class Request extends RemoteFlowSource::Range instanceof DataFlow::ParameterNode {
|
||||
Request() {
|
||||
exists(ServiceHandler handler |
|
||||
this.asParameter().isParameterOf(handler.getFuncDecl(), 1) and
|
||||
|
|
|
|||
|
|
@ -127,7 +127,7 @@ module WebSocketRequestCall {
|
|||
/**
|
||||
* A message written to a WebSocket, considered as a flow sink for reflected XSS.
|
||||
*/
|
||||
class WebSocketReaderAsSource extends UntrustedFlowSource::Range {
|
||||
class WebSocketReaderAsSource extends RemoteFlowSource::Range {
|
||||
WebSocketReaderAsSource() {
|
||||
exists(WebSocketReader r | this = r.getAnOutput().getNode(r.getACall()))
|
||||
}
|
||||
|
|
|
|||
|
|
@ -9,9 +9,7 @@ private import semmle.go.dataflow.internal.FlowSummaryImpl::Private
|
|||
/** Provides models of commonly used functions in the `net/http` package. */
|
||||
module NetHttp {
|
||||
/** An access to an HTTP request field whose value may be controlled by an untrusted user. */
|
||||
private class UserControlledRequestField extends UntrustedFlowSource::Range,
|
||||
DataFlow::FieldReadNode
|
||||
{
|
||||
private class UserControlledRequestField extends RemoteFlowSource::Range, DataFlow::FieldReadNode {
|
||||
UserControlledRequestField() {
|
||||
exists(string fieldName | this.getField().hasQualifiedName("net/http", "Request", fieldName) |
|
||||
fieldName =
|
||||
|
|
|
|||
|
|
@ -30,7 +30,7 @@ module CommandInjection {
|
|||
abstract class Sanitizer extends DataFlow::Node { }
|
||||
|
||||
/** A source of untrusted data, considered as a taint source for command injection. */
|
||||
class UntrustedFlowAsSource extends Source instanceof UntrustedFlowSource { }
|
||||
class UntrustedFlowAsSource extends Source instanceof RemoteFlowSource { }
|
||||
|
||||
/** A command name, considered as a taint sink for command injection. */
|
||||
class CommandNameAsSink extends Sink {
|
||||
|
|
|
|||
|
|
@ -187,13 +187,13 @@ class UnknownExternalApiDataNode extends ExternalApiDataNode {
|
|||
deprecated class UntrustedDataToExternalApiConfig extends TaintTracking::Configuration {
|
||||
UntrustedDataToExternalApiConfig() { this = "UntrustedDataToExternalAPIConfig" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
|
||||
}
|
||||
|
||||
private module UntrustedDataConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
|
||||
}
|
||||
|
|
@ -211,13 +211,13 @@ module UntrustedDataToExternalApiFlow = DataFlow::Global<UntrustedDataConfig>;
|
|||
deprecated class UntrustedDataToUnknownExternalApiConfig extends TaintTracking::Configuration {
|
||||
UntrustedDataToUnknownExternalApiConfig() { this = "UntrustedDataToUnknownExternalAPIConfig" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof UnknownExternalApiDataNode }
|
||||
}
|
||||
|
||||
private module UntrustedDataToUnknownExternalApiConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof UnknownExternalApiDataNode }
|
||||
}
|
||||
|
|
|
|||
|
|
@ -9,17 +9,17 @@ private import semmle.go.dataflow.ExternalFlow as ExternalFlow
|
|||
* A source of data that is controlled by an untrusted user.
|
||||
*
|
||||
* Extend this class to refine existing API models. If you want to model new APIs,
|
||||
* extend `UntrustedFlowSource::Range` instead.
|
||||
* extend `RemoteFlowSource::Range` instead.
|
||||
*/
|
||||
class UntrustedFlowSource extends DataFlow::Node instanceof UntrustedFlowSource::Range { }
|
||||
class RemoteFlowSource extends DataFlow::Node instanceof RemoteFlowSource::Range { }
|
||||
|
||||
/** Provides a class for modeling new sources of untrusted data. */
|
||||
module UntrustedFlowSource {
|
||||
module RemoteFlowSource {
|
||||
/**
|
||||
* A source of data that is controlled by an untrusted user.
|
||||
*
|
||||
* Extend this class to model new APIs. If you want to refine existing API models,
|
||||
* extend `UntrustedFlowSource` instead.
|
||||
* extend `RemoteFlowSource` instead.
|
||||
*/
|
||||
abstract class Range extends DataFlow::Node { }
|
||||
|
||||
|
|
|
|||
|
|
@ -26,7 +26,7 @@ module LogInjection {
|
|||
abstract class Sanitizer extends DataFlow::Node { }
|
||||
|
||||
/** A source of untrusted data, considered as a taint source for log injection. */
|
||||
class UntrustedFlowAsSource extends Source instanceof UntrustedFlowSource { }
|
||||
class UntrustedFlowAsSource extends Source instanceof RemoteFlowSource { }
|
||||
|
||||
/** An argument to a logging mechanism. */
|
||||
class LoggerSink extends Sink {
|
||||
|
|
|
|||
|
|
@ -49,7 +49,7 @@ module MissingJwtSignatureCheck {
|
|||
}
|
||||
}
|
||||
|
||||
private class DefaultSource extends Source instanceof UntrustedFlowSource { }
|
||||
private class DefaultSource extends Source instanceof RemoteFlowSource { }
|
||||
|
||||
private class DefaultSink extends Sink {
|
||||
DefaultSink() { sinkNode(this, "jwt") }
|
||||
|
|
|
|||
|
|
@ -45,7 +45,7 @@ module OpenUrlRedirect {
|
|||
/**
|
||||
* A source of third-party user input, considered as a flow source for URL redirects.
|
||||
*/
|
||||
class UntrustedFlowAsSource extends Source, UntrustedFlowSource {
|
||||
class UntrustedFlowAsSource extends Source, RemoteFlowSource {
|
||||
UntrustedFlowAsSource() {
|
||||
// exclude some fields and methods of URLs that are generally not attacker-controllable for
|
||||
// open redirect exploits
|
||||
|
|
|
|||
|
|
@ -37,7 +37,7 @@ module ReflectedXss {
|
|||
/**
|
||||
* A third-party controllable input, considered as a flow source for reflected XSS.
|
||||
*/
|
||||
class UntrustedFlowAsSource extends Source, UntrustedFlowSource { }
|
||||
class UntrustedFlowAsSource extends Source, RemoteFlowSource { }
|
||||
|
||||
/** An arbitrary XSS sink, considered as a flow sink for stored XSS. */
|
||||
private class AnySink extends Sink instanceof SharedXss::Sink { }
|
||||
|
|
|
|||
|
|
@ -35,7 +35,7 @@ module RequestForgery {
|
|||
/**
|
||||
* A third-party controllable input, considered as a flow source for request forgery.
|
||||
*/
|
||||
class UntrustedFlowAsSource extends Source, UntrustedFlowSource { }
|
||||
class UntrustedFlowAsSource extends Source, RemoteFlowSource { }
|
||||
|
||||
/**
|
||||
* The URL of an HTTP request, viewed as a sink for request forgery.
|
||||
|
|
|
|||
|
|
@ -26,7 +26,7 @@ module SqlInjection {
|
|||
abstract class Sanitizer extends DataFlow::Node { }
|
||||
|
||||
/** A source of untrusted data, considered as a taint source for SQL injection. */
|
||||
class UntrustedFlowAsSource extends Source instanceof UntrustedFlowSource { }
|
||||
class UntrustedFlowAsSource extends Source instanceof RemoteFlowSource { }
|
||||
|
||||
/** An SQL string, considered as a taint sink for SQL injection. */
|
||||
class SqlQueryAsSink extends Sink instanceof SQL::QueryString { }
|
||||
|
|
|
|||
|
|
@ -45,7 +45,7 @@ module TaintedPath {
|
|||
}
|
||||
|
||||
/** A source of untrusted data, considered as a taint source for path traversal. */
|
||||
class UntrustedFlowAsSource extends Source instanceof UntrustedFlowSource { }
|
||||
class UntrustedFlowAsSource extends Source instanceof RemoteFlowSource { }
|
||||
|
||||
/** A path expression, considered as a taint sink for path traversal. */
|
||||
class PathAsSink extends Sink {
|
||||
|
|
|
|||
|
|
@ -21,7 +21,7 @@ module UncontrolledAllocationSize {
|
|||
abstract class Sanitizer extends DataFlow::Node { }
|
||||
|
||||
/** A source of untrusted data, considered as a taint source for uncontrolled size allocation vulnerabilities. */
|
||||
private class UntrustedFlowAsSource extends Source instanceof UntrustedFlowSource { }
|
||||
private class UntrustedFlowAsSource extends Source instanceof RemoteFlowSource { }
|
||||
|
||||
/** The size argument of a memory allocation function. */
|
||||
private class AllocationSizeAsSink extends Sink instanceof AllocationSizeOverflow::AllocationSize {
|
||||
|
|
|
|||
|
|
@ -25,7 +25,7 @@ module XPathInjection {
|
|||
abstract class Sanitizer extends DataFlow::ExprNode { }
|
||||
|
||||
/** A source of untrusted data, used in an XPath expression. */
|
||||
class UntrustedFlowAsSource extends Source instanceof UntrustedFlowSource { }
|
||||
class UntrustedFlowAsSource extends Source instanceof RemoteFlowSource { }
|
||||
|
||||
/** An XPath expression string, considered as a taint sink for XPath injection. */
|
||||
class XPathExpressionStringAsSink extends Sink instanceof XPath::XPathExpressionString { }
|
||||
|
|
|
|||
|
|
@ -17,7 +17,7 @@ module EmailInjection {
|
|||
abstract class Sink extends DataFlow::Node { }
|
||||
|
||||
/** A source of untrusted data, considered as a taint source for email injection. */
|
||||
class UntrustedFlowSourceAsSource extends Source instanceof UntrustedFlowSource { }
|
||||
class UntrustedFlowSourceAsSource extends Source instanceof RemoteFlowSource { }
|
||||
|
||||
/**
|
||||
* A data-flow node that becomes part of an email considered as a taint sink for email injection.
|
||||
|
|
|
|||
|
|
@ -98,13 +98,13 @@ private class LdapClientDNSink extends LdapSink {
|
|||
/**
|
||||
* DEPRECATED: Use `LdapInjectionFlow` instead.
|
||||
*
|
||||
* A taint-tracking configuration for reasoning about when an `UntrustedFlowSource`
|
||||
* A taint-tracking configuration for reasoning about when an `RemoteFlowSource`
|
||||
* flows into an argument or field that is vulnerable to LDAP injection.
|
||||
*/
|
||||
deprecated class LdapInjectionConfiguration extends TaintTracking::Configuration {
|
||||
LdapInjectionConfiguration() { this = "Ldap injection" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof LdapSink }
|
||||
|
||||
|
|
@ -112,7 +112,7 @@ deprecated class LdapInjectionConfiguration extends TaintTracking::Configuration
|
|||
}
|
||||
|
||||
private module LdapInjectionConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof LdapSink }
|
||||
|
||||
|
|
@ -120,7 +120,7 @@ private module LdapInjectionConfig implements DataFlow::ConfigSig {
|
|||
}
|
||||
|
||||
/**
|
||||
* Tracks taint flow for reasoning about when an `UntrustedFlowSource` flows
|
||||
* Tracks taint flow for reasoning about when an `RemoteFlowSource` flows
|
||||
* into an argument or field that is vulnerable to LDAP injection.
|
||||
*/
|
||||
module LdapInjectionFlow = TaintTracking::Global<LdapInjectionConfig>;
|
||||
|
|
|
|||
|
|
@ -98,7 +98,7 @@ private class SensitiveStringSink extends Sink {
|
|||
|
||||
module Config implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) {
|
||||
source instanceof UntrustedFlowSource and not isBadResult(source)
|
||||
source instanceof RemoteFlowSource and not isBadResult(source)
|
||||
}
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof Sink and not isBadResult(sink) }
|
||||
|
|
|
|||
|
|
@ -68,7 +68,7 @@ module ImproperLdapAuth {
|
|||
|
||||
private module Config implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) {
|
||||
source instanceof UntrustedFlowSource or source instanceof EmptyString
|
||||
source instanceof RemoteFlowSource or source instanceof EmptyString
|
||||
}
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof LdapAuthSink }
|
||||
|
|
|
|||
|
|
@ -28,7 +28,7 @@ predicate divideByZeroSanitizerGuard(DataFlow::Node g, Expr e, boolean branch) {
|
|||
}
|
||||
|
||||
module Config implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
||||
|
||||
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
|
||||
exists(Function f, DataFlow::CallNode cn | cn = f.getACall() |
|
||||
|
|
|
|||
|
|
@ -14,7 +14,7 @@ import DsnInjectionCustomizations
|
|||
import DsnInjectionFlow::PathGraph
|
||||
|
||||
/** An untrusted flow source taken as a source for the `DsnInjection` taint-flow configuration. */
|
||||
private class UntrustedFlowAsSource extends Source instanceof UntrustedFlowSource { }
|
||||
private class UntrustedFlowAsSource extends Source instanceof RemoteFlowSource { }
|
||||
|
||||
from DsnInjectionFlow::PathNode source, DsnInjectionFlow::PathNode sink
|
||||
where DsnInjectionFlow::flowPath(source, sink)
|
||||
|
|
|
|||
|
|
@ -36,7 +36,7 @@ class PassthroughTypeName extends string {
|
|||
}
|
||||
|
||||
module UntrustedToPassthroughTypeConversionConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
||||
|
||||
additional predicate isSinkToPassthroughType(DataFlow::TypeCastNode sink, PassthroughTypeName name) {
|
||||
exists(Type typ |
|
||||
|
|
@ -53,7 +53,7 @@ module UntrustedToPassthroughTypeConversionConfig implements DataFlow::ConfigSig
|
|||
}
|
||||
|
||||
/**
|
||||
* Tracks taint flow for reasoning about when an `UntrustedFlowSource` is
|
||||
* Tracks taint flow for reasoning about when an `RemoteFlowSource` is
|
||||
* converted into a special "passthrough" type which will not be escaped by the
|
||||
* template generator; this allows the injection of arbitrary content (html,
|
||||
* css, js) into the generated output of the templates.
|
||||
|
|
@ -109,13 +109,13 @@ predicate isSinkToTemplateExec(DataFlow::Node sink, DataFlow::CallNode call) {
|
|||
}
|
||||
|
||||
module FromUntrustedToTemplateExecutionCallConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { isSinkToTemplateExec(sink, _) }
|
||||
}
|
||||
|
||||
/**
|
||||
* Tracks taint flow from an `UntrustedFlowSource` into a template executor
|
||||
* Tracks taint flow from an `RemoteFlowSource` into a template executor
|
||||
* call.
|
||||
*/
|
||||
module FromUntrustedToTemplateExecutionCallFlow =
|
||||
|
|
|
|||
|
|
@ -52,7 +52,7 @@ deprecated class Configuration extends TaintTracking::Configuration {
|
|||
Configuration() { this = "Condtional Expression Check Bypass" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) {
|
||||
source instanceof UntrustedFlowSource
|
||||
source instanceof RemoteFlowSource
|
||||
or
|
||||
exists(DataFlow::FieldReadNode f |
|
||||
f.getField().hasQualifiedName("net/http", "Request", "Host")
|
||||
|
|
@ -71,7 +71,7 @@ deprecated class Configuration extends TaintTracking::Configuration {
|
|||
|
||||
private module Config implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) {
|
||||
source instanceof UntrustedFlowSource
|
||||
source instanceof RemoteFlowSource
|
||||
or
|
||||
exists(DataFlow::FieldReadNode f |
|
||||
f.getField().hasQualifiedName("net/http", "Request", "Host")
|
||||
|
|
|
|||
|
|
@ -14,7 +14,7 @@ import go
|
|||
|
||||
module Config implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) {
|
||||
source instanceof UntrustedFlowSource
|
||||
source instanceof RemoteFlowSource
|
||||
or
|
||||
source = any(Field f | f.hasQualifiedName("net/http", "Request", "Host")).getARead()
|
||||
}
|
||||
|
|
|
|||
|
|
@ -90,7 +90,7 @@ module ServerSideRequestForgery {
|
|||
/**
|
||||
* An user controlled input, considered as a flow source for request forgery.
|
||||
*/
|
||||
class UntrustedFlowAsSource extends Source instanceof UntrustedFlowSource { }
|
||||
class UntrustedFlowAsSource extends Source instanceof RemoteFlowSource { }
|
||||
|
||||
/**
|
||||
* The URL of an HTTP request, viewed as a sink for request forgery.
|
||||
|
|
|
|||
|
|
@ -52,7 +52,7 @@ class AllowCredentialsHeaderWrite extends Http::HeaderWrite {
|
|||
}
|
||||
|
||||
module UntrustedToAllowOriginHeaderConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
||||
|
||||
additional predicate isSinkHW(DataFlow::Node sink, AllowOriginHeaderWrite hw) {
|
||||
sink = hw.getValue()
|
||||
|
|
@ -70,7 +70,7 @@ module UntrustedToAllowOriginHeaderConfig implements DataFlow::ConfigSig {
|
|||
}
|
||||
|
||||
module UntrustedToAllowOriginConfigConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
||||
|
||||
additional predicate isSinkWrite(DataFlow::Node sink, GinCors::AllowOriginsWrite w) { sink = w }
|
||||
|
||||
|
|
@ -78,13 +78,13 @@ module UntrustedToAllowOriginConfigConfig implements DataFlow::ConfigSig {
|
|||
}
|
||||
|
||||
/**
|
||||
* Tracks taint flowfor reasoning about when an `UntrustedFlowSource` flows to
|
||||
* Tracks taint flowfor reasoning about when an `RemoteFlowSource` flows to
|
||||
* a `HeaderWrite` that writes an `Access-Control-Allow-Origin` header's value.
|
||||
*/
|
||||
module UntrustedToAllowOriginHeaderFlow = TaintTracking::Global<UntrustedToAllowOriginHeaderConfig>;
|
||||
|
||||
/**
|
||||
* Tracks taint flowfor reasoning about when an `UntrustedFlowSource` flows to
|
||||
* Tracks taint flowfor reasoning about when an `RemoteFlowSource` flows to
|
||||
* a `AllowOriginsWrite` that writes an `Access-Control-Allow-Origin` header's value.
|
||||
*/
|
||||
module UntrustedToAllowOriginConfigFlow = TaintTracking::Global<UntrustedToAllowOriginConfigConfig>;
|
||||
|
|
@ -121,7 +121,7 @@ predicate allowCredentialsIsSetToTrue(DataFlow::ExprNode allowOriginHW) {
|
|||
|
||||
/**
|
||||
* Holds if the provided `allowOriginHW` HeaderWrite's value is set using an
|
||||
* UntrustedFlowSource.
|
||||
* RemoteFlowSource.
|
||||
* The `message` parameter is populated with the warning message to be returned by the query.
|
||||
*/
|
||||
predicate flowsFromUntrustedToAllowOrigin(DataFlow::ExprNode allowOriginHW, string message) {
|
||||
|
|
@ -169,7 +169,7 @@ class MapRead extends DataFlow::ElementReadNode {
|
|||
}
|
||||
|
||||
module FromUntrustedConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { isSinkCgn(sink, _) }
|
||||
|
||||
|
|
@ -208,13 +208,13 @@ module FromUntrustedConfig implements DataFlow::ConfigSig {
|
|||
}
|
||||
|
||||
/**
|
||||
* Tracks taint flow for reasoning about when an `UntrustedFlowSource` flows
|
||||
* Tracks taint flow for reasoning about when an `RemoteFlowSource` flows
|
||||
* somewhere.
|
||||
*/
|
||||
module FromUntrustedFlow = TaintTracking::Global<FromUntrustedConfig>;
|
||||
|
||||
/**
|
||||
* Holds if the provided `allowOriginHW` is also destination of a `UntrustedFlowSource`.
|
||||
* Holds if the provided `allowOriginHW` is also destination of a `RemoteFlowSource`.
|
||||
*/
|
||||
predicate flowsToGuardedByCheckOnUntrusted(DataFlow::ExprNode allowOriginHW) {
|
||||
exists(DataFlow::Node sink, ControlFlow::ConditionGuardNode cgn |
|
||||
|
|
|
|||
|
|
@ -3,7 +3,7 @@
|
|||
"Models": [
|
||||
{
|
||||
"Name": "UntrustedSources",
|
||||
"Kind": "UntrustedFlowSource",
|
||||
"Kind": "RemoteFlowSource",
|
||||
"Methods": [
|
||||
{
|
||||
"Name": "{source:[](Param|Result|Fields|Type)} \u003c- $source",
|
||||
|
|
|
|||
|
|
@ -16,7 +16,7 @@ private module CleverGo {
|
|||
/**
|
||||
* Provides models of untrusted flow sources.
|
||||
*/
|
||||
private class UntrustedSources extends UntrustedFlowSource::Range {
|
||||
private class UntrustedSources extends RemoteFlowSource::Range {
|
||||
UntrustedSources() {
|
||||
// Methods on types of package: clevergo.tech/clevergo@v0.5.2
|
||||
exists(string receiverName, string methodName, Method mtd, FunctionOutput out |
|
||||
|
|
|
|||
|
|
@ -4,7 +4,7 @@
|
|||
|
||||
import go
|
||||
|
||||
class MimeMultipartFileHeader extends UntrustedFlowSource::Range {
|
||||
class MimeMultipartFileHeader extends RemoteFlowSource::Range {
|
||||
MimeMultipartFileHeader() {
|
||||
exists(DataFlow::FieldReadNode frn | this = frn |
|
||||
frn.getField().hasQualifiedName("mime/multipart", "FileHeader", ["Filename", "Header"])
|
||||
|
|
@ -29,7 +29,7 @@ module DecompressionBomb {
|
|||
class FlowState = DecompressionBombs::FlowState;
|
||||
|
||||
predicate isSource(DataFlow::Node source, FlowState state) {
|
||||
source instanceof UntrustedFlowSource and
|
||||
source instanceof RemoteFlowSource and
|
||||
state = ""
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -729,7 +729,7 @@
|
|||
},
|
||||
{
|
||||
"Name": "UntrustedFlowSources",
|
||||
"Kind": "UntrustedFlowSource",
|
||||
"Kind": "RemoteFlowSource",
|
||||
"Methods": [
|
||||
{
|
||||
"Name": "{source:[](Param|Result|Fields|Type)} \u003c- $source",
|
||||
|
|
|
|||
|
|
@ -295,7 +295,7 @@ private module Fiber {
|
|||
/**
|
||||
* Provides models of untrusted flow sources.
|
||||
*/
|
||||
private class UntrustedFlowSources extends UntrustedFlowSource::Range {
|
||||
private class UntrustedFlowSources extends RemoteFlowSource::Range {
|
||||
UntrustedFlowSources() {
|
||||
// Methods on types of package: github.com/gofiber/fiber@v1.14.6
|
||||
exists(string receiverName, string methodName, Method mtd, FunctionOutput out |
|
||||
|
|
|
|||
|
|
@ -10,7 +10,7 @@ module UntrustedFlowSourceTest implements TestSig {
|
|||
exists(DataFlow::CallNode sinkCall, DataFlow::ArgumentNode arg |
|
||||
sinkCall.getCalleeName() = "sink" and
|
||||
arg = sinkCall.getAnArgument() and
|
||||
arg.getAPredecessor*() instanceof UntrustedFlowSource
|
||||
arg.getAPredecessor*() instanceof RemoteFlowSource
|
||||
|
|
||||
element = arg.toString() and
|
||||
value = "" and
|
||||
|
|
|
|||
|
|
@ -10,7 +10,7 @@ module UntrustedFlowSourceTest implements TestSig {
|
|||
exists(DataFlow::CallNode sinkCall, DataFlow::ArgumentNode arg |
|
||||
sinkCall.getCalleeName() = "sink" and
|
||||
arg = sinkCall.getAnArgument() and
|
||||
arg.getAPredecessor*() instanceof UntrustedFlowSource
|
||||
arg.getAPredecessor*() instanceof RemoteFlowSource
|
||||
|
|
||||
element = arg.toString() and
|
||||
value = "" and
|
||||
|
|
|
|||
|
|
@ -1,3 +1,3 @@
|
|||
import go
|
||||
|
||||
select any(UntrustedFlowSource ufs)
|
||||
select any(RemoteFlowSource ufs)
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@
|
|||
import go
|
||||
|
||||
module Config implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node n) { n instanceof UntrustedFlowSource }
|
||||
predicate isSource(DataFlow::Node n) { n instanceof RemoteFlowSource }
|
||||
|
||||
predicate isSink(DataFlow::Node n) { any(ReturnStmt s).getAnExpr() = n.asExpr() }
|
||||
}
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@ import go
|
|||
import TestUtilities.InlineFlowTest
|
||||
|
||||
module Config implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
exists(Function fn | fn.hasQualifiedName(_, "sink") | sink = fn.getACall().getAnArgument())
|
||||
|
|
|
|||
|
|
@ -7,7 +7,7 @@ module UntrustedFlowSourceTest implements TestSig {
|
|||
predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
tag = "untrustedflowsource" and
|
||||
value = element and
|
||||
exists(UntrustedFlowSource src | value = "\"" + src.toString() + "\"" |
|
||||
exists(RemoteFlowSource src | value = "\"" + src.toString() + "\"" |
|
||||
src.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
|
||||
location.getStartColumn(), location.getEndLine(), location.getEndColumn())
|
||||
)
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@ class UntrustedFunction extends Function {
|
|||
UntrustedFunction() { this.getName() = ["getUntrustedString", "getUntrustedBytes"] }
|
||||
}
|
||||
|
||||
class UntrustedSource extends DataFlow::Node, UntrustedFlowSource::Range {
|
||||
class UntrustedSource extends DataFlow::Node, RemoteFlowSource::Range {
|
||||
UntrustedSource() { this = any(UntrustedFunction f).getACall() }
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -2,16 +2,16 @@ import go
|
|||
import TestUtilities.InlineExpectationsTest
|
||||
|
||||
module FasthttpTest implements TestSig {
|
||||
string getARelevantTag() { result = "UntrustedFlowSource" }
|
||||
string getARelevantTag() { result = "RemoteFlowSource" }
|
||||
|
||||
predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
exists(UntrustedFlowSource source |
|
||||
exists(RemoteFlowSource source |
|
||||
source
|
||||
.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
|
||||
location.getStartColumn(), location.getEndLine(), location.getEndColumn()) and
|
||||
element = source.toString() and
|
||||
value = "\"" + source.toString() + "\"" and
|
||||
tag = "UntrustedFlowSource"
|
||||
tag = "RemoteFlowSource"
|
||||
)
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -96,7 +96,7 @@ func main() {
|
|||
func fasthttpServer() {
|
||||
ln, _ := net.Listen("tcp4", "127.0.0.1:8080")
|
||||
requestHandler := func(requestCtx *fasthttp.RequestCtx) {
|
||||
filePath := requestCtx.QueryArgs().Peek("filePath") // $ UntrustedFlowSource="call to Peek"
|
||||
filePath := requestCtx.QueryArgs().Peek("filePath") // $ RemoteFlowSource="call to Peek"
|
||||
// File System Access
|
||||
filePath_string := string(filePath)
|
||||
_ = requestCtx.Response.SendFile(filePath_string) // $ FileSystemAccess=filePath_string
|
||||
|
|
@ -112,67 +112,67 @@ func fasthttpServer() {
|
|||
dstReader := &bufio.Reader{}
|
||||
// user controlled methods as source
|
||||
requestHeader := &fasthttp.RequestHeader{}
|
||||
requestHeader.Header() // $ UntrustedFlowSource="call to Header"
|
||||
requestHeader.TrailerHeader() // $ UntrustedFlowSource="call to TrailerHeader"
|
||||
requestHeader.String() // $ UntrustedFlowSource="call to String"
|
||||
requestHeader.RequestURI() // $ UntrustedFlowSource="call to RequestURI"
|
||||
requestHeader.Host() // $ UntrustedFlowSource="call to Host"
|
||||
requestHeader.UserAgent() // $ UntrustedFlowSource="call to UserAgent"
|
||||
requestHeader.ContentEncoding() // $ UntrustedFlowSource="call to ContentEncoding"
|
||||
requestHeader.ContentType() // $ UntrustedFlowSource="call to ContentType"
|
||||
requestHeader.Cookie("ACookie") // $ UntrustedFlowSource="call to Cookie"
|
||||
requestHeader.CookieBytes([]byte("ACookie")) // $ UntrustedFlowSource="call to CookieBytes"
|
||||
requestHeader.MultipartFormBoundary() // $ UntrustedFlowSource="call to MultipartFormBoundary"
|
||||
requestHeader.Peek("AHeaderName") // $ UntrustedFlowSource="call to Peek"
|
||||
requestHeader.PeekAll("AHeaderName") // $ UntrustedFlowSource="call to PeekAll"
|
||||
requestHeader.PeekBytes([]byte("AHeaderName")) // $ UntrustedFlowSource="call to PeekBytes"
|
||||
requestHeader.PeekKeys() // $ UntrustedFlowSource="call to PeekKeys"
|
||||
requestHeader.PeekTrailerKeys() // $ UntrustedFlowSource="call to PeekTrailerKeys"
|
||||
requestHeader.Referer() // $ UntrustedFlowSource="call to Referer"
|
||||
requestHeader.RawHeaders() // $ UntrustedFlowSource="call to RawHeaders"
|
||||
requestHeader.Header() // $ RemoteFlowSource="call to Header"
|
||||
requestHeader.TrailerHeader() // $ RemoteFlowSource="call to TrailerHeader"
|
||||
requestHeader.String() // $ RemoteFlowSource="call to String"
|
||||
requestHeader.RequestURI() // $ RemoteFlowSource="call to RequestURI"
|
||||
requestHeader.Host() // $ RemoteFlowSource="call to Host"
|
||||
requestHeader.UserAgent() // $ RemoteFlowSource="call to UserAgent"
|
||||
requestHeader.ContentEncoding() // $ RemoteFlowSource="call to ContentEncoding"
|
||||
requestHeader.ContentType() // $ RemoteFlowSource="call to ContentType"
|
||||
requestHeader.Cookie("ACookie") // $ RemoteFlowSource="call to Cookie"
|
||||
requestHeader.CookieBytes([]byte("ACookie")) // $ RemoteFlowSource="call to CookieBytes"
|
||||
requestHeader.MultipartFormBoundary() // $ RemoteFlowSource="call to MultipartFormBoundary"
|
||||
requestHeader.Peek("AHeaderName") // $ RemoteFlowSource="call to Peek"
|
||||
requestHeader.PeekAll("AHeaderName") // $ RemoteFlowSource="call to PeekAll"
|
||||
requestHeader.PeekBytes([]byte("AHeaderName")) // $ RemoteFlowSource="call to PeekBytes"
|
||||
requestHeader.PeekKeys() // $ RemoteFlowSource="call to PeekKeys"
|
||||
requestHeader.PeekTrailerKeys() // $ RemoteFlowSource="call to PeekTrailerKeys"
|
||||
requestHeader.Referer() // $ RemoteFlowSource="call to Referer"
|
||||
requestHeader.RawHeaders() // $ RemoteFlowSource="call to RawHeaders"
|
||||
// multipart.Form is already implemented
|
||||
// requestCtx.MultipartForm()
|
||||
requestCtx.URI().Path() // $ UntrustedFlowSource="call to Path"
|
||||
requestCtx.URI().PathOriginal() // $ UntrustedFlowSource="call to PathOriginal"
|
||||
requestCtx.URI().FullURI() // $ UntrustedFlowSource="call to FullURI"
|
||||
requestCtx.URI().LastPathSegment() // $ UntrustedFlowSource="call to LastPathSegment"
|
||||
requestCtx.URI().QueryString() // $ UntrustedFlowSource="call to QueryString"
|
||||
requestCtx.URI().String() // $ UntrustedFlowSource="call to String"
|
||||
requestCtx.URI().Path() // $ RemoteFlowSource="call to Path"
|
||||
requestCtx.URI().PathOriginal() // $ RemoteFlowSource="call to PathOriginal"
|
||||
requestCtx.URI().FullURI() // $ RemoteFlowSource="call to FullURI"
|
||||
requestCtx.URI().LastPathSegment() // $ RemoteFlowSource="call to LastPathSegment"
|
||||
requestCtx.URI().QueryString() // $ RemoteFlowSource="call to QueryString"
|
||||
requestCtx.URI().String() // $ RemoteFlowSource="call to String"
|
||||
|
||||
//or requestCtx.PostArgs()
|
||||
requestCtx.URI().QueryArgs().Peek("arg1") // $ UntrustedFlowSource="call to Peek"
|
||||
requestCtx.URI().QueryArgs().PeekBytes([]byte("arg1")) // $ UntrustedFlowSource="call to PeekBytes"
|
||||
requestCtx.URI().QueryArgs().PeekMulti("arg1") // $ UntrustedFlowSource="call to PeekMulti"
|
||||
requestCtx.URI().QueryArgs().PeekMultiBytes([]byte("arg1")) // $ UntrustedFlowSource="call to PeekMultiBytes"
|
||||
requestCtx.URI().QueryArgs().QueryString() // $ UntrustedFlowSource="call to QueryString"
|
||||
requestCtx.URI().QueryArgs().String() // $ UntrustedFlowSource="call to String"
|
||||
requestCtx.String() // $ UntrustedFlowSource="call to String"
|
||||
requestCtx.URI().QueryArgs().Peek("arg1") // $ RemoteFlowSource="call to Peek"
|
||||
requestCtx.URI().QueryArgs().PeekBytes([]byte("arg1")) // $ RemoteFlowSource="call to PeekBytes"
|
||||
requestCtx.URI().QueryArgs().PeekMulti("arg1") // $ RemoteFlowSource="call to PeekMulti"
|
||||
requestCtx.URI().QueryArgs().PeekMultiBytes([]byte("arg1")) // $ RemoteFlowSource="call to PeekMultiBytes"
|
||||
requestCtx.URI().QueryArgs().QueryString() // $ RemoteFlowSource="call to QueryString"
|
||||
requestCtx.URI().QueryArgs().String() // $ RemoteFlowSource="call to String"
|
||||
requestCtx.String() // $ RemoteFlowSource="call to String"
|
||||
|
||||
requestCtx.Path() // $ UntrustedFlowSource="call to Path"
|
||||
requestCtx.Path() // $ RemoteFlowSource="call to Path"
|
||||
// multipart.Form is already implemented
|
||||
// requestCtx.FormFile("FileName")
|
||||
// requestCtx.FormValue("ValueName")
|
||||
requestCtx.Referer() // $ UntrustedFlowSource="call to Referer"
|
||||
requestCtx.PostBody() // $ UntrustedFlowSource="call to PostBody"
|
||||
requestCtx.RequestBodyStream() // $ UntrustedFlowSource="call to RequestBodyStream"
|
||||
requestCtx.RequestURI() // $ UntrustedFlowSource="call to RequestURI"
|
||||
requestCtx.UserAgent() // $ UntrustedFlowSource="call to UserAgent"
|
||||
requestCtx.Host() // $ UntrustedFlowSource="call to Host"
|
||||
requestCtx.Referer() // $ RemoteFlowSource="call to Referer"
|
||||
requestCtx.PostBody() // $ RemoteFlowSource="call to PostBody"
|
||||
requestCtx.RequestBodyStream() // $ RemoteFlowSource="call to RequestBodyStream"
|
||||
requestCtx.RequestURI() // $ RemoteFlowSource="call to RequestURI"
|
||||
requestCtx.UserAgent() // $ RemoteFlowSource="call to UserAgent"
|
||||
requestCtx.Host() // $ RemoteFlowSource="call to Host"
|
||||
|
||||
requestCtx.Request.Host() // $ UntrustedFlowSource="call to Host"
|
||||
requestCtx.Request.Body() // $ UntrustedFlowSource="call to Body"
|
||||
requestCtx.Request.RequestURI() // $ UntrustedFlowSource="call to RequestURI"
|
||||
body1, _ := requestCtx.Request.BodyGunzip() // $ UntrustedFlowSource="... := ...[0]"
|
||||
body2, _ := requestCtx.Request.BodyInflate() // $ UntrustedFlowSource="... := ...[0]"
|
||||
body3, _ := requestCtx.Request.BodyUnbrotli() // $ UntrustedFlowSource="... := ...[0]"
|
||||
body4, _ := requestCtx.Request.BodyUncompressed() // $ UntrustedFlowSource="... := ...[0]"
|
||||
requestCtx.Request.Host() // $ RemoteFlowSource="call to Host"
|
||||
requestCtx.Request.Body() // $ RemoteFlowSource="call to Body"
|
||||
requestCtx.Request.RequestURI() // $ RemoteFlowSource="call to RequestURI"
|
||||
body1, _ := requestCtx.Request.BodyGunzip() // $ RemoteFlowSource="... := ...[0]"
|
||||
body2, _ := requestCtx.Request.BodyInflate() // $ RemoteFlowSource="... := ...[0]"
|
||||
body3, _ := requestCtx.Request.BodyUnbrotli() // $ RemoteFlowSource="... := ...[0]"
|
||||
body4, _ := requestCtx.Request.BodyUncompressed() // $ RemoteFlowSource="... := ...[0]"
|
||||
fmt.Println(body1, body2, body3, body4)
|
||||
requestCtx.Request.BodyStream() // $ UntrustedFlowSource="call to BodyStream"
|
||||
requestCtx.Request.BodyStream() // $ RemoteFlowSource="call to BodyStream"
|
||||
|
||||
requestCtx.Request.ReadBody(dstReader, 100, 1000) // $ UntrustedFlowSource="dstReader"
|
||||
requestCtx.Request.ReadLimitBody(dstReader, 100) // $ UntrustedFlowSource="dstReader"
|
||||
requestCtx.Request.ContinueReadBodyStream(dstReader, 100, true) // $ UntrustedFlowSource="dstReader"
|
||||
requestCtx.Request.ContinueReadBody(dstReader, 100) // $ UntrustedFlowSource="dstReader"
|
||||
requestCtx.Request.ReadBody(dstReader, 100, 1000) // $ RemoteFlowSource="dstReader"
|
||||
requestCtx.Request.ReadLimitBody(dstReader, 100) // $ RemoteFlowSource="dstReader"
|
||||
requestCtx.Request.ContinueReadBodyStream(dstReader, 100, true) // $ RemoteFlowSource="dstReader"
|
||||
requestCtx.Request.ContinueReadBody(dstReader, 100) // $ RemoteFlowSource="dstReader"
|
||||
|
||||
// Response methods
|
||||
// Xss Sinks Related method
|
||||
|
|
|
|||
|
|
@ -1,3 +1,3 @@
|
|||
import go
|
||||
|
||||
select any(UntrustedFlowSource src)
|
||||
select any(RemoteFlowSource src)
|
||||
|
|
|
|||
|
|
@ -5,7 +5,7 @@ module UntrustedFlowSourceTest implements TestSig {
|
|||
string getARelevantTag() { result = "source" }
|
||||
|
||||
predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
exists(UntrustedFlowSource source |
|
||||
exists(RemoteFlowSource source |
|
||||
source
|
||||
.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
|
||||
location.getStartColumn(), location.getEndLine(), location.getEndColumn()) and
|
||||
|
|
|
|||
|
|
@ -2,15 +2,15 @@ import go
|
|||
import TestUtilities.InlineExpectationsTest
|
||||
|
||||
module UntrustedFlowSourceTest implements TestSig {
|
||||
string getARelevantTag() { result = "UntrustedFlowSource" }
|
||||
string getARelevantTag() { result = "RemoteFlowSource" }
|
||||
|
||||
predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
exists(UntrustedFlowSource src |
|
||||
exists(RemoteFlowSource src |
|
||||
src.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
|
||||
location.getStartColumn(), location.getEndLine(), location.getEndColumn()) and
|
||||
element = src.toString() and
|
||||
value = "" and
|
||||
tag = "UntrustedFlowSource"
|
||||
tag = "RemoteFlowSource"
|
||||
)
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -7,16 +7,16 @@ import (
|
|||
)
|
||||
|
||||
func sources(ctx *macaron.Context, body *macaron.RequestBody) {
|
||||
_ = ctx.AllParams() // $UntrustedFlowSource
|
||||
_ = ctx.GetCookie("") // $UntrustedFlowSource
|
||||
_, _ = ctx.GetSecureCookie("") // $UntrustedFlowSource
|
||||
_, _ = ctx.GetSuperSecureCookie("", "") // $UntrustedFlowSource
|
||||
_, _, _ = ctx.GetFile("") // $UntrustedFlowSource
|
||||
_ = ctx.Params("") // $UntrustedFlowSource
|
||||
_ = ctx.ParamsEscape("") // $UntrustedFlowSource
|
||||
_ = ctx.Query("") // $UntrustedFlowSource
|
||||
_ = ctx.QueryEscape("") // $UntrustedFlowSource
|
||||
_ = ctx.QueryStrings("") // $UntrustedFlowSource
|
||||
_, _ = body.Bytes() // $UntrustedFlowSource
|
||||
_, _ = body.String() // $UntrustedFlowSource
|
||||
_ = ctx.AllParams() // $RemoteFlowSource
|
||||
_ = ctx.GetCookie("") // $RemoteFlowSource
|
||||
_, _ = ctx.GetSecureCookie("") // $RemoteFlowSource
|
||||
_, _ = ctx.GetSuperSecureCookie("", "") // $RemoteFlowSource
|
||||
_, _, _ = ctx.GetFile("") // $RemoteFlowSource
|
||||
_ = ctx.Params("") // $RemoteFlowSource
|
||||
_ = ctx.ParamsEscape("") // $RemoteFlowSource
|
||||
_ = ctx.Query("") // $RemoteFlowSource
|
||||
_ = ctx.QueryEscape("") // $RemoteFlowSource
|
||||
_ = ctx.QueryStrings("") // $RemoteFlowSource
|
||||
_, _ = body.Bytes() // $RemoteFlowSource
|
||||
_, _ = body.String() // $RemoteFlowSource
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,3 +1,3 @@
|
|||
import go
|
||||
|
||||
select any(UntrustedFlowSource ufs)
|
||||
select any(RemoteFlowSource ufs)
|
||||
|
|
|
|||
|
|
@ -8,7 +8,7 @@ class Sink extends DataFlow::Node {
|
|||
}
|
||||
|
||||
private module TestConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
||||
}
|
||||
|
|
|
|||
Загрузка…
Ссылка в новой задаче