Rename `UntrustedFlowSource` to `RemoteFlowSource`

Only the whole word. Skipped one instance in an old change note.
This commit is contained in:
Owen Mansel-Chan 2024-04-17 21:27:32 +01:00
Родитель da3fa22cbd
Коммит 5fba9895c6
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 67E427E02E6DA1B8
61 изменённых файлов: 169 добавлений и 173 удалений

Просмотреть файл

@ -15,14 +15,14 @@ Sources
-------
To mark a source of data that is controlled by an untrusted user, we
create a class extending ``UntrustedFlowSource::Range``. Inheritance and
create a class extending ``RemoteFlowSource::Range``. Inheritance and
the characteristic predicate of the class should be used to specify
exactly the dataflow node that introduces the data. Here is a short
example from ``Mux.qll``.
.. code-block:: ql
class RequestVars extends DataFlow::UntrustedFlowSource::Range, DataFlow::CallNode {
class RequestVars extends DataFlow::RemoteFlowSource::Range, DataFlow::CallNode {
RequestVars() { this.getTarget().hasQualifiedName("github.com/gorilla/mux", "Vars") }
}

Просмотреть файл

@ -13,14 +13,14 @@ Sources
-------
To mark a source of data that is controlled by an untrusted user, we
create a class extending ``UntrustedFlowSource::Range``. Inheritance and
create a class extending ``RemoteFlowSource::Range``. Inheritance and
the characteristic predicate of the class should be used to specify
exactly the dataflow node that introduces the data. Here is a short
example from ``Mux.qll``.
.. code-block:: ql
class RequestVars extends DataFlow::UntrustedFlowSource::Range, DataFlow::CallNode {
class RequestVars extends DataFlow::RemoteFlowSource::Range, DataFlow::CallNode {
RequestVars() { this.getTarget().hasQualifiedName("github.com/gorilla/mux", "Vars") }
}

Просмотреть файл

@ -6,7 +6,7 @@
import go
/** A source of input data in an AWS Lambda. */
private class LambdaInput extends UntrustedFlowSource::Range {
private class LambdaInput extends RemoteFlowSource::Range {
LambdaInput() {
exists(Parameter p | p = this.asParameter() |
p = any(HandlerFunction hf).getAParameter() and

Просмотреть файл

@ -50,7 +50,7 @@ module Beego {
/**
* `BeegoInput` sources of untrusted data.
*/
private class BeegoInputSource extends UntrustedFlowSource::Range {
private class BeegoInputSource extends RemoteFlowSource::Range {
string methodName;
BeegoInputSource() {
@ -81,7 +81,7 @@ module Beego {
/**
* `beego.Controller` sources of untrusted data.
*/
private class BeegoControllerSource extends UntrustedFlowSource::Range {
private class BeegoControllerSource extends RemoteFlowSource::Range {
BeegoControllerSource() {
exists(string methodName, FunctionOutput output |
methodName = "ParseForm" and
@ -105,7 +105,7 @@ module Beego {
/**
* `BeegoInputRequestBody` sources of untrusted data.
*/
private class BeegoInputRequestBodySource extends UntrustedFlowSource::Range {
private class BeegoInputRequestBodySource extends RemoteFlowSource::Range {
BeegoInputRequestBodySource() {
exists(DataFlow::FieldReadNode frn | this = frn |
frn.getField().hasQualifiedName(contextPackagePath(), "BeegoInput", "RequestBody")
@ -116,7 +116,7 @@ module Beego {
/**
* `beego/context.Context` sources of untrusted data.
*/
private class BeegoContextSource extends UntrustedFlowSource::Range {
private class BeegoContextSource extends RemoteFlowSource::Range {
BeegoContextSource() {
exists(Method m | m.hasQualifiedName(contextPackagePath(), "Context", "GetCookie") |
this = m.getACall().getResult()

Просмотреть файл

@ -11,7 +11,7 @@ private module Chi {
/**
* Functions that extract URL parameters, considered as a source of untrusted flow.
*/
private class UserControlledFunction extends UntrustedFlowSource::Range, DataFlow::CallNode {
private class UserControlledFunction extends RemoteFlowSource::Range, DataFlow::CallNode {
UserControlledFunction() {
this.getTarget().hasQualifiedName(packagePath(), ["URLParam", "URLParamFromCtx"])
}
@ -20,7 +20,7 @@ private module Chi {
/**
* Methods that extract URL parameters, considered as a source of untrusted flow.
*/
private class UserControlledRequestMethod extends UntrustedFlowSource::Range,
private class UserControlledRequestMethod extends RemoteFlowSource::Range,
DataFlow::MethodCallNode
{
UserControlledRequestMethod() {

Просмотреть файл

@ -12,7 +12,7 @@ private module Echo {
/**
* Data from a `Context` interface method, considered as a source of untrusted flow.
*/
private class EchoContextSource extends UntrustedFlowSource::Range {
private class EchoContextSource extends RemoteFlowSource::Range {
EchoContextSource() {
exists(DataFlow::MethodCallNode call, string methodName |
methodName =
@ -42,7 +42,7 @@ private module Echo {
/**
* A call to a method on `Context` struct that unmarshals data into a target.
*/
private class EchoContextBinder extends UntrustedFlowSource::Range {
private class EchoContextBinder extends RemoteFlowSource::Range {
EchoContextBinder() {
exists(DataFlow::MethodCallNode call |
call.getTarget().hasQualifiedName(packagePath(), "Context", "Bind")

Просмотреть файл

@ -95,7 +95,7 @@ module ElazarlGoproxy {
}
}
private class UserControlledRequestData extends UntrustedFlowSource::Range {
private class UserControlledRequestData extends RemoteFlowSource::Range {
UserControlledRequestData() {
exists(DataFlow::FieldReadNode frn | this = frn |
// liberally consider ProxyCtx.UserData to be untrusted; it's a data field set by a request handler

Просмотреть файл

@ -258,8 +258,8 @@ module Fasthttp {
/**
* The methods as Remote user controllable source which are part of the incoming URL.
*/
class UntrustedFlowSource extends UntrustedFlowSource::Range instanceof DataFlow::Node {
UntrustedFlowSource() {
class RemoteFlowSource extends RemoteFlowSource::Range instanceof DataFlow::Node {
RemoteFlowSource() {
exists(Method m |
m.hasQualifiedName(packagePath(), "URI",
["FullURI", "LastPathSegment", "Path", "PathOriginal", "QueryString", "String"]) and
@ -278,8 +278,8 @@ module Fasthttp {
*
* When support for lambdas has been implemented we should model "VisitAll".
*/
class UntrustedFlowSource extends UntrustedFlowSource::Range instanceof DataFlow::Node {
UntrustedFlowSource() {
class RemoteFlowSource extends RemoteFlowSource::Range instanceof DataFlow::Node {
RemoteFlowSource() {
exists(Method m |
m.hasQualifiedName(packagePath(), "Args",
["Peek", "PeekBytes", "PeekMulti", "PeekMultiBytes", "QueryString", "String"]) and
@ -389,8 +389,8 @@ module Fasthttp {
/**
* The methods as Remote user controllable source which can be many part of request.
*/
class UntrustedFlowSource extends UntrustedFlowSource::Range instanceof DataFlow::Node {
UntrustedFlowSource() {
class RemoteFlowSource extends RemoteFlowSource::Range instanceof DataFlow::Node {
RemoteFlowSource() {
exists(Method m |
m.hasQualifiedName(packagePath(), "Request",
[
@ -468,8 +468,8 @@ module Fasthttp {
*
* When support for lambdas has been implemented we should model "VisitAll", "VisitAllCookie", "VisitAllInOrder", "VisitAllTrailer".
*/
class UntrustedFlowSource extends UntrustedFlowSource::Range instanceof DataFlow::Node {
UntrustedFlowSource() {
class RemoteFlowSource extends RemoteFlowSource::Range instanceof DataFlow::Node {
RemoteFlowSource() {
exists(Method m |
m.hasQualifiedName(packagePath(), "RequestCtx",
[
@ -491,8 +491,8 @@ module Fasthttp {
*
* When support for lambdas has been implemented we should model "VisitAll", "VisitAllCookie", "VisitAllInOrder", "VisitAllTrailer".
*/
class UntrustedFlowSource extends UntrustedFlowSource::Range instanceof DataFlow::Node {
UntrustedFlowSource() {
class RemoteFlowSource extends RemoteFlowSource::Range instanceof DataFlow::Node {
RemoteFlowSource() {
exists(Method m |
m.hasQualifiedName(packagePath(), "RequestHeader",
[

Просмотреть файл

@ -12,7 +12,7 @@ private module Gin {
/**
* Data from a `Context` struct, considered as a source of untrusted flow.
*/
private class GithubComGinGonicGinContextSource extends UntrustedFlowSource::Range {
private class GithubComGinGonicGinContextSource extends RemoteFlowSource::Range {
GithubComGinGonicGinContextSource() {
// Method calls:
exists(DataFlow::MethodCallNode call, string methodName |
@ -39,7 +39,7 @@ private module Gin {
/**
* A call to a method on `Context` struct that unmarshals data into a target.
*/
private class GithubComGinGonicGinContextBindSource extends UntrustedFlowSource::Range {
private class GithubComGinGonicGinContextBindSource extends RemoteFlowSource::Range {
GithubComGinGonicGinContextBindSource() {
exists(DataFlow::MethodCallNode call, string methodName |
call.getTarget().hasQualifiedName(packagePath(), "Context", methodName) and

Просмотреть файл

@ -35,7 +35,7 @@ module GoKit {
DataFlow::exprNode(result.(FuncLit)) = getAnEndpointFactoryResult()
}
private class EndpointRequest extends UntrustedFlowSource::Range {
private class EndpointRequest extends RemoteFlowSource::Range {
EndpointRequest() { this = DataFlow::parameterNode(getAnEndpointFunction().getParameter(1)) }
}
}

Просмотреть файл

@ -142,7 +142,7 @@ module GoMicro {
/**
* A set of remote requests from a service handler.
*/
class Request extends UntrustedFlowSource::Range instanceof DataFlow::ParameterNode {
class Request extends RemoteFlowSource::Range instanceof DataFlow::ParameterNode {
Request() {
exists(ServiceHandler handler |
this.asParameter().isParameterOf(handler.getFuncDecl(), 1) and

Просмотреть файл

@ -27,14 +27,14 @@ private module GoRestfulHttp {
/**
* A model of go-restful's `Request` object as a source of user-controlled data.
*/
private class GoRestfulSource extends UntrustedFlowSource::Range {
private class GoRestfulSource extends RemoteFlowSource::Range {
GoRestfulSource() { this = any(GoRestfulSourceMethod g).getACall() }
}
/**
* A model of go-restful's `Request.ReadEntity` method as a source of user-controlled data.
*/
private class GoRestfulReadEntitySource extends UntrustedFlowSource::Range {
private class GoRestfulReadEntitySource extends RemoteFlowSource::Range {
GoRestfulReadEntitySource() {
exists(DataFlow::MethodCallNode call |
call.getTarget().hasQualifiedName(packagePath(), "Request", "ReadEntity")

Просмотреть файл

@ -39,7 +39,7 @@ module Gqlgen {
}
/** A parameter of a resolver method which receives untrusted input. */
class ResolverParameter extends UntrustedFlowSource::Range instanceof DataFlow::ParameterNode {
class ResolverParameter extends RemoteFlowSource::Range instanceof DataFlow::ParameterNode {
ResolverParameter() {
this.asParameter() = any(ResolverImplementationMethod h).getAnUntrustedParameter()
}

Просмотреть файл

@ -9,7 +9,7 @@ import go
*/
module Mux {
/** An access to a Mux middleware variable. */
class RequestVars extends DataFlow::UntrustedFlowSource::Range, DataFlow::CallNode {
class RequestVars extends DataFlow::RemoteFlowSource::Range, DataFlow::CallNode {
RequestVars() {
this.getTarget().hasQualifiedName(package("github.com/gorilla/mux", ""), "Vars")
}

Просмотреть файл

@ -12,7 +12,7 @@ module Revel {
result = package(["github.com/revel", "github.com/robfig"] + "/revel", "")
}
private class ControllerParams extends UntrustedFlowSource::Range, DataFlow::FieldReadNode {
private class ControllerParams extends RemoteFlowSource::Range, DataFlow::FieldReadNode {
ControllerParams() {
exists(Field f |
this.readsField(_, f) and
@ -32,7 +32,7 @@ module Revel {
}
}
private class RouteMatchParams extends UntrustedFlowSource::Range, DataFlow::FieldReadNode {
private class RouteMatchParams extends RemoteFlowSource::Range, DataFlow::FieldReadNode {
RouteMatchParams() {
exists(Field f |
this.readsField(_, f) and
@ -42,9 +42,7 @@ module Revel {
}
/** An access to an HTTP request field whose value may be controlled by an untrusted user. */
private class UserControlledRequestField extends UntrustedFlowSource::Range,
DataFlow::FieldReadNode
{
private class UserControlledRequestField extends RemoteFlowSource::Range, DataFlow::FieldReadNode {
UserControlledRequestField() {
exists(string fieldName |
this.getField().hasQualifiedName(packagePath(), "Request", fieldName)
@ -56,7 +54,7 @@ module Revel {
}
}
private class UserControlledRequestMethod extends UntrustedFlowSource::Range,
private class UserControlledRequestMethod extends RemoteFlowSource::Range,
DataFlow::MethodCallNode
{
UserControlledRequestMethod() {

Просмотреть файл

@ -130,7 +130,7 @@ module Twirp {
}
/** A request coming to the service handler. */
class Request extends UntrustedFlowSource::Range instanceof DataFlow::ParameterNode {
class Request extends RemoteFlowSource::Range instanceof DataFlow::ParameterNode {
Request() {
exists(ServiceHandler handler |
this.asParameter().isParameterOf(handler.getFuncDecl(), 1) and

Просмотреть файл

@ -127,7 +127,7 @@ module WebSocketRequestCall {
/**
* A message written to a WebSocket, considered as a flow sink for reflected XSS.
*/
class WebSocketReaderAsSource extends UntrustedFlowSource::Range {
class WebSocketReaderAsSource extends RemoteFlowSource::Range {
WebSocketReaderAsSource() {
exists(WebSocketReader r | this = r.getAnOutput().getNode(r.getACall()))
}

Просмотреть файл

@ -9,9 +9,7 @@ private import semmle.go.dataflow.internal.FlowSummaryImpl::Private
/** Provides models of commonly used functions in the `net/http` package. */
module NetHttp {
/** An access to an HTTP request field whose value may be controlled by an untrusted user. */
private class UserControlledRequestField extends UntrustedFlowSource::Range,
DataFlow::FieldReadNode
{
private class UserControlledRequestField extends RemoteFlowSource::Range, DataFlow::FieldReadNode {
UserControlledRequestField() {
exists(string fieldName | this.getField().hasQualifiedName("net/http", "Request", fieldName) |
fieldName =

Просмотреть файл

@ -30,7 +30,7 @@ module CommandInjection {
abstract class Sanitizer extends DataFlow::Node { }
/** A source of untrusted data, considered as a taint source for command injection. */
class UntrustedFlowAsSource extends Source instanceof UntrustedFlowSource { }
class UntrustedFlowAsSource extends Source instanceof RemoteFlowSource { }
/** A command name, considered as a taint sink for command injection. */
class CommandNameAsSink extends Sink {

Просмотреть файл

@ -187,13 +187,13 @@ class UnknownExternalApiDataNode extends ExternalApiDataNode {
deprecated class UntrustedDataToExternalApiConfig extends TaintTracking::Configuration {
UntrustedDataToExternalApiConfig() { this = "UntrustedDataToExternalAPIConfig" }
override predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
override predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
}
private module UntrustedDataConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
}
@ -211,13 +211,13 @@ module UntrustedDataToExternalApiFlow = DataFlow::Global<UntrustedDataConfig>;
deprecated class UntrustedDataToUnknownExternalApiConfig extends TaintTracking::Configuration {
UntrustedDataToUnknownExternalApiConfig() { this = "UntrustedDataToUnknownExternalAPIConfig" }
override predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
override predicate isSink(DataFlow::Node sink) { sink instanceof UnknownExternalApiDataNode }
}
private module UntrustedDataToUnknownExternalApiConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
predicate isSink(DataFlow::Node sink) { sink instanceof UnknownExternalApiDataNode }
}

Просмотреть файл

@ -9,17 +9,17 @@ private import semmle.go.dataflow.ExternalFlow as ExternalFlow
* A source of data that is controlled by an untrusted user.
*
* Extend this class to refine existing API models. If you want to model new APIs,
* extend `UntrustedFlowSource::Range` instead.
* extend `RemoteFlowSource::Range` instead.
*/
class UntrustedFlowSource extends DataFlow::Node instanceof UntrustedFlowSource::Range { }
class RemoteFlowSource extends DataFlow::Node instanceof RemoteFlowSource::Range { }
/** Provides a class for modeling new sources of untrusted data. */
module UntrustedFlowSource {
module RemoteFlowSource {
/**
* A source of data that is controlled by an untrusted user.
*
* Extend this class to model new APIs. If you want to refine existing API models,
* extend `UntrustedFlowSource` instead.
* extend `RemoteFlowSource` instead.
*/
abstract class Range extends DataFlow::Node { }

Просмотреть файл

@ -26,7 +26,7 @@ module LogInjection {
abstract class Sanitizer extends DataFlow::Node { }
/** A source of untrusted data, considered as a taint source for log injection. */
class UntrustedFlowAsSource extends Source instanceof UntrustedFlowSource { }
class UntrustedFlowAsSource extends Source instanceof RemoteFlowSource { }
/** An argument to a logging mechanism. */
class LoggerSink extends Sink {

Просмотреть файл

@ -49,7 +49,7 @@ module MissingJwtSignatureCheck {
}
}
private class DefaultSource extends Source instanceof UntrustedFlowSource { }
private class DefaultSource extends Source instanceof RemoteFlowSource { }
private class DefaultSink extends Sink {
DefaultSink() { sinkNode(this, "jwt") }

Просмотреть файл

@ -45,7 +45,7 @@ module OpenUrlRedirect {
/**
* A source of third-party user input, considered as a flow source for URL redirects.
*/
class UntrustedFlowAsSource extends Source, UntrustedFlowSource {
class UntrustedFlowAsSource extends Source, RemoteFlowSource {
UntrustedFlowAsSource() {
// exclude some fields and methods of URLs that are generally not attacker-controllable for
// open redirect exploits

Просмотреть файл

@ -37,7 +37,7 @@ module ReflectedXss {
/**
* A third-party controllable input, considered as a flow source for reflected XSS.
*/
class UntrustedFlowAsSource extends Source, UntrustedFlowSource { }
class UntrustedFlowAsSource extends Source, RemoteFlowSource { }
/** An arbitrary XSS sink, considered as a flow sink for stored XSS. */
private class AnySink extends Sink instanceof SharedXss::Sink { }

Просмотреть файл

@ -35,7 +35,7 @@ module RequestForgery {
/**
* A third-party controllable input, considered as a flow source for request forgery.
*/
class UntrustedFlowAsSource extends Source, UntrustedFlowSource { }
class UntrustedFlowAsSource extends Source, RemoteFlowSource { }
/**
* The URL of an HTTP request, viewed as a sink for request forgery.

Просмотреть файл

@ -26,7 +26,7 @@ module SqlInjection {
abstract class Sanitizer extends DataFlow::Node { }
/** A source of untrusted data, considered as a taint source for SQL injection. */
class UntrustedFlowAsSource extends Source instanceof UntrustedFlowSource { }
class UntrustedFlowAsSource extends Source instanceof RemoteFlowSource { }
/** An SQL string, considered as a taint sink for SQL injection. */
class SqlQueryAsSink extends Sink instanceof SQL::QueryString { }

Просмотреть файл

@ -45,7 +45,7 @@ module TaintedPath {
}
/** A source of untrusted data, considered as a taint source for path traversal. */
class UntrustedFlowAsSource extends Source instanceof UntrustedFlowSource { }
class UntrustedFlowAsSource extends Source instanceof RemoteFlowSource { }
/** A path expression, considered as a taint sink for path traversal. */
class PathAsSink extends Sink {

Просмотреть файл

@ -21,7 +21,7 @@ module UncontrolledAllocationSize {
abstract class Sanitizer extends DataFlow::Node { }
/** A source of untrusted data, considered as a taint source for uncontrolled size allocation vulnerabilities. */
private class UntrustedFlowAsSource extends Source instanceof UntrustedFlowSource { }
private class UntrustedFlowAsSource extends Source instanceof RemoteFlowSource { }
/** The size argument of a memory allocation function. */
private class AllocationSizeAsSink extends Sink instanceof AllocationSizeOverflow::AllocationSize {

Просмотреть файл

@ -25,7 +25,7 @@ module XPathInjection {
abstract class Sanitizer extends DataFlow::ExprNode { }
/** A source of untrusted data, used in an XPath expression. */
class UntrustedFlowAsSource extends Source instanceof UntrustedFlowSource { }
class UntrustedFlowAsSource extends Source instanceof RemoteFlowSource { }
/** An XPath expression string, considered as a taint sink for XPath injection. */
class XPathExpressionStringAsSink extends Sink instanceof XPath::XPathExpressionString { }

Просмотреть файл

@ -17,7 +17,7 @@ module EmailInjection {
abstract class Sink extends DataFlow::Node { }
/** A source of untrusted data, considered as a taint source for email injection. */
class UntrustedFlowSourceAsSource extends Source instanceof UntrustedFlowSource { }
class UntrustedFlowSourceAsSource extends Source instanceof RemoteFlowSource { }
/**
* A data-flow node that becomes part of an email considered as a taint sink for email injection.

Просмотреть файл

@ -98,13 +98,13 @@ private class LdapClientDNSink extends LdapSink {
/**
* DEPRECATED: Use `LdapInjectionFlow` instead.
*
* A taint-tracking configuration for reasoning about when an `UntrustedFlowSource`
* A taint-tracking configuration for reasoning about when an `RemoteFlowSource`
* flows into an argument or field that is vulnerable to LDAP injection.
*/
deprecated class LdapInjectionConfiguration extends TaintTracking::Configuration {
LdapInjectionConfiguration() { this = "Ldap injection" }
override predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
override predicate isSink(DataFlow::Node sink) { sink instanceof LdapSink }
@ -112,7 +112,7 @@ deprecated class LdapInjectionConfiguration extends TaintTracking::Configuration
}
private module LdapInjectionConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
predicate isSink(DataFlow::Node sink) { sink instanceof LdapSink }
@ -120,7 +120,7 @@ private module LdapInjectionConfig implements DataFlow::ConfigSig {
}
/**
* Tracks taint flow for reasoning about when an `UntrustedFlowSource` flows
* Tracks taint flow for reasoning about when an `RemoteFlowSource` flows
* into an argument or field that is vulnerable to LDAP injection.
*/
module LdapInjectionFlow = TaintTracking::Global<LdapInjectionConfig>;

Просмотреть файл

@ -98,7 +98,7 @@ private class SensitiveStringSink extends Sink {
module Config implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
source instanceof UntrustedFlowSource and not isBadResult(source)
source instanceof RemoteFlowSource and not isBadResult(source)
}
predicate isSink(DataFlow::Node sink) { sink instanceof Sink and not isBadResult(sink) }

Просмотреть файл

@ -68,7 +68,7 @@ module ImproperLdapAuth {
private module Config implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
source instanceof UntrustedFlowSource or source instanceof EmptyString
source instanceof RemoteFlowSource or source instanceof EmptyString
}
predicate isSink(DataFlow::Node sink) { sink instanceof LdapAuthSink }

Просмотреть файл

@ -28,7 +28,7 @@ predicate divideByZeroSanitizerGuard(DataFlow::Node g, Expr e, boolean branch) {
}
module Config implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
exists(Function f, DataFlow::CallNode cn | cn = f.getACall() |

Просмотреть файл

@ -14,7 +14,7 @@ import DsnInjectionCustomizations
import DsnInjectionFlow::PathGraph
/** An untrusted flow source taken as a source for the `DsnInjection` taint-flow configuration. */
private class UntrustedFlowAsSource extends Source instanceof UntrustedFlowSource { }
private class UntrustedFlowAsSource extends Source instanceof RemoteFlowSource { }
from DsnInjectionFlow::PathNode source, DsnInjectionFlow::PathNode sink
where DsnInjectionFlow::flowPath(source, sink)

Просмотреть файл

@ -36,7 +36,7 @@ class PassthroughTypeName extends string {
}
module UntrustedToPassthroughTypeConversionConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
additional predicate isSinkToPassthroughType(DataFlow::TypeCastNode sink, PassthroughTypeName name) {
exists(Type typ |
@ -53,7 +53,7 @@ module UntrustedToPassthroughTypeConversionConfig implements DataFlow::ConfigSig
}
/**
* Tracks taint flow for reasoning about when an `UntrustedFlowSource` is
* Tracks taint flow for reasoning about when an `RemoteFlowSource` is
* converted into a special "passthrough" type which will not be escaped by the
* template generator; this allows the injection of arbitrary content (html,
* css, js) into the generated output of the templates.
@ -109,13 +109,13 @@ predicate isSinkToTemplateExec(DataFlow::Node sink, DataFlow::CallNode call) {
}
module FromUntrustedToTemplateExecutionCallConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
predicate isSink(DataFlow::Node sink) { isSinkToTemplateExec(sink, _) }
}
/**
* Tracks taint flow from an `UntrustedFlowSource` into a template executor
* Tracks taint flow from an `RemoteFlowSource` into a template executor
* call.
*/
module FromUntrustedToTemplateExecutionCallFlow =

Просмотреть файл

@ -52,7 +52,7 @@ deprecated class Configuration extends TaintTracking::Configuration {
Configuration() { this = "Condtional Expression Check Bypass" }
override predicate isSource(DataFlow::Node source) {
source instanceof UntrustedFlowSource
source instanceof RemoteFlowSource
or
exists(DataFlow::FieldReadNode f |
f.getField().hasQualifiedName("net/http", "Request", "Host")
@ -71,7 +71,7 @@ deprecated class Configuration extends TaintTracking::Configuration {
private module Config implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
source instanceof UntrustedFlowSource
source instanceof RemoteFlowSource
or
exists(DataFlow::FieldReadNode f |
f.getField().hasQualifiedName("net/http", "Request", "Host")

Просмотреть файл

@ -14,7 +14,7 @@ import go
module Config implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
source instanceof UntrustedFlowSource
source instanceof RemoteFlowSource
or
source = any(Field f | f.hasQualifiedName("net/http", "Request", "Host")).getARead()
}

Просмотреть файл

@ -90,7 +90,7 @@ module ServerSideRequestForgery {
/**
* An user controlled input, considered as a flow source for request forgery.
*/
class UntrustedFlowAsSource extends Source instanceof UntrustedFlowSource { }
class UntrustedFlowAsSource extends Source instanceof RemoteFlowSource { }
/**
* The URL of an HTTP request, viewed as a sink for request forgery.

Просмотреть файл

@ -52,7 +52,7 @@ class AllowCredentialsHeaderWrite extends Http::HeaderWrite {
}
module UntrustedToAllowOriginHeaderConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
additional predicate isSinkHW(DataFlow::Node sink, AllowOriginHeaderWrite hw) {
sink = hw.getValue()
@ -70,7 +70,7 @@ module UntrustedToAllowOriginHeaderConfig implements DataFlow::ConfigSig {
}
module UntrustedToAllowOriginConfigConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
additional predicate isSinkWrite(DataFlow::Node sink, GinCors::AllowOriginsWrite w) { sink = w }
@ -78,13 +78,13 @@ module UntrustedToAllowOriginConfigConfig implements DataFlow::ConfigSig {
}
/**
* Tracks taint flowfor reasoning about when an `UntrustedFlowSource` flows to
* Tracks taint flowfor reasoning about when an `RemoteFlowSource` flows to
* a `HeaderWrite` that writes an `Access-Control-Allow-Origin` header's value.
*/
module UntrustedToAllowOriginHeaderFlow = TaintTracking::Global<UntrustedToAllowOriginHeaderConfig>;
/**
* Tracks taint flowfor reasoning about when an `UntrustedFlowSource` flows to
* Tracks taint flowfor reasoning about when an `RemoteFlowSource` flows to
* a `AllowOriginsWrite` that writes an `Access-Control-Allow-Origin` header's value.
*/
module UntrustedToAllowOriginConfigFlow = TaintTracking::Global<UntrustedToAllowOriginConfigConfig>;
@ -121,7 +121,7 @@ predicate allowCredentialsIsSetToTrue(DataFlow::ExprNode allowOriginHW) {
/**
* Holds if the provided `allowOriginHW` HeaderWrite's value is set using an
* UntrustedFlowSource.
* RemoteFlowSource.
* The `message` parameter is populated with the warning message to be returned by the query.
*/
predicate flowsFromUntrustedToAllowOrigin(DataFlow::ExprNode allowOriginHW, string message) {
@ -169,7 +169,7 @@ class MapRead extends DataFlow::ElementReadNode {
}
module FromUntrustedConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
predicate isSink(DataFlow::Node sink) { isSinkCgn(sink, _) }
@ -208,13 +208,13 @@ module FromUntrustedConfig implements DataFlow::ConfigSig {
}
/**
* Tracks taint flow for reasoning about when an `UntrustedFlowSource` flows
* Tracks taint flow for reasoning about when an `RemoteFlowSource` flows
* somewhere.
*/
module FromUntrustedFlow = TaintTracking::Global<FromUntrustedConfig>;
/**
* Holds if the provided `allowOriginHW` is also destination of a `UntrustedFlowSource`.
* Holds if the provided `allowOriginHW` is also destination of a `RemoteFlowSource`.
*/
predicate flowsToGuardedByCheckOnUntrusted(DataFlow::ExprNode allowOriginHW) {
exists(DataFlow::Node sink, ControlFlow::ConditionGuardNode cgn |

Просмотреть файл

@ -3,7 +3,7 @@
"Models": [
{
"Name": "UntrustedSources",
"Kind": "UntrustedFlowSource",
"Kind": "RemoteFlowSource",
"Methods": [
{
"Name": "{source:[](Param|Result|Fields|Type)} \u003c- $source",

Просмотреть файл

@ -16,7 +16,7 @@ private module CleverGo {
/**
* Provides models of untrusted flow sources.
*/
private class UntrustedSources extends UntrustedFlowSource::Range {
private class UntrustedSources extends RemoteFlowSource::Range {
UntrustedSources() {
// Methods on types of package: clevergo.tech/clevergo@v0.5.2
exists(string receiverName, string methodName, Method mtd, FunctionOutput out |

Просмотреть файл

@ -4,7 +4,7 @@
import go
class MimeMultipartFileHeader extends UntrustedFlowSource::Range {
class MimeMultipartFileHeader extends RemoteFlowSource::Range {
MimeMultipartFileHeader() {
exists(DataFlow::FieldReadNode frn | this = frn |
frn.getField().hasQualifiedName("mime/multipart", "FileHeader", ["Filename", "Header"])
@ -29,7 +29,7 @@ module DecompressionBomb {
class FlowState = DecompressionBombs::FlowState;
predicate isSource(DataFlow::Node source, FlowState state) {
source instanceof UntrustedFlowSource and
source instanceof RemoteFlowSource and
state = ""
}

Просмотреть файл

@ -729,7 +729,7 @@
},
{
"Name": "UntrustedFlowSources",
"Kind": "UntrustedFlowSource",
"Kind": "RemoteFlowSource",
"Methods": [
{
"Name": "{source:[](Param|Result|Fields|Type)} \u003c- $source",

Просмотреть файл

@ -295,7 +295,7 @@ private module Fiber {
/**
* Provides models of untrusted flow sources.
*/
private class UntrustedFlowSources extends UntrustedFlowSource::Range {
private class UntrustedFlowSources extends RemoteFlowSource::Range {
UntrustedFlowSources() {
// Methods on types of package: github.com/gofiber/fiber@v1.14.6
exists(string receiverName, string methodName, Method mtd, FunctionOutput out |

Просмотреть файл

@ -10,7 +10,7 @@ module UntrustedFlowSourceTest implements TestSig {
exists(DataFlow::CallNode sinkCall, DataFlow::ArgumentNode arg |
sinkCall.getCalleeName() = "sink" and
arg = sinkCall.getAnArgument() and
arg.getAPredecessor*() instanceof UntrustedFlowSource
arg.getAPredecessor*() instanceof RemoteFlowSource
|
element = arg.toString() and
value = "" and

Просмотреть файл

@ -10,7 +10,7 @@ module UntrustedFlowSourceTest implements TestSig {
exists(DataFlow::CallNode sinkCall, DataFlow::ArgumentNode arg |
sinkCall.getCalleeName() = "sink" and
arg = sinkCall.getAnArgument() and
arg.getAPredecessor*() instanceof UntrustedFlowSource
arg.getAPredecessor*() instanceof RemoteFlowSource
|
element = arg.toString() and
value = "" and

Просмотреть файл

@ -1,3 +1,3 @@
import go
select any(UntrustedFlowSource ufs)
select any(RemoteFlowSource ufs)

Просмотреть файл

@ -6,7 +6,7 @@
import go
module Config implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node n) { n instanceof UntrustedFlowSource }
predicate isSource(DataFlow::Node n) { n instanceof RemoteFlowSource }
predicate isSink(DataFlow::Node n) { any(ReturnStmt s).getAnExpr() = n.asExpr() }
}

Просмотреть файл

@ -2,7 +2,7 @@ import go
import TestUtilities.InlineFlowTest
module Config implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
predicate isSink(DataFlow::Node sink) {
exists(Function fn | fn.hasQualifiedName(_, "sink") | sink = fn.getACall().getAnArgument())

Просмотреть файл

@ -7,7 +7,7 @@ module UntrustedFlowSourceTest implements TestSig {
predicate hasActualResult(Location location, string element, string tag, string value) {
tag = "untrustedflowsource" and
value = element and
exists(UntrustedFlowSource src | value = "\"" + src.toString() + "\"" |
exists(RemoteFlowSource src | value = "\"" + src.toString() + "\"" |
src.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
location.getStartColumn(), location.getEndLine(), location.getEndColumn())
)

Просмотреть файл

@ -6,7 +6,7 @@ class UntrustedFunction extends Function {
UntrustedFunction() { this.getName() = ["getUntrustedString", "getUntrustedBytes"] }
}
class UntrustedSource extends DataFlow::Node, UntrustedFlowSource::Range {
class UntrustedSource extends DataFlow::Node, RemoteFlowSource::Range {
UntrustedSource() { this = any(UntrustedFunction f).getACall() }
}

Просмотреть файл

@ -2,16 +2,16 @@ import go
import TestUtilities.InlineExpectationsTest
module FasthttpTest implements TestSig {
string getARelevantTag() { result = "UntrustedFlowSource" }
string getARelevantTag() { result = "RemoteFlowSource" }
predicate hasActualResult(Location location, string element, string tag, string value) {
exists(UntrustedFlowSource source |
exists(RemoteFlowSource source |
source
.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
location.getStartColumn(), location.getEndLine(), location.getEndColumn()) and
element = source.toString() and
value = "\"" + source.toString() + "\"" and
tag = "UntrustedFlowSource"
tag = "RemoteFlowSource"
)
}
}

Просмотреть файл

@ -96,7 +96,7 @@ func main() {
func fasthttpServer() {
ln, _ := net.Listen("tcp4", "127.0.0.1:8080")
requestHandler := func(requestCtx *fasthttp.RequestCtx) {
filePath := requestCtx.QueryArgs().Peek("filePath") // $ UntrustedFlowSource="call to Peek"
filePath := requestCtx.QueryArgs().Peek("filePath") // $ RemoteFlowSource="call to Peek"
// File System Access
filePath_string := string(filePath)
_ = requestCtx.Response.SendFile(filePath_string) // $ FileSystemAccess=filePath_string
@ -112,67 +112,67 @@ func fasthttpServer() {
dstReader := &bufio.Reader{}
// user controlled methods as source
requestHeader := &fasthttp.RequestHeader{}
requestHeader.Header() // $ UntrustedFlowSource="call to Header"
requestHeader.TrailerHeader() // $ UntrustedFlowSource="call to TrailerHeader"
requestHeader.String() // $ UntrustedFlowSource="call to String"
requestHeader.RequestURI() // $ UntrustedFlowSource="call to RequestURI"
requestHeader.Host() // $ UntrustedFlowSource="call to Host"
requestHeader.UserAgent() // $ UntrustedFlowSource="call to UserAgent"
requestHeader.ContentEncoding() // $ UntrustedFlowSource="call to ContentEncoding"
requestHeader.ContentType() // $ UntrustedFlowSource="call to ContentType"
requestHeader.Cookie("ACookie") // $ UntrustedFlowSource="call to Cookie"
requestHeader.CookieBytes([]byte("ACookie")) // $ UntrustedFlowSource="call to CookieBytes"
requestHeader.MultipartFormBoundary() // $ UntrustedFlowSource="call to MultipartFormBoundary"
requestHeader.Peek("AHeaderName") // $ UntrustedFlowSource="call to Peek"
requestHeader.PeekAll("AHeaderName") // $ UntrustedFlowSource="call to PeekAll"
requestHeader.PeekBytes([]byte("AHeaderName")) // $ UntrustedFlowSource="call to PeekBytes"
requestHeader.PeekKeys() // $ UntrustedFlowSource="call to PeekKeys"
requestHeader.PeekTrailerKeys() // $ UntrustedFlowSource="call to PeekTrailerKeys"
requestHeader.Referer() // $ UntrustedFlowSource="call to Referer"
requestHeader.RawHeaders() // $ UntrustedFlowSource="call to RawHeaders"
requestHeader.Header() // $ RemoteFlowSource="call to Header"
requestHeader.TrailerHeader() // $ RemoteFlowSource="call to TrailerHeader"
requestHeader.String() // $ RemoteFlowSource="call to String"
requestHeader.RequestURI() // $ RemoteFlowSource="call to RequestURI"
requestHeader.Host() // $ RemoteFlowSource="call to Host"
requestHeader.UserAgent() // $ RemoteFlowSource="call to UserAgent"
requestHeader.ContentEncoding() // $ RemoteFlowSource="call to ContentEncoding"
requestHeader.ContentType() // $ RemoteFlowSource="call to ContentType"
requestHeader.Cookie("ACookie") // $ RemoteFlowSource="call to Cookie"
requestHeader.CookieBytes([]byte("ACookie")) // $ RemoteFlowSource="call to CookieBytes"
requestHeader.MultipartFormBoundary() // $ RemoteFlowSource="call to MultipartFormBoundary"
requestHeader.Peek("AHeaderName") // $ RemoteFlowSource="call to Peek"
requestHeader.PeekAll("AHeaderName") // $ RemoteFlowSource="call to PeekAll"
requestHeader.PeekBytes([]byte("AHeaderName")) // $ RemoteFlowSource="call to PeekBytes"
requestHeader.PeekKeys() // $ RemoteFlowSource="call to PeekKeys"
requestHeader.PeekTrailerKeys() // $ RemoteFlowSource="call to PeekTrailerKeys"
requestHeader.Referer() // $ RemoteFlowSource="call to Referer"
requestHeader.RawHeaders() // $ RemoteFlowSource="call to RawHeaders"
// multipart.Form is already implemented
// requestCtx.MultipartForm()
requestCtx.URI().Path() // $ UntrustedFlowSource="call to Path"
requestCtx.URI().PathOriginal() // $ UntrustedFlowSource="call to PathOriginal"
requestCtx.URI().FullURI() // $ UntrustedFlowSource="call to FullURI"
requestCtx.URI().LastPathSegment() // $ UntrustedFlowSource="call to LastPathSegment"
requestCtx.URI().QueryString() // $ UntrustedFlowSource="call to QueryString"
requestCtx.URI().String() // $ UntrustedFlowSource="call to String"
requestCtx.URI().Path() // $ RemoteFlowSource="call to Path"
requestCtx.URI().PathOriginal() // $ RemoteFlowSource="call to PathOriginal"
requestCtx.URI().FullURI() // $ RemoteFlowSource="call to FullURI"
requestCtx.URI().LastPathSegment() // $ RemoteFlowSource="call to LastPathSegment"
requestCtx.URI().QueryString() // $ RemoteFlowSource="call to QueryString"
requestCtx.URI().String() // $ RemoteFlowSource="call to String"
//or requestCtx.PostArgs()
requestCtx.URI().QueryArgs().Peek("arg1") // $ UntrustedFlowSource="call to Peek"
requestCtx.URI().QueryArgs().PeekBytes([]byte("arg1")) // $ UntrustedFlowSource="call to PeekBytes"
requestCtx.URI().QueryArgs().PeekMulti("arg1") // $ UntrustedFlowSource="call to PeekMulti"
requestCtx.URI().QueryArgs().PeekMultiBytes([]byte("arg1")) // $ UntrustedFlowSource="call to PeekMultiBytes"
requestCtx.URI().QueryArgs().QueryString() // $ UntrustedFlowSource="call to QueryString"
requestCtx.URI().QueryArgs().String() // $ UntrustedFlowSource="call to String"
requestCtx.String() // $ UntrustedFlowSource="call to String"
requestCtx.URI().QueryArgs().Peek("arg1") // $ RemoteFlowSource="call to Peek"
requestCtx.URI().QueryArgs().PeekBytes([]byte("arg1")) // $ RemoteFlowSource="call to PeekBytes"
requestCtx.URI().QueryArgs().PeekMulti("arg1") // $ RemoteFlowSource="call to PeekMulti"
requestCtx.URI().QueryArgs().PeekMultiBytes([]byte("arg1")) // $ RemoteFlowSource="call to PeekMultiBytes"
requestCtx.URI().QueryArgs().QueryString() // $ RemoteFlowSource="call to QueryString"
requestCtx.URI().QueryArgs().String() // $ RemoteFlowSource="call to String"
requestCtx.String() // $ RemoteFlowSource="call to String"
requestCtx.Path() // $ UntrustedFlowSource="call to Path"
requestCtx.Path() // $ RemoteFlowSource="call to Path"
// multipart.Form is already implemented
// requestCtx.FormFile("FileName")
// requestCtx.FormValue("ValueName")
requestCtx.Referer() // $ UntrustedFlowSource="call to Referer"
requestCtx.PostBody() // $ UntrustedFlowSource="call to PostBody"
requestCtx.RequestBodyStream() // $ UntrustedFlowSource="call to RequestBodyStream"
requestCtx.RequestURI() // $ UntrustedFlowSource="call to RequestURI"
requestCtx.UserAgent() // $ UntrustedFlowSource="call to UserAgent"
requestCtx.Host() // $ UntrustedFlowSource="call to Host"
requestCtx.Referer() // $ RemoteFlowSource="call to Referer"
requestCtx.PostBody() // $ RemoteFlowSource="call to PostBody"
requestCtx.RequestBodyStream() // $ RemoteFlowSource="call to RequestBodyStream"
requestCtx.RequestURI() // $ RemoteFlowSource="call to RequestURI"
requestCtx.UserAgent() // $ RemoteFlowSource="call to UserAgent"
requestCtx.Host() // $ RemoteFlowSource="call to Host"
requestCtx.Request.Host() // $ UntrustedFlowSource="call to Host"
requestCtx.Request.Body() // $ UntrustedFlowSource="call to Body"
requestCtx.Request.RequestURI() // $ UntrustedFlowSource="call to RequestURI"
body1, _ := requestCtx.Request.BodyGunzip() // $ UntrustedFlowSource="... := ...[0]"
body2, _ := requestCtx.Request.BodyInflate() // $ UntrustedFlowSource="... := ...[0]"
body3, _ := requestCtx.Request.BodyUnbrotli() // $ UntrustedFlowSource="... := ...[0]"
body4, _ := requestCtx.Request.BodyUncompressed() // $ UntrustedFlowSource="... := ...[0]"
requestCtx.Request.Host() // $ RemoteFlowSource="call to Host"
requestCtx.Request.Body() // $ RemoteFlowSource="call to Body"
requestCtx.Request.RequestURI() // $ RemoteFlowSource="call to RequestURI"
body1, _ := requestCtx.Request.BodyGunzip() // $ RemoteFlowSource="... := ...[0]"
body2, _ := requestCtx.Request.BodyInflate() // $ RemoteFlowSource="... := ...[0]"
body3, _ := requestCtx.Request.BodyUnbrotli() // $ RemoteFlowSource="... := ...[0]"
body4, _ := requestCtx.Request.BodyUncompressed() // $ RemoteFlowSource="... := ...[0]"
fmt.Println(body1, body2, body3, body4)
requestCtx.Request.BodyStream() // $ UntrustedFlowSource="call to BodyStream"
requestCtx.Request.BodyStream() // $ RemoteFlowSource="call to BodyStream"
requestCtx.Request.ReadBody(dstReader, 100, 1000) // $ UntrustedFlowSource="dstReader"
requestCtx.Request.ReadLimitBody(dstReader, 100) // $ UntrustedFlowSource="dstReader"
requestCtx.Request.ContinueReadBodyStream(dstReader, 100, true) // $ UntrustedFlowSource="dstReader"
requestCtx.Request.ContinueReadBody(dstReader, 100) // $ UntrustedFlowSource="dstReader"
requestCtx.Request.ReadBody(dstReader, 100, 1000) // $ RemoteFlowSource="dstReader"
requestCtx.Request.ReadLimitBody(dstReader, 100) // $ RemoteFlowSource="dstReader"
requestCtx.Request.ContinueReadBodyStream(dstReader, 100, true) // $ RemoteFlowSource="dstReader"
requestCtx.Request.ContinueReadBody(dstReader, 100) // $ RemoteFlowSource="dstReader"
// Response methods
// Xss Sinks Related method

Просмотреть файл

@ -1,3 +1,3 @@
import go
select any(UntrustedFlowSource src)
select any(RemoteFlowSource src)

Просмотреть файл

@ -5,7 +5,7 @@ module UntrustedFlowSourceTest implements TestSig {
string getARelevantTag() { result = "source" }
predicate hasActualResult(Location location, string element, string tag, string value) {
exists(UntrustedFlowSource source |
exists(RemoteFlowSource source |
source
.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
location.getStartColumn(), location.getEndLine(), location.getEndColumn()) and

Просмотреть файл

@ -2,15 +2,15 @@ import go
import TestUtilities.InlineExpectationsTest
module UntrustedFlowSourceTest implements TestSig {
string getARelevantTag() { result = "UntrustedFlowSource" }
string getARelevantTag() { result = "RemoteFlowSource" }
predicate hasActualResult(Location location, string element, string tag, string value) {
exists(UntrustedFlowSource src |
exists(RemoteFlowSource src |
src.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
location.getStartColumn(), location.getEndLine(), location.getEndColumn()) and
element = src.toString() and
value = "" and
tag = "UntrustedFlowSource"
tag = "RemoteFlowSource"
)
}
}

Просмотреть файл

@ -7,16 +7,16 @@ import (
)
func sources(ctx *macaron.Context, body *macaron.RequestBody) {
_ = ctx.AllParams() // $UntrustedFlowSource
_ = ctx.GetCookie("") // $UntrustedFlowSource
_, _ = ctx.GetSecureCookie("") // $UntrustedFlowSource
_, _ = ctx.GetSuperSecureCookie("", "") // $UntrustedFlowSource
_, _, _ = ctx.GetFile("") // $UntrustedFlowSource
_ = ctx.Params("") // $UntrustedFlowSource
_ = ctx.ParamsEscape("") // $UntrustedFlowSource
_ = ctx.Query("") // $UntrustedFlowSource
_ = ctx.QueryEscape("") // $UntrustedFlowSource
_ = ctx.QueryStrings("") // $UntrustedFlowSource
_, _ = body.Bytes() // $UntrustedFlowSource
_, _ = body.String() // $UntrustedFlowSource
_ = ctx.AllParams() // $RemoteFlowSource
_ = ctx.GetCookie("") // $RemoteFlowSource
_, _ = ctx.GetSecureCookie("") // $RemoteFlowSource
_, _ = ctx.GetSuperSecureCookie("", "") // $RemoteFlowSource
_, _, _ = ctx.GetFile("") // $RemoteFlowSource
_ = ctx.Params("") // $RemoteFlowSource
_ = ctx.ParamsEscape("") // $RemoteFlowSource
_ = ctx.Query("") // $RemoteFlowSource
_ = ctx.QueryEscape("") // $RemoteFlowSource
_ = ctx.QueryStrings("") // $RemoteFlowSource
_, _ = body.Bytes() // $RemoteFlowSource
_, _ = body.String() // $RemoteFlowSource
}

Просмотреть файл

@ -1,3 +1,3 @@
import go
select any(UntrustedFlowSource ufs)
select any(RemoteFlowSource ufs)

Просмотреть файл

@ -8,7 +8,7 @@ class Sink extends DataFlow::Node {
}
private module TestConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
}