Merge pull request github#12558 from smowton/smowton/fix/flow-to-external-api-write-only-methods

smowton · web-flow · commit 0cadf4d94a46 · 2023-03-17T11:52:48.000Z
Go: exclude `net/http.Header.Set` and `.Del` from `go/untrusted-data-to-external-api`
diff --git a/go/ql/lib/semmle/go/security/ExternalAPIs.qll b/go/ql/lib/semmle/go/security/ExternalAPIs.qll
@@ -19,6 +19,16 @@ abstract class SafeExternalApiFunction extends Function { }
 /** DEPRECATED: Alias for SafeExternalApiFunction */
 deprecated class SafeExternalAPIFunction = SafeExternalApiFunction;
 
+/**
+ * A `Function` with one or more arguments that are considered "safe" from a security perspective.
+ */
+abstract class SafeExternalApiArgument extends Function {
+  /**
+   * Holds if `i` is a safe argument to this function.
+   */
+  abstract predicate isSafeArgument(int i);
+}
+
 private predicate isDefaultSafePackage(Package package) {
   package.getPath() in ["time", "unicode/utf8", package("gopkg.in/go-playground/validator", "")]
 }
@@ -44,6 +54,16 @@ private class DefaultSafeExternalApiFunction extends SafeExternalApiFunction {
   }
 }
 
+private class DefaultSafeExternalApiFunctionArgument extends SafeExternalApiArgument {
+  int index;
+
+  DefaultSafeExternalApiFunctionArgument() {
+    this.(Method).hasQualifiedName("net/http", "Header", ["Set", "Del"]) and index = -1
+  }
+
+  override predicate isSafeArgument(int i) { i = index }
+}
+
 /** Holds if `callNode` is a local function pointer. */
 private predicate isProbableLocalFunctionPointer(DataFlow::CallNode callNode) {
   // Not a method call
@@ -77,7 +97,9 @@ class ExternalApiDataNode extends DataFlow::Node {
     // Not already modeled as a taint step
     not TaintTracking::localTaintStep(this, _) and
     // Not a call to a known safe external API
-    not call.getTarget() instanceof SafeExternalApiFunction
+    not call.getTarget() instanceof SafeExternalApiFunction and
+    // Not a known safe argument to an external API
+    not any(SafeExternalApiArgument seaa).isSafeArgument(i)
   }
 
   /** Gets the called API `Function`. */
diff --git a/go/ql/src/change-notes/2023-03-16-untrusted-data-write-only-args.md b/go/ql/src/change-notes/2023-03-16-untrusted-data-write-only-args.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The receiver arguments of `net/http.Header.Set` and `.Del` are no longer flagged by query `go/untrusted-data-to-external-api`.

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* The receiver arguments of `net/http.Header.Set` and `.Del` are no longer flagged by query `go/untrusted-data-to-external-api`.