Merge pull request github#10026 from pwntester/patch-2

owen-mc · web-flow · commit 8a4ca7fb8466 · 2023-04-14T13:52:11.000+01:00
Go: Partial URLs should not sanitize against SSRF
diff --git a/go/ql/lib/change-notes/2023-04-14-partial-URLs-should-not-sanitize-against-SSRF.md b/go/ql/lib/change-notes/2023-04-14-partial-URLs-should-not-sanitize-against-SSRF.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Taking a slice is now considered a sanitizer for `SafeUrlFlow`.
diff --git a/go/ql/lib/semmle/go/security/SafeUrlFlowCustomizations.qll b/go/ql/lib/semmle/go/security/SafeUrlFlowCustomizations.qll
@@ -35,4 +35,9 @@ module SafeUrlFlow {
   private class UnsafeUrlMethodEdge extends SanitizerEdge {
     UnsafeUrlMethodEdge() { this = any(UnsafeUrlMethod um).getACall().getReceiver() }
   }
+
+  /** Any slicing of the URL, considered as a sanitizer for safe URL flow. */
+  private class StringSlicingEdge extends SanitizerEdge {
+    StringSlicingEdge() { this = any(DataFlow::SliceNode sn) }
+  }
 }

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* Taking a slice is now considered a sanitizer for `SafeUrlFlow`.
Original file line number	Diff line number	Diff line change
`@@ -35,4 +35,9 @@ module SafeUrlFlow {`
`35`	`35`	`private class UnsafeUrlMethodEdge extends SanitizerEdge {`
`36`	`36`	`UnsafeUrlMethodEdge() { this = any(UnsafeUrlMethod um).getACall().getReceiver() }`
`37`	`37`	`}`
	`38`	`+`
	`39`	`+ /** Any slicing of the URL, considered as a sanitizer for safe URL flow. */`
	`40`	`+ private class StringSlicingEdge extends SanitizerEdge {`
	`41`	`+ StringSlicingEdge() { this = any(DataFlow::SliceNode sn) }`
	`42`	`+ }`
`38`	`43`	`}`