Partial URLs should not sanitize against SSRF

Alvaro Muñoz · owen-mc · commit 8bf4b55309b6 · 2023-04-14T12:00:38.000+01:00
As an example:

```go
	urlPath := ctx.Req.URL.Path
	hash := urlPath[strings.LastIndex(urlPath, "/")+1:]
        req, _ := http.NewRequest("GET", source+hash, nil)
```
diff --git a/go/ql/lib/semmle/go/security/SafeUrlFlowCustomizations.qll b/go/ql/lib/semmle/go/security/SafeUrlFlowCustomizations.qll
@@ -35,4 +35,10 @@ module SafeUrlFlow {
   private class UnsafeUrlMethodEdge extends SanitizerEdge {
     UnsafeUrlMethodEdge() { this = any(UnsafeUrlMethod um).getACall().getReceiver() }
   }
+  
+  /** Any slicing of the URL, considered as a sanitizer for safe URL flow. */
+  private class StringSlicingEdge extends SanitizerEdge {
+    StringSlicingEdge() { this = any(DataFlow::SliceNode sn) }
+  }
+
 }

Original file line number	Diff line number	Diff line change
`@@ -35,4 +35,10 @@ module SafeUrlFlow {`
`35`	`35`	`private class UnsafeUrlMethodEdge extends SanitizerEdge {`
`36`	`36`	`UnsafeUrlMethodEdge() { this = any(UnsafeUrlMethod um).getACall().getReceiver() }`
`37`	`37`	`}`
	`38`	`+`
	`39`	`+ /** Any slicing of the URL, considered as a sanitizer for safe URL flow. */`
	`40`	`+ private class StringSlicingEdge extends SanitizerEdge {`
	`41`	`+ StringSlicingEdge() { this = any(DataFlow::SliceNode sn) }`
	`42`	`+ }`
	`43`	`+`
`38`	`44`	`}`