Fix select query, Add httprouter library and update test files

krakendio · krakendio · commit 5f6de79c09dc · 2023-12-14T00:19:11.000+03:00
diff --git a/go/ql/src/experimental/CWE-525/WebCacheDeception.qhelp b/go/ql/src/experimental/CWE-525/WebCacheDeception.qhelp
@@ -36,6 +36,12 @@
             Vulnerable code example: The server is configured with strict cache controls and URL validation, preventing caching of dynamic or sensitive pages regardless of their URL pattern.
         </p>
         <sample src="examples/WebCacheDeceptionGoChi.go" />
+    </example>
+     <example>
+        <p>
+            Vulnerable code example: The server is configured with strict cache controls and URL validation, preventing caching of dynamic or sensitive pages regardless of their URL pattern.
+        </p>
+        <sample src="examples/WebCacheDeceptionHTTPRouter.go" />
     </example>
     <references>
         <li>
diff --git a/go/ql/src/experimental/CWE-525/WebCacheDeceptionLib.qll b/go/ql/src/experimental/CWE-525/WebCacheDeceptionLib.qll
@@ -47,4 +47,17 @@ module WebCacheDeception {
       )
     }
   }
+
+  private class GoHTTPRouter extends Sink {
+    GoHTTPRouter() {
+      exists(string pkg |
+        pkg = "github.com/julienschmidt/httprouter"
+      |
+        exists(DataFlow::CallNode m |
+          m.getCall().getArgument(0).toString().matches("%/*%") and
+          this = m.getArgument(0)
+        )
+      )
+    }
+  }
 }
diff --git a/go/ql/test/experimental/CWE-525/WebCacheDeception.expected b/go/ql/test/experimental/CWE-525/WebCacheDeception.expected
@@ -2,3 +2,4 @@
 | WebCacheDeceptionFiber.go:15:10:15:17 | "/api/*" | "/api/*" is used as wildcard endpoint. |
 | WebCacheDeceptionFiber.go:20:11:20:18 | "/api/*" | "/api/*" is used as wildcard endpoint. |
 | WebCacheDeceptionGoChi.go:13:8:13:11 | "/*" | "/*" is used as wildcard endpoint. |
+| WebCacheDeceptionHTTPRouter.go:21:13:21:25 | "/test/*test" | "/test/*test" is used as wildcard endpoint. |
diff --git a/go/ql/test/experimental/CWE-525/go.mod b/go/ql/test/experimental/CWE-525/go.mod
@@ -5,6 +5,7 @@ go 1.21
 require (
 	github.com/go-chi/chi/v5 v5.0.10
 	github.com/gofiber/fiber/v2 v2.51.0
+	github.com/julienschmidt/httprouter v1.3.0
 )
 
 require (
diff --git a/go/ql/test/experimental/CWE-525/vendor/modules.txt b/go/ql/test/experimental/CWE-525/vendor/modules.txt
@@ -4,6 +4,9 @@ github.com/go-chi/chi/v5
 # github.com/gofiber/fiber/v2 v2.51.0
 ## explicit
 github.com/gofiber/fiber/v2
+# github.com/julienschmidt/httprouter v1.3.0
+## explicit
+github.com/julienschmidt/httprouter
 # github.com/andybalholm/brotli v1.0.5
 ## explicit
 github.com/andybalholm/brotli

Original file line number	Diff line number	Diff line change
`@@ -47,4 +47,17 @@ module WebCacheDeception {`
`47`	`47`	`)`
`48`	`48`	`}`
`49`	`49`	`}`
	`50`	`+`
	`51`	`+ private class GoHTTPRouter extends Sink {`
	`52`	`+ GoHTTPRouter() {`
	`53`	`+ exists(string pkg \|`
	`54`	`+ pkg = "github.com/julienschmidt/httprouter"`
	`55`	`+ \|`
	`56`	`+ exists(DataFlow::CallNode m \|`
	`57`	`+ m.getCall().getArgument(0).toString().matches("%/*%") and`
	`58`	`+ this = m.getArgument(0)`
	`59`	`+ )`
	`60`	`+ )`
	`61`	`+ }`
	`62`	`+ }`
`50`	`63`	`}`
Original file line number	Diff line number	Diff line change
`@@ -5,6 +5,7 @@ go 1.21`
`5`	`5`	`require (`
`6`	`6`	`github.com/go-chi/chi/v5 v5.0.10`
`7`	`7`	`github.com/gofiber/fiber/v2 v2.51.0`
	`8`	`+ github.com/julienschmidt/httprouter v1.3.0`
`8`	`9`	`)`
`9`	`10`
`10`	`11`	`require (`