Add models for the read side of golang.org/x/net/html

smowton · smowton · commit 02f353eabd29 · 2020-11-06T11:04:53.000Z
This covers cases where an HTML document is retrieved and then parts of its structure are output without proper escaping.
diff --git a/change-notes/2020-10-12-x-net-html.md b/change-notes/2020-10-12-x-net-html.md
@@ -1,2 +1,2 @@
 lgtm,codescanning
-* Added partial support for the `golang.org/x/net/html` package, modelling tainted data flow from a retrieved HTML document to its attributes and other data.
+* Added partial support for the `golang.org/x/net/html` package, modeling tainted data flow from a retrieved HTML document to its attributes and other data.
diff --git a/ql/src/semmle/go/frameworks/XNetHtml.qll b/ql/src/semmle/go/frameworks/XNetHtml.qll
@@ -30,6 +30,10 @@ module XNetHtml {
             "NewTokenizer", "NewTokenizerFragment"] and
       input.isParameter(0) and
       output.isResult(0)
+      or
+      getName() = ["AppendChild", "InsertBefore"] and
+      input.isParameter(0) and
+      output.isReceiver()
     }
   }
 

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`	`1`	`lgtm,codescanning`
`2`		-* Added partial support for the `golang.org/x/net/html` package, modelling tainted data flow from a retrieved HTML document to its attributes and other data.
	`2`	+* Added partial support for the `golang.org/x/net/html` package, modeling tainted data flow from a retrieved HTML document to its attributes and other data.
Original file line number	Diff line number	Diff line change
`@@ -30,6 +30,10 @@ module XNetHtml {`
`30`	`30`	`"NewTokenizer", "NewTokenizerFragment"] and`
`31`	`31`	`input.isParameter(0) and`
`32`	`32`	`output.isResult(0)`
	`33`	`+ or`
	`34`	`+ getName() = ["AppendChild", "InsertBefore"] and`
	`35`	`+ input.isParameter(0) and`
	`36`	`+ output.isReceiver()`
`33`	`37`	`}`
`34`	`38`	`}`
`35`	`39`