Skip to content
This repository was archived by the owner on Jan 5, 2023. It is now read-only.

Commit 0d5c7e3

Browse files
committed
Add taint-tracking for text/template template.
1 parent db0b09b commit 0d5c7e3

File tree

3 files changed

+183
-0
lines changed

3 files changed

+183
-0
lines changed

ql/src/semmle/go/frameworks/Stdlib.qll

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -16,6 +16,7 @@ import semmle.go.frameworks.stdlib.Path
1616
import semmle.go.frameworks.stdlib.PathFilepath
1717
import semmle.go.frameworks.stdlib.TextScanner
1818
import semmle.go.frameworks.stdlib.TextTabwriter
19+
import semmle.go.frameworks.stdlib.TextTemplate
1920

2021
/** A `String()` method. */
2122
class StringMethod extends TaintTracking::FunctionModel, Method {
Lines changed: 66 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,66 @@
1+
/**
2+
* Provides classes modeling security-relevant aspects of the `text/template` package.
3+
*/
4+
5+
import go
6+
7+
/** Provides models of commonly used functions in the `text/template` package. */
8+
module TextTemplate {
9+
private class FunctionModels extends TaintTracking::FunctionModel {
10+
FunctionInput inp;
11+
FunctionOutput outp;
12+
13+
FunctionModels() {
14+
// signature: func HTMLEscape(w io.Writer, b []byte)
15+
hasQualifiedName("text/template", "HTMLEscape") and
16+
(inp.isParameter(1) and outp.isParameter(0))
17+
or
18+
// signature: func HTMLEscapeString(s string) string
19+
hasQualifiedName("text/template", "HTMLEscapeString") and
20+
(inp.isParameter(0) and outp.isResult())
21+
or
22+
// signature: func HTMLEscaper(args ...interface{}) string
23+
hasQualifiedName("text/template", "HTMLEscaper") and
24+
(inp.isParameter(_) and outp.isResult())
25+
or
26+
// signature: func JSEscape(w io.Writer, b []byte)
27+
hasQualifiedName("text/template", "JSEscape") and
28+
(inp.isParameter(1) and outp.isParameter(0))
29+
or
30+
// signature: func JSEscapeString(s string) string
31+
hasQualifiedName("text/template", "JSEscapeString") and
32+
(inp.isParameter(0) and outp.isResult())
33+
or
34+
// signature: func JSEscaper(args ...interface{}) string
35+
hasQualifiedName("text/template", "JSEscaper") and
36+
(inp.isParameter(_) and outp.isResult())
37+
or
38+
// signature: func URLQueryEscaper(args ...interface{}) string
39+
hasQualifiedName("text/template", "URLQueryEscaper") and
40+
(inp.isParameter(_) and outp.isResult())
41+
}
42+
43+
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
44+
input = inp and output = outp
45+
}
46+
}
47+
48+
private class MethodModels extends TaintTracking::FunctionModel, Method {
49+
FunctionInput inp;
50+
FunctionOutput outp;
51+
52+
MethodModels() {
53+
// signature: func (*Template).Execute(wr io.Writer, data interface{}) error
54+
this.hasQualifiedName("text/template", "Template", "Execute") and
55+
(inp.isParameter(1) and outp.isParameter(0))
56+
or
57+
// signature: func (*Template).ExecuteTemplate(wr io.Writer, name string, data interface{}) error
58+
this.hasQualifiedName("text/template", "Template", "ExecuteTemplate") and
59+
(inp.isParameter(2) and outp.isParameter(0))
60+
}
61+
62+
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
63+
input = inp and output = outp
64+
}
65+
}
66+
}

ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/TextTemplate.go

Lines changed: 116 additions & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

0 commit comments

Comments
 (0)