Convert RequestForgery test to inline expectations

Author: owen-mc

go/ql/test/query-tests/Security/CWE-918/RequestForgery.go

@@ -5,10 +5,10 @@ import (
 )
 
 func handler(w http.ResponseWriter, req *http.Request) {
-	target := req.FormValue("target")
+	target := req.FormValue("target") // $ Source
 
 	// BAD: `target` is controlled by the attacker
-	resp, err := http.Get("https://" + target + ".example.com/data/")
+	resp, err := http.Get("https://" + target + ".example.com/data/") // $ Alert
 	if err != nil {
 		// error handling
 	}

go/ql/test/query-tests/Security/CWE-918/RequestForgery.qlref

@@ -1,2 +1,4 @@
 query: Security/CWE-918/RequestForgery.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql

go/ql/test/query-tests/Security/CWE-918/tst.go

@@ -7,34 +7,34 @@ import (
 )
 
 func handler2(w http.ResponseWriter, req *http.Request) {
-	tainted := req.FormValue("target")
+	tainted := req.FormValue("target") // $ Source
 
 	http.Get("example.com") // OK
 
-	http.Get(tainted) // Not OK
+	http.Get(tainted) // $ Alert
 
 	http.Head(tainted) // OK
 
-	http.Post(tainted, "text/basic", nil) // Not OK
+	http.Post(tainted, "text/basic", nil) // $ Alert
 
 	client := &http.Client{}
-	rq, _ := http.NewRequest("GET", tainted, nil)
-	client.Do(rq) // Not OK
+	rq, _ := http.NewRequest("GET", tainted, nil) // $ Sink
+	client.Do(rq)                                 // $ Alert
 
-	rq, _ = http.NewRequestWithContext(context.Background(), "GET", tainted, nil)
-	client.Do(rq) // Not OK
+	rq, _ = http.NewRequestWithContext(context.Background(), "GET", tainted, nil) // $ Sink
+	client.Do(rq)                                                                 // $ Alert
 
-	http.Get("http://" + tainted) // Not OK
+	http.Get("http://" + tainted) // $ Alert
 
-	http.Get("http://example.com" + tainted) // Not OK
+	http.Get("http://example.com" + tainted) // $ Alert
 
 	http.Get("http://example.com/" + tainted) // OK
 
 	http.Get("http://example.com/?" + tainted) // OK
 
 	u, _ := url.Parse("http://example.com/relative-path")
 	u.Host = tainted
-	http.Get(u.String()) // Not OK
+	http.Get(u.String()) // $ Alert
 }
 
 func main() {

go/ql/test/query-tests/Security/CWE-918/websocket.go

@@ -57,12 +57,12 @@ func test() {
 
 	// x net websocket dial bad
 	http.HandleFunc("/ex2", func(w http.ResponseWriter, r *http.Request) {
-		untrustedInput := r.Referer()
+		untrustedInput := r.Referer() // $ Source
 
 		origin := "http://localhost/"
 
 		// bad as input is directly passed to dial function
-		ws, _ := websocket.Dial(untrustedInput, "", origin)
+		ws, _ := websocket.Dial(untrustedInput, "", origin) // $ Alert
 		var msg = make([]byte, 512)
 		var n int
 		n, _ = ws.Read(msg)
@@ -71,12 +71,12 @@ func test() {
 
 	// x net websocket dialConfig bad
 	http.HandleFunc("/ex3", func(w http.ResponseWriter, r *http.Request) {
-		untrustedInput := r.Referer()
+		untrustedInput := r.Referer() // $ Source
 
 		origin := "http://localhost/"
 		// bad as input is directly used
-		config, _ := websocket.NewConfig(untrustedInput, origin) // good
-		ws2, _ := websocket.DialConfig(config)
+		config, _ := websocket.NewConfig(untrustedInput, origin) // $ Sink
+		ws2, _ := websocket.DialConfig(config)                   // $ Alert
 		var msg = make([]byte, 512)
 		var n int
 		n, _ = ws2.Read(msg)
@@ -85,10 +85,10 @@ func test() {
 
 	// nhooyr websocket dial bad
 	http.HandleFunc("/ex4", func(w http.ResponseWriter, r *http.Request) {
-		untrustedInput := r.Referer()
+		untrustedInput := r.Referer() // $ Source
 
 		// bad as input is used directly
-		nhooyr.Dial(context.TODO(), untrustedInput, nil)
+		nhooyr.Dial(context.TODO(), untrustedInput, nil) // $ Alert
 		w.WriteHeader(500)
 	})
 
@@ -104,10 +104,10 @@ func test() {
 
 	// gorilla websocket Dialer.Dial bad
 	http.HandleFunc("/ex6", func(w http.ResponseWriter, r *http.Request) {
-		untrustedInput := r.Referer()
+		untrustedInput := r.Referer() // $ Source
 
 		dialer := gorilla.Dialer{}
-		dialer.Dial(untrustedInput, r.Header)
+		dialer.Dial(untrustedInput, r.Header) // $ Alert
 	})
 
 	// gorilla websocket Dialer.Dial good
@@ -123,10 +123,10 @@ func test() {
 
 	// gorilla websocket Dialer.DialContext bad
 	http.HandleFunc("/ex8", func(w http.ResponseWriter, r *http.Request) {
-		untrustedInput := r.Referer()
+		untrustedInput := r.Referer() // $ Source
 
 		dialer := gorilla.Dialer{}
-		dialer.DialContext(context.TODO(), untrustedInput, r.Header)
+		dialer.DialContext(context.TODO(), untrustedInput, r.Header) // $ Alert
 	})
 
 	// gorilla websocket Dialer.DialContext good
@@ -151,15 +151,15 @@ func test() {
 
 	// gobwas websocket Dial bad
 	http.HandleFunc("/ex11", func(w http.ResponseWriter, r *http.Request) {
-		untrustedInput := r.Referer()
-		gobwas.Dial(context.TODO(), untrustedInput)
+		untrustedInput := r.Referer()               // $ Source
+		gobwas.Dial(context.TODO(), untrustedInput) // $ Alert
 	})
 
 	// gobwas websocket Dialer.Dial bad
 	http.HandleFunc("/ex12", func(w http.ResponseWriter, r *http.Request) {
-		untrustedInput := r.Referer()
+		untrustedInput := r.Referer() // $ Source
 		dialer := gobwas.Dialer{}
-		dialer.Dial(context.TODO(), untrustedInput)
+		dialer.Dial(context.TODO(), untrustedInput) // $ Alert
 	})
 
 	// gobwas websocket Dialer.Dial good
@@ -192,16 +192,16 @@ func test() {
 
 	// sac007 websocket BuildProxy bad
 	http.HandleFunc("/ex15", func(w http.ResponseWriter, r *http.Request) {
-		untrustedInput := r.Referer()
+		untrustedInput := r.Referer() // $ Source
 
-		_ = sac.BuildProxy(untrustedInput)
+		_ = sac.BuildProxy(untrustedInput) // $ Alert
 	})
 
 	// sac007 websocket New bad
 	http.HandleFunc("/ex16", func(w http.ResponseWriter, r *http.Request) {
-		untrustedInput := r.Referer()
+		untrustedInput := r.Referer() // $ Source
 
-		_ = sac.New(untrustedInput)
+		_ = sac.New(untrustedInput) // $ Alert
 	})
 
 	log.Println(http.ListenAndServe(":80", nil))