Address Feedback

Kwstubbs · Kwstubbs · commit 1f2e8d898def · 2023-11-05T14:28:34.000-08:00
diff --git a/go/ql/lib/semmle/go/frameworks/GinCors.qll b/go/ql/lib/semmle/go/frameworks/GinCors.qll
@@ -22,11 +22,10 @@ module GinCors {
    * A write to the value of Access-Control-Allow-Credentials header
    */
   class AllowCredentialsWrite extends DataFlow::ExprNode {
-    DataFlow::Node base;
     GinConfig gc;
 
     AllowCredentialsWrite() {
-      exists(Field f, Write w |
+      exists(Field f, Write w, DataFlow::Node base |
         f.hasQualifiedName(packagePath(), "Config", "AllowCredentials") and
         w.writesField(base, f, this) and
         this.getType() instanceof BoolType and
@@ -48,11 +47,10 @@ module GinCors {
    * A write to the value of Access-Control-Allow-Origins header
    */
   class AllowOriginsWrite extends DataFlow::ExprNode {
-    DataFlow::Node base;
     GinConfig gc;
 
     AllowOriginsWrite() {
-      exists(Field f, Write w |
+      exists(Field f, Write w, DataFlow::Node base |
         f.hasQualifiedName(packagePath(), "Config", "AllowOrigins") and
         w.writesField(base, f, this) and
         this.asExpr() instanceof SliceLit and
@@ -74,11 +72,10 @@ module GinCors {
    * A write to the value of Access-Control-Allow-Origins of value "*", overriding AllowOrigins
    */
   class AllowAllOriginsWrite extends DataFlow::ExprNode {
-    DataFlow::Node base;
     GinConfig gc;
 
     AllowAllOriginsWrite() {
-      exists(Field f, Write w |
+      exists(Field f, Write w, DataFlow::Node base |
         f.hasQualifiedName(packagePath(), "Config", "AllowAllOrigins") and
         w.writesField(base, f, this) and
         this.getType() instanceof BoolType and
diff --git a/go/ql/src/experimental/CWE-942/CorsMisconfiguration.ql b/go/ql/src/experimental/CWE-942/CorsMisconfiguration.ql
@@ -103,12 +103,12 @@ predicate allowCredentialsIsSetToTrue(DataFlow::ExprNode allowOriginHW) {
   )
   or
   exists(GinCors::AllowCredentialsWrite allowCredentialsGin |
-    allowCredentialsGin.toString() = "true"
+    allowCredentialsGin.getExpr().getBoolValue() = true
   |
     //flow only goes in one direction so fix this before PR
     allowCredentialsGin.getConfig() = allowOriginHW.(GinCors::AllowOriginsWrite).getConfig() and
     not exists(GinCors::AllowAllOriginsWrite allowAllOrigins |
-      allowAllOrigins.toString() = "true" and
+      allowAllOrigins.getExpr().getBoolValue() = true and
       allowCredentialsGin.getConfig() = allowAllOrigins.getConfig()
     )
   )
@@ -149,8 +149,8 @@ predicate allowOriginIsNull(DataFlow::ExprNode allowOriginHW, string message) {
       .asExpr()
       .(SliceLit)
       .getAnElement()
-      .toString()
-      .toLowerCase() = "\"null\"" and
+      .getStringValue()
+      .toLowerCase() = "null" and
   message =
     headerAllowOrigin() + " header is set to `" + "null" + "`, and " + headerAllowCredentials() +
       " is set to `true`"
diff --git a/go/ql/test/experimental/CWE-942/vendor/github.com/gin-contrib/cors/stub.go b/go/ql/test/experimental/CWE-942/vendor/github.com/gin-contrib/cors/stub.go
