File tree Expand file tree Collapse file tree 4 files changed +46
-1
lines changed
semmle/go/dataflow/internal
test/library-tests/semmle/go/dataflow/DefaultTaintSanitizer Expand file tree Collapse file tree 4 files changed +46
-1
lines changed Original file line number Diff line number Diff line change 1+ ---
2+ category : minorAnalysis
3+ ---
4+ * There was a bug which meant that the built-in function ` clear ` was considered as a sanitizer in some cases when it shouldn't have been. This has now been fixed, which may lead to more alerts.
Original file line number Diff line number Diff line change @@ -423,7 +423,7 @@ private class ClearSanitizer extends DefaultTaintSanitizer {
423423 arg = call .getAnArgument ( ) and
424424 arg = var .getAUse ( ) and
425425 arg != this and
426- this .getBasicBlock ( ) .( ReachableBasicBlock ) .dominates ( this .getBasicBlock ( ) )
426+ arg .getBasicBlock ( ) .( ReachableBasicBlock ) .dominates ( this .getBasicBlock ( ) )
427427 )
428428 }
429429}
Original file line number Diff line number Diff line change @@ -8,9 +8,38 @@ func clearTestBad(sourceReq *http.Request) string {
88 return string (b )
99}
1010
11+ func clearTestBad2 (sourceReq * http.Request , x bool ) string {
12+ b := make ([]byte , 8 )
13+ sourceReq .Body .Read (b )
14+ if x {
15+ clear (b )
16+ }
17+ return string (b )
18+ }
19+
20+ func clearTestBad3 (sourceReq * http.Request , x bool ) string {
21+ b := make ([]byte , 8 )
22+ sourceReq .Body .Read (b )
23+ if x {
24+ return string (b )
25+ }
26+ clear (b )
27+ return string (b )
28+ }
29+
1130func clearTestGood (sourceReq * http.Request ) string {
1231 b := make ([]byte , 8 )
1332 sourceReq .Body .Read (b )
1433 clear (b ) // should prevent taint flow
1534 return string (b )
1635}
36+
37+ func clearTestGood2 (sourceReq * http.Request , x bool ) string {
38+ b := make ([]byte , 8 )
39+ sourceReq .Body .Read (b )
40+ clear (b ) // should prevent taint flow
41+ if x {
42+ return string (b )
43+ }
44+ return ""
45+ }
Original file line number Diff line number Diff line change 11edges
22| Builtin.go:6:2:6:2 | definition of b | Builtin.go:8:9:8:17 | type conversion | provenance | |
33| Builtin.go:7:2:7:15 | selection of Body | Builtin.go:6:2:6:2 | definition of b | provenance | MaD:626 |
4+ | Builtin.go:12:2:12:2 | definition of b | Builtin.go:17:9:17:17 | type conversion | provenance | |
5+ | Builtin.go:13:2:13:15 | selection of Body | Builtin.go:12:2:12:2 | definition of b | provenance | MaD:626 |
6+ | Builtin.go:21:2:21:2 | definition of b | Builtin.go:24:10:24:18 | type conversion | provenance | |
7+ | Builtin.go:22:2:22:15 | selection of Body | Builtin.go:21:2:21:2 | definition of b | provenance | MaD:626 |
48nodes
59| Builtin.go:6:2:6:2 | definition of b | semmle.label | definition of b |
610| Builtin.go:7:2:7:15 | selection of Body | semmle.label | selection of Body |
711| Builtin.go:8:9:8:17 | type conversion | semmle.label | type conversion |
12+ | Builtin.go:12:2:12:2 | definition of b | semmle.label | definition of b |
13+ | Builtin.go:13:2:13:15 | selection of Body | semmle.label | selection of Body |
14+ | Builtin.go:17:9:17:17 | type conversion | semmle.label | type conversion |
15+ | Builtin.go:21:2:21:2 | definition of b | semmle.label | definition of b |
16+ | Builtin.go:22:2:22:15 | selection of Body | semmle.label | selection of Body |
17+ | Builtin.go:24:10:24:18 | type conversion | semmle.label | type conversion |
818subpaths
919#select
1020| Builtin.go:8:9:8:17 | type conversion | Builtin.go:7:2:7:15 | selection of Body | Builtin.go:8:9:8:17 | type conversion | Found taint flow |
21+ | Builtin.go:17:9:17:17 | type conversion | Builtin.go:13:2:13:15 | selection of Body | Builtin.go:17:9:17:17 | type conversion | Found taint flow |
22+ | Builtin.go:24:10:24:18 | type conversion | Builtin.go:22:2:22:15 | selection of Body | Builtin.go:24:10:24:18 | type conversion | Found taint flow |
You can’t perform that action at this time.
0 commit comments