Convert WebSocketReaderAsSource to MaD

owen-mc · owen-mc · commit fc17b905f095 · 2024-07-18T10:53:13.000+01:00
diff --git a/go/ql/lib/ext/github.com.gobwas.ws.model.yml b/go/ql/lib/ext/github.com.gobwas.ws.model.yml
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sourceModel
+    data:
+      - ["github.com/gobwas/ws", "", True, "ReadFrame", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/gobwas/ws", "", True, "ReadHeader", "", "", "ReturnValue[0]", "remote", "manual"]
diff --git a/go/ql/lib/ext/github.com.gorilla.websocket.model.yml b/go/ql/lib/ext/github.com.gorilla.websocket.model.yml
@@ -0,0 +1,8 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sourceModel
+    data:
+      - ["github.com/gorilla/websocket", "", True, "ReadJSON", "", "", "Argument[1]", "remote", "manual"]
+      - ["github.com/gorilla/websocket", "Conn", True, "ReadJSON", "", "", "Argument[0]", "remote", "manual"]
+      - ["github.com/gorilla/websocket", "Conn", True, "ReadMessage", "", "", "ReturnValue[1]", "remote", "manual"]
diff --git a/go/ql/lib/ext/github.com.revel.revel.model.yml b/go/ql/lib/ext/github.com.revel.revel.model.yml
@@ -30,6 +30,8 @@ extensions:
       - ["group:revel", "Request", True, "PostFormValue", "", "", "ReturnValue", "remote", "manual"]
       - ["group:revel", "Request", True, "Referer", "", "", "ReturnValue", "remote", "manual"]
       - ["group:revel", "Request", True, "UserAgent", "", "", "ReturnValue", "remote", "manual"]
+      - ["group:revel", "ServerWebSocket", True, "MessageReceive", "", "", "Argument[0]", "remote", "manual"]
+      - ["group:revel", "ServerWebSocket", True, "MessageReceiveJSON", "", "", "Argument[0]", "remote", "manual"]
   - addsTo:
       pack: codeql/go-all
       extensible: summaryModel
diff --git a/go/ql/lib/ext/golang.org.x.net.websocket.model.yml b/go/ql/lib/ext/golang.org.x.net.websocket.model.yml
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sourceModel
+    data:
+      - ["golang.org/x/net/websocket", "Codec", True, "Receive", "", "", "Argument[1]", "remote", "manual"]
+      - ["golang.org/x/net/websocket", "Conn", True, "Read", "", "", "Argument[0]", "remote", "manual"]
diff --git a/go/ql/lib/ext/nhooyr.io.websocket.model.yml b/go/ql/lib/ext/nhooyr.io.websocket.model.yml
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sourceModel
+    data:
+      - ["nhooyr.io/websocket", "Conn", True, "Read", "", "", "ReturnValue[1]", "remote", "manual"]
+      - ["nhooyr.io/websocket", "Conn", True, "Reader", "", "", "ReturnValue[1]", "remote", "manual"]
diff --git a/go/ql/lib/semmle/go/frameworks/WebSocket.qll b/go/ql/lib/semmle/go/frameworks/WebSocket.qll
@@ -125,9 +125,11 @@ module WebSocketRequestCall {
 }
 
 /**
+ * DEPRECATED: Use `WebSocketReader` or `RemoteFlowSource::Range` instead.
+ *
  * A message written to a WebSocket, considered as a flow sink for reflected XSS.
  */
-class WebSocketReaderAsSource extends RemoteFlowSource::Range {
+deprecated class WebSocketReaderAsSource extends RemoteFlowSource::Range {
   WebSocketReaderAsSource() {
     exists(WebSocketReader r | this = r.getAnOutput().getNode(r.getACall()))
   }

Original file line number	Diff line number	Diff line change
`@@ -125,9 +125,11 @@ module WebSocketRequestCall {`
`125`	`125`	`}`
`126`	`126`
`127`	`127`	`/**`
	`128`	+ * DEPRECATED: Use `WebSocketReader` or `RemoteFlowSource::Range` instead.
	`129`	`+ *`
`128`	`130`	`* A message written to a WebSocket, considered as a flow sink for reflected XSS.`
`129`	`131`	`*/`
`130`		`-class WebSocketReaderAsSource extends RemoteFlowSource::Range {`
	`132`	`+deprecated class WebSocketReaderAsSource extends RemoteFlowSource::Range {`
`131`	`133`	`WebSocketReaderAsSource() {`
`132`	`134`	`exists(WebSocketReader r \| this = r.getAnOutput().getNode(r.getACall()))`
`133`	`135`	`}`