Finish up

Kwstubbs · Kwstubbs · commit 020b4becfdb1 · 2023-10-31T11:00:00.000-07:00
diff --git a/go/ql/lib/change-notes/2023-10-31-add-gin-cors-framework.md b/go/ql/lib/change-notes/2023-10-31-add-gin-cors-framework.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added the [gin cors](https://github.com/gin-contrib/cors) library to the CorsMisconfiguration.ql query
diff --git a/go/ql/lib/semmle/go/frameworks/GinCors.qll b/go/ql/lib/semmle/go/frameworks/GinCors.qll
@@ -62,7 +62,7 @@ module GinCors {
   }
 
   /**
-   * A write to the value of Access-Control-Allow-Origins to "*"
+   * A write to the value of Access-Control-Allow-Origins of value "*", overriding AllowOrigins
    */
   class AllowAllOriginsWrite extends DataFlow::ExprNode {
     DataFlow::Node base;
diff --git a/go/ql/src/experimental/CWE-942/CorsMisconfiguration.ql b/go/ql/src/experimental/CWE-942/CorsMisconfiguration.ql
@@ -83,6 +83,10 @@ module UntrustedToAllowOriginConfigConfig implements DataFlow::ConfigSig {
  */
 module UntrustedToAllowOriginHeaderFlow = TaintTracking::Global<UntrustedToAllowOriginHeaderConfig>;
 
+/**
+ * Tracks taint flowfor reasoning about when an `UntrustedFlowSource` flows to
+ * a `AllowOriginsWrite` that writes an `Access-Control-Allow-Origin` header's value.
+ */
 module UntrustedToAllowOriginConfigFlow = TaintTracking::Global<UntrustedToAllowOriginConfigConfig>;
 
 /**
@@ -111,17 +115,17 @@ predicate allowCredentialsIsSetToTrue(DataFlow::ExprNode allowOrigin) {
 }
 
 /**
- * Holds if the provided `allowOriginHW` HeaderWrite's value is set using an
+ * Holds if the provided `allowOrigin` HeaderWrite's value is set using an
  * UntrustedFlowSource.
  * The `message` parameter is populated with the warning message to be returned by the query.
  */
-predicate flowsFromUntrustedToAllowOrigin(DataFlow::ExprNode allowOriginHW, string message) {
+predicate flowsFromUntrustedToAllowOrigin(DataFlow::ExprNode allowOrigin, string message) {
   exists(DataFlow::Node sink |
     UntrustedToAllowOriginHeaderFlow::flowTo(sink) and
-    UntrustedToAllowOriginHeaderConfig::isSinkHW(sink, allowOriginHW)
+    UntrustedToAllowOriginHeaderConfig::isSinkHW(sink, allowOrigin)
     or
     UntrustedToAllowOriginConfigFlow::flowTo(sink) and
-    UntrustedToAllowOriginConfigConfig::isSinkWrite(sink, allowOriginHW)
+    UntrustedToAllowOriginConfigConfig::isSinkWrite(sink, allowOrigin)
   |
     message =
       headerAllowOrigin() + " header is set to a user-defined value, and " +
@@ -146,8 +150,7 @@ predicate allowOriginIsNull(DataFlow::ExprNode allowOrigin, string message) {
       .(SliceLit)
       .getAnElement()
       .toString()
-      .toLowerCase()
-      .matches("\"null\"") and
+      .toLowerCase() = "\"null\"" and
   message =
     headerAllowOrigin() + " header is set to `" + "null" + "`, and " +
       //allowOrigin.(GinCors::AllowOriginsWrite).asExpr().(SliceLit).getAnElement().toString()
diff --git a/go/ql/src/experimental/CWE-942/GinCors.ql b/go/ql/src/experimental/CWE-942/GinCors.ql

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* Added the [gin cors](https://github.com/gin-contrib/cors) library to the CorsMisconfiguration.ql query
Original file line number	Diff line number	Diff line change
`@@ -62,7 +62,7 @@ module GinCors {`
`62`	`62`	`}`
`63`	`63`
`64`	`64`	`/**`
`65`		`- * A write to the value of Access-Control-Allow-Origins to "*"`
	`65`	`+ * A write to the value of Access-Control-Allow-Origins of value "*", overriding AllowOrigins`
`66`	`66`	`*/`
`67`	`67`	`class AllowAllOriginsWrite extends DataFlow::ExprNode {`
`68`	`68`	`DataFlow::Node base;`