@@ -81,19 +81,15 @@ module Fasthttp {
8181 }
8282 }
8383
84- /**
85- * The methods that can write to HTTP Response Body.
86- * These methods can be dangerous if they are user controllable.
87- */
88- class HttpResponseBodySink extends SharedXss:: Sink {
89- HttpResponseBodySink ( ) {
90- exists ( Method m |
91- m .hasQualifiedName ( packagePath ( ) , "RequestCtx" , [ "Success" , "SuccessString" ] ) and
92- this = m .getACall ( ) .getArgument ( 1 )
93- )
94- }
84+ private predicate responseBodyWriterResult ( DataFlow:: Node src ) {
85+ exists ( Method responseBodyWriter |
86+ responseBodyWriter .hasQualifiedName ( packagePath ( ) , "Response" , "BodyWriter" ) and
87+ src = responseBodyWriter .getACall ( ) .getResult ( 0 )
88+ )
9589 }
9690
91+ private module ResponseBodyWriterFlow = DataFlow:: SimpleGlobal< responseBodyWriterResult / 1 > ;
92+
9793 private class ResponseBody extends Http:: ResponseBody:: Range {
9894 DataFlow:: MethodCallNode call ;
9995 string methodName ;
@@ -112,6 +108,14 @@ module Fasthttp {
112108 "AppendBody" , "AppendBodyString" , "SetBody" , "SetBodyRaw" , "SetBodyStream" ,
113109 "SetBodyString" , "Success" , "SuccessString"
114110 ]
111+ or
112+ exists ( Method write , DataFlow:: CallNode writeCall |
113+ write .hasQualifiedName ( "io" , "Writer" , "Write" ) and
114+ writeCall = write .getACall ( ) and
115+ ResponseBodyWriterFlow:: flowsTo ( writeCall .getReceiver ( ) ) and
116+ this = writeCall .getArgument ( 0 )
117+ ) and
118+ methodName = "BodyWriter"
115119 }
116120
117121 override Http:: ResponseWriter getResponseWriter ( ) { result .getANode ( ) = call .getReceiver ( ) }
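Review bot: The new `BodyWriter` disjunct (the `exists(Method write, DataFlow::CallNode writeCall | ...)` branch) never constrains the `call` field, yet `getResponseWriter()` on the line below still returns `call.getReceiver()`; either QL's binding check rejects the class, or, if `call` happens to be bound in the part of the characteristic predicate that starts before this hunk, the `Write` argument gets paired with an arbitrary unrelated response call, which is exactly what the XSS content-type check keys on. One way to tie them together is to bind `call` to the `BodyWriter()` call itself and use the two-argument `flow` that `SimpleGlobal` should expose, so the receiver of `Write` is linked back to the `Response` it was obtained from (see below). Separately, the removed `HttpResponseBodySink` took argument 1 of `Success`/`SuccessString` (the body, after the content type), while this class lists those methods alongside `SetBody`-style methods whose body is argument 0 — worth confirming that the argument index used in the first disjunct, which is outside the hunk, still covers them. Note also that this only catches writes dispatched as `io.Writer.Write` on a value that flows directly from `BodyWriter()`; writes via `fmt.Fprintf(w, ...)`, `io.Copy`, or a wrapper such as `bufio.NewWriter(w)` are not modelled and stay unflagged.
```ql
      // … unchanged: first disjunct (AppendBody/SetBody/… methods) …
      or
      exists(Method write, DataFlow::CallNode writeCall |
        write.hasQualifiedName("io", "Writer", "Write") and
        writeCall = write.getACall() and
        // bind `call` to the BodyWriter() call so getResponseWriter() returns its receiver
        responseBodyWriterResult(call.getResult(0)) and
        ResponseBodyWriterFlow::flow(call.getResult(0), writeCall.getReceiver()) and
        this = writeCall.getArgument(0)
      ) and
      methodName = "BodyWriter"
```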