fix tests for FileSystemAccess, add comments for adding some functions in future, remove old comments

am0o0 · am0o0 · commit c361caf0b0f8 · 2023-11-08T14:15:26.000+01:00
diff --git a/go/ql/lib/semmle/go/frameworks/Fasthttp.qll b/go/ql/lib/semmle/go/frameworks/Fasthttp.qll
@@ -75,8 +75,6 @@ module Fasthttp {
 
     /**
      * A function that sends HTTP requests.
-     * First argument of following functions need Additional steps.
-     * look at URI module, additional steps part for more information.
      */
     class RequestForgerySinkDo extends RequestForgery::Sink {
       RequestForgerySinkDo() {
@@ -134,6 +132,8 @@ module Fasthttp {
   module Args {
     /**
      * The methods as Remote user controllable source which are part of the incoming URL Parameters.
+     *
+     * When support for lambdas has been implemented we should model "VisitAll"
      */
     class UntrustedFlowSource extends UntrustedFlowSource::Range instanceof DataFlow::Node {
       UntrustedFlowSource() {
@@ -195,8 +195,6 @@ module Fasthttp {
 
     /**
      * A method that sends HTTP requests.
-     * First argument of following methods need Additional steps.
-     * Look at Request module, additional steps part for more information.
      */
     class RequestForgerySinkDo extends RequestForgery::Sink {
       RequestForgerySinkDo() {
@@ -220,8 +218,6 @@ module Fasthttp {
   module PipelineClient {
     /**
      * A method that sends HTTP requests.
-     * First argument of following methods need Additional steps.
-     * Look at Request module, additional steps part for more information.
      */
     class RequestForgerySinkDo extends RequestForgery::Sink {
       RequestForgerySinkDo() {
@@ -264,8 +260,6 @@ module Fasthttp {
 
     /**
      * A method that sends HTTP requests.
-     * first argument of following methods need Additional steps.
-     * Look at Request module, additional steps part for more information.
      */
     class RequestForgerySinkDo extends RequestForgery::Sink {
       RequestForgerySinkDo() {
@@ -289,8 +283,6 @@ module Fasthttp {
   module LBClient {
     /**
      * A method that sends HTTP requests.
-     * first argument of following methods need Additional steps.
-     * Look at Request module, additional steps part for more information.
      */
     class RequestForgerySinkDo extends RequestForgery::Sink {
       RequestForgerySinkDo() {
@@ -379,10 +371,7 @@ module Fasthttp {
         )
       }
 
-      override DataFlow::Node getAPathArgument() {
-        this.getTarget().getName() = ["SendFile", "SendFileBytes"] and
-        result = this.getArgument(0)
-      }
+      override DataFlow::Node getAPathArgument() { result = this.getArgument(0) }
     }
 
     /**
@@ -402,7 +391,9 @@ module Fasthttp {
     }
 
     /**
-     * The methods as Remote user controllable source which are generally related to HTTP request
+     * The methods as Remote user controllable source which are generally related to HTTP request.
+     *
+     * When support for lambdas has been implemented we should model "VisitAll", "VisitAllCookie", "VisitAllInOrder", "VisitAllTrailer"
      */
     class UntrustedFlowSource extends UntrustedFlowSource::Range instanceof DataFlow::Node {
       UntrustedFlowSource() {
@@ -436,7 +427,9 @@ module Fasthttp {
    */
   module RequestHeader {
     /**
-     * The methods as Remote user controllable source which are mostly related to HTTP Request Headers
+     * The methods as Remote user controllable source which are mostly related to HTTP Request Headers.
+     *
+     * When support for lambdas has been implemented we should model "VisitAll", "VisitAllCookie", "VisitAllInOrder", "VisitAllTrailer"
      */
     class UntrustedFlowSource extends UntrustedFlowSource::Range instanceof DataFlow::Node {
       UntrustedFlowSource() {
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/Fasthttp/FileSystemAccess.expected b/go/ql/test/library-tests/semmle/go/frameworks/Fasthttp/FileSystemAccess.expected
@@ -0,0 +1,2 @@
+testFailures
+failures
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/Fasthttp/FileSystemAccess.ql b/go/ql/test/library-tests/semmle/go/frameworks/Fasthttp/FileSystemAccess.ql
@@ -0,0 +1,21 @@
+import go
+import TestUtilities.InlineExpectationsTest
+
+module FasthttpFileSystemAccessTest implements TestSig {
+  string getARelevantTag() { result = "FileSystemAccess" }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(FileSystemAccess fileSystemAccess, DataFlow::Node aPathArgument |
+      aPathArgument = fileSystemAccess.getAPathArgument()
+    |
+      aPathArgument
+          .hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
+            location.getStartColumn(), location.getEndLine(), location.getEndColumn()) and
+      element = aPathArgument.toString() and
+      value = aPathArgument.toString() and
+      tag = "FileSystemAccess"
+    )
+  }
+}
+
+import MakeTest<FasthttpFileSystemAccessTest>
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/Fasthttp/fasthttp.go b/go/ql/test/library-tests/semmle/go/frameworks/Fasthttp/fasthttp.go
@@ -121,15 +121,16 @@ func fasthttpServer() {
 	requestHandler := func(requestCtx *fasthttp.RequestCtx) {
 		filePath := requestCtx.QueryArgs().Peek("filePath") // $ UntrustedFlowSource="call to Peek"
 		// File System Access
-		_ = requestCtx.Response.SendFile(string(filePath)) // $ FileSystemAccess=string(filePath)
-		requestCtx.SendFile(string(filePath))              // $ FileSystemAccess=string(filePath)
-		requestCtx.SendFileBytes(filePath)                 // $ FileSystemAccess=filePath
+		filePath_string := string(filePath)
+		_ = requestCtx.Response.SendFile(filePath_string) // $ FileSystemAccess=filePath_string
+		requestCtx.SendFile(filePath_string)              // $ FileSystemAccess=filePath_string
+		requestCtx.SendFileBytes(filePath)                // $ FileSystemAccess=filePath
 		fileHeader, _ := requestCtx.FormFile("file")
-		_ = fasthttp.SaveMultipartFile(fileHeader, string(filePath)) // $ FileSystemAccess=string(filePath)
-		fasthttp.ServeFile(requestCtx, string(filePath))             // $ FileSystemAccess=string(filePath)
-		fasthttp.ServeFileUncompressed(requestCtx, string(filePath)) // $ FileSystemAccess=string(filePath)
-		fasthttp.ServeFileBytes(requestCtx, filePath)                // $ FileSystemAccess=filePath
-		fasthttp.ServeFileBytesUncompressed(requestCtx, filePath)    // $ FileSystemAccess=filePath
+		_ = fasthttp.SaveMultipartFile(fileHeader, filePath_string) // $ FileSystemAccess=filePath_string
+		fasthttp.ServeFile(requestCtx, filePath_string)             // $ FileSystemAccess=filePath_string
+		fasthttp.ServeFileUncompressed(requestCtx, filePath_string) // $ FileSystemAccess=filePath_string
+		fasthttp.ServeFileBytes(requestCtx, filePath)               // $ FileSystemAccess=filePath
+		fasthttp.ServeFileBytesUncompressed(requestCtx, filePath)   // $ FileSystemAccess=filePath
 
 		dstReader := &bufio.Reader{}
 		// user controlled methods as source
