Fix x/net/html.EscapeString modelling

smowton · smowton · commit 1a7927d3a196 · 2023-04-12T14:19:04.000+01:00
This had never worked due to accidentally extending non-abstract class HtmlEscapeFunction; consequently it was neither a taint propagator in general, nor an HTML escape function. Added tests to ensure it is now behaving as intended.
diff --git a/go/ql/lib/ext/golang.org.x.net.html.model.yml b/go/ql/lib/ext/golang.org.x.net.html.model.yml
@@ -3,6 +3,7 @@ extensions:
       pack: codeql/go-all
       extensible: summaryModel
     data:
+      - ["golang.org/x/net/$ANYVERSION/html", "", False, "EscapeString", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["golang.org/x/net/$ANYVERSION/html", "", False, "NewTokenizer", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["golang.org/x/net/$ANYVERSION/html", "", False, "NewTokenizerFragment", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["golang.org/x/net/$ANYVERSION/html", "", False, "Parse", "", "", "Argument[0]", "ReturnValue[0]", "taint", "manual"]
diff --git a/go/ql/lib/semmle/go/frameworks/XNetHtml.qll b/go/ql/lib/semmle/go/frameworks/XNetHtml.qll
@@ -13,4 +13,10 @@ import go
 module XNetHtml {
   /** Gets the package name `golang.org/x/net/html`. */
   string packagePath() { result = package("golang.org/x/net", "html") }
+
+  private class EscapeString extends EscapeFunction::Range {
+    EscapeString() { this.hasQualifiedName(packagePath(), "EscapeString") }
+
+    override string kind() { result = "html" }
+  }
 }
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/XNetHtml/SqlInjection.qlref b/go/ql/test/library-tests/semmle/go/frameworks/XNetHtml/SqlInjection.qlref
@@ -0,0 +1 @@
+Security/CWE-089/SqlInjection.ql
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/XNetHtml/test.go b/go/ql/test/library-tests/semmle/go/frameworks/XNetHtml/test.go
@@ -1,14 +1,14 @@
 package test
 
 import (
+	"database/sql"
 	"golang.org/x/net/html"
 	"net/http"
 )
 
 func test(request *http.Request, writer http.ResponseWriter) {
 
 	cookie, _ := request.Cookie("SomeCookie")
-
 	writer.Write([]byte(html.EscapeString(cookie.Value))) // GOOD: escaped.
 
 	writer.Write([]byte(html.UnescapeString(cookie.Value))) // BAD: unescaped.
@@ -49,3 +49,9 @@ func test(request *http.Request, writer http.ResponseWriter) {
 	html.Render(writer, &cleanNode2) // BAD: writing unescaped HTML data
 
 }
+
+func sqlTest(request *http.Request, db *sql.DB) {
+	// Ensure EscapeString is a taint propagator for non-XSS queries, e.g. SQL injection:
+	cookie, _ := request.Cookie("SomeCookie")
+	db.Query(html.EscapeString(cookie.Value))
+}
