Merge pull request github#13872 from Kwstubbs/Kevin_error_sanitizer

Go: Add sanitizer to remove paths passing through http.Error

Author: mbg

go/ql/lib/change-notes/2023-08-28-add-error-sanitizer-for-xss.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added [http.Error](https://pkg.go.dev/net/http#Error) to XSS sanitzers.

go/ql/lib/semmle/go/security/Xss.qll

@@ -109,6 +109,18 @@ module SharedXss {
     }
   }
 
+  /**
+   * A http.Error function returns with the ContentType of text/plain, and is not a valid XSS sink
+   */
+  class ErrorSanitizer extends Sanitizer {
+    ErrorSanitizer() {
+      exists(Function f, DataFlow::CallNode call | call = f.getACall() |
+        f.hasQualifiedName("net/http", "Error") and
+        call.getArgument(1) = this
+      )
+    }
+  }
+
   /**
    * A regexp replacement involving an HTML meta-character, or a call to an escape
    * function, viewed as a sanitizer for XSS vulnerabilities.

go/ql/test/query-tests/Security/CWE-079/reflectedxsstest.go

@@ -25,9 +25,9 @@ func ServeJsonDirect(w http.ResponseWriter, r http.Request) {
 
 func ErrTest(w http.ResponseWriter, r http.Request) {
 	cookie, err := r.Cookie("somecookie")
-	w.Write([]byte(fmt.Sprintf("Cookie result: %v", cookie)))   // BAD: Cookie's value is user-controlled
-	w.Write([]byte(fmt.Sprintf("Cookie check error: %v", err))) // GOOD: Cookie's err return is harmless
-
+	w.Write([]byte(fmt.Sprintf("Cookie result: %v", cookie)))    // BAD: Cookie's value is user-controlled
+	w.Write([]byte(fmt.Sprintf("Cookie check error: %v", err)))  // GOOD: Cookie's err return is harmless
+	http.Error(w, fmt.Sprintf("Cookie result: %v", cookie), 500) // Good: only plain text is written.
 	file, header, err := r.FormFile("someFile")
 	content, err2 := ioutil.ReadAll(file)
 	w.Write([]byte(fmt.Sprintf("File content: %v", content)))      // BAD: file content is user-controlled