New tests

Author: Kwstubbs

go/ql/lib/semmle/go/security/TaintedPathCustomizations.qll

@@ -104,7 +104,9 @@ module TaintedPath {
         this = m.getACall().getResult()
       ) and
       not exists(CallExpr f |
-        f.getTarget().hasQualifiedName(package("github.com/gorilla/mux", ""), "SkipClean") and
+        f.getTarget()
+            .(Method)
+            .hasQualifiedName(package("github.com/gorilla/mux", ""), "Router", "SkipClean") and
         f.getArgument(0).getBoolValue() = true
       )
     }

go/ql/test/query-tests/Security/CWE-022/GorillaMuxDefault/MuxClean.go

@@ -0,0 +1,22 @@
+// GOOD: Sanitized by Gorilla's cleaner
+package main
+
+import (
+	"io/ioutil"
+	"net/http"
+	"path/filepath"
+
+	"github.com/gorilla/mux"
+)
+
+func GorillaHandler(w http.ResponseWriter, r *http.Request) {
+	not_tainted_path := mux.Vars(r)["id"]
+	data, _ := ioutil.ReadFile(filepath.Join("/home/user/", not_tainted_path))
+	w.Write(data)
+}
+
+func main() {
+	var router = mux.NewRouter()
+	router.SkipClean(false)
+	router.HandleFunc("/{category}", GorillaHandler)
+}

go/ql/test/query-tests/Security/CWE-022/GorillaMuxDefault/TaintedPath.expected

@@ -0,0 +1,4 @@
+edges
+nodes
+subpaths
+#select

go/ql/test/query-tests/Security/CWE-022/GorillaMuxDefault/TaintedPath.qlref

@@ -0,0 +1,2 @@
+query: Security/CWE-022/TaintedPath.ql
+postprocess: TestUtilities/PrettyPrintModels.ql

go/ql/test/query-tests/Security/CWE-022/go.mod renamed to go/ql/test/query-tests/Security/CWE-022/GorillaMuxDefault/go.mod

@@ -0,0 +1,22 @@
+// GOOD: Sanitized by Gorilla's cleaner
+package main
+
+import (
+	"io/ioutil"
+	"net/http"
+	"path/filepath"
+
+	"github.com/gorilla/mux"
+)
+
+func GorillaHandler(w http.ResponseWriter, r *http.Request) {
+	not_tainted_path := mux.Vars(r)["id"]
+	data, _ := ioutil.ReadFile(filepath.Join("/home/user/", not_tainted_path))
+	w.Write(data)
+}
+
+func main() {
+	var router = mux.NewRouter()
+	router.SkipClean(true)
+	router.HandleFunc("/{category}", GorillaHandler)
+}

go/ql/test/query-tests/Security/CWE-022/vendor/github.com/gorilla/mux/LICENSE renamed to go/ql/test/query-tests/Security/CWE-022/GorillaMuxDefault/vendor/github.com/gorilla/mux/LICENSE

@@ -0,0 +1,10 @@
+edges
+| MuxClean.go:13:22:13:32 | call to Vars | MuxClean.go:14:58:14:73 | not_tainted_path | provenance | Src:MaD:524  |
+| MuxClean.go:14:58:14:73 | not_tainted_path | MuxClean.go:14:29:14:74 | call to Join | provenance | FunctionModel Sink:MaD:854 |
+nodes
+| MuxClean.go:13:22:13:32 | call to Vars | semmle.label | call to Vars |
+| MuxClean.go:14:29:14:74 | call to Join | semmle.label | call to Join |
+| MuxClean.go:14:58:14:73 | not_tainted_path | semmle.label | not_tainted_path |
+subpaths
+#select
+| MuxClean.go:14:29:14:74 | call to Join | MuxClean.go:13:22:13:32 | call to Vars | MuxClean.go:14:29:14:74 | call to Join | This path depends on a $@. | MuxClean.go:13:22:13:32 | call to Vars | user-provided value |