Remove database directory and add WebCacheDeceptionLib.qll

Author: krakendio

go/ql/src/experimental/CWE-525/WebCacheDeception.expected

@@ -0,0 +1,4 @@
+edges
+nodes
+subpaths
+#select

go/ql/src/experimental/CWE-525/WebCacheDeception.ql

@@ -1,6 +1,6 @@
 /*
  * @name Web Cache Deception
- * @description A caching system has been detected on the application and is vulnerable to web cache deception. By manipulating the URL it is possible to force the application to cache pages that are only accessible by an authenticated user. Once cached, these pages can be accessed by an unauthenticated user.
+ * @description A caching system has been detected on the application and is vulnerable to web cache deception on Gofiber. By manipulating the URL it is possible to force the application to cache pages that are only accessible by an authenticated user. Once cached, these pages can be accessed by an unauthenticated user.
  * @kind problem
  * @problem.severity error
  * @security-severity 9
@@ -11,17 +11,10 @@
  */
 
 import go
+import WebCacheDeceptionLib
+import WebCacheDeception::Flow::PathGraph
 
-from
-  DataFlow::CallNode httpHandleFuncCall, DataFlow::ReadNode rn, Http::HeaderWrite::Range hw,
-  DeclaredFunction f
-where
-  httpHandleFuncCall.getTarget().hasQualifiedName("net/http", "HandleFunc") and
-  httpHandleFuncCall.getArgument(0).getStringValue().matches("%/") and
-  httpHandleFuncCall.getArgument(1) = rn and
-  rn.reads(f) and
-  f.getParameter(0) = hw.getResponseWriter() and
-  hw.getHeaderName() = "cache-control"
-select httpHandleFuncCall.getArgument(0),
-  "Wildcard Endpoint used with " + httpHandleFuncCall.getArgument(0) + " and '" + hw.getHeaderName()
-    + "' Header is used"
+from WebCacheDeception::Flow::PathNode source, WebCacheDeception::Flow::PathNode sink
+where WebCacheDeception::Flow::flowPath(source, sink)
+select sink.getNode(), source, sink, "$@ is used as wildcard endpoint.", source.getNode(),
+  "Web Cache Deception"

go/ql/src/experimental/CWE-525/WebCacheDeceptionFiber.ql

@@ -0,0 +1,68 @@
+import go
+import StringOps
+
+module WebCacheDeception {
+  abstract class Source extends DataFlow::Node { }
+
+  abstract class Sink extends DataFlow::Node { }
+
+  private class GoNetHTTP extends Sink {
+    GoNetHTTP() {
+      exists(
+        DataFlow::CallNode m, DataFlow::ReadNode rn, Http::HeaderWrite::Range hw, DeclaredFunction f
+      |
+        m.getTarget().hasQualifiedName("net/http", "HandleFunc") and
+        m.getArgument(0).getStringValue().matches("%/") and
+        m.getArgument(1) = rn and
+        rn.reads(f) and
+        f.getParameter(0) = hw.getResponseWriter() and
+        hw.getHeaderName() = "cache-control" and
+        this = m.getArgument(0)
+      )
+    }
+  }
+
+  private class GoFiber extends Sink {
+    GoFiber() {
+      exists(ImportSpec i |
+        i.getPath() = "github.com/gofiber/fiber" or
+        i.getPath() = "github.com/gofiber/fiber/v2"
+      |
+        exists(DataFlow::MethodCallNode m |
+          m.getCall().getArgument(0).toString().matches("%/*%") and
+          this = m.getArgument(0)
+        )
+      )
+    }
+  }
+
+  private class GoChi extends Sink {
+    GoChi() {
+      exists(ImportSpec i |
+        i.getPath() = "github.com/go-chi/chi/v5" or
+        i.getPath() = "github.com/go-chi/chi/v5/middleware"
+      |
+        exists(DataFlow::MethodCallNode m |
+          m.getCall().getArgument(0).toString().matches("%/*%") and
+          this = m.getArgument(0)
+        )
+      )
+    }
+  }
+
+  deprecated class Configuration extends TaintTracking::Configuration {
+    Configuration() { this = "Web Cache Deception" }
+
+    override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+  }
+
+  private module Config implements DataFlow::ConfigSig {
+    predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+    predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+  }
+
+  module Flow = TaintTracking::Global<Config>;
+}