Skip to content

Commit c6ad358

Browse files
am0o0am0o0
committed
fix package FPs, fix additioanlstep issue
1 parent 73803ea commit c6ad358

File tree

1 file changed

+18
-7
lines changed

1 file changed

+18
-7
lines changed

go/ql/lib/semmle/go/security/FileSystemAccess.qll

Lines changed: 18 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -23,11 +23,15 @@ class BeegoFileSystemAccess extends FileSystemAccess::Range, DataFlow::CallNode
2323
BeegoFileSystemAccess() {
2424
exists(Method m |
2525
(
26-
m.hasQualifiedName(package("github.com/beego/beego", "server/web/context"), "BeegoOutput",
27-
"Download") and
26+
(
27+
m.hasQualifiedName(["github.com/beego/beego/context", "github.com/astaxie/beego/context"],
28+
"BeegoOutput", "Download") or
29+
m.hasQualifiedName("github.com/beego/beego/v2/server/web/context", "BeegoOutput",
30+
"Download")
31+
) and
2832
pathArg = 0
2933
or
30-
m.hasQualifiedName(package("github.com/beego/beego", "server/web"), "Controller",
34+
m.hasQualifiedName("github.com/beego/beego/v2/server/web", "Controller",
3135
"SaveToFileWithBuffer") and
3236
pathArg = 1
3337
) and
@@ -91,7 +95,7 @@ class IrisFileSystemAccess extends FileSystemAccess::Range, DataFlow::CallNode {
9195
["SendFile", "ServeFile", "SendFileWithRate", "ServeFileWithRate", "UploadFormFiles"]) and
9296
pathArg = 0
9397
or
94-
m.hasQualifiedName(package("github.com/kataras/iris", "context"), "Context", "SaveFormFile") and
98+
m.hasQualifiedName("github.com/kataras/iris/v12/context", "Context", "SaveFormFile") and
9599
pathArg = 1
96100
) and
97101
this = m.getACall()
@@ -110,11 +114,14 @@ class FiberSystemAccess extends FileSystemAccess::Range, DataFlow::CallNode {
110114
FiberSystemAccess() {
111115
exists(Method m |
112116
(
113-
m.hasQualifiedName(package("github.com/gofiber/fiber", ""), "Ctx", "SendFile") and
117+
m.hasQualifiedName(package("github.com/gofiber/fiber", ""), "Ctx", ["SendFile", "Download"]) and
114118
pathArg = 0
115119
or
116120
m.hasQualifiedName(package("github.com/gofiber/fiber", ""), "Ctx", "SaveFile") and
117121
pathArg = 1
122+
or
123+
m.hasQualifiedName("github.com/gofiber/fiber/v2", "Ctx", "SaveFileToStorage") and
124+
pathArg = 1
118125
) and
119126
this = m.getACall()
120127
)
@@ -127,6 +134,9 @@ class FiberSystemAccess extends FileSystemAccess::Range, DataFlow::CallNode {
127134
* Provide File system access sinks of [afero](https://github.com/spf13/afero) framework
128135
*/
129136
module Afero {
137+
/**
138+
* Gets all versions of `github.com/spf13/afero`
139+
*/
130140
string aferoPackage() { result = package("github.com/spf13/afero", "") }
131141

132142
/**
@@ -207,7 +217,7 @@ module Afero {
207217
predicate aferoSanitizer(DataFlow::Node n) {
208218
exists(Function f |
209219
f.hasQualifiedName(aferoPackage(), ["NewBasePathFs", "NewIOFS"]) and
210-
TaintTracking::localTaint(f.getACall(), n)
220+
DataFlow::localFlow(f.getACall(), n)
211221
)
212222
}
213223

@@ -221,7 +231,8 @@ module Afero {
221231
predicate additionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) {
222232
exists(StructLit st | st.getType().hasQualifiedName(aferoPackage(), "Afero") |
223233
n1.asExpr() = st.getAChildExpr().(KeyValueExpr).getAChildExpr() and
224-
n2.asExpr() = st.getParent()
234+
not aferoSanitizer(n1) and
235+
n2.asExpr() = st
225236
)
226237
}
227238
}

0 commit comments

Comments
 (0)