Add mux.Vars() and url.Path sanitizers

Kwstubbs · Kwstubbs · commit d195273bf4f2 · 2024-10-14T19:49:29.000-07:00
diff --git a/go/ql/lib/semmle/go/security/TaintedPathCustomizations.qll b/go/ql/lib/semmle/go/security/TaintedPathCustomizations.qll
@@ -93,6 +93,35 @@ module TaintedPath {
     }
   }
 
+  // /**
+  // * A call to `mux.Vars(path)`, considered to sanitize `path` against path traversal.
+  // * Only enabled when `SkipClean` is not set true.
+  // */
+  class MuxVarsSanitizer extends Sanitizer {
+    MuxVarsSanitizer() {
+      exists(Function m |
+        m.hasQualifiedName("github.com/gorilla/mux", "Vars") and
+        this = m.getACall().getResult()
+      ) and
+      not exists(CallExpr f |
+        f.getTarget().hasQualifiedName("github.com/gorilla/mux", "SkipClean") and
+        f.getArgument(0).toString().toLowerCase() = "true"
+      )
+    }
+  }
+
+  // /**
+  // * A read from `net/url` which is sanitized
+  // */
+  class UrlPathSanitizer extends Sanitizer {
+    UrlPathSanitizer() {
+      exists(DataFlow::Field fld |
+        this = fld.getARead() and
+        fld.hasQualifiedName("net/url", "URL", "Path")
+      )
+    }
+  }
+
   /**
    * A read from the field `Filename` of the type `mime/multipart.FileHeader`,
    * considered as a sanitizer for path traversal.
diff --git a/go/ql/src/change-notes/2024-10-14-gopathsanitizer.md b/go/ql/src/change-notes/2024-10-14-gopathsanitizer.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added [github.com/gorilla/mux.Vars](https://pkg.go.dev/github.com/gorilla/mux#Vars) to path sanitizers.
diff --git a/go/ql/test/query-tests/Security/CWE-022/TaintedPath.expected b/go/ql/test/query-tests/Security/CWE-022/TaintedPath.expected
@@ -1,25 +1,25 @@
 #select
-| TaintedPath.go:17:29:17:40 | tainted_path | TaintedPath.go:14:18:14:22 | selection of URL | TaintedPath.go:17:29:17:40 | tainted_path | This path depends on a $@. | TaintedPath.go:14:18:14:22 | selection of URL | user-provided value |
-| TaintedPath.go:21:28:21:69 | call to Join | TaintedPath.go:14:18:14:22 | selection of URL | TaintedPath.go:21:28:21:69 | call to Join | This path depends on a $@. | TaintedPath.go:14:18:14:22 | selection of URL | user-provided value |
-| TaintedPath.go:68:28:68:57 | call to Clean | TaintedPath.go:14:18:14:22 | selection of URL | TaintedPath.go:68:28:68:57 | call to Clean | This path depends on a $@. | TaintedPath.go:14:18:14:22 | selection of URL | user-provided value |
+| TaintedPath.go:19:29:19:40 | tainted_path | TaintedPath.go:16:18:16:22 | selection of URL | TaintedPath.go:19:29:19:40 | tainted_path | This path depends on a $@. | TaintedPath.go:16:18:16:22 | selection of URL | user-provided value |
+| TaintedPath.go:23:28:23:69 | call to Join | TaintedPath.go:16:18:16:22 | selection of URL | TaintedPath.go:23:28:23:69 | call to Join | This path depends on a $@. | TaintedPath.go:16:18:16:22 | selection of URL | user-provided value |
+| TaintedPath.go:70:28:70:57 | call to Clean | TaintedPath.go:16:18:16:22 | selection of URL | TaintedPath.go:70:28:70:57 | call to Clean | This path depends on a $@. | TaintedPath.go:16:18:16:22 | selection of URL | user-provided value |
 edges
-| TaintedPath.go:14:18:14:22 | selection of URL | TaintedPath.go:14:18:14:30 | call to Query | provenance | Src:MaD:2 MaD:3 |
-| TaintedPath.go:14:18:14:30 | call to Query | TaintedPath.go:17:29:17:40 | tainted_path | provenance | Sink:MaD:1 |
-| TaintedPath.go:14:18:14:30 | call to Query | TaintedPath.go:21:57:21:68 | tainted_path | provenance |  |
-| TaintedPath.go:14:18:14:30 | call to Query | TaintedPath.go:68:39:68:56 | ...+... | provenance |  |
-| TaintedPath.go:21:57:21:68 | tainted_path | TaintedPath.go:21:28:21:69 | call to Join | provenance | FunctionModel Sink:MaD:1 |
-| TaintedPath.go:68:39:68:56 | ...+... | TaintedPath.go:68:28:68:57 | call to Clean | provenance | MaD:4 Sink:MaD:1 |
+| TaintedPath.go:16:18:16:22 | selection of URL | TaintedPath.go:16:18:16:30 | call to Query | provenance | Src:MaD:2 MaD:3 |
+| TaintedPath.go:16:18:16:30 | call to Query | TaintedPath.go:19:29:19:40 | tainted_path | provenance | Sink:MaD:1 |
+| TaintedPath.go:16:18:16:30 | call to Query | TaintedPath.go:23:57:23:68 | tainted_path | provenance |  |
+| TaintedPath.go:16:18:16:30 | call to Query | TaintedPath.go:70:39:70:56 | ...+... | provenance |  |
+| TaintedPath.go:23:57:23:68 | tainted_path | TaintedPath.go:23:28:23:69 | call to Join | provenance | FunctionModel Sink:MaD:1 |
+| TaintedPath.go:70:39:70:56 | ...+... | TaintedPath.go:70:28:70:57 | call to Clean | provenance | MaD:4 Sink:MaD:1 |
 models
 | 1 | Sink: io/ioutil; ; false; ReadFile; ; ; Argument[0]; path-injection; manual |
 | 2 | Source: net/http; Request; true; URL; ; ; ; remote; manual |
 | 3 | Summary: net/url; URL; true; Query; ; ; Argument[receiver]; ReturnValue; taint; manual |
 | 4 | Summary: path; ; false; Clean; ; ; Argument[0]; ReturnValue; taint; manual |
 nodes
-| TaintedPath.go:14:18:14:22 | selection of URL | semmle.label | selection of URL |
-| TaintedPath.go:14:18:14:30 | call to Query | semmle.label | call to Query |
-| TaintedPath.go:17:29:17:40 | tainted_path | semmle.label | tainted_path |
-| TaintedPath.go:21:28:21:69 | call to Join | semmle.label | call to Join |
-| TaintedPath.go:21:57:21:68 | tainted_path | semmle.label | tainted_path |
-| TaintedPath.go:68:28:68:57 | call to Clean | semmle.label | call to Clean |
-| TaintedPath.go:68:39:68:56 | ...+... | semmle.label | ...+... |
+| TaintedPath.go:16:18:16:22 | selection of URL | semmle.label | selection of URL |
+| TaintedPath.go:16:18:16:30 | call to Query | semmle.label | call to Query |
+| TaintedPath.go:19:29:19:40 | tainted_path | semmle.label | tainted_path |
+| TaintedPath.go:23:28:23:69 | call to Join | semmle.label | call to Join |
+| TaintedPath.go:23:57:23:68 | tainted_path | semmle.label | tainted_path |
+| TaintedPath.go:70:28:70:57 | call to Clean | semmle.label | call to Clean |
+| TaintedPath.go:70:39:70:56 | ...+... | semmle.label | ...+... |
 subpaths
diff --git a/go/ql/test/query-tests/Security/CWE-022/TaintedPath.go b/go/ql/test/query-tests/Security/CWE-022/TaintedPath.go
@@ -8,6 +8,8 @@ import (
 	"path/filepath"
 	"regexp"
 	"strings"
+
+	"github.com/gorilla/mux"
 )
 
 func handler(w http.ResponseWriter, r *http.Request) {
@@ -94,3 +96,10 @@ func handler(w http.ResponseWriter, r *http.Request) {
 
 	data, _ = ioutil.ReadFile(part.FileName())
 }
+
+// GOOD: Sanitized by Gorilla's cleaner
+func GorillaHandler(w http.ResponseWriter, r *http.Request) {
+	not_tainted_path := mux.Vars(r)
+	data, _ := ioutil.ReadFile(filepath.Join("/home/user/", not_tainted_path))
+	w.Write(data)
+}
diff --git a/go/ql/test/query-tests/Security/CWE-022/go.mod b/go/ql/test/query-tests/Security/CWE-022/go.mod
@@ -0,0 +1,5 @@
+module codeql-go-tests/frameworks/Mux
+
+go 1.14
+
+require github.com/gorilla/mux v1.7.4
diff --git a/go/ql/test/query-tests/Security/CWE-022/vendor/github.com/gorilla/mux/LICENSE b/go/ql/test/query-tests/Security/CWE-022/vendor/github.com/gorilla/mux/LICENSE
diff --git a/go/ql/test/query-tests/Security/CWE-022/vendor/github.com/gorilla/mux/stub.go b/go/ql/test/query-tests/Security/CWE-022/vendor/github.com/gorilla/mux/stub.go
diff --git a/go/ql/test/query-tests/Security/CWE-022/vendor/modules.txt b/go/ql/test/query-tests/Security/CWE-022/vendor/modules.txt
@@ -0,0 +1,3 @@
+# github.com/gorilla/mux v1.7.4
+## explicit
+github.com/gorilla/mux

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* Added [github.com/gorilla/mux.Vars](https://pkg.go.dev/github.com/gorilla/mux#Vars) to path sanitizers.
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+# github.com/gorilla/mux v1.7.4`
	`2`	`+## explicit`
	`3`	`+github.com/gorilla/mux`