added more sinks related to io.Writer of BodyWriter

am0o0 · am0o0 · commit cc5416406f21 · 2023-12-10T22:06:27.000+01:00
diff --git a/go/ql/lib/semmle/go/frameworks/Fasthttp.qll b/go/ql/lib/semmle/go/frameworks/Fasthttp.qll
@@ -96,10 +96,43 @@ module Fasthttp {
     )
     or
     exists(DataFlow::CallNode writerCall |
-      writerCall = any(Function fprintf | fprintf.hasQualifiedName("fmt", "Fprintf")).getACall() and
+      writerCall =
+        any(Function fprintf | fprintf.hasQualifiedName("fmt", ["Fprint", "Fprintf", "Fprintln"]))
+            .getACall() and
       sink = writerCall.getArgument(0) and
       body = writerCall.getSyntacticArgument(any(int i | i > 1))
     )
+    or
+    exists(DataFlow::CallNode writerCall |
+      writerCall =
+        any(Function ioCopy |
+          ioCopy.hasQualifiedName("io", ["copy", "CopyBuffer", "CopyN", "WriteString"])
+        ).getACall() and
+      sink = writerCall.getArgument(0) and
+      body = writerCall.getArgument(1)
+    )
+    or
+    exists(DataFlow::CallNode writerCall |
+      writerCall =
+        any(Function ioTeeReader | ioTeeReader.hasQualifiedName("io", "TeeReader")).getACall() and
+      sink = writerCall.getArgument(1) and
+      body = writerCall.getArgument(0)
+    )
+    or
+    exists(DataFlow::CallNode writerCall |
+      writerCall =
+        any(Method bufioWriteTo | bufioWriteTo.hasQualifiedName("bufio", "Reader", "WriteTo"))
+            .getACall() and
+      sink = writerCall.getArgument(0) and
+      body = writerCall.getReceiver()
+    )
+    or
+    exists(DataFlow::CallNode writerCall |
+      writerCall =
+        any(Method bytes | bytes.hasQualifiedName("bytes", "Buffer", "WriteTo")).getACall() and
+      sink = writerCall.getArgument(0) and
+      body = writerCall.getReceiver()
+    )
   }
 
   private predicate writerSink(DataFlow::Node sink) { writerSinkAndBody(sink, _) }
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/Fasthttp/fasthttp.go b/go/ql/test/library-tests/semmle/go/frameworks/Fasthttp/fasthttp.go
@@ -4,7 +4,9 @@ package main
 
 import (
 	"bufio"
+	"bytes"
 	"fmt"
+	"io"
 	"net"
 	"time"
 
@@ -176,11 +178,19 @@ func fasthttpServer() {
 		userInput := "user Controlled input"
 		requestCtx.SetContentType("text/html")
 		userInputByte := []byte("user Controlled input")
+		userInputReader := bytes.NewReader(userInputByte)
 		requestCtx.Response.AppendBody(userInputByte)   // $ XssSink=userInputByte
 		requestCtx.Response.AppendBodyString(userInput) // $ XssSink=userInput
 		rspWriter := requestCtx.Response.BodyWriter()
-		rspWriter.Write(userInputByte)                    // $ XssSink=userInputByte
-		fmt.Fprintf(rspWriter, "%s", userInputByte)       // $ XssSink=userInputByte
+		rspWriter.Write(userInputByte)              // $ XssSink=userInputByte
+		fmt.Fprintf(rspWriter, "%s", userInputByte) // $ XssSink=userInputByte
+		io.WriteString(rspWriter, userInput)        // $ XssSink=userInput
+		io.TeeReader(userInputReader, rspWriter)    // $ XssSink=userInputReader
+		io.TeeReader(userInputReader, rspWriter)    // $ XssSink=userInputReader
+		bufioReader := bufio.NewReader(dstReader)
+		bufioReader.WriteTo(rspWriter) // $ XssSink=bufioReader
+		bytesUserInput := bytes.NewBuffer(userInputByte)
+		bytesUserInput.WriteTo(rspWriter)                 // $ XssSink=bytesUserInput
 		requestCtx.Response.SetBody(userInputByte)        // $ XssSink=userInputByte
 		requestCtx.Response.SetBodyString(userInput)      // $ XssSink=userInput
 		requestCtx.Response.SetBodyRaw(userInputByte)     // $ XssSink=userInputByte
