Skip to content

Commit d1926f9

Browse files
am0o0am0o0
committed
update inline flow tests of AddittionalTaintSteps
1 parent 9f88717 commit d1926f9

2 files changed

Lines changed: 45 additions & 74 deletions

File tree

go/ql/test/library-tests/semmle/go/frameworks/Fasthttp/AdditionalTaintSteps.ql

Lines changed: 1 addition & 46 deletions
Original file line numberDiff line numberDiff line change
@@ -1,48 +1,3 @@
11
import go
22
import TestUtilities.InlineFlowTest
3-
import semmle.go.security.RequestForgeryCustomizations
4-
5-
module Config implements DataFlow::ConfigSig {
6-
predicate isSource(DataFlow::Node source) {
7-
exists(DataFlow::MethodCallNode m |
8-
m.getTarget()
9-
.hasQualifiedName("github.com/valyala/fasthttp", "URI",
10-
["SetHost", "SetHostBytes", "Update", "UpdateBytes"]) and
11-
source = m.getArgument(0)
12-
or
13-
m.getTarget().hasQualifiedName("github.com/valyala/fasthttp", "URI", "Parse") and
14-
source = m.getArgument([0, 1])
15-
)
16-
or
17-
exists(DataFlow::MethodCallNode m |
18-
m.getTarget()
19-
.hasQualifiedName("github.com/valyala/fasthttp", "Request",
20-
["SetRequestURI", "SetRequestURIBytes", "SetURI", "String", "SetHost", "SetHostBytes"]) and
21-
source = m.getArgument(0)
22-
)
23-
}
24-
25-
predicate isSink(DataFlow::Node source) {
26-
exists(DataFlow::MethodCallNode m, DataFlow::Variable frn |
27-
(
28-
m.getTarget()
29-
.hasQualifiedName("github.com/valyala/fasthttp", "URI",
30-
["SetHost", "SetHostBytes", "Update", "UpdateBytes"])
31-
or
32-
m.getTarget().hasQualifiedName("github.com/valyala/fasthttp", "URI", "Parse")
33-
) and
34-
frn.getARead() = m.getReceiver() and
35-
source = frn.getARead()
36-
)
37-
or
38-
exists(DataFlow::MethodCallNode m, DataFlow::Variable frn |
39-
m.getTarget()
40-
.hasQualifiedName("github.com/valyala/fasthttp", "Request",
41-
["SetRequestURI", "SetRequestURIBytes", "SetURI", "String", "SetHost", "SetHostBytes"]) and
42-
frn.getARead() = m.getReceiver() and
43-
source = frn.getARead()
44-
)
45-
}
46-
}
47-
48-
import TaintFlowTest<Config>
3+
import DefaultFlowTest

go/ql/test/library-tests/semmle/go/frameworks/Fasthttp/fasthttp.go

Lines changed: 44 additions & 28 deletions
Original file line numberDiff line numberDiff line change
@@ -10,6 +10,13 @@ import (
1010
"github.com/valyala/fasthttp"
1111
)
1212

13+
func source() interface{} {
14+
return make([]byte, 1)
15+
}
16+
17+
func sink(interface{}) {
18+
}
19+
1320
func fasthttpClient() {
1421
userInput := "127.0.0.1:8909"
1522
userInputByte := []byte("user Controlled input")
@@ -20,33 +27,42 @@ func fasthttpClient() {
2027

2128
res := &fasthttp.Response{}
2229
req := &fasthttp.Request{}
23-
req.SetHost(userInput) // $ hasTaintFlow="req" ReqPred=userInput
24-
req.SetHostBytes(userInputByte) // $ hasTaintFlow="req" ReqPred=userInputByte
25-
req.SetRequestURI(userInput) // $ hasTaintFlow="req" ReqPred=userInput
26-
req.SetRequestURIBytes(userInputByte) // $ hasTaintFlow="req" ReqPred=userInputByte
30+
req.SetHost(source())
31+
sink(req) // $ hasTaintFlow="req"
32+
req.SetHostBytes(userInputByte)
33+
sink(req) // $ hasTaintFlow="req"
34+
req.SetRequestURI(userInput)
35+
sink(req) // $ hasTaintFlow="req"
36+
req.SetRequestURIBytes(userInputByte)
37+
sink(req) // $ hasTaintFlow="req"
2738

2839
uri := fasthttp.AcquireURI()
2940
userInput = "UserControlled.com:80"
3041
userInputByte = []byte("UserControlled.com:80")
31-
uri.SetHost(userInput) // $ hasTaintFlow="uri"
32-
uri.SetHostBytes(userInputByte) // $ hasTaintFlow="uri"
42+
uri.SetHost(source())
43+
sink(uri) // $ hasTaintFlow="uri"
44+
uri.SetHostBytes(source())
45+
sink(uri) // $ hasTaintFlow="uri"
3346
userInput = "http://UserControlled.com"
3447
userInputByte = []byte("http://UserControlled.com")
35-
uri.Update(userInput) // $ hasTaintFlow="uri"
36-
uri.UpdateBytes(userInputByte) // $ hasTaintFlow="uri"
37-
uri.Parse(userInputByte, userInputByte) // $ hasTaintFlow="uri"
38-
req.SetURI(uri) // $ hasTaintFlow="uri" hasTaintFlow="req"
48+
uri.Update(source())
49+
sink(uri) // $ hasTaintFlow="uri"
50+
uri.UpdateBytes(source())
51+
sink(uri) // $ hasTaintFlow="uri"
52+
uri.Parse(source(), source())
53+
sink(uri) // $ hasTaintFlow="uri"
54+
req.SetURI(uri)
3955

4056
resByte := make([]byte, 1000)
4157
userInput = "http://127.0.0.1:8909"
4258
fasthttp.Get(resByte, userInput) // $ SsrfSink=userInput
4359
fasthttp.GetDeadline(resByte, userInput, time.Time{}) // $ SsrfSink=userInput
4460
fasthttp.GetTimeout(resByte, userInput, 5) // $ SsrfSink=userInput
4561
fasthttp.Post(resByte, userInput, nil) // $ SsrfSink=userInput
46-
fasthttp.Do(req, res) // $ hasTaintFlow="req" SsrfSink=req
47-
fasthttp.DoRedirects(req, res, 2) // $ hasTaintFlow="req" SsrfSink=req
48-
fasthttp.DoDeadline(req, res, time.Time{}) // $ hasTaintFlow="req" SsrfSink=req
49-
fasthttp.DoTimeout(req, res, 5) // $ hasTaintFlow="req" SsrfSink=req
62+
fasthttp.Do(req, res) // $ SsrfSink=req
63+
fasthttp.DoRedirects(req, res, 2) // $ SsrfSink=req
64+
fasthttp.DoDeadline(req, res, time.Time{}) // $ SsrfSink=req
65+
fasthttp.DoTimeout(req, res, 5) // $ SsrfSink=req
5066

5167
hostClient := &fasthttp.HostClient{
5268
Addr: "localhost:8080",
@@ -55,31 +71,31 @@ func fasthttpClient() {
5571
hostClient.GetDeadline(resByte, userInput, time.Time{}) // $ SsrfSink=userInput
5672
hostClient.GetTimeout(resByte, userInput, 5) // $ SsrfSink=userInput
5773
hostClient.Post(resByte, userInput, nil) // $ SsrfSink=userInput
58-
hostClient.Do(req, res) // $ hasTaintFlow="req" SsrfSink=req
59-
hostClient.DoDeadline(req, res, time.Time{}) // $ hasTaintFlow="req" SsrfSink=req
60-
hostClient.DoRedirects(req, res, 2) // $ hasTaintFlow="req" SsrfSink=req
61-
hostClient.DoTimeout(req, res, 5) // $ hasTaintFlow="req" SsrfSink=req
74+
hostClient.Do(req, res) // $ SsrfSink=req
75+
hostClient.DoDeadline(req, res, time.Time{}) // $ SsrfSink=req
76+
hostClient.DoRedirects(req, res, 2) // $ SsrfSink=req
77+
hostClient.DoTimeout(req, res, 5) // $ SsrfSink=req
6278

6379
var lbclient fasthttp.LBClient
6480
lbclient.Clients = append(lbclient.Clients, hostClient)
65-
lbclient.Do(req, res) // $ hasTaintFlow="req" SsrfSink=req
66-
lbclient.DoDeadline(req, res, time.Time{}) // $ hasTaintFlow="req" SsrfSink=req
67-
lbclient.DoTimeout(req, res, 5) // $ hasTaintFlow="req" SsrfSink=req
81+
lbclient.Do(req, res) // $ SsrfSink=req
82+
lbclient.DoDeadline(req, res, time.Time{}) // $ SsrfSink=req
83+
lbclient.DoTimeout(req, res, 5) // $ SsrfSink=req
6884

6985
client := fasthttp.Client{}
7086
client.Get(resByte, userInput) // $ SsrfSink=userInput
7187
client.GetDeadline(resByte, userInput, time.Time{}) // $ SsrfSink=userInput
7288
client.GetTimeout(resByte, userInput, 5) // $ SsrfSink=userInput
7389
client.Post(resByte, userInput, nil) // $ SsrfSink=userInput
74-
client.Do(req, res) // $ hasTaintFlow="req" SsrfSink=req SsrfSink=req
75-
client.DoDeadline(req, res, time.Time{}) // $ hasTaintFlow="req" SsrfSink=req SsrfSink=req
76-
client.DoRedirects(req, res, 2) // $ hasTaintFlow="req" SsrfSink=req SsrfSink=req
77-
client.DoTimeout(req, res, 5) // $ hasTaintFlow="req" SsrfSink=req SsrfSink=req
90+
client.Do(req, res) // $ SsrfSink=req
91+
client.DoDeadline(req, res, time.Time{}) // $ SsrfSink=req
92+
client.DoRedirects(req, res, 2) // $ SsrfSink=req
93+
client.DoTimeout(req, res, 5) // $ SsrfSink=req
7894

7995
pipelineClient := fasthttp.PipelineClient{}
80-
pipelineClient.Do(req, res) // $ hasTaintFlow="req" SsrfSink=req SsrfSink=req
81-
pipelineClient.DoDeadline(req, res, time.Time{}) // $ hasTaintFlow="req" SsrfSink=req SsrfSink=req
82-
pipelineClient.DoTimeout(req, res, 5) // $ hasTaintFlow="req" SsrfSink=req SsrfSink=req
96+
pipelineClient.Do(req, res) // $ SsrfSink=req
97+
pipelineClient.DoDeadline(req, res, time.Time{}) // $ SsrfSink=req
98+
pipelineClient.DoTimeout(req, res, 5) // $ SsrfSink=req
8399

84100
tcpDialer := fasthttp.TCPDialer{}
85101
userInput = "127.0.0.1:8909"

0 commit comments

Comments
 (0)