
Commit d99c0a2

committed
update tests
1 parent 9245e1c commit d99c0a2

19 files changed

Lines changed: 1321 additions & 223 deletions


go/ql/src/experimental/CWE-522-DecompressionBombs/DecompressionBombs.ql

Lines changed: 23 additions & 27 deletions
@@ -19,40 +19,36 @@ module DecompressionBombsConfig implements DataFlow::StateConfigSig {
1919
class FlowState = DataFlow::FlowState;
2020

2121
predicate isSource(DataFlow::Node source, FlowState state) {
22-
23-
source instanceof UntrustedFlowSource
24-
and
22+
source instanceof UntrustedFlowSource and
2523
state = ""
2624
}
2725

2826
predicate isSink(DataFlow::Node sink, FlowState state) {
2927
(
30-
exists(DataFlow::Function f | f.hasQualifiedName("io", ["Copy", "CopyBuffer", "CopyN"]) |
28+
exists(Function f | f.hasQualifiedName("io", ["Copy", "CopyBuffer", "CopyN"]) |
3129
sink = f.getACall().getArgument(1)
3230
)
3331
or
34-
exists(DataFlow::Function f |
35-
f.hasQualifiedName("io", ["Pipe", "ReadAll", "ReadAtLeast", "ReadFull"])
36-
|
32+
exists(Function f | f.hasQualifiedName("io", ["Pipe", "ReadAll", "ReadAtLeast", "ReadFull"]) |
3733
sink = f.getACall().getArgument(0)
3834
)
3935
or
40-
exists(DataFlow::Function f |
36+
exists(Function f |
4137
f.hasQualifiedName("bufio.Reader",
4238
["Read", "ReadBytes", "ReadByte", "ReadLine", "ReadRune", "ReadSlice", "ReadString"])
4339
|
4440
sink = f.getACall().getReceiver()
4541
)
4642
or
47-
exists(DataFlow::Function f | f.hasQualifiedName("bufio.Scanner", ["Text", "Bytes"]) |
43+
exists(Function f | f.hasQualifiedName("bufio.Scanner", ["Text", "Bytes"]) |
4844
sink = f.getACall().getReceiver()
4945
)
5046
or
51-
exists(DataFlow::Function f | f.hasQualifiedName("io/ioutil", "ReadAll") |
47+
exists(Function f | f.hasQualifiedName("io/ioutil", "ReadAll") |
5248
sink = f.getACall().getArgument(0)
5349
)
5450
or
55-
exists(DataFlow::Function f |
51+
exists(Function f |
5652
f.hasQualifiedName([
5753
"github.com/klauspost/compress/flate.decompressor",
5854
"github.com/dsnet/compress/bzip2.Reader", "compress/flate.decompressor",
@@ -67,7 +63,7 @@ module DecompressionBombsConfig implements DataFlow::StateConfigSig {
6763
sink = f.getACall().getReceiver()
6864
)
6965
or
70-
exists(DataFlow::Function f |
66+
exists(Function f |
7167
f.hasQualifiedName("github.com/klauspost/compress/s2.Reader",
7268
["DecodeConcurrent", "ReadByte"])
7369
or
@@ -97,8 +93,8 @@ module DecompressionBombsConfig implements DataFlow::StateConfigSig {
9793
toNode = fi
9894
)
9995
or
100-
exists(DataFlow::Function f, DataFlow::CallNode call |
101-
f.hasQualifiedName("github.com/klauspost/compress/zip.File", ["Open", "OpenRaw"]) and
96+
exists(Method f, DataFlow::CallNode call |
97+
f.hasQualifiedName("github.com/klauspost/compress/zip", "File", ["Open", "OpenRaw"]) and
10298
call = f.getACall()
10399
|
104100
fromNode = call.getReceiver() and
@@ -109,7 +105,7 @@ module DecompressionBombsConfig implements DataFlow::StateConfigSig {
109105
predicate isAdditionalFlowStep(
110106
DataFlow::Node fromNode, FlowState fromState, DataFlow::Node toNode, FlowState toState
111107
) {
112-
exists(DataFlow::Function f, DataFlow::CallNode call |
108+
exists(Function f, DataFlow::CallNode call |
113109
f.hasQualifiedName("archive/zip", ["OpenReader", "NewReader"]) and call = f.getACall()
114110
|
115111
fromNode = call.getArgument(0) and
@@ -118,7 +114,7 @@ module DecompressionBombsConfig implements DataFlow::StateConfigSig {
118114
toState = "ZipOpenReader"
119115
)
120116
or
121-
exists(DataFlow::Function f, DataFlow::CallNode call |
117+
exists(Function f, DataFlow::CallNode call |
122118
f.hasQualifiedName("github.com/klauspost/compress/zip", ["NewReader", "OpenReader"]) and
123119
call = f.getACall()
124120
|
@@ -128,7 +124,7 @@ module DecompressionBombsConfig implements DataFlow::StateConfigSig {
128124
toState = "ZipKlauspost"
129125
)
130126
or
131-
exists(DataFlow::Function f, DataFlow::CallNode call |
127+
exists(Function f, DataFlow::CallNode call |
132128
f.hasQualifiedName("github.com/ulikunitz/xz", "NewReader") and call = f.getACall()
133129
|
134130
fromNode = call.getArgument(0) and
@@ -137,7 +133,7 @@ module DecompressionBombsConfig implements DataFlow::StateConfigSig {
137133
toState = "XzNewReader"
138134
)
139135
or
140-
exists(DataFlow::Function f, DataFlow::CallNode call |
136+
exists(Function f, DataFlow::CallNode call |
141137
f.hasQualifiedName([
142138
"compress/gzip", "github.com/klauspost/compress/gzip", "github.com/klauspost/pgzip"
143139
], "NewReader") and
@@ -149,7 +145,7 @@ module DecompressionBombsConfig implements DataFlow::StateConfigSig {
149145
toState = "GzipNewReader"
150146
)
151147
or
152-
exists(DataFlow::Function f, DataFlow::CallNode call |
148+
exists(Function f, DataFlow::CallNode call |
153149
f.hasQualifiedName([
154150
"compress/bzip2", "github.com/dsnet/compress/bzip2", "github.com/cosnicolaou/pbzip2"
155151
], "NewReader") and
@@ -161,7 +157,7 @@ module DecompressionBombsConfig implements DataFlow::StateConfigSig {
161157
toState = "Bzip2NewReader"
162158
)
163159
or
164-
exists(DataFlow::Function f, DataFlow::CallNode call |
160+
exists(Function f, DataFlow::CallNode call |
165161
(
166162
f.hasQualifiedName("github.com/dsnet/compress/flate", "NewReader") or
167163
f.hasQualifiedName(["compress/flate", "github.com/klauspost/compress/flate"],
@@ -175,7 +171,7 @@ module DecompressionBombsConfig implements DataFlow::StateConfigSig {
175171
toState = "FlateNewReader"
176172
)
177173
or
178-
exists(DataFlow::Function f, DataFlow::CallNode call |
174+
exists(Function f, DataFlow::CallNode call |
179175
f.hasQualifiedName(["compress/zlib", "github.com/klauspost/compress/zlib"], "NewReader") and
180176
call = f.getACall()
181177
|
@@ -185,7 +181,7 @@ module DecompressionBombsConfig implements DataFlow::StateConfigSig {
185181
toState = "ZlibNewReader"
186182
)
187183
or
188-
exists(DataFlow::Function f, DataFlow::CallNode call |
184+
exists(Function f, DataFlow::CallNode call |
189185
f.hasQualifiedName(["github.com/klauspost/compress/zstd", "github.com/DataDog/zstd"],
190186
"NewReader") and
191187
call = f.getACall()
@@ -196,7 +192,7 @@ module DecompressionBombsConfig implements DataFlow::StateConfigSig {
196192
toState = "ZstdNewReader"
197193
)
198194
or
199-
exists(DataFlow::Function f, DataFlow::CallNode call |
195+
exists(Function f, DataFlow::CallNode call |
200196
f.hasQualifiedName(["github.com/golang/snappy", "github.com/klauspost/compress/snappy"],
201197
"NewReader") and
202198
call = f.getACall()
@@ -207,7 +203,7 @@ module DecompressionBombsConfig implements DataFlow::StateConfigSig {
207203
toState = "SnapyNewReader"
208204
)
209205
or
210-
exists(DataFlow::Function f, DataFlow::CallNode call |
206+
exists(Function f, DataFlow::CallNode call |
211207
f.hasQualifiedName("github.com/klauspost/compress/s2", "NewReader") and
212208
call = f.getACall()
213209
|
@@ -220,13 +216,13 @@ module DecompressionBombsConfig implements DataFlow::StateConfigSig {
220216

221217
predicate isBarrier(DataFlow::Node node, FlowState state) {
222218
// //here I want to the CopyN return value be compared with < or > but I can't reach the tainted result
223-
// // exists(DataFlow::Function f | f.hasQualifiedName("io", "CopyN") |
219+
// // exists(Function f | f.hasQualifiedName("io", "CopyN") |
224220
// // node = f.getACall().getArgument([0, 1]) and
225221
// // TaintTracking::localExprTaint(f.getACall().getResult(_).asExpr(),
226222
// // any(RelationalComparisonExpr e).getAChildExpr*())
227223
// // )
228224
// // or
229-
// exists(DataFlow::Function f | f.hasQualifiedName("io", "LimitReader") |
225+
// exists(Function f | f.hasQualifiedName("io", "LimitReader") |
230226
// node = f.getACall().getArgument(0) and f.getACall().getArgument(1).isConst()
231227
// ) and
232228
// state =
@@ -243,7 +239,7 @@ module DecompressionBombsConfig implements DataFlow::StateConfigSig {
243239
// class Test extends DataFlow::Configuration {
244240
// Test() { this = "test" }
245241
// override predicate isSource(DataFlow::Node source) {
246-
// exists(DataFlow::Function f | f.hasQualifiedName("io", "CopyN") |
242+
// exists(Function f | f.hasQualifiedName("io", "CopyN") |
247243
// f.getACall().getResult(0) = source
248244
// )
249245
// }
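Review bot: The `isBarrier` predicate in the last hunk is still entirely commented out, so as far as this hunk shows the configuration has no sanitizer and the standard mitigation — wrapping the decompressed reader in `io.LimitReader` — is reported exactly like unbounded code, and `io.CopyN` with a constant count is likewise treated as a sink via `getArgument(1)` in the `io` clause near the top of the file. I would enable the LimitReader barrier before this query leaves experimental, binding the call once so both arguments refer to the same call (the commented line's two separate `f.getACall()` need not): `exists(Function f, DataFlow::CallNode c | f.hasQualifiedName("io", "LimitReader") and c = f.getACall() | node = c.getArgument(0) and c.getArgument(1).isConst())`. The `isBarrier` body and the commented-out `Test` configuration below it both continue past the end of the hunk, so I cannot see whether a barrier is defined further down; if none is, the `CopyN` sink should at least be restricted to calls whose count argument is not a constant. The dead `Test` class is better deleted than carried along through these renames.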

go/ql/src/experimental/CWE-522-DecompressionBombs/MultipartAndFormRemoteSource.qll

Lines changed: 0 additions & 1 deletion
@@ -1,6 +1,5 @@
11
import go
22
import semmle.go.dataflow.Properties
3-
import semmle.go.security.FlowSources
43

54
class MimeMultipartFileHeader extends UntrustedFlowSource::Range {
65
MimeMultipartFileHeader() {
