
Commit 28fa06a

authored
Merge pull request #10709 from gregxsunday/main
add BeegoInput.RequestBody source to Beego framework
2 parents 7a7d164 + 812a5e5 commit 28fa06a


7 files changed

+407
-379
lines changed

Lines changed: 4 additions & 0 deletions
@@ -0,0 +1,4 @@
1+
---
2+
category: minorAnalysis
3+
---
4+
* Added support for `BeegoInput.RequestBody` as a source of untrusted data.

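--- a/go/ql/lib/semmle/go/frameworks/Beego.qll
+++ b/go/ql/lib/semmle/go/frameworks/Beego.qll
@@ -103,6 +103,17 @@ module Beego {
 }
 }
 
+/**
+* `BeegoInputRequestBody` sources of untrusted data.
+*/
+private class BeegoInputRequestBodySource extends UntrustedFlowSource::Range {
+BeegoInputRequestBodySource() {
+exists(DataFlow::FieldReadNode frn | this = frn |
+frn.getField().hasQualifiedName(contextPackagePath(), "BeegoInput", "RequestBody")
+)
+}
+}
+
 /**
 * `beego/context.Context` sources of untrusted data.
 */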
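Review bot: The QLDoc on the new class names the source `BeegoInputRequestBody`, which is neither the field nor the class; the neighbouring doc writes `beego/context.Context`, so `* \`BeegoInput.RequestBody\` field reads as sources of untrusted data.` would match that style and name the actual field. The model matches only a `DataFlow::FieldReadNode`, so a body obtained through a method that returns the same bytes rather than a direct read of the field (Beego's `CopyBody`, if the modelled version has it) is not a source here; that gap is worth confirming and stating in the doc. It may also help readers to note, hedged, that Beego appears to populate this field only when request-body copying is enabled in its config, which is why the field is a source regardless of that setting (an empty slice is still a field read). The enclosing `module Beego` starts outside the hunk.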

go/ql/test/library-tests/semmle/go/frameworks/Beego/CleartextLogging.expected

Lines changed: 66 additions & 66 deletions
Lines changed: 8 additions & 8 deletions
@@ -1,12 +1,12 @@
11
edges
22
nodes
3-
| test.go:246:13:246:34 | call to GetString | semmle.label | call to GetString |
4-
| test.go:247:20:247:41 | call to GetString | semmle.label | call to GetString |
5-
| test.go:310:13:310:27 | call to URI | semmle.label | call to URI |
6-
| test.go:310:13:310:27 | call to URI | semmle.label | call to URI |
7-
| test.go:311:20:311:34 | call to URL | semmle.label | call to URL |
8-
| test.go:311:20:311:34 | call to URL | semmle.label | call to URL |
3+
| test.go:247:13:247:34 | call to GetString | semmle.label | call to GetString |
4+
| test.go:248:20:248:41 | call to GetString | semmle.label | call to GetString |
5+
| test.go:311:13:311:27 | call to URI | semmle.label | call to URI |
6+
| test.go:311:13:311:27 | call to URI | semmle.label | call to URI |
7+
| test.go:312:20:312:34 | call to URL | semmle.label | call to URL |
8+
| test.go:312:20:312:34 | call to URL | semmle.label | call to URL |
99
subpaths
1010
#select
11-
| test.go:246:13:246:34 | call to GetString | test.go:246:13:246:34 | call to GetString | test.go:246:13:246:34 | call to GetString | Untrusted URL redirection depends on a $@. | test.go:246:13:246:34 | call to GetString | user-provided value |
12-
| test.go:247:20:247:41 | call to GetString | test.go:247:20:247:41 | call to GetString | test.go:247:20:247:41 | call to GetString | Untrusted URL redirection depends on a $@. | test.go:247:20:247:41 | call to GetString | user-provided value |
11+
| test.go:247:13:247:34 | call to GetString | test.go:247:13:247:34 | call to GetString | test.go:247:13:247:34 | call to GetString | Untrusted URL redirection depends on a $@. | test.go:247:13:247:34 | call to GetString | user-provided value |
12+
| test.go:248:20:248:41 | call to GetString | test.go:248:20:248:41 | call to GetString | test.go:248:20:248:41 | call to GetString | Untrusted URL redirection depends on a $@. | test.go:248:20:248:41 | call to GetString | user-provided value |

go/ql/test/library-tests/semmle/go/frameworks/Beego/ReflectedXss.expected

Lines changed: 295 additions & 295 deletions
Lines changed: 14 additions & 10 deletions
@@ -1,14 +1,18 @@
11
edges
2-
| test.go:208:15:208:26 | call to Data : map type | test.go:209:18:209:26 | untrusted |
3-
| test.go:208:15:208:26 | call to Data : map type | test.go:210:10:210:18 | untrusted |
4-
| test.go:208:15:208:26 | call to Data : map type | test.go:211:35:211:43 | untrusted |
2+
| test.go:209:15:209:26 | call to Data : map type | test.go:210:18:210:26 | untrusted |
3+
| test.go:209:15:209:26 | call to Data : map type | test.go:211:10:211:18 | untrusted |
4+
| test.go:209:15:209:26 | call to Data : map type | test.go:212:35:212:43 | untrusted |
5+
| test.go:318:17:318:37 | selection of RequestBody : slice type | test.go:320:35:320:43 | untrusted |
56
nodes
6-
| test.go:208:15:208:26 | call to Data : map type | semmle.label | call to Data : map type |
7-
| test.go:209:18:209:26 | untrusted | semmle.label | untrusted |
8-
| test.go:210:10:210:18 | untrusted | semmle.label | untrusted |
9-
| test.go:211:35:211:43 | untrusted | semmle.label | untrusted |
7+
| test.go:209:15:209:26 | call to Data : map type | semmle.label | call to Data : map type |
8+
| test.go:210:18:210:26 | untrusted | semmle.label | untrusted |
9+
| test.go:211:10:211:18 | untrusted | semmle.label | untrusted |
10+
| test.go:212:35:212:43 | untrusted | semmle.label | untrusted |
11+
| test.go:318:17:318:37 | selection of RequestBody : slice type | semmle.label | selection of RequestBody : slice type |
12+
| test.go:320:35:320:43 | untrusted | semmle.label | untrusted |
1013
subpaths
1114
#select
12-
| test.go:209:18:209:26 | untrusted | test.go:208:15:208:26 | call to Data : map type | test.go:209:18:209:26 | untrusted | This path depends on a $@. | test.go:208:15:208:26 | call to Data | user-provided value |
13-
| test.go:210:10:210:18 | untrusted | test.go:208:15:208:26 | call to Data : map type | test.go:210:10:210:18 | untrusted | This path depends on a $@. | test.go:208:15:208:26 | call to Data | user-provided value |
14-
| test.go:211:35:211:43 | untrusted | test.go:208:15:208:26 | call to Data : map type | test.go:211:35:211:43 | untrusted | This path depends on a $@. | test.go:208:15:208:26 | call to Data | user-provided value |
15+
| test.go:210:18:210:26 | untrusted | test.go:209:15:209:26 | call to Data : map type | test.go:210:18:210:26 | untrusted | This path depends on a $@. | test.go:209:15:209:26 | call to Data | user-provided value |
16+
| test.go:211:10:211:18 | untrusted | test.go:209:15:209:26 | call to Data : map type | test.go:211:10:211:18 | untrusted | This path depends on a $@. | test.go:209:15:209:26 | call to Data | user-provided value |
17+
| test.go:212:35:212:43 | untrusted | test.go:209:15:209:26 | call to Data : map type | test.go:212:35:212:43 | untrusted | This path depends on a $@. | test.go:209:15:209:26 | call to Data | user-provided value |
18+
| test.go:320:35:320:43 | untrusted | test.go:318:17:318:37 | selection of RequestBody : slice type | test.go:320:35:320:43 | untrusted | This path depends on a $@. | test.go:318:17:318:37 | selection of RequestBody | user-provided value |

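--- a/go/ql/test/library-tests/semmle/go/frameworks/Beego/test.go
+++ b/go/ql/test/library-tests/semmle/go/frameworks/Beego/test.go
@@ -1,6 +1,7 @@
 package test
 
 import (
+"encoding/json"
 "github.com/astaxie/beego"
 "github.com/astaxie/beego/context"
 "github.com/astaxie/beego/logs"
@@ -310,3 +311,11 @@ func testSafeRedirects(c *beego.Controller, ctx *context.Context) {
 c.Redirect(ctx.Input.URI(), 304)
 ctx.Redirect(304, ctx.Input.URL())
 }
+
+// BAD: using RequestBody data as path in a file-system operation
+func requestBodySourceTest(ctx *context.Context, c *beego.Controller) {
+var dat map[string]interface{}
+json.Unmarshal(ctx.Input.RequestBody, &dat)
+untrusted := dat["filepath"].(string)
+c.SaveToFile("someReceviedFile", untrusted)
+}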
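Review bot: In `requestBodySourceTest` the `json.Unmarshal` error is dropped and `dat["filepath"].(string)` is an unchecked type assertion, so on a body that is not a JSON object with a string `filepath` the fixture panics instead of reaching the sink; a comma-ok form `untrusted, _ := dat["filepath"].(string)` keeps the taint path to `SaveToFile` intact without the panic branch. The `SaveToFile` return value is likewise unchecked, which is fine for a fixture but is the kind of thing `errcheck` will flag in this test tree. The literal `"someReceviedFile"` is misspelt (`someReceivedFile`); it is only a fixture path, so harmless, but cheap to fix while the line is new.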
