Merge pull request #9947 from github/smowton/fix/golang-path-injection-numeric-sanitizer

smowton · web-flow · commit 96091e4fa014 · 2022-08-04T09:00:34.000+01:00
Go: note that numeric-typed nodes can't cause path traversal
diff --git a/go/ql/lib/semmle/go/security/TaintedPathCustomizations.qll b/go/ql/lib/semmle/go/security/TaintedPathCustomizations.qll
@@ -70,6 +70,15 @@ module TaintedPath {
     PathAsSink() { this = any(FileSystemAccess fsa).getAPathArgument() }
   }
 
+  /**
+   * A numeric- or boolean-typed node, considered a sanitizer for path traversal.
+   */
+  class NumericOrBooleanSanitizer extends Sanitizer {
+    NumericOrBooleanSanitizer() {
+      this.getType() instanceof NumericType or this.getType() instanceof BoolType
+    }
+  }
+
   /**
    * A call to `filepath.Rel`, considered as a sanitizer for path traversal.
    */
diff --git a/go/ql/src/change-notes/2022-08-02-path-injection-sanitizer.md b/go/ql/src/change-notes/2022-08-02-path-injection-sanitizer.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The query `go/path-injection` no longer considers user-controlled numeric or boolean-typed data as potentially dangerous.

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* The query `go/path-injection` no longer considers user-controlled numeric or boolean-typed data as potentially dangerous.