Add SimpleTypeSanitizer to go/request-forgery

Author: owen-mc

go/ql/lib/semmle/go/security/RequestForgeryCustomizations.qll

@@ -9,6 +9,7 @@ import semmle.go.dataflow.barrierguardutil.RedirectCheckBarrierGuard
 import semmle.go.dataflow.barrierguardutil.RegexpCheck
 import semmle.go.dataflow.barrierguardutil.UrlCheck
 import semmle.go.dataflow.ExternalFlow
+private import semmle.go.security.Sanitizers
 
 /** Provides classes and predicates for the request forgery query. */
 module RequestForgery {
@@ -114,6 +115,11 @@ module RequestForgery {
    * considered a barrier guard for `url`.
    */
   class UrlCheckAsBarrierGuard extends UrlCheckBarrier, Sanitizer { }
+
+  /**
+   * A simple-typed node, considered a sanitizer for request forgery.
+   */
+  private class DefaultSanitizer extends Sanitizer instanceof SimpleTypeSanitizer { }
 }
 
 /** A sink for request forgery, considered as a sink for safe URL flow. */

go/ql/test/query-tests/Security/CWE-918/RequestForgery.expected

@@ -13,7 +13,6 @@
 | tst.go:39:2:39:30 | call to Get | tst.go:11:13:11:35 | call to FormValue | tst.go:39:11:39:29 | ...+... | The $@ of this request depends on a $@. | tst.go:39:11:39:29 | ...+... | URL | tst.go:11:13:11:35 | call to FormValue | user-provided value |
 | tst.go:41:2:41:41 | call to Get | tst.go:11:13:11:35 | call to FormValue | tst.go:41:11:41:40 | ...+... | The $@ of this request depends on a $@. | tst.go:41:11:41:40 | ...+... | URL | tst.go:11:13:11:35 | call to FormValue | user-provided value |
 | tst.go:49:2:49:21 | call to Get | tst.go:11:13:11:35 | call to FormValue | tst.go:49:11:49:20 | call to String | The $@ of this request depends on a $@. | tst.go:49:11:49:20 | call to String | URL | tst.go:11:13:11:35 | call to FormValue | user-provided value |
-| tst.go:53:2:53:26 | call to Get | tst.go:52:42:52:52 | call to intSource | tst.go:53:11:53:25 | ...+... | The $@ of this request depends on a $@. | tst.go:53:11:53:25 | ...+... | URL | tst.go:52:42:52:52 | call to intSource | user-provided value |
 | websocket.go:65:12:65:53 | call to Dial | websocket.go:60:21:60:31 | call to Referer | websocket.go:65:27:65:40 | untrustedInput | The $@ of this request depends on a $@. | websocket.go:65:27:65:40 | untrustedInput | WebSocket URL | websocket.go:60:21:60:31 | call to Referer | user-provided value |
 | websocket.go:79:13:79:40 | call to DialConfig | websocket.go:74:21:74:31 | call to Referer | websocket.go:78:36:78:49 | untrustedInput | The $@ of this request depends on a $@. | websocket.go:78:36:78:49 | untrustedInput | WebSocket URL | websocket.go:74:21:74:31 | call to Referer | user-provided value |
 | websocket.go:91:3:91:50 | call to Dial | websocket.go:88:21:88:31 | call to Referer | websocket.go:91:31:91:44 | untrustedInput | The $@ of this request depends on a $@. | websocket.go:91:31:91:44 | untrustedInput | WebSocket URL | websocket.go:88:21:88:31 | call to Referer | user-provided value |
@@ -24,44 +23,38 @@
 | websocket.go:197:7:197:36 | call to BuildProxy | websocket.go:195:21:195:31 | call to Referer | websocket.go:197:22:197:35 | untrustedInput | The $@ of this request depends on a $@. | websocket.go:197:22:197:35 | untrustedInput | WebSocket URL | websocket.go:195:21:195:31 | call to Referer | user-provided value |
 | websocket.go:204:7:204:29 | call to New | websocket.go:202:21:202:31 | call to Referer | websocket.go:204:15:204:28 | untrustedInput | The $@ of this request depends on a $@. | websocket.go:204:15:204:28 | untrustedInput | WebSocket URL | websocket.go:202:21:202:31 | call to Referer | user-provided value |
 edges
-| RequestForgery.go:8:12:8:34 | call to FormValue | RequestForgery.go:11:24:11:65 | ...+... | provenance | Src:MaD:2  |
-| tst.go:11:13:11:35 | call to FormValue | tst.go:19:11:19:17 | tainted | provenance | Src:MaD:2  |
-| tst.go:11:13:11:35 | call to FormValue | tst.go:21:12:21:18 | tainted | provenance | Src:MaD:2  |
-| tst.go:11:13:11:35 | call to FormValue | tst.go:23:12:23:18 | tainted | provenance | Src:MaD:2  |
-| tst.go:11:13:11:35 | call to FormValue | tst.go:25:16:25:22 | tainted | provenance | Src:MaD:2  |
-| tst.go:11:13:11:35 | call to FormValue | tst.go:28:35:28:41 | tainted | provenance | Src:MaD:2  |
-| tst.go:11:13:11:35 | call to FormValue | tst.go:31:68:31:74 | tainted | provenance | Src:MaD:2  |
-| tst.go:11:13:11:35 | call to FormValue | tst.go:34:13:34:19 | tainted | provenance | Src:MaD:2  |
-| tst.go:11:13:11:35 | call to FormValue | tst.go:35:14:35:20 | tainted | provenance | Src:MaD:2  |
-| tst.go:11:13:11:35 | call to FormValue | tst.go:36:14:36:20 | tainted | provenance | Src:MaD:2  |
-| tst.go:11:13:11:35 | call to FormValue | tst.go:37:18:37:24 | tainted | provenance | Src:MaD:2  |
-| tst.go:11:13:11:35 | call to FormValue | tst.go:39:11:39:29 | ...+... | provenance | Src:MaD:2  |
-| tst.go:11:13:11:35 | call to FormValue | tst.go:41:11:41:40 | ...+... | provenance | Src:MaD:2  |
-| tst.go:11:13:11:35 | call to FormValue | tst.go:48:11:48:18 | tainted2 | provenance | Src:MaD:2  |
+| RequestForgery.go:8:12:8:34 | call to FormValue | RequestForgery.go:11:24:11:65 | ...+... | provenance | Src:MaD:1  |
+| tst.go:11:13:11:35 | call to FormValue | tst.go:19:11:19:17 | tainted | provenance | Src:MaD:1  |
+| tst.go:11:13:11:35 | call to FormValue | tst.go:21:12:21:18 | tainted | provenance | Src:MaD:1  |
+| tst.go:11:13:11:35 | call to FormValue | tst.go:23:12:23:18 | tainted | provenance | Src:MaD:1  |
+| tst.go:11:13:11:35 | call to FormValue | tst.go:25:16:25:22 | tainted | provenance | Src:MaD:1  |
+| tst.go:11:13:11:35 | call to FormValue | tst.go:28:35:28:41 | tainted | provenance | Src:MaD:1  |
+| tst.go:11:13:11:35 | call to FormValue | tst.go:31:68:31:74 | tainted | provenance | Src:MaD:1  |
+| tst.go:11:13:11:35 | call to FormValue | tst.go:34:13:34:19 | tainted | provenance | Src:MaD:1  |
+| tst.go:11:13:11:35 | call to FormValue | tst.go:35:14:35:20 | tainted | provenance | Src:MaD:1  |
+| tst.go:11:13:11:35 | call to FormValue | tst.go:36:14:36:20 | tainted | provenance | Src:MaD:1  |
+| tst.go:11:13:11:35 | call to FormValue | tst.go:37:18:37:24 | tainted | provenance | Src:MaD:1  |
+| tst.go:11:13:11:35 | call to FormValue | tst.go:39:11:39:29 | ...+... | provenance | Src:MaD:1  |
+| tst.go:11:13:11:35 | call to FormValue | tst.go:41:11:41:40 | ...+... | provenance | Src:MaD:1  |
+| tst.go:11:13:11:35 | call to FormValue | tst.go:48:11:48:18 | tainted2 | provenance | Src:MaD:1  |
 | tst.go:48:2:48:2 | implicit dereference [postupdate] | tst.go:48:2:48:2 | u [postupdate] | provenance |  |
 | tst.go:48:2:48:2 | u [postupdate] | tst.go:49:11:49:11 | u | provenance |  |
 | tst.go:48:11:48:18 | tainted2 | tst.go:48:2:48:2 | implicit dereference [postupdate] | provenance | Config |
 | tst.go:48:11:48:18 | tainted2 | tst.go:48:2:48:2 | u [postupdate] | provenance | Config |
-| tst.go:49:11:49:11 | u | tst.go:49:11:49:20 | call to String | provenance | MaD:5 |
-| tst.go:52:9:52:53 | []type{args} [array] | tst.go:52:9:52:53 | call to Sprintf | provenance | MaD:4 |
-| tst.go:52:9:52:53 | call to Sprintf | tst.go:53:11:53:25 | ...+... | provenance |  |
-| tst.go:52:42:52:52 | call to intSource | tst.go:52:9:52:53 | []type{args} [array] | provenance | Src:MaD:1  |
-| tst.go:52:42:52:52 | call to intSource | tst.go:52:9:52:53 | call to Sprintf | provenance | Src:MaD:1 FunctionModel |
-| websocket.go:60:21:60:31 | call to Referer | websocket.go:65:27:65:40 | untrustedInput | provenance | Src:MaD:3  |
-| websocket.go:74:21:74:31 | call to Referer | websocket.go:78:36:78:49 | untrustedInput | provenance | Src:MaD:3  |
-| websocket.go:88:21:88:31 | call to Referer | websocket.go:91:31:91:44 | untrustedInput | provenance | Src:MaD:3  |
-| websocket.go:107:21:107:31 | call to Referer | websocket.go:110:15:110:28 | untrustedInput | provenance | Src:MaD:3  |
-| websocket.go:126:21:126:31 | call to Referer | websocket.go:129:38:129:51 | untrustedInput | provenance | Src:MaD:3  |
-| websocket.go:154:21:154:31 | call to Referer | websocket.go:155:31:155:44 | untrustedInput | provenance | Src:MaD:3  |
-| websocket.go:160:21:160:31 | call to Referer | websocket.go:162:31:162:44 | untrustedInput | provenance | Src:MaD:3  |
-| websocket.go:195:21:195:31 | call to Referer | websocket.go:197:22:197:35 | untrustedInput | provenance | Src:MaD:3  |
-| websocket.go:202:21:202:31 | call to Referer | websocket.go:204:15:204:28 | untrustedInput | provenance | Src:MaD:3  |
+| tst.go:49:11:49:11 | u | tst.go:49:11:49:20 | call to String | provenance | MaD:3 |
+| websocket.go:60:21:60:31 | call to Referer | websocket.go:65:27:65:40 | untrustedInput | provenance | Src:MaD:2  |
+| websocket.go:74:21:74:31 | call to Referer | websocket.go:78:36:78:49 | untrustedInput | provenance | Src:MaD:2  |
+| websocket.go:88:21:88:31 | call to Referer | websocket.go:91:31:91:44 | untrustedInput | provenance | Src:MaD:2  |
+| websocket.go:107:21:107:31 | call to Referer | websocket.go:110:15:110:28 | untrustedInput | provenance | Src:MaD:2  |
+| websocket.go:126:21:126:31 | call to Referer | websocket.go:129:38:129:51 | untrustedInput | provenance | Src:MaD:2  |
+| websocket.go:154:21:154:31 | call to Referer | websocket.go:155:31:155:44 | untrustedInput | provenance | Src:MaD:2  |
+| websocket.go:160:21:160:31 | call to Referer | websocket.go:162:31:162:44 | untrustedInput | provenance | Src:MaD:2  |
+| websocket.go:195:21:195:31 | call to Referer | websocket.go:197:22:197:35 | untrustedInput | provenance | Src:MaD:2  |
+| websocket.go:202:21:202:31 | call to Referer | websocket.go:204:15:204:28 | untrustedInput | provenance | Src:MaD:2  |
 models
-| 1 | Source: main; ; false; intSource; ; ; ReturnValue; remote; manual |
-| 2 | Source: net/http; Request; true; FormValue; ; ; ReturnValue; remote; manual |
-| 3 | Source: net/http; Request; true; Referer; ; ; ReturnValue; remote; manual |
-| 4 | Summary: fmt; ; false; Sprintf; ; ; Argument[1].ArrayElement; ReturnValue; taint; manual |
-| 5 | Summary: fmt; Stringer; true; String; ; ; Argument[receiver]; ReturnValue; taint; manual |
+| 1 | Source: net/http; Request; true; FormValue; ; ; ReturnValue; remote; manual |
+| 2 | Source: net/http; Request; true; Referer; ; ; ReturnValue; remote; manual |
+| 3 | Summary: fmt; Stringer; true; String; ; ; Argument[receiver]; ReturnValue; taint; manual |
 nodes
 | RequestForgery.go:8:12:8:34 | call to FormValue | semmle.label | call to FormValue |
 | RequestForgery.go:11:24:11:65 | ...+... | semmle.label | ...+... |
@@ -83,10 +76,6 @@ nodes
 | tst.go:48:11:48:18 | tainted2 | semmle.label | tainted2 |
 | tst.go:49:11:49:11 | u | semmle.label | u |
 | tst.go:49:11:49:20 | call to String | semmle.label | call to String |
-| tst.go:52:9:52:53 | []type{args} [array] | semmle.label | []type{args} [array] |
-| tst.go:52:9:52:53 | call to Sprintf | semmle.label | call to Sprintf |
-| tst.go:52:42:52:52 | call to intSource | semmle.label | call to intSource |
-| tst.go:53:11:53:25 | ...+... | semmle.label | ...+... |
 | websocket.go:60:21:60:31 | call to Referer | semmle.label | call to Referer |
 | websocket.go:65:27:65:40 | untrustedInput | semmle.label | untrustedInput |
 | websocket.go:74:21:74:31 | call to Referer | semmle.label | call to Referer |

go/ql/test/query-tests/Security/CWE-918/tst.go

@@ -49,8 +49,8 @@ func handler2(w http.ResponseWriter, req *http.Request) {
 	http.Get(u.String()) // $ Alert
 
 	// Simple types are considered sanitized.
-	url := fmt.Sprintf("%s/%d", "some-url", intSource()) // $ SPURIOUS: Source
-	http.Get("http://" + url)                            // $ SPURIOUS: Alert
+	url := fmt.Sprintf("%s/%d", "some-url", intSource())
+	http.Get("http://" + url)
 }
 
 func main() {