Check replacer will replace \r or \n

owen-mc · owen-mc · commit f38867dae4cb · 2023-01-17T15:43:28.000Z
Implementation copied from string break.
diff --git a/go/ql/lib/semmle/go/security/LogInjectionCustomizations.qll b/go/ql/lib/semmle/go/security/LogInjectionCustomizations.qll
@@ -59,17 +59,52 @@ module LogInjection {
     }
   }
 
+  /**
+   * A call to `strings.NewReplacer`.
+   */
+  class StringsNewReplacerCall extends DataFlow::CallNode {
+    StringsNewReplacerCall() { this.getTarget().hasQualifiedName("strings", "NewReplacer") }
+
+    /**
+     * Gets an argument to this call corresponding to a string that will be
+     * replaced.
+     */
+    DataFlow::Node getAReplacedArgument() { exists(int n | n % 2 = 0 and result = getArgument(n)) }
+  }
+
+  /**
+   * A configuration for tracking flow from a call to `strings.NewReplacer` to
+   * the receiver of a call to `strings.Replacer.Replace` or
+   * `strings.Replacer.WriteString`.
+   */
+  class StringsNewReplacerConfiguration extends DataFlow2::Configuration {
+    StringsNewReplacerConfiguration() { this = "StringsNewReplacerConfiguration" }
+
+    override predicate isSource(DataFlow::Node source) { source instanceof StringsNewReplacerCall }
+
+    override predicate isSink(DataFlow::Node sink) {
+      exists(DataFlow::MethodCallNode call |
+        sink = call.getReceiver() and
+        call.getTarget().hasQualifiedName("strings", "Replacer", ["Replace", "WriteString"])
+      )
+    }
+  }
+
   /**
    * A call to `strings.Replacer.Replace`, considered as a sanitizer for log
    * injection.
    */
   class ReplacerReplaceSanitizer extends Sanitizer {
     ReplacerReplaceSanitizer() {
-      exists(DataFlow::MethodCallNode call |
-        call.(DataFlow::MethodCallNode)
-            .getTarget()
-            .hasQualifiedName("strings", "Replacer", "Replace") and
-        this = call.getResult()
+      exists(
+        StringsNewReplacerConfiguration config, DataFlow::Node source, DataFlow::Node sink,
+        DataFlow::MethodCallNode call
+      |
+        config.hasFlow(source, sink) and
+        call.getTarget().hasQualifiedName("strings", "Replacer", "Replace") and
+        sink = call.getReceiver() and
+        this = call.getResult() and
+        source.(StringsNewReplacerCall).getAReplacedArgument().getStringValue() = ["\r", "\n"]
       )
     }
   }
@@ -80,9 +115,15 @@ module LogInjection {
    */
   class ReplacerWriteStringSanitizer extends Sanitizer {
     ReplacerWriteStringSanitizer() {
-      exists(DataFlow::MethodCallNode call |
+      exists(
+        StringsNewReplacerConfiguration config, DataFlow::Node source, DataFlow::Node sink,
+        DataFlow::MethodCallNode call
+      |
+        config.hasFlow(source, sink) and
         call.getTarget().hasQualifiedName("strings", "Replacer", "WriteString") and
-        this = call.getArgument(1)
+        sink = call.getReceiver() and
+        this = call.getArgument(1) and
+        source.(StringsNewReplacerCall).getAReplacedArgument().getStringValue() = ["\r", "\n"]
       )
     }
   }
