Skip to content
This repository was archived by the owner on Jan 5, 2023. It is now read-only.

add BeegoInput.RequestBody source to Beego framework #751

Closed
wants to merge 2 commits into from
Closed

add BeegoInput.RequestBody source to Beego framework #751

wants to merge 2 commits into from

Conversation

gregxsunday
Copy link

The Controller.Context.BeegoInput.RequestBody source is not currently modelled. It seems like a go-to way to access a JSON request body using this framework.

Looks to me, like it's the only field in the class worth modelling:
https://pkg.go.dev/github.com/beego/beego/v2/server/web/context#BeegoInput

Here are examples of how this is used in practice:
https://cs.github.com/?q=Input.RequestBody%20language%3AGo&scopeName=All%20repos&scope=

I also wanted to add some tests showcasing this source but I must admit I'm quite overwhelmed as I'm new to CodeQL and most of the docs/guidelines are for people submitting new queries.

@gregxsunday gregxsunday requested a review from a team as a code owner October 3, 2022 14:43
@gregxsunday gregxsunday mentioned this pull request Oct 3, 2022
Closed
2 tasks
@smowton
Copy link
Contributor

smowton commented Oct 4, 2022

To add a test, add a function to https://github.com/github/codeql/blob/main/go/ql/test/library-tests/semmle/go/frameworks/Beego/test.go that would expose a problem via this field, e.g. by simulating an XSS vulnerability, then use codeql test run --learn go/ql/test/library-tests/semmle/go/frameworks/Beego to execute the test -- you should find the ReflectedXss.expected file is altered to reflect new results if the test worked as expected.

@gregxsunday
Copy link
Author

Thanks @smowton, I added the test.
Unfortunately, I also added import of encoding/json which changed line numbers thus all of the .expected files changed as well. Perhaps we could force a test without adding the import but I've not encountered using the ctx.Input.RequestBody in a different context than json.Unmarshall.

@smowton
Copy link
Contributor

smowton commented Oct 6, 2022

Shame about the movement -- for that reason we've been shifting to Inline Expectation Tests, where we use a comment to indicate where results should occur and the .expected file records variances against the expectations (i.e., the good answer is the file is empty) -- however there's no need to go to that effort for just this change.

One last thing to change: the codeql-go repository is now merged into https://github.com/github/codeql -- please retarget your PR over there.

@gregxsunday gregxsunday mentioned this pull request Oct 6, 2022
Merged
@gregxsunday
Copy link
Author

I created another PR in that repo: github/codeql#10709
I hope that's what you meant by retarget, I didn't find a way to do this more elegantly. We can probably close this pr now.

@smowton
Copy link
Contributor

smowton commented Oct 6, 2022

Replaced by github/codeql#10709

@smowton smowton closed this Oct 6, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@gregxsunday @smowton