From 0c9cd09140a9b2b4e880156e69cfe23ac5fb4371 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 9 Oct 2025 11:34:14 +0100 Subject: [PATCH 1/4] Make NumericOrBooleanSanitizer easier to access and rename it --- go/ql/lib/semmle/go/security/Sanitizers.qll | 16 ++++++++++++++++ .../go/security/SqlInjectionCustomizations.qll | 10 +++++----- 2 files changed, 21 insertions(+), 5 deletions(-) create mode 100644 go/ql/lib/semmle/go/security/Sanitizers.qll diff --git a/go/ql/lib/semmle/go/security/Sanitizers.qll b/go/ql/lib/semmle/go/security/Sanitizers.qll new file mode 100644 index 000000000000..4391e12c25a0 --- /dev/null +++ b/go/ql/lib/semmle/go/security/Sanitizers.qll @@ -0,0 +1,16 @@ +/** + * Classes to represent sanitizers commonly used in dataflow and taint tracking + * configurations. + */ + +import go + +/** + * A node whose type is a simple type unlikely to carry taint, such as a + * numeric or boolean type. + */ +class SimpleTypeSanitizer extends DataFlow::Node { + SimpleTypeSanitizer() { + this.getType() instanceof NumericType or this.getType() instanceof BoolType + } +} diff --git a/go/ql/lib/semmle/go/security/SqlInjectionCustomizations.qll b/go/ql/lib/semmle/go/security/SqlInjectionCustomizations.qll index 0b2f96a92838..f26168ad1d77 100644 --- a/go/ql/lib/semmle/go/security/SqlInjectionCustomizations.qll +++ b/go/ql/lib/semmle/go/security/SqlInjectionCustomizations.qll @@ -4,6 +4,7 @@ */ import go +private import semmle.go.security.Sanitizers /** * Provides extension points for customizing the taint tracking configuration for reasoning about @@ -39,12 +40,11 @@ module SqlInjection { /** A NoSql query, considered as a taint sink for SQL injection. */ class NoSqlQueryAsSink extends Sink instanceof NoSql::Query { } + /** DEPRECATED: Use `SimpleTypeSanitizer` from semmle.go.security.Sanitizers instead. */ + deprecated class NumericOrBooleanSanitizer = SimpleTypeSanitizer; + /** * A numeric- or boolean-typed node, considered a sanitizer for sql injection. */ - class NumericOrBooleanSanitizer extends Sanitizer { - NumericOrBooleanSanitizer() { - this.getType() instanceof NumericType or this.getType() instanceof BoolType - } - } + private class DefaultSanitizer extends Sanitizer instanceof SimpleTypeSanitizer { } } From 7599fdd8fa0047d398efcda216d7998c5783e3b1 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 9 Oct 2025 11:57:10 +0100 Subject: [PATCH 2/4] Add request forgery test for numeric type --- .../Security/CWE-918/RequestForgery.expected | 133 ++++++++++-------- .../Security/CWE-918/RequestForgery.ext.yml | 6 + .../test/query-tests/Security/CWE-918/tst.go | 9 ++ 3 files changed, 87 insertions(+), 61 deletions(-) create mode 100644 go/ql/test/query-tests/Security/CWE-918/RequestForgery.ext.yml diff --git a/go/ql/test/query-tests/Security/CWE-918/RequestForgery.expected b/go/ql/test/query-tests/Security/CWE-918/RequestForgery.expected index 129613a3f1ab..224a2c2b72e9 100644 --- a/go/ql/test/query-tests/Security/CWE-918/RequestForgery.expected +++ b/go/ql/test/query-tests/Security/CWE-918/RequestForgery.expected @@ -1,18 +1,19 @@ #select | RequestForgery.go:11:15:11:66 | call to Get | RequestForgery.go:8:12:8:34 | call to FormValue | RequestForgery.go:11:24:11:65 | ...+... | The $@ of this request depends on a $@. | RequestForgery.go:11:24:11:65 | ...+... | URL | RequestForgery.go:8:12:8:34 | call to FormValue | user-provided value | -| tst.go:18:2:18:18 | call to Get | tst.go:10:13:10:35 | call to FormValue | tst.go:18:11:18:17 | tainted | The $@ of this request depends on a $@. | tst.go:18:11:18:17 | tainted | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value | -| tst.go:20:2:20:19 | call to Head | tst.go:10:13:10:35 | call to FormValue | tst.go:20:12:20:18 | tainted | The $@ of this request depends on a $@. | tst.go:20:12:20:18 | tainted | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value | -| tst.go:22:2:22:38 | call to Post | tst.go:10:13:10:35 | call to FormValue | tst.go:22:12:22:18 | tainted | The $@ of this request depends on a $@. | tst.go:22:12:22:18 | tainted | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value | -| tst.go:24:2:24:28 | call to PostForm | tst.go:10:13:10:35 | call to FormValue | tst.go:24:16:24:22 | tainted | The $@ of this request depends on a $@. | tst.go:24:16:24:22 | tainted | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value | -| tst.go:28:2:28:15 | call to Do | tst.go:10:13:10:35 | call to FormValue | tst.go:27:35:27:41 | tainted | The $@ of this request depends on a $@. | tst.go:27:35:27:41 | tainted | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value | -| tst.go:31:2:31:15 | call to Do | tst.go:10:13:10:35 | call to FormValue | tst.go:30:68:30:74 | tainted | The $@ of this request depends on a $@. | tst.go:30:68:30:74 | tainted | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value | -| tst.go:33:2:33:20 | call to Get | tst.go:10:13:10:35 | call to FormValue | tst.go:33:13:33:19 | tainted | The $@ of this request depends on a $@. | tst.go:33:13:33:19 | tainted | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value | -| tst.go:34:2:34:21 | call to Head | tst.go:10:13:10:35 | call to FormValue | tst.go:34:14:34:20 | tainted | The $@ of this request depends on a $@. | tst.go:34:14:34:20 | tainted | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value | -| tst.go:35:2:35:40 | call to Post | tst.go:10:13:10:35 | call to FormValue | tst.go:35:14:35:20 | tainted | The $@ of this request depends on a $@. | tst.go:35:14:35:20 | tainted | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value | -| tst.go:36:2:36:30 | call to PostForm | tst.go:10:13:10:35 | call to FormValue | tst.go:36:18:36:24 | tainted | The $@ of this request depends on a $@. | tst.go:36:18:36:24 | tainted | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value | -| tst.go:38:2:38:30 | call to Get | tst.go:10:13:10:35 | call to FormValue | tst.go:38:11:38:29 | ...+... | The $@ of this request depends on a $@. | tst.go:38:11:38:29 | ...+... | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value | -| tst.go:40:2:40:41 | call to Get | tst.go:10:13:10:35 | call to FormValue | tst.go:40:11:40:40 | ...+... | The $@ of this request depends on a $@. | tst.go:40:11:40:40 | ...+... | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value | -| tst.go:48:2:48:21 | call to Get | tst.go:10:13:10:35 | call to FormValue | tst.go:48:11:48:20 | call to String | The $@ of this request depends on a $@. | tst.go:48:11:48:20 | call to String | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value | +| tst.go:19:2:19:18 | call to Get | tst.go:11:13:11:35 | call to FormValue | tst.go:19:11:19:17 | tainted | The $@ of this request depends on a $@. | tst.go:19:11:19:17 | tainted | URL | tst.go:11:13:11:35 | call to FormValue | user-provided value | +| tst.go:21:2:21:19 | call to Head | tst.go:11:13:11:35 | call to FormValue | tst.go:21:12:21:18 | tainted | The $@ of this request depends on a $@. | tst.go:21:12:21:18 | tainted | URL | tst.go:11:13:11:35 | call to FormValue | user-provided value | +| tst.go:23:2:23:38 | call to Post | tst.go:11:13:11:35 | call to FormValue | tst.go:23:12:23:18 | tainted | The $@ of this request depends on a $@. | tst.go:23:12:23:18 | tainted | URL | tst.go:11:13:11:35 | call to FormValue | user-provided value | +| tst.go:25:2:25:28 | call to PostForm | tst.go:11:13:11:35 | call to FormValue | tst.go:25:16:25:22 | tainted | The $@ of this request depends on a $@. | tst.go:25:16:25:22 | tainted | URL | tst.go:11:13:11:35 | call to FormValue | user-provided value | +| tst.go:29:2:29:15 | call to Do | tst.go:11:13:11:35 | call to FormValue | tst.go:28:35:28:41 | tainted | The $@ of this request depends on a $@. | tst.go:28:35:28:41 | tainted | URL | tst.go:11:13:11:35 | call to FormValue | user-provided value | +| tst.go:32:2:32:15 | call to Do | tst.go:11:13:11:35 | call to FormValue | tst.go:31:68:31:74 | tainted | The $@ of this request depends on a $@. | tst.go:31:68:31:74 | tainted | URL | tst.go:11:13:11:35 | call to FormValue | user-provided value | +| tst.go:34:2:34:20 | call to Get | tst.go:11:13:11:35 | call to FormValue | tst.go:34:13:34:19 | tainted | The $@ of this request depends on a $@. | tst.go:34:13:34:19 | tainted | URL | tst.go:11:13:11:35 | call to FormValue | user-provided value | +| tst.go:35:2:35:21 | call to Head | tst.go:11:13:11:35 | call to FormValue | tst.go:35:14:35:20 | tainted | The $@ of this request depends on a $@. | tst.go:35:14:35:20 | tainted | URL | tst.go:11:13:11:35 | call to FormValue | user-provided value | +| tst.go:36:2:36:40 | call to Post | tst.go:11:13:11:35 | call to FormValue | tst.go:36:14:36:20 | tainted | The $@ of this request depends on a $@. | tst.go:36:14:36:20 | tainted | URL | tst.go:11:13:11:35 | call to FormValue | user-provided value | +| tst.go:37:2:37:30 | call to PostForm | tst.go:11:13:11:35 | call to FormValue | tst.go:37:18:37:24 | tainted | The $@ of this request depends on a $@. | tst.go:37:18:37:24 | tainted | URL | tst.go:11:13:11:35 | call to FormValue | user-provided value | +| tst.go:39:2:39:30 | call to Get | tst.go:11:13:11:35 | call to FormValue | tst.go:39:11:39:29 | ...+... | The $@ of this request depends on a $@. | tst.go:39:11:39:29 | ...+... | URL | tst.go:11:13:11:35 | call to FormValue | user-provided value | +| tst.go:41:2:41:41 | call to Get | tst.go:11:13:11:35 | call to FormValue | tst.go:41:11:41:40 | ...+... | The $@ of this request depends on a $@. | tst.go:41:11:41:40 | ...+... | URL | tst.go:11:13:11:35 | call to FormValue | user-provided value | +| tst.go:49:2:49:21 | call to Get | tst.go:11:13:11:35 | call to FormValue | tst.go:49:11:49:20 | call to String | The $@ of this request depends on a $@. | tst.go:49:11:49:20 | call to String | URL | tst.go:11:13:11:35 | call to FormValue | user-provided value | +| tst.go:53:2:53:26 | call to Get | tst.go:52:42:52:52 | call to intSource | tst.go:53:11:53:25 | ...+... | The $@ of this request depends on a $@. | tst.go:53:11:53:25 | ...+... | URL | tst.go:52:42:52:52 | call to intSource | user-provided value | | websocket.go:65:12:65:53 | call to Dial | websocket.go:60:21:60:31 | call to Referer | websocket.go:65:27:65:40 | untrustedInput | The $@ of this request depends on a $@. | websocket.go:65:27:65:40 | untrustedInput | WebSocket URL | websocket.go:60:21:60:31 | call to Referer | user-provided value | | websocket.go:79:13:79:40 | call to DialConfig | websocket.go:74:21:74:31 | call to Referer | websocket.go:78:36:78:49 | untrustedInput | The $@ of this request depends on a $@. | websocket.go:78:36:78:49 | untrustedInput | WebSocket URL | websocket.go:74:21:74:31 | call to Referer | user-provided value | | websocket.go:91:3:91:50 | call to Dial | websocket.go:88:21:88:31 | call to Referer | websocket.go:91:31:91:44 | untrustedInput | The $@ of this request depends on a $@. | websocket.go:91:31:91:44 | untrustedInput | WebSocket URL | websocket.go:88:21:88:31 | call to Referer | user-provided value | @@ -23,59 +24,69 @@ | websocket.go:197:7:197:36 | call to BuildProxy | websocket.go:195:21:195:31 | call to Referer | websocket.go:197:22:197:35 | untrustedInput | The $@ of this request depends on a $@. | websocket.go:197:22:197:35 | untrustedInput | WebSocket URL | websocket.go:195:21:195:31 | call to Referer | user-provided value | | websocket.go:204:7:204:29 | call to New | websocket.go:202:21:202:31 | call to Referer | websocket.go:204:15:204:28 | untrustedInput | The $@ of this request depends on a $@. | websocket.go:204:15:204:28 | untrustedInput | WebSocket URL | websocket.go:202:21:202:31 | call to Referer | user-provided value | edges -| RequestForgery.go:8:12:8:34 | call to FormValue | RequestForgery.go:11:24:11:65 | ...+... | provenance | Src:MaD:1 | -| tst.go:10:13:10:35 | call to FormValue | tst.go:18:11:18:17 | tainted | provenance | Src:MaD:1 | -| tst.go:10:13:10:35 | call to FormValue | tst.go:20:12:20:18 | tainted | provenance | Src:MaD:1 | -| tst.go:10:13:10:35 | call to FormValue | tst.go:22:12:22:18 | tainted | provenance | Src:MaD:1 | -| tst.go:10:13:10:35 | call to FormValue | tst.go:24:16:24:22 | tainted | provenance | Src:MaD:1 | -| tst.go:10:13:10:35 | call to FormValue | tst.go:27:35:27:41 | tainted | provenance | Src:MaD:1 | -| tst.go:10:13:10:35 | call to FormValue | tst.go:30:68:30:74 | tainted | provenance | Src:MaD:1 | -| tst.go:10:13:10:35 | call to FormValue | tst.go:33:13:33:19 | tainted | provenance | Src:MaD:1 | -| tst.go:10:13:10:35 | call to FormValue | tst.go:34:14:34:20 | tainted | provenance | Src:MaD:1 | -| tst.go:10:13:10:35 | call to FormValue | tst.go:35:14:35:20 | tainted | provenance | Src:MaD:1 | -| tst.go:10:13:10:35 | call to FormValue | tst.go:36:18:36:24 | tainted | provenance | Src:MaD:1 | -| tst.go:10:13:10:35 | call to FormValue | tst.go:38:11:38:29 | ...+... | provenance | Src:MaD:1 | -| tst.go:10:13:10:35 | call to FormValue | tst.go:40:11:40:40 | ...+... | provenance | Src:MaD:1 | -| tst.go:10:13:10:35 | call to FormValue | tst.go:47:11:47:18 | tainted2 | provenance | Src:MaD:1 | -| tst.go:47:2:47:2 | implicit dereference [postupdate] | tst.go:47:2:47:2 | u [postupdate] | provenance | | -| tst.go:47:2:47:2 | u [postupdate] | tst.go:48:11:48:11 | u | provenance | | -| tst.go:47:11:47:18 | tainted2 | tst.go:47:2:47:2 | implicit dereference [postupdate] | provenance | Config | -| tst.go:47:11:47:18 | tainted2 | tst.go:47:2:47:2 | u [postupdate] | provenance | Config | -| tst.go:48:11:48:11 | u | tst.go:48:11:48:20 | call to String | provenance | MaD:3 | -| websocket.go:60:21:60:31 | call to Referer | websocket.go:65:27:65:40 | untrustedInput | provenance | Src:MaD:2 | -| websocket.go:74:21:74:31 | call to Referer | websocket.go:78:36:78:49 | untrustedInput | provenance | Src:MaD:2 | -| websocket.go:88:21:88:31 | call to Referer | websocket.go:91:31:91:44 | untrustedInput | provenance | Src:MaD:2 | -| websocket.go:107:21:107:31 | call to Referer | websocket.go:110:15:110:28 | untrustedInput | provenance | Src:MaD:2 | -| websocket.go:126:21:126:31 | call to Referer | websocket.go:129:38:129:51 | untrustedInput | provenance | Src:MaD:2 | -| websocket.go:154:21:154:31 | call to Referer | websocket.go:155:31:155:44 | untrustedInput | provenance | Src:MaD:2 | -| websocket.go:160:21:160:31 | call to Referer | websocket.go:162:31:162:44 | untrustedInput | provenance | Src:MaD:2 | -| websocket.go:195:21:195:31 | call to Referer | websocket.go:197:22:197:35 | untrustedInput | provenance | Src:MaD:2 | -| websocket.go:202:21:202:31 | call to Referer | websocket.go:204:15:204:28 | untrustedInput | provenance | Src:MaD:2 | +| RequestForgery.go:8:12:8:34 | call to FormValue | RequestForgery.go:11:24:11:65 | ...+... | provenance | Src:MaD:2 | +| tst.go:11:13:11:35 | call to FormValue | tst.go:19:11:19:17 | tainted | provenance | Src:MaD:2 | +| tst.go:11:13:11:35 | call to FormValue | tst.go:21:12:21:18 | tainted | provenance | Src:MaD:2 | +| tst.go:11:13:11:35 | call to FormValue | tst.go:23:12:23:18 | tainted | provenance | Src:MaD:2 | +| tst.go:11:13:11:35 | call to FormValue | tst.go:25:16:25:22 | tainted | provenance | Src:MaD:2 | +| tst.go:11:13:11:35 | call to FormValue | tst.go:28:35:28:41 | tainted | provenance | Src:MaD:2 | +| tst.go:11:13:11:35 | call to FormValue | tst.go:31:68:31:74 | tainted | provenance | Src:MaD:2 | +| tst.go:11:13:11:35 | call to FormValue | tst.go:34:13:34:19 | tainted | provenance | Src:MaD:2 | +| tst.go:11:13:11:35 | call to FormValue | tst.go:35:14:35:20 | tainted | provenance | Src:MaD:2 | +| tst.go:11:13:11:35 | call to FormValue | tst.go:36:14:36:20 | tainted | provenance | Src:MaD:2 | +| tst.go:11:13:11:35 | call to FormValue | tst.go:37:18:37:24 | tainted | provenance | Src:MaD:2 | +| tst.go:11:13:11:35 | call to FormValue | tst.go:39:11:39:29 | ...+... | provenance | Src:MaD:2 | +| tst.go:11:13:11:35 | call to FormValue | tst.go:41:11:41:40 | ...+... | provenance | Src:MaD:2 | +| tst.go:11:13:11:35 | call to FormValue | tst.go:48:11:48:18 | tainted2 | provenance | Src:MaD:2 | +| tst.go:48:2:48:2 | implicit dereference [postupdate] | tst.go:48:2:48:2 | u [postupdate] | provenance | | +| tst.go:48:2:48:2 | u [postupdate] | tst.go:49:11:49:11 | u | provenance | | +| tst.go:48:11:48:18 | tainted2 | tst.go:48:2:48:2 | implicit dereference [postupdate] | provenance | Config | +| tst.go:48:11:48:18 | tainted2 | tst.go:48:2:48:2 | u [postupdate] | provenance | Config | +| tst.go:49:11:49:11 | u | tst.go:49:11:49:20 | call to String | provenance | MaD:5 | +| tst.go:52:9:52:53 | []type{args} [array] | tst.go:52:9:52:53 | call to Sprintf | provenance | MaD:4 | +| tst.go:52:9:52:53 | call to Sprintf | tst.go:53:11:53:25 | ...+... | provenance | | +| tst.go:52:42:52:52 | call to intSource | tst.go:52:9:52:53 | []type{args} [array] | provenance | Src:MaD:1 | +| tst.go:52:42:52:52 | call to intSource | tst.go:52:9:52:53 | call to Sprintf | provenance | Src:MaD:1 FunctionModel | +| websocket.go:60:21:60:31 | call to Referer | websocket.go:65:27:65:40 | untrustedInput | provenance | Src:MaD:3 | +| websocket.go:74:21:74:31 | call to Referer | websocket.go:78:36:78:49 | untrustedInput | provenance | Src:MaD:3 | +| websocket.go:88:21:88:31 | call to Referer | websocket.go:91:31:91:44 | untrustedInput | provenance | Src:MaD:3 | +| websocket.go:107:21:107:31 | call to Referer | websocket.go:110:15:110:28 | untrustedInput | provenance | Src:MaD:3 | +| websocket.go:126:21:126:31 | call to Referer | websocket.go:129:38:129:51 | untrustedInput | provenance | Src:MaD:3 | +| websocket.go:154:21:154:31 | call to Referer | websocket.go:155:31:155:44 | untrustedInput | provenance | Src:MaD:3 | +| websocket.go:160:21:160:31 | call to Referer | websocket.go:162:31:162:44 | untrustedInput | provenance | Src:MaD:3 | +| websocket.go:195:21:195:31 | call to Referer | websocket.go:197:22:197:35 | untrustedInput | provenance | Src:MaD:3 | +| websocket.go:202:21:202:31 | call to Referer | websocket.go:204:15:204:28 | untrustedInput | provenance | Src:MaD:3 | models -| 1 | Source: net/http; Request; true; FormValue; ; ; ReturnValue; remote; manual | -| 2 | Source: net/http; Request; true; Referer; ; ; ReturnValue; remote; manual | -| 3 | Summary: fmt; Stringer; true; String; ; ; Argument[receiver]; ReturnValue; taint; manual | +| 1 | Source: main; ; false; intSource; ; ; ReturnValue; remote; manual | +| 2 | Source: net/http; Request; true; FormValue; ; ; ReturnValue; remote; manual | +| 3 | Source: net/http; Request; true; Referer; ; ; ReturnValue; remote; manual | +| 4 | Summary: fmt; ; false; Sprintf; ; ; Argument[1].ArrayElement; ReturnValue; taint; manual | +| 5 | Summary: fmt; Stringer; true; String; ; ; Argument[receiver]; ReturnValue; taint; manual | nodes | RequestForgery.go:8:12:8:34 | call to FormValue | semmle.label | call to FormValue | | RequestForgery.go:11:24:11:65 | ...+... | semmle.label | ...+... | -| tst.go:10:13:10:35 | call to FormValue | semmle.label | call to FormValue | -| tst.go:18:11:18:17 | tainted | semmle.label | tainted | -| tst.go:20:12:20:18 | tainted | semmle.label | tainted | -| tst.go:22:12:22:18 | tainted | semmle.label | tainted | -| tst.go:24:16:24:22 | tainted | semmle.label | tainted | -| tst.go:27:35:27:41 | tainted | semmle.label | tainted | -| tst.go:30:68:30:74 | tainted | semmle.label | tainted | -| tst.go:33:13:33:19 | tainted | semmle.label | tainted | -| tst.go:34:14:34:20 | tainted | semmle.label | tainted | +| tst.go:11:13:11:35 | call to FormValue | semmle.label | call to FormValue | +| tst.go:19:11:19:17 | tainted | semmle.label | tainted | +| tst.go:21:12:21:18 | tainted | semmle.label | tainted | +| tst.go:23:12:23:18 | tainted | semmle.label | tainted | +| tst.go:25:16:25:22 | tainted | semmle.label | tainted | +| tst.go:28:35:28:41 | tainted | semmle.label | tainted | +| tst.go:31:68:31:74 | tainted | semmle.label | tainted | +| tst.go:34:13:34:19 | tainted | semmle.label | tainted | | tst.go:35:14:35:20 | tainted | semmle.label | tainted | -| tst.go:36:18:36:24 | tainted | semmle.label | tainted | -| tst.go:38:11:38:29 | ...+... | semmle.label | ...+... | -| tst.go:40:11:40:40 | ...+... | semmle.label | ...+... | -| tst.go:47:2:47:2 | implicit dereference [postupdate] | semmle.label | implicit dereference [postupdate] | -| tst.go:47:2:47:2 | u [postupdate] | semmle.label | u [postupdate] | -| tst.go:47:11:47:18 | tainted2 | semmle.label | tainted2 | -| tst.go:48:11:48:11 | u | semmle.label | u | -| tst.go:48:11:48:20 | call to String | semmle.label | call to String | +| tst.go:36:14:36:20 | tainted | semmle.label | tainted | +| tst.go:37:18:37:24 | tainted | semmle.label | tainted | +| tst.go:39:11:39:29 | ...+... | semmle.label | ...+... | +| tst.go:41:11:41:40 | ...+... | semmle.label | ...+... | +| tst.go:48:2:48:2 | implicit dereference [postupdate] | semmle.label | implicit dereference [postupdate] | +| tst.go:48:2:48:2 | u [postupdate] | semmle.label | u [postupdate] | +| tst.go:48:11:48:18 | tainted2 | semmle.label | tainted2 | +| tst.go:49:11:49:11 | u | semmle.label | u | +| tst.go:49:11:49:20 | call to String | semmle.label | call to String | +| tst.go:52:9:52:53 | []type{args} [array] | semmle.label | []type{args} [array] | +| tst.go:52:9:52:53 | call to Sprintf | semmle.label | call to Sprintf | +| tst.go:52:42:52:52 | call to intSource | semmle.label | call to intSource | +| tst.go:53:11:53:25 | ...+... | semmle.label | ...+... | | websocket.go:60:21:60:31 | call to Referer | semmle.label | call to Referer | | websocket.go:65:27:65:40 | untrustedInput | semmle.label | untrustedInput | | websocket.go:74:21:74:31 | call to Referer | semmle.label | call to Referer | diff --git a/go/ql/test/query-tests/Security/CWE-918/RequestForgery.ext.yml b/go/ql/test/query-tests/Security/CWE-918/RequestForgery.ext.yml new file mode 100644 index 000000000000..1fc92a07144b --- /dev/null +++ b/go/ql/test/query-tests/Security/CWE-918/RequestForgery.ext.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/go-all + extensible: sourceModel + data: + - ["main", "", False, "intSource", "", "", "ReturnValue", "remote", "manual"] diff --git a/go/ql/test/query-tests/Security/CWE-918/tst.go b/go/ql/test/query-tests/Security/CWE-918/tst.go index 02f65507abd5..479d7aa8c92e 100644 --- a/go/ql/test/query-tests/Security/CWE-918/tst.go +++ b/go/ql/test/query-tests/Security/CWE-918/tst.go @@ -2,6 +2,7 @@ package main import ( "context" + "fmt" "net/http" "net/url" ) @@ -46,8 +47,16 @@ func handler2(w http.ResponseWriter, req *http.Request) { u, _ := url.Parse("http://example.com/relative-path") u.Host = tainted2 http.Get(u.String()) // $ Alert + + // Simple types are considered sanitized. + url := fmt.Sprintf("%s/%d", "some-url", intSource()) // $ SPURIOUS: Source + http.Get("http://" + url) // $ SPURIOUS: Alert } func main() { } + +func intSource() int64 { + return 0 +} From 3cbce80d0bf48a2bd8b90d9ddbb593a701e65c5a Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 9 Oct 2025 12:15:29 +0100 Subject: [PATCH 3/4] Add SimpleTypeSanitizer to `go/request-forgery` --- .../security/RequestForgeryCustomizations.qll | 6 ++ .../Security/CWE-918/RequestForgery.expected | 65 ++++++++----------- .../test/query-tests/Security/CWE-918/tst.go | 4 +- 3 files changed, 35 insertions(+), 40 deletions(-) diff --git a/go/ql/lib/semmle/go/security/RequestForgeryCustomizations.qll b/go/ql/lib/semmle/go/security/RequestForgeryCustomizations.qll index 1298785b726c..82f9df4b5064 100644 --- a/go/ql/lib/semmle/go/security/RequestForgeryCustomizations.qll +++ b/go/ql/lib/semmle/go/security/RequestForgeryCustomizations.qll @@ -9,6 +9,7 @@ import semmle.go.dataflow.barrierguardutil.RedirectCheckBarrierGuard import semmle.go.dataflow.barrierguardutil.RegexpCheck import semmle.go.dataflow.barrierguardutil.UrlCheck import semmle.go.dataflow.ExternalFlow +private import semmle.go.security.Sanitizers /** Provides classes and predicates for the request forgery query. */ module RequestForgery { @@ -114,6 +115,11 @@ module RequestForgery { * considered a barrier guard for `url`. */ class UrlCheckAsBarrierGuard extends UrlCheckBarrier, Sanitizer { } + + /** + * A simple-typed node, considered a sanitizer for request forgery. + */ + private class DefaultSanitizer extends Sanitizer instanceof SimpleTypeSanitizer { } } /** A sink for request forgery, considered as a sink for safe URL flow. */ diff --git a/go/ql/test/query-tests/Security/CWE-918/RequestForgery.expected b/go/ql/test/query-tests/Security/CWE-918/RequestForgery.expected index 224a2c2b72e9..15b0e179e983 100644 --- a/go/ql/test/query-tests/Security/CWE-918/RequestForgery.expected +++ b/go/ql/test/query-tests/Security/CWE-918/RequestForgery.expected @@ -13,7 +13,6 @@ | tst.go:39:2:39:30 | call to Get | tst.go:11:13:11:35 | call to FormValue | tst.go:39:11:39:29 | ...+... | The $@ of this request depends on a $@. | tst.go:39:11:39:29 | ...+... | URL | tst.go:11:13:11:35 | call to FormValue | user-provided value | | tst.go:41:2:41:41 | call to Get | tst.go:11:13:11:35 | call to FormValue | tst.go:41:11:41:40 | ...+... | The $@ of this request depends on a $@. | tst.go:41:11:41:40 | ...+... | URL | tst.go:11:13:11:35 | call to FormValue | user-provided value | | tst.go:49:2:49:21 | call to Get | tst.go:11:13:11:35 | call to FormValue | tst.go:49:11:49:20 | call to String | The $@ of this request depends on a $@. | tst.go:49:11:49:20 | call to String | URL | tst.go:11:13:11:35 | call to FormValue | user-provided value | -| tst.go:53:2:53:26 | call to Get | tst.go:52:42:52:52 | call to intSource | tst.go:53:11:53:25 | ...+... | The $@ of this request depends on a $@. | tst.go:53:11:53:25 | ...+... | URL | tst.go:52:42:52:52 | call to intSource | user-provided value | | websocket.go:65:12:65:53 | call to Dial | websocket.go:60:21:60:31 | call to Referer | websocket.go:65:27:65:40 | untrustedInput | The $@ of this request depends on a $@. | websocket.go:65:27:65:40 | untrustedInput | WebSocket URL | websocket.go:60:21:60:31 | call to Referer | user-provided value | | websocket.go:79:13:79:40 | call to DialConfig | websocket.go:74:21:74:31 | call to Referer | websocket.go:78:36:78:49 | untrustedInput | The $@ of this request depends on a $@. | websocket.go:78:36:78:49 | untrustedInput | WebSocket URL | websocket.go:74:21:74:31 | call to Referer | user-provided value | | websocket.go:91:3:91:50 | call to Dial | websocket.go:88:21:88:31 | call to Referer | websocket.go:91:31:91:44 | untrustedInput | The $@ of this request depends on a $@. | websocket.go:91:31:91:44 | untrustedInput | WebSocket URL | websocket.go:88:21:88:31 | call to Referer | user-provided value | @@ -24,44 +23,38 @@ | websocket.go:197:7:197:36 | call to BuildProxy | websocket.go:195:21:195:31 | call to Referer | websocket.go:197:22:197:35 | untrustedInput | The $@ of this request depends on a $@. | websocket.go:197:22:197:35 | untrustedInput | WebSocket URL | websocket.go:195:21:195:31 | call to Referer | user-provided value | | websocket.go:204:7:204:29 | call to New | websocket.go:202:21:202:31 | call to Referer | websocket.go:204:15:204:28 | untrustedInput | The $@ of this request depends on a $@. | websocket.go:204:15:204:28 | untrustedInput | WebSocket URL | websocket.go:202:21:202:31 | call to Referer | user-provided value | edges -| RequestForgery.go:8:12:8:34 | call to FormValue | RequestForgery.go:11:24:11:65 | ...+... | provenance | Src:MaD:2 | -| tst.go:11:13:11:35 | call to FormValue | tst.go:19:11:19:17 | tainted | provenance | Src:MaD:2 | -| tst.go:11:13:11:35 | call to FormValue | tst.go:21:12:21:18 | tainted | provenance | Src:MaD:2 | -| tst.go:11:13:11:35 | call to FormValue | tst.go:23:12:23:18 | tainted | provenance | Src:MaD:2 | -| tst.go:11:13:11:35 | call to FormValue | tst.go:25:16:25:22 | tainted | provenance | Src:MaD:2 | -| tst.go:11:13:11:35 | call to FormValue | tst.go:28:35:28:41 | tainted | provenance | Src:MaD:2 | -| tst.go:11:13:11:35 | call to FormValue | tst.go:31:68:31:74 | tainted | provenance | Src:MaD:2 | -| tst.go:11:13:11:35 | call to FormValue | tst.go:34:13:34:19 | tainted | provenance | Src:MaD:2 | -| tst.go:11:13:11:35 | call to FormValue | tst.go:35:14:35:20 | tainted | provenance | Src:MaD:2 | -| tst.go:11:13:11:35 | call to FormValue | tst.go:36:14:36:20 | tainted | provenance | Src:MaD:2 | -| tst.go:11:13:11:35 | call to FormValue | tst.go:37:18:37:24 | tainted | provenance | Src:MaD:2 | -| tst.go:11:13:11:35 | call to FormValue | tst.go:39:11:39:29 | ...+... | provenance | Src:MaD:2 | -| tst.go:11:13:11:35 | call to FormValue | tst.go:41:11:41:40 | ...+... | provenance | Src:MaD:2 | -| tst.go:11:13:11:35 | call to FormValue | tst.go:48:11:48:18 | tainted2 | provenance | Src:MaD:2 | +| RequestForgery.go:8:12:8:34 | call to FormValue | RequestForgery.go:11:24:11:65 | ...+... | provenance | Src:MaD:1 | +| tst.go:11:13:11:35 | call to FormValue | tst.go:19:11:19:17 | tainted | provenance | Src:MaD:1 | +| tst.go:11:13:11:35 | call to FormValue | tst.go:21:12:21:18 | tainted | provenance | Src:MaD:1 | +| tst.go:11:13:11:35 | call to FormValue | tst.go:23:12:23:18 | tainted | provenance | Src:MaD:1 | +| tst.go:11:13:11:35 | call to FormValue | tst.go:25:16:25:22 | tainted | provenance | Src:MaD:1 | +| tst.go:11:13:11:35 | call to FormValue | tst.go:28:35:28:41 | tainted | provenance | Src:MaD:1 | +| tst.go:11:13:11:35 | call to FormValue | tst.go:31:68:31:74 | tainted | provenance | Src:MaD:1 | +| tst.go:11:13:11:35 | call to FormValue | tst.go:34:13:34:19 | tainted | provenance | Src:MaD:1 | +| tst.go:11:13:11:35 | call to FormValue | tst.go:35:14:35:20 | tainted | provenance | Src:MaD:1 | +| tst.go:11:13:11:35 | call to FormValue | tst.go:36:14:36:20 | tainted | provenance | Src:MaD:1 | +| tst.go:11:13:11:35 | call to FormValue | tst.go:37:18:37:24 | tainted | provenance | Src:MaD:1 | +| tst.go:11:13:11:35 | call to FormValue | tst.go:39:11:39:29 | ...+... | provenance | Src:MaD:1 | +| tst.go:11:13:11:35 | call to FormValue | tst.go:41:11:41:40 | ...+... | provenance | Src:MaD:1 | +| tst.go:11:13:11:35 | call to FormValue | tst.go:48:11:48:18 | tainted2 | provenance | Src:MaD:1 | | tst.go:48:2:48:2 | implicit dereference [postupdate] | tst.go:48:2:48:2 | u [postupdate] | provenance | | | tst.go:48:2:48:2 | u [postupdate] | tst.go:49:11:49:11 | u | provenance | | | tst.go:48:11:48:18 | tainted2 | tst.go:48:2:48:2 | implicit dereference [postupdate] | provenance | Config | | tst.go:48:11:48:18 | tainted2 | tst.go:48:2:48:2 | u [postupdate] | provenance | Config | -| tst.go:49:11:49:11 | u | tst.go:49:11:49:20 | call to String | provenance | MaD:5 | -| tst.go:52:9:52:53 | []type{args} [array] | tst.go:52:9:52:53 | call to Sprintf | provenance | MaD:4 | -| tst.go:52:9:52:53 | call to Sprintf | tst.go:53:11:53:25 | ...+... | provenance | | -| tst.go:52:42:52:52 | call to intSource | tst.go:52:9:52:53 | []type{args} [array] | provenance | Src:MaD:1 | -| tst.go:52:42:52:52 | call to intSource | tst.go:52:9:52:53 | call to Sprintf | provenance | Src:MaD:1 FunctionModel | -| websocket.go:60:21:60:31 | call to Referer | websocket.go:65:27:65:40 | untrustedInput | provenance | Src:MaD:3 | -| websocket.go:74:21:74:31 | call to Referer | websocket.go:78:36:78:49 | untrustedInput | provenance | Src:MaD:3 | -| websocket.go:88:21:88:31 | call to Referer | websocket.go:91:31:91:44 | untrustedInput | provenance | Src:MaD:3 | -| websocket.go:107:21:107:31 | call to Referer | websocket.go:110:15:110:28 | untrustedInput | provenance | Src:MaD:3 | -| websocket.go:126:21:126:31 | call to Referer | websocket.go:129:38:129:51 | untrustedInput | provenance | Src:MaD:3 | -| websocket.go:154:21:154:31 | call to Referer | websocket.go:155:31:155:44 | untrustedInput | provenance | Src:MaD:3 | -| websocket.go:160:21:160:31 | call to Referer | websocket.go:162:31:162:44 | untrustedInput | provenance | Src:MaD:3 | -| websocket.go:195:21:195:31 | call to Referer | websocket.go:197:22:197:35 | untrustedInput | provenance | Src:MaD:3 | -| websocket.go:202:21:202:31 | call to Referer | websocket.go:204:15:204:28 | untrustedInput | provenance | Src:MaD:3 | +| tst.go:49:11:49:11 | u | tst.go:49:11:49:20 | call to String | provenance | MaD:3 | +| websocket.go:60:21:60:31 | call to Referer | websocket.go:65:27:65:40 | untrustedInput | provenance | Src:MaD:2 | +| websocket.go:74:21:74:31 | call to Referer | websocket.go:78:36:78:49 | untrustedInput | provenance | Src:MaD:2 | +| websocket.go:88:21:88:31 | call to Referer | websocket.go:91:31:91:44 | untrustedInput | provenance | Src:MaD:2 | +| websocket.go:107:21:107:31 | call to Referer | websocket.go:110:15:110:28 | untrustedInput | provenance | Src:MaD:2 | +| websocket.go:126:21:126:31 | call to Referer | websocket.go:129:38:129:51 | untrustedInput | provenance | Src:MaD:2 | +| websocket.go:154:21:154:31 | call to Referer | websocket.go:155:31:155:44 | untrustedInput | provenance | Src:MaD:2 | +| websocket.go:160:21:160:31 | call to Referer | websocket.go:162:31:162:44 | untrustedInput | provenance | Src:MaD:2 | +| websocket.go:195:21:195:31 | call to Referer | websocket.go:197:22:197:35 | untrustedInput | provenance | Src:MaD:2 | +| websocket.go:202:21:202:31 | call to Referer | websocket.go:204:15:204:28 | untrustedInput | provenance | Src:MaD:2 | models -| 1 | Source: main; ; false; intSource; ; ; ReturnValue; remote; manual | -| 2 | Source: net/http; Request; true; FormValue; ; ; ReturnValue; remote; manual | -| 3 | Source: net/http; Request; true; Referer; ; ; ReturnValue; remote; manual | -| 4 | Summary: fmt; ; false; Sprintf; ; ; Argument[1].ArrayElement; ReturnValue; taint; manual | -| 5 | Summary: fmt; Stringer; true; String; ; ; Argument[receiver]; ReturnValue; taint; manual | +| 1 | Source: net/http; Request; true; FormValue; ; ; ReturnValue; remote; manual | +| 2 | Source: net/http; Request; true; Referer; ; ; ReturnValue; remote; manual | +| 3 | Summary: fmt; Stringer; true; String; ; ; Argument[receiver]; ReturnValue; taint; manual | nodes | RequestForgery.go:8:12:8:34 | call to FormValue | semmle.label | call to FormValue | | RequestForgery.go:11:24:11:65 | ...+... | semmle.label | ...+... | @@ -83,10 +76,6 @@ nodes | tst.go:48:11:48:18 | tainted2 | semmle.label | tainted2 | | tst.go:49:11:49:11 | u | semmle.label | u | | tst.go:49:11:49:20 | call to String | semmle.label | call to String | -| tst.go:52:9:52:53 | []type{args} [array] | semmle.label | []type{args} [array] | -| tst.go:52:9:52:53 | call to Sprintf | semmle.label | call to Sprintf | -| tst.go:52:42:52:52 | call to intSource | semmle.label | call to intSource | -| tst.go:53:11:53:25 | ...+... | semmle.label | ...+... | | websocket.go:60:21:60:31 | call to Referer | semmle.label | call to Referer | | websocket.go:65:27:65:40 | untrustedInput | semmle.label | untrustedInput | | websocket.go:74:21:74:31 | call to Referer | semmle.label | call to Referer | diff --git a/go/ql/test/query-tests/Security/CWE-918/tst.go b/go/ql/test/query-tests/Security/CWE-918/tst.go index 479d7aa8c92e..e237f5f30e75 100644 --- a/go/ql/test/query-tests/Security/CWE-918/tst.go +++ b/go/ql/test/query-tests/Security/CWE-918/tst.go @@ -49,8 +49,8 @@ func handler2(w http.ResponseWriter, req *http.Request) { http.Get(u.String()) // $ Alert // Simple types are considered sanitized. - url := fmt.Sprintf("%s/%d", "some-url", intSource()) // $ SPURIOUS: Source - http.Get("http://" + url) // $ SPURIOUS: Alert + url := fmt.Sprintf("%s/%d", "some-url", intSource()) + http.Get("http://" + url) } func main() { From 37151791b42a7f056ca636dc18c4e69605aa9ff7 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 9 Oct 2025 12:24:58 +0100 Subject: [PATCH 4/4] Add change notes --- ...-10-09-deprecate-sqlinjection-numericorbooleansanitizer.md | 4 ++++ .../2025-10-09-sanitize-simple-types-request-forgery.md | 4 ++++ 2 files changed, 8 insertions(+) create mode 100644 go/ql/lib/change-notes/2025-10-09-deprecate-sqlinjection-numericorbooleansanitizer.md create mode 100644 go/ql/lib/change-notes/2025-10-09-sanitize-simple-types-request-forgery.md diff --git a/go/ql/lib/change-notes/2025-10-09-deprecate-sqlinjection-numericorbooleansanitizer.md b/go/ql/lib/change-notes/2025-10-09-deprecate-sqlinjection-numericorbooleansanitizer.md new file mode 100644 index 000000000000..647d9a4332cd --- /dev/null +++ b/go/ql/lib/change-notes/2025-10-09-deprecate-sqlinjection-numericorbooleansanitizer.md @@ -0,0 +1,4 @@ +--- +category: deprecated +--- +* The class `SqlInjection::NumericOrBooleanSanitizer` has been deprecated. Use `SimpleTypeSanitizer` from `semmle.go.security.Sanitizers` instead. diff --git a/go/ql/lib/change-notes/2025-10-09-sanitize-simple-types-request-forgery.md b/go/ql/lib/change-notes/2025-10-09-sanitize-simple-types-request-forgery.md new file mode 100644 index 000000000000..1bbf8c7f88a9 --- /dev/null +++ b/go/ql/lib/change-notes/2025-10-09-sanitize-simple-types-request-forgery.md @@ -0,0 +1,4 @@ +--- +category: minorAnalysis +--- +* The query `go/request-forgery` will no longer report alerts when the user input is of a simple type, like a number or a boolean.