General issue Go. Why isn't the following code recognized as a source in a global data stream? #19807

Open
@Weirdokky

Why isn't the following code recognized as a source in a global data stream? If I want to identify this source in the global data stream, how should I write my QL?

Here's the code context:

```go
// router.go
func RegisterServers(group *gin.RouterGroup) {
	group.POST("/abc/test", val.Validate[*param.TestParam], controller.TestReadFile)
}

// controller.go
func TestReadFile(c *gin.Context) {
	req := val.Get[*param.TestParam](c)
	cleanPath := req.Path
	file, err := os.Open(cleanPath)
	if err != nil {
		if os.IsNotExist(err) {
			c.JSON(http.StatusNotFound, gin.H{"error": "file not found"})
		} else {
			c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to open file"})
		}
		return
	}
......
}

// validator.go
package val
func Validate[T any](ctx *gin.Context) {
	var req T
	if err := ctx.ShouldBindJSON(&req); err != nil {
		ctx.JSON(http.StatusBadRequest, gin.H{"code": constant.UnknownErrorCode, "msg": util.GetErrorText(constant.UnknownErrorCode)})
		ctx.Abort()
		return
	}
	ctx.Set("params", req)
	ctx.Next()
}

func Get[T any](ctx *gin.Context) T {
	return ctx.MustGet("params").(T)
}

// param.go
package param

type TestParam struct {
	Path string `json:"filepath"`
}
```

I found that the default "ActiveThreatModelSource" in the official rule "TaintedPath.ql" does not recognize the above code as a source.
Here's the code I wrote to try to add a new class for this kind of source. I use "req" from "req.Path" as the source. Although the result is recognized when "Quick Evaluation" is used, when it is run in the whole "TaintTracking::Global", it is not recognized that there is a problem with this "controller.go".
```ql
class GinContextGetSource extends DataFlow::Node {
  GinContextGetSource() {
    exists(Function asmGet, CallExpr call |
      asmGet.hasQualifiedName("project/router/val", "Get") and
      call.getTarget() = asmGet and
      call.getEnclosingFunction() = this.asExpr().getEnclosingFunction() and
      this.asExpr().toString() = "req" and
      this.asExpr().getEnclosingFunction().getAParameter().toString() = "c"
    )
  }
}
```

I need to address this issue urgently. Because the routing and controller parts of the entire Gin project that I am currently responsible for are developed in this form, the global data flow in each of my official rules cannot be identified in any of the sources.
Thank you so much!
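
One way to model this kind of source, as an added example that is not part of the original post or the CodeQL project's own queries: it treats the result of every call to `val.Get` as the source, instead of matching a variable by name, and tracks it to file-system path arguments. It assumes the package path `project/router/val` from the post resolves as written and that `os.Open` is covered by the standard library's `FileSystemAccess` concept; the query id and the names `ValGetToPathConfig` and `ValGetToPathFlow` are made up for the example.

```ql
/**
 * @name Request value from val.Get used as a file-system path
 * @kind path-problem
 * @problem.severity error
 * @id go/example/val-get-to-path
 */

import go

module ValGetToPathConfig implements DataFlow::ConfigSig {
  // Source: the value returned by val.Get, i.e. the struct that
  // val.Validate bound from the JSON request body and stored in the
  // gin.Context. The package path is taken from the post.
  predicate isSource(DataFlow::Node source) {
    exists(DataFlow::CallNode call |
      call.getTarget().hasQualifiedName("project/router/val", "Get") and
      source = call.getResult()
    )
  }

  // Sink: any path argument of a modeled file-system access
  // (assumed to include os.Open).
  predicate isSink(DataFlow::Node sink) {
    exists(FileSystemAccess fsa | sink = fsa.getAPathArgument())
  }
}

module ValGetToPathFlow = TaintTracking::Global<ValGetToPathConfig>;

import ValGetToPathFlow::PathGraph

from ValGetToPathFlow::PathNode source, ValGetToPathFlow::PathNode sink
where ValGetToPathFlow::flowPath(source, sink)
select sink.getNode(), source, sink, "This path depends on a $@.", source.getNode(),
  "request value returned by val.Get"
```

Running Quick Evaluation on `isSource` and `isSink` separately shows whether each end of the flow matches before the global computation is involved.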
