Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit 1962aa3

Browse files
owen-mcowen-mc
committed
Make SSRF use new API
1 parent 71735c8 commit 1962aa3

2 files changed

Lines changed: 25 additions & 4 deletions

File tree

go/ql/src/experimental/CWE-918/SSRF.ql

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -12,12 +12,12 @@
1212

1313
import go
1414
import SSRF
15-
import DataFlow::PathGraph
15+
import ServerSideRequestForgery::Flow::PathGraph
1616

1717
from
18-
ServerSideRequestForgery::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink,
18+
ServerSideRequestForgery::Flow::PathNode source, ServerSideRequestForgery::Flow::PathNode sink,
1919
DataFlow::Node request
2020
where
21-
cfg.hasFlowPath(source, sink) and
21+
ServerSideRequestForgery::Flow::flowPath(source, sink) and
2222
request = sink.getNode().(ServerSideRequestForgery::Sink).getARequest()
2323
select request, source, sink, "The URL of this request depends on a user-provided value."

go/ql/src/experimental/CWE-918/SSRF.qll

Lines changed: 22 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -17,9 +17,11 @@ module ServerSideRequestForgery {
1717
private import semmle.go.dataflow.Properties
1818

1919
/**
20+
* DEPRECATED: Use `Flow` instead.
21+
*
2022
* A taint-tracking configuration for reasoning about request forgery.
2123
*/
22-
class Configuration extends TaintTracking::Configuration {
24+
deprecated class Configuration extends TaintTracking::Configuration {
2325
Configuration() { this = "SSRF" }
2426

2527
override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -44,6 +46,25 @@ module ServerSideRequestForgery {
4446
}
4547
}
4648

49+
private module Config implements DataFlow::ConfigSig {
50+
predicate isSource(DataFlow::Node source) { source instanceof Source }
51+
52+
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
53+
54+
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
55+
// propagate to a URL when its host is assigned to
56+
exists(Write w, Field f, SsaWithFields v | f.hasQualifiedName("net/url", "URL", "Host") |
57+
w.writesField(v.getAUse(), f, node1) and node2 = v.getAUse()
58+
)
59+
}
60+
61+
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
62+
63+
predicate isBarrierOut(DataFlow::Node node) { node instanceof SanitizerEdge }
64+
}
65+
66+
module Flow = TaintTracking::Global<Config>;
67+
4768
/** A data flow source for request forgery vulnerabilities. */
4869
abstract class Source extends DataFlow::Node { }
4970

0 commit comments

Comments
 (0)