

Commit 9b19cde

committed
Make SensitiveConditionBypass use new API
1 parent 2d3d21d commit 9b19cde

2 files changed

Lines changed: 28 additions & 5 deletions


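--- a/go/ql/src/experimental/CWE-807/SensitiveConditionBypass.ql
+++ b/go/ql/src/experimental/CWE-807/SensitiveConditionBypass.ql
@@ -17,13 +17,13 @@ import SensitiveConditionBypass
 
 from
 ControlFlow::ConditionGuardNode guard, DataFlow::Node sensitiveSink,
-SensitiveExpr::Classification classification, Configuration config, DataFlow::PathNode source,
-DataFlow::PathNode operand, ComparisonExpr comp
+SensitiveExpr::Classification classification, DataFlow::Node source, DataFlow::Node operand,
+ComparisonExpr comp
 where
 // there should be a flow between source and the operand sink
-config.hasFlowPath(source, operand) and
+Flow::flow(source, operand) and
 // both the operand should belong to the same comparison expression
-operand.getNode().asExpr() = comp.getAnOperand() and
+operand.asExpr() = comp.getAnOperand() and
 // get the ConditionGuardNode corresponding to the comparison expr.
 guard.getCondition() = comp and
 // the sink `sensitiveSink` should be sensitive,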
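Review bot: Replacing `DataFlow::PathNode` with `DataFlow::Node` for `source` and `operand` and calling `Flow::flow(source, operand)` discards path information, and the query's metadata and select clause are outside this hunk; if the query is `@kind path-problem` and its select still reports `source`/`operand` as path endpoints, those lines must become `Flow::PathNode source, Flow::PathNode operand`, the condition `Flow::flowPath(source, operand) and`, with `import Flow::PathGraph` added alongside the existing imports. If the query is `@kind problem` the new lines are consistent as written. The `from`/`where` clause continues past the end of the hunk, so this cannot be confirmed from here.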

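--- a/go/ql/src/experimental/CWE-807/SensitiveConditionBypass.qll
+++ b/go/ql/src/experimental/CWE-807/SensitiveConditionBypass.qll
@@ -43,10 +43,12 @@ private class ConstComparisonExpr extends ComparisonExpr {
 }
 
 /**
+* DEPRECATED: Use `Flow` instead.
+*
 * A data-flow configuration for reasoning about
 * user-controlled bypassing of sensitive actions.
 */
-class Configuration extends TaintTracking::Configuration {
+deprecated class Configuration extends TaintTracking::Configuration {
 Configuration() { this = "Condtional Expression Check Bypass" }
 
 override predicate isSource(DataFlow::Node source) {
@@ -66,3 +68,24 @@ class Configuration extends TaintTracking::Configuration {
 )
 }
 }
+
+private module Config implements DataFlow::ConfigSig {
+predicate isSource(DataFlow::Node source) {
+source instanceof UntrustedFlowSource
+or
+exists(DataFlow::FieldReadNode f |
+f.getField().hasQualifiedName("net/http", "Request", "Host")
+|
+source = f
+)
+}
+
+predicate isSink(DataFlow::Node sink) {
+exists(ConstComparisonExpr c |
+c.getAnOperand() = sink.asExpr() and
+not c.isPotentialFalsePositive()
+)
+}
+}
+
+module Flow = TaintTracking::Global<Config>;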
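Review bot: The new public `Flow` module on the last line of the second hunk has no QLDoc, while the deprecated `Configuration` it replaces is documented and now points readers at `Flow`; precede it with `/** Global taint tracking for user-controlled bypassing of sensitive actions. */` and give the private `Config` module a one-line comment naming its sources (`UntrustedFlowSource` plus reads of the `net/http` `Request.Host` field) and sinks (operands of a `ConstComparisonExpr` that is not a potential false positive). The `Config` predicates appear to restate the ones in the deprecated class, of which only the `isSource` header is visible in the first hunk, so the two definitions can drift apart while both exist; a comment on `Config` saying it must stay in step with `Configuration` until the class is removed would guard against that, or the class body could be cut down to delegate to `Config`. Both module bodies end inside the hunk, but the deprecated class body spans the gap between the two hunks.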
