
Commit b5ac0c9

committed
Make ZipSlip use new API
1 parent 7341b61 commit b5ac0c9

2 files changed

Lines changed: 17 additions & 5 deletions


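--- a/go/ql/lib/semmle/go/security/ZipSlip.qll
+++ b/go/ql/lib/semmle/go/security/ZipSlip.qll
@@ -12,9 +12,11 @@ module ZipSlip {
 import ZipSlipCustomizations::ZipSlip
 
 /**
+* DEPRECATED: Use `Flow` instead.
+*
 * A taint-tracking configuration for reasoning about zip-slip vulnerabilities.
 */
-class Configuration extends TaintTracking::Configuration {
+deprecated class Configuration extends TaintTracking::Configuration {
 Configuration() { this = "ZipSlip" }
 
 override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -30,4 +32,14 @@ module ZipSlip {
 guard instanceof SanitizerGuard
 }
 }
+
+private module Config implements DataFlow::ConfigSig {
+predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+module Flow = TaintTracking::Global<Config>;
 }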
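Review bot: The new `Config` declares only `isBarrier` over `Sanitizer`, while the deprecated `Configuration` also consulted `SanitizerGuard` (context line `guard instanceof SanitizerGuard` at the top of the second hunk, inside a predicate that starts outside the hunk). If any path check is still modelled only as a `SanitizerGuard` in `ZipSlipCustomizations`, which this diff does not show, `Flow` would no longer treat it as a barrier and the query's results would diverge from the old configuration's. Please confirm that every guard is also exposed as a `Sanitizer` node, and record that in a comment on `isBarrier`. Separately, the public `module Flow` has no QLDoc; I would add `/** Tracks taint flow for reasoning about zip-slip vulnerabilities. */` above it.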

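--- a/go/ql/src/Security/CWE-022/ZipSlip.ql
+++ b/go/ql/src/Security/CWE-022/ZipSlip.ql
@@ -13,11 +13,11 @@
 */
 
 import go
-import semmle.go.security.ZipSlip::ZipSlip
-import DataFlow::PathGraph
+import semmle.go.security.ZipSlip
+import ZipSlip::Flow::PathGraph
 
-from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
-where cfg.hasFlowPath(source, sink)
+from ZipSlip::Flow::PathNode source, ZipSlip::Flow::PathNode sink
+where ZipSlip::Flow::flowPath(source, sink)
 select source.getNode(), source, sink,
 "Unsanitized archive entry, which may contain '..', is used in a $@.", sink.getNode(),
 "file system operation"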
