Make SafeUrlFlow use new API

owen-mc · owen-mc · commit d2a5d19439bb · 2023-08-10T15:48:54.000+01:00
diff --git a/go/ql/lib/semmle/go/security/SafeUrlFlow.qll b/go/ql/lib/semmle/go/security/SafeUrlFlow.qll
@@ -17,9 +17,11 @@ module SafeUrlFlow {
   import SafeUrlFlowCustomizations::SafeUrlFlow
 
   /**
+   * DEPRECATED: Use `Flow` instead.
+   *
    * A taint-tracking configuration for reasoning about safe URLs.
    */
-  class Configuration extends TaintTracking::Configuration {
+  deprecated class Configuration extends TaintTracking::Configuration {
     Configuration() { this = "SafeUrlFlow" }
 
     override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -42,4 +44,28 @@ module SafeUrlFlow {
       node instanceof SanitizerEdge
     }
   }
+
+  private module Config implements DataFlow::ConfigSig {
+    predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+    predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+    predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+      // propagate to a URL when its host is assigned to
+      exists(Write w, Field f, SsaWithFields v | f.hasQualifiedName("net/url", "URL", "Host") |
+        w.writesField(v.getAUse(), f, node1) and node2 = v.getAUse()
+      )
+    }
+
+    predicate isBarrierOut(DataFlow::Node node) {
+      // block propagation of this safe value when its host is overwritten
+      exists(Write w, Field f | f.hasQualifiedName("net/url", "URL", "Host") |
+        w.writesField(node.getASuccessor(), f, _)
+      )
+      or
+      node instanceof SanitizerEdge
+    }
+  }
+
+  module Flow = TaintTracking::Global<Config>;
 }
diff --git a/go/ql/src/Security/CWE-601/OpenUrlRedirect.ql b/go/ql/src/Security/CWE-601/OpenUrlRedirect.ql
@@ -16,13 +16,11 @@ import semmle.go.security.OpenUrlRedirect::OpenUrlRedirect
 import semmle.go.security.SafeUrlFlow
 import DataFlow::PathGraph
 
-from
-  Configuration cfg, SafeUrlFlow::Configuration scfg, DataFlow::PathNode source,
-  DataFlow::PathNode sink
+from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where
   cfg.hasFlowPath(source, sink) and
   // this excludes flow from safe parts of request URLs, for example the full URL when the
   // doing a redirect from `http://<path>` to `https://<path>`
-  not scfg.hasFlow(_, sink.getNode())
+  not SafeUrlFlow::Flow::flow(_, sink.getNode())
 select sink.getNode(), source, sink, "This path to an untrusted URL redirection depends on a $@.",
   source.getNode(), "user-provided value"
diff --git a/go/ql/src/Security/CWE-918/RequestForgery.ql b/go/ql/src/Security/CWE-918/RequestForgery.ql
@@ -16,12 +16,11 @@ import semmle.go.security.SafeUrlFlow
 import RequestForgery::Flow::PathGraph
 
 from
-  SafeUrlFlow::Configuration scfg, RequestForgery::Flow::PathNode source,
-  RequestForgery::Flow::PathNode sink, DataFlow::Node request
+  RequestForgery::Flow::PathNode source, RequestForgery::Flow::PathNode sink, DataFlow::Node request
 where
   RequestForgery::Flow::flowPath(source, sink) and
   request = sink.getNode().(RequestForgery::Sink).getARequest() and
   // this excludes flow from safe parts of request URLs, for example the full URL
-  not scfg.hasFlow(_, sink.getNode())
+  not SafeUrlFlow::Flow::flow(_, sink.getNode())
 select request, source, sink, "The $@ of this request depends on a $@.", sink.getNode(),
   sink.getNode().(RequestForgery::Sink).getKind(), source, "user-provided value"
