Convert EchoContextSource to MaD

github · Jun 27, 2024 · 05da8df · 05da8df
1 parent f746211
commit 05da8df
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 17 deletions.
diff --git a/go/ql/lib/ext/github.com.labstack.echo.model.yml b/go/ql/lib/ext/github.com.labstack.echo.model.yml
@@ -5,3 +5,19 @@ extensions:
     data:
       - ["github.com/labstack/echo", "Context", True, "Get", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
       - ["github.com/labstack/echo", "Context", True, "Set", "", "", "Argument[1]", "Argument[receiver]", "taint", "manual"]
+
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sourceModel
+    data:
+      - ["github.com/labstack/echo", "Context", True, "Param", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/labstack/echo", "Context", True, "ParamValues", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/labstack/echo", "Context", True, "QueryParam", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/labstack/echo", "Context", True, "QueryParams", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/labstack/echo", "Context", True, "QueryString", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/labstack/echo", "Context", True, "FormValue", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/labstack/echo", "Context", True, "FormParams", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/labstack/echo", "Context", True, "FormFile", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/labstack/echo", "Context", True, "MultipartForm", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/labstack/echo", "Context", True, "Cookie", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/labstack/echo", "Context", True, "Cookies", "", "", "ReturnValue[0]", "remote", "manual"]
diff --git a/go/ql/lib/semmle/go/frameworks/Echo.qll b/go/ql/lib/semmle/go/frameworks/Echo.qll
@@ -9,23 +9,6 @@ private module Echo {
   /** Gets the package name `github.com/labstack/echo`. */
   private string packagePath() { result = package("github.com/labstack/echo", "") }
 
-  /**
-   * Data from a `Context` interface method, considered as a source of remote flow.
-   */
-  private class EchoContextSource extends RemoteFlowSource::Range {
-    EchoContextSource() {
-      exists(DataFlow::MethodCallNode call, string methodName |
-        methodName =
-          [
-            "Param", "ParamValues", "QueryParam", "QueryParams", "QueryString", "FormValue",
-            "FormParams", "FormFile", "MultipartForm", "Cookie", "Cookies"
-          ] and
-        call.getTarget().hasQualifiedName(packagePath(), "Context", methodName) and
-        this = call.getResult(0)
-      )
-    }
-  }
-
   /**
    * Data from a `Context` interface method that is not generally exploitable for open-redirect attacks.
    */