Convert ElazarlGoproxy::UserControlledRequestData to MaD

github · Jun 27, 2024 · 18061d1 · 18061d1
1 parent f8b5d29
commit 18061d1
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 13 deletions.
diff --git a/go/ql/lib/ext/github.com.elazarl.goproxy.model.yml b/go/ql/lib/ext/github.com.elazarl.goproxy.model.yml
@@ -5,3 +5,10 @@ extensions:
     data:
       - ["github.com/elazarl/goproxy", "CertStorage", True, "Fetch", "", "", "Argument[receiver]", "ReturnValue[0]", "taint", "manual"]
       - ["github.com/elazarl/goproxy", "CertStorage", True, "Fetch", "", "", "Argument[1]", "ReturnValue[0]", "taint", "manual"]
+
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sourceModel
+    data:
+      - ["github.com/elazarl/goproxy", "ProxyCtx", True, "UserData", "", "", "", "remote", "manual"]
+      - ["github.com/elazarl/goproxy", "ProxyCtx", True, "Charset", "", "", "ReturnValue", "remote", "manual"]
diff --git a/go/ql/lib/semmle/go/frameworks/ElazarlGoproxy.qll b/go/ql/lib/semmle/go/frameworks/ElazarlGoproxy.qll
@@ -95,19 +95,6 @@ module ElazarlGoproxy {
     }
   }
 
-  private class UserControlledRequestData extends RemoteFlowSource::Range {
-    UserControlledRequestData() {
-      exists(DataFlow::FieldReadNode frn | this = frn |
-        // liberally consider ProxyCtx.UserData to be untrusted; it's a data field set by a request handler
-        frn.getField().hasQualifiedName(packagePath(), "ProxyCtx", "UserData")
-      )
-      or
-      exists(DataFlow::MethodCallNode call | this = call |
-        call.getTarget().hasQualifiedName(packagePath(), "ProxyCtx", "Charset")
-      )
-    }
-  }
-
   private class ProxyLogFunction extends StringOps::Formatting::Range, Method {
     ProxyLogFunction() { this.hasQualifiedName(packagePath(), "ProxyCtx", ["Logf", "Warnf"]) }