- Notifications
You must be signed in to change notification settings - Fork1.7k
Update Go Path Injection Sanitizer and Sink#20064
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
base:main
Are you sure you want to change the base?
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Pull Request Overview
This PR updates the Go path injection query to improve sanitization detection and removes a false positive. The changes account foros.PathSeparator as a valid path sanitizer alongside hardcoded "/" and removeCreateTemp from path injection sinks due to proper built-in sanitization.
- Updates path injection sanitizers to recognize
os.PathSeparatorusage - Removes
CreateTempfrom path injection sinks in theospackage model - Adds test coverage for the new sanitizer pattern
Reviewed Changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| go/ql/test/query-tests/Security/CWE-022/TaintedPath.go | Adds test case foros.PathSeparator sanitization pattern |
| go/ql/test/query-tests/Security/CWE-022/TaintedPath.expected | Updates expected test results for line number changes |
| go/ql/lib/ext/os.model.yml | RemovesCreateTemp from path injection sinks |
| go/ql/lib/change-notes/2025-07-15-path-injection-sanitizers.md | Documents the changes in release notes |
Uh oh!
There was an error while loading.Please reload this page.
Click to show differences in coveragegoGenerated file changes for go
- `Standard library <https://pkg.go.dev/std>`_,"````, ``archive/*``, ``bufio``, ``bytes``, ``cmp``, ``compress/*``, ``container/*``, ``context``, ``crypto``, ``crypto/*``, ``database/*``, ``debug/*``, ``embed``, ``encoding``, ``encoding/*``, ``errors``, ``expvar``, ``flag``, ``fmt``, ``go/*``, ``hash``, ``hash/*``, ``html``, ``html/*``, ``image``, ``image/*``, ``index/*``, ``io``, ``io/*``, ``log``, ``log/*``, ``maps``, ``math``, ``math/*``, ``mime``, ``mime/*``, ``net``, ``net/*``, ``os``, ``os/*``, ``path``, ``path/*``, ``plugin``, ``reflect``, ``reflect/*``, ``regexp``, ``regexp/*``, ``slices``, ``sort``, ``strconv``, ``strings``, ``sync``, ``sync/*``, ``syscall``, ``syscall/*``, ``testing``, ``testing/*``, ``text/*``, ``time``, ``time/*``, ``unicode``, ``unicode/*``, ``unsafe``, ``weak``",52,609,104+ `Standard library <https://pkg.go.dev/std>`_,"````, ``archive/*``, ``bufio``, ``bytes``, ``cmp``, ``compress/*``, ``container/*``, ``context``, ``crypto``, ``crypto/*``, ``database/*``, ``debug/*``, ``embed``, ``encoding``, ``encoding/*``, ``errors``, ``expvar``, ``flag``, ``fmt``, ``go/*``, ``hash``, ``hash/*``, ``html``, ``html/*``, ``image``, ``image/*``, ``index/*``, ``io``, ``io/*``, ``log``, ``log/*``, ``maps``, ``math``, ``math/*``, ``mime``, ``mime/*``, ``net``, ``net/*``, ``os``, ``os/*``, ``path``, ``path/*``, ``plugin``, ``reflect``, ``reflect/*``, ``regexp``, ``regexp/*``, ``slices``, ``sort``, ``strconv``, ``strings``, ``sync``, ``sync/*``, ``syscall``, ``syscall/*``, ``testing``, ``testing/*``, ``text/*``, ``time``, ``time/*``, ``unicode``, ``unicode/*``, ``unsafe``, ``weak``",52,609,103- Totals,,688,1069,1557+ Totals,,688,1069,1556
- os,29,12,6,3,,,,,26,,,,,,,,,,,1,,7,3,,1,6,+ os,28,12,6,3,,,,,25,,,,,,,,,,,1,,7,3,,1,6, |
Uh oh!
There was an error while loading.Please reload this page.
Sorry, I somehow forgot to add the actual CodeQL change. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
You'll also have to update the test expectationhere sinceCreateTemp is no longer a sink.
| concatNode.getOperand(0).asExpr().(StringLit).getValue() = "/" | ||
| or | ||
| exists(DeclaredConstant dc | | ||
| dc.hasQualifiedName("os", "PathSeparator") and | ||
| dc.getAReference() = concatNode.getOperand(0).asExpr().getAChildExpr*() | ||
| ) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
If we usegetStringValue on any reference ofos.PathSeparator then we'll get its actual string value (the compiler knows what value a constant has). On Windows of course this is"\". So we can simplify this to:
| concatNode.getOperand(0).asExpr().(StringLit).getValue()="/" | |
| or | |
| exists(DeclaredConstantdc| | |
| dc.hasQualifiedName("os","PathSeparator")and | |
| dc.getAReference()=concatNode.getOperand(0).asExpr().getAChildExpr*() | |
| ) | |
| concatNode.getOperand(0).getStringValue()=["/", "\"] |
The above code allows using the string literal"\" as well, which seems sensible for any code which is written to only be run on Windows. What do you think?
Account for os.PathSeparator in Go sanitizer and remove CreateTemp from valid sinks