
Update Go Path Injection Sanitizer and Sink #20064


Open
wants to merge 2 commits into
base: main

Conversation

Kwstubbs (Contributor)

Account for os.PathSeparator in Go sanitizer and remove CreateTemp from valid sinks

@Copilot Copilot AI review requested due to automatic review settings July 16, 2025 06:16
@Kwstubbs Kwstubbs requested a review from a team as a code owner July 16, 2025 06:16

@Copilot Copilot AI left a comment


Pull Request Overview

This PR updates the Go path injection query to improve sanitization detection and removes a false positive. The changes account for os.PathSeparator as a valid path sanitizer alongside hardcoded "/" and remove CreateTemp from path injection sinks due to proper built-in sanitization.

  • Updates path injection sanitizers to recognize os.PathSeparator usage
  • Removes CreateTemp from path injection sinks in the os package model
  • Adds test coverage for the new sanitizer pattern

Reviewed Changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

Reviewed files:

  • go/ql/test/query-tests/Security/CWE-022/TaintedPath.go: adds test case for os.PathSeparator sanitization pattern
  • go/ql/test/query-tests/Security/CWE-022/TaintedPath.expected: updates expected test results for line number changes
  • go/ql/lib/ext/os.model.yml: removes CreateTemp from path injection sinks
  • go/ql/lib/change-notes/2025-07-15-path-injection-sanitizers.md: documents the changes in release notes
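The two behaviours this PR relies on, shown in Go as an added example (not code from the PR or from CodeQL): prefixing an untrusted path with os.PathSeparator before cleaning keeps it inside a base directory, and os.CreateTemp rejects a pattern that contains a path separator. The filepath.Clean step and the function names are this example's own assumptions; the PR text mentions only the separator prefix.

```go
// Added example, not code from the PR or from CodeQL. Assumes (not stated on
// the page) that the sanitized concatenation is passed through filepath.Clean,
// as in filepath.Clean("/" + p). Function names are hypothetical.
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// NaiveJoin is the vulnerable shape: ".." segments in userPath walk out of base.
func NaiveJoin(base, userPath string) string {
	return filepath.Join(base, userPath)
}

// ContainedJoin uses the pattern the updated sanitizer recognizes: prefix the
// untrusted path with os.PathSeparator (portable replacement for a hardcoded
// "/") and Clean it. Cleaning a rooted path cannot climb above its root, so
// every leading ".." collapses before the result is anchored under base.
func ContainedJoin(base, userPath string) string {
	cleaned := filepath.Clean(string(os.PathSeparator) + userPath)
	return filepath.Join(base, cleaned)
}

// TempFromPattern exercises the built-in check behind dropping CreateTemp from
// the sinks: Go returns an error for any pattern containing a path separator,
// so the pattern argument cannot move the file out of the chosen directory.
// The file is removed again because the example only cares about the error.
func TempFromPattern(pattern string) (string, error) {
	f, err := os.CreateTemp("", pattern)
	if err != nil {
		return "", err
	}
	defer os.Remove(f.Name()) // runs after Close (defers are LIFO)
	defer f.Close()
	return f.Name(), nil
}

func main() {
	attack := "../../etc/passwd" // constructed sample input
	fmt.Println("naive:    ", NaiveJoin("data", attack))
	fmt.Println("contained:", ContainedJoin("data", attack))
	_, err := TempFromPattern("../evil-*")
	fmt.Println("CreateTemp with separator in pattern:", err)
}
```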


⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged.



Generated file changes for go

  • Changes to framework-coverage-go.rst:
-    `Standard library <https://pkg.go.dev/std>`_,"````, ``archive/*``, ``bufio``, ``bytes``, ``cmp``, ``compress/*``, ``container/*``, ``context``, ``crypto``, ``crypto/*``, ``database/*``, ``debug/*``, ``embed``, ``encoding``, ``encoding/*``, ``errors``, ``expvar``, ``flag``, ``fmt``, ``go/*``, ``hash``, ``hash/*``, ``html``, ``html/*``, ``image``, ``image/*``, ``index/*``, ``io``, ``io/*``, ``log``, ``log/*``, ``maps``, ``math``, ``math/*``, ``mime``, ``mime/*``, ``net``, ``net/*``, ``os``, ``os/*``, ``path``, ``path/*``, ``plugin``, ``reflect``, ``reflect/*``, ``regexp``, ``regexp/*``, ``slices``, ``sort``, ``strconv``, ``strings``, ``sync``, ``sync/*``, ``syscall``, ``syscall/*``, ``testing``, ``testing/*``, ``text/*``, ``time``, ``time/*``, ``unicode``, ``unicode/*``, ``unsafe``, ``weak``",52,609,104
+    `Standard library <https://pkg.go.dev/std>`_,"````, ``archive/*``, ``bufio``, ``bytes``, ``cmp``, ``compress/*``, ``container/*``, ``context``, ``crypto``, ``crypto/*``, ``database/*``, ``debug/*``, ``embed``, ``encoding``, ``encoding/*``, ``errors``, ``expvar``, ``flag``, ``fmt``, ``go/*``, ``hash``, ``hash/*``, ``html``, ``html/*``, ``image``, ``image/*``, ``index/*``, ``io``, ``io/*``, ``log``, ``log/*``, ``maps``, ``math``, ``math/*``, ``mime``, ``mime/*``, ``net``, ``net/*``, ``os``, ``os/*``, ``path``, ``path/*``, ``plugin``, ``reflect``, ``reflect/*``, ``regexp``, ``regexp/*``, ``slices``, ``sort``, ``strconv``, ``strings``, ``sync``, ``sync/*``, ``syscall``, ``syscall/*``, ``testing``, ``testing/*``, ``text/*``, ``time``, ``time/*``, ``unicode``, ``unicode/*``, ``unsafe``, ``weak``",52,609,103
-    Totals,,688,1069,1557
+    Totals,,688,1069,1556
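Review bot: the only movement in this hunk is a drop of one in the last column, for the standard library row (104 to 103) and for the totals (1557 to 1556), which is what removing a single sink from os.model.yml should produce; any larger drop here would indicate the yml change touched more than the CreateTemp entry.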
  • Changes to framework-coverage-go.csv:
- os,29,12,6,3,,,,,26,,,,,,,,,,,1,,7,3,,1,6,
+ os,28,12,6,3,,,,,25,,,,,,,,,,,1,,7,3,,1,6,
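Review bot: the os row changes in exactly two columns (29 to 28 and 26 to 25), one unit each, so the csv agrees with the rst report that a single sink was removed; this is worth keeping as a sanity check when the nightly job regenerates the coverage files after merge.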

@Kwstubbs Kwstubbs requested a review from owen-mc July 16, 2025 21:33
@Kwstubbs (Contributor, Author)

Sorry, I somehow forgot to add the actual CodeQL change.


@owen-mc owen-mc left a comment


You'll also have to update the test expectation here since CreateTemp is no longer a sink.

Comment on lines +91 to +96

    concatNode.getOperand(0).asExpr().(StringLit).getValue() = "/"
    or
    exists(DeclaredConstant dc |
      dc.hasQualifiedName("os", "PathSeparator") and
      dc.getAReference() = concatNode.getOperand(0).asExpr().getAChildExpr*()
    )

If we use getStringValue on any reference of os.PathSeparator then we'll get its actual string value (the compiler knows what value a constant has). On Windows of course this is "\". So we can simplify this to:

Suggested change

    - concatNode.getOperand(0).asExpr().(StringLit).getValue() = "/"
    - or
    - exists(DeclaredConstant dc |
    -   dc.hasQualifiedName("os", "PathSeparator") and
    -   dc.getAReference() = concatNode.getOperand(0).asExpr().getAChildExpr*()
    - )
    + // getStringValue resolves literals and constants alike, so os.PathSeparator
    + // is covered; "\\" is the QL literal for a single backslash
    + concatNode.getOperand(0).getStringValue() = ["/", "\\"]

The above code allows using the string literal "\" as well, which seems sensible for any code which is written to only be run on Windows. What do you think?
