Apply suggestions from code review

Co-authored-by: Owen Mansel-Chan <[email protected]>
github · Nov 13, 2024 · a94ba25 · a94ba25
1 parent 460ed30
commit a94ba25
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 3 deletions.
diff --git a/go/ql/src/change-notes/2024-10-14-gopathsanitizer.md b/go/ql/src/change-notes/2024-10-14-gopathsanitizer.md
@@ -1,4 +1,4 @@
 ---
 category: minorAnalysis
 ---
-* Added [github.com/gorilla/mux.Vars](https://pkg.go.dev/github.com/gorilla/mux#Vars) to path sanitizers.
+* Added [github.com/gorilla/mux.Vars](https://pkg.go.dev/github.com/gorilla/mux#Vars) to path sanitizers (disabled if [github.com/gorilla/mix.Router.SkipClean](https://pkg.go.dev/github.com/gorilla/mux#Router.SkipClean) has been called).
diff --git a/go/ql/test/query-tests/Security/CWE-022/GorillaMuxDefault/MuxClean.go b/go/ql/test/query-tests/Security/CWE-022/GorillaMuxDefault/MuxClean.go
@@ -1,4 +1,3 @@
-// GOOD: Sanitized by Gorilla's cleaner
 package main
 
 import (
@@ -9,6 +8,7 @@ import (
 	"github.com/gorilla/mux"
 )
 
+// GOOD: Sanitized by Gorilla's cleaner
 func GorillaHandler(w http.ResponseWriter, r *http.Request) {
 	not_tainted_path := mux.Vars(r)["id"]
 	data, _ := ioutil.ReadFile(filepath.Join("/home/user/", not_tainted_path))

diff --git a/go/ql/test/query-tests/Security/CWE-022/GorillaMuxSkipClean/MuxClean.go b/go/ql/test/query-tests/Security/CWE-022/GorillaMuxSkipClean/MuxClean.go
@@ -1,4 +1,3 @@
-// GOOD: Sanitized by Gorilla's cleaner
 package main
 
 import (
@@ -9,6 +8,7 @@ import (
 	"github.com/gorilla/mux"
 )
 
+// BAD: Gorilla's `Vars` is not a sanitizer as `Router.SkipClean` has been called
 func GorillaHandler(w http.ResponseWriter, r *http.Request) {
 	not_tainted_path := mux.Vars(r)["id"]
 	data, _ := ioutil.ReadFile(filepath.Join("/home/user/", not_tainted_path))