diff --git a/go/ql/src/change-notes/2024-10-14-gopathsanitizer.md b/go/ql/src/change-notes/2024-10-14-gopathsanitizer.md
index 93371d9f229d..e1577bf3a90f 100644
--- a/go/ql/src/change-notes/2024-10-14-gopathsanitizer.md
+++ b/go/ql/src/change-notes/2024-10-14-gopathsanitizer.md
@@ -1,4 +1,4 @@
 ---
 category: minorAnalysis
 ---
-* Added [github.com/gorilla/mux.Vars](https://pkg.go.dev/github.com/gorilla/mux#Vars) to path sanitizers.
\ No newline at end of file
+* Added [github.com/gorilla/mux.Vars](https://pkg.go.dev/github.com/gorilla/mux#Vars) to path sanitizers (disabled if [github.com/gorilla/mix.Router.SkipClean](https://pkg.go.dev/github.com/gorilla/mux#Router.SkipClean) has been called).
\ No newline at end of file
diff --git a/go/ql/test/query-tests/Security/CWE-022/GorillaMuxDefault/MuxClean.go b/go/ql/test/query-tests/Security/CWE-022/GorillaMuxDefault/MuxClean.go
index 25e39a1bfbf3..a5af6de55803 100644
--- a/go/ql/test/query-tests/Security/CWE-022/GorillaMuxDefault/MuxClean.go
+++ b/go/ql/test/query-tests/Security/CWE-022/GorillaMuxDefault/MuxClean.go
@@ -1,4 +1,3 @@
-// GOOD: Sanitized by Gorilla's cleaner
 package main
 
 import (
@@ -9,6 +8,7 @@ import (
 "github.com/gorilla/mux"
 )
 
+// GOOD: Sanitized by Gorilla's cleaner
 func GorillaHandler(w http.ResponseWriter, r *http.Request) {
 not_tainted_path := mux.Vars(r)["id"]
 data, _ := ioutil.ReadFile(filepath.Join("/home/user/", not_tainted_path))
diff --git a/go/ql/test/query-tests/Security/CWE-022/GorillaMuxSkipClean/MuxClean.go b/go/ql/test/query-tests/Security/CWE-022/GorillaMuxSkipClean/MuxClean.go
index aafc93c75eab..cb3b5d2a7b89 100644
--- a/go/ql/test/query-tests/Security/CWE-022/GorillaMuxSkipClean/MuxClean.go
+++ b/go/ql/test/query-tests/Security/CWE-022/GorillaMuxSkipClean/MuxClean.go
@@ -1,4 +1,3 @@
-// GOOD: Sanitized by Gorilla's cleaner
 package main
 
 import (
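Review bot: The relocated `// GOOD: Sanitized by Gorilla's cleaner` comment above `GorillaHandler` in GorillaMuxDefault/MuxClean.go states the verdict but not the condition it rests on, which is exactly the condition the sibling GorillaMuxSkipClean test varies. I would widen it so a reader of this file alone knows why `mux.Vars(r)["id"]` is trusted, along the lines of `// GOOD: the default Router cleans the request path (path.Clean, redirect on change) before routing, so "../" segments never reach Vars; this holds only while SkipClean(true) is not called on the router`. That description of the router's behaviour is from my understanding of gorilla/mux rather than from visible lines, and the router construction that makes this the default case is outside this hunk, so the precondition is inferred from the directory name and should be confirmed against the rest of the test file.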
@@ -9,6 +8,7 @@ import (
 "github.com/gorilla/mux"
 )
 
+// BAD: Gorilla's `Vars` is not a sanitizer as `Router.SkipClean` has been called
 func GorillaHandler(w http.ResponseWriter, r *http.Request) {
 not_tainted_path := mux.Vars(r)["id"]
 data, _ := ioutil.ReadFile(filepath.Join("/home/user/", not_tainted_path))
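Review bot: The new `// BAD` comment above `GorillaHandler` now contradicts the variable it annotates: the value read from `mux.Vars(r)["id"]` is still named `not_tainted_path`, presumably a leftover from copying the Default test, while in this variant it is the tainted value the query is expected to flag. I would rename it in both lines, `tainted_path := mux.Vars(r)["id"]` and `filepath.Join("/home/user/", tainted_path)`, so the test reads as its own documentation. The wording "has been called" is also imprecise, since `Router.SkipClean` takes a bool and only `SkipClean(true)` disables cleaning; if the QL sanitizer is switched off on any call regardless of argument that errs in the safe direction, but the comment should say which, e.g. `// BAD: Router.SkipClean(true) has been called, so the request path is not cleaned and Vars is not a sanitizer`. The SkipClean call itself and the router setup are outside this hunk. Separately, the change note in this same commit links `github.com/gorilla/mix.Router.SkipClean`, where `mix` should read `mux`.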