
Update Go Path Injection Sanitizer and Sink #20064

Open, wants to merge 4 commits into base: main

Conversation

Kwstubbs (Contributor)

Account for os.PathSeparator in Go sanitizer and remove CreateTemp from valid sinks

@Copilot Copilot AI review requested due to automatic review settings July 16, 2025 06:16
@Kwstubbs Kwstubbs requested a review from a team as a code owner July 16, 2025 06:16
@Copilot Copilot AI left a comment

Pull Request Overview

This PR updates the Go path injection query to improve sanitization detection and removes a false positive. The changes account for os.PathSeparator as a valid path sanitizer alongside hardcoded "/" and remove CreateTemp from path injection sinks due to proper built-in sanitization.

  • Updates path injection sanitizers to recognize os.PathSeparator usage
  • Removes CreateTemp from path injection sinks in the os package model
  • Adds test coverage for the new sanitizer pattern

Reviewed Changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

File: Description
go/ql/test/query-tests/Security/CWE-022/TaintedPath.go: Adds test case for os.PathSeparator sanitization pattern
go/ql/test/query-tests/Security/CWE-022/TaintedPath.expected: Updates expected test results for line number changes
go/ql/lib/ext/os.model.yml: Removes CreateTemp from path injection sinks
go/ql/lib/change-notes/2025-07-15-path-injection-sanitizers.md: Documents the changes in release notes


github-actions bot commented Jul 16, 2025

⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. A recent commit removed the previously reported differences.

@Kwstubbs Kwstubbs requested a review from owen-mc July 16, 2025 21:33
Kwstubbs (Contributor Author)

Sorry, I somehow forgot to add the actual CodeQL change.

@owen-mc owen-mc left a comment

You'll also have to update the test expectation here since CreateTemp is no longer a sink.

Comment on lines 91 to 96
concatNode.getOperand(0).asExpr().(StringLit).getValue() = "/"
or
exists(DeclaredConstant dc |
dc.hasQualifiedName("os", "PathSeparator") and
dc.getAReference() = concatNode.getOperand(0).asExpr().getAChildExpr*()
)
Contributor

If we use getStringValue on any reference of os.PathSeparator then we'll get its actual string value (the compiler knows what value a constant has). On Windows of course this is "\". So we can simplify this to:

Suggested change (replacing the six lines quoted above with a single conjunct; the backslash is escaped as QL requires inside a string literal):
concatNode.getOperand(0).getStringValue() = ["/", "\\"]

The above code allows using the string literal "\" as well, which seems sensible for any code which is written to only be run on Windows. What do you think?

Contributor Author

I have added concatNode.getOperand(0).getStringValue().prefix(1) to account for cases where there is additional text but the first element is still appropriate.
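To make the two behaviours this thread relies on concrete, here is an added Go example; it is my code, not part of this PR or of the CodeQL Go library. It assumes that the concatenation the sanitizer matches is the `filepath.Clean(separator + untrusted)` idiom (the page itself never names Clean, so that pairing is an assumption) and uses a constructed base directory /srv/app/data. ConfineUnderRoot shows why a leading separator, whether a literal "/" or os.PathSeparator, absorbs every leading ".." segment; UnsafeJoin is the unsanitised form for contrast; CreateTempRejectsPattern shows the standard library refusing a pattern argument that contains a path separator, which is the built-in check the PR cites when it drops CreateTemp as a sink.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ConfineUnderRoot applies the idiom the sanitizer recognises: prepend a path
// separator (os.PathSeparator, which is "/" on POSIX and "\" on Windows) to the
// untrusted segment and Clean it, so every leading ".." is absorbed at the
// root before the result is joined onto the real base directory.
func ConfineUnderRoot(root, untrusted string) string {
	cleaned := filepath.Clean(string(os.PathSeparator) + untrusted)
	return filepath.Join(root, cleaned)
}

// UnsafeJoin is the unsanitised form kept for contrast: Join cleans the
// combined path, so ".." segments in untrusted still walk out of root.
func UnsafeJoin(root, untrusted string) string {
	return filepath.Join(root, untrusted)
}

// IsInside reports whether candidate resolves to root or somewhere beneath it.
// This is a purely lexical check; it does not resolve symlinks.
func IsInside(root, candidate string) bool {
	rel, err := filepath.Rel(root, candidate)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(os.PathSeparator))
}

// CreateTempRejectsPattern reports whether os.CreateTemp refuses the given
// pattern argument. The standard library rejects any pattern that contains a
// path separator, which is why the pattern is not a useful injection sink.
// A setup failure (the scratch directory cannot be created) is returned as err.
func CreateTempRejectsPattern(pattern string) (bool, error) {
	dir, err := os.MkdirTemp("", "createtemp-demo-")
	if err != nil {
		return false, err
	}
	defer os.RemoveAll(dir)
	f, err := os.CreateTemp(dir, pattern)
	if err != nil {
		return true, nil // refused: pattern contains a separator
	}
	f.Close()
	return false, nil
}

func main() {
	// Constructed base directory; the untrusted segments below are sample inputs.
	root := filepath.Join(string(os.PathSeparator), "srv", "app", "data")
	for _, p := range []string{"reports/q1.txt", "../../etc/passwd"} {
		fmt.Printf("%-20q unsafe inside=%v sanitised inside=%v\n", p,
			IsInside(root, UnsafeJoin(root, p)),
			IsInside(root, ConfineUnderRoot(root, p)))
	}
	for _, pat := range []string{"report-*.tmp", "../escape-*"} {
		rejected, err := CreateTempRejectsPattern(pat)
		fmt.Printf("CreateTemp pattern %-16q rejected=%v err=%v\n", pat, rejected, err)
	}
}
```

Run with `go run`: the traversal input stays inside the base directory only through ConfineUnderRoot, and CreateTemp accepts the plain pattern while refusing the one carrying "../". On Windows os.PathSeparator is "\", which is exactly the second element of the suggested `["/", "\\"]` set; the example does not decide the query-level question of whether a literal "/" first operand should still count on that platform.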

@Kwstubbs Kwstubbs requested a review from owen-mc July 21, 2025 22:32
@owen-mc owen-mc left a comment

Thanks for these improvements. I've taken the liberty of rewording the change note directly as I'm about to go away for 4 weeks so you'd be waiting a long time for a review otherwise.
