
Commit f2356de

Convert OpenUrlRedirect tests to InlineExpectations
1 parent 61379ec commit f2356de


3 files changed

+23
-21
lines changed


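--- a/go/ql/test/query-tests/Security/CWE-601/OpenUrlRedirect/OpenUrlRedirect.go
+++ b/go/ql/test/query-tests/Security/CWE-601/OpenUrlRedirect/OpenUrlRedirect.go
@@ -7,6 +7,6 @@ import (
 func serve() {
 http.HandleFunc("/redir", func(w http.ResponseWriter, r *http.Request) {
 r.ParseForm()
-http.Redirect(w, r, r.Form.Get("target"), 302)
+http.Redirect(w, r, r.Form.Get("target"), 302) // $ Alert
 })
 }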
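Review bot: The sink line 10 now carries `// $ Alert`, but the source expression `r.Form.Get("target")` on that same line has no `Source` tag, whereas the stdlib.go hunks in this commit tag every `target := r.Form.Get("target")` line with `// $ Source`. If InlineExpectationsTestQuery.ql reports the source location of each path result separately, this line would need both tags, `http.Redirect(w, r, r.Form.Get("target"), 302) // $ Source Alert`; if the test query only emits a Source expectation when source and sink sit on different lines, the current annotation is complete. Worth confirming against the query's expected output, which is not shown on this page.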
Lines changed: 3 additions & 1 deletion
@@ -1,2 +1,4 @@
11
query: Security/CWE-601/OpenUrlRedirect.ql
2-
postprocess: utils/test/PrettyPrintModels.ql
2+
postprocess:
3+
- utils/test/PrettyPrintModels.ql
4+
- utils/test/InlineExpectationsTestQuery.ql

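--- a/go/ql/test/query-tests/Security/CWE-601/OpenUrlRedirect/stdlib.go
+++ b/go/ql/test/query-tests/Security/CWE-601/OpenUrlRedirect/stdlib.go
@@ -10,18 +10,18 @@ func serveStdlib() {
 http.HandleFunc("/ex", func(w http.ResponseWriter, r *http.Request) {
 r.ParseForm()
 
-target := r.Form.Get("target")
+target := r.Form.Get("target") // $ Source
 // BAD: a request parameter is incorporated without validation into a URL redirect
-w.Header().Set("Location", target)
+w.Header().Set("Location", target) // $ Alert
 w.WriteHeader(302)
 })
 
 http.HandleFunc("/ex1", func(w http.ResponseWriter, r *http.Request) {
 r.ParseForm()
 
-target := r.Form.Get("target")
+target := r.Form.Get("target") // $ Source
 // Probably OK because the status is set to 500, but we catch it anyway
-w.Header().Set("Location", target)
+w.Header().Set("Location", target) // $ Alert
 w.WriteHeader(500)
 })
 
@@ -30,13 +30,13 @@ func serveStdlib() {
 
 // Taking gratuitous copies of target so that sanitizing the use in
 // the first request doesn't also sanitize other uses
-target := r.Form.Get("target")
+target := r.Form.Get("target") // $ Source
 target2 := target
 target3 := target
 // GOOD: local redirects are unproblematic
 w.Header().Set("Location", "/local"+target)
 // BAD: this could be a non-local redirect
-w.Header().Set("Location", "/"+target2)
+w.Header().Set("Location", "/"+target2) // $ Alert
 // GOOD: localhost redirects are unproblematic
 w.Header().Set("Location", "//localhost/"+target3)
 w.WriteHeader(302)
@@ -45,9 +45,9 @@ func serveStdlib() {
 http.HandleFunc("/ex3", func(w http.ResponseWriter, r *http.Request) {
 r.ParseForm()
 
-target := r.Form.Get("target")
+target := r.Form.Get("target") // $ Source
 // BAD: using the utility function
-http.Redirect(w, r, target, 301)
+http.Redirect(w, r, target, 301) // $ Alert
 })
 
 http.HandleFunc("/ex4", func(w http.ResponseWriter, r *http.Request) {
@@ -65,10 +65,10 @@ func serveStdlib() {
 http.HandleFunc("/ex5", func(w http.ResponseWriter, r *http.Request) {
 r.ParseForm()
 
-target := r.Form.Get("target")
+target := r.Form.Get("target") // $ Source
 me := "me"
 // BAD: may be a global redirection
-http.Redirect(w, r, target+"?from="+me, 301)
+http.Redirect(w, r, target+"?from="+me, 301) // $ Alert
 })
 
 http.HandleFunc("/ex6", func(w http.ResponseWriter, r *http.Request) {
@@ -90,10 +90,10 @@ func serveStdlib() {
 http.HandleFunc("/ex7", func(w http.ResponseWriter, r *http.Request) {
 r.ParseForm()
 
-target := r.Form.Get("target")
+target := r.Form.Get("target") // $ Source
 target += "/index.html"
 // BAD
-http.Redirect(w, r, target, 302)
+http.Redirect(w, r, target, 302) // $ Alert
 })
 
 http.HandleFunc("/ex7", func(w http.ResponseWriter, r *http.Request) {
@@ -147,13 +147,13 @@ func serveStdlib() {
 http.HandleFunc("/ex9", func(w http.ResponseWriter, r *http.Request) {
 r.ParseForm()
 
-target := r.Form.Get("target")
+target := r.Form.Get("target") // $ Source
 // GOOD, but we catch this anyway: a check is done on the URL
 if !isValidRedirect(target) {
 target = "/"
 }
 
-http.Redirect(w, r, target, 302)
+http.Redirect(w, r, target, 302) // $ SPURIOUS: Alert
 })
 
 http.HandleFunc("/ex8", func(w http.ResponseWriter, r *http.Request) {
@@ -183,19 +183,19 @@ func serveStdlib() {
 http.HandleFunc("/ex9", func(w http.ResponseWriter, r *http.Request) {
 r.ParseForm()
 
-target := r.FormValue("target")
+target := r.FormValue("target") // $ Source
 // BAD: a request parameter is incorporated without validation into a URL redirect
-http.Redirect(w, r, target, 301)
+http.Redirect(w, r, target, 301) // $ Alert
 })
 
 http.HandleFunc("/ex10", func(w http.ResponseWriter, r *http.Request) {
 r.ParseForm()
 
-target, _ := url.ParseRequestURI(r.FormValue("target"))
+target, _ := url.ParseRequestURI(r.FormValue("target")) // $ Source
 // BAD: Path could start with `//`
-http.Redirect(w, r, target.Path, 301)
+http.Redirect(w, r, target.Path, 301) // $ Alert
 // BAD: EscapedPath() does not help with that
-http.Redirect(w, r, target.EscapedPath(), 301)
+http.Redirect(w, r, target.EscapedPath(), 301) // $ Alert
 })
 
 http.HandleFunc("/ex11", func(w http.ResponseWriter, r *http.Request) {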
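Review bot: The new `// $ SPURIOUS: Alert` on line 156 of the `/ex9` handler declares that result a known false positive, but the comment on line 151 still reads `GOOD, but we catch this anyway: a check is done on the URL`, which presents the alert as deliberate; the two should agree so a reader does not take the finding as intended query behavior. Suggest rewording line 151 to `// GOOD: a check is done on the URL; the alert below is a known false positive`. Separately, `/ex7` is registered twice (lines 90 and 99) and `/ex9` twice (lines 147 and 183) inside serveStdlib — pre-existing rather than introduced here, and harmless for a fixture that is only analyzed, but `http.HandleFunc` panics on a duplicate pattern if this code is ever executed, so distinct paths would make the fixture safer to reuse. serveStdlib begins and ends outside these hunks.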
