@Kwstubbs (Contributor)

Account for os.PathSeparator in Go sanitizer and remove CreateTemp from valid sinks

Copilot AI review requested due to automatic review settings July 16, 2025 06:16
@Kwstubbs Kwstubbs requested a review from a team as a code owner July 16, 2025 06:16
Copilot AI (Contributor) left a comment

Pull Request Overview

This PR updates the Go path injection query to improve sanitization detection and removes a false positive. The changes account for os.PathSeparator as a valid path sanitizer alongside hardcoded "/" and remove CreateTemp from path injection sinks due to proper built-in sanitization.

  • Updates path injection sanitizers to recognize os.PathSeparator usage
  • Removes CreateTemp from path injection sinks in the os package model
  • Adds test coverage for the new sanitizer pattern

Reviewed Changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

File                                                             Description
go/ql/test/query-tests/Security/CWE-022/TaintedPath.go           Adds test case for os.PathSeparator sanitization pattern
go/ql/test/query-tests/Security/CWE-022/TaintedPath.expected     Updates expected test results for line number changes
go/ql/lib/ext/os.model.yml                                       Removes CreateTemp from path injection sinks
go/ql/lib/change-notes/2025-07-15-path-injection-sanitizers.md   Documents the changes in release notes

github-actions bot (Contributor) commented Jul 16, 2025

⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. A recent commit removed the previously reported differences.

@Kwstubbs Kwstubbs requested a review from owen-mc July 16, 2025 21:33
Kwstubbs (Contributor, Author):

Sorry, I somehow forgot to add the actual CodeQL change.

owen-mc (Contributor) left a comment

You'll also have to update the test expectation here since CreateTemp is no longer a sink.

Comment on lines 91 to 96
concatNode.getOperand(0).asExpr().(StringLit).getValue() = "/"
or
exists(DeclaredConstant dc |
dc.hasQualifiedName("os", "PathSeparator") and
dc.getAReference() = concatNode.getOperand(0).asExpr().getAChildExpr*()
)
owen-mc (Contributor):

If we use getStringValue on any reference of os.PathSeparator then we'll get its actual string value (the compiler knows what value a constant has). On Windows of course this is "\". So we can simplify this to:

Suggested change
concatNode.getOperand(0).asExpr().(StringLit).getValue() = "/"
or
exists(DeclaredConstant dc |
dc.hasQualifiedName("os", "PathSeparator") and
dc.getAReference() = concatNode.getOperand(0).asExpr().getAChildExpr*()
)
concatNode.getOperand(0).getStringValue() = ["/", "\"]
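Review bot: the replacement line's `"\"` is not a valid QL string literal, because a backslash starts an escape sequence in QL strings and the literal is left unterminated; the Windows separator needs the escaped form, i.e. `concatNode.getOperand(0).getStringValue() = ["/", "\\"]`.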

The above code allows using the string literal "\" as well, which seems sensible for any code which is written to only be run on Windows. What do you think?

Kwstubbs (Contributor, Author):

I have added concatNode.getOperand(0).getStringValue().prefix(1) to account for cases where there is additional text but the first element is still appropriate.
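As an added example in Go, the language the query analyses (this is not code from the PR or from the CodeQL repository): it shows the concatenation idiom the reviewed snippet treats as a sanitizer, using both the "/" literal and os.PathSeparator, why a longer literal such as "/public/" still qualifies under the prefix(1) refinement in the comment above, and the built-in pattern check that Copilot's overview cites as the reason for dropping os.CreateTemp as a sink. That the matched concatenation is the argument of filepath.Clean, later joined under a base directory, is an assumption about the idiom the sanitizer targets; the base directory and the inputs are constructed sample values.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// unsafeJoin joins untrusted input straight onto the base directory.
// filepath.Join cleans the result, but leading ".." segments still walk
// out of base, which is the path-injection finding the query reports.
func unsafeJoin(base, untrusted string) string {
	return filepath.Join(base, untrusted)
}

// safeJoin is the idiom the reviewed sanitizer matches (assumption: the
// matched concatenation is the argument of filepath.Clean). prefix is a
// string literal whose first character is a separator, e.g. "/", "\\" or
// "/public/" (the prefix(1) case). Because the concatenation is rooted,
// Clean resolves every ".." against the root and can never climb above it;
// Join then anchors the cleaned path under base.
func safeJoin(base, prefix, untrusted string) string {
	return filepath.Join(base, filepath.Clean(prefix+untrusted))
}

// escapesBase reports whether p lies outside base.
func escapesBase(base, p string) bool {
	rel, err := filepath.Rel(base, p)
	if err != nil {
		return true
	}
	return rel == ".." || strings.HasPrefix(rel, ".."+string(os.PathSeparator))
}

// tempPatternRejected shows why os.CreateTemp was dropped as a sink: the
// standard library refuses a pattern that contains a path separator, so a
// traversal payload in the pattern never reaches the filesystem.
func tempPatternRejected(pattern string) bool {
	f, err := os.CreateTemp("", pattern)
	if err != nil {
		return true
	}
	name := f.Name()
	f.Close()
	os.Remove(name)
	return false
}

func main() {
	sep := string(os.PathSeparator)              // the constant the PR teaches the query to accept
	base := filepath.Join(sep, "srv", "uploads") // constructed sample base directory
	for _, in := range []string{"report.txt", "../../etc/passwd", "sub/../../secret"} {
		u := unsafeJoin(base, in)
		s := safeJoin(base, sep, in)
		p := safeJoin(base, sep+"public"+sep, in)
		fmt.Printf("%-18s unsafe=%s (escapes=%t)\n", in, u, escapesBase(base, u))
		fmt.Printf("%-18s   safe=%s (escapes=%t)\n", "", s, escapesBase(base, s))
		fmt.Printf("%-18s prefix=%s (escapes=%t)\n", "", p, escapesBase(base, p))
	}
	fmt.Println("CreateTemp rejects \"../x-*\":", tempPatternRejected("../x-*"))
}
```

On a Unix host the unsanitised join of "../../etc/passwd" resolves to /etc/passwd, while the rooted Clean pins the same input to /srv/uploads/etc/passwd; the "/public/" prefix behaves the same way, which is what makes checking only the first character of the literal sufficient.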

@Kwstubbs Kwstubbs requested a review from owen-mc July 21, 2025 22:32
owen-mc (Contributor) left a comment

Thanks for these improvements. I've taken the liberty of rewording the change note directly as I'm about to go away for 4 weeks so you'd be waiting a long time for a review otherwise.

Kwstubbs (Contributor, Author) commented Sep 2, 2025

@owen-mc just want to send a reminder for possibly merging soon 😄

owen-mc (Contributor) commented Sep 3, 2025

Oops. Thanks for the reminder. I think I forgot that you can't merge it yourself.

@owen-mc owen-mc merged commit 2a45b28 into github:main Sep 3, 2025
17 checks passed