@@ -4,22 +4,24 @@ import go
44import semmle.go.concepts.HTTP
55import semmle.go.dataflow.DataFlow
66
7- /**
8- * Holds if the expression or its value has a sensitive name
9- */
10- private predicate isSensitiveExpr ( Expr expr , string val ) {
11- (
12- val = expr .getStringValue ( ) or
13- val = expr .( Name ) .getTarget ( ) .getName ( )
14- ) and
15- val .regexpMatch ( "(?i).*(session|login|token|user|auth|credential).*" ) and
16- not val .regexpMatch ( "(?i).*(xsrf|csrf|forgery).*" )
17- }
18-
197private module SensitiveCookieNameConfig implements DataFlow:: ConfigSig {
20- predicate isSource ( DataFlow:: Node source ) { isSensitiveExpr ( source .asExpr ( ) , _) }
8+ /**
9+ * Holds if `source` is an expression with a name or literal value `val` indicating a sensitive cookie.
10+ */
11+ additional predicate isSource ( DataFlow:: Node source , string val ) {
12+ (
13+ val = source .asExpr ( ) .getStringValue ( ) or
14+ val = source .asExpr ( ) .( Name ) .getTarget ( ) .getName ( )
15+ ) and
16+ val .regexpMatch ( "(?i).*(session|login|token|user|auth|credential).*" ) and
17+ not val .regexpMatch ( "(?i).*(xsrf|csrf|forgery).*" )
18+ }
19+
20+ predicate isSource ( DataFlow:: Node source ) { isSource ( source , _) }
21+
22+ additional predicate isSink ( DataFlow:: Node sink , Http:: CookieWrite cw ) { sink = cw .getName ( ) }
2123
22- predicate isSink ( DataFlow:: Node sink ) { exists ( Http :: CookieWrite cw | sink = cw . getName ( ) ) }
24+ predicate isSink ( DataFlow:: Node sink ) { isSink ( sink , _ ) }
2325
2426 predicate isAdditionalFlowStep ( DataFlow:: Node pred , DataFlow:: Node succ ) {
2527 exists ( Http:: CookieOptionWrite co | co .getName ( ) = pred and co .getCookieOutput ( ) = succ )
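Review bot: The two-argument `isSink` on new line 22 has no QLDoc, although it is now called from outside the module in the same way as the documented two-argument `isSource`. I would add `/** Holds if sink is the name argument of the cookie write cw. */` above it. The `isSource` comment on new lines 8–10 should also state that values matching `xsrf|csrf|forgery` are excluded, because that exclusion decides which cookie names the query treats as sensitive. The substring match on new lines 16–17 is carried over unchanged, so any name containing `user` or `auth` counts as sensitive, while a name with none of the six keywords is never checked. The body of `isAdditionalFlowStep` continues past the end of the hunk.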
@@ -98,11 +100,10 @@ predicate isNonHttpOnlyCookie(Http::CookieWrite cw) {
98100 * `source` and `sink` represent the data flow path from the sensitive name expression to the cookie write.
99101 */
100102predicate isSensitiveCookie (
101- Http:: CookieWrite cw , Expr nameExpr , string name , SensitiveCookieNameFlow:: PathNode source ,
103+ Http:: CookieWrite cw , string name , SensitiveCookieNameFlow:: PathNode source ,
102104 SensitiveCookieNameFlow:: PathNode sink
103105) {
104106 SensitiveCookieNameFlow:: flowPath ( source , sink ) and
105- source .getNode ( ) .asExpr ( ) = nameExpr and
106- sink .getNode ( ) = cw .getName ( ) and
107- isSensitiveExpr ( nameExpr , name )
107+ SensitiveCookieNameConfig:: isSource ( source .getNode ( ) , name ) and
108+ SensitiveCookieNameConfig:: isSink ( sink .getNode ( ) , cw )
108109}
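Review bot: Removing `nameExpr` from `isSensitiveCookie` (new lines 102–105) changes its arity, so every query that calls it must be updated in the same commit; no caller is visible in this hunk. The doc comment starts above the hunk, and any sentence there that still describes `nameExpr` should be dropped. Because `isSource` binds `name` from either the string value or the identifier name, one source may yield two `name` values when both match the pattern, which would give two result rows for the same cookie write. If that is not wanted, a short comment on the `isSource` call at new line 107 saying so would help.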