-
Notifications
You must be signed in to change notification settings - Fork 3
/
Copy path3.ql
52 lines (42 loc) · 1.41 KB
/
3.ql
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
/**
* @kind path-problem
*/
import go
import DataFlow::PathGraph
class GfSource extends DataFlow::Node {
GfSource(){
exists( Function fun|
fun.hasQualifiedName("github.com./grafana/grafana/pkg/api/routing.RouteRegister",
["Get","Post","Delete","Put","Patch","Any"]) and
//["Get","Post"]) and
fun.getAReference()=this.asExpr()
)
}
}
class Gfconfig extends TaintTracking::Configuration{
Gfconfig() { this = "Gfconfig" }
override predicate isSource(DataFlow::Node source) {
source instanceof GfSource
}
override predicate isSink(DataFlow::Node sink) {
exists(Function fun ,CallExpr call|
fun.hasQualifiedName("os", "Open") and
call.getTarget() = fun and
call.getAnArgument()= sink.asExpr()
)
}
/**
* sink参数只能是两个,第二个参数才是真正的sink
*/
override predicate isAdditionalTaintStep(DataFlow::Node expSrc, DataFlow::Node expDest) {
exists(CallExpr call|
call=expSrc.asExpr() and
call.getArgument(0).getType().toString()="string" and
call.getNumArgument()=2 and
call.getArgument(1).(CallExpr).getTarget().getAParameter()=expDest.asParameter()
)
}
}
from Gfconfig gf,DataFlow::PathNode source,DataFlow::PathNode sink
where gf.hasFlowPath(source, sink)
select source.getNode(), source, sink, "test"