Convert 3 barriers for path injection to MaD

owen-mc · owen-mc · commit d5739b2d5db4 · 2025-12-15T22:42:03.000Z
diff --git a/go/ql/lib/ext/mime.multipart.model.yml b/go/ql/lib/ext/mime.multipart.model.yml
@@ -1,4 +1,21 @@
 extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: barrierModel
+    data:
+      #  The only way to create a `mime/multipart.FileHeader` is to create a
+      #  `mime/multipart.Form`, which creates the `Filename` field of each
+      #  `mime/multipart.FileHeader` by calling `Part.FileName`, which calls
+      #  `path/filepath.Base` on its return value. In general `path/filepath.Base`
+      #  is not a sanitizer for path traversal, but in this specific case where the
+      #  output is going to be used as a filename rather than a directory name, it
+      #  is adequate.
+      - ["mime/multipart", "FileHeader", False, "Filename", "", "", "", "path-injection", "manual"]
+      # `Part.FileName` calls `path/filepath.Base` on its return value. In
+      # general `path/filepath.Base` is not a sanitizer for path traversal, but in
+      # this specific case where the output is going to be used as a filename
+      # rather than a directory name, it is adequate.
+      - ["mime/multipart", "Part", False, "FileName", "", "", "ReturnValue", "path-injection", "manual"]
   - addsTo:
       pack: codeql/go-all
       extensible: summaryModel
diff --git a/go/ql/lib/ext/path.filepath.model.yml b/go/ql/lib/ext/path.filepath.model.yml
@@ -1,4 +1,9 @@
 extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: barrierModel
+    data:
+      - ["path/filepath", "", False, "Rel", "", "", "ReturnValue", "path-injection", "manual"]
   - addsTo:
       pack: codeql/go-all
       extensible: summaryModel
diff --git a/go/ql/lib/semmle/go/security/TaintedPathCustomizations.qll b/go/ql/lib/semmle/go/security/TaintedPathCustomizations.qll
@@ -57,6 +57,10 @@ module TaintedPath {
     PathAsSink() { this = any(FileSystemAccess fsa).getAPathArgument() }
   }
 
+  private class ExternalSanitizer extends Sanitizer {
+    ExternalSanitizer() { barrierNode(this, "path-injection") }
+  }
+
   /**
    * A numeric- or boolean-typed node, considered a sanitizer for path traversal.
    */
@@ -66,19 +70,6 @@ module TaintedPath {
     }
   }
 
-  /**
-   * A call to `filepath.Rel`, considered as a sanitizer for path traversal.
-   */
-  class FilepathRelSanitizer extends Sanitizer {
-    FilepathRelSanitizer() {
-      exists(Function f, FunctionOutput outp |
-        f.hasQualifiedName("path/filepath", "Rel") and
-        outp.isResult(0) and
-        this = outp.getNode(f.getACall())
-      )
-    }
-  }
-
   /**
    * A call to `filepath.Clean("/" + e)`, considered to sanitize `e` against path traversal.
    */
@@ -112,44 +103,6 @@ module TaintedPath {
     }
   }
 
-  /**
-   * A read from the field `Filename` of the type `mime/multipart.FileHeader`,
-   * considered as a sanitizer for path traversal.
-   *
-   * The only way to create a `mime/multipart.FileHeader` is to create a
-   * `mime/multipart.Form`, which creates the `Filename` field of each
-   * `mime/multipart.FileHeader` by calling `Part.FileName`, which calls
-   * `path/filepath.Base` on its return value. In general `path/filepath.Base`
-   * is not a sanitizer for path traversal, but in this specific case where the
-   * output is going to be used as a filename rather than a directory name, it
-   * is adequate.
-   */
-  class MimeMultipartFileHeaderFilenameSanitizer extends Sanitizer {
-    MimeMultipartFileHeaderFilenameSanitizer() {
-      this.(DataFlow::FieldReadNode)
-          .getField()
-          .hasQualifiedName("mime/multipart", "FileHeader", "Filename")
-    }
-  }
-
-  /**
-   * A call to `mime/multipart.Part.FileName`, considered as a sanitizer
-   * against path traversal.
-   *
-   * `Part.FileName` calls `path/filepath.Base` on its return value. In
-   * general `path/filepath.Base` is not a sanitizer for path traversal, but in
-   * this specific case where the output is going to be used as a filename
-   * rather than a directory name, it is adequate.
-   */
-  class MimeMultipartPartFileNameSanitizer extends Sanitizer {
-    MimeMultipartPartFileNameSanitizer() {
-      this =
-        any(Method m | m.hasQualifiedName("mime/multipart", "Part", "FileName"))
-            .getACall()
-            .getResult()
-    }
-  }
-
   /**
    * A check of the form `!strings.Contains(nd, "..")`, considered as a sanitizer guard for
    * path traversal.
