fix(taint): gate *http.Request auto-taint on entry-point detection#1630
Open
ravisastryk wants to merge 4 commits intosecurego:masterfrom
Open
fix(taint): gate *http.Request auto-taint on entry-point detection#1630ravisastryk wants to merge 4 commits intosecurego:masterfrom
ravisastryk wants to merge 4 commits intosecurego:masterfrom
Conversation
…ecurego#1629) isParameterTainted unconditionally tainted any *http.Request parameter by type, even when the function had known callers passing constant-URL requests. Check the CHA call graph first: only auto-taint when the function has no in-edges (true external entry point). When callers exist, fall through to the existing caller-verification loop instead. Fixes securego#1629
ravisastryk
temporarily deployed
to
security-review
GitHub Actions
Inactive
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #1630 +/- ##
==========================================
+ Coverage 81.07% 81.18% +0.10%
==========================================
Files 108 108
Lines 10096 10123 +27
==========================================
+ Hits 8185 8218 +33
+ Misses 1426 1423 -3
+ Partials 485 482 -3 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
ravisastryk
temporarily deployed
to
security-review
GitHub Actions
Inactive
ravisastryk
temporarily deployed
to
security-review
GitHub Actions
Inactive
5 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fix G704 false positive on interface wrapper methods
Fixes #1629
isParameterTaintedunconditionally treated any*http.Requestparameter as tainted by type, without checking whether callers actually passed tainted data. This caused false positives on wrapper methods likeNamedClient.Docalled exclusively with constant-URL requests.Root cause
The type-based auto-taint in
isParameterTaintedshort-circuited before consulting the CHA call graph, so callers were never inspected.Fix
auto-taint only when the function has no known in-edges (true external entry point). When callers exist, fall through to the existing caller-verification loop.