
[Go]: New File System Access Sinks #782

Closed
1 of 2 tasks
am0o0 opened this issue Aug 27, 2023 · 11 comments
Labels
All For One Submissions to the All for One, One for All bounty

Comments

@am0o0

am0o0 commented Aug 27, 2023

Query PR

github/codeql#14064

Language

GoLang

CVE(s) ID list

CWE

CWE-022

Report

File System Access Sinks are really valuable and can be used in multiple places to write security queries, especially for writing Path Traversal detection queries.
I've added multiple new File System Access Sinks.

Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).

  • Yes
  • No

Blog post link

No response

@am0o0 am0o0 added the All For One Submissions to the All for One, One for All bounty label Aug 27, 2023
@am0o0 am0o0 changed the title [Go]: New Sinks [Go]: New File System Access Sinks Aug 27, 2023
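As an added illustration of the CWE-022 pattern the submitted sinks are meant to catch (example code written for this page, not part of the submission or of CodeQL): a Go file write reached by a caller-supplied name, beside a version that confines the resolved path to a base directory. The names safeJoin, uploadUnchecked and uploadChecked are hypothetical.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
	"strings"
)

var errPathEscapes = errors.New("path escapes base directory")

// safeJoin resolves a caller-supplied relative name under base and rejects
// anything that would land outside base (hypothetical helper, not from the submission).
func safeJoin(base, name string) (string, error) {
	if filepath.IsAbs(name) {
		return "", errPathEscapes
	}
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	full := filepath.Join(absBase, name) // Join cleans the path, collapsing ".." segments
	rel, err := filepath.Rel(absBase, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errPathEscapes
	}
	return full, nil
}

// uploadUnchecked is the shape a file-system sink model flags: the name reaches os.WriteFile unvalidated.
func uploadUnchecked(base, name string, data []byte) error {
	return os.WriteFile(filepath.Join(base, name), data, 0o600)
}

// uploadChecked routes the same flow through safeJoin before the sink.
func uploadChecked(base, name string, data []byte) error {
	p, err := safeJoin(base, name)
	if err != nil {
		return err
	}
	return os.WriteFile(p, data, 0o600)
}

func main() {
	dir, _ := os.MkdirTemp("", "uploads") // constructed scratch directory
	defer os.RemoveAll(dir)
	println(uploadChecked(dir, "notes.txt", []byte("ok")) == nil)   // true
	println(uploadChecked(dir, "../escape.txt", []byte("x")) != nil) // true: rejected
}
```

safeJoin does not resolve symbolic links, so a link inside base that points elsewhere still needs a separate check (for example with filepath.EvalSymlinks) before the write.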
@ghsecuritylab
Collaborator

Your submission is now in status Query review.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

@sylwia-budzynska

Hello @amammad
After having a look at your submission, we realized there might be room for a future bug bounty submission, if you'd be interested.

Your submission adds fasthttp sinks. The fasthttp library is not modeled in CodeQL and if you'd like to, you could create a bug bounty submission modeling the whole library in CodeQL.

Let us know what you think and if you'd like to pursue this idea.

@am0o0
Author

am0o0 commented Aug 31, 2023

@sylwia-budzynska Thank you! I'm interested in writing a CodeQL library for fasthttp. Just one question: there are other web frameworks that have already been implemented before, and each of these modeled frameworks can have a structure like the Range ones. Which of these library structures do you suggest I use as a base for fasthttp? If you don't consider one, I'll check most of them and choose one of these library structures for modeling, to be more similar to the others.

@am0o0
Author

am0o0 commented Aug 31, 2023

@sylwia-budzynska I forgot that @pwntester gave me some suggestions before. Thank you both.

@am0o0
Author

am0o0 commented Oct 1, 2023

Hi @pwntester
There is a significant difference when I'm using these remote sources to find file-system-related sinks, because these remotely controllable sources are mostly related to file writes, so attackers can upload files from these sources.
I just want to say I'd appreciate it if you reconsidered the query evaluation of the impact in this review. I don't want to emphasize this at all, so it is absolutely up to you.

@sylwia-budzynska

@amammad 👋 I’m the one taking care of this submission, so I will answer.

We have a number of scores that we rate all submissions on. Adding more and new sources could increase the scope metric in this submission.

Your submission adds Go sinks for eight frameworks and libraries. It already has a very wide scope, so there's no need to add more sources to it. Besides, these sources are already a part of your other submission with the DOS queries, and so they cannot be a part of two submissions at the same time. All in all, this is already a very good submission in regard to scope. Looking forward to seeing more great submissions like these 👍

If you'd like to maximize the payout for your future submissions, here are a few general guidelines that we might take into consideration when reviewing a submission.

  • the submission models widely-used frameworks/libraries
  • the vulnerability modeled in the submission is impactful
  • the submission finds new true positive vulnerabilities
  • the submission finds very few false positives
  • code in the submission is easy to read and will be easy to maintain
  • documentation is written clearly, highlighting the impact of the issue it finds, and is written without grammatical or other errors; the code samples clearly show the vulnerability
  • the submission includes tests, change note etc.

Please note that these are guidelines, not rules. Since we have a lot of different types of submissions, the guidelines might vary for each submission.

Happy hacking!

@am0o0
Author

am0o0 commented Oct 2, 2023

@sylwia-budzynska I didn't know who I should mention here because there are no Assignees on this issue (and some other issues too), so I tried to mention your colleague/teammate too.

Thank you so much for the comprehensive explanation.

@ghsecuritylab
Collaborator

Your submission is now in status Final decision.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

@ghsecuritylab
Collaborator

Your submission is now in status Pay.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

@xcorail
Contributor

xcorail commented Oct 12, 2023

Created Hackerone report 2206657 for bounty 520801 : [782] [Go]: New File System Access Sinks

@xcorail xcorail closed this as completed Oct 12, 2023
@ghsecuritylab
Collaborator

Your submission is now in status Closed.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed
