Unable to get TaintTracking to work in Golang

[chuayupeng]

Sorry to ask a beginner level question, but I was researching on a file upload vuln based on an unsanitised multipart form into fileURI in a codebase.

I have defined my Config to be:

class Config extends DataFlow::Configuration {
    Config() { this = "UnsanitisedFilepathName" }
   
    override predicate isSource(DataFlow::Node source) {
        source.asExpr().(CallExpr).getCalleeName() = "MultipartForm"
    }
  
    override predicate isSink(DataFlow::Node sink) {
        sink.asExpr().(CallExpr).getAnArgumenmt().toString() = "fileURI"
    }
}

from Config cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source,sink)
select sink, source, sink, "Testing"

But even though individually the source and sink I have had success finding the vulnerable code from the user input to the execution, when I try to run the TaintTracking I get no results back. Have attempted to check for source.getASuccessor() to look at what Nodes follow from the source of a "call to MultipartForm" but no results came back as well. Unsure of how to proceed.

[intrigus-lgtm]

You're lucky, there is a brand-new article about debugging data-flow problems!
In fact, it's so new that it did not yet reach the official docs website :D

I hope this guide helps:
https://github.com/github/codeql/blob/8c37e90a7776b3561c025c482e2527a74dd44af1/docs/codeql/writing-codeql-queries/debugging-data-flow-queries-using-partial-flow.rst
(if not it would be helpful if you could provide a sample source file that shows which flow you want to find)

[chuayupeng]

Hi @intrigus-lgtm thanks for the article! The steps to debugging for the partial flow still results in a query that returns no results though, let me try to write up a sample source file.

func UploadFileHandler(c *gin.Context) (interface{}, apperror.AppError) {
        formData, error := c.MultipartForm() <-source
	file, ok := formData.File["file"]
        fileName, err := UploadFile(ctx, file[0].FileName)
	return fileName, nil	
}

func UploadFile(ctx *app.Context, fileName string) (string, error) {
	filePath := filepath.Join(accountID, fileName)
	if err := StoreFile(ctx, filepath, true); err != nil {return "", err}
	return fileName, nil
}

func StoreFile(ctx *app.Context, fileURI string, overwrite bool) error {
	fileWrite,err := CreateFile(fileURI, overwrite) <- sink
	if err != nil{ return err }
}

[sauyon]

You're using a data-flow configuration here when I think you want a taint configuration. The reason you have no flow is because the result of the call is a tuple, and tuple values don't flow anywhere in Go.

[chuayupeng]

What should be the node value that allows me to get the flow I want then? I have changed DataFlow::Configuration to TaintTracking::Configuration, but cant seem to figure out what the proper source and sink should be

[sauyon]

That should work as-is; have you tried partial flow with the taint-tracking configuration?

[chuayupeng]

Have just tried the partial flow with taint tracking config, but I got back too many results instead, whereas the full query still returned no results. How should I structure my source and sink nodes such that it isnt a tuple value?