feat(go): Update dependencies and add GHSL sources and sinks implementation

GeekMasher · GeekMasher · commit c521b9873738 · 2025-04-18T09:59:22.000+01:00
diff --git a/go/lib/codeql-pack.lock.yml b/go/lib/codeql-pack.lock.yml
@@ -2,19 +2,19 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/dataflow:
-    version: 1.1.8
+    version: 2.0.4
   codeql/go-all:
-    version: 3.0.1
+    version: 4.2.2
   codeql/mad:
-    version: 1.0.14
+    version: 1.0.20
   codeql/ssa:
-    version: 1.0.14
+    version: 1.0.20
   codeql/threat-models:
-    version: 1.0.14
+    version: 1.0.20
   codeql/tutorial:
-    version: 1.0.14
+    version: 1.0.20
   codeql/typetracking:
-    version: 1.0.14
+    version: 2.0.4
   codeql/util:
-    version: 2.0.1
+    version: 2.0.7
 compiled: false
diff --git a/go/lib/ghsl.qll b/go/lib/ghsl.qll
@@ -0,0 +1,4 @@
+import go
+import ghsl.Utils
+import ghsl.LocalSources
+import ghsl.Sinks
diff --git a/go/lib/ghsl/Sinks.qll b/go/lib/ghsl/Sinks.qll
@@ -0,0 +1,48 @@
+private import go
+private import semmle.go.dataflow.DataFlow
+private import semmle.go.security.CommandInjectionCustomizations
+private import semmle.go.security.OpenUrlRedirectCustomizations
+private import semmle.go.security.ReflectedXssCustomizations
+private import semmle.go.security.RequestForgeryCustomizations
+private import semmle.go.security.SqlInjectionCustomizations
+private import semmle.go.security.UnsafeUnzipSymlinkCustomizations
+private import semmle.go.security.XPathInjectionCustomizations
+private import semmle.go.security.ZipSlipCustomizations
+
+/**
+ * List of all the sinks that we want to check.
+ */
+class AllSinks extends DataFlow::Node {
+  private string sink;
+
+  AllSinks() {
+    this instanceof CommandInjection::Sink and
+    sink = "command-injection"
+    or
+    this instanceof OpenUrlRedirect::Sink and
+    sink = "open-url-redirect"
+    or
+    this instanceof ReflectedXss::Sink and
+    sink = "reflected-xss"
+    or
+    this instanceof RequestForgery::Sink and
+    sink = "request-forgery"
+    or
+    this instanceof SqlInjection::Sink and
+    sink = "sql-injection"
+    or
+    this instanceof UnsafeUnzipSymlink::EvalSymlinksSink and
+    sink = "unsafe-unzip"
+    or
+    this instanceof XPathInjection::Sink and
+    sink = "xpath-injection"
+    or
+    this instanceof ZipSlip::Sink and
+    sink = "zip-slip"
+  }
+
+  /**
+   * Gets the sink sink type.
+   */
+  string sinkType() { result = sink }
+}
diff --git a/go/lib/ghsl/Utils.qll b/go/lib/ghsl/Utils.qll
@@ -1,5 +1,44 @@
-import go
-import semmle.go.frameworks.stdlib.Fmt
+private import go
+private import semmle.go.dataflow.DataFlow
+private import semmle.go.dataflow.TaintTracking
+private import semmle.go.frameworks.stdlib.Fmt
+
+/**
+ * Find Node at Location
+ */
+predicate filterByLocation(DataFlow::Node node, string relative_path, int linenumber) {
+  node.getLocation().getFile().getRelativePath() = relative_path and
+  node.getLocation().getStartLine() = linenumber
+}
+
+/**
+ * List of all the souces
+ */
+class AllSources extends DataFlow::Node {
+  private string threatmodel;
+
+  AllSources() {
+    this instanceof RemoteFlowSource::Range and
+    threatmodel = "remote"
+    or
+    this instanceof LocalSources and
+    threatmodel = "local"
+  }
+
+  /**
+   * Gets the source threat model.
+   */
+  string getThreatModel() { result = threatmodel }
+}
+
+/**
+ * Local sources
+ */
+class LocalSources extends DataFlow::Node {
+  LocalSources() {
+    this.(SourceNode).getThreatModel() = "local"
+  }
+}
 
 class DynamicStrings extends DataFlow::Node {
     DynamicStrings() {
