Initial support for Twirp framework

Author: Alvaro Muñoz

go/ql/lib/semmle/go/frameworks/Twirp.qll

@@ -0,0 +1,167 @@
+import go
+import semmle.go.security.RequestForgery
+
+module Twirp {
+  /**
+   * A *.pb.go file generated by Twirp.
+   * This file will all the types representing protobuf messages and should have a companion *.twirp.go file.
+   */
+  class ProtobufGeneratedFile extends File {
+    ProtobufGeneratedFile() {
+      this.getBaseName().matches("%.pb.go") and
+      exists(File f |
+        this.getParentContainer() = f.getParentContainer() and
+        this.getBaseName().splitAt(".", 0) = f.getBaseName().splitAt(".", 0) and
+        f.getBaseName().matches("%.twirp.go")
+      )
+    }
+  }
+
+  /**
+   * A *.twirp.go file generated by Twirp.
+   * This file contains all the types representing protobuf services and should have a companion *.pb.go file.
+   */
+  class ServicesGeneratedFile extends File {
+    ServicesGeneratedFile() {
+      this.getBaseName().matches("%.twirp.go") and
+      exists(File f |
+        this.getParentContainer() = f.getParentContainer() and
+        this.getBaseName().splitAt(".", 0) = f.getBaseName().splitAt(".", 0) and
+        f.getBaseName().matches("%.pb.go")
+      )
+    }
+  }
+
+  /**
+   * A type representing a protobuf message.
+   */
+  class ProtobufMessage extends Type {
+    ProtobufMessage() {
+      exists(TypeEntity te |
+        te.getType() = this and
+        te.getDeclaration().getLocation().getFile() instanceof ProtobufGeneratedFile
+      )
+    }
+  }
+
+  /**
+   * An interface type representing a Twirp service.
+   */
+  class ServiceInterface extends NamedType {
+    ServiceInterface() {
+      exists(TypeEntity te |
+        te.getType() = this and
+        // To match an Interface type we need to use a NamedType whose getUnderlying type is an InterfaceType
+        this.getUnderlyingType() instanceof InterfaceType and
+        te.getDeclaration().getLocation().getFile() instanceof ServicesGeneratedFile
+      )
+    }
+
+    InterfaceType getInterfaceType() { result = this.getUnderlyingType() }
+  }
+
+  /**
+   * A Twirp client
+   */
+  class ServiceClient extends NamedType {
+    PointerType pointerType;
+
+    ServiceClient() {
+      exists(ServiceInterface i |
+        pointerType.implements(i.getInterfaceType()) and
+        this = pointerType.getBaseType() and
+        this.getName().toLowerCase() = i.getName().toLowerCase() + ["protobuf", "json"] + "client"
+      )
+    }
+  }
+
+  /**
+   * A Twirp server
+   */
+  class ServiceServer extends NamedType {
+    ServiceServer() {
+      exists(ServiceInterface i |
+        this.implements(i.getInterfaceType()) and
+        this.getName().toLowerCase() = i.getName().toLowerCase() + "server"
+      )
+    }
+  }
+
+  /**
+   * Twirp function to construct a Client
+   */
+  class ClientConstructor extends Function {
+    ClientConstructor() {
+      exists(ServiceClient c |
+        this.getName().toLowerCase() = "new" + c.getName().toLowerCase() and
+        this.getParameter(0).getType().getName() = "string" and
+        this.getParameter(1).getType().getName() = "HTTPClient"
+      )
+    }
+  }
+
+  /**
+   * Twirp function to construct a Server
+   * Its first argument should be an implementation of the service interface
+   */
+  class ServerConstructor extends Function {
+    ServerConstructor() {
+      exists(ServiceServer c |
+        this.getName().toLowerCase() = "new" + c.getName().toLowerCase() and
+        this.getParameter(0).getType() instanceof ServiceInterface
+      )
+    }
+  }
+
+  /**
+   * SSRF sink for the Client constructor
+   */
+  class ClientRequestUrlAsSink extends RequestForgery::Sink {
+    ClientRequestUrlAsSink() {
+      exists(DataFlow::CallNode call |
+        call.getArgument(0) = this and
+        call.getTarget() instanceof ClientConstructor
+      )
+    }
+
+    override DataFlow::Node getARequest() { none() }
+
+    override string getKind() { result = "URL" }
+  }
+
+  /**
+   * A service handler
+   */
+  class ServiceHandler extends Method {
+    Method m;
+
+    ServiceHandler() {
+      exists(DataFlow::CallNode call, Type handlerType, ServiceInterface i |
+        call.getTarget() instanceof ServerConstructor and
+        call.getArgument(0).getType() = handlerType and
+        handlerType.implements(i.getInterfaceType()) and
+        this = handlerType.getMethod(_) and
+        this.implements(m) and
+        i.getMethod(_) = m
+      )
+    }
+  }
+
+  /**
+   * A request comming to the service handler
+   */
+  class Request extends UntrustedFlowSource::Range, DataFlow::ParameterNode {
+    ServiceHandler handler;
+
+    Request() {
+      handler.getParameter(0).getType().hasQualifiedName("context", "Context") and
+      handler.getParameter(_) = this.asParameter() and
+      this.getType().(PointerType).getBaseType() instanceof ProtobufMessage
+    }
+
+    override predicate isParameterOf(Callable c, int i) {
+      c.asFunction() = handler and
+      i = 1
+    }
+  }
+}

go/ql/test/library-tests/semmle/go/frameworks/Twirp/client/main.go

@@ -0,0 +1,28 @@
+package main
+
+import (
+	"context"
+	"log"
+	"net/http"
+
+	"github.com/pwntester/go-twirp-rpc-example/rpc/notes"
+)
+
+func main() {
+  client := notes.NewNotesServiceProtobufClient("http://localhost:8000", &http.Client{}) // test: ssrfSink
+
+	ctx := context.Background()
+
+	_, err := client.CreateNote(ctx, &notes.CreateNoteParams{Text: "Hello World"})
+	if err != nil {
+		log.Fatal(err)
+	}
+	allNotes, err := client.GetAllNotes(ctx, &notes.GetAllNotesParams{})
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	for _, note := range allNotes.Notes {
+		log.Println(note)
+	}
+}

go/ql/test/library-tests/semmle/go/frameworks/Twirp/go.mod

@@ -0,0 +1,10 @@
+module github.com/pwntester/go-twirp-rpc-example
+
+go 1.19
+
+require (
+	github.com/twitchtv/twirp v8.1.3+incompatible
+	google.golang.org/protobuf v1.28.1
+)
+
+require github.com/pkg/errors v0.9.1 // indirect