perfomed review suggestions, make Decompression Sink simpler, uncomment the isBarrier, fix some naming issues in tests

Author: am0o0

go/ql/src/experimental/CWE-522-DecompressionBombs/DecompressionBombs.ql

@@ -47,37 +47,17 @@ module DecompressionBombsConfig implements DataFlow::StateConfigSig {
     )
   }
 
-  predicate isBarrier(DataFlow::Node node, FlowState state) {
-    // //here I want to the CopyN return value be compared with < or > but I can't reach the tainted result
-    // // exists(Function f | f.hasQualifiedName("io", "CopyN") |
-    // //   node = f.getACall().getArgument([0, 1]) and
-    // //   TaintTracking::localExprTaint(f.getACall().getResult(_).asExpr(),
-    // //     any(RelationalComparisonExpr e).getAChildExpr*())
-    // // )
-    // // or
-    // exists(Function f | f.hasQualifiedName("io", "LimitReader") |
-    //   node = f.getACall().getArgument(0) and f.getACall().getArgument(1).isConst()
-    // ) and
-    // state =
-    //   [
-    //     "ZstdNewReader", "XzNewReader", "GzipNewReader", "S2NewReader", "SnapyNewReader",
-    //     "ZlibNewReader", "FlateNewReader", "Bzip2NewReader", "ZipOpenReader", "ZipKlauspost"
-    //   ]
-    none()
+  predicate isBarrier(DataFlow::Node node) {
+    // here I want to the CopyN return value be compared with < or > but I can't reach the tainted result
+    exists(Function f | f.hasQualifiedName("io", "CopyN") |
+      node = f.getACall().getArgument(1) and
+      TaintTracking::localExprTaint(f.getACall().getResult(0).asExpr(),
+        // only >=, <=,>,<
+        any(RelationalComparisonExpr rce).getAnOperand())
+    )
   }
 }
 
-// // here I want to the CopyN return value be compared with < or > but I can't reach the tainted result
-// predicate test(DataFlow::Node n2) { any(Test testconfig).hasFlowTo(n2) }
-// class Test extends DataFlow::Configuration {
-//   Test() { this = "test" }
-//   override predicate isSource(DataFlow::Node source) {
-//     exists(Function f | f.hasQualifiedName("io", "CopyN") |
-//       f.getACall().getResult(0) = source
-//     )
-//   }
-//   override predicate isSink(DataFlow::Node sink) { sink instanceof DataFlow::Node }
-// }
 module DecompressionBombsFlow = TaintTracking::GlobalWithState<DecompressionBombsConfig>;
 
 import DecompressionBombsFlow::PathGraph

go/ql/src/experimental/CWE-522-DecompressionBombs/MultipartAndFormRemoteSource.qll

@@ -3,19 +3,18 @@ import semmle.go.dataflow.Properties
 
 class MimeMultipartFileHeader extends UntrustedFlowSource::Range {
   MimeMultipartFileHeader() {
-    exists(DataFlow::Variable v |
-      v.hasQualifiedName("mime/multipart.FileHeader", ["Filename", "Header"]) and
-      this = v.getARead()
+    exists(DataFlow::FieldReadNode frn | this = frn |
+      frn.getField()
+          .hasQualifiedName("mime/multipart.FileHeader", ["Filename", "Header"], "RequestBody")
     )
     or
     exists(DataFlow::Method m |
       m.hasQualifiedName("mime/multipart.FileHeader", "Open") and
-      this = m.getACall()
+      this = m.getACall().getResult(0)
     )
     or
-    exists(DataFlow::Variable v |
-      v.hasQualifiedName("mime/multipart.Form", "Value") and
-      this = v.getARead()
+    exists(DataFlow::FieldReadNode frn |
+      frn.getField().hasQualifiedName("mime/multipart.Form", "Value")
     )
   }
 }

go/ql/src/experimental/CWE-522-DecompressionBombs/example_good.go

@@ -12,8 +12,9 @@ func ZipOpenReader(filename string) {
 	r, _ := zip.OpenReader(filename)
 	var totalBytes int64
 	for _, f := range r.File {
+		rc, _ := f.Open()
+		totalBytes = 0
 		for {
-			rc, _ := f.Open()
 			result, _ := io.CopyN(os.Stdout, rc, 68)
 			if result == 0 {
 				break

go/ql/src/experimental/frameworks/DecompressionBombs.qll

@@ -3,13 +3,6 @@ import go
 module DecompressionBombs {
   class FlowState = DataFlow::FlowState;
 
-  /**
-   * The Sinks of uncontrolled data decompression
-   */
-  class Sink extends DataFlow::Node {
-    Sink() { this = any(Range r).sink() }
-  }
-
   /**
    * The additional taint steps that need for creating taint tracking or dataflow.
    */
@@ -30,30 +23,20 @@ module DecompressionBombs {
   }
 
   /**
-   * A abstract class responsible for extending new decompression sinks
+   * The Sinks of uncontrolled data decompression
    */
-  abstract private class Range extends DataFlow::Node {
-    /**
-     * Gets the sink of responsible for decompression node
-     *
-     * it can be a path, stream of compressed data,
-     * or a call to function that use pipe
-     */
-    abstract DataFlow::Node sink();
-  }
+  abstract class Sink extends DataFlow::Node { }
 
   /**
    * Provides Decompression Sinks and additional flow steps for `github.com/DataDog/zstd` package
    */
   module DataDogZstd {
-    class TheSink extends Range {
+    class TheSink extends Sink {
       TheSink() {
         exists(Method f | f.hasQualifiedName("github.com/DataDog/zstd", "reader", "Read") |
           this = f.getACall().getReceiver()
         )
       }
-
-      override DataFlow::Node sink() { result = this }
     }
 
     class TheAdditionalTaintStep extends AdditionalTaintStep {
@@ -83,7 +66,7 @@ module DecompressionBombs {
    * Provides Decompression Sinks and additional flow steps for `github.com/klauspost/compress/zstd` package
    */
   module KlauspostZstd {
-    class TheSink extends Range {
+    class TheSink extends Sink {
       TheSink() {
         exists(Method f |
           f.hasQualifiedName("github.com/klauspost/compress/zstd", "Decoder",
@@ -98,8 +81,6 @@ module DecompressionBombs {
           this = f.getACall().getReceiver()
         )
       }
-
-      override DataFlow::Node sink() { result = this }
     }
 
     class TheAdditionalTaintStep extends AdditionalTaintStep {
@@ -195,14 +176,12 @@ module DecompressionBombs {
    * Provides Decompression Sinks and additional taint steps for `github.com/ulikunitz/xz` package
    */
   module UlikunitzXz {
-    class TheSink extends Range {
+    class TheSink extends Sink {
       TheSink() {
         exists(Method f | f.hasQualifiedName("github.com/ulikunitz/xz", "Reader", "Read") |
           this = f.getACall().getReceiver()
         )
       }
-
-      override DataFlow::Node sink() { result = this }
     }
 
     class TheAdditionalTaintStep extends AdditionalTaintStep {
@@ -231,14 +210,12 @@ module DecompressionBombs {
    * Provides Decompression Sinks and additional taint steps for `compress/gzip` package
    */
   module CompressGzip {
-    class TheSink extends Range {
+    class TheSink extends Sink {
       TheSink() {
         exists(Method f | f.hasQualifiedName("compress/gzip", "Reader", "Read") |
           this = f.getACall().getReceiver()
         )
       }
-
-      override DataFlow::Node sink() { result = this }
     }
 
     class TheAdditionalTaintStep extends AdditionalTaintStep {
@@ -268,7 +245,7 @@ module DecompressionBombs {
    * Provides Decompression Sinks and additional taint steps for `github.com/klauspost/compress/gzip` package
    */
   module KlauspostGzip {
-    class TheSink extends Range {
+    class TheSink extends Sink {
       TheSink() {
         exists(Method f |
           f.hasQualifiedName("github.com/klauspost/compress/gzip", "Reader", "Read")
@@ -283,8 +260,6 @@ module DecompressionBombs {
           this = f.getACall().getReceiver()
         )
       }
-
-      override DataFlow::Node sink() { result = this }
     }
 
     class TheAdditionalTaintStep extends AdditionalTaintStep {
@@ -315,14 +290,12 @@ module DecompressionBombs {
    * Provides Decompression Sinks and additional taint steps for `compress/bzip2` package
    */
   module CompressBzip2 {
-    class TheSink extends Range {
+    class TheSink extends Sink {
       TheSink() {
         exists(Method f | f.hasQualifiedName("compress/bzip2", "reader", "Read") |
           this = f.getACall().getReceiver()
         )
       }
-
-      override DataFlow::Node sink() { result = this }
     }
 
     class TheAdditionalTaintStep extends AdditionalTaintStep {
@@ -352,14 +325,12 @@ module DecompressionBombs {
    * Provides Decompression Sinks and additional taint steps for `github.com/dsnet/compress/bzip2` package
    */
   module DsnetBzip2 {
-    class TheSink extends Range {
+    class TheSink extends Sink {
       TheSink() {
         exists(Method f | f.hasQualifiedName("github.com/dsnet/compress/bzip2", "Reader", "Read") |
           this = f.getACall().getReceiver()
         )
       }
-
-      override DataFlow::Node sink() { result = this }
     }
 
     class TheAdditionalTaintStep extends AdditionalTaintStep {
@@ -389,14 +360,12 @@ module DecompressionBombs {
    * Provides Decompression Sinks and additional taint steps for `github.com/dsnet/compress/flate` package
    */
   module DsnetFlate {
-    class TheSink extends Range {
+    class TheSink extends Sink {
       TheSink() {
         exists(Method f | f.hasQualifiedName("github.com/dsnet/compress/flate", "Reader", "Read") |
           this = f.getACall().getReceiver()
         )
       }
-
-      override DataFlow::Node sink() { result = this }
     }
 
     class TheAdditionalTaintStep extends AdditionalTaintStep {
@@ -426,14 +395,12 @@ module DecompressionBombs {
    * Provides Decompression Sinks and additional taint steps for `compress/flate` package
    */
   module CompressFlate {
-    class TheSink extends Range {
+    class TheSink extends Sink {
       TheSink() {
         exists(Method f | f.hasQualifiedName("compress/flate", "decompressor", "Read") |
           this = f.getACall().getReceiver()
         )
       }
-
-      override DataFlow::Node sink() { result = this }
     }
 
     class TheAdditionalTaintStep extends AdditionalTaintStep {
@@ -463,16 +430,14 @@ module DecompressionBombs {
    * Provides Decompression Sinks and additional taint steps for `github.com/klauspost/compress/flate` package
    */
   module KlauspostFlate {
-    class TheSink extends Range {
+    class TheSink extends Sink {
       TheSink() {
         exists(Method f |
           f.hasQualifiedName("github.com/klauspost/compress/flate", "decompressor", "Read")
         |
           this = f.getACall().getReceiver()
         )
       }
-
-      override DataFlow::Node sink() { result = this }
     }
 
     class TheAdditionalTaintStep extends AdditionalTaintStep {
@@ -482,7 +447,7 @@ module DecompressionBombs {
         DataFlow::Node fromNode, FlowState fromState, DataFlow::Node toNode, FlowState toState
       ) {
         exists(Function f, DataFlow::CallNode call |
-          f.hasQualifiedName(["github.com/klauspost/compress/flate"], ["NewReaderDict", "NewReader"]) and
+          f.hasQualifiedName("github.com/klauspost/compress/flate", ["NewReaderDict", "NewReader"]) and
           call = f.getACall()
         |
           fromNode = call.getArgument(0) and
@@ -502,16 +467,14 @@ module DecompressionBombs {
    * Provides Decompression Sinks and additional taint steps for `github.com/klauspost/compress/zlib` package
    */
   module KlauspostZlib {
-    class TheSink extends Range {
+    class TheSink extends Sink {
       TheSink() {
         exists(Method f |
           f.hasQualifiedName("github.com/klauspost/compress/zlib", "reader", "Read")
         |
           this = f.getACall().getReceiver()
         )
       }
-
-      override DataFlow::Node sink() { result = this }
     }
 
     class TheAdditionalTaintStep extends AdditionalTaintStep {
@@ -541,14 +504,12 @@ module DecompressionBombs {
    * Provides Decompression Sinks and additional taint steps for `compress/zlib` package
    */
   module CompressZlib {
-    class TheSink extends Range {
+    class TheSink extends Sink {
       TheSink() {
         exists(Method f | f.hasQualifiedName("compress/zlib", "reader", "Read") |
           this = f.getACall().getReceiver()
         )
       }
-
-      override DataFlow::Node sink() { result = this }
     }
 
     class TheAdditionalTaintStep extends AdditionalTaintStep {
@@ -578,16 +539,14 @@ module DecompressionBombs {
    * Provides Decompression Sinks and additional taint steps for `github.com/golang/snappy` package
    */
   module GolangSnappy {
-    class TheSink extends Range {
+    class TheSink extends Sink {
       TheSink() {
         exists(Method f |
           f.hasQualifiedName("github.com/golang/snappy", "Reader", ["Read", "ReadByte"])
         |
           this = f.getACall().getReceiver()
         )
       }
-
-      override DataFlow::Node sink() { result = this }
     }
 
     class TheAdditionalTaintStep extends AdditionalTaintStep {
@@ -644,7 +603,7 @@ module DecompressionBombs {
    * Provides Decompression Sinks and additional taint steps for `github.com/klauspost/compress/s2` package
    */
   module KlauspostS2 {
-    class TheSink extends Range {
+    class TheSink extends Sink {
       TheSink() {
         exists(Method m |
           m.hasQualifiedName("github.com/klauspost/compress/s2", "Reader",
@@ -653,8 +612,6 @@ module DecompressionBombs {
           this = m.getACall().getReceiver()
         )
       }
-
-      override DataFlow::Node sink() { result = this }
     }
 
     class TheAdditionalTaintStep extends AdditionalTaintStep {
@@ -684,22 +641,20 @@ module DecompressionBombs {
    * Provides Decompression Sinks for `"archive/tar` package
    */
   module ArchiveTar {
-    class TheSink extends Range {
+    class TheSink extends Sink {
       TheSink() {
         exists(Method f | f.hasQualifiedName("archive/tar", "Reader", "Read") |
           this = f.getACall().getReceiver()
         )
       }
-
-      override DataFlow::Node sink() { result = this }
     }
   }
 
   /**
    * Provides Decompression Sinks for packages that use some standard IO interfaces/methods for reading decompressed data
    */
   module GeneralReadIoSink {
-    class TheSink extends Range {
+    class TheSink extends Sink {
       TheSink() {
         exists(Function f | f.hasQualifiedName("io", ["Copy", "CopyBuffer", "CopyN"]) |
           this = f.getACall().getArgument(1)
@@ -726,8 +681,6 @@ module DecompressionBombs {
           this = f.getACall().getArgument(0)
         )
       }
-
-      override DataFlow::Node sink() { result = this }
     }
   }
 }