Merge pull request github#16697 from egregius313/egregius313/go/dataflow/threat-modeling

Go: Introduce Threat Modeling

Author: egregius313

go/ql/lib/change-notes/2024-06-06-add-go-threatmodelflowsource.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added the `ThreatModelFlowSource` class to `FlowSources.qll`. The `ThreatModelFlowSource` class can be used to include sources which match the current *threat model* configuration. This is the first step in supporting threat modeling for Go.

go/ql/lib/qlpack.yml

@@ -8,6 +8,7 @@ upgrades: upgrades
 dependencies:
   codeql/dataflow: ${workspace}
   codeql/mad: ${workspace}
+  codeql/threat-models: ${workspace}
   codeql/tutorial: ${workspace}
   codeql/util: ${workspace}
 dataExtensions:

go/ql/lib/semmle/go/security/FlowSources.qll

@@ -4,6 +4,7 @@
 
 import go
 private import semmle.go.dataflow.ExternalFlow as ExternalFlow
+private import codeql.threatmodels.ThreatModels
 
 /**
  * DEPRECATED: Use `RemoteFlowSource` instead.
@@ -31,7 +32,9 @@ module RemoteFlowSource {
    * Extend this class to model new APIs. If you want to refine existing API models,
    * extend `RemoteFlowSource` instead.
    */
-  abstract class Range extends DataFlow::Node { }
+  abstract class Range extends SourceNode {
+    override string getThreatModel() { result = "remote" }
+  }
 
   /**
    * A source of data that is controlled by an untrusted user.
@@ -40,3 +43,27 @@ module RemoteFlowSource {
     MaDRemoteSource() { ExternalFlow::sourceNode(this, "remote") }
   }
 }
+
+/**
+ * A data flow source.
+ */
+abstract class SourceNode extends DataFlow::Node {
+  /**
+   * Gets a string that represents the source kind with respect to threat modeling.
+   */
+  abstract string getThreatModel();
+}
+
+/**
+ * A class of data flow sources that respects the
+ * current threat model configuration.
+ */
+class ThreatModelFlowSource extends DataFlow::Node {
+  ThreatModelFlowSource() {
+    exists(string kind |
+      // Specific threat model.
+      currentThreatModel(kind) and
+      (this.(SourceNode).getThreatModel() = kind or ExternalFlow::sourceNode(this, kind))
+    )
+  }
+}

go/ql/test/library-tests/semmle/go/dataflow/ThreatModels/Test.qll

@@ -0,0 +1,14 @@
+private import go
+private import semmle.go.security.FlowSources
+private import semmle.go.dataflow.ExternalFlow
+private import semmle.go.dataflow.DataFlow
+
+private module ThreatModelConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
+
+  predicate isSink(DataFlow::Node sink) {
+    sink = any(DataFlow::CallNode c | c.getTarget().getName() = "sink").getAnArgument()
+  }
+}
+
+module ThreatModelFlow = TaintTracking::Global<ThreatModelConfig>;

go/ql/test/library-tests/semmle/go/dataflow/ThreatModels/go.mod

@@ -0,0 +1,5 @@
+module semmle.go.dataflow.ThreatModels
+
+go 1.22.3
+
+require github.com/nonexistent/sources v0.0.0-20240601000000-0000000000000

go/ql/test/library-tests/semmle/go/dataflow/ThreatModels/test.go

@@ -0,0 +1,38 @@
+package main
+
+import (
+	"github.com/nonexistent/sources"
+	"net/http"
+)
+
+func Environment() {
+	home := sources.ReadEnvironment("HOME")
+
+	sink("SELECT * FROM " + home)
+}
+
+func Cli() {
+	arg := sources.GetCliArg("arg")
+
+	sink("SELECT * FROM " + arg)
+}
+
+func Custom() {
+	query := sources.GetCustom("query")
+
+	sink("SELECT * FROM " + query)
+}
+
+func StoredSqlInjection() {
+	query := sources.ExecuteQuery("SELECT * FROM queries LIMIT 1")
+	sink(query)
+}
+
+func Handler(w http.ResponseWriter, r *http.Request) {
+	query := r.URL.Query().Get("query")
+
+	sink("SELECT * FROM " + query)
+}
+
+func sink(s string) {
+}

go/ql/test/library-tests/semmle/go/dataflow/ThreatModels/threat-models-flowtest1.expected

@@ -0,0 +1,12 @@
+edges
+| test.go:32:11:32:15 | selection of URL | test.go:32:11:32:23 | call to Query | provenance | MaD:738 |
+| test.go:32:11:32:23 | call to Query | test.go:32:11:32:36 | call to Get | provenance | MaD:745 |
+| test.go:32:11:32:36 | call to Get | test.go:34:7:34:30 | ...+... | provenance |  |
+nodes
+| test.go:32:11:32:15 | selection of URL | semmle.label | selection of URL |
+| test.go:32:11:32:23 | call to Query | semmle.label | call to Query |
+| test.go:32:11:32:36 | call to Get | semmle.label | call to Get |
+| test.go:34:7:34:30 | ...+... | semmle.label | ...+... |
+subpaths
+#select
+| test.go:32:11:32:15 | selection of URL | test.go:34:7:34:30 | ...+... |

go/ql/test/library-tests/semmle/go/dataflow/ThreatModels/threat-models-flowtest1.ext.yml

@@ -0,0 +1,15 @@
+extensions:
+
+  - addsTo:
+      pack: codeql/threat-models
+      extensible: threatModelConfiguration
+    data: []
+
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sourceModel
+    data:
+      - ["github.com/nonexistent/sources", "", False, "ExecuteQuery", "", "", "ReturnValue", "database", "manual"]
+      - ["github.com/nonexistent/sources", "", False, "ReadEnvironment", "", "", "ReturnValue", "environment", "manual"]
+      - ["github.com/nonexistent/sources", "", False, "GetCustom", "", "", "ReturnValue", "custom", "manual"]
+      - ["github.com/nonexistent/sources", "", False, "GetCliArg", "", "", "ReturnValue", "commandargs", "manual"]

go/ql/test/library-tests/semmle/go/dataflow/ThreatModels/threat-models-flowtest1.ql

@@ -0,0 +1,10 @@
+/**
+ * This is a dataflow test using the "default" threat model.
+ */
+
+import Test
+import ThreatModelFlow::PathGraph
+
+from ThreatModelFlow::PathNode source, ThreatModelFlow::PathNode sink
+where ThreatModelFlow::flowPath(source, sink)
+select source, sink

go/ql/test/library-tests/semmle/go/dataflow/ThreatModels/threat-models-flowtest2.expected

@@ -0,0 +1,16 @@
+edges
+| test.go:27:11:27:63 | call to ExecuteQuery | test.go:28:7:28:11 | query | provenance | Src:MaD:1  |
+| test.go:32:11:32:15 | selection of URL | test.go:32:11:32:23 | call to Query | provenance | MaD:738 |
+| test.go:32:11:32:23 | call to Query | test.go:32:11:32:36 | call to Get | provenance | MaD:745 |
+| test.go:32:11:32:36 | call to Get | test.go:34:7:34:30 | ...+... | provenance |  |
+nodes
+| test.go:27:11:27:63 | call to ExecuteQuery | semmle.label | call to ExecuteQuery |
+| test.go:28:7:28:11 | query | semmle.label | query |
+| test.go:32:11:32:15 | selection of URL | semmle.label | selection of URL |
+| test.go:32:11:32:23 | call to Query | semmle.label | call to Query |
+| test.go:32:11:32:36 | call to Get | semmle.label | call to Get |
+| test.go:34:7:34:30 | ...+... | semmle.label | ...+... |
+subpaths
+#select
+| test.go:27:11:27:63 | call to ExecuteQuery | test.go:28:7:28:11 | query |
+| test.go:32:11:32:15 | selection of URL | test.go:34:7:34:30 | ...+... |