Merge pull request #373 from smowton/smowton/feature/golang-x-net-html

Add models for the read side of golang.org/x/net/html

Author: smowton

change-notes/2020-10-12-x-net-html.md

@@ -0,0 +1,3 @@
+lgtm,codescanning
+* Added partial support for the `golang.org/x/net/html` package, modeling tainted data flow from a retrieved HTML document to its attributes and other data.
+* Modeled more ways of writing data to an `net/http.ResponseWriter`. This may produce more results from queries such as `go/reflected-xss` which look for data flowing to an HTTP response.

ql/src/go.qll

@@ -47,5 +47,6 @@ import semmle.go.frameworks.Stdlib
 import semmle.go.frameworks.SystemCommandExecutors
 import semmle.go.frameworks.Testing
 import semmle.go.frameworks.WebSocket
+import semmle.go.frameworks.XNetHtml
 import semmle.go.frameworks.XPath
 import semmle.go.security.FlowSources

ql/src/semmle/go/Concepts.qll

@@ -366,7 +366,12 @@ module HTTP {
      * extend `HTTP::ResponseWriter` instead.
      */
     abstract class Range extends Variable {
-      /** Gets a data-flow node that is a use of this response writer. */
+      /**
+       * Gets a data-flow node that is a use of this response writer.
+       *
+       * Note that `PostUpdateNode`s for nodes that this predicate gets do not need to be
+       * included, as they are handled by the concrete `ResponseWriter`'s `getANode`.
+       */
       abstract DataFlow::Node getANode();
     }
   }
@@ -392,7 +397,10 @@ module HTTP {
     Redirect getARedirect() { result.getResponseWriter() = this }
 
     /** Gets a data-flow node that is a use of this response writer. */
-    DataFlow::Node getANode() { result = self.getANode() }
+    DataFlow::Node getANode() {
+      result = self.getANode() or
+      result.(DataFlow::PostUpdateNode).getPreUpdateNode() = self.getANode()
+    }
   }
 
   /** Provides a class for modeling new HTTP header-write APIs. */

ql/src/semmle/go/frameworks/XNetHtml.qll

@@ -0,0 +1,56 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `golang.org/x/net/html` subpackage.
+ *
+ * Currently we support the unmarshalling aspect of this package, conducting taint from an untrusted
+ * reader to an untrusted `Node` tree or `Tokenizer` instance, as well as simple remarshalling of `Node`s
+ * that were already untrusted. We do not yet model adding a child `Node` to a tree then calling `Render`
+ * yielding an untrustworthy string.
+ */
+
+import go
+
+/** Provides models of commonly used functions in the `golang.org/x/net/html` subpackage. */
+module XNetHtml {
+  /** Gets the package name `golang.org/x/net/html`. */
+  string packagePath() { result = "golang.org/x/net/html" }
+
+  private class EscapeString extends HtmlEscapeFunction, TaintTracking::FunctionModel {
+    EscapeString() { this.hasQualifiedName(packagePath(), "EscapeString") }
+
+    override predicate hasTaintFlow(DataFlow::FunctionInput input, DataFlow::FunctionOutput output) {
+      input.isParameter(0) and output.isResult()
+    }
+  }
+
+  private class FunctionModels extends TaintTracking::FunctionModel {
+    FunctionModels() { hasQualifiedName(packagePath(), _) }
+
+    override predicate hasTaintFlow(DataFlow::FunctionInput input, DataFlow::FunctionOutput output) {
+      getName() =
+        ["UnescapeString", "Parse", "ParseFragment", "ParseFragmentWithOptions", "ParseWithOptions",
+            "NewTokenizer", "NewTokenizerFragment"] and
+      input.isParameter(0) and
+      output.isResult(0)
+      or
+      getName() = ["AppendChild", "InsertBefore"] and
+      input.isParameter(0) and
+      output.isReceiver()
+      or
+      getName() = "Render" and
+      input.isParameter(1) and
+      output.isParameter(0)
+    }
+  }
+
+  private class TokenizerMethodModels extends Method, TaintTracking::FunctionModel {
+    TokenizerMethodModels() { this.hasQualifiedName(packagePath(), "Tokenizer", _) }
+
+    // Note that `TagName` and the key part of `TagAttr` are not sources by default under the assumption
+    // that their character-set restrictions usually rule them out as useful attack routes.
+    override predicate hasTaintFlow(DataFlow::FunctionInput input, DataFlow::FunctionOutput output) {
+      getName() = ["Buffered", "Raw", "Text", "Token"] and input.isReceiver() and output.isResult(0)
+      or
+      getName() = "TagAttr" and input.isReceiver() and output.isResult(1)
+    }
+  }
+}

ql/src/semmle/go/frameworks/stdlib/NetHttp.qll

@@ -135,33 +135,25 @@ module NetHttp {
   }
 
   private class ResponseBody extends HTTP::ResponseBody::Range, DataFlow::ArgumentNode {
-    int arg;
+    DataFlow::Node responseWriter;
 
     ResponseBody() {
       exists(DataFlow::CallNode call |
+        // A direct call to ResponseWriter.Write, conveying taint from the argument to the receiver
         call.getTarget().(Method).implements("net/http", "ResponseWriter", "Write") and
-        arg = 0
-        or
-        (
-          call.getTarget().hasQualifiedName("fmt", "Fprintf")
-          or
-          call.getTarget().hasQualifiedName("io", "WriteString")
-        ) and
-        call.getArgument(0).getType().hasQualifiedName("net/http", "ResponseWriter") and
-        arg >= 1
-      |
-        this = call.getArgument(arg)
+        this = call.getArgument(0) and
+        responseWriter = call.(DataFlow::MethodCallNode).getReceiver()
       )
-    }
-
-    override HTTP::ResponseWriter getResponseWriter() {
-      // the response writer is the receiver of this call
-      result.getANode() = this.getCall().(DataFlow::MethodCallNode).getReceiver()
       or
-      // the response writer is an argument to Fprintf or WriteString
-      arg >= 1 and
-      result.getANode() = this.getCall().getArgument(0)
+      exists(TaintTracking::FunctionModel model |
+        // A modelled function conveying taint from some input to the response writer,
+        // e.g. `io.Copy(responseWriter, someTaintedReader)`
+        model.taintStep(this, responseWriter) and
+        responseWriter.getType().implements("net/http", "ResponseWriter")
+      )
     }
+
+    override HTTP::ResponseWriter getResponseWriter() { result.getANode() = responseWriter }
   }
 
   private class RedirectCall extends HTTP::Redirect::Range, DataFlow::CallNode {

ql/test/library-tests/semmle/go/frameworks/XNetHtml/ReflectedXss.expected

@@ -0,0 +1,66 @@
+edges
+| test.go:10:15:10:42 | call to Cookie : tuple type | test.go:14:15:14:55 | type conversion |
+| test.go:10:15:10:42 | call to Cookie : tuple type | test.go:14:42:14:47 | implicit dereference : Cookie |
+| test.go:14:42:14:47 | implicit dereference : Cookie | test.go:14:15:14:55 | type conversion |
+| test.go:14:42:14:47 | implicit dereference : Cookie | test.go:14:42:14:47 | implicit dereference : Cookie |
+| test.go:16:24:16:35 | selection of Body : ReadCloser | test.go:17:15:17:31 | type conversion |
+| test.go:16:24:16:35 | selection of Body : ReadCloser | test.go:17:22:17:25 | implicit dereference : Node |
+| test.go:16:24:16:35 | selection of Body : ReadCloser | test.go:28:22:28:25 | node |
+| test.go:17:22:17:25 | implicit dereference : Node | test.go:17:15:17:31 | type conversion |
+| test.go:17:22:17:25 | implicit dereference : Node | test.go:17:22:17:25 | implicit dereference : Node |
+| test.go:17:22:17:25 | implicit dereference : Node | test.go:28:22:28:25 | node |
+| test.go:19:36:19:47 | selection of Body : ReadCloser | test.go:20:15:20:32 | type conversion |
+| test.go:19:36:19:47 | selection of Body : ReadCloser | test.go:20:22:20:26 | implicit dereference : Node |
+| test.go:20:22:20:26 | implicit dereference : Node | test.go:20:15:20:32 | type conversion |
+| test.go:20:22:20:26 | implicit dereference : Node | test.go:20:22:20:26 | implicit dereference : Node |
+| test.go:22:33:22:44 | selection of Body : ReadCloser | test.go:23:15:23:35 | type conversion |
+| test.go:22:33:22:44 | selection of Body : ReadCloser | test.go:23:22:23:29 | implicit dereference : Node |
+| test.go:23:22:23:29 | implicit dereference : Node | test.go:23:15:23:35 | type conversion |
+| test.go:23:22:23:29 | implicit dereference : Node | test.go:23:22:23:29 | implicit dereference : Node |
+| test.go:25:45:25:56 | selection of Body : ReadCloser | test.go:26:15:26:36 | type conversion |
+| test.go:25:45:25:56 | selection of Body : ReadCloser | test.go:26:22:26:30 | implicit dereference : Node |
+| test.go:26:22:26:30 | implicit dereference : Node | test.go:26:15:26:36 | type conversion |
+| test.go:26:22:26:30 | implicit dereference : Node | test.go:26:22:26:30 | implicit dereference : Node |
+| test.go:30:33:30:44 | selection of Body : ReadCloser | test.go:31:15:31:34 | call to Buffered |
+| test.go:30:33:30:44 | selection of Body : ReadCloser | test.go:32:15:32:29 | call to Raw |
+| test.go:30:33:30:44 | selection of Body : ReadCloser | test.go:34:15:34:19 | value |
+| test.go:30:33:30:44 | selection of Body : ReadCloser | test.go:35:15:35:30 | call to Text |
+| test.go:30:33:30:44 | selection of Body : ReadCloser | test.go:36:15:36:44 | type conversion |
+| test.go:30:33:30:44 | selection of Body : ReadCloser | test.go:36:22:36:38 | call to Token : Token |
+| test.go:36:22:36:38 | call to Token : Token | test.go:36:15:36:44 | type conversion |
+nodes
+| test.go:10:15:10:42 | call to Cookie : tuple type | semmle.label | call to Cookie : tuple type |
+| test.go:14:15:14:55 | type conversion | semmle.label | type conversion |
+| test.go:14:42:14:47 | implicit dereference : Cookie | semmle.label | implicit dereference : Cookie |
+| test.go:16:24:16:35 | selection of Body : ReadCloser | semmle.label | selection of Body : ReadCloser |
+| test.go:17:15:17:31 | type conversion | semmle.label | type conversion |
+| test.go:17:22:17:25 | implicit dereference : Node | semmle.label | implicit dereference : Node |
+| test.go:19:36:19:47 | selection of Body : ReadCloser | semmle.label | selection of Body : ReadCloser |
+| test.go:20:15:20:32 | type conversion | semmle.label | type conversion |
+| test.go:20:22:20:26 | implicit dereference : Node | semmle.label | implicit dereference : Node |
+| test.go:22:33:22:44 | selection of Body : ReadCloser | semmle.label | selection of Body : ReadCloser |
+| test.go:23:15:23:35 | type conversion | semmle.label | type conversion |
+| test.go:23:22:23:29 | implicit dereference : Node | semmle.label | implicit dereference : Node |
+| test.go:25:45:25:56 | selection of Body : ReadCloser | semmle.label | selection of Body : ReadCloser |
+| test.go:26:15:26:36 | type conversion | semmle.label | type conversion |
+| test.go:26:22:26:30 | implicit dereference : Node | semmle.label | implicit dereference : Node |
+| test.go:28:22:28:25 | node | semmle.label | node |
+| test.go:30:33:30:44 | selection of Body : ReadCloser | semmle.label | selection of Body : ReadCloser |
+| test.go:31:15:31:34 | call to Buffered | semmle.label | call to Buffered |
+| test.go:32:15:32:29 | call to Raw | semmle.label | call to Raw |
+| test.go:34:15:34:19 | value | semmle.label | value |
+| test.go:35:15:35:30 | call to Text | semmle.label | call to Text |
+| test.go:36:15:36:44 | type conversion | semmle.label | type conversion |
+| test.go:36:22:36:38 | call to Token : Token | semmle.label | call to Token : Token |
+#select
+| test.go:14:15:14:55 | type conversion | test.go:10:15:10:42 | call to Cookie : tuple type | test.go:14:15:14:55 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:10:15:10:42 | call to Cookie | user-provided value |
+| test.go:17:15:17:31 | type conversion | test.go:16:24:16:35 | selection of Body : ReadCloser | test.go:17:15:17:31 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:16:24:16:35 | selection of Body | user-provided value |
+| test.go:20:15:20:32 | type conversion | test.go:19:36:19:47 | selection of Body : ReadCloser | test.go:20:15:20:32 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:19:36:19:47 | selection of Body | user-provided value |
+| test.go:23:15:23:35 | type conversion | test.go:22:33:22:44 | selection of Body : ReadCloser | test.go:23:15:23:35 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:22:33:22:44 | selection of Body | user-provided value |
+| test.go:26:15:26:36 | type conversion | test.go:25:45:25:56 | selection of Body : ReadCloser | test.go:26:15:26:36 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:25:45:25:56 | selection of Body | user-provided value |
+| test.go:28:22:28:25 | node | test.go:16:24:16:35 | selection of Body : ReadCloser | test.go:28:22:28:25 | node | Cross-site scripting vulnerability due to $@. | test.go:16:24:16:35 | selection of Body | user-provided value |
+| test.go:31:15:31:34 | call to Buffered | test.go:30:33:30:44 | selection of Body : ReadCloser | test.go:31:15:31:34 | call to Buffered | Cross-site scripting vulnerability due to $@. | test.go:30:33:30:44 | selection of Body | user-provided value |
+| test.go:32:15:32:29 | call to Raw | test.go:30:33:30:44 | selection of Body : ReadCloser | test.go:32:15:32:29 | call to Raw | Cross-site scripting vulnerability due to $@. | test.go:30:33:30:44 | selection of Body | user-provided value |
+| test.go:34:15:34:19 | value | test.go:30:33:30:44 | selection of Body : ReadCloser | test.go:34:15:34:19 | value | Cross-site scripting vulnerability due to $@. | test.go:30:33:30:44 | selection of Body | user-provided value |
+| test.go:35:15:35:30 | call to Text | test.go:30:33:30:44 | selection of Body : ReadCloser | test.go:35:15:35:30 | call to Text | Cross-site scripting vulnerability due to $@. | test.go:30:33:30:44 | selection of Body | user-provided value |
+| test.go:36:15:36:44 | type conversion | test.go:30:33:30:44 | selection of Body : ReadCloser | test.go:36:15:36:44 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:30:33:30:44 | selection of Body | user-provided value |

ql/test/library-tests/semmle/go/frameworks/XNetHtml/ReflectedXss.qlref

@@ -0,0 +1 @@
+Security/CWE-079/ReflectedXss.ql

ql/test/library-tests/semmle/go/frameworks/XNetHtml/go.mod

@@ -0,0 +1,7 @@
+module example.com/m
+
+go 1.14
+
+require (
+	golang.org/x/net v0.0.0-20201010224723-4f7140c49acb
+)

ql/test/library-tests/semmle/go/frameworks/XNetHtml/test.go

@@ -0,0 +1,38 @@
+package test
+
+import (
+	"golang.org/x/net/html"
+	"net/http"
+)
+
+func test(request *http.Request, writer http.ResponseWriter) {
+
+	cookie, _ := request.Cookie("SomeCookie")
+
+	writer.Write([]byte(html.EscapeString(cookie.Value))) // GOOD: escaped.
+
+	writer.Write([]byte(html.UnescapeString(cookie.Value))) // BAD: unescaped.
+
+	node, _ := html.Parse(request.Body)
+	writer.Write([]byte(node.Data)) // BAD: writing unescaped HTML data
+
+	node2, _ := html.ParseWithOptions(request.Body)
+	writer.Write([]byte(node2.Data)) // BAD: writing unescaped HTML data
+
+	nodes, _ := html.ParseFragment(request.Body, nil)
+	writer.Write([]byte(nodes[0].Data)) // BAD: writing unescaped HTML data
+
+	nodes2, _ := html.ParseFragmentWithOptions(request.Body, nil)
+	writer.Write([]byte(nodes2[0].Data)) // BAD: writing unescaped HTML data
+
+	html.Render(writer, node) // BAD: rendering untrusted HTML to `writer`
+
+	tokenizer := html.NewTokenizer(request.Body)
+	writer.Write(tokenizer.Buffered()) // BAD: writing unescaped HTML data
+	writer.Write(tokenizer.Raw())      // BAD: writing unescaped HTML data
+	_, value, _ := tokenizer.TagAttr()
+	writer.Write(value)                          // BAD: writing unescaped HTML data
+	writer.Write(tokenizer.Text())               // BAD: writing unescaped HTML data
+	writer.Write([]byte(tokenizer.Token().Data)) // BAD: writing unescaped HTML data
+
+}