Merge pull request #379 from smowton/model-revel

Model Revel

Author: smowton

.github/workflows/codeqltest.yml

@@ -20,7 +20,7 @@ jobs:
         echo "Done"
         cd $HOME
         echo "Downloading CodeQL CLI..."
-        curl https://github.com/github/codeql-cli-binaries/releases/download/v2.3.0/codeql.zip -L -o codeql.zip
+        curl https://github.com/github/codeql-cli-binaries/releases/download/v2.3.1/codeql.zip -L -o codeql.zip
         echo "Done"
         echo "Unpacking CodeQL CLI..."
         unzip -q codeql.zip
@@ -65,7 +65,7 @@ jobs:
         echo "Done"
         cd $HOME
         echo "Downloading CodeQL CLI..."
-        curl https://github.com/github/codeql-cli-binaries/releases/download/v2.2.5/codeql.zip -L -o codeql.zip
+        curl https://github.com/github/codeql-cli-binaries/releases/download/v2.3.1/codeql.zip -L -o codeql.zip
         echo "Done"
         echo "Unpacking CodeQL CLI..."
         unzip -q codeql.zip
@@ -98,7 +98,7 @@ jobs:
         echo "Done"
         cd "$HOME"
         echo "Downloading CodeQL CLI..."
-        Invoke-WebRequest -Uri https://github.com/github/codeql-cli-binaries/releases/download/v2.2.5/codeql.zip -OutFile codeql.zip
+        Invoke-WebRequest -Uri https://github.com/github/codeql-cli-binaries/releases/download/v2.3.1/codeql.zip -OutFile codeql.zip
         echo "Done"
         echo "Unpacking CodeQL CLI..."
         Expand-Archive codeql.zip -DestinationPath $HOME

change-notes/2020-10-19-revel.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added basic support for the Revel web framework.

ql/src/go.qll

@@ -40,6 +40,7 @@ import semmle.go.frameworks.Macaron
 import semmle.go.frameworks.Mux
 import semmle.go.frameworks.NoSQL
 import semmle.go.frameworks.Protobuf
+import semmle.go.frameworks.Revel
 import semmle.go.frameworks.Spew
 import semmle.go.frameworks.SQL
 import semmle.go.frameworks.Stdlib

ql/src/semmle/go/dataflow/internal/TaintTrackingUtil.qll

@@ -177,8 +177,10 @@ predicate defaultAdditionalTaintStep(DataFlow::Node src, DataFlow::Node sink) {
   localAdditionalTaintStep(src, sink)
 }
 
+abstract class DefaultTaintSanitizer extends DataFlow::Node { }
+
 /**
  * Holds if `node` should be a sanitizer in all global taint flow configurations
  * but not in local taint.
  */
-predicate defaultTaintSanitizer(DataFlow::Node node) { none() }
+predicate defaultTaintSanitizer(DataFlow::Node node) { node instanceof DefaultTaintSanitizer }

ql/src/semmle/go/frameworks/Revel.qll

@@ -0,0 +1,218 @@
+/**
+ * Provides classes for working with untrusted flow sources from the `github.com/revel/revel` package.
+ */
+
+import go
+private import semmle.go.security.OpenUrlRedirectCustomizations
+
+module Revel {
+  /** Gets the package name. */
+  bindingset[result]
+  string packagePath() { result = package(["github.com/revel", "github.com/robfig"], "revel") }
+
+  private class ControllerParams extends UntrustedFlowSource::Range, DataFlow::FieldReadNode {
+    ControllerParams() {
+      exists(Field f |
+        this.readsField(_, f) and
+        f.hasQualifiedName(packagePath(), "Controller", "Params")
+      )
+    }
+  }
+
+  private class ParamsFixedSanitizer extends TaintTracking::DefaultTaintSanitizer,
+    DataFlow::FieldReadNode {
+    ParamsFixedSanitizer() {
+      exists(Field f |
+        this.readsField(_, f) and
+        f.hasQualifiedName(packagePath(), "Params", "Fixed")
+      )
+    }
+  }
+
+  private class ParamsBind extends TaintTracking::FunctionModel, Method {
+    ParamsBind() { this.hasQualifiedName(packagePath(), "Params", ["Bind", "BindJSON"]) }
+
+    override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) {
+      inp.isReceiver() and outp.isParameter(0)
+    }
+  }
+
+  private class RouteMatchParams extends UntrustedFlowSource::Range, DataFlow::FieldReadNode {
+    RouteMatchParams() {
+      exists(Field f |
+        this.readsField(_, f) and
+        f.hasQualifiedName(packagePath(), "RouteMatch", "Params")
+      )
+    }
+  }
+
+  /** An access to an HTTP request field whose value may be controlled by an untrusted user. */
+  private class UserControlledRequestField extends UntrustedFlowSource::Range,
+    DataFlow::FieldReadNode {
+    UserControlledRequestField() {
+      exists(string fieldName |
+        this.getField().hasQualifiedName(packagePath(), "Request", fieldName)
+      |
+        fieldName in ["Header", "ContentType", "AcceptLanguages", "Locale", "URL", "Form",
+              "MultipartForm"]
+      )
+    }
+  }
+
+  private class UserControlledRequestMethod extends UntrustedFlowSource::Range,
+    DataFlow::MethodCallNode {
+    UserControlledRequestMethod() {
+      this
+          .getTarget()
+          .hasQualifiedName(packagePath(), "Request",
+            ["FormValue", "PostFormValue", "GetQuery", "GetForm", "GetMultipartForm", "GetBody",
+                "Cookie", "GetHttpHeader", "GetRequestURI", "MultipartReader", "Referer",
+                "UserAgent"])
+    }
+  }
+
+  private class ServerCookieGetValue extends TaintTracking::FunctionModel, Method {
+    ServerCookieGetValue() { this.hasQualifiedName(packagePath(), "ServerCookie", "GetValue") }
+
+    override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) {
+      inp.isReceiver() and outp.isResult()
+    }
+  }
+
+  private class ServerMultipartFormGetFiles extends TaintTracking::FunctionModel, Method {
+    ServerMultipartFormGetFiles() {
+      this.hasQualifiedName(packagePath(), "ServerMultipartForm", ["GetFiles", "GetValues"])
+    }
+
+    override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) {
+      inp.isReceiver() and outp.isResult()
+    }
+  }
+
+  private string contentTypeFromFilename(DataFlow::Node filename) {
+    if filename.getStringValue().toLowerCase().matches(["%.htm", "%.html"])
+    then result = "text/html"
+    else result = "application/octet-stream"
+    // Actually Revel can figure out a variety of other content-types, but none of our analyses care to
+    // distinguish ones other than text/html.
+  }
+
+  /**
+   * `revel.Controller` methods which set the response content-type to and designate a result in one operation.
+   *
+   * Note these don't actually generate the response, they return a struct which is then returned by the controller
+   * method, but it is very likely if a string is being rendered that it will end up sent to the user.
+   *
+   * The `Render` and `RenderTemplate` methods are excluded for now because both execute HTML templates, and deciding
+   * whether a particular value is exposed unescaped or not requires parsing the template.
+   *
+   * The `RenderError` method can actually return HTML content, but again only via an HTML template if one exists;
+   * we assume it falls back to return plain text as this implies there is probably not an injection opportunity
+   * but there is an information leakage issue.
+   *
+   * The `RenderBinary` method can also return a variety of content-types based on the file extension passed.
+   * We look particularly for html file extensions, since these are the only ones we currently have special rules
+   * for (in particular, detecting XSS vulnerabilities).
+   */
+  private class ControllerRenderMethods extends HTTP::ResponseBody::Range {
+    string contentType;
+
+    ControllerRenderMethods() {
+      exists(Method m, string methodName, DataFlow::CallNode methodCall |
+        m.hasQualifiedName(packagePath(), "Controller", methodName) and
+        methodCall = m.getACall()
+      |
+        exists(int exposedArgument |
+          this = methodCall.getArgument(exposedArgument) and
+          (
+            methodName = "RenderBinary" and
+            contentType = contentTypeFromFilename(methodCall.getArgument(1)) and
+            exposedArgument = 0
+            or
+            methodName = "RenderError" and contentType = "text/plain" and exposedArgument = 0
+            or
+            methodName = "RenderHTML" and contentType = "text/html" and exposedArgument = 0
+            or
+            methodName = "RenderJSON" and contentType = "application/json" and exposedArgument = 0
+            or
+            methodName = "RenderJSONP" and
+            contentType = "application/javascript" and
+            exposedArgument = 1
+            or
+            methodName = "RenderXML" and contentType = "text/xml" and exposedArgument = 0
+          )
+        )
+        or
+        methodName = "RenderText" and
+        contentType = "text/plain" and
+        this = methodCall.getAnArgument()
+      )
+    }
+
+    override HTTP::ResponseWriter getResponseWriter() { none() }
+
+    override string getAContentType() { result = contentType }
+  }
+
+  /**
+   * The `revel.Controller.RenderFileName` method, which instructs Revel to open a file and return its contents.
+   * We extend FileSystemAccess rather than HTTP::ResponseBody as this will usually mean exposing a user-controlled
+   * file rather than the actual contents being user-controlled.
+   */
+  private class RenderFileNameCall extends FileSystemAccess::Range, DataFlow::CallNode {
+    RenderFileNameCall() {
+      this =
+        any(Method m | m.hasQualifiedName(packagePath(), "Controller", "RenderFileName")).getACall()
+    }
+
+    override DataFlow::Node getAPathArgument() { result = getArgument(0) }
+  }
+
+  /**
+   * The `revel.Controller.Redirect` method.
+   *
+   * It is currently assumed that a tainted `value` in `Redirect(url, value)`, which calls `Sprintf(url, value)`
+   * internally, cannot lead to an open redirect vulnerability.
+   */
+  private class ControllerRedirectMethod extends HTTP::Redirect::Range, DataFlow::CallNode {
+    ControllerRedirectMethod() {
+      exists(Method m | m.hasQualifiedName(packagePath(), "Controller", "Redirect") |
+        this = m.getACall()
+      )
+    }
+
+    override DataFlow::Node getUrl() { result = this.getArgument(0) }
+
+    override HTTP::ResponseWriter getResponseWriter() { none() }
+  }
+
+  /**
+   * The getter and setter methods of `revel.RevelHeader`.
+   *
+   * Note we currently don't implement `HeaderWrite` and related concepts, as they are currently only used
+   * to track content-type, and directly setting headers does not seem to be the usual way to set the response
+   * content-type for this framework. If and when the `HeaderWrite` concept has a more abstract idea of the
+   * relationship between header-writes and HTTP responses than looking for a particular `http.ResponseWriter`
+   * instance connecting the two, then we may implement it here for completeness.
+   */
+  private class RevelHeaderMethods extends TaintTracking::FunctionModel {
+    FunctionInput input;
+    FunctionOutput output;
+    string name;
+
+    RevelHeaderMethods() {
+      this.(Method).hasQualifiedName(packagePath(), "RevelHeader", name) and
+      (
+        name = ["Add", "Set"] and input.isParameter([0, 1]) and output.isReceiver()
+        or
+        name = ["Get", "GetAll"] and input.isReceiver() and output.isResult()
+        or
+        name = "SetCookie" and input.isParameter(0) and output.isReceiver()
+      )
+    }
+
+    override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) {
+      inp = input and outp = output
+    }
+  }
+}

ql/src/semmle/go/frameworks/WebSocket.qll

@@ -271,4 +271,28 @@ module WebSocketReader {
 
     override FunctionOutput getAnOutput() { result.isResult(1) }
   }
+
+  /**
+   * The `ServerWebSocket.MessageReceive` method of the `github.com/revel/revel` package.
+   */
+  private class RevelServerWebSocketMessageReceive extends Range, Method {
+    RevelServerWebSocketMessageReceive() {
+      // func MessageReceive(v interface{}) error
+      this.hasQualifiedName(Revel::packagePath(), "ServerWebSocket", "MessageReceive")
+    }
+
+    override FunctionOutput getAnOutput() { result.isParameter(0) }
+  }
+
+  /**
+   * The `ServerWebSocket.MessageReceiveJSON` method of the `github.com/revel/revel` package.
+   */
+  private class RevelServerWebSocketMessageReceiveJSON extends Range, Method {
+    RevelServerWebSocketMessageReceiveJSON() {
+      // func MessageReceiveJSON(v interface{}) error
+      this.hasQualifiedName(Revel::packagePath(), "ServerWebSocket", "MessageReceiveJSON")
+    }
+
+    override FunctionOutput getAnOutput() { result.isParameter(0) }
+  }
 }

ql/src/semmle/go/security/OpenUrlRedirect.qll

@@ -33,6 +33,9 @@ module OpenUrlRedirect {
       // taint steps that do not include flow through fields
       TaintTracking::localTaintStep(pred, succ) and not TaintTracking::fieldReadStep(pred, succ)
       or
+      // explicit extra taint steps for this query
+      any(AdditionalStep s).hasTaintStep(pred, succ)
+      or
       // propagate to a URL when its host is assigned to
       exists(Write w, Field f, SsaWithFields v | f.hasQualifiedName("net/url", "URL", "Host") |
         w.writesField(v.getAUse(), f, pred) and succ = v.getAUse()

ql/src/semmle/go/security/OpenUrlRedirectCustomizations.qll

@@ -34,6 +34,14 @@ module OpenUrlRedirect {
    */
   abstract class BarrierGuard extends DataFlow::BarrierGuard { }
 
+  /**
+   * An additional taint propagation step specific to this query.
+   */
+  bindingset[this]
+  abstract class AdditionalStep extends string {
+    abstract predicate hasTaintStep(DataFlow::Node pred, DataFlow::Node succ);
+  }
+
   /**
    * A source of third-party user input, considered as a flow source for URL redirects.
    */
@@ -120,3 +128,20 @@ private class UnsafeFieldReadSanitizer extends SafeUrlFlow::SanitizerEdge {
     )
   }
 }
+
+/**
+ * Reinstate the usual field propagation rules for fields, which the OpenURLRedirect
+ * query usually excludes, for fields of `Params` other than `Params.Fixed`.
+ */
+private class PropagateParamsFields extends OpenUrlRedirect::AdditionalStep {
+  PropagateParamsFields() { this = "PropagateParamsFields" }
+
+  override predicate hasTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(Field f, string field |
+      f.hasQualifiedName(Revel::packagePath(), "Params", field) and
+      field != "Fixed"
+    |
+      succ.(Read).readsField(pred, f)
+    )
+  }
+}

ql/src/semmle/go/security/ReflectedXssCustomizations.qll

@@ -56,6 +56,8 @@ module ReflectedXss {
   private predicate nonHtmlContentType(HTTP::ResponseBody body) {
     not htmlTypeSpecified(body) and
     (
+      exists(body.getAContentType())
+      or
       exists(body.getAContentTypeNode())
       or
       exists(DataFlow::CallNode call | call.getTarget().hasQualifiedName("fmt", "Fprintf") |

ql/test/library-tests/semmle/go/frameworks/Gin/Gin.ql

@@ -1,4 +1,3 @@
 import go
-import semmle.go.frameworks.Gin
 
 select any(UntrustedFlowSource src)