Merge pull request #285 from smowton/protobufs

Protobuf modelling

Author: max-schaefer

ql/src/go.qll

@@ -34,6 +34,7 @@ import semmle.go.frameworks.HTTP
 import semmle.go.frameworks.Macaron
 import semmle.go.frameworks.Mux
 import semmle.go.frameworks.NoSQL
+import semmle.go.frameworks.Protobuf
 import semmle.go.frameworks.SQL
 import semmle.go.frameworks.Stdlib
 import semmle.go.frameworks.SystemCommandExecutors

ql/src/semmle/go/controlflow/ControlFlowGraph.qll

@@ -165,6 +165,13 @@ module ControlFlow {
         self.getRhs() = rhs.asInstruction()
       )
     }
+
+    /**
+     * Holds if this node sets any field or element of `base` to `rhs`.
+     */
+    predicate writesComponent(DataFlow::Node base, DataFlow::Node rhs) {
+      writesElement(base, _, rhs) or writesField(base, _, rhs)
+    }
   }
 
   /**

ql/src/semmle/go/controlflow/IR.qll

@@ -253,23 +253,32 @@ module IR {
     )
   }
 
+  /**
+   * An IR instruction that reads a component from a composite object.
+   *
+   * This is either a field of a struct, or an element of an array, map, slice or string.
+   */
+  class ComponentReadInstruction extends ReadInstruction, EvalInstruction {
+    ComponentReadInstruction() {
+      e instanceof IndexExpr
+      or
+      e.(SelectorExpr).getBase() instanceof ValueExpr and
+      not e.(SelectorExpr).getSelector() = any(Method method).getAReference()
+    }
+
+    /** Gets the instruction computing the base value on which the field or element is read. */
+    Instruction getBase() { result = selectorBase(e) }
+  }
+
   /**
    * An IR instruction that reads the value of a field.
    *
    * On snapshots with incomplete type information, method expressions may sometimes be
    * misclassified as field reads.
    */
-  class FieldReadInstruction extends ReadInstruction, EvalInstruction {
+  class FieldReadInstruction extends ComponentReadInstruction {
     override SelectorExpr e;
 
-    FieldReadInstruction() {
-      e.getBase() instanceof ValueExpr and
-      not e.getSelector() = any(Method method).getAReference()
-    }
-
-    /** Gets the instruction computing the base value on which the field is read. */
-    Instruction getBase() { result = selectorBase(e) }
-
     /** Gets the field being read. */
     Field getField() { e.getSelector() = result.getAReference() }
 
@@ -299,12 +308,9 @@ module IR {
   /**
    * An IR instruction that reads an element of an array, slice, map or string.
    */
-  class ElementReadInstruction extends ReadInstruction, EvalInstruction {
+  class ElementReadInstruction extends ComponentReadInstruction {
     override IndexExpr e;
 
-    /** Gets the instruction computing the base value on which the element is looked up. */
-    Instruction getBase() { result = selectorBase(e) }
-
     /** Gets the instruction computing the index of the element being looked up. */
     Instruction getIndex() { result = evalExprInstruction(e.getIndex()) }
 

ql/src/semmle/go/dataflow/internal/DataFlowUtil.qll

@@ -591,13 +591,20 @@ class ReadNode extends InstructionNode {
 }
 
 /**
- * A data-flow node that reads an element of an array, map, slice or string.
+ * A data-flow node that reads the value of a field from a struct, or an element from an array, slice, map or string.
  */
-class ElementReadNode extends ReadNode {
-  override IR::ElementReadInstruction insn;
+class ComponentReadNode extends ReadNode {
+  override IR::ComponentReadInstruction insn;
 
-  /** Gets the data-flow node representing the base from which the element is read. */
+  /** Gets the data-flow node representing the base from which the field or element is read. */
   Node getBase() { result = instructionNode(insn.getBase()) }
+}
+
+/**
+ * A data-flow node that reads an element of an array, map, slice or string.
+ */
+class ElementReadNode extends ComponentReadNode {
+  override IR::ElementReadInstruction insn;
 
   /** Gets the data-flow node representing the index of the element being read. */
   Node getIndex() { result = instructionNode(insn.getIndex()) }
@@ -744,12 +751,9 @@ class AddressOperationNode extends UnaryOperationNode, ExprNode {
 /**
  * A data-flow node that reads the value of a field.
  */
-class FieldReadNode extends ReadNode {
+class FieldReadNode extends ComponentReadNode {
   override IR::FieldReadInstruction insn;
 
-  /** Gets the base node from which the field is read. */
-  Node getBase() { result = instructionNode(insn.getBase()) }
-
   /** Gets the field this node reads. */
   Field getField() { result = insn.getField() }
 

ql/src/semmle/go/frameworks/Protobuf.qll

@@ -0,0 +1,174 @@
+/** Provides models of commonly used functions and types in the protobuf packages. */
+
+import go
+
+/** Provides models of commonly used functions and types in the protobuf packages. */
+module Protobuf {
+  /** Gets the name of the modern protobuf top-level implementation package. */
+  string modernProtobufPackage() { result = "google.golang.org/protobuf/proto" }
+
+  /** Gets the name of the modern protobuf implementation's `protoiface` subpackage. */
+  string protobufIfacePackage() { result = "google.golang.org/protobuf/runtime/protoiface" }
+
+  /** Gets the name of the modern protobuf implementation's `protoreflect` subpackage. */
+  string protobufReflectPackage() { result = "google.golang.org/protobuf/reflect/protoreflect" }
+
+  /** Gets the name of a top-level protobuf implementation package. */
+  string protobufPackages() {
+    result in ["github.com/golang/protobuf/proto", modernProtobufPackage()]
+  }
+
+  /** The `Marshal` and `MarshalAppend` functions in the protobuf packages. */
+  private class MarshalFunction extends TaintTracking::FunctionModel, MarshalingFunction::Range {
+    string name;
+
+    MarshalFunction() {
+      name = ["Marshal", "MarshalAppend"] and
+      (
+        this.hasQualifiedName(protobufPackages(), name) or
+        this.(Method).hasQualifiedName(modernProtobufPackage(), "MarshalOptions", name)
+      )
+    }
+
+    override predicate hasTaintFlow(DataFlow::FunctionInput inp, DataFlow::FunctionOutput outp) {
+      inp = getAnInput() and outp = getOutput()
+    }
+
+    override DataFlow::FunctionInput getAnInput() {
+      if name = "MarshalAppend" then result.isParameter(1) else result.isParameter(0)
+    }
+
+    override DataFlow::FunctionOutput getOutput() {
+      name = "MarshalAppend" and result.isParameter(0)
+      or
+      result.isResult(0)
+    }
+
+    override string getFormat() { result = "protobuf" }
+  }
+
+  private Field inputMessageField() {
+    result.hasQualifiedName(protobufIfacePackage(), "MarshalInput", "Message")
+  }
+
+  private Method marshalStateMethod() {
+    result.hasQualifiedName(protobufIfacePackage(), "MarshalOptions", "MarshalState")
+  }
+
+  /**
+   * Additional taint-flow step modelling flow from `MarshalInput.Message` to `MarshalOutput`,
+   * mediated by a `MarshalOptions.MarshalState` call.
+   *
+   * Note we can taint the whole `MarshalOutput` as it only has one field (`Buf`), and taint-
+   * tracking always considers a field of a tainted struct to itself be tainted.
+   */
+  private class MarshalStateStep extends TaintTracking::AdditionalTaintStep {
+    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+      exists(DataFlow::PostUpdateNode marshalInput, DataFlow::CallNode marshalStateCall |
+        marshalStateCall = marshalStateMethod().getACall() and
+        // pred -> marshalInput.Message
+        any(DataFlow::Write w)
+            .writesField(marshalInput.getPreUpdateNode(), inputMessageField(), pred) and
+        // marshalInput -> marshalStateCall
+        marshalStateCall.getArgument(0) = globalValueNumber(marshalInput).getANode() and
+        // marshalStateCall -> succ
+        marshalStateCall.getResult() = succ
+      )
+    }
+  }
+
+  /** The `Unmarshal` function in the protobuf packages. */
+  class UnmarshalFunction extends TaintTracking::FunctionModel, UnmarshalingFunction::Range {
+    UnmarshalFunction() {
+      this.hasQualifiedName(protobufPackages(), "Unmarshal") or
+      this.(Method).hasQualifiedName(modernProtobufPackage(), "UnmarshalOptions", "Unmarshal")
+    }
+
+    override predicate hasTaintFlow(DataFlow::FunctionInput inp, DataFlow::FunctionOutput outp) {
+      inp = getAnInput() and outp = getOutput()
+    }
+
+    override DataFlow::FunctionInput getAnInput() { result.isParameter(0) }
+
+    override DataFlow::FunctionOutput getOutput() { result.isParameter(1) }
+
+    override string getFormat() { result = "protobuf" }
+  }
+
+  /** The `Merge` function in the protobuf packages. */
+  private class MergeFunction extends TaintTracking::FunctionModel {
+    MergeFunction() { this.hasQualifiedName(protobufPackages(), "Merge") }
+
+    override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) {
+      inp.isParameter(1) and outp.isParameter(0)
+    }
+  }
+
+  /** A protobuf `Message` type. */
+  class MessageType extends Type {
+    MessageType() { this.implements(protobufReflectPackage(), "ProtoMessage") }
+  }
+
+  /** The `Clone` function in the protobuf packages. */
+  private class MessageCloneFunction extends TaintTracking::FunctionModel {
+    MessageCloneFunction() { this.hasQualifiedName(protobufPackages(), "Clone") }
+
+    override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) {
+      inp.isParameter(0) and outp.isResult()
+    }
+  }
+
+  /** A `Get` method of a protobuf `Message` type. */
+  private class GetMethod extends DataFlow::FunctionModel, Method {
+    GetMethod() {
+      exists(string name | name.matches("Get%") | this = any(MessageType msg).getMethod(name))
+    }
+
+    override predicate hasDataFlow(FunctionInput inp, FunctionOutput outp) {
+      inp.isReceiver() and outp.isResult()
+    }
+  }
+
+  /** A `ProtoReflect` method of a protobuf `Message` type. */
+  private class ProtoReflectMethod extends DataFlow::FunctionModel, Method {
+    ProtoReflectMethod() { this = any(MessageType msg).getMethod("ProtoReflect") }
+
+    override predicate hasDataFlow(FunctionInput inp, FunctionOutput outp) {
+      inp.isReceiver() and outp.isResult()
+    }
+  }
+
+  /**
+   * Gets the base of `node`, looking through any dereference node found.
+   */
+  private DataFlow::Node getBaseLookingThroughDerefs(DataFlow::ComponentReadNode node) {
+    result = node.getBase().(DataFlow::PointerDereferenceNode).getOperand()
+    or
+    result = node.getBase() and not node.getBase() instanceof DataFlow::PointerDereferenceNode
+  }
+
+  /**
+   * Gets the data-flow node representing the bottom of a stack of zero or more `ComponentReadNode`s
+   * perhaps with interleaved dereferences.
+   *
+   * For example, in the expression a.b[c].d[e], this would return the dataflow node for the read from `a`.
+   */
+  private DataFlow::Node getUnderlyingNode(DataFlow::ReadNode read) {
+    (result = read or result = getBaseLookingThroughDerefs+(read)) and
+    not result instanceof DataFlow::ComponentReadNode
+  }
+
+  /**
+   * Additional taint step tainting a Message when taint is written to any of its fields and/or elements.
+   */
+  private class WriteMessageFieldStep extends TaintTracking::AdditionalTaintStep {
+    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+      [succ.getType(), succ.getType().getPointerType()] instanceof MessageType and
+      exists(DataFlow::ReadNode base |
+        succ.(DataFlow::PostUpdateNode).getPreUpdateNode() = getUnderlyingNode(base)
+      |
+        any(DataFlow::Write w).writesComponent(base, pred)
+      )
+    }
+  }
+}

ql/test/library-tests/semmle/go/frameworks/Protobuf/TaintFlows.expected

@@ -0,0 +1,31 @@
+| testDeprecatedApi.go:22:22:22:41 | call to getUntrustedString : string | testDeprecatedApi.go:26:12:26:21 | serialized |
+| testDeprecatedApi.go:31:22:31:41 | call to getUntrustedString : string | testDeprecatedApi.go:37:12:37:21 | serialized |
+| testDeprecatedApi.go:41:25:41:43 | call to getUntrustedBytes : slice type | testDeprecatedApi.go:45:13:45:29 | selection of Description |
+| testDeprecatedApi.go:49:25:49:43 | call to getUntrustedBytes : slice type | testDeprecatedApi.go:53:13:53:34 | call to GetDescription |
+| testDeprecatedApi.go:58:23:58:42 | call to getUntrustedString : string | testDeprecatedApi.go:65:12:65:21 | serialized |
+| testDeprecatedApi.go:70:14:70:33 | call to getUntrustedString : string | testDeprecatedApi.go:77:12:77:21 | serialized |
+| testDeprecatedApi.go:85:24:85:43 | call to getUntrustedString : string | testDeprecatedApi.go:89:12:89:21 | serialized |
+| testDeprecatedApi.go:93:25:93:43 | call to getUntrustedBytes : slice type | testDeprecatedApi.go:97:13:97:31 | selection of Msg |
+| testDeprecatedApi.go:104:22:104:41 | call to getUntrustedString : string | testDeprecatedApi.go:105:13:105:20 | selection of Id |
+| testDeprecatedApi.go:112:22:112:41 | call to getUntrustedString : string | testDeprecatedApi.go:117:12:117:21 | serialized |
+| testDeprecatedApi.go:133:29:133:48 | call to getUntrustedString : string | testDeprecatedApi.go:137:12:137:21 | serialized |
+| testDeprecatedApi.go:143:20:143:39 | call to getUntrustedString : string | testDeprecatedApi.go:148:12:148:21 | serialized |
+| testDeprecatedApi.go:152:25:152:43 | call to getUntrustedBytes : slice type | testDeprecatedApi.go:157:13:157:36 | index expression |
+| testDeprecatedApi.go:161:25:161:43 | call to getUntrustedBytes : slice type | testDeprecatedApi.go:168:13:168:25 | index expression |
+| testModernApi.go:11:22:11:41 | call to getUntrustedString : string | testModernApi.go:15:12:15:21 | serialized |
+| testModernApi.go:20:22:20:41 | call to getUntrustedString : string | testModernApi.go:26:12:26:21 | serialized |
+| testModernApi.go:30:25:30:43 | call to getUntrustedBytes : slice type | testModernApi.go:34:13:34:29 | selection of Description |
+| testModernApi.go:38:25:38:43 | call to getUntrustedBytes : slice type | testModernApi.go:42:13:42:34 | call to GetDescription |
+| testModernApi.go:47:23:47:42 | call to getUntrustedString : string | testModernApi.go:54:12:54:21 | serialized |
+| testModernApi.go:59:22:59:41 | call to getUntrustedString : string | testModernApi.go:64:12:64:21 | serialized |
+| testModernApi.go:71:22:71:41 | call to getUntrustedString : string | testModernApi.go:77:12:77:21 | serialized |
+| testModernApi.go:98:14:98:33 | call to getUntrustedString : string | testModernApi.go:105:12:105:21 | serialized |
+| testModernApi.go:113:24:113:43 | call to getUntrustedString : string | testModernApi.go:117:12:117:21 | serialized |
+| testModernApi.go:121:25:121:43 | call to getUntrustedBytes : slice type | testModernApi.go:125:13:125:31 | selection of Msg |
+| testModernApi.go:131:25:131:43 | call to getUntrustedBytes : slice type | testModernApi.go:135:13:135:29 | selection of Description |
+| testModernApi.go:142:22:142:41 | call to getUntrustedString : string | testModernApi.go:143:13:143:20 | selection of Id |
+| testModernApi.go:150:22:150:41 | call to getUntrustedString : string | testModernApi.go:155:12:155:21 | serialized |
+| testModernApi.go:190:29:190:48 | call to getUntrustedString : string | testModernApi.go:194:12:194:21 | serialized |
+| testModernApi.go:200:20:200:39 | call to getUntrustedString : string | testModernApi.go:205:12:205:21 | serialized |
+| testModernApi.go:209:25:209:43 | call to getUntrustedBytes : slice type | testModernApi.go:214:13:214:36 | index expression |
+| testModernApi.go:218:25:218:43 | call to getUntrustedBytes : slice type | testModernApi.go:225:13:225:25 | index expression |

ql/test/library-tests/semmle/go/frameworks/Protobuf/TaintFlows.ql

@@ -0,0 +1,27 @@
+import go
+
+class UntrustedFunction extends Function {
+  UntrustedFunction() { this.getName() = ["getUntrustedString", "getUntrustedBytes"] }
+}
+
+class UntrustedSource extends DataFlow::Node, UntrustedFlowSource::Range {
+  UntrustedSource() { this = any(UntrustedFunction f).getACall() }
+}
+
+class SinkFunction extends Function {
+  SinkFunction() { this.getName() = ["sinkString", "sinkBytes"] }
+}
+
+class TestConfig extends TaintTracking::Configuration {
+  TestConfig() { this = "testconfig" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) {
+    sink = any(SinkFunction f).getACall().getAnArgument()
+  }
+}
+
+from TaintTracking::Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
+where config.hasFlowPath(source, sink)
+select source, sink

ql/test/library-tests/semmle/go/frameworks/Protobuf/go.mod

@@ -0,0 +1,9 @@
+module codeql-go-tests/protobuf
+
+go 1.14
+
+require (
+	github.com/golang/protobuf v1.4.2
+	google.golang.org/protobuf v1.23.0
+)
+

ql/test/library-tests/semmle/go/frameworks/Protobuf/protos/query.proto

@@ -0,0 +1,25 @@
+syntax = "proto3";
+option go_package = "protos/query";
+
+message Query {
+  string description = 1;
+  string id = 2;
+
+  enum Severity {
+    ERROR = 0;
+    WARNING = 1;
+  }
+
+  message Alert {
+    string msg = 1;
+    int64 loc = 2;
+  }
+
+  repeated Alert alerts = 4;
+
+  map<int32, string> keyValuePairs = 5;
+}
+
+message QuerySuite {
+  repeated Query queries = 1;
+}