Add taint-tracking for archive/tar and archive/zip

Author: gagliardetto

ql/src/semmle/go/frameworks/Stdlib.qll

@@ -3,6 +3,7 @@
  */
 
 import go
+import semmle.go.frameworks.stdlib.ImportAll
 
 /** A `String()` method. */
 class StringMethod extends TaintTracking::FunctionModel, Method {

ql/src/semmle/go/frameworks/stdlib/ArchiveTarTaintTracking.qll

@@ -0,0 +1,63 @@
+/**
+ * Provides classes modeling security-relevant aspects of the standard libraries.
+ */
+
+import go
+
+/** Provides models of commonly used functions in the `archive/tar` package. */
+module ArchiveTarTaintTracking {
+  private class FunctionTaintTracking extends TaintTracking::FunctionModel {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    FunctionTaintTracking() {
+      // signature: func FileInfoHeader(fi os.FileInfo, link string) (*Header, error)
+      hasQualifiedName("archive/tar", "FileInfoHeader") and
+      (inp.isParameter(0) and outp.isResult(0))
+      or
+      // signature: func NewReader(r io.Reader) *Reader
+      hasQualifiedName("archive/tar", "NewReader") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func NewWriter(w io.Writer) *Writer
+      hasQualifiedName("archive/tar", "NewWriter") and
+      (inp.isResult() and outp.isParameter(0))
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+
+  private class MethodAndInterfaceTaintTracking extends TaintTracking::FunctionModel, Method {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    MethodAndInterfaceTaintTracking() {
+      // Methods:
+      // signature: func (*Header).FileInfo() os.FileInfo
+      this.(Method).hasQualifiedName("archive/tar", "Header", "FileInfo") and
+      (inp.isReceiver() and outp.isResult())
+      or
+      // signature: func (*Reader).Next() (*Header, error)
+      this.(Method).hasQualifiedName("archive/tar", "Reader", "Next") and
+      (inp.isReceiver() and outp.isResult(0))
+      or
+      // signature: func (*Reader).Read(b []byte) (int, error)
+      this.(Method).hasQualifiedName("archive/tar", "Reader", "Read") and
+      (inp.isReceiver() and outp.isParameter(0))
+      or
+      // signature: func (*Writer).Write(b []byte) (int, error)
+      this.(Method).hasQualifiedName("archive/tar", "Writer", "Write") and
+      (inp.isParameter(0) and outp.isReceiver())
+      or
+      // signature: func (*Writer).WriteHeader(hdr *Header) error
+      this.(Method).hasQualifiedName("archive/tar", "Writer", "WriteHeader") and
+      (inp.isParameter(0) and outp.isReceiver())
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+}

ql/src/semmle/go/frameworks/stdlib/ArchiveZipTaintTracking.qll

@@ -0,0 +1,86 @@
+/**
+ * Provides classes modeling security-relevant aspects of the standard libraries.
+ */
+
+import go
+
+/** Provides models of commonly used functions in the `archive/zip` package. */
+module ArchiveZipTaintTracking {
+  private class FunctionTaintTracking extends TaintTracking::FunctionModel {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    FunctionTaintTracking() {
+      // signature: func FileInfoHeader(fi os.FileInfo) (*FileHeader, error)
+      hasQualifiedName("archive/zip", "FileInfoHeader") and
+      (inp.isParameter(0) and outp.isResult(0))
+      or
+      // signature: func NewReader(r io.ReaderAt, size int64) (*Reader, error)
+      hasQualifiedName("archive/zip", "NewReader") and
+      (inp.isParameter(0) and outp.isResult(0))
+      or
+      // signature: func NewWriter(w io.Writer) *Writer
+      hasQualifiedName("archive/zip", "NewWriter") and
+      (inp.isResult() and outp.isParameter(0))
+      or
+      // signature: func OpenReader(name string) (*ReadCloser, error)
+      hasQualifiedName("archive/zip", "OpenReader") and
+      (inp.isParameter(0) and outp.isResult(0))
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+
+  private class MethodAndInterfaceTaintTracking extends TaintTracking::FunctionModel, Method {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    MethodAndInterfaceTaintTracking() {
+      // Methods:
+      // signature: func (*File).Open() (io.ReadCloser, error)
+      this.(Method).hasQualifiedName("archive/zip", "File", "Open") and
+      (inp.isReceiver() and outp.isResult(0))
+      or
+      // signature: func (*FileHeader).FileInfo() os.FileInfo
+      this.(Method).hasQualifiedName("archive/zip", "FileHeader", "FileInfo") and
+      (inp.isReceiver() and outp.isResult())
+      or
+      // signature: func (*FileHeader).Mode() (mode os.FileMode)
+      this.(Method).hasQualifiedName("archive/zip", "FileHeader", "Mode") and
+      (inp.isReceiver() and outp.isResult())
+      or
+      // signature: func (*FileHeader).SetMode(mode os.FileMode)
+      this.(Method).hasQualifiedName("archive/zip", "FileHeader", "SetMode") and
+      (inp.isParameter(0) and outp.isReceiver())
+      or
+      // signature: func (*Reader).RegisterDecompressor(method uint16, dcomp Decompressor)
+      this.(Method).hasQualifiedName("archive/zip", "Reader", "RegisterDecompressor") and
+      (inp.isParameter(1) and outp.isReceiver())
+      or
+      // signature: func (*Writer).Create(name string) (io.Writer, error)
+      this.(Method).hasQualifiedName("archive/zip", "Writer", "Create") and
+      (inp.isResult(0) and outp.isReceiver())
+      or
+      // signature: func (*Writer).CreateHeader(fh *FileHeader) (io.Writer, error)
+      this.(Method).hasQualifiedName("archive/zip", "Writer", "CreateHeader") and
+      (
+        (inp.isParameter(0) or inp.isResult(0)) and
+        outp.isReceiver()
+      )
+      or
+      // signature: func (*Writer).RegisterCompressor(method uint16, comp Compressor)
+      this.(Method).hasQualifiedName("archive/zip", "Writer", "RegisterCompressor") and
+      (inp.isParameter(1) and outp.isReceiver())
+      or
+      // signature: func (*Writer).SetComment(comment string) error
+      this.(Method).hasQualifiedName("archive/zip", "Writer", "SetComment") and
+      (inp.isParameter(0) and outp.isReceiver())
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+}

ql/src/semmle/go/frameworks/stdlib/ImportAll.qll

@@ -0,0 +1,7 @@
+/**
+ * Provides imports of all the standard libraries.
+ */
+
+import go
+import semmle.go.frameworks.stdlib.ArchiveTarTaintTracking
+import semmle.go.frameworks.stdlib.ArchiveZipTaintTracking

ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/ArchiveTarTaintTracking.go

@@ -0,0 +1,210 @@
+// WARNING: This file was automatically generated. DO NOT EDIT.
+
+package main
+
+import (
+	"archive/tar"
+	"io"
+	"os"
+)
+
+func TaintStepTest_ArchiveTarFileInfoHeader_B0I0O0(sourceCQL interface{}) interface{} {
+	// The flow is from `fromFileInfo656` into `intoHeader414`.
+
+	// Assume that `sourceCQL` has the underlying type of `fromFileInfo656`:
+	fromFileInfo656 := sourceCQL.(os.FileInfo)
+
+	// Call the function that transfers the taint
+	// from the parameter `fromFileInfo656` to result `intoHeader414`
+	// (`intoHeader414` is now tainted).
+	intoHeader414, _ := tar.FileInfoHeader(fromFileInfo656, "")
+
+	// Return the tainted `intoHeader414`:
+	return intoHeader414
+}
+
+func TaintStepTest_ArchiveTarNewReader_B0I0O0(sourceCQL interface{}) interface{} {
+	// The flow is from `fromReader518` into `intoReader650`.
+
+	// Assume that `sourceCQL` has the underlying type of `fromReader518`:
+	fromReader518 := sourceCQL.(io.Reader)
+
+	// Call the function that transfers the taint
+	// from the parameter `fromReader518` to result `intoReader650`
+	// (`intoReader650` is now tainted).
+	intoReader650 := tar.NewReader(fromReader518)
+
+	// Return the tainted `intoReader650`:
+	return intoReader650
+}
+
+func TaintStepTest_ArchiveTarNewWriter_B0I0O0(sourceCQL interface{}) interface{} {
+	// The flow is from `fromWriter784` into `intoWriter957`.
+
+	// Assume that `sourceCQL` has the underlying type of `fromWriter784`:
+	fromWriter784 := sourceCQL.(*tar.Writer)
+
+	// Declare `intoWriter957` variable:
+	var intoWriter957 io.Writer
+
+	// Call the function that will transfer the taint
+	// from the result `intermediateCQL` to parameter `intoWriter957`:
+	intermediateCQL := tar.NewWriter(intoWriter957)
+
+	// Extra step (`fromWriter784` taints `intermediateCQL`, which taints `intoWriter957`:
+	link(fromWriter784, intermediateCQL)
+
+	// Return the tainted `intoWriter957`:
+	return intoWriter957
+}
+
+func TaintStepTest_ArchiveTarHeaderFileInfo_B0I0O0(sourceCQL interface{}) interface{} {
+	// The flow is from `fromHeader520` into `intoFileInfo443`.
+
+	// Assume that `sourceCQL` has the underlying type of `fromHeader520`:
+	fromHeader520 := sourceCQL.(tar.Header)
+
+	// Call the method that transfers the taint
+	// from the receiver `fromHeader520` to the result `intoFileInfo443`
+	// (`intoFileInfo443` is now tainted).
+	intoFileInfo443 := fromHeader520.FileInfo()
+
+	// Return the tainted `intoFileInfo443`:
+	return intoFileInfo443
+}
+
+func TaintStepTest_ArchiveTarReaderNext_B0I0O0(sourceCQL interface{}) interface{} {
+	// The flow is from `fromReader127` into `intoHeader483`.
+
+	// Assume that `sourceCQL` has the underlying type of `fromReader127`:
+	fromReader127 := sourceCQL.(tar.Reader)
+
+	// Call the method that transfers the taint
+	// from the receiver `fromReader127` to the result `intoHeader483`
+	// (`intoHeader483` is now tainted).
+	intoHeader483, _ := fromReader127.Next()
+
+	// Return the tainted `intoHeader483`:
+	return intoHeader483
+}
+
+func TaintStepTest_ArchiveTarReaderRead_B0I0O0(sourceCQL interface{}) interface{} {
+	// The flow is from `fromReader989` into `intoByte982`.
+
+	// Assume that `sourceCQL` has the underlying type of `fromReader989`:
+	fromReader989 := sourceCQL.(tar.Reader)
+
+	// Declare `intoByte982` variable:
+	var intoByte982 []byte
+
+	// Call the method that transfers the taint
+	// from the receiver `fromReader989` to the argument `intoByte982`
+	// (`intoByte982` is now tainted).
+	fromReader989.Read(intoByte982)
+
+	// Return the tainted `intoByte982`:
+	return intoByte982
+}
+
+func TaintStepTest_ArchiveTarWriterWrite_B0I0O0(sourceCQL interface{}) interface{} {
+	// The flow is from `fromByte417` into `intoWriter584`.
+
+	// Assume that `sourceCQL` has the underlying type of `fromByte417`:
+	fromByte417 := sourceCQL.([]byte)
+
+	// Declare `intoWriter584` variable:
+	var intoWriter584 tar.Writer
+
+	// Call the method that transfers the taint
+	// from the parameter `fromByte417` to the receiver `intoWriter584`
+	// (`intoWriter584` is now tainted).
+	intoWriter584.Write(fromByte417)
+
+	// Return the tainted `intoWriter584`:
+	return intoWriter584
+}
+
+func TaintStepTest_ArchiveTarWriterWriteHeader_B0I0O0(sourceCQL interface{}) interface{} {
+	// The flow is from `fromHeader991` into `intoWriter881`.
+
+	// Assume that `sourceCQL` has the underlying type of `fromHeader991`:
+	fromHeader991 := sourceCQL.(*tar.Header)
+
+	// Declare `intoWriter881` variable:
+	var intoWriter881 tar.Writer
+
+	// Call the method that transfers the taint
+	// from the parameter `fromHeader991` to the receiver `intoWriter881`
+	// (`intoWriter881` is now tainted).
+	intoWriter881.WriteHeader(fromHeader991)
+
+	// Return the tainted `intoWriter881`:
+	return intoWriter881
+}
+
+func RunAllTaints_ArchiveTar() {
+	{
+		// Create a new source:
+		source := newSource()
+		// Run the taint scenario:
+		out := TaintStepTest_ArchiveTarFileInfoHeader_B0I0O0(source)
+		// If the taint step(s) succeeded, then `out` is tainted and will be sink-able here:
+		sink(out)
+	}
+	{
+		// Create a new source:
+		source := newSource()
+		// Run the taint scenario:
+		out := TaintStepTest_ArchiveTarNewReader_B0I0O0(source)
+		// If the taint step(s) succeeded, then `out` is tainted and will be sink-able here:
+		sink(out)
+	}
+	{
+		// Create a new source:
+		source := newSource()
+		// Run the taint scenario:
+		out := TaintStepTest_ArchiveTarNewWriter_B0I0O0(source)
+		// If the taint step(s) succeeded, then `out` is tainted and will be sink-able here:
+		sink(out)
+	}
+	{
+		// Create a new source:
+		source := newSource()
+		// Run the taint scenario:
+		out := TaintStepTest_ArchiveTarHeaderFileInfo_B0I0O0(source)
+		// If the taint step(s) succeeded, then `out` is tainted and will be sink-able here:
+		sink(out)
+	}
+	{
+		// Create a new source:
+		source := newSource()
+		// Run the taint scenario:
+		out := TaintStepTest_ArchiveTarReaderNext_B0I0O0(source)
+		// If the taint step(s) succeeded, then `out` is tainted and will be sink-able here:
+		sink(out)
+	}
+	{
+		// Create a new source:
+		source := newSource()
+		// Run the taint scenario:
+		out := TaintStepTest_ArchiveTarReaderRead_B0I0O0(source)
+		// If the taint step(s) succeeded, then `out` is tainted and will be sink-able here:
+		sink(out)
+	}
+	{
+		// Create a new source:
+		source := newSource()
+		// Run the taint scenario:
+		out := TaintStepTest_ArchiveTarWriterWrite_B0I0O0(source)
+		// If the taint step(s) succeeded, then `out` is tainted and will be sink-able here:
+		sink(out)
+	}
+	{
+		// Create a new source:
+		source := newSource()
+		// Run the taint scenario:
+		out := TaintStepTest_ArchiveTarWriterWriteHeader_B0I0O0(source)
+		// If the taint step(s) succeeded, then `out` is tainted and will be sink-able here:
+		sink(out)
+	}
+}