Merge pull request #270 from smowton/smowton/cleanup/ricterz-libraries

Add support for Gorm, Gorestful, Sqlx and Json-iterator

Author: max-schaefer

change-notes/2020-07-28-library-models.md

@@ -0,0 +1,11 @@
+lgtm,codescanning
+* Basic support for the [Go-restful](https://github.com/emicklei/go-restful) HTTP library has been added, which
+  may lead to more results from the security queries.
+* Basic support for the [Gorm](https://github.com/go-gorm/gorm) ORM library has been added (specifically, its SQL statement building facilities), which
+  may lead to more results from the security queries.
+* Basic support for the [Sqlx](https://github.com/jmoiron/sqlx) database access library has been added, which
+  may lead to more results from the security queries.
+* Basic support for the [Json-iterator](https://github.com/json-iterator/go) JSON library has been added, which
+  may lead to more results from the security queries.
+
+

ql/src/go.qll

@@ -26,6 +26,7 @@ import semmle.go.dataflow.GlobalValueNumbering
 import semmle.go.dataflow.SSA
 import semmle.go.dataflow.TaintTracking
 import semmle.go.frameworks.Email
+import semmle.go.frameworks.Encoding
 import semmle.go.frameworks.Glog
 import semmle.go.frameworks.HTTP
 import semmle.go.frameworks.Macaron

ql/src/semmle/go/frameworks/Encoding.qll

@@ -0,0 +1,28 @@
+/**
+ * Provides classes modelling taint propagation through marshalling and encoding functions.
+ */
+
+import go
+
+/** A model of json-iterator's `Unmarshal` function, propagating taint from the JSON input to the decoded object. */
+private class JsonIteratorUnmarshalFunction extends TaintTracking::FunctionModel,
+  UnmarshalingFunction::Range {
+  JsonIteratorUnmarshalFunction() {
+    this.hasQualifiedName("github.com/json-iterator/go", ["Unmarshal", "UnmarshalFromString"])
+    or
+    exists(Method m |
+      m.hasQualifiedName("github.com/json-iterator/go", "API", ["Unmarshal", "UnmarshalFromString"]) and
+      this.(Method).implements(m)
+    )
+  }
+
+  override DataFlow::FunctionInput getAnInput() { result.isParameter(0) }
+
+  override DataFlow::FunctionOutput getOutput() { result.isParameter(1) }
+
+  override string getFormat() { result = "JSON" }
+
+  override predicate hasTaintFlow(DataFlow::FunctionInput inp, DataFlow::FunctionOutput outp) {
+    inp = getAnInput() and outp = getOutput()
+  }
+}

ql/src/semmle/go/frameworks/HTTP.qll

@@ -231,3 +231,42 @@ private module StdlibHttp {
     }
   }
 }
+
+/**
+ * Provides models of the go-restful library (https://github.com/emicklei/go-restful).
+ */
+private module GoRestfulHttp {
+  /**
+   * A model for methods defined on go-restful's `Request` object that may return user-controlled data.
+   */
+  private class GoRestfulSourceMethod extends Method {
+    GoRestfulSourceMethod() {
+      this
+          .hasQualifiedName(package("github.com/emicklei/go-restful", ""), "Request",
+            ["QueryParameters", "QueryParameter", "BodyParameter", "HeaderParameter",
+                "PathParameter", "PathParameters"])
+    }
+  }
+
+  /**
+   * A model of go-restful's `Request` object as a source of user-controlled data.
+   */
+  private class GoRestfulSource extends UntrustedFlowSource::Range {
+    GoRestfulSource() { this = any(GoRestfulSourceMethod g).getACall() }
+  }
+
+  /**
+   * A model of go-restful's `Request.ReadEntity` method as a source of user-controlled data.
+   */
+  private class GoRestfulReadEntitySource extends UntrustedFlowSource::Range {
+    GoRestfulReadEntitySource() {
+      exists(DataFlow::MethodCallNode call |
+        call
+            .getTarget()
+            .hasQualifiedName(package("github.com/emicklei/go-restful", ""), "Request", "ReadEntity")
+      |
+        this = any(FunctionOutput output | output.isParameter(0)).getExitNode(call)
+      )
+    }
+  }
+}

ql/src/semmle/go/frameworks/SQL.qll

@@ -160,4 +160,29 @@ module SQL {
       }
     }
   }
+
+  /** A model for sinks of github.com/jinzhu/gorm. */
+  private class GormSink extends SQL::QueryString::Range {
+    GormSink() {
+      exists(Method meth, string name |
+        meth.hasQualifiedName("github.com/jinzhu/gorm", "DB", name) and
+        this = meth.getACall().getArgument(0) and
+        name in ["Where", "Raw", "Order", "Not", "Or", "Select", "Table", "Group", "Having", "Joins"]
+      )
+    }
+  }
+
+  /** A model for sinks of github.com/jmoiron/sqlx. */
+  private class SqlxSink extends SQL::QueryString::Range {
+    SqlxSink() {
+      exists(Method meth, string name, int n |
+        meth.hasQualifiedName("github.com/jmoiron/sqlx", ["DB", "Tx"], name) and
+        this = meth.getACall().getArgument(n)
+      |
+        name = ["Select", "Get"] and n = 1
+        or
+        name = ["MustExec", "Queryx", "NamedExec", "NamedQuery"] and n = 0
+      )
+    }
+  }
 }

ql/test/library-tests/semmle/go/frameworks/Encoding/go.mod

@@ -0,0 +1,7 @@
+module jsonittest
+
+go 1.14
+
+require (
+	github.com/json-iterator/go v1.1.10
+)

ql/test/library-tests/semmle/go/frameworks/Encoding/jsoniter.expected

@@ -0,0 +1,4 @@
+| jsoniter.go:28:15:28:24 | selection of field | jsoniter.go:23:20:23:38 | call to getUntrustedBytes : slice type | jsoniter.go:28:15:28:24 | selection of field | This command depends on $@. | jsoniter.go:23:20:23:38 | call to getUntrustedBytes | a user-provided value |
+| jsoniter.go:32:15:32:25 | selection of field | jsoniter.go:23:20:23:38 | call to getUntrustedBytes : slice type | jsoniter.go:32:15:32:25 | selection of field | This command depends on $@. | jsoniter.go:23:20:23:38 | call to getUntrustedBytes | a user-provided value |
+| jsoniter.go:36:15:36:25 | selection of field | jsoniter.go:24:21:24:40 | call to getUntrustedString : string | jsoniter.go:36:15:36:25 | selection of field | This command depends on $@. | jsoniter.go:24:21:24:40 | call to getUntrustedString | a user-provided value |
+| jsoniter.go:40:15:40:25 | selection of field | jsoniter.go:24:21:24:40 | call to getUntrustedString : string | jsoniter.go:40:15:40:25 | selection of field | This command depends on $@. | jsoniter.go:24:21:24:40 | call to getUntrustedString | a user-provided value |

ql/test/library-tests/semmle/go/frameworks/Encoding/jsoniter.go

@@ -0,0 +1,42 @@
+package jsonittest
+
+import (
+	jsoniter "github.com/json-iterator/go"
+	"os/exec"
+)
+
+func getUntrustedString() string {
+	return "trouble"
+}
+
+func getUntrustedBytes() []byte {
+	return []byte{}
+}
+
+type myData struct {
+	field string
+}
+
+func main() {
+
+	var json = jsoniter.ExampleConfig{}
+	untrustedInput := getUntrustedBytes()
+	untrustedString := getUntrustedString()
+
+	data := myData{}
+	json.Unmarshal(untrustedInput, &data)
+	exec.Command(data.field)
+
+	data2 := myData{}
+	jsoniter.Unmarshal(untrustedInput, &data2)
+	exec.Command(data2.field)
+
+	data3 := myData{}
+	json.UnmarshalFromString(untrustedString, &data3)
+	exec.Command(data3.field)
+
+	data4 := myData{}
+	jsoniter.UnmarshalFromString(untrustedString, &data4)
+	exec.Command(data4.field)
+
+}

ql/test/library-tests/semmle/go/frameworks/Encoding/jsoniter.ql

@@ -0,0 +1,15 @@
+import go
+import semmle.go.security.CommandInjection
+
+class UntrustedFunction extends Function {
+  UntrustedFunction() { this.getName() = ["getUntrustedString", "getUntrustedBytes"] }
+}
+
+class UntrustedSource extends DataFlow::Node, UntrustedFlowSource::Range {
+  UntrustedSource() { this = any(UntrustedFunction f).getACall() }
+}
+
+from CommandInjection::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where cfg.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "This command depends on $@.", source.getNode(),
+  "a user-provided value"