Merge branch 'standard-lib-pt-9' into stdlib-339-340-342-346-347

Author: gagliardetto

ql/src/semmle/go/frameworks/SQL.qll

@@ -6,6 +6,79 @@ import go
 
 /** Provides classes for working with SQL-related APIs. */
 module SQL {
+  private class SqlFunctionModels extends TaintTracking::FunctionModel {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    SqlFunctionModels() {
+      // signature: func Named(name string, value interface{}) NamedArg
+      hasQualifiedName("database/sql", "Named") and
+      (inp.isParameter(_) and outp.isResult())
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+
+  private class SqlMethodModels extends TaintTracking::FunctionModel, Method {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    SqlMethodModels() {
+      // signature: func (*Row).Scan(dest ...interface{}) error
+      this.hasQualifiedName("database/sql", "Row", "Scan") and
+      (inp.isReceiver() and outp.isParameter(_))
+      or
+      // signature: func (*Rows).Scan(dest ...interface{}) error
+      this.hasQualifiedName("database/sql", "Rows", "Scan") and
+      (inp.isReceiver() and outp.isParameter(_))
+      or
+      // signature: func (Scanner).Scan(src interface{}) error
+      this.implements("database/sql", "Scanner", "Scan") and
+      (inp.isParameter(0) and outp.isReceiver())
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+
+  private class SqlDriverMethodModels extends TaintTracking::FunctionModel, Method {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    SqlDriverMethodModels() {
+      // signature: func (NotNull).ConvertValue(v interface{}) (Value, error)
+      this.hasQualifiedName("database/sql/driver", "NotNull", "ConvertValue") and
+      (inp.isParameter(0) and outp.isResult(0))
+      or
+      // signature: func (Null).ConvertValue(v interface{}) (Value, error)
+      this.hasQualifiedName("database/sql/driver", "Null", "ConvertValue") and
+      (inp.isParameter(0) and outp.isResult(0))
+      or
+      // signature: func (ValueConverter).ConvertValue(v interface{}) (Value, error)
+      this.implements("database/sql/driver", "ValueConverter", "ConvertValue") and
+      (inp.isParameter(0) and outp.isResult(0))
+      or
+      // signature: func (Conn).Prepare(query string) (Stmt, error)
+      this.implements("database/sql/driver", "Conn", "Prepare") and
+      (inp.isParameter(0) and outp.isResult(0))
+      or
+      // signature: func (ConnPrepareContext).PrepareContext(ctx context.Context, query string) (Stmt, error)
+      this.implements("database/sql/driver", "ConnPrepareContext", "PrepareContext") and
+      (inp.isParameter(1) and outp.isResult(0))
+      or
+      // signature: func (Valuer).Value() (Value, error)
+      this.implements("database/sql/driver", "Valuer", "Value") and
+      (inp.isReceiver() and outp.isResult(0))
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+
   /**
    * A data-flow node whose string value is interpreted as (part of) a SQL query.
    *
@@ -34,7 +107,8 @@ module SQL {
         exists(Method meth, string base, string m, int n |
           (
             meth.hasQualifiedName("database/sql", "DB", m) or
-            meth.hasQualifiedName("database/sql", "Tx", m)
+            meth.hasQualifiedName("database/sql", "Tx", m) or
+            meth.hasQualifiedName("database/sql", "Conn", m)
           ) and
           this = meth.getACall().getArgument(n)
         |
@@ -48,6 +122,29 @@ module SQL {
       }
     }
 
+    /** A query string used in an API function of the standard `database/sql/driver` package. */
+    private class DriverQueryString extends Range {
+      DriverQueryString() {
+        exists(Method meth, int n |
+          (
+            meth.hasQualifiedName("database/sql/driver", "Execer", "Exec") and n = 0
+            or
+            meth.hasQualifiedName("database/sql/driver", "ExecerContext", "ExecContext") and n = 1
+            or
+            meth.hasQualifiedName("database/sql/driver", "Conn", "Prepare") and n = 0
+            or
+            meth.hasQualifiedName("database/sql/driver", "ConnPrepareContext", "PrepareContext") and
+            n = 1
+            or
+            meth.hasQualifiedName("database/sql/driver", "Queryer", "Query") and n = 0
+            or
+            meth.hasQualifiedName("database/sql/driver", "QueryerContext", "QueryContext") and n = 1
+          ) and
+          this = meth.getACall().getArgument(n)
+        )
+      }
+    }
+
     /**
      * An argument to an API of the squirrel library that is directly interpreted as SQL without
      * taking syntactic structure into account.

ql/src/semmle/go/frameworks/Stdlib.qll

@@ -40,6 +40,8 @@ import semmle.go.frameworks.stdlib.NetTextproto
 import semmle.go.frameworks.stdlib.Log
 import semmle.go.frameworks.stdlib.Io
 import semmle.go.frameworks.stdlib.IoIoutil
+import semmle.go.frameworks.stdlib.Errors
+import semmle.go.frameworks.stdlib.Expvar
 import semmle.go.frameworks.stdlib.Path
 import semmle.go.frameworks.stdlib.PathFilepath
 import semmle.go.frameworks.stdlib.Reflect

ql/src/semmle/go/frameworks/stdlib/Errors.qll

@@ -0,0 +1,31 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `errors` package.
+ */
+
+import go
+
+/** Provides models of commonly used functions in the `errors` package. */
+module Errors {
+  private class FunctionModels extends TaintTracking::FunctionModel {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    FunctionModels() {
+      // signature: func As(err error, target interface{}) bool
+      hasQualifiedName("errors", "As") and
+      (inp.isParameter(0) and outp.isParameter(1))
+      or
+      // signature: func New(text string) error
+      hasQualifiedName("errors", "New") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func Unwrap(err error) error
+      hasQualifiedName("errors", "Unwrap") and
+      (inp.isParameter(0) and outp.isResult())
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+}

ql/src/semmle/go/frameworks/stdlib/Expvar.qll

@@ -0,0 +1,51 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `expvar` package.
+ */
+
+import go
+
+/** Provides models of commonly used functions in the `expvar` package. */
+module Expvar {
+  private class MethodModels extends TaintTracking::FunctionModel, Method {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    MethodModels() {
+      // signature: func (Func).Value() interface{}
+      this.hasQualifiedName("expvar", "Func", "Value") and
+      (inp.isReceiver() and outp.isResult())
+      or
+      // signature: func (*Map).Get(key string) Var
+      this.hasQualifiedName("expvar", "Map", "Get") and
+      (inp.isReceiver() and outp.isResult())
+      or
+      // signature: func (*Map).Set(key string, av Var)
+      this.hasQualifiedName("expvar", "Map", "Set") and
+      (inp.isParameter(_) and outp.isReceiver())
+      or
+      // signature: func (*Map).String() string
+      this.hasQualifiedName("expvar", "Map", "String") and
+      (inp.isReceiver() and outp.isResult())
+      or
+      // signature: func (*String).Set(value string)
+      this.hasQualifiedName("expvar", "String", "Set") and
+      (inp.isParameter(0) and outp.isReceiver())
+      or
+      // signature: func (*String).String() string
+      this.hasQualifiedName("expvar", "String", "String") and
+      (inp.isReceiver() and outp.isResult())
+      or
+      // signature: func (*String).Value() string
+      this.hasQualifiedName("expvar", "String", "Value") and
+      (inp.isReceiver() and outp.isResult())
+      or
+      // signature: func (Var).String() string
+      this.implements("expvar", "Var", "String") and
+      (inp.isReceiver() and outp.isResult())
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+}