Merge pull request #330 from smowton/smowton/admin/standard-lib-pt-21-with-sanitiser

Move `strconv` and `strings` packages' taint-tracking to stdlib, and expand them + sanitise substrings of the HTTP Authorization header

Author: smowton

ql/src/Security/CWE-681/IncorrectIntegerConversion.ql

@@ -101,7 +101,7 @@ class ConversionWithoutBoundsCheckConfig extends TaintTracking::Configuration {
         // If we are reading a variable, check if it is
         // `strconv.IntSize`, and use 0 if it is.
         exists(DataFlow::Node rawBitSize | rawBitSize = ip.getTargetBitSizeInput().getNode(c) |
-          if rawBitSize = any(StrConv::IntSize intSize).getARead()
+          if rawBitSize = any(Strconv::IntSize intSize).getARead()
           then apparentBitSize = 0
           else apparentBitSize = rawBitSize.getIntValue()
         )

ql/src/semmle/go/frameworks/Stdlib.qll

@@ -18,6 +18,8 @@ import semmle.go.frameworks.stdlib.MimeQuotedprintable
 import semmle.go.frameworks.stdlib.Path
 import semmle.go.frameworks.stdlib.PathFilepath
 import semmle.go.frameworks.stdlib.Reflect
+import semmle.go.frameworks.stdlib.Strconv
+import semmle.go.frameworks.stdlib.Strings
 import semmle.go.frameworks.stdlib.TextScanner
 import semmle.go.frameworks.stdlib.TextTabwriter
 import semmle.go.frameworks.stdlib.TextTemplate
@@ -483,105 +485,6 @@ module IntegerParser {
   }
 }
 
-/**
- * Provides classes for some functions in the `strconv` package for
- * converting strings to numbers.
- */
-module StrConv {
-  /** The `Atoi` function. */
-  class Atoi extends IntegerParser::Range {
-    Atoi() { this.hasQualifiedName("strconv", "Atoi") }
-
-    override int getTargetBitSize() { result = 0 }
-  }
-
-  /** The `ParseInt` function. */
-  class ParseInt extends IntegerParser::Range {
-    ParseInt() { this.hasQualifiedName("strconv", "ParseInt") }
-
-    override FunctionInput getTargetBitSizeInput() { result.isParameter(2) }
-  }
-
-  /** The `ParseUint` function. */
-  class ParseUint extends IntegerParser::Range {
-    ParseUint() { this.hasQualifiedName("strconv", "ParseUint") }
-
-    override FunctionInput getTargetBitSizeInput() { result.isParameter(2) }
-  }
-
-  /**
-   * The `IntSize` constant, that gives the size in bits of an `int` or
-   * `uint` value on the current architecture (32 or 64).
-   */
-  class IntSize extends DeclaredConstant {
-    IntSize() { this.hasQualifiedName("strconv", "IntSize") }
-  }
-}
-
-/** Provides models of commonly used functions in the `strings` package. */
-module Strings {
-  /** The `Join` function. */
-  class Join extends TaintTracking::FunctionModel {
-    Join() { hasQualifiedName("strings", "Join") }
-
-    override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) {
-      inp.isParameter([0 .. 1]) and outp.isResult()
-    }
-  }
-
-  /** The `Repeat` function. */
-  class Repeat extends TaintTracking::FunctionModel {
-    Repeat() { hasQualifiedName("strings", "Repeat") }
-
-    override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) {
-      inp.isParameter(0) and outp.isResult()
-    }
-  }
-
-  /** The `Replace` or `ReplaceAll` function. */
-  class Replacer extends TaintTracking::FunctionModel {
-    Replacer() {
-      hasQualifiedName("strings", "Replace") or hasQualifiedName("strings", "ReplaceAll")
-    }
-
-    override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) {
-      (inp.isParameter(0) or inp.isParameter(2)) and
-      outp.isResult()
-    }
-  }
-
-  /** The `Split` function or one of its variants. */
-  class Splitter extends TaintTracking::FunctionModel {
-    Splitter() {
-      exists(string split | split.matches("Split%") | hasQualifiedName("strings", split))
-    }
-
-    override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) {
-      inp.isParameter(0) and outp.isResult()
-    }
-  }
-
-  /** One of the case-converting functions in the `strings` package. */
-  class CaseConverter extends TaintTracking::FunctionModel {
-    CaseConverter() {
-      exists(string conv | conv.matches("To%") | hasQualifiedName("strings", conv))
-    }
-
-    override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) {
-      inp.isParameter(getNumParameter() - 1) and outp.isResult()
-    }
-  }
-
-  /** The `Trim` function or one of its variants. */
-  class Trimmer extends TaintTracking::FunctionModel {
-    Trimmer() { exists(string split | split.matches("Trim%") | hasQualifiedName("strings", split)) }
-
-    override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) {
-      inp.isParameter(0) and outp.isResult()
-    }
-  }
-}
-
 /** Provides models of commonly used functions in the `net/url` package. */
 module URL {
   /** The `PathEscape` or `QueryEscape` function. */

ql/src/semmle/go/frameworks/stdlib/Strconv.qll

@@ -0,0 +1,80 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `strconv` package.
+ */
+
+import go
+
+/** Provides models of commonly used functions in the `strconv` package. */
+module Strconv {
+  /** The `Atoi` function. */
+  class Atoi extends IntegerParser::Range {
+    Atoi() { this.hasQualifiedName("strconv", "Atoi") }
+
+    override int getTargetBitSize() { result = 0 }
+  }
+
+  /** The `ParseInt` function. */
+  class ParseInt extends IntegerParser::Range {
+    ParseInt() { this.hasQualifiedName("strconv", "ParseInt") }
+
+    override FunctionInput getTargetBitSizeInput() { result.isParameter(2) }
+  }
+
+  /** The `ParseUint` function. */
+  class ParseUint extends IntegerParser::Range {
+    ParseUint() { this.hasQualifiedName("strconv", "ParseUint") }
+
+    override FunctionInput getTargetBitSizeInput() { result.isParameter(2) }
+  }
+
+  /**
+   * The `IntSize` constant, that gives the size in bits of an `int` or
+   * `uint` value on the current architecture (32 or 64).
+   */
+  class IntSize extends DeclaredConstant {
+    IntSize() { this.hasQualifiedName("strconv", "IntSize") }
+  }
+
+  private class FunctionModels extends TaintTracking::FunctionModel {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    FunctionModels() {
+      // signature: func AppendQuote(dst []byte, s string) []byte
+      hasQualifiedName("strconv", "AppendQuote") and
+      (inp.isParameter(_) and outp.isResult())
+      or
+      // signature: func AppendQuoteToASCII(dst []byte, s string) []byte
+      hasQualifiedName("strconv", "AppendQuoteToASCII") and
+      (inp.isParameter(_) and outp.isResult())
+      or
+      // signature: func AppendQuoteToGraphic(dst []byte, s string) []byte
+      hasQualifiedName("strconv", "AppendQuoteToGraphic") and
+      (inp.isParameter(_) and outp.isResult())
+      or
+      // signature: func Quote(s string) string
+      hasQualifiedName("strconv", "Quote") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func QuoteToASCII(s string) string
+      hasQualifiedName("strconv", "QuoteToASCII") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func QuoteToGraphic(s string) string
+      hasQualifiedName("strconv", "QuoteToGraphic") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func Unquote(s string) (string, error)
+      hasQualifiedName("strconv", "Unquote") and
+      (inp.isParameter(0) and outp.isResult(0))
+      or
+      // signature: func UnquoteChar(s string, quote byte) (value rune, multibyte bool, tail string, err error)
+      hasQualifiedName("strconv", "UnquoteChar") and
+      (inp.isParameter(0) and outp.isResult(2))
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+}

ql/src/semmle/go/frameworks/stdlib/Strings.qll

@@ -0,0 +1,186 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `strings` package.
+ */
+
+import go
+
+/** Provides models of commonly used functions in the `strings` package. */
+module Strings {
+  private class FunctionModels extends TaintTracking::FunctionModel {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    FunctionModels() {
+      // signature: func Fields(s string) []string
+      hasQualifiedName("strings", "Fields") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func FieldsFunc(s string, f func(rune) bool) []string
+      hasQualifiedName("strings", "FieldsFunc") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func Join(elems []string, sep string) string
+      hasQualifiedName("strings", "Join") and
+      (inp.isParameter(_) and outp.isResult())
+      or
+      // signature: func Map(mapping func(rune) rune, s string) string
+      hasQualifiedName("strings", "Map") and
+      (inp.isParameter(1) and outp.isResult())
+      or
+      // signature: func NewReader(s string) *Reader
+      hasQualifiedName("strings", "NewReader") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func NewReplacer(oldnew ...string) *Replacer
+      hasQualifiedName("strings", "NewReplacer") and
+      (inp.isParameter(_) and outp.isResult())
+      or
+      // signature: func Repeat(s string, count int) string
+      hasQualifiedName("strings", "Repeat") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func Replace(s string, old string, new string, n int) string
+      hasQualifiedName("strings", "Replace") and
+      (inp.isParameter([0, 2]) and outp.isResult())
+      or
+      // signature: func ReplaceAll(s string, old string, new string) string
+      hasQualifiedName("strings", "ReplaceAll") and
+      (inp.isParameter([0, 2]) and outp.isResult())
+      or
+      // signature: func Split(s string, sep string) []string
+      hasQualifiedName("strings", "Split") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func SplitAfter(s string, sep string) []string
+      hasQualifiedName("strings", "SplitAfter") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func SplitAfterN(s string, sep string, n int) []string
+      hasQualifiedName("strings", "SplitAfterN") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func SplitN(s string, sep string, n int) []string
+      hasQualifiedName("strings", "SplitN") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func Title(s string) string
+      hasQualifiedName("strings", "Title") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func ToLower(s string) string
+      hasQualifiedName("strings", "ToLower") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func ToLowerSpecial(c unicode.SpecialCase, s string) string
+      hasQualifiedName("strings", "ToLowerSpecial") and
+      (inp.isParameter(1) and outp.isResult())
+      or
+      // signature: func ToTitle(s string) string
+      hasQualifiedName("strings", "ToTitle") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func ToTitleSpecial(c unicode.SpecialCase, s string) string
+      hasQualifiedName("strings", "ToTitleSpecial") and
+      (inp.isParameter(1) and outp.isResult())
+      or
+      // signature: func ToUpper(s string) string
+      hasQualifiedName("strings", "ToUpper") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func ToUpperSpecial(c unicode.SpecialCase, s string) string
+      hasQualifiedName("strings", "ToUpperSpecial") and
+      (inp.isParameter(1) and outp.isResult())
+      or
+      // signature: func ToValidUTF8(s string, replacement string) string
+      hasQualifiedName("strings", "ToValidUTF8") and
+      (inp.isParameter(_) and outp.isResult())
+      or
+      // signature: func Trim(s string, cutset string) string
+      hasQualifiedName("strings", "Trim") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func TrimFunc(s string, f func(rune) bool) string
+      hasQualifiedName("strings", "TrimFunc") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func TrimLeft(s string, cutset string) string
+      hasQualifiedName("strings", "TrimLeft") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func TrimLeftFunc(s string, f func(rune) bool) string
+      hasQualifiedName("strings", "TrimLeftFunc") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func TrimPrefix(s string, prefix string) string
+      hasQualifiedName("strings", "TrimPrefix") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func TrimRight(s string, cutset string) string
+      hasQualifiedName("strings", "TrimRight") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func TrimRightFunc(s string, f func(rune) bool) string
+      hasQualifiedName("strings", "TrimRightFunc") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func TrimSpace(s string) string
+      hasQualifiedName("strings", "TrimSpace") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func TrimSuffix(s string, suffix string) string
+      hasQualifiedName("strings", "TrimSuffix") and
+      (inp.isParameter(0) and outp.isResult())
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+
+  private class MethodModels extends TaintTracking::FunctionModel, Method {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    MethodModels() {
+      // signature: func (*Builder).String() string
+      this.hasQualifiedName("strings", "Builder", "String") and
+      (inp.isReceiver() and outp.isResult())
+      or
+      // signature: func (*Builder).Write(p []byte) (int, error)
+      this.hasQualifiedName("strings", "Builder", "Write") and
+      (inp.isParameter(0) and outp.isReceiver())
+      or
+      // signature: func (*Builder).WriteString(s string) (int, error)
+      this.hasQualifiedName("strings", "Builder", "WriteString") and
+      (inp.isParameter(0) and outp.isReceiver())
+      or
+      // signature: func (*Reader).Read(b []byte) (n int, err error)
+      this.hasQualifiedName("strings", "Reader", "Read") and
+      (inp.isReceiver() and outp.isParameter(0))
+      or
+      // signature: func (*Reader).ReadAt(b []byte, off int64) (n int, err error)
+      this.hasQualifiedName("strings", "Reader", "ReadAt") and
+      (inp.isReceiver() and outp.isParameter(0))
+      or
+      // signature: func (*Reader).Reset(s string)
+      this.hasQualifiedName("strings", "Reader", "Reset") and
+      (inp.isParameter(0) and outp.isReceiver())
+      or
+      // signature: func (*Reader).WriteTo(w io.Writer) (n int64, err error)
+      this.hasQualifiedName("strings", "Reader", "WriteTo") and
+      (inp.isReceiver() and outp.isParameter(0))
+      or
+      // signature: func (*Replacer).Replace(s string) string
+      this.hasQualifiedName("strings", "Replacer", "Replace") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func (*Replacer).WriteString(w io.Writer, s string) (n int, err error)
+      this.hasQualifiedName("strings", "Replacer", "WriteString") and
+      (inp.isParameter(1) and outp.isParameter(0))
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+}