Add models for the Echo framework

Author: smowton

change-notes/2020-09-17-echo.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added support for the Echo web framework

ql/src/go.qll

@@ -27,6 +27,7 @@ import semmle.go.dataflow.GlobalValueNumbering
 import semmle.go.dataflow.SSA
 import semmle.go.dataflow.TaintTracking
 import semmle.go.frameworks.Chi
+import semmle.go.frameworks.Echo
 import semmle.go.frameworks.Email
 import semmle.go.frameworks.Encoding
 import semmle.go.frameworks.Gin

ql/src/semmle/go/frameworks/Echo.qll

@@ -0,0 +1,122 @@
+/**
+ * Provides classes for working with untrusted flow sources, taint propagators, and HTTP sinks
+ * from the `github.com/labstack/echo` package.
+ */
+
+import go
+
+private module Echo {
+  /** Gets an Echo package name. */
+  bindingset[result]
+  private string packagePath() { result = package("github.com/labstack/echo", "") }
+
+  /**
+   * Data from a `Context` interface method, considered as a source of untrusted flow.
+   */
+  private class EchoContextSource extends UntrustedFlowSource::Range {
+    EchoContextSource() {
+      exists(DataFlow::MethodCallNode call, string methodName |
+        methodName =
+          ["Param", "ParamValues", "QueryParam", "QueryParams", "QueryString", "FormValue",
+              "FormParams", "FormFile", "MultipartForm", "Cookie", "Cookies"] and
+        call.getTarget().hasQualifiedName(packagePath(), "Context", methodName) and
+        this = call.getResult(0)
+      )
+    }
+  }
+
+  /**
+   * Data from a `Context` interface method that is not generally exploitable for open-redirect attacks.
+   */
+  private class EchoContextRedirectUnexploitableSource extends HTTP::Redirect::UnexploitableSource {
+    EchoContextRedirectUnexploitableSource() {
+      exists(DataFlow::MethodCallNode call, string methodName |
+        methodName = ["FormValue", "FormParams", "FormFile", "MultipartForm", "Cookie", "Cookies"] and
+        call.getTarget().hasQualifiedName(packagePath(), "Context", methodName) and
+        this = call.getResult(0)
+      )
+    }
+  }
+
+  /**
+   * Models of `Context.Get/Set`. `Context` behaves like a map, with corresponding taint propagation.
+   */
+  private class ContextMapModels extends TaintTracking::FunctionModel, Method {
+    string methodName;
+    FunctionInput input;
+    FunctionOutput output;
+
+    ContextMapModels() {
+      (
+        methodName = "Get" and input.isReceiver() and output.isResult()
+        or
+        methodName = "Set" and input.isParameter(1) and output.isReceiver()
+      ) and
+      this.hasQualifiedName(packagePath(), "Context", methodName)
+    }
+
+    override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) {
+      inp = input and outp = output
+    }
+  }
+
+  /**
+   * A call to a method on `Context` struct that unmarshals data into a target.
+   */
+  private class EchoContextBinder extends UntrustedFlowSource::Range {
+    EchoContextBinder() {
+      exists(DataFlow::MethodCallNode call |
+        call.getTarget().hasQualifiedName(packagePath(), "Context", "Bind")
+      |
+        this = any(FunctionOutput output | output.isParameter(0)).getExitNode(call)
+      )
+    }
+  }
+
+  /**
+   * `echo.Context` methods which set the content-type to `text/html` and write a result in one operation.
+   */
+  private class EchoHtmlOutputs extends HTTP::ResponseBody::Range {
+    EchoHtmlOutputs() {
+      exists(Method m | m.hasQualifiedName(packagePath(), "Context", ["HTML", "HTMLBlob"]) |
+        this = m.getACall().getArgument(1)
+      )
+    }
+
+    override HTTP::ResponseWriter getResponseWriter() { none() }
+
+    override string getAContentType() { result = "text/html" }
+  }
+
+  /**
+   * `echo.Context` methods which take a content-type as a parameter.
+   */
+  private class EchoParameterizedOutputs extends HTTP::ResponseBody::Range {
+    DataFlow::CallNode callNode;
+
+    EchoParameterizedOutputs() {
+      exists(Method m | m.hasQualifiedName(packagePath(), "Context", ["Blob", "Stream"]) |
+        callNode = m.getACall() and this = callNode.getArgument(2)
+      )
+    }
+
+    override HTTP::ResponseWriter getResponseWriter() { none() }
+
+    override DataFlow::Node getAContentTypeNode() { result = callNode.getArgument(1) }
+  }
+
+  /**
+   * The `echo.Context.Redirect` method.
+   */
+  private class EchoRedirectMethod extends HTTP::Redirect::Range, DataFlow::CallNode {
+    EchoRedirectMethod() {
+      exists(Method m | m.hasQualifiedName(packagePath(), "Context", "Redirect") |
+        this = m.getACall()
+      )
+    }
+
+    override DataFlow::Node getUrl() { result = this.getArgument(1) }
+
+    override HTTP::ResponseWriter getResponseWriter() { none() }
+  }
+}

ql/test/library-tests/semmle/go/frameworks/Echo/OpenRedirect.expected

@@ -0,0 +1,19 @@
+edges
+| test.go:170:11:170:32 | call to Param : string | test.go:171:20:171:24 | param |
+| test.go:176:11:176:32 | call to Param : string | test.go:180:20:180:28 | ...+... |
+| test.go:188:10:188:26 | selection of URL : pointer type | test.go:188:10:188:26 | selection of URL : pointer type |
+| test.go:188:10:188:26 | selection of URL : pointer type | test.go:188:10:188:26 | selection of URL : pointer type |
+| test.go:188:10:188:26 | selection of URL : pointer type | test.go:191:21:191:32 | call to String |
+| test.go:188:10:188:26 | selection of URL : pointer type | test.go:191:21:191:32 | call to String |
+nodes
+| test.go:170:11:170:32 | call to Param : string | semmle.label | call to Param : string |
+| test.go:171:20:171:24 | param | semmle.label | param |
+| test.go:176:11:176:32 | call to Param : string | semmle.label | call to Param : string |
+| test.go:180:20:180:28 | ...+... | semmle.label | ...+... |
+| test.go:188:10:188:26 | selection of URL : pointer type | semmle.label | selection of URL : pointer type |
+| test.go:188:10:188:26 | selection of URL : pointer type | semmle.label | selection of URL : pointer type |
+| test.go:191:21:191:32 | call to String | semmle.label | call to String |
+| test.go:191:21:191:32 | call to String | semmle.label | call to String |
+#select
+| test.go:171:20:171:24 | param | test.go:170:11:170:32 | call to Param : string | test.go:171:20:171:24 | param | Untrusted URL redirection due to $@. | test.go:170:11:170:32 | call to Param | user-provided value |
+| test.go:180:20:180:28 | ...+... | test.go:176:11:176:32 | call to Param : string | test.go:180:20:180:28 | ...+... | Untrusted URL redirection due to $@. | test.go:176:11:176:32 | call to Param | user-provided value |

ql/test/library-tests/semmle/go/frameworks/Echo/OpenRedirect.qlref

@@ -0,0 +1 @@
+Security/CWE-601/OpenUrlRedirect.ql

ql/test/library-tests/semmle/go/frameworks/Echo/ReflectedXss.expected

@@ -0,0 +1,95 @@
+edges
+| test.go:13:11:13:32 | call to Param : string | test.go:14:16:14:20 | param |
+| test.go:19:11:19:27 | call to ParamValues : slice type | test.go:20:16:20:20 | param |
+| test.go:25:11:25:37 | call to QueryParam : string | test.go:26:16:26:20 | param |
+| test.go:31:11:31:27 | call to QueryParams : Values | test.go:32:16:32:20 | param |
+| test.go:37:10:37:26 | call to QueryString : string | test.go:38:16:38:19 | qstr |
+| test.go:43:9:43:34 | call to FormValue : string | test.go:44:16:44:18 | val |
+| test.go:49:2:49:30 | ... := ...[0] : Values | test.go:50:16:50:37 | index expression |
+| test.go:55:2:55:46 | ... := ...[0] : pointer type | test.go:59:20:59:25 | buffer |
+| test.go:64:2:64:31 | ... := ...[0] : pointer type | test.go:65:16:65:19 | implicit dereference : Form |
+| test.go:64:2:64:31 | ... := ...[0] : pointer type | test.go:65:16:65:41 | index expression |
+| test.go:65:16:65:19 | implicit dereference : Form | test.go:65:16:65:19 | implicit dereference : Form |
+| test.go:65:16:65:19 | implicit dereference : Form | test.go:65:16:65:41 | index expression |
+| test.go:70:2:70:31 | ... := ...[0] : pointer type | test.go:71:16:71:19 | implicit dereference : Form |
+| test.go:70:2:70:31 | ... := ...[0] : pointer type | test.go:75:20:75:25 | buffer |
+| test.go:71:16:71:19 | implicit dereference : Form | test.go:71:16:71:19 | implicit dereference : Form |
+| test.go:71:16:71:19 | implicit dereference : Form | test.go:75:20:75:25 | buffer |
+| test.go:80:2:80:32 | ... := ...[0] : pointer type | test.go:81:16:81:18 | implicit dereference : Cookie |
+| test.go:80:2:80:32 | ... := ...[0] : pointer type | test.go:81:16:81:24 | selection of Value |
+| test.go:81:16:81:18 | implicit dereference : Cookie | test.go:81:16:81:18 | implicit dereference : Cookie |
+| test.go:81:16:81:18 | implicit dereference : Cookie | test.go:81:16:81:24 | selection of Value |
+| test.go:86:13:86:25 | call to Cookies : slice type | test.go:87:16:87:25 | implicit dereference : Cookie |
+| test.go:86:13:86:25 | call to Cookies : slice type | test.go:87:16:87:31 | selection of Value |
+| test.go:87:16:87:25 | implicit dereference : Cookie | test.go:87:16:87:25 | implicit dereference : Cookie |
+| test.go:87:16:87:25 | implicit dereference : Cookie | test.go:87:16:87:31 | selection of Value |
+| test.go:97:11:97:15 | &... : pointer type | test.go:98:16:98:21 | selection of s |
+| test.go:111:21:111:42 | call to Param : string | test.go:112:16:112:42 | type assertion |
+| test.go:122:11:122:32 | call to Param : string | test.go:123:16:123:20 | param |
+| test.go:128:11:128:32 | call to Param : string | test.go:129:20:129:32 | type conversion |
+| test.go:134:11:134:32 | call to Param : string | test.go:135:29:135:41 | type conversion |
+| test.go:146:11:146:32 | call to Param : string | test.go:148:31:148:36 | reader |
+| test.go:162:11:162:32 | call to Param : string | test.go:163:23:163:35 | type conversion |
+nodes
+| test.go:13:11:13:32 | call to Param : string | semmle.label | call to Param : string |
+| test.go:14:16:14:20 | param | semmle.label | param |
+| test.go:19:11:19:27 | call to ParamValues : slice type | semmle.label | call to ParamValues : slice type |
+| test.go:20:16:20:20 | param | semmle.label | param |
+| test.go:25:11:25:37 | call to QueryParam : string | semmle.label | call to QueryParam : string |
+| test.go:26:16:26:20 | param | semmle.label | param |
+| test.go:31:11:31:27 | call to QueryParams : Values | semmle.label | call to QueryParams : Values |
+| test.go:32:16:32:20 | param | semmle.label | param |
+| test.go:37:10:37:26 | call to QueryString : string | semmle.label | call to QueryString : string |
+| test.go:38:16:38:19 | qstr | semmle.label | qstr |
+| test.go:43:9:43:34 | call to FormValue : string | semmle.label | call to FormValue : string |
+| test.go:44:16:44:18 | val | semmle.label | val |
+| test.go:49:2:49:30 | ... := ...[0] : Values | semmle.label | ... := ...[0] : Values |
+| test.go:50:16:50:37 | index expression | semmle.label | index expression |
+| test.go:55:2:55:46 | ... := ...[0] : pointer type | semmle.label | ... := ...[0] : pointer type |
+| test.go:59:20:59:25 | buffer | semmle.label | buffer |
+| test.go:64:2:64:31 | ... := ...[0] : pointer type | semmle.label | ... := ...[0] : pointer type |
+| test.go:65:16:65:19 | implicit dereference : Form | semmle.label | implicit dereference : Form |
+| test.go:65:16:65:41 | index expression | semmle.label | index expression |
+| test.go:70:2:70:31 | ... := ...[0] : pointer type | semmle.label | ... := ...[0] : pointer type |
+| test.go:71:16:71:19 | implicit dereference : Form | semmle.label | implicit dereference : Form |
+| test.go:75:20:75:25 | buffer | semmle.label | buffer |
+| test.go:80:2:80:32 | ... := ...[0] : pointer type | semmle.label | ... := ...[0] : pointer type |
+| test.go:81:16:81:18 | implicit dereference : Cookie | semmle.label | implicit dereference : Cookie |
+| test.go:81:16:81:24 | selection of Value | semmle.label | selection of Value |
+| test.go:86:13:86:25 | call to Cookies : slice type | semmle.label | call to Cookies : slice type |
+| test.go:87:16:87:25 | implicit dereference : Cookie | semmle.label | implicit dereference : Cookie |
+| test.go:87:16:87:31 | selection of Value | semmle.label | selection of Value |
+| test.go:97:11:97:15 | &... : pointer type | semmle.label | &... : pointer type |
+| test.go:98:16:98:21 | selection of s | semmle.label | selection of s |
+| test.go:111:21:111:42 | call to Param : string | semmle.label | call to Param : string |
+| test.go:112:16:112:42 | type assertion | semmle.label | type assertion |
+| test.go:122:11:122:32 | call to Param : string | semmle.label | call to Param : string |
+| test.go:123:16:123:20 | param | semmle.label | param |
+| test.go:128:11:128:32 | call to Param : string | semmle.label | call to Param : string |
+| test.go:129:20:129:32 | type conversion | semmle.label | type conversion |
+| test.go:134:11:134:32 | call to Param : string | semmle.label | call to Param : string |
+| test.go:135:29:135:41 | type conversion | semmle.label | type conversion |
+| test.go:146:11:146:32 | call to Param : string | semmle.label | call to Param : string |
+| test.go:148:31:148:36 | reader | semmle.label | reader |
+| test.go:162:11:162:32 | call to Param : string | semmle.label | call to Param : string |
+| test.go:163:23:163:35 | type conversion | semmle.label | type conversion |
+#select
+| test.go:14:16:14:20 | param | test.go:13:11:13:32 | call to Param : string | test.go:14:16:14:20 | param | Cross-site scripting vulnerability due to $@. | test.go:13:11:13:32 | call to Param | user-provided value |
+| test.go:20:16:20:20 | param | test.go:19:11:19:27 | call to ParamValues : slice type | test.go:20:16:20:20 | param | Cross-site scripting vulnerability due to $@. | test.go:19:11:19:27 | call to ParamValues | user-provided value |
+| test.go:26:16:26:20 | param | test.go:25:11:25:37 | call to QueryParam : string | test.go:26:16:26:20 | param | Cross-site scripting vulnerability due to $@. | test.go:25:11:25:37 | call to QueryParam | user-provided value |
+| test.go:32:16:32:20 | param | test.go:31:11:31:27 | call to QueryParams : Values | test.go:32:16:32:20 | param | Cross-site scripting vulnerability due to $@. | test.go:31:11:31:27 | call to QueryParams | user-provided value |
+| test.go:38:16:38:19 | qstr | test.go:37:10:37:26 | call to QueryString : string | test.go:38:16:38:19 | qstr | Cross-site scripting vulnerability due to $@. | test.go:37:10:37:26 | call to QueryString | user-provided value |
+| test.go:44:16:44:18 | val | test.go:43:9:43:34 | call to FormValue : string | test.go:44:16:44:18 | val | Cross-site scripting vulnerability due to $@. | test.go:43:9:43:34 | call to FormValue | user-provided value |
+| test.go:50:16:50:37 | index expression | test.go:49:2:49:30 | ... := ...[0] : Values | test.go:50:16:50:37 | index expression | Cross-site scripting vulnerability due to $@. | test.go:49:2:49:30 | ... := ...[0] | user-provided value |
+| test.go:59:20:59:25 | buffer | test.go:55:2:55:46 | ... := ...[0] : pointer type | test.go:59:20:59:25 | buffer | Cross-site scripting vulnerability due to $@. | test.go:55:2:55:46 | ... := ...[0] | user-provided value |
+| test.go:65:16:65:41 | index expression | test.go:64:2:64:31 | ... := ...[0] : pointer type | test.go:65:16:65:41 | index expression | Cross-site scripting vulnerability due to $@. | test.go:64:2:64:31 | ... := ...[0] | user-provided value |
+| test.go:75:20:75:25 | buffer | test.go:70:2:70:31 | ... := ...[0] : pointer type | test.go:75:20:75:25 | buffer | Cross-site scripting vulnerability due to $@. | test.go:70:2:70:31 | ... := ...[0] | user-provided value |
+| test.go:81:16:81:24 | selection of Value | test.go:80:2:80:32 | ... := ...[0] : pointer type | test.go:81:16:81:24 | selection of Value | Cross-site scripting vulnerability due to $@. | test.go:80:2:80:32 | ... := ...[0] | user-provided value |
+| test.go:87:16:87:31 | selection of Value | test.go:86:13:86:25 | call to Cookies : slice type | test.go:87:16:87:31 | selection of Value | Cross-site scripting vulnerability due to $@. | test.go:86:13:86:25 | call to Cookies | user-provided value |
+| test.go:98:16:98:21 | selection of s | test.go:97:11:97:15 | &... : pointer type | test.go:98:16:98:21 | selection of s | Cross-site scripting vulnerability due to $@. | test.go:97:11:97:15 | &... | user-provided value |
+| test.go:112:16:112:42 | type assertion | test.go:111:21:111:42 | call to Param : string | test.go:112:16:112:42 | type assertion | Cross-site scripting vulnerability due to $@. | test.go:111:21:111:42 | call to Param | user-provided value |
+| test.go:123:16:123:20 | param | test.go:122:11:122:32 | call to Param : string | test.go:123:16:123:20 | param | Cross-site scripting vulnerability due to $@. | test.go:122:11:122:32 | call to Param | user-provided value |
+| test.go:129:20:129:32 | type conversion | test.go:128:11:128:32 | call to Param : string | test.go:129:20:129:32 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:128:11:128:32 | call to Param | user-provided value |
+| test.go:135:29:135:41 | type conversion | test.go:134:11:134:32 | call to Param : string | test.go:135:29:135:41 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:134:11:134:32 | call to Param | user-provided value |
+| test.go:148:31:148:36 | reader | test.go:146:11:146:32 | call to Param : string | test.go:148:31:148:36 | reader | Cross-site scripting vulnerability due to $@. | test.go:146:11:146:32 | call to Param | user-provided value |
+| test.go:163:23:163:35 | type conversion | test.go:162:11:162:32 | call to Param : string | test.go:163:23:163:35 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:162:11:162:32 | call to Param | user-provided value |

ql/test/library-tests/semmle/go/frameworks/Echo/ReflectedXss.qlref

@@ -0,0 +1 @@
+Security/CWE-079/ReflectedXss.ql

ql/test/library-tests/semmle/go/frameworks/Echo/go.mod

@@ -0,0 +1,7 @@
+go 1.14
+
+module test
+
+require (
+	github.com/labstack/echo/v4 v4.1.17
+)