Add test for Go-restful

smowton · smowton · commit 3c4a1b90fe16 · 2020-07-28T14:52:10.000+01:00
diff --git a/ql/src/semmle/go/frameworks/HTTP.qll b/ql/src/semmle/go/frameworks/HTTP.qll
@@ -242,7 +242,7 @@ private module GoRestfulHttp {
   private class GoRestfulSourceMethod extends Method {
     GoRestfulSourceMethod() {
       this
-          .hasQualifiedName("github.com/emicklei/go-restful", "Request",
+          .hasQualifiedName(package("github.com/emicklei/go-restful", ""), "Request",
             ["QueryParameters", "QueryParameter", "BodyParameter", "HeaderParameter",
                 "PathParameter", "PathParameters"])
     }
diff --git a/ql/test/library-tests/semmle/go/frameworks/HTTP/Gorestful/go.mod b/ql/test/library-tests/semmle/go/frameworks/HTTP/Gorestful/go.mod
@@ -0,0 +1,8 @@
+module gorestfultest
+
+go 1.14
+
+require (
+	github.com/emicklei/go-restful/v3 v3.2.0
+	github.com/json-iterator/go v1.1.10 // indirect
+)
diff --git a/ql/test/library-tests/semmle/go/frameworks/HTTP/Gorestful/gorestful.expected b/ql/test/library-tests/semmle/go/frameworks/HTTP/Gorestful/gorestful.expected
@@ -0,0 +1,12 @@
+| gorestful.go:9:15:9:47 | index expression | gorestful.go:9:15:9:44 | call to QueryParameters : slice type | gorestful.go:9:15:9:47 | index expression | This command depends on $@. | gorestful.go:9:15:9:44 | call to QueryParameters | a user-provided value |
+| gorestful.go:10:15:10:43 | call to QueryParameter | gorestful.go:10:15:10:43 | call to QueryParameter | gorestful.go:10:15:10:43 | call to QueryParameter | This command depends on $@. | gorestful.go:10:15:10:43 | call to QueryParameter | a user-provided value |
+| gorestful.go:12:15:12:17 | val | gorestful.go:11:12:11:39 | call to BodyParameter : tuple type | gorestful.go:12:15:12:17 | val | This command depends on $@. | gorestful.go:11:12:11:39 | call to BodyParameter | a user-provided value |
+| gorestful.go:13:15:13:44 | call to HeaderParameter | gorestful.go:13:15:13:44 | call to HeaderParameter | gorestful.go:13:15:13:44 | call to HeaderParameter | This command depends on $@. | gorestful.go:13:15:13:44 | call to HeaderParameter | a user-provided value |
+| gorestful.go:14:15:14:42 | call to PathParameter | gorestful.go:14:15:14:42 | call to PathParameter | gorestful.go:14:15:14:42 | call to PathParameter | This command depends on $@. | gorestful.go:14:15:14:42 | call to PathParameter | a user-provided value |
+| gorestful.go:15:15:15:45 | index expression | gorestful.go:15:15:15:38 | call to PathParameters : map type | gorestful.go:15:15:15:45 | index expression | This command depends on $@. | gorestful.go:15:15:15:38 | call to PathParameters | a user-provided value |
+| gorestful_v2.go:9:15:9:47 | index expression | gorestful_v2.go:9:15:9:44 | call to QueryParameters : slice type | gorestful_v2.go:9:15:9:47 | index expression | This command depends on $@. | gorestful_v2.go:9:15:9:44 | call to QueryParameters | a user-provided value |
+| gorestful_v2.go:10:15:10:43 | call to QueryParameter | gorestful_v2.go:10:15:10:43 | call to QueryParameter | gorestful_v2.go:10:15:10:43 | call to QueryParameter | This command depends on $@. | gorestful_v2.go:10:15:10:43 | call to QueryParameter | a user-provided value |
+| gorestful_v2.go:12:15:12:17 | val | gorestful_v2.go:11:12:11:39 | call to BodyParameter : tuple type | gorestful_v2.go:12:15:12:17 | val | This command depends on $@. | gorestful_v2.go:11:12:11:39 | call to BodyParameter | a user-provided value |
+| gorestful_v2.go:13:15:13:44 | call to HeaderParameter | gorestful_v2.go:13:15:13:44 | call to HeaderParameter | gorestful_v2.go:13:15:13:44 | call to HeaderParameter | This command depends on $@. | gorestful_v2.go:13:15:13:44 | call to HeaderParameter | a user-provided value |
+| gorestful_v2.go:14:15:14:42 | call to PathParameter | gorestful_v2.go:14:15:14:42 | call to PathParameter | gorestful_v2.go:14:15:14:42 | call to PathParameter | This command depends on $@. | gorestful_v2.go:14:15:14:42 | call to PathParameter | a user-provided value |
+| gorestful_v2.go:15:15:15:45 | index expression | gorestful_v2.go:15:15:15:38 | call to PathParameters : map type | gorestful_v2.go:15:15:15:45 | index expression | This command depends on $@. | gorestful_v2.go:15:15:15:38 | call to PathParameters | a user-provided value |
diff --git a/ql/test/library-tests/semmle/go/frameworks/HTTP/Gorestful/gorestful.go b/ql/test/library-tests/semmle/go/frameworks/HTTP/Gorestful/gorestful.go
@@ -0,0 +1,16 @@
+package gorestfultest
+
+import (
+	restful "github.com/emicklei/go-restful/v3"
+	"os/exec"
+)
+
+func requestHandler(request *restful.Request, response *restful.Response) {
+	exec.Command(request.QueryParameters("xyz")[0]) // BAD
+	exec.Command(request.QueryParameter("xyz"))     // BAD
+	val, _ := request.BodyParameter("xyz")
+	exec.Command(val)                             // BAD
+	exec.Command(request.HeaderParameter("xyz"))  // BAD
+	exec.Command(request.PathParameter("xyz"))    // BAD
+	exec.Command(request.PathParameters()["xyz"]) // BAD
+}
diff --git a/ql/test/library-tests/semmle/go/frameworks/HTTP/Gorestful/gorestful.ql b/ql/test/library-tests/semmle/go/frameworks/HTTP/Gorestful/gorestful.ql
@@ -0,0 +1,7 @@
+import go
+import semmle.go.security.CommandInjection
+
+from CommandInjection::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where cfg.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "This command depends on $@.", source.getNode(),
+  "a user-provided value"
diff --git a/ql/test/library-tests/semmle/go/frameworks/HTTP/Gorestful/gorestful_v2.go b/ql/test/library-tests/semmle/go/frameworks/HTTP/Gorestful/gorestful_v2.go
@@ -0,0 +1,16 @@
+package gorestfultest
+
+import (
+	restful "github.com/emicklei/go-restful"
+	"os/exec"
+)
+
+func requestHandlerV2(request *restful.Request, response *restful.Response) {
+	exec.Command(request.QueryParameters("xyz")[0]) // BAD
+	exec.Command(request.QueryParameter("xyz"))     // BAD
+	val, _ := request.BodyParameter("xyz")
+	exec.Command(val)                             // BAD
+	exec.Command(request.HeaderParameter("xyz"))  // BAD
+	exec.Command(request.PathParameter("xyz"))    // BAD
+	exec.Command(request.PathParameters()["xyz"]) // BAD
+}
diff --git a/ql/test/library-tests/semmle/go/frameworks/HTTP/Gorestful/vendor/github.com/emicklei/go-restful/LICENSE b/ql/test/library-tests/semmle/go/frameworks/HTTP/Gorestful/vendor/github.com/emicklei/go-restful/LICENSE
diff --git a/ql/test/library-tests/semmle/go/frameworks/HTTP/Gorestful/vendor/github.com/emicklei/go-restful/stub.go b/ql/test/library-tests/semmle/go/frameworks/HTTP/Gorestful/vendor/github.com/emicklei/go-restful/stub.go
diff --git a/ql/test/library-tests/semmle/go/frameworks/HTTP/Gorestful/vendor/github.com/emicklei/go-restful/v3/stub.go b/ql/test/library-tests/semmle/go/frameworks/HTTP/Gorestful/vendor/github.com/emicklei/go-restful/v3/stub.go
diff --git a/ql/test/library-tests/semmle/go/frameworks/HTTP/Gorestful/vendor/modules.txt b/ql/test/library-tests/semmle/go/frameworks/HTTP/Gorestful/vendor/modules.txt
@@ -0,0 +1,6 @@
+# github.com/emicklei/go-restful/v3 v3.2.0
+## explicit
+github.com/emicklei/go-restful/v3
+# github.com/json-iterator/go v1.1.10
+## explicit
+github.com/json-iterator/go

Original file line number	Diff line number	Diff line change
`@@ -242,7 +242,7 @@ private module GoRestfulHttp {`
`242`	`242`	`private class GoRestfulSourceMethod extends Method {`
`243`	`243`	`GoRestfulSourceMethod() {`
`244`	`244`	`this`
`245`		`- .hasQualifiedName("github.com/emicklei/go-restful", "Request",`
	`245`	`+ .hasQualifiedName(package("github.com/emicklei/go-restful", ""), "Request",`
`246`	`246`	`["QueryParameters", "QueryParameter", "BodyParameter", "HeaderParameter",`
`247`	`247`	`"PathParameter", "PathParameters"])`
`248`	`248`	`}`