Oauth2 state: note bufio.NewScanner is also a sign of probable terminal-interactive use

smowton · smowton · commit 3d877fc67d6a · 2020-09-02T15:05:21.000+01:00
diff --git a/ql/src/experimental/CWE-352/ConstantOauth2State.ql b/ql/src/experimental/CWE-352/ConstantOauth2State.ql
@@ -65,17 +65,27 @@ predicate resultFlowsToPrinter(DataFlow::CallNode authCodeURLCall) {
   )
 }
 
+/** Gets dataflow nodes that read the value of os.Stdin */
+DataFlow::Node getAStdinNode() {
+  result = any(ValueEntity v | v.hasQualifiedName("os", "Stdin")).getARead()
+}
+
+/**
+ * Gets a call to a scanner function that reads from os.Stdin, or which creates a scanner
+ * instance wrapping os.Stdin.
+ */
+DataFlow::CallNode getAScannerCall() {
+  result instanceof Fmt::ScannerCall or
+  result.(Fmt::FScannerCall).getReader() = getAStdinNode() or
+  result.(Bufio::NewScannerCall).getReader() = getAStdinNode()
+}
+
 /**
  * Holds if the provided CallNode is within the same root as a call
  * to a scanner that reads from os.Stdin.
  */
-predicate rootContainsCallToStdinScanner(DataFlow::CallNode authCodeURLCall) {
-  exists(Fmt::ScannerCall scannerCall | scannerCall.getRoot() = authCodeURLCall.getRoot())
-  or
-  exists(Fmt::FScannerCall fScannerCall |
-    fScannerCall.getReader() = any(ValueEntity v | v.hasQualifiedName("os", "Stdin")).getARead() and
-    fScannerCall.getRoot() = authCodeURLCall.getRoot()
-  )
+predicate containsCallToStdinScanner(FuncDef funcDef) {
+  exists(DataFlow::CallNode call | call = getAScannerCall() | call.getRoot() = funcDef)
 }
 
 /**
@@ -86,7 +96,7 @@ predicate rootContainsCallToStdinScanner(DataFlow::CallNode authCodeURLCall) {
  */
 predicate seemsLikeDoneWithinATerminal(DataFlow::CallNode authCodeURLCall) {
   resultFlowsToPrinter(authCodeURLCall) and
-  rootContainsCallToStdinScanner(authCodeURLCall)
+  containsCallToStdinScanner(authCodeURLCall.getRoot())
 }
 
 from
diff --git a/ql/src/semmle/go/frameworks/stdlib/Bufio.qll b/ql/src/semmle/go/frameworks/stdlib/Bufio.qll
@@ -6,6 +6,26 @@ import go
 
 /** Provides models of commonly used functions in the `bufio` package. */
 module Bufio {
+  /**
+   * The function bufio.NewScanner.
+   */
+  class NewScanner extends Function {
+    NewScanner() { this.hasQualifiedName("bufio", "NewScanner") }
+  }
+
+  /**
+   * A call to bufio.NewScanner.
+   */
+  class NewScannerCall extends DataFlow::CallNode {
+    NewScannerCall() { this.getTarget() instanceof NewScanner }
+
+    /**
+     * Returns the node corresponding to the io.Reader
+     * argument provided in the call.
+     */
+    DataFlow::Node getReader() { result = this.getArgument(0) }
+  }
+
   private class FunctionModels extends TaintTracking::FunctionModel {
     FunctionInput inp;
     FunctionOutput outp;
