Add support and tests for protobuf messages with map fields

Author: smowton

ql/src/semmle/go/frameworks/Protobuf.qll

@@ -153,6 +153,11 @@ module Protobuf {
       exists(DataFlow::ReadNode base | succ = DataFlow::getUnderlyingNode(base) |
         any(DataFlow::Write w).writesField(base, getAMessageField(), pred)
       )
+      or
+      exists(DataFlow::ReadNode base | succ = DataFlow::getUnderlyingNode(base) |
+        any(DataFlow::Write w).writesElement(base, _, pred) and
+        [succ.getType(), succ.getType().getPointerType()] instanceof MessageType
+      )
     }
   }
 }

ql/test/library-tests/semmle/go/frameworks/Protobuf/TaintFlows.expected

@@ -8,6 +8,10 @@
 | testDeprecatedApi.go:93:25:93:43 | call to getUntrustedBytes : slice type | testDeprecatedApi.go:97:13:97:31 | selection of Msg |
 | testDeprecatedApi.go:104:22:104:41 | call to getUntrustedString : string | testDeprecatedApi.go:105:13:105:20 | selection of Id |
 | testDeprecatedApi.go:112:22:112:41 | call to getUntrustedString : string | testDeprecatedApi.go:117:12:117:21 | serialized |
+| testDeprecatedApi.go:133:29:133:48 | call to getUntrustedString : string | testDeprecatedApi.go:137:12:137:21 | serialized |
+| testDeprecatedApi.go:143:20:143:39 | call to getUntrustedString : string | testDeprecatedApi.go:148:12:148:21 | serialized |
+| testDeprecatedApi.go:152:25:152:43 | call to getUntrustedBytes : slice type | testDeprecatedApi.go:157:13:157:36 | index expression |
+| testDeprecatedApi.go:161:25:161:43 | call to getUntrustedBytes : slice type | testDeprecatedApi.go:168:13:168:25 | index expression |
 | testModernApi.go:11:22:11:41 | call to getUntrustedString : string | testModernApi.go:15:12:15:21 | serialized |
 | testModernApi.go:20:22:20:41 | call to getUntrustedString : string | testModernApi.go:26:12:26:21 | serialized |
 | testModernApi.go:30:25:30:43 | call to getUntrustedBytes : slice type | testModernApi.go:34:13:34:29 | selection of Description |
@@ -21,3 +25,7 @@
 | testModernApi.go:131:25:131:43 | call to getUntrustedBytes : slice type | testModernApi.go:135:13:135:29 | selection of Description |
 | testModernApi.go:142:22:142:41 | call to getUntrustedString : string | testModernApi.go:143:13:143:20 | selection of Id |
 | testModernApi.go:150:22:150:41 | call to getUntrustedString : string | testModernApi.go:155:12:155:21 | serialized |
+| testModernApi.go:190:29:190:48 | call to getUntrustedString : string | testModernApi.go:194:12:194:21 | serialized |
+| testModernApi.go:200:20:200:39 | call to getUntrustedString : string | testModernApi.go:205:12:205:21 | serialized |
+| testModernApi.go:209:25:209:43 | call to getUntrustedBytes : slice type | testModernApi.go:214:13:214:36 | index expression |
+| testModernApi.go:218:25:218:43 | call to getUntrustedBytes : slice type | testModernApi.go:225:13:225:25 | index expression |

ql/test/library-tests/semmle/go/frameworks/Protobuf/protos/query.proto

@@ -16,6 +16,8 @@ message Query {
   }
 
   repeated Alert alerts = 4;
+
+  map<int32, string> keyValuePairs = 5;
 }
 
 message QuerySuite {

ql/test/library-tests/semmle/go/frameworks/Protobuf/protos/query/query.pb.go

@@ -127,3 +127,43 @@ func testSubmessageAliasFalseNegative() {
 
 	sinkBytes(serialized) // BAD (but not noticed by our current implementation)
 }
+
+func testTaintedMapFieldWrite() {
+	query := &query.Query{}
+	query.KeyValuePairs[123] = getUntrustedString()
+
+	serialized, _ := proto.Marshal(query)
+
+	sinkBytes(serialized) // BAD
+}
+
+func testTaintedMapWriteWholeMap() {
+	query := &query.Query{}
+	taintedMap := map[int32]string{}
+	taintedMap[123] = getUntrustedString()
+	query.KeyValuePairs = taintedMap
+
+	serialized, _ := proto.Marshal(query)
+
+	sinkBytes(serialized) // BAD
+}
+
+func testTaintedMapFieldRead() {
+	untrustedSerialized := getUntrustedBytes()
+	query := &query.Query{}
+
+	proto.Unmarshal(untrustedSerialized, query)
+
+	sinkString(query.KeyValuePairs[123]) // BAD
+}
+
+func testTaintedMapFieldReadViaAlias() {
+	untrustedSerialized := getUntrustedBytes()
+	query := &query.Query{}
+
+	proto.Unmarshal(untrustedSerialized, query)
+
+	alias := &query.KeyValuePairs
+
+	sinkString((*alias)[123]) // BAD
+}

ql/test/library-tests/semmle/go/frameworks/Protobuf/testDeprecatedApi.go

@@ -184,3 +184,43 @@ func testMarshalStateFalseNegative() {
 
 	sinkBytes(serialized.Buf) // BAD (but not noticed by our current implementation)
 }
+
+func testTaintedMapFieldWriteModern() {
+	query := &query.Query{}
+	query.KeyValuePairs[123] = getUntrustedString()
+
+	serialized, _ := proto.Marshal(query)
+
+	sinkBytes(serialized) // BAD
+}
+
+func testTaintedMapWriteWholeMapModern() {
+	query := &query.Query{}
+	taintedMap := map[int32]string{}
+	taintedMap[123] = getUntrustedString()
+	query.KeyValuePairs = taintedMap
+
+	serialized, _ := proto.Marshal(query)
+
+	sinkBytes(serialized) // BAD
+}
+
+func testTaintedMapFieldReadModern() {
+	untrustedSerialized := getUntrustedBytes()
+	query := &query.Query{}
+
+	proto.Unmarshal(untrustedSerialized, query)
+
+	sinkString(query.KeyValuePairs[123]) // BAD
+}
+
+func testTaintedMapFieldReadViaAliasModern() {
+	untrustedSerialized := getUntrustedBytes()
+	query := &query.Query{}
+
+	proto.Unmarshal(untrustedSerialized, query)
+
+	alias := &query.KeyValuePairs
+
+	sinkString((*alias)[123]) // BAD
+}