Merge pull request #274 from gagliardetto/standard-lib-pt-2

Add taint tracking for bufio and bytes packages

Author: max-schaefer

ql/src/semmle/go/frameworks/Stdlib.qll

@@ -5,6 +5,8 @@
 import go
 import semmle.go.frameworks.stdlib.ArchiveTar
 import semmle.go.frameworks.stdlib.ArchiveZip
+import semmle.go.frameworks.stdlib.Bufio
+import semmle.go.frameworks.stdlib.Bytes
 
 /** A `String()` method. */
 class StringMethod extends TaintTracking::FunctionModel, Method {
@@ -73,17 +75,6 @@ module PathFilePath {
   }
 }
 
-/** Provides models of commonly used functions in the `bytes` package. */
-private module Bytes {
-  private class BufferBytes extends TaintTracking::FunctionModel, Method {
-    BufferBytes() { this.hasQualifiedName("bytes", "Buffer", ["Bytes", "String"]) }
-
-    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-      input.isReceiver() and output.isResult()
-    }
-  }
-}
-
 /** Provides models of commonly used functions in the `fmt` package. */
 module Fmt {
   /** The `Sprint` function or one of its variants. */
@@ -384,17 +375,6 @@ module Io {
   }
 }
 
-/** Provides models of commonly used functions in the `bufio` package. */
-module Bufio {
-  private class NewWriter extends TaintTracking::FunctionModel {
-    NewWriter() { this.hasQualifiedName("bufio", "NewWriter") }
-
-    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-      input.isResult() and output.isParameter(0)
-    }
-  }
-}
-
 /** Provides models of commonly used functions in the `io/ioutil` package. */
 module IoUtil {
   private class IoUtilFileSystemAccess extends FileSystemAccess::Range, DataFlow::CallNode {

ql/src/semmle/go/frameworks/stdlib/Bufio.qll

@@ -0,0 +1,126 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `bufio` package.
+ */
+
+import go
+
+/** Provides models of commonly used functions in the `bufio` package. */
+module Bufio {
+  private class FunctionModels extends TaintTracking::FunctionModel {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    FunctionModels() {
+      // signature: func NewReadWriter(r *Reader, w *Writer) *ReadWriter
+      hasQualifiedName("bufio", "NewReadWriter") and
+      (
+        inp.isParameter(0) and outp.isResult()
+        or
+        inp.isResult() and outp.isParameter(1)
+      )
+      or
+      // signature: func NewReader(rd io.Reader) *Reader
+      hasQualifiedName("bufio", "NewReader") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func NewReaderSize(rd io.Reader, size int) *Reader
+      hasQualifiedName("bufio", "NewReaderSize") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func NewScanner(r io.Reader) *Scanner
+      hasQualifiedName("bufio", "NewScanner") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func NewWriter(w io.Writer) *Writer
+      hasQualifiedName("bufio", "NewWriter") and
+      (inp.isResult() and outp.isParameter(0))
+      or
+      // signature: func NewWriterSize(w io.Writer, size int) *Writer
+      hasQualifiedName("bufio", "NewWriterSize") and
+      (inp.isResult() and outp.isParameter(0))
+      or
+      // signature: func ScanBytes(data []byte, atEOF bool) (advance int, token []byte, err error)
+      hasQualifiedName("bufio", "ScanBytes") and
+      (inp.isParameter(0) and outp.isResult(1))
+      or
+      // signature: func ScanLines(data []byte, atEOF bool) (advance int, token []byte, err error)
+      hasQualifiedName("bufio", "ScanLines") and
+      (inp.isParameter(0) and outp.isResult(1))
+      or
+      // signature: func ScanRunes(data []byte, atEOF bool) (advance int, token []byte, err error)
+      hasQualifiedName("bufio", "ScanRunes") and
+      (inp.isParameter(0) and outp.isResult(1))
+      or
+      // signature: func ScanWords(data []byte, atEOF bool) (advance int, token []byte, err error)
+      hasQualifiedName("bufio", "ScanWords") and
+      (inp.isParameter(0) and outp.isResult(1))
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+
+  private class MethodModels extends TaintTracking::FunctionModel, Method {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    MethodModels() {
+      // signature: func (*Reader).Peek(n int) ([]byte, error)
+      this.hasQualifiedName("bufio", "Reader", "Peek") and
+      (inp.isReceiver() and outp.isResult(0))
+      or
+      // signature: func (*Reader).ReadBytes(delim byte) ([]byte, error)
+      this.hasQualifiedName("bufio", "Reader", "ReadBytes") and
+      (inp.isReceiver() and outp.isResult(0))
+      or
+      // signature: func (*Reader).ReadLine() (line []byte, isPrefix bool, err error)
+      this.hasQualifiedName("bufio", "Reader", "ReadLine") and
+      (inp.isReceiver() and outp.isResult(0))
+      or
+      // signature: func (*Reader).ReadSlice(delim byte) (line []byte, err error)
+      this.hasQualifiedName("bufio", "Reader", "ReadSlice") and
+      (inp.isReceiver() and outp.isResult(0))
+      or
+      // signature: func (*Reader).ReadString(delim byte) (string, error)
+      this.hasQualifiedName("bufio", "Reader", "ReadString") and
+      (inp.isReceiver() and outp.isResult(0))
+      or
+      // signature: func (*Reader).Reset(r io.Reader)
+      this.hasQualifiedName("bufio", "Reader", "Reset") and
+      (inp.isParameter(0) and outp.isReceiver())
+      or
+      // signature: func (*Reader).WriteTo(w io.Writer) (n int64, err error)
+      this.hasQualifiedName("bufio", "Reader", "WriteTo") and
+      (inp.isReceiver() and outp.isParameter(0))
+      or
+      // signature: func (*Scanner).Bytes() []byte
+      this.hasQualifiedName("bufio", "Scanner", "Bytes") and
+      (inp.isReceiver() and outp.isResult())
+      or
+      // signature: func (*Scanner).Text() string
+      this.hasQualifiedName("bufio", "Scanner", "Text") and
+      (inp.isReceiver() and outp.isResult())
+      or
+      // signature: func (*Writer).ReadFrom(r io.Reader) (n int64, err error)
+      this.hasQualifiedName("bufio", "Writer", "ReadFrom") and
+      (inp.isParameter(0) and outp.isReceiver())
+      or
+      // signature: func (*Writer).Reset(w io.Writer)
+      this.hasQualifiedName("bufio", "Writer", "Reset") and
+      (inp.isReceiver() and outp.isParameter(0))
+      or
+      // signature: func (*Writer).Write(p []byte) (nn int, err error)
+      this.hasQualifiedName("bufio", "Writer", "Write") and
+      (inp.isParameter(0) and outp.isReceiver())
+      or
+      // signature: func (*Writer).WriteString(s string) (int, error)
+      this.hasQualifiedName("bufio", "Writer", "WriteString") and
+      (inp.isParameter(0) and outp.isReceiver())
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+}

ql/src/semmle/go/frameworks/stdlib/Bytes.qll

@@ -0,0 +1,206 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `bytes` package.
+ */
+
+import go
+
+/** Provides models of commonly used functions in the `bytes` package. */
+module Bytes {
+  private class FunctionModels extends TaintTracking::FunctionModel {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    FunctionModels() {
+      // signature: func Fields(s []byte) [][]byte
+      hasQualifiedName("bytes", "Fields") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func FieldsFunc(s []byte, f func(rune) bool) [][]byte
+      hasQualifiedName("bytes", "FieldsFunc") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func Join(s [][]byte, sep []byte) []byte
+      hasQualifiedName("bytes", "Join") and
+      (inp.isParameter(_) and outp.isResult())
+      or
+      // signature: func Map(mapping func(r rune) rune, s []byte) []byte
+      hasQualifiedName("bytes", "Map") and
+      (inp.isParameter(1) and outp.isResult())
+      or
+      // signature: func NewBuffer(buf []byte) *Buffer
+      hasQualifiedName("bytes", "NewBuffer") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func NewBufferString(s string) *Buffer
+      hasQualifiedName("bytes", "NewBufferString") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func NewReader(b []byte) *Reader
+      hasQualifiedName("bytes", "NewReader") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func Repeat(b []byte, count int) []byte
+      hasQualifiedName("bytes", "Repeat") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func Replace(s []byte, old []byte, new []byte, n int) []byte
+      hasQualifiedName("bytes", "Replace") and
+      (inp.isParameter([0, 2]) and outp.isResult())
+      or
+      // signature: func ReplaceAll(s []byte, old []byte, new []byte) []byte
+      hasQualifiedName("bytes", "ReplaceAll") and
+      (inp.isParameter([0, 2]) and outp.isResult())
+      or
+      // signature: func Runes(s []byte) []rune
+      hasQualifiedName("bytes", "Runes") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func Split(s []byte, sep []byte) [][]byte
+      hasQualifiedName("bytes", "Split") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func SplitAfter(s []byte, sep []byte) [][]byte
+      hasQualifiedName("bytes", "SplitAfter") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func SplitAfterN(s []byte, sep []byte, n int) [][]byte
+      hasQualifiedName("bytes", "SplitAfterN") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func SplitN(s []byte, sep []byte, n int) [][]byte
+      hasQualifiedName("bytes", "SplitN") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func Title(s []byte) []byte
+      hasQualifiedName("bytes", "Title") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func ToLower(s []byte) []byte
+      hasQualifiedName("bytes", "ToLower") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func ToLowerSpecial(c unicode.SpecialCase, s []byte) []byte
+      hasQualifiedName("bytes", "ToLowerSpecial") and
+      (inp.isParameter(1) and outp.isResult())
+      or
+      // signature: func ToTitle(s []byte) []byte
+      hasQualifiedName("bytes", "ToTitle") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func ToTitleSpecial(c unicode.SpecialCase, s []byte) []byte
+      hasQualifiedName("bytes", "ToTitleSpecial") and
+      (inp.isParameter(1) and outp.isResult())
+      or
+      // signature: func ToUpper(s []byte) []byte
+      hasQualifiedName("bytes", "ToUpper") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func ToUpperSpecial(c unicode.SpecialCase, s []byte) []byte
+      hasQualifiedName("bytes", "ToUpperSpecial") and
+      (inp.isParameter(1) and outp.isResult())
+      or
+      // signature: func ToValidUTF8(s []byte, replacement []byte) []byte
+      hasQualifiedName("bytes", "ToValidUTF8") and
+      (inp.isParameter(_) and outp.isResult())
+      or
+      // signature: func Trim(s []byte, cutset string) []byte
+      hasQualifiedName("bytes", "Trim") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func TrimFunc(s []byte, f func(r rune) bool) []byte
+      hasQualifiedName("bytes", "TrimFunc") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func TrimLeft(s []byte, cutset string) []byte
+      hasQualifiedName("bytes", "TrimLeft") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func TrimLeftFunc(s []byte, f func(r rune) bool) []byte
+      hasQualifiedName("bytes", "TrimLeftFunc") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func TrimPrefix(s []byte, prefix []byte) []byte
+      hasQualifiedName("bytes", "TrimPrefix") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func TrimRight(s []byte, cutset string) []byte
+      hasQualifiedName("bytes", "TrimRight") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func TrimRightFunc(s []byte, f func(r rune) bool) []byte
+      hasQualifiedName("bytes", "TrimRightFunc") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func TrimSpace(s []byte) []byte
+      hasQualifiedName("bytes", "TrimSpace") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func TrimSuffix(s []byte, suffix []byte) []byte
+      hasQualifiedName("bytes", "TrimSuffix") and
+      (inp.isParameter(0) and outp.isResult())
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+
+  private class MethodModels extends TaintTracking::FunctionModel, Method {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    MethodModels() {
+      // signature: func (*Buffer).Bytes() []byte
+      this.hasQualifiedName("bytes", "Buffer", "Bytes") and
+      (inp.isReceiver() and outp.isResult())
+      or
+      // signature: func (*Buffer).Next(n int) []byte
+      this.hasQualifiedName("bytes", "Buffer", "Next") and
+      (inp.isReceiver() and outp.isResult())
+      or
+      // signature: func (*Buffer).ReadBytes(delim byte) (line []byte, err error)
+      this.hasQualifiedName("bytes", "Buffer", "ReadBytes") and
+      (inp.isReceiver() and outp.isResult(0))
+      or
+      // signature: func (*Buffer).ReadFrom(r io.Reader) (n int64, err error)
+      this.hasQualifiedName("bytes", "Buffer", "ReadFrom") and
+      (inp.isParameter(0) and outp.isReceiver())
+      or
+      // signature: func (*Buffer).ReadString(delim byte) (line string, err error)
+      this.hasQualifiedName("bytes", "Buffer", "ReadString") and
+      (inp.isReceiver() and outp.isResult(0))
+      or
+      // signature: func (*Buffer).String() string
+      this.hasQualifiedName("bytes", "Buffer", "String") and
+      (inp.isReceiver() and outp.isResult())
+      or
+      // signature: func (*Buffer).Write(p []byte) (n int, err error)
+      this.hasQualifiedName("bytes", "Buffer", "Write") and
+      (inp.isParameter(0) and outp.isReceiver())
+      or
+      // signature: func (*Buffer).WriteString(s string) (n int, err error)
+      this.hasQualifiedName("bytes", "Buffer", "WriteString") and
+      (inp.isParameter(0) and outp.isReceiver())
+      or
+      // signature: func (*Buffer).WriteTo(w io.Writer) (n int64, err error)
+      this.hasQualifiedName("bytes", "Buffer", "WriteTo") and
+      (inp.isReceiver() and outp.isParameter(0))
+      or
+      // signature: func (*Reader).ReadAt(b []byte, off int64) (n int, err error)
+      this.hasQualifiedName("bytes", "Reader", "ReadAt") and
+      (inp.isReceiver() and outp.isParameter(0))
+      or
+      // signature: func (*Reader).Reset(b []byte)
+      this.hasQualifiedName("bytes", "Reader", "Reset") and
+      (inp.isParameter(0) and outp.isReceiver())
+      or
+      // signature: func (*Reader).WriteTo(w io.Writer) (n int64, err error)
+      this.hasQualifiedName("bytes", "Reader", "WriteTo") and
+      (inp.isReceiver() and outp.isParameter(0))
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+}