Merge pull request #322 from gagliardetto/standard-lib-pt-11

max-schaefer · web-flow · commit 88e03c3ee5ce · 2020-09-15T17:54:35.000+01:00
Add taint-tracking for packages in `html/*`
diff --git a/ql/src/semmle/go/frameworks/Stdlib.qll b/ql/src/semmle/go/frameworks/Stdlib.qll
@@ -27,6 +27,8 @@ import semmle.go.frameworks.stdlib.EncodingHex
 import semmle.go.frameworks.stdlib.EncodingJson
 import semmle.go.frameworks.stdlib.EncodingPem
 import semmle.go.frameworks.stdlib.EncodingXml
+import semmle.go.frameworks.stdlib.Html
+import semmle.go.frameworks.stdlib.HtmlTemplate
 import semmle.go.frameworks.stdlib.Path
 import semmle.go.frameworks.stdlib.PathFilepath
 import semmle.go.frameworks.stdlib.Reflect
diff --git a/ql/src/semmle/go/frameworks/stdlib/Html.qll b/ql/src/semmle/go/frameworks/stdlib/Html.qll
@@ -0,0 +1,33 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `html` package.
+ */
+
+import go
+
+/** Provides models of commonly used functions in the `html` package. */
+module Html {
+  private class Escape extends EscapeFunction::Range {
+    Escape() { hasQualifiedName("html", "EscapeString") }
+
+    override string kind() { result = "html" }
+  }
+
+  private class FunctionModels extends TaintTracking::FunctionModel {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    FunctionModels() {
+      // signature: func EscapeString(s string) string
+      hasQualifiedName("html", "EscapeString") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func UnescapeString(s string) string
+      hasQualifiedName("html", "UnescapeString") and
+      (inp.isParameter(0) and outp.isResult())
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+}
diff --git a/ql/src/semmle/go/frameworks/stdlib/HtmlTemplate.qll b/ql/src/semmle/go/frameworks/stdlib/HtmlTemplate.qll
@@ -0,0 +1,84 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `html/template` package.
+ */
+
+import go
+
+/** Provides models of commonly used functions in the `html/template` package. */
+module HtmlTemplate {
+  private class TemplateEscape extends EscapeFunction::Range {
+    string kind;
+
+    TemplateEscape() {
+      exists(string fn |
+        fn.matches("HTMLEscape%") and kind = "html"
+        or
+        fn.matches("JSEscape%") and kind = "js"
+        or
+        fn.matches("URLQueryEscape%") and kind = "url"
+      |
+        this.hasQualifiedName("html/template", fn)
+      )
+    }
+
+    override string kind() { result = kind }
+  }
+
+  private class FunctionModels extends TaintTracking::FunctionModel {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    FunctionModels() {
+      // signature: func HTMLEscape(w io.Writer, b []byte)
+      hasQualifiedName("html/template", "HTMLEscape") and
+      (inp.isParameter(1) and outp.isParameter(0))
+      or
+      // signature: func HTMLEscapeString(s string) string
+      hasQualifiedName("html/template", "HTMLEscapeString") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func HTMLEscaper(args ...interface{}) string
+      hasQualifiedName("html/template", "HTMLEscaper") and
+      (inp.isParameter(_) and outp.isResult())
+      or
+      // signature: func JSEscape(w io.Writer, b []byte)
+      hasQualifiedName("html/template", "JSEscape") and
+      (inp.isParameter(1) and outp.isParameter(0))
+      or
+      // signature: func JSEscapeString(s string) string
+      hasQualifiedName("html/template", "JSEscapeString") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func JSEscaper(args ...interface{}) string
+      hasQualifiedName("html/template", "JSEscaper") and
+      (inp.isParameter(_) and outp.isResult())
+      or
+      // signature: func URLQueryEscaper(args ...interface{}) string
+      hasQualifiedName("html/template", "URLQueryEscaper") and
+      (inp.isParameter(_) and outp.isResult())
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+
+  private class MethodModels extends TaintTracking::FunctionModel, Method {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    MethodModels() {
+      // signature: func (*Template).Execute(wr io.Writer, data interface{}) error
+      this.hasQualifiedName("html/template", "Template", "Execute") and
+      (inp.isParameter(1) and outp.isParameter(0))
+      or
+      // signature: func (*Template).ExecuteTemplate(wr io.Writer, name string, data interface{}) error
+      this.hasQualifiedName("html/template", "Template", "ExecuteTemplate") and
+      (inp.isParameter(2) and outp.isParameter(0))
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+}
diff --git a/ql/src/semmle/go/frameworks/stdlib/TextTemplate.qll b/ql/src/semmle/go/frameworks/stdlib/TextTemplate.qll
@@ -18,8 +18,6 @@ module TextTemplate {
         fn.matches("URLQueryEscape%") and kind = "url"
       |
         this.hasQualifiedName("text/template", fn)
-        or
-        this.hasQualifiedName("html/template", fn)
       )
     }
 
diff --git a/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Html.go b/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Html.go
diff --git a/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/HtmlTemplate.go b/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/HtmlTemplate.go

Original file line number	Diff line number	Diff line change
`@@ -18,8 +18,6 @@ module TextTemplate {`
`18`	`18`	`fn.matches("URLQueryEscape%") and kind = "url"`
`19`	`19`	`\|`
`20`	`20`	`this.hasQualifiedName("text/template", fn)`
`21`		`- or`
`22`		`- this.hasQualifiedName("html/template", fn)`
`23`	`21`	`)`
`24`	`22`	`}`
`25`	`23`