Merge pull request #323 from gagliardetto/standard-lib-pt-8

Add taint-tracking for packages in `encoding/*`

Author: smowton

ql/src/semmle/go/frameworks/Stdlib.qll

@@ -15,6 +15,18 @@ import semmle.go.frameworks.stdlib.CompressZlib
 import semmle.go.frameworks.stdlib.Mime
 import semmle.go.frameworks.stdlib.MimeMultipart
 import semmle.go.frameworks.stdlib.MimeQuotedprintable
+import semmle.go.frameworks.stdlib.Encoding
+import semmle.go.frameworks.stdlib.EncodingAscii85
+import semmle.go.frameworks.stdlib.EncodingAsn1
+import semmle.go.frameworks.stdlib.EncodingBase32
+import semmle.go.frameworks.stdlib.EncodingBase64
+import semmle.go.frameworks.stdlib.EncodingBinary
+import semmle.go.frameworks.stdlib.EncodingCsv
+import semmle.go.frameworks.stdlib.EncodingGob
+import semmle.go.frameworks.stdlib.EncodingHex
+import semmle.go.frameworks.stdlib.EncodingJson
+import semmle.go.frameworks.stdlib.EncodingPem
+import semmle.go.frameworks.stdlib.EncodingXml
 import semmle.go.frameworks.stdlib.Path
 import semmle.go.frameworks.stdlib.PathFilepath
 import semmle.go.frameworks.stdlib.Reflect
@@ -697,53 +709,6 @@ module Log {
   }
 }
 
-/** Provides models of some functions in the `encoding/json` package. */
-module EncodingJson {
-  /** The `Marshal` or `MarshalIndent` function in the `encoding/json` package. */
-  class MarshalFunction extends TaintTracking::FunctionModel, MarshalingFunction::Range {
-    MarshalFunction() {
-      this.hasQualifiedName("encoding/json", "Marshal") or
-      this.hasQualifiedName("encoding/json", "MarshalIndent")
-    }
-
-    override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) {
-      inp = getAnInput() and outp = getOutput()
-    }
-
-    override FunctionInput getAnInput() { result.isParameter(0) }
-
-    override FunctionOutput getOutput() { result.isResult(0) }
-
-    override string getFormat() { result = "JSON" }
-  }
-
-  private class UnmarshalFunction extends TaintTracking::FunctionModel, UnmarshalingFunction::Range {
-    UnmarshalFunction() { this.hasQualifiedName("encoding/json", "Unmarshal") }
-
-    override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) {
-      inp = getAnInput() and outp = getOutput()
-    }
-
-    override FunctionInput getAnInput() { result.isParameter(0) }
-
-    override FunctionOutput getOutput() { result.isParameter(1) }
-
-    override string getFormat() { result = "JSON" }
-  }
-}
-
-/** Provides models of some functions in the `encoding/hex` package. */
-module EncodingHex {
-  private class DecodeStringFunction extends TaintTracking::FunctionModel {
-    DecodeStringFunction() { this.hasQualifiedName("encoding/hex", "DecodeString") }
-
-    override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) {
-      inp.isParameter(0) and
-      outp.isResult(0)
-    }
-  }
-}
-
 /** Provides models of some functions in the `crypto/cipher` package. */
 module CryptoCipher {
   private class AeadOpenFunction extends TaintTracking::FunctionModel, Method {

ql/src/semmle/go/frameworks/stdlib/Encoding.qll

@@ -0,0 +1,35 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `encoding` package.
+ */
+
+import go
+
+/** Provides models of commonly used functions in the `encoding` package. */
+module Encoding {
+  private class MethodModels extends TaintTracking::FunctionModel, Method {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    MethodModels() {
+      // signature: func (BinaryMarshaler).MarshalBinary() (data []byte, err error)
+      this.implements("encoding", "BinaryMarshaler", "MarshalBinary") and
+      (inp.isReceiver() and outp.isResult(0))
+      or
+      // signature: func (TextMarshaler).MarshalText() (text []byte, err error)
+      this.implements("encoding", "TextMarshaler", "MarshalText") and
+      (inp.isReceiver() and outp.isResult(0))
+      or
+      // signature: func (BinaryUnmarshaler).UnmarshalBinary(data []byte) error
+      this.implements("encoding", "BinaryUnmarshaler", "UnmarshalBinary") and
+      (inp.isParameter(0) and outp.isReceiver())
+      or
+      // signature: func (TextUnmarshaler).UnmarshalText(text []byte) error
+      this.implements("encoding", "TextUnmarshaler", "UnmarshalText") and
+      (inp.isParameter(0) and outp.isReceiver())
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+}

ql/src/semmle/go/frameworks/stdlib/EncodingAscii85.qll

@@ -0,0 +1,27 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `encoding/ascii85` package.
+ */
+
+import go
+
+/** Provides models of commonly used functions in the `encoding/ascii85` package. */
+module EncodingAscii85 {
+  private class FunctionModels extends TaintTracking::FunctionModel {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    FunctionModels() {
+      // signature: func Decode(dst []byte, src []byte, flush bool) (ndst int, nsrc int, err error)
+      hasQualifiedName("encoding/ascii85", "Decode") and
+      (inp.isParameter(1) and outp.isParameter(0))
+      or
+      // signature: func NewDecoder(r io.Reader) io.Reader
+      hasQualifiedName("encoding/ascii85", "NewDecoder") and
+      (inp.isParameter(0) and outp.isResult())
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+}

ql/src/semmle/go/frameworks/stdlib/EncodingAsn1.qll

@@ -0,0 +1,69 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `encoding/asn1` package.
+ */
+
+import go
+
+/** Provides models of commonly used functions in the `encoding/asn1` package. */
+module EncodingAsn1 {
+  /** The `Marshal` or `MarshalWithParams` function in the `encoding/asn1` package. */
+  private class MarshalFunction extends MarshalingFunction::Range {
+    MarshalFunction() {
+      hasQualifiedName("encoding/asn1", "Marshal") or
+      hasQualifiedName("encoding/asn1", "MarshalWithParams")
+    }
+
+    override FunctionInput getAnInput() { result.isParameter(0) }
+
+    override FunctionOutput getOutput() { result.isResult(0) }
+
+    override string getFormat() { result = "ASN1" }
+  }
+
+  /** The `Unmarshal` or `UnmarshalWithParams` function in the `encoding/asn1` package. */
+  private class UnmarshalFunction extends UnmarshalingFunction::Range {
+    UnmarshalFunction() {
+      hasQualifiedName("encoding/asn1", "Unmarshal") or
+      hasQualifiedName("encoding/asn1", "UnmarshalWithParams")
+    }
+
+    override FunctionInput getAnInput() { result.isParameter(0) }
+
+    override FunctionOutput getOutput() { result.isParameter(1) }
+
+    override string getFormat() { result = "ASN1" }
+  }
+
+  private class FunctionModels extends TaintTracking::FunctionModel {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    FunctionModels() {
+      // signature: func Marshal(val interface{}) ([]byte, error)
+      hasQualifiedName("encoding/asn1", "Marshal") and
+      (inp.isParameter(0) and outp.isResult(0))
+      or
+      // signature: func MarshalWithParams(val interface{}, params string) ([]byte, error)
+      hasQualifiedName("encoding/asn1", "MarshalWithParams") and
+      (inp.isParameter(_) and outp.isResult(0))
+      or
+      // signature: func Unmarshal(b []byte, val interface{}) (rest []byte, err error)
+      hasQualifiedName("encoding/asn1", "Unmarshal") and
+      (
+        inp.isParameter(0) and
+        (outp.isParameter(1) or outp.isResult(0))
+      )
+      or
+      // signature: func UnmarshalWithParams(b []byte, val interface{}, params string) (rest []byte, err error)
+      hasQualifiedName("encoding/asn1", "UnmarshalWithParams") and
+      (
+        inp.isParameter([0, 2]) and
+        (outp.isParameter(1) or outp.isResult(0))
+      )
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+}

ql/src/semmle/go/frameworks/stdlib/EncodingBase32.qll

@@ -0,0 +1,42 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `encoding/base32` package.
+ */
+
+import go
+
+/** Provides models of commonly used functions in the `encoding/base32` package. */
+module EncodingBase32 {
+  private class FunctionModels extends TaintTracking::FunctionModel {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    FunctionModels() {
+      // signature: func NewDecoder(enc *Encoding, r io.Reader) io.Reader
+      hasQualifiedName("encoding/base32", "NewDecoder") and
+      (inp.isParameter(1) and outp.isResult())
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+
+  private class MethodModels extends TaintTracking::FunctionModel, Method {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    MethodModels() {
+      // signature: func (*Encoding).Decode(dst []byte, src []byte) (n int, err error)
+      this.hasQualifiedName("encoding/base32", "Encoding", "Decode") and
+      (inp.isParameter(1) and outp.isParameter(0))
+      or
+      // signature: func (*Encoding).DecodeString(s string) ([]byte, error)
+      this.hasQualifiedName("encoding/base32", "Encoding", "DecodeString") and
+      (inp.isParameter(0) and outp.isResult(0))
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+}

ql/src/semmle/go/frameworks/stdlib/EncodingBase64.qll

@@ -0,0 +1,42 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `encoding/base64` package.
+ */
+
+import go
+
+/** Provides models of commonly used functions in the `encoding/base64` package. */
+module EncodingBase64 {
+  private class FunctionModels extends TaintTracking::FunctionModel {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    FunctionModels() {
+      // signature: func NewDecoder(enc *Encoding, r io.Reader) io.Reader
+      hasQualifiedName("encoding/base64", "NewDecoder") and
+      (inp.isParameter(1) and outp.isResult())
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+
+  private class MethodModels extends TaintTracking::FunctionModel, Method {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    MethodModels() {
+      // signature: func (*Encoding).Decode(dst []byte, src []byte) (n int, err error)
+      this.hasQualifiedName("encoding/base64", "Encoding", "Decode") and
+      (inp.isParameter(1) and outp.isParameter(0))
+      or
+      // signature: func (*Encoding).DecodeString(s string) ([]byte, error)
+      this.hasQualifiedName("encoding/base64", "Encoding", "DecodeString") and
+      (inp.isParameter(0) and outp.isResult(0))
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+}

ql/src/semmle/go/frameworks/stdlib/EncodingBinary.qll

@@ -0,0 +1,27 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `encoding/binary` package.
+ */
+
+import go
+
+/** Provides models of commonly used functions in the `encoding/binary` package. */
+module EncodingBinary {
+  private class FunctionModels extends TaintTracking::FunctionModel {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    FunctionModels() {
+      // signature: func Read(r io.Reader, order ByteOrder, data interface{}) error
+      hasQualifiedName("encoding/binary", "Read") and
+      (inp.isParameter(0) and outp.isParameter(2))
+      or
+      // signature: func Write(w io.Writer, order ByteOrder, data interface{}) error
+      hasQualifiedName("encoding/binary", "Write") and
+      (inp.isParameter(2) and outp.isParameter(0))
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+}

ql/src/semmle/go/frameworks/stdlib/EncodingCsv.qll

@@ -0,0 +1,54 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `encoding/csv` package.
+ */
+
+import go
+
+/** Provides models of commonly used functions in the `encoding/csv` package. */
+module EncodingCsv {
+  private class FunctionModels extends TaintTracking::FunctionModel {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    FunctionModels() {
+      // signature: func NewReader(r io.Reader) *Reader
+      hasQualifiedName("encoding/csv", "NewReader") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func NewWriter(w io.Writer) *Writer
+      hasQualifiedName("encoding/csv", "NewWriter") and
+      (inp.isResult() and outp.isParameter(0))
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+
+  private class MethodModels extends TaintTracking::FunctionModel, Method {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    MethodModels() {
+      // signature: func (*Reader).Read() (record []string, err error)
+      this.hasQualifiedName("encoding/csv", "Reader", "Read") and
+      (inp.isReceiver() and outp.isResult(0))
+      or
+      // signature: func (*Reader).ReadAll() (records [][]string, err error)
+      this.hasQualifiedName("encoding/csv", "Reader", "ReadAll") and
+      (inp.isReceiver() and outp.isResult(0))
+      or
+      // signature: func (*Writer).Write(record []string) error
+      this.hasQualifiedName("encoding/csv", "Writer", "Write") and
+      (inp.isParameter(0) and outp.isReceiver())
+      or
+      // signature: func (*Writer).WriteAll(records [][]string) error
+      this.hasQualifiedName("encoding/csv", "Writer", "WriteAll") and
+      (inp.isParameter(0) and outp.isReceiver())
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+}