go-restful model: Add support for ReadEntity method

smowton · smowton · commit a813607a767e · 2020-07-28T14:52:10.000+01:00
diff --git a/ql/src/semmle/go/frameworks/HTTP.qll b/ql/src/semmle/go/frameworks/HTTP.qll
@@ -254,4 +254,19 @@ private module GoRestfulHttp {
   private class GoRestfulSource extends UntrustedFlowSource::Range {
     GoRestfulSource() { this = any(GoRestfulSourceMethod g).getACall() }
   }
+
+  /**
+   * A model of go-restful's `Request.ReadEntity` method as a source of user-controlled data.
+   */
+  private class GoRestfulReadEntitySource extends UntrustedFlowSource::Range {
+    GoRestfulReadEntitySource() {
+      exists(DataFlow::MethodCallNode call |
+        call
+            .getTarget()
+            .hasQualifiedName(package("github.com/emicklei/go-restful", ""), "Request", "ReadEntity")
+      |
+        this = any(FunctionOutput output | output.isParameter(0)).getExitNode(call)
+      )
+    }
+  }
 }
diff --git a/ql/test/library-tests/semmle/go/frameworks/HTTP/Gorestful/gorestful.expected b/ql/test/library-tests/semmle/go/frameworks/HTTP/Gorestful/gorestful.expected
@@ -1,12 +1,14 @@
-| gorestful.go:9:15:9:47 | index expression | gorestful.go:9:15:9:44 | call to QueryParameters : slice type | gorestful.go:9:15:9:47 | index expression | This command depends on $@. | gorestful.go:9:15:9:44 | call to QueryParameters | a user-provided value |
-| gorestful.go:10:15:10:43 | call to QueryParameter | gorestful.go:10:15:10:43 | call to QueryParameter | gorestful.go:10:15:10:43 | call to QueryParameter | This command depends on $@. | gorestful.go:10:15:10:43 | call to QueryParameter | a user-provided value |
-| gorestful.go:12:15:12:17 | val | gorestful.go:11:12:11:39 | call to BodyParameter : tuple type | gorestful.go:12:15:12:17 | val | This command depends on $@. | gorestful.go:11:12:11:39 | call to BodyParameter | a user-provided value |
-| gorestful.go:13:15:13:44 | call to HeaderParameter | gorestful.go:13:15:13:44 | call to HeaderParameter | gorestful.go:13:15:13:44 | call to HeaderParameter | This command depends on $@. | gorestful.go:13:15:13:44 | call to HeaderParameter | a user-provided value |
-| gorestful.go:14:15:14:42 | call to PathParameter | gorestful.go:14:15:14:42 | call to PathParameter | gorestful.go:14:15:14:42 | call to PathParameter | This command depends on $@. | gorestful.go:14:15:14:42 | call to PathParameter | a user-provided value |
-| gorestful.go:15:15:15:45 | index expression | gorestful.go:15:15:15:38 | call to PathParameters : map type | gorestful.go:15:15:15:45 | index expression | This command depends on $@. | gorestful.go:15:15:15:38 | call to PathParameters | a user-provided value |
-| gorestful_v2.go:9:15:9:47 | index expression | gorestful_v2.go:9:15:9:44 | call to QueryParameters : slice type | gorestful_v2.go:9:15:9:47 | index expression | This command depends on $@. | gorestful_v2.go:9:15:9:44 | call to QueryParameters | a user-provided value |
-| gorestful_v2.go:10:15:10:43 | call to QueryParameter | gorestful_v2.go:10:15:10:43 | call to QueryParameter | gorestful_v2.go:10:15:10:43 | call to QueryParameter | This command depends on $@. | gorestful_v2.go:10:15:10:43 | call to QueryParameter | a user-provided value |
-| gorestful_v2.go:12:15:12:17 | val | gorestful_v2.go:11:12:11:39 | call to BodyParameter : tuple type | gorestful_v2.go:12:15:12:17 | val | This command depends on $@. | gorestful_v2.go:11:12:11:39 | call to BodyParameter | a user-provided value |
-| gorestful_v2.go:13:15:13:44 | call to HeaderParameter | gorestful_v2.go:13:15:13:44 | call to HeaderParameter | gorestful_v2.go:13:15:13:44 | call to HeaderParameter | This command depends on $@. | gorestful_v2.go:13:15:13:44 | call to HeaderParameter | a user-provided value |
-| gorestful_v2.go:14:15:14:42 | call to PathParameter | gorestful_v2.go:14:15:14:42 | call to PathParameter | gorestful_v2.go:14:15:14:42 | call to PathParameter | This command depends on $@. | gorestful_v2.go:14:15:14:42 | call to PathParameter | a user-provided value |
-| gorestful_v2.go:15:15:15:45 | index expression | gorestful_v2.go:15:15:15:38 | call to PathParameters : map type | gorestful_v2.go:15:15:15:45 | index expression | This command depends on $@. | gorestful_v2.go:15:15:15:38 | call to PathParameters | a user-provided value |
+| gorestful.go:13:15:13:47 | index expression | gorestful.go:13:15:13:44 | call to QueryParameters : slice type | gorestful.go:13:15:13:47 | index expression | This command depends on $@. | gorestful.go:13:15:13:44 | call to QueryParameters | a user-provided value |
+| gorestful.go:14:15:14:43 | call to QueryParameter | gorestful.go:14:15:14:43 | call to QueryParameter | gorestful.go:14:15:14:43 | call to QueryParameter | This command depends on $@. | gorestful.go:14:15:14:43 | call to QueryParameter | a user-provided value |
+| gorestful.go:16:15:16:17 | val | gorestful.go:15:12:15:39 | call to BodyParameter : tuple type | gorestful.go:16:15:16:17 | val | This command depends on $@. | gorestful.go:15:12:15:39 | call to BodyParameter | a user-provided value |
+| gorestful.go:17:15:17:44 | call to HeaderParameter | gorestful.go:17:15:17:44 | call to HeaderParameter | gorestful.go:17:15:17:44 | call to HeaderParameter | This command depends on $@. | gorestful.go:17:15:17:44 | call to HeaderParameter | a user-provided value |
+| gorestful.go:18:15:18:42 | call to PathParameter | gorestful.go:18:15:18:42 | call to PathParameter | gorestful.go:18:15:18:42 | call to PathParameter | This command depends on $@. | gorestful.go:18:15:18:42 | call to PathParameter | a user-provided value |
+| gorestful.go:19:15:19:45 | index expression | gorestful.go:19:15:19:38 | call to PathParameters : map type | gorestful.go:19:15:19:45 | index expression | This command depends on $@. | gorestful.go:19:15:19:38 | call to PathParameters | a user-provided value |
+| gorestful.go:22:15:22:21 | selection of cmd | gorestful.go:21:21:21:24 | &... : pointer type | gorestful.go:22:15:22:21 | selection of cmd | This command depends on $@. | gorestful.go:21:21:21:24 | &... | a user-provided value |
+| gorestful_v2.go:13:15:13:47 | index expression | gorestful_v2.go:13:15:13:44 | call to QueryParameters : slice type | gorestful_v2.go:13:15:13:47 | index expression | This command depends on $@. | gorestful_v2.go:13:15:13:44 | call to QueryParameters | a user-provided value |
+| gorestful_v2.go:14:15:14:43 | call to QueryParameter | gorestful_v2.go:14:15:14:43 | call to QueryParameter | gorestful_v2.go:14:15:14:43 | call to QueryParameter | This command depends on $@. | gorestful_v2.go:14:15:14:43 | call to QueryParameter | a user-provided value |
+| gorestful_v2.go:16:15:16:17 | val | gorestful_v2.go:15:12:15:39 | call to BodyParameter : tuple type | gorestful_v2.go:16:15:16:17 | val | This command depends on $@. | gorestful_v2.go:15:12:15:39 | call to BodyParameter | a user-provided value |
+| gorestful_v2.go:17:15:17:44 | call to HeaderParameter | gorestful_v2.go:17:15:17:44 | call to HeaderParameter | gorestful_v2.go:17:15:17:44 | call to HeaderParameter | This command depends on $@. | gorestful_v2.go:17:15:17:44 | call to HeaderParameter | a user-provided value |
+| gorestful_v2.go:18:15:18:42 | call to PathParameter | gorestful_v2.go:18:15:18:42 | call to PathParameter | gorestful_v2.go:18:15:18:42 | call to PathParameter | This command depends on $@. | gorestful_v2.go:18:15:18:42 | call to PathParameter | a user-provided value |
+| gorestful_v2.go:19:15:19:45 | index expression | gorestful_v2.go:19:15:19:38 | call to PathParameters : map type | gorestful_v2.go:19:15:19:45 | index expression | This command depends on $@. | gorestful_v2.go:19:15:19:38 | call to PathParameters | a user-provided value |
+| gorestful_v2.go:22:15:22:21 | selection of cmd | gorestful_v2.go:21:21:21:24 | &... : pointer type | gorestful_v2.go:22:15:22:21 | selection of cmd | This command depends on $@. | gorestful_v2.go:21:21:21:24 | &... | a user-provided value |
diff --git a/ql/test/library-tests/semmle/go/frameworks/HTTP/Gorestful/gorestful.go b/ql/test/library-tests/semmle/go/frameworks/HTTP/Gorestful/gorestful.go
@@ -5,6 +5,10 @@ import (
 	"os/exec"
 )
 
+type myObject struct {
+	cmd string
+}
+
 func requestHandler(request *restful.Request, response *restful.Response) {
 	exec.Command(request.QueryParameters("xyz")[0]) // BAD
 	exec.Command(request.QueryParameter("xyz"))     // BAD
@@ -13,4 +17,7 @@ func requestHandler(request *restful.Request, response *restful.Response) {
 	exec.Command(request.HeaderParameter("xyz"))  // BAD
 	exec.Command(request.PathParameter("xyz"))    // BAD
 	exec.Command(request.PathParameters()["xyz"]) // BAD
+	obj := myObject{}
+	request.ReadEntity(&obj)
+	exec.Command(obj.cmd) // BAD
 }
diff --git a/ql/test/library-tests/semmle/go/frameworks/HTTP/Gorestful/gorestful_v2.go b/ql/test/library-tests/semmle/go/frameworks/HTTP/Gorestful/gorestful_v2.go
@@ -5,6 +5,10 @@ import (
 	"os/exec"
 )
 
+type myObjectV2 struct {
+	cmd string
+}
+
 func requestHandlerV2(request *restful.Request, response *restful.Response) {
 	exec.Command(request.QueryParameters("xyz")[0]) // BAD
 	exec.Command(request.QueryParameter("xyz"))     // BAD
@@ -13,4 +17,7 @@ func requestHandlerV2(request *restful.Request, response *restful.Response) {
 	exec.Command(request.HeaderParameter("xyz"))  // BAD
 	exec.Command(request.PathParameter("xyz"))    // BAD
 	exec.Command(request.PathParameters()["xyz"]) // BAD
+	obj := myObjectV2{}
+	request.ReadEntity(&obj)
+	exec.Command(obj.cmd) // BAD
 }
