Move and extend Log module for package log with taint-tracking

gagliardetto · gagliardetto · commit bff19d5a379c · 2020-09-22T13:35:55.000+02:00
diff --git a/ql/src/semmle/go/frameworks/Stdlib.qll b/ql/src/semmle/go/frameworks/Stdlib.qll
@@ -37,6 +37,7 @@ import semmle.go.frameworks.stdlib.NetHttp
 import semmle.go.frameworks.stdlib.NetHttpHttputil
 import semmle.go.frameworks.stdlib.NetMail
 import semmle.go.frameworks.stdlib.NetTextproto
+import semmle.go.frameworks.stdlib.Log
 import semmle.go.frameworks.stdlib.Path
 import semmle.go.frameworks.stdlib.PathFilepath
 import semmle.go.frameworks.stdlib.Reflect
@@ -481,31 +482,67 @@ module URL {
   }
 }
 
-/** Provides models of commonly used functions in the `log` package. */
-module Log {
-  private class LogCall extends LoggerCall::Range, DataFlow::CallNode {
-    LogCall() {
-      exists(string fn |
-        fn.matches("Fatal%")
-        or
-        fn.matches("Panic%")
-        or
-        fn.matches("Print%")
-      |
-        this.getTarget().hasQualifiedName("log", fn)
-        or
-        this.getTarget().(Method).hasQualifiedName("log", "Logger", fn)
+/** Provides models of commonly used APIs in the `regexp` package. */
+module Regexp {
+  private class Pattern extends RegexpPattern::Range, DataFlow::ArgumentNode {
+    string fnName;
+
+    Pattern() {
+      exists(Function fn | fnName.matches("Match%") or fnName.matches("%Compile%") |
+        fn.hasQualifiedName("regexp", fnName) and
+        this = fn.getACall().getArgument(0)
       )
     }
 
-    override DataFlow::Node getAMessageComponent() { result = this.getAnArgument() }
+    override DataFlow::Node getAParse() { result = this.getCall() }
+
+    override string getPattern() { result = this.asExpr().getStringValue() }
+
+    override DataFlow::Node getAUse() {
+      fnName.matches("MustCompile%") and
+      result = this.getCall().getASuccessor*()
+      or
+      fnName.matches("Compile%") and
+      result = this.getCall().getResult(0).getASuccessor*()
+      or
+      result = this
+    }
   }
 
-  /** A fatal log function, which calls `os.Exit`. */
-  private class FatalLogFunction extends Function {
-    FatalLogFunction() { exists(string fn | fn.matches("Fatal%") | hasQualifiedName("log", fn)) }
+  private class MatchFunction extends RegexpMatchFunction::Range, Function {
+    MatchFunction() {
+      exists(string fn | fn.matches("Match%") | this.hasQualifiedName("regexp", fn))
+    }
+
+    override FunctionInput getRegexpArg() { result.isParameter(0) }
+
+    override FunctionInput getValue() { result.isParameter(1) }
+
+    override FunctionOutput getResult() { result.isResult(0) }
+  }
+
+  private class MatchMethod extends RegexpMatchFunction::Range, Method {
+    MatchMethod() {
+      exists(string fn | fn.matches("Match%") | this.hasQualifiedName("regexp", "Regexp", fn))
+    }
+
+    override FunctionInput getRegexpArg() { result.isReceiver() }
+
+    override FunctionInput getValue() { result.isParameter(0) }
+
+    override FunctionOutput getResult() { result.isResult() }
+  }
+
+  private class ReplaceFunction extends RegexpReplaceFunction::Range, Method {
+    ReplaceFunction() {
+      exists(string fn | fn.matches("ReplaceAll%") | this.hasQualifiedName("regexp", "Regexp", fn))
+    }
+
+    override FunctionInput getRegexpArg() { result.isReceiver() }
+
+    override FunctionInput getSource() { result.isParameter(0) }
 
-    override predicate mayReturnNormally() { none() }
+    override FunctionOutput getResult() { result.isResult() }
   }
 }
 
diff --git a/ql/src/semmle/go/frameworks/stdlib/Log.qll b/ql/src/semmle/go/frameworks/stdlib/Log.qll
@@ -0,0 +1,107 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `log` package.
+ */
+
+import go
+
+/** Provides models of commonly used functions in the `log` package. */
+module Log {
+  private class LogCall extends LoggerCall::Range, DataFlow::CallNode {
+    LogCall() {
+      exists(string fn |
+        fn.matches("Fatal%")
+        or
+        fn.matches("Panic%")
+        or
+        fn.matches("Print%")
+      |
+        this.getTarget().hasQualifiedName("log", fn)
+        or
+        this.getTarget().(Method).hasQualifiedName("log", "Logger", fn)
+      )
+    }
+
+    override DataFlow::Node getAMessageComponent() { result = this.getAnArgument() }
+  }
+
+  /** A fatal log function, which calls `os.Exit`. */
+  private class FatalLogFunction extends Function {
+    FatalLogFunction() { exists(string fn | fn.matches("Fatal%") | hasQualifiedName("log", fn)) }
+
+    override predicate mayReturnNormally() { none() }
+  }
+
+  private class FunctionModels extends TaintTracking::FunctionModel {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    FunctionModels() {
+      // signature: func New(out io.Writer, prefix string, flag int) *Logger
+      hasQualifiedName("log", "New") and
+      (inp.isResult() and outp.isParameter(0))
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+
+  private class MethodModels extends TaintTracking::FunctionModel, Method {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    MethodModels() {
+      // signature: func (*Logger).Fatal(v ...interface{})
+      this.hasQualifiedName("log", "Logger", "Fatal") and
+      (inp.isParameter(_) and outp.isReceiver())
+      or
+      // signature: func (*Logger).Fatalf(format string, v ...interface{})
+      this.hasQualifiedName("log", "Logger", "Fatalf") and
+      (inp.isParameter(_) and outp.isReceiver())
+      or
+      // signature: func (*Logger).Fatalln(v ...interface{})
+      this.hasQualifiedName("log", "Logger", "Fatalln") and
+      (inp.isParameter(_) and outp.isReceiver())
+      or
+      // signature: func (*Logger).Panic(v ...interface{})
+      this.hasQualifiedName("log", "Logger", "Panic") and
+      (inp.isParameter(_) and outp.isReceiver())
+      or
+      // signature: func (*Logger).Panicf(format string, v ...interface{})
+      this.hasQualifiedName("log", "Logger", "Panicf") and
+      (inp.isParameter(_) and outp.isReceiver())
+      or
+      // signature: func (*Logger).Panicln(v ...interface{})
+      this.hasQualifiedName("log", "Logger", "Panicln") and
+      (inp.isParameter(_) and outp.isReceiver())
+      or
+      // signature: func (*Logger).Print(v ...interface{})
+      this.hasQualifiedName("log", "Logger", "Print") and
+      (inp.isParameter(_) and outp.isReceiver())
+      or
+      // signature: func (*Logger).Printf(format string, v ...interface{})
+      this.hasQualifiedName("log", "Logger", "Printf") and
+      (inp.isParameter(_) and outp.isReceiver())
+      or
+      // signature: func (*Logger).Println(v ...interface{})
+      this.hasQualifiedName("log", "Logger", "Println") and
+      (inp.isParameter(_) and outp.isReceiver())
+      or
+      // signature: func (*Logger).SetOutput(w io.Writer)
+      this.hasQualifiedName("log", "Logger", "SetOutput") and
+      (inp.isReceiver() and outp.isParameter(0))
+      or
+      // signature: func (*Logger).SetPrefix(prefix string)
+      this.hasQualifiedName("log", "Logger", "SetPrefix") and
+      (inp.isParameter(0) and outp.isReceiver())
+      or
+      // signature: func (*Logger).Writer() io.Writer
+      this.hasQualifiedName("log", "Logger", "Writer") and
+      (inp.isResult() and outp.isReceiver())
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+}
diff --git a/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Log.go b/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Log.go
