Merge pull request #320 from gagliardetto/standard-lib-pt-24

Add taint-tracking for packages inside `text/*`

Author: max-schaefer

ql/src/semmle/go/frameworks/Stdlib.qll

@@ -15,6 +15,9 @@ import semmle.go.frameworks.stdlib.CompressZlib
 import semmle.go.frameworks.stdlib.Path
 import semmle.go.frameworks.stdlib.PathFilepath
 import semmle.go.frameworks.stdlib.Reflect
+import semmle.go.frameworks.stdlib.TextScanner
+import semmle.go.frameworks.stdlib.TextTabwriter
+import semmle.go.frameworks.stdlib.TextTemplate
 
 /** A `String()` method. */
 class StringMethod extends TaintTracking::FunctionModel, Method {
@@ -576,48 +579,6 @@ module Strings {
   }
 }
 
-/** Provides models of commonly used functions in the `text/template` package. */
-module Template {
-  private class TemplateEscape extends EscapeFunction::Range {
-    string kind;
-
-    TemplateEscape() {
-      exists(string fn |
-        fn.matches("HTMLEscape%") and kind = "html"
-        or
-        fn.matches("JSEscape%") and kind = "js"
-        or
-        fn.matches("URLQueryEscape%") and kind = "url"
-      |
-        this.hasQualifiedName("text/template", fn)
-        or
-        this.hasQualifiedName("html/template", fn)
-      )
-    }
-
-    override string kind() { result = kind }
-  }
-
-  private class TextTemplateInstantiation extends TemplateInstantiation::Range,
-    DataFlow::MethodCallNode {
-    int dataArg;
-
-    TextTemplateInstantiation() {
-      exists(string m | getTarget().hasQualifiedName("text/template", "Template", m) |
-        m = "Execute" and
-        dataArg = 1
-        or
-        m = "ExecuteTemplate" and
-        dataArg = 2
-      )
-    }
-
-    override DataFlow::Node getTemplateArgument() { result = this.getReceiver() }
-
-    override DataFlow::Node getADataArgument() { result = this.getArgument(dataArg) }
-  }
-}
-
 /** Provides models of commonly used functions in the `net/url` package. */
 module URL {
   /** The `PathEscape` or `QueryEscape` function. */

ql/src/semmle/go/frameworks/stdlib/TextScanner.qll

@@ -0,0 +1,30 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `text/scanner` package.
+ */
+
+import go
+
+/** Provides models of commonly used functions in the `text/scanner` package. */
+module TextScanner {
+  private class MethodModels extends TaintTracking::FunctionModel, Method {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    MethodModels() {
+      // signature: func (*Scanner).Init(src io.Reader) *Scanner
+      this.hasQualifiedName("text/scanner", "Scanner", "Init") and
+      (
+        inp.isParameter(0) and
+        (outp.isReceiver() or outp.isResult())
+      )
+      or
+      // signature: func (*Scanner).TokenText() string
+      this.hasQualifiedName("text/scanner", "Scanner", "TokenText") and
+      (inp.isReceiver() and outp.isResult())
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+}

ql/src/semmle/go/frameworks/stdlib/TextTabwriter.qll

@@ -0,0 +1,45 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `text/tabwriter` package.
+ */
+
+import go
+
+/** Provides models of commonly used functions in the `text/tabwriter` package. */
+module TextTabwriter {
+  private class FunctionModels extends TaintTracking::FunctionModel {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    FunctionModels() {
+      // signature: func NewWriter(output io.Writer, minwidth int, tabwidth int, padding int, padchar byte, flags uint) *Writer
+      hasQualifiedName("text/tabwriter", "NewWriter") and
+      (inp.isResult() and outp.isParameter(0))
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+
+  private class MethodModels extends TaintTracking::FunctionModel, Method {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    MethodModels() {
+      // signature: func (*Writer).Init(output io.Writer, minwidth int, tabwidth int, padding int, padchar byte, flags uint) *Writer
+      this.hasQualifiedName("text/tabwriter", "Writer", "Init") and
+      (
+        (inp.isReceiver() or inp.isResult()) and
+        outp.isParameter(0)
+      )
+      or
+      // signature: func (*Writer).Write(buf []byte) (n int, err error)
+      this.hasQualifiedName("text/tabwriter", "Writer", "Write") and
+      (inp.isParameter(0) and outp.isReceiver())
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+}

ql/src/semmle/go/frameworks/stdlib/TextTemplate.qll

@@ -0,0 +1,105 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `text/template` package.
+ */
+
+import go
+
+/** Provides models of commonly used functions in the `text/template` package. */
+module TextTemplate {
+  private class TemplateEscape extends EscapeFunction::Range {
+    string kind;
+
+    TemplateEscape() {
+      exists(string fn |
+        fn.matches("HTMLEscape%") and kind = "html"
+        or
+        fn.matches("JSEscape%") and kind = "js"
+        or
+        fn.matches("URLQueryEscape%") and kind = "url"
+      |
+        this.hasQualifiedName("text/template", fn)
+        or
+        this.hasQualifiedName("html/template", fn)
+      )
+    }
+
+    override string kind() { result = kind }
+  }
+
+  private class TextTemplateInstantiation extends TemplateInstantiation::Range,
+    DataFlow::MethodCallNode {
+    int dataArg;
+
+    TextTemplateInstantiation() {
+      exists(string m | getTarget().hasQualifiedName("text/template", "Template", m) |
+        m = "Execute" and
+        dataArg = 1
+        or
+        m = "ExecuteTemplate" and
+        dataArg = 2
+      )
+    }
+
+    override DataFlow::Node getTemplateArgument() { result = this.getReceiver() }
+
+    override DataFlow::Node getADataArgument() { result = this.getArgument(dataArg) }
+  }
+
+  private class FunctionModels extends TaintTracking::FunctionModel {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    FunctionModels() {
+      // signature: func HTMLEscape(w io.Writer, b []byte)
+      hasQualifiedName("text/template", "HTMLEscape") and
+      (inp.isParameter(1) and outp.isParameter(0))
+      or
+      // signature: func HTMLEscapeString(s string) string
+      hasQualifiedName("text/template", "HTMLEscapeString") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func HTMLEscaper(args ...interface{}) string
+      hasQualifiedName("text/template", "HTMLEscaper") and
+      (inp.isParameter(_) and outp.isResult())
+      or
+      // signature: func JSEscape(w io.Writer, b []byte)
+      hasQualifiedName("text/template", "JSEscape") and
+      (inp.isParameter(1) and outp.isParameter(0))
+      or
+      // signature: func JSEscapeString(s string) string
+      hasQualifiedName("text/template", "JSEscapeString") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func JSEscaper(args ...interface{}) string
+      hasQualifiedName("text/template", "JSEscaper") and
+      (inp.isParameter(_) and outp.isResult())
+      or
+      // signature: func URLQueryEscaper(args ...interface{}) string
+      hasQualifiedName("text/template", "URLQueryEscaper") and
+      (inp.isParameter(_) and outp.isResult())
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+
+  private class MethodModels extends TaintTracking::FunctionModel, Method {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    MethodModels() {
+      // signature: func (*Template).Execute(wr io.Writer, data interface{}) error
+      this.hasQualifiedName("text/template", "Template", "Execute") and
+      (inp.isParameter(1) and outp.isParameter(0))
+      or
+      // signature: func (*Template).ExecuteTemplate(wr io.Writer, name string, data interface{}) error
+      this.hasQualifiedName("text/template", "Template", "ExecuteTemplate") and
+      (inp.isParameter(2) and outp.isParameter(0))
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+}