Merge pull request #251 from gagliardetto/standard-lib-pt-1

Add taint-tracking for archive/tar and archive/zip

Author: max-schaefer

ql/src/semmle/go/frameworks/Stdlib.qll

@@ -3,6 +3,8 @@
  */
 
 import go
+import semmle.go.frameworks.stdlib.ArchiveTar
+import semmle.go.frameworks.stdlib.ArchiveZip
 
 /** A `String()` method. */
 class StringMethod extends TaintTracking::FunctionModel, Method {

ql/src/semmle/go/frameworks/stdlib/ArchiveTar.qll

@@ -0,0 +1,63 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `archive/tar` package.
+ */
+
+import go
+
+/** Provides models of commonly used functions in the `archive/tar` package. */
+module ArchiveTar {
+  private class FunctionModels extends TaintTracking::FunctionModel {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    FunctionModels() {
+      // signature: func FileInfoHeader(fi os.FileInfo, link string) (*Header, error)
+      hasQualifiedName("archive/tar", "FileInfoHeader") and
+      (inp.isParameter(0) and outp.isResult(0))
+      or
+      // signature: func NewReader(r io.Reader) *Reader
+      hasQualifiedName("archive/tar", "NewReader") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func NewWriter(w io.Writer) *Writer
+      hasQualifiedName("archive/tar", "NewWriter") and
+      (inp.isResult() and outp.isParameter(0))
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+
+  private class MethodModels extends TaintTracking::FunctionModel, Method {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    MethodModels() {
+      // Methods:
+      // signature: func (*Header).FileInfo() os.FileInfo
+      this.(Method).hasQualifiedName("archive/tar", "Header", "FileInfo") and
+      (inp.isReceiver() and outp.isResult())
+      or
+      // signature: func (*Reader).Next() (*Header, error)
+      this.(Method).hasQualifiedName("archive/tar", "Reader", "Next") and
+      (inp.isReceiver() and outp.isResult(0))
+      or
+      // signature: func (*Reader).Read(b []byte) (int, error)
+      this.(Method).hasQualifiedName("archive/tar", "Reader", "Read") and
+      (inp.isReceiver() and outp.isParameter(0))
+      or
+      // signature: func (*Writer).Write(b []byte) (int, error)
+      this.(Method).hasQualifiedName("archive/tar", "Writer", "Write") and
+      (inp.isParameter(0) and outp.isReceiver())
+      or
+      // signature: func (*Writer).WriteHeader(hdr *Header) error
+      this.(Method).hasQualifiedName("archive/tar", "Writer", "WriteHeader") and
+      (inp.isParameter(0) and outp.isReceiver())
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+}

ql/src/semmle/go/frameworks/stdlib/ArchiveZip.qll

@@ -0,0 +1,59 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `archive/zip` package.
+ */
+
+import go
+
+/** Provides models of commonly used functions in the `archive/zip` package. */
+module ArchiveZip {
+  private class FunctionModels extends TaintTracking::FunctionModel {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    FunctionModels() {
+      // signature: func FileInfoHeader(fi os.FileInfo) (*FileHeader, error)
+      hasQualifiedName("archive/zip", "FileInfoHeader") and
+      (inp.isParameter(0) and outp.isResult(0))
+      or
+      // signature: func NewReader(r io.ReaderAt, size int64) (*Reader, error)
+      hasQualifiedName("archive/zip", "NewReader") and
+      (inp.isParameter(0) and outp.isResult(0))
+      or
+      // signature: func NewWriter(w io.Writer) *Writer
+      hasQualifiedName("archive/zip", "NewWriter") and
+      (inp.isResult() and outp.isParameter(0))
+      or
+      // signature: func OpenReader(name string) (*ReadCloser, error)
+      hasQualifiedName("archive/zip", "OpenReader") and
+      (inp.isParameter(0) and outp.isResult(0))
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+
+  private class MethodModels extends TaintTracking::FunctionModel, Method {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    MethodModels() {
+      // Methods:
+      // signature: func (*File).Open() (io.ReadCloser, error)
+      this.(Method).hasQualifiedName("archive/zip", "File", "Open") and
+      (inp.isReceiver() and outp.isResult(0))
+      or
+      // signature: func (*Writer).Create(name string) (io.Writer, error)
+      this.(Method).hasQualifiedName("archive/zip", "Writer", "Create") and
+      (inp.isResult(0) and outp.isReceiver())
+      or
+      // signature: func (*Writer).CreateHeader(fh *FileHeader) (io.Writer, error)
+      this.(Method).hasQualifiedName("archive/zip", "Writer", "CreateHeader") and
+      (inp.isResult(0) and outp.isReceiver())
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+}

ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/ArchiveTar.go

@@ -0,0 +1,56 @@
+/**
+ * @kind problem
+ */
+
+import go
+
+/* A special helper function used inside the test code */
+class Link extends TaintTracking::FunctionModel {
+  Link() { hasQualifiedName(_, "link") }
+
+  override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) {
+    inp.isParameter(0) and outp.isParameter(1)
+  }
+}
+
+predicate isSource(DataFlow::Node source, DataFlow::CallNode call) {
+  exists(Function fn | fn.hasQualifiedName(_, "newSource") |
+    call = fn.getACall() and source = call.getResult()
+  )
+}
+
+predicate isSink(DataFlow::Node sink, DataFlow::CallNode call) {
+  exists(Function fn | fn.hasQualifiedName(_, "sink") |
+    call = fn.getACall() and sink = call.getArgument(1)
+  )
+}
+
+class FlowConf extends TaintTracking::Configuration {
+  FlowConf() { this = "FlowConf" }
+
+  override predicate isSource(DataFlow::Node source) { isSource(source, _) }
+
+  override predicate isSink(DataFlow::Node sink) { isSink(sink, _) }
+}
+
+/**
+ * True if the result of the provided sourceCall flows to the corresponding sink,
+ * both marked by the same numeric first argument.
+ */
+predicate flowsToSink(DataFlow::CallNode sourceCall) {
+  exists(
+    FlowConf cfg, DataFlow::PathNode source, DataFlow::PathNode sink, DataFlow::CallNode sinkCall
+  |
+    cfg.hasFlowPath(source, sink) and
+    (
+      isSource(source.getNode(), sourceCall) and
+      isSink(sink.getNode(), sinkCall) and
+      sourceCall.getArgument(0).getIntValue() = sinkCall.getArgument(0).getIntValue()
+    )
+  )
+}
+
+/* Show only flow sources that DON'T flow to their dedicated sink. */
+from DataFlow::CallNode sourceCall
+where isSource(_, sourceCall) and not flowsToSink(sourceCall)
+select sourceCall, "No flow to its sink"