Commit fa04d5a
Add taint-tracking for package net
1 parent fee596a commit fa04d5a
3 files changed

+1052
-0
lines changed
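--- a/ql/src/semmle/go/frameworks/Stdlib.qll
+++ b/ql/src/semmle/go/frameworks/Stdlib.qll
@@ -29,6 +29,7 @@ import semmle.go.frameworks.stdlib.EncodingPem
 import semmle.go.frameworks.stdlib.EncodingXml
 import semmle.go.frameworks.stdlib.Html
 import semmle.go.frameworks.stdlib.HtmlTemplate
+import semmle.go.frameworks.stdlib.Net
 import semmle.go.frameworks.stdlib.Path
 import semmle.go.frameworks.stdlib.PathFilepath
 import semmle.go.frameworks.stdlib.Reflect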
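--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,258 @@
+/**
+* Provides classes modeling security-relevant aspects of the `net` package.
+*/
+
+import go
+
+/** Provides models of commonly used functions in the `net` package. */
+module Net {
+private class FunctionModels extends TaintTracking::FunctionModel {
+FunctionInput inp;
+FunctionOutput outp;
+
+FunctionModels() {
+// signature: func FileConn(f *os.File) (c Conn, err error)
+hasQualifiedName("net", "FileConn") and
+(
+inp.isParameter(0) and outp.isResult(0)
+or
+inp.isResult(0) and outp.isParameter(0)
+)
+or
+// signature: func FilePacketConn(f *os.File) (c PacketConn, err error)
+hasQualifiedName("net", "FilePacketConn") and
+(
+inp.isParameter(0) and outp.isResult(0)
+or
+inp.isResult(0) and outp.isParameter(0)
+)
+or
+// signature: func JoinHostPort(host string, port string) string
+hasQualifiedName("net", "JoinHostPort") and
+(inp.isParameter(_) and outp.isResult())
+or
+// signature: func ParseCIDR(s string) (IP, *IPNet, error)
+hasQualifiedName("net", "ParseCIDR") and
+(inp.isParameter(0) and outp.isResult([0, 1]))
+or
+// signature: func ParseIP(s string) IP
+hasQualifiedName("net", "ParseIP") and
+(inp.isParameter(0) and outp.isResult())
+or
+// signature: func ParseMAC(s string) (hw HardwareAddr, err error)
+hasQualifiedName("net", "ParseMAC") and
+(inp.isParameter(0) and outp.isResult(0))
+or
+// signature: func Pipe() (Conn, Conn)
+hasQualifiedName("net", "Pipe") and
+(
+inp.isResult(0) and outp.isResult(1)
+or
+inp.isResult(1) and outp.isResult(0)
+)
+or
+// signature: func SplitHostPort(hostport string) (host string, port string, err error)
+hasQualifiedName("net", "SplitHostPort") and
+(inp.isParameter(0) and outp.isResult([0, 1]))
+}
+
+override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+input = inp and output = outp
+}
+}
+
+private class MethodModels extends TaintTracking::FunctionModel, Method {
+FunctionInput inp;
+FunctionOutput outp;
+
+MethodModels() {
+// signature: func (*Buffers).Read(p []byte) (n int, err error)
+this.hasQualifiedName("net", "Buffers", "Read") and
+(inp.isReceiver() and outp.isParameter(0))
+or
+// signature: func (*Buffers).WriteTo(w io.Writer) (n int64, err error)
+this.hasQualifiedName("net", "Buffers", "WriteTo") and
+(inp.isReceiver() and outp.isParameter(0))
+or
+// signature: func (IP).MarshalText() ([]byte, error)
+this.hasQualifiedName("net", "IP", "MarshalText") and
+(inp.isReceiver() and outp.isResult(0))
+or
+// signature: func (IP).To16() IP
+this.hasQualifiedName("net", "IP", "To16") and
+(inp.isReceiver() and outp.isResult())
+or
+// signature: func (IP).To4() IP
+this.hasQualifiedName("net", "IP", "To4") and
+(inp.isReceiver() and outp.isResult())
+or
+// signature: func (*IP).UnmarshalText(text []byte) error
+this.hasQualifiedName("net", "IP", "UnmarshalText") and
+(inp.isParameter(0) and outp.isReceiver())
+or
+// signature: func (*IPConn).ReadFrom(b []byte) (int, Addr, error)
+this.hasQualifiedName("net", "IPConn", "ReadFrom") and
+(inp.isReceiver() and outp.isParameter(0))
+or
+// signature: func (*IPConn).ReadFromIP(b []byte) (int, *IPAddr, error)
+this.hasQualifiedName("net", "IPConn", "ReadFromIP") and
+(inp.isReceiver() and outp.isParameter(0))
+or
+// signature: func (*IPConn).ReadMsgIP(b []byte, oob []byte) (n int, oobn int, flags int, addr *IPAddr, err error)
+this.hasQualifiedName("net", "IPConn", "ReadMsgIP") and
+(inp.isReceiver() and outp.isParameter(_))
+or
+// signature: func (*IPConn).SyscallConn() (syscall.RawConn, error)
+this.hasQualifiedName("net", "IPConn", "SyscallConn") and
+(
+inp.isReceiver() and outp.isResult(0)
+or
+inp.isResult(0) and outp.isReceiver()
+)
+or
+// signature: func (*IPConn).WriteMsgIP(b []byte, oob []byte, addr *IPAddr) (n int, oobn int, err error)
+this.hasQualifiedName("net", "IPConn", "WriteMsgIP") and
+(inp.isParameter([0, 1]) and outp.isReceiver())
+or
+// signature: func (*IPConn).WriteTo(b []byte, addr Addr) (int, error)
+this.hasQualifiedName("net", "IPConn", "WriteTo") and
+(inp.isParameter(0) and outp.isReceiver())
+or
+// signature: func (*IPConn).WriteToIP(b []byte, addr *IPAddr) (int, error)
+this.hasQualifiedName("net", "IPConn", "WriteToIP") and
+(inp.isParameter(0) and outp.isReceiver())
+or
+// signature: func (*TCPConn).ReadFrom(r io.Reader) (int64, error)
+this.hasQualifiedName("net", "TCPConn", "ReadFrom") and
+(inp.isParameter(0) and outp.isReceiver())
+or
+// signature: func (*TCPConn).SyscallConn() (syscall.RawConn, error)
+this.hasQualifiedName("net", "TCPConn", "SyscallConn") and
+(
+inp.isReceiver() and outp.isResult(0)
+or
+inp.isResult(0) and outp.isReceiver()
+)
+or
+// signature: func (*TCPListener).File() (f *os.File, err error)
+this.hasQualifiedName("net", "TCPListener", "File") and
+(
+inp.isReceiver() and outp.isResult(0)
+or
+inp.isResult(0) and outp.isReceiver()
+)
+or
+// signature: func (*TCPListener).SyscallConn() (syscall.RawConn, error)
+this.hasQualifiedName("net", "TCPListener", "SyscallConn") and
+(
+inp.isReceiver() and outp.isResult(0)
+or
+inp.isResult(0) and outp.isReceiver()
+)
+or
+// signature: func (*UDPConn).ReadFrom(b []byte) (int, Addr, error)
+this.hasQualifiedName("net", "UDPConn", "ReadFrom") and
+(inp.isReceiver() and outp.isParameter(0))
+or
+// signature: func (*UDPConn).ReadFromUDP(b []byte) (int, *UDPAddr, error)
+this.hasQualifiedName("net", "UDPConn", "ReadFromUDP") and
+(inp.isReceiver() and outp.isParameter(0))
+or
+// signature: func (*UDPConn).ReadMsgUDP(b []byte, oob []byte) (n int, oobn int, flags int, addr *UDPAddr, err error)
+this.hasQualifiedName("net", "UDPConn", "ReadMsgUDP") and
+(inp.isReceiver() and outp.isParameter(_))
+or
+// signature: func (*UDPConn).SyscallConn() (syscall.RawConn, error)
+this.hasQualifiedName("net", "UDPConn", "SyscallConn") and
+(
+inp.isReceiver() and outp.isResult(0)
+or
+inp.isResult(0) and outp.isReceiver()
+)
+or
+// signature: func (*UDPConn).WriteMsgUDP(b []byte, oob []byte, addr *UDPAddr) (n int, oobn int, err error)
+this.hasQualifiedName("net", "UDPConn", "WriteMsgUDP") and
+(inp.isParameter([0, 1]) and outp.isReceiver())
+or
+// signature: func (*UDPConn).WriteTo(b []byte, addr Addr) (int, error)
+this.hasQualifiedName("net", "UDPConn", "WriteTo") and
+(inp.isParameter(0) and outp.isReceiver())
+or
+// signature: func (*UDPConn).WriteToUDP(b []byte, addr *UDPAddr) (int, error)
+this.hasQualifiedName("net", "UDPConn", "WriteToUDP") and
+(inp.isParameter(0) and outp.isReceiver())
+or
+// signature: func (*UnixConn).ReadFrom(b []byte) (int, Addr, error)
+this.hasQualifiedName("net", "UnixConn", "ReadFrom") and
+(inp.isReceiver() and outp.isParameter(0))
+or
+// signature: func (*UnixConn).ReadFromUnix(b []byte) (int, *UnixAddr, error)
+this.hasQualifiedName("net", "UnixConn", "ReadFromUnix") and
+(inp.isReceiver() and outp.isParameter(0))
+or
+// signature: func (*UnixConn).ReadMsgUnix(b []byte, oob []byte) (n int, oobn int, flags int, addr *UnixAddr, err error)
+this.hasQualifiedName("net", "UnixConn", "ReadMsgUnix") and
+(inp.isReceiver() and outp.isParameter(_))
+or
+// signature: func (*UnixConn).SyscallConn() (syscall.RawConn, error)
+this.hasQualifiedName("net", "UnixConn", "SyscallConn") and
+(
+inp.isReceiver() and outp.isResult(0)
+or
+inp.isResult(0) and outp.isReceiver()
+)
+or
+// signature: func (*UnixConn).WriteMsgUnix(b []byte, oob []byte, addr *UnixAddr) (n int, oobn int, err error)
+this.hasQualifiedName("net", "UnixConn", "WriteMsgUnix") and
+(inp.isParameter([0, 1]) and outp.isReceiver())
+or
+// signature: func (*UnixConn).WriteTo(b []byte, addr Addr) (int, error)
+this.hasQualifiedName("net", "UnixConn", "WriteTo") and
+(inp.isParameter(0) and outp.isReceiver())
+or
+// signature: func (*UnixConn).WriteToUnix(b []byte, addr *UnixAddr) (int, error)
+this.hasQualifiedName("net", "UnixConn", "WriteToUnix") and
+(inp.isParameter(0) and outp.isReceiver())
+or
+// signature: func (*UnixListener).File() (f *os.File, err error)
+this.hasQualifiedName("net", "UnixListener", "File") and
+(
+inp.isReceiver() and outp.isResult(0)
+or
+inp.isResult(0) and outp.isReceiver()
+)
+or
+// signature: func (*UnixListener).SyscallConn() (syscall.RawConn, error)
+this.hasQualifiedName("net", "UnixListener", "SyscallConn") and
+(
+inp.isReceiver() and outp.isResult(0)
+or
+inp.isResult(0) and outp.isReceiver()
+)
+or
+// signature: func (Conn).Read(b []byte) (n int, err error)
+this.implements("net", "Conn", "Read") and
+(inp.isReceiver() and outp.isParameter(0))
+or
+// signature: func (PacketConn).ReadFrom(p []byte) (n int, addr Addr, err error)
+this.implements("net", "PacketConn", "ReadFrom") and
+(inp.isReceiver() and outp.isParameter(0))
+or
+// signature: func (Addr).String() string
+this.implements("net", "Addr", "String") and
+(inp.isReceiver() and outp.isResult())
+or
+// signature: func (Conn).Write(b []byte) (n int, err error)
+this.implements("net", "Conn", "Write") and
+(inp.isParameter(0) and outp.isReceiver())
+or
+// signature: func (PacketConn).WriteTo(p []byte, addr Addr) (n int, err error)
+this.implements("net", "PacketConn", "WriteTo") and
+(inp.isParameter(0) and outp.isReceiver())
+}
+
+override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+input = inp and output = outp
+}
+}
+}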
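Review bot: The receive-side models in `MethodModels` (`IPConn.ReadFrom`/`ReadFromIP`/`ReadMsgIP`, the `UDPConn` and `UnixConn` counterparts, and `PacketConn.ReadFrom` via `implements`) propagate taint from the receiver only into the byte-slice parameters, while the peer address returned as result 1 (`Addr`, `*IPAddr`, `*UDPAddr`, `*UnixAddr`) or as result 3 of the `ReadMsg*` methods gets no flow even though, per the quoted signatures, it arrives from the same peer as the payload. If the receiver is the tainted carrier here, code that logs, re-dials or otherwise acts on that address would not be reached by taint; whether that is intended depends on how the existing queries treat remote addresses, so please confirm. If it should flow, the change is small, e.g. for `ReadFrom` `(inp.isReceiver() and (outp.isParameter(0) or outp.isResult(1)))` and for `ReadMsgIP` `(inp.isReceiver() and (outp.isParameter(_) or outp.isResult(3)))`. As a point of style, `FunctionModels` calls `hasQualifiedName(...)` bare while `MethodModels` writes `this.hasQualifiedName(...)`; using one form in both classes would read more consistently.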