Merge pull request #343 from smowton/smowton/feature/chi-models

Add models for the Chi web framework

Author: smowton

change-notes/2020-09-15-chi.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added support for the Chi web framework

ql/src/go.qll

@@ -26,6 +26,7 @@ import semmle.go.dataflow.DataFlow
 import semmle.go.dataflow.GlobalValueNumbering
 import semmle.go.dataflow.SSA
 import semmle.go.dataflow.TaintTracking
+import semmle.go.frameworks.Chi
 import semmle.go.frameworks.Email
 import semmle.go.frameworks.Encoding
 import semmle.go.frameworks.Gin

ql/src/semmle/go/frameworks/Chi.qll

@@ -0,0 +1,26 @@
+/**
+ * Provides classes for working with untrusted flow sources from the `github.com/go-chi/chi` package.
+ */
+
+import go
+
+private module Chi {
+  /**
+   * Functions that extract URL parameters, considered as a source of untrusted flow.
+   */
+  private class UserControlledFunction extends UntrustedFlowSource::Range, DataFlow::CallNode {
+    UserControlledFunction() {
+      this.getTarget().hasQualifiedName("github.com/go-chi/chi", ["URLParam", "URLParamFromCtx"])
+    }
+  }
+
+  /**
+   * Methods that extract URL parameters, considered as a source of untrusted flow.
+   */
+  private class UserControlledRequestMethod extends UntrustedFlowSource::Range,
+    DataFlow::MethodCallNode {
+    UserControlledRequestMethod() {
+      this.getTarget().hasQualifiedName("github.com/go-chi/chi", "Context", "URLParam")
+    }
+  }
+}

ql/test/library-tests/semmle/go/frameworks/Chi/LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2015-present Peter Kieltyka (https://github.com/pkieltyka), Google Inc.
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

ql/test/library-tests/semmle/go/frameworks/Chi/ReflectedXss.expected

@@ -0,0 +1,29 @@
+edges
+| test.go:13:12:13:16 | implicit dereference : URL | test.go:13:12:13:16 | implicit dereference : URL |
+| test.go:13:12:13:16 | implicit dereference : URL | test.go:13:12:13:16 | selection of URL : pointer type |
+| test.go:13:12:13:16 | implicit dereference : URL | test.go:13:12:13:21 | selection of Path : string |
+| test.go:13:12:13:16 | selection of URL : pointer type | test.go:13:12:13:16 | implicit dereference : URL |
+| test.go:13:12:13:16 | selection of URL : pointer type | test.go:13:12:13:16 | selection of URL : pointer type |
+| test.go:13:12:13:16 | selection of URL : pointer type | test.go:13:12:13:21 | selection of Path : string |
+| test.go:13:12:13:21 | selection of Path : string | test.go:21:18:21:23 | hidden : string |
+| test.go:21:18:21:23 | hidden : string | test.go:21:11:21:24 | type conversion |
+| test.go:22:18:22:45 | call to URLParam : string | test.go:22:11:22:46 | type conversion |
+| test.go:23:18:23:60 | call to URLParamFromCtx : string | test.go:23:11:23:61 | type conversion |
+| test.go:24:18:24:71 | call to URLParam : string | test.go:24:11:24:72 | type conversion |
+nodes
+| test.go:13:12:13:16 | implicit dereference : URL | semmle.label | implicit dereference : URL |
+| test.go:13:12:13:16 | selection of URL : pointer type | semmle.label | selection of URL : pointer type |
+| test.go:13:12:13:21 | selection of Path : string | semmle.label | selection of Path : string |
+| test.go:21:11:21:24 | type conversion | semmle.label | type conversion |
+| test.go:21:18:21:23 | hidden : string | semmle.label | hidden : string |
+| test.go:22:11:22:46 | type conversion | semmle.label | type conversion |
+| test.go:22:18:22:45 | call to URLParam : string | semmle.label | call to URLParam : string |
+| test.go:23:11:23:61 | type conversion | semmle.label | type conversion |
+| test.go:23:18:23:60 | call to URLParamFromCtx : string | semmle.label | call to URLParamFromCtx : string |
+| test.go:24:11:24:72 | type conversion | semmle.label | type conversion |
+| test.go:24:18:24:71 | call to URLParam : string | semmle.label | call to URLParam : string |
+#select
+| test.go:21:11:21:24 | type conversion | test.go:13:12:13:16 | selection of URL : pointer type | test.go:21:11:21:24 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:13:12:13:16 | selection of URL | user-provided value |
+| test.go:22:11:22:46 | type conversion | test.go:22:18:22:45 | call to URLParam : string | test.go:22:11:22:46 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:22:18:22:45 | call to URLParam | user-provided value |
+| test.go:23:11:23:61 | type conversion | test.go:23:18:23:60 | call to URLParamFromCtx : string | test.go:23:11:23:61 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:23:18:23:60 | call to URLParamFromCtx | user-provided value |
+| test.go:24:11:24:72 | type conversion | test.go:24:18:24:71 | call to URLParam : string | test.go:24:11:24:72 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:24:18:24:71 | call to URLParam | user-provided value |

ql/test/library-tests/semmle/go/frameworks/Chi/ReflectedXss.qlref

@@ -0,0 +1 @@
+Security/CWE-079/ReflectedXss.ql

ql/test/library-tests/semmle/go/frameworks/Chi/go.mod

@@ -0,0 +1,7 @@
+go 1.14
+
+module test
+
+require (
+	github.com/go-chi/chi v4.1.2+incompatible
+)

ql/test/library-tests/semmle/go/frameworks/Chi/test.go

@@ -0,0 +1,27 @@
+package main
+
+import (
+	"net/http"
+
+	"github.com/go-chi/chi"
+)
+
+var hidden string
+
+func hideUserData(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		hidden = r.URL.Path
+		next.ServeHTTP(w, r)
+	})
+}
+
+func main() {
+	r := chi.NewRouter()
+	r.With(hideUserData).Get("/", func(w http.ResponseWriter, r *http.Request) {
+		w.Write([]byte(hidden))
+		w.Write([]byte(chi.URLParam(r, "someParam")))
+		w.Write([]byte(chi.URLParamFromCtx(r.Context(), "someKey")))
+		w.Write([]byte(chi.RouteContext(r.Context()).URLParam("someOtherKey")))
+	})
+	http.ListenAndServe(":3000", r)
+}

ql/test/library-tests/semmle/go/frameworks/Chi/vendor/github.com/go-chi/chi/stub.go

@@ -0,0 +1,3 @@
+# github.com/go-chi/chi v4.1.2+incompatible
+## explicit
+github.com/go-chi/chi