Merge pull request #14649 from Kwstubbs/go-cors

Go: Add Cors Gin Support

Author: owen-mc

go/ql/lib/change-notes/2023-10-31-add-gin-cors-framework.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added the [gin cors](https://github.com/gin-contrib/cors) library to the CorsMisconfiguration.ql query

go/ql/lib/go.qll

@@ -41,6 +41,7 @@ import semmle.go.frameworks.Email
 import semmle.go.frameworks.Encoding
 import semmle.go.frameworks.Fiber
 import semmle.go.frameworks.Gin
+import semmle.go.frameworks.GinCors
 import semmle.go.frameworks.Glog
 import semmle.go.frameworks.GoKit
 import semmle.go.frameworks.GoMicro

go/ql/lib/semmle/go/frameworks/GinCors.qll

@@ -0,0 +1,139 @@
+/**
+ * Provides classes for modeling the `github.com/gin-contrib/cors` package.
+ */
+
+import go
+
+/**
+ * Provides classes for modeling the `github.com/gin-contrib/cors` package.
+ */
+module GinCors {
+  /** Gets the package name `github.com/gin-gonic/gin`. */
+  string packagePath() { result = package("github.com/gin-contrib/cors", "") }
+
+  /**
+   * A new function create a new gin Handler that passed to gin as middleware
+   */
+  class New extends Function {
+    New() { exists(Function f | f.hasQualifiedName(packagePath(), "New") | this = f) }
+  }
+
+  /**
+   * A write to the value of Access-Control-Allow-Credentials header
+   */
+  class AllowCredentialsWrite extends DataFlow::ExprNode {
+    DataFlow::Node base;
+
+    AllowCredentialsWrite() {
+      exists(Field f, Write w |
+        f.hasQualifiedName(packagePath(), "Config", "AllowCredentials") and
+        w.writesField(base, f, this) and
+        this.getType() instanceof BoolType
+      )
+    }
+
+    /**
+     * Get config struct holding header values
+     */
+    DataFlow::Node getBase() { result = base }
+
+    /**
+     * Get config variable holding header values
+     */
+    GinConfig getConfig() {
+      exists(GinConfig gc |
+        (
+          gc.getV().getBaseVariable().getDefinition().(SsaExplicitDefinition).getRhs() =
+            base.asInstruction() or
+          gc.getV().getAUse() = base
+        ) and
+        result = gc
+      )
+    }
+  }
+
+  /**
+   * A write to the value of Access-Control-Allow-Origins header
+   */
+  class AllowOriginsWrite extends DataFlow::ExprNode {
+    DataFlow::Node base;
+
+    AllowOriginsWrite() {
+      exists(Field f, Write w |
+        f.hasQualifiedName(packagePath(), "Config", "AllowOrigins") and
+        w.writesField(base, f, this) and
+        this.asExpr() instanceof SliceLit
+      )
+    }
+
+    /**
+     * Get config struct holding header values
+     */
+    DataFlow::Node getBase() { result = base }
+
+    /**
+     * Get config variable holding header values
+     */
+    GinConfig getConfig() {
+      exists(GinConfig gc |
+        (
+          gc.getV().getBaseVariable().getDefinition().(SsaExplicitDefinition).getRhs() =
+            base.asInstruction() or
+          gc.getV().getAUse() = base
+        ) and
+        result = gc
+      )
+    }
+  }
+
+  /**
+   * A write to the value of Access-Control-Allow-Origins of value "*", overriding AllowOrigins
+   */
+  class AllowAllOriginsWrite extends DataFlow::ExprNode {
+    DataFlow::Node base;
+
+    AllowAllOriginsWrite() {
+      exists(Field f, Write w |
+        f.hasQualifiedName(packagePath(), "Config", "AllowAllOrigins") and
+        w.writesField(base, f, this) and
+        this.getType() instanceof BoolType
+      )
+    }
+
+    /**
+     * Get config struct holding header values
+     */
+    DataFlow::Node getBase() { result = base }
+
+    /**
+     * Get config variable holding header values
+     */
+    GinConfig getConfig() {
+      exists(GinConfig gc |
+        (
+          gc.getV().getBaseVariable().getDefinition().(SsaExplicitDefinition).getRhs() =
+            base.asInstruction() or
+          gc.getV().getAUse() = base
+        ) and
+        result = gc
+      )
+    }
+  }
+
+  /**
+   * A variable of type Config that holds the headers to be set.
+   */
+  class GinConfig extends Variable {
+    SsaWithFields v;
+
+    GinConfig() {
+      this = v.getBaseVariable().getSourceVariable() and
+      exists(Type t | t.hasQualifiedName(packagePath(), "Config") | v.getType() = t)
+    }
+
+    /**
+     * Get variable declaration of GinConfig
+     */
+    SsaWithFields getV() { result = v }
+  }
+}

go/ql/src/experimental/CWE-942/CorsMisconfiguration.ql

@@ -69,22 +69,53 @@ module UntrustedToAllowOriginHeaderConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { isSinkHW(sink, _) }
 }
 
+module UntrustedToAllowOriginConfigConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }
+
+  additional predicate isSinkWrite(DataFlow::Node sink, GinCors::AllowOriginsWrite w) { sink = w }
+
+  predicate isSink(DataFlow::Node sink) { isSinkWrite(sink, _) }
+}
+
 /**
  * Tracks taint flowfor reasoning about when an `UntrustedFlowSource` flows to
  * a `HeaderWrite` that writes an `Access-Control-Allow-Origin` header's value.
  */
 module UntrustedToAllowOriginHeaderFlow = TaintTracking::Global<UntrustedToAllowOriginHeaderConfig>;
 
+/**
+ * Tracks taint flowfor reasoning about when an `UntrustedFlowSource` flows to
+ * a `AllowOriginsWrite` that writes an `Access-Control-Allow-Origin` header's value.
+ */
+module UntrustedToAllowOriginConfigFlow = TaintTracking::Global<UntrustedToAllowOriginConfigConfig>;
+
 /**
  * Holds if the provided `allowOriginHW` HeaderWrite's parent ResponseWriter
  * also has another HeaderWrite that sets a `Access-Control-Allow-Credentials`
  * header to `true`.
  */
-predicate allowCredentialsIsSetToTrue(AllowOriginHeaderWrite allowOriginHW) {
+predicate allowCredentialsIsSetToTrue(DataFlow::ExprNode allowOriginHW) {
   exists(AllowCredentialsHeaderWrite allowCredentialsHW |
     allowCredentialsHW.getHeaderValue().toLowerCase() = "true"
   |
-    allowOriginHW.getResponseWriter() = allowCredentialsHW.getResponseWriter()
+    allowOriginHW.(AllowOriginHeaderWrite).getResponseWriter() =
+      allowCredentialsHW.getResponseWriter()
+  )
+  or
+  exists(GinCors::AllowCredentialsWrite allowCredentialsGin |
+    allowCredentialsGin.getExpr().getBoolValue() = true
+  |
+    allowCredentialsGin.getConfig() = allowOriginHW.(GinCors::AllowOriginsWrite).getConfig() and
+    not exists(GinCors::AllowAllOriginsWrite allowAllOrigins |
+      allowAllOrigins.getExpr().getBoolValue() = true and
+      allowCredentialsGin.getConfig() = allowAllOrigins.getConfig()
+    )
+    or
+    allowCredentialsGin.getBase() = allowOriginHW.(GinCors::AllowOriginsWrite).getBase() and
+    not exists(GinCors::AllowAllOriginsWrite allowAllOrigins |
+      allowAllOrigins.getExpr().getBoolValue() = true and
+      allowCredentialsGin.getBase() = allowAllOrigins.getBase()
+    )
   )
 }
 
@@ -93,10 +124,13 @@ predicate allowCredentialsIsSetToTrue(AllowOriginHeaderWrite allowOriginHW) {
  * UntrustedFlowSource.
  * The `message` parameter is populated with the warning message to be returned by the query.
  */
-predicate flowsFromUntrustedToAllowOrigin(AllowOriginHeaderWrite allowOriginHW, string message) {
+predicate flowsFromUntrustedToAllowOrigin(DataFlow::ExprNode allowOriginHW, string message) {
   exists(DataFlow::Node sink |
     UntrustedToAllowOriginHeaderFlow::flowTo(sink) and
     UntrustedToAllowOriginHeaderConfig::isSinkHW(sink, allowOriginHW)
+    or
+    UntrustedToAllowOriginConfigFlow::flowTo(sink) and
+    UntrustedToAllowOriginConfigConfig::isSinkWrite(sink, allowOriginHW)
   |
     message =
       headerAllowOrigin() + " header is set to a user-defined value, and " +
@@ -108,11 +142,23 @@ predicate flowsFromUntrustedToAllowOrigin(AllowOriginHeaderWrite allowOriginHW,
  * Holds if the provided `allowOriginHW` HeaderWrite is for a `Access-Control-Allow-Origin`
  * header and the value is set to `null`.
  */
-predicate allowOriginIsNull(AllowOriginHeaderWrite allowOriginHW, string message) {
-  allowOriginHW.getHeaderValue().toLowerCase() = "null" and
+predicate allowOriginIsNull(DataFlow::ExprNode allowOriginHW, string message) {
+  allowOriginHW.(AllowOriginHeaderWrite).getHeaderValue().toLowerCase() = "null" and
+  message =
+    headerAllowOrigin() + " header is set to `" +
+      allowOriginHW.(AllowOriginHeaderWrite).getHeaderValue() + "`, and " + headerAllowCredentials()
+      + " is set to `true`"
+  or
+  allowOriginHW
+      .(GinCors::AllowOriginsWrite)
+      .asExpr()
+      .(SliceLit)
+      .getAnElement()
+      .getStringValue()
+      .toLowerCase() = "null" and
   message =
-    headerAllowOrigin() + " header is set to `" + allowOriginHW.getHeaderValue() + "`, and " +
-      headerAllowCredentials() + " is set to `true`"
+    headerAllowOrigin() + " header is set to `" + "null" + "`, and " + headerAllowCredentials() +
+      " is set to `true`"
 }
 
 /**
@@ -170,15 +216,15 @@ module FromUntrustedFlow = TaintTracking::Global<FromUntrustedConfig>;
 /**
  * Holds if the provided `allowOriginHW` is also destination of a `UntrustedFlowSource`.
  */
-predicate flowsToGuardedByCheckOnUntrusted(AllowOriginHeaderWrite allowOriginHW) {
+predicate flowsToGuardedByCheckOnUntrusted(DataFlow::ExprNode allowOriginHW) {
   exists(DataFlow::Node sink, ControlFlow::ConditionGuardNode cgn |
     FromUntrustedFlow::flowTo(sink) and FromUntrustedConfig::isSinkCgn(sink, cgn)
   |
     cgn.dominates(allowOriginHW.getBasicBlock())
   )
 }
 
-from AllowOriginHeaderWrite allowOriginHW, string message
+from DataFlow::ExprNode allowOriginHW, string message
 where
   allowCredentialsIsSetToTrue(allowOriginHW) and
   (

go/ql/test/experimental/CWE-942/CorsGin.go

@@ -0,0 +1,106 @@
+package main
+
+import (
+	"net/http"
+	"time"
+
+	"github.com/gin-contrib/cors"
+	"github.com/gin-gonic/gin"
+)
+
+/*
+** Function is vulnerable due to AllowAllOrigins = true aka Access-Control-Allow-Origin: null
+ */
+func vunlnerable() {
+	router := gin.Default()
+	// CORS for https://foo.com and null
+	// - PUT and PATCH methods
+	// - Origin header
+	// - Credentials share
+	// - Preflight requests cached for 12 hours
+	config_vulnerable := cors.Config{
+		AllowMethods:     []string{"PUT", "PATCH"},
+		AllowHeaders:     []string{"Origin"},
+		ExposeHeaders:    []string{"Content-Length"},
+		AllowCredentials: true,
+		MaxAge:           12 * time.Hour,
+	}
+	config_vulnerable.AllowOrigins = []string{"null", "https://foo.com"}
+	router.Use(cors.New(config_vulnerable))
+	router.GET("/", func(c *gin.Context) {
+		c.String(http.StatusOK, "hello world")
+	})
+	router.Run()
+}
+
+/*
+** Function is safe due to hardcoded origin and AllowCredentials: true
+ */
+func safe() {
+	router := gin.Default()
+	// CORS for https://foo.com origin, allowing:
+	// - PUT and PATCH methods
+	// - Origin header
+	// - Credentials share
+	// - Preflight requests cached for 12 hours
+	config_safe := cors.Config{
+		AllowMethods:     []string{"PUT", "PATCH"},
+		AllowHeaders:     []string{"Origin"},
+		ExposeHeaders:    []string{"Content-Length"},
+		AllowCredentials: true,
+		MaxAge:           12 * time.Hour,
+	}
+	config_safe.AllowOrigins = []string{"https://foo.com"}
+	router.Use(cors.New(config_safe))
+	router.GET("/", func(c *gin.Context) {
+		c.String(http.StatusOK, "hello world")
+	})
+	router.Run()
+}
+
+/*
+** Function is safe due to AllowAllOrigins = true aka Access-Control-Allow-Origin: *
+ */
+func AllowAllTrue() {
+	router := gin.Default()
+	// CORS for "*" origin, allowing:
+	// - PUT and PATCH methods
+	// - Origin header
+	// - Credentials share
+	// - Preflight requests cached for 12 hours
+	config_allowall := cors.Config{
+		AllowMethods:     []string{"PUT", "PATCH"},
+		AllowHeaders:     []string{"Origin"},
+		ExposeHeaders:    []string{"Content-Length"},
+		AllowCredentials: true,
+		MaxAge:           12 * time.Hour,
+	}
+	config_allowall.AllowOrigins = []string{"null"}
+	config_allowall.AllowAllOrigins = true
+	router.Use(cors.New(config_allowall))
+	router.GET("/", func(c *gin.Context) {
+		c.String(http.StatusOK, "hello world")
+	})
+	router.Run()
+}
+
+func NoVariableVulnerable() {
+	router := gin.Default()
+	// CORS for https://foo.com origin, allowing:
+	// - PUT and PATCH methods
+	// - Origin header
+	// - Credentials share
+	// - Preflight requests cached for 12 hours
+	router.Use(cors.New(cors.Config{
+		AllowMethods:     []string{"GET", "POST"},
+		AllowHeaders:     []string{"Origin"},
+		ExposeHeaders:    []string{"Content-Length"},
+		AllowOrigins:     []string{"null", "https://foo.com"},
+		AllowCredentials: true,
+		MaxAge:           12 * time.Hour,
+	}))
+	router.GET("/", func(c *gin.Context) {
+		c.String(http.StatusOK, "hello world")
+	})
+	router.Run()
+}

go/ql/test/experimental/CWE-942/CorsMisconfiguration.expected

@@ -1,3 +1,5 @@
+| CorsGin.go:28:35:28:69 | slice literal | access-control-allow-origin header is set to `null`, and access-control-allow-credentials is set to `true` |
+| CorsGin.go:98:21:98:55 | slice literal | access-control-allow-origin header is set to `null`, and access-control-allow-credentials is set to `true` |
 | CorsMisconfiguration.go:26:4:26:56 | call to Set | access-control-allow-origin header is set to `null`, and access-control-allow-credentials is set to `true` |
 | CorsMisconfiguration.go:32:4:32:42 | call to Set | access-control-allow-origin header is set to `null`, and access-control-allow-credentials is set to `true` |
 | CorsMisconfiguration.go:53:4:53:44 | call to Set | access-control-allow-origin header is set to a user-defined value, and access-control-allow-credentials is set to `true` |