Convert regex-use sinks to use MaD

Author: owen-mc

go/ql/lib/ext/regexp.model.yml

@@ -1,4 +1,18 @@
 extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["regexp", "", True, "Compile", "", "", "Argument[0]", "regex-use[c]", "manual"]
+      - ["regexp", "", True, "CompilePOSIX", "", "", "Argument[0]", "regex-use[c]", "manual"]
+      - ["regexp", "", True, "MustCompile", "", "", "Argument[0]", "regex-use[c]", "manual"]
+      - ["regexp", "", True, "MustCompilePOSIX", "", "", "Argument[0]", "regex-use[c]", "manual"]
+      - ["regexp", "", True, "Match", "", "", "Argument[0]", "regex-use[1]", "manual"]
+      - ["regexp", "", True, "MatchReader", "", "", "Argument[0]", "regex-use[1]", "manual"]
+      - ["regexp", "", True, "MatchString", "", "", "Argument[0]", "regex-use[1]", "manual"]
+      - ["regexp", "Regexp", True, "Match", "", "", "Argument[receiver]", "regex-use[0]", "manual"]
+      - ["regexp", "Regexp", True, "MatchReader", "", "", "Argument[receiver]", "regex-use[0]", "manual"]
+      - ["regexp", "Regexp", True, "MatchString", "", "", "Argument[receiver]", "regex-use[0]", "manual"]
   - addsTo:
       pack: codeql/go-all
       extensible: summaryModel

go/ql/lib/semmle/go/frameworks/stdlib/Regexp.qll

@@ -6,13 +6,43 @@ import go
 
 /** Provides models of commonly used functions in the `regexp` package. */
 module Regexp {
-  private class Pattern extends RegexpPattern::Range, DataFlow::ArgumentNode {
-    string fnName;
+  /**
+   * Holds if `kind` is an external sink kind that is relevant for regex flow.
+   * `strArg` is the index of the argument to methods with this sink kind that
+   * contain the string to be matched against, where -1 is the qualifier; or -2
+   * if no such argument exists and the function compiles the regex; or -3 if
+   * no such argument exists and the function does not compile the regex.
+   *
+   * So `regex-use[0]` indicates that argument 0 contains the string to matched
+   * against, `regex-use[c]` indicates that there is no string to be matched
+   * against and the return value of the function is a compiled regex, and
+   * `regex-use` means that there is no string to be matched against and the
+   * function does not compile the regex.
+   */
+  private predicate regexSinkKindInfo(string kind, int strArg) {
+    sinkModel(_, _, _, _, _, _, _, kind, _, _) and
+    exists(string strArgStr |
+      (
+        strArgStr.toInt() = strArg
+        or
+        strArg = -2 and
+        strArgStr = "c"
+      )
+    |
+      kind = "regex-use[" + strArgStr + "]"
+    )
+    or
+    strArg = -3 and
+    kind = "regex-use"
+  }
 
-    Pattern() {
-      exists(Function fn | fnName.matches("Match%") or fnName.matches("%Compile%") |
-        fn.hasQualifiedName("regexp", fnName) and
-        this = fn.getACall().getArgument(0)
+  private class DefaultRegexpPattern extends RegexpPattern::Range, DataFlow::ArgumentNode {
+    int strArg;
+
+    DefaultRegexpPattern() {
+      exists(string kind |
+        regexSinkKindInfo(kind, strArg) and
+        sinkNode(this, kind)
       )
     }
 
@@ -21,38 +51,37 @@ module Regexp {
     override string getPattern() { result = this.asExpr().getStringValue() }
 
     override DataFlow::Node getAUse() {
-      fnName.matches("MustCompile%") and
-      result = this.getCall().getASuccessor*()
-      or
-      fnName.matches("Compile%") and
+      strArg = -2 and
       result = this.getCall().getResult(0).getASuccessor*()
       or
       result = this
     }
   }
 
-  private class MatchFunction extends RegexpMatchFunction::Range, Function {
-    MatchFunction() {
-      exists(string fn | fn.matches("Match%") | this.hasQualifiedName("regexp", fn))
+  private class DefaultRegexpMatchFunction extends RegexpMatchFunction::Range, Function {
+    int patArg;
+    int strArg;
+
+    DefaultRegexpMatchFunction() {
+      exists(DefaultRegexpPattern drp, string kind |
+        drp.getCall() = this.getACall() and
+        sinkNode(drp, kind)
+      |
+        patArg = drp.getPosition() and
+        regexSinkKindInfo(kind, strArg) and
+        strArg >= -1
+      )
     }
 
-    override FunctionInput getRegexpArg() { result.isParameter(0) }
-
-    override FunctionInput getValue() { result.isParameter(1) }
-
-    override FunctionOutput getResult() { result.isResult(0) }
-  }
-
-  private class MatchMethod extends RegexpMatchFunction::Range, Method {
-    MatchMethod() {
-      exists(string fn | fn.matches("Match%") | this.hasQualifiedName("regexp", "Regexp", fn))
+    override FunctionInput getRegexpArg() {
+      patArg = -1 and result.isReceiver()
+      or
+      patArg >= 0 and result.isParameter(patArg)
     }
 
-    override FunctionInput getRegexpArg() { result.isReceiver() }
+    override FunctionInput getValue() { result.isParameter(strArg) }
 
-    override FunctionInput getValue() { result.isParameter(0) }
-
-    override FunctionOutput getResult() { result.isResult() }
+    override FunctionOutput getResult() { result.isResult(0) }
   }
 
   private class ReplaceFunction extends RegexpReplaceFunction::Range, Method {

go/ql/test/library-tests/semmle/go/concepts/Regexp/RegexpMatchFunction.expected

@@ -1,3 +1,6 @@
 | file://:0:0:0:0 | Match | stdlib.go:16:30:16:37 | "posix?" | stdlib.go:28:11:28:24 | type conversion | stdlib.go:28:2:28:25 | call to Match |
+| file://:0:0:0:0 | Match | stdlib.go:28:2:28:3 | re | stdlib.go:28:11:28:24 | type conversion | stdlib.go:28:2:28:25 | call to Match |
 | file://:0:0:0:0 | MatchReader | stdlib.go:16:30:16:37 | "posix?" | stdlib.go:29:17:29:37 | call to NewReader | stdlib.go:29:2:29:38 | call to MatchReader |
+| file://:0:0:0:0 | MatchReader | stdlib.go:29:2:29:3 | re | stdlib.go:29:17:29:37 | call to NewReader | stdlib.go:29:2:29:38 | call to MatchReader |
 | file://:0:0:0:0 | MatchString | stdlib.go:16:30:16:37 | "posix?" | stdlib.go:17:17:17:22 | "posi" | stdlib.go:17:2:17:23 | call to MatchString |
+| file://:0:0:0:0 | MatchString | stdlib.go:17:2:17:3 | re | stdlib.go:17:17:17:22 | "posi" | stdlib.go:17:2:17:23 | call to MatchString |

go/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegexp/IncompleteHostnameRegexp.expected

@@ -1,7 +1,17 @@
+#select
+| IncompleteHostnameRegexp.go:11:8:11:36 | "^((www\|beta).)?example.com/" | IncompleteHostnameRegexp.go:11:8:11:36 | "^((www\|beta).)?example.com/" | IncompleteHostnameRegexp.go:12:38:12:39 | re | This regular expression has an unescaped dot before ')?example.com', so it might match more hosts than expected when $@. | IncompleteHostnameRegexp.go:12:38:12:39 | re | the regular expression is used |
+| main.go:40:60:40:79 | "^test2.github.com$" | main.go:40:60:40:79 | "^test2.github.com$" | main.go:40:60:40:79 | "^test2.github.com$" | This regular expression has an unescaped dot before 'github.com', so it might match more hosts than expected when $@. | main.go:40:60:40:79 | "^test2.github.com$" | the regular expression is used |
+| main.go:45:15:45:39 | `https://www.example.com` | main.go:45:15:45:39 | `https://www.example.com` | main.go:45:15:45:39 | `https://www.example.com` | This regular expression has an unescaped dot before 'example.com', so it might match more hosts than expected when $@. | main.go:45:15:45:39 | `https://www.example.com` | the regular expression is used |
+| main.go:49:21:49:45 | `https://www.example.com` | main.go:49:21:49:45 | `https://www.example.com` | main.go:65:15:65:23 | localVar3 | This regular expression has an unescaped dot before 'example.com', so it might match more hosts than expected when $@. | main.go:65:15:65:23 | localVar3 | the regular expression is used |
+| main.go:56:15:56:34 | ...+... | main.go:56:15:56:34 | ...+... | main.go:56:15:56:34 | ...+... | This regular expression has an unescaped dot before 'example.com', so it might match more hosts than expected when $@. | main.go:56:15:56:34 | ...+... | the regular expression is used |
+| main.go:58:15:58:42 | ...+... | main.go:58:15:58:42 | ...+... | main.go:58:15:58:42 | ...+... | This regular expression has an unescaped dot before 'example.com', so it might match more hosts than expected when $@. | main.go:58:15:58:42 | ...+... | the regular expression is used |
 edges
-| IncompleteHostnameRegexp.go:11:8:11:36 | "^((www\|beta).)?example.com/" | IncompleteHostnameRegexp.go:12:38:12:39 | re | provenance |  |
+| IncompleteHostnameRegexp.go:11:8:11:36 | "^((www\|beta).)?example.com/" | IncompleteHostnameRegexp.go:12:38:12:39 | re | provenance |  Sink:MaD:2 |
 | main.go:49:21:49:45 | `https://www.example.com` | main.go:62:15:62:25 | sourceConst | provenance |  |
-| main.go:62:15:62:25 | sourceConst | main.go:65:15:65:23 | localVar3 | provenance |  |
+| main.go:62:15:62:25 | sourceConst | main.go:65:15:65:23 | localVar3 | provenance |  Sink:MaD:1 |
+models
+| 1 | Sink: regexp; ; true; Match; ; ; Argument[0]; regex-use[1]; manual |
+| 2 | Sink: regexp; ; true; MatchString; ; ; Argument[0]; regex-use[1]; manual |
 nodes
 | IncompleteHostnameRegexp.go:11:8:11:36 | "^((www\|beta).)?example.com/" | semmle.label | "^((www\|beta).)?example.com/" |
 | IncompleteHostnameRegexp.go:12:38:12:39 | re | semmle.label | re |
@@ -13,10 +23,3 @@ nodes
 | main.go:62:15:62:25 | sourceConst | semmle.label | sourceConst |
 | main.go:65:15:65:23 | localVar3 | semmle.label | localVar3 |
 subpaths
-#select
-| IncompleteHostnameRegexp.go:11:8:11:36 | "^((www\|beta).)?example.com/" | IncompleteHostnameRegexp.go:11:8:11:36 | "^((www\|beta).)?example.com/" | IncompleteHostnameRegexp.go:12:38:12:39 | re | This regular expression has an unescaped dot before ')?example.com', so it might match more hosts than expected when $@. | IncompleteHostnameRegexp.go:12:38:12:39 | re | the regular expression is used |
-| main.go:40:60:40:79 | "^test2.github.com$" | main.go:40:60:40:79 | "^test2.github.com$" | main.go:40:60:40:79 | "^test2.github.com$" | This regular expression has an unescaped dot before 'github.com', so it might match more hosts than expected when $@. | main.go:40:60:40:79 | "^test2.github.com$" | the regular expression is used |
-| main.go:45:15:45:39 | `https://www.example.com` | main.go:45:15:45:39 | `https://www.example.com` | main.go:45:15:45:39 | `https://www.example.com` | This regular expression has an unescaped dot before 'example.com', so it might match more hosts than expected when $@. | main.go:45:15:45:39 | `https://www.example.com` | the regular expression is used |
-| main.go:49:21:49:45 | `https://www.example.com` | main.go:49:21:49:45 | `https://www.example.com` | main.go:65:15:65:23 | localVar3 | This regular expression has an unescaped dot before 'example.com', so it might match more hosts than expected when $@. | main.go:65:15:65:23 | localVar3 | the regular expression is used |
-| main.go:56:15:56:34 | ...+... | main.go:56:15:56:34 | ...+... | main.go:56:15:56:34 | ...+... | This regular expression has an unescaped dot before 'example.com', so it might match more hosts than expected when $@. | main.go:56:15:56:34 | ...+... | the regular expression is used |
-| main.go:58:15:58:42 | ...+... | main.go:58:15:58:42 | ...+... | main.go:58:15:58:42 | ...+... | This regular expression has an unescaped dot before 'example.com', so it might match more hosts than expected when $@. | main.go:58:15:58:42 | ...+... | the regular expression is used |

go/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegexp/IncompleteHostnameRegexp.qlref

@@ -1 +1,2 @@
-Security/CWE-020/IncompleteHostnameRegexp.ql
+query: Security/CWE-020/IncompleteHostnameRegexp.ql
+postprocess: TestUtilities/PrettyPrintModels.ql