Go Environment variable (parsing) models and tests

Author: egregius313

go/ql/lib/ext/github.com.hashicorp.go-envparse.model.yml

@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sourceModel
+    data:
+      - ["github.com/hashicorp/go-envparse", "", False, "Parse", "", "", "ReturnValue", "environment", "manual"]

go/ql/lib/ext/github.com.joho.godotenv.model.yml

@@ -0,0 +1,9 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sourceModel
+    data:
+      - ["github.com/joho/godotenv", "", False, "Parse", "", "", "ReturnValue", "environment", "manual"]
+      - ["github.com/joho/godotenv", "", False, "Read", "", "", "ReturnValue", "environment", "manual"]
+      - ["github.com/joho/godotenv", "", False, "Unmarshal", "", "", "ReturnValue", "environment", "manual"]
+      - ["github.com/joho/godotenv", "", False, "UnmarshalBytes", "", "", "ReturnValue", "environment", "manual"]

go/ql/lib/ext/github.com.kelseyhightower.envconfig.model.yml

@@ -0,0 +1,11 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sourceModel
+    data:
+      - ["github.com/kelseyhightower/envconfig", "", False, "CheckDisallowed", "", "", "Argument[1]", "environment", "manual"]
+      - ["github.com/kelseyhightower/envconfig", "", False, "MustProcess", "", "", "Argument[1]", "environment", "manual"]
+      - ["github.com/kelseyhightower/envconfig", "", False, "Process", "", "", "Argument[1]", "environment", "manual"]
+      - ["github.com/kelseyhightower/envconfig", "", False, "Usage", "", "", "Argument[1]", "environment", "manual"]
+      - ["github.com/kelseyhightower/envconfig", "", False, "Usagef", "", "", "Argument[1]", "environment", "manual"]
+      - ["github.com/kelseyhightower/envconfig", "", False, "Usaget", "", "", "Argument[1]", "environment", "manual"]

go/ql/lib/ext/os.model.yml

@@ -46,6 +46,9 @@ extensions:
       pack: codeql/go-all
       extensible: sourceModel
     data:
+      - ["os", "", False, "Environ", "", "", "ReturnValue", "environment", "manual"]
+      - ["os", "", False, "Getenv", "", "", "ReturnValue", "environment", "manual"]
+      - ["os", "", False, "LookupEnv", "", "", "ReturnValue[0]", "environment", "manual"]
       - ["os", "", False, "Open", "", "", "ReturnValue[0]", "file", "manual"]
       - ["os", "", False, "OpenFile", "", "", "ReturnValue[0]", "file", "manual"]
-      - ["os", "", False, "ReadFile", "", "", "ReturnValue[0]", "file", "manual"]
+      - ["os", "", False, "ReadFile", "", "", "ReturnValue[0]", "file", "manual"]

go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/environment/go.mod

@@ -0,0 +1,9 @@
+module test
+
+go 1.22.5
+
+require (
+	github.com/hashicorp/go-envparse v0.1.0
+	github.com/joho/godotenv v1.5.1
+	github.com/kelseyhightower/envconfig v1.4.0
+)

go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/environment/test.expected

@@ -0,0 +1,6 @@
+| test.go:12:10:12:26 | call to Getenv |
+| test.go:14:2:14:33 | ... := ...[0] |
+| test.go:19:20:19:31 | call to Environ |
+| test.go:34:29:34:32 | &... |
+| test.go:41:2:41:40 | ... := ...[0] |
+| test.go:48:2:48:52 | ... := ...[0] |

go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/environment/test.ext.yml

@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/threat-models
+      extensible: threatModelConfiguration
+    data:
+      - ["environment", true, 0]

go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/environment/test.go

@@ -0,0 +1,67 @@
+package test
+
+import (
+	"fmt"
+	"github.com/hashicorp/go-envparse"
+	"github.com/joho/godotenv"
+	"github.com/kelseyhightower/envconfig"
+	"os"
+)
+
+func osEnvironmentVariables() {
+	home := os.Getenv("HOME")
+
+	port, ok := os.LookupEnv("PORT")
+	if !ok {
+		port = "3000"
+	}
+
+	for _, e := range os.Environ() {
+		_ = e
+	}
+
+	fmt.Printf("HOME: %s\n", home)
+	fmt.Printf("PORT: %s\n", port)
+}
+
+type ServerConfig struct {
+	Port int    `envconfig:"PORT"`
+	Host string `envconfig:"HOST"`
+}
+
+func envconfigEnvironmentVariables() {
+	var cfg ServerConfig
+	envconfig.Process("myapp", &cfg)
+}
+
+func godotenvEnvironmentVariables() {
+	var err error
+	var username, greeting string
+
+	users, err := godotenv.Read("user.env")
+	if err != nil {
+		return
+	}
+
+	username := users["USERNAME"]
+
+	greetings, err := godotenv.Unmarshal("HELLO=hello")
+	if err != nil {
+		return
+	}
+
+	greeting := greetings["HELLO"]
+
+	fmt.Printf("%s, %s!\n", greeting, username)
+}
+
+func envparseEnvironmentVariables() {
+	f := os.Open("file.txt")
+	envVars, ok := envparse.Parse(f)
+
+	if !ok {
+		return
+	}
+
+	fmt.Printf("HOME: %s\n", envVars["HOME"])
+}

go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/environment/test.ql

@@ -0,0 +1,5 @@
+import go
+
+from DataFlow::Node source
+where source instanceof ThreatModelFlowSource
+select source