Merge pull request #15795 from atorralba/atorralba/go/macaron-sources

Go: Add Macaron sources

Author: atorralba

go/ql/lib/change-notes/2024-03-04-macaron-sources.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added dataflow sources for the package `gopkg.in/macaron.v1`.

go/ql/lib/ext/gopkg.in.macaron.model.yml

@@ -1,4 +1,20 @@
 extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sourceModel
+    data:
+      - ["gopkg.in/macaron", "Context", True, "AllParams", "", "", "ReturnValue", "remote", "manual"]
+      - ["gopkg.in/macaron", "Context", True, "GetCookie", "", "", "ReturnValue", "remote", "manual"]
+      - ["gopkg.in/macaron", "Context", True, "GetSecureCookie", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["gopkg.in/macaron", "Context", True, "GetSuperSecureCookie", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["gopkg.in/macaron", "Context", True, "GetFile", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["gopkg.in/macaron", "Context", True, "Params", "", "", "ReturnValue", "remote", "manual"]
+      - ["gopkg.in/macaron", "Context", True, "ParamsEscape", "", "", "ReturnValue", "remote", "manual"]
+      - ["gopkg.in/macaron", "Context", True, "Query", "", "", "ReturnValue", "remote", "manual"]
+      - ["gopkg.in/macaron", "Context", True, "QueryEscape", "", "", "ReturnValue", "remote", "manual"]
+      - ["gopkg.in/macaron", "Context", True, "QueryStrings", "", "", "ReturnValue", "remote", "manual"]
+      - ["gopkg.in/macaron", "RequestBody", True, "Bytes", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["gopkg.in/macaron", "RequestBody", True, "String", "", "", "ReturnValue[0]", "remote", "manual"]
   - addsTo:
       pack: codeql/go-all
       extensible: summaryModel

go/ql/test/library-tests/semmle/go/frameworks/Macaron/Sources.expected

@@ -0,0 +1,2 @@
+testFailures
+failures

go/ql/test/library-tests/semmle/go/frameworks/Macaron/Sources.ql

@@ -0,0 +1,18 @@
+import go
+import TestUtilities.InlineExpectationsTest
+
+module UntrustedFlowSourceTest implements TestSig {
+  string getARelevantTag() { result = "UntrustedFlowSource" }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(UntrustedFlowSource src |
+      src.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
+        location.getStartColumn(), location.getEndLine(), location.getEndColumn()) and
+      element = src.toString() and
+      value = "" and
+      tag = "UntrustedFlowSource"
+    )
+  }
+}
+
+import MakeTest<UntrustedFlowSourceTest>

go/ql/test/library-tests/semmle/go/frameworks/Macaron/sources.go

@@ -0,0 +1,22 @@
+package main
+
+//go:generate depstubber -vendor gopkg.in/macaron.v1 Context,RequestBody
+
+import (
+	"gopkg.in/macaron.v1"
+)
+
+func sources(ctx *macaron.Context, body *macaron.RequestBody) {
+	_ = ctx.AllParams()                     // $UntrustedFlowSource
+	_ = ctx.GetCookie("")                   // $UntrustedFlowSource
+	_, _ = ctx.GetSecureCookie("")          // $UntrustedFlowSource
+	_, _ = ctx.GetSuperSecureCookie("", "") // $UntrustedFlowSource
+	_, _, _ = ctx.GetFile("")               // $UntrustedFlowSource
+	_ = ctx.Params("")                      // $UntrustedFlowSource
+	_ = ctx.ParamsEscape("")                // $UntrustedFlowSource
+	_ = ctx.Query("")                       // $UntrustedFlowSource
+	_ = ctx.QueryEscape("")                 // $UntrustedFlowSource
+	_ = ctx.QueryStrings("")                // $UntrustedFlowSource
+	_, _ = body.Bytes()                     // $UntrustedFlowSource
+	_, _ = body.String()                    // $UntrustedFlowSource
+}