Merge pull request #17335 from egregius313/egregius313/go/dataflow/models/stdin

egregius313 · web-flow · commit ade5686e5233 · 2024-10-14T10:38:27.000-04:00
Go: Implement `stdin` models
diff --git a/go/ql/lib/change-notes/2024-08-29-add-stdin-threat-models.md b/go/ql/lib/change-notes/2024-08-29-add-stdin-threat-models.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Local source models with the `stdin` source kind have been added for the variable `os.Stdin` and the functions `fmt.Scan`, `fmt.Scanf` and `fmt.Scanln`. You can optionally include threat models as appropriate when using the CodeQL CLI and in GitHub code scanning. For more information, see [Analyzing your code with CodeQL queries](https://docs.github.com/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries#including-model-packs-to-add-potential-sources-of-tainted-data>) and [Customizing your advanced setup for code scanning](https://docs.github.com/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-threat-models).
diff --git a/go/ql/lib/semmle/go/frameworks/stdlib/Fmt.qll b/go/ql/lib/semmle/go/frameworks/stdlib/Fmt.qll
@@ -112,6 +112,15 @@ module Fmt {
     Scanner() { this.hasQualifiedName("fmt", ["Scan", "Scanf", "Scanln"]) }
   }
 
+  private class ScannerSource extends SourceNode {
+    ScannerSource() {
+      // All of the arguments which are sources are varargs.
+      this.asExpr() = any(Scanner s).getACall().getAnImplicitVarargsArgument().asExpr()
+    }
+
+    override string getThreatModel() { result = "stdin" }
+  }
+
   /**
    * The `Fscan` function or one of its variants,
    * all of which read from a specified `io.Reader`.
diff --git a/go/ql/lib/semmle/go/frameworks/stdlib/Os.qll b/go/ql/lib/semmle/go/frameworks/stdlib/Os.qll
@@ -43,4 +43,12 @@ module Os {
       input = inp and output = outp
     }
   }
+
+  private class Stdin extends SourceNode {
+    Stdin() {
+      exists(Variable osStdin | osStdin.hasQualifiedName("os", "Stdin") | this = osStdin.getARead())
+    }
+
+    override string getThreatModel() { result = "stdin" }
+  }
 }
diff --git a/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/stdin/go.mod b/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/stdin/go.mod
@@ -0,0 +1,3 @@
+module test
+
+go 1.22.6
diff --git a/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/stdin/source.expected b/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/stdin/source.expected
@@ -0,0 +1,3 @@
+testFailures
+invalidModelRow
+failures
diff --git a/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/stdin/source.ext.yml b/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/stdin/source.ext.yml
@@ -0,0 +1,7 @@
+extensions:
+
+  - addsTo:
+      pack: codeql/threat-models
+      extensible: threatModelConfiguration
+    data:
+      - ["stdin", true, 0]
diff --git a/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/stdin/source.ql b/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/stdin/source.ql
@@ -0,0 +1,19 @@
+import go
+import ModelValidation
+import TestUtilities.InlineExpectationsTest
+
+module SourceTest implements TestSig {
+  string getARelevantTag() { result = "source" }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(ActiveThreatModelSource s |
+      s.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
+        location.getStartColumn(), location.getEndLine(), location.getEndColumn()) and
+      element = s.toString() and
+      value = "" and
+      tag = "source"
+    )
+  }
+}
+
+import MakeTest<SourceTest>
diff --git a/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/stdin/test.expected b/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/stdin/test.expected
@@ -0,0 +1,2 @@
+testFailures
+invalidModelRow
diff --git a/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/stdin/test.ext.yml b/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/stdin/test.ext.yml
@@ -0,0 +1,7 @@
+extensions:
+
+  - addsTo:
+      pack: codeql/threat-models
+      extensible: threatModelConfiguration
+    data:
+      - ["stdin", true, 0]
diff --git a/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/stdin/test.go b/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/stdin/test.go
@@ -0,0 +1,48 @@
+package test
+
+import (
+	"bufio"
+	"fmt"
+	"os"
+)
+
+func sink(string) {
+
+}
+
+func readStdinBuffer() {
+	buf := make([]byte, 1024)
+	n, err := os.Stdin.Read(buf) // $source
+	if err != nil {
+		return
+	}
+	sink(string(buf[:n])) // $hasTaintFlow="type conversion"
+}
+
+func readStdinBuffReader() {
+	buf := make([]byte, 1024)
+	r := bufio.NewReader(os.Stdin) // $source
+	n, err := r.Read(buf)
+	if err != nil {
+		return
+	}
+	sink(string(buf[:n])) // $hasTaintFlow="type conversion"
+}
+
+func scan() {
+	var username, email string
+	fmt.Scan(&username, &email) // $source
+	sink(username)              // $hasTaintFlow="username"
+}
+
+func scanf() {
+	var s string
+	fmt.Scanf("%s", &s) // $source
+	sink(s)             // $hasTaintFlow="s"
+}
+
+func scanl() {
+	var s string
+	fmt.Scanln(&s) // $source
+	sink(s)        // $hasTaintFlow="s"
+}
diff --git a/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/stdin/test.ql b/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/stdin/test.ql
@@ -0,0 +1,15 @@
+import go
+import semmle.go.dataflow.ExternalFlow
+import ModelValidation
+import experimental.frameworks.CleverGo
+import TestUtilities.InlineFlowTest
+
+module Config implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
+
+  predicate isSink(DataFlow::Node sink) {
+    sink.asExpr() = any(CallExpr c | c.getTarget().getName() = "sink").getArgument(0)
+  }
+}
+
+import TaintFlowTest<Config>

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* Local source models with the `stdin` source kind have been added for the variable `os.Stdin` and the functions `fmt.Scan`, `fmt.Scanf` and `fmt.Scanln`. You can optionally include threat models as appropriate when using the CodeQL CLI and in GitHub code scanning. For more information, see [Analyzing your code with CodeQL queries](https://docs.github.com/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries#including-model-packs-to-add-potential-sources-of-tainted-data>) and [Customizing your advanced setup for code scanning](https://docs.github.com/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-threat-models).
Original file line number	Diff line number	Diff line change
`@@ -43,4 +43,12 @@ module Os {`
`43`	`43`	`input = inp and output = outp`
`44`	`44`	`}`
`45`	`45`	`}`
	`46`	`+`
	`47`	`+ private class Stdin extends SourceNode {`
	`48`	`+ Stdin() {`
	`49`	`+ exists(Variable osStdin \| osStdin.hasQualifiedName("os", "Stdin") \| this = osStdin.getARead())`
	`50`	`+ }`
	`51`	`+`
	`52`	`+ override string getThreatModel() { result = "stdin" }`
	`53`	`+ }`
`46`	`54`	`}`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+testFailures`
	`2`	`+invalidModelRow`
	`3`	`+failures`