Convert Gorm sql-injection sinks to MaD

owen-mc · owen-mc · commit ba310417a8ce · 2024-08-16T11:18:55.000+01:00
diff --git a/go/ql/lib/ext/gorm.io.gorm.model.yml b/go/ql/lib/ext/gorm.io.gorm.model.yml
@@ -0,0 +1,25 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: packageGrouping
+    data:
+      - ["gorm", "gorm.io/gorm"]
+      - ["gorm", "github.com/jinzhu/gorm"]
+      - ["gorm", "github.com/go-gorm/gorm"]
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["group:gorm", "DB", True, "Where", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:gorm", "DB", True, "Raw", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:gorm", "DB", True, "Order", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:gorm", "DB", True, "Not", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:gorm", "DB", True, "Or", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:gorm", "DB", True, "Select", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:gorm", "DB", True, "Table", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:gorm", "DB", True, "Group", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:gorm", "DB", True, "Having", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:gorm", "DB", True, "Joins", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:gorm", "DB", True, "Exec", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:gorm", "DB", True, "Distinct", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["group:gorm", "DB", True, "Pluck", "", "", "Argument[0]", "sql-injection", "manual"]
diff --git a/go/ql/lib/semmle/go/frameworks/SQL.qll b/go/ql/lib/semmle/go/frameworks/SQL.qll
@@ -150,21 +150,6 @@ module SQL {
       }
     }
   }
-
-  /** A model for sinks of GORM. */
-  private class GormSink extends SQL::QueryString::Range {
-    GormSink() {
-      exists(Method meth, string package, string name |
-        meth.hasQualifiedName(package, "DB", name) and
-        this = meth.getACall().getSyntacticArgument(0) and
-        package = Gorm::packagePath() and
-        name in [
-            "Where", "Raw", "Order", "Not", "Or", "Select", "Table", "Group", "Having", "Joins",
-            "Exec", "Distinct", "Pluck"
-          ]
-      )
-    }
-  }
 }
 
 /**
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/QueryString.expected b/go/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/QueryString.expected
@@ -0,0 +1,3 @@
+testFailures
+invalidModelRow
+failures
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/QueryString.ql b/go/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/QueryString.ql
@@ -0,0 +1,60 @@
+import go
+import semmle.go.dataflow.ExternalFlow
+import ModelValidation
+import TestUtilities.InlineExpectationsTest
+
+module SqlTest implements TestSig {
+  string getARelevantTag() { result = "query" }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "query" and
+    exists(SQL::Query q, SQL::QueryString qs | qs = q.getAQueryString() |
+      q.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
+        location.getStartColumn(), location.getEndLine(), location.getEndColumn()) and
+      element = q.toString() and
+      value = qs.toString()
+    )
+  }
+}
+
+module QueryString implements TestSig {
+  string getARelevantTag() { result = "querystring" }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "querystring" and
+    element = "" and
+    exists(SQL::QueryString qs | not exists(SQL::Query q | qs = q.getAQueryString()) |
+      qs.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
+        location.getStartColumn(), location.getEndLine(), location.getEndColumn()) and
+      value = qs.toString()
+    )
+  }
+}
+
+module Config implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node n) { n.asExpr() instanceof StringLit }
+
+  predicate isSink(DataFlow::Node n) {
+    n = any(DataFlow::CallNode cn | cn.getTarget().getName() = "sink").getAnArgument()
+  }
+}
+
+module Flow = TaintTracking::Global<Config>;
+
+module TaintFlow implements TestSig {
+  string getARelevantTag() { result = "flowfrom" }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "flowfrom" and
+    element = "" and
+    exists(DataFlow::Node fromNode, DataFlow::Node toNode |
+      toNode
+          .hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
+            location.getStartColumn(), location.getEndLine(), location.getEndColumn()) and
+      Flow::flow(fromNode, toNode) and
+      value = fromNode.asExpr().(StringLit).getValue()
+    )
+  }
+}
+
+import MakeTest<MergeTests3<SqlTest, QueryString, TaintFlow>>
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/gorm.expected b/go/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/gorm.expected
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/gorm.go b/go/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/gorm.go
@@ -13,36 +13,35 @@ func getUntrustedString() string {
 }
 
 func main() {
-
 	untrusted := getUntrustedString()
 
 	db1 := gorm1.DB{}
-	db1.Where(untrusted)
-	db1.Raw(untrusted)
-	db1.Not(untrusted)
-	db1.Order(untrusted)
-	db1.Or(untrusted)
-	db1.Select(untrusted)
-	db1.Table(untrusted)
-	db1.Group(untrusted)
-	db1.Having(untrusted)
-	db1.Joins(untrusted)
-	db1.Exec(untrusted)
-	db1.Pluck(untrusted, nil)
+	db1.Where(untrusted)      // $ querystring=untrusted
+	db1.Raw(untrusted)        // $ querystring=untrusted
+	db1.Not(untrusted)        // $ querystring=untrusted
+	db1.Order(untrusted)      // $ querystring=untrusted
+	db1.Or(untrusted)         // $ querystring=untrusted
+	db1.Select(untrusted)     // $ querystring=untrusted
+	db1.Table(untrusted)      // $ querystring=untrusted
+	db1.Group(untrusted)      // $ querystring=untrusted
+	db1.Having(untrusted)     // $ querystring=untrusted
+	db1.Joins(untrusted)      // $ querystring=untrusted
+	db1.Exec(untrusted)       // $ querystring=untrusted
+	db1.Pluck(untrusted, nil) // $ querystring=untrusted
 
 	db2 := gorm2.DB{}
-	db2.Where(untrusted)
-	db2.Raw(untrusted)
-	db2.Not(untrusted)
-	db2.Order(untrusted)
-	db2.Or(untrusted)
-	db2.Select(untrusted)
-	db2.Table(untrusted)
-	db2.Group(untrusted)
-	db2.Having(untrusted)
-	db2.Joins(untrusted)
-	db2.Exec(untrusted)
-	db2.Distinct(untrusted)
-	db2.Pluck(untrusted, nil)
+	db2.Where(untrusted)      // $ querystring=untrusted
+	db2.Raw(untrusted)        // $ querystring=untrusted
+	db2.Not(untrusted)        // $ querystring=untrusted
+	db2.Order(untrusted)      // $ querystring=untrusted
+	db2.Or(untrusted)         // $ querystring=untrusted
+	db2.Select(untrusted)     // $ querystring=untrusted
+	db2.Table(untrusted)      // $ querystring=untrusted
+	db2.Group(untrusted)      // $ querystring=untrusted
+	db2.Having(untrusted)     // $ querystring=untrusted
+	db2.Joins(untrusted)      // $ querystring=untrusted
+	db2.Exec(untrusted)       // $ querystring=untrusted
+	db2.Distinct(untrusted)   // $ querystring=untrusted
+	db2.Pluck(untrusted, nil) // $ querystring=untrusted
 
 }
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/gorm.ql b/go/ql/test/library-tests/semmle/go/frameworks/SQL/Gorm/gorm.ql

Original file line number	Diff line number	Diff line change
`@@ -150,21 +150,6 @@ module SQL {`
`150`	`150`	`}`
`151`	`151`	`}`
`152`	`152`	`}`
`153`		`-`
`154`		`- /** A model for sinks of GORM. */`
`155`		`- private class GormSink extends SQL::QueryString::Range {`
`156`		`- GormSink() {`
`157`		`- exists(Method meth, string package, string name \|`
`158`		`- meth.hasQualifiedName(package, "DB", name) and`
`159`		`- this = meth.getACall().getSyntacticArgument(0) and`
`160`		`- package = Gorm::packagePath() and`
`161`		`- name in [`
`162`		`- "Where", "Raw", "Order", "Not", "Or", "Select", "Table", "Group", "Having", "Joins",`
`163`		`- "Exec", "Distinct", "Pluck"`
`164`		`- ]`
`165`		`- )`
`166`		`- }`
`167`		`- }`
`168`	`153`	`}`
`169`	`154`
`170`	`155`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+testFailures`
	`2`	`+invalidModelRow`
	`3`	`+failures`