Go: Add Macaron sources

atorralba · atorralba · commit fc12537699a8 · 2024-03-04T14:29:56.000+01:00
diff --git a/go/ql/lib/change-notes/2024-03-04-macaron-sources.md b/go/ql/lib/change-notes/2024-03-04-macaron-sources.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added dataflow sources for the package `gopkg.in/macaron.v1`.
diff --git a/go/ql/lib/ext/gopkg.in.macaron.model.yml b/go/ql/lib/ext/gopkg.in.macaron.model.yml
@@ -1,4 +1,20 @@
 extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sourceModel
+    data:
+      - ["gopkg.in/macaron", "Context", True, "AllParams", "", "", "ReturnValue", "remote", "manual"]
+      - ["gopkg.in/macaron", "Context", True, "GetCookie", "", "", "ReturnValue", "remote", "manual"]
+      - ["gopkg.in/macaron", "Context", True, "GetSecureCookie", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["gopkg.in/macaron", "Context", True, "GetSuperSecureCookie", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["gopkg.in/macaron", "Context", True, "GetFile", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["gopkg.in/macaron", "Context", True, "Params", "", "", "ReturnValue", "remote", "manual"]
+      - ["gopkg.in/macaron", "Context", True, "ParamsEscape", "", "", "ReturnValue", "remote", "manual"]
+      - ["gopkg.in/macaron", "Context", True, "Query", "", "", "ReturnValue", "remote", "manual"]
+      - ["gopkg.in/macaron", "Context", True, "QueryEscape", "", "", "ReturnValue", "remote", "manual"]
+      - ["gopkg.in/macaron", "Context", True, "QueryStrings", "", "", "ReturnValue", "remote", "manual"]
+      - ["gopkg.in/macaron", "RequestBody", True, "Bytes", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["gopkg.in/macaron", "RequestBody", True, "String", "", "", "ReturnValue[0]", "remote", "manual"]
   - addsTo:
       pack: codeql/go-all
       extensible: summaryModel
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/Macaron/Sources.expected b/go/ql/test/library-tests/semmle/go/frameworks/Macaron/Sources.expected
@@ -0,0 +1,12 @@
+| sources.go:10:6:10:20 | call to AllParams |
+| sources.go:11:6:11:22 | call to GetCookie |
+| sources.go:12:2:12:31 | ... = ...[0] |
+| sources.go:13:2:13:40 | ... = ...[0] |
+| sources.go:14:2:14:26 | ... = ...[0] |
+| sources.go:15:6:15:19 | call to Params |
+| sources.go:16:6:16:25 | call to ParamsEscape |
+| sources.go:17:6:17:18 | call to Query |
+| sources.go:18:6:18:24 | call to QueryEscape |
+| sources.go:19:6:19:25 | call to QueryStrings |
+| sources.go:20:2:20:20 | ... = ...[0] |
+| sources.go:21:2:21:21 | ... = ...[0] |
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/Macaron/Sources.ql b/go/ql/test/library-tests/semmle/go/frameworks/Macaron/Sources.ql
@@ -0,0 +1,3 @@
+import go
+
+select any(UntrustedFlowSource ufs)
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/Macaron/sources.go b/go/ql/test/library-tests/semmle/go/frameworks/Macaron/sources.go
@@ -0,0 +1,22 @@
+package main
+
+//go:generate depstubber -vendor gopkg.in/macaron.v1 Context,RequestBody
+
+import (
+	"gopkg.in/macaron.v1"
+)
+
+func sources(ctx *macaron.Context, body *macaron.RequestBody) {
+	_ = ctx.AllParams()
+	_ = ctx.GetCookie("")
+	_, _ = ctx.GetSecureCookie("")
+	_, _ = ctx.GetSuperSecureCookie("", "")
+	_, _, _ = ctx.GetFile("")
+	_ = ctx.Params("")
+	_ = ctx.ParamsEscape("")
+	_ = ctx.Query("")
+	_ = ctx.QueryEscape("")
+	_ = ctx.QueryStrings("")
+	_, _ = body.Bytes()
+	_, _ = body.String()
+}
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/Macaron/vendor/gopkg.in/macaron.v1/stub.go b/go/ql/test/library-tests/semmle/go/frameworks/Macaron/vendor/gopkg.in/macaron.v1/stub.go

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* Added dataflow sources for the package `gopkg.in/macaron.v1`.
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+import go`
	`2`	`+`
	`3`	`+select any(UntrustedFlowSource ufs)`