Go: exclude protobuf read steps from cleartext-logging query

This query already treats structs differently to usual: it includes field -> whole struct taint steps, but explicitly excludes struct -> field steps. This means that a logging framework sinking an entire struct with a tainted field yields an alert, but we don't get FPs caused by writing field `x` but then reading field `y`.

However, protobuf messages have a special treatment, with taint usually associated with the whole struct and getter methods propagating that taint out. Suppressing these getter method steps specifically for the cleartext-logging query mirrors its treatment of structs in general and avoids this sort of field-mismatch FP.

On the downside we will miss same-field propagation like `m.field = password; Log(m.GetField())` if we don't have source code for the implementation of `m`. However this is hopefully unusual since the typical use of protobufs is to serialize and deserialize, rather than using the struct as a general-purpose datastructure.

Author: smowton

go/ql/lib/semmle/go/frameworks/Protobuf.qll

@@ -123,21 +123,21 @@ module Protobuf {
   }
 
   /** A `Get` method of a protobuf `Message` type. */
-  private class GetMethod extends DataFlow::FunctionModel, Method {
+  class GetMethod extends TaintTracking::FunctionModel, Method {
     GetMethod() {
       exists(string name | name.matches("Get%") | this = any(MessageType msg).getMethod(name))
     }
 
-    override predicate hasDataFlow(FunctionInput inp, FunctionOutput outp) {
+    override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) {
       inp.isReceiver() and outp.isResult()
     }
   }
 
   /** A `ProtoReflect` method of a protobuf `Message` type. */
-  private class ProtoReflectMethod extends DataFlow::FunctionModel, Method {
+  private class ProtoReflectMethod extends TaintTracking::FunctionModel, Method {
     ProtoReflectMethod() { this = any(MessageType msg).getMethod("ProtoReflect") }
 
-    override predicate hasDataFlow(FunctionInput inp, FunctionOutput outp) {
+    override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) {
       inp.isReceiver() and outp.isResult()
     }
   }

go/ql/lib/semmle/go/security/CleartextLogging.qll

@@ -8,6 +8,7 @@
  */
 
 import go
+private import semmle.go.frameworks.Protobuf
 
 /**
  * Provides a data-flow tracking configuration for reasoning about
@@ -48,8 +49,12 @@ module CleartextLogging {
         write.writesField(trg.(DataFlow::PostUpdateNode).getPreUpdateNode(), _, src)
       )
       or
-      // taint steps that do not include flow through fields
-      TaintTracking::localTaintStep(src, trg) and not TaintTracking::fieldReadStep(src, trg)
+      // taint steps that do not include flow through fields. Field reads would produce FPs due to
+      // the additional taint step above that taints whole structs from individual field writes.
+      TaintTracking::localTaintStep(src, trg) and
+      not TaintTracking::fieldReadStep(src, trg) and
+      // Also exclude protobuf field fetches, since they amount to single field reads.
+      not any(Protobuf::GetMethod gm).taintStep(src, trg)
     }
   }
 }

go/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected

@@ -24,6 +24,25 @@ edges
 | passwords.go:122:13:122:25 | call to getPassword : string | passwords.go:125:14:125:19 | config |
 | passwords.go:126:14:126:19 | config [x] : string | passwords.go:126:14:126:21 | selection of x |
 | passwords.go:127:14:127:19 | config [y] : string | passwords.go:127:14:127:21 | selection of y |
+| protobuf.go:11:2:11:6 | definition of query [pointer, Description] : string | protobuf.go:12:2:12:6 | query [pointer, Description] : string |
+| protobuf.go:11:2:11:6 | definition of query [pointer, Description] : string | protobuf.go:14:14:14:18 | query [pointer, Description] : string |
+| protobuf.go:11:2:11:6 | definition of query [pointer] : Query | protobuf.go:12:2:12:6 | query [pointer] : Query |
+| protobuf.go:12:2:12:6 | implicit dereference : Query | protobuf.go:11:2:11:6 | definition of query [pointer] : Query |
+| protobuf.go:12:2:12:6 | implicit dereference : Query | protobuf.go:12:2:12:6 | implicit dereference : Query |
+| protobuf.go:12:2:12:6 | implicit dereference : Query | protobuf.go:14:14:14:35 | call to GetDescription |
+| protobuf.go:12:2:12:6 | implicit dereference : Query | protobuf.go:15:14:15:26 | call to GetId |
+| protobuf.go:12:2:12:6 | implicit dereference [Description] : string | protobuf.go:11:2:11:6 | definition of query [pointer, Description] : string |
+| protobuf.go:12:2:12:6 | query [pointer, Description] : string | protobuf.go:12:2:12:6 | implicit dereference [Description] : string |
+| protobuf.go:12:2:12:6 | query [pointer] : Query | protobuf.go:12:2:12:6 | implicit dereference : Query |
+| protobuf.go:12:22:12:29 | password : string | protobuf.go:12:2:12:6 | implicit dereference : Query |
+| protobuf.go:12:22:12:29 | password : string | protobuf.go:12:2:12:6 | implicit dereference [Description] : string |
+| protobuf.go:12:22:12:29 | password : string | protobuf.go:14:14:14:35 | call to GetDescription |
+| protobuf.go:12:22:12:29 | password : string | protobuf.go:15:14:15:26 | call to GetId |
+| protobuf.go:14:14:14:18 | query [pointer, Description] : string | protobuf.go:14:14:14:35 | call to GetDescription |
+| protobuf.go:14:14:14:18 | query [pointer, Description] : string | protos/query/query.pb.go:117:7:117:7 | definition of x [pointer, Description] : string |
+| protos/query/query.pb.go:117:7:117:7 | definition of x [pointer, Description] : string | protos/query/query.pb.go:119:10:119:10 | x [pointer, Description] : string |
+| protos/query/query.pb.go:119:10:119:10 | implicit dereference [Description] : string | protos/query/query.pb.go:119:10:119:22 | selection of Description : string |
+| protos/query/query.pb.go:119:10:119:10 | x [pointer, Description] : string | protos/query/query.pb.go:119:10:119:10 | implicit dereference [Description] : string |
 | util.go:16:9:16:18 | selection of password : string | passwords.go:28:14:28:28 | call to getPassword |
 nodes
 | klog.go:20:30:20:37 | selection of Header : Header | semmle.label | selection of Header : Header |
@@ -77,8 +96,23 @@ nodes
 | passwords.go:126:14:126:21 | selection of x | semmle.label | selection of x |
 | passwords.go:127:14:127:19 | config [y] : string | semmle.label | config [y] : string |
 | passwords.go:127:14:127:21 | selection of y | semmle.label | selection of y |
+| protobuf.go:11:2:11:6 | definition of query [pointer, Description] : string | semmle.label | definition of query [pointer, Description] : string |
+| protobuf.go:11:2:11:6 | definition of query [pointer] : Query | semmle.label | definition of query [pointer] : Query |
+| protobuf.go:12:2:12:6 | implicit dereference : Query | semmle.label | implicit dereference : Query |
+| protobuf.go:12:2:12:6 | implicit dereference [Description] : string | semmle.label | implicit dereference [Description] : string |
+| protobuf.go:12:2:12:6 | query [pointer, Description] : string | semmle.label | query [pointer, Description] : string |
+| protobuf.go:12:2:12:6 | query [pointer] : Query | semmle.label | query [pointer] : Query |
+| protobuf.go:12:22:12:29 | password : string | semmle.label | password : string |
+| protobuf.go:14:14:14:18 | query [pointer, Description] : string | semmle.label | query [pointer, Description] : string |
+| protobuf.go:14:14:14:35 | call to GetDescription | semmle.label | call to GetDescription |
+| protobuf.go:15:14:15:26 | call to GetId | semmle.label | call to GetId |
+| protos/query/query.pb.go:117:7:117:7 | definition of x [pointer, Description] : string | semmle.label | definition of x [pointer, Description] : string |
+| protos/query/query.pb.go:119:10:119:10 | implicit dereference [Description] : string | semmle.label | implicit dereference [Description] : string |
+| protos/query/query.pb.go:119:10:119:10 | x [pointer, Description] : string | semmle.label | x [pointer, Description] : string |
+| protos/query/query.pb.go:119:10:119:22 | selection of Description : string | semmle.label | selection of Description : string |
 | util.go:16:9:16:18 | selection of password : string | semmle.label | selection of password : string |
 subpaths
+| protobuf.go:14:14:14:18 | query [pointer, Description] : string | protos/query/query.pb.go:117:7:117:7 | definition of x [pointer, Description] : string | protos/query/query.pb.go:119:10:119:22 | selection of Description : string | protobuf.go:14:14:14:35 | call to GetDescription : string |
 #select
 | klog.go:22:15:22:20 | header | klog.go:20:30:20:37 | selection of Header : Header | klog.go:22:15:22:20 | header | $@ flows to a logging call. | klog.go:20:30:20:37 | selection of Header | Sensitive data returned by HTTP request headers |
 | klog.go:28:13:28:41 | call to Get | klog.go:28:13:28:20 | selection of Header : Header | klog.go:28:13:28:41 | call to Get | $@ flows to a logging call. | klog.go:28:13:28:20 | selection of Header | Sensitive data returned by HTTP request headers |
@@ -111,3 +145,5 @@ subpaths
 | passwords.go:125:14:125:19 | config | passwords.go:122:13:122:25 | call to getPassword : string | passwords.go:125:14:125:19 | config | $@ flows to a logging call. | passwords.go:122:13:122:25 | call to getPassword | Sensitive data returned by a call to getPassword |
 | passwords.go:126:14:126:21 | selection of x | passwords.go:121:13:121:20 | password : string | passwords.go:126:14:126:21 | selection of x | $@ flows to a logging call. | passwords.go:121:13:121:20 | password | Sensitive data returned by an access to password |
 | passwords.go:127:14:127:21 | selection of y | passwords.go:122:13:122:25 | call to getPassword : string | passwords.go:127:14:127:21 | selection of y | $@ flows to a logging call. | passwords.go:122:13:122:25 | call to getPassword | Sensitive data returned by a call to getPassword |
+| protobuf.go:14:14:14:35 | call to GetDescription | protobuf.go:12:22:12:29 | password : string | protobuf.go:14:14:14:35 | call to GetDescription | $@ flows to a logging call. | protobuf.go:12:22:12:29 | password | Sensitive data returned by an access to password |
+| protobuf.go:15:14:15:26 | call to GetId | protobuf.go:12:22:12:29 | password : string | protobuf.go:15:14:15:26 | call to GetId | $@ flows to a logging call. | protobuf.go:12:22:12:29 | password | Sensitive data returned by an access to password |

go/ql/test/query-tests/Security/CWE-312/go.mod

@@ -6,4 +6,6 @@ require (
 	github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b
 	github.com/sirupsen/logrus v1.5.0
 	k8s.io/klog v1.0.0
+        github.com/golang/protobuf v1.4.2
+        google.golang.org/protobuf v1.23.0
 )

go/ql/test/query-tests/Security/CWE-312/protobuf.go

@@ -0,0 +1,16 @@
+package main
+
+import (
+	"log"
+	"main/protos/query"
+)
+
+func testProtobuf() {
+	password := "P@ssw0rd"
+
+	query := &query.Query{}
+	query.Description = password
+
+	log.Println(query.GetDescription()) // NOT OK
+	log.Println(query.GetId()) // OK
+}

go/ql/test/query-tests/Security/CWE-312/protos/query.proto

@@ -0,0 +1,25 @@
+syntax = "proto3";
+option go_package = "protos/query";
+
+message Query {
+  string description = 1;
+  string id = 2;
+
+  enum Severity {
+    ERROR = 0;
+    WARNING = 1;
+  }
+
+  message Alert {
+    string msg = 1;
+    int64 loc = 2;
+  }
+
+  repeated Alert alerts = 4;
+
+  map<int32, string> keyValuePairs = 5;
+}
+
+message QuerySuite {
+  repeated Query queries = 1;
+}