Added gin cors framework

Author: Kwstubbs

go/ql/lib/semmle/go/frameworks/GinCors.qll

@@ -1,80 +1,100 @@
 /**
- * Provides classes for working with untrusted flow sources from the `github.com/gin-gonic/gin` package.
+ * Provides classes for working with untrusted flow sources from the `github.com/gin-contrib/cors` package.
  */
 
- import go
+import go
 
-  module GinCors {
-   /** Gets the package name `github.com/gin-gonic/gin`. */
-   string packagePath() { result = package("github.com/gin-contrib/cors", "") }
- 
-   /**
-    * Data from a `Context` struct, considered as a source of untrusted flow.
-    */
-     class New extends Function{
-        New() {
-            exists(Function f | f.hasQualifiedName(packagePath(), "New") | this = f)
-        }
+module GinCors {
+  /** Gets the package name `github.com/gin-gonic/gin`. */
+  string packagePath() { result = package("github.com/gin-contrib/cors", "") }
 
-   }
-   class Config extends Variable {
-    Config() { this.hasQualifiedName(packagePath(), "Config") }
-
-    // Field getAllowCredentials() {
-    //     result = this.getField("AllowCredentials")
-    // }
+  /**
+   * New function create a new gin Handler that passed to gin as middleware
+   */
+  class New extends Function {
+    New() { exists(Function f | f.hasQualifiedName(packagePath(), "New") | this = f) }
   }
-   class AllowCredentialsWrite extends DataFlow::ExprNode {
+
+  /**
+   * A write to the value of Access-Control-Allow-Credentials header
+   */
+  class AllowCredentialsWrite extends DataFlow::ExprNode {
     DataFlow::Node base;
     GinConfig gc;
+
     AllowCredentialsWrite() {
       exists(Field f, Write w |
         f.hasQualifiedName(packagePath(), "Config", "AllowCredentials") and
         w.writesField(base, f, this) and
         this.getType() instanceof BoolType and
-        (gc.getV().getBaseVariable().getDefinition().(SsaExplicitDefinition).getRhs() = base.asInstruction() or
-        gc.getV().getAUse() = base)
+        (
+          gc.getV().getBaseVariable().getDefinition().(SsaExplicitDefinition).getRhs() =
+            base.asInstruction() or
+          gc.getV().getAUse() = base
+        )
       )
     }
-    GinConfig getConfig() { result =  gc}
+
+    GinConfig getConfig() { result = gc }
   }
-   class AllowOriginsWrite extends DataFlow::ExprNode {
+
+  /**
+   * A write to the value of Access-Control-Allow-Origins header
+   */
+  class AllowOriginsWrite extends DataFlow::ExprNode {
     DataFlow::Node base;
     GinConfig gc;
+
     AllowOriginsWrite() {
       exists(Field f, Write w |
         f.hasQualifiedName(packagePath(), "Config", "AllowOrigins") and
         w.writesField(base, f, this) and
         this.asExpr() instanceof SliceLit and
-        (gc.getV().getBaseVariable().getDefinition().(SsaExplicitDefinition).getRhs() = base.asInstruction() or
-        gc.getV().getAUse() = base)
+        (
+          gc.getV().getBaseVariable().getDefinition().(SsaExplicitDefinition).getRhs() =
+            base.asInstruction() or
+          gc.getV().getAUse() = base
+        )
       )
     }
-    GinConfig getConfig() { result = gc}
+
+    GinConfig getConfig() { result = gc }
   }
+
+  /**
+   * A write to the value of Access-Control-Allow-Origins to "*"
+   */
   class AllowAllOriginsWrite extends DataFlow::ExprNode {
     DataFlow::Node base;
+    GinConfig gc;
 
     AllowAllOriginsWrite() {
       exists(Field f, Write w |
         f.hasQualifiedName(packagePath(), "Config", "AllowAllOrigins") and
         w.writesField(base, f, this) and
-        this.getType() instanceof BoolType 
-        //and this.asExpr().(SliceLit).getAnElement().toString().matches("%null%")
+        this.getType() instanceof BoolType and
+        (
+          gc.getV().getBaseVariable().getDefinition().(SsaExplicitDefinition).getRhs() =
+            base.asInstruction() or
+          gc.getV().getAUse() = base
+        )
       )
     }
-    DataFlow::Node getBase() { result = base}
+
+    GinConfig getConfig() { result = gc }
   }
 
-   class GinConfig extends Variable {
+  /**
+   * A variable of type Config that holds the headers to be set.
+   */
+  class GinConfig extends Variable {
     SsaWithFields v;
 
     GinConfig() {
       this = v.getBaseVariable().getSourceVariable() and
       exists(Type t | t.hasQualifiedName(packagePath(), "Config") | v.getType() = t)
     }
-    SsaWithFields getV() { result = v}
+
+    SsaWithFields getV() { result = v }
   }
- 
- }
- 
+}

go/ql/src/experimental/CWE-942/CorsMisconfiguration.ql

@@ -72,9 +72,7 @@ module UntrustedToAllowOriginHeaderConfig implements DataFlow::ConfigSig {
 module UntrustedToAllowOriginConfigConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }
 
-  additional predicate isSinkWrite(DataFlow::Node sink, GinCors::AllowOriginsWrite w) {
-    sink = w
-  }
+  additional predicate isSinkWrite(DataFlow::Node sink, GinCors::AllowOriginsWrite w) { sink = w }
 
   predicate isSink(DataFlow::Node sink) { isSinkWrite(sink, _) }
 }
@@ -96,17 +94,18 @@ predicate allowCredentialsIsSetToTrue(DataFlow::ExprNode allowOrigin) {
   exists(AllowCredentialsHeaderWrite allowCredentialsHW |
     allowCredentialsHW.getHeaderValue().toLowerCase() = "true"
   |
-  allowOrigin.(AllowOriginHeaderWrite).getResponseWriter() = allowCredentialsHW.getResponseWriter()
+    allowOrigin.(AllowOriginHeaderWrite).getResponseWriter() =
+      allowCredentialsHW.getResponseWriter()
   )
   or
   exists(GinCors::AllowCredentialsWrite allowCredentialsGin |
-    allowCredentialsGin.toString() = "true" 
-    |
+    allowCredentialsGin.toString() = "true"
+  |
     //flow only goes in one direction so fix this before PR
-    allowCredentialsGin.getConfig() = allowOrigin.(GinCors::AllowOriginsWrite).getConfig()
-    and
+    allowCredentialsGin.getConfig() = allowOrigin.(GinCors::AllowOriginsWrite).getConfig() and
     not exists(GinCors::AllowAllOriginsWrite allowAllOrigins |
-      allowAllOrigins.toString() = "true" //and DataFlow::localFlow(allowCredentialsGin.getBase(), allowAllOrigins.getBase())
+      allowAllOrigins.toString() = "true" and
+      allowCredentialsGin.getConfig() = allowAllOrigins.getConfig()
     )
   )
 }
@@ -119,8 +118,9 @@ predicate allowCredentialsIsSetToTrue(DataFlow::ExprNode allowOrigin) {
 predicate flowsFromUntrustedToAllowOrigin(DataFlow::ExprNode allowOriginHW, string message) {
   exists(DataFlow::Node sink |
     UntrustedToAllowOriginHeaderFlow::flowTo(sink) and
-    UntrustedToAllowOriginHeaderConfig::isSinkHW(sink, allowOriginHW) or
-    UntrustedToAllowOriginConfigFlow::flowTo(sink) and 
+    UntrustedToAllowOriginHeaderConfig::isSinkHW(sink, allowOriginHW)
+    or
+    UntrustedToAllowOriginConfigFlow::flowTo(sink) and
     UntrustedToAllowOriginConfigConfig::isSinkWrite(sink, allowOriginHW)
   |
     message =
@@ -136,14 +136,22 @@ predicate flowsFromUntrustedToAllowOrigin(DataFlow::ExprNode allowOriginHW, stri
 predicate allowOriginIsNull(DataFlow::ExprNode allowOrigin, string message) {
   allowOrigin.(AllowOriginHeaderWrite).getHeaderValue().toLowerCase() = "null" and
   message =
-    headerAllowOrigin() + " header is set to `" + allowOrigin.(AllowOriginHeaderWrite).getHeaderValue() + "`, and " +
-      headerAllowCredentials() + " is set to `true`"
+    headerAllowOrigin() + " header is set to `" +
+      allowOrigin.(AllowOriginHeaderWrite).getHeaderValue() + "`, and " + headerAllowCredentials() +
+      " is set to `true`"
   or
-  allowOrigin.(GinCors::AllowOriginsWrite).asExpr().(SliceLit).getAnElement().toString().matches("\"null%\"") and
+  allowOrigin
+      .(GinCors::AllowOriginsWrite)
+      .asExpr()
+      .(SliceLit)
+      .getAnElement()
+      .toString()
+      .toLowerCase()
+      .matches("\"null\"") and
   message =
-    headerAllowOrigin() + " header is set to `" + allowOrigin.(GinCors::AllowOriginsWrite).asExpr().(SliceLit).getAnElement().toString() + "`, and " +
+    headerAllowOrigin() + " header is set to `" + "null" + "`, and " +
+      //allowOrigin.(GinCors::AllowOriginsWrite).asExpr().(SliceLit).getAnElement().toString()
       headerAllowCredentials() + " is set to `true`"
-
 }
 
 /**

go/ql/test/experimental/CWE-942/CorsGin.go

@@ -0,0 +1,85 @@
+package main
+
+import (
+	"net/http"
+	"time"
+
+	"github.com/gin-contrib/cors"
+	"github.com/gin-gonic/gin"
+)
+
+/*
+** Function is vulnerable due to AllowAllOrigins = true aka Access-Control-Allow-Origin: null
+ */
+func vunlnerable() {
+	router := gin.Default()
+	// CORS for https://foo.com and null
+	// - GET and POST methods
+	// - Origin header
+	// - Credentials share
+	// - Preflight requests cached for 12 hours
+	config_vulnerable := cors.Config{
+		AllowMethods:     []string{"GET", "POST"},
+		AllowHeaders:     []string{"Origin"},
+		ExposeHeaders:    []string{"Content-Length"},
+		AllowCredentials: true,
+		MaxAge:           12 * time.Hour,
+	}
+	config_vulnerable.AllowOrigins = []string{"null", "https://foo.com"}
+	router.Use(cors.New(config_vulnerable))
+	router.GET("/", func(c *gin.Context) {
+		c.String(http.StatusOK, "hello world")
+	})
+	router.Run()
+}
+
+/*
+** Function is safe due to hardcoded origin and AllowCredentials: true
+ */
+func safe() {
+	router := gin.Default()
+	// CORS for https://foo.com origin, allowing:
+	// - GET and POST methods
+	// - Origin header
+	// - Credentials share
+	// - Preflight requests cached for 12 hours
+	config_safe := cors.Config{
+		AllowMethods:     []string{"GET", "POST"},
+		AllowHeaders:     []string{"Origin"},
+		ExposeHeaders:    []string{"Content-Length"},
+		AllowCredentials: true,
+		MaxAge:           12 * time.Hour,
+	}
+	config_safe.AllowOrigins = []string{"https://foo.com"}
+	router.Use(cors.New(config_safe))
+	router.GET("/", func(c *gin.Context) {
+		c.String(http.StatusOK, "hello world")
+	})
+	router.Run()
+}
+
+/*
+** Function is safe due to AllowAllOrigins = true aka Access-Control-Allow-Origin: *
+ */
+func AllowAllTrue() {
+	router := gin.Default()
+	// CORS for https://foo.com origin, allowing:
+	// - PUT and PATCH methods
+	// - Origin header
+	// - Credentials share
+	// - Preflight requests cached for 12 hours
+	config_allowall := cors.Config{
+		AllowMethods:     []string{"GET", "POST"},
+		AllowHeaders:     []string{"Origin"},
+		ExposeHeaders:    []string{"Content-Length"},
+		AllowCredentials: true,
+		MaxAge:           12 * time.Hour,
+	}
+	config_allowall.AllowOrigins = []string{"null"}
+	config_allowall.AllowAllOrigins = true
+	router.Use(cors.New(config_allowall))
+	router.GET("/", func(c *gin.Context) {
+		c.String(http.StatusOK, "hello world")
+	})
+	router.Run()
+}

go/ql/test/experimental/CWE-942/CorsMisconfiguration.expected

@@ -1,3 +1,4 @@
+| CorsGin.go:28:35:28:69 | slice literal | access-control-allow-origin header is set to `null`, and access-control-allow-credentials is set to `true` |
 | CorsMisconfiguration.go:26:4:26:56 | call to Set | access-control-allow-origin header is set to `null`, and access-control-allow-credentials is set to `true` |
 | CorsMisconfiguration.go:32:4:32:42 | call to Set | access-control-allow-origin header is set to `null`, and access-control-allow-credentials is set to `true` |
 | CorsMisconfiguration.go:53:4:53:44 | call to Set | access-control-allow-origin header is set to a user-defined value, and access-control-allow-credentials is set to `true` |

go/ql/test/experimental/CWE-942/go.mod

@@ -0,0 +1,35 @@
+module corsmiconfiguration/test
+
+go 1.21
+
+require (
+	github.com/gin-contrib/cors v1.4.0
+	github.com/gin-gonic/gin v1.9.1
+)
+
+require (
+	github.com/bytedance/sonic v1.9.1 // indirect
+	github.com/chenzhuoyu/base64x v0.0.0-20221115062448-fe3a3abad311 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.2 // indirect
+	github.com/gin-contrib/sse v0.1.0 // indirect
+	github.com/go-playground/locales v0.14.1 // indirect
+	github.com/go-playground/universal-translator v0.18.1 // indirect
+	github.com/go-playground/validator/v10 v10.14.0 // indirect
+	github.com/goccy/go-json v0.10.2 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/klauspost/cpuid/v2 v2.2.4 // indirect
+	github.com/leodido/go-urn v1.2.4 // indirect
+	github.com/mattn/go-isatty v0.0.19 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/pelletier/go-toml/v2 v2.0.8 // indirect
+	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
+	github.com/ugorji/go/codec v1.2.11 // indirect
+	golang.org/x/arch v0.3.0 // indirect
+	golang.org/x/crypto v0.9.0 // indirect
+	golang.org/x/net v0.10.0 // indirect
+	golang.org/x/sys v0.8.0 // indirect
+	golang.org/x/text v0.9.0 // indirect
+	google.golang.org/protobuf v1.30.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+)