Merge branch 'main' into sabrowning1/queries-panel-language-selector

Author: sabrowning1

cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/UnboundedWrite.expected

@@ -1,4 +1,16 @@
 edges
-subpaths
+| main.cpp:6:27:6:30 | argv indirection | main.cpp:10:20:10:23 | argv indirection |
+| main.cpp:10:20:10:23 | argv indirection | tests.cpp:618:32:618:35 | argv indirection |
+| tests.cpp:613:19:613:24 | source indirection | tests.cpp:615:17:615:22 | source indirection |
+| tests.cpp:618:32:618:35 | argv indirection | tests.cpp:643:9:643:15 | access to array indirection |
+| tests.cpp:643:9:643:15 | access to array indirection | tests.cpp:613:19:613:24 | source indirection |
 nodes
+| main.cpp:6:27:6:30 | argv indirection | semmle.label | argv indirection |
+| main.cpp:10:20:10:23 | argv indirection | semmle.label | argv indirection |
+| tests.cpp:613:19:613:24 | source indirection | semmle.label | source indirection |
+| tests.cpp:615:17:615:22 | source indirection | semmle.label | source indirection |
+| tests.cpp:618:32:618:35 | argv indirection | semmle.label | argv indirection |
+| tests.cpp:643:9:643:15 | access to array indirection | semmle.label | access to array indirection |
+subpaths
 #select
+| tests.cpp:615:2:615:7 | call to strcpy | main.cpp:6:27:6:30 | argv indirection | tests.cpp:615:17:615:22 | source indirection | This 'call to strcpy' with input from $@ may overflow the destination. | main.cpp:6:27:6:30 | argv indirection | a command-line argument |

cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/tests.cpp

@@ -407,7 +407,7 @@ void test15()
 		{
 			if (ptr[5] == ' ') // GOOD
 			{
-				// ...
+				break;
 			}
 		}
 	}
@@ -608,6 +608,13 @@ int test23() {
 	return sizeof(buffer) / sizeof(buffer[101]); // GOOD
 }
 
+char* strcpy(char *, const char *);
+
+void test24(char* source) {
+	char buffer[100];
+	strcpy(buffer, source); // BAD
+}
+
 int tests_main(int argc, char *argv[])
 {
 	long long arr17[19];
@@ -633,6 +640,7 @@ int tests_main(int argc, char *argv[])
 	test21(argc == 0);
 	test22(argc == 0, argv[0]);
 	test23();
+	test24(argv[0]);
 
 	return 0;
 }

go/ql/lib/change-notes/2023-10-31-add-gin-cors-framework.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added the [gin cors](https://github.com/gin-contrib/cors) library to the CorsMisconfiguration.ql query

go/ql/lib/go.qll

@@ -41,6 +41,7 @@ import semmle.go.frameworks.Email
 import semmle.go.frameworks.Encoding
 import semmle.go.frameworks.Fiber
 import semmle.go.frameworks.Gin
+import semmle.go.frameworks.GinCors
 import semmle.go.frameworks.Glog
 import semmle.go.frameworks.GoKit
 import semmle.go.frameworks.GoMicro

go/ql/lib/semmle/go/frameworks/GinCors.qll

@@ -0,0 +1,139 @@
+/**
+ * Provides classes for modeling the `github.com/gin-contrib/cors` package.
+ */
+
+import go
+
+/**
+ * Provides classes for modeling the `github.com/gin-contrib/cors` package.
+ */
+module GinCors {
+  /** Gets the package name `github.com/gin-gonic/gin`. */
+  string packagePath() { result = package("github.com/gin-contrib/cors", "") }
+
+  /**
+   * A new function create a new gin Handler that passed to gin as middleware
+   */
+  class New extends Function {
+    New() { exists(Function f | f.hasQualifiedName(packagePath(), "New") | this = f) }
+  }
+
+  /**
+   * A write to the value of Access-Control-Allow-Credentials header
+   */
+  class AllowCredentialsWrite extends DataFlow::ExprNode {
+    DataFlow::Node base;
+
+    AllowCredentialsWrite() {
+      exists(Field f, Write w |
+        f.hasQualifiedName(packagePath(), "Config", "AllowCredentials") and
+        w.writesField(base, f, this) and
+        this.getType() instanceof BoolType
+      )
+    }
+
+    /**
+     * Get config struct holding header values
+     */
+    DataFlow::Node getBase() { result = base }
+
+    /**
+     * Get config variable holding header values
+     */
+    GinConfig getConfig() {
+      exists(GinConfig gc |
+        (
+          gc.getV().getBaseVariable().getDefinition().(SsaExplicitDefinition).getRhs() =
+            base.asInstruction() or
+          gc.getV().getAUse() = base
+        ) and
+        result = gc
+      )
+    }
+  }
+
+  /**
+   * A write to the value of Access-Control-Allow-Origins header
+   */
+  class AllowOriginsWrite extends DataFlow::ExprNode {
+    DataFlow::Node base;
+
+    AllowOriginsWrite() {
+      exists(Field f, Write w |
+        f.hasQualifiedName(packagePath(), "Config", "AllowOrigins") and
+        w.writesField(base, f, this) and
+        this.asExpr() instanceof SliceLit
+      )
+    }
+
+    /**
+     * Get config struct holding header values
+     */
+    DataFlow::Node getBase() { result = base }
+
+    /**
+     * Get config variable holding header values
+     */
+    GinConfig getConfig() {
+      exists(GinConfig gc |
+        (
+          gc.getV().getBaseVariable().getDefinition().(SsaExplicitDefinition).getRhs() =
+            base.asInstruction() or
+          gc.getV().getAUse() = base
+        ) and
+        result = gc
+      )
+    }
+  }
+
+  /**
+   * A write to the value of Access-Control-Allow-Origins of value "*", overriding AllowOrigins
+   */
+  class AllowAllOriginsWrite extends DataFlow::ExprNode {
+    DataFlow::Node base;
+
+    AllowAllOriginsWrite() {
+      exists(Field f, Write w |
+        f.hasQualifiedName(packagePath(), "Config", "AllowAllOrigins") and
+        w.writesField(base, f, this) and
+        this.getType() instanceof BoolType
+      )
+    }
+
+    /**
+     * Get config struct holding header values
+     */
+    DataFlow::Node getBase() { result = base }
+
+    /**
+     * Get config variable holding header values
+     */
+    GinConfig getConfig() {
+      exists(GinConfig gc |
+        (
+          gc.getV().getBaseVariable().getDefinition().(SsaExplicitDefinition).getRhs() =
+            base.asInstruction() or
+          gc.getV().getAUse() = base
+        ) and
+        result = gc
+      )
+    }
+  }
+
+  /**
+   * A variable of type Config that holds the headers to be set.
+   */
+  class GinConfig extends Variable {
+    SsaWithFields v;
+
+    GinConfig() {
+      this = v.getBaseVariable().getSourceVariable() and
+      exists(Type t | t.hasQualifiedName(packagePath(), "Config") | v.getType() = t)
+    }
+
+    /**
+     * Get variable declaration of GinConfig
+     */
+    SsaWithFields getV() { result = v }
+  }
+}

go/ql/src/experimental/CWE-287/ImproperLdapAuth.qhelp

@@ -0,0 +1,31 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+  <overview>
+    <p>
+      If an LDAP connection uses user-supplied data as password, anonymous bind could be caused using an empty password 
+to result in a successful authentication.
+</p>
+  </overview>
+
+  <recommendation>
+    <p>Don't use user-supplied data as password while establishing an LDAP connection.
+ </p>
+  </recommendation>
+
+  <example>
+    <p>In the following examples, the code accepts a bind password via a HTTP request in variable <code>
+      bindPassword</code>. The code builds a LDAP query whose authentication depends on user supplied data.</p>
+
+
+    <sample src="examples/LdapAuthBad.go" />
+
+    <p>In the following examples, the code accepts a bind password via a HTTP request in variable <code>
+      bindPassword</code>. The function ensures that the password provided is not empty before binding. </p>
+
+    <sample src="examples/LdapAuthGood.go" />
+  </example>
+
+  <references>
+    <li>MITRE: <a href="https://cwe.mitre.org/data/definitions/287.html">CWE-287: Improper Authentication</a>.</li>
+  </references>
+</qhelp>

go/ql/src/experimental/CWE-287/ImproperLdapAuth.ql

@@ -0,0 +1,19 @@
+/**
+ * @name Improper LDAP Authentication
+ * @description A user-controlled query carries no authentication
+ * @kind path-problem
+ * @problem.severity warning
+ * @id go/improper-ldap-auth
+ * @tags security
+ *       experimental
+ *       external/cwe/cwe-287
+ */
+
+import go
+import ImproperLdapAuthCustomizations
+import ImproperLdapAuth::Flow::PathGraph
+
+from ImproperLdapAuth::Flow::PathNode source, ImproperLdapAuth::Flow::PathNode sink
+where ImproperLdapAuth::Flow::flowPath(source, sink)
+select sink.getNode(), source, sink, "LDAP binding password depends on a $@.", source.getNode(),
+  "user-provided value"

go/ql/src/experimental/CWE-287/ImproperLdapAuthCustomizations.qll

@@ -0,0 +1,84 @@
+import go
+import semmle.go.dataflow.barrierguardutil.RegexpCheck
+
+module ImproperLdapAuth {
+  /**
+   * A sink that is vulnerable to improper LDAP Authentication vulnerabilities.
+   */
+  abstract class LdapAuthSink extends DataFlow::Node { }
+
+  /**
+   * A sanitizer function that prevents improper LDAP Authentication attacks.
+   */
+  abstract class LdapSanitizer extends DataFlow::Node { }
+
+  /**
+   * A vulnerable argument to `go-ldap` or `ldap`'s `bind` function (Only v2).
+   */
+  private class GoLdapBindSink extends LdapAuthSink {
+    GoLdapBindSink() {
+      exists(Method meth |
+        meth.hasQualifiedName("gopkg.in/ldap.v2", "Conn", "Bind") and
+        this = meth.getACall().getArgument(1)
+      )
+    }
+  }
+
+  /**
+   * A call to a regexp match function, considered as a barrier guard for sanitizing untrusted URLs.
+   *
+   * This is overapproximate: we do not attempt to reason about the correctness of the regexp.
+   */
+  class RegexpCheckAsBarrierGuard extends RegexpCheckBarrier, LdapSanitizer { }
+
+  /**
+   * An empty string.
+   */
+  class EmptyString extends DataFlow::Node {
+    EmptyString() { this.asExpr().getStringValue() = "" }
+  }
+
+  private predicate equalityAsSanitizerGuard(DataFlow::Node g, Expr e, boolean outcome) {
+    exists(DataFlow::Node nonConstNode, DataFlow::Node constNode, DataFlow::EqualityTestNode eq |
+      g = eq and
+      nonConstNode = eq.getAnOperand() and
+      not nonConstNode.isConst() and
+      constNode = eq.getAnOperand() and
+      constNode.isConst() and
+      e = nonConstNode.asExpr() and
+      (
+        // If `constNode` is not an empty string a comparison is considered a sanitizer
+        not constNode instanceof EmptyString and outcome = eq.getPolarity()
+        or
+        // If `constNode` is an empty string a not comparison is considered a sanitizer
+        constNode instanceof EmptyString and outcome = eq.getPolarity().booleanNot()
+      )
+    )
+  }
+
+  /**
+   * An equality check comparing a data-flow node against a constant string, considered as
+   * a barrier guard for sanitizing untrusted user input.
+   */
+  class EqualityAsSanitizerGuard extends LdapSanitizer {
+    EqualityAsSanitizerGuard() {
+      this = DataFlow::BarrierGuard<equalityAsSanitizerGuard/3>::getABarrierNode()
+    }
+  }
+
+  private module Config implements DataFlow::ConfigSig {
+    predicate isSource(DataFlow::Node source) {
+      source instanceof UntrustedFlowSource or source instanceof EmptyString
+    }
+
+    predicate isSink(DataFlow::Node sink) { sink instanceof LdapAuthSink }
+
+    predicate isBarrier(DataFlow::Node node) { node instanceof LdapSanitizer }
+  }
+
+  /**
+   * Tracks taint flow for reasoning about improper ldap auth vulnerabilities
+   * with sinks which are not sanitized by string comparisons.
+   */
+  module Flow = TaintTracking::Global<Config>;
+}

go/ql/src/experimental/CWE-287/examples/LdapAuthBad.go

@@ -0,0 +1,22 @@
+package main
+
+import (
+	"fmt"
+	"log"
+)
+
+func bad() interface{} {
+	bindPassword := req.URL.Query()["password"][0]
+
+	// Connect to the LDAP server
+	l, err := ldap.Dial("tcp", fmt.Sprintf("%s:%d", "ldap.example.com", 389))
+	if err != nil {
+		log.Fatalf("Failed to connect to LDAP server: %v", err)
+	}
+	defer l.Close()
+
+	err = l.Bind("cn=admin,dc=example,dc=com", bindPassword)
+	if err != nil {
+		log.Fatalf("LDAP bind failed: %v", err)
+	}
+}

go/ql/src/experimental/CWE-287/examples/LdapAuthGood.go

@@ -0,0 +1,24 @@
+package main
+
+import (
+	"fmt"
+	"log"
+)
+
+func good() interface{} {
+	bindPassword := req.URL.Query()["password"][0]
+
+	// Connect to the LDAP server
+	l, err := ldap.Dial("tcp", fmt.Sprintf("%s:%d", "ldap.example.com", 389))
+	if err != nil {
+		log.Fatalf("Failed to connect to LDAP server: %v", err)
+	}
+	defer l.Close()
+
+	if bindPassword != "" {
+		err = l.Bind("cn=admin,dc=example,dc=com", bindPassword)
+		if err != nil {
+			log.Fatalf("LDAP bind failed: %v", err)
+		}
+	}
+}