fix SSRF sinks

Author: am0o0

go/ql/lib/ext/github.com.valyala.fasthttp.model.yml

@@ -8,11 +8,4 @@ extensions:
       - ["github.com/valyala/fasthttp", "URI", False, "Update", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
       - ["github.com/valyala/fasthttp", "URI", False, "UpdateBytes", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
       - ["github.com/valyala/fasthttp", "URI", False, "Parse", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
-      - ["github.com/valyala/fasthttp", "URI", False, "Parse", "", "", "Argument[1]", "Argument[-1]", "taint", "manual"]
-      - ["github.com/valyala/fasthttp", "Request", False, "SetRequestURI", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
-      - ["github.com/valyala/fasthttp", "Request", False, "SetRequestURIBytes", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
-      - ["github.com/valyala/fasthttp", "Request", False, "SetURI", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
-      - ["github.com/valyala/fasthttp", "Request", False, "String", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
-      - ["github.com/valyala/fasthttp", "Request", False, "SetHost", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
-      - ["github.com/valyala/fasthttp", "Request", False, "SetHost", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
-      - ["github.com/valyala/fasthttp", "Request", False, "SetHostBytes", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
+      - ["github.com/valyala/fasthttp", "URI", False, "Parse", "", "", "Argument[1]", "Argument[-1]", "taint", "manual"]

go/ql/lib/semmle/go/frameworks/Fasthttp.qll

@@ -73,22 +73,6 @@ module Fasthttp {
       override string getKind() { result = "URL" }
     }
 
-    /**
-     * A function that sends HTTP requests.
-     */
-    class RequestForgerySinkDo extends RequestForgery::Sink {
-      RequestForgerySinkDo() {
-        exists(Function f |
-          f.hasQualifiedName(packagePath(), ["Do", "DoDeadline", "DoTimeout", "DoRedirects"]) and
-          this = f.getACall().getArgument(0)
-        )
-      }
-
-      override DataFlow::Node getARequest() { result = this }
-
-      override string getKind() { result = "URL" }
-    }
-
     /**
      * A function that create initial connection to a TCP address.
      * Following Functions only accept TCP address + Port in their first argument
@@ -192,46 +176,6 @@ module Fasthttp {
 
       override string getKind() { result = "URL" }
     }
-
-    /**
-     * A method that sends HTTP requests.
-     */
-    class RequestForgerySinkDo extends RequestForgery::Sink {
-      RequestForgerySinkDo() {
-        exists(Method m |
-          m.hasQualifiedName(packagePath(), "Client",
-            ["Do", "DoDeadline", "DoTimeout", "DoRedirects"]) and
-          this = m.getACall().getArgument(0)
-        )
-      }
-
-      override DataFlow::Node getARequest() { result = this }
-
-      // Kind can be vary because input is a fasthttp.URI type
-      override string getKind() { result = "URL" }
-    }
-  }
-
-  /**
-   * Provide modeling for fasthttp.PipelineClient Type
-   */
-  module PipelineClient {
-    /**
-     * A method that sends HTTP requests.
-     */
-    class RequestForgerySinkDo extends RequestForgery::Sink {
-      RequestForgerySinkDo() {
-        exists(Method m |
-          m.hasQualifiedName(packagePath(), "PipelineClient", ["Do", "DoDeadline", "DoTimeout"]) and
-          this = m.getACall().getArgument(0)
-        )
-      }
-
-      override DataFlow::Node getARequest() { result = this }
-
-      // Kind can be vary because input is a fasthttp.URI type
-      override string getKind() { result = "URL" }
-    }
   }
 
   /**
@@ -257,46 +201,6 @@ module Fasthttp {
 
       override string getKind() { result = "URL" }
     }
-
-    /**
-     * A method that sends HTTP requests.
-     */
-    class RequestForgerySinkDo extends RequestForgery::Sink {
-      RequestForgerySinkDo() {
-        exists(Method m |
-          m.hasQualifiedName(packagePath(), "HostClient",
-            ["Do", "DoDeadline", "DoTimeout", "DoRedirects"]) and
-          this = m.getACall().getArgument(0)
-        )
-      }
-
-      override DataFlow::Node getARequest() { result = this }
-
-      // Kind can be vary because input is a fasthttp.URI type
-      override string getKind() { result = "URL" }
-    }
-  }
-
-  /**
-   * Provide modeling for fasthttp.LBClient Type
-   */
-  module LBClient {
-    /**
-     * A method that sends HTTP requests.
-     */
-    class RequestForgerySinkDo extends RequestForgery::Sink {
-      RequestForgerySinkDo() {
-        exists(Method m |
-          m.hasQualifiedName(packagePath(), "LBClient", ["Do", "DoDeadline", "DoTimeout"]) and
-          this = m.getACall().getArgument(0)
-        )
-      }
-
-      override DataFlow::Node getARequest() { result = this }
-
-      // Kind can be vary because input is a fasthttp.URI type
-      override string getKind() { result = "URL" }
-    }
   }
 
   /**
@@ -354,6 +258,26 @@ module Fasthttp {
         )
       }
     }
+
+    /**
+     * A method that create the URL and Host parts of a `Request` type.
+     *
+     * This instance of `Request` type can be used in some functions/methods
+     * like `func Do(req *Request, resp *Response) error` that will lead to server side request forgery vulnerability.
+     */
+    class RequestForgerySink extends RequestForgery::Sink {
+      RequestForgerySink() {
+        exists(Method m |
+          m.hasQualifiedName(packagePath(), "Request",
+            ["SetRequestURI", "SetRequestURIBytes", "SetURI", "SetHost", "SetHostBytes"]) and
+          this = m.getACall().getArgument(0)
+        )
+      }
+
+      override DataFlow::Node getARequest() { result = this }
+
+      override string getKind() { result = "URL" }
+    }
   }
 
   /**

go/ql/test/library-tests/semmle/go/frameworks/Fasthttp/fasthttp.go

@@ -24,19 +24,7 @@ func fasthttpClient() {
 	fasthttp.DialTimeout(userInput, 5)          // $ SsrfSink=userInput
 	fasthttp.DialDualStackTimeout(userInput, 5) // $ SsrfSink=userInput
 
-	res := &fasthttp.Response{}
-	req1 := &fasthttp.Request{}
-	req1.SetHost(source().(string))
-	sink(req1) // $ hasTaintFlow="req1"
-	req2 := &fasthttp.Request{}
-	req2.SetHostBytes(source().([]byte))
-	sink(req2) // $ hasTaintFlow="req2"
-	req3 := &fasthttp.Request{}
-	req3.SetRequestURI(source().(string))
-	sink(req3) // $ hasTaintFlow="req3"
-	req4 := &fasthttp.Request{}
-	req4.SetRequestURIBytes(source().([]byte))
-	sink(req4) // $ hasTaintFlow="req4"
+	req := &fasthttp.Request{}
 
 	uri1 := fasthttp.AcquireURI()
 	userInput = "UserControlled.com:80"
@@ -55,20 +43,19 @@ func fasthttpClient() {
 	uri5 := fasthttp.AcquireURI()
 	uri5.Parse(source().([]byte), source().([]byte))
 	sink(uri5) // $ hasTaintFlow="uri5"
-	req := &fasthttp.Request{}
-	uri6 := fasthttp.AcquireURI()
-	req.SetURI(uri6)
 
 	resByte := make([]byte, 1000)
 	userInput = "http://127.0.0.1:8909"
+	userInputBytes := []byte("http://127.0.0.1:8909")
+	req.SetURI(uri5)                                      // $ SsrfSink=uri5
+	req.SetHost(userInput)                                // $ SsrfSink=userInput
+	req.SetHostBytes(userInputBytes)                      // $ SsrfSink=userInputBytes
+	req.SetRequestURI(userInput)                          // $ SsrfSink=userInput
+	req.SetRequestURIBytes(userInputBytes)                // $ SsrfSink=userInputBytes
 	fasthttp.Get(resByte, userInput)                      // $ SsrfSink=userInput
 	fasthttp.GetDeadline(resByte, userInput, time.Time{}) // $ SsrfSink=userInput
 	fasthttp.GetTimeout(resByte, userInput, 5)            // $ SsrfSink=userInput
 	fasthttp.Post(resByte, userInput, nil)                // $ SsrfSink=userInput
-	fasthttp.Do(req, res)                                 // $ SsrfSink=req
-	fasthttp.DoRedirects(req, res, 2)                     // $ SsrfSink=req
-	fasthttp.DoDeadline(req, res, time.Time{})            // $ SsrfSink=req
-	fasthttp.DoTimeout(req, res, 5)                       // $ SsrfSink=req
 
 	hostClient := &fasthttp.HostClient{
 		Addr: "localhost:8080",
@@ -77,31 +64,15 @@ func fasthttpClient() {
 	hostClient.GetDeadline(resByte, userInput, time.Time{}) // $ SsrfSink=userInput
 	hostClient.GetTimeout(resByte, userInput, 5)            // $ SsrfSink=userInput
 	hostClient.Post(resByte, userInput, nil)                // $ SsrfSink=userInput
-	hostClient.Do(req, res)                                 // $ SsrfSink=req
-	hostClient.DoDeadline(req, res, time.Time{})            // $ SsrfSink=req
-	hostClient.DoRedirects(req, res, 2)                     // $ SsrfSink=req
-	hostClient.DoTimeout(req, res, 5)                       // $ SsrfSink=req
 
 	var lbclient fasthttp.LBClient
 	lbclient.Clients = append(lbclient.Clients, hostClient)
-	lbclient.Do(req, res)                      // $ SsrfSink=req
-	lbclient.DoDeadline(req, res, time.Time{}) // $ SsrfSink=req
-	lbclient.DoTimeout(req, res, 5)            // $ SsrfSink=req
 
 	client := fasthttp.Client{}
 	client.Get(resByte, userInput)                      // $ SsrfSink=userInput
 	client.GetDeadline(resByte, userInput, time.Time{}) // $ SsrfSink=userInput
 	client.GetTimeout(resByte, userInput, 5)            // $ SsrfSink=userInput
 	client.Post(resByte, userInput, nil)                // $ SsrfSink=userInput
-	client.Do(req, res)                                 // $ SsrfSink=req
-	client.DoDeadline(req, res, time.Time{})            // $ SsrfSink=req
-	client.DoRedirects(req, res, 2)                     // $ SsrfSink=req
-	client.DoTimeout(req, res, 5)                       // $ SsrfSink=req
-
-	pipelineClient := fasthttp.PipelineClient{}
-	pipelineClient.Do(req, res)                      // $ SsrfSink=req
-	pipelineClient.DoDeadline(req, res, time.Time{}) // $ SsrfSink=req
-	pipelineClient.DoTimeout(req, res, 5)            // $ SsrfSink=req
 
 	tcpDialer := fasthttp.TCPDialer{}
 	userInput = "127.0.0.1:8909"