add flow summary instead of additional flow steps

am0o0 · am0o0 · commit 88e75a6ec8de · 2023-11-05T17:49:32.000+03:30
diff --git a/go/ql/lib/ext/github.com.valyala.fasthttp.model.yml b/go/ql/lib/ext/github.com.valyala.fasthttp.model.yml
@@ -0,0 +1,18 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: summaryModel
+    data:
+      - ["github.com/valyala/fasthttp", "URI", False, "SetHost", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
+      - ["github.com/valyala/fasthttp", "URI", False, "SetHostBytes", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
+      - ["github.com/valyala/fasthttp", "URI", False, "Update", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
+      - ["github.com/valyala/fasthttp", "URI", False, "UpdateBytes", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
+      - ["github.com/valyala/fasthttp", "URI", False, "Parse", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
+      - ["github.com/valyala/fasthttp", "URI", False, "Parse", "", "", "Argument[1]", "Argument[-1]", "taint", "manual"]
+      - ["github.com/valyala/fasthttp", "Request", False, "SetRequestURI", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
+      - ["github.com/valyala/fasthttp", "Request", False, "SetRequestURIBytes", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
+      - ["github.com/valyala/fasthttp", "Request", False, "SetURI", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
+      - ["github.com/valyala/fasthttp", "Request", False, "String", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
+      - ["github.com/valyala/fasthttp", "Request", False, "SetHost", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
+      - ["github.com/valyala/fasthttp", "Request", False, "SetHost", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
+      - ["github.com/valyala/fasthttp", "Request", False, "SetHostBytes", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
diff --git a/go/ql/lib/semmle/go/frameworks/Fasthttp.qll b/go/ql/lib/semmle/go/frameworks/Fasthttp.qll
@@ -16,17 +16,6 @@ module Fasthttp {
   /** Gets the path for the root package of fasthttp. */
   string packagePath() { result = package(v1modulePath(), "") }
 
-  /**
-   * A class when you are using Fasthttp related queries to fully supports additional steps
-   */
-  bindingset[this]
-  abstract class AdditionalStep extends string {
-    /**
-     * Holds if `pred` to `succ` is an additional taint-propagating step for this query.
-     */
-    abstract predicate hasTaintStep(DataFlow::Node pred, DataFlow::Node succ);
-  }
-
   /**
    * Provide models for sanitizer/Dangerous Functions of fasthttp
    */
@@ -125,32 +114,6 @@ module Fasthttp {
    * Provide modeling for fasthttp.URI Type
    */
   module URI {
-    /**
-     * The additioanl steps that can be used in fasthttp framework.
-     * Fasthttp has its own uri creating/manipulation methods and these methods usually are used in code.
-     * Pred can be an user controlled value like any potential part of URL and succ is the URI instance.
-     * So if we called a method like `URIInstance.SetHost(pred)` then the URIInstance is succ.
-     */
-    class UriAdditionalStep extends AdditionalStep {
-      UriAdditionalStep() { this = "URI additional steps" }
-
-      override predicate hasTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
-        exists(DataFlow::MethodCallNode m, DataFlow::Variable frn |
-          (
-            m.getTarget()
-                .hasQualifiedName(packagePath(), "URI",
-                  ["SetHost", "SetHostBytes", "Update", "UpdateBytes"]) and
-            pred = m.getArgument(0)
-            or
-            m.getTarget().hasQualifiedName(packagePath(), "URI", "Parse") and
-            pred = m.getArgument([0, 1])
-          ) and
-          frn.getARead() = m.getReceiver() and
-          succ = frn.getARead()
-        )
-      }
-    }
-
     /**
      * The methods as Remote user controllable source which are part of the incoming URL
      */
@@ -384,30 +347,6 @@ module Fasthttp {
    * Provide modeling for fasthttp.Request Type
    */
   module Request {
-    /**
-     * The additioanl steps that can be used in fasthttp framework.
-     * Pred can be an user controlled value like any potential part of URL and succ is the URI instance.
-     * So if we called a method like `RequestInstance.SetHost(pred)` then the RequestInstance is succ.
-     * for SetURI the argument type is fasthttp.URI which is already modeled, look at URI module.
-     */
-    class RequestAdditionalStep extends AdditionalStep {
-      RequestAdditionalStep() { this = "Request additional steps" }
-
-      override predicate hasTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
-        exists(DataFlow::MethodCallNode m, DataFlow::Variable frn |
-          m.getTarget()
-              .hasQualifiedName(packagePath(), "Request",
-                [
-                  "SetRequestURI", "SetRequestURIBytes", "SetURI", "String", "SetHost",
-                  "SetHostBytes"
-                ]) and
-          pred = m.getArgument(0) and
-          frn.getARead() = m.getReceiver() and
-          succ = frn.getARead()
-        )
-      }
-    }
-
     /**
      * The methods as Remote user controllable source which can be many part of request
      */
diff --git a/go/ql/src/experimental/CWE-918/SSRF.qll b/go/ql/src/experimental/CWE-918/SSRF.qll
@@ -175,30 +175,4 @@ module ServerSideRequestForgery {
    * of the error binding exists, and the tag to check is one of "alpha", "alphanum", "alphaunicode", "alphanumunicode", "number", "numeric".
    */
   class ValidatorAsSanitizer extends Sanitizer, ValidatorVarCheckBarrier { }
-
-  /**
-   * A additional step that can be used mostly for request forgery related queries
-   */
-  bindingset[this]
-  abstract class AdditionalStep extends string {
-    /**
-     * Holds if `pred` to `succ` is an additional taint-propagating step for this query.
-     */
-    abstract predicate hasTaintStep(DataFlow::Node pred, DataFlow::Node succ);
-  }
-
-  /**
-   * An additional step for Fasthttp framework uri and request instances.
-   *
-   * These steps can help to track the user provided URI to a dangerous SSRF sink.
-   */
-  class FasthttpAdditionalStep extends AdditionalStep {
-    FasthttpAdditionalStep() { this = "FastHTtp additional steps" }
-
-    override predicate hasTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
-      any(Fasthttp::Request::RequestAdditionalStep r).hasTaintStep(pred, succ)
-      or
-      any(Fasthttp::URI::UriAdditionalStep r).hasTaintStep(pred, succ)
-    }
-  }
 }
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/Fasthttp/AdditionalTaintSteps.expected b/go/ql/test/library-tests/semmle/go/frameworks/Fasthttp/AdditionalTaintSteps.expected
@@ -1,2 +0,0 @@
-testFailures
-failures
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/Fasthttp/AdditionalTaintSteps.ql b/go/ql/test/library-tests/semmle/go/frameworks/Fasthttp/AdditionalTaintSteps.ql
@@ -1,46 +1,48 @@
 import go
-import TestUtilities.InlineExpectationsTest
+import TestUtilities.InlineFlowTest
+import semmle.go.security.RequestForgeryCustomizations
 
-module FasthttpTest implements TestSig {
-  string getARelevantTag() { result = ["UriSucc", "UriPred", "ReqSucc", "ReqPred"] }
+module Config implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    exists(DataFlow::MethodCallNode m |
+      m.getTarget()
+          .hasQualifiedName("github.com/valyala/fasthttp", "URI",
+            ["SetHost", "SetHostBytes", "Update", "UpdateBytes"]) and
+      source = m.getArgument(0)
+      or
+      m.getTarget().hasQualifiedName("github.com/valyala/fasthttp", "URI", "Parse") and
+      source = m.getArgument([0, 1])
+    )
+    or
+    exists(DataFlow::MethodCallNode m |
+      m.getTarget()
+          .hasQualifiedName("github.com/valyala/fasthttp", "Request",
+            ["SetRequestURI", "SetRequestURIBytes", "SetURI", "String", "SetHost", "SetHostBytes"]) and
+      source = m.getArgument(0)
+    )
+  }
 
-  predicate hasActualResult(Location location, string element, string tag, string value) {
-    exists(Fasthttp::Request::RequestAdditionalStep q, DataFlow::Node succ, DataFlow::Node pred |
-      q.hasTaintStep(pred, succ)
-    |
+  predicate isSink(DataFlow::Node source) {
+    exists(DataFlow::MethodCallNode m, DataFlow::Variable frn |
       (
-        pred.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
-          location.getStartColumn(), location.getEndLine(), location.getEndColumn()) and
-        element = pred.toString() and
-        value = pred.toString() and
-        tag = "ReqPred"
+        m.getTarget()
+            .hasQualifiedName("github.com/valyala/fasthttp", "URI",
+              ["SetHost", "SetHostBytes", "Update", "UpdateBytes"])
         or
-        succ.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
-          location.getStartColumn(), location.getEndLine(), location.getEndColumn()) and
-        element = succ.toString() and
-        value = succ.toString() and
-        tag = "ReqSucc"
-      )
+        m.getTarget().hasQualifiedName("github.com/valyala/fasthttp", "URI", "Parse")
+      ) and
+      frn.getARead() = m.getReceiver() and
+      source = frn.getARead()
     )
     or
-    exists(Fasthttp::URI::UriAdditionalStep q, DataFlow::Node succ, DataFlow::Node pred |
-      q.hasTaintStep(pred, succ)
-    |
-      (
-        pred.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
-          location.getStartColumn(), location.getEndLine(), location.getEndColumn()) and
-        element = pred.toString() and
-        value = pred.toString() and
-        tag = "UriPred"
-        or
-        succ.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
-          location.getStartColumn(), location.getEndLine(), location.getEndColumn()) and
-        element = succ.toString() and
-        value = succ.toString() and
-        tag = "UriSucc"
-      )
+    exists(DataFlow::MethodCallNode m, DataFlow::Variable frn |
+      m.getTarget()
+          .hasQualifiedName("github.com/valyala/fasthttp", "Request",
+            ["SetRequestURI", "SetRequestURIBytes", "SetURI", "String", "SetHost", "SetHostBytes"]) and
+      frn.getARead() = m.getReceiver() and
+      source = frn.getARead()
     )
   }
 }
 
-import MakeTest<FasthttpTest>
+import TaintFlowTest<Config>
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/Fasthttp/fasthttp.go b/go/ql/test/library-tests/semmle/go/frameworks/Fasthttp/fasthttp.go
@@ -20,33 +20,33 @@ func fasthttpClient() {
 
 	res := &fasthttp.Response{}
 	req := &fasthttp.Request{}
-	req.SetHost(userInput)                // $ ReqSucc=req ReqPred=userInput
-	req.SetHostBytes(userInputByte)       // $ ReqSucc=req ReqPred=userInputByte
-	req.SetRequestURI(userInput)          // $ ReqSucc=req ReqPred=userInput
-	req.SetRequestURIBytes(userInputByte) // $ ReqSucc=req ReqPred=userInputByte
+	req.SetHost(userInput)                // $ hasTaintFlow="req" ReqPred=userInput
+	req.SetHostBytes(userInputByte)       // $ hasTaintFlow="req" ReqPred=userInputByte
+	req.SetRequestURI(userInput)          // $ hasTaintFlow="req" ReqPred=userInput
+	req.SetRequestURIBytes(userInputByte) // $ hasTaintFlow="req" ReqPred=userInputByte
 
 	uri := fasthttp.AcquireURI()
 	userInput = "UserControlled.com:80"
 	userInputByte = []byte("UserControlled.com:80")
-	uri.SetHost(userInput)          // $ UriPred=userInput UriSucc=uri
-	uri.SetHostBytes(userInputByte) // $ UriPred=userInputByte UriSucc=uri
+	uri.SetHost(userInput)          // $ hasTaintFlow="uri"
+	uri.SetHostBytes(userInputByte) // $ hasTaintFlow="uri"
 	userInput = "http://UserControlled.com"
 	userInputByte = []byte("http://UserControlled.com")
-	uri.Update(userInput)                   // $ UriPred=userInput UriSucc=uri
-	uri.UpdateBytes(userInputByte)          // $ UriPred=userInputByte UriSucc=uri
-	uri.Parse(userInputByte, userInputByte) // $ UriPred=userInputByte UriPred=userInputByte UriSucc=uri
-	req.SetURI(uri)                         // $ ReqSucc=req ReqPred=uri UriSucc=uri
+	uri.Update(userInput)                   // $ hasTaintFlow="uri"
+	uri.UpdateBytes(userInputByte)          // $ hasTaintFlow="uri"
+	uri.Parse(userInputByte, userInputByte) // $ hasTaintFlow="uri"
+	req.SetURI(uri)                         // $ hasTaintFlow="uri" hasTaintFlow="req"
 
 	resByte := make([]byte, 1000)
 	userInput = "http://127.0.0.1:8909"
 	fasthttp.Get(resByte, userInput)                      // $ SsrfSink=userInput
 	fasthttp.GetDeadline(resByte, userInput, time.Time{}) // $ SsrfSink=userInput
 	fasthttp.GetTimeout(resByte, userInput, 5)            // $ SsrfSink=userInput
 	fasthttp.Post(resByte, userInput, nil)                // $ SsrfSink=userInput
-	fasthttp.Do(req, res)                                 // $ ReqSucc=req SsrfSink=req
-	fasthttp.DoRedirects(req, res, 2)                     // $ ReqSucc=req SsrfSink=req
-	fasthttp.DoDeadline(req, res, time.Time{})            // $ ReqSucc=req SsrfSink=req
-	fasthttp.DoTimeout(req, res, 5)                       // $ ReqSucc=req SsrfSink=req
+	fasthttp.Do(req, res)                                 // $ hasTaintFlow="req" SsrfSink=req
+	fasthttp.DoRedirects(req, res, 2)                     // $ hasTaintFlow="req" SsrfSink=req
+	fasthttp.DoDeadline(req, res, time.Time{})            // $ hasTaintFlow="req" SsrfSink=req
+	fasthttp.DoTimeout(req, res, 5)                       // $ hasTaintFlow="req" SsrfSink=req
 
 	hostClient := &fasthttp.HostClient{
 		Addr: "localhost:8080",
@@ -55,31 +55,31 @@ func fasthttpClient() {
 	hostClient.GetDeadline(resByte, userInput, time.Time{}) // $ SsrfSink=userInput
 	hostClient.GetTimeout(resByte, userInput, 5)            // $ SsrfSink=userInput
 	hostClient.Post(resByte, userInput, nil)                // $ SsrfSink=userInput
-	hostClient.Do(req, res)                                 // $ ReqSucc=req SsrfSink=req
-	hostClient.DoDeadline(req, res, time.Time{})            // $ ReqSucc=req SsrfSink=req
-	hostClient.DoRedirects(req, res, 2)                     // $ ReqSucc=req SsrfSink=req
-	hostClient.DoTimeout(req, res, 5)                       // $ ReqSucc=req SsrfSink=req
+	hostClient.Do(req, res)                                 // $ hasTaintFlow="req" SsrfSink=req
+	hostClient.DoDeadline(req, res, time.Time{})            // $ hasTaintFlow="req" SsrfSink=req
+	hostClient.DoRedirects(req, res, 2)                     // $ hasTaintFlow="req" SsrfSink=req
+	hostClient.DoTimeout(req, res, 5)                       // $ hasTaintFlow="req" SsrfSink=req
 
 	var lbclient fasthttp.LBClient
 	lbclient.Clients = append(lbclient.Clients, hostClient)
-	lbclient.Do(req, res)                      // $ ReqSucc=req SsrfSink=req
-	lbclient.DoDeadline(req, res, time.Time{}) // $ ReqSucc=req SsrfSink=req
-	lbclient.DoTimeout(req, res, 5)            // $ ReqSucc=req SsrfSink=req
+	lbclient.Do(req, res)                      // $ hasTaintFlow="req" SsrfSink=req
+	lbclient.DoDeadline(req, res, time.Time{}) // $ hasTaintFlow="req" SsrfSink=req
+	lbclient.DoTimeout(req, res, 5)            // $ hasTaintFlow="req" SsrfSink=req
 
 	client := fasthttp.Client{}
 	client.Get(resByte, userInput)                      // $ SsrfSink=userInput
 	client.GetDeadline(resByte, userInput, time.Time{}) // $ SsrfSink=userInput
 	client.GetTimeout(resByte, userInput, 5)            // $ SsrfSink=userInput
 	client.Post(resByte, userInput, nil)                // $ SsrfSink=userInput
-	client.Do(req, res)                                 // $ ReqSucc=req SsrfSink=req SsrfSink=req
-	client.DoDeadline(req, res, time.Time{})            // $ ReqSucc=req SsrfSink=req SsrfSink=req
-	client.DoRedirects(req, res, 2)                     // $ ReqSucc=req SsrfSink=req SsrfSink=req
-	client.DoTimeout(req, res, 5)                       // $ ReqSucc=req SsrfSink=req SsrfSink=req
+	client.Do(req, res)                                 // $ hasTaintFlow="req" SsrfSink=req SsrfSink=req
+	client.DoDeadline(req, res, time.Time{})            // $ hasTaintFlow="req" SsrfSink=req SsrfSink=req
+	client.DoRedirects(req, res, 2)                     // $ hasTaintFlow="req" SsrfSink=req SsrfSink=req
+	client.DoTimeout(req, res, 5)                       // $ hasTaintFlow="req" SsrfSink=req SsrfSink=req
 
 	pipelineClient := fasthttp.PipelineClient{}
-	pipelineClient.Do(req, res)                      // $ ReqSucc=req SsrfSink=req SsrfSink=req
-	pipelineClient.DoDeadline(req, res, time.Time{}) // $ ReqSucc=req SsrfSink=req SsrfSink=req
-	pipelineClient.DoTimeout(req, res, 5)            // $ ReqSucc=req SsrfSink=req SsrfSink=req
+	pipelineClient.Do(req, res)                      // $ hasTaintFlow="req" SsrfSink=req SsrfSink=req
+	pipelineClient.DoDeadline(req, res, time.Time{}) // $ hasTaintFlow="req" SsrfSink=req SsrfSink=req
+	pipelineClient.DoTimeout(req, res, 5)            // $ hasTaintFlow="req" SsrfSink=req SsrfSink=req
 
 	tcpDialer := fasthttp.TCPDialer{}
 	userInput = "127.0.0.1:8909"
