include review feedback

Alvaro Muñoz · Alvaro Muñoz · commit 8cb022713e3b · 2023-02-03T10:01:55.000+01:00
diff --git a/go/ql/lib/semmle/go/frameworks/Twirp.qll b/go/ql/lib/semmle/go/frameworks/Twirp.qll
@@ -40,7 +40,7 @@ module Twirp {
    * A type representing a protobuf message.
    */
   class ProtobufMessageType extends Type {
-    ProtobufMessage() {
+    ProtobufMessageType() {
       exists(TypeEntity te |
         te.getType() = this and
         te.getDeclaration().getLocation().getFile() instanceof ProtobufGeneratedFile
@@ -51,34 +51,34 @@ module Twirp {
   /**
    * An interface type representing a Twirp service.
    */
-  class ServiceInterface extends InterfaceType {
+  class ServiceInterfaceType extends InterfaceType {
     NamedType namedType;
 
-    ServiceInterface() {
+    ServiceInterfaceType() {
       exists(TypeEntity te |
-        te.getType() = serviceInterface and
-        serviceInterface.getUnderlyingType() = this and
+        te.getType() = namedType and
+        namedType.getUnderlyingType() = this and
         te.getDeclaration().getLocation().getFile() instanceof ServicesGeneratedFile
       )
     }
 
     /**
      * Gets the name of the interface.
      */
-    override string getName() { result = serviceInterface.getName() }
+    override string getName() { result = namedType.getName() }
 
     /**
      * Returns the named type on top of this interface type
      */
-    NamedType getNamedType() { result = serviceInterface }
+    NamedType getNamedType() { result = namedType }
   }
 
   /**
    * A Twirp client.
    */
-  class ServiceClient extends NamedType {
-    ServiceClient() {
-      exists(ServiceInterface i, PointerType p |
+  class ServiceClientType extends NamedType {
+    ServiceClientType() {
+      exists(ServiceInterfaceType i, PointerType p |
         p.implements(i) and
         this = p.getBaseType() and
         this.getName().toLowerCase() = i.getName().toLowerCase() + ["protobuf", "json"] + "client"
@@ -89,9 +89,9 @@ module Twirp {
   /**
    * A Twirp server
    */
-  class ServiceServer extends NamedType {
-    ServiceServer() {
-      exists(ServiceInterface i |
+  class ServiceServerType extends NamedType {
+    ServiceServerType() {
+      exists(ServiceInterfaceType i |
         this.implements(i) and
         this.getName().toLowerCase() = i.getName().toLowerCase() + "server"
       )
@@ -103,7 +103,7 @@ module Twirp {
    */
   class ClientConstructor extends Function {
     ClientConstructor() {
-      exists(ServiceClient c |
+      exists(ServiceClientType c |
         this.getName().toLowerCase() = "new" + c.getName().toLowerCase() and
         this.getParameter(0).getType() instanceof StringType and
         this.getParameterType(1).getName() = "HTTPClient"
@@ -117,7 +117,7 @@ module Twirp {
    */
   class ServerConstructor extends Function {
     ServerConstructor() {
-      exists(ServiceServer c, ServiceInterface i |
+      exists(ServiceServerType c, ServiceInterfaceType i |
         this.getName().toLowerCase() = "new" + c.getName().toLowerCase() and
         this.getParameter(0).getType() = i.getNamedType()
       )
@@ -145,10 +145,9 @@ module Twirp {
    */
   class ServiceHandler extends Method {
     ServiceHandler() {
-      exists(DataFlow::CallNode call, Type handlerType, ServiceInterface i |
+      exists(DataFlow::CallNode call, Type handlerType, ServiceInterfaceType i |
         call.getTarget() instanceof ServerConstructor and
         call.getArgument(0).getType() = handlerType and
-        handlerType.implements(i) and
         this = handlerType.getMethod(_) and
         this.implements(i.getNamedType().getMethod(_))
       )
@@ -164,7 +163,7 @@ module Twirp {
     Request() {
       handler.getParameter(0).getType().hasQualifiedName("context", "Context") and
       handler.getParameter(_) = this.asParameter() and
-      this.getType().(PointerType).getBaseType() instanceof ProtobufMessage
+      this.getType().(PointerType).getBaseType() instanceof ProtobufMessageType
     }
 
     override predicate isParameterOf(Callable c, int i) {
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/Twirp/server/main.go b/go/ql/test/library-tests/semmle/go/frameworks/Twirp/server/main.go
@@ -2,6 +2,7 @@ package main
 
 import (
 	"context"
+  "strconv"
 	"fmt"
 	"net/http"
 	"time"
@@ -26,6 +27,9 @@ func (s *notesService) CreateNote(ctx context.Context, params *notes.CreateNoteP
 		CreatedAt: time.Now().UnixMilli(),
 	}
 
+	notes.NewNotesServiceProtobufClient(params.Text, &http.Client{}) // test: ssrfSink, ssrf
+	notes.NewNotesServiceProtobufClient(strconv.FormatInt(int64(s.CurrentId), 10), &http.Client{}) // test: ssrfSink, !ssrf
+
 	s.Notes = append(s.Notes, note)
 
 	s.CurrentId++
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/Twirp/tests.expected b/go/ql/test/library-tests/semmle/go/frameworks/Twirp/tests.expected
@@ -5,14 +5,17 @@ passingPositiveTests
 | PASSED | message | rpc/notes/service.pb.go:86:32:86:49 | comment |
 | PASSED | message | rpc/notes/service.pb.go:133:33:133:50 | comment |
 | PASSED | message | rpc/notes/service.pb.go:171:33:171:50 | comment |
-| PASSED | request | server/main.go:18:111:18:140 | comment |
-| PASSED | request | server/main.go:36:126:36:155 | comment |
+| PASSED | request | server/main.go:19:111:19:140 | comment |
+| PASSED | request | server/main.go:40:126:40:155 | comment |
 | PASSED | serverConstructor | rpc/notes/service.twirp.go:334:81:334:106 | comment |
 | PASSED | serviceClient | rpc/notes/service.twirp.go:44:42:44:63 | comment |
 | PASSED | serviceClient | rpc/notes/service.twirp.go:183:38:183:59 | comment |
 | PASSED | serviceInterface | rpc/notes/service.twirp.go:34:31:34:55 | comment |
 | PASSED | serviceServer | rpc/notes/service.twirp.go:322:34:322:55 | comment |
+| PASSED | ssrf | server/main.go:30:67:30:89 | comment |
 | PASSED | ssrfSink | client/main.go:12:89:12:105 | comment |
+| PASSED | ssrfSink | server/main.go:30:67:30:89 | comment |
+| PASSED | ssrfSink | server/main.go:31:97:31:120 | comment |
 failingPositiveTests
 passingNegativeTests
 | PASSED | !handler | rpc/notes/service.twirp.go:87:109:87:125 | comment |
@@ -23,5 +26,6 @@ passingNegativeTests
 | PASSED | !handler | rpc/notes/service.twirp.go:255:109:255:125 | comment |
 | PASSED | !handler | rpc/notes/service.twirp.go:272:120:272:136 | comment |
 | PASSED | !handler | rpc/notes/service.twirp.go:301:124:301:140 | comment |
-| PASSED | !ssrfSink | server/main.go:56:51:56:68 | comment |
+| PASSED | !ssrf | server/main.go:31:97:31:120 | comment |
+| PASSED | !ssrfSink | server/main.go:60:51:60:68 | comment |
 failingNegativeTests
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/Twirp/tests.ql b/go/ql/test/library-tests/semmle/go/frameworks/Twirp/tests.ql
@@ -1,5 +1,6 @@
 import go
 import semmle.go.frameworks.Twirp
+import semmle.go.security.RequestForgery //.dataflow.ReflectedXssQuery as XssConfig
 
 class InlineTest extends LineComment {
   string tests;
@@ -49,22 +50,27 @@ query predicate passingPositiveTests(string res, string expectation, InlineTest
     exists(RequestForgery::Sink n | t.inNode(n))
     or
     expectation = "message" and
-    exists(Twirp::ProtobufMessage n | t.inType(n))
+    exists(Twirp::ProtobufMessageType n | t.inType(n))
     or
     expectation = "serviceInterface" and
-    exists(Twirp::ServiceInterface n | t.inType(n.getNamedType()))
+    exists(Twirp::ServiceInterfaceType n | t.inType(n.getNamedType()))
     or
     expectation = "serviceClient" and
-    exists(Twirp::ServiceClient n | t.inType(n))
+    exists(Twirp::ServiceClientType n | t.inType(n))
     or
     expectation = "serviceServer" and
-    exists(Twirp::ServiceServer n | t.inType(n))
+    exists(Twirp::ServiceServerType n | t.inType(n))
     or
     expectation = "clientConstructor" and
     exists(Twirp::ClientConstructor n | t.inEntity(n))
     or
     expectation = "serverConstructor" and
     exists(Twirp::ServerConstructor n | t.inEntity(n))
+    or
+    expectation = "ssrf" and
+    exists(RequestForgery::Configuration cfg, DataFlow::Node sink |
+      cfg.hasFlow(_, sink) and t.inNode(sink)
+    )
   )
 }
 
@@ -82,22 +88,27 @@ query predicate failingPositiveTests(string res, string expectation, InlineTest
     not exists(RequestForgery::Sink n | t.inNode(n))
     or
     expectation = "message" and
-    not exists(Twirp::ProtobufMessage n | t.inType(n))
+    not exists(Twirp::ProtobufMessageType n | t.inType(n))
     or
     expectation = "serviceInterface" and
-    not exists(Twirp::ServiceInterface n | t.inType(n.getNamedType()))
+    not exists(Twirp::ServiceInterfaceType n | t.inType(n.getNamedType()))
     or
     expectation = "serviceClient" and
-    not exists(Twirp::ServiceClient n | t.inType(n))
+    not exists(Twirp::ServiceClientType n | t.inType(n))
     or
     expectation = "serviceServer" and
-    not exists(Twirp::ServiceServer n | t.inType(n))
+    not exists(Twirp::ServiceServerType n | t.inType(n))
     or
     expectation = "clientConstructor" and
     not exists(Twirp::ClientConstructor n | t.inEntity(n))
     or
     expectation = "serverConstructor" and
     not exists(Twirp::ServerConstructor n | t.inEntity(n))
+    or
+    expectation = "ssrf" and
+    not exists(RequestForgery::Configuration cfg, DataFlow::Node sink |
+      cfg.hasFlow(_, sink) and t.inNode(sink)
+    )
   )
 }
 
@@ -115,22 +126,27 @@ query predicate passingNegativeTests(string res, string expectation, InlineTest
     not exists(RequestForgery::Sink n | t.inNode(n))
     or
     expectation = "!message" and
-    not exists(Twirp::ProtobufMessage n | t.inType(n))
+    not exists(Twirp::ProtobufMessageType n | t.inType(n))
     or
     expectation = "!serviceInterface" and
-    not exists(Twirp::ServiceInterface n | t.inType(n))
+    not exists(Twirp::ServiceInterfaceType n | t.inType(n))
     or
     expectation = "!serviceClient" and
-    not exists(Twirp::ServiceClient n | t.inType(n))
+    not exists(Twirp::ServiceClientType n | t.inType(n))
     or
     expectation = "!serviceServer" and
-    not exists(Twirp::ServiceServer n | t.inType(n))
+    not exists(Twirp::ServiceServerType n | t.inType(n))
     or
     expectation = "!clientConstructor" and
     not exists(Twirp::ClientConstructor n | t.inEntity(n))
     or
     expectation = "!serverConstructor" and
     not exists(Twirp::ServerConstructor n | t.inEntity(n))
+    or
+    expectation = "!ssrf" and
+    not exists(RequestForgery::Configuration cfg, DataFlow::Node sink |
+      cfg.hasFlow(_, sink) and t.inNode(sink)
+    )
   )
 }
 
@@ -148,21 +164,26 @@ query predicate failingNegativeTests(string res, string expectation, InlineTest
     exists(RequestForgery::Sink n | t.inNode(n))
     or
     expectation = "!message" and
-    exists(Twirp::ProtobufMessage n | t.inType(n))
+    exists(Twirp::ProtobufMessageType n | t.inType(n))
     or
     expectation = "!serviceInterface" and
-    exists(Twirp::ServiceInterface n | t.inType(n))
+    exists(Twirp::ServiceInterfaceType n | t.inType(n))
     or
     expectation = "!serviceClient" and
-    exists(Twirp::ServiceClient n | t.inType(n))
+    exists(Twirp::ServiceClientType n | t.inType(n))
     or
     expectation = "!serviceServer" and
-    exists(Twirp::ServiceServer n | t.inType(n))
+    exists(Twirp::ServiceServerType n | t.inType(n))
     or
     expectation = "!clientConstructor" and
     exists(Twirp::ClientConstructor n | t.inEntity(n))
     or
     expectation = "!serverConstructor" and
     exists(Twirp::ServerConstructor n | t.inEntity(n))
+    or
+    expectation = "!ssrf" and
+    exists(RequestForgery::Configuration cfg, DataFlow::Node sink |
+      cfg.hasFlow(_, sink) and t.inNode(sink)
+    )
   )
 }
