Merge pull request github#12059 from pwntester/go_twirp_support

[GoLang] Add support for Twirp framework

Author: smowton

go/ql/lib/change-notes/2023-02-01--add-support-for-twirp-framework.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Support for the Twirp framework has been added.

go/ql/lib/go.qll

@@ -56,6 +56,7 @@ import semmle.go.frameworks.SQL
 import semmle.go.frameworks.Stdlib
 import semmle.go.frameworks.SystemCommandExecutors
 import semmle.go.frameworks.Testing
+import semmle.go.frameworks.Twirp
 import semmle.go.frameworks.WebSocket
 import semmle.go.frameworks.XNetHtml
 import semmle.go.frameworks.XPath

go/ql/lib/semmle/go/frameworks/Twirp.qll

@@ -0,0 +1,175 @@
+/** Provides models of commonly used functions and types in the twirp packages. */
+
+import go
+private import semmle.go.security.RequestForgeryCustomizations
+
+/** Provides models of commonly used functions and types in the twirp packages. */
+module Twirp {
+  /**
+   * A *.pb.go file generated by Twirp.
+   *
+   * This file contains all the types representing protobuf messages and should have a companion *.twirp.go file.
+   */
+  class ProtobufGeneratedFile extends File {
+    ProtobufGeneratedFile() {
+      exists(string prefix, File f |
+        prefix = this.getBaseName().regexpCapture("^(.*)\\.pb\\.go$", 1) and
+        this.getParentContainer() = f.getParentContainer() and
+        f.getBaseName() = prefix + ".twirp.go"
+      )
+    }
+  }
+
+  /**
+   * A *.twirp.go file generated by Twirp.
+   *
+   * This file contains all the types representing protobuf services and should have a companion *.pb.go file.
+   */
+  class ServicesGeneratedFile extends File {
+    ServicesGeneratedFile() {
+      exists(string prefix, File f |
+        prefix = this.getBaseName().regexpCapture("^(.*)\\.twirp\\.go$", 1) and
+        this.getParentContainer() = f.getParentContainer() and
+        f.getBaseName() = prefix + ".pb.go"
+      )
+    }
+  }
+
+  /**
+   * A type representing a protobuf message.
+   */
+  class ProtobufMessageType extends Type {
+    ProtobufMessageType() {
+      exists(TypeEntity te |
+        te.getType() = this and
+        te.getDeclaration().getLocation().getFile() instanceof ProtobufGeneratedFile
+      )
+    }
+  }
+
+  /**
+   * An interface type representing a Twirp service.
+   */
+  class ServiceInterfaceType extends InterfaceType {
+    NamedType namedType;
+
+    ServiceInterfaceType() {
+      exists(TypeEntity te |
+        te.getType() = namedType and
+        namedType.getUnderlyingType() = this and
+        te.getDeclaration().getLocation().getFile() instanceof ServicesGeneratedFile
+      )
+    }
+
+    /**
+     * Gets the name of the interface.
+     */
+    override string getName() { result = namedType.getName() }
+
+    /**
+     * Gets the named type on top of this interface type.
+     */
+    NamedType getNamedType() { result = namedType }
+  }
+
+  /**
+   * A Twirp client.
+   */
+  class ServiceClientType extends NamedType {
+    ServiceClientType() {
+      exists(ServiceInterfaceType i, PointerType p, TypeEntity te |
+        p.implements(i) and
+        this = p.getBaseType() and
+        this.getName().regexpMatch("(?i)" + i.getName() + "(protobuf|json)client") and
+        te.getType() = this and
+        te.getDeclaration().getLocation().getFile() instanceof ServicesGeneratedFile
+      )
+    }
+  }
+
+  /**
+   * A Twirp server.
+   */
+  class ServiceServerType extends NamedType {
+    ServiceServerType() {
+      exists(ServiceInterfaceType i, TypeEntity te |
+        this.implements(i) and
+        this.getName().regexpMatch("(?i)" + i.getName() + "server") and
+        te.getType() = this and
+        te.getDeclaration().getLocation().getFile() instanceof ServicesGeneratedFile
+      )
+    }
+  }
+
+  /**
+   * A Twirp function to construct a Client.
+   */
+  class ClientConstructor extends Function {
+    ClientConstructor() {
+      exists(ServiceClientType c |
+        this.getName().regexpMatch("(?i)new" + c.getName()) and
+        this.getParameterType(0) instanceof StringType and
+        this.getParameterType(1).getName() = "HTTPClient" and
+        this.getDeclaration().getLocation().getFile() instanceof ServicesGeneratedFile
+      )
+    }
+  }
+
+  /**
+   * A Twirp function to construct a Server.
+   *
+   * Its first argument should be an implementation of the service interface.
+   */
+  class ServerConstructor extends Function {
+    ServerConstructor() {
+      exists(ServiceServerType c, ServiceInterfaceType i |
+        this.getName().regexpMatch("(?i)new" + c.getName()) and
+        this.getParameterType(0) = i.getNamedType() and
+        this.getDeclaration().getLocation().getFile() instanceof ServicesGeneratedFile
+      )
+    }
+  }
+
+  /**
+   * An SSRF sink for the Client constructor.
+   */
+  class ClientRequestUrlAsSink extends RequestForgery::Sink {
+    ClientRequestUrlAsSink() {
+      exists(DataFlow::CallNode call |
+        call.getArgument(0) = this and
+        call.getTarget() instanceof ClientConstructor
+      )
+    }
+
+    override DataFlow::Node getARequest() { result = this }
+
+    override string getKind() { result = "URL" }
+  }
+
+  /**
+   * A service handler.
+   */
+  class ServiceHandler extends Method {
+    ServiceHandler() {
+      exists(DataFlow::CallNode call, Type handlerType, ServiceInterfaceType i |
+        call.getTarget() instanceof ServerConstructor and
+        call.getArgument(0).getType() = handlerType and
+        this = handlerType.getMethod(_) and
+        this.implements(i.getNamedType().getMethod(_))
+      )
+    }
+  }
+
+  /**
+   * A request coming to the service handler.
+   */
+  class Request extends UntrustedFlowSource::Range instanceof DataFlow::ParameterNode {
+    Request() {
+      exists(Callable c, ServiceHandler handler | c.asFunction() = handler |
+        this.isParameterOf(c, 1) and
+        handler.getParameterType(0).hasQualifiedName("context", "Context") and
+        this.getType().(PointerType).getBaseType() instanceof ProtobufMessageType
+      )
+    }
+  }
+}

go/ql/test/library-tests/semmle/go/frameworks/Twirp/RequestForgery.expected

@@ -0,0 +1,26 @@
+edges
+| client/main.go:16:35:16:78 | &... | client/main.go:16:35:16:78 | &... |
+| client/main.go:16:35:16:78 | &... | server/main.go:19:56:19:61 | definition of params |
+| rpc/notes/service.twirp.go:473:6:473:13 | definition of typedReq | rpc/notes/service.twirp.go:477:44:477:51 | typedReq |
+| rpc/notes/service.twirp.go:477:44:477:51 | typedReq | server/main.go:19:56:19:61 | definition of params |
+| rpc/notes/service.twirp.go:554:6:554:13 | definition of typedReq | rpc/notes/service.twirp.go:558:44:558:51 | typedReq |
+| rpc/notes/service.twirp.go:558:44:558:51 | typedReq | server/main.go:19:56:19:61 | definition of params |
+| server/main.go:19:56:19:61 | definition of params | client/main.go:16:35:16:78 | &... |
+| server/main.go:19:56:19:61 | definition of params | rpc/notes/service.twirp.go:473:6:473:13 | definition of typedReq |
+| server/main.go:19:56:19:61 | definition of params | rpc/notes/service.twirp.go:554:6:554:13 | definition of typedReq |
+| server/main.go:19:56:19:61 | definition of params | server/main.go:19:56:19:61 | definition of params |
+| server/main.go:19:56:19:61 | definition of params | server/main.go:19:56:19:61 | definition of params |
+| server/main.go:19:56:19:61 | definition of params | server/main.go:30:38:30:48 | selection of Text |
+| server/main.go:19:56:19:61 | definition of params | server/main.go:30:38:30:48 | selection of Text |
+nodes
+| client/main.go:16:35:16:78 | &... | semmle.label | &... |
+| rpc/notes/service.twirp.go:473:6:473:13 | definition of typedReq | semmle.label | definition of typedReq |
+| rpc/notes/service.twirp.go:477:44:477:51 | typedReq | semmle.label | typedReq |
+| rpc/notes/service.twirp.go:554:6:554:13 | definition of typedReq | semmle.label | definition of typedReq |
+| rpc/notes/service.twirp.go:558:44:558:51 | typedReq | semmle.label | typedReq |
+| server/main.go:19:56:19:61 | definition of params | semmle.label | definition of params |
+| server/main.go:19:56:19:61 | definition of params | semmle.label | definition of params |
+| server/main.go:30:38:30:48 | selection of Text | semmle.label | selection of Text |
+subpaths
+#select
+| server/main.go:30:38:30:48 | selection of Text | server/main.go:19:56:19:61 | definition of params | server/main.go:30:38:30:48 | selection of Text | The $@ of this request depends on a $@. | server/main.go:30:38:30:48 | selection of Text | URL | server/main.go:19:56:19:61 | definition of params | user-provided value |

go/ql/test/library-tests/semmle/go/frameworks/Twirp/RequestForgery.qlref

@@ -0,0 +1 @@
+Security/CWE-918/RequestForgery.ql

go/ql/test/library-tests/semmle/go/frameworks/Twirp/client/main.go

@@ -0,0 +1,28 @@
+package main
+
+import (
+	"context"
+	"log"
+	"net/http"
+
+	"github.com/pwntester/go-twirp-rpc-example/rpc/notes"
+)
+
+func main() {
+	client := notes.NewNotesServiceProtobufClient("http://localhost:8000", &http.Client{}) // test: ssrfSink
+
+	ctx := context.Background()
+
+	_, err := client.CreateNote(ctx, &notes.CreateNoteParams{Text: "Hello World"})
+	if err != nil {
+		log.Fatal(err)
+	}
+	allNotes, err := client.GetAllNotes(ctx, &notes.GetAllNotesParams{})
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	for _, note := range allNotes.Notes {
+		log.Println(note)
+	}
+}

go/ql/test/library-tests/semmle/go/frameworks/Twirp/go.mod

@@ -0,0 +1,10 @@
+module github.com/pwntester/go-twirp-rpc-example
+
+go 1.19
+
+require (
+	github.com/twitchtv/twirp v8.1.3+incompatible
+	google.golang.org/protobuf v1.28.1
+)
+
+require github.com/pkg/errors v0.9.1 // indirect