Merge pull request github#13602 from pwntester/ruby/add_gqlgen_support

Go: Add support for the gqlgen library

Author: owen-mc

go/ql/lib/change-notes/2023-06-28--add-support-for-gqlgen-framework.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Support for [gqlgen](https://github.com/99designs/gqlgen) has been added.

go/ql/lib/go.qll

@@ -42,6 +42,7 @@ import semmle.go.frameworks.Gin
 import semmle.go.frameworks.Glog
 import semmle.go.frameworks.GoMicro
 import semmle.go.frameworks.GoRestfulHttp
+import semmle.go.frameworks.Gqlgen
 import semmle.go.frameworks.K8sIoApimachineryPkgRuntime
 import semmle.go.frameworks.K8sIoApiCoreV1
 import semmle.go.frameworks.K8sIoClientGo

go/ql/lib/semmle/go/frameworks/Gqlgen.qll

@@ -0,0 +1,47 @@
+/** Provides models of commonly used functions and types in the gqlgen packages. */
+
+import go
+
+/** Provides models of commonly used functions and types in the gqlgen packages. */
+module Gqlgen {
+  /** An autogenerated file containing gqlgen code. */
+  private class GqlgenGeneratedFile extends File {
+    GqlgenGeneratedFile() {
+      exists(DataFlow::CallNode call |
+        call.getReceiver().getType().hasQualifiedName("github.com/99designs/gqlgen/graphql", _) and
+        call.getFile() = this
+      )
+    }
+  }
+
+  /** A resolver interface. */
+  private class ResolverInterface extends Type {
+    ResolverInterface() {
+      this.getQualifiedName().matches("%Resolver") and
+      this.getEntity().getDeclaration().getFile() instanceof GqlgenGeneratedFile
+    }
+  }
+
+  /** A resolver implementation. */
+  private class ResolverInterfaceMethod extends Method {
+    ResolverInterfaceMethod() { this.getReceiver().getType() instanceof ResolverInterface }
+  }
+
+  /** A resolver method which is exposed as a Graphql endpoint */
+  private class ResolverImplementationMethod extends Method {
+    ResolverImplementationMethod() { this.implements(any(ResolverInterfaceMethod r)) }
+
+    Parameter getAnUntrustedParameter() {
+      result.getFunction() = this.getFuncDecl() and
+      not result.getType().hasQualifiedName("context", "Context") and
+      result.getIndex() > 0
+    }
+  }
+
+  /** A parameter of a resolver method which receives untrusted input. */
+  class ResolverParameter extends UntrustedFlowSource::Range instanceof DataFlow::ParameterNode {
+    ResolverParameter() {
+      this.asParameter() = any(ResolverImplementationMethod h).getAnUntrustedParameter()
+    }
+  }
+}

go/ql/test/library-tests/semmle/go/frameworks/gqlgen/go.mod

@@ -0,0 +1,29 @@
+module pwntester/gqlgen-todos
+
+go 1.19
+
+require (
+	github.com/99designs/gqlgen v0.17.3
+	github.com/vektah/gqlparser/v2 v2.5.4
+)
+
+require (
+	github.com/agnivade/levenshtein v1.1.1 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
+	github.com/gorilla/websocket v1.5.0 // indirect
+	github.com/hashicorp/golang-lru v0.5.0 // indirect
+	github.com/kr/text v0.2.0 // indirect
+	github.com/matryer/moq v0.2.3 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
+	github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e // indirect
+	github.com/russross/blackfriday/v2 v2.1.0 // indirect
+	github.com/stretchr/testify v1.6.0 // indirect
+	github.com/urfave/cli/v2 v2.25.5 // indirect
+	github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect
+	golang.org/x/mod v0.6.0-dev // indirect
+	golang.org/x/sys v0.8.0 // indirect
+	golang.org/x/tools v0.1.9 // indirect
+	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
+	gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+)

go/ql/test/library-tests/semmle/go/frameworks/gqlgen/gqlgen.expected

@@ -0,0 +1,2 @@
+failures
+testFailures

go/ql/test/library-tests/semmle/go/frameworks/gqlgen/gqlgen.ql

@@ -0,0 +1,18 @@
+import go
+import TestUtilities.InlineExpectationsTest
+
+module ResolveParameterTest implements TestSig {
+  string getARelevantTag() { result = "resolverParameter" }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "resolverParameter" and
+    exists(Gqlgen::ResolverParameter p |
+      element = p.toString() and
+      value = "\"" + p.toString() + "\"" and
+      p.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
+        location.getStartColumn(), location.getEndLine(), location.getEndColumn())
+    )
+  }
+}
+
+import MakeTest<ResolveParameterTest>

go/ql/test/library-tests/semmle/go/frameworks/gqlgen/graph/generated.go

@@ -0,0 +1,7 @@
+package graph
+
+// This file will not be regenerated automatically.
+//
+// It serves as dependency injection for your app, add any dependencies you require here.
+
+type Resolver struct{}

go/ql/test/library-tests/semmle/go/frameworks/gqlgen/graph/model/models_gen.go

@@ -0,0 +1,28 @@
+# GraphQL schema example
+#
+# https://gqlgen.com/getting-started/
+
+type Todo {
+  id: ID!
+  text: String!
+  done: Boolean!
+  user: User!
+}
+
+type User {
+  id: ID!
+  name: String!
+}
+
+type Query {
+  todos: [Todo!]!
+}
+
+input NewTodo {
+  text: String!
+  userId: String!
+}
+
+type Mutation {
+  createTodo(input: NewTodo!): Todo!
+}