Convert GoRestfulSource to MaD

owen-mc · owen-mc · commit 7bfa4c194760 · 2024-07-16T11:18:14.000+01:00
diff --git a/go/ql/lib/ext/github.com.emicklei.go-restful.model.yml b/go/ql/lib/ext/github.com.emicklei.go-restful.model.yml
@@ -0,0 +1,11 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sourceModel
+    data:
+      - ["github.com/emicklei/go-restful", "Request", True, "QueryParameters", "", "", "ReturnValue", "remote", "manual"] # TODO: should be .ArrayElement
+      - ["github.com/emicklei/go-restful", "Request", True, "QueryParameter", "", "", "ReturnValue", "remote", "manual"]
+      - ["github.com/emicklei/go-restful", "Request", True, "BodyParameter", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/emicklei/go-restful", "Request", True, "HeaderParameter", "", "", "ReturnValue", "remote", "manual"]
+      - ["github.com/emicklei/go-restful", "Request", True, "PathParameter", "", "", "ReturnValue", "remote", "manual"]
+      - ["github.com/emicklei/go-restful", "Request", True, "PathParameters", "", "", "ReturnValue", "remote", "manual"] # TODO: should be .MapValue
diff --git a/go/ql/lib/semmle/go/frameworks/GoRestfulHttp.qll b/go/ql/lib/semmle/go/frameworks/GoRestfulHttp.qll
@@ -11,26 +11,6 @@ private module GoRestfulHttp {
   /** Gets the package name `github.com/emicklei/go-restful`. */
   string packagePath() { result = package("github.com/emicklei/go-restful", "") }
 
-  /**
-   * A model for methods defined on go-restful's `Request` object that may return user-controlled data.
-   */
-  private class GoRestfulSourceMethod extends Method {
-    GoRestfulSourceMethod() {
-      this.hasQualifiedName(packagePath(), "Request",
-        [
-          "QueryParameters", "QueryParameter", "BodyParameter", "HeaderParameter", "PathParameter",
-          "PathParameters"
-        ])
-    }
-  }
-
-  /**
-   * A model of go-restful's `Request` object as a source of user-controlled data.
-   */
-  private class GoRestfulSource extends RemoteFlowSource::Range {
-    GoRestfulSource() { this = any(GoRestfulSourceMethod g).getACall() }
-  }
-
   /**
    * A model of go-restful's `Request.ReadEntity` method as a source of user-controlled data.
    */
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/Gorestful/gorestful.expected b/go/ql/test/library-tests/semmle/go/frameworks/Gorestful/gorestful.expected
@@ -1,18 +1,18 @@
 invalidModelRow
 edges
-| gorestful.go:15:15:15:44 | call to QueryParameters | gorestful.go:15:15:15:47 | index expression | provenance |  |
-| gorestful.go:17:12:17:39 | call to BodyParameter | gorestful.go:18:15:18:17 | val | provenance |  |
-| gorestful.go:21:15:21:38 | call to PathParameters | gorestful.go:21:15:21:45 | index expression | provenance |  |
+| gorestful.go:15:15:15:44 | call to QueryParameters | gorestful.go:15:15:15:47 | index expression | provenance | Src:MaD:316  |
+| gorestful.go:17:2:17:39 | ... := ...[0] | gorestful.go:18:15:18:17 | val | provenance | Src:MaD:318  |
+| gorestful.go:21:15:21:38 | call to PathParameters | gorestful.go:21:15:21:45 | index expression | provenance | Src:MaD:321  |
 | gorestful.go:23:21:23:24 | &... | gorestful.go:24:15:24:21 | selection of cmd | provenance |  |
-| gorestful_v2.go:15:15:15:44 | call to QueryParameters | gorestful_v2.go:15:15:15:47 | index expression | provenance |  |
-| gorestful_v2.go:17:12:17:39 | call to BodyParameter | gorestful_v2.go:18:15:18:17 | val | provenance |  |
-| gorestful_v2.go:21:15:21:38 | call to PathParameters | gorestful_v2.go:21:15:21:45 | index expression | provenance |  |
+| gorestful_v2.go:15:15:15:44 | call to QueryParameters | gorestful_v2.go:15:15:15:47 | index expression | provenance | Src:MaD:316  |
+| gorestful_v2.go:17:2:17:39 | ... := ...[0] | gorestful_v2.go:18:15:18:17 | val | provenance | Src:MaD:318  |
+| gorestful_v2.go:21:15:21:38 | call to PathParameters | gorestful_v2.go:21:15:21:45 | index expression | provenance | Src:MaD:321  |
 | gorestful_v2.go:23:21:23:24 | &... | gorestful_v2.go:24:15:24:21 | selection of cmd | provenance |  |
 nodes
 | gorestful.go:15:15:15:44 | call to QueryParameters | semmle.label | call to QueryParameters |
 | gorestful.go:15:15:15:47 | index expression | semmle.label | index expression |
 | gorestful.go:16:15:16:43 | call to QueryParameter | semmle.label | call to QueryParameter |
-| gorestful.go:17:12:17:39 | call to BodyParameter | semmle.label | call to BodyParameter |
+| gorestful.go:17:2:17:39 | ... := ...[0] | semmle.label | ... := ...[0] |
 | gorestful.go:18:15:18:17 | val | semmle.label | val |
 | gorestful.go:19:15:19:44 | call to HeaderParameter | semmle.label | call to HeaderParameter |
 | gorestful.go:20:15:20:42 | call to PathParameter | semmle.label | call to PathParameter |
@@ -23,7 +23,7 @@ nodes
 | gorestful_v2.go:15:15:15:44 | call to QueryParameters | semmle.label | call to QueryParameters |
 | gorestful_v2.go:15:15:15:47 | index expression | semmle.label | index expression |
 | gorestful_v2.go:16:15:16:43 | call to QueryParameter | semmle.label | call to QueryParameter |
-| gorestful_v2.go:17:12:17:39 | call to BodyParameter | semmle.label | call to BodyParameter |
+| gorestful_v2.go:17:2:17:39 | ... := ...[0] | semmle.label | ... := ...[0] |
 | gorestful_v2.go:18:15:18:17 | val | semmle.label | val |
 | gorestful_v2.go:19:15:19:44 | call to HeaderParameter | semmle.label | call to HeaderParameter |
 | gorestful_v2.go:20:15:20:42 | call to PathParameter | semmle.label | call to PathParameter |
@@ -35,14 +35,14 @@ subpaths
 #select
 | gorestful.go:15:15:15:47 | index expression | gorestful.go:15:15:15:44 | call to QueryParameters | gorestful.go:15:15:15:47 | index expression | This command depends on $@. | gorestful.go:15:15:15:44 | call to QueryParameters | a user-provided value |
 | gorestful.go:16:15:16:43 | call to QueryParameter | gorestful.go:16:15:16:43 | call to QueryParameter | gorestful.go:16:15:16:43 | call to QueryParameter | This command depends on $@. | gorestful.go:16:15:16:43 | call to QueryParameter | a user-provided value |
-| gorestful.go:18:15:18:17 | val | gorestful.go:17:12:17:39 | call to BodyParameter | gorestful.go:18:15:18:17 | val | This command depends on $@. | gorestful.go:17:12:17:39 | call to BodyParameter | a user-provided value |
+| gorestful.go:18:15:18:17 | val | gorestful.go:17:2:17:39 | ... := ...[0] | gorestful.go:18:15:18:17 | val | This command depends on $@. | gorestful.go:17:2:17:39 | ... := ...[0] | a user-provided value |
 | gorestful.go:19:15:19:44 | call to HeaderParameter | gorestful.go:19:15:19:44 | call to HeaderParameter | gorestful.go:19:15:19:44 | call to HeaderParameter | This command depends on $@. | gorestful.go:19:15:19:44 | call to HeaderParameter | a user-provided value |
 | gorestful.go:20:15:20:42 | call to PathParameter | gorestful.go:20:15:20:42 | call to PathParameter | gorestful.go:20:15:20:42 | call to PathParameter | This command depends on $@. | gorestful.go:20:15:20:42 | call to PathParameter | a user-provided value |
 | gorestful.go:21:15:21:45 | index expression | gorestful.go:21:15:21:38 | call to PathParameters | gorestful.go:21:15:21:45 | index expression | This command depends on $@. | gorestful.go:21:15:21:38 | call to PathParameters | a user-provided value |
 | gorestful.go:24:15:24:21 | selection of cmd | gorestful.go:23:21:23:24 | &... | gorestful.go:24:15:24:21 | selection of cmd | This command depends on $@. | gorestful.go:23:21:23:24 | &... | a user-provided value |
 | gorestful_v2.go:15:15:15:47 | index expression | gorestful_v2.go:15:15:15:44 | call to QueryParameters | gorestful_v2.go:15:15:15:47 | index expression | This command depends on $@. | gorestful_v2.go:15:15:15:44 | call to QueryParameters | a user-provided value |
 | gorestful_v2.go:16:15:16:43 | call to QueryParameter | gorestful_v2.go:16:15:16:43 | call to QueryParameter | gorestful_v2.go:16:15:16:43 | call to QueryParameter | This command depends on $@. | gorestful_v2.go:16:15:16:43 | call to QueryParameter | a user-provided value |
-| gorestful_v2.go:18:15:18:17 | val | gorestful_v2.go:17:12:17:39 | call to BodyParameter | gorestful_v2.go:18:15:18:17 | val | This command depends on $@. | gorestful_v2.go:17:12:17:39 | call to BodyParameter | a user-provided value |
+| gorestful_v2.go:18:15:18:17 | val | gorestful_v2.go:17:2:17:39 | ... := ...[0] | gorestful_v2.go:18:15:18:17 | val | This command depends on $@. | gorestful_v2.go:17:2:17:39 | ... := ...[0] | a user-provided value |
 | gorestful_v2.go:19:15:19:44 | call to HeaderParameter | gorestful_v2.go:19:15:19:44 | call to HeaderParameter | gorestful_v2.go:19:15:19:44 | call to HeaderParameter | This command depends on $@. | gorestful_v2.go:19:15:19:44 | call to HeaderParameter | a user-provided value |
 | gorestful_v2.go:20:15:20:42 | call to PathParameter | gorestful_v2.go:20:15:20:42 | call to PathParameter | gorestful_v2.go:20:15:20:42 | call to PathParameter | This command depends on $@. | gorestful_v2.go:20:15:20:42 | call to PathParameter | a user-provided value |
 | gorestful_v2.go:21:15:21:45 | index expression | gorestful_v2.go:21:15:21:38 | call to PathParameters | gorestful_v2.go:21:15:21:45 | index expression | This command depends on $@. | gorestful_v2.go:21:15:21:38 | call to PathParameters | a user-provided value |
