Merge pull request github#13625 from GeekMasher/go-micro

[Go] GoMicro framework support

Author: owen-mc

go/ql/lib/change-notes/2023-06-29-modelling-go-micro.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Add support for v4 of the [Go Micro framework](https://github.com/go-micro/go-micro).

go/ql/lib/go.qll

@@ -40,6 +40,7 @@ import semmle.go.frameworks.Email
 import semmle.go.frameworks.Encoding
 import semmle.go.frameworks.Gin
 import semmle.go.frameworks.Glog
+import semmle.go.frameworks.GoMicro
 import semmle.go.frameworks.GoRestfulHttp
 import semmle.go.frameworks.K8sIoApimachineryPkgRuntime
 import semmle.go.frameworks.K8sIoApiCoreV1

go/ql/lib/semmle/go/frameworks/GoMicro.qll

@@ -0,0 +1,154 @@
+/**
+ * Provides models of the [Go Micro library](https://github.com/go-micro/go-micro).
+ */
+
+import go
+private import semmle.go.security.RequestForgeryCustomizations
+
+/**
+ * Module for Go Micro framework.
+ */
+module GoMicro {
+  /**
+   * A GoMicro server type.
+   */
+  class GoMicroServerType extends Type {
+    GoMicroServerType() { this.hasQualifiedName("go-micro.dev/v4/server", "Server") }
+  }
+
+  /**
+   * A GoMicro client type.
+   */
+  class GoMicroClientType extends Type {
+    GoMicroClientType() { this.hasQualifiedName("go-micro.dev/v4/client", "Client") }
+  }
+
+  /**
+   * A file that is generated by the protobuf compiler.
+   */
+  class ProtocGeneratedFile extends File {
+    ProtocGeneratedFile() { this.getBaseName().regexpMatch(".*\\.pb(\\.micro)?\\.go$") }
+  }
+
+  /**
+   * A type that is generated by the protobuf compiler.
+   */
+  class ProtocMessageType extends Type {
+    ProtocMessageType() {
+      this.hasLocationInfo(any(ProtocGeneratedFile f).getAbsolutePath(), _, _, _, _) and
+      exists(MethodDecl md |
+        md.getName() = "ProtoMessage" and
+        this = md.getReceiverDecl().getTypeExpr().getAChild().(TypeName).getType()
+      )
+    }
+  }
+
+  /**
+   * A Server Interface type.
+   */
+  class ServiceInterfaceType extends InterfaceType {
+    NamedType namedType;
+
+    ServiceInterfaceType() {
+      this = namedType.getUnderlyingType() and
+      namedType.hasLocationInfo(any(ProtocGeneratedFile f).getAbsolutePath(), _, _, _, _)
+    }
+
+    /**
+     * Gets the name of the interface.
+     */
+    override string getName() { result = namedType.getName() }
+
+    /**
+     * Gets the named type on top of this interface type.
+     */
+    NamedType getNamedType() { result = namedType }
+  }
+
+  /**
+   * A Service server handler type.
+   */
+  class ServiceServerType extends NamedType {
+    ServiceServerType() {
+      this.implements(any(ServiceInterfaceType i)) and
+      this.getName().regexpMatch("(?i).*Handler") and
+      this.hasLocationInfo(any(ProtocGeneratedFile f).getAbsolutePath(), _, _, _, _)
+    }
+  }
+
+  /**
+   * A Client server handler type.
+   */
+  class ClientServiceType extends NamedType {
+    ClientServiceType() {
+      this.implements(any(ServiceInterfaceType i)) and
+      this.getName().regexpMatch("(?i).*Service") and
+      this.hasLocationInfo(any(ProtocGeneratedFile f).getAbsolutePath(), _, _, _, _)
+    }
+  }
+
+  /**
+   * A service register handler.
+   */
+  class ServiceRegisterHandler extends Function {
+    ServiceRegisterHandler() {
+      this.getName().regexpMatch("(?i)register" + any(ServiceServerType c).getName()) and
+      this.getParameterType(0) instanceof GoMicroServerType and
+      this.hasLocationInfo(any(ProtocGeneratedFile f).getAbsolutePath(), _, _, _, _)
+    }
+  }
+
+  /**
+   * A service handler.
+   */
+  class ServiceHandler extends Method {
+    ServiceHandler() {
+      exists(DataFlow::CallNode call |
+        call.getTarget() instanceof ServiceRegisterHandler and
+        this = call.getArgument(1).getType().getMethod(_) and
+        this.implements(any(ServiceInterfaceType i).getNamedType().getMethod(_))
+      )
+    }
+  }
+
+  /**
+   * A client service function.
+   */
+  class ClientService extends Function {
+    ClientService() {
+      this.getName().regexpMatch("(?i)new" + any(ClientServiceType c).getName()) and
+      this.getParameterType(0) instanceof StringType and
+      this.getParameterType(1) instanceof GoMicroClientType and
+      this.hasLocationInfo(any(ProtocGeneratedFile f).getAbsolutePath(), _, _, _, _)
+    }
+  }
+
+  /**
+   * An SSRF sink for the Client service function.
+   */
+  class ClientRequestUrlAsSink extends RequestForgery::Sink {
+    ClientRequestUrlAsSink() {
+      exists(DataFlow::CallNode call |
+        call.getArgument(0) = this and
+        call.getTarget() instanceof ClientService
+      )
+    }
+
+    override DataFlow::Node getARequest() { result = this }
+
+    override string getKind() { result = "URL" }
+  }
+
+  /**
+   * A set of remote requests from a service handler.
+   */
+  class Request extends UntrustedFlowSource::Range instanceof DataFlow::ParameterNode {
+    Request() {
+      exists(ServiceHandler handler |
+        this.asParameter().isParameterOf(handler.getFuncDecl(), 1) and
+        handler.getParameterType(0).hasQualifiedName("context", "Context") and
+        this.getType().(PointerType).getBaseType() instanceof ProtocMessageType
+      )
+    }
+  }
+}

go/ql/test/library-tests/semmle/go/frameworks/GoMicro/LogInjection.expected

@@ -0,0 +1,24 @@
+edges
+| main.go:18:46:18:48 | definition of req | main.go:18:46:18:48 | definition of req |
+| main.go:18:46:18:48 | definition of req | main.go:18:46:18:48 | definition of req |
+| main.go:18:46:18:48 | definition of req | main.go:21:28:21:31 | name |
+| main.go:18:46:18:48 | definition of req | main.go:21:28:21:31 | name |
+| main.go:18:46:18:48 | definition of req | proto/Hello.pb.micro.go:85:53:85:54 | definition of in |
+| proto/Hello.pb.micro.go:85:53:85:54 | definition of in | proto/Hello.pb.micro.go:85:53:85:54 | definition of in |
+| proto/Hello.pb.micro.go:85:53:85:54 | definition of in | proto/Hello.pb.micro.go:86:37:86:38 | in |
+| proto/Hello.pb.micro.go:85:53:85:54 | definition of in | proto/Hello.pb.micro.go:86:37:86:38 | in |
+| proto/Hello.pb.micro.go:86:37:86:38 | in | main.go:18:46:18:48 | definition of req |
+| proto/Hello.pb.micro.go:86:37:86:38 | in | main.go:18:46:18:48 | definition of req |
+| proto/Hello.pb.micro.go:86:37:86:38 | in | proto/Hello.pb.micro.go:85:53:85:54 | definition of in |
+| proto/Hello.pb.micro.go:86:37:86:38 | in | proto/Hello.pb.micro.go:85:53:85:54 | definition of in |
+nodes
+| main.go:18:46:18:48 | definition of req | semmle.label | definition of req |
+| main.go:18:46:18:48 | definition of req | semmle.label | definition of req |
+| main.go:21:28:21:31 | name | semmle.label | name |
+| proto/Hello.pb.micro.go:85:53:85:54 | definition of in | semmle.label | definition of in |
+| proto/Hello.pb.micro.go:85:53:85:54 | definition of in | semmle.label | definition of in |
+| proto/Hello.pb.micro.go:86:37:86:38 | in | semmle.label | in |
+| proto/Hello.pb.micro.go:86:37:86:38 | in | semmle.label | in |
+subpaths
+#select
+| main.go:21:28:21:31 | name | main.go:18:46:18:48 | definition of req | main.go:21:28:21:31 | name | This log entry depends on a $@. | main.go:18:46:18:48 | definition of req | user-provided value |

go/ql/test/library-tests/semmle/go/frameworks/GoMicro/LogInjection.qlref

@@ -0,0 +1 @@
+Security/CWE-117/LogInjection.ql

go/ql/test/library-tests/semmle/go/frameworks/GoMicro/client/main.go

@@ -0,0 +1,29 @@
+package main
+
+import (
+	pb "codeql-go-tests/frameworks/GoMicro/proto"
+	"context"
+	"fmt"
+	"log"
+
+	micro "go-micro.dev/v4"
+)
+
+func main() {
+	// service
+	service := micro.NewService()
+	service.Init()
+	// context
+	ctx := context.Background()
+
+	greeterService := pb.NewGreeterService("http://localhost:8000", service.Client()) // $ clientRequest="http:\/\/localhost:8000"
+	// request
+	req := pb.Request{Name: "Mona"}
+	resp, err := greeterService.Hello(ctx, &req)
+
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	fmt.Println("Hello :: %s", resp.Greeting)
+}

go/ql/test/library-tests/semmle/go/frameworks/GoMicro/go.mod

@@ -0,0 +1,8 @@
+module codeql-go-tests/frameworks/GoMicro
+
+go 1.15
+
+require (
+	go-micro.dev/v4 v4.10.2
+	google.golang.org/protobuf v1.28.1
+)

go/ql/test/library-tests/semmle/go/frameworks/GoMicro/gomicro.expected

@@ -0,0 +1,2 @@
+failures
+testFailures

go/ql/test/library-tests/semmle/go/frameworks/GoMicro/gomicro.ql

@@ -0,0 +1,26 @@
+import go
+import TestUtilities.InlineExpectationsTest
+
+module GoMicroTest implements TestSig {
+  string getARelevantTag() { result = ["serverRequest", "clientRequest"] }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(DataFlow::Node node |
+      node.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
+        location.getStartColumn(), location.getEndLine(), location.getEndColumn()) and
+      (
+        node instanceof GoMicro::Request and
+        element = node.toString() and
+        value = "\"" + node.toString() + "\"" and
+        tag = "serverRequest"
+        or
+        node instanceof GoMicro::ClientRequestUrlAsSink and
+        element = node.toString() and
+        value = node.toString().replaceAll("/", "\\/") and
+        tag = "clientRequest"
+      )
+    )
+  }
+}
+
+import MakeTest<GoMicroTest>

go/ql/test/library-tests/semmle/go/frameworks/GoMicro/main.go

@@ -0,0 +1,39 @@
+package main
+
+//go:generate depstubber -vendor go-micro.dev/v4 Service,Option,Options NewService,Name,Handle,Server,Client
+//go:generate depstubber -vendor go-micro.dev/v4/server Server Handle
+//go:generate depstubber -vendor go-micro.dev/v4/client Client Call
+
+import (
+	pb "codeql-go-tests/frameworks/GoMicro/proto"
+	"context"
+	"fmt"
+	"log"
+
+	micro "go-micro.dev/v4"
+)
+
+type Greeter struct{}
+
+func (g *Greeter) Hello(ctx context.Context, req *pb.Request, rsp *pb.Response) error { // $ serverRequest="definition of req"
+	// var access
+	name := req.Name
+	fmt.Println("Name :: %s", name)
+	return nil
+}
+
+func main() {
+	// service
+	service := micro.NewService(
+		micro.Name("helloworld"),
+		micro.Handle(":8080"),
+	)
+
+	service.Init()
+
+	pb.RegisterGreeterHandler(service.Server(), new(Greeter))
+
+	if err := service.Run(); err != nil {
+		log.Fatal(err)
+	}
+}