fix tests, better afero support!

Author: am0o0

go/ql/lib/semmle/go/security/FileSystemAccess.qll

@@ -1,6 +1,5 @@
 import go
 
-
 /**
  * The File system access sinks of `net/http` package
  */
@@ -127,55 +126,100 @@ class FiberSystemAccess extends FileSystemAccess::Range, DataFlow::CallNode {
   override DataFlow::Node getAPathArgument() { result = this.getArgument(pathArg) }
 }
 
-string aferoPackage() { result = "github.com/spf13/afero" }
-
 /**
- * Provide File system access sinks of [afero](https://github.com/spf13/afero) filesystem framework
+ * Provide File system access sinks of [afero](https://github.com/spf13/afero) framework
  * The Types that are not vulnerable: `afero.BasePathFs` and `afero.IOFS`
  */
-class AferoSystemAccess extends FileSystemAccess::Range, DataFlow::CallNode {
-  int pathArg;
+module Afero {
+  string aferoPackage() { result = "github.com/spf13/afero" }
+
+  /**
+   * Provide File system access sinks of [afero](https://github.com/spf13/afero) framework methods
+   */
+  class AferoSystemAccess extends FileSystemAccess::Range, DataFlow::CallNode {
+    int pathArg;
+
+    AferoSystemAccess() {
+      exists(Method f |
+        f.hasQualifiedName(package(aferoPackage(), ""), "HttpFs",
+          ["Create", "Open", "OpenFile", "Remove", "RemoveAll"]) and
+        this = f.getACall() and
+        pathArg = 0
+        or
+        f.hasQualifiedName(package(aferoPackage(), ""), "RegexpFs",
+          ["Create", "Open", "OpenFile", "Remove", "RemoveAll", "Mkdir", "MkdirAll"]) and
+        this = f.getACall() and
+        pathArg = 0
+        or
+        f.hasQualifiedName(package(aferoPackage(), ""), "ReadOnlyFs",
+          ["Create", "Open", "OpenFile", "ReadDir", "ReadlinkIfPossible", "Mkdir", "MkdirAll"]) and
+        this = f.getACall() and
+        pathArg = 0
+        or
+        f.hasQualifiedName(package(aferoPackage(), ""), "OsFs",
+          [
+            "Create", "Open", "OpenFile", "ReadlinkIfPossible", "Remove", "RemoveAll", "Mkdir",
+            "MkdirAll"
+          ]) and
+        this = f.getACall() and
+        pathArg = 0
+        or
+        f.hasQualifiedName(package(aferoPackage(), ""), "MemMapFs",
+          ["Create", "Open", "OpenFile", "Remove", "RemoveAll", "Mkdir", "MkdirAll"]) and
+        this = f.getACall() and
+        pathArg = 0
+      )
+    }
+
+    override DataFlow::Node getAPathArgument() { result = this.getArgument(pathArg) }
+  }
+
+  /**
+   * Provide File system access sinks of [afero](https://github.com/spf13/afero) framework utility functions
+   * The Types that are not vulnerable: `afero.BasePathFs` and `afero.IOFS`
+   */
+  class AferoUtilityFunctionSystemAccess extends FileSystemAccess::Range, DataFlow::CallNode {
+    int pathArg;
+
+    AferoUtilityFunctionSystemAccess() {
+      // utility functions
+      exists(Function f |
+        f.hasQualifiedName(package(aferoPackage(), ""),
+          ["WriteReader", "SafeWriteReader", "WriteFile", "ReadFile", "ReadDir"]) and
+        this = f.getACall() and
+        pathArg = 1 and
+        not aferoSanitizer(this.getArgument(0))
+      )
+    }
+
+    override DataFlow::Node getAPathArgument() { result = this.getArgument(pathArg) }
+  }
 
-  AferoSystemAccess() {
-    // utility functions
+  /**
+   * A sanitizer for when the Afero utility functions has a first argument of a safe type like NewBasePathFs
+   *
+   * e.g.
+   * ```
+   * basePathFs := afero.NewBasePathFs(osFS, "tmp")
+   * afero.ReadFile(basePathFs, filepath)
+   * ```
+   */
+  predicate aferoSanitizer(DataFlow::Node n) {
     exists(Function f |
-      f.hasQualifiedName(package(aferoPackage(), ""),
-        ["WriteReader", "SafeWriteReader", "WriteFile", "ReadFile", "ReadDir"]) and
-      this = f.getACall() and
-      pathArg = 1
-    )
-    or
-    // afero FS Types
-    exists(Method f |
-      f.hasQualifiedName(package(aferoPackage(), ""), "HttpFs",
-        ["Create", "Open", "OpenFile", "Remove", "RemoveAll"]) and
-      this = f.getACall() and
-      pathArg = 0
-      or
-      f.hasQualifiedName(package(aferoPackage(), ""), "RegexpFs",
-        ["Create", "Open", "OpenFile", "Remove", "RemoveAll", "Mkdir", "MkdirAll"]) and
-      this = f.getACall() and
-      pathArg = 0
-      or
-      f.hasQualifiedName(package(aferoPackage(), ""), "ReadOnlyFs",
-        ["Create", "Open", "OpenFile", "ReadDir", "ReadlinkIfPossible", "Mkdir", "MkdirAll"]) and
-      this = f.getACall() and
-      pathArg = 0
-      or
-      f.hasQualifiedName(package(aferoPackage(), ""), "OsFs",
-        [
-          "Create", "Open", "OpenFile", "ReadlinkIfPossible", "Remove", "RemoveAll", "Mkdir",
-          "MkdirAll"
-        ]) and
-      this = f.getACall() and
-      pathArg = 0
-      or
-      f.hasQualifiedName(package(aferoPackage(), ""), "MemMapFs",
-        ["Create", "Open", "OpenFile", "Remove", "RemoveAll", "Mkdir", "MkdirAll"]) and
-      this = f.getACall() and
-      pathArg = 0
+      f.hasQualifiedName(package(aferoPackage(), ""), "NewBasePathFs") and
+      TaintTracking::localTaint(f.getACall(), n)
     )
   }
 
-  override DataFlow::Node getAPathArgument() { result = this.getArgument(pathArg) }
+  /**
+   * A helper for `aferoSanitizer` for when the Afero instance is initialized with one of the safe FS types like IOFS
+   *
+   * e.g.`n2 := &afero.Afero{Fs: afero.NewBasePathFs(osFS, "./")}` n1 is `afero.NewBasePathFs(osFS, "./")`
+   */
+  predicate additionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) {
+    exists(StructLit st | st.getType().hasQualifiedName(package(aferoPackage(), ""), "Afero") |
+      n1.asExpr() = st.getAChildExpr*() and
+      n2.asExpr() = st
+    )
+  }
 }

go/ql/test/library-tests/semmle/go/security/FileSystemAccess/FileSystemAccess.expected

@@ -1,26 +1,28 @@
-| main.go:26:6:26:69 | call to SaveToFileWithBuffer |
-| main.go:33:14:33:76 | call to WriteFile |
-| main.go:34:16:34:45 | call to ReadFile |
-| main.go:41:14:41:49 | call to ReadFile |
-| main.go:47:14:47:47 | call to ReadFile |
-| main.go:52:14:52:49 | call to ReadFile |
-| main.go:57:14:57:52 | call to ReadFile |
-| main.go:70:14:70:35 | call to ReadFile |
-| main.go:87:10:87:41 | call to File |
-| main.go:91:10:91:72 | call to Attachment |
-| main.go:100:10:100:29 | call to SendFile |
-| main.go:105:7:105:34 | call to SaveFile |
-| main.go:106:3:106:24 | call to Attachment |
-| main.go:107:10:107:29 | call to SendFile |
-| main.go:116:7:116:45 | call to SendFile |
-| main.go:117:3:117:32 | call to SendFile |
-| main.go:118:3:118:29 | call to SendFileBytes |
-| main.go:120:7:120:62 | call to SaveMultipartFile |
-| main.go:121:3:121:43 | call to ServeFile |
-| main.go:122:3:122:55 | call to ServeFileUncompressed |
-| main.go:123:3:123:40 | call to ServeFileBytes |
-| main.go:124:3:124:52 | call to ServeFileBytesUncompressed |
-| main.go:152:3:152:18 | call to File |
-| main.go:153:3:153:47 | call to ServeFile |
-| main.go:154:3:154:53 | call to FileAttachment |
-| main.go:156:7:156:40 | call to SaveUploadedFile |
+| main.go:23:2:23:48 | call to Download |
+| main.go:25:6:25:85 | call to SaveToFileWithBuffer |
+| main.go:33:14:33:41 | call to MkdirAll |
+| main.go:34:14:34:75 | call to WriteFile |
+| main.go:35:14:35:77 | call to WriteFile |
+| main.go:36:14:36:75 | call to WriteFile |
+| main.go:37:16:37:45 | call to ReadFile |
+| main.go:39:14:39:32 | call to Open |
+| main.go:41:14:41:61 | call to SafeWriteReader |
+| main.go:42:14:42:57 | call to WriteReader |
+| main.go:48:14:48:47 | call to ReadFile |
+| main.go:53:14:53:49 | call to ReadFile |
+| main.go:58:14:58:52 | call to ReadFile |
+| main.go:63:17:63:37 | call to Open |
+| main.go:94:10:94:41 | call to File |
+| main.go:98:10:98:72 | call to Attachment |
+| main.go:108:7:108:34 | call to SaveFile |
+| main.go:109:10:109:29 | call to SendFile |
+| main.go:116:6:116:35 | call to SendFile |
+| main.go:117:6:117:49 | call to SendFileWithRate |
+| main.go:118:6:118:28 | call to ServeFile |
+| main.go:119:6:119:42 | call to ServeFileWithRate |
+| main.go:120:12:120:45 | call to UploadFormFiles |
+| main.go:122:9:122:46 | call to SaveFormFile |
+| main.go:129:3:129:18 | call to File |
+| main.go:130:3:130:47 | call to ServeFile |
+| main.go:131:3:131:53 | call to FileAttachment |
+| main.go:133:7:133:40 | call to SaveUploadedFile |

go/ql/test/library-tests/semmle/go/security/FileSystemAccess/main.go

@@ -3,82 +3,89 @@ package main
 import (
 	"fmt"
 	beego "github.com/beego/beego/v2/server/web"
+	BeegoContext "github.com/beego/beego/v2/server/web/context"
 	"github.com/gin-gonic/gin"
 	"github.com/gofiber/fiber/v2"
-	"github.com/kataras/iris/v12"
+	"github.com/kataras/iris/v12/context"
 	"github.com/labstack/echo/v4"
 	"github.com/spf13/afero"
-	"github.com/valyala/fasthttp"
-	"mime/multipart"
-	"net"
 	"net/http"
+	"os"
 	"regexp"
 )
 
-type MainController struct {
-	beego.Controller
+func main() {
+	return
 }
 
-func (c *MainController) Get() {
-	filepath := c.Ctx.Request.URL.Query()["filepath"][0]
-	c.Ctx.Output.Download(filepath, "license.txt")
+func BeegoController(beegoController beego.Controller) {
+	beegoOutput := BeegoContext.BeegoOutput{}
+	beegoOutput.Download("filepath", "license.txt")
 	buffer := make([]byte, 10)
-	_ = c.SaveToFileWithBuffer("filenameExistsInForm", filepath, buffer)
-
+	_ = beegoController.SaveToFileWithBuffer("filenameExistsInForm", "filepath", buffer)
 }
 
 func Afero(writer http.ResponseWriter, request *http.Request) {
 	filepath := request.URL.Query()["filepath"][0]
+	//osFS := afero.NewMemMapFs()
+	// OR
 	osFS := afero.NewOsFs()
-	fmt.Println(afero.WriteFile(osFS, filepath, []byte("this is me d !"), 0755))
+	fmt.Println(osFS.MkdirAll("tmp/b", 0755))
+	fmt.Println(afero.WriteFile(osFS, "tmp/a", []byte("this is me a !"), 0755))
+	fmt.Println(afero.WriteFile(osFS, "tmp/b/c", []byte("this is me c !"), 0755))
+	fmt.Println(afero.WriteFile(osFS, "tmp/d", []byte("this is me d !"), 0755))
 	content, _ := afero.ReadFile(osFS, filepath)
 	fmt.Println(string(content))
 	fmt.Println(osFS.Open(filepath))
+	// BAD
+	fmt.Println(afero.SafeWriteReader(osFS, filepath, os.Stdout))
+	fmt.Println(afero.WriteReader(osFS, filepath, os.Stdout))
 
-	// BasePathFs
-	fmt.Println("BasePathFs:")
-	basePathFs := afero.NewBasePathFs(osFS, "tmp")
-	fmt.Println(afero.ReadFile(basePathFs, filepath))
-
-	// RegexpFs
+	// RegexpFs ==> BAD
 	fmt.Println("RegexpFs:")
 	regex, _ := regexp.Compile(".*")
 	regexpFs := afero.NewRegexpFs(osFS, regex)
 	fmt.Println(afero.ReadFile(regexpFs, filepath))
 
-	// ReadOnlyFS
+	// ReadOnlyFS ==> BAD
 	fmt.Println("ReadOnlyFS:")
 	readOnlyFS := afero.NewReadOnlyFs(osFS)
 	fmt.Println(afero.ReadFile(readOnlyFS, filepath))
 
-	// CacheOnReadFs
+	// CacheOnReadFs ==> BAD
 	fmt.Println("CacheOnReadFs:")
 	cacheOnReadFs := afero.NewCacheOnReadFs(osFS, osFS, 10)
 	fmt.Println(afero.ReadFile(cacheOnReadFs, filepath))
 
-	// HttpFS
+	// HttpFS ==> BAD
 	fmt.Println("HttpFS:")
 	httpFs := afero.NewHttpFs(osFS)
 	httpFile, _ := httpFs.Open(filepath)
 	tmpbytes := make([]byte, 30)
 	fmt.Println(httpFile.Read(tmpbytes))
 	fmt.Println(string(tmpbytes))
 
-	// Afero
+	// osFS ==> BAD
 	fmt.Println("Afero:")
 	afs := &afero.Afero{Fs: osFS}
 	fmt.Println(afs.ReadFile(filepath))
 
-	// IOFS ==> OK
+	// BasePathFs ==> BAD
+	fmt.Println("Afero:")
+	basePathFs0 := &afero.Afero{Fs: afero.NewBasePathFs(osFS, "tmp")}
+	fmt.Println(basePathFs0.ReadFile(filepath))
+
+	// IOFS ==> GOOD
 	fmt.Println("IOFS:")
 	ioFS := afero.NewIOFS(osFS)
 	fmt.Println(ioFS.ReadFile(filepath))
 	fmt.Println(ioFS.Open(filepath))
-}
 
-func Beego() {
-	beego.Router("/", &MainController{})
-	beego.Run()
+	// BasePathFs ==> GOOD
+	fmt.Println("BasePathFs:")
+	basePathFs := afero.NewBasePathFs(osFS, "tmp")
+	fmt.Println(afero.ReadFile(basePathFs, filepath))
+	afero.ReadFile(basePathFs, filepath)
 }
 
 func Echo() {
@@ -104,41 +111,16 @@ func Fiber() {
 	_ = app.Listen(":3000")
 }
 
-func Fasthttp() {
-	ln, _ := net.Listen("tcp4", "127.0.0.1:8080")
-	requestHandler := func(ctx *fasthttp.RequestCtx) {
-		filePath := ctx.QueryArgs().Peek("filePath")
-		_ = ctx.Response.SendFile(string(filePath))
-		ctx.SendFile(string(filePath))
-		ctx.SendFileBytes(filePath)
-		fileHeader, _ := ctx.FormFile("file")
-		_ = fasthttp.SaveMultipartFile(fileHeader, string(filePath))
-		fasthttp.ServeFile(ctx, string(filePath))
-		fasthttp.ServeFileUncompressed(ctx, string(filePath))
-		fasthttp.ServeFileBytes(ctx, filePath)
-		fasthttp.ServeFileBytesUncompressed(ctx, filePath)
-	}
-	_ = fasthttp.Serve(ln, requestHandler)
-}
-func IrisTest() {
-	app := iris.New()
-	app.UseRouter(iris.Compression)
-	app.Get("/", func(ctx iris.Context) {
-		filepath := ctx.URLParam("filepath")
-		_ = ctx.SendFile(filepath, "file")
-		_ = ctx.SendFileWithRate(filepath, "file", 0, 0)
-		_ = ctx.ServeFile(filepath)
-		_ = ctx.ServeFileWithRate(filepath, 0, 0)
-		_, _, _ = ctx.UploadFormFiles(filepath, beforeSave)
-		_, fileHeader, _ := ctx.FormFile("file")
-		_, _ = ctx.SaveFormFile(fileHeader, filepath)
+func IrisTest(ctx context.Context) {
+	filepath := ctx.URLParam("filepath")
+	_ = ctx.SendFile(filepath, "file")
+	_ = ctx.SendFileWithRate(filepath, "file", 0, 0)
+	_ = ctx.ServeFile(filepath)
+	_ = ctx.ServeFileWithRate(filepath, 0, 0)
+	_, _, _ = ctx.UploadFormFiles(filepath, nil)
+	_, fileHeader, _ := ctx.FormFile("file")
+	_, _ = ctx.SaveFormFile(fileHeader, filepath)
 
-	})
-	app.Listen(":8080")
-
-}
-func beforeSave(ctx iris.Context, file *multipart.FileHeader) bool {
-	return true
 }
 func Gin() {
 	router := gin.Default()