Merge pull request github#16809 from owen-mc/go/mad-sources-beego

Go: Convert Beego sources to MaD

Author: owen-mc

go/ql/lib/ext/github.com.astaxie.beego.context.model.yml

@@ -5,3 +5,54 @@ extensions:
     data:
       - ["github.com/astaxie/beego/context", "", False, "WriteBody", "", "", "Argument[2]", "Argument[1]", "taint", "manual"]
       - ["github.com/beego/beego/server/web/context", "", False, "WriteBody", "", "", "Argument[2]", "Argument[1]", "taint", "manual"]
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sourceModel
+    data:
+      - ["github.com/astaxie/beego/context", "BeegoInput", True, "Bind", "", "", "Argument[0]", "remote", "manual"]
+      - ["github.com/astaxie/beego/context", "BeegoInput", True, "Cookie", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/astaxie/beego/context", "BeegoInput", True, "Data", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/astaxie/beego/context", "BeegoInput", True, "GetData", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/astaxie/beego/context", "BeegoInput", True, "Header", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/astaxie/beego/context", "BeegoInput", True, "Param", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/astaxie/beego/context", "BeegoInput", True, "Params", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/astaxie/beego/context", "BeegoInput", True, "Query", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/astaxie/beego/context", "BeegoInput", True, "Refer", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/astaxie/beego/context", "BeegoInput", True, "Referer", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/astaxie/beego/context", "BeegoInput", True, "RequestBody", "", "", "", "remote", "manual"]
+      - ["github.com/astaxie/beego/context", "BeegoInput", True, "URI", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/astaxie/beego/context", "BeegoInput", True, "URL", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/astaxie/beego/context", "BeegoInput", True, "UserAgent", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/astaxie/beego/context", "Context", True, "GetCookie", "", "", "ReturnValue", "remote", "manual"]
+
+      - ["github.com/beego/beego/context", "BeegoInput", True, "Bind", "", "", "Argument[0]", "remote", "manual"]
+      - ["github.com/beego/beego/context", "BeegoInput", True, "Cookie", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/beego/beego/context", "BeegoInput", True, "Data", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/beego/beego/context", "BeegoInput", True, "GetData", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/beego/beego/context", "BeegoInput", True, "Header", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/beego/beego/context", "BeegoInput", True, "Param", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/beego/beego/context", "BeegoInput", True, "Params", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/beego/beego/context", "BeegoInput", True, "Query", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/beego/beego/context", "BeegoInput", True, "Refer", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/beego/beego/context", "BeegoInput", True, "Referer", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/beego/beego/context", "BeegoInput", True, "RequestBody", "", "", "", "remote", "manual"]
+      - ["github.com/beego/beego/context", "BeegoInput", True, "URI", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/beego/beego/context", "BeegoInput", True, "URL", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/beego/beego/context", "BeegoInput", True, "UserAgent", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/beego/beego/context", "Context", True, "GetCookie", "", "", "ReturnValue", "remote", "manual"]
+
+      - ["github.com/beego/beego/server/web/context", "BeegoInput", True, "Bind", "", "", "Argument[0]", "remote", "manual"]
+      - ["github.com/beego/beego/server/web/context", "BeegoInput", True, "Cookie", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/beego/beego/server/web/context", "BeegoInput", True, "Data", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/beego/beego/server/web/context", "BeegoInput", True, "GetData", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/beego/beego/server/web/context", "BeegoInput", True, "Header", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/beego/beego/server/web/context", "BeegoInput", True, "Param", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/beego/beego/server/web/context", "BeegoInput", True, "Params", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/beego/beego/server/web/context", "BeegoInput", True, "Query", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/beego/beego/server/web/context", "BeegoInput", True, "Refer", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/beego/beego/server/web/context", "BeegoInput", True, "Referer", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/beego/beego/server/web/context", "BeegoInput", True, "RequestBody", "", "", "", "remote", "manual"]
+      - ["github.com/beego/beego/server/web/context", "BeegoInput", True, "URI", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/beego/beego/server/web/context", "BeegoInput", True, "URL", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/beego/beego/server/web/context", "BeegoInput", True, "UserAgent", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/beego/beego/server/web/context", "Context", True, "GetCookie", "", "", "ReturnValue", "remote", "manual"]

go/ql/lib/ext/github.com.astaxie.beego.model.yml

@@ -10,10 +10,39 @@ extensions:
       - ["github.com/astaxie/beego", "", False, "ParseForm", "", "", "Argument[0]", "Argument[1]", "taint", "manual"]
       - ["github.com/astaxie/beego", "", False, "Str2html", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["github.com/astaxie/beego", "", False, "Substr", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["github.com/beego/beego", "", False, "HTML2str", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["github.com/beego/beego", "", False, "Htmlquote", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["github.com/beego/beego", "", False, "Htmlunquote", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["github.com/beego/beego", "", False, "MapGet", "", "", "Argument[0]", "ReturnValue[0]", "taint", "manual"]
+      - ["github.com/beego/beego", "", False, "ParseForm", "", "", "Argument[0]", "Argument[1]", "taint", "manual"]
+      - ["github.com/beego/beego", "", False, "Str2html", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["github.com/beego/beego", "", False, "Substr", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["github.com/beego/beego/server/web", "", False, "HTML2str", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["github.com/beego/beego/server/web", "", False, "Htmlquote", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["github.com/beego/beego/server/web", "", False, "Htmlunquote", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["github.com/beego/beego/server/web", "", False, "MapGet", "", "", "Argument[0]", "ReturnValue[0]", "taint", "manual"]
       - ["github.com/beego/beego/server/web", "", False, "ParseForm", "", "", "Argument[0]", "Argument[1]", "taint", "manual"]
       - ["github.com/beego/beego/server/web", "", False, "Str2html", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["github.com/beego/beego/server/web", "", False, "Substr", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sourceModel
+    data:
+      - ["github.com/astaxie/beego", "Controller", True, "ParseForm", "", "", "Argument[0]", "remote", "manual"]
+      - ["github.com/astaxie/beego", "Controller", True, "GetFile", "", "", "ReturnValue[0..1]", "remote", "manual"]
+      - ["github.com/astaxie/beego", "Controller", True, "GetFiles", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/astaxie/beego", "Controller", True, "GetString", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/astaxie/beego", "Controller", True, "GetStrings", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/astaxie/beego", "Controller", True, "Input", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/beego/beego", "Controller", True, "ParseForm", "", "", "Argument[0]", "remote", "manual"]
+      - ["github.com/beego/beego", "Controller", True, "GetFile", "", "", "ReturnValue[0..1]", "remote", "manual"]
+      - ["github.com/beego/beego", "Controller", True, "GetFiles", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/beego/beego", "Controller", True, "GetString", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/beego/beego", "Controller", True, "GetStrings", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/beego/beego", "Controller", True, "Input", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/beego/beego/server/web", "Controller", True, "ParseForm", "", "", "Argument[0]", "remote", "manual"]
+      - ["github.com/beego/beego/server/web", "Controller", True, "GetFile", "", "", "ReturnValue[0..1]", "remote", "manual"]
+      - ["github.com/beego/beego/server/web", "Controller", True, "GetFiles", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/beego/beego/server/web", "Controller", True, "GetString", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/beego/beego/server/web", "Controller", True, "GetStrings", "", "", "ReturnValue[0]", "remote", "manual"]
+      - ["github.com/beego/beego/server/web", "Controller", True, "Input", "", "", "ReturnValue[0]", "remote", "manual"]

go/ql/lib/semmle/go/frameworks/Beego.qll

@@ -47,79 +47,11 @@ module Beego {
     result = package(v2modulePath(), "core/utils")
   }
 
-  /**
-   * `BeegoInput` sources of untrusted data.
-   */
-  private class BeegoInputSource extends RemoteFlowSource::Range {
-    string methodName;
-
-    BeegoInputSource() {
-      exists(FunctionOutput output |
-        methodName = "Bind" and
-        output.isParameter(0)
-        or
-        methodName in [
-            "Cookie", "Data", "GetData", "Header", "Param", "Params", "Query", "Refer", "Referer",
-            "URI", "URL", "UserAgent"
-          ] and
-        output.isResult(0)
-      |
-        exists(DataFlow::MethodCallNode c | this = output.getExitNode(c) |
-          c.getTarget().hasQualifiedName(contextPackagePath(), "BeegoInput", methodName)
-        )
-      )
-    }
-
-    predicate isSafeUrlSource() { methodName in ["URI", "URL"] }
-  }
-
   /** `BeegoInput` sources that are safe to use for redirection. */
   private class BeegoInputSafeUrlSource extends SafeUrlFlow::Source {
-    BeegoInputSafeUrlSource() { this.(BeegoInputSource).isSafeUrlSource() }
-  }
-
-  /**
-   * `beego.Controller` sources of untrusted data.
-   */
-  private class BeegoControllerSource extends RemoteFlowSource::Range {
-    BeegoControllerSource() {
-      exists(string methodName, FunctionOutput output |
-        methodName = "ParseForm" and
-        output.isParameter(0)
-        or
-        methodName in ["GetFile", "GetFiles", "GetString", "GetStrings", "Input"] and
-        output.isResult(0)
-        or
-        methodName = "GetFile" and
-        output.isResult(1)
-      |
-        exists(DataFlow::MethodCallNode c |
-          c.getTarget().hasQualifiedName(packagePath(), "Controller", methodName)
-        |
-          this = output.getExitNode(c)
-        )
-      )
-    }
-  }
-
-  /**
-   * `BeegoInputRequestBody` sources of untrusted data.
-   */
-  private class BeegoInputRequestBodySource extends RemoteFlowSource::Range {
-    BeegoInputRequestBodySource() {
-      exists(DataFlow::FieldReadNode frn | this = frn |
-        frn.getField().hasQualifiedName(contextPackagePath(), "BeegoInput", "RequestBody")
-      )
-    }
-  }
-
-  /**
-   * `beego/context.Context` sources of untrusted data.
-   */
-  private class BeegoContextSource extends RemoteFlowSource::Range {
-    BeegoContextSource() {
-      exists(Method m | m.hasQualifiedName(contextPackagePath(), "Context", "GetCookie") |
-        this = m.getACall().getResult()
+    BeegoInputSafeUrlSource() {
+      exists(Method m | m.hasQualifiedName(contextPackagePath(), "BeegoInput", ["URI", "URL"]) |
+        this = m.getACall().getResult(0)
       )
     }
   }

go/ql/test/experimental/CWE-090/LDAPInjection.expected

@@ -1,18 +1,18 @@
 edges
-| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:59:3:59:11 | untrusted | provenance | Src:MaD:677  |
-| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:61:3:61:51 | ...+... | provenance | Src:MaD:677  |
-| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:62:3:62:33 | slice literal | provenance | Src:MaD:677  |
-| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:62:24:62:32 | untrusted | provenance | Src:MaD:677  |
-| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:66:3:66:11 | untrusted | provenance | Src:MaD:677  |
-| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:68:3:68:51 | ...+... | provenance | Src:MaD:677  |
-| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:69:3:69:33 | slice literal | provenance | Src:MaD:677  |
-| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:69:24:69:32 | untrusted | provenance | Src:MaD:677  |
-| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:73:3:73:11 | untrusted | provenance | Src:MaD:677  |
-| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:75:3:75:51 | ...+... | provenance | Src:MaD:677  |
-| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:76:3:76:33 | slice literal | provenance | Src:MaD:677  |
-| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:76:24:76:32 | untrusted | provenance | Src:MaD:677  |
-| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:80:22:80:30 | untrusted | provenance | Src:MaD:677  |
-| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:81:25:81:33 | untrusted | provenance | Src:MaD:677  |
+| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:59:3:59:11 | untrusted | provenance | Src:MaD:747  |
+| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:61:3:61:51 | ...+... | provenance | Src:MaD:747  |
+| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:62:3:62:33 | slice literal | provenance | Src:MaD:747  |
+| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:62:24:62:32 | untrusted | provenance | Src:MaD:747  |
+| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:66:3:66:11 | untrusted | provenance | Src:MaD:747  |
+| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:68:3:68:51 | ...+... | provenance | Src:MaD:747  |
+| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:69:3:69:33 | slice literal | provenance | Src:MaD:747  |
+| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:69:24:69:32 | untrusted | provenance | Src:MaD:747  |
+| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:73:3:73:11 | untrusted | provenance | Src:MaD:747  |
+| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:75:3:75:51 | ...+... | provenance | Src:MaD:747  |
+| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:76:3:76:33 | slice literal | provenance | Src:MaD:747  |
+| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:76:24:76:32 | untrusted | provenance | Src:MaD:747  |
+| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:80:22:80:30 | untrusted | provenance | Src:MaD:747  |
+| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:81:25:81:33 | untrusted | provenance | Src:MaD:747  |
 | LDAPInjection.go:62:3:62:33 | slice literal [array] | LDAPInjection.go:62:3:62:33 | slice literal | provenance |  |
 | LDAPInjection.go:62:24:62:32 | untrusted | LDAPInjection.go:62:3:62:33 | slice literal [array] | provenance |  |
 | LDAPInjection.go:69:3:69:33 | slice literal [array] | LDAPInjection.go:69:3:69:33 | slice literal | provenance |  |

go/ql/test/experimental/CWE-203/Timing.expected

@@ -1,9 +1,9 @@
 edges
-| timing.go:15:18:15:27 | selection of Header | timing.go:15:18:15:45 | call to Get | provenance | MaD:658 |
+| timing.go:15:18:15:27 | selection of Header | timing.go:15:18:15:45 | call to Get | provenance | MaD:728 |
 | timing.go:15:18:15:45 | call to Get | timing.go:17:31:17:42 | headerSecret | provenance |  |
-| timing.go:28:18:28:27 | selection of Header | timing.go:28:18:28:45 | call to Get | provenance | MaD:658 |
+| timing.go:28:18:28:27 | selection of Header | timing.go:28:18:28:45 | call to Get | provenance | MaD:728 |
 | timing.go:28:18:28:45 | call to Get | timing.go:30:47:30:58 | headerSecret | provenance |  |
-| timing.go:41:18:41:27 | selection of Header | timing.go:41:18:41:45 | call to Get | provenance | MaD:658 |
+| timing.go:41:18:41:27 | selection of Header | timing.go:41:18:41:45 | call to Get | provenance | MaD:728 |
 | timing.go:41:18:41:45 | call to Get | timing.go:42:25:42:36 | headerSecret | provenance |  |
 nodes
 | timing.go:15:18:15:27 | selection of Header | semmle.label | selection of Header |

go/ql/test/experimental/CWE-287/ImproperLdapAuth.expected

@@ -1,5 +1,5 @@
 edges
-| ImproperLdapAuth.go:18:18:18:24 | selection of URL | ImproperLdapAuth.go:18:18:18:32 | call to Query | provenance | MaD:738 |
+| ImproperLdapAuth.go:18:18:18:24 | selection of URL | ImproperLdapAuth.go:18:18:18:32 | call to Query | provenance | MaD:808 |
 | ImproperLdapAuth.go:18:18:18:32 | call to Query | ImproperLdapAuth.go:28:23:28:34 | bindPassword | provenance |  |
 | ImproperLdapAuth.go:87:18:87:19 | "" | ImproperLdapAuth.go:97:23:97:34 | bindPassword | provenance |  |
 nodes