From 053496dbcc6f737677bd1cd8cfbd2674e2e1d589 Mon Sep 17 00:00:00 2001
From: Slavomir
Date: Wed, 5 Aug 2020 18:32:51 +0200
Subject: [PATCH] Add compress/gzip taint tracking
---
 ql/src/semmle/go/frameworks/Stdlib.qll | 1 +
 .../go/frameworks/stdlib/CompressGzip.qll | 58 +++++++++++
 .../StdlibTaintFlow/CompressGzip.go | 96 +++++++++++++++++++
 3 files changed, 155 insertions(+)
 create mode 100644 ql/src/semmle/go/frameworks/stdlib/CompressGzip.qll
 create mode 100644 ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/CompressGzip.go
diff --git a/ql/src/semmle/go/frameworks/Stdlib.qll b/ql/src/semmle/go/frameworks/Stdlib.qll
index 619b29d7636..47944d1c6e5 100644
--- a/ql/src/semmle/go/frameworks/Stdlib.qll
+++ b/ql/src/semmle/go/frameworks/Stdlib.qll
@@ -9,6 +9,7 @@ import semmle.go.frameworks.stdlib.Bufio
 import semmle.go.frameworks.stdlib.Bytes
 import semmle.go.frameworks.stdlib.CompressBzip2
 import semmle.go.frameworks.stdlib.CompressFlate
+import semmle.go.frameworks.stdlib.CompressGzip
 
 /** A `String()` method. */
 class StringMethod extends TaintTracking::FunctionModel, Method {
diff --git a/ql/src/semmle/go/frameworks/stdlib/CompressGzip.qll b/ql/src/semmle/go/frameworks/stdlib/CompressGzip.qll
new file mode 100644
index 00000000000..d9cd38e9673
--- /dev/null
+++ b/ql/src/semmle/go/frameworks/stdlib/CompressGzip.qll
@@ -0,0 +1,58 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `compress/gzip` package.
+ */
+
+import go
+
+/** Provides models of commonly used functions in the `compress/gzip` package. */
+module CompressGzip {
+ private class FunctionModels extends TaintTracking::FunctionModel {
+ FunctionInput inp;
+ FunctionOutput outp;
+
+ FunctionModels() {
+ // signature: func NewReader(r io.Reader) (*Reader, error)
+ hasQualifiedName("compress/gzip", "NewReader") and
+ (inp.isParameter(0) and outp.isResult(0))
+ or
+ // signature: func NewWriter(w io.Writer) *Writer
+ hasQualifiedName("compress/gzip", "NewWriter") and
+ (inp.isResult() and outp.isParameter(0))
+ or
+ // signature: func NewWriterLevel(w io.Writer, level int) (*Writer, error)
+ hasQualifiedName("compress/gzip", "NewWriterLevel") and
+ (inp.isResult(0) and outp.isParameter(0))
+ }
+
+ override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+ input = inp and output = outp
+ }
+ }
+
+ private class MethodModels extends TaintTracking::FunctionModel, Method {
+ FunctionInput inp;
+ FunctionOutput outp;
+
+ MethodModels() {
+ // signature: func (*Reader).Read(p []byte) (n int, err error)
+ this.hasQualifiedName("compress/gzip", "Reader", "Read") and
+ (inp.isReceiver() and outp.isParameter(0))
+ or
+ // signature: func (*Reader).Reset(r io.Reader) error
+ this.hasQualifiedName("compress/gzip", "Reader", "Reset") and
+ (inp.isParameter(0) and outp.isReceiver())
+ or
+ // signature: func (*Writer).Reset(w io.Writer)
+ this.hasQualifiedName("compress/gzip", "Writer", "Reset") and
+ (inp.isReceiver() and outp.isParameter(0))
+ or
+ // signature: func (*Writer).Write(p []byte) (int, error)
+ this.hasQualifiedName("compress/gzip", "Writer", "Write") and
+ (inp.isParameter(0) and outp.isReceiver())
+ }
+
+ override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+ input = inp and output = outp
+ }
+ }
+}
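Review bot: The three writer-side models (`NewWriter`, `NewWriterLevel` and `Writer.Reset`) flow from the result or receiver back to parameter 0, and the only comments on them are the Go signatures, so the direction reads like a swapped `inp`/`outp` to anyone who does not already know the convention. A one-line why-comment above each would make the intent reviewable, for example `// data written to the returned *Writer ends up in w, so taint flows result -> parameter 0`. Separately, `gzip.Reader` exposes the stream's `Header` fields (`Name`, `Comment`, `Extra`), which are attacker-controlled when the archive is untrusted and are a common source of path-handling bugs downstream. Nothing in this module mentions them, so it is worth adding a test that confirms they are tainted via the library's generic field-read handling rather than assuming it.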
diff --git a/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/CompressGzip.go b/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/CompressGzip.go
new file mode 100644
index 00000000000..246b746025c
--- /dev/null
+++ b/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/CompressGzip.go
@@ -0,0 +1,96 @@ +// Code generated by https://github.com/gagliardetto/codebox. DO NOT EDIT. + +package main + +import ( + "compress/gzip" + "io" +) + +func TaintStepTest_CompressGzipNewReader_B0I0O0(sourceCQL interface{}) interface{} { + fromReader656 := sourceCQL.(io.Reader) + intoReader414, _ := gzip.NewReader(fromReader656) + return intoReader414 +} + +func TaintStepTest_CompressGzipNewWriter_B0I0O0(sourceCQL interface{}) interface{} { + fromWriter518 := sourceCQL.(*gzip.Writer) + var intoWriter650 io.Writer + intermediateCQL := gzip.NewWriter(intoWriter650) + link(fromWriter518, intermediateCQL) + return intoWriter650 +} + +func TaintStepTest_CompressGzipNewWriterLevel_B0I0O0(sourceCQL interface{}) interface{} { + fromWriter784 := sourceCQL.(*gzip.Writer) + var intoWriter957 io.Writer + intermediateCQL, _ := gzip.NewWriterLevel(intoWriter957, 0) + link(fromWriter784, intermediateCQL) + return intoWriter957 +} + +func TaintStepTest_CompressGzipReaderRead_B0I0O0(sourceCQL interface{}) interface{} { + fromReader520 := sourceCQL.(gzip.Reader) + var intoByte443 []byte + fromReader520.Read(intoByte443) + return intoByte443 +} + +func TaintStepTest_CompressGzipReaderReset_B0I0O0(sourceCQL interface{}) interface{} { + fromReader127 := sourceCQL.(io.Reader) + var intoReader483 gzip.Reader + intoReader483.Reset(fromReader127) + return intoReader483 +} + +func TaintStepTest_CompressGzipWriterReset_B0I0O0(sourceCQL interface{}) interface{} { + fromWriter989 := sourceCQL.(gzip.Writer) + var intoWriter982 io.Writer + fromWriter989.Reset(intoWriter982) + return intoWriter982 +} + +func TaintStepTest_CompressGzipWriterWrite_B0I0O0(sourceCQL interface{}) interface{} { + fromByte417 := sourceCQL.([]byte) + var intoWriter584 gzip.Writer + intoWriter584.Write(fromByte417) + return intoWriter584 +} + +func RunAllTaints_CompressGzip() { + { + source := newSource(0) + out := TaintStepTest_CompressGzipNewReader_B0I0O0(source) + sink(0, out) + } + { + source := newSource(1) + out := 
TaintStepTest_CompressGzipNewWriter_B0I0O0(source) + sink(1, out) + } + { + source := newSource(2) + out := TaintStepTest_CompressGzipNewWriterLevel_B0I0O0(source) + sink(2, out) + } + { + source := newSource(3) + out := TaintStepTest_CompressGzipReaderRead_B0I0O0(source) + sink(3, out) + } + { + source := newSource(4) + out := TaintStepTest_CompressGzipReaderReset_B0I0O0(source) + sink(4, out) + } + { + source := newSource(5) + out := TaintStepTest_CompressGzipWriterReset_B0I0O0(source) + sink(5, out) + } + { + source := newSource(6) + out := TaintStepTest_CompressGzipWriterWrite_B0I0O0(source) + sink(6, out) + } +}