Merge pull request #13602 from pwntester/ruby/add_gqlgen_support

Go: Add support for the gqlgen library

go/ql/lib/change-notes/2023-06-28--add-support-for-gqlgen-framework.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Support for [gqlgen](https://github.com/99designs/gqlgen) has been added.

go/ql/lib/go.qll

@@ -42,6 +42,7 @@ import semmle.go.frameworks.Gin
 import semmle.go.frameworks.Glog
 import semmle.go.frameworks.GoMicro
 import semmle.go.frameworks.GoRestfulHttp
+import semmle.go.frameworks.Gqlgen
 import semmle.go.frameworks.K8sIoApimachineryPkgRuntime
 import semmle.go.frameworks.K8sIoApiCoreV1
 import semmle.go.frameworks.K8sIoClientGo

go/ql/lib/semmle/go/frameworks/Gqlgen.qll

@@ -0,0 +1,47 @@
+/** Provides models of commonly used functions and types in the gqlgen packages. */
+
+import go
+
+/** Provides models of commonly used functions and types in the gqlgen packages. */
+module Gqlgen {
+  /** An autogenerated file containing gqlgen code. */
+  private class GqlgenGeneratedFile extends File {
+    GqlgenGeneratedFile() {
+      exists(DataFlow::CallNode call |
+        call.getReceiver().getType().hasQualifiedName("github.com/99designs/gqlgen/graphql", _) and
+        call.getFile() = this
+      )
+    }
+  }
+
+  /** A resolver interface. */
+  private class ResolverInterface extends Type {
+    ResolverInterface() {
+      this.getQualifiedName().matches("%Resolver") and
+      this.getEntity().getDeclaration().getFile() instanceof GqlgenGeneratedFile
+    }
+  }
+
+  /** A resolver implementation. */
+  private class ResolverInterfaceMethod extends Method {
+    ResolverInterfaceMethod() { this.getReceiver().getType() instanceof ResolverInterface }
+  }
+
+  /** A resolver method which is exposed as a Graphql endpoint */
+  private class ResolverImplementationMethod extends Method {
+    ResolverImplementationMethod() { this.implements(any(ResolverInterfaceMethod r)) }
+
+    Parameter getAnUntrustedParameter() {
+      result.getFunction() = this.getFuncDecl() and
+      not result.getType().hasQualifiedName("context", "Context") and
+      result.getIndex() > 0
+    }
+  }
+
+  /** A parameter of a resolver method which receives untrusted input. */
+  class ResolverParameter extends UntrustedFlowSource::Range instanceof DataFlow::ParameterNode {
+    ResolverParameter() {
+      this.asParameter() = any(ResolverImplementationMethod h).getAnUntrustedParameter()
+    }
+  }
+}

go/ql/test/library-tests/semmle/go/frameworks/gqlgen/go.mod

@@ -0,0 +1,29 @@
+module pwntester/gqlgen-todos
+
+go 1.19
+
+require (
+	github.com/99designs/gqlgen v0.17.3
+	github.com/vektah/gqlparser/v2 v2.5.4
+)
+
+require (
+	github.com/agnivade/levenshtein v1.1.1 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
+	github.com/gorilla/websocket v1.5.0 // indirect
+	github.com/hashicorp/golang-lru v0.5.0 // indirect
+	github.com/kr/text v0.2.0 // indirect
+	github.com/matryer/moq v0.2.3 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
+	github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e // indirect
+	github.com/russross/blackfriday/v2 v2.1.0 // indirect
+	github.com/stretchr/testify v1.6.0 // indirect
+	github.com/urfave/cli/v2 v2.25.5 // indirect
+	github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect
+	golang.org/x/mod v0.6.0-dev // indirect
+	golang.org/x/sys v0.8.0 // indirect
+	golang.org/x/tools v0.1.9 // indirect
+	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
+	gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+)

go/ql/test/library-tests/semmle/go/frameworks/gqlgen/gqlgen.expected

@@ -0,0 +1,2 @@
+failures
+testFailures

go/ql/test/library-tests/semmle/go/frameworks/gqlgen/gqlgen.ql

@@ -0,0 +1,18 @@
+import go
+import TestUtilities.InlineExpectationsTest
+
+module ResolveParameterTest implements TestSig {
+  string getARelevantTag() { result = "resolverParameter" }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "resolverParameter" and
+    exists(Gqlgen::ResolverParameter p |
+      element = p.toString() and
+      value = "\"" + p.toString() + "\"" and
+      p.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
+        location.getStartColumn(), location.getEndLine(), location.getEndColumn())
+    )
+  }
+}
+
+import MakeTest<ResolveParameterTest>

go/ql/test/library-tests/semmle/go/frameworks/gqlgen/graph/generated.go

@@ -0,0 +1,28 @@
+// Code generated by github.com/99designs/gqlgen, DO NOT EDIT.
+
+package graph
+
+import (
+	"context"
+	"pwntester/gqlgen-todos/graph/model"
+
+	"github.com/99designs/gqlgen/graphql"
+)
+
+type ResolverRoot interface {
+	Mutation() MutationResolver
+	Query() QueryResolver
+}
+
+type MutationResolver interface {
+	CreateTodo(ctx context.Context, input model.NewTodo) (*model.Todo, error)
+}
+type QueryResolver interface {
+	Todos(ctx context.Context) ([]*model.Todo, error)
+}
+
+func stub(dg graphql.CollectedField) {
+	dg.GetPosition()
+}
+
+// endregion ***************************** type.gotpl *****************************

go/ql/test/library-tests/semmle/go/frameworks/gqlgen/graph/model/models_gen.go

@@ -0,0 +1,20 @@
+// Code generated by github.com/99designs/gqlgen, DO NOT EDIT.
+
+package model
+
+type NewTodo struct {
+	Text   string `json:"text"`
+	UserID string `json:"userId"`
+}
+
+type Todo struct {
+	ID   string `json:"id"`
+	Text string `json:"text"`
+	Done bool   `json:"done"`
+	User *User  `json:"user"`
+}
+
+type User struct {
+	ID   string `json:"id"`
+	Name string `json:"name"`
+}

go/ql/test/library-tests/semmle/go/frameworks/gqlgen/graph/resolver.go

@@ -0,0 +1,7 @@
+package graph
+
+// This file will not be regenerated automatically.
+//
+// It serves as dependency injection for your app, add any dependencies you require here.
+
+type Resolver struct{}

go/ql/test/library-tests/semmle/go/frameworks/gqlgen/graph/schema.graphqls

@@ -0,0 +1,28 @@
+# GraphQL schema example
+#
+# https://gqlgen.com/getting-started/
+
+type Todo {
+  id: ID!
+  text: String!
+  done: Boolean!
+  user: User!
+}
+
+type User {
+  id: ID!
+  name: String!
+}
+
+type Query {
+  todos: [Todo!]!
+}
+
+input NewTodo {
+  text: String!
+  userId: String!
+}
+
+type Mutation {
+  createTodo(input: NewTodo!): Todo!
+}

go/ql/test/library-tests/semmle/go/frameworks/gqlgen/graph/schema.resolvers.go

@@ -0,0 +1,30 @@
+package graph
+
+// This file will be automatically regenerated based on the schema, any resolver implementations
+// will be copied through when generating and any unknown code will be moved to the end.
+// Code generated by github.com/99designs/gqlgen version v0.17.34
+
+import (
+	"context"
+	"fmt"
+	"pwntester/gqlgen-todos/graph/model"
+)
+
+// CreateTodo is the resolver for the createTodo field.
+func (r *mutationResolver) CreateTodo(ctx context.Context, input model.NewTodo) (*model.Todo, error) { // $ resolverParameter="definition of input"
+	panic(fmt.Errorf("not implemented: CreateTodo - createTodo %v", input))
+}
+
+// Todos is the resolver for the todos field.
+func (r *queryResolver) Todos(ctx context.Context) ([]*model.Todo, error) {
+	panic(fmt.Errorf("not implemented: Todos - todos"))
+}
+
+// Mutation returns MutationResolver implementation.
+func (r *Resolver) Mutation() MutationResolver { return &mutationResolver{r} }
+
+// Query returns QueryResolver implementation.
+func (r *Resolver) Query() QueryResolver { return &queryResolver{r} }
+
+type mutationResolver struct{ *Resolver }
+type queryResolver struct{ *Resolver }

go/ql/test/library-tests/semmle/go/frameworks/gqlgen/vendor/github.com/99designs/gqlgen/graphql/stub.go

@@ -0,0 +1,25 @@
+// Code generated by depstubber. DO NOT EDIT.
+// This is a simple stub for github.com/99designs/gqlgen/graphql, strictly for use in testing.
+
+// See the LICENSE file for information about the licensing of the original library.
+// Source: github.com/99designs/gqlgen/graphql (exports: CollectedField; functions: )
+
+// Package graphql is a stub of github.com/99designs/gqlgen/graphql, generated by depstubber.
+package graphql
+
+type CollectedField struct {
+	Field      interface{}
+	Selections interface{}
+}
+
+func (_ CollectedField) ArgumentMap(_ map[string]interface{}) map[string]interface{} {
+	return nil
+}
+
+func (_ CollectedField) GetPosition() interface{} {
+	return nil
+}
+
+func (_ CollectedField) UnmarshalJSON(_ []byte) error {
+	return nil
+}

go/ql/test/library-tests/semmle/go/frameworks/gqlgen/vendor/modules.txt

@@ -0,0 +1,60 @@
+# github.com/99designs/gqlgen v0.17.3
+## explicit
+github.com/99designs/gqlgen
+# github.com/vektah/gqlparser/v2 v2.5.4
+## explicit
+github.com/vektah/gqlparser/v2
+# github.com/agnivade/levenshtein v1.1.1
+## explicit
+github.com/agnivade/levenshtein
+# github.com/cpuguy83/go-md2man/v2 v2.0.2
+## explicit
+github.com/cpuguy83/go-md2man/v2
+# github.com/gorilla/websocket v1.5.0
+## explicit
+github.com/gorilla/websocket
+# github.com/hashicorp/golang-lru v0.5.0
+## explicit
+github.com/hashicorp/golang-lru
+# github.com/kr/text v0.2.0
+## explicit
+github.com/kr/text
+# github.com/matryer/moq v0.2.3
+## explicit
+github.com/matryer/moq
+# github.com/mitchellh/mapstructure v1.5.0
+## explicit
+github.com/mitchellh/mapstructure
+# github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e
+## explicit
+github.com/niemeyer/pretty
+# github.com/russross/blackfriday/v2 v2.1.0
+## explicit
+github.com/russross/blackfriday/v2
+# github.com/stretchr/testify v1.6.0
+## explicit
+github.com/stretchr/testify
+# github.com/urfave/cli/v2 v2.25.5
+## explicit
+github.com/urfave/cli/v2
+# github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673
+## explicit
+github.com/xrash/smetrics
+# golang.org/x/mod v0.6.0-dev
+## explicit
+golang.org/x/mod
+# golang.org/x/sys v0.8.0
+## explicit
+golang.org/x/sys
+# golang.org/x/tools v0.1.9
+## explicit
+golang.org/x/tools
+# golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1
+## explicit
+golang.org/x/xerrors
+# gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f
+## explicit
+gopkg.in/check.v1
+# gopkg.in/yaml.v2 v2.4.0
+## explicit
+gopkg.in/yaml.v2