From 0cb0879381128734c0413e1548077482a87e209c Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Wed, 16 Dec 2020 14:23:52 +0000
Subject: [PATCH] Model Secret and SecretList from k8s.io/api/core/v1
---
 ql/src/go.qll | 1 +
 .../semmle/go/frameworks/K8sIoApiCoreV1.qll | 62 ++++
 .../K8sIoApiCoreV1/TaintFlowsInline.expected | 0
 .../K8sIoApiCoreV1/TaintFlowsInline.ql | 38 +++
 .../go/frameworks/K8sIoApiCoreV1/go.mod | 8 +
 .../go/frameworks/K8sIoApiCoreV1/main.go | 96 ++++++
 .../vendor/k8s.io/api/core/v1/stub.go | 299 ++++++++++++++++++
 .../k8s.io/apimachinery/pkg/runtime/stub.go | 18 ++
 .../K8sIoApiCoreV1/vendor/modules.txt | 6 +
 9 files changed, 528 insertions(+)
 create mode 100644 ql/src/semmle/go/frameworks/K8sIoApiCoreV1.qll
 create mode 100644 ql/test/library-tests/semmle/go/frameworks/K8sIoApiCoreV1/TaintFlowsInline.expected
 create mode 100644 ql/test/library-tests/semmle/go/frameworks/K8sIoApiCoreV1/TaintFlowsInline.ql
 create mode 100644 ql/test/library-tests/semmle/go/frameworks/K8sIoApiCoreV1/go.mod
 create mode 100644 ql/test/library-tests/semmle/go/frameworks/K8sIoApiCoreV1/main.go
 create mode 100644 ql/test/library-tests/semmle/go/frameworks/K8sIoApiCoreV1/vendor/k8s.io/api/core/v1/stub.go
 create mode 100644 ql/test/library-tests/semmle/go/frameworks/K8sIoApiCoreV1/vendor/k8s.io/apimachinery/pkg/runtime/stub.go
 create mode 100644 ql/test/library-tests/semmle/go/frameworks/K8sIoApiCoreV1/vendor/modules.txt
diff --git a/ql/src/go.qll b/ql/src/go.qll
index 768779fae6f..2fb18272a11 100644
--- a/ql/src/go.qll
+++ b/ql/src/go.qll
@@ -39,6 +39,7 @@ import semmle.go.frameworks.Gin
 import semmle.go.frameworks.Glog
 import semmle.go.frameworks.GoRestfulHttp
 import semmle.go.frameworks.K8sIoApimachineryPkgRuntime
+import semmle.go.frameworks.K8sIoApiCoreV1
 import semmle.go.frameworks.K8sIoClientGo
 import semmle.go.frameworks.Logrus
 import semmle.go.frameworks.Macaron
diff --git a/ql/src/semmle/go/frameworks/K8sIoApiCoreV1.qll b/ql/src/semmle/go/frameworks/K8sIoApiCoreV1.qll
new file mode 100644
index 00000000000..fbadaa90dd8
--- /dev/null
+++ b/ql/src/semmle/go/frameworks/K8sIoApiCoreV1.qll
@@ -0,0 +1,62 @@
+/** Provides models of commonly used functions in the `k8s.io/api/core/v1` package. */
+
+import go
+
+/**
+ * Provides models of commonly used functions in the `k8s.io/api/core/v1` package.
+ */
+module K8sIoApiCoreV1 {
+ /** Gets the package name. */
+ bindingset[result]
+ string packagePath() { result = package("k8s.io/api", "core/v1") }
+
+ private class SecretDeepCopy extends TaintTracking::FunctionModel, Method {
+ string methodName;
+ FunctionOutput output;
+
+ SecretDeepCopy() {
+ (
+ methodName in ["DeepCopy", "DeepCopyObject"] and output.isResult()
+ or
+ methodName = "DeepCopyInto" and output.isParameter(0)
+ ) and
+ this.hasQualifiedName(packagePath(), ["Secret", "SecretList"], methodName)
+ }
+
+ override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) {
+ inp.isReceiver() and outp = outp
+ }
+ }
+
+ private class SecretMarshal extends TaintTracking::FunctionModel, Method,
+ MarshalingFunction::Range {
+ SecretMarshal() { this.hasQualifiedName(packagePath(), ["Secret", "SecretList"], "Marshal") }
+
+ override DataFlow::FunctionInput getAnInput() { result.isReceiver() }
+
+ override DataFlow::FunctionOutput getOutput() { result.isResult(0) }
+
+ override string getFormat() { result = "protobuf" }
+
+ override predicate hasTaintFlow(DataFlow::FunctionInput inp, DataFlow::FunctionOutput outp) {
+ inp = getAnInput() and outp = getOutput()
+ }
+ }
+
+ private class SecretUnmarshal extends TaintTracking::FunctionModel, Method,
+ UnmarshalingFunction::Range {
+ SecretUnmarshal() {
+ this.hasQualifiedName(packagePath(), ["Secret", "SecretList"], "Unmarshal")
+ }
+
+ override DataFlow::FunctionInput getAnInput() { result.isReceiver() }
+
+ override DataFlow::FunctionOutput getOutput() { result.isParameter(0) }
+
+ override string getFormat() { result = "protobuf" }
+
+ override predicate hasTaintFlow(DataFlow::FunctionInput inp, DataFlow::FunctionOutput outp) {
+ inp = getAnInput() and outp = getOutput()
+ }
+ }
+}
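Review bot: The `SecretUnmarshal` model near the end of the hunk has its direction reversed: `getAnInput()` is the receiver and `getOutput()` is parameter 0, yet `Unmarshal(dAtA []byte) error` presumably (as with every gogo-protobuf generated `Unmarshal`) decodes the bytes in `dAtA` into the receiver, so a tainted buffer should taint the `Secret`, not the other way round. As written, attacker-controlled protobuf reaching `Secret.Unmarshal` is not tracked into the resulting object, while an untouched `dAtA` gets flagged. The fix is to swap the two overrides: `override DataFlow::FunctionInput getAnInput() { result.isParameter(0) }` and `override DataFlow::FunctionOutput getOutput() { result.isReceiver() }`, with the inline expectation in main.go moved to the receiver to match. Separately, `SecretDeepCopy.hasTaintFlow` constrains `outp = outp`, which is vacuous: the `output` field computed in the characteristic predicate is never consulted, so taint propagates from the receiver to every `FunctionOutput` instead of only the result or `DeepCopyInto`'s argument; this should read `inp.isReceiver() and outp = output`.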
diff --git a/ql/test/library-tests/semmle/go/frameworks/K8sIoApiCoreV1/TaintFlowsInline.expected b/ql/test/library-tests/semmle/go/frameworks/K8sIoApiCoreV1/TaintFlowsInline.expected
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/ql/test/library-tests/semmle/go/frameworks/K8sIoApiCoreV1/TaintFlowsInline.ql b/ql/test/library-tests/semmle/go/frameworks/K8sIoApiCoreV1/TaintFlowsInline.ql
new file mode 100644
index 00000000000..c37858feb56
--- /dev/null
+++ b/ql/test/library-tests/semmle/go/frameworks/K8sIoApiCoreV1/TaintFlowsInline.ql
@@ -0,0 +1,38 @@
+import go
+import TestUtilities.InlineExpectationsTest
+
+class SourceFunction extends Function {
+ SourceFunction() { this.getName() = "source" }
+}
+
+class SinkFunction extends Function {
+ SinkFunction() { this.getName() = "sink" }
+}
+
+class TestConfig extends TaintTracking::Configuration {
+ TestConfig() { this = "testconfig" }
+
+ override predicate isSource(DataFlow::Node source) {
+ source = any(SourceFunction f).getACall().getResult(0)
+ }
+
+ override predicate isSink(DataFlow::Node sink) {
+ sink = any(SinkFunction f).getACall().getArgument(0)
+ }
+}
+
+class K8sIoApiCoreV1Test extends InlineExpectationsTest {
+ K8sIoApiCoreV1Test() { this = "K8sIoApiCoreV1Test" }
+
+ override string getARelevantTag() { result = "KsIoApiCoreV" }
+
+ override predicate hasActualResult(string file, int line, string element, string tag, string value) {
+ exists(TestConfig config, DataFlow::PathNode source, DataFlow::PathNode sink |
+ config.hasFlowPath(source, sink) and
+ sink.hasLocationInfo(file, line, _, _, _) and
+ element = sink.toString() and
+ value = "" and
+ tag = "KsIoApiCoreV"
+ )
+ }
+}
diff --git a/ql/test/library-tests/semmle/go/frameworks/K8sIoApiCoreV1/go.mod b/ql/test/library-tests/semmle/go/frameworks/K8sIoApiCoreV1/go.mod
new file mode 100644
index 00000000000..52890d17e76
--- /dev/null
+++ b/ql/test/library-tests/semmle/go/frameworks/K8sIoApiCoreV1/go.mod
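Review bot: The expectation tag `KsIoApiCoreV` in `getARelevantTag` is the module name with every digit removed and nothing in the file says why, so a reader comparing it with `K8sIoApiCoreV1Test` will take it for a typo. A one-line comment above the override, e.g. `// Digits are dropped: InlineExpectationsTest tags are presumably restricted to letters, "-" and "_" — confirm against the tag pattern`, would settle that. The same literal is then repeated inside `hasActualResult`; writing `tag = getARelevantTag()` there keeps the two from drifting apart. Note also that `isSink` marks only argument 0 of the variadic `sink`, which matches every call in main.go today but would silently ignore any later argument.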
@@ -0,0 +1,8 @@
+module codeql-go-tests/frameworks/K8sIoApiCoreV1
+
+go 1.14
+
+require (
+ k8s.io/api v0.20.0
+ k8s.io/apimachinery v0.20.0
+)
diff --git a/ql/test/library-tests/semmle/go/frameworks/K8sIoApiCoreV1/main.go b/ql/test/library-tests/semmle/go/frameworks/K8sIoApiCoreV1/main.go
new file mode 100644
index 00000000000..16db50cc342
--- /dev/null
+++ b/ql/test/library-tests/semmle/go/frameworks/K8sIoApiCoreV1/main.go
@@ -0,0 +1,96 @@
+package main
+
+import (
+ corev1 "k8s.io/api/core/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+)
+
+//go:generate depstubber -vendor k8s.io/api/core/v1 SecretList
+//go:generate depstubber -vendor k8s.io/apimachinery/pkg/runtime ProtobufMarshaller,ProtobufReverseMarshaller
+
+func source() interface{} {
+ return make([]byte, 1, 1)
+}
+
+func sink(...interface{}) {
+}
+
+func main() {
+
+ {
+ // func (in *Secret) DeepCopy() *Secret
+ sink(source().(*corev1.Secret).DeepCopy()) // $KsIoApiCoreV
+ }
+ {
+ // func (in *Secret) DeepCopyInto(out *Secret)
+ var out *corev1.Secret
+ source().(*corev1.Secret).DeepCopyInto(out)
+ sink(out) // $KsIoApiCoreV
+ }
+ {
+ // func (in *Secret) DeepCopyObject() runtime.Object
+ sink(source().(*corev1.Secret).DeepCopyObject()) // $KsIoApiCoreV
+ }
+ {
+ // func (m *Secret) Marshal() (dAtA []byte, err error)
+ sink(source().(*corev1.Secret).Marshal()) // $KsIoApiCoreV
+ }
+ {
+ // func (m *Secret) MarshalTo(dAtA []byte) (int, error)
+ var dAtA []byte
+ source().(*corev1.Secret).MarshalTo(dAtA)
+ sink(dAtA) // $KsIoApiCoreV
+ }
+ {
+ // func (m *Secret) MarshalToSizedBuffer(dAtA []byte) (int, error)
+ var dAtA []byte
+ source().(*corev1.Secret).MarshalToSizedBuffer(dAtA)
+ sink(dAtA) // $KsIoApiCoreV
+ }
+ {
+ // func (m *Secret) Unmarshal(dAtA []byte) error
+ var dAtA []byte
+ source().(*corev1.Secret).Unmarshal(dAtA)
+ sink(dAtA) // $KsIoApiCoreV
+ }
+
+ {
+ // func (in *SecretList) DeepCopy() *SecretList
+ sink(source().(*corev1.SecretList).DeepCopy()) // $KsIoApiCoreV
+ }
+ {
+ // func (in *SecretList) DeepCopyInto(out *SecretList)
+ var out *corev1.SecretList
+ source().(*corev1.SecretList).DeepCopyInto(out)
+ sink(out) // $KsIoApiCoreV
+ }
+ {
+ // func (in *SecretList) DeepCopyObject() runtime.Object
+ sink(source().(*corev1.SecretList).DeepCopyObject()) // $KsIoApiCoreV
+ }
+ {
+ // func (m *SecretList) Marshal() (dAtA []byte, err error)
+ sink(source().(*corev1.SecretList).Marshal()) // $KsIoApiCoreV
+ }
+ {
+ // func (m *SecretList) MarshalTo(dAtA []byte) (int, error)
+ var dAtA []byte
+ source().(*corev1.SecretList).MarshalTo(dAtA)
+ sink(dAtA) // $KsIoApiCoreV
+ }
+ {
+ // func (m *SecretList) MarshalToSizedBuffer(dAtA []byte) (int, error)
+ var dAtA []byte
+ source().(*corev1.SecretList).MarshalToSizedBuffer(dAtA)
+ sink(dAtA) // $KsIoApiCoreV
+ }
+ {
+ // func (m *SecretList) Unmarshal(dAtA []byte) error
+ var dAtA []byte
+ source().(*corev1.SecretList).Unmarshal(dAtA)
+ sink(dAtA) // $KsIoApiCoreV
+ }
+}
+
+func dummy1(runtime.ProtobufMarshaller) {}
+func dummy2(runtime.ProtobufReverseMarshaller) {}
diff --git a/ql/test/library-tests/semmle/go/frameworks/K8sIoApiCoreV1/vendor/k8s.io/api/core/v1/stub.go b/ql/test/library-tests/semmle/go/frameworks/K8sIoApiCoreV1/vendor/k8s.io/api/core/v1/stub.go
new file mode 100644
index 00000000000..1c9a8e0dfdd
--- /dev/null
+++ b/ql/test/library-tests/semmle/go/frameworks/K8sIoApiCoreV1/vendor/k8s.io/api/core/v1/stub.go
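Review bot: The two `Unmarshal` cases (the `Secret` block in the first half and the `SecretList` block in the second) expect taint on `dAtA` after `source().(*corev1.Secret).Unmarshal(dAtA)`, i.e. receiver-to-argument flow, which is the opposite of what an unmarshaler does: the bytes are the input and the receiver is what gets populated. The empty `TaintFlowsInline.expected` shows these expectations pass against the model as committed, so the test locks in the inverted direction rather than guarding against it. Each case should instead decode a tainted buffer into a fresh value and check that value: `var s corev1.Secret`, `s.Unmarshal(source().([]byte))`, `sink(s) // $KsIoApiCoreV` (and likewise with `corev1.SecretList`). A minor nit in the `DeepCopyInto` cases: `var out *corev1.Secret` is a nil pointer, harmless here because the stubs are no-ops and the file is only extracted, never run, but `out := new(corev1.Secret)` would make the snippet valid against the real library too.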
@@ -0,0 +1,299 @@ +// Code generated by depstubber. DO NOT EDIT. +// This is a simple stub for k8s.io/api/core/v1, strictly for use in testing. + +// See the LICENSE file for information about the licensing of the original library. +// Source: k8s.io/api/core/v1 (exports: SecretList; functions: ) + +// Package core is a stub of k8s.io/api/core/v1, generated by depstubber. +package core + +import () + +type Secret struct { + TypeMeta interface{} + ObjectMeta interface{} + Immutable *bool + Data map[string][]byte + StringData map[string]string + Type SecretType +} + +func (_ Secret) SwaggerDoc() map[string]string { + return nil +} + +func (_ *Secret) DeepCopy() *Secret { + return nil +} + +func (_ *Secret) DeepCopyInto(_ *Secret) {} + +func (_ *Secret) DeepCopyObject() interface{} { + return nil +} + +func (_ *Secret) Descriptor() ([]byte, []int) { + return nil, nil +} + +func (_ *Secret) GetAnnotations() map[string]string { + return nil +} + +func (_ *Secret) GetClusterName() string { + return "" +} + +func (_ *Secret) GetCreationTimestamp() interface{} { + return nil +} + +func (_ *Secret) GetDeletionGracePeriodSeconds() *int64 { + return nil +} + +func (_ *Secret) GetDeletionTimestamp() interface{} { + return nil +} + +func (_ *Secret) GetFinalizers() []string { + return nil +} + +func (_ *Secret) GetGenerateName() string { + return "" +} + +func (_ *Secret) GetGeneration() int64 { + return 0 +} + +func (_ *Secret) GetLabels() map[string]string { + return nil +} + +func (_ *Secret) GetManagedFields() []interface{} { + return nil +} + +func (_ *Secret) GetName() string { + return "" +} + +func (_ *Secret) GetNamespace() string { + return "" +} + +func (_ *Secret) GetObjectKind() interface{} { + return nil +} + +func (_ *Secret) GetObjectMeta() interface{} { + return nil +} + +func (_ *Secret) GetOwnerReferences() []interface{} { + return nil +} + +func (_ *Secret) GetResourceVersion() string { + return "" +} + +func (_ *Secret) GetSelfLink() string { + return "" +} 
+ +func (_ *Secret) GetUID() interface{} { + return nil +} + +func (_ *Secret) GroupVersionKind() interface{} { + return nil +} + +func (_ *Secret) Marshal() ([]byte, error) { + return nil, nil +} + +func (_ *Secret) MarshalTo(_ []byte) (int, error) { + return 0, nil +} + +func (_ *Secret) MarshalToSizedBuffer(_ []byte) (int, error) { + return 0, nil +} + +func (_ *Secret) ProtoMessage() {} + +func (_ *Secret) Reset() {} + +func (_ *Secret) SetAnnotations(_ map[string]string) {} + +func (_ *Secret) SetClusterName(_ string) {} + +func (_ *Secret) SetCreationTimestamp(_ interface{}) {} + +func (_ *Secret) SetDeletionGracePeriodSeconds(_ *int64) {} + +func (_ *Secret) SetDeletionTimestamp(_ interface{}) {} + +func (_ *Secret) SetFinalizers(_ []string) {} + +func (_ *Secret) SetGenerateName(_ string) {} + +func (_ *Secret) SetGeneration(_ int64) {} + +func (_ *Secret) SetGroupVersionKind(_ interface{}) {} + +func (_ *Secret) SetLabels(_ map[string]string) {} + +func (_ *Secret) SetManagedFields(_ []interface{}) {} + +func (_ *Secret) SetName(_ string) {} + +func (_ *Secret) SetNamespace(_ string) {} + +func (_ *Secret) SetOwnerReferences(_ []interface{}) {} + +func (_ *Secret) SetResourceVersion(_ string) {} + +func (_ *Secret) SetSelfLink(_ string) {} + +func (_ *Secret) SetUID(_ interface{}) {} + +func (_ *Secret) Size() int { + return 0 +} + +func (_ *Secret) String() string { + return "" +} + +func (_ *Secret) Unmarshal(_ []byte) error { + return nil +} + +func (_ *Secret) XXX_DiscardUnknown() {} + +func (_ *Secret) XXX_Marshal(_ []byte, _ bool) ([]byte, error) { + return nil, nil +} + +func (_ *Secret) XXX_Merge(_ interface{}) {} + +func (_ *Secret) XXX_Size() int { + return 0 +} + +func (_ *Secret) XXX_Unmarshal(_ []byte) error { + return nil +} + +type SecretList struct { + TypeMeta interface{} + ListMeta interface{} + Items []Secret +} + +func (_ SecretList) SwaggerDoc() map[string]string { + return nil +} + +func (_ *SecretList) DeepCopy() *SecretList { + 
return nil +} + +func (_ *SecretList) DeepCopyInto(_ *SecretList) {} + +func (_ *SecretList) DeepCopyObject() interface{} { + return nil +} + +func (_ *SecretList) Descriptor() ([]byte, []int) { + return nil, nil +} + +func (_ *SecretList) GetContinue() string { + return "" +} + +func (_ *SecretList) GetListMeta() interface{} { + return nil +} + +func (_ *SecretList) GetObjectKind() interface{} { + return nil +} + +func (_ *SecretList) GetRemainingItemCount() *int64 { + return nil +} + +func (_ *SecretList) GetResourceVersion() string { + return "" +} + +func (_ *SecretList) GetSelfLink() string { + return "" +} + +func (_ *SecretList) GroupVersionKind() interface{} { + return nil +} + +func (_ *SecretList) Marshal() ([]byte, error) { + return nil, nil +} + +func (_ *SecretList) MarshalTo(_ []byte) (int, error) { + return 0, nil +} + +func (_ *SecretList) MarshalToSizedBuffer(_ []byte) (int, error) { + return 0, nil +} + +func (_ *SecretList) ProtoMessage() {} + +func (_ *SecretList) Reset() {} + +func (_ *SecretList) SetContinue(_ string) {} + +func (_ *SecretList) SetGroupVersionKind(_ interface{}) {} + +func (_ *SecretList) SetRemainingItemCount(_ *int64) {} + +func (_ *SecretList) SetResourceVersion(_ string) {} + +func (_ *SecretList) SetSelfLink(_ string) {} + +func (_ *SecretList) Size() int { + return 0 +} + +func (_ *SecretList) String() string { + return "" +} + +func (_ *SecretList) Unmarshal(_ []byte) error { + return nil +} + +func (_ *SecretList) XXX_DiscardUnknown() {} + +func (_ *SecretList) XXX_Marshal(_ []byte, _ bool) ([]byte, error) { + return nil, nil +} + +func (_ *SecretList) XXX_Merge(_ interface{}) {} + +func (_ *SecretList) XXX_Size() int { + return 0 +} + +func (_ *SecretList) XXX_Unmarshal(_ []byte) error { + return nil +} + +type SecretType string 
diff --git a/ql/test/library-tests/semmle/go/frameworks/K8sIoApiCoreV1/vendor/k8s.io/apimachinery/pkg/runtime/stub.go b/ql/test/library-tests/semmle/go/frameworks/K8sIoApiCoreV1/vendor/k8s.io/apimachinery/pkg/runtime/stub.go new file mode 100644 index 00000000000..bb7bf043197 --- /dev/null +++ b/ql/test/library-tests/semmle/go/frameworks/K8sIoApiCoreV1/vendor/k8s.io/apimachinery/pkg/runtime/stub.go @@ -0,0 +1,18 @@ +// Code generated by depstubber. DO NOT EDIT. +// This is a simple stub for k8s.io/apimachinery/pkg/runtime, strictly for use in testing. + +// See the LICENSE file for information about the licensing of the original library. +// Source: k8s.io/apimachinery/pkg/runtime (exports: ProtobufMarshaller,ProtobufReverseMarshaller; functions: ) + +// Package runtime is a stub of k8s.io/apimachinery/pkg/runtime, generated by depstubber. +package runtime + +import () + +type ProtobufMarshaller interface { + MarshalTo(_ []byte) (int, error) +} + +type ProtobufReverseMarshaller interface { + MarshalToSizedBuffer(_ []byte) (int, error) +} diff --git a/ql/test/library-tests/semmle/go/frameworks/K8sIoApiCoreV1/vendor/modules.txt b/ql/test/library-tests/semmle/go/frameworks/K8sIoApiCoreV1/vendor/modules.txt new file mode 100644 index 00000000000..bd3ad03a88b --- /dev/null +++ b/ql/test/library-tests/semmle/go/frameworks/K8sIoApiCoreV1/vendor/modules.txt @@ -0,0 +1,6 @@ +# k8s.io/api v0.20.0 +## explicit +k8s.io/api +# k8s.io/apimachinery v0.20.0 +## explicit +k8s.io/apimachinery