fix tests, add more comments

This commit is contained in:
amammad
2023-10-06 22:34:31 +02:00
parent 21f477a674
commit 13577f71d6
17 changed files with 601 additions and 27 deletions


@@ -14,7 +14,7 @@
import go
import semmle.go.dataflow.Properties
import MultipartAndFormRemoteSource
import DecompressionBombs
import experimental.frameworks.DecompressionBombs
module DecompressionBombsConfig implements DataFlow::StateConfigSig {
class FlowState = DecompressionBombs::FlowState;


@@ -42,12 +42,13 @@ module DecompressionBombs {
abstract DataFlow::Node sink();
}
/**
* Provides Decompression Sinks and additional flow steps for `github.com/DataDog/zstd` package
*/
module DataDogZstd {
class TheSink extends Range {
TheSink() {
exists(Method f |
f.hasQualifiedName("github.com/klauspost/compress/zstd", "Decoder", "Read")
|
exists(Method f | f.hasQualifiedName("github.com/DataDog/zstd", "reader", "Read") |
this = f.getACall().getReceiver()
)
}
@@ -78,6 +79,9 @@ module DecompressionBombs {
}
}
/**
* Provides Decompression Sinks and additional flow steps for `github.com/klauspost/compress/zstd` package
*/
module KlauspostZstd {
class TheSink extends Range {
TheSink() {
@@ -121,6 +125,9 @@ module DecompressionBombs {
}
}
/**
* Provides additional flow steps for `archive/zip` package
*/
module ArchiveZip {
class TheAdditionalTaintStep extends AdditionalTaintStep {
TheAdditionalTaintStep() { this = "AdditionalTaintStep" }
@@ -144,26 +151,10 @@ module DecompressionBombs {
}
}
/**
* Provides Decompression additional taint steps for `github.com/klauspost/compress/zip` package
*/
module KlauspostZip {
class TheSink extends Range {
TheSink() {
exists(Method f |
f.hasQualifiedName("github.com/klauspost/compress/zstd", "Decoder",
["WriteTo", "DecodeAll"])
|
this = f.getACall().getReceiver()
)
or
exists(Method f |
f.hasQualifiedName("github.com/klauspost/compress/zstd", "Decoder", "Read")
|
this = f.getACall().getReceiver()
)
}
override DataFlow::Node sink() { result = this }
}
class TheAdditionalTaintStep extends AdditionalTaintStep {
TheAdditionalTaintStep() { this = "AdditionalTaintStep" }
@@ -200,6 +191,9 @@ module DecompressionBombs {
}
}
/**
* Provides Decompression Sinks and additional taint steps for `github.com/ulikunitz/xz` package
*/
module UlikunitzXz {
class TheSink extends Range {
TheSink() {
@@ -233,6 +227,9 @@ module DecompressionBombs {
}
}
/**
* Provides Decompression Sinks and additional taint steps for `compress/gzip` package
*/
module CompressGzip {
class TheSink extends Range {
TheSink() {
@@ -267,6 +264,9 @@ module DecompressionBombs {
}
}
/**
* Provides Decompression Sinks and additional taint steps for `github.com/klauspost/compress/gzip` package
*/
module KlauspostGzip {
class TheSink extends Range {
TheSink() {
@@ -311,6 +311,9 @@ module DecompressionBombs {
}
}
/**
* Provides Decompression Sinks and additional taint steps for `compress/bzip2` package
*/
module CompressBzip2 {
class TheSink extends Range {
TheSink() {
@@ -345,6 +348,9 @@ module DecompressionBombs {
}
}
/**
* Provides Decompression Sinks and additional taint steps for `github.com/dsnet/compress/bzip2` package
*/
module DsnetBzip2 {
class TheSink extends Range {
TheSink() {
@@ -379,6 +385,9 @@ module DecompressionBombs {
}
}
/**
* Provides Decompression Sinks and additional taint steps for `github.com/dsnet/compress/flate` package
*/
module DsnetFlate {
class TheSink extends Range {
TheSink() {
@@ -413,6 +422,9 @@ module DecompressionBombs {
}
}
/**
* Provides Decompression Sinks and additional taint steps for `compress/flate` package
*/
module CompressFlate {
class TheSink extends Range {
TheSink() {
@@ -447,6 +459,9 @@ module DecompressionBombs {
}
}
/**
* Provides Decompression Sinks and additional taint steps for `github.com/klauspost/compress/flate` package
*/
module KlauspostFlate {
class TheSink extends Range {
TheSink() {
@@ -483,6 +498,9 @@ module DecompressionBombs {
}
}
/**
* Provides Decompression Sinks and additional taint steps for `github.com/klauspost/compress/zlib` package
*/
module KlauspostZlib {
class TheSink extends Range {
TheSink() {
@@ -519,6 +537,9 @@ module DecompressionBombs {
}
}
/**
* Provides Decompression Sinks and additional taint steps for `compress/zlib` package
*/
module CompressZlib {
class TheSink extends Range {
TheSink() {
@@ -553,6 +574,9 @@ module DecompressionBombs {
}
}
/**
* Provides Decompression Sinks and additional taint steps for `github.com/golang/snappy` package
*/
module GolangSnappy {
class TheSink extends Range {
TheSink() {
@@ -589,6 +613,9 @@ module DecompressionBombs {
}
}
/**
* Provides Decompression additional taint steps for `github.com/klauspost/compress/snappy` package
*/
module KlauspostSnappy {
class TheAdditionalTaintStep extends AdditionalTaintStep {
TheAdditionalTaintStep() { this = "AdditionalTaintStep" }
@@ -613,14 +640,17 @@ module DecompressionBombs {
}
}
/**
* Provides Decompression Sinks and additional taint steps for `github.com/klauspost/compress/s2` package
*/
module KlauspostS2 {
class TheSink extends Range {
TheSink() {
exists(Function f |
f.hasQualifiedName("github.com/klauspost/compress/s2.Reader",
exists(Method m |
m.hasQualifiedName("github.com/klauspost/compress/s2", "Reader",
["DecodeConcurrent", "ReadByte", "Read"])
|
this = f.getACall().getReceiver()
this = m.getACall().getReceiver()
)
}
@@ -650,6 +680,9 @@ module DecompressionBombs {
}
}
/**
* Provides Decompression Sinks for `"archive/tar` package
*/
module ArchiveTar {
class TheSink extends Range {
TheSink() {
@@ -662,6 +695,9 @@ module DecompressionBombs {
}
}
/**
* Provides Decompression Sinks for packages that use some standard IO interfaces/methods for reading decompressed data
*/
module GeneralReadIoSink {
class TheSink extends Range {
TheSink() {
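Review bot: The new `DataDogZstd.TheSink` in hunk `@@ -42,12 +42,13 @@` matches `Read` on the unexported type `github.com/DataDog/zstd.reader`, but the depstubber stub this commit adds for that package exports only `NewReader` returning `io.ReadCloser` and declares no `reader` type, so nothing in the test database can resolve to that method and the sink is never exercised; a `Read` on the returned value is presumably flagged by the generic `GeneralReadIoSink` instead, which hides the gap. Either regenerate the stub so the concrete reader type and its `Read` are present, or make the sink match `Read` calls whose receiver flows from the result of `zstd.NewReader`, and add a test case that only this sink can report. Separately, the `ArchiveTar` doc comment in hunk `@@ -650,6 +680,9 @@` has a stray quote and should read `* Provides Decompression Sinks for `archive/tar` package`. The enclosing `module DecompressionBombs` begins and ends outside the shown hunks.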


@@ -1,4 +1,3 @@
WARNING: Reference to DecompressionBombs references a local library, not the named module. (/home/am/CodeQL-home/codeql-repo-amammad/go/ql/src/experimental/CWE-522-DecompressionBombs/DecompressionBombs.ql:17,8-26)
edges
| test.go:56:18:56:29 | selection of Body | test.go:165:22:165:25 | definition of file |
| test.go:57:15:57:26 | selection of Body | test.go:135:19:135:22 | definition of file |


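--- /dev/null
+++ b/PATH_NOT_ON_PAGE/go.mod
@@ -0,0 +1,12 @@
+module Bombs
+go 1.20
+require (
+github.com/DataDog/zstd v1.5.5
+github.com/dsnet/compress v0.0.1
+github.com/golang/snappy v0.0.4
+github.com/klauspost/compress v1.16.6
+github.com/klauspost/pgzip v1.2.6
+github.com/ulikunitz/xz v0.5.11
+)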


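--- /dev/null
+++ b/PATH_NOT_ON_PAGE/github.com/DataDog/zstd/FILE_NOT_ON_PAGE.go
@@ -0,0 +1,16 @@
+// Code generated by depstubber. DO NOT EDIT.
+// This is a simple stub for github.com/DataDog/zstd, strictly for use in testing.
+// See the LICENSE file for information about the licensing of the original library.
+// Source: github.com/DataDog/zstd (exports: ; functions: NewReader)
+// Package zstd is a stub of github.com/DataDog/zstd, generated by depstubber.
+package zstd
+import (
+io "io"
+)
+func NewReader(_ io.Reader) io.ReadCloser {
+return nil
+}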


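--- /dev/null
+++ b/PATH_NOT_ON_PAGE/github.com/dsnet/compress/flate/FILE_NOT_ON_PAGE.go
@@ -0,0 +1,35 @@
+// Code generated by depstubber. DO NOT EDIT.
+// This is a simple stub for github.com/dsnet/compress/flate, strictly for use in testing.
+// See the LICENSE file for information about the licensing of the original library.
+// Source: github.com/dsnet/compress/flate (exports: Reader; functions: NewReader)
+// Package flate is a stub of github.com/dsnet/compress/flate, generated by depstubber.
+package flate
+import (
+io "io"
+)
+func NewReader(_ io.Reader, _ *ReaderConfig) (*Reader, error) {
+return nil, nil
+}
+type Reader struct {
+InputOffset int64
+OutputOffset int64
+}
+func (_ *Reader) Close() error {
+return nil
+}
+func (_ *Reader) Read(_ []byte) (int, error) {
+return 0, nil
+}
+func (_ *Reader) Reset(_ io.Reader) error {
+return nil
+}
+type ReaderConfig struct{}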


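--- /dev/null
+++ b/PATH_NOT_ON_PAGE/github.com/golang/snappy/FILE_NOT_ON_PAGE.go
@@ -0,0 +1,28 @@
+// Code generated by depstubber. DO NOT EDIT.
+// This is a simple stub for github.com/golang/snappy, strictly for use in testing.
+// See the LICENSE file for information about the licensing of the original library.
+// Source: github.com/golang/snappy (exports: Reader; functions: NewReader)
+// Package snappy is a stub of github.com/golang/snappy, generated by depstubber.
+package snappy
+import (
+io "io"
+)
+func NewReader(_ io.Reader) *Reader {
+return nil
+}
+type Reader struct{}
+func (_ *Reader) Read(_ []byte) (int, error) {
+return 0, nil
+}
+func (_ *Reader) ReadByte() (byte, error) {
+return 0, nil
+}
+func (_ *Reader) Reset(_ io.Reader) {}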


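--- /dev/null
+++ b/PATH_NOT_ON_PAGE/github.com/klauspost/compress/flate/FILE_NOT_ON_PAGE.go
@@ -0,0 +1,16 @@
+// Code generated by depstubber. DO NOT EDIT.
+// This is a simple stub for github.com/klauspost/compress/flate, strictly for use in testing.
+// See the LICENSE file for information about the licensing of the original library.
+// Source: github.com/klauspost/compress/flate (exports: ; functions: NewReader)
+// Package flate is a stub of github.com/klauspost/compress/flate, generated by depstubber.
+package flate
+import (
+io "io"
+)
+func NewReader(_ io.Reader) io.ReadCloser {
+return nil
+}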


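--- /dev/null
+++ b/PATH_NOT_ON_PAGE/github.com/klauspost/compress/gzip/FILE_NOT_ON_PAGE.go
@@ -0,0 +1,47 @@
+// Code generated by depstubber. DO NOT EDIT.
+// This is a simple stub for github.com/klauspost/compress/gzip, strictly for use in testing.
+// See the LICENSE file for information about the licensing of the original library.
+// Source: github.com/klauspost/compress/gzip (exports: Reader; functions: NewReader)
+// Package gzip is a stub of github.com/klauspost/compress/gzip, generated by depstubber.
+package gzip
+import (
+io "io"
+time "time"
+)
+type Header struct {
+Comment string
+Extra []byte
+ModTime time.Time
+Name string
+OS byte
+}
+func NewReader(_ io.Reader) (*Reader, error) {
+return nil, nil
+}
+type Reader struct {
+Header Header
+}
+func (_ *Reader) Close() error {
+return nil
+}
+func (_ *Reader) Multistream(_ bool) {}
+func (_ *Reader) Read(_ []byte) (int, error) {
+return 0, nil
+}
+func (_ *Reader) Reset(_ io.Reader) error {
+return nil
+}
+func (_ *Reader) WriteTo(_ io.Writer) (int64, error) {
+return 0, nil
+}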


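--- /dev/null
+++ b/PATH_NOT_ON_PAGE/github.com/klauspost/compress/s2/FILE_NOT_ON_PAGE.go
@@ -0,0 +1,84 @@
+// Code generated by depstubber. DO NOT EDIT.
+// This is a simple stub for github.com/klauspost/compress/s2, strictly for use in testing.
+// See the LICENSE file for information about the licensing of the original library.
+// Source: github.com/klauspost/compress/s2 (exports: Reader; functions: NewReader)
+// Package s2 is a stub of github.com/klauspost/compress/s2, generated by depstubber.
+package s2
+import (
+io "io"
+)
+func NewReader(_ io.Reader, _ ...ReaderOption) *Reader {
+return nil
+}
+type ReadSeeker struct {
+Reader *Reader
+}
+func (_ ReadSeeker) DecodeConcurrent(_ io.Writer, _ int) (int64, error) {
+return 0, nil
+}
+func (_ ReadSeeker) Read(_ []byte) (int, error) {
+return 0, nil
+}
+func (_ ReadSeeker) ReadByte() (byte, error) {
+return 0, nil
+}
+func (_ ReadSeeker) ReadSeeker(_ bool, _ []byte) (*ReadSeeker, error) {
+return nil, nil
+}
+func (_ ReadSeeker) Reset(_ io.Reader) {}
+func (_ ReadSeeker) Skip(_ int64) error {
+return nil
+}
+func (_ ReadSeeker) SkippableCB(_ byte, _ func(io.Reader) error) error {
+return nil
+}
+func (_ *ReadSeeker) ReadAt(_ []byte, _ int64) (int, error) {
+return 0, nil
+}
+func (_ *ReadSeeker) Seek(_ int64, _ int) (int64, error) {
+return 0, nil
+}
+type Reader struct{}
+func (_ *Reader) DecodeConcurrent(_ io.Writer, _ int) (int64, error) {
+return 0, nil
+}
+func (_ *Reader) Read(_ []byte) (int, error) {
+return 0, nil
+}
+func (_ *Reader) ReadByte() (byte, error) {
+return 0, nil
+}
+func (_ *Reader) ReadSeeker(_ bool, _ []byte) (*ReadSeeker, error) {
+return nil, nil
+}
+func (_ *Reader) Reset(_ io.Reader) {}
+func (_ *Reader) Skip(_ int64) error {
+return nil
+}
+func (_ *Reader) SkippableCB(_ byte, _ func(io.Reader) error) error {
+return nil
+}
+type ReaderOption func(*Reader) error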


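--- /dev/null
+++ b/PATH_NOT_ON_PAGE/github.com/klauspost/compress/snappy/FILE_NOT_ON_PAGE.go
@@ -0,0 +1,16 @@
+// Code generated by depstubber. DO NOT EDIT.
+// This is a simple stub for github.com/klauspost/compress/snappy, strictly for use in testing.
+// See the LICENSE file for information about the licensing of the original library.
+// Source: github.com/klauspost/compress/snappy (exports: ; functions: NewReader)
+// Package snappy is a stub of github.com/klauspost/compress/snappy, generated by depstubber.
+package snappy
+import (
+io "io"
+)
+func NewReader(_ io.Reader) interface{} {
+return nil
+}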


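--- /dev/null
+++ b/PATH_NOT_ON_PAGE/github.com/klauspost/compress/zip/FILE_NOT_ON_PAGE.go
@@ -0,0 +1,117 @@
+// Code generated by depstubber. DO NOT EDIT.
+// This is a simple stub for github.com/klauspost/compress/zip, strictly for use in testing.
+// See the LICENSE file for information about the licensing of the original library.
+// Source: github.com/klauspost/compress/zip (exports: FileHeader,File,Reader,ReadCloser; functions: NewReader,OpenReader)
+// Package zip is a stub of github.com/klauspost/compress/zip, generated by depstubber.
+package zip
+import (
+io "io"
+fs "io/fs"
+time "time"
+)
+type Decompressor func(io.Reader) io.ReadCloser
+type File struct {
+FileHeader FileHeader
+}
+func (_ *File) DataOffset() (int64, error) {
+return 0, nil
+}
+func (_ *File) FileInfo() fs.FileInfo {
+return nil
+}
+func (_ *File) ModTime() time.Time {
+return time.Time{}
+}
+func (_ *File) Mode() fs.FileMode {
+return 0
+}
+func (_ *File) Open() (io.ReadCloser, error) {
+return nil, nil
+}
+func (_ *File) OpenRaw() (io.Reader, error) {
+return nil, nil
+}
+func (_ *File) SetModTime(_ time.Time) {}
+func (_ *File) SetMode(_ fs.FileMode) {}
+type FileHeader struct {
+Name string
+Comment string
+NonUTF8 bool
+CreatorVersion uint16
+ReaderVersion uint16
+Flags uint16
+Method uint16
+Modified time.Time
+ModifiedTime uint16
+ModifiedDate uint16
+CRC32 uint32
+CompressedSize uint32
+UncompressedSize uint32
+CompressedSize64 uint64
+UncompressedSize64 uint64
+Extra []byte
+ExternalAttrs uint32
+}
+func (_ *FileHeader) FileInfo() fs.FileInfo {
+return nil
+}
+func (_ *FileHeader) ModTime() time.Time {
+return time.Time{}
+}
+func (_ *FileHeader) Mode() fs.FileMode {
+return 0
+}
+func (_ *FileHeader) SetModTime(_ time.Time) {}
+func (_ *FileHeader) SetMode(_ fs.FileMode) {}
+func NewReader(_ io.ReaderAt, _ int64) (*Reader, error) {
+return nil, nil
+}
+func OpenReader(_ string) (*ReadCloser, error) {
+return nil, nil
+}
+type ReadCloser struct {
+Reader Reader
+}
+func (_ *ReadCloser) Close() error {
+return nil
+}
+func (_ *ReadCloser) Open(_ string) (fs.File, error) {
+return nil, nil
+}
+func (_ *ReadCloser) RegisterDecompressor(_ uint16, _ Decompressor) {}
+type Reader struct {
+File []*File
+Comment string
+}
+func (_ *Reader) Open(_ string) (fs.File, error) {
+return nil, nil
+}
+func (_ *Reader) RegisterDecompressor(_ uint16, _ Decompressor) {}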


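--- /dev/null
+++ b/PATH_NOT_ON_PAGE/github.com/klauspost/compress/zlib/FILE_NOT_ON_PAGE.go
@@ -0,0 +1,16 @@
+// Code generated by depstubber. DO NOT EDIT.
+// This is a simple stub for github.com/klauspost/compress/zlib, strictly for use in testing.
+// See the LICENSE file for information about the licensing of the original library.
+// Source: github.com/klauspost/compress/zlib (exports: ; functions: NewReader)
+// Package zlib is a stub of github.com/klauspost/compress/zlib, generated by depstubber.
+package zlib
+import (
+io "io"
+)
+func NewReader(_ io.Reader) (io.ReadCloser, error) {
+return nil, nil
+}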


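--- /dev/null
+++ b/PATH_NOT_ON_PAGE/github.com/klauspost/compress/zstd/FILE_NOT_ON_PAGE.go
@@ -0,0 +1,42 @@
+// Code generated by depstubber. DO NOT EDIT.
+// This is a simple stub for github.com/klauspost/compress/zstd, strictly for use in testing.
+// See the LICENSE file for information about the licensing of the original library.
+// Source: github.com/klauspost/compress/zstd (exports: Decoder; functions: NewReader)
+// Package zstd is a stub of github.com/klauspost/compress/zstd, generated by depstubber.
+package zstd
+import (
+io "io"
+)
+type DOption func(interface{}) error
+type Decoder struct{}
+func (_ *Decoder) Close() {}
+func (_ *Decoder) DecodeAll(_ []byte, _ []byte) ([]byte, error) {
+return nil, nil
+}
+func (_ *Decoder) IOReadCloser() io.ReadCloser {
+return nil
+}
+func (_ *Decoder) Read(_ []byte) (int, error) {
+return 0, nil
+}
+func (_ *Decoder) Reset(_ io.Reader) error {
+return nil
+}
+func (_ *Decoder) WriteTo(_ io.Writer) (int64, error) {
+return 0, nil
+}
+func NewReader(_ io.Reader, _ ...DOption) (*Decoder, error) {
+return nil, nil
+}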


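--- /dev/null
+++ b/PATH_NOT_ON_PAGE/github.com/klauspost/pgzip/FILE_NOT_ON_PAGE.go
@@ -0,0 +1,47 @@
+// Code generated by depstubber. DO NOT EDIT.
+// This is a simple stub for github.com/klauspost/pgzip, strictly for use in testing.
+// See the LICENSE file for information about the licensing of the original library.
+// Source: github.com/klauspost/pgzip (exports: Reader; functions: NewReader)
+// Package pgzip is a stub of github.com/klauspost/pgzip, generated by depstubber.
+package pgzip
+import (
+io "io"
+time "time"
+)
+type Header struct {
+Comment string
+Extra []byte
+ModTime time.Time
+Name string
+OS byte
+}
+func NewReader(_ io.Reader) (*Reader, error) {
+return nil, nil
+}
+type Reader struct {
+Header Header
+}
+func (_ *Reader) Close() error {
+return nil
+}
+func (_ *Reader) Multistream(_ bool) {}
+func (_ *Reader) Read(_ []byte) (int, error) {
+return 0, nil
+}
+func (_ *Reader) Reset(_ io.Reader) error {
+return nil
+}
+func (_ *Reader) WriteTo(_ io.Writer) (int64, error) {
+return 0, nil
+}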


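--- /dev/null
+++ b/PATH_NOT_ON_PAGE/github.com/ulikunitz/xz/FILE_NOT_ON_PAGE.go
@@ -0,0 +1,45 @@
+// Code generated by depstubber. DO NOT EDIT.
+// This is a simple stub for github.com/ulikunitz/xz, strictly for use in testing.
+// See the LICENSE file for information about the licensing of the original library.
+// Source: github.com/ulikunitz/xz (exports: Reader; functions: NewReader)
+// Package xz is a stub of github.com/ulikunitz/xz, generated by depstubber.
+package xz
+import (
+io "io"
+)
+func NewReader(_ io.Reader) (*Reader, error) {
+return nil, nil
+}
+type Reader struct {
+ReaderConfig ReaderConfig
+}
+func (_ Reader) NewReader(_ io.Reader) (*Reader, error) {
+return nil, nil
+}
+func (_ *Reader) Read(_ []byte) (int, error) {
+return 0, nil
+}
+func (_ *Reader) Verify() error {
+return nil
+}
+type ReaderConfig struct {
+DictCap int
+SingleStream bool
+}
+func (_ ReaderConfig) NewReader(_ io.Reader) (*Reader, error) {
+return nil, nil
+}
+func (_ *ReaderConfig) Verify() error {
+return nil
+}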


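--- /dev/null
+++ b/PATH_NOT_ON_PAGE/modules.txt
@@ -0,0 +1,18 @@
+# github.com/DataDog/zstd v1.5.5
+## explicit
+github.com/DataDog/zstd
+# github.com/dsnet/compress v0.0.1
+## explicit
+github.com/dsnet/compress
+# github.com/golang/snappy v0.0.4
+## explicit
+github.com/golang/snappy
+# github.com/klauspost/compress v1.16.6
+## explicit
+github.com/klauspost/compress
+# github.com/klauspost/pgzip v1.2.6
+## explicit
+github.com/klauspost/pgzip
+# github.com/ulikunitz/xz v0.5.11
+## explicit
+github.com/ulikunitz/xz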