Restore reverse-flow models

This commit is contained in:
Chris Smowton
2023-03-17 13:28:32 +00:00
parent de0caf2445
commit 1b7f529949
25 changed files with 763 additions and 0 deletions


@@ -67,3 +67,34 @@ module EmailData {
}
}
}
// These models are not implemented using Models-as-Data because they represent reverse flow.
/**
* A taint model of the `Writer.CreatePart` method from `mime/multipart`.
*
* If tainted data is written to the multipart section created by this method, the underlying writer
* should be considered tainted as well.
*/
private class MultipartWriterCreatePartModel extends TaintTracking::FunctionModel, Method {
MultipartWriterCreatePartModel() {
this.hasQualifiedName("mime/multipart", "Writer", "CreatePart")
}
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
input.isResult(0) and output.isReceiver()
}
}
/**
* A taint model of the `NewWriter` function from `mime/multipart`.
*
* If tainted data is written to the writer created by this function, the underlying writer
* should be considered tainted as well.
*/
private class MultipartNewWriterModel extends TaintTracking::FunctionModel {
MultipartNewWriterModel() { this.hasQualifiedName("mime/multipart", "NewWriter") }
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
input.isResult() and output.isParameter(0)
}
}
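Review bot: The two new classes here duplicate models that this same commit adds in the `mime/multipart` stdlib module: `MultipartNewWriterModel` matches the `NewWriter` case of that module's `FunctionModels`, and `MultipartWriterCreatePartModel` matches the `Writer.CreatePart` case of its `MethodModels`, with identical input/output pairs. Two classes contributing the same taint step is harmless for query results, but it leaves two places to keep in sync when either model changes. If the stdlib module is always imported alongside this one, consider dropping these two classes and leaving `// Reverse-flow models for mime/multipart live in the stdlib MimeMultipart module.`; otherwise a one-line comment saying why both copies exist would help the next maintainer. The enclosing scope of these classes begins before the hunk.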


@@ -3,21 +3,39 @@
*/
import go
import semmle.go.frameworks.stdlib.ArchiveTar
import semmle.go.frameworks.stdlib.ArchiveZip
import semmle.go.frameworks.stdlib.Bufio
import semmle.go.frameworks.stdlib.CompressFlate
import semmle.go.frameworks.stdlib.CompressGzip
import semmle.go.frameworks.stdlib.CompressLzw
import semmle.go.frameworks.stdlib.CompressZlib
import semmle.go.frameworks.stdlib.CryptoTls
import semmle.go.frameworks.stdlib.DatabaseSql
import semmle.go.frameworks.stdlib.EncodingAsn1
import semmle.go.frameworks.stdlib.EncodingCsv
import semmle.go.frameworks.stdlib.EncodingGob
import semmle.go.frameworks.stdlib.EncodingJson
import semmle.go.frameworks.stdlib.EncodingPem
import semmle.go.frameworks.stdlib.EncodingXml
import semmle.go.frameworks.stdlib.Fmt
import semmle.go.frameworks.stdlib.Html
import semmle.go.frameworks.stdlib.HtmlTemplate
import semmle.go.frameworks.stdlib.Io
import semmle.go.frameworks.stdlib.IoFs
import semmle.go.frameworks.stdlib.IoIoutil
import semmle.go.frameworks.stdlib.Log
import semmle.go.frameworks.stdlib.MimeMultipart
import semmle.go.frameworks.stdlib.MimeQuotedprintable
import semmle.go.frameworks.stdlib.Net
import semmle.go.frameworks.stdlib.NetHttp
import semmle.go.frameworks.stdlib.NetHttpHttputil
import semmle.go.frameworks.stdlib.NetTextproto
import semmle.go.frameworks.stdlib.Os
import semmle.go.frameworks.stdlib.Regexp
import semmle.go.frameworks.stdlib.Strconv
import semmle.go.frameworks.stdlib.Syscall
import semmle.go.frameworks.stdlib.TextTabwriter
import semmle.go.frameworks.stdlib.TextTemplate
/** Provides a class for modeling functions which convert strings into integers. */


@@ -30,4 +30,19 @@ module Yaml {
override string getFormat() { result = "yaml" }
}
// These models are not implemented using Models-as-Data because they represent reverse flow.
private class FunctionModels extends TaintTracking::FunctionModel {
FunctionInput inp;
FunctionOutput outp;
FunctionModels() {
this.hasQualifiedName(packagePath(), "NewEncoder") and
(inp.isResult() and outp.isParameter(0))
}
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
input = inp and output = outp
}
}
}


@@ -0,0 +1,24 @@
/**
* Provides classes modeling security-relevant aspects of the `archive/tar` package.
*/
import go
// These models are not implemented using Models-as-Data because they represent reverse flow.
/** Provides models of commonly used functions in the `archive/tar` package. */
module ArchiveTar {
private class FunctionModels extends TaintTracking::FunctionModel {
FunctionInput inp;
FunctionOutput outp;
FunctionModels() {
// signature: func NewWriter(w io.Writer) *Writer
hasQualifiedName("archive/tar", "NewWriter") and
(inp.isResult() and outp.isParameter(0))
}
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
input = inp and output = outp
}
}
}
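Review bot: The characteristic predicate calls `hasQualifiedName(...)` with an implicit receiver, while the hunks for EmailData, Yaml, EncodingJson, EncodingXml and Log in this same commit spell out `this.hasQualifiedName(...)`. The explicit form matches the pre-existing models in those files and reads more clearly in a class body where the fields `inp` and `outp` are also referenced bare. Suggest `this.hasQualifiedName("archive/tar", "NewWriter") and` here, and the same change in the other new stdlib files (ArchiveZip, Bufio, CompressFlate, CompressGzip, CompressLzw, CompressZlib, CryptoTls, EncodingCsv, EncodingGob, Io, MimeMultipart, MimeQuotedprintable, Net, NetHttpHttputil, NetTextproto, Os, Syscall, TextTabwriter); the Syscall file's `implements(...)` call would take the same prefix.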


@@ -0,0 +1,47 @@
/**
* Provides classes modeling security-relevant aspects of the `archive/zip` package.
*/
import go
// These models are not implemented using Models-as-Data because they represent reverse flow.
/** Provides models of commonly used functions in the `archive/zip` package. */
module ArchiveZip {
private class FunctionModels extends TaintTracking::FunctionModel {
FunctionInput inp;
FunctionOutput outp;
FunctionModels() {
// signature: func NewWriter(w io.Writer) *Writer
hasQualifiedName("archive/zip", "NewWriter") and
(inp.isResult() and outp.isParameter(0))
}
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
input = inp and output = outp
}
}
private class MethodModels extends TaintTracking::FunctionModel, Method {
FunctionInput inp;
FunctionOutput outp;
MethodModels() {
// signature: func (*Writer) Create(name string) (io.Writer, error)
hasQualifiedName("archive/zip", "Writer", "Create") and
(inp.isResult(0) and outp.isReceiver())
or
// signature: func (*Writer) CreateRaw(fh *FileHeader) (io.Writer, error)
hasQualifiedName("archive/zip", "Writer", "CreateRaw") and
(inp.isResult(0) and outp.isReceiver())
or
// signature: func (*Writer) CreateHeader(fh *FileHeader) (io.Writer, error)
hasQualifiedName("archive/zip", "Writer", "CreateHeader") and
(inp.isResult(0) and outp.isReceiver())
}
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
input = inp and output = outp
}
}
}


@@ -18,4 +18,28 @@ module Bufio {
*/
FunctionInput getReader() { result.isParameter(0) }
}
// These models are not implemented using Models-as-Data because they represent reverse flow.
private class FunctionModels extends TaintTracking::FunctionModel {
FunctionInput inp;
FunctionOutput outp;
FunctionModels() {
// signature: func NewReadWriter(r *Reader, w *Writer) *ReadWriter
hasQualifiedName("bufio", "NewReadWriter") and
(inp.isResult() and outp.isParameter(1))
or
// signature: func NewWriter(w io.Writer) *Writer
hasQualifiedName("bufio", "NewWriter") and
(inp.isResult() and outp.isParameter(0))
or
// signature: func NewWriterSize(w io.Writer, size int) *Writer
hasQualifiedName("bufio", "NewWriterSize") and
(inp.isResult() and outp.isParameter(0))
}
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
input = inp and output = outp
}
}
}


@@ -0,0 +1,28 @@
/**
* Provides classes modeling security-relevant aspects of the `compress/flate` package.
*/
import go
// These models are not implemented using Models-as-Data because they represent reverse flow.
/** Provides models of commonly used functions in the `compress/flate` package. */
module CompressFlate {
private class FunctionModels extends TaintTracking::FunctionModel {
FunctionInput inp;
FunctionOutput outp;
FunctionModels() {
// signature: func NewWriter(w io.Writer, level int) (*Writer, error)
hasQualifiedName("compress/flate", "NewWriter") and
(inp.isResult(0) and outp.isParameter(0))
or
// signature: func NewWriterDict(w io.Writer, level int, dict []byte) (*Writer, error)
hasQualifiedName("compress/flate", "NewWriterDict") and
(inp.isResult(0) and outp.isParameter(0))
}
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
input = inp and output = outp
}
}
}


@@ -0,0 +1,28 @@
/**
* Provides classes modeling security-relevant aspects of the `compress/gzip` package.
*/
import go
// These models are not implemented using Models-as-Data because they represent reverse flow.
/** Provides models of commonly used functions in the `compress/gzip` package. */
module CompressGzip {
private class FunctionModels extends TaintTracking::FunctionModel {
FunctionInput inp;
FunctionOutput outp;
FunctionModels() {
// signature: func NewWriter(w io.Writer) *Writer
hasQualifiedName("compress/gzip", "NewWriter") and
(inp.isResult() and outp.isParameter(0))
or
// signature: func NewWriterLevel(w io.Writer, level int) (*Writer, error)
hasQualifiedName("compress/gzip", "NewWriterLevel") and
(inp.isResult(0) and outp.isParameter(0))
}
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
input = inp and output = outp
}
}
}


@@ -0,0 +1,24 @@
/**
* Provides classes modeling security-relevant aspects of the `compress/lzw` package.
*/
import go
// These models are not implemented using Models-as-Data because they represent reverse flow.
/** Provides models of commonly used functions in the `compress/lzw` package. */
module CompressLzw {
private class FunctionModels extends TaintTracking::FunctionModel {
FunctionInput inp;
FunctionOutput outp;
FunctionModels() {
// signature: func NewWriter(w io.Writer, order Order, litWidth int) io.WriteCloser
hasQualifiedName("compress/lzw", "NewWriter") and
(inp.isResult() and outp.isParameter(0))
}
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
input = inp and output = outp
}
}
}


@@ -0,0 +1,32 @@
/**
* Provides classes modeling security-relevant aspects of the `compress/zlib` package.
*/
import go
// These models are not implemented using Models-as-Data because they represent reverse flow.
/** Provides models of commonly used functions in the `compress/zlib` package. */
module CompressZlib {
private class FunctionModels extends TaintTracking::FunctionModel {
FunctionInput inp;
FunctionOutput outp;
FunctionModels() {
// signature: func NewWriter(w io.Writer) *Writer
hasQualifiedName("compress/zlib", "NewWriter") and
(inp.isResult() and outp.isParameter(0))
or
// signature: func NewWriterLevel(w io.Writer, level int) (*Writer, error)
hasQualifiedName("compress/zlib", "NewWriterLevel") and
(inp.isResult(0) and outp.isParameter(0))
or
// signature: func NewWriterLevelDict(w io.Writer, level int, dict []byte) (*Writer, error)
hasQualifiedName("compress/zlib", "NewWriterLevelDict") and
(inp.isResult(0) and outp.isParameter(0))
}
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
input = inp and output = outp
}
}
}


@@ -0,0 +1,28 @@
/**
* Provides classes modeling security-relevant aspects of the `crypto/tls` package.
*/
import go
// These models are not implemented using Models-as-Data because they represent reverse flow.
/** Provides models of commonly used functions in the `crypto/tls` package. */
module CryptoTls {
private class FunctionModels extends TaintTracking::FunctionModel {
FunctionInput inp;
FunctionOutput outp;
FunctionModels() {
// signature: func Client(conn net.Conn, config *Config) *Conn
hasQualifiedName("crypto/tls", "Client") and
(inp.isResult() and outp.isParameter(0))
or
// signature: func Server(conn net.Conn, config *Config) *Conn
hasQualifiedName("crypto/tls", "Server") and
(inp.isResult() and outp.isParameter(0))
}
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
input = inp and output = outp
}
}
}


@@ -0,0 +1,24 @@
/**
* Provides classes modeling security-relevant aspects of the `encoding/csv` package.
*/
import go
// These models are not implemented using Models-as-Data because they represent reverse flow.
/** Provides models of commonly used functions in the `encoding/csv` package. */
module EncodingCsv {
private class FunctionModels extends TaintTracking::FunctionModel {
FunctionInput inp;
FunctionOutput outp;
FunctionModels() {
// signature: func NewWriter(w io.Writer) *Writer
hasQualifiedName("encoding/csv", "NewWriter") and
(inp.isResult() and outp.isParameter(0))
}
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
input = inp and output = outp
}
}
}


@@ -0,0 +1,24 @@
/**
* Provides classes modeling security-relevant aspects of the `encoding/gob` package.
*/
import go
// These models are not implemented using Models-as-Data because they represent reverse flow.
/** Provides models of commonly used functions in the `encoding/gob` package. */
module EncodingGob {
private class FunctionModels extends TaintTracking::FunctionModel {
FunctionInput inp;
FunctionOutput outp;
FunctionModels() {
// signature: func NewEncoder(w io.Writer) *Encoder
hasQualifiedName("encoding/gob", "NewEncoder") and
(inp.isResult() and outp.isParameter(0))
}
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
input = inp and output = outp
}
}
}


@@ -32,4 +32,20 @@ module EncodingJson {
override string getFormat() { result = "JSON" }
}
// These models are not implemented using Models-as-Data because they represent reverse flow.
private class FunctionModels extends TaintTracking::FunctionModel {
FunctionInput inp;
FunctionOutput outp;
FunctionModels() {
// signature: func NewEncoder(w io.Writer) *Encoder
this.hasQualifiedName("encoding/json", "NewEncoder") and
(inp.isResult() and outp.isParameter(0))
}
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
input = inp and output = outp
}
}
}


@@ -29,4 +29,20 @@ module EncodingXml {
override string getFormat() { result = "XML" }
}
// These models are not implemented using Models-as-Data because they represent reverse flow.
private class FunctionModels extends TaintTracking::FunctionModel {
FunctionInput inp;
FunctionOutput outp;
FunctionModels() {
// signature: func NewEncoder(w io.Writer) *Encoder
this.hasQualifiedName("encoding/xml", "NewEncoder") and
(inp.isResult() and outp.isParameter(0))
}
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
input = inp and output = outp
}
}
}


@@ -0,0 +1,28 @@
/**
* Provides classes modeling security-relevant aspects of the `io` package.
*/
import go
// These models are not implemented using Models-as-Data because they represent reverse flow.
/** Provides models of commonly used functions in the `io` package. */
module Io {
private class FunctionModels extends TaintTracking::FunctionModel {
FunctionInput inp;
FunctionOutput outp;
FunctionModels() {
// signature: func MultiWriter(writers ...Writer) Writer
hasQualifiedName("io", "MultiWriter") and
(inp.isResult() and outp.isParameter(_))
or
// signature: func Pipe() (*PipeReader, *PipeWriter)
hasQualifiedName("io", "Pipe") and
(inp.isResult(1) and outp.isResult(0))
}
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
input = inp and output = outp
}
}
}


@@ -38,4 +38,20 @@ module Log {
override predicate mayReturnNormally() { none() }
}
// These models are not implemented using Models-as-Data because they represent reverse flow.
private class FunctionModels extends TaintTracking::FunctionModel {
FunctionInput inp;
FunctionOutput outp;
FunctionModels() {
// signature: func New(out io.Writer, prefix string, flag int) *Logger
this.hasQualifiedName("log", "New") and
(inp.isResult() and outp.isParameter(0))
}
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
input = inp and output = outp
}
}
}


@@ -0,0 +1,47 @@
/**
* Provides classes modeling security-relevant aspects of the `mime/multipart` package.
*/
import go
// These models are not implemented using Models-as-Data because they represent reverse flow.
/** Provides models of commonly used functions in the `mime/multipart` package. */
module MimeMultipart {
private class FunctionModels extends TaintTracking::FunctionModel {
FunctionInput inp;
FunctionOutput outp;
FunctionModels() {
// signature: func NewWriter(w io.Writer) *Writer
hasQualifiedName("mime/multipart", "NewWriter") and
(inp.isResult() and outp.isParameter(0))
}
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
input = inp and output = outp
}
}
private class MethodModels extends TaintTracking::FunctionModel, Method {
FunctionInput inp;
FunctionOutput outp;
MethodModels() {
// signature: func (*Writer) CreateFormField(fieldname string) (io.Writer, error)
hasQualifiedName("mime/multipart", "Writer", "CreateFormField") and
(inp.isResult(0) and outp.isReceiver())
or
// signature: func (*Writer) CreateFormFile(fieldname string, filename string) (io.Writer, error)
hasQualifiedName("mime/multipart", "Writer", "CreateFormFile") and
(inp.isResult(0) and outp.isReceiver())
or
// signature: func (*Writer) CreatePart(header net/textproto.MIMEHeader) (io.Writer, error)
hasQualifiedName("mime/multipart", "Writer", "CreatePart") and
(inp.isResult(0) and outp.isReceiver())
}
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
input = inp and output = outp
}
}
}


@@ -0,0 +1,23 @@
/**
* Provides classes modeling security-relevant aspects of the `mime/quotedprintable` package.
*/
import go
/** Provides models of commonly used functions in the `mime/quotedprintable` package. */
module MimeQuotedprintable {
private class FunctionModels extends TaintTracking::FunctionModel {
FunctionInput inp;
FunctionOutput outp;
FunctionModels() {
// signature: func NewWriter(w io.Writer) *Writer
hasQualifiedName("mime/quotedprintable", "NewWriter") and
(inp.isResult() and outp.isParameter(0))
}
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
input = inp and output = outp
}
}
}
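Review bot: This file is the only new stdlib model in the commit that lacks the `// These models are not implemented using Models-as-Data because they represent reverse flow.` comment that every sibling file places between `import go` and the module doc comment. Without it, a later cleanup could try to migrate the `NewWriter` model to Models-as-Data like the forward-flow models, losing the reverse step. Add the same comment line directly after `import go` so the file matches its neighbours.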


@@ -0,0 +1,79 @@
/**
* Provides classes modeling security-relevant aspects of the `net` package.
*/
import go
// These models are not implemented using Models-as-Data because they represent reverse flow.
/** Provides models of commonly used functions in the `net` package. */
module Net {
private class FunctionModels extends TaintTracking::FunctionModel {
FunctionInput inp;
FunctionOutput outp;
FunctionModels() {
// signature: func FileConn(f *os.File) (c Conn, err error)
hasQualifiedName("net", "FileConn") and
(inp.isResult(0) and outp.isParameter(0))
or
// signature: func FilePacketConn(f *os.File) (c PacketConn, err error)
hasQualifiedName("net", "FilePacketConn") and
(inp.isResult(0) and outp.isParameter(0))
or
// signature: func Pipe() (Conn, Conn)
hasQualifiedName("net", "Pipe") and
(
inp.isResult(0) and outp.isResult(1)
or
inp.isResult(1) and outp.isResult(0)
)
}
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
input = inp and output = outp
}
}
private class MethodModels extends TaintTracking::FunctionModel, Method {
FunctionInput inp;
FunctionOutput outp;
MethodModels() {
// signature: func (*IPConn) SyscallConn() (syscall.RawConn, error)
hasQualifiedName("net", "IPConn", "SyscallConn") and
(inp.isResult(0) and outp.isReceiver())
or
// signature: func (*TCPConn) SyscallConn() (syscall.RawConn, error)
hasQualifiedName("net", "TCPConn", "SyscallConn") and
(inp.isResult(0) and outp.isReceiver())
or
// signature: func (*TCPListener) File() (f *os.File, err error)
hasQualifiedName("net", "TCPListener", "File") and
(inp.isResult(0) and outp.isReceiver())
or
// signature: func (*TCPListener) SyscallConn() (syscall.RawConn, error)
hasQualifiedName("net", "TCPListener", "SyscallConn") and
(inp.isResult(0) and outp.isReceiver())
or
// signature: func (*UDPConn) SyscallConn() (syscall.RawConn, error)
hasQualifiedName("net", "UDPConn", "SyscallConn") and
(inp.isResult(0) and outp.isReceiver())
or
// signature: func (*UnixConn) SyscallConn() (syscall.RawConn, error)
hasQualifiedName("net", "UnixConn", "SyscallConn") and
(inp.isResult(0) and outp.isReceiver())
or
// signature: func (*UnixListener) File() (f *os.File, err error)
hasQualifiedName("net", "UnixListener", "File") and
(inp.isResult(0) and outp.isReceiver())
or
// signature: func (*UnixListener) SyscallConn() (syscall.RawConn, error)
hasQualifiedName("net", "UnixListener", "SyscallConn") and
(inp.isResult(0) and outp.isReceiver())
}
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
input = inp and output = outp
}
}
}


@@ -0,0 +1,51 @@
/**
* Provides classes modeling security-relevant aspects of the `net/http/httputil` package.
*/
import go
// These models are not implemented using Models-as-Data because they represent reverse flow.
/** Provides models of commonly used functions in the `net/http/httputil` package. */
module NetHttpHttputil {
private class FunctionModels extends TaintTracking::FunctionModel {
FunctionInput inp;
FunctionOutput outp;
FunctionModels() {
// signature: func NewChunkedWriter(w io.Writer) io.WriteCloser
hasQualifiedName("net/http/httputil", "NewChunkedWriter") and
(inp.isResult() and outp.isParameter(0))
or
// signature: func NewClientConn(c net.Conn, r *bufio.Reader) *ClientConn
hasQualifiedName("net/http/httputil", "NewClientConn") and
(inp.isResult() and outp.isParameter(0))
or
// signature: func NewProxyClientConn(c net.Conn, r *bufio.Reader) *ClientConn
hasQualifiedName("net/http/httputil", "NewProxyClientConn") and
(inp.isResult() and outp.isParameter(0))
}
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
input = inp and output = outp
}
}
private class MethodModels extends TaintTracking::FunctionModel, Method {
FunctionInput inp;
FunctionOutput outp;
MethodModels() {
// signature: func (*ClientConn) Hijack() (c net.Conn, r *bufio.Reader)
hasQualifiedName("net/http/httputil", "ClientConn", "Hijack") and
(inp.isResult(0) and outp.isReceiver())
or
// signature: func (*ServerConn) Hijack() (net.Conn, *bufio.Reader)
hasQualifiedName("net/http/httputil", "ServerConn", "Hijack") and
(inp.isResult(0) and outp.isReceiver())
}
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
input = inp and output = outp
}
}
}


@@ -0,0 +1,43 @@
/**
* Provides classes modeling security-relevant aspects of the `net/textproto` package.
*/
import go
// These models are not implemented using Models-as-Data because they represent reverse flow.
/** Provides models of commonly used functions in the `net/textproto` package. */
module NetTextproto {
private class FunctionModels extends TaintTracking::FunctionModel {
FunctionInput inp;
FunctionOutput outp;
FunctionModels() {
// signature: func NewConn(conn io.ReadWriteCloser) *Conn
hasQualifiedName("net/textproto", "NewConn") and
(inp.isResult() and outp.isParameter(0))
or
// signature: func NewWriter(w *bufio.Writer) *Writer
hasQualifiedName("net/textproto", "NewWriter") and
(inp.isResult() and outp.isParameter(0))
}
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
input = inp and output = outp
}
}
private class MethodModels extends TaintTracking::FunctionModel, Method {
FunctionInput inp;
FunctionOutput outp;
MethodModels() {
// signature: func (*Writer) DotWriter() io.WriteCloser
hasQualifiedName("net/textproto", "Writer", "DotWriter") and
(inp.isResult() and outp.isReceiver())
}
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
input = inp and output = outp
}
}
}


@@ -77,4 +77,35 @@ module Os {
override predicate mayReturnNormally() { none() }
}
// These models are not implemented using Models-as-Data because they represent reverse flow.
private class FunctionModels extends TaintTracking::FunctionModel {
FunctionInput inp;
FunctionOutput outp;
FunctionModels() {
// signature: func Pipe() (r *File, w *File, err error)
hasQualifiedName("os", "Pipe") and
(inp.isResult(1) and outp.isResult(0))
}
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
input = inp and output = outp
}
}
private class MethodModels extends TaintTracking::FunctionModel, Method {
FunctionInput inp;
FunctionOutput outp;
MethodModels() {
// signature: func (*File) SyscallConn() (syscall.RawConn, error)
hasQualifiedName("os", "File", "SyscallConn") and
(inp.isResult(0) and outp.isReceiver())
}
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
input = inp and output = outp
}
}
}


@@ -0,0 +1,24 @@
/**
* Provides classes modeling security-relevant aspects of the `syscall` package.
*/
import go
// These models are not implemented using Models-as-Data because they represent reverse flow.
/** Provides models of commonly used functions in the `syscall` package. */
module Syscall {
private class MethodModels extends TaintTracking::FunctionModel, Method {
FunctionInput inp;
FunctionOutput outp;
MethodModels() {
// signature: func (Conn) SyscallConn() (RawConn, error)
implements("syscall", "Conn", "SyscallConn") and
(inp.isResult(0) and outp.isReceiver())
}
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
input = inp and output = outp
}
}
}


@@ -0,0 +1,42 @@
/**
* Provides classes modeling security-relevant aspects of the `text/tabwriter` package.
*/
import go
// These models are not implemented using Models-as-Data because they represent reverse flow.
/** Provides models of commonly used functions in the `text/tabwriter` package. */
module TextTabwriter {
private class FunctionModels extends TaintTracking::FunctionModel {
FunctionInput inp;
FunctionOutput outp;
FunctionModels() {
// signature: func NewWriter(output io.Writer, minwidth int, tabwidth int, padding int, padchar byte, flags uint) *Writer
hasQualifiedName("text/tabwriter", "NewWriter") and
(inp.isResult() and outp.isParameter(0))
}
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
input = inp and output = outp
}
}
private class MethodModels extends TaintTracking::FunctionModel, Method {
FunctionInput inp;
FunctionOutput outp;
MethodModels() {
// signature: func (*Writer) Init(output io.Writer, minwidth int, tabwidth int, padding int, padchar byte, flags uint) *Writer
hasQualifiedName("text/tabwriter", "Writer", "Init") and
(
inp.isResult() and
outp.isParameter(0)
)
}
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
input = inp and output = outp
}
}
}
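Review bot: The `Writer.Init` model takes only the method's result as the taint input (`inp.isResult()`), but in the standard library `Init` returns its own receiver, so data written to an already-initialised `*Writer` also reaches the `output` parameter and that path is currently missed, which shows up as false negatives for the common `w := new(tabwriter.Writer); w.Init(out, ...)` usage. Suggest `(inp.isResult() or inp.isReceiver()) and outp.isParameter(0)`, which also lets the four-line parenthesised block collapse to the single-line form used by every other model in this commit. If the result-equals-receiver identity is not something the model wants to rely on, keeping at least the receiver case is still worthwhile.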