Add test for Go-restful

ql/src/semmle/go/frameworks/HTTP.qll

@@ -242,7 +242,7 @@ private module GoRestfulHttp {
   private class GoRestfulSourceMethod extends Method {
     GoRestfulSourceMethod() {
       this
-          .hasQualifiedName("github.com/emicklei/go-restful", "Request",
+          .hasQualifiedName(package("github.com/emicklei/go-restful", ""), "Request",
             ["QueryParameters", "QueryParameter", "BodyParameter", "HeaderParameter",
                 "PathParameter", "PathParameters"])
     }

ql/test/library-tests/semmle/go/frameworks/HTTP/Gorestful/go.mod

@@ -0,0 +1,8 @@
+module gorestfultest
+
+go 1.14
+
+require (
+	github.com/emicklei/go-restful/v3 v3.2.0
+	github.com/json-iterator/go v1.1.10 // indirect
+)

ql/test/library-tests/semmle/go/frameworks/HTTP/Gorestful/gorestful.expected

@@ -0,0 +1,12 @@
+| gorestful.go:9:15:9:47 | index expression | gorestful.go:9:15:9:44 | call to QueryParameters : slice type | gorestful.go:9:15:9:47 | index expression | This command depends on $@. | gorestful.go:9:15:9:44 | call to QueryParameters | a user-provided value |
+| gorestful.go:10:15:10:43 | call to QueryParameter | gorestful.go:10:15:10:43 | call to QueryParameter | gorestful.go:10:15:10:43 | call to QueryParameter | This command depends on $@. | gorestful.go:10:15:10:43 | call to QueryParameter | a user-provided value |
+| gorestful.go:12:15:12:17 | val | gorestful.go:11:12:11:39 | call to BodyParameter : tuple type | gorestful.go:12:15:12:17 | val | This command depends on $@. | gorestful.go:11:12:11:39 | call to BodyParameter | a user-provided value |
+| gorestful.go:13:15:13:44 | call to HeaderParameter | gorestful.go:13:15:13:44 | call to HeaderParameter | gorestful.go:13:15:13:44 | call to HeaderParameter | This command depends on $@. | gorestful.go:13:15:13:44 | call to HeaderParameter | a user-provided value |
+| gorestful.go:14:15:14:42 | call to PathParameter | gorestful.go:14:15:14:42 | call to PathParameter | gorestful.go:14:15:14:42 | call to PathParameter | This command depends on $@. | gorestful.go:14:15:14:42 | call to PathParameter | a user-provided value |
+| gorestful.go:15:15:15:45 | index expression | gorestful.go:15:15:15:38 | call to PathParameters : map type | gorestful.go:15:15:15:45 | index expression | This command depends on $@. | gorestful.go:15:15:15:38 | call to PathParameters | a user-provided value |
+| gorestful_v2.go:9:15:9:47 | index expression | gorestful_v2.go:9:15:9:44 | call to QueryParameters : slice type | gorestful_v2.go:9:15:9:47 | index expression | This command depends on $@. | gorestful_v2.go:9:15:9:44 | call to QueryParameters | a user-provided value |
+| gorestful_v2.go:10:15:10:43 | call to QueryParameter | gorestful_v2.go:10:15:10:43 | call to QueryParameter | gorestful_v2.go:10:15:10:43 | call to QueryParameter | This command depends on $@. | gorestful_v2.go:10:15:10:43 | call to QueryParameter | a user-provided value |
+| gorestful_v2.go:12:15:12:17 | val | gorestful_v2.go:11:12:11:39 | call to BodyParameter : tuple type | gorestful_v2.go:12:15:12:17 | val | This command depends on $@. | gorestful_v2.go:11:12:11:39 | call to BodyParameter | a user-provided value |
+| gorestful_v2.go:13:15:13:44 | call to HeaderParameter | gorestful_v2.go:13:15:13:44 | call to HeaderParameter | gorestful_v2.go:13:15:13:44 | call to HeaderParameter | This command depends on $@. | gorestful_v2.go:13:15:13:44 | call to HeaderParameter | a user-provided value |
+| gorestful_v2.go:14:15:14:42 | call to PathParameter | gorestful_v2.go:14:15:14:42 | call to PathParameter | gorestful_v2.go:14:15:14:42 | call to PathParameter | This command depends on $@. | gorestful_v2.go:14:15:14:42 | call to PathParameter | a user-provided value |
+| gorestful_v2.go:15:15:15:45 | index expression | gorestful_v2.go:15:15:15:38 | call to PathParameters : map type | gorestful_v2.go:15:15:15:45 | index expression | This command depends on $@. | gorestful_v2.go:15:15:15:38 | call to PathParameters | a user-provided value |

ql/test/library-tests/semmle/go/frameworks/HTTP/Gorestful/gorestful.go

@@ -0,0 +1,16 @@
+package gorestfultest
+
+import (
+	restful "github.com/emicklei/go-restful/v3"
+	"os/exec"
+)
+
+func requestHandler(request *restful.Request, response *restful.Response) {
+	exec.Command(request.QueryParameters("xyz")[0]) // BAD
+	exec.Command(request.QueryParameter("xyz"))     // BAD
+	val, _ := request.BodyParameter("xyz")
+	exec.Command(val)                             // BAD
+	exec.Command(request.HeaderParameter("xyz"))  // BAD
+	exec.Command(request.PathParameter("xyz"))    // BAD
+	exec.Command(request.PathParameters()["xyz"]) // BAD
+}

ql/test/library-tests/semmle/go/frameworks/HTTP/Gorestful/gorestful.ql

@@ -0,0 +1,7 @@
+import go
+import semmle.go.security.CommandInjection
+
+from CommandInjection::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where cfg.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "This command depends on $@.", source.getNode(),
+  "a user-provided value"

ql/test/library-tests/semmle/go/frameworks/HTTP/Gorestful/gorestful_v2.go

@@ -0,0 +1,16 @@
+package gorestfultest
+
+import (
+	restful "github.com/emicklei/go-restful"
+	"os/exec"
+)
+
+func requestHandlerV2(request *restful.Request, response *restful.Response) {
+	exec.Command(request.QueryParameters("xyz")[0]) // BAD
+	exec.Command(request.QueryParameter("xyz"))     // BAD
+	val, _ := request.BodyParameter("xyz")
+	exec.Command(val)                             // BAD
+	exec.Command(request.HeaderParameter("xyz"))  // BAD
+	exec.Command(request.PathParameter("xyz"))    // BAD
+	exec.Command(request.PathParameters()["xyz"]) // BAD
+}

ql/test/library-tests/semmle/go/frameworks/HTTP/Gorestful/vendor/github.com/emicklei/go-restful/LICENSE

@@ -0,0 +1,22 @@
+Copyright (c) 2012,2013 Ernest Micklei
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

ql/test/library-tests/semmle/go/frameworks/HTTP/Gorestful/vendor/github.com/emicklei/go-restful/stub.go

@@ -0,0 +1,54 @@
+// Code generated by depstubber. DO NOT EDIT.
+// This is a simple stub for github.com/emicklei/go-restful/v3, strictly for use in testing.
+
+// See the LICENSE file for information about the licensing of the original library.
+// Source: github.com/emicklei/go-restful/v3 (exports: Request; functions: )
+
+// Package gorestfulstub is a stub of github.com/emicklei/go-restful, generated by depstubber.
+package gorestfulstub
+
+import (
+	http "net/http"
+)
+
+type Request struct {
+	Request *http.Request
+}
+
+func (_ Request) Attribute(_ string) interface{} {
+	return nil
+}
+
+func (_ Request) SelectedRoutePath() string {
+	return ""
+}
+
+func (_ *Request) BodyParameter(_ string) (string, error) {
+	return "", nil
+}
+
+func (_ *Request) HeaderParameter(_ string) string {
+	return ""
+}
+
+func (_ *Request) PathParameter(_ string) string {
+	return ""
+}
+
+func (_ *Request) PathParameters() map[string]string {
+	return nil
+}
+
+func (_ *Request) QueryParameter(_ string) string {
+	return ""
+}
+
+func (_ *Request) QueryParameters(_ string) []string {
+	return nil
+}
+
+func (_ *Request) ReadEntity(_ interface{}) error {
+	return nil
+}
+
+func (_ *Request) SetAttribute(_ string, _ interface{}) {}

ql/test/library-tests/semmle/go/frameworks/HTTP/Gorestful/vendor/github.com/emicklei/go-restful/v3/stub.go

@@ -0,0 +1,54 @@
+// Code generated by depstubber. DO NOT EDIT.
+// This is a simple stub for github.com/emicklei/go-restful/v3, strictly for use in testing.
+
+// See the LICENSE file for information about the licensing of the original library.
+// Source: github.com/emicklei/go-restful/v3 (exports: Request; functions: )
+
+// Package gorestfulstub is a stub of github.com/emicklei/go-restful/v3, generated by depstubber.
+package gorestfulstub
+
+import (
+	http "net/http"
+)
+
+type Request struct {
+	Request *http.Request
+}
+
+func (_ Request) Attribute(_ string) interface{} {
+	return nil
+}
+
+func (_ Request) SelectedRoutePath() string {
+	return ""
+}
+
+func (_ *Request) BodyParameter(_ string) (string, error) {
+	return "", nil
+}
+
+func (_ *Request) HeaderParameter(_ string) string {
+	return ""
+}
+
+func (_ *Request) PathParameter(_ string) string {
+	return ""
+}
+
+func (_ *Request) PathParameters() map[string]string {
+	return nil
+}
+
+func (_ *Request) QueryParameter(_ string) string {
+	return ""
+}
+
+func (_ *Request) QueryParameters(_ string) []string {
+	return nil
+}
+
+func (_ *Request) ReadEntity(_ interface{}) error {
+	return nil
+}
+
+func (_ *Request) SetAttribute(_ string, _ interface{}) {}

ql/test/library-tests/semmle/go/frameworks/HTTP/Gorestful/vendor/modules.txt

@@ -0,0 +1,6 @@
+# github.com/emicklei/go-restful/v3 v3.2.0
+## explicit
+github.com/emicklei/go-restful/v3
+# github.com/json-iterator/go v1.1.10
+## explicit
+github.com/json-iterator/go