Oauth2 state: note bufio.NewScanner is also a sign of probable terminal-interactive use

2026-01-30 06:42:57 +01:00 · 2020-08-17 15:10:02 +01:00
parent 6fee4f382f
commit 3d877fc67d
2 changed files with 38 additions and 8 deletions
--- a/ql/src/experimental/CWE-352/ConstantOauth2State.ql
+++ b/ql/src/experimental/CWE-352/ConstantOauth2State.ql
@@ -65,17 +65,27 @@ predicate resultFlowsToPrinter(DataFlow::CallNode authCodeURLCall) {
  )
 }

+/** Gets dataflow nodes that read the value of os.Stdin */
+DataFlow::Node getAStdinNode() {
+  result = any(ValueEntity v | v.hasQualifiedName("os", "Stdin")).getARead()
+}
+
+/**
+ * Gets a call to a scanner function that reads from os.Stdin, or which creates a scanner
+ * instance wrapping os.Stdin.
+ */
+DataFlow::CallNode getAScannerCall() {
+  result instanceof Fmt::ScannerCall or
+  result.(Fmt::FScannerCall).getReader() = getAStdinNode() or
+  result.(Bufio::NewScannerCall).getReader() = getAStdinNode()
+}
+
 /**
 * Holds if the provided CallNode is within the same root as a call
 * to a scanner that reads from os.Stdin.
 */
-predicate rootContainsCallToStdinScanner(DataFlow::CallNode authCodeURLCall) {
-  exists(Fmt::ScannerCall scannerCall | scannerCall.getRoot() = authCodeURLCall.getRoot())
-  or
-  exists(Fmt::FScannerCall fScannerCall |
-    fScannerCall.getReader() = any(ValueEntity v | v.hasQualifiedName("os", "Stdin")).getARead() and
-    fScannerCall.getRoot() = authCodeURLCall.getRoot()
-  )
+predicate containsCallToStdinScanner(FuncDef funcDef) {
+  exists(DataFlow::CallNode call | call = getAScannerCall() | call.getRoot() = funcDef)
 }

 /**
@@ -86,7 +96,7 @@ predicate rootContainsCallToStdinScanner(DataFlow::CallNode authCodeURLCall) {
 */
 predicate seemsLikeDoneWithinATerminal(DataFlow::CallNode authCodeURLCall) {
  resultFlowsToPrinter(authCodeURLCall) and
-  rootContainsCallToStdinScanner(authCodeURLCall)
+  containsCallToStdinScanner(authCodeURLCall.getRoot())
 }

 from
--- a/ql/src/semmle/go/frameworks/stdlib/Bufio.qll
+++ b/ql/src/semmle/go/frameworks/stdlib/Bufio.qll
@@ -6,6 +6,26 @@ import go

 /** Provides models of commonly used functions in the `bufio` package. */
 module Bufio {
+  /**
+   * The function bufio.NewScanner.
+   */
+  class NewScanner extends Function {
+    NewScanner() { this.hasQualifiedName("bufio", "NewScanner") }
+  }
+
+  /**
+   * A call to bufio.NewScanner.
+   */
+  class NewScannerCall extends DataFlow::CallNode {
+    NewScannerCall() { this.getTarget() instanceof NewScanner }
+
+    /**
+     * Returns the node corresponding to the io.Reader
+     * argument provided in the call.
+     */
+    DataFlow::Node getReader() { result = this.getArgument(0) }
+  }
+
  private class FunctionModels extends TaintTracking::FunctionModel {
    FunctionInput inp;
    FunctionOutput outp;