feat: client service support

This commit is contained in:
Mathew Payne
2023-06-30 12:44:09 +01:00
parent 62bad6c02f
commit 48966d65dd

View File

@@ -3,6 +3,7 @@
*/
import go
private import semmle.go.security.RequestForgeryCustomizations
/**
* Module for Go-Micro framework.
@@ -15,6 +16,13 @@ module GoMicro {
GoMicroServerType() { this.hasQualifiedName("go-micro.dev/v4/server", "Server") }
}
/**
* A GoMicro client type.
*/
class GoMicroClientType extends Type {
GoMicroClientType() { this.hasQualifiedName("go-micro.dev/v4/client", "Client") }
}
/**
* A file that is generated by the protobuf compiler.
*/
@@ -84,6 +92,20 @@ module GoMicro {
}
}
/**
* A Client server handler type.
*/
class ClientServiceType extends NamedType {
ClientServiceType() {
exists(ServiceInterfaceType i, TypeEntity te |
this.implements(i) and
this.getName().regexpMatch("(?i).*Service") and
te.getType() = this and
te.getDeclaration().getLocation().getFile() instanceof ProtocGeneratedFile
)
}
}
/**
* A service register handler.
*/
@@ -111,6 +133,36 @@ module GoMicro {
}
}
/**
* A client service function.
*/
class ClientService extends Function {
ClientService() {
exists(ClientServiceType c |
this.getName().regexpMatch("(?i)new" + c.getName()) and
this.getParameterType(0) instanceof StringType and
this.getParameterType(1) instanceof GoMicroClientType and
this.getDeclaration().getLocation().getFile() instanceof ProtocGeneratedFile
)
}
}
/**
* An SSRF sink for the Client service function.
*/
class ClientRequestUrlAsSink extends RequestForgery::Sink {
ClientRequestUrlAsSink() {
exists(DataFlow::CallNode call |
call.getArgument(0) = this and
call.getTarget() instanceof ClientService
)
}
override DataFlow::Node getARequest() { result = this }
override string getKind() { result = "URL" }
}
/**
* A set of remote requests from a service handler.
*/