Convert existing credentials sinks to MaD

I checked that the tests failed when I removed the classes and passed again when I add the MaD models.
2025-12-17 01:03:14 +01:00 · 2024-07-25 10:27:37 +01:00
parent 93c9910e6f
commit 78b66abad3
9 changed files with 27 additions and 56 deletions
--- a/go/ql/lib/ext/github.com.appleboy.gin-jwt.model.yml
+++ b/go/ql/lib/ext/github.com.appleboy.gin-jwt.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["github.com/appleboy/gin-jwt", "GinJWTMiddleware", True, "Key", "", "", "", "credentials-key", "manual"]
--- a/go/ql/lib/ext/github.com.go-jose.go-jose.model.yml
+++ b/go/ql/lib/ext/github.com.go-jose.go-jose.model.yml
@@ -0,0 +1,14 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: packageGrouping
+    data:
+      - ["go-jose", "github.com/go-jose/go-jose"]
+      - ["go-jose", "gopkg.in/square/go-jose"]
+      - ["go-jose", "github.com/square/go-jose"]
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["group:go-jose", "Recipient", True, "Key", "", "", "", "credentials-key", "manual"]
+      - ["group:go-jose", "SigningKey", True, "Key", "", "", "", "credentials-key", "manual"]
--- a/go/ql/lib/ext/github.com.gogf.gf-jwt.model.yml
+++ b/go/ql/lib/ext/github.com.gogf.gf-jwt.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["github.com/gogf/gf-jwt", "GfJWTMiddleware", True, "Key", "", "", "", "credentials-key", "manual"]
--- a/go/ql/lib/ext/github.com.kataras.iris.middleware.jwt.model.yml
+++ b/go/ql/lib/ext/github.com.kataras.iris.middleware.jwt.model.yml
@@ -4,3 +4,4 @@ extensions:
      extensible: sinkModel
    data:
      - ["github.com/kataras/iris/middleware/jwt", "", True, "NewSigner", "", "", "Argument[1]", "credentials-key", "manual"]
+      - ["github.com/kataras/iris/middleware/jwt", "Signer", True, "Key", "", "", "", "credentials-key", "manual"]
--- a/go/ql/lib/go.qll
+++ b/go/ql/lib/go.qll
@@ -44,7 +44,6 @@ import semmle.go.frameworks.Fiber
 import semmle.go.frameworks.Gin
 import semmle.go.frameworks.GinCors
 import semmle.go.frameworks.Glog
-import semmle.go.frameworks.Gogf
 import semmle.go.frameworks.GoJose
 import semmle.go.frameworks.GoKit
 import semmle.go.frameworks.GoMicro
--- a/go/ql/lib/semmle/go/frameworks/Gin.qll
+++ b/go/ql/lib/semmle/go/frameworks/Gin.qll
@@ -3,7 +3,6 @@
 */

 import go
-private import semmle.go.security.HardcodedCredentials

 private module Gin {
  /** Gets the package name `github.com/gin-gonic/gin`. */
@@ -30,13 +29,4 @@ private module Gin {

    override DataFlow::Node getAPathArgument() { result = this.getArgument(pathArg) }
  }
-
-  private class GinJwtSign extends HardcodedCredentials::Sink {
-    GinJwtSign() {
-      exists(Field f |
-        f.hasQualifiedName(package("github.com/appleboy/gin-jwt", ""), "GinJWTMiddleware", "Key") and
-        f.getAWrite().getRhs() = this
-      )
-    }
-  }
 }
--- a/go/ql/lib/semmle/go/frameworks/GoJose.qll
+++ b/go/ql/lib/semmle/go/frameworks/GoJose.qll
@@ -4,26 +4,8 @@
 */

 import go
-private import semmle.go.security.HardcodedCredentials

 private module GoJose {
-  private class GoJoseKey extends HardcodedCredentials::Sink {
-    GoJoseKey() {
-      exists(Field f |
-        f.hasQualifiedName(goJosePackage(), ["Recipient", "SigningKey"], "Key") and
-        f.getAWrite().getRhs() = this
-      )
-    }
-  }
-
-  private string goJosePackage() {
-    result =
-      [
-        package("github.com/square/go-jose", ""), package("github.com/go-jose/go-jose", ""),
-        "gopkg.in/square/go-jose.v2"
-      ]
-  }
-
  /**
   * Provides classes and predicates for working with the `gopkg.in/square/go-jose/jwt` and
   * `github.com/go-jose/go-jose/jwt` packages.
--- a/go/ql/lib/semmle/go/frameworks/Gogf.qll
+++ b/go/ql/lib/semmle/go/frameworks/Gogf.qll
@@ -1,17 +0,0 @@
-/**
- * Provides classes for working the `github.com/gogf` package.
- */
-
-import go
-private import semmle.go.security.HardcodedCredentials
-
-private module Gogf {
-  private class GogfJwtSign extends HardcodedCredentials::Sink {
-    GogfJwtSign() {
-      exists(Field f |
-        f.hasQualifiedName(package("github.com/gogf/gf-jwt", ""), "GfJWTMiddleware", "Key") and
-        f.getAWrite().getRhs() = this
-      )
-    }
-  }
-}
--- a/go/ql/lib/semmle/go/frameworks/Iris.qll
+++ b/go/ql/lib/semmle/go/frameworks/Iris.qll
@@ -3,7 +3,6 @@
 */

 import go
-private import semmle.go.security.HardcodedCredentials

 private module Iris {
  /** Gets the v1 module path `github.com/kataras/iris`. */
@@ -47,13 +46,4 @@ private module Iris {

    override DataFlow::Node getAPathArgument() { result = this.getArgument(pathArg) }
  }
-
-  private class IrisJwt extends HardcodedCredentials::Sink {
-    IrisJwt() {
-      exists(Field f |
-        f.hasQualifiedName(package("github.com/kataras/iris", "middleware/jwt"), "Signer", "Key") and
-        f.getAWrite().getRhs() = this
-      )
-    }
-  }
 }