hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-16 16:53:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #18511 from owen-mc/go/docs/data-flow

Browse Source 
Update documentation on data flow in Go (and some small fixes for java)
This commit is contained in:
Owen Mansel-Chan
2025-02-03 11:11:04 +00:00
committed by GitHub
parent ed3ad1a226 da86668cfd
commit a3de138ec2
13 changed files with 414 additions and 290 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
docs/codeql/codeql-language-guides/analyzing-data-flow-in-cpp.rst
View File

@@ -172,7 +172,7 @@ Global data flow tracks data flow throughout the entire program, and is therefor
Using global data flow
~~~~~~~~~~~~~~~~~~~~~~
The global data flow library is used by implementing the signature ``DataFlow::ConfigSig`` and applying the module ``DataFlow::Global<ConfigSig>`` as follows:
We can use the global data flow library by implementing the signature ``DataFlow::ConfigSig`` and applying the module ``DataFlow::Global<ConfigSig>``:
.. code-block:: ql
@@ -314,7 +314,7 @@ Exercise 2: Write a query that finds all hard-coded strings used to create a ``h
Exercise 3: Write a class that represents flow sources from ``getenv``. (`Answer <#exercise-3>`__)
Exercise 4: Using the answers from 2 and 3, write a query which finds all global data flows from ``getenv`` to ``gethostbyname``. (`Answer <#exercise-4>`__)
Exercise 4: Using the answers from 2 and 3, write a query which finds all global data flow paths from ``getenv`` to ``gethostbyname``. (`Answer <#exercise-4>`__)
Answers
-------

15
docs/codeql/codeql-language-guides/analyzing-data-flow-in-csharp.rst
View File

@@ -65,8 +65,7 @@ Local taint tracking extends local data flow by including non-value-preserving f
.. code-block:: csharp
var temp = x;
var y = temp + ", " + temp;
var y = "Hello " + x;
If ``x`` is a tainted string then ``y`` is also tainted.
@@ -104,7 +103,7 @@ Unfortunately this will only give the expression in the argument, not the values
and DataFlow::localFlow(DataFlow::exprNode(src), DataFlow::exprNode(call.getArgument(0)))
select src
Then we can make the source more specific, for example an access to a public parameter. This query finds instances where a public parameter is used to open a file:
To restrict sources to only an access to a public parameter, rather than arbitrary expressions, we can modify this query as follows:
.. code-block:: ql
@@ -117,7 +116,7 @@ Then we can make the source more specific, for example an access to a public par
and call.getEnclosingCallable().(Member).isPublic()
select p, "Opening a file from a public method."
This query finds calls to ``String.Format`` where the format string isn't hard-coded:
The following query finds calls to ``String.Format`` where the format string isn't hard-coded:
.. code-block:: ql
@@ -148,7 +147,7 @@ Global data flow tracks data flow throughout the entire program, and is therefor
Using global data flow
~~~~~~~~~~~~~~~~~~~~~~
The global data flow library is used by implementing the signature ``DataFlow::ConfigSig`` and applying the module ``DataFlow::Global<ConfigSig>``:
We can use the global data flow library by implementing the signature ``DataFlow::ConfigSig`` and applying the module ``DataFlow::Global<ConfigSig>``:
.. code-block:: ql
@@ -170,8 +169,8 @@ These predicates are defined in the configuration:
- ``isSource`` - defines where data may flow from.
- ``isSink`` - defines where data may flow to.
- ``isBarrier`` - optionally, restricts the data flow.
- ``isAdditionalFlowStep`` - optionally, adds additional flow steps.
- ``isBarrier`` - optional, defines where data flow is blocked.
- ``isAdditionalFlowStep`` - optional, adds additional flow steps.
The data flow analysis is performed using the predicate ``flow(DataFlow::Node source, DataFlow::Node sink)``:
@@ -288,7 +287,7 @@ Exercise 2: Find all hard-coded strings passed to ``System.Uri``, using global d
Exercise 3: Define a class that represents flow sources from ``System.Environment.GetEnvironmentVariable``. (`Answer <#exercise-3>`__)
Exercise 4: Using the answers from 2 and 3, write a query to find all global data flow from ``System.Environment.GetEnvironmentVariable`` to ``System.Uri``. (`Answer <#exercise-4>`__)
Exercise 4: Using the answers from 2 and 3, write a query which finds all global data flow paths from ``System.Environment.GetEnvironmentVariable`` to ``System.Uri``. (`Answer <#exercise-4>`__)
Extending library data flow
---------------------------

369
docs/codeql/codeql-language-guides/analyzing-data-flow-in-go.rst Normal file
View File

@@ -0,0 +1,369 @@
.. _analyzing-data-flow-in-go:
Analyzing data flow in Go
=========================
You can use CodeQL to track the flow of data through a Go program to its use.
About this article
------------------
This article describes how data flow analysis is implemented in the CodeQL libraries for Go and includes examples to help you write your own data flow queries.
The following sections describe how to use the libraries for local data flow, global data flow, and taint tracking.
For a more general introduction to modeling data flow, see ":ref:`About data flow analysis <about-data-flow-analysis>`."
.. include:: ../reusables/new-data-flow-api.rst
Local data flow
---------------
Local data flow is data flow within a single method or callable. Local data flow is usually easier, faster, and more precise than global data flow, and is sufficient for many queries.
Using local data flow
~~~~~~~~~~~~~~~~~~~~~
The ``DataFlow`` module defines the class ``Node`` denoting any element that data can flow through.
The ``Node`` class has a number of useful subclasses, such as ``ExprNode`` for expressions, ``ParameterNode`` for parameters, and ``InstructionNode`` for control-flow nodes.
You can map between data flow nodes and expressions/control-flow nodes/parameters using the member predicates ``asExpr``, ``asParameter`` and ``asInstruction``:
.. code-block:: ql
class Node {
/** Gets the expression corresponding to this node, if any. */
Expr asExpr() { ... }
/** Gets the parameter corresponding to this node, if any. */
Parameter asParameter() { ... }
/** Gets the IR instruction corresponding to this node, if any. */
IR::Instruction asInstruction() { ... }
...
}
or using the predicates ``exprNode``, ``parameterNode`` and ``instructionNode``:
.. code-block:: ql
/**
* Gets the `Node` corresponding to `e`.
*/
ExprNode exprNode(Expr e) { ... }
/**
* Gets the `Node` corresponding to the value of `p` at function entry.
*/
ParameterNode parameterNode(Parameter p) { ... }
/**
* Gets the `Node` corresponding to `insn`.
*/
InstructionNode instructionNode(IR::Instruction insn) { ... }
The predicate ``localFlowStep(Node nodeFrom, Node nodeTo)`` holds if there is an immediate data flow edge from the node ``nodeFrom`` to the node ``nodeTo``. You can apply the predicate recursively by using the ``+`` and ``*`` operators, or by using the predefined recursive predicate ``localFlow``, which is equivalent to ``localFlowStep*``.
For example, you can find flow from a parameter ``source`` to an expression ``sink`` in zero or more local steps:
.. code-block:: ql
DataFlow::localFlow(DataFlow::parameterNode(source), DataFlow::exprNode(sink))
Using local taint tracking
~~~~~~~~~~~~~~~~~~~~~~~~~~
Local taint tracking extends local data flow by including non-value-preserving flow steps. For example:
.. code-block:: go
y := "Hello " + x;
If ``x`` is a tainted string then ``y`` is also tainted.
The local taint tracking library is in the module ``TaintTracking``. Like local data flow, a predicate ``localTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo)`` holds if there is an immediate taint propagation edge from the node ``nodeFrom`` to the node ``nodeTo``. You can apply the predicate recursively by using the ``+`` and ``*`` operators, or by using the predefined recursive predicate ``localTaint``, which is equivalent to ``localTaintStep*``.
For example, you can find taint propagation from a parameter ``source`` to an expression ``sink`` in zero or more local steps:
.. code-block:: ql
TaintTracking::localTaint(DataFlow::parameterNode(source), DataFlow::exprNode(sink))
Examples
~~~~~~~~
This query finds the filename passed to ``os.Open(..)``:
.. code-block:: ql
import go
from Function osOpen, CallExpr call
where
osOpen.hasQualifiedName("os", "Open") and
call.getTarget() = osOpen
select call.getArgument(0)
Unfortunately, this only gives the expression in the argument, not the values which could be passed to it. So we use local data flow to find all expressions that flow into the argument:
.. code-block:: ql
import go
from Function osOpen, CallExpr call, Expr src
where
osOpen.hasQualifiedName("os", "Open") and
call.getTarget() = osOpen and
DataFlow::localFlow(DataFlow::exprNode(src), DataFlow::exprNode(call.getArgument(0)))
select src
To restrict sources to only parameters, rather than arbitrary expressions, we can modify this query as follows:
.. code-block:: ql
import go
from Function osOpen, CallExpr call, Parameter p
where
osOpen.hasQualifiedName("os", "Open") and
call.getTarget() = osOpen and
DataFlow::localFlow(DataFlow::parameterNode(p), DataFlow::exprNode(call.getArgument(0)))
select p
The following query finds calls to formatting functions where the format string is not hard-coded.
Note that `StringOps::Formatting::Range <https://codeql.github.com/codeql-standard-libraries/go/semmle/go/StringOps.qll/type.StringOps$StringOps$Formatting$Range.html>`_ is a class that represents all functions which have a format string, and its member predicate `getFormatStringIndex` gives the index of the argument which is the format string.
.. code-block:: ql
import go
from StringOps::Formatting::Range format, CallExpr call, Expr formatString
where
call.getTarget() = format and
formatString = call.getArgument(format.getFormatStringIndex()) and
not exists(DataFlow::Node source, DataFlow::Node sink |
DataFlow::localFlow(source, sink) and
source.asExpr() instanceof StringLit and
sink.asExpr() = formatString
)
select call, "Argument to String format method isn't hard-coded."
Exercises
~~~~~~~~~
Exercise 1: Write a query that finds all hard-coded strings used to create a ``url.URL``, using local data flow. (`Answer <#exercise-1>`__)
Global data flow
----------------
Global data flow tracks data flow throughout the entire program, and is therefore more powerful than local data flow. However, global data flow is less precise than local data flow, and the analysis typically requires significantly more time and memory to perform.
.. pull-quote:: Note
.. include:: ../reusables/path-problem.rst
Using global data flow
~~~~~~~~~~~~~~~~~~~~~~
We can use the global data flow library by implementing the signature ``DataFlow::ConfigSig`` and applying the module ``DataFlow::Global<ConfigSig>``:
.. code-block:: ql
import go
module MyFlowConfiguration implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
...
}
predicate isSink(DataFlow::Node sink) {
...
}
}
module MyFlow = DataFlow::Global<MyFlowConfiguration>;
These predicates are defined in the configuration:
- ``isSource`` - defines where data may flow from.
- ``isSink`` - defines where data may flow to.
- ``isBarrier`` - optional, defines where data flow is blocked.
- ``isAdditionalFlowStep`` - optional, adds additional flow steps.
The data flow analysis is performed using the predicate ``flow(DataFlow::Node source, DataFlow::Node sink)``:
.. code-block:: ql
from DataFlow::Node source, DataFlow::Node sink
where MyFlow::flow(source, sink)
select source, "Data flow to $@.", sink, sink.toString()
Using global taint tracking
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Global taint tracking is to global data flow what local taint tracking is to local data flow. That is, global taint tracking extends global data flow with additional non-value-preserving steps. The global taint tracking library is used by applying the module ``TaintTracking::Global<ConfigSig>`` to your configuration instead of ``DataFlow::Global<ConfigSig>``:
.. code-block:: ql
import go
module MyFlowConfiguration implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
...
}
predicate isSink(DataFlow::Node sink) {
...
}
}
module MyFlow = TaintTracking::Global<MyFlowConfiguration>;
The resulting module has an identical signature to the one obtained from ``DataFlow::Global<ConfigSig>``.
Flow sources
~~~~~~~~~~~~
The data flow library contains some predefined flow sources. The class ``RemoteFlowSource`` (defined in ``semmle.code.java.dataflow.FlowSources``) represents data flow sources that may be controlled by a remote user, which is useful for finding security problems.
Examples
~~~~~~~~
This query shows a taint-tracking configuration that uses remote user input as data sources.
.. code-block:: ql
import go
module MyFlowConfiguration implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
source instanceof RemoteFlowSource
}
...
}
module MyTaintFlow = TaintTracking::Global<MyFlowConfiguration>;
Exercises
~~~~~~~~~
Exercise 2: Write a query that finds all hard-coded strings used to create a ``url.URL``, using global data flow. (`Answer <#exercise-2>`__)
Exercise 3: Write a class that represents flow sources from ``os.Getenv(..)``. (`Answer <#exercise-3>`__)
Exercise 4: Using the answers from 2 and 3, write a query which finds all global data flow paths from ``os.Getenv`` to ``url.URL``. (`Answer <#exercise-4>`__)
Answers
-------
Exercise 1
~~~~~~~~~~
.. code-block:: ql
import go
from Function urlParse, Expr arg, StringLit rawURL, CallExpr call
where
(
urlParse.hasQualifiedName("url", "Parse") or
urlParse.hasQualifiedName("url", "ParseRequestURI")
) and
call.getTarget() = urlParse and
arg = call.getArgument(0) and
DataFlow::localFlow(DataFlow::exprNode(rawURL), DataFlow::exprNode(arg))
select call.getArgument(0)
Exercise 2
~~~~~~~~~~
.. code-block:: ql
import go
module LiteralToURLConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
source.asExpr() instanceof StringLit
}
predicate isSink(DataFlow::Node sink) {
exists(Function urlParse, CallExpr call |
(
urlParse.hasQualifiedName("url", "Parse") or
urlParse.hasQualifiedName("url", "ParseRequestURI")
) and
call.getTarget() = urlParse and
sink.asExpr() = call.getArgument(0)
)
}
}
module LiteralToURLFlow = DataFlow::Global<LiteralToURLConfig>;
from DataFlow::Node src, DataFlow::Node sink
where LiteralToURLFlow::flow(src, sink)
select src, "This string constructs a URL $@.", sink, "here"
Exercise 3
~~~~~~~~~~
.. code-block:: ql
import go
class GetenvSource extends CallExpr {
GetenvSource() {
exists(Function m | m = this.getTarget() |
m.hasQualifiedName("os", "Getenv")
)
}
}
Exercise 4
~~~~~~~~~~
.. code-block:: ql
import go
class GetenvSource extends CallExpr {
GetenvSource() {
exists(Function m | m = this.getTarget() |
m.hasQualifiedName("os", "Getenv")
)
}
}
module GetenvToURLConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
source instanceof GetenvSource
}
predicate isSink(DataFlow::Node sink) {
exists(Function urlParse, CallExpr call |
(
urlParse.hasQualifiedName("url", "Parse") or
urlParse.hasQualifiedName("url", "ParseRequestURI")
) and
call.getTarget() = urlParse and
sink.asExpr() = call.getArgument(0)
)
}
}
}
module GetenvToURLFlow = DataFlow::Global<GetenvToURLConfig>;
from DataFlow::Node src, DataFlow::Node sink
where GetenvToURLFlow::flow(src, sink)
select src, "This environment variable constructs a URL $@.", sink, "here"
Further reading
---------------
- `Exploring data flow with path queries <https://docs.github.com/en/code-security/codeql-for-vs-code/getting-started-with-codeql-for-vs-code/exploring-data-flow-with-path-queries>`__ in the GitHub documentation.
.. include:: ../reusables/go-further-reading.rst
.. include:: ../reusables/codeql-ref-tools-further-reading.rst

34
docs/codeql/codeql-language-guides/analyzing-data-flow-in-java.rst
View File

@@ -74,8 +74,7 @@ Local taint tracking extends local data flow by including non-value-preserving f
.. code-block:: java
String temp = x;
String y = temp + ", " + temp;
String y = "Hello " + x;
If ``x`` is a tainted string then ``y`` is also tainted.
@@ -97,7 +96,7 @@ For example, you can find taint propagation from a parameter ``source`` to an ex
Examples
~~~~~~~~
This query finds the filename passed to ``new FileReader(..)``.
This query finds the filename passed to ``new FileReader(..)``:
.. code-block:: ql
@@ -123,7 +122,7 @@ Unfortunately, this only gives the expression in the argument, not the values wh
DataFlow::localFlow(DataFlow::exprNode(src), DataFlow::exprNode(call.getArgument(0)))
select src
Then we can make the source more specific, for example an access to a public parameter. This query finds where a public parameter is passed to ``new FileReader(..)``:
To restrict sources to only an access to a public parameter, rather than arbitrary expressions, we can modify this query as follows:
.. code-block:: ql
@@ -137,7 +136,7 @@ Then we can make the source more specific, for example an access to a public par
DataFlow::localFlow(DataFlow::parameterNode(p), DataFlow::exprNode(call.getArgument(0)))
select p
This query finds calls to formatting functions where the format string is not hard-coded.
The following query finds calls to formatting functions where the format string is not hard-coded.
.. code-block:: ql
@@ -145,7 +144,7 @@ This query finds calls to formatting functions where the format string is not ha
import semmle.code.java.dataflow.DataFlow
import semmle.code.java.StringFormat
from StringFormatMethod format, MethodAccess call, Expr formatString
from StringFormatMethod format, MethodCall call, Expr formatString
where
call.getMethod() = format and
call.getArgument(format.getFormatStringIndex()) = formatString and
@@ -173,10 +172,11 @@ Global data flow tracks data flow throughout the entire program, and is therefor
Using global data flow
~~~~~~~~~~~~~~~~~~~~~~
You use the global data flow library by implementing the signature ``DataFlow::ConfigSig`` and applying the module ``DataFlow::Global<ConfigSig>``:
We can use the global data flow library by implementing the signature ``DataFlow::ConfigSig`` and applying the module ``DataFlow::Global<ConfigSig>``:
.. code-block:: ql
import java
import semmle.code.java.dataflow.DataFlow
module MyFlowConfiguration implements DataFlow::ConfigSig {
@@ -193,10 +193,10 @@ You use the global data flow library by implementing the signature ``DataFlow::C
These predicates are defined in the configuration:
- ``isSource``defines where data may flow from
- ``isSink``defines where data may flow to
- ``isBarrier``optional, restricts the data flow
- ``isAdditionalFlowStep``optional, adds additional flow steps
- ``isSource`` - defines where data may flow from.
- ``isSink`` - defines where data may flow to.
- ``isBarrier`` - optional, defines where data flow is blocked.
- ``isAdditionalFlowStep`` - optional, adds additional flow steps.
The data flow analysis is performed using the predicate ``flow(DataFlow::Node source, DataFlow::Node sink)``:
@@ -209,10 +209,11 @@ The data flow analysis is performed using the predicate ``flow(DataFlow::Node so
Using global taint tracking
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Global taint tracking is to global data flow as local taint tracking is to local data flow. That is, global taint tracking extends global data flow with additional non-value-preserving steps. You use the global taint tracking library by applying the module ``TaintTracking::Global<ConfigSig>`` to your configuration instead of ``DataFlow::Global<ConfigSig>``:
Global taint tracking is to global data flow what local taint tracking is to local data flow. That is, global taint tracking extends global data flow with additional non-value-preserving steps. You use the global taint tracking library by applying the module ``TaintTracking::Global<ConfigSig>`` to your configuration instead of ``DataFlow::Global<ConfigSig>``:
.. code-block:: ql
import java
import semmle.code.java.dataflow.TaintTracking
module MyFlowConfiguration implements DataFlow::ConfigSig {
@@ -261,7 +262,7 @@ Exercise 2: Write a query that finds all hard-coded strings used to create a ``j
Exercise 3: Write a class that represents flow sources from ``java.lang.System.getenv(..)``. (`Answer <#exercise-3>`__)
Exercise 4: Using the answers from 2 and 3, write a query which finds all global data flows from ``getenv`` to ``java.net.URL``. (`Answer <#exercise-4>`__)
Exercise 4: Using the answers from 2 and 3, write a query which finds all global data flow paths from ``getenv`` to ``java.net.URL``. (`Answer <#exercise-4>`__)
Answers
-------
@@ -271,6 +272,7 @@ Exercise 1
.. code-block:: ql
import java
import semmle.code.java.dataflow.DataFlow
from Constructor url, Call call, StringLiteral src
@@ -285,6 +287,7 @@ Exercise 2
.. code-block:: ql
import java
import semmle.code.java.dataflow.DataFlow
module LiteralToURLConfig implements DataFlow::ConfigSig {
@@ -313,7 +316,7 @@ Exercise 3
import java
class GetenvSource extends MethodAccess {
class GetenvSource extends MethodCall {
GetenvSource() {
exists(Method m | m = this.getMethod() |
m.hasName("getenv") and
@@ -327,11 +330,12 @@ Exercise 4
.. code-block:: ql
import java
import semmle.code.java.dataflow.DataFlow
class GetenvSource extends DataFlow::ExprNode {
GetenvSource() {
exists(Method m | m = this.asExpr().(MethodAccess).getMethod() |
exists(Method m | m = this.asExpr().(MethodCall).getMethod() |
m.hasName("getenv") and
m.getDeclaringType() instanceof TypeSystem
)

2
docs/codeql/codeql-language-guides/analyzing-data-flow-in-javascript-and-typescript.rst
View File

@@ -455,7 +455,7 @@ using global data flow. (`Answer <#exercise-2>`__).
Exercise 3: Write a class which represents flow sources from the array elements of the result of a call, for example the expression ``myObject.myMethod(myArgument)[myIndex]``.
Hint: array indices are properties with numeric names; you can use regular expression matching to check this. (`Answer <#exercise-3>`__)
Exercise 4: Using the answers from 2 and 3, write a query which finds all global data flows from array elements of the result of a call to the ``tagName`` argument to the
Exercise 4: Using the answers from 2 and 3, write a query which finds all global data flow paths from array elements of the result of a call to the ``tagName`` argument to the
``createElement`` function. (`Answer <#exercise-4>`__)
Answers

9
docs/codeql/codeql-language-guides/analyzing-data-flow-in-python.rst
View File

@@ -62,8 +62,7 @@ Local taint tracking extends local data flow by including non-value-preserving f
.. code-block:: python
temp = x
y = temp + ", " + temp
y = "Hello " + x
If ``x`` is a tainted string then ``y`` is also tainted.
@@ -206,7 +205,7 @@ Global data flow tracks data flow throughout the entire program, and is therefor
Using global data flow
~~~~~~~~~~~~~~~~~~~~~~
The global data flow library is used by implementing the signature ``DataFlow::ConfigSig`` and applying the module ``DataFlow::Global<ConfigSig>``:
We can use the global data flow library by implementing the signature ``DataFlow::ConfigSig`` and applying the module ``DataFlow::Global<ConfigSig>``:
.. code-block:: ql
@@ -228,8 +227,8 @@ These predicates are defined in the configuration:
- ``isSource`` - defines where data may flow from.
- ``isSink`` - defines where data may flow to.
- ``isBarrier`` - optionally, restricts the data flow.
- ``isAdditionalFlowStep`` - optionally, adds additional flow steps.
- ``isBarrier`` - optional, defines where data flow is blocked.
- ``isAdditionalFlowStep`` - optional, adds additional flow steps.
The data flow analysis is performed using the predicate ``flow(DataFlow::Node source, DataFlow::Node sink)``:

9
docs/codeql/codeql-language-guides/analyzing-data-flow-in-ruby.rst
View File

@@ -74,8 +74,7 @@ For example:
.. code-block:: ruby
temp = x
y = temp + ", " + temp
y = "Hello " + x
If ``x`` is a tainted string then ``y`` is also tainted.
@@ -226,7 +225,7 @@ However, global data flow is less precise than local data flow, and the analysis
Using global data flow
~~~~~~~~~~~~~~~~~~~~~~
You can use the global data flow library by implementing the signature ``DataFlow::ConfigSig`` and applying the module ``DataFlow::Global<ConfigSig>``:
We can use the global data flow library by implementing the signature ``DataFlow::ConfigSig`` and applying the module ``DataFlow::Global<ConfigSig>``:
.. code-block:: ql
@@ -248,8 +247,8 @@ These predicates are defined in the configuration:
- ``isSource`` - defines where data may flow from.
- ``isSink`` - defines where data may flow to.
- ``isBarrier`` - optionally, restricts the data flow.
- ``isAdditionalFlowStep`` - optionally, adds additional flow steps.
- ``isBarrier`` - optional, defines where data flow is blocked.
- ``isAdditionalFlowStep`` - optional, adds additional flow steps.
The data flow analysis is performed using the predicate ``flow(DataFlow::Node source, DataFlow::Node sink)``:

9
docs/codeql/codeql-language-guides/analyzing-data-flow-in-swift.rst
View File

@@ -72,8 +72,7 @@ For example:
.. code-block:: swift
temp = x
y = temp + ", " + temp
y = "Hello " + x
If ``x`` is a tainted string then ``y`` is also tainted.
@@ -163,7 +162,7 @@ However, global data flow is less precise than local data flow, and the analysis
Using global data flow
~~~~~~~~~~~~~~~~~~~~~~
You can use the global data flow library by implementing the module ``DataFlow::ConfigSig``:
We can use the global data flow library by implementing the signature ``DataFlow::ConfigSig`` and applying the module ``DataFlow::Global<ConfigSig>``:
.. code-block:: ql
@@ -185,8 +184,8 @@ These predicates are defined in the configuration:
- ``isSource`` - defines where data may flow from.
- ``isSink`` - defines where data may flow to.
- ``isBarrier`` - optionally, restricts the data flow.
- ``isAdditionalFlowStep`` - optionally, adds additional flow steps.
- ``isBarrier`` - optional, defines where data flow is blocked.
- ``isAdditionalFlowStep`` - optional, adds additional flow steps.
The last line (``module MyDataFlow = ...``) instantiates the parameterized module for data flow analysis by passing the configuration to the parameterized module. Data flow analysis can then be performed using ``MyDataFlow::flow(DataFlow::Node source, DataFlow::Node sink)``:

5
docs/codeql/codeql-language-guides/codeql-for-go.rst
View File

@@ -11,7 +11,7 @@ Experiment and learn how to write effective and efficient queries for CodeQL dat
basic-query-for-go-code
codeql-library-for-go
abstract-syntax-tree-classes-for-working-with-go-programs
modeling-data-flow-in-go-libraries
analyzing-data-flow-in-go
customizing-library-models-for-go
- :doc:`Basic query for Go code <basic-query-for-go-code>`: Learn to write and run a simple CodeQL query.
@@ -22,7 +22,6 @@ Experiment and learn how to write effective and efficient queries for CodeQL dat
- :doc:`Abstract syntax tree classes for working with Go programs <abstract-syntax-tree-classes-for-working-with-go-programs>`: CodeQL has a large selection of classes for representing the abstract syntax tree of Go programs.
- :doc:`Modeling data flow in Go libraries <modeling-data-flow-in-go-libraries>`: When analyzing a Go program, CodeQL does not examine the source code for external packages.
To track the flow of untrusted data through a library, you can create a model of the library.
- :doc:`Analyzing data flow in Go <analyzing-data-flow-in-go>`: You can use CodeQL to track the flow of data through a Go program to its use.
- :doc:`Customizing library models for Go <customizing-library-models-for-go>`: You can model frameworks and libraries that your codebase depends on using data extensions and publish them as CodeQL model packs.

124
docs/codeql/codeql-language-guides/modeling-data-flow-in-go-libraries.rst
View File

@@ -1,124 +0,0 @@
.. _modeling-data-flow-in-go-libraries:
Modeling data flow in Go libraries
==================================
When analyzing a Go program, CodeQL does not examine the source code for
external packages. To track the flow of untrusted data through a library, you
can create a model of the library.
You can find existing models in the ``go/ql/lib/semmle/go/frameworks/`` folder of the
`CodeQL repository <https://github.com/github/codeql/tree/main/go/ql/lib/semmle/go/frameworks>`__.
To add a new model, you should make a new file in that folder, named after the library.
Sources
-------
To mark a source of data that is controlled by an untrusted user, we
create a class extending ``RemoteFlowSource::Range``. Inheritance and
the characteristic predicate of the class should be used to specify
exactly the dataflow node that introduces the data. Here is a short
example from ``Mux.qll``.
.. code-block:: ql
class RequestVars extends DataFlow::RemoteFlowSource::Range, DataFlow::CallNode {
RequestVars() { this.getTarget().hasQualifiedName("github.com/gorilla/mux", "Vars") }
}
This has the effect that all calls to `the function Vars from the
package mux <https://github.com/gorilla/mux>`__ are
treated as sources of untrusted data.
Flow propagation
----------------
By default, we assume that all functions in libraries do not have
any data flow. To indicate that a particular function does have data flow,
create a class extending ``TaintTracking::FunctionModel`` (or
``DataFlow::FunctionModel`` if the untrusted user data is passed on
without being modified).
Inheritance and the characteristic predicate of the class should specify
the function. The class should also have a member predicate with the signature
``override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp)``
(or
``override predicate hasDataFlow(FunctionInput inp, FunctionOutput outp)``
if extending ``DataFlow::FunctionModel``). The body should constrain
``inp`` and ``outp``.
``FunctionInput`` is an abstract representation of the inputs to a
function. The options are:
* the receiver (``inp.isReceiver()``)
* one of the parameters (``inp.isParameter(i)``)
* one of the results (``inp.isResult(i)``, or ``inp.isResult`` if there is only one result)
Note that it may seem strange that the result of a function could be
considered as a function input, but it is needed in some cases. For
instance, the function ``bufio.NewWriter`` returns a writer ``bw`` that
buffers write operations to an underlying writer ``w``. If tainted data
is written to ``bw``, then it makes sense to propagate that taint back
to the underlying writer ``w``, which can be modeled by saying that
``bufio.NewWriter`` propagates taint from its result to its first
argument.
Similarly, ``FunctionOutput`` is an abstract representation of the
outputs to a function. The options are:
* the receiver (``outp.isReceiver()``)
* one of the parameters (``outp.isParameter(i)``)
* one of the results (``outp.isResult(i)``, or ``outp.isResult`` if there is only one result)
Here is an example from ``Gin.qll``, which has been slightly simplified.
.. code-block:: ql
private class ParamsGet extends TaintTracking::FunctionModel, Method {
ParamsGet() { this.hasQualifiedName("github.com/gin-gonic/gin", "Params", "Get") }
override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) {
inp.isReceiver() and outp.isResult(0)
}
}
This has the effect that calls to the ``Get`` method with receiver type
``Params`` from the ``gin-gonic/gin`` package allow taint to flow from
the receiver to the first result. In other words, if ``p`` has type
``Params`` and taint can flow to it, then after the line
``x := p.Get("foo")`` taint can also flow to ``x``.
Sanitizers
----------
It is not necessary to indicate that library functions are sanitizers.
Their bodies are not analyzed, so it is assumed that data does not
flow through them.
Sinks
-----
Data-flow sinks are specified by queries rather than by library models.
However, you can use library models to indicate when functions belong to
special categories. Queries can then use these categories when specifying
sinks. Classes representing these special categories are contained in
``go/ql/lib/semmle/go/Concepts.qll`` in the `CodeQL repository
<https://github.com/github/codeql/blob/main/go/ql/lib/semmle/go/Concepts.qll>`__.
``Concepts.qll`` includes classes for logger mechanisms,
HTTP response writers, HTTP redirects, and marshaling and unmarshaling
functions.
Here is a short example from ``Stdlib.qll``, which has been slightly simplified.
.. code-block:: ql
private class PrintfCall extends LoggerCall::Range, DataFlow::CallNode {
PrintfCall() { this.getTarget().hasQualifiedName("fmt", ["Print", "Printf", "Println"]) }
override DataFlow::Node getAMessageComponent() { result = this.getAnArgument() }
}
This has the effect that any call to ``Print``, ``Printf``, or
``Println`` in the package ``fmt`` is recognized as a logger call.
Any query that uses logger calls as a sink will then identify when tainted data
has been passed as an argument to ``Print``, ``Printf``, or ``Println``.

1
docs/codeql/writing-codeql-queries/about-data-flow-analysis.rst
View File

@@ -18,6 +18,7 @@ See the following tutorials for more information about analyzing data flow in sp
- ":ref:`Analyzing data flow in C/C++ <analyzing-data-flow-in-cpp>`"
- ":ref:`Analyzing data flow in C# <analyzing-data-flow-in-csharp>`"
- ":ref:`Analyzing data flow in Go <analyzing-data-flow-in-go>`"
- ":ref:`Analyzing data flow in Java/Kotlin <analyzing-data-flow-in-java>`"
- ":ref:`Analyzing data flow in JavaScript/TypeScript <analyzing-data-flow-in-javascript-and-typescript>`"
- ":ref:`Analyzing data flow in Python <analyzing-data-flow-in-python>`"

1
docs/codeql/writing-codeql-queries/creating-path-queries.rst
View File

@@ -28,6 +28,7 @@ For more language-specific information on analyzing data flow, see:
- ":ref:`Analyzing data flow in C/C++ <analyzing-data-flow-in-cpp>`"
- ":ref:`Analyzing data flow in C# <analyzing-data-flow-in-csharp>`"
- ":ref:`Analyzing data flow in Go <analyzing-data-flow-in-go>`"
- ":ref:`Analyzing data flow in Java/Kotlin <analyzing-data-flow-in-java>`"
- ":ref:`Analyzing data flow in JavaScript/TypeScript <analyzing-data-flow-in-javascript-and-typescript>`"
- ":ref:`Analyzing data flow in Python <analyzing-data-flow-in-python>`"

122
go/docs/language/learn-ql/go/library-modeling-go.rst
View File

@@ -1,122 +0,0 @@
Modeling data flow in Go libraries
==================================
When analyzing a Go program, CodeQL does not examine the source code for
external packages. To track the flow of untrusted data through a library, you
can create a model of the library.
You can find existing models in the ``go/ql/lib/semmle/go/frameworks/`` folder of the
`CodeQL repository <https://github.com/github/codeql/tree/main/go/ql/lib/semmle/go/frameworks>`__.
To add a new model, you should make a new file in that folder, named after the library.
Sources
-------
To mark a source of data that is controlled by an untrusted user, we
create a class extending ``RemoteFlowSource::Range``. Inheritance and
the characteristic predicate of the class should be used to specify
exactly the dataflow node that introduces the data. Here is a short
example from ``Mux.qll``.
.. code-block:: ql
class RequestVars extends DataFlow::RemoteFlowSource::Range, DataFlow::CallNode {
RequestVars() { this.getTarget().hasQualifiedName("github.com/gorilla/mux", "Vars") }
}
This has the effect that all calls to `the function Vars from the
package mux <http://www.gorillatoolkit.org/pkg/mux#Vars>`__ are
treated as sources of untrusted data.
Flow propagation
----------------
By default, we assume that all functions in libraries do not have
any data flow. To indicate that a particular function does have data flow,
create a class extending ``TaintTracking::FunctionModel`` (or
``DataFlow::FunctionModel`` if the untrusted user data is passed on
without being modified).
Inheritance and the characteristic predicate of the class should specify
the function. The class should also have a member predicate with the signature
``override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp)``
(or
``override predicate hasDataFlow(FunctionInput inp, FunctionOutput outp)``
if extending ``DataFlow::FunctionModel``). The body should constrain
``inp`` and ``outp``.
``FunctionInput`` is an abstract representation of the inputs to a
function. The options are:
* the receiver (``inp.isReceiver()``)
* one of the parameters (``inp.isParameter(i)``)
* one of the results (``inp.isResult(i)``, or ``inp.isResult`` if there is only one result)
Note that it may seem strange that the result of a function could be
considered as a function input, but it is needed in some cases. For
instance, the function ``bufio.NewWriter`` returns a writer ``bw`` that
buffers write operations to an underlying writer ``w``. If tainted data
is written to ``bw``, then it makes sense to propagate that taint back
to the underlying writer ``w``, which can be modeled by saying that
``bufio.NewWriter`` propagates taint from its result to its first
argument.
Similarly, ``FunctionOutput`` is an abstract representation of the
outputs to a function. The options are:
* the receiver (``outp.isReceiver()``)
* one of the parameters (``outp.isParameter(i)``)
* one of the results (``outp.isResult(i)``, or ``outp.isResult`` if there is only one result)
Here is an example from ``Gin.qll``, which has been slightly simplified.
.. code-block:: ql
private class ParamsGet extends TaintTracking::FunctionModel, Method {
ParamsGet() { this.hasQualifiedName("github.com/gin-gonic/gin", "Params", "Get") }
override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) {
inp.isReceiver() and outp.isResult(0)
}
}
This has the effect that calls to the ``Get`` method with receiver type
``Params`` from the ``gin-gonic/gin`` package allow taint to flow from
the receiver to the first result. In other words, if ``p`` has type
``Params`` and taint can flow to it, then after the line
``x := p.Get("foo")`` taint can also flow to ``x``.
Sanitizers
----------
It is not necessary to indicate that library functions are sanitizers.
Their bodies are not analyzed, so it is assumed that data does not
flow through them.
Sinks
-----
Data-flow sinks are specified by queries rather than by library models.
However, you can use library models to indicate when functions belong to
special categories. Queries can then use these categories when specifying
sinks. Classes representing these special categories are contained in
``go/ql/lib/semmle/go/Concepts.qll`` in the `CodeQL for Go repository
<https://github.com/github/codeql/blob/main/go/ql/lib/semmle/go/Concepts.qll>`__.
``Concepts.qll`` includes classes for logger mechanisms,
HTTP response writers, HTTP redirects, and marshaling and unmarshaling
functions.
Here is a short example from ``Stdlib.qll``, which has been slightly simplified.
.. code-block:: ql
private class PrintfCall extends LoggerCall::Range, DataFlow::CallNode {
PrintfCall() { this.getTarget().hasQualifiedName("fmt", ["Print", "Printf", "Println"]) }
override DataFlow::Node getAMessageComponent() { result = this.getAnArgument() }
}
This has the effect that any call to ``Print``, ``Printf``, or
``Println`` in the package ``fmt`` is recognized as a logger call.
Any query that uses logger calls as a sink will then identify when tainted data
has been passed as an argument to ``Print``, ``Printf``, or ``Println``.