Add support for Mux library

2026-01-29 06:12:58 +01:00 · 2020-05-05 03:25:08 -07:00
parent b1899374b9
commit a841077cbe
10 changed files with 112 additions and 0 deletions
--- a/change-notes/2020-05-05-mux-model.md
+++ b/change-notes/2020-05-05-mux-model.md
@@ -0,0 +1,3 @@
+lgtm,codescanning
+* Basic support for the [Mux](https://github.com/gorilla/mux/) HTTP library has been added, which
+  may lead to more results from the security queries.
--- a/ql/src/go.qll
+++ b/ql/src/go.qll
@@ -27,6 +27,7 @@ import semmle.go.dataflow.SSA
 import semmle.go.frameworks.Email
 import semmle.go.frameworks.HTTP
 import semmle.go.frameworks.Macaron
+import semmle.go.frameworks.Mux
 import semmle.go.frameworks.SystemCommandExecutors
 import semmle.go.frameworks.SQL
 import semmle.go.frameworks.XPath
--- a/ql/src/semmle/go/frameworks/Mux.qll
+++ b/ql/src/semmle/go/frameworks/Mux.qll
@@ -0,0 +1,15 @@
+/**
+ * Provides classes for working with concepts in the Mux HTTP middleware library.
+ */
+
+import go
+
+/**
+ * Provides classes for working with concepts in the Mux HTTP middleware library.
+ */
+module Mux {
+  /** An access to a Mux middleware variable. */
+  class RequestVars extends DataFlow::UntrustedFlowSource::Range, DataFlow::CallNode {
+    RequestVars() { this.getTarget().hasQualifiedName("github.com/gorilla/mux", "Vars") }
+  }
+}
--- a/ql/test/library-tests/semmle/go/frameworks/Mux/UntrustedFlowSources.expected
+++ b/ql/test/library-tests/semmle/go/frameworks/Mux/UntrustedFlowSources.expected
@@ -0,0 +1,2 @@
+| mux.go:15:10:15:20 | call to Vars |
+| mux.go:21:13:21:23 | call to Vars |
--- a/ql/test/library-tests/semmle/go/frameworks/Mux/UntrustedFlowSources.ql
+++ b/ql/test/library-tests/semmle/go/frameworks/Mux/UntrustedFlowSources.ql
@@ -0,0 +1,3 @@
+import go
+
+select any(UntrustedFlowSource ufs)
--- a/ql/test/library-tests/semmle/go/frameworks/Mux/go.mod
+++ b/ql/test/library-tests/semmle/go/frameworks/Mux/go.mod
@@ -0,0 +1,5 @@
+module codeql-go-tests/frameworks/Mux
+
+go 1.14
+
+require github.com/gorilla/mux v1.7.4
--- a/ql/test/library-tests/semmle/go/frameworks/Mux/mux.go
+++ b/ql/test/library-tests/semmle/go/frameworks/Mux/mux.go
@@ -0,0 +1,37 @@
+package main
+
+//go:generate depstubber -vendor github.com/gorilla/mux "" Vars
+
+import (
+	"fmt"
+	"log"
+	"net/http"
+	"os/exec"
+
+	"github.com/gorilla/mux"
+)
+
+func ArticlesHandler(w http.ResponseWriter, r *http.Request) {
+	vars := mux.Vars(r)
+	w.WriteHeader(http.StatusOK)
+	fmt.Fprintf(w, "Category: %v\n", vars["category"])
+}
+
+func CmdHandler(w http.ResponseWriter, r *http.Request) {
+	cmdName := mux.Vars(r)["cmd"]
+
+	cmd := exec.Command(cmdName)
+	stdoutStderr, err := cmd.CombinedOutput()
+	if err != nil {
+		log.Print(err)
+	}
+	fmt.Fprintf(w, "%s\n", stdoutStderr)
+}
+
+func main() {
+	r := mux.NewRouter()
+	r.HandleFunc("/run/{cmd}", CmdHandler)
+	r.HandleFunc("/articles/{category}", ArticlesHandler)
+	http.Handle("/", r)
+	log.Fatal(http.ListenAndServe(":8090", nil))
+}
--- a/ql/test/library-tests/semmle/go/frameworks/Mux/vendor/github.com/gorilla/mux/LICENSE
+++ b/ql/test/library-tests/semmle/go/frameworks/Mux/vendor/github.com/gorilla/mux/LICENSE
@@ -0,0 +1,27 @@
+Copyright (c) 2012-2018 The Gorilla Authors. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+	 * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+	 * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+	 * Neither the name of Google Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--- a/ql/test/library-tests/semmle/go/frameworks/Mux/vendor/github.com/gorilla/mux/stub.go
+++ b/ql/test/library-tests/semmle/go/frameworks/Mux/vendor/github.com/gorilla/mux/stub.go
@@ -0,0 +1,16 @@
+// Code generated by depstubber. DO NOT EDIT.
+// This is a simple stub for github.com/gorilla/mux, strictly for use in testing.
+
+// See the LICENSE file for information about the licensing of the original library.
+// Source: github.com/gorilla/mux (exports: ; functions: Vars)
+
+// Package mux is a stub of github.com/gorilla/mux, generated by depstubber.
+package mux
+
+import (
+	http "net/http"
+)
+
+func Vars(_ *http.Request) map[string]string {
+	return nil
+}
--- a/ql/test/library-tests/semmle/go/frameworks/Mux/vendor/modules.txt
+++ b/ql/test/library-tests/semmle/go/frameworks/Mux/vendor/modules.txt
@@ -0,0 +1,3 @@
+# github.com/gorilla/mux v1.7.4
+## explicit
+github.com/gorilla/mux