From a841077cbe84d36574b0885388bb4e9e85589de1 Mon Sep 17 00:00:00 2001
From: Sauyon Lee
Date: Tue, 5 May 2020 03:25:08 -0700
Subject: [PATCH] Add support for Mux library
---
 change-notes/2020-05-05-mux-model.md | 3 ++
 ql/src/go.qll | 1 +
 ql/src/semmle/go/frameworks/Mux.qll | 15 ++++++++
 .../Mux/UntrustedFlowSources.expected | 2 +
 .../go/frameworks/Mux/UntrustedFlowSources.ql | 3 ++
 .../semmle/go/frameworks/Mux/go.mod | 5 +++
 .../semmle/go/frameworks/Mux/mux.go | 37 +++++++++++++++++++
 .../Mux/vendor/github.com/gorilla/mux/LICENSE | 27 ++++++++++++++
 .../Mux/vendor/github.com/gorilla/mux/stub.go | 16 ++++++++
 .../go/frameworks/Mux/vendor/modules.txt | 3 ++
 10 files changed, 112 insertions(+)
 create mode 100644 change-notes/2020-05-05-mux-model.md
 create mode 100644 ql/src/semmle/go/frameworks/Mux.qll
 create mode 100644 ql/test/library-tests/semmle/go/frameworks/Mux/UntrustedFlowSources.expected
 create mode 100644 ql/test/library-tests/semmle/go/frameworks/Mux/UntrustedFlowSources.ql
 create mode 100644 ql/test/library-tests/semmle/go/frameworks/Mux/go.mod
 create mode 100644 ql/test/library-tests/semmle/go/frameworks/Mux/mux.go
 create mode 100644 ql/test/library-tests/semmle/go/frameworks/Mux/vendor/github.com/gorilla/mux/LICENSE
 create mode 100644 ql/test/library-tests/semmle/go/frameworks/Mux/vendor/github.com/gorilla/mux/stub.go
 create mode 100644 ql/test/library-tests/semmle/go/frameworks/Mux/vendor/modules.txt
diff --git a/change-notes/2020-05-05-mux-model.md b/change-notes/2020-05-05-mux-model.md
new file mode 100644
index 00000000000..4ca9d688dd7
--- /dev/null
+++ b/change-notes/2020-05-05-mux-model.md
@@ -0,0 +1,3 @@
+lgtm,codescanning
+* Basic support for the [Mux](https://github.com/gorilla/mux/) HTTP library has been added, which
+ may lead to more results from the security queries.
diff --git a/ql/src/go.qll b/ql/src/go.qll
index 36c43aa789d..23457315d48 100644
--- a/ql/src/go.qll
+++ b/ql/src/go.qll
@@ -27,6 +27,7 @@ import semmle.go.dataflow.SSA
 import semmle.go.frameworks.Email
 import semmle.go.frameworks.HTTP
 import semmle.go.frameworks.Macaron
+import semmle.go.frameworks.Mux
 import semmle.go.frameworks.SystemCommandExecutors
 import semmle.go.frameworks.SQL
 import semmle.go.frameworks.XPath
diff --git a/ql/src/semmle/go/frameworks/Mux.qll b/ql/src/semmle/go/frameworks/Mux.qll
new file mode 100644
index 00000000000..2c2d783f566
--- /dev/null
+++ b/ql/src/semmle/go/frameworks/Mux.qll
@@ -0,0 +1,15 @@
+/**
+ * Provides classes for working with concepts in the Mux HTTP middleware library.
+ */
+
+import go
+
+/**
+ * Provides classes for working with concepts in the Mux HTTP middleware library.
+ */
+module Mux {
+ /** An access to a Mux middleware variable. */
+ class RequestVars extends DataFlow::UntrustedFlowSource::Range, DataFlow::CallNode {
+ RequestVars() { this.getTarget().hasQualifiedName("github.com/gorilla/mux", "Vars") }
+ }
+}
diff --git a/ql/test/library-tests/semmle/go/frameworks/Mux/UntrustedFlowSources.expected b/ql/test/library-tests/semmle/go/frameworks/Mux/UntrustedFlowSources.expected
new file mode 100644
index 00000000000..84776eef575
--- /dev/null
+++ b/ql/test/library-tests/semmle/go/frameworks/Mux/UntrustedFlowSources.expected
@@ -0,0 +1,2 @@
+| mux.go:15:10:15:20 | call to Vars |
+| mux.go:21:13:21:23 | call to Vars |
diff --git a/ql/test/library-tests/semmle/go/frameworks/Mux/UntrustedFlowSources.ql b/ql/test/library-tests/semmle/go/frameworks/Mux/UntrustedFlowSources.ql
new file mode 100644
index 00000000000..0715d64f8e2
--- /dev/null
+++ b/ql/test/library-tests/semmle/go/frameworks/Mux/UntrustedFlowSources.ql
@@ -0,0 +1,3 @@
+import go
+
+select any(UntrustedFlowSource ufs)
diff --git a/ql/test/library-tests/semmle/go/frameworks/Mux/go.mod b/ql/test/library-tests/semmle/go/frameworks/Mux/go.mod
new file mode 100644
index 00000000000..c173488c7c7
--- /dev/null
+++ b/ql/test/library-tests/semmle/go/frameworks/Mux/go.mod
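Review bot: The doc comments in the Mux.qll hunk are inaccurate: gorilla/mux is a request router, not a "middleware library", and `RequestVars` is not "an access to a Mux middleware variable" but a call to `mux.Vars`, which returns the route variables parsed from the request path (the test file in this same patch binds them via `/run/{cmd}` and reads `mux.Vars(r)["cmd"]`). The same sentence is also duplicated verbatim as the file header and the module comment. Suggest the class comment `/** A call to `mux.Vars`, which returns the route variables extracted from the request URL; their values are attacker-controlled, so the call is modelled as an untrusted flow source. */` and replacing "HTTP middleware library" with "HTTP router library" in both headers.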
@@ -0,0 +1,5 @@
+module codeql-go-tests/frameworks/Mux
+
+go 1.14
+
+require github.com/gorilla/mux v1.7.4
diff --git a/ql/test/library-tests/semmle/go/frameworks/Mux/mux.go b/ql/test/library-tests/semmle/go/frameworks/Mux/mux.go
new file mode 100644
index 00000000000..9b70a2122aa
--- /dev/null
+++ b/ql/test/library-tests/semmle/go/frameworks/Mux/mux.go
@@ -0,0 +1,37 @@
+package main
+
+//go:generate depstubber -vendor github.com/gorilla/mux "" Vars
+
+import (
+ "fmt"
+ "log"
+ "net/http"
+ "os/exec"
+
+ "github.com/gorilla/mux"
+)
+
+func ArticlesHandler(w http.ResponseWriter, r *http.Request) {
+ vars := mux.Vars(r)
+ w.WriteHeader(http.StatusOK)
+ fmt.Fprintf(w, "Category: %v\n", vars["category"])
+}
+
+func CmdHandler(w http.ResponseWriter, r *http.Request) {
+ cmdName := mux.Vars(r)["cmd"]
+
+ cmd := exec.Command(cmdName)
+ stdoutStderr, err := cmd.CombinedOutput()
+ if err != nil {
+ log.Print(err)
+ }
+ fmt.Fprintf(w, "%s\n", stdoutStderr)
+}
+
+func main() {
+ r := mux.NewRouter()
+ r.HandleFunc("/run/{cmd}", CmdHandler)
+ r.HandleFunc("/articles/{category}", ArticlesHandler)
+ http.Handle("/", r)
+ log.Fatal(http.ListenAndServe(":8090", nil))
+}
diff --git a/ql/test/library-tests/semmle/go/frameworks/Mux/vendor/github.com/gorilla/mux/LICENSE b/ql/test/library-tests/semmle/go/frameworks/Mux/vendor/github.com/gorilla/mux/LICENSE
new file mode 100644
index 00000000000..6903df6386e
--- /dev/null
+++ b/ql/test/library-tests/semmle/go/frameworks/Mux/vendor/github.com/gorilla/mux/LICENSE
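Review bot: The `//go:generate depstubber` directive in mux.go stubs only `Vars` (the generated stub.go in this same patch confirms `functions: Vars` and no exported types), yet `main` calls `mux.NewRouter()` and `r.HandleFunc(...)`, so the vendored stub does not cover everything the test file references; the two `Vars` calls listed in the expected output should still resolve, but `NewRouter` and the `Router` type are left undefined for the extractor. Change the directive to `//go:generate depstubber -vendor github.com/gorilla/mux Router NewRouter,Vars` and regenerate the stub so the test compiles cleanly. Passing the `cmd` route variable straight into `exec.Command` in `CmdHandler` is presumably the intended source-to-sink path for this test and should stay, but a one-line comment such as `// intentionally unsanitized: route variable flows to exec.Command for the taint test` would stop a later reader from "fixing" it.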
@@ -0,0 +1,27 @@
+Copyright (c) 2012-2018 The Gorilla Authors. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+ * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+ * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+ * Neither the name of Google Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/ql/test/library-tests/semmle/go/frameworks/Mux/vendor/github.com/gorilla/mux/stub.go b/ql/test/library-tests/semmle/go/frameworks/Mux/vendor/github.com/gorilla/mux/stub.go
new file mode 100644
index 00000000000..f5087942ae5
--- /dev/null
+++ b/ql/test/library-tests/semmle/go/frameworks/Mux/vendor/github.com/gorilla/mux/stub.go
@@ -0,0 +1,16 @@
+// Code generated by depstubber. DO NOT EDIT.
+// This is a simple stub for github.com/gorilla/mux, strictly for use in testing.
+
+// See the LICENSE file for information about the licensing of the original library.
+// Source: github.com/gorilla/mux (exports: ; functions: Vars)
+
+// Package mux is a stub of github.com/gorilla/mux, generated by depstubber.
+package mux
+
+import (
+ http "net/http"
+)
+
+func Vars(_ *http.Request) map[string]string {
+ return nil
+}
diff --git a/ql/test/library-tests/semmle/go/frameworks/Mux/vendor/modules.txt b/ql/test/library-tests/semmle/go/frameworks/Mux/vendor/modules.txt
new file mode 100644
index 00000000000..d96be1fa71b
--- /dev/null
+++ b/ql/test/library-tests/semmle/go/frameworks/Mux/vendor/modules.txt
@@ -0,0 +1,3 @@
+# github.com/gorilla/mux v1.7.4
+## explicit
+github.com/gorilla/mux