Improve style of library models

2026-05-03 12:45:27 +02:00 · 2020-07-24 09:35:17 +01:00
parent bb2d5ea6b5
commit b96546b0f8
7 changed files with 72 additions and 103 deletions
--- a/ql/src/go.qll
+++ b/ql/src/go.qll
@@ -26,6 +26,7 @@ import semmle.go.dataflow.GlobalValueNumbering
 import semmle.go.dataflow.SSA
 import semmle.go.dataflow.TaintTracking
 import semmle.go.frameworks.Email
+import semmle.go.frameworks.Encoding
 import semmle.go.frameworks.Glog
 import semmle.go.frameworks.HTTP
 import semmle.go.frameworks.Macaron
@@ -37,7 +38,4 @@ import semmle.go.frameworks.SystemCommandExecutors
 import semmle.go.frameworks.Testing
 import semmle.go.frameworks.WebSocket
 import semmle.go.frameworks.XPath
-import semmle.go.frameworks.thirdpartlib.HTTP
-import semmle.go.frameworks.thirdpartlib.SQL
-import semmle.go.frameworks.thirdpartlib.Encoding
 import semmle.go.security.FlowSources
--- a/ql/src/semmle/go/frameworks/Encoding.qll
+++ b/ql/src/semmle/go/frameworks/Encoding.qll
@@ -0,0 +1,23 @@
+/**
+ * Provides classes modelling taint propagation through the `json-iterator` package.
+ */
+
+import go
+
+/** Models json-iterator's Unmarshal function, propagating taint from the JSON input to the decoded object. */
+private class JsonIteratorUnmarshalFunction extends TaintTracking::FunctionModel,
+  UnmarshalingFunction::Range {
+  JsonIteratorUnmarshalFunction() {
+    this.hasQualifiedName("github.com/json-iterator/go", "Unmarshal")
+  }
+
+  override DataFlow::FunctionInput getAnInput() { result.isParameter(0) }
+
+  override DataFlow::FunctionOutput getOutput() { result.isParameter(1) }
+
+  override string getFormat() { result = "JSON" }
+
+  override predicate hasTaintFlow(DataFlow::FunctionInput inp, DataFlow::FunctionOutput outp) {
+    inp = getAnInput() and outp = getOutput()
+  }
+}
--- a/ql/src/semmle/go/frameworks/HTTP.qll
+++ b/ql/src/semmle/go/frameworks/HTTP.qll
@@ -232,3 +232,26 @@ private module StdlibHttp {
  }
 }

+/**
+ * Provides models of the go-restful library (https://github.com/emicklei/go-restful).
+ */
+private module GoRestfulHttp {
+  /**
+   * A model for methods defined on go-restful's `Request` object that may return user-controlled data.
+   */
+  private class GoRestfulSourceMethod extends Method {
+    GoRestfulSourceMethod() {
+      this
+          .hasQualifiedName("github.com/emicklei/go-restful", "Request",
+            ["QueryParameters", "QueryParameter", "BodyParameter", "HeaderParameter",
+                "PathParameter", "PathParameters"])
+    }
+  }
+
+  /**
+   * A model of go-restful's `Request` object as a source of user-controlled data.
+   */
+  private class GoRestfulSource extends UntrustedFlowSource::Range {
+    GoRestfulSource() { this = any(GoRestfulSourceMethod g).getACall() }
+  }
+}
--- a/ql/src/semmle/go/frameworks/SQL.qll
+++ b/ql/src/semmle/go/frameworks/SQL.qll
@@ -160,4 +160,29 @@ module SQL {
      }
    }
  }
+
+  /** A model for sinks of github.com/jinzhu/gorm. */
+  private class GormSink extends SQL::QueryString::Range {
+    GormSink() {
+      exists(Method meth, string name |
+        meth.hasQualifiedName("github.com/jinzhu/gorm", "DB", name) and
+        this = meth.getACall().getArgument(0) and
+        name in ["Where", "Raw", "Order", "Not", "Or", "Select", "Table", "Group", "Having", "Joins"]
+      )
+    }
+  }
+
+  /** A model for sinks of github.com/jmoiron/sqlx. */
+  private class SqlxSink extends SQL::QueryString::Range {
+    SqlxSink() {
+      exists(Method meth, string name, int n |
+        meth.hasQualifiedName("github.com/jmoiron/sqlx", ["DB", "Tx"], name) and
+        this = meth.getACall().getArgument(n)
+      |
+        name = ["Select", "Get"] and n = 1
+        or
+        name = ["MustExec", "Queryx", "NamedExec", "NamedQuery"] and n = 0
+      )
+    }
+  }
 }
--- a/ql/src/semmle/go/frameworks/thirdpartlib/Encoding.qll
+++ b/ql/src/semmle/go/frameworks/thirdpartlib/Encoding.qll
@@ -1,25 +0,0 @@
-/**
- * Provides classes modeling security-relevant aspects of the third-part libraries.
- */
-
-import go
-
-module ThirdPartEncodingJson {
-    /** Provides models of some functions in the `github.com/json-iterator/go` package. */
-    class JsoniterUnmarshalingFunction extends TaintTracking::FunctionModel, UnmarshalingFunction::Range {
-
-        JsoniterUnmarshalingFunction() {
-            this.hasQualifiedName("github.com/json-iterator/go", "Unmarshal")
-        }
-
-        override DataFlow::FunctionInput getAnInput() { result.isParameter(0) }
-        override DataFlow::FunctionOutput getOutput() { result.isParameter(1) }
-
-        override string getFormat() { result = "JSON" }
-
-        override predicate hasTaintFlow(DataFlow::FunctionInput inp, DataFlow::FunctionOutput outp) {
-            inp = getAnInput() and outp = getOutput()
-        }
-    }
-}
-
--- a/ql/src/semmle/go/frameworks/thirdpartlib/HTTP.qll
+++ b/ql/src/semmle/go/frameworks/thirdpartlib/HTTP.qll
@@ -1,27 +0,0 @@
-/**
- * Provides classes for working with HTTP-related concepts such as requests and responses.
- */
-
-import go
-
-module ThirdPartHttpLib {
-  /**
-   * Source from go-resultful
-   * Document: https://github.com/emicklei/go-restful
-   */
-  class GoRestfulSource extends DataFlow::Node, UntrustedFlowSource::Range {
-    GoRestfulSource() {
-      exists(
-	Method meth, string name |
-	meth.hasQualifiedName("github.com/emicklei/go-restful", "Request", name) and
-	asExpr() = meth.getACall().asExpr() and
-	(
-	  name = "QueryParameters" or name = "QueryParameter" or
-	  name = "BodyParamater" or name = "HeaderParameter" or
-	  name = "PathParameter" or name = "PathParameters"
-	)
-      )
-    }
-  }
-}
-
--- a/ql/src/semmle/go/frameworks/thirdpartlib/SQL.qll
+++ b/ql/src/semmle/go/frameworks/thirdpartlib/SQL.qll
@@ -1,48 +0,0 @@
-/**
- * Provides classes for working with SQL-related concepts such as queries.
- */
-
-import go
-
-module ThirdPartSQL {
-
-  /** Sinks of github.com/jinzhu/gorm */
-  class GormSink extends DataFlow::Node, SQL::QueryString::Range {
-    GormSink() {
-      exists(
-        Method meth, string name | 
-        meth.hasQualifiedName("github.com/jinzhu/gorm", "DB", name) and
-	asExpr() = meth.getACall().getArgument(0).asExpr() and
-	(
-          name = "Where" or name = "Raw" or name = "Order" or name = "Not" or name = "Or" or
-	  name = "Select" or name = "Table" or name = "Group" or name = "Having" or name = "Joins"
-	)
-      )
-    }
-  }
-    
-  /** Sinks of github.com/jmoiron/sqlx */
-  class SqlxSink extends DataFlow::Node, SQL::QueryString::Range {
-    SqlxSink() {
-      exists(
-	Method meth, string name, int n |
-	(
-	  meth.hasQualifiedName("github.com/jmoiron/sqlx", "DB", name) or 
-	  meth.hasQualifiedName("github.com/jmoiron/sqlx", "Tx", name) 
-	) and this = meth.getACall().getArgument(n) |
-	(
-	  (name = "Select" or name = "Get") and n = 1
-	)
-	or
-	(
-	  (
-	    name = "MustExec" or name = "Queryx" or
-	    name = "NamedExec" or name = "NamedQuery" 
-	  )
-	  and n = 0
-        )
-      )
-    }
-  }
-
-}