Merge pull request #434 from owen-mc/model-kubernetes-secret

Model Secret and SecretList from k8s.io/api/core/v1

ql/src/go.qll

@@ -40,6 +40,7 @@ import semmle.go.frameworks.Gin
 import semmle.go.frameworks.Glog
 import semmle.go.frameworks.GoRestfulHttp
 import semmle.go.frameworks.K8sIoApimachineryPkgRuntime
+import semmle.go.frameworks.K8sIoApiCoreV1
 import semmle.go.frameworks.K8sIoClientGo
 import semmle.go.frameworks.Logrus
 import semmle.go.frameworks.Macaron

ql/src/semmle/go/frameworks/K8sIoApiCoreV1.qll

@@ -0,0 +1,62 @@
+/** Provides models of commonly used functions in the `k8s.io/api/core/v1` package. */
+
+import go
+
+/**
+ * Provides models of commonly used functions in the `k8s.io/api/core/v1` package.
+ */
+module K8sIoApiCoreV1 {
+  /** Gets the package name. */
+  bindingset[result]
+  string packagePath() { result = package("k8s.io/api", "core/v1") }
+
+  private class SecretDeepCopy extends TaintTracking::FunctionModel, Method {
+    string methodName;
+    FunctionOutput output;
+
+    SecretDeepCopy() {
+      (
+        methodName in ["DeepCopy", "DeepCopyObject"] and output.isResult()
+        or
+        methodName = "DeepCopyInto" and output.isParameter(0)
+      ) and
+      this.hasQualifiedName(packagePath(), ["Secret", "SecretList"], methodName)
+    }
+
+    override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) {
+      inp.isReceiver() and outp = outp
+    }
+  }
+
+  private class SecretMarshal extends TaintTracking::FunctionModel, Method,
+    MarshalingFunction::Range {
+    SecretMarshal() { this.hasQualifiedName(packagePath(), ["Secret", "SecretList"], "Marshal") }
+
+    override DataFlow::FunctionInput getAnInput() { result.isReceiver() }
+
+    override DataFlow::FunctionOutput getOutput() { result.isResult(0) }
+
+    override string getFormat() { result = "protobuf" }
+
+    override predicate hasTaintFlow(DataFlow::FunctionInput inp, DataFlow::FunctionOutput outp) {
+      inp = getAnInput() and outp = getOutput()
+    }
+  }
+
+  private class SecretUnmarshal extends TaintTracking::FunctionModel, Method,
+    UnmarshalingFunction::Range {
+    SecretUnmarshal() {
+      this.hasQualifiedName(packagePath(), ["Secret", "SecretList"], "Unmarshal")
+    }
+
+    override DataFlow::FunctionInput getAnInput() { result.isReceiver() }
+
+    override DataFlow::FunctionOutput getOutput() { result.isParameter(0) }
+
+    override string getFormat() { result = "protobuf" }
+
+    override predicate hasTaintFlow(DataFlow::FunctionInput inp, DataFlow::FunctionOutput outp) {
+      inp = getAnInput() and outp = getOutput()
+    }
+  }
+}

ql/test/library-tests/semmle/go/frameworks/K8sIoApiCoreV1/TaintFlowsInline.ql

@@ -0,0 +1,38 @@
+import go
+import TestUtilities.InlineExpectationsTest
+
+class SourceFunction extends Function {
+  SourceFunction() { this.getName() = "source" }
+}
+
+class SinkFunction extends Function {
+  SinkFunction() { this.getName() = "sink" }
+}
+
+class TestConfig extends TaintTracking::Configuration {
+  TestConfig() { this = "testconfig" }
+
+  override predicate isSource(DataFlow::Node source) {
+    source = any(SourceFunction f).getACall().getResult(0)
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    sink = any(SinkFunction f).getACall().getArgument(0)
+  }
+}
+
+class K8sIoApiCoreV1Test extends InlineExpectationsTest {
+  K8sIoApiCoreV1Test() { this = "K8sIoApiCoreV1Test" }
+
+  override string getARelevantTag() { result = "KsIoApiCoreV" }
+
+  override predicate hasActualResult(string file, int line, string element, string tag, string value) {
+    exists(TestConfig config, DataFlow::PathNode source, DataFlow::PathNode sink |
+      config.hasFlowPath(source, sink) and
+      sink.hasLocationInfo(file, line, _, _, _) and
+      element = sink.toString() and
+      value = "" and
+      tag = "KsIoApiCoreV"
+    )
+  }
+}

ql/test/library-tests/semmle/go/frameworks/K8sIoApiCoreV1/go.mod

@@ -0,0 +1,8 @@
+module codeql-go-tests/frameworks/K8sIoApiCoreV1
+
+go 1.14
+
+require (
+	k8s.io/api v0.20.0
+	k8s.io/apimachinery v0.20.0
+)

ql/test/library-tests/semmle/go/frameworks/K8sIoApiCoreV1/main.go

@@ -0,0 +1,96 @@
+package main
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+//go:generate depstubber -vendor k8s.io/api/core/v1 SecretList
+//go:generate depstubber -vendor k8s.io/apimachinery/pkg/runtime ProtobufMarshaller,ProtobufReverseMarshaller
+
+func source() interface{} {
+	return make([]byte, 1, 1)
+}
+
+func sink(...interface{}) {
+}
+
+func main() {
+
+	{
+		// func (in *Secret) DeepCopy() *Secret
+		sink(source().(*corev1.Secret).DeepCopy()) // $KsIoApiCoreV
+	}
+	{
+		// func (in *Secret) DeepCopyInto(out *Secret)
+		var out *corev1.Secret
+		source().(*corev1.Secret).DeepCopyInto(out)
+		sink(out) // $KsIoApiCoreV
+	}
+	{
+		// func (in *Secret) DeepCopyObject() runtime.Object
+		sink(source().(*corev1.Secret).DeepCopyObject()) // $KsIoApiCoreV
+	}
+	{
+		// func (m *Secret) Marshal() (dAtA []byte, err error)
+		sink(source().(*corev1.Secret).Marshal()) // $KsIoApiCoreV
+	}
+	{
+		// func (m *Secret) MarshalTo(dAtA []byte) (int, error)
+		var dAtA []byte
+		source().(*corev1.Secret).MarshalTo(dAtA)
+		sink(dAtA) // $KsIoApiCoreV
+	}
+	{
+		// func (m *Secret) MarshalToSizedBuffer(dAtA []byte) (int, error)
+		var dAtA []byte
+		source().(*corev1.Secret).MarshalToSizedBuffer(dAtA)
+		sink(dAtA) // $KsIoApiCoreV
+	}
+	{
+		// func (m *Secret) Unmarshal(dAtA []byte) error
+		var dAtA []byte
+		source().(*corev1.Secret).Unmarshal(dAtA)
+		sink(dAtA) // $KsIoApiCoreV
+	}
+
+	{
+		// func (in *SecretList) DeepCopy() *SecretList
+		sink(source().(*corev1.SecretList).DeepCopy()) // $KsIoApiCoreV
+	}
+	{
+		// func (in *SecretList) DeepCopyInto(out *SecretList)
+		var out *corev1.SecretList
+		source().(*corev1.SecretList).DeepCopyInto(out)
+		sink(out) // $KsIoApiCoreV
+	}
+	{
+		// func (in *SecretList) DeepCopyObject() runtime.Object
+		sink(source().(*corev1.SecretList).DeepCopyObject()) // $KsIoApiCoreV
+	}
+	{
+		// func (m *SecretList) Marshal() (dAtA []byte, err error)
+		sink(source().(*corev1.SecretList).Marshal()) // $KsIoApiCoreV
+	}
+	{
+		// func (m *SecretList) MarshalTo(dAtA []byte) (int, error)
+		var dAtA []byte
+		source().(*corev1.SecretList).MarshalTo(dAtA)
+		sink(dAtA) // $KsIoApiCoreV
+	}
+	{
+		// func (m *SecretList) MarshalToSizedBuffer(dAtA []byte) (int, error)
+		var dAtA []byte
+		source().(*corev1.SecretList).MarshalToSizedBuffer(dAtA)
+		sink(dAtA) // $KsIoApiCoreV
+	}
+	{
+		// func (m *SecretList) Unmarshal(dAtA []byte) error
+		var dAtA []byte
+		source().(*corev1.SecretList).Unmarshal(dAtA)
+		sink(dAtA) // $KsIoApiCoreV
+	}
+}
+
+func dummy1(runtime.ProtobufMarshaller)        {}
+func dummy2(runtime.ProtobufReverseMarshaller) {}

ql/test/library-tests/semmle/go/frameworks/K8sIoApiCoreV1/vendor/k8s.io/api/core/v1/stub.go

@@ -0,0 +1,299 @@
+// Code generated by depstubber. DO NOT EDIT.
+// This is a simple stub for k8s.io/api/core/v1, strictly for use in testing.
+
+// See the LICENSE file for information about the licensing of the original library.
+// Source: k8s.io/api/core/v1 (exports: SecretList; functions: )
+
+// Package core is a stub of k8s.io/api/core/v1, generated by depstubber.
+package core
+
+import ()
+
+type Secret struct {
+	TypeMeta   interface{}
+	ObjectMeta interface{}
+	Immutable  *bool
+	Data       map[string][]byte
+	StringData map[string]string
+	Type       SecretType
+}
+
+func (_ Secret) SwaggerDoc() map[string]string {
+	return nil
+}
+
+func (_ *Secret) DeepCopy() *Secret {
+	return nil
+}
+
+func (_ *Secret) DeepCopyInto(_ *Secret) {}
+
+func (_ *Secret) DeepCopyObject() interface{} {
+	return nil
+}
+
+func (_ *Secret) Descriptor() ([]byte, []int) {
+	return nil, nil
+}
+
+func (_ *Secret) GetAnnotations() map[string]string {
+	return nil
+}
+
+func (_ *Secret) GetClusterName() string {
+	return ""
+}
+
+func (_ *Secret) GetCreationTimestamp() interface{} {
+	return nil
+}
+
+func (_ *Secret) GetDeletionGracePeriodSeconds() *int64 {
+	return nil
+}
+
+func (_ *Secret) GetDeletionTimestamp() interface{} {
+	return nil
+}
+
+func (_ *Secret) GetFinalizers() []string {
+	return nil
+}
+
+func (_ *Secret) GetGenerateName() string {
+	return ""
+}
+
+func (_ *Secret) GetGeneration() int64 {
+	return 0
+}
+
+func (_ *Secret) GetLabels() map[string]string {
+	return nil
+}
+
+func (_ *Secret) GetManagedFields() []interface{} {
+	return nil
+}
+
+func (_ *Secret) GetName() string {
+	return ""
+}
+
+func (_ *Secret) GetNamespace() string {
+	return ""
+}
+
+func (_ *Secret) GetObjectKind() interface{} {
+	return nil
+}
+
+func (_ *Secret) GetObjectMeta() interface{} {
+	return nil
+}
+
+func (_ *Secret) GetOwnerReferences() []interface{} {
+	return nil
+}
+
+func (_ *Secret) GetResourceVersion() string {
+	return ""
+}
+
+func (_ *Secret) GetSelfLink() string {
+	return ""
+}
+
+func (_ *Secret) GetUID() interface{} {
+	return nil
+}
+
+func (_ *Secret) GroupVersionKind() interface{} {
+	return nil
+}
+
+func (_ *Secret) Marshal() ([]byte, error) {
+	return nil, nil
+}
+
+func (_ *Secret) MarshalTo(_ []byte) (int, error) {
+	return 0, nil
+}
+
+func (_ *Secret) MarshalToSizedBuffer(_ []byte) (int, error) {
+	return 0, nil
+}
+
+func (_ *Secret) ProtoMessage() {}
+
+func (_ *Secret) Reset() {}
+
+func (_ *Secret) SetAnnotations(_ map[string]string) {}
+
+func (_ *Secret) SetClusterName(_ string) {}
+
+func (_ *Secret) SetCreationTimestamp(_ interface{}) {}
+
+func (_ *Secret) SetDeletionGracePeriodSeconds(_ *int64) {}
+
+func (_ *Secret) SetDeletionTimestamp(_ interface{}) {}
+
+func (_ *Secret) SetFinalizers(_ []string) {}
+
+func (_ *Secret) SetGenerateName(_ string) {}
+
+func (_ *Secret) SetGeneration(_ int64) {}
+
+func (_ *Secret) SetGroupVersionKind(_ interface{}) {}
+
+func (_ *Secret) SetLabels(_ map[string]string) {}
+
+func (_ *Secret) SetManagedFields(_ []interface{}) {}
+
+func (_ *Secret) SetName(_ string) {}
+
+func (_ *Secret) SetNamespace(_ string) {}
+
+func (_ *Secret) SetOwnerReferences(_ []interface{}) {}
+
+func (_ *Secret) SetResourceVersion(_ string) {}
+
+func (_ *Secret) SetSelfLink(_ string) {}
+
+func (_ *Secret) SetUID(_ interface{}) {}
+
+func (_ *Secret) Size() int {
+	return 0
+}
+
+func (_ *Secret) String() string {
+	return ""
+}
+
+func (_ *Secret) Unmarshal(_ []byte) error {
+	return nil
+}
+
+func (_ *Secret) XXX_DiscardUnknown() {}
+
+func (_ *Secret) XXX_Marshal(_ []byte, _ bool) ([]byte, error) {
+	return nil, nil
+}
+
+func (_ *Secret) XXX_Merge(_ interface{}) {}
+
+func (_ *Secret) XXX_Size() int {
+	return 0
+}
+
+func (_ *Secret) XXX_Unmarshal(_ []byte) error {
+	return nil
+}
+
+type SecretList struct {
+	TypeMeta interface{}
+	ListMeta interface{}
+	Items    []Secret
+}
+
+func (_ SecretList) SwaggerDoc() map[string]string {
+	return nil
+}
+
+func (_ *SecretList) DeepCopy() *SecretList {
+	return nil
+}
+
+func (_ *SecretList) DeepCopyInto(_ *SecretList) {}
+
+func (_ *SecretList) DeepCopyObject() interface{} {
+	return nil
+}
+
+func (_ *SecretList) Descriptor() ([]byte, []int) {
+	return nil, nil
+}
+
+func (_ *SecretList) GetContinue() string {
+	return ""
+}
+
+func (_ *SecretList) GetListMeta() interface{} {
+	return nil
+}
+
+func (_ *SecretList) GetObjectKind() interface{} {
+	return nil
+}
+
+func (_ *SecretList) GetRemainingItemCount() *int64 {
+	return nil
+}
+
+func (_ *SecretList) GetResourceVersion() string {
+	return ""
+}
+
+func (_ *SecretList) GetSelfLink() string {
+	return ""
+}
+
+func (_ *SecretList) GroupVersionKind() interface{} {
+	return nil
+}
+
+func (_ *SecretList) Marshal() ([]byte, error) {
+	return nil, nil
+}
+
+func (_ *SecretList) MarshalTo(_ []byte) (int, error) {
+	return 0, nil
+}
+
+func (_ *SecretList) MarshalToSizedBuffer(_ []byte) (int, error) {
+	return 0, nil
+}
+
+func (_ *SecretList) ProtoMessage() {}
+
+func (_ *SecretList) Reset() {}
+
+func (_ *SecretList) SetContinue(_ string) {}
+
+func (_ *SecretList) SetGroupVersionKind(_ interface{}) {}
+
+func (_ *SecretList) SetRemainingItemCount(_ *int64) {}
+
+func (_ *SecretList) SetResourceVersion(_ string) {}
+
+func (_ *SecretList) SetSelfLink(_ string) {}
+
+func (_ *SecretList) Size() int {
+	return 0
+}
+
+func (_ *SecretList) String() string {
+	return ""
+}
+
+func (_ *SecretList) Unmarshal(_ []byte) error {
+	return nil
+}
+
+func (_ *SecretList) XXX_DiscardUnknown() {}
+
+func (_ *SecretList) XXX_Marshal(_ []byte, _ bool) ([]byte, error) {
+	return nil, nil
+}
+
+func (_ *SecretList) XXX_Merge(_ interface{}) {}
+
+func (_ *SecretList) XXX_Size() int {
+	return 0
+}
+
+func (_ *SecretList) XXX_Unmarshal(_ []byte) error {
+	return nil
+}
+
+type SecretType string

ql/test/library-tests/semmle/go/frameworks/K8sIoApiCoreV1/vendor/k8s.io/apimachinery/pkg/runtime/stub.go

@@ -0,0 +1,18 @@
+// Code generated by depstubber. DO NOT EDIT.
+// This is a simple stub for k8s.io/apimachinery/pkg/runtime, strictly for use in testing.
+
+// See the LICENSE file for information about the licensing of the original library.
+// Source: k8s.io/apimachinery/pkg/runtime (exports: ProtobufMarshaller,ProtobufReverseMarshaller; functions: )
+
+// Package runtime is a stub of k8s.io/apimachinery/pkg/runtime, generated by depstubber.
+package runtime
+
+import ()
+
+type ProtobufMarshaller interface {
+	MarshalTo(_ []byte) (int, error)
+}
+
+type ProtobufReverseMarshaller interface {
+	MarshalToSizedBuffer(_ []byte) (int, error)
+}

ql/test/library-tests/semmle/go/frameworks/K8sIoApiCoreV1/vendor/modules.txt

@@ -0,0 +1,6 @@
+# k8s.io/api v0.20.0
+## explicit
+k8s.io/api
+# k8s.io/apimachinery v0.20.0
+## explicit
+k8s.io/apimachinery