Merge pull request github#375 from owen-mc/spew

owen-mc · web-flow · commit f49ff279b805 · 2020-10-16T13:20:13.000+01:00
Model Spew logging framework
diff --git a/change-notes/2020-10-14-spew.md b/change-notes/2020-10-14-spew.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added support for the Spew deep pretty-printing framework. This may cause the `go/clear-text-logging` query to return more results when sensitive data is exposed using this library.
diff --git a/ql/src/go.qll b/ql/src/go.qll
@@ -39,6 +39,7 @@ import semmle.go.frameworks.Macaron
 import semmle.go.frameworks.Mux
 import semmle.go.frameworks.NoSQL
 import semmle.go.frameworks.Protobuf
+import semmle.go.frameworks.Spew
 import semmle.go.frameworks.SQL
 import semmle.go.frameworks.Stdlib
 import semmle.go.frameworks.SystemCommandExecutors
diff --git a/ql/src/semmle/go/frameworks/Spew.qll b/ql/src/semmle/go/frameworks/Spew.qll
@@ -0,0 +1,39 @@
+/**
+ * Provides models of commonly used functions in the `github.com/davecgh/go-spew/spew` package.
+ */
+
+import go
+
+/**
+ * Provides models of commonly used functions in the `github.com/davecgh/go-spew/spew` package.
+ */
+module Spew {
+  private string packagePath() { result = "github.com/davecgh/go-spew/spew" }
+
+  private class SpewCall extends LoggerCall::Range, DataFlow::CallNode {
+    int firstPrintedArg;
+
+    SpewCall() {
+      exists(string fn |
+        fn in ["Dump", "Errorf", "Print", "Printf", "Println"] and firstPrintedArg = 0
+        or
+        fn in ["Fdump", "Fprint", "Fprintf", "Fprintln"] and firstPrintedArg = 1
+      |
+        this.getTarget().hasQualifiedName(packagePath(), fn)
+      )
+    }
+
+    override DataFlow::Node getAMessageComponent() {
+      result = this.getArgument(any(int i | i >= firstPrintedArg))
+    }
+  }
+
+  /** The `Sprint` function or one of its variants. */
+  class Sprinter extends TaintTracking::FunctionModel {
+    Sprinter() { hasQualifiedName(packagePath(), ["Sdump", "Sprint", "Sprintln", "Sprintf"]) }
+
+    override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) {
+      inp.isParameter(_) and outp.isResult()
+    }
+  }
+}
diff --git a/ql/test/library-tests/semmle/go/frameworks/Spew/TaintFlows.expected b/ql/test/library-tests/semmle/go/frameworks/Spew/TaintFlows.expected
@@ -0,0 +1,17 @@
+| test.go:26:16:26:35 | call to getUntrustedString : string | test.go:33:14:33:23 | sUntrusted |
+| test.go:26:16:26:35 | call to getUntrustedString : string | test.go:35:14:35:23 | sUntrusted |
+| test.go:26:16:26:35 | call to getUntrustedString : string | test.go:41:18:41:27 | sUntrusted |
+| test.go:26:16:26:35 | call to getUntrustedString : string | test.go:51:13:51:16 | str3 |
+| test.go:28:16:28:35 | call to getUntrustedStruct : Person | test.go:30:12:30:21 | pUntrusted |
+| test.go:28:16:28:35 | call to getUntrustedStruct : Person | test.go:31:13:31:22 | pUntrusted |
+| test.go:28:16:28:35 | call to getUntrustedStruct : Person | test.go:32:15:32:24 | pUntrusted |
+| test.go:28:16:28:35 | call to getUntrustedStruct : Person | test.go:34:17:34:26 | pUntrusted |
+| test.go:28:16:28:35 | call to getUntrustedStruct : Person | test.go:36:17:36:26 | pUntrusted |
+| test.go:28:16:28:35 | call to getUntrustedStruct : Person | test.go:38:16:38:25 | pUntrusted |
+| test.go:28:16:28:35 | call to getUntrustedStruct : Person | test.go:39:17:39:26 | pUntrusted |
+| test.go:28:16:28:35 | call to getUntrustedStruct : Person | test.go:40:19:40:28 | pUntrusted |
+| test.go:28:16:28:35 | call to getUntrustedStruct : Person | test.go:42:21:42:30 | pUntrusted |
+| test.go:28:16:28:35 | call to getUntrustedStruct : Person | test.go:45:13:45:16 | str1 |
+| test.go:28:16:28:35 | call to getUntrustedStruct : Person | test.go:48:13:48:16 | str2 |
+| test.go:28:16:28:35 | call to getUntrustedStruct : Person | test.go:54:13:54:16 | str4 |
+| test.go:28:16:28:35 | call to getUntrustedStruct : Person | test.go:57:13:57:16 | str5 |
diff --git a/ql/test/library-tests/semmle/go/frameworks/Spew/TaintFlows.ql b/ql/test/library-tests/semmle/go/frameworks/Spew/TaintFlows.ql
@@ -0,0 +1,28 @@
+import go
+
+class UntrustedFunction extends Function {
+  UntrustedFunction() { this.getName() = ["getUntrustedString", "getUntrustedStruct"] }
+}
+
+class UntrustedSource extends DataFlow::Node, UntrustedFlowSource::Range {
+  UntrustedSource() { this = any(UntrustedFunction f).getACall() }
+}
+
+class SinkFunction extends Function {
+  SinkFunction() { this.getName() = "sinkString" }
+}
+
+class TestConfig extends TaintTracking::Configuration {
+  TestConfig() { this = "testconfig" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) {
+    sink = any(SinkFunction f).getACall().getAnArgument() or
+    sink = any(LoggerCall log).getAMessageComponent()
+  }
+}
+
+from TaintTracking::Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
+where config.hasFlowPath(source, sink)
+select source, sink
diff --git a/ql/test/library-tests/semmle/go/frameworks/Spew/go.mod b/ql/test/library-tests/semmle/go/frameworks/Spew/go.mod
@@ -0,0 +1,8 @@
+module codeql-go-tests/frameworks/Spew
+
+go 1.14
+
+require (
+	github.com/davecgh/go-spew v1.1.1
+	github.com/github/depstubber v0.0.0-20200916130315-f3217697abd4 // indirect
+)
diff --git a/ql/test/library-tests/semmle/go/frameworks/Spew/test.go b/ql/test/library-tests/semmle/go/frameworks/Spew/test.go
@@ -0,0 +1,58 @@
+package main
+
+//go:generate depstubber -vendor github.com/davecgh/go-spew/spew "" Dump,Print,Println,Fdump,Fprint,Fprintln,Errorf,Fprintf,Printf,Sdump,Sprint,Sprintf,Sprintln
+
+import (
+	"io"
+
+	"github.com/davecgh/go-spew/spew"
+)
+
+func main() {}
+
+type Person struct {
+	Name    string
+	Address string
+}
+
+func getUntrustedString() string { return "%v" }
+
+func getUntrustedStruct() Person { return Person{} }
+
+func sinkString(s string) {}
+
+func testSpew(w io.Writer) {
+	s := "%v"
+	sUntrusted := getUntrustedString()
+	p := Person{}
+	pUntrusted := getUntrustedStruct()
+
+	spew.Dump(pUntrusted)      // NOT OK
+	spew.Print(pUntrusted)     // NOT OK
+	spew.Println(pUntrusted)   // NOT OK
+	spew.Errorf(sUntrusted, p) // NOT OK
+	spew.Errorf(s, pUntrusted) // NOT OK
+	spew.Printf(sUntrusted, p) // NOT OK
+	spew.Printf(s, pUntrusted) // NOT OK
+
+	spew.Fdump(w, pUntrusted)      // NOT OK
+	spew.Fprint(w, pUntrusted)     // NOT OK
+	spew.Fprintln(w, pUntrusted)   // NOT OK
+	spew.Fprintf(w, sUntrusted, p) // NOT OK
+	spew.Fprintf(w, s, pUntrusted) // NOT OK
+
+	str1 := spew.Sdump(pUntrusted)
+	sinkString(str1) // NOT OK
+
+	str2 := spew.Sprint(pUntrusted)
+	sinkString(str2) // NOT OK
+
+	str3 := spew.Sprintf(sUntrusted, p)
+	sinkString(str3) // NOT OK
+
+	str4 := spew.Sprintf(s, pUntrusted)
+	sinkString(str4) // NOT OK
+
+	str5 := spew.Sprintln(pUntrusted)
+	sinkString(str5) // NOT OK
+}
diff --git a/ql/test/library-tests/semmle/go/frameworks/Spew/vendor/github.com/davecgh/go-spew/spew/stub.go b/ql/test/library-tests/semmle/go/frameworks/Spew/vendor/github.com/davecgh/go-spew/spew/stub.go
diff --git a/ql/test/library-tests/semmle/go/frameworks/Spew/vendor/modules.txt b/ql/test/library-tests/semmle/go/frameworks/Spew/vendor/modules.txt
@@ -0,0 +1,6 @@
+# github.com/davecgh/go-spew v1.1.1
+## explicit
+github.com/davecgh/go-spew
+# github.com/github/depstubber v0.0.0-20200916130315-f3217697abd4
+## explicit
+github.com/github/depstubber

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+lgtm,codescanning`
	`2`	+* Added support for the Spew deep pretty-printing framework. This may cause the `go/clear-text-logging` query to return more results when sensitive data is exposed using this library.