Model Revel

Author: owen-mc

ql/src/go.qll

@@ -39,6 +39,7 @@ import semmle.go.frameworks.Macaron
 import semmle.go.frameworks.Mux
 import semmle.go.frameworks.NoSQL
 import semmle.go.frameworks.Protobuf
+import semmle.go.frameworks.Revel
 import semmle.go.frameworks.Spew
 import semmle.go.frameworks.SQL
 import semmle.go.frameworks.Stdlib

ql/src/semmle/go/frameworks/Revel.qll

@@ -0,0 +1,97 @@
+/**
+ * Provides classes for working with untrusted flow sources from the `github.com/revel/revel` package.
+ */
+
+import go
+
+module Revel {
+  /** Gets the package name. */
+  bindingset[result]
+  string packagePath() { result = package(["github.com/revel", "github.com/robfig"], "revel") }
+
+  private class ControllerParams extends UntrustedFlowSource::Range, DataFlow::FieldReadNode {
+    ControllerParams() {
+      exists(Field f |
+        this.readsField(_, f) and
+        f.hasQualifiedName(packagePath(), "Controller", "Params")
+      )
+    }
+  }
+
+  private class ParamsFixedSanitizer extends TaintTracking::DefaultTaintSanitizer,
+    DataFlow::FieldReadNode {
+    ParamsFixedSanitizer() {
+      exists(Field f |
+        this.readsField(_, f) and
+        f.hasQualifiedName(packagePath(), "Params", "Fixed")
+      )
+    }
+  }
+
+  private class ParamsBind extends TaintTracking::FunctionModel, Method {
+    ParamsBind() { this.hasQualifiedName(packagePath(), "Params", ["Bind", "BindJSON"]) }
+
+    override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) {
+      inp.isReceiver() and outp.isParameter(0)
+    }
+  }
+
+  private class RouteMatchParams extends UntrustedFlowSource::Range, DataFlow::FieldReadNode {
+    RouteMatchParams() {
+      exists(Field f |
+        this.readsField(_, f) and
+        f.hasQualifiedName(packagePath(), "RouteMatch", "Params")
+      )
+    }
+  }
+
+  /** An access to an HTTP request field whose value may be controlled by an untrusted user. */
+  private class UserControlledRequestField extends UntrustedFlowSource::Range,
+    DataFlow::FieldReadNode {
+    UserControlledRequestField() {
+      exists(string fieldName |
+        this.getField().hasQualifiedName(packagePath(), "Request", fieldName)
+      |
+        fieldName in ["In", "Header", "URL", "Form", "MultipartForm"]
+      )
+    }
+  }
+
+  private class UserControlledRequestMethod extends UntrustedFlowSource::Range,
+    DataFlow::MethodCallNode {
+    UserControlledRequestMethod() {
+      this
+          .getTarget()
+          .hasQualifiedName(packagePath(), "Request",
+            ["FormValue", "PostFormValue", "GetQuery", "GetForm", "GetMultipartForm", "GetBody"])
+    }
+  }
+
+  private class ServerMultipartFormGetFiles extends TaintTracking::FunctionModel, Method {
+    ServerMultipartFormGetFiles() {
+      this.hasQualifiedName(packagePath(), "ServerMultipartForm", "GetFiles")
+    }
+
+    override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) {
+      inp.isReceiver() and outp.isResult()
+    }
+  }
+
+  private class ServerMultipartFormGetValues extends TaintTracking::FunctionModel, Method {
+    ServerMultipartFormGetValues() {
+      this.hasQualifiedName(packagePath(), "ServerMultipartForm", "GetValues")
+    }
+
+    override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) {
+      inp.isReceiver() and outp.isResult()
+    }
+  }
+
+  private class ServerRequestGet extends TaintTracking::FunctionModel, Method {
+    ServerRequestGet() { this.hasQualifiedName(packagePath(), "ServerRequest", "Get") }
+
+    override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) {
+      inp.isReceiver() and outp.isResult(0)
+    }
+  }
+}

ql/src/semmle/go/frameworks/WebSocket.qll

@@ -271,4 +271,28 @@ module WebSocketReader {
 
     override FunctionOutput getAnOutput() { result.isResult(1) }
   }
+
+  /**
+   * The `ServerWebSocket.MessageReceive` method of the `github.com/revel/revel` package.
+   */
+  private class RevelServerWebSocketMessageReceive extends Range, Method {
+    RevelServerWebSocketMessageReceive() {
+      // func MessageReceive(v interface{}) error
+      this.hasQualifiedName(Revel::packagePath(), "ServerWebSocket", "MessageReceive")
+    }
+
+    override FunctionOutput getAnOutput() { result.isParameter(0) }
+  }
+
+  /**
+   * The `ServerWebSocket.MessageReceiveJSON` method of the `github.com/revel/revel` package.
+   */
+  private class RevelServerWebSocketMessageReceiveJSON extends Range, Method {
+    RevelServerWebSocketMessageReceiveJSON() {
+      // func MessageReceiveJSON(v interface{}) error
+      this.hasQualifiedName(Revel::packagePath(), "ServerWebSocket", "MessageReceiveJSON")
+    }
+
+    override FunctionOutput getAnOutput() { result.isParameter(0) }
+  }
 }

ql/test/library-tests/semmle/go/frameworks/Revel/Revel.go

@@ -0,0 +1,111 @@
+package main
+
+//go:generate depstubber -vendor github.com/revel/revel Controller,Params,Request,Router HTTP_QUERY
+
+import (
+	"io/ioutil"
+	"mime/multipart"
+	"net/url"
+
+	"github.com/revel/revel"
+)
+
+func main() {}
+
+type myAppController struct {
+	*revel.Controller
+	OtherStuff string
+}
+
+type person struct {
+	Name    string `form:"name"`
+	Address string `form:"address"`
+}
+
+func useString(val string) {}
+
+func useFiles(val *multipart.FileHeader) {}
+
+func useJSON(val []byte) {}
+
+func useURLValues(v url.Values) {
+	useString(v["key"][0])
+	useString(v.Get("key"))
+}
+
+func usePerson(p person) {}
+
+func (c myAppController) accessingParamsDirectlyIsUnsafe() {
+	useString(c.Params.Get("key")) // NOT OK
+	useURLValues(c.Params.Values)  // NOT OK
+
+	val4 := ""
+	c.Params.Bind(&val4, "key") // NOT OK
+	useString(val4)
+
+	useString(c.Request.FormValue("key")) // NOT OK
+}
+
+func (c myAppController) accessingFixedIsSafe(mainRouter *revel.Router) {
+	useURLValues(c.Params.Fixed)                          // OK
+	useString(mainRouter.Route(c.Request).FixedParams[0]) // OK
+}
+
+func (c myAppController) accessingRouteIsUnsafe(mainRouter *revel.Router) {
+	useURLValues(c.Params.Route)                     // NOT OK
+	useURLValues(mainRouter.Route(c.Request).Params) // NOT OK
+}
+
+func (c myAppController) accessingParamsQueryIsUnsafe() {
+	useURLValues(c.Params.Query) // NOT OK
+}
+
+func (c myAppController) accessingParamsFormIsUnsafe() {
+	useURLValues(c.Params.Form)               // NOT OK
+	useString(c.Request.PostFormValue("key")) // NOT OK
+}
+
+func (c myAppController) accessingParamsFilesIsUnsafe() {
+	useFiles(c.Params.Files["key"][0]) // NOT OK
+}
+
+func (c myAppController) accessingParamsJSONIsUnsafe() {
+	useJSON(c.Params.JSON) // NOT OK
+
+	var val2 map[string]interface{}
+	c.Params.BindJSON(&val2) // NOT OK
+	useString(val2["name"].(string))
+}
+
+func accessingRequestDirectlyIsUnsafe(c *revel.Controller) {
+	useURLValues(c.Request.GetQuery())          // NOT OK
+	useURLValues(c.Request.Form)                // NOT OK
+	useURLValues(c.Request.MultipartForm.Value) // NOT OK
+
+	form, _ := c.Request.GetForm() // NOT OK
+	useURLValues(form)
+
+	smp1, _ := c.Request.GetMultipartForm() // NOT OK
+	useURLValues(smp1.GetValues())
+
+	smp2, _ := c.Request.GetMultipartForm() // NOT OK
+	useFiles(smp2.GetFiles()["key"][0])
+
+	useFiles(c.Request.MultipartForm.File["key"][0]) // NOT OK
+
+	json, _ := ioutil.ReadAll(c.Request.GetBody()) // NOT OK
+	useJSON(json)
+}
+
+func accessingServerRequest(c *revel.Controller) {
+	query, _ := c.Request.In.Get(revel.HTTP_QUERY) // NOT OK
+	useURLValues(query.(url.Values))
+
+	var message string
+	c.Request.WebSocket.MessageReceive(&message) // NOT OK
+	useString(message)
+
+	var p person
+	c.Request.WebSocket.MessageReceiveJSON(&p) // NOT OK
+	usePerson(p)
+}

ql/test/library-tests/semmle/go/frameworks/Revel/TaintFlows.expected

@@ -0,0 +1,34 @@
+| Revel.go:39:12:39:19 | selection of Params : pointer type | Revel.go:39:12:39:30 | call to Get | 39 |
+| Revel.go:40:15:40:22 | selection of Params : pointer type | Revel.go:32:12:32:22 | index expression | 40 |
+| Revel.go:40:15:40:22 | selection of Params : pointer type | Revel.go:33:12:33:23 | call to Get | 40 |
+| Revel.go:43:2:43:9 | selection of Params : pointer type | Revel.go:44:12:44:15 | val4 | 43 |
+| Revel.go:46:12:46:37 | call to FormValue | Revel.go:46:12:46:37 | call to FormValue | 46 |
+| Revel.go:55:15:55:22 | selection of Params : pointer type | Revel.go:32:12:32:22 | index expression | 55 |
+| Revel.go:55:15:55:22 | selection of Params : pointer type | Revel.go:33:12:33:23 | call to Get | 55 |
+| Revel.go:56:15:56:48 | selection of Params : map type | Revel.go:32:12:32:22 | index expression | 56 |
+| Revel.go:56:15:56:48 | selection of Params : map type | Revel.go:33:12:33:23 | call to Get | 56 |
+| Revel.go:60:15:60:22 | selection of Params : pointer type | Revel.go:32:12:32:22 | index expression | 60 |
+| Revel.go:60:15:60:22 | selection of Params : pointer type | Revel.go:33:12:33:23 | call to Get | 60 |
+| Revel.go:64:15:64:22 | selection of Params : pointer type | Revel.go:32:12:32:22 | index expression | 64 |
+| Revel.go:64:15:64:22 | selection of Params : pointer type | Revel.go:33:12:33:23 | call to Get | 64 |
+| Revel.go:65:12:65:41 | call to PostFormValue | Revel.go:65:12:65:41 | call to PostFormValue | 65 |
+| Revel.go:69:11:69:18 | selection of Params : pointer type | Revel.go:69:11:69:34 | index expression | 69 |
+| Revel.go:73:10:73:17 | selection of Params : pointer type | Revel.go:73:10:73:22 | selection of JSON | 73 |
+| Revel.go:76:2:76:9 | selection of Params : pointer type | Revel.go:77:12:77:32 | type assertion | 76 |
+| Revel.go:81:15:81:34 | call to GetQuery : Values | Revel.go:32:12:32:22 | index expression | 81 |
+| Revel.go:81:15:81:34 | call to GetQuery : Values | Revel.go:33:12:33:23 | call to Get | 81 |
+| Revel.go:82:15:82:28 | selection of Form : Values | Revel.go:32:12:32:22 | index expression | 82 |
+| Revel.go:82:15:82:28 | selection of Form : Values | Revel.go:33:12:33:23 | call to Get | 82 |
+| Revel.go:83:15:83:37 | selection of MultipartForm : pointer type | Revel.go:32:12:32:22 | index expression | 83 |
+| Revel.go:83:15:83:37 | selection of MultipartForm : pointer type | Revel.go:33:12:33:23 | call to Get | 83 |
+| Revel.go:85:13:85:31 | call to GetForm : tuple type | Revel.go:32:12:32:22 | index expression | 85 |
+| Revel.go:85:13:85:31 | call to GetForm : tuple type | Revel.go:33:12:33:23 | call to Get | 85 |
+| Revel.go:88:13:88:40 | call to GetMultipartForm : tuple type | Revel.go:32:12:32:22 | index expression | 88 |
+| Revel.go:88:13:88:40 | call to GetMultipartForm : tuple type | Revel.go:33:12:33:23 | call to Get | 88 |
+| Revel.go:91:13:91:40 | call to GetMultipartForm : tuple type | Revel.go:92:11:92:35 | index expression | 91 |
+| Revel.go:94:11:94:33 | selection of MultipartForm : pointer type | Revel.go:94:11:94:48 | index expression | 94 |
+| Revel.go:96:28:96:46 | call to GetBody : Reader | Revel.go:97:10:97:13 | json | 96 |
+| Revel.go:101:14:101:25 | selection of In : ServerRequest | Revel.go:32:12:32:22 | index expression | 101 |
+| Revel.go:101:14:101:25 | selection of In : ServerRequest | Revel.go:33:12:33:23 | call to Get | 101 |
+| Revel.go:105:37:105:44 | &... : pointer type | Revel.go:106:12:106:18 | message | 105 |
+| Revel.go:109:41:109:42 | &... : pointer type | Revel.go:110:12:110:12 | p | 109 |

ql/test/library-tests/semmle/go/frameworks/Revel/TaintFlows.ql

@@ -0,0 +1,19 @@
+import go
+
+class SinkFunction extends Function {
+  SinkFunction() { this.getName() = ["useFiles", "useJSON", "usePerson", "useString"] }
+}
+
+class TestConfig extends TaintTracking::Configuration {
+  TestConfig() { this = "testconfig" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) {
+    sink = any(SinkFunction f).getACall().getAnArgument()
+  }
+}
+
+from TaintTracking::Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink, int i
+where config.hasFlowPath(source, sink) and source.hasLocationInfo(_, i, _, _, _)
+select source, sink, i order by i

ql/test/library-tests/semmle/go/frameworks/Revel/go.mod

@@ -0,0 +1,20 @@
+module codeql-go-tests/frameworks/Revel
+
+go 1.14
+
+require (
+	github.com/fsnotify/fsnotify v1.4.9 // indirect
+	github.com/github/depstubber v0.0.0-20200910105848-4f6b1e61222c // indirect
+	github.com/go-stack/stack v1.8.0 // indirect
+	github.com/inconshreveable/log15 v0.0.0-20200109203555-b30bc20e4fd1 // indirect
+	github.com/mattn/go-colorable v0.1.7 // indirect
+	github.com/revel/config v1.0.0 // indirect
+	github.com/revel/log15 v2.11.20+incompatible // indirect
+	github.com/revel/pathtree v0.0.0-20140121041023-41257a1839e9 // indirect
+	github.com/revel/revel v1.0.0
+	github.com/twinj/uuid v1.0.0 // indirect
+	github.com/xeonx/timeago v1.0.0-rc4 // indirect
+	golang.org/x/net v0.0.0-20200904194848-62affa334b73 // indirect
+	gopkg.in/natefinch/lumberjack.v2 v2.0.0 // indirect
+	gopkg.in/stack.v0 v0.0.0-20141108040640-9b43fcefddd0 // indirect
+)