Revel: add support and tests for Render and Redirect sinks.

Author: smowton

.github/workflows/codeqltest.yml

@@ -65,7 +65,7 @@ jobs:
         echo "Done"
         cd $HOME
         echo "Downloading CodeQL CLI..."
-        curl https://github.com/github/codeql-cli-binaries/releases/download/v2.2.5/codeql.zip -L -o codeql.zip
+        curl https://github.com/github/codeql-cli-binaries/releases/download/v2.3.0/codeql.zip -L -o codeql.zip
         echo "Done"
         echo "Unpacking CodeQL CLI..."
         unzip -q codeql.zip
@@ -98,7 +98,7 @@ jobs:
         echo "Done"
         cd "$HOME"
         echo "Downloading CodeQL CLI..."
-        Invoke-WebRequest -Uri https://github.com/github/codeql-cli-binaries/releases/download/v2.2.5/codeql.zip -OutFile codeql.zip
+        Invoke-WebRequest -Uri https://github.com/github/codeql-cli-binaries/releases/download/v2.3.0/codeql.zip -OutFile codeql.zip
         echo "Done"
         echo "Unpacking CodeQL CLI..."
         Expand-Archive codeql.zip -DestinationPath $HOME

change-notes/2020-10-19-revel.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added basic support for the Revel web framework.

ql/src/semmle/go/frameworks/Revel.qll

@@ -3,6 +3,7 @@
  */
 
 import go
+private import semmle.go.security.OpenUrlRedirectCustomizations
 
 module Revel {
   /** Gets the package name. */
@@ -28,6 +29,23 @@ module Revel {
     }
   }
 
+  /**
+   * Reinstate the usual field propagation rules for fields, which the OpenURLRedirect
+   * query usually excludes, for fields of `Params` other than `Params.Fixed`.
+   */
+  private class PropagateParamsFields extends OpenUrlRedirect::AdditionalStep {
+    PropagateParamsFields() { this = "PropagateParamsFields" }
+
+    override predicate hasTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+      exists(Field f, string field |
+        f.hasQualifiedName(packagePath(), "Params", field) and
+        field != "Fixed"
+      |
+        succ.(Read).readsField(pred, f)
+      )
+    }
+  }
+
   private class ParamsBind extends TaintTracking::FunctionModel, Method {
     ParamsBind() { this.hasQualifiedName(packagePath(), "Params", ["Bind", "BindJSON"]) }
 
@@ -94,4 +112,101 @@ module Revel {
       inp.isReceiver() and outp.isResult(0)
     }
   }
+
+  private string contentTypeFromFilename(DataFlow::Node filename) {
+    if filename.getStringValue().toLowerCase().matches(["%.htm", "%.html"])
+    then result = "text/html"
+    else result = "application/octet-stream"
+    // Actually Revel can figure out a variety of other content-types, but none of our analyses care to
+    // distinguish ones other than text/html.
+  }
+
+  /**
+   * `revel.Controller` methods which set the response content-type to and designate a result in one operation.
+   *
+   * Note these don't actually generate the response, they return a struct which is then returned by the controller
+   * method, but it is very likely if a string is being rendered that it will end up sent to the user.
+   *
+   * The `Render` and `RenderTemplate` methods are excluded for now because both execute HTML templates, and deciding
+   * whether a particular value is exposed unescaped or not requires parsing the template.
+   *
+   * The `RenderError` method can actually return HTML content, but again only via an HTML template if one exists;
+   * we assume it falls back to return plain text as this implies there is probably not an injection opportunity
+   * but there is an information leakage issue.
+   *
+   * The `RenderBinary` method can also return a variety of content-types based on the file extension passed.
+   * We look particularly for html file extensions, since these are the only ones we currently have special rules
+   * for (in particular, detecting XSS vulnerabilities).
+   */
+  private class ControllerRenderMethods extends HTTP::ResponseBody::Range {
+    string contentType;
+
+    ControllerRenderMethods() {
+      exists(Method m, string methodName, DataFlow::CallNode methodCall |
+        m.hasQualifiedName(packagePath(), "Controller", methodName) and
+        methodCall = m.getACall()
+      |
+        exists(int exposedArgument |
+          this = methodCall.getArgument(exposedArgument) and
+          (
+            methodName = "RenderBinary" and
+            contentType = contentTypeFromFilename(methodCall.getArgument(1)) and
+            exposedArgument = 0
+            or
+            methodName = "RenderError" and contentType = "text/plain" and exposedArgument = 0
+            or
+            methodName = "RenderHTML" and contentType = "text/html" and exposedArgument = 0
+            or
+            methodName = "RenderJSON" and contentType = "application/json" and exposedArgument = 0
+            or
+            methodName = "RenderJSONP" and
+            contentType = "application/javascript" and
+            exposedArgument = 1
+            or
+            methodName = "RenderXML" and contentType = "text/xml" and exposedArgument = 0
+          )
+        )
+        or
+        methodName = "RenderText" and
+        contentType = "text/plain" and
+        this = methodCall.getAnArgument()
+      )
+    }
+
+    override HTTP::ResponseWriter getResponseWriter() { none() }
+
+    override string getAContentType() { result = contentType }
+  }
+
+  /**
+   * The `revel.Controller.RenderFileName` method, which instructs Revel to open a file and return its contents.
+   * We extend FileSystemAccess rather than HTTP::ResponseBody as this will usually mean exposing a user-controlled
+   * file rather than the actual contents being user-controlled.
+   */
+  private class IoUtilFileSystemAccess extends FileSystemAccess::Range, DataFlow::CallNode {
+    IoUtilFileSystemAccess() {
+      this =
+        any(Method m | m.hasQualifiedName(packagePath(), "Controller", "RenderFileName")).getACall()
+    }
+
+    override DataFlow::Node getAPathArgument() { result = getArgument(0) }
+  }
+
+  /**
+   * The `revel.Controller.Redirect` method.
+   *
+   * For now I assume that in the context `Redirect(url, value)`, where Revel will `Sprintf(url, value)` internally,
+   * it is very likely `url` imposes some mandatory prefix, so `value` isn't truly an open redirect opportunity.
+   */
+  private class ControllerRedirectMethod extends HTTP::Redirect::Range, DataFlow::CallNode {
+    ControllerRedirectMethod() {
+      exists(Method m | m.hasQualifiedName(packagePath(), "Controller", "Redirect") |
+        this = m.getACall()
+      )
+    }
+
+    override DataFlow::Node getUrl() { result = this.getArgument(0) }
+
+    override HTTP::ResponseWriter getResponseWriter() { none() }
+  }
 }

ql/src/semmle/go/security/OpenUrlRedirect.qll

@@ -33,6 +33,9 @@ module OpenUrlRedirect {
       // taint steps that do not include flow through fields
       TaintTracking::localTaintStep(pred, succ) and not TaintTracking::fieldReadStep(pred, succ)
       or
+      // explicit extra taint steps for this query
+      any(AdditionalStep s).hasTaintStep(pred, succ)
+      or
       // propagate to a URL when its host is assigned to
       exists(Write w, Field f, SsaWithFields v | f.hasQualifiedName("net/url", "URL", "Host") |
         w.writesField(v.getAUse(), f, pred) and succ = v.getAUse()

ql/src/semmle/go/security/OpenUrlRedirectCustomizations.qll

@@ -34,6 +34,14 @@ module OpenUrlRedirect {
    */
   abstract class BarrierGuard extends DataFlow::BarrierGuard { }
 
+  /**
+   * An additional taint propagation step specific to this query.
+   */
+  bindingset[this]
+  abstract class AdditionalStep extends string {
+    abstract predicate hasTaintStep(DataFlow::Node pred, DataFlow::Node succ);
+  }
+
   /**
    * A source of third-party user input, considered as a flow source for URL redirects.
    */

ql/src/semmle/go/security/ReflectedXssCustomizations.qll

@@ -56,6 +56,8 @@ module ReflectedXss {
   private predicate nonHtmlContentType(HTTP::ResponseBody body) {
     not htmlTypeSpecified(body) and
     (
+      exists(body.getAContentType())
+      or
       exists(body.getAContentTypeNode())
       or
       exists(DataFlow::CallNode call | call.getTarget().hasQualifiedName("fmt", "Fprintf") |

ql/test/library-tests/semmle/go/frameworks/Revel/EndToEnd.go

@@ -0,0 +1,95 @@
+package main
+
+import (
+	"bytes"
+	"errors"
+	staticControllers "github.com/revel/modules/static/app/controllers"
+	"github.com/revel/revel"
+	"os"
+	"time"
+)
+
+// Use typical inheritence pattern, per github.com/revel/examples/booking:
+
+// Doesn't really matter which controller is used here since it'll be stubbed--
+// the important thing is we're inheriting a controller from a Revel module, which
+// itself implements revel.Controller.
+type MyApplication struct {
+	staticControllers.Static
+}
+
+// ...then it's common for files to inherit the whole-appliction controller.
+type MyRoute struct {
+	MyApplication
+}
+
+// Implement some request handlers on that Controller exhibiting some common problems:
+
+func (c MyRoute) Handler1() revel.Result {
+	// GOOD: the Render function is likely to properly escape the user-controlled parameter.
+	return c.Render("someviewparam", c.Params.Form.Get("someField"))
+}
+
+func (c MyRoute) Handler2() revel.Result {
+	// BAD: the RenderBinary function copies an `io.Reader` to the user's browser.
+	buf := &bytes.Buffer{}
+	buf.WriteString(c.Params.Form.Get("someField"))
+	return c.RenderBinary(buf, "index.html", revel.Inline, time.Now())
+}
+
+func (c MyRoute) Handler3() revel.Result {
+	// GOOD: the RenderBinary function copies an `io.Reader` to the user's browser, but the filename
+	// means it will be given a safe content-type.
+	buf := &bytes.Buffer{}
+	buf.WriteString(c.Params.Form.Get("someField"))
+	return c.RenderBinary(buf, "index.txt", revel.Inline, time.Now())
+}
+
+func (c MyRoute) Handler4() revel.Result {
+	// GOOD: the RenderError function either uses an HTML template with probable escaping,
+	// or it uses content-type text/plain.
+	err := errors.New(c.Params.Form.Get("someField"))
+	return c.RenderError(err)
+}
+
+func (c MyRoute) Handler5() revel.Result {
+	// BAD: returning an arbitrary file (but this is detected at the os.Open call, not
+	// due to modelling Revel)
+	f, _ := os.Open(c.Params.Form.Get("someField"))
+	return c.RenderFile(f, revel.Inline)
+}
+
+func (c MyRoute) Handler6() revel.Result {
+	// BAD: returning an arbitrary file (detected as a user-controlled file-op, not XSS)
+	return c.RenderFileName(c.Params.Form.Get("someField"), revel.Inline)
+}
+
+func (c MyRoute) Handler7() revel.Result {
+	// BAD: straightforward XSS
+	return c.RenderHTML(c.Params.Form.Get("someField"))
+}
+
+func (c MyRoute) Handler8() revel.Result {
+	// GOOD: uses JSON content-type
+	return c.RenderJSON(c.Params.Form.Get("someField"))
+}
+
+func (c MyRoute) Handler9() revel.Result {
+	// GOOD: uses Javascript content-type
+	return c.RenderJSONP("callback", c.Params.Form.Get("someField"))
+}
+
+func (c MyRoute) Handler10() revel.Result {
+	// GOOD: uses text content-type
+	return c.RenderText(c.Params.Form.Get("someField"))
+}
+
+func (c MyRoute) Handler11() revel.Result {
+	// GOOD: uses xml content-type
+	return c.RenderXML(c.Params.Form.Get("someField"))
+}
+
+func (c MyRoute) Handler12() revel.Result {
+	// BAD: open redirect
+	return c.Redirect(c.Params.Form.Get("someField"))
+}

ql/test/library-tests/semmle/go/frameworks/Revel/OpenRedirect.expected

@@ -0,0 +1,13 @@
+edges
+| EndToEnd.go:94:20:94:27 | implicit dereference : Params | EndToEnd.go:94:20:94:27 | implicit dereference : Params |
+| EndToEnd.go:94:20:94:27 | implicit dereference : Params | EndToEnd.go:94:20:94:27 | selection of Params : pointer type |
+| EndToEnd.go:94:20:94:27 | implicit dereference : Params | EndToEnd.go:94:20:94:49 | call to Get |
+| EndToEnd.go:94:20:94:27 | selection of Params : pointer type | EndToEnd.go:94:20:94:27 | implicit dereference : Params |
+| EndToEnd.go:94:20:94:27 | selection of Params : pointer type | EndToEnd.go:94:20:94:27 | selection of Params : pointer type |
+| EndToEnd.go:94:20:94:27 | selection of Params : pointer type | EndToEnd.go:94:20:94:49 | call to Get |
+nodes
+| EndToEnd.go:94:20:94:27 | implicit dereference : Params | semmle.label | implicit dereference : Params |
+| EndToEnd.go:94:20:94:27 | selection of Params : pointer type | semmle.label | selection of Params : pointer type |
+| EndToEnd.go:94:20:94:49 | call to Get | semmle.label | call to Get |
+#select
+| EndToEnd.go:94:20:94:49 | call to Get | EndToEnd.go:94:20:94:27 | selection of Params : pointer type | EndToEnd.go:94:20:94:49 | call to Get | Untrusted URL redirection due to $@. | EndToEnd.go:94:20:94:27 | selection of Params | user-provided value |

ql/test/library-tests/semmle/go/frameworks/Revel/OpenRedirect.qlref

@@ -0,0 +1 @@
+Security/CWE-601/OpenUrlRedirect.ql

ql/test/library-tests/semmle/go/frameworks/Revel/ReflectedXss.expected

@@ -0,0 +1,23 @@
+edges
+| EndToEnd.go:36:18:36:25 | implicit dereference : Params | EndToEnd.go:36:18:36:25 | implicit dereference : Params |
+| EndToEnd.go:36:18:36:25 | implicit dereference : Params | EndToEnd.go:36:18:36:25 | selection of Params : pointer type |
+| EndToEnd.go:36:18:36:25 | implicit dereference : Params | EndToEnd.go:37:24:37:26 | buf |
+| EndToEnd.go:36:18:36:25 | selection of Params : pointer type | EndToEnd.go:36:18:36:25 | implicit dereference : Params |
+| EndToEnd.go:36:18:36:25 | selection of Params : pointer type | EndToEnd.go:36:18:36:25 | selection of Params : pointer type |
+| EndToEnd.go:36:18:36:25 | selection of Params : pointer type | EndToEnd.go:37:24:37:26 | buf |
+| EndToEnd.go:69:22:69:29 | implicit dereference : Params | EndToEnd.go:69:22:69:29 | implicit dereference : Params |
+| EndToEnd.go:69:22:69:29 | implicit dereference : Params | EndToEnd.go:69:22:69:29 | selection of Params : pointer type |
+| EndToEnd.go:69:22:69:29 | implicit dereference : Params | EndToEnd.go:69:22:69:51 | call to Get |
+| EndToEnd.go:69:22:69:29 | selection of Params : pointer type | EndToEnd.go:69:22:69:29 | implicit dereference : Params |
+| EndToEnd.go:69:22:69:29 | selection of Params : pointer type | EndToEnd.go:69:22:69:29 | selection of Params : pointer type |
+| EndToEnd.go:69:22:69:29 | selection of Params : pointer type | EndToEnd.go:69:22:69:51 | call to Get |
+nodes
+| EndToEnd.go:36:18:36:25 | implicit dereference : Params | semmle.label | implicit dereference : Params |
+| EndToEnd.go:36:18:36:25 | selection of Params : pointer type | semmle.label | selection of Params : pointer type |
+| EndToEnd.go:37:24:37:26 | buf | semmle.label | buf |
+| EndToEnd.go:69:22:69:29 | implicit dereference : Params | semmle.label | implicit dereference : Params |
+| EndToEnd.go:69:22:69:29 | selection of Params : pointer type | semmle.label | selection of Params : pointer type |
+| EndToEnd.go:69:22:69:51 | call to Get | semmle.label | call to Get |
+#select
+| EndToEnd.go:37:24:37:26 | buf | EndToEnd.go:36:18:36:25 | selection of Params : pointer type | EndToEnd.go:37:24:37:26 | buf | Cross-site scripting vulnerability due to $@. | EndToEnd.go:36:18:36:25 | selection of Params | user-provided value |
+| EndToEnd.go:69:22:69:51 | call to Get | EndToEnd.go:69:22:69:29 | selection of Params : pointer type | EndToEnd.go:69:22:69:51 | call to Get | Cross-site scripting vulnerability due to $@. | EndToEnd.go:69:22:69:29 | selection of Params | user-provided value |