feat(go): Update local sources and add tests

GeekMasher · GeekMasher · commit 537610682995 · 2024-01-18T14:20:01.000Z
diff --git a/go/lib/ghsl/LocalSources.qll b/go/lib/ghsl/LocalSources.qll
@@ -3,82 +3,36 @@ private import go
 module LocalSources {
   private import semmle.go.dataflow.DataFlow
   private import semmle.go.dataflow.TaintTracking
+  private import semmle.go.dataflow.ExternalFlow as ExternalFlow
   private import semmle.go.Scopes
-  
-  abstract class Range extends DataFlow::Node { }
-
-// ========== Sources ==========
-
-abstract class Sources extends DataFlow::Node { }
-
-// ----------------------------------------------------
-// Used for finding Selections or Calls for Go imports 
-// ----------------------------------------------------
 
-//class UseOfGoImports extends Sources { 
-  //UseOfGoImports () {
-    //exists ( ValueEntity read, 
-             //DataFlow::Package pkg | 
-             //read.getScope().getEntity(_) = pkg.getScope().getEntity(_)
-             //and ( this.toString().regexpMatch("selection of.*")
-              //or this.toString().regexpMatch("call to .*") )
-    //)
-  //}
-//}
-
-// ----------------------------------------------------
-
-class OsCmd extends LocalSources::Range {
-  OsCmd() {
-    exists ( ValueEntity read, 
-      DataFlow::Package pkg | 
-      read.getScope().getEntity(_) = pkg.getScope().getEntity(_)
-      and this.toString() = "selection of Run"
-    ) 
-  }
-}
+  /**
+   * A source of data that is controlled by the local user.
+   */
+  abstract class Range extends DataFlow::Node { }
 
-class OsExec extends LocalSources::Range {
-  OsExec() {
-    exists ( ValueEntity read, 
-             DataFlow::Package pkg | 
-             read.getScope().getEntity(_) = pkg.getScope().getEntity(_)
-             and this.toString() = "selection of Command"
-    )
+  /**
+   * Support for Local Sources
+   */
+  class MaDLocalSource extends Range {
+    MaDLocalSource() { ExternalFlow::sourceNode(this, "local") }
   }
-}
-
-class OsArgs extends LocalSources::Range { 
-  OsArgs() {
-    exists ( ValueEntity read, 
-             DataFlow::Package pkg | 
-             read.getScope().getEntity(_) = pkg.getScope().getEntity(_)
-             and this.toString() = "selection of Args"
-    )
+  
+  class OsCmd extends LocalSources::Range {
+    OsCmd() {
+      exists(ValueEntity read, DataFlow::Package pkg |
+        read.getScope().getEntity(_) = pkg.getScope().getEntity(_) and
+        this.toString() = "selection of Run"
+      )
+    }
   }
-}
 
-// Not currently working (need a test case)
-//class OsGetenv extends Sources, DataFlow::CallNode {
-  //OsGetenv() {
-    //// https://pkg.go.dev/os#Getenv
-    //this.getTarget().hasQualifiedName(package("os", ""), "Getenv")
-    //or
-    //// https://pkg.go.dev/os#Environ
-    //this.getTarget().hasQualifiedName(package("os", ""), "Environ")
-  //}
-//}
-
-  // https://pkg.go.dev/flag
-class Flag extends LocalSources::Range {
-    Flag() {
-      exists ( ValueEntity read, 
-               DataFlow::Package pkg | 
-               read.getScope().getEntity(_) = pkg.getScope().getEntity(_)
-               and 
-               ( this.toString() = "selection of String"
-               or this.toString() = "selection of Parse" )
+  class OsExec extends LocalSources::Range {
+    OsExec() {
+      exists(ValueEntity read, DataFlow::Package pkg |
+        read.getScope().getEntity(_) = pkg.getScope().getEntity(_) and
+        this.toString() = "selection of Command"
       )
     }
+  }
 }
-}
diff --git a/go/test/lib/localsources/cmd/flag.go b/go/test/lib/localsources/cmd/flag.go
@@ -0,0 +1,25 @@
+package main
+
+import (
+	"flag"
+	"fmt"
+)
+
+func main() {
+
+	wordPtr := flag.String("word", "foo", "a string")
+
+	numbPtr := flag.Int("numb", 42, "an int")
+	forkPtr := flag.Bool("fork", false, "a bool")
+
+	var svar string
+	flag.StringVar(&svar, "svar", "bar", "a string var")
+
+	flag.Parse()
+
+	fmt.Println("word:", *wordPtr)
+	fmt.Println("numb:", *numbPtr)
+	fmt.Println("fork:", *forkPtr)
+	fmt.Println("svar:", svar)
+	fmt.Println("tail:", flag.Args())
+}
diff --git a/go/test/lib/localsources/cmd/go_os.go b/go/test/lib/localsources/cmd/go_os.go
@@ -0,0 +1,20 @@
+package main
+
+import (
+	"fmt"
+	"os"
+)
+
+func main() {
+	args := os.Args
+	fmt.Println(args[0], args[1])
+
+	// Environ
+	env := os.Environ()
+	fmt.Println(env[0], env[1])
+
+	// getenv
+	myenv := os.Getenv("HOME")
+	fmt.Println(myenv)
+
+}
diff --git a/go/test/lib/localsources/go.mod b/go/test/lib/localsources/go.mod
@@ -0,0 +1,3 @@
+module github.com/GitHubSecurityLab/CodeQLCommunityPacks
+
+go 1.10
diff --git a/go/test/lib/localsources/local.expected b/go/test/lib/localsources/local.expected
@@ -0,0 +1,7 @@
+| cmd/flag.go:10:13:10:23 | selection of String |
+| cmd/flag.go:10:13:10:50 | call to String |
+| cmd/flag.go:18:2:18:11 | selection of Parse |
+| cmd/flag.go:24:23:24:31 | selection of Args |
+| cmd/go_os.go:9:10:9:16 | selection of Args |
+| cmd/go_os.go:13:9:13:20 | call to Environ |
+| cmd/go_os.go:17:11:17:27 | call to Getenv |
diff --git a/go/test/lib/localsources/local.ql b/go/test/lib/localsources/local.ql
@@ -0,0 +1,7 @@
+import go
+import ghsl.Utils
+import ghsl.LocalSources
+
+query predicate remoteSources(DataFlow::ExprNode node) { node instanceof UntrustedFlowSource }
+
+query predicate localSources(DataFlow::ExprNode node) { node instanceof LocalSources::Range }
diff --git a/go/test/qlpack.yml b/go/test/qlpack.yml
@@ -5,5 +5,6 @@ dependencies:
     codeql/go-queries: '*'
     githubsecuritylab/codeql-go-queries: '*'
     githubsecuritylab/codeql-go-libs: '*'
+    githubsecuritylab/codeql-go-extensions: '*'
 extractor: go
 tests: .

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+module github.com/GitHubSecurityLab/CodeQLCommunityPacks`
	`2`	`+`
	`3`	`+go 1.10`