Merge pull request #3 from GitHubSecurityLab/go_packs

Combine GoLang QLPacks

Author: Alvaro Muñoz

.github/workflows/build.yml

@@ -12,13 +12,10 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        # language: [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift' ]
-        language: [ 'java' ]
+        language: [ 'java', 'go' ]
 
     steps:
       - uses: actions/checkout@v3
-        # with:
-        #   submodules: true
 
       # Conditionally run actions based on files modified by PR, feature branch or pushed commits
       - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50
@@ -75,7 +72,6 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        # language: [ 'csharp', 'java', 'javascript' ]
         language: [ 'java' ]
 
     steps:
@@ -104,8 +100,36 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ github.token }}
         run: |
-          codeql pack install "${{ matrix.language }}/ext/"
-          codeql pack install "${{ matrix.language }}/ext-library-sources/"
-          codeql pack create "${{ matrix.language }}/ext/"
-          codeql pack create "${{ matrix.language }}/ext-library-sources/"
+          gh extension install github/gh-codeql
+          gh codeql pack install "${{ matrix.language }}/ext/"
+          gh codeql pack create "${{ matrix.language }}/ext/"
+
+  library-sources:
+    runs-on: ubuntu-latest
+    
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'java' ]
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          submodules: true
+
+      - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50
+        id: changes
+        with:
+          filters: |
+            src:
+              - '${{ matrix.language }}/ext-library-sources/**'
+
+      - name: Install CodeQL
+        if: steps.changes.outputs.src == 'true'
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        run: |
+          gh extension install github/gh-codeql
+          gh codeql pack install "${{ matrix.language }}/ext-library-sources/"
+          gh codeql pack create "${{ matrix.language }}/ext-library-sources/"
 

codeql-workspace.yml

@@ -1,2 +1,3 @@
 provide:
 - java/**/qlpack.yml
+- go/**/qlpack.yml

go/ext/codeql-pack.lock.yml

@@ -0,0 +1,4 @@
+---
+lockVersion: 1.0.0
+dependencies: {}
+compiled: false

go/ext/generated/.gitkeep

@@ -0,0 +1,10 @@
+library: true
+name: githubsecuritylab/codeql-go-extensions
+version: 0.0.1
+extensionTargets:
+  codeql/go-all: '*'
+  codeql/go-queries: '*'
+  githubsecuritylab/codeql-go-queries: '*'
+dataExtensions:
+  - manual/*.yml
+  - generated/*.yml

go/ext/manual/.gitkeep

@@ -0,0 +1,16 @@
+---
+lockVersion: 1.0.0
+dependencies:
+  codeql/dataflow:
+    version: 0.0.3
+  codeql/go-all:
+    version: 0.6.4
+  codeql/mad:
+    version: 0.1.4
+  codeql/ssa:
+    version: 0.1.4
+  codeql/tutorial:
+    version: 0.1.4
+  codeql/util:
+    version: 0.1.4
+compiled: false

go/ext/qlpack.yml

@@ -0,0 +1,84 @@
+private import go
+
+module LocalSources {
+  private import semmle.go.dataflow.DataFlow
+  private import semmle.go.dataflow.TaintTracking
+  private import semmle.go.Scopes
+  
+  abstract class Range extends DataFlow::Node { }
+
+// ========== Sources ==========
+
+abstract class Sources extends DataFlow::Node { }
+
+// ----------------------------------------------------
+// Used for finding Selections or Calls for Go imports 
+// ----------------------------------------------------
+
+//class UseOfGoImports extends Sources { 
+  //UseOfGoImports () {
+    //exists ( ValueEntity read, 
+             //DataFlow::Package pkg | 
+             //read.getScope().getEntity(_) = pkg.getScope().getEntity(_)
+             //and ( this.toString().regexpMatch("selection of.*")
+              //or this.toString().regexpMatch("call to .*") )
+    //)
+  //}
+//}
+
+// ----------------------------------------------------
+
+class OsCmd extends LocalSources::Range {
+  OsCmd() {
+    exists ( ValueEntity read, 
+      DataFlow::Package pkg | 
+      read.getScope().getEntity(_) = pkg.getScope().getEntity(_)
+      and this.toString() = "selection of Run"
+    ) 
+  }
+}
+
+class OsExec extends LocalSources::Range {
+  OsExec() {
+    exists ( ValueEntity read, 
+             DataFlow::Package pkg | 
+             read.getScope().getEntity(_) = pkg.getScope().getEntity(_)
+             and this.toString() = "selection of Command"
+    )
+  }
+}
+
+class OsArgs extends LocalSources::Range { 
+  OsArgs() {
+    exists ( ValueEntity read, 
+             DataFlow::Package pkg | 
+             read.getScope().getEntity(_) = pkg.getScope().getEntity(_)
+             and this.toString() = "selection of Args"
+    )
+  }
+}
+
+// Not currently working (need a test case)
+//class OsGetenv extends Sources, DataFlow::CallNode {
+  //OsGetenv() {
+    //// https://pkg.go.dev/os#Getenv
+    //this.getTarget().hasQualifiedName(package("os", ""), "Getenv")
+    //or
+    //// https://pkg.go.dev/os#Environ
+    //this.getTarget().hasQualifiedName(package("os", ""), "Environ")
+  //}
+//}
+
+  // https://pkg.go.dev/flag
+class Flag extends LocalSources::Range {
+    Flag() {
+      exists ( ValueEntity read, 
+               DataFlow::Package pkg | 
+               read.getScope().getEntity(_) = pkg.getScope().getEntity(_)
+               and 
+               ( this.toString() = "selection of String"
+               or this.toString() = "selection of Parse" )
+      )
+    }
+}
+}

go/lib/ResearchMode.qll

@@ -0,0 +1,17 @@
+import go
+import semmle.go.frameworks.stdlib.Fmt
+
+class DynamicStrings extends DataFlow::Node {
+    DynamicStrings() {
+        // fmt format string
+        exists(Fmt::Sprinter formatter |
+            this = formatter.getACall()
+        )
+        or
+        // binary expression
+        exists(BinaryExpr expr |
+            this.asExpr() = expr.getLeftOperand() and
+            expr.getOperator() = "+"
+        )
+    }
+}

go/lib/applications/.gitkeep

@@ -0,0 +1,5 @@
+library: true 
+name: githubsecuritylab/codeql-go-libs
+version: 0.0.1
+dependencies:
+  codeql/go-all: '*'

go/lib/codeql-pack.lock.yml

@@ -0,0 +1,40 @@
+/**
+ * @name Command built from user-controlled sources
+ * @description Building a system command from user-controlled sources is vulnerable to insertion of
+ *              malicious code by the user.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 9.8
+ * @precision high
+ * @id go/injection
+ * @tags security
+ *       external/cwe/cwe-078
+ *       audit
+ */
+
+import go
+import semmle.go.security.CommandInjection
+import semmle.go.frameworks.SystemCommandExecutors
+
+/**
+ * A system-command execution via any argument passed to a command interpreter
+ */
+class ArgumentInjectionSink extends SystemCommandExecution::Range, DataFlow::CallNode {
+  ArgumentInjectionSink() { this instanceof SystemCommandExecution }
+
+  override DataFlow::Node getCommandName() { result = this.getAnArgument() }
+}
+
+module Flow =
+  DataFlow::MergePathGraph<CommandInjection::Flow::PathNode,
+    CommandInjection::DoubleDashSanitizingFlow::PathNode, CommandInjection::Flow::PathGraph,
+    CommandInjection::DoubleDashSanitizingFlow::PathGraph>;
+
+import Flow::PathGraph
+
+from Flow::PathNode source, Flow::PathNode sink
+where
+  CommandInjection::Flow::flowPath(source.asPathNode1(), sink.asPathNode1()) or
+  CommandInjection::DoubleDashSanitizingFlow::flowPath(source.asPathNode2(), sink.asPathNode2())
+select sink.getNode(), source, sink, "This command depends on a $@.", source.getNode(),
+  "user-provided value"

go/lib/frameworks/.gitkeep

@@ -0,0 +1,3 @@
+# Audit - SQL Injection using format strings
+
+This query checks for SQL injection vulnerabilities in the code. It looks for the use of format strings in SQL queries. Format strings are a common source of SQL injection vulnerabilities.

go/lib/github/LocalSources.qll

@@ -0,0 +1,34 @@
+/**
+ * @name Audit - SQL Injection using format strings
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 2.5
+ * @sub-severity low
+ * @precision very-low
+ * @id go/audit/sql-injection
+ * @tags security
+ *       external/cwe/cwe-089
+ *       audit
+ */
+import go
+import semmle.go.security.SqlInjection
+import DataFlow::PathGraph
+import github.Utils
+
+/**
+ * A taint-tracking configuration for detecting SQL injection vulnerabilities.
+ */
+class SqlInjectionAudit extends TaintTracking::Configuration {
+  SqlInjectionAudit() { this = "SqlInjectionAudit" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof DynamicStrings }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof SqlInjection::Sink }
+
+  override predicate isSanitizer(DataFlow::Node node) { node instanceof SqlInjection::Sanitizer }
+}
+
+from SqlInjectionAudit config, DataFlow::PathNode source, DataFlow::PathNode sink
+where config.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "This SQL query depends on $@.", source.getNode(),
+  "a user-provided value"

go/lib/github/Utils.qll

@@ -0,0 +1,17 @@
+/**
+ * @name External dependencies
+ * @description Count the number of dependencies that a Java project has on external packages.
+ * @kind treemap
+ * @id githubsecuritylab/external-dependencies
+ * @metricType externalDependency
+ * @tags audit
+ */
+
+import go
+import semmle.go.dependencies.Dependencies
+
+from Dependency d, int nimports, string name
+where
+  nimports = strictsum(ImportSpec is | is = d.getAnImport() | 1) and
+  exists(string p, string v | d.info(p, v) and name = p + v)
+select name, nimports order by nimports desc

go/lib/qlpack.yml

@@ -0,0 +1,13 @@
+/**
+ * @name Files
+ * @description List of all files in the repository
+ * @kind table
+ * @id githubsecuritylab/files
+ * @tags audit
+ */
+
+import go
+
+from File f
+where f.getExtension() = "go" and not f.getRelativePath().matches("%/test/%")
+select f.getRelativePath()

go/src/CVEs/.gitkeep

@@ -0,0 +1,14 @@
+/**
+ * @name Attack Surface
+ * @description Application attack surface
+ * @kind table
+ * @id githubsecuritylab/attack-surface
+ * @tags audit
+ */
+
+import semmle.go.security.FlowSources
+
+from UntrustedFlowSource source
+where not source.getFile().getRelativePath().matches("%/test/%")
+select source, "remote", source.getFile().getRelativePath(), source.getStartLine(),
+  source.getEndLine(), source.getStartColumn(), source.getEndColumn()

go/src/audit/CWE-078/ArgumentInjection.ql

@@ -0,0 +1,34 @@
+/**
+ * @name Backwards Partial Dataflow
+ * @description Backwards Partial Dataflow
+ * @kind table
+ * @id githubsecuritylab/backwards-partial-dataflow
+ * @tags template
+ */
+
+import go
+import semmle.go.dataflow.TaintTracking
+import PartialFlow::PartialPathGraph
+
+private module MyConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { none() }
+
+  predicate isSink(DataFlow::Node sink) {
+    // Define the sink to run the backwards partial dataflow from. Eg:
+    // exists(DataFlow::CallNode call |
+    //   call.getTarget().hasQualifiedName(_, "sink") and
+    //   call.getArgument(0) = sink
+    //   )
+    none()
+  }
+}
+
+private module MyFlow = TaintTracking::Global<MyConfig>; // or DataFlow::Global<..>
+
+int explorationLimit() { result = 10 }
+
+private module PartialFlow = MyFlow::FlowExploration<explorationLimit/0>;
+
+from PartialFlow::PartialPathNode n, int dist
+where PartialFlow::partialFlowRev(n, _, dist)
+select dist, n