-
Notifications
You must be signed in to change notification settings - Fork 2k
Expand file tree
/
Copy pathConcepts.qll
More file actions
608 lines (528 loc) · 19.9 KB
/
Concepts.qll
File metadata and controls
608 lines (528 loc) · 19.9 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
/**
* Provides abstract classes representing generic concepts such as file system
* access or system command execution, for which individual framework libraries
* provide concrete subclasses.
*/
overlay[local?]
module;
import go
import semmle.go.dataflow.FunctionInputsAndOutputs
import semmle.go.concepts.HTTP
import semmle.go.concepts.GeneratedFile
private import codeql.concepts.ConceptsShared
private import semmle.go.dataflow.internal.DataFlowImplSpecific
private module ConceptsShared = ConceptsMake<Location, GoDataFlow>;
/**
* A data-flow node that executes an operating system command,
* for instance by spawning a new process.
*
* Extend this class to refine existing API models. If you want to model new APIs,
* extend `SystemCommandExecution::Range` instead.
*/
class SystemCommandExecution extends DataFlow::Node instanceof SystemCommandExecution::Range {
/** Gets the argument that specifies the command to be executed. */
DataFlow::Node getCommandName() { result = super.getCommandName() }
/** Holds if this node is sanitized whenever it follows `--` in an argument list. */
predicate doubleDashIsSanitizing() { super.doubleDashIsSanitizing() }
}
/** Provides a class for modeling new system-command execution APIs. */
module SystemCommandExecution {
/**
* A data-flow node that executes an operating system command,
* for instance by spawning a new process.
*
* Extend this class to model new APIs. If you want to refine existing API models,
* extend `SystemCommandExecution` instead.
*/
abstract class Range extends DataFlow::Node {
/** Gets the argument that specifies the command to be executed. */
abstract DataFlow::Node getCommandName();
/** Holds if this node is sanitized whenever it follows `--` in an argument list. */
predicate doubleDashIsSanitizing() { none() }
}
}
/**
* An instantiation of a template; that is, a call which fills out a template with data.
*
* Extend this class to refine existing API models. If you want to model new APIs,
* extend `TemplateInstantiation::Range` instead.
*/
class TemplateInstantiation extends DataFlow::Node instanceof TemplateInstantiation::Range {
/**
* Gets the argument to this template instantiation that is the template being
* instantiated.
*/
DataFlow::Node getTemplateArgument() { result = super.getTemplateArgument() }
/**
* Gets an argument to this template instantiation that is data being inserted
* into the template.
*/
DataFlow::Node getADataArgument() { result = super.getADataArgument() }
}
/** Provides a class for modeling new template-instantiation APIs. */
module TemplateInstantiation {
/**
* An instantiation of a template; that is, a call which fills out a template with data.
*
* Extend this class to model new APIs. If you want to refine existing API models,
* extend `TemplateInstantiation` instead.
*/
abstract class Range extends DataFlow::Node {
/**
* Gets the argument to this template instantiation that is the template being
* instantiated.
*/
abstract DataFlow::Node getTemplateArgument();
/**
* Gets an argument to this template instantiation that is data being inserted
* into the template.
*/
abstract DataFlow::Node getADataArgument();
}
}
/**
* A data-flow node that performs a file system access, including reading and writing data,
* creating and deleting files and folders, checking and updating permissions, and so on.
*
* Extend this class to refine existing API models. If you want to model new APIs,
* extend `FileSystemAccess::Range` instead.
*/
class FileSystemAccess extends DataFlow::Node instanceof FileSystemAccess::Range {
/** Gets an argument to this file system access that is interpreted as a path. */
DataFlow::Node getAPathArgument() { result = super.getAPathArgument() }
}
/** Provides a class for modeling new file-system access APIs. */
module FileSystemAccess {
/**
* A data-flow node that performs a file system access, including reading and writing data,
* creating and deleting files and folders, checking and updating permissions, and so on.
*
* Extend this class to model new APIs. If you want to refine existing API models,
* extend `FileSystemAccess` instead.
*/
abstract class Range extends DataFlow::Node {
/** Gets an argument to this file system access that is interpreted as a path. */
abstract DataFlow::Node getAPathArgument();
}
}
private class ExternalFileSystemAccess extends FileSystemAccess::Range, DataFlow::CallNode {
DataFlow::ArgumentNode pathArgument;
ExternalFileSystemAccess() {
sinkNode(pathArgument, "path-injection") and
this = pathArgument.getCall()
}
override DataFlow::Node getAPathArgument() {
result = pathArgument.getACorrespondingSyntacticArgument()
}
}
/** A function that escapes meta-characters to prevent injection attacks. */
class EscapeFunction extends Function instanceof EscapeFunction::Range {
/**
* Gets the context that this function escapes for.
*
* Currently, this can be "js", "html", or "url".
*/
string kind() { result = super.kind() }
}
/** Provides a class for modeling new escape-function APIs. */
module EscapeFunction {
/**
* A function that escapes meta-characters to prevent injection attacks.
*
* Extend this class to model new APIs. If you want to refine existing API models,
* extend `EscapeFunction' instead.
*/
abstract class Range extends Function {
/**
* Gets the context that this function escapes for.
*
* Currently, this can be `js', `html', or `url'.
*/
abstract string kind();
}
}
/**
* A function that escapes a string so it can be safely included in a
* JavaScript string literal.
*/
class JsEscapeFunction extends EscapeFunction {
JsEscapeFunction() { super.kind() = "js" }
}
/**
* A function that escapes a string so it can be safely included in an
* the body of an HTML element, for example, replacing `{}` in
* `<p>{}</p>`.
*/
class HtmlEscapeFunction extends EscapeFunction {
HtmlEscapeFunction() { super.kind() = "html" }
}
/**
* A function that escapes a string so it can be safely included as part
* of a URL.
*/
class UrlEscapeFunction extends EscapeFunction {
UrlEscapeFunction() { super.kind() = "url" }
}
/**
* A node whose value is interpreted as a part of a regular expression.
*
* Extend this class to refine existing API models. If you want to model new APIs,
* extend `RegexpPattern::Range` instead.
*/
class RegexpPattern extends DataFlow::Node instanceof RegexpPattern::Range {
/**
* Gets the node where this pattern is parsed as a part of a regular
* expression.
*/
DataFlow::Node getAParse() { result = super.getAParse() }
/**
* Gets this regexp pattern as a string.
*/
string getPattern() { result = super.getPattern() }
/**
* Gets a use of this pattern, either as itself in an argument to a function or as a compiled
* regexp object.
*/
DataFlow::Node getAUse() { result = super.getAUse() }
}
/** Provides a class for modeling new regular-expression APIs. */
module RegexpPattern {
/**
* A node whose value is interpreted as a part of a regular expression.
*
* Extend this class to model new APIs. If you want to refine existing API models,
* extend `RegexpPattern' instead.
*/
abstract class Range extends DataFlow::Node {
/**
* Gets a node where the pattern of this node is parsed as a part of
* a regular expression.
*/
abstract DataFlow::Node getAParse();
/**
* Gets this regexp pattern as a string.
*/
abstract string getPattern();
/**
* Gets a use of this pattern, either as itself in an argument to a function or as a compiled
* regexp object.
*/
abstract DataFlow::Node getAUse();
}
}
/**
* A function that matches a regexp with a string or byte slice.
*
* Extend this class to refine existing API models. If you want to model new APIs,
* extend `RegexpMatchFunction::Range` instead.
*/
class RegexpMatchFunction extends Function instanceof RegexpMatchFunction::Range {
/**
* Gets the function input that is the regexp being matched.
*/
FunctionInput getRegexpArg() { result = super.getRegexpArg() }
/**
* Gets the regexp pattern that is used in the call to this function `call`.
*/
RegexpPattern getRegexp(DataFlow::CallNode call) {
result.getAUse() = this.getRegexpArg().getNode(call)
}
/**
* Gets the function input that is the string being matched against.
*/
FunctionInput getValue() { result = super.getValue() }
/**
* Gets the function output that is the Boolean result of the match function.
*/
FunctionOutput getResult() { result = super.getResult() }
}
/** Provides a class for modeling new regular-expression matcher APIs. */
module RegexpMatchFunction {
/**
* A function that matches a regexp with a string or byte slice.
*
* Extend this class to model new APIs. If you want to refine existing API models,
* extend `RegexpPattern' instead.
*/
abstract class Range extends Function {
/**
* Gets the function input that is the regexp being matched.
*/
abstract FunctionInput getRegexpArg();
/**
* Gets the function input that is the string being matched against.
*/
abstract FunctionInput getValue();
/**
* Gets the Boolean result of the match function.
*/
abstract FunctionOutput getResult();
}
}
/**
* A function that uses a regexp to replace parts of a string or byte slice.
*
* Extend this class to refine existing API models. If you want to model new APIs,
* extend `RegexpReplaceFunction::Range` instead.
*/
class RegexpReplaceFunction extends Function instanceof RegexpReplaceFunction::Range {
/**
* Gets the function input that is the regexp that matches text to replace.
*/
FunctionInput getRegexpArg() { result = super.getRegexpArg() }
/**
* Gets the regexp pattern that is used to match patterns to replace in the call to this function
* `call`.
*/
RegexpPattern getRegexp(DataFlow::CallNode call) {
result.getAUse() = call.(DataFlow::MethodCallNode).getReceiver()
}
/**
* Gets the function input corresponding to the source value, that is, the value that is having
* its contents replaced.
*/
FunctionInput getSource() { result = super.getSource() }
/**
* Gets the function output corresponding to the result, that is, the value after replacement has
* occurred.
*/
FunctionOutput getResult() { result = super.getResult() }
}
/** Provides a class for modeling new regular-expression replacer APIs. */
module RegexpReplaceFunction {
/**
* A function that uses a regexp to replace parts of a string or byte slice.
*
* Extend this class to model new APIs. If you want to refine existing API models,
* extend `RegexpReplaceFunction' instead.
*/
abstract class Range extends Function {
/**
* Gets the function input that is the regexp that matches text to replace.
*/
abstract FunctionInput getRegexpArg();
/**
* Gets the function input corresponding to the source value, that is, the value that is having
* its contents replaced.
*/
abstract FunctionInput getSource();
/**
* Gets the function output corresponding to the result, that is, the value after replacement
* has occurred.
*/
abstract FunctionOutput getResult();
}
}
/**
* A call to a logging mechanism.
*
* Extend this class to refine existing API models. If you want to model new APIs,
* extend `LoggerCall::Range` instead.
*/
class LoggerCall extends DataFlow::Node instanceof LoggerCall::Range {
/** Gets a node that is a part of the logged message. */
DataFlow::Node getAMessageComponent() { result = super.getAMessageComponent() }
/**
* Gets a node whose value is a part of the logged message.
*
* Components corresponding to the format specifier "%T" are excluded as
* their type is logged rather than their value.
*/
DataFlow::Node getAValueFormattedMessageComponent() {
result = this.getAMessageComponent() and
not exists(string formatSpecifier |
result = this.(StringOps::Formatting::StringFormatCall).getOperand(_, formatSpecifier) and
// We already know that `formatSpecifier` starts with `%`, so we check
// that it ends with `T` to confirm that it is `%T` or possibly some
// variation on it.
formatSpecifier.matches("%T")
)
}
}
/** Provides a class for modeling new logging APIs. */
module LoggerCall {
/**
* A call to a logging mechanism.
*
* Extend this class to model new APIs. If you want to refine existing API models,
* extend `LoggerCall` instead.
*/
abstract class Range extends DataFlow::Node {
/** Gets a node that is a part of the logged message. */
abstract DataFlow::Node getAMessageComponent();
}
}
private class ExternalLoggerCall extends LoggerCall::Range, DataFlow::CallNode {
DataFlow::ArgumentNode messageComponent;
ExternalLoggerCall() {
sinkNode(messageComponent, "log-injection") and
this = messageComponent.getCall()
}
override DataFlow::Node getAMessageComponent() {
not messageComponent instanceof DataFlow::ImplicitVarargsSlice and
result = messageComponent
or
messageComponent instanceof DataFlow::ImplicitVarargsSlice and
result = this.getAnImplicitVarargsArgument()
}
}
/**
* A call to an interface that looks like a logger. It is common to use a
* locally-defined interface for logging to make it easy to changing logging
* library.
*/
private class HeuristicLoggerCall extends LoggerCall::Range, DataFlow::CallNode {
HeuristicLoggerCall() {
exists(Method m, string tp, string logFunctionPrefix, string name |
m = this.getTarget() and
m.hasQualifiedName(_, tp, name) and
m.getReceiverBaseType().getUnderlyingType() instanceof InterfaceType
|
tp.regexpMatch(".*[lL]ogger") and
logFunctionPrefix =
[
"Debug", "Error", "Fatal", "Info", "Log", "Output", "Panic", "Print", "Trace", "Warn",
"With"
] and
name.matches(logFunctionPrefix + "%")
)
}
override DataFlow::Node getAMessageComponent() { result = this.getASyntacticArgument() }
}
/**
* A function that encodes data into a binary or textual format.
*
* Extend this class to refine existing API models. If you want to model new APIs,
* extend `MarshalingFunction::Range` instead.
*/
class MarshalingFunction extends Function instanceof MarshalingFunction::Range {
/** Gets an input that is encoded by this function. */
FunctionInput getAnInput() { result = super.getAnInput() }
/** Gets the output that contains the encoded data produced by this function. */
FunctionOutput getOutput() { result = super.getOutput() }
/** Gets an identifier for the format this function encodes into, such as "JSON". */
string getFormat() { result = super.getFormat() }
}
/** Provides a class for modeling new marshaling APIs. */
module MarshalingFunction {
/**
* A function that encodes data into a binary or textual format.
*
* Extend this class to model new APIs. If you want to refine existing API models,
* extend `MarshalingFunction` instead.
*/
abstract class Range extends Function {
/** Gets an input that is encoded by this function. */
abstract FunctionInput getAnInput();
/** Gets the output that contains the encoded data produced by this function. */
abstract FunctionOutput getOutput();
/** Gets an identifier for the format this function encodes into, such as "JSON". */
abstract string getFormat();
}
}
/**
* A function that decodes data from a binary or textual format.
*
* Extend this class to refine existing API models. If you want to model new APIs,
* extend `UnmarshalingFunction::Range` instead.
*/
class UnmarshalingFunction extends Function instanceof UnmarshalingFunction::Range {
/** Gets an input that is decoded by this function. */
FunctionInput getAnInput() { result = super.getAnInput() }
/** Gets the output that contains the decoded data produced by this function. */
FunctionOutput getOutput() { result = super.getOutput() }
/** Gets an identifier for the format this function decodes from, such as "JSON". */
string getFormat() { result = super.getFormat() }
}
/** Provides a class for modeling new unmarshaling APIs. */
module UnmarshalingFunction {
/**
* A function that decodes data from a binary or textual format.
*
* Extend this class to model new APIs. If you want to refine existing API models,
* extend `UnmarshalingFunction` instead.
*/
abstract class Range extends Function {
/** Gets an input that is decoded by this function. */
abstract FunctionInput getAnInput();
/** Gets the output that contains the decoded data produced by this function. */
abstract FunctionOutput getOutput();
/** Gets an identifier for the format this function decodes from, such as "JSON". */
abstract string getFormat();
}
}
/**
* Provides models for cryptographic things.
*/
module Cryptography {
private import ConceptsShared::Cryptography as SC
/**
* A data-flow node that is an application of a cryptographic algorithm. For example,
* encryption, decryption, signature-validation.
*
* Extend this class to refine existing API models. If you want to model new APIs,
* extend `CryptographicOperation::Range` instead.
*/
class CryptographicOperation extends SC::CryptographicOperation { }
class EncryptionAlgorithm = SC::EncryptionAlgorithm;
class HashingAlgorithm = SC::HashingAlgorithm;
class PasswordHashingAlgorithm = SC::PasswordHashingAlgorithm;
module CryptographicOperation = SC::CryptographicOperation;
class BlockMode = SC::BlockMode;
class CryptographicAlgorithm = SC::CryptographicAlgorithm;
/** A data flow node that initializes a hash algorithm. */
abstract class HashAlgorithmInit extends DataFlow::Node {
/** Gets the hash algorithm being initialized. */
abstract HashingAlgorithm getAlgorithm();
}
/** A data flow node that is an application of a hash algorithm. */
abstract class HashOperation extends CryptographicOperation::Range {
override BlockMode getBlockMode() { none() }
}
/** A data flow node that initializes an encryption algorithm. */
abstract class EncryptionAlgorithmInit extends DataFlow::Node {
/** Gets the encryption algorithm being initialized. */
abstract EncryptionAlgorithm getAlgorithm();
}
/**
* A data flow node that initializes a block cipher mode of operation, and
* may also propagate taint for encryption algorithms.
*/
abstract class BlockModeInit extends DataFlow::CallNode {
/** Gets the block cipher mode of operation being initialized. */
abstract BlockMode getMode();
/** Gets a step propagating the encryption algorithm through this call. */
abstract predicate step(DataFlow::Node node1, DataFlow::Node node2);
}
/**
* A data flow node that is an application of an encryption algorithm, where
* the encryption algorithm and the block cipher mode of operation (if there
* is one) have been initialized separately.
*/
abstract class EncryptionOperation extends CryptographicOperation::Range {
DataFlow::Node encryptionFlowTarget;
DataFlow::Node inputNode;
override DataFlow::Node getInitialization() {
EncryptionFlow::flow(result, encryptionFlowTarget)
}
override EncryptionAlgorithm getAlgorithm() {
result = this.getInitialization().(EncryptionAlgorithmInit).getAlgorithm()
}
override DataFlow::Node getAnInput() { result = inputNode }
override BlockMode getBlockMode() {
result = this.getInitialization().(BlockModeInit).getMode()
}
}
/**
* An `EncryptionOperation` which is a method call where the encryption
* algorithm and block cipher mode of operation (if there is one) flow to the
* receiver and the input is an argument.
*/
abstract class EncryptionMethodCall extends EncryptionOperation instanceof DataFlow::CallNode {
int inputArg;
EncryptionMethodCall() {
encryptionFlowTarget = super.getReceiver() and
inputNode = super.getArgument(inputArg)
}
}
}