Implement stdin models

egregius313 · egregius313 · commit e18389718c87 · 2024-10-01T15:56:31.000-04:00
Unfortunately due to how variable and varargs work, these are better
done in QL
diff --git a/go/ql/lib/semmle/go/frameworks/stdlib/Fmt.qll b/go/ql/lib/semmle/go/frameworks/stdlib/Fmt.qll
@@ -112,6 +112,15 @@ module Fmt {
     Scanner() { this.hasQualifiedName("fmt", ["Scan", "Scanf", "Scanln"]) }
   }
 
+  private class ScannerSource extends SourceNode {
+    ScannerSource() {
+      // All of the arguments which are sources are varargs.
+      this.asExpr() = any(Scanner s).getACall().getAnImplicitVarargsArgument().asExpr()
+    }
+
+    override string getThreatModel() { result = "stdin" }
+  }
+
   /**
    * The `Fscan` function or one of its variants,
    * all of which read from a specified `io.Reader`.
diff --git a/go/ql/lib/semmle/go/frameworks/stdlib/Os.qll b/go/ql/lib/semmle/go/frameworks/stdlib/Os.qll
@@ -43,4 +43,14 @@ module Os {
       input = inp and output = outp
     }
   }
+
+  private class Stdin extends SourceNode {
+    Stdin() {
+      exists(Variable osStdin | osStdin.hasQualifiedName("os", "Stdin") |
+        this.asExpr() = osStdin.getARead().asExpr()
+      )
+    }
+
+    override string getThreatModel() { result = "stdin" }
+  }
 }
diff --git a/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/stdin/go.mod b/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/stdin/go.mod
@@ -0,0 +1,3 @@
+module test
+
+go 1.22.6
diff --git a/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/stdin/source.ext.yml b/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/stdin/source.ext.yml
@@ -0,0 +1,7 @@
+extensions:
+
+  - addsTo:
+      pack: codeql/threat-models
+      extensible: threatModelConfiguration
+    data:
+      - ["stdin", true, 0]
diff --git a/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/stdin/source.ql b/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/stdin/source.ql
@@ -0,0 +1,19 @@
+import go
+import ModelValidation
+import TestUtilities.InlineExpectationsTest
+
+module SourceTest implements TestSig {
+  string getARelevantTag() { result = "source" }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(ThreatModelFlowSource s |
+      s.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
+        location.getStartColumn(), location.getEndLine(), location.getEndColumn()) and
+      element = s.toString() and
+      value = "" and
+      tag = "source"
+    )
+  }
+}
+
+import MakeTest<SourceTest>
diff --git a/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/stdin/test.expected b/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/stdin/test.expected
@@ -0,0 +1,2 @@
+testFailures
+invalidModelRow
diff --git a/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/stdin/test.ext.yml b/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/stdin/test.ext.yml
@@ -0,0 +1,7 @@
+extensions:
+
+  - addsTo:
+      pack: codeql/threat-models
+      extensible: threatModelConfiguration
+    data:
+      - ["stdin", true, 0]
diff --git a/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/stdin/test.go b/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/stdin/test.go
@@ -0,0 +1,48 @@
+package test
+
+import (
+	"bufio"
+	"fmt"
+	"os"
+)
+
+func sink(string) {
+
+}
+
+func readStdinBuffer() {
+	buf := make([]byte, 1024)
+	n, err := os.Stdin.Read(buf) // $source
+	if err != nil {
+		return
+	}
+	sink(string(buf[:n])) // $hasTaintFlow="type conversion"
+}
+
+func readStdinBuffReader() {
+	buf := make([]byte, 1024)
+	r := bufio.NewReader(os.Stdin) // $source
+	n, err := r.Read(buf)
+	if err != nil {
+		return
+	}
+	sink(string(buf[:n])) // $hasTaintFlow="type conversion"
+}
+
+func scan() {
+	var username, email string
+	fmt.Scan(&username, &email) // $source
+	sink(username)              // $hasTaintFlow="username"
+}
+
+func scanf() {
+	var s string
+	fmt.Scanf("%s", &s) // $source
+	sink(s)             // $hasTaintFlow="s"
+}
+
+func scanl() {
+	var s string
+	fmt.Scanln(&s) // $source
+	sink(s)        // $hasTaintFlow="s"
+}
diff --git a/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/stdin/test.ql b/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/stdin/test.ql
@@ -0,0 +1,15 @@
+import go
+import semmle.go.dataflow.ExternalFlow
+import ModelValidation
+import experimental.frameworks.CleverGo
+import TestUtilities.InlineFlowTest
+
+module Config implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
+
+  predicate isSink(DataFlow::Node sink) {
+    sink.asExpr() = any(CallExpr c | c.getTarget().getName() = "sink").getArgument(0)
+  }
+}
+
+import TaintFlowTest<Config>

Original file line number	Diff line number	Diff line change
`@@ -43,4 +43,14 @@ module Os {`
`43`	`43`	`input = inp and output = outp`
`44`	`44`	`}`
`45`	`45`	`}`
	`46`	`+`
	`47`	`+ private class Stdin extends SourceNode {`
	`48`	`+ Stdin() {`
	`49`	`+ exists(Variable osStdin \| osStdin.hasQualifiedName("os", "Stdin") \|`
	`50`	`+ this.asExpr() = osStdin.getARead().asExpr()`
	`51`	`+ )`
	`52`	`+ }`
	`53`	`+`
	`54`	`+ override string getThreatModel() { result = "stdin" }`
	`55`	`+ }`
`46`	`56`	`}`