Improve query scenarios

Author: gagliardetto

ql/src/experimental/CWE-352/ConstantOauth2State.ql

@@ -12,21 +12,19 @@
 import go
 import DataFlow::PathGraph
 
-/*
+/**
  * A method that creates a new URL that will send the user
  * to the oauth2 authorization dialog of the provider.
  */
-
 class AuthCodeURL extends Method {
   AuthCodeURL() { this.hasQualifiedName("golang.org/x/oauth2", "Config", "AuthCodeURL") }
 }
 
-/*
+/**
  * A flow of a constant string value to a call to AuthCodeURL as the
  * `state` parameter.
  */
-
-class ConstantStateFlowConf extends TaintTracking::Configuration {
+class ConstantStateFlowConf extends DataFlow::Configuration {
   ConstantStateFlowConf() { this = "ConstantStateFlowConf" }
 
   predicate isSource(DataFlow::Node source, Literal state) {
@@ -42,7 +40,54 @@ class ConstantStateFlowConf extends TaintTracking::Configuration {
   override predicate isSink(DataFlow::Node sink) { isSink(sink, _) }
 }
 
-from ConstantStateFlowConf cfg, DataFlow::PathNode source, DataFlow::PathNode sink
-where cfg.hasFlowPath(source, sink)
+/** A flow to a printer function of the fmt package. */
+class FlowToPrint extends DataFlow::Configuration {
+  FlowToPrint() { this = "FlowToPrint" }
+
+  predicate isSource(DataFlow::Node source, DataFlow::CallNode call) {
+    exists(AuthCodeURL m | call = m.getACall() | source = call.getResult())
+  }
+
+  predicate isSink(DataFlow::Node sink, DataFlow::CallNode call) {
+    exists(Fmt::Printer printer | call = printer.getACall() | sink = call.getArgument(_))
+  }
+
+  override predicate isSource(DataFlow::Node source) { isSource(source, _) }
+
+  override predicate isSink(DataFlow::Node sink) { isSink(sink, _) }
+}
+
+/** Holds if the provided CallNode's result flows to a Printer call as argument. */
+predicate flowsToPrinter(DataFlow::CallNode authCodeURLCall) {
+  exists(FlowToPrint cfg, DataFlow::PathNode source, DataFlow::PathNode sink |
+    cfg.hasFlowPath(source, sink) and
+    cfg.isSource(source.getNode(), authCodeURLCall)
+  )
+}
+
+/**
+ * Holds if the provided CallNode is within the same root as a call
+ * to a scanner that reads from os.Stdin.
+ */
+predicate rootContainsCallToStdinScanner(DataFlow::CallNode authCodeURLCall) {
+  exists(Fmt::ScannerCall scannerCall | scannerCall.getRoot() = authCodeURLCall.getRoot())
+  or
+  exists(Fmt::FScannerCall fScannerCall |
+    fScannerCall.getReader() = any(ValueEntity v | v.hasQualifiedName("os", "Stdin")).getARead() and
+    fScannerCall.getRoot() = authCodeURLCall.getRoot()
+  )
+}
+
+from
+  ConstantStateFlowConf cfg, DataFlow::PathNode source, DataFlow::PathNode sink,
+  DataFlow::CallNode sinkCall
+where
+  cfg.hasFlowPath(source, sink) and
+  cfg.isSink(sink.getNode(), sinkCall) and
+  // Exclude cases that seem to be oauth flows done from within a terminal:
+  not (
+    flowsToPrinter(sinkCall) and
+    rootContainsCallToStdinScanner(sinkCall)
+  )
 select sink.getNode(), source, sink, "Using a constant $@ to create oauth2 URLs.", source.getNode(),
   "state string"

ql/src/semmle/go/frameworks/Stdlib.qll

@@ -94,7 +94,7 @@ module Fmt {
   }
 
   /** The `Print` function or one of its variants. */
-  private class Printer extends Function {
+  class Printer extends Function {
     Printer() { this.hasQualifiedName("fmt", ["Print", "Printf", "Println"]) }
   }
 
@@ -131,6 +131,31 @@ module Fmt {
       exists(int i | if getName() = "Sscanf" then i > 1 else i > 0 | output.isParameter(i))
     }
   }
+
+  /** The `Scan` function or one of its variants, all of which read from os.Stdin */
+  class Scanner extends Function {
+    Scanner() { this.hasQualifiedName("fmt", ["Scan", "Scanf", "Scanln"]) }
+  }
+
+  /** A call to a `Scanner`. */
+  class ScannerCall extends DataFlow::CallNode {
+    ScannerCall() { this.getTarget() instanceof Scanner }
+  }
+
+  /**
+   * The `Fscan` function or one of its variants,
+   * all of which read from a specified io.Reader
+   */
+  class FScanner extends Function {
+    FScanner() { this.hasQualifiedName("fmt", ["Fscan", "Fscanf", "Fscanln"]) }
+  }
+
+  /** A call to a `FScanner`. */
+  class FScannerCall extends DataFlow::CallNode {
+    FScannerCall() { this.getTarget() instanceof FScanner }
+
+    DataFlow::Node getReader() { result = this.getArgument(0) }
+  }
 }
 
 /** Provides models of commonly used functions in the `io` package. */

ql/test/experimental/CWE-352/ConstantOauth2State.go

@@ -5,7 +5,10 @@ package main
 import (
 	"crypto/rand"
 	"encoding/base64"
+	"fmt"
+	"log"
 	"net/http"
+	"os"
 
 	"golang.org/x/oauth2"
 )
@@ -93,7 +96,7 @@ func betterWithVariableStateReturned(w http.ResponseWriter) {
 	}
 
 	state := generateStateOauthCookie(w)
-	url := conf.AuthCodeURL(state) // GOOD
+	url := conf.AuthCodeURL(state) // OK, because the state is not a constant.
 	_ = url
 	// ...
 }
@@ -104,3 +107,86 @@ func generateStateOauthCookie(w http.ResponseWriter) string {
 	// TODO: save the state string to cookies or HTML storage.
 	return state
 }
+func okWithMixedVarState(w http.ResponseWriter) {
+	conf := &oauth2.Config{
+		ClientID:     "YOUR_CLIENT_ID",
+		ClientSecret: "YOUR_CLIENT_SECRET",
+		Scopes:       []string{"SCOPE1", "SCOPE2"},
+		Endpoint: oauth2.Endpoint{
+			AuthURL:  "https://provider.com/o/oauth2/auth",
+			TokenURL: "https://provider.com/o/oauth2/token",
+		},
+	}
+
+	state := fmt.Sprintf("%s-%s", stateStringVar, NewCSRFToken())
+
+	url := conf.AuthCodeURL(state) // OK, because the state is not a constant.
+	_ = url
+	// ...
+}
+
+func NewCSRFToken() string {
+	b := make([]byte, 128)
+	rand.Read(b)
+	randomToken := base64.URLEncoding.EncodeToString(b)
+	return randomToken
+}
+func okWithConstStatePrinter(w http.ResponseWriter) {
+	conf := &oauth2.Config{
+		ClientID:     "YOUR_CLIENT_ID",
+		ClientSecret: "YOUR_CLIENT_SECRET",
+		Scopes:       []string{"SCOPE1", "SCOPE2"},
+		Endpoint: oauth2.Endpoint{
+			AuthURL:  "https://provider.com/o/oauth2/auth",
+			TokenURL: "https://provider.com/o/oauth2/token",
+		},
+	}
+
+	url := conf.AuthCodeURL(stateStringConst) // OK, because we're supposedly not exposed to the web, but within a terminal.
+	fmt.Printf("Visit the URL for the auth dialog: %v", url)
+	// ...
+
+	var code string
+	if _, err := fmt.Scan(&code); err != nil {
+		log.Fatal(err)
+	}
+	_ = code
+	// ...
+}
+func okWithConstStateFPrinter(w http.ResponseWriter) {
+	conf := &oauth2.Config{
+		ClientID:     "YOUR_CLIENT_ID",
+		ClientSecret: "YOUR_CLIENT_SECRET",
+		Scopes:       []string{"SCOPE1", "SCOPE2"},
+		Endpoint: oauth2.Endpoint{
+			AuthURL:  "https://provider.com/o/oauth2/auth",
+			TokenURL: "https://provider.com/o/oauth2/token",
+		},
+	}
+
+	url := conf.AuthCodeURL(stateStringConst) // OK, because we're supposedly not exposed to the web, but within a terminal.
+	fmt.Printf("Visit the URL for the auth dialog: %v", url)
+	// ...
+
+	var code string
+	if _, err := fmt.Fscan(os.Stdin, &code); err != nil {
+		log.Fatal(err)
+	}
+	_ = code
+	// ...
+}
+func badWithConstStatePrinter(w http.ResponseWriter) {
+	conf := &oauth2.Config{
+		ClientID:     "YOUR_CLIENT_ID",
+		ClientSecret: "YOUR_CLIENT_SECRET",
+		Scopes:       []string{"SCOPE1", "SCOPE2"},
+		Endpoint: oauth2.Endpoint{
+			AuthURL:  "https://provider.com/o/oauth2/auth",
+			TokenURL: "https://provider.com/o/oauth2/token",
+		},
+	}
+
+	url := conf.AuthCodeURL(stateStringConst) // BAD
+	fmt.Printf("LOG: URL %v", url)
+	// ...
+}