Merge pull request #107 from porcupineyhairs/ssrf

Add SSRF query to codeql-go

Author: max-schaefer

ql/src/go.qll

@@ -34,5 +34,6 @@ import semmle.go.frameworks.SQL
 import semmle.go.frameworks.XPath
 import semmle.go.frameworks.Stdlib
 import semmle.go.frameworks.Testing
+import semmle.go.frameworks.Websocket
 import semmle.go.security.FlowSources
 import semmle.go.Util

ql/src/semmle/go/Packages.qll

@@ -24,3 +24,12 @@ class Package extends @package {
   /** Gets a textual representation of this element. */
   string toString() { result = "package " + getPath() }
 }
+
+/**
+ * Gets the Go import string that may identify a package in module `mod` with the given path,
+ * possibly modulo semantic import versioning.
+ */
+bindingset[result, mod, path]
+string package(string mod, string path) {
+  result.regexpMatch("\\Q" + mod + "\\E([/.]v[^/]+)?/\\Q" + path + "\\E")
+}

ql/src/semmle/go/dataflow/BarrierGuardUtil.qll

@@ -0,0 +1,69 @@
+/**
+ * Contains implementations of some commonly used barrier
+ * guards for sanitizing untrusted URLs.
+ */
+
+import go
+
+/**
+ * A call to a function called `isLocalUrl`, `isValidRedirect`, or similar, which is
+ * considered a barrier guard for sanitizing untrusted URLs.
+ */
+class RedirectCheckBarrierGuard extends DataFlow::BarrierGuard, DataFlow::CallNode {
+  RedirectCheckBarrierGuard() {
+    this.getCalleeName().regexpMatch("(?i)(is_?)?(local_?url|valid_?redir(ect)?)")
+  }
+
+  override predicate checks(Expr e, boolean outcome) {
+    // `isLocalUrl(e)` is a barrier for `e` if it evaluates to `true`
+    getAnArgument().asExpr() = e and
+    outcome = true
+  }
+}
+
+/**
+ * An equality check comparing a data-flow node against a constant string, considered as
+ * a barrier guard for sanitizing untrusted URLs.
+ *
+ * Additionally, a check comparing `url.Hostname()` against a constant string is also
+ * considered a barrier guard for `url`.
+ */
+class UrlCheck extends DataFlow::BarrierGuard, DataFlow::EqualityTestNode {
+  DataFlow::Node url;
+
+  UrlCheck() {
+    exists(this.getAnOperand().getStringValue()) and
+    (
+      url = this.getAnOperand()
+      or
+      exists(DataFlow::MethodCallNode mc | mc = this.getAnOperand() |
+        mc.getTarget().getName() = "Hostname" and
+        url = mc.getReceiver()
+      )
+    )
+  }
+
+  override predicate checks(Expr e, boolean outcome) {
+    e = url.asExpr() and outcome = this.getPolarity()
+  }
+}
+
+/**
+ * A call to a regexp match function, considered as a barrier guard for sanitizing untrusted URLs.
+ *
+ * This is overapproximate: we do not attempt to reason about the correctness of the regexp.
+ */
+class RegexpCheck extends DataFlow::BarrierGuard {
+  RegexpMatchFunction matchfn;
+  DataFlow::CallNode call;
+
+  RegexpCheck() {
+    matchfn.getACall() = call and
+    this = matchfn.getResult().getNode(call).getASuccessor*()
+  }
+
+  override predicate checks(Expr e, boolean branch) {
+    e = matchfn.getValue().getNode(call).asExpr() and
+    (branch = false or branch = true)
+  }
+}

ql/src/semmle/go/frameworks/Websocket.qll

@@ -0,0 +1,134 @@
+/** Provides classes for working with WebSocket-related APIs. */
+
+import go
+
+/**
+ * A data-flow node that establishes a new WebSocket connection.
+ *
+ * Extend this class to refine existing API models. If you want to model new APIs,
+ * extend `WebSocketRequestCall::Range` instead.
+ */
+class WebSocketRequestCall extends DataFlow::CallNode {
+  WebSocketRequestCall::Range self;
+
+  WebSocketRequestCall() { this = self }
+
+  /** Gets the URL of the request. */
+  DataFlow::Node getRequestUrl() { result = self.getRequestUrl() }
+}
+
+/** Provides classes for working with WebSocket request functions. */
+module WebSocketRequestCall {
+  /**
+   * A data-flow node that establishes a new WebSocket connection.
+   *
+   * Extend this class to model new APIs. If you want to refine existing
+   * API models, extend `WebSocketRequestCall` instead.
+   */
+  abstract class Range extends DataFlow::CallNode {
+    /** Gets the URL of the request. */
+    abstract DataFlow::Node getRequestUrl();
+  }
+
+  /**
+   * A WebSocket request expression string used in an API function of the
+   * `golang.org/x/net/websocket` package.
+   */
+  private class GolangXNetDialFunc extends Range {
+    GolangXNetDialFunc() {
+      // func Dial(url_, protocol, origin string) (ws *Conn, err error)
+      this.getTarget().hasQualifiedName(package("golang.org/x/net", "websocket"), "Dial")
+    }
+
+    override DataFlow::Node getRequestUrl() { result = this.getArgument(0) }
+  }
+
+  /**
+   * A WebSocket DialConfig expression string used in an API function
+   * of the `golang.org/x/net/websocket` package.
+   */
+  private class GolangXNetDialConfigFunc extends Range {
+    GolangXNetDialConfigFunc() {
+      // func DialConfig(config *Config) (ws *Conn, err error)
+      this.getTarget().hasQualifiedName(package("golang.org/x/net", "websocket"), "DialConfig")
+    }
+
+    override DataFlow::Node getRequestUrl() {
+      exists(DataFlow::CallNode cn |
+        // func NewConfig(server, origin string) (config *Config, err error)
+        cn.getTarget().hasQualifiedName(package("golang.org/x/net", "websocket"), "NewConfig") and
+        this.getArgument(0) = cn.getResult(0).getASuccessor*() and
+        result = cn.getArgument(0)
+      )
+    }
+  }
+
+  /**
+   * A WebSocket request expression string used in an API function
+   * of the `github.com/gorilla/websocket` package.
+   */
+  private class GorillaWebsocketDialFunc extends Range {
+    DataFlow::Node url;
+
+    GorillaWebsocketDialFunc() {
+      // func (d *Dialer) Dial(urlStr string, requestHeader http.Header) (*Conn, *http.Response, error)
+      // func (d *Dialer) DialContext(ctx context.Context, urlStr string, requestHeader http.Header) (*Conn, *http.Response, error)
+      exists(string name, Method f |
+        f = this.getTarget() and
+        f.hasQualifiedName(package("github.com/gorilla", "websocket"), "Dialer", name)
+      |
+        name = "Dial" and this.getArgument(0) = url
+        or
+        name = "DialContext" and this.getArgument(1) = url
+      )
+    }
+
+    override DataFlow::Node getRequestUrl() { result = url }
+  }
+
+  /**
+   * A WebSocket request expression string used in an API function
+   * of the `github.com/gobwas/ws` package.
+   */
+  private class GobwasWsDialFunc extends Range {
+    GobwasWsDialFunc() {
+      //  func (d Dialer) Dial(ctx context.Context, urlstr string) (conn net.Conn, br *bufio.Reader, hs Handshake, err error)
+      exists(Method m |
+        m.hasQualifiedName(package("github.com/gobwas", "ws"), "Dialer", "Dial") and
+        m = this.getTarget()
+      )
+      or
+      // func Dial(ctx context.Context, urlstr string) (net.Conn, *bufio.Reader, Handshake, error)
+      this.getTarget().hasQualifiedName(package("github.com/gobwas", "ws"), "Dial")
+    }
+
+    override DataFlow::Node getRequestUrl() { result = this.getArgument(1) }
+  }
+
+  /**
+   * A WebSocket request expression string used in an API function
+   * of the `nhooyr.io/websocket` package.
+   */
+  private class NhooyrWebsocketDialFunc extends Range {
+    NhooyrWebsocketDialFunc() {
+      // func Dial(ctx context.Context, u string, opts *DialOptions) (*Conn, *http.Response, error)
+      this.getTarget().hasQualifiedName(package("nhooyr.io", "websocket"), "Dial")
+    }
+
+    override DataFlow::Node getRequestUrl() { result = this.getArgument(1) }
+  }
+
+  /**
+   * A WebSocket request expression string used in an API function
+   * of the `github.com/sacOO7/gowebsocket` package.
+   */
+  private class SacOO7DialFunc extends Range {
+    SacOO7DialFunc() {
+      // func BuildProxy(Url string) func(*http.Request) (*url.URL, error)
+      // func New(url string) Socket
+      this.getTarget().hasQualifiedName("github.com/sacOO7/gowebsocket", ["New", "BuildProxy"])
+    }
+
+    override DataFlow::Node getRequestUrl() { result = this.getArgument(0) }
+  }
+}

ql/src/semmle/go/security/OpenUrlRedirectCustomizations.qll

@@ -7,6 +7,7 @@
 import go
 import UrlConcatenation
 import SafeUrlFlowCustomizations
+import semmle.go.dataflow.BarrierGuardUtil
 
 /**
  * Provides extension points for customizing the taint-tracking configuration for reasoning about
@@ -104,62 +105,22 @@ module OpenUrlRedirect {
 
   /**
    * A call to a function called `isLocalUrl`, `isValidRedirect`, or similar, which is
-   * considered a barrier for purposes of URL redirection.
+   * considered a barrier guard for sanitizing untrusted URLs.
    */
-  class RedirectCheckBarrierGuard extends BarrierGuard, DataFlow::CallNode {
-    RedirectCheckBarrierGuard() {
-      this.getCalleeName().regexpMatch("(?i)(is_?)?(local_?url|valid_?redir(ect)?)")
-    }
-
-    override predicate checks(Expr e, boolean outcome) {
-      // `isLocalUrl(e)` is a barrier for `e` if it evaluates to `true`
-      getAnArgument().asExpr() = e and
-      outcome = true
-    }
-  }
+  class RedirectCheckBarrierGuardAsBarrierGuard extends RedirectCheckBarrierGuard, BarrierGuard { }
 
   /**
-   * A check against a constant value, considered a barrier for redirection.
-   */
-  class EqualityTestGuard extends BarrierGuard, DataFlow::EqualityTestNode {
-    DataFlow::Node url;
-
-    EqualityTestGuard() {
-      exists(this.getAnOperand().getStringValue()) and
-      (
-        url = this.getAnOperand()
-        or
-        exists(DataFlow::MethodCallNode mc | mc = this.getAnOperand() |
-          mc.getTarget().getName() = "Hostname" and
-          url = mc.getReceiver()
-        )
-      )
-    }
-
-    override predicate checks(Expr e, boolean outcome) {
-      e = url.asExpr() and outcome = this.getPolarity()
-    }
-  }
-
-  /**
-   * A call to a regexp match function, considered as a barrier guard for unvalidated URLs.
+   * A call to a regexp match function, considered as a barrier guard for sanitizing untrusted URLs.
    *
    * This is overapproximate: we do not attempt to reason about the correctness of the regexp.
    */
-  class RegexpCheck extends BarrierGuard {
-    RegexpMatchFunction matchfn;
-    DataFlow::CallNode call;
-
-    RegexpCheck() {
-      matchfn.getACall() = call and
-      this = matchfn.getResult().getNode(call).getASuccessor*()
-    }
+  class RegexpCheckAsBarrierGuard extends RegexpCheck, BarrierGuard { }
 
-    override predicate checks(Expr e, boolean branch) {
-      e = matchfn.getValue().getNode(call).asExpr() and
-      (branch = false or branch = true)
-    }
-  }
+  /**
+   * A check against a constant value or the `Hostname` function,
+   * considered a barrier guard for url flow.
+   */
+  class UrlCheckAsBarrierGuard extends UrlCheck, BarrierGuard { }
 }
 
 /** A sink for an open redirect, considered as a sink for safe URL flow. */

ql/src/semmle/go/security/RequestForgeryCustomizations.qll

@@ -5,6 +5,7 @@
 import go
 import UrlConcatenation
 import SafeUrlFlowCustomizations
+import semmle.go.dataflow.BarrierGuardUtil
 
 /** Provides classes and predicates for the request forgery query. */
 module RequestForgery {
@@ -52,13 +53,49 @@ module RequestForgery {
     override string getKind() { result = "URL" }
   }
 
+  /**
+   * The URL of a WebSocket request, viewed as a sink for request forgery.
+   */
+  class WebSocketCallAsSink extends Sink {
+    WebSocketRequestCall request;
+
+    WebSocketCallAsSink() { this = request.getRequestUrl() }
+
+    override DataFlow::Node getARequest() { result = request }
+
+    override string getKind() { result = "WebSocket URL" }
+  }
+
   /**
    * A value that is the result of prepending a string that prevents any value from controlling the
    * host of a URL.
    */
   private class HostnameSanitizer extends SanitizerEdge {
     HostnameSanitizer() { hostnameSanitizingPrefixEdge(this, _) }
   }
+
+  /**
+   * A call to a function called `isLocalUrl`, `isValidRedirect`, or similar, which is
+   * considered a barrier guard.
+   */
+  class RedirectCheckBarrierGuardAsBarrierGuard extends RedirectCheckBarrierGuard, SanitizerGuard {
+  }
+
+  /**
+   * A call to a regexp match function, considered as a barrier guard for sanitizing untrusted URLs.
+   *
+   * This is overapproximate: we do not attempt to reason about the correctness of the regexp.
+   */
+  class RegexpCheckAsBarrierGuard extends RegexpCheck, SanitizerGuard { }
+
+  /**
+   * An equality check comparing a data-flow node against a constant string, considered as
+   * a barrier guard for sanitizing untrusted URLs.
+   *
+   * Additionally, a check comparing `url.Hostname()` against a constant string is also
+   * considered a barrier guard for `url`.
+   */
+  class UrlCheckAsBarrierGuard extends UrlCheck, SanitizerGuard { }
 }
 
 /** A sink for request forgery, considered as a sink for safe URL flow. */

ql/test/library-tests/semmle/go/Packages/packagePredicate.go

@@ -0,0 +1,22 @@
+package main
+
+import (
+	"fmt"
+
+	_ "PackageName//v//test"      // Not OK
+	_ "PackageName//v/test"       // Not OK
+	_ "PackageName/test"          // OK
+	_ "PackageName/v//test"       // Not OK
+	_ "PackageName/v/asd/v2/test" // Not OK
+	_ "PackageName/v/test"        // Not OK
+
+	_ "PackageName//v2//test" // Not OK
+	_ "PackageName//v2/test"  // Not OK
+	_ "PackageName/v2//test"  // Not OK
+	_ "PackageName/v2/test"   //OK
+)
+
+func main() {
+	pkg.Foo()
+	fmt.Println("")
+}

ql/test/library-tests/semmle/go/Packages/predicate.expected

@@ -0,0 +1,2 @@
+| package PackageName/test | PackageName/test |
+| package PackageName/v2/test | PackageName/v2/test |

ql/test/library-tests/semmle/go/Packages/predicate.ql

@@ -0,0 +1,8 @@
+import go
+
+from Package pkg, string mod, string path
+where
+  packages(pkg, _, package(mod, path), _) and
+  mod = "PackageName" and
+  path = "test"
+select pkg, pkg.getPath()