Go: New File System Access Sinks

go/ql/lib/go.qll

@@ -64,4 +64,6 @@ import semmle.go.frameworks.XPath
 import semmle.go.frameworks.Yaml
 import semmle.go.frameworks.Zap
 import semmle.go.security.FlowSources
-import semmle.go.security.FileSystemAccess
+import semmle.go.frameworks.Afero
+import semmle.go.frameworks.Iris
+import semmle.go.frameworks.Fiber

go/ql/lib/semmle/go/security/FileSystemAccess.qll → go/ql/lib/semmle/go/frameworks/Afero.qll

@@ -1,132 +1,17 @@
-import go
-
-/**
- * The File system access sinks of `net/http` package
- */
-class HttpServeFile extends FileSystemAccess::Range, DataFlow::CallNode {
-  HttpServeFile() {
-    exists(Function f |
-      f.hasQualifiedName("net/http", "ServeFile") and
-      this = f.getACall()
-    )
-  }
-
-  override DataFlow::Node getAPathArgument() { result = this.getArgument(2) }
-}
-
-/**
- * The File system access sinks of [beego](https://github.com/beego/beego) web framework
- */
-class BeegoFileSystemAccess extends FileSystemAccess::Range, DataFlow::CallNode {
-  int pathArg;
-
-  BeegoFileSystemAccess() {
-    exists(Method m |
-      (
-        m.hasQualifiedName(package("github.com/beego/beego", "server/web/context"), "BeegoOutput",
-          "Download") and
-        pathArg = 0
-        or
-        m.hasQualifiedName(package("github.com/beego/beego", "server/web"), "Controller",
-          "SaveToFileWithBuffer") and
-        pathArg = 1
-      ) and
-      this = m.getACall()
-    )
-  }
-
-  override DataFlow::Node getAPathArgument() { result = this.getArgument(pathArg) }
-}
-
-/**
- * The File system access sinks of [beego](https://github.com/beego/beego) web framework
- */
-class EchoFileSystemAccess extends FileSystemAccess::Range, DataFlow::CallNode {
-  int pathArg;
-
-  EchoFileSystemAccess() {
-    exists(Method m |
-      m.hasQualifiedName(package("github.com/labstack/echo", ""), "Context", ["Attachment", "File"]) and
-      this = m.getACall() and
-      pathArg = 0
-    )
-  }
-
-  override DataFlow::Node getAPathArgument() { result = this.getArgument(pathArg) }
-}
-
 /**
- * The File system access sinks of [gin](https://github.com/gin-gonic/gin) web framework
+ * Provides classes for working with sinks and taint propagators
+ * from the `github.com/spf13/afero` package.
  */
-class GinFileSystemAccess extends FileSystemAccess::Range, DataFlow::CallNode {
-  int pathArg;
 
-  GinFileSystemAccess() {
-    exists(Method m |
-      (
-        m.hasQualifiedName(package("github.com/gin-gonic/gin", ""), "Context",
-          ["File", "FileAttachment"]) and
-        pathArg = 0
-        or
-        m.hasQualifiedName(package("github.com/gin-gonic/gin", ""), "Context", "SaveUploadedFile") and
-        pathArg = 1
-      ) and
-      this = m.getACall()
-    )
-  }
-
-  override DataFlow::Node getAPathArgument() { result = this.getArgument(pathArg) }
-}
-
-/**
- * The File system access sinks of [iris](https://github.com/kataras/iris) web framework
- */
-class IrisFileSystemAccess extends FileSystemAccess::Range, DataFlow::CallNode {
-  int pathArg;
-
-  IrisFileSystemAccess() {
-    exists(Method m |
-      (
-        m.hasQualifiedName(package("github.com/kataras/iris", "context"), "Context",
-          ["SendFile", "ServeFile", "SendFileWithRate", "ServeFileWithRate", "UploadFormFiles"]) and
-        pathArg = 0
-        or
-        m.hasQualifiedName(package("github.com/kataras/iris", "context"), "Context", "SaveFormFile") and
-        pathArg = 1
-      ) and
-      this = m.getACall()
-    )
-  }
-
-  override DataFlow::Node getAPathArgument() { result = this.getArgument(pathArg) }
-}
-
-/**
- * The File system access sinks of [fiber](https://github.com/gofiber/fiber) web framework
- */
-class FiberSystemAccess extends FileSystemAccess::Range, DataFlow::CallNode {
-  int pathArg;
-
-  FiberSystemAccess() {
-    exists(Method m |
-      (
-        m.hasQualifiedName(package("github.com/gofiber/fiber", ""), "Ctx", "SendFile") and
-        pathArg = 0
-        or
-        m.hasQualifiedName(package("github.com/gofiber/fiber", ""), "Ctx", "SaveFile") and
-        pathArg = 1
-      ) and
-      this = m.getACall()
-    )
-  }
-
-  override DataFlow::Node getAPathArgument() { result = this.getArgument(pathArg) }
-}
+import go
 
 /**
  * Provide File system access sinks of [afero](https://github.com/spf13/afero) framework
  */
 module Afero {
+  /**
+   * Gets all versions of `github.com/spf13/afero`
+   */
   string aferoPackage() { result = package("github.com/spf13/afero", "") }
 
   /**
@@ -207,7 +92,7 @@ module Afero {
   predicate aferoSanitizer(DataFlow::Node n) {
     exists(Function f |
       f.hasQualifiedName(aferoPackage(), ["NewBasePathFs", "NewIOFS"]) and
-      TaintTracking::localTaint(f.getACall(), n)
+      DataFlow::localFlow(f.getACall(), n)
     )
   }
 
@@ -221,7 +106,7 @@ module Afero {
   predicate additionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) {
     exists(StructLit st | st.getType().hasQualifiedName(aferoPackage(), "Afero") |
       n1.asExpr() = st.getAChildExpr().(KeyValueExpr).getAChildExpr() and
-      n2.asExpr() = st.getParent()
+      n2.asExpr() = st
     )
   }
 }

go/ql/lib/semmle/go/frameworks/Beego.qll

@@ -278,21 +278,31 @@ module Beego {
     }
   }
 
+  /**
+   * The File system access sinks
+   */
   private class FsOperations extends FileSystemAccess::Range, DataFlow::CallNode {
+    int pathArg;
+
     FsOperations() {
-      this.getTarget().hasQualifiedName(packagePath(), "Walk")
+      this.getTarget().hasQualifiedName(packagePath(), "Walk") and pathArg = 1
       or
       exists(Method m | this = m.getACall() |
-        m.hasQualifiedName(packagePath(), "FileSystem", "Open") or
-        m.hasQualifiedName(packagePath(), "Controller", "SaveToFile")
+        m.hasQualifiedName(packagePath(), "FileSystem", "Open") and pathArg = 0
+        or
+        m.hasQualifiedName(packagePath(), "Controller", "SaveToFile") and pathArg = 1
+        or
+        m.hasQualifiedName(contextPackagePath(), "BeegoOutput", "Download") and
+        pathArg = 0
+        or
+        // SaveToFileWithBuffer only available in v2
+        m.hasQualifiedName("github.com/beego/beego/v2/server/web", "Controller",
+          "SaveToFileWithBuffer") and
+        pathArg = 1
       )
     }
 
-    override DataFlow::Node getAPathArgument() {
-      this.getTarget().getName() = ["Walk", "SaveToFile"] and result = this.getArgument(1)
-      or
-      this.getTarget().getName() = "Open" and result = this.getArgument(0)
-    }
+    override DataFlow::Node getAPathArgument() { result = this.getArgument(pathArg) }
   }
 
   private class RedirectMethods extends Http::Redirect::Range, DataFlow::CallNode {

go/ql/lib/semmle/go/frameworks/Echo.qll

@@ -98,4 +98,21 @@ private module Echo {
 
     override Http::ResponseWriter getResponseWriter() { none() }
   }
+
+  /**
+   * The File system access sinks
+   */
+  class FsOperations extends FileSystemAccess::Range, DataFlow::CallNode {
+    int pathArg;
+
+    FsOperations() {
+      exists(Method m |
+        m.hasQualifiedName(packagePath(), "Context", ["Attachment", "File"]) and
+        this = m.getACall() and
+        pathArg = 0
+      )
+    }
+
+    override DataFlow::Node getAPathArgument() { result = this.getArgument(pathArg) }
+  }
 }

go/ql/lib/semmle/go/frameworks/Fiber.qll

@@ -0,0 +1,38 @@
+/**
+ * Provides classes for working the `github.com/gofiber/fiber` package.
+ */
+
+import go
+
+private module Gin {
+  /** Gets the package name `github.com/gofiber/fiber`. */
+  string packagePath() { result = package("github.com/gofiber/fiber", "") }
+
+  /** Gets the v2 module path `github.com/gofiber/fiber/v2` */
+  string v2modulePath() { result = "github.com/gofiber/fiber/v2" }
+
+  /**
+   * The File system access sinks
+   */
+  class FsOperations extends FileSystemAccess::Range, DataFlow::CallNode {
+    int pathArg;
+
+    FsOperations() {
+      exists(Method m |
+        (
+          m.hasQualifiedName(packagePath(), "Ctx", ["SendFile", "Download"]) and
+          pathArg = 0
+          or
+          m.hasQualifiedName(packagePath(), "Ctx", "SaveFile") and
+          pathArg = 1
+          or
+          m.hasQualifiedName(v2modulePath(), "Ctx", "SaveFileToStorage") and
+          pathArg = 1
+        ) and
+        this = m.getACall()
+      )
+    }
+
+    override DataFlow::Node getAPathArgument() { result = this.getArgument(pathArg) }
+  }
+}

go/ql/lib/semmle/go/frameworks/Gin.qll

@@ -53,4 +53,26 @@ private module Gin {
       )
     }
   }
+
+  /**
+   * The File system access sinks
+   */
+  class FsOperations extends FileSystemAccess::Range, DataFlow::CallNode {
+    int pathArg;
+
+    FsOperations() {
+      exists(Method m |
+        (
+          m.hasQualifiedName(packagePath(), "Context", ["File", "FileAttachment"]) and
+          pathArg = 0
+          or
+          m.hasQualifiedName(packagePath(), "Context", "SaveUploadedFile") and
+          pathArg = 1
+        ) and
+        this = m.getACall()
+      )
+    }
+
+    override DataFlow::Node getAPathArgument() { result = this.getArgument(pathArg) }
+  }
 }

go/ql/lib/semmle/go/frameworks/Iris.qll

@@ -0,0 +1,49 @@
+/**
+ * Provides classes for working the `github.com/kataras/iris` package.
+ */
+
+import go
+
+private module Gin {
+  /** Gets the v1 module path `github.com/gofiber/fiber`. */
+  string v1modulePath() { result = "github.com/kataras/iris" }
+
+  /** Gets the v12 module path `github.com/gofiber/fiber/v12` */
+  string v12modulePath() { result = "github.com/kataras/iris/v12" }
+
+  /** Gets the path for the context package of all versions of beego. */
+  string contextPackagePath() {
+    result = v12contextPackagePath()
+    or
+    result = v1contextPackagePath()
+  }
+
+  /** Gets the path for the context package of beego v12. */
+  string v12contextPackagePath() { result = v12modulePath() + "/context" }
+
+  /** Gets the path for the context package of beego v1. */
+  string v1contextPackagePath() { result = v1modulePath() + "/server/web/context" }
+
+  /**
+   * The File system access sinks
+   */
+  class FsOperations extends FileSystemAccess::Range, DataFlow::CallNode {
+    int pathArg;
+
+    FsOperations() {
+      exists(Method m |
+        (
+          m.hasQualifiedName(contextPackagePath(), "Context",
+            ["SendFile", "ServeFile", "SendFileWithRate", "ServeFileWithRate", "UploadFormFiles"]) and
+          pathArg = 0
+          or
+          m.hasQualifiedName(v12contextPackagePath(), "Context", "SaveFormFile") and
+          pathArg = 1
+        ) and
+        this = m.getACall()
+      )
+    }
+
+    override DataFlow::Node getAPathArgument() { result = this.getArgument(pathArg) }
+  }
+}

go/ql/lib/semmle/go/frameworks/stdlib/NetHttp.qll

@@ -288,4 +288,18 @@ module NetHttp {
 
     override predicate guardedBy(DataFlow::Node check) { check = handlerReg.getArgument(0) }
   }
+
+  /**
+   * The File system access sinks
+   */
+  class HttpServeFile extends FileSystemAccess::Range, DataFlow::CallNode {
+    HttpServeFile() {
+      exists(Function f |
+        f.hasQualifiedName("net/http", "ServeFile") and
+        this = f.getACall()
+      )
+    }
+
+    override DataFlow::Node getAPathArgument() { result = this.getArgument(2) }
+  }
 }

go/ql/test/library-tests/semmle/go/security/FileSystemAccess/Query.ql → go/ql/test/library-tests/semmle/go/frameworks/Afero/Query.ql

@@ -17,7 +17,7 @@ module FileSystemAccessTest implements TestSig {
       succ.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
         location.getStartColumn(), location.getEndLine(), location.getEndColumn()) and
       element = succ.toString() and
-      value = succ.toString() and
+      value = succ.asExpr().(StructLit).getType().getName() and
       tag = "succ"
       or
       pred.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),