github
diff --git a/‎change-notes/2020-12-18-goproxy.md‎
Lines changed: 5 additions & 0 deletions b/‎change-notes/2020-12-18-goproxy.md‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎ql/src/Security/CWE-020/IncompleteHostnameRegexp.ql‎
Lines changed: 56 additions & 1 deletion b/‎ql/src/Security/CWE-020/IncompleteHostnameRegexp.ql‎
Lines changed: 56 additions & 1 deletion
diff --git a/‎ql/src/go.qll‎
Lines changed: 1 addition & 0 deletions b/‎ql/src/go.qll‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎ql/src/semmle/go/concepts/HTTP.qll‎
Lines changed: 40 additions & 1 deletion b/‎ql/src/semmle/go/concepts/HTTP.qll‎
Lines changed: 40 additions & 1 deletion
diff --git a/‎ql/src/semmle/go/frameworks/ElazarlGoproxy.qll‎
Lines changed: 135 additions & 0 deletions b/‎ql/src/semmle/go/frameworks/ElazarlGoproxy.qll‎
Lines changed: 135 additions & 0 deletions
diff --git a/‎ql/src/semmle/go/frameworks/stdlib/NetHttp.qll‎
Lines changed: 26 additions & 4 deletions b/‎ql/src/semmle/go/frameworks/stdlib/NetHttp.qll‎
Lines changed: 26 additions & 4 deletions
diff --git a/‎ql/test/library-tests/semmle/go/concepts/HTTP/Handler.expected‎ b/‎ql/test/library-tests/semmle/go/concepts/HTTP/Handler.expected‎
diff --git a/‎ql/test/library-tests/semmle/go/concepts/HTTP/Handler.ql‎
Lines changed: 18 additions & 0 deletions b/‎ql/test/library-tests/semmle/go/concepts/HTTP/Handler.ql‎
Lines changed: 18 additions & 0 deletions
diff --git a/‎ql/test/library-tests/semmle/go/concepts/HTTP/Header.expected‎
Lines changed: 10 additions & 10 deletions b/‎ql/test/library-tests/semmle/go/concepts/HTTP/Header.expected‎
Lines changed: 10 additions & 10 deletions
diff --git a/‎ql/test/library-tests/semmle/go/concepts/HTTP/RequestBody.expected‎
Lines changed: 2 additions & 2 deletions b/‎ql/test/library-tests/semmle/go/concepts/HTTP/RequestBody.expected‎
Lines changed: 2 additions & 2 deletions
@@ -0,0 +1,5 @@
+lgtm,codescanning
+* Added support for the `github.com/elazarl/goproxy` package.
+* The query "Incomplete regular expression for hostnames" has been improved to recognize some cases
+  when the regexp in question is guarding an HTTP error response, which will lead to fewer false
+  positives.
@@ -30,6 +30,55 @@ predicate isIncompleteHostNameRegexpPattern(string pattern, string hostPart) {
             "(([():|?a-z0-9-]+(\\\\)?[.])?" + commonTLD() + ")" + ".*", 1)
 }
 
+/** Holds if `b` sets the HTTP status code (represented by a pseudo-header named  `status`) */
+predicate writesHttpError(ReachableBasicBlock b) {
+  forex(HTTP::HeaderWrite hw |
+    hw.getHeaderName() = "status" and hw.asInstruction().getBasicBlock() = b
+  |
+    exists(string code | code.matches("4__") or code.matches("5__") |
+      hw.definesHeader("status", code)
+    )
+  )
+}
+
+/** Holds if starting from `block` a status code representing an error is certainly set. */
+predicate onlyErrors(BasicBlock block) {
+  writesHttpError(block)
+  or
+  forex(ReachableBasicBlock pred | pred = block.getAPredecessor() | onlyErrors(pred))
+}
+
+/** Gets a node that refers to a handler that is considered to return an HTTP error. */
+DataFlow::Node getASafeHandler() {
+  exists(Variable v |
+    v.hasQualifiedName(ElazarlGoproxy::packagePath(), ["AlwaysReject", "RejectConnect"])
+  |
+    result = v.getARead()
+  )
+  or
+  exists(Function f |
+    onlyErrors(f.getFuncDecl().(ControlFlow::Root).getExitNode().getBasicBlock())
+  |
+    result = f.getARead()
+  )
+}
+
+/** Holds if `regexp` is used in a check before `handler` is called. */
+predicate regexpGuardsHandler(RegexpPattern regexp, HTTP::RequestHandler handler) {
+  handler.guardedBy(DataFlow::exprNode(regexp.getAUse().asExpr().getParent*()))
+}
+
+/** Holds if `regexp` guards an HTTP error write. */
+predicate regexpGuardsError(RegexpPattern regexp) {
+  exists(ControlFlow::ConditionGuardNode cond, RegexpMatchFunction match, DataFlow::CallNode call |
+    call.getTarget() = match and
+    match.getRegexp(call) = regexp
+  |
+    cond.ensures(match.getResult().getNode(call).getASuccessor*(), true) and
+    cond.dominates(any(ReachableBasicBlock b | writesHttpError(b)))
+  )
+}
+
 class Config extends DataFlow::Configuration {
   Config() { this = "IncompleteHostNameRegexp::Config" }
 
@@ -47,7 +96,13 @@ class Config extends DataFlow::Configuration {
 
   override predicate isSource(DataFlow::Node source) { isSource(source, _) }
 
-  override predicate isSink(DataFlow::Node sink) { sink instanceof RegexpPattern }
+  override predicate isSink(DataFlow::Node sink) {
+    sink instanceof RegexpPattern and
+    forall(HTTP::RequestHandler handler | regexpGuardsHandler(sink, handler) |
+      not handler = getASafeHandler()
+    ) and
+    not regexpGuardsError(sink)
+  }
 }
 
 from Config c, DataFlow::PathNode source, DataFlow::PathNode sink, string hostPart
 
@@ -34,6 +34,7 @@ import semmle.go.frameworks.BeegoOrm
 import semmle.go.frameworks.Chi
 import semmle.go.frameworks.Couchbase
 import semmle.go.frameworks.Echo
+import semmle.go.frameworks.ElazarlGoproxy
 import semmle.go.frameworks.Email
 import semmle.go.frameworks.Encoding
 import semmle.go.frameworks.EvanphxJsonPatch
 
@@ -64,10 +64,17 @@ module HTTP {
       /** Gets the (lower-case) name of a header set by this definition. */
       string getHeaderName() { result = this.getName().getStringValue().toLowerCase() }
 
+      /** Gets the value of the header set by this definition. */
+      string getHeaderValue() {
+        result = this.getValue().getStringValue()
+        or
+        result = this.getValue().getIntValue().toString()
+      }
+
       /** Holds if this header write defines the header `header`. */
       predicate definesHeader(string header, string value) {
         header = this.getHeaderName() and
-        value = this.getValue().getStringValue()
+        value = this.getHeaderValue()
       }
 
       /**
@@ -101,6 +108,9 @@ module HTTP {
     /** Gets the (lower-case) name of a header set by this definition. */
     string getHeaderName() { result = self.getHeaderName() }
 
+    /** Gets the value of the header set by this definition. */
+    string getHeaderValue() { result = self.getHeaderValue() }
+
     /** Holds if this header write defines the header `header`. */
     predicate definesHeader(string header, string value) { self.definesHeader(header, value) }
 
@@ -302,4 +312,33 @@ module HTTP {
     /** Gets the response writer that this redirect is sent on, if any. */
     ResponseWriter getResponseWriter() { result = self.getResponseWriter() }
   }
+
+  /** Provides a class for modeling new HTTP handler APIs. */
+  module RequestHandler {
+    /**
+     * An HTTP request handler.
+     *
+     * Extend this class to model new APIs. If you want to refine existing API models,
+     * extend `HTTP::RequestHandler` instead.
+     */
+    abstract class Range extends DataFlow::Node {
+      /** Gets a node that is used in a check that is tested before this handler is run. */
+      abstract predicate guardedBy(DataFlow::Node check);
+    }
+  }
+
+  /**
+   * An HTTP request handler.
+   *
+   * Extend this class to refine existing API models. If you want to model new APIs,
+   * extend `HTTP::RequestHandler::Range` instead.
+   */
+  class RequestHandler extends DataFlow::Node {
+    RequestHandler::Range self;
+
+    RequestHandler() { this = self }
+
+    /** Gets a node that is used in a check that is tested before this handler is run. */
+    predicate guardedBy(DataFlow::Node check) { self.guardedBy(check) }
+  }
 }
@@ -0,0 +1,135 @@
+/**
+ * Provides classes for working with concepts relating to the [github.com/elazarl/goproxy](https://pkg.go.dev/github.com/elazarl/goproxy) package.
+ */
+
+import go
+
+/**
+ * Provides classes for working with concepts relating to the [github.com/elazarl/goproxy](https://pkg.go.dev/github.com/elazarl/goproxy) package.
+ */
+module ElazarlGoproxy {
+  /** Gets the package name. */
+  bindingset[result]
+  string packagePath() { result = package("github.com/elazarl/goproxy", "") }
+
+  private class NewResponse extends HTTP::HeaderWrite::Range, DataFlow::CallNode {
+    NewResponse() { this.getTarget().hasQualifiedName(packagePath(), "NewResponse") }
+
+    override string getHeaderName() { this.definesHeader(result, _) }
+
+    override string getHeaderValue() { this.definesHeader(_, result) }
+
+    override DataFlow::Node getName() { none() }
+
+    override DataFlow::Node getValue() { result = this.getArgument([1, 2]) }
+
+    override predicate definesHeader(string header, string value) {
+      header = "status" and value = this.getArgument(2).getIntValue().toString()
+      or
+      header = "content-type" and value = this.getArgument(1).getStringValue()
+    }
+
+    override HTTP::ResponseWriter getResponseWriter() { none() }
+  }
+
+  /** A body argument to a `NewResponse` call. */
+  private class NewResponseBody extends HTTP::ResponseBody::Range {
+    NewResponse call;
+
+    NewResponseBody() { this = call.getArgument(3) }
+
+    override DataFlow::Node getAContentTypeNode() { result = call.getArgument(1) }
+
+    override HTTP::ResponseWriter getResponseWriter() { none() }
+  }
+
+  private class TextResponse extends HTTP::HeaderWrite::Range, DataFlow::CallNode {
+    TextResponse() { this.getTarget().hasQualifiedName(packagePath(), "TextResponse") }
+
+    override string getHeaderName() { this.definesHeader(result, _) }
+
+    override string getHeaderValue() { this.definesHeader(_, result) }
+
+    override DataFlow::Node getName() { none() }
+
+    override DataFlow::Node getValue() { none() }
+
+    override predicate definesHeader(string header, string value) {
+      header = "status" and value = "200"
+      or
+      header = "content-type" and value = "text/plain"
+    }
+
+    override HTTP::ResponseWriter getResponseWriter() { none() }
+  }
+
+  /** A body argument to a `TextResponse` call. */
+  private class TextResponseBody extends HTTP::ResponseBody::Range, TextResponse {
+    TextResponse call;
+
+    TextResponseBody() { this = call.getArgument(2) }
+
+    override DataFlow::Node getAContentTypeNode() { result = call.getArgument(1) }
+
+    override HTTP::ResponseWriter getResponseWriter() { none() }
+  }
+
+  /** A handler attached to a goproxy proxy type. */
+  private class ProxyHandler extends HTTP::RequestHandler::Range {
+    DataFlow::MethodCallNode handlerReg;
+
+    ProxyHandler() {
+      handlerReg
+          .getTarget()
+          .hasQualifiedName(packagePath(), "ReqProxyConds", ["Do", "DoFunc", "HandleConnect"]) and
+      this = handlerReg.getArgument(0)
+    }
+
+    override predicate guardedBy(DataFlow::Node check) {
+      // note OnResponse is not modeled, as that server responses are not currently considered untrusted input
+      exists(DataFlow::MethodCallNode onreqcall |
+        onreqcall.getTarget().hasQualifiedName(packagePath(), "ProxyHttpServer", "OnRequest")
+      |
+        handlerReg.getReceiver() = onreqcall.getASuccessor*() and
+        check = onreqcall.getArgument(0)
+      )
+    }
+  }
+
+  private class UserControlledRequestData extends UntrustedFlowSource::Range {
+    UserControlledRequestData() {
+      exists(DataFlow::FieldReadNode frn | this = frn |
+        // liberally consider ProxyCtx.UserData to be untrusted; it's a data field set by a request handler
+        frn.getField().hasQualifiedName(packagePath(), "ProxyCtx", "UserData")
+      )
+      or
+      exists(DataFlow::MethodCallNode call | this = call |
+        call.getTarget().hasQualifiedName(packagePath(), "ProxyCtx", "Charset")
+      )
+    }
+  }
+
+  private class ProxyLog extends LoggerCall::Range, DataFlow::MethodCallNode {
+    ProxyLog() { this.getTarget().hasQualifiedName(packagePath(), "ProxyCtx", ["Logf", "Warnf"]) }
+
+    override DataFlow::Node getAMessageComponent() { result = this.getAnArgument() }
+  }
+
+  private class MethodModels extends TaintTracking::FunctionModel, Method {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    MethodModels() {
+      // Methods:
+      // signature: func CertStorage.Fetch(hostname string, gen func() (*tls.Certificate, error)) (*tls.Certificate, error)
+      //
+      // `hostname` excluded because if the cert storage or generator function themselves have not
+      // been tainted, `hostname` would be unlikely to fetch user-controlled data
+      this.hasQualifiedName(packagePath(), "CertStorage", "Fetch") and
+      (inp.isReceiver() or inp.isParameter(1)) and
+      outp.isResult(0)
+    }
+
+    override predicate hasTaintFlow(FunctionInput i, FunctionOutput o) { i = inp and o = outp }
+  }
+}
@@ -108,17 +108,25 @@ module NetHttp {
 
     override string getHeaderName() { result = "status" }
 
-    override predicate definesHeader(string header, string value) {
-      header = "status" and value = this.getValue().getIntValue().toString()
-    }
-
     override DataFlow::Node getName() { none() }
 
     override DataFlow::Node getValue() { result = this.getArgument(0) }
 
     override HTTP::ResponseWriter getResponseWriter() { result.getANode() = this.getReceiver() }
   }
 
+  private class ResponseErrorCall extends HTTP::HeaderWrite::Range, DataFlow::CallNode {
+    ResponseErrorCall() { this.getTarget().hasQualifiedName("net/http", "Error") }
+
+    override string getHeaderName() { result = "status" }
+
+    override DataFlow::Node getName() { none() }
+
+    override DataFlow::Node getValue() { result = this.getArgument(2) }
+
+    override HTTP::ResponseWriter getResponseWriter() { result.getANode() = this.getArgument(0) }
+  }
+
   private class RequestBody extends HTTP::RequestBody::Range, DataFlow::ExprNode {
     RequestBody() {
       exists(Function newRequest |
@@ -227,6 +235,20 @@ module NetHttp {
     }
   }
 
+  private class Handler extends HTTP::RequestHandler::Range {
+    DataFlow::CallNode handlerReg;
+
+    Handler() {
+      exists(Function regFn | regFn = handlerReg.getTarget() |
+        regFn.hasQualifiedName("net/http", ["Handle", "HandleFunc"]) or
+        regFn.(Method).hasQualifiedName("net/http", "ServeMux", ["Handle", "HandleFunc"])
+      ) and
+      this = handlerReg.getArgument(1)
+    }
+
+    override predicate guardedBy(DataFlow::Node check) { check = handlerReg.getArgument(0) }
+  }
+
   private class FunctionModels extends TaintTracking::FunctionModel {
     FunctionInput inp;
     FunctionOutput outp;
 
@@ -0,0 +1,18 @@
+import go
+import TestUtilities.InlineExpectationsTest
+
+class HttpHandler extends InlineExpectationsTest {
+  HttpHandler() { this = "httphandler" }
+
+  override string getARelevantTag() { result = "handler" }
+
+  override predicate hasActualResult(string file, int line, string element, string tag, string value) {
+    tag = "handler" and
+    exists(HTTP::RequestHandler h, DataFlow::Node check |
+      element = h.toString() and value = check.toString()
+    |
+      h.hasLocationInfo(file, line, _, _, _) and
+      h.guardedBy(check)
+    )
+  }
+}
@@ -1,10 +1,10 @@
-| main.go:29:2:29:19 | call to WriteHeader | n/a | 418 | status | 418 |
-| main.go:31:2:31:51 | call to Set | "Authorization" | "Basic example:example" | authorization | Basic example:example |
-| main.go:32:2:32:26 | call to Add | "Age" | "342232" | age | 342232 |
-| main.go:34:2:34:55 | call to Add | server | call to Sprintf | n/a | n/a |
-| main.go:35:2:35:45 | call to Set | LOC_HEADER | ...+... | n/a | n/a |
-| main.go:36:2:36:5 | head | "Unknown-Header" | slice literal | n/a | n/a |
-| main.go:48:2:48:43 | call to Add | "Not-A-Response" | "Header" | not-a-response | Header |
-| main.go:49:2:49:42 | call to Set | "Accept" | "nota/response" | accept | nota/response |
-| main.go:50:2:50:11 | selection of Header | "Accept-Charset" | slice literal | n/a | n/a |
-| main.go:57:2:57:42 | call to Set | "This-Makes" | "No sense" | this-makes | No sense |
+| main.go:30:2:30:19 | call to WriteHeader | n/a | 418 | status | 418 |
+| main.go:32:2:32:51 | call to Set | "Authorization" | "Basic example:example" | authorization | Basic example:example |
+| main.go:33:2:33:26 | call to Add | "Age" | "342232" | age | 342232 |
+| main.go:35:2:35:55 | call to Add | server | call to Sprintf | n/a | n/a |
+| main.go:36:2:36:45 | call to Set | LOC_HEADER | ...+... | n/a | n/a |
+| main.go:37:2:37:5 | head | "Unknown-Header" | slice literal | n/a | n/a |
+| main.go:49:2:49:43 | call to Add | "Not-A-Response" | "Header" | not-a-response | Header |
+| main.go:50:2:50:42 | call to Set | "Accept" | "nota/response" | accept | nota/response |
+| main.go:51:2:51:11 | selection of Header | "Accept-Charset" | slice literal | n/a | n/a |
+| main.go:58:2:58:42 | call to Set | "This-Makes" | "No sense" | this-makes | No sense |
@@ -1,2 +1,2 @@
-| main.go:46:57:46:59 | nil |
-| main.go:52:13:52:34 | call to NopCloser |
+| main.go:47:57:47:59 | nil |
+| main.go:53:13:53:34 | call to NopCloser |