
Commit 93aaa74

authored
Merge pull request #451 from sauyon/gokit
Add gokit models
2 parents b76ff0d + 3ed9e66 commit 93aaa74

8 files changed

Lines changed: 116 additions & 0 deletions


Lines changed: 2 additions & 0 deletions
@@ -0,0 +1,2 @@
1+
lgtm,codescanning
2+
* Models for gokit request sources have been added as an opt-in feature; import `semmle.go.frameworks.GoKit` in a query to enable these sources.
Lines changed: 47 additions & 0 deletions
@@ -0,0 +1,47 @@
1+
/**
2+
* Provides classes for working with concepts relating to the [github.com/go-kit/kit](https://pkg.go.dev/github.com/go-kit/kit) package.
3+
*
4+
* Note that these models are not included by default; to include them, add `import semmle.go.frameworks.GoKit` to your query or to
5+
* `Customizations.qll`.
6+
*/
7+
8+
import go
9+
10+
/**
11+
* Provides classes for working with concepts relating to the [github.com/go-kit/kit](https://pkg.go.dev/github.com/go-kit/kit) package.
12+
*/
13+
module GoKit {
14+
/** Gets the package name. */
15+
bindingset[result]
16+
string packagePath() { result = package("github.com/go-kit/kit", "") }
17+
18+
/**
19+
* Provides classes for working with concepts relating to the `endpoint` package of the
20+
* [github.com/go-kit/kit](https://pkg.go.dev/github.com/go-kit/kit) package.
21+
*/
22+
module Endpoint {
23+
/** Gets the package name. */
24+
bindingset[result]
25+
string endpointPackagePath() { result = package("github.com/go-kit/kit", "endpoint") }
26+
27+
// gets a function that returns an endpoint
28+
private DataFlow::Node getAnEndpointFactoryResult() {
29+
exists(Function mkFn, FunctionOutput res |
30+
mkFn.getResultType(0).hasQualifiedName(endpointPackagePath(), "Endpoint") and
31+
result = res.getEntryNode(mkFn.getFuncDecl()).getAPredecessor*()
32+
)
33+
}
34+
35+
private FuncDef getAnEndpointFunction() {
36+
exists(Function endpointFn | endpointFn.getFuncDecl() = result |
37+
endpointFn.getARead() = getAnEndpointFactoryResult()
38+
)
39+
or
40+
DataFlow::exprNode(result.(FuncLit)) = getAnEndpointFactoryResult()
41+
}
42+
43+
private class EndpointRequest extends UntrustedFlowSource::Range {
44+
EndpointRequest() { this = DataFlow::parameterNode(getAnEndpointFunction().getParameter(1)) }
45+
}
46+
}
47+
}
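Review bot: In `getAnEndpointFactoryResult`, `res` is declared as a `FunctionOutput` but never constrained, so it can be any output of `mkFn` rather than the result whose type was just checked to be `endpoint.Endpoint`. A function value flowing to some other output of such a function would then count as an endpoint, and its second parameter would be reported as an `UntrustedFlowSource`, which widens the source set beyond what the type check intends. Constraining the output, for instance with `res.isResult(0) and` ahead of the `getEntryNode` conjunct, ties it to the checked result. The `// gets a function that returns an endpoint` line would also be more accurate as QLDoc describing what is actually returned, e.g. `/** Gets a node that flows to the first result of a function returning an Endpoint. */`, and `getAnEndpointFunction` has no QLDoc.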
Lines changed: 5 additions & 0 deletions
@@ -0,0 +1,5 @@
1+
module codeql-go-tests/frameworks/GoKit
2+
3+
go 1.15
4+
5+
require github.com/go-kit/kit v0.10.0
Lines changed: 27 additions & 0 deletions
@@ -0,0 +1,27 @@
1+
package main
2+
3+
import (
4+
"context"
5+
"github.com/go-kit/kit/endpoint"
6+
)
7+
8+
type MyService interface {
9+
Lit(string) string
10+
Func(string) string
11+
}
12+
13+
func makeEndpointLit(svc MyService) endpoint.Endpoint {
14+
return func(_ context.Context, request interface{}) (interface{}, error) { // $source=definition of request
15+
return request, nil
16+
}
17+
}
18+
19+
func endpointfn(_ context.Context, request interface{}) (interface{}, error) { // $source=definition of request
20+
return request, nil
21+
}
22+
23+
func makeEndpointFn(svc MyService) endpoint.Endpoint {
24+
return endpointfn
25+
}
26+
27+
func main() {}
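Review bot: Both annotated functions are positive cases, so this file does not pin down what the model must not flag. The inline-expectations test reports any unannotated source as a failure, so a function with the endpoint signature that is never returned as an `endpoint.Endpoint` would guard against over-matching, e.g. `func notEndpoint(_ context.Context, request interface{}) (interface{}, error) { return request, nil }` with no `$source` comment. A factory that assigns the function to a local variable before returning it would additionally cover the `getAPredecessor*()` step in the model.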

ql/test/library-tests/semmle/go/frameworks/GoKit/untrustedflowsource.expected

Whitespace-only changes.
Lines changed: 18 additions & 0 deletions
@@ -0,0 +1,18 @@
1+
import go
2+
import semmle.go.frameworks.GoKit
3+
import TestUtilities.InlineExpectationsTest
4+
5+
class UntrustedFlowSourceTest extends InlineExpectationsTest {
6+
UntrustedFlowSourceTest() { this = "untrustedflowsourcetest" }
7+
8+
override string getARelevantTag() { result = "source" }
9+
10+
override predicate hasActualResult(string file, int line, string element, string tag, string value) {
11+
exists(UntrustedFlowSource source |
12+
source.hasLocationInfo(file, line, _, _, _) and
13+
element = source.toString() and
14+
value = source.toString() and
15+
tag = "source"
16+
)
17+
}
18+
}

ql/test/library-tests/semmle/go/frameworks/GoKit/vendor/github.com/go-kit/kit/endpoint/stub.go

Lines changed: 14 additions & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.
Lines changed: 3 additions & 0 deletions
@@ -0,0 +1,3 @@
1+
# github.com/go-kit/kit v0.10.0
2+
## explicit
3+
github.com/go-kit/kit/endpoint
