Added support for Gin CORS

Kwstubbs · Kwstubbs · commit dafcd5ec984d · 2023-10-25T17:23:10.000-07:00
diff --git a/go/ql/lib/go.qll b/go/ql/lib/go.qll
@@ -41,6 +41,7 @@ import semmle.go.frameworks.Email
 import semmle.go.frameworks.Encoding
 import semmle.go.frameworks.Fiber
 import semmle.go.frameworks.Gin
+import semmle.go.frameworks.GinCors
 import semmle.go.frameworks.Glog
 import semmle.go.frameworks.GoKit
 import semmle.go.frameworks.GoMicro
diff --git a/go/ql/lib/semmle/go/frameworks/GinCors.qll b/go/ql/lib/semmle/go/frameworks/GinCors.qll
@@ -0,0 +1,80 @@
+/**
+ * Provides classes for working with untrusted flow sources from the `github.com/gin-gonic/gin` package.
+ */
+
+ import go
+
+  module GinCors {
+   /** Gets the package name `github.com/gin-gonic/gin`. */
+   string packagePath() { result = package("github.com/gin-contrib/cors", "") }
+ 
+   /**
+    * Data from a `Context` struct, considered as a source of untrusted flow.
+    */
+     class New extends Function{
+        New() {
+            exists(Function f | f.hasQualifiedName(packagePath(), "New") | this = f)
+        }
+
+   }
+   class Config extends Variable {
+    Config() { this.hasQualifiedName(packagePath(), "Config") }
+
+    // Field getAllowCredentials() {
+    //     result = this.getField("AllowCredentials")
+    // }
+  }
+   class AllowCredentialsWrite extends DataFlow::ExprNode {
+    DataFlow::Node base;
+    GinConfig gc;
+    AllowCredentialsWrite() {
+      exists(Field f, Write w |
+        f.hasQualifiedName(packagePath(), "Config", "AllowCredentials") and
+        w.writesField(base, f, this) and
+        this.getType() instanceof BoolType and
+        (gc.getV().getBaseVariable().getDefinition().(SsaExplicitDefinition).getRhs() = base.asInstruction() or
+        gc.getV().getAUse() = base)
+      )
+    }
+    GinConfig getConfig() { result =  gc}
+  }
+   class AllowOriginsWrite extends DataFlow::ExprNode {
+    DataFlow::Node base;
+    GinConfig gc;
+    AllowOriginsWrite() {
+      exists(Field f, Write w |
+        f.hasQualifiedName(packagePath(), "Config", "AllowOrigins") and
+        w.writesField(base, f, this) and
+        this.asExpr() instanceof SliceLit and
+        (gc.getV().getBaseVariable().getDefinition().(SsaExplicitDefinition).getRhs() = base.asInstruction() or
+        gc.getV().getAUse() = base)
+      )
+    }
+    GinConfig getConfig() { result = gc}
+  }
+  class AllowAllOriginsWrite extends DataFlow::ExprNode {
+    DataFlow::Node base;
+
+    AllowAllOriginsWrite() {
+      exists(Field f, Write w |
+        f.hasQualifiedName(packagePath(), "Config", "AllowAllOrigins") and
+        w.writesField(base, f, this) and
+        this.getType() instanceof BoolType 
+        //and this.asExpr().(SliceLit).getAnElement().toString().matches("%null%")
+      )
+    }
+    DataFlow::Node getBase() { result = base}
+  }
+
+   class GinConfig extends Variable {
+    SsaWithFields v;
+
+    GinConfig() {
+      this = v.getBaseVariable().getSourceVariable() and
+      exists(Type t | t.hasQualifiedName(packagePath(), "Config") | v.getType() = t)
+    }
+    SsaWithFields getV() { result = v}
+  }
+ 
+ }
+ 
diff --git a/go/ql/src/experimental/CWE-942/CorsMisconfiguration.ql b/go/ql/src/experimental/CWE-942/CorsMisconfiguration.ql
@@ -69,22 +69,45 @@ module UntrustedToAllowOriginHeaderConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { isSinkHW(sink, _) }
 }
 
+module UntrustedToAllowOriginConfigConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }
+
+  additional predicate isSinkWrite(DataFlow::Node sink, GinCors::AllowOriginsWrite w) {
+    sink = w
+  }
+
+  predicate isSink(DataFlow::Node sink) { isSinkWrite(sink, _) }
+}
+
 /**
  * Tracks taint flowfor reasoning about when an `UntrustedFlowSource` flows to
  * a `HeaderWrite` that writes an `Access-Control-Allow-Origin` header's value.
  */
 module UntrustedToAllowOriginHeaderFlow = TaintTracking::Global<UntrustedToAllowOriginHeaderConfig>;
 
+module UntrustedToAllowOriginConfigFlow = TaintTracking::Global<UntrustedToAllowOriginConfigConfig>;
+
 /**
  * Holds if the provided `allowOriginHW` HeaderWrite's parent ResponseWriter
  * also has another HeaderWrite that sets a `Access-Control-Allow-Credentials`
  * header to `true`.
  */
-predicate allowCredentialsIsSetToTrue(AllowOriginHeaderWrite allowOriginHW) {
+predicate allowCredentialsIsSetToTrue(DataFlow::ExprNode allowOrigin) {
   exists(AllowCredentialsHeaderWrite allowCredentialsHW |
     allowCredentialsHW.getHeaderValue().toLowerCase() = "true"
   |
-    allowOriginHW.getResponseWriter() = allowCredentialsHW.getResponseWriter()
+  allowOrigin.(AllowOriginHeaderWrite).getResponseWriter() = allowCredentialsHW.getResponseWriter()
+  )
+  or
+  exists(GinCors::AllowCredentialsWrite allowCredentialsGin |
+    allowCredentialsGin.toString() = "true" 
+    |
+    //flow only goes in one direction so fix this before PR
+    allowCredentialsGin.getConfig() = allowOrigin.(GinCors::AllowOriginsWrite).getConfig()
+    and
+    not exists(GinCors::AllowAllOriginsWrite allowAllOrigins |
+      allowAllOrigins.toString() = "true" //and DataFlow::localFlow(allowCredentialsGin.getBase(), allowAllOrigins.getBase())
+    )
   )
 }
 
@@ -93,10 +116,12 @@ predicate allowCredentialsIsSetToTrue(AllowOriginHeaderWrite allowOriginHW) {
  * UntrustedFlowSource.
  * The `message` parameter is populated with the warning message to be returned by the query.
  */
-predicate flowsFromUntrustedToAllowOrigin(AllowOriginHeaderWrite allowOriginHW, string message) {
+predicate flowsFromUntrustedToAllowOrigin(DataFlow::ExprNode allowOriginHW, string message) {
   exists(DataFlow::Node sink |
     UntrustedToAllowOriginHeaderFlow::flowTo(sink) and
-    UntrustedToAllowOriginHeaderConfig::isSinkHW(sink, allowOriginHW)
+    UntrustedToAllowOriginHeaderConfig::isSinkHW(sink, allowOriginHW) or
+    UntrustedToAllowOriginConfigFlow::flowTo(sink) and 
+    UntrustedToAllowOriginConfigConfig::isSinkWrite(sink, allowOriginHW)
   |
     message =
       headerAllowOrigin() + " header is set to a user-defined value, and " +
@@ -108,11 +133,17 @@ predicate flowsFromUntrustedToAllowOrigin(AllowOriginHeaderWrite allowOriginHW,
  * Holds if the provided `allowOriginHW` HeaderWrite is for a `Access-Control-Allow-Origin`
  * header and the value is set to `null`.
  */
-predicate allowOriginIsNull(AllowOriginHeaderWrite allowOriginHW, string message) {
-  allowOriginHW.getHeaderValue().toLowerCase() = "null" and
+predicate allowOriginIsNull(DataFlow::ExprNode allowOrigin, string message) {
+  allowOrigin.(AllowOriginHeaderWrite).getHeaderValue().toLowerCase() = "null" and
   message =
-    headerAllowOrigin() + " header is set to `" + allowOriginHW.getHeaderValue() + "`, and " +
+    headerAllowOrigin() + " header is set to `" + allowOrigin.(AllowOriginHeaderWrite).getHeaderValue() + "`, and " +
       headerAllowCredentials() + " is set to `true`"
+  or
+  allowOrigin.(GinCors::AllowOriginsWrite).asExpr().(SliceLit).getAnElement().toString().matches("\"null%\"") and
+  message =
+    headerAllowOrigin() + " header is set to `" + allowOrigin.(GinCors::AllowOriginsWrite).asExpr().(SliceLit).getAnElement().toString() + "`, and " +
+      headerAllowCredentials() + " is set to `true`"
+
 }
 
 /**
@@ -170,26 +201,26 @@ module FromUntrustedFlow = TaintTracking::Global<FromUntrustedConfig>;
 /**
  * Holds if the provided `allowOriginHW` is also destination of a `UntrustedFlowSource`.
  */
-predicate flowsToGuardedByCheckOnUntrusted(AllowOriginHeaderWrite allowOriginHW) {
+predicate flowsToGuardedByCheckOnUntrusted(DataFlow::ExprNode allowOriginHW) {
   exists(DataFlow::Node sink, ControlFlow::ConditionGuardNode cgn |
     FromUntrustedFlow::flowTo(sink) and FromUntrustedConfig::isSinkCgn(sink, cgn)
   |
     cgn.dominates(allowOriginHW.getBasicBlock())
   )
 }
 
-from AllowOriginHeaderWrite allowOriginHW, string message
+from DataFlow::ExprNode allowOrigin, string message
 where
-  allowCredentialsIsSetToTrue(allowOriginHW) and
+  allowCredentialsIsSetToTrue(allowOrigin) and
   (
-    flowsFromUntrustedToAllowOrigin(allowOriginHW, message)
+    flowsFromUntrustedToAllowOrigin(allowOrigin, message)
     or
-    allowOriginIsNull(allowOriginHW, message)
+    allowOriginIsNull(allowOrigin, message)
   ) and
-  not flowsToGuardedByCheckOnUntrusted(allowOriginHW) and
+  not flowsToGuardedByCheckOnUntrusted(allowOrigin) and
   not exists(ControlFlow::ConditionGuardNode cgn |
     cgn.ensures(any(AllowedFlag f).getAFlag().getANode(), _)
   |
-    cgn.dominates(allowOriginHW.getBasicBlock())
+    cgn.dominates(allowOrigin.getBasicBlock())
   )
-select allowOriginHW, message
+select allowOrigin, message
diff --git a/go/ql/src/experimental/CWE-942/GinCors.ql b/go/ql/src/experimental/CWE-942/GinCors.ql
@@ -0,0 +1,26 @@
+/**
+ * @name CORS misconfiguration
+ * @description If a CORS policy is configured to accept an origin value obtained from the request data,
+ * 				or is set to `null`, and it allows credential sharing, then the users of the
+ * 				application are vulnerable to the same range of attacks as in XSS (credential stealing, etc.).
+ * @kind problem
+ * @problem.severity warning
+ * @id go/cors-misconfiguration
+ * @tags security
+ *       experimental
+ *       external/cwe/cwe-942
+ *       external/cwe/cwe-346
+ */
+
+import go
+
+// from GinCors::New n, GinCors::Config cfg, DataFlow::CallNode c
+// //where n.getACall() = c and c.getArgument(0) = cfg
+// where cfg.getAllowCredentials() = "*"
+// select cfg, "hello"
+
+from GinCors::GinConfig gc
+select gc.getV().getBaseVariable().getDefinition().(SsaExplicitDefinition).getRhs(), "test"
+//where s.getAnElement().toString().matches("%https://foo.com%")
+//where a.getBase() = b.getBase()
+//select a.getBase(), b.getBase()
