Merge pull request #16960 from owen-mc/go/mad-sources-fasthttp
Go: Convert fasthttp sources to MaD
owen-mc committed Jul 17, 2024
2 parents 98319be + d109b1e commit 433137a
Showing 41 changed files with 348 additions and 277 deletions.
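--- a/go/ql/lib/ext/github.com.valyala.fasthttp.model.yml
+++ b/go/ql/lib/ext/github.com.valyala.fasthttp.model.yml
@@ -8,3 +8,58 @@ extensions:
 - ["github.com/valyala/fasthttp", "URI", False, "Update", "", "", "Argument[0]", "Argument[receiver]", "taint", "manual"]
 - ["github.com/valyala/fasthttp", "URI", False, "UpdateBytes", "", "", "Argument[0]", "Argument[receiver]", "taint", "manual"]
 - ["github.com/valyala/fasthttp", "URI", False, "Parse", "", "", "Argument[0..1]", "Argument[receiver]", "taint", "manual"]
+
+- addsTo:
+pack: codeql/go-all
+extensible: sourceModel
+data:
+- ["github.com/valyala/fasthttp", "Args", True, "Peek", "", "", "ReturnValue[0]", "remote", "manual"]
+- ["github.com/valyala/fasthttp", "Args", True, "PeekBytes", "", "", "ReturnValue[0]", "remote", "manual"]
+- ["github.com/valyala/fasthttp", "Args", True, "PeekMulti", "", "", "ReturnValue[0]", "remote", "manual"]
+- ["github.com/valyala/fasthttp", "Args", True, "PeekMultiBytes", "", "", "ReturnValue[0]", "remote", "manual"]
+- ["github.com/valyala/fasthttp", "Args", True, "QueryString", "", "", "ReturnValue[0]", "remote", "manual"]
+- ["github.com/valyala/fasthttp", "Args", True, "String", "", "", "ReturnValue[0]", "remote", "manual"]
+- ["github.com/valyala/fasthttp", "URI", True, "FullURI", "", "", "ReturnValue[0]", "remote", "manual"]
+- ["github.com/valyala/fasthttp", "URI", True, "LastPathSegment", "", "", "ReturnValue[0]", "remote", "manual"]
+- ["github.com/valyala/fasthttp", "URI", True, "Path", "", "", "ReturnValue[0]", "remote", "manual"]
+- ["github.com/valyala/fasthttp", "URI", True, "PathOriginal", "", "", "ReturnValue[0]", "remote", "manual"]
+- ["github.com/valyala/fasthttp", "URI", True, "QueryString", "", "", "ReturnValue[0]", "remote", "manual"]
+- ["github.com/valyala/fasthttp", "URI", True, "String", "", "", "ReturnValue[0]", "remote", "manual"]
+- ["github.com/valyala/fasthttp", "Request", True, "Body", "", "", "ReturnValue[0]", "remote", "manual"]
+- ["github.com/valyala/fasthttp", "Request", True, "BodyGunzip", "", "", "ReturnValue[0]", "remote", "manual"]
+- ["github.com/valyala/fasthttp", "Request", True, "BodyInflate", "", "", "ReturnValue[0]", "remote", "manual"]
+- ["github.com/valyala/fasthttp", "Request", True, "BodyStream", "", "", "ReturnValue[0]", "remote", "manual"]
+- ["github.com/valyala/fasthttp", "Request", True, "BodyUnbrotli", "", "", "ReturnValue[0]", "remote", "manual"]
+- ["github.com/valyala/fasthttp", "Request", True, "BodyUncompressed", "", "", "ReturnValue[0]", "remote", "manual"]
+- ["github.com/valyala/fasthttp", "Request", True, "ContinueReadBody", "", "", "Argument[0]", "remote", "manual"]
+- ["github.com/valyala/fasthttp", "Request", True, "ContinueReadBodyStream", "", "", "Argument[0]", "remote", "manual"]
+- ["github.com/valyala/fasthttp", "Request", True, "Host", "", "", "ReturnValue[0]", "remote", "manual"]
+- ["github.com/valyala/fasthttp", "Request", True, "ReadBody", "", "", "Argument[0]", "remote", "manual"]
+- ["github.com/valyala/fasthttp", "Request", True, "ReadLimitBody", "", "", "Argument[0]", "remote", "manual"]
+- ["github.com/valyala/fasthttp", "Request", True, "RequestURI", "", "", "ReturnValue[0]", "remote", "manual"]
+- ["github.com/valyala/fasthttp", "RequestCtx", True, "Host", "", "", "ReturnValue[0]", "remote", "manual"]
+- ["github.com/valyala/fasthttp", "RequestCtx", True, "Path", "", "", "ReturnValue[0]", "remote", "manual"]
+- ["github.com/valyala/fasthttp", "RequestCtx", True, "PostBody", "", "", "ReturnValue[0]", "remote", "manual"]
+- ["github.com/valyala/fasthttp", "RequestCtx", True, "Referer", "", "", "ReturnValue[0]", "remote", "manual"]
+- ["github.com/valyala/fasthttp", "RequestCtx", True, "RequestBodyStream", "", "", "ReturnValue[0]", "remote", "manual"]
+- ["github.com/valyala/fasthttp", "RequestCtx", True, "RequestURI", "", "", "ReturnValue[0]", "remote", "manual"]
+- ["github.com/valyala/fasthttp", "RequestCtx", True, "String", "", "", "ReturnValue[0]", "remote", "manual"]
+- ["github.com/valyala/fasthttp", "RequestCtx", True, "UserAgent", "", "", "ReturnValue[0]", "remote", "manual"]
+- ["github.com/valyala/fasthttp", "RequestHeader", True, "ContentEncoding", "", "", "ReturnValue[0]", "remote", "manual"]
+- ["github.com/valyala/fasthttp", "RequestHeader", True, "ContentType", "", "", "ReturnValue[0]", "remote", "manual"]
+- ["github.com/valyala/fasthttp", "RequestHeader", True, "Cookie", "", "", "ReturnValue[0]", "remote", "manual"]
+- ["github.com/valyala/fasthttp", "RequestHeader", True, "CookieBytes", "", "", "ReturnValue[0]", "remote", "manual"]
+- ["github.com/valyala/fasthttp", "RequestHeader", True, "Header", "", "", "ReturnValue[0]", "remote", "manual"]
+- ["github.com/valyala/fasthttp", "RequestHeader", True, "Host", "", "", "ReturnValue[0]", "remote", "manual"]
+- ["github.com/valyala/fasthttp", "RequestHeader", True, "MultipartFormBoundary", "", "", "ReturnValue[0]", "remote", "manual"]
+- ["github.com/valyala/fasthttp", "RequestHeader", True, "Peek", "", "", "ReturnValue[0]", "remote", "manual"]
+- ["github.com/valyala/fasthttp", "RequestHeader", True, "PeekAll", "", "", "ReturnValue[0]", "remote", "manual"]
+- ["github.com/valyala/fasthttp", "RequestHeader", True, "PeekBytes", "", "", "ReturnValue[0]", "remote", "manual"]
+- ["github.com/valyala/fasthttp", "RequestHeader", True, "PeekKeys", "", "", "ReturnValue[0]", "remote", "manual"]
+- ["github.com/valyala/fasthttp", "RequestHeader", True, "PeekTrailerKeys", "", "", "ReturnValue[0]", "remote", "manual"]
+- ["github.com/valyala/fasthttp", "RequestHeader", True, "RawHeaders", "", "", "ReturnValue[0]", "remote", "manual"]
+- ["github.com/valyala/fasthttp", "RequestHeader", True, "Referer", "", "", "ReturnValue[0]", "remote", "manual"]
+- ["github.com/valyala/fasthttp", "RequestHeader", True, "RequestURI", "", "", "ReturnValue[0]", "remote", "manual"]
+- ["github.com/valyala/fasthttp", "RequestHeader", True, "String", "", "", "ReturnValue[0]", "remote", "manual"]
+- ["github.com/valyala/fasthttp", "RequestHeader", True, "TrailerHeader", "", "", "ReturnValue[0]", "remote", "manual"]
+- ["github.com/valyala/fasthttp", "RequestHeader", True, "UserAgent", "", "", "ReturnValue[0]", "remote", "manual"]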
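Review bot: The new sourceModel block loses the follow-up that the deprecated QL classes carry in Fasthttp.qll ("When support for lambdas has been implemented we should model VisitAll, VisitAllCookie, VisitAllInOrder, VisitAllTrailer" in the Args, RequestCtx and RequestHeader modules); once those deprecated modules are removed, the reminder disappears with them. A YAML comment above the `- addsTo:` line at the top of this hunk would keep it next to the rows that replace the QL, e.g. `# TODO: model the callback-based accessors (VisitAll, VisitAllCookie, VisitAllInOrder, VisitAllTrailer) once callback parameters can be modelled as sources.` Separately, the `ContinueReadBody`, `ContinueReadBodyStream`, `ReadBody` and `ReadLimitBody` rows use `Argument[0]` where every other row uses `ReturnValue[0]`; a one-line comment saying that the reader passed to these methods (presumably the first argument) is what becomes remote-controlled would save the next reader a trip to the fasthttp API docs.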
40 changes: 28 additions & 12 deletions go/ql/lib/semmle/go/frameworks/Fasthttp.qll
Expand Up @@ -252,18 +252,22 @@ module Fasthttp {
}

/**
* DEPRECATED
*
* Provide modeling for fasthttp.URI Type.
*/
module URI {
deprecated module URI {
/**
* DEPRECATED: Use `RemoteFlowSource` instead.
* DEPRECATED: Use `RemoteFlowSource::Range` instead.
*/
deprecated class UntrustedFlowSource = RemoteFlowSource;

/**
* DEPRECATED: Use `RemoteFlowSource::Range` instead.
*
* The methods as Remote user controllable source which are part of the incoming URL.
*/
class RemoteFlowSource extends RemoteFlowSource::Range instanceof DataFlow::Node {
deprecated class RemoteFlowSource extends RemoteFlowSource::Range instanceof DataFlow::Node {
RemoteFlowSource() {
exists(Method m |
m.hasQualifiedName(packagePath(), "URI",
Expand All @@ -275,20 +279,24 @@ module Fasthttp {
}

/**
* DEPRECATED
*
* Provide modeling for fasthttp.Args Type.
*/
module Args {
deprecated module Args {
/**
* DEPRECATED: Use `RemoteFlowSource` instead.
* DEPRECATED: Use `RemoteFlowSource::Range` instead.
*/
deprecated class UntrustedFlowSource = RemoteFlowSource;

/**
* DEPRECATED: Use `RemoteFlowSource::Range` instead.
*
* The methods as Remote user controllable source which are part of the incoming URL Parameters.
*
* When support for lambdas has been implemented we should model "VisitAll".
*/
class RemoteFlowSource extends RemoteFlowSource::Range instanceof DataFlow::Node {
deprecated class RemoteFlowSource extends RemoteFlowSource::Range instanceof DataFlow::Node {
RemoteFlowSource() {
exists(Method m |
m.hasQualifiedName(packagePath(), "Args",
Expand Down Expand Up @@ -397,14 +405,16 @@ module Fasthttp {
*/
module Request {
/**
* DEPRECATED: Use `RemoteFlowSource` instead.
* DEPRECATED: Use `RemoteFlowSource::range` instead.
*/
deprecated class UntrustedFlowSource = RemoteFlowSource;

/**
* DEPRECATED: Use `RemoteFlowSource::range` instead.
*
* The methods as Remote user controllable source which can be many part of request.
*/
class RemoteFlowSource extends RemoteFlowSource::Range instanceof DataFlow::Node {
deprecated class RemoteFlowSource extends RemoteFlowSource::Range instanceof DataFlow::Node {
RemoteFlowSource() {
exists(Method m |
m.hasQualifiedName(packagePath(), "Request",
Expand Down Expand Up @@ -484,11 +494,13 @@ module Fasthttp {
deprecated class UntrustedFlowSource = RemoteFlowSource;

/**
* DEPRECATED: Use `RemoteFlowSource` instead.
*
* The methods as Remote user controllable source which are generally related to HTTP request.
*
* When support for lambdas has been implemented we should model "VisitAll", "VisitAllCookie", "VisitAllInOrder", "VisitAllTrailer".
*/
class RemoteFlowSource extends RemoteFlowSource::Range instanceof DataFlow::Node {
deprecated class RemoteFlowSource extends RemoteFlowSource::Range instanceof DataFlow::Node {
RemoteFlowSource() {
exists(Method m |
m.hasQualifiedName(packagePath(), "RequestCtx",
Expand All @@ -503,20 +515,24 @@ module Fasthttp {
}

/**
* DEPRECATED
*
* Provide Methods of fasthttp.RequestHeader which mostly used as remote user controlled sources.
*/
module RequestHeader {
deprecated module RequestHeader {
/**
* DEPRECATED: Use `RemoteFlowSource` instead.
* DEPRECATED: Use `RemoteFlowSource::Range` instead.
*/
deprecated class UntrustedFlowSource = RemoteFlowSource;

/**
* DEPRECATED: Use `RemoteFlowSource::Range` instead.
*
* The methods as Remote user controllable source which are mostly related to HTTP Request Headers.
*
* When support for lambdas has been implemented we should model "VisitAll", "VisitAllCookie", "VisitAllInOrder", "VisitAllTrailer".
*/
class RemoteFlowSource extends RemoteFlowSource::Range instanceof DataFlow::Node {
deprecated class RemoteFlowSource extends RemoteFlowSource::Range instanceof DataFlow::Node {
RemoteFlowSource() {
exists(Method m |
m.hasQualifiedName(packagePath(), "RequestHeader",
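Review bot: The replacement hints added in the Request hunk (`@@ -397,14 +405,16 @@`) point at `RemoteFlowSource::range` with a lowercase r, while the URI, Args and RequestHeader hunks point at `RemoteFlowSource::Range`; since the class is `RemoteFlowSource::Range`, both Request lines should use the same spelling as the other modules. In the RequestCtx hunk (`@@ -484,11 +494,13 @@`) the line counts suggest the `* DEPRECATED: Use RemoteFlowSource instead.` doc line is new as well, and it sends the reader to the very class being deprecated rather than to `RemoteFlowSource::Range`. The `module Request` header stays undeprecated whereas URI, Args and RequestHeader become `deprecated module`; if Request (and RequestCtx, whose module header is outside the hunk) still contain non-deprecated members that is fine, otherwise they should be marked the same way. The enclosing `module Fasthttp` begins and ends outside these hunks.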
28 changes: 14 additions & 14 deletions go/ql/test/experimental/CWE-090/LDAPInjection.expected
@@ -1,18 +1,18 @@
edges
| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:59:3:59:11 | untrusted | provenance | Src:MaD:735 |
| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:61:3:61:51 | ...+... | provenance | Src:MaD:735 |
| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:62:3:62:33 | slice literal | provenance | Src:MaD:735 |
| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:62:24:62:32 | untrusted | provenance | Src:MaD:735 |
| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:66:3:66:11 | untrusted | provenance | Src:MaD:735 |
| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:68:3:68:51 | ...+... | provenance | Src:MaD:735 |
| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:69:3:69:33 | slice literal | provenance | Src:MaD:735 |
| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:69:24:69:32 | untrusted | provenance | Src:MaD:735 |
| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:73:3:73:11 | untrusted | provenance | Src:MaD:735 |
| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:75:3:75:51 | ...+... | provenance | Src:MaD:735 |
| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:76:3:76:33 | slice literal | provenance | Src:MaD:735 |
| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:76:24:76:32 | untrusted | provenance | Src:MaD:735 |
| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:80:22:80:30 | untrusted | provenance | Src:MaD:735 |
| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:81:25:81:33 | untrusted | provenance | Src:MaD:735 |
| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:59:3:59:11 | untrusted | provenance | Src:MaD:785 |
| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:61:3:61:51 | ...+... | provenance | Src:MaD:785 |
| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:62:3:62:33 | slice literal | provenance | Src:MaD:785 |
| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:62:24:62:32 | untrusted | provenance | Src:MaD:785 |
| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:66:3:66:11 | untrusted | provenance | Src:MaD:785 |
| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:68:3:68:51 | ...+... | provenance | Src:MaD:785 |
| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:69:3:69:33 | slice literal | provenance | Src:MaD:785 |
| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:69:24:69:32 | untrusted | provenance | Src:MaD:785 |
| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:73:3:73:11 | untrusted | provenance | Src:MaD:785 |
| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:75:3:75:51 | ...+... | provenance | Src:MaD:785 |
| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:76:3:76:33 | slice literal | provenance | Src:MaD:785 |
| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:76:24:76:32 | untrusted | provenance | Src:MaD:785 |
| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:80:22:80:30 | untrusted | provenance | Src:MaD:785 |
| LDAPInjection.go:57:15:57:29 | call to UserAgent | LDAPInjection.go:81:25:81:33 | untrusted | provenance | Src:MaD:785 |
| LDAPInjection.go:62:3:62:33 | slice literal [array] | LDAPInjection.go:62:3:62:33 | slice literal | provenance | |
| LDAPInjection.go:62:24:62:32 | untrusted | LDAPInjection.go:62:3:62:33 | slice literal [array] | provenance | |
| LDAPInjection.go:69:3:69:33 | slice literal [array] | LDAPInjection.go:69:3:69:33 | slice literal | provenance | |
6 changes: 3 additions & 3 deletions go/ql/test/experimental/CWE-203/Timing.expected
@@ -1,9 +1,9 @@
edges
| timing.go:15:18:15:27 | selection of Header | timing.go:15:18:15:45 | call to Get | provenance | Src:MaD:741 MaD:716 |
| timing.go:15:18:15:27 | selection of Header | timing.go:15:18:15:45 | call to Get | provenance | Src:MaD:791 MaD:766 |
| timing.go:15:18:15:45 | call to Get | timing.go:17:31:17:42 | headerSecret | provenance | |
| timing.go:28:18:28:27 | selection of Header | timing.go:28:18:28:45 | call to Get | provenance | Src:MaD:741 MaD:716 |
| timing.go:28:18:28:27 | selection of Header | timing.go:28:18:28:45 | call to Get | provenance | Src:MaD:791 MaD:766 |
| timing.go:28:18:28:45 | call to Get | timing.go:30:47:30:58 | headerSecret | provenance | |
| timing.go:41:18:41:27 | selection of Header | timing.go:41:18:41:45 | call to Get | provenance | Src:MaD:741 MaD:716 |
| timing.go:41:18:41:27 | selection of Header | timing.go:41:18:41:45 | call to Get | provenance | Src:MaD:791 MaD:766 |
| timing.go:41:18:41:45 | call to Get | timing.go:42:25:42:36 | headerSecret | provenance | |
nodes
| timing.go:15:18:15:27 | selection of Header | semmle.label | selection of Header |
2 changes: 1 addition & 1 deletion go/ql/test/experimental/CWE-287/ImproperLdapAuth.expected
@@ -1,5 +1,5 @@
edges
| ImproperLdapAuth.go:18:18:18:24 | selection of URL | ImproperLdapAuth.go:18:18:18:32 | call to Query | provenance | Src:MaD:743 MaD:804 |
| ImproperLdapAuth.go:18:18:18:24 | selection of URL | ImproperLdapAuth.go:18:18:18:32 | call to Query | provenance | Src:MaD:793 MaD:854 |
| ImproperLdapAuth.go:18:18:18:32 | call to Query | ImproperLdapAuth.go:28:23:28:34 | bindPassword | provenance | |
| ImproperLdapAuth.go:87:18:87:19 | "" | ImproperLdapAuth.go:97:23:97:34 | bindPassword | provenance | |
nodes
12 changes: 6 additions & 6 deletions go/ql/test/experimental/CWE-369/DivideByZero.expected
@@ -1,24 +1,24 @@
edges
| DivideByZero.go:10:12:10:16 | selection of URL | DivideByZero.go:10:12:10:24 | call to Query | provenance | Src:MaD:743 MaD:804 |
| DivideByZero.go:10:12:10:16 | selection of URL | DivideByZero.go:10:12:10:24 | call to Query | provenance | Src:MaD:793 MaD:854 |
| DivideByZero.go:10:12:10:24 | call to Query | DivideByZero.go:11:27:11:32 | param1 | provenance | |
| DivideByZero.go:11:2:11:33 | ... := ...[0] | DivideByZero.go:12:16:12:20 | value | provenance | |
| DivideByZero.go:11:27:11:32 | param1 | DivideByZero.go:11:2:11:33 | ... := ...[0] | provenance | Config |
| DivideByZero.go:17:12:17:16 | selection of URL | DivideByZero.go:17:12:17:24 | call to Query | provenance | Src:MaD:743 MaD:804 |
| DivideByZero.go:17:12:17:16 | selection of URL | DivideByZero.go:17:12:17:24 | call to Query | provenance | Src:MaD:793 MaD:854 |
| DivideByZero.go:17:12:17:24 | call to Query | DivideByZero.go:18:11:18:24 | type conversion | provenance | |
| DivideByZero.go:18:11:18:24 | type conversion | DivideByZero.go:19:16:19:20 | value | provenance | |
| DivideByZero.go:24:12:24:16 | selection of URL | DivideByZero.go:24:12:24:24 | call to Query | provenance | Src:MaD:743 MaD:804 |
| DivideByZero.go:24:12:24:16 | selection of URL | DivideByZero.go:24:12:24:24 | call to Query | provenance | Src:MaD:793 MaD:854 |
| DivideByZero.go:24:12:24:24 | call to Query | DivideByZero.go:25:31:25:36 | param1 | provenance | |
| DivideByZero.go:25:2:25:45 | ... := ...[0] | DivideByZero.go:26:16:26:20 | value | provenance | |
| DivideByZero.go:25:31:25:36 | param1 | DivideByZero.go:25:2:25:45 | ... := ...[0] | provenance | Config |
| DivideByZero.go:31:12:31:16 | selection of URL | DivideByZero.go:31:12:31:24 | call to Query | provenance | Src:MaD:743 MaD:804 |
| DivideByZero.go:31:12:31:16 | selection of URL | DivideByZero.go:31:12:31:24 | call to Query | provenance | Src:MaD:793 MaD:854 |
| DivideByZero.go:31:12:31:24 | call to Query | DivideByZero.go:32:33:32:38 | param1 | provenance | |
| DivideByZero.go:32:2:32:43 | ... := ...[0] | DivideByZero.go:33:16:33:20 | value | provenance | |
| DivideByZero.go:32:33:32:38 | param1 | DivideByZero.go:32:2:32:43 | ... := ...[0] | provenance | Config |
| DivideByZero.go:38:12:38:16 | selection of URL | DivideByZero.go:38:12:38:24 | call to Query | provenance | Src:MaD:743 MaD:804 |
| DivideByZero.go:38:12:38:16 | selection of URL | DivideByZero.go:38:12:38:24 | call to Query | provenance | Src:MaD:793 MaD:854 |
| DivideByZero.go:38:12:38:24 | call to Query | DivideByZero.go:39:32:39:37 | param1 | provenance | |
| DivideByZero.go:39:2:39:46 | ... := ...[0] | DivideByZero.go:40:16:40:20 | value | provenance | |
| DivideByZero.go:39:32:39:37 | param1 | DivideByZero.go:39:2:39:46 | ... := ...[0] | provenance | Config |
| DivideByZero.go:54:12:54:16 | selection of URL | DivideByZero.go:54:12:54:24 | call to Query | provenance | Src:MaD:743 MaD:804 |
| DivideByZero.go:54:12:54:16 | selection of URL | DivideByZero.go:54:12:54:24 | call to Query | provenance | Src:MaD:793 MaD:854 |
| DivideByZero.go:54:12:54:24 | call to Query | DivideByZero.go:55:11:55:24 | type conversion | provenance | |
| DivideByZero.go:55:11:55:24 | type conversion | DivideByZero.go:57:17:57:21 | value | provenance | |
nodes