
codeql-go: Expand Go standard library taint-tracking models to 63 packages, 554 models and 733 tests (from ~13 packages, ~103 models, ~50 tests) #187

@gagliardetto

Description


CVE ID(s)

No CVE IDs for now.

Report

Many CodeQL queries use taint-flow tracking in their logic. That allows them to track the movement (step by step) of data in the code from one point (a source) to another (a sink).

But taint-tracking is only as good as the number of taint-tracking models we have (i.e. the steps).

We could miss an XSS or SQL injection in a widely-used app just because of a missing taint-tracking model.

For that reason, I decided to expand the base of models that existing and new queries will stand upon.

To do that, I built a graphical tool to speed up the process of creating the models: https://github.com/gagliardetto/codebox

(Here's what the (web) interface looks like:)

[screenshot: codebox web interface]

After 25 PRs into codeql-go (all merged), now the Go standard library taint-tracking covers 63 packages, with 554 models and 733 tests.

Previously, that was ~13 packages, ~103 models, and ~50 tests.

See github/codeql-go#167 (comment) for the complete list of PRs and packages covered in them.


Added libraries and tests:

Taint models: https://github.com/github/codeql-go/tree/main/ql/src/semmle/go/frameworks/stdlib

Tests: https://github.com/github/codeql-go/tree/main/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow

Imports: https://github.com/github/codeql-go/blob/main/ql/src/semmle/go/frameworks/Stdlib.qll#L6-L65
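For readers who have not opened the links above, this is the shape of one such stdlib taint step, written here as an added illustration rather than code copied from those PRs. It assumes codeql-go's `TaintTracking::FunctionModel`, `FunctionInput` and `FunctionOutput` API of that era; the predicate names are taken to match it.

```ql
import go

/**
 * Added example of a taint-step model for the Go standard library.
 * It records that data flows from parameter 0 (s) and parameter 2 (new)
 * of strings.Replace into its result, so a user-controlled string that
 * passes through strings.Replace stays tainted on its way to a sink.
 * Assumption: FunctionModel, FunctionInput, FunctionOutput and
 * hasQualifiedName are codeql-go's library API at the time of this work.
 */
class StringsReplaceModel extends TaintTracking::FunctionModel {
  FunctionInput inp;
  FunctionOutput outp;

  StringsReplaceModel() {
    // signature: func Replace(s, old, new string, n int) string
    this.hasQualifiedName("strings", "Replace") and
    (inp.isParameter(0) or inp.isParameter(2)) and
    outp.isResult()
  }

  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
    input = inp and output = outp
  }
}

// Without a step like this, a path such as
//   q := r.URL.Query().Get("q")
//   w.Write([]byte(strings.Replace(q, "\n", " ", -1)))
// has a gap at the Replace call, and the reflected-XSS query stays silent
// even though the response still carries the untrusted input.
```

Each model in the PRs is paired with a test file under the StdlibTaintFlow directory linked above that exercises the function with a tainted argument and checks the flow reaches a sink.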


  • Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing

No, I'm not planning to discuss this vulnerability submission publicly.

Result(s)

Provide at least one useful result found by your query, on some revision of a real project.

To have a complete assessment of the impact of the new models, we would need to run the complete suite of CodeQL queries on all the Go projects known to lgtm.com. That's a challenge.

Until that can be done, @smowton kindly ran some partial lgtm.com-compare for the reflected-XSS query with a few batches of the new models: see github/codeql-go#347 (comment) for the new results that were found:

[screenshot: comment listing the new reflected-XSS results]

And that's the result improvement for just one query.

Metadata

Labels: All For One (Submissions to the All for One, One for All bounty)
