Go: convert request-forgery, xpath-injection and credentials sinks to MaD

go/ql/lib/ext/github.com.antchfx.htmlquery.model.yml

@@ -0,0 +1,9 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["github.com/antchfx/htmlquery", "", True, "Find", "", "", "Argument[1]", "xpath-injection", "manual"]
+      - ["github.com/antchfx/htmlquery", "", True, "FindOne", "", "", "Argument[1]", "xpath-injection", "manual"]
+      - ["github.com/antchfx/htmlquery", "", True, "Query", "", "", "Argument[1]", "xpath-injection", "manual"]
+      - ["github.com/antchfx/htmlquery", "", True, "QueryAll", "", "", "Argument[1]", "xpath-injection", "manual"]

go/ql/lib/ext/github.com.antchfx.jsonquery.model.yml

@@ -0,0 +1,9 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["github.com/antchfx/jsonquery", "", True, "Find", "", "", "Argument[1]", "xpath-injection", "manual"]
+      - ["github.com/antchfx/jsonquery", "", True, "FindOne", "", "", "Argument[1]", "xpath-injection", "manual"]
+      - ["github.com/antchfx/jsonquery", "", True, "Query", "", "", "Argument[1]", "xpath-injection", "manual"]
+      - ["github.com/antchfx/jsonquery", "", True, "QueryAll", "", "", "Argument[1]", "xpath-injection", "manual"]

go/ql/lib/ext/github.com.antchfx.xmlquery.model.yml

@@ -0,0 +1,13 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["github.com/antchfx/xmlquery", "", True, "Find", "", "", "Argument[1]", "xpath-injection", "manual"]
+      - ["github.com/antchfx/xmlquery", "", True, "FindOne", "", "", "Argument[1]", "xpath-injection", "manual"]
+      - ["github.com/antchfx/xmlquery", "", True, "FindEach", "", "", "Argument[1]", "xpath-injection", "manual"]
+      - ["github.com/antchfx/xmlquery", "", True, "FindEachWithBreak", "", "", "Argument[1]", "xpath-injection", "manual"]
+      - ["github.com/antchfx/xmlquery", "", True, "Query", "", "", "Argument[1]", "xpath-injection", "manual"]
+      - ["github.com/antchfx/xmlquery", "", True, "QueryAll", "", "", "Argument[1]", "xpath-injection", "manual"]
+      - ["github.com/antchfx/xmlquery", "Node", True, "SelectElement", "", "", "Argument[0]", "xpath-injection", "manual"]
+      - ["github.com/antchfx/xmlquery", "Node", True, "SelectElements", "", "", "Argument[0]", "xpath-injection", "manual"]

go/ql/lib/ext/github.com.antchfx.xpath.model.yml

@@ -0,0 +1,9 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["github.com/antchfx/xpath", "", True, "Compile", "", "", "Argument[0]", "xpath-injection", "manual"]
+      - ["github.com/antchfx/xpath", "", True, "CompileWithNS", "", "", "Argument[0]", "xpath-injection", "manual"]
+      - ["github.com/antchfx/xpath", "", True, "MustCompile", "", "", "Argument[0]", "xpath-injection", "manual"]
+      - ["github.com/antchfx/xpath", "", True, "Select", "", "", "Argument[1]", "xpath-injection", "manual"]

go/ql/lib/ext/github.com.appleboy.gin-jwt.model.yml

@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["github.com/appleboy/gin-jwt", "GinJWTMiddleware", True, "Key", "", "", "", "credentials-key", "manual"]

go/ql/lib/ext/github.com.christrenkamp.goxpath.model.yml

@@ -0,0 +1,8 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["github.com/ChrisTrenkamp/goxpath", "", True, "MustParse", "", "", "Argument[0]", "xpath-injection", "manual"]
+      - ["github.com/ChrisTrenkamp/goxpath", "", True, "Parse", "", "", "Argument[0]", "xpath-injection", "manual"]
+      - ["github.com/ChrisTrenkamp/goxpath", "", True, "ParseExec", "", "", "Argument[0]", "xpath-injection", "manual"]

go/ql/lib/ext/github.com.go-jose.go-jose.model.yml

@@ -0,0 +1,14 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: packageGrouping
+    data:
+      - ["go-jose", "github.com/go-jose/go-jose"]
+      - ["go-jose", "gopkg.in/square/go-jose"]
+      - ["go-jose", "github.com/square/go-jose"]
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["group:go-jose", "Recipient", True, "Key", "", "", "", "credentials-key", "manual"]
+      - ["group:go-jose", "SigningKey", True, "Key", "", "", "", "credentials-key", "manual"]

go/ql/lib/ext/github.com.go-xmlpath.xmlpath.model.yml

@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["github.com/go-xmlpath/xmlpath", "", True, "Compile", "", "", "Argument[0]", "xpath-injection", "manual"]
+      - ["github.com/go-xmlpath/xmlpath", "", True, "MustCompile", "", "", "Argument[0]", "xpath-injection", "manual"]

go/ql/lib/ext/github.com.gogf.gf-jwt.model.yml

@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["github.com/gogf/gf-jwt", "GfJWTMiddleware", True, "Key", "", "", "", "credentials-key", "manual"]

go/ql/lib/ext/github.com.jbowtie.gokogiri.model.yml

@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["github.com/jbowtie/gokogiri/xpath", "", True, "Compile", "", "", "Argument[0]", "xpath-injection", "manual"]

go/ql/lib/ext/github.com.jbowtie.gokogiri.xml.model.yml

@@ -0,0 +1,9 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["github.com/jbowtie/gokogiri/xml", "Node", True, "Search", "", "", "Argument[0]", "xpath-injection", "manual"]
+      - ["github.com/jbowtie/gokogiri/xml", "Node", True, "SearchWithVariables", "", "", "Argument[0]", "xpath-injection", "manual"]
+      - ["github.com/jbowtie/gokogiri/xml", "Node", True, "EvalXPath", "", "", "Argument[0]", "xpath-injection", "manual"]
+      - ["github.com/jbowtie/gokogiri/xml", "Node", True, "EvalXPathAsBoolean", "", "", "Argument[0]", "xpath-injection", "manual"]

go/ql/lib/ext/github.com.kataras.iris.middleware.jwt.model.yml

@@ -4,3 +4,4 @@ extensions:
       extensible: sinkModel
     data:
       - ["github.com/kataras/iris/middleware/jwt", "", True, "NewSigner", "", "", "Argument[1]", "credentials-key", "manual"]
+      - ["github.com/kataras/iris/middleware/jwt", "Signer", True, "Key", "", "", "", "credentials-key", "manual"]

go/ql/lib/ext/github.com.lestrrat-go.libxml2.parser.model.yml

@@ -0,0 +1,8 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["github.com/lestrrat-go/libxml2/parser", "Parser", True, "Parse", "", "", "Argument[0]", "xpath-injection", "manual"]
+      - ["github.com/lestrrat-go/libxml2/parser", "Parser", True, "ParseReader", "", "", "Argument[0]", "xpath-injection", "manual"]
+      - ["github.com/lestrrat-go/libxml2/parser", "Parser", True, "ParseString", "", "", "Argument[0]", "xpath-injection", "manual"]

go/ql/lib/ext/github.com.santhosh-tekuri.xpathparser.model.yml

@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["github.com/santhosh-tekuri/xpathparser", "", True, "Parse", "", "", "Argument[0]", "xpath-injection", "manual"]
+      - ["github.com/santhosh-tekuri/xpathparser", "", True, "MustParse", "", "", "Argument[0]", "xpath-injection", "manual"]

go/ql/lib/ext/github.com.valyala.fasthttp.model.yml

@@ -1,4 +1,33 @@
 extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["github.com/valyala/fasthttp", "", True, "Get", "", "", "Argument[1]", "request-forgery", "manual"]
+      - ["github.com/valyala/fasthttp", "", True, "GetDeadline", "", "", "Argument[1]", "request-forgery", "manual"]
+      - ["github.com/valyala/fasthttp", "", True, "GetTimeout", "", "", "Argument[1]", "request-forgery", "manual"]
+      - ["github.com/valyala/fasthttp", "", True, "Post", "", "", "Argument[1]", "request-forgery", "manual"]
+      - ["github.com/valyala/fasthttp", "", True, "Dial", "", "", "Argument[0]", "request-forgery[TCP Addr + Port]", "manual"]
+      - ["github.com/valyala/fasthttp", "", True, "DialDualStack", "", "", "Argument[0]", "request-forgery[TCP Addr + Port]", "manual"]
+      - ["github.com/valyala/fasthttp", "", True, "DialDualStackTimeout", "", "", "Argument[0]", "request-forgery[TCP Addr + Port]", "manual"]
+      - ["github.com/valyala/fasthttp", "", True, "DialTimeout", "", "", "Argument[0]", "request-forgery[TCP Addr + Port]", "manual"]
+      - ["github.com/valyala/fasthttp", "Client", True, "Get", "", "", "Argument[1]", "request-forgery", "manual"]
+      - ["github.com/valyala/fasthttp", "Client", True, "GetDeadline", "", "", "Argument[1]", "request-forgery", "manual"]
+      - ["github.com/valyala/fasthttp", "Client", True, "GetTimeout", "", "", "Argument[1]", "request-forgery", "manual"]
+      - ["github.com/valyala/fasthttp", "Client", True, "Post", "", "", "Argument[1]", "request-forgery", "manual"]
+      - ["github.com/valyala/fasthttp", "HostClient", True, "Get", "", "", "Argument[1]", "request-forgery", "manual"]
+      - ["github.com/valyala/fasthttp", "HostClient", True, "GetDeadline", "", "", "Argument[1]", "request-forgery", "manual"]
+      - ["github.com/valyala/fasthttp", "HostClient", True, "GetTimeout", "", "", "Argument[1]", "request-forgery", "manual"]
+      - ["github.com/valyala/fasthttp", "HostClient", True, "Post", "", "", "Argument[1]", "request-forgery", "manual"]
+      - ["github.com/valyala/fasthttp", "Request", True, "SetHost", "", "", "Argument[0]", "request-forgery", "manual"]
+      - ["github.com/valyala/fasthttp", "Request", True, "SetHostBytes", "", "", "Argument[0]", "request-forgery", "manual"]
+      - ["github.com/valyala/fasthttp", "Request", True, "SetRequestURI", "", "", "Argument[0]", "request-forgery", "manual"]
+      - ["github.com/valyala/fasthttp", "Request", True, "SetRequestURIBytes", "", "", "Argument[0]", "request-forgery", "manual"]
+      - ["github.com/valyala/fasthttp", "Request", True, "SetURI", "", "", "Argument[0]", "request-forgery", "manual"]
+      - ["github.com/valyala/fasthttp", "TCPDialer", True, "Dial", "", "", "Argument[0]", "request-forgery[TCP Addr + Port]", "manual"]
+      - ["github.com/valyala/fasthttp", "TCPDialer", True, "DialDualStack", "", "", "Argument[0]", "request-forgery[TCP Addr + Port]", "manual"]
+      - ["github.com/valyala/fasthttp", "TCPDialer", True, "DialDualStackTimeout", "", "", "Argument[0]", "request-forgery[TCP Addr + Port]", "manual"]
+      - ["github.com/valyala/fasthttp", "TCPDialer", True, "DialTimeout", "", "", "Argument[0]", "request-forgery[TCP Addr + Port]", "manual"]
   - addsTo:
       pack: codeql/go-all
       extensible: summaryModel
@@ -8,7 +37,6 @@ extensions:
       - ["github.com/valyala/fasthttp", "URI", False, "Update", "", "", "Argument[0]", "Argument[receiver]", "taint", "manual"]
       - ["github.com/valyala/fasthttp", "URI", False, "UpdateBytes", "", "", "Argument[0]", "Argument[receiver]", "taint", "manual"]
       - ["github.com/valyala/fasthttp", "URI", False, "Parse", "", "", "Argument[0..1]", "Argument[receiver]", "taint", "manual"]
-
   - addsTo:
       pack: codeql/go-all
       extensible: sourceModel

go/ql/lib/go.qll

@@ -44,7 +44,6 @@ import semmle.go.frameworks.Fiber
 import semmle.go.frameworks.Gin
 import semmle.go.frameworks.GinCors
 import semmle.go.frameworks.Glog
-import semmle.go.frameworks.Gogf
 import semmle.go.frameworks.GoJose
 import semmle.go.frameworks.GoKit
 import semmle.go.frameworks.GoMicro

go/ql/lib/semmle/go/frameworks/Fasthttp.qll

@@ -213,13 +213,15 @@ module Fasthttp {
     }
 
     /**
+     * DEPRECATED: Use `RequestForgery::Sink` instead.
+     *
      * A function that sends HTTP requests.
      *
      * Get* send a HTTP GET request.
      * Post send a HTTP POST request.
      * These functions first argument is a URL.
      */
-    class RequestForgerySink extends RequestForgery::Sink {
+    deprecated class RequestForgerySink extends RequestForgery::Sink {
       RequestForgerySink() {
         exists(Function f |
           f.hasQualifiedName(packagePath(), ["Get", "GetDeadline", "GetTimeout", "Post"]) and
@@ -233,10 +235,12 @@ module Fasthttp {
     }
 
     /**
+     * DEPRECATED: Use `RequestForgery::Sink` instead.
+     *
      * A function that create initial connection to a TCP address.
      * Following Functions only accept TCP address + Port in their first argument.
      */
-    class RequestForgerySinkDial extends RequestForgery::Sink {
+    deprecated class RequestForgerySinkDial extends RequestForgery::Sink {
       RequestForgerySinkDial() {
         exists(Function f |
           f.hasQualifiedName(packagePath(),
@@ -308,15 +312,19 @@ module Fasthttp {
   }
 
   /**
+   * DEPRECATED
+   *
    * Provide modeling for fasthttp.TCPDialer Type.
    */
-  module TcpDialer {
+  deprecated module TcpDialer {
     /**
+     * DEPRECATED: Use `RequestForgery::Sink` instead.
+     *
      * A method that create initial connection to a TCP address.
      * Provide Methods which can be used as dangerous RequestForgery Sinks.
      * Following Methods only accept TCP address + Port in their first argument.
      */
-    class RequestForgerySinkDial extends RequestForgery::Sink {
+    deprecated class RequestForgerySinkDial extends RequestForgery::Sink {
       RequestForgerySinkDial() {
         exists(Method m |
           m.hasQualifiedName(packagePath(), "TCPDialer",
@@ -332,16 +340,20 @@ module Fasthttp {
   }
 
   /**
+   * DEPRECATED
+   *
    * Provide modeling for fasthttp.Client Type.
    */
-  module Client {
+  deprecated module Client {
     /**
+     * DEPRECATED: Use `RequestForgery::Sink` instead.
+     *
      * A method that sends HTTP requests.
      * Get* send a HTTP GET request.
      * Post send a HTTP POST request.
      * these Functions first arguments is a URL.
      */
-    class RequestForgerySink extends RequestForgery::Sink {
+    deprecated class RequestForgerySink extends RequestForgery::Sink {
       RequestForgerySink() {
         exists(Method m |
           m.hasQualifiedName(packagePath(), "Client", ["Get", "GetDeadline", "GetTimeout", "Post"]) and
@@ -356,16 +368,20 @@ module Fasthttp {
   }
 
   /**
+   * DEPRECATED
+   *
    * Provide modeling for fasthttp.HostClient Type.
    */
-  module HostClient {
+  deprecated module HostClient {
     /**
+     * DEPRECATED: Use `RequestForgery::Sink` instead.
+     *
      * A method that sends HTTP requests.
      * Get* send a HTTP GET request.
      * Post send a HTTP POST request.
      * these Functions first arguments is a URL.
      */
-    class RequestForgerySink extends RequestForgery::Sink {
+    deprecated class RequestForgerySink extends RequestForgery::Sink {
       RequestForgerySink() {
         exists(Method m |
           m.hasQualifiedName(packagePath(), "HostClient",
@@ -434,12 +450,14 @@ module Fasthttp {
     }
 
     /**
+     * DEPRECATED: Use `RequestForgery::Sink` instead.
+     *
      * A method that create the URL and Host parts of a `Request` type.
      *
      * This instance of `Request` type can be used in some functions/methods
      * like `func Do(req *Request, resp *Response) error` that will lead to server side request forgery vulnerability.
      */
-    class RequestForgerySink extends RequestForgery::Sink {
+    deprecated class RequestForgerySink extends RequestForgery::Sink {
       RequestForgerySink() {
         exists(Method m |
           m.hasQualifiedName(packagePath(), "Request",

go/ql/lib/semmle/go/frameworks/Gin.qll

@@ -3,7 +3,6 @@
  */
 
 import go
-private import semmle.go.security.HardcodedCredentials
 
 private module Gin {
   /** Gets the package name `github.com/gin-gonic/gin`. */
@@ -30,13 +29,4 @@ private module Gin {
 
     override DataFlow::Node getAPathArgument() { result = this.getArgument(pathArg) }
   }
-
-  private class GinJwtSign extends HardcodedCredentials::Sink {
-    GinJwtSign() {
-      exists(Field f |
-        f.hasQualifiedName(package("github.com/appleboy/gin-jwt", ""), "GinJWTMiddleware", "Key") and
-        f.getAWrite().getRhs() = this
-      )
-    }
-  }
 }

go/ql/lib/semmle/go/frameworks/GoJose.qll

@@ -4,26 +4,8 @@
  */
 
 import go
-private import semmle.go.security.HardcodedCredentials
 
 private module GoJose {
-  private class GoJoseKey extends HardcodedCredentials::Sink {
-    GoJoseKey() {
-      exists(Field f |
-        f.hasQualifiedName(goJosePackage(), ["Recipient", "SigningKey"], "Key") and
-        f.getAWrite().getRhs() = this
-      )
-    }
-  }
-
-  private string goJosePackage() {
-    result =
-      [
-        package("github.com/square/go-jose", ""), package("github.com/go-jose/go-jose", ""),
-        "gopkg.in/square/go-jose.v2"
-      ]
-  }
-
   /**
    * Provides classes and predicates for working with the `gopkg.in/square/go-jose/jwt` and
    * `github.com/go-jose/go-jose/jwt` packages.

go/ql/lib/semmle/go/frameworks/Iris.qll

@@ -3,7 +3,6 @@
  */
 
 import go
-private import semmle.go.security.HardcodedCredentials
 
 private module Iris {
   /** Gets the v1 module path `github.com/kataras/iris`. */
@@ -47,13 +46,4 @@ private module Iris {
 
     override DataFlow::Node getAPathArgument() { result = this.getArgument(pathArg) }
   }
-
-  private class IrisJwt extends HardcodedCredentials::Sink {
-    IrisJwt() {
-      exists(Field f |
-        f.hasQualifiedName(package("github.com/kataras/iris", "middleware/jwt"), "Signer", "Key") and
-        f.getAWrite().getRhs() = this
-      )
-    }
-  }
 }