Add web framework: github.com/gofiber/fiber

[gagliardetto]

Part of github/securitylab#335

CodeQL Module Summary for Fiber:

Packages:

• github.com/gofiber/fiber@v1.14.6
• github.com/gofiber/utils@v0.1.0

Model kind TaintTracking:

• FUNCS:
  • func github.com/gofiber/fiber.NewError(code int, message ...string) *github.com/gofiber/fiber.Error
  • func github.com/gofiber/utils.GetBytes(s string) []byte
  • func github.com/gofiber/utils.GetString(b []byte) string
  • func github.com/gofiber/utils.ImmutableString(s string) string
  • func github.com/gofiber/utils.SafeBytes(b []byte) []byte
  • func github.com/gofiber/utils.SafeString(s string) string
  • func github.com/gofiber/utils.ToLower(b string) string
  • func github.com/gofiber/utils.ToLowerBytes(b []byte) []byte
  • func github.com/gofiber/utils.ToUpper(b string) string
  • func github.com/gofiber/utils.ToUpperBytes(b []byte) []byte
  • func github.com/gofiber/utils.Trim(s string, cutset byte) string
  • func github.com/gofiber/utils.TrimBytes(b []byte, cutset byte) []byte
  • func github.com/gofiber/utils.TrimLeft(s string, cutset byte) string
  • func github.com/gofiber/utils.TrimLeftBytes(b []byte, cutset byte) []byte
  • func github.com/gofiber/utils.TrimRight(s string, cutset byte) string
  • func github.com/gofiber/utils.TrimRightBytes(b []byte, cutset byte) []byte
  • func github.com/gofiber/utils.UnsafeBytes(s string) (bs []byte)
  • func github.com/gofiber/utils.UnsafeString(b []byte) string

---

Model kind HTTP::Redirect:

• FUNCS:
  • func (*github.com/gofiber/fiber.Ctx).Redirect(location string, status ...int)

---

Model kind HTTP::HeaderWrite:

• FUNCS:
  • func (*github.com/gofiber/fiber.Ctx).Append(field string, values ...string)
  • func (*github.com/gofiber/fiber.Ctx).Set(key string, val string)

---

Model kind HTTP::ResponseBody:

• FUNCS:
  • func (*github.com/gofiber/fiber.Ctx).Format(body interface{})
  • func (*github.com/gofiber/fiber.Ctx).JSON(data interface{}) error
  • func (*github.com/gofiber/fiber.Ctx).JSONP(data interface{}, callback ...string) error
  • func (*github.com/gofiber/fiber.Ctx).Send(bodies ...interface{})
  • func (*github.com/gofiber/fiber.Ctx).SendBytes(body []byte)
  • func (*github.com/gofiber/fiber.Ctx).SendStream(stream io.Reader, size ...int)
  • func (*github.com/gofiber/fiber.Ctx).SendString(body string)
  • func (*github.com/gofiber/fiber.Ctx).Write(bodies ...interface{})

---

Model kind UntrustedFlowSource:

• FUNCS:
  • func (*github.com/gofiber/fiber.Ctx).BaseURL() string
  • func (*github.com/gofiber/fiber.Ctx).Body() string
  • func (*github.com/gofiber/fiber.Ctx).BodyParser(out interface{}) error
  • func (*github.com/gofiber/fiber.Ctx).Cookies(key string, defaultValue ...string) string
  • func (*github.com/gofiber/fiber.Ctx).FormFile(key string) (*mime/multipart.FileHeader, error)
  • func (*github.com/gofiber/fiber.Ctx).FormValue(key string) (value string)
  • func (*github.com/gofiber/fiber.Ctx).Get(key string, defaultValue ...string) string
  • func (*github.com/gofiber/fiber.Ctx).Hostname() string
  • func (*github.com/gofiber/fiber.Ctx).Method(override ...string) string
  • func (*github.com/gofiber/fiber.Ctx).MultipartForm() (*mime/multipart.Form, error)
  • func (*github.com/gofiber/fiber.Ctx).OriginalURL() string
  • func (*github.com/gofiber/fiber.Ctx).Params(key string, defaultValue ...string) string
  • func (*github.com/gofiber/fiber.Ctx).Path(override ...string) string
  • func (*github.com/gofiber/fiber.Ctx).Protocol() string
  • func (*github.com/gofiber/fiber.Ctx).Query(key string, defaultValue ...string) string
  • func (*github.com/gofiber/fiber.Ctx).QueryParser(out interface{}) error
  • func (*github.com/gofiber/fiber.Ctx).Range(size int) (rangeData github.com/gofiber/fiber.Range, err error)
  • func (*github.com/gofiber/fiber.Ctx).Subdomains(offset ...int) []string
• STRUCTS:
  • github.com/gofiber/fiber.Cookie
  • github.com/gofiber/fiber.Error

[sauyon]

I think these are fine to go into non-experimental. Also, I think we should save the spec files for these somewhere in case we want to regenerate them for some reason. @smowton do you know if there's a problem with including them inside ql/src?

[smowton]

Similar to the FastHTTP PR, Protocol is very likely safe because the framework will have determined it is http or https by the time your code is reached.

Before we make this non-experimental we should evaluate the results on all projects -- @sauyon would you mind kicking off XSS and OpenRedirect restricted to the sinks/sources specified in this package and see what we get? Same goes for FastHTTP.

[gagliardetto]

I think we should save the spec files for these somewhere in case we want to regenerate them for some reason.

Should I include the spec in each PR?

[sauyon]

Yes, I think it would make sense to have.

[gagliardetto]

I added the specs.

To use them, run:

make run-linux spec=/path/to/codemill-specs/web-frameworks/FastHTTP.json dir=generated http=true gen=true

or

GOPACKAGESDEBUG=true GO111MODULE=on GOOS=linux GOARCH=amd64 go run main.go --spec=/path/to/codemill-specs/web-frameworks/FastHTTP.json --dir=generated --http=true --gen=true --summary=true

or a variation of that.

[gagliardetto]

Before we make this non-experimental we should evaluate the results on all projects -- @sauyon would you mind kicking off XSS and OpenRedirect restricted to the sinks/sources specified in this package and see what we get? Same goes for FastHTTP.

Any news on that front?

[gagliardetto]

Hey, any news here?

[sauyon]

Stuck in limbo waiting for a change to LGTM which may or may not happen.

On that note: are you intending to make the changes that @smowton recommended?

[gagliardetto]

On that note: are you intending to make the changes that @smowton recommended?

Are the suggested changes necessary for the LGTM compare?

For the time being (if those changes aren't immediately necessary) I'll stand by and wait to have some clarity about the next steps in the evolution of the bug bounty program 🤔

This "little" project is taking waaay much longer to complete that I expected 😰

[sauyon]

The LGTM runs looks fine to me; let me know if you'd prefer that we finished up these frameworks ourselves.

[gagliardetto]

let me know if you'd prefer that we finished up these frameworks ourselves.

I'd like to wait a few more weeks before jumping ship.

[smowton]

It think if you address the comment

Similar to the FastHTTP PR, Protocol is very likely safe because the framework will have determined it is http or https by the time your code is reached.

Then this is likely good to go

[gagliardetto]

Awesome! I'll fix that today

[gagliardetto]

Similar to the FastHTTP PR, Protocol is very likely safe because the framework will have determined it is http or https by the time your code is reached.

The protocol is just syntactic sugar for the client (so that it knows what to use to connect to the server).

A client can specify any protocol and the server will accept it because it doesn't care (in many cases).

Example:

Server:

package main

import (
	"fmt"
	"log"

	"github.com/valyala/fasthttp"
)

func main() {
	listenAddr := "127.0.0.1:8087"

	requestHandler := func(ctx *fasthttp.RequestCtx) {
		fmt.Fprintf(ctx, "Hello, world! Request protocol is %q", ctx.Request.Header.Protocol())
	}

	if err := fasthttp.ListenAndServe(listenAddr, requestHandler); err != nil {
		log.Fatalf("error in ListenAndServe: %s", err)
	}
}

and let's send a request with the DONUT/123 protocol:

printf "HELLO whatever DONUT/123\r\n\r\n" | nc 127.0.0.1 8087

which outputs:

As for the argument "Everyone uses a load balancer in front of their services", I could assume that about any vulnerability and mitigation.

[gagliardetto]

Should be OK now. @smowton @sauyon

[gagliardetto]

🥳 🎊