
codeql-go: Expand Go standard library taint-tracking models to 63 packages, 554 models and 733 tests (from ~13 packages, ~103 models, ~50 tests) #187

Status: Closed
gagliardetto opened this issue Sep 24, 2020 · 9 comments
Labels: All For One (Submissions to the All for One, One for All bounty)

Comments

@gagliardetto (Contributor) commented Sep 24, 2020

CVE ID(s)

No CVE IDs for now.

Report

Many CodeQL queries use taint-flow tracking in their logic. That allows them to track the movement (step by step) of data in the code from one point (a source) to another (a sink).

But taint-tracking is only as good as the number of taint-tracking models we have (i.e. the steps).

We could miss an XSS or SQL-injection in a widely-used app just because of a missing taint-tracking model.

For that reason, I decided to expand the base of models that existing and new queries will stand upon.

To do that, I built a graphical tool to speed up the process of creating the models: https://github.com/gagliardetto/codebox

Here's what the web interface looks like:

[screenshot: codebox web interface]

After 25 PRs into codeql-go (all merged), now the Go standard library taint-tracking covers 63 packages, with 554 models and 733 tests.

Previously, that was ~13 packages, ~103 models, and ~50 tests.

See github/codeql-go#167 (comment) for the complete list of PRs and packages covered in them.


Added libraries and tests:

Taint models: https://github.com/github/codeql-go/tree/main/ql/src/semmle/go/frameworks/stdlib

Tests: https://github.com/github/codeql-go/tree/main/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow

Imports: https://github.com/github/codeql-go/blob/main/ql/src/semmle/go/frameworks/Stdlib.qll#L6-L65


  • Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing

No, I'm not planning to discuss this vulnerability submission publicly.

Result(s)

Provide at least one useful result found by your query, on some revision of a real project.

To have a complete assessment of the impact of the new models, we would need to run the complete suite of CodeQL queries on all the Go projects known to lgtm.com. That's a challenge.

Until that can be done, @smowton kindly ran some partial lgtm.com-compare runs for the reflected-XSS query with a few batches of the new models. See github/codeql-go#347 (comment) for the new results that were found:

[screenshot: lgtm.com-compare results comment]

And that's the result improvement for just one query.

@gagliardetto gagliardetto added the All For One Submissions to the All for One, One for All bounty label Sep 24, 2020
@gagliardetto gagliardetto changed the title codeql-go: Expand Go standard library taint-tracking models to 63 packages, 554 models and 733 tests (from ~13 packages, ~103 models, ~25 tests) codeql-go: Expand Go standard library taint-tracking models to 63 packages, 554 models and 733 tests (from ~13 packages, ~103 models, ~50 tests) Sep 24, 2020
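To make concrete what "a taint-tracking model" means in the submission above, here is an added illustration in QL. It is not part of the submission, the linked PRs, or codeql-go's own files; it is written in the style of the stdlib models (one `TaintTracking::FunctionModel` subclass per function, with a `hasTaintFlow` predicate mapping inputs to outputs) and is followed by a small path query that relies on such steps. The class and configuration names are hypothetical; `TaintTracking::FunctionModel`, `FunctionInput`, `FunctionOutput`, `UntrustedFlowSource` and `HTTP::ResponseBody` are the codeql-go library API as it existed at the time of this issue.

```ql
/**
 * @name Untrusted input reaches an HTTP response body (illustration)
 * @kind path-problem
 * @id go/examples/stdlib-taint-step-illustration
 */

import go
import DataFlow::PathGraph

// Added example, not codeql-go's own code. Each class below is one "model":
// a step that tells the taint tracker "if this input is tainted, this output
// is tainted too". Without such a step the tracker stops at the call and the
// source-to-sink path is lost, which is exactly how a real XSS gets missed.

// signature: func ToUpper(s string) string
// Taint on the only parameter flows to the only result.
private class StringsToUpper extends TaintTracking::FunctionModel {
  StringsToUpper() { this.hasQualifiedName("strings", "ToUpper") }

  override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) {
    inp.isParameter(0) and outp.isResult()
  }
}

// signature: func Join(elems []string, sep string) string
// Either argument may carry taint into the result, hence the wildcard index.
private class StringsJoin extends TaintTracking::FunctionModel {
  StringsJoin() { this.hasQualifiedName("strings", "Join") }

  override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) {
    inp.isParameter(_) and outp.isResult()
  }
}

// signature: func (*Builder).WriteString(s string) (int, error)
// A method model: taint on the argument flows into the receiver, so that a
// later `b.String()` on the same builder is treated as tainted. Note that the
// (int, error) results are deliberately NOT marked as tainted outputs.
private class StringsBuilderWriteString extends TaintTracking::FunctionModel, Method {
  StringsBuilderWriteString() { this.hasQualifiedName("strings", "Builder", "WriteString") }

  override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) {
    inp.isParameter(0) and outp.isReceiver()
  }
}

// A minimal taint configuration that benefits from the steps above. Every
// FunctionModel in scope is picked up automatically as an additional taint
// step; nothing has to be registered by hand.
class ExampleXssConfig extends TaintTracking::Configuration {
  ExampleXssConfig() { this = "ExampleXssConfig" }

  // Hypothetical choice of source/sink for the illustration: any untrusted
  // input (e.g. a query parameter) reaching an HTTP response body.
  override predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }

  override predicate isSink(DataFlow::Node sink) { sink instanceof HTTP::ResponseBody }
}

from ExampleXssConfig cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "Untrusted data from $@ reaches the response body.",
  source.getNode(), "here"
```

With these three steps present, a handler that does `w.Write([]byte(strings.ToUpper(r.URL.Query().Get("q"))))`, or that accumulates the parameter into a `strings.Builder` before writing it, is reported; with the steps absent the flow is silently dropped at the `strings` call. A practitioner checking a new model should also confirm it does not over-approximate (for example, marking the `error` result of `WriteString` as tainted would produce spurious paths), which is what the per-model tests in the submission are for.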
@JLLeitschuh commented:
That's pretty impressive! 👏

@gagliardetto (Contributor, author) commented:

Thanks @JLLeitschuh ! That's just the beginning. I've got some more automation designs of this kind.

@ghsecuritylab (Collaborator) commented:

Your submission is now in status SecLab review.

For information, the evaluation workflow is the following:
CodeQL initial assessment > SecLab review > CodeQL review > SecLab finalize > Pay > Closed

@kevinbackhouse (Contributor) commented:

Awesome work @gagliardetto! I have just completed the SecLab review and will pass it onto the next stage.

@ghsecuritylab (Collaborator) commented:

Your submission is now in status CodeQL review.

@gagliardetto (Contributor, author) commented:

Thank you @kevinbackhouse !

@ghsecuritylab (Collaborator) commented:

Your submission is now in status SecLab finalize.

@ghsecuritylab (Collaborator) commented:

Your submission is now in status Pay.

@ghsecuritylab (Collaborator) commented:

Your submission is now in status Closed.