Merge pull request #17205 from egregius313/egregius313/go/dataflow/mo…

…dels/environment

Go: Add models for environment variables

go/ql/lib/change-notes/2024-08-12-add-environment-models.md

@@ -0,0 +1,11 @@
+---
+category: minorAnalysis
+---
+* Local source models for reading and parsing environment variables have been added for the following libraries:
+  - os
+  - syscall
+  - github.com/caarlos0/env
+  - github.com/gobuffalo/envy
+  - github.com/hashicorp/go-envparse
+  - github.com/joho/godotenv
+  - github.com/kelseyhightower/envconfig

go/ql/lib/ext/github.com.caarlos0.env.model.yml

@@ -0,0 +1,16 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sourceModel
+    data:
+      - ["github.com/caarlos0/env", "", False, "Parse", "", "", "Argument[0]", "environment", "manual"]
+      - ["github.com/caarlos0/env", "", False, "ParseAs", "", "", "ReturnValue[0]", "environment", "manual"]
+      - ["github.com/caarlos0/env", "", False, "ParseAsWithOptions", "", "", "ReturnValue[0]", "environment", "manual"]
+      - ["github.com/caarlos0/env", "", False, "ParseWithFuncs", "", "", "Argument[0]", "environment", "manual"]
+      - ["github.com/caarlos0/env", "", False, "ParseWithOptions", "", "", "Argument[0]", "environment", "manual"]
+  - addsTo:
+      pack: codeql/go-all
+      extensible: summaryModel
+    data:
+      - ["github.com/caarlos0/env", "", False, "Must", "", "", "Argument[0]", "ReturnValue", "value", "manual"]
+      - ["github.com/caarlos0/env", "", False, "ToMap", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]

go/ql/lib/ext/github.com.gobuffalo.envy.model.yml

@@ -0,0 +1,12 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sourceModel
+    data:
+      - ["github.com/gobuffalo/envy", "", False, "Environ", "", "", "ReturnValue", "environment", "manual"]
+      - ["github.com/gobuffalo/envy", "", False, "Get", "", "", "ReturnValue", "environment", "manual"]
+      - ["github.com/gobuffalo/envy", "", False, "GoBin", "", "", "ReturnValue", "environment", "manual"]
+      - ["github.com/gobuffalo/envy", "", False, "GoPath", "", "", "ReturnValue", "environment", "manual"]
+      - ["github.com/gobuffalo/envy", "", False, "GoPaths", "", "", "ReturnValue", "environment", "manual"]
+      - ["github.com/gobuffalo/envy", "", False, "Map", "", "", "ReturnValue", "environment", "manual"]
+      - ["github.com/gobuffalo/envy", "", False, "MustGet", "", "", "ReturnValue[0]", "environment", "manual"]

go/ql/lib/ext/github.com.hashicorp.go-envparse.model.yml

@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sourceModel
+    data:
+      - ["github.com/hashicorp/go-envparse", "", False, "Parse", "", "", "ReturnValue", "environment", "manual"]

go/ql/lib/ext/github.com.joho.godotenv.model.yml

@@ -0,0 +1,9 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sourceModel
+    data:
+      - ["github.com/joho/godotenv", "", False, "Parse", "", "", "ReturnValue", "environment", "manual"]
+      - ["github.com/joho/godotenv", "", False, "Read", "", "", "ReturnValue", "environment", "manual"]
+      - ["github.com/joho/godotenv", "", False, "Unmarshal", "", "", "ReturnValue", "environment", "manual"]
+      - ["github.com/joho/godotenv", "", False, "UnmarshalBytes", "", "", "ReturnValue", "environment", "manual"]

go/ql/lib/ext/github.com.kelseyhightower.envconfig.model.yml

@@ -0,0 +1,11 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sourceModel
+    data:
+      - ["github.com/kelseyhightower/envconfig", "", False, "CheckDisallowed", "", "", "Argument[1]", "environment", "manual"]
+      - ["github.com/kelseyhightower/envconfig", "", False, "MustProcess", "", "", "Argument[1]", "environment", "manual"]
+      - ["github.com/kelseyhightower/envconfig", "", False, "Process", "", "", "Argument[1]", "environment", "manual"]
+      - ["github.com/kelseyhightower/envconfig", "", False, "Usage", "", "", "Argument[1]", "environment", "manual"]
+      - ["github.com/kelseyhightower/envconfig", "", False, "Usagef", "", "", "Argument[1]", "environment", "manual"]
+      - ["github.com/kelseyhightower/envconfig", "", False, "Usaget", "", "", "Argument[1]", "environment", "manual"]

go/ql/lib/ext/os.model.yml

@@ -46,6 +46,13 @@ extensions:
       pack: codeql/go-all
       extensible: sourceModel
     data:
+      - ["os", "", False, "Environ", "", "", "ReturnValue", "environment", "manual"] # TODO: when sources can have access paths, use .ArrayElement
+      - ["os", "", False, "ExpandEnv", "", "", "ReturnValue", "environment", "manual"]
+      - ["os", "", False, "Getenv", "", "", "ReturnValue", "environment", "manual"]
+      - ["os", "", False, "LookupEnv", "", "", "ReturnValue[0]", "environment", "manual"]
       - ["os", "", False, "Open", "", "", "ReturnValue[0]", "file", "manual"]
       - ["os", "", False, "OpenFile", "", "", "ReturnValue[0]", "file", "manual"]
-      - ["os", "", False, "ReadFile", "", "", "ReturnValue[0]", "file", "manual"]
+      - ["os", "", False, "ReadFile", "", "", "ReturnValue[0]", "file", "manual"]
+      - ["os", "", False, "UserCacheDir", "", "", "ReturnValue[0]", "environment", "manual"]
+      - ["os", "", False, "UserConfigDir", "", "", "ReturnValue[0]", "environment", "manual"]
+      - ["os", "", False, "UserHomeDir", "", "", "ReturnValue[0]", "environment", "manual"]

go/ql/lib/ext/syscall.model.yml

@@ -20,3 +20,9 @@ extensions:
       - ["syscall", "Conn", True, "SyscallConn", "", "", "Argument[receiver]", "ReturnValue[0]", "taint", "manual"]
       - ["syscall", "RawConn", True, "Read", "", "", "Argument[receiver]", "Argument[0]", "taint", "manual"]
       - ["syscall", "RawConn", True, "Write", "", "", "Argument[0]", "Argument[receiver]", "taint", "manual"]
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sourceModel
+    data:
+      - ["syscall", "", False, "Environ", "", "", "ReturnValue", "environment", "manual"]
+      - ["syscall", "", False, "Getenv", "", "", "ReturnValue[0]", "environment", "manual"]

go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/environment/go.mod

@@ -0,0 +1,9 @@
+module test
+
+go 1.22.5
+
+require (
+	github.com/hashicorp/go-envparse v0.1.0
+	github.com/joho/godotenv v1.5.1
+	github.com/kelseyhightower/envconfig v1.4.0
+)

go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/environment/test.expected

@@ -0,0 +1,3 @@
+testFailures
+invalidModelRow
+failures

go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/environment/test.ext.yml

@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/threat-models
+      extensible: threatModelConfiguration
+    data:
+      - ["environment", true, 0]

go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/environment/test.go

@@ -0,0 +1,116 @@
+package test
+
+import (
+	"fmt"
+	"github.com/caarlos0/env"
+	"github.com/gobuffalo/envy"
+	"github.com/hashicorp/go-envparse"
+	"github.com/joho/godotenv"
+	"github.com/kelseyhightower/envconfig"
+	"os"
+	"syscall"
+)
+
+func osEnvironmentVariables() {
+	home := os.Getenv("HOME") // $ source
+
+	port, ok := os.LookupEnv("PORT") // $ source
+	if !ok {
+		port = "3000"
+	}
+
+	for _, e := range os.Environ() { // $ source
+		_ = e
+	}
+
+	fmt.Printf("HOME: %s\n", home)
+	fmt.Printf("PORT: %s\n", port)
+}
+
+type ServerConfig struct {
+	Port int    `envconfig:"PORT"`
+	Host string `envconfig:"HOST"`
+}
+
+func envconfigEnvironmentVariables() {
+	var cfg ServerConfig
+	envconfig.Process("myapp", &cfg) // $ source
+}
+
+func godotenvEnvironmentVariables() {
+	var err error
+	var username, greeting string
+
+	users, err := godotenv.Read("user.env") // $ source
+	if err != nil {
+		return
+	}
+
+	username = users["USERNAME"]
+
+	greetings, err := godotenv.Unmarshal("HELLO=hello") // $ source
+	if err != nil {
+		return
+	}
+
+	greeting = greetings["HELLO"]
+
+	fmt.Printf("%s, %s!\n", greeting, username)
+}
+
+func envparseEnvironmentVariables() {
+	f, err := os.Open("file.txt")
+	if err != nil {
+		return
+	}
+	defer f.Close()
+	envVars, err := envparse.Parse(f) // $ source
+
+	if err != nil {
+		return
+	}
+
+	fmt.Printf("HOME: %s\n", envVars["HOME"])
+}
+
+func caarlos0EnvironmentVariables() {
+	type config struct {
+		Home string `env:"HOME"`
+		Port int    `env:"PORT"`
+	}
+
+	cfg := config{}
+	err := env.Parse(&cfg) // $ source
+
+	fmt.Printf("HOME: %s\n", cfg.Home)
+
+	cfg, err = env.ParseAs[config]() // $ source
+
+	if err != nil {
+		return
+	}
+
+	fmt.Printf("HOME: %s\n", cfg.Home)
+}
+
+func envyEnvironmentVariables() {
+	goPath := envy.GoPath() // $ source
+
+	fmt.Printf("GOPATH: %s\n", goPath)
+
+	homeDir := envy.MustGet("HOME") // $ source
+
+	fmt.Printf("HOME: %s\n", homeDir)
+}
+
+func syscallEnvironmentVariables() {
+	for _, envVar := range syscall.Environ() { // $ source
+		fmt.Println("%s", envVar)
+	}
+
+	home, found := syscall.Getenv("HOME") // $ source
+	if !found {
+		return
+	}
+	fmt.Println("HOME: %s", home)
+}

go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/environment/test.ql

@@ -0,0 +1,19 @@
+import go
+import ModelValidation
+import TestUtilities.InlineExpectationsTest
+
+module SourceTest implements TestSig {
+  string getARelevantTag() { result = "source" }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(ThreatModelFlowSource s |
+      s.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
+        location.getStartColumn(), location.getEndLine(), location.getEndColumn()) and
+      element = s.toString() and
+      value = "" and
+      tag = "source"
+    )
+  }
+}
+
+import MakeTest<SourceTest>