Go: Add flow sources for AWS Lambda function handlers

Author: atorralba

go/ql/lib/change-notes/2024-01-18-aws-lambda-sources.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Support for flow sources in [AWS Lambda function handlers](https://docs.aws.amazon.com/lambda/latest/dg/golang-handler.html) has been added.

go/ql/lib/semmle/go/frameworks/AwsLambda.qll

@@ -0,0 +1,59 @@
+/**
+ * Provides classes for working with untrusted flow sources, sinks and taint propagators
+ * from the `github.com/aws/aws-lambda-go/lambda` package.
+ */
+
+import go
+
+/** A source of input data in an AWS Lambda. */
+private class LambdaInput extends UntrustedFlowSource::Range {
+  LambdaInput() {
+    exists(Parameter p | p = this.asParameter() |
+      p = any(HandlerFunction hf).getAParameter() and
+      not p.getType().hasQualifiedName("context", "Context") and
+      not p instanceof ReceiverVariable
+    )
+  }
+}
+
+private class HandlerFunction extends FuncDef {
+  HandlerFunction() {
+    exists(StartOrNewHandlerFunction f, Expr e |
+      f.getACall().getArgument(f.getHandlerArgPos()).asExpr() = e
+    |
+      this = e.(FunctionName).getTarget().getFuncDecl() or
+      this = e.(FuncLit)
+    )
+    or
+    this = any(Method m | m.implements(awsLambdaPkg(), "Handler", "Invoke")).getFuncDecl()
+    or
+    exists(ConversionExpr ce |
+      ce.getTypeExpr().getType() instanceof HandlerImpl and
+      this = ce.getOperand().(FunctionName).getTarget().getFuncDecl()
+    )
+  }
+}
+
+private class StartOrNewHandlerFunction extends Function {
+  int handlerArgPos;
+
+  StartOrNewHandlerFunction() {
+    this.hasQualifiedName(awsLambdaPkg(),
+      [
+        "Start", "StartHandler", "StartHandlerFunc", "StartWithOptions", "NewHandler",
+        "NewHandlerWithOptions"
+      ]) and
+    handlerArgPos = 0
+    or
+    this.hasQualifiedName(awsLambdaPkg(), "StartHandlerWithContext") and
+    handlerArgPos = 1
+  }
+
+  int getHandlerArgPos() { result = handlerArgPos }
+}
+
+private class HandlerImpl extends Type {
+  HandlerImpl() { this.implements(awsLambdaPkg(), "Handler") }
+}
+
+private string awsLambdaPkg() { result = "github.com/aws/aws-lambda-go/lambda" }

go/ql/test/library-tests/semmle/go/frameworks/AwsLambda/go.mod

@@ -0,0 +1,5 @@
+module AwsLambda
+
+go 1.21
+
+require github.com/aws/aws-lambda-go v1.44.0

go/ql/test/library-tests/semmle/go/frameworks/AwsLambda/test.expected

@@ -0,0 +1,204 @@
+package test
+
+//go:generate depstubber -vendor github.com/aws/aws-lambda-go/lambda Handler,HandlerFunc,Option Start,StartHandler,StartHandlerFunc,StartHandlerWithContext,NewHandler
+// FIXME: ^ this currently fails for generic types and functions, like HandlerFunc or StartHandlerFunc. Stubs have been manually created for now.
+
+import (
+	"context"
+
+	"github.com/aws/aws-lambda-go/lambda"
+)
+
+type Event struct {
+	Name string `json:""`
+	Age  int    `json:""`
+}
+
+type Response struct {
+	Message string `json:""`
+}
+
+func sink(sink interface{}) {}
+
+// func (TIn)
+func Handler0(event *Event) {
+	sink(event.Name) // $ hasTaintFlow="selection of Name"
+	sink(event.Age)  // $ hasTaintFlow="selection of Age"
+	sink(event)      // $ hasTaintFlow="event"
+}
+
+// func (TIn) error
+func Handler1(event *Event) error {
+	sink(event.Name) // $ hasTaintFlow="selection of Name"
+	sink(event.Age)  // $ hasTaintFlow="selection of Age"
+	sink(event)      // $ hasTaintFlow="event"
+	return nil
+}
+
+// func (TIn) (TOut, error)
+func Handler2(event *Event) (*Response, error) {
+	sink(event.Name) // $ hasTaintFlow="selection of Name"
+	sink(event.Age)  // $ hasTaintFlow="selection of Age"
+	sink(event)      // $ hasTaintFlow="event"
+	return &Response{Message: ""}, nil
+}
+
+// func (context.Context)
+func Handler3(ctx context.Context) {
+	sink(ctx) // safe
+}
+
+// func (context.Context) error
+func Handler4(ctx context.Context) error {
+	sink(ctx) // safe
+	return nil
+}
+
+// func (context.Context) (TOut, error)
+func Handler5(ctx context.Context) (*Response, error) {
+	sink(ctx) // safe
+	return &Response{Message: ""}, nil
+}
+
+// func (context.Context, TIn)
+func Handler6(ctx context.Context, event Event) {
+	sink(ctx)        // safe
+	sink(event.Name) // $ hasTaintFlow="selection of Name"
+	sink(event.Age)  // $ hasTaintFlow="selection of Age"
+	sink(event)      // $ hasTaintFlow="event"
+}
+
+// func (context.Context, TIn) error
+func Handler7(ctx context.Context, event Event) error {
+	sink(ctx)        // safe
+	sink(event.Name) // $ hasTaintFlow="selection of Name"
+	sink(event.Age)  // $ hasTaintFlow="selection of Age"
+	sink(event)      // $ hasTaintFlow="event"
+	return nil
+}
+
+// func (context.Context, TIn) (TOut, error)
+func Handler8(ctx context.Context, event Event) (*Response, error) {
+	sink(ctx)        // safe
+	sink(event.Name) // $ hasTaintFlow="selection of Name"
+	sink(event.Age)  // $ hasTaintFlow="selection of Age"
+	sink(event)      // $ hasTaintFlow="event"
+	return &Response{Message: ""}, nil
+}
+
+type MyHandlerFunc func(context.Context, []byte) ([]byte, error)
+
+func (f MyHandlerFunc) Invoke(ctx context.Context, payload []byte) ([]byte, error) {
+	return f(ctx, payload)
+}
+
+func Handler9(ctx context.Context, payload []byte) ([]byte, error) {
+	sink(payload) // $ hasTaintFlow="payload"
+	return payload, nil
+}
+
+type Handler10 struct{}
+
+func (h *Handler10) Invoke(ctx context.Context, payload []byte) ([]byte, error) {
+	sink(payload) // $ hasTaintFlow="payload"
+	return payload, nil
+}
+
+func Handler11(ctx context.Context, event Event) (*Response, error) {
+	sink(ctx)        // safe
+	sink(event.Name) // $ hasTaintFlow="selection of Name"
+	sink(event.Age)  // $ hasTaintFlow="selection of Age"
+	sink(event)      // $ hasTaintFlow="event"
+	return &Response{Message: ""}, nil
+}
+
+func Handler12(ctx context.Context, payload []byte) ([]byte, error) {
+	sink(payload) // $ hasTaintFlow="payload"
+	return payload, nil
+}
+
+type Handler13 struct{}
+
+func (h *Handler13) Invoke(ctx context.Context, payload []byte) ([]byte, error) {
+	sink(payload) // $ hasTaintFlow="payload"
+	return payload, nil
+}
+
+func Handler14(ctx context.Context, event Event) (*Response, error) {
+	sink(ctx)        // safe
+	sink(event.Name) // $ hasTaintFlow="selection of Name"
+	sink(event.Age)  // $ hasTaintFlow="selection of Age"
+	sink(event)      // $ hasTaintFlow="event"
+	return &Response{Message: ""}, nil
+}
+
+func Handler15(ctx context.Context, event Event) (*Response, error) {
+	sink(ctx)        // safe
+	sink(event.Name) // $ hasTaintFlow="selection of Name"
+	sink(event.Age)  // $ hasTaintFlow="selection of Age"
+	sink(event)      // $ hasTaintFlow="event"
+	return &Response{Message: ""}, nil
+}
+
+func Handler16(ctx context.Context, event Event) (*Response, error) {
+	sink(ctx)        // safe
+	sink(event.Name) // $ hasTaintFlow="selection of Name"
+	sink(event.Age)  // $ hasTaintFlow="selection of Age"
+	sink(event)      // $ hasTaintFlow="event"
+	return &Response{Message: ""}, nil
+}
+
+func main() {
+	lambda.Start(Handler0)
+	lambda.Start(Handler1)
+	lambda.Start(Handler2)
+	lambda.Start(Handler3)
+	lambda.Start(Handler4)
+	lambda.Start(Handler5)
+	lambda.Start(Handler6)
+	lambda.Start(Handler7)
+	lambda.Start(Handler8)
+	lambda.Start(func(ctx context.Context, event Event) (*Response, error) {
+		sink(ctx)        // safe
+		sink(event.Name) // $ hasTaintFlow="selection of Name"
+		sink(event.Age)  // $ hasTaintFlow="selection of Age"
+		sink(event)      // $ hasTaintFlow="event"
+		return &Response{Message: ""}, nil
+	})
+	lambda.StartHandler(MyHandlerFunc(Handler9))
+	lambda.StartHandler(&Handler10{})
+	lambda.StartHandlerFunc(Handler11)
+	lambda.StartHandlerFunc(func(ctx context.Context, event Event) (*Response, error) {
+		sink(ctx)        // safe
+		sink(event.Name) // $ hasTaintFlow="selection of Name"
+		sink(event.Age)  // $ hasTaintFlow="selection of Age"
+		sink(event)      // $ hasTaintFlow="event"
+		return &Response{Message: ""}, nil
+	})
+	lambda.StartHandlerWithContext(context.Background(), MyHandlerFunc(Handler12))
+	lambda.StartHandlerWithContext(context.Background(), &Handler13{})
+	lambda.StartWithOptions(Handler14)
+	lambda.StartWithOptions(func(ctx context.Context, event Event) (*Response, error) {
+		sink(ctx)        // safe
+		sink(event.Name) // $ hasTaintFlow="selection of Name"
+		sink(event.Age)  // $ hasTaintFlow="selection of Age"
+		sink(event)      // $ hasTaintFlow="event"
+		return &Response{Message: ""}, nil
+	})
+	lambda.NewHandler(Handler15)
+	lambda.NewHandler(func(ctx context.Context, event Event) (*Response, error) {
+		sink(ctx)        // safe
+		sink(event.Name) // $ hasTaintFlow="selection of Name"
+		sink(event.Age)  // $ hasTaintFlow="selection of Age"
+		sink(event)      // $ hasTaintFlow="event"
+		return &Response{Message: ""}, nil
+	})
+	lambda.NewHandlerWithOptions(Handler16)
+	lambda.NewHandlerWithOptions(func(ctx context.Context, event Event) (*Response, error) {
+		sink(ctx)        // safe
+		sink(event.Name) // $ hasTaintFlow="selection of Name"
+		sink(event.Age)  // $ hasTaintFlow="selection of Age"
+		sink(event)      // $ hasTaintFlow="event"
+		return &Response{Message: ""}, nil
+	})
+}

go/ql/test/library-tests/semmle/go/frameworks/AwsLambda/test.go

@@ -0,0 +1,13 @@
+import go
+import semmle.go.frameworks.AwsLambda
+import TestUtilities.InlineFlowTest
+
+module Config implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }
+
+  predicate isSink(DataFlow::Node sink) {
+    exists(Function fn | fn.hasQualifiedName(_, "sink") | sink = fn.getACall().getAnArgument())
+  }
+}
+
+import TaintFlowTest<Config>

go/ql/test/library-tests/semmle/go/frameworks/AwsLambda/test.ql

@@ -0,0 +1,3 @@
+# github.com/aws/aws-lambda-go v1.44.0
+## explicit
+github.com/aws/aws-lambda-go