Skip to content

Commit 48966d6

Browse files
GeekMasherGeekMasher
committed
feat: client service support
1 parent 62bad6c commit 48966d6

1 file changed

Lines changed: 52 additions & 0 deletions

File tree

go/ql/lib/semmle/go/frameworks/GoMicro.qll

Lines changed: 52 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -3,6 +3,7 @@
33
*/
44

55
import go
6+
private import semmle.go.security.RequestForgeryCustomizations
67

78
/**
89
* Module for Go-Micro framework.
@@ -15,6 +16,13 @@ module GoMicro {
1516
GoMicroServerType() { this.hasQualifiedName("go-micro.dev/v4/server", "Server") }
1617
}
1718

19+
/**
20+
* A GoMicro client type.
21+
*/
22+
class GoMicroClientType extends Type {
23+
GoMicroClientType() { this.hasQualifiedName("go-micro.dev/v4/client", "Client") }
24+
}
25+
1826
/**
1927
* A file that is generated by the protobuf compiler.
2028
*/
@@ -84,6 +92,20 @@ module GoMicro {
8492
}
8593
}
8694

95+
/**
96+
* A Client server handler type.
97+
*/
98+
class ClientServiceType extends NamedType {
99+
ClientServiceType() {
100+
exists(ServiceInterfaceType i, TypeEntity te |
101+
this.implements(i) and
102+
this.getName().regexpMatch("(?i).*Service") and
103+
te.getType() = this and
104+
te.getDeclaration().getLocation().getFile() instanceof ProtocGeneratedFile
105+
)
106+
}
107+
}
108+
87109
/**
88110
* A service register handler.
89111
*/
@@ -111,6 +133,36 @@ module GoMicro {
111133
}
112134
}
113135

136+
/**
137+
* A client service function.
138+
*/
139+
class ClientService extends Function {
140+
ClientService() {
141+
exists(ClientServiceType c |
142+
this.getName().regexpMatch("(?i)new" + c.getName()) and
143+
this.getParameterType(0) instanceof StringType and
144+
this.getParameterType(1) instanceof GoMicroClientType and
145+
this.getDeclaration().getLocation().getFile() instanceof ProtocGeneratedFile
146+
)
147+
}
148+
}
149+
150+
/**
151+
* An SSRF sink for the Client service function.
152+
*/
153+
class ClientRequestUrlAsSink extends RequestForgery::Sink {
154+
ClientRequestUrlAsSink() {
155+
exists(DataFlow::CallNode call |
156+
call.getArgument(0) = this and
157+
call.getTarget() instanceof ClientService
158+
)
159+
}
160+
161+
override DataFlow::Node getARequest() { result = this }
162+
163+
override string getKind() { result = "URL" }
164+
}
165+
114166
/**
115167
* A set of remote requests from a service handler.
116168
*/

0 commit comments

Comments
 (0)