Handle gRPC requests as tainted sources (#43)

Author: picatz

README.md

@@ -23,7 +23,8 @@ sources reach the given sinks.
 cg, _ := callgraph.New(mainFn, buildSSA.SrcFuncs...)
 
 sources := taint.NewSources(
-	"*net/http.Request",
+        "*net/http.Request",
+        "google.golang.org/protobuf/proto.Message", // gRPC request types
 )
 
 sinks := taint.NewSinks(

check.go

@@ -1,6 +1,8 @@
 package taint
 
 import (
+	"go/types"
+
 	"golang.org/x/tools/go/callgraph"
 	"golang.org/x/tools/go/ssa"
 
@@ -176,11 +178,18 @@ func checkSSAValue(path callgraphutil.Path, sources Sources, v ssa.Value, visite
 	// (just one step?) to identify what actual value the caller used.
 	case *ssa.Parameter:
 		// Check if the parameter's type is a source.
-		paramTypeStr := value.Type().String()
+		paramType := value.Type()
+		paramTypeStr := paramType.String()
 		if src, ok := sources.includes(paramTypeStr); ok {
 			return true, src, value
 		}
 
+		// Check if the parameter type implements proto.Message when the
+		// caller provided it as a potential source.
+		if ok, src := protoMessageSource(sources, paramType); ok {
+			return true, src, value
+		}
+
 		// Check the parameter's referrers.
 		refs := value.Referrers()
 		if refs != nil {
@@ -379,6 +388,9 @@ func checkSSAValue(path callgraphutil.Path, sources Sources, v ssa.Value, visite
 		if src, ok := sources.includes(value.X.Type().String()); ok {
 			return true, src, value
 		}
+		if ok, src := protoMessageSource(sources, value.X.Type()); ok {
+			return true, src, value
+		}
 
 		tainted, src, tv := checkSSAValue(path, sources, value.X, visited)
 		if tainted {
@@ -597,3 +609,42 @@ func checkSSAInstruction(path callgraphutil.Path, sources Sources, i ssa.Instruc
 	}
 	return false, "", nil
 }
+
+// protoMessageSource checks if the given type implements proto.Message when that
+// type is present in the provided sources list. It returns true with the source
+// string if so.
+func protoMessageSource(sources Sources, t types.Type) (bool, string) {
+	if src, ok := sources.includes("google.golang.org/protobuf/proto.Message"); ok {
+		if hasProtoMessageMethod(t) {
+			return true, src
+		}
+	}
+	return false, ""
+}
+
+// hasProtoMessageMethod reports if the given type implements a ProtoMessage method
+// with no parameters and no results, which is used to identify protobuf message
+// types commonly used with gRPC services.
+func hasProtoMessageMethod(t types.Type) bool {
+	if ptr, ok := t.(*types.Pointer); ok {
+		t = ptr.Elem()
+	}
+
+	named, ok := t.(*types.Named)
+	if !ok {
+		return false
+	}
+
+	for i := 0; i < named.NumMethods(); i++ {
+		m := named.Method(i)
+		if m.Name() != "ProtoMessage" {
+			continue
+		}
+		if sig, ok := m.Type().(*types.Signature); ok {
+			if sig.Params().Len() == 0 && sig.Results().Len() == 0 {
+				return true
+			}
+		}
+	}
+	return false
+}

log/injection/injection.go

@@ -14,6 +14,7 @@ import (
 
 var userControlledValues = taint.NewSources(
 	"*net/http.Request",
+	"google.golang.org/protobuf/proto.Message",
 )
 
 var injectableLogFunctions = taint.NewSinks(

log/injection/injection_test.go

@@ -55,3 +55,7 @@ func TestK(t *testing.T) {
 func TestL(t *testing.T) {
 	analysistest.Run(t, testdata, Analyzer, "l")
 }
+
+func TestGRPC(t *testing.T) {
+	analysistest.Run(t, testdata, Analyzer, "grpc")
+}

log/injection/testdata/src/grpc/main.go

@@ -0,0 +1,21 @@
+package main
+
+import (
+	"context"
+	"log"
+)
+
+type Request struct{ Msg string }
+
+func (*Request) ProtoMessage() {}
+
+type Server struct{}
+
+func (s *Server) Handle(ctx context.Context, req *Request) {
+	log.Println(req.Msg) // want "potential log injection"
+}
+
+func main() {
+	srv := &Server{}
+	srv.Handle(context.Background(), &Request{})
+}

sql/injection/injection.go

@@ -39,6 +39,7 @@ var userControlledValues = taint.NewSources(
 	//
 	// Types (and fields)
 	"*net/http.Request",
+	"google.golang.org/protobuf/proto.Message",
 	//
 	// "google.golang.org/grpc/metadata.MD", ?
 	//

sql/injection/injection_test.go

@@ -101,3 +101,7 @@ func TestU(t *testing.T) {
 func TestV(t *testing.T) {
 	analysistest.Run(t, testdata, Analyzer, "v")
 }
+
+func TestGRPC(t *testing.T) {
+	analysistest.Run(t, testdata, Analyzer, "grpc")
+}

sql/injection/testdata/src/grpc/main.go

@@ -0,0 +1,22 @@
+package main
+
+import (
+	"context"
+	"database/sql"
+)
+
+type Request struct{ Query string }
+
+func (*Request) ProtoMessage() {}
+
+type Server struct{}
+
+func (s *Server) Handle(ctx context.Context, db *sql.DB, req *Request) {
+	db.Query(req.Query) // want "potential sql injection"
+}
+
+func main() {
+	db, _ := sql.Open("sqlite3", ":memory:")
+	srv := &Server{}
+	srv.Handle(context.Background(), db, &Request{})
+}