Go Environment variable (parsing) models and tests

go/ql/lib/ext/github.com.hashicorp.go-envparse.model.yml

@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sourceModel
+    data:
+      - ["github.com/hashicorp/go-envparse", "", False, "Parse", "", "", "ReturnValue", "environment", "manual"]

go/ql/lib/ext/github.com.joho.godotenv.model.yml

@@ -0,0 +1,9 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sourceModel
+    data:
+      - ["github.com/joho/godotenv", "", False, "Parse", "", "", "ReturnValue", "environment", "manual"]
+      - ["github.com/joho/godotenv", "", False, "Read", "", "", "ReturnValue", "environment", "manual"]
+      - ["github.com/joho/godotenv", "", False, "Unmarshal", "", "", "ReturnValue", "environment", "manual"]
+      - ["github.com/joho/godotenv", "", False, "UnmarshalBytes", "", "", "ReturnValue", "environment", "manual"]

go/ql/lib/ext/github.com.kelseyhightower.envconfig.model.yml

@@ -0,0 +1,11 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sourceModel
+    data:
+      - ["github.com/kelseyhightower/envconfig", "", False, "CheckDisallowed", "", "", "Argument[1]", "environment", "manual"]
+      - ["github.com/kelseyhightower/envconfig", "", False, "MustProcess", "", "", "Argument[1]", "environment", "manual"]
+      - ["github.com/kelseyhightower/envconfig", "", False, "Process", "", "", "Argument[1]", "environment", "manual"]
+      - ["github.com/kelseyhightower/envconfig", "", False, "Usage", "", "", "Argument[1]", "environment", "manual"]
+      - ["github.com/kelseyhightower/envconfig", "", False, "Usagef", "", "", "Argument[1]", "environment", "manual"]
+      - ["github.com/kelseyhightower/envconfig", "", False, "Usaget", "", "", "Argument[1]", "environment", "manual"]

go/ql/lib/ext/os.model.yml

@@ -46,6 +46,9 @@ extensions:
       pack: codeql/go-all
       extensible: sourceModel
     data:
+      - ["os", "", False, "Environ", "", "", "ReturnValue", "environment", "manual"]
+      - ["os", "", False, "Getenv", "", "", "ReturnValue", "environment", "manual"]
+      - ["os", "", False, "LookupEnv", "", "", "ReturnValue[0]", "environment", "manual"]
       - ["os", "", False, "Open", "", "", "ReturnValue[0]", "file", "manual"]
       - ["os", "", False, "OpenFile", "", "", "ReturnValue[0]", "file", "manual"]
-      - ["os", "", False, "ReadFile", "", "", "ReturnValue[0]", "file", "manual"]
+      - ["os", "", False, "ReadFile", "", "", "ReturnValue[0]", "file", "manual"]

go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/environment/go.mod

@@ -0,0 +1,9 @@
+module test
+
+go 1.22.5
+
+require (
+	github.com/hashicorp/go-envparse v0.1.0
+	github.com/joho/godotenv v1.5.1
+	github.com/kelseyhightower/envconfig v1.4.0
+)

go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/environment/test.expected

@@ -0,0 +1,6 @@
+| test.go:12:10:12:26 | call to Getenv |
+| test.go:14:2:14:33 | ... := ...[0] |
+| test.go:19:20:19:31 | call to Environ |
+| test.go:34:29:34:32 | &... |
+| test.go:41:2:41:40 | ... := ...[0] |
+| test.go:48:2:48:52 | ... := ...[0] |

go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/environment/test.ext.yml

@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/threat-models
+      extensible: threatModelConfiguration
+    data:
+      - ["environment", true, 0]

go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/environment/test.go

@@ -0,0 +1,67 @@
+package test
+
+import (
+	"fmt"
+	"github.com/hashicorp/go-envparse"
+	"github.com/joho/godotenv"
+	"github.com/kelseyhightower/envconfig"
+	"os"
+)
+
+func osEnvironmentVariables() {
+	home := os.Getenv("HOME")
+
+	port, ok := os.LookupEnv("PORT")
+	if !ok {
+		port = "3000"
+	}
+
+	for _, e := range os.Environ() {
+		_ = e
+	}
+
+	fmt.Printf("HOME: %s\n", home)
+	fmt.Printf("PORT: %s\n", port)
+}
+
+type ServerConfig struct {
+	Port int    `envconfig:"PORT"`
+	Host string `envconfig:"HOST"`
+}
+
+func envconfigEnvironmentVariables() {
+	var cfg ServerConfig
+	envconfig.Process("myapp", &cfg)
+}
+
+func godotenvEnvironmentVariables() {
+	var err error
+	var username, greeting string
+
+	users, err := godotenv.Read("user.env")
+	if err != nil {
+		return
+	}
+
+	username := users["USERNAME"]
+
+	greetings, err := godotenv.Unmarshal("HELLO=hello")
+	if err != nil {
+		return
+	}
+
+	greeting := greetings["HELLO"]
+
+	fmt.Printf("%s, %s!\n", greeting, username)
+}
+
+func envparseEnvironmentVariables() {
+	f := os.Open("file.txt")
+	envVars, ok := envparse.Parse(f)
+
+	if !ok {
+		return
+	}
+
+	fmt.Printf("HOME: %s\n", envVars["HOME"])
+}

go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/environment/test.ql

@@ -0,0 +1,5 @@
+import go
+
+from DataFlow::Node source
+where source instanceof ThreatModelFlowSource
+select source

go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/environment/vendor/github.com/hashicorp/go-envparse/stub.go

@@ -0,0 +1,7 @@
+package envparse
+
+import "io"
+
+func Parse(r io.Reader) (map[string]string, error) {
+	return nil, nil
+}

go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/environment/vendor/github.com/joho/godotenv/stub.go

@@ -0,0 +1,37 @@
+package godotenv
+
+func Exec(filenames []string, cmd string, cmdArgs []string, overload bool) error {
+	return nil
+}
+
+func Load(filenames ...string) (err error) {
+	return nil
+}
+
+func Marshal(envMap map[string]string) (string, error) {
+	return "", nil
+}
+
+func Overload(filenames ...string) (err error) {
+	return nil
+}
+
+func Parse(r io.Reader) (map[string]string, error) {
+	return nil, nil
+}
+
+func Read(filenames ...string) (envMap map[string]string, err error) {
+	return nil, nil
+}
+
+func Unmarshal(str string) (envMap map[string]string, err error) {
+	return nil, nil
+}
+
+func UnmarshalBytes(src []byte) (map[string]string, error) {
+	return nil, nil
+}
+
+func Write(envMap map[string]string, filename string) error {
+	return nil
+}

go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/environment/vendor/github.com/kelseyhightower/envconfig/stub.go

@@ -0,0 +1,30 @@
+package envconfig
+
+import (
+	"io"
+	"text/template"
+)
+
+func CheckDisallowed(prefix string, cfg interface{}) error {
+	return nil
+}
+
+func MustProcess(prefix string, cfg interface{}) {
+
+}
+
+func Process(prefix string, cfg interface{}) error {
+	return nil
+}
+
+func Usage(prefix string, spec interface{}) error {
+	return nil
+}
+
+func Usagef(prefix string, spec interface{}, out io.Writer, format string) error {
+	return nil
+}
+
+func Usaget(prefix string, spec interface{}, out io.Writer, tmpl *template.Template) error {
+	return nil
+}

go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/environment/vendor/modules.txt

@@ -0,0 +1,9 @@
+# github.com/hashicorp/go-envparse v0.1.0
+## explicit
+github.com/hashicorp/go-envparse
+# github.com/joho/godotenv v1.5.1
+## explicit
+github.com/joho/godotenv
+# github.com/kelseyhightower/envconfig v1.4.0
+## explicit
+github.com/kelseyhightower/envconfig