Merge pull request #18493 from egregius313/egregius313/go/mad/database/mongodb

Go: `database` local sources for MongoDB

Author: egregius313

go/ql/lib/change-notes/2025-01-14-mongodb-models.md

@@ -0,0 +1,5 @@
+---
+category: minorAnalysis
+---
+* Added `database` source models for database methods from the `go.mongodb.org/mongo-driver/mongo` package.
+

go/ql/lib/ext/go.mongodb.org.mongo-driver.mongo.model.yml

@@ -1,4 +1,19 @@
 extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sourceModel
+    data:
+      - ["go.mongodb.org/mongo-driver/mongo", "Client", True, "Watch", "", "", "ReturnValue[0]", "database", "manual"]
+      - ["go.mongodb.org/mongo-driver/mongo", "Collection", True, "Aggregate", "", "", "ReturnValue[0]", "database", "manual"]
+      - ["go.mongodb.org/mongo-driver/mongo", "Collection", True, "Distinct", "", "", "ReturnValue[0]", "database", "manual"]
+      - ["go.mongodb.org/mongo-driver/mongo", "Collection", True, "Find", "", "", "ReturnValue[0]", "database", "manual"]
+      - ["go.mongodb.org/mongo-driver/mongo", "Collection", True, "FindOne", "", "", "ReturnValue", "database", "manual"]
+      - ["go.mongodb.org/mongo-driver/mongo", "Collection", True, "FindOneAndDelete", "", "", "ReturnValue", "database", "manual"]
+      - ["go.mongodb.org/mongo-driver/mongo", "Collection", True, "FindOneAndReplace", "", "", "ReturnValue", "database", "manual"]
+      - ["go.mongodb.org/mongo-driver/mongo", "Collection", True, "FindOneAndUpdate", "", "", "ReturnValue", "database", "manual"]
+      - ["go.mongodb.org/mongo-driver/mongo", "Collection", True, "Watch", "", "", "ReturnValue[0]", "database", "manual"]
+      - ["go.mongodb.org/mongo-driver/mongo", "Database", True, "Aggregate", "", "", "ReturnValue[0]", "database", "manual"]
+      - ["go.mongodb.org/mongo-driver/mongo", "Database", True, "Watch", "", "", "ReturnValue[0]", "database", "manual"]
   - addsTo:
       pack: codeql/go-all
       extensible: sinkModel
@@ -17,3 +32,12 @@ extensions:
       - ["go.mongodb.org/mongo-driver/mongo", "Collection", True, "UpdateMany", "", "", "Argument[1]", "nosql-injection", "manual"]
       - ["go.mongodb.org/mongo-driver/mongo", "Collection", True, "UpdateOne", "", "", "Argument[1]", "nosql-injection", "manual"]
       - ["go.mongodb.org/mongo-driver/mongo", "Collection", True, "Watch", "", "", "Argument[1]", "nosql-injection", "manual"]
+  - addsTo:
+      pack: codeql/go-all
+      extensible: summaryModel
+    data:
+      - ["go.mongodb.org/mongo-driver/mongo", "ChangeStream", True, "Decode", "", "", "Argument[receiver]", "Argument[0]", "taint", "manual"]
+      - ["go.mongodb.org/mongo-driver/mongo", "Cursor", True, "All", "", "", "Argument[receiver]", "Argument[1]", "taint", "manual"]
+      - ["go.mongodb.org/mongo-driver/mongo", "Cursor", True, "Decode", "", "", "Argument[receiver]", "Argument[0]", "taint", "manual"]
+      - ["go.mongodb.org/mongo-driver/mongo", "SingleResult", True, "Decode", "", "", "Argument[receiver]", "Argument[0]", "taint", "manual"]
+      - ["go.mongodb.org/mongo-driver/mongo", "SingleResult", True, "Raw", "", "", "Argument[receiver]", "ReturnValue[0]", "taint", "manual"]

go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/database/go.mod

@@ -5,4 +5,5 @@ go 1.22.5
 require (
 	gorm.io/gorm v1.23.0
 	github.com/jmoiron/sqlx v1.4.0
+	go.mongodb.org/mongo-driver/mongo v1.17.2
 )

go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/database/test_mongo_driver_mongo.go

@@ -0,0 +1,121 @@
+package test
+
+//go:generate depstubber -vendor go.mongodb.org/mongo-driver/mongo Client,Collection,Database
+
+import (
+	"context"
+
+	"go.mongodb.org/mongo-driver/mongo"
+)
+
+func test_mongo_driver_mongo_collection(coll *mongo.Collection, ctx context.Context, pipeline any) {
+	cursor, err := coll.Aggregate(ctx, pipeline) // $ source
+	if err != nil {
+		return
+	}
+
+	var users []User
+
+	err = cursor.All(ctx, &users)
+
+	sink(users) // $ hasTaintFlow="users"
+
+	distinct, err := coll.Distinct(ctx, "name", nil) // $ source
+	if err != nil {
+		return
+	}
+
+	sink(distinct) // $ hasTaintFlow="distinct"
+
+	cursor2, err := coll.Find(ctx, nil) // $ source
+	if err != nil {
+		return
+	}
+
+	sink(cursor2) // $ hasTaintFlow="cursor2"
+
+	var user1, user2, user3, user4 User
+
+	single1 := coll.FindOne(ctx, nil) // $ source
+	if err != nil {
+		return
+	}
+
+	single1.Decode(&user1)
+
+	sink(user1) // $ hasTaintFlow="user1"
+
+	single2 := coll.FindOneAndDelete(ctx, nil) // $ source
+	if err != nil {
+		return
+	}
+
+	single2.Decode(&user2)
+
+	sink(user2) // $ hasTaintFlow="user2"
+
+	single3 := coll.FindOneAndReplace(ctx, nil, nil) // $ source
+	if err != nil {
+		return
+	}
+
+	single3.Decode(&user3)
+
+	sink(user3) // $ hasTaintFlow="user3"
+
+	single4 := coll.FindOneAndUpdate(ctx, nil, nil) // $ source
+	if err != nil {
+		return
+	}
+
+	single4.Decode(&user4)
+
+	sink(user4) // $ hasTaintFlow="user4"
+
+	changeStream, err := coll.Watch(ctx, pipeline) // $ source
+	if err != nil {
+		return
+	}
+
+	for changeStream.Next(ctx) {
+		var userCs User
+		changeStream.Decode(&userCs)
+		sink(userCs) // $ hasTaintFlow="userCs"
+	}
+}
+
+func test_mongo_driver_mongo_database(db *mongo.Database, ctx context.Context, pipeline any) {
+	agg, err := db.Aggregate(ctx, pipeline) // $ source
+
+	if err != nil {
+		return
+	}
+
+	var user User
+	agg.Decode(&user)
+	sink(user) // $ hasTaintFlow="user"
+
+	changeStream, err := db.Watch(ctx, pipeline) // $ source
+	if err != nil {
+		return
+	}
+
+	for changeStream.Next(ctx) {
+		var userCs User
+		changeStream.Decode(&userCs)
+		sink(userCs) // $ hasTaintFlow="userCs"
+	}
+}
+
+func test_mongo_driver_mongo_Client(client *mongo.Client, ctx context.Context) {
+	changestream, err := client.Watch(ctx, nil) // $ source
+	if err != nil {
+		return
+	}
+
+	for changestream.Next(ctx) {
+		var user User
+		changestream.Decode(&user)
+		sink(user) // $ hasTaintFlow="user"
+	}
+}