github / codeql-go

The CodeQL extractor and libraries for Go.
MIT License

Golang : Add Query To Detect PAM Authorization Bugs #709

Closed porcupineyhairs closed 2 years ago

porcupineyhairs commented 2 years ago

Using merely a pam_authenticate call to grant access to a user can cause a security issue. The pam_authenticate call only checks if the username and the password match. It does not check if the account is expired. Hence, a user with an expired login or an expired password can still log in.

This issue is fairly common and was recently found in gogs/gogs and go-gitea/gitea. In this case, the bugs were assigned CVE-2022-0871 and CVE-2022-0905 respectively.

This PR aims to detect instances where an initiated PAM Transaction invokes the Authenticate method but does not invoke a call to the AcctMgmt method. Due to the nature of the query, I don't expect many FPs or FNs. There could be some unwanted alerts due to test code, but to avoid that I filter out all file paths which have test in them.

With this PR, I submit two queries, one using local data flow and the other using global taint flow. The global taint flow one should be more precise but may have a performance penalty while the other local flow one may lead to FN's but should be faster to execute.

A quick run of both these queries on roughly 17 projects can be found in the LGTM runs below.

All of the results appear to be correct. The runs also include two projects porcupineyhairs/gogs_pam and porcupineyhairs/gitea_pam. These are vulnerable versions of the projects mentioned above. The alerts show a valid detection of the CVE. No alerts for the gogs and gitea projects show detection of the patch correcting the bug.

I am also working on two more PR's for C and Python respectively which detect the same underlying issue.
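The pattern the PR describes, as an added example that is not part of the PR or of the codeql-go project: a login that stops after `Authenticate` beside the corrected login that also calls `AcctMgmt`, run against a constructed in-memory PAM stand-in. The `pamTransaction` interface, the `fakeTransaction` double, and all account data are assumptions made for this example; they mirror the two method names the PR talks about but are not a real PAM binding.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// pamTransaction is a hypothetical interface standing in for a PAM transaction.
// Real Go PAM bindings expose Authenticate and AcctMgmt as methods on the
// transaction; the names are the only thing this example takes from them.
type pamTransaction interface {
	Authenticate() error
	AcctMgmt() error
}

// Errors a PAM stack would report at each stage (constructed for this example).
var (
	errAuthFailed      = errors.New("pam: authentication failure")
	errAccountExpired  = errors.New("pam: account expired")
	errPasswordExpired = errors.New("pam: password expired")
)

// fakeAccount is a constructed account record: a password plus the two expiry
// dates that the account-management stage checks and the authentication
// stage ignores.
type fakeAccount struct {
	password        string
	accountExpires  time.Time
	passwordExpires time.Time
}

// fakeTransaction is a constructed test double for a PAM transaction.
type fakeTransaction struct {
	user, password string
	accounts       map[string]fakeAccount
	now            time.Time
}

// Authenticate only verifies that the credentials match, which is all that
// pam_authenticate does.
func (t *fakeTransaction) Authenticate() error {
	acct, ok := t.accounts[t.user]
	if !ok || acct.password != t.password {
		return errAuthFailed
	}
	return nil
}

// AcctMgmt performs the validity checks of pam_acct_mgmt: account expiry and
// password expiry.
func (t *fakeTransaction) AcctMgmt() error {
	acct, ok := t.accounts[t.user]
	if !ok {
		return errAuthFailed
	}
	if !t.now.Before(acct.accountExpires) {
		return errAccountExpired
	}
	if !t.now.Before(acct.passwordExpires) {
		return errPasswordExpired
	}
	return nil
}

// loginVulnerable is the pattern the query flags: Authenticate alone grants access,
// so an expired account or password is still accepted.
func loginVulnerable(t pamTransaction) error {
	return t.Authenticate()
}

// loginFixed is the corrected pattern: Authenticate, then AcctMgmt.
func loginFixed(t pamTransaction) error {
	if err := t.Authenticate(); err != nil {
		return err
	}
	return t.AcctMgmt()
}

// sampleNow and sampleAccounts are constructed fixtures for the demonstration.
var sampleNow = time.Date(2022, 3, 15, 12, 0, 0, 0, time.UTC)

var sampleAccounts = map[string]fakeAccount{
	// alice: everything valid
	"alice": {password: "alice-pw", accountExpires: sampleNow.AddDate(1, 0, 0), passwordExpires: sampleNow.AddDate(0, 6, 0)},
	// bob: account expired yesterday
	"bob": {password: "bob-pw", accountExpires: sampleNow.AddDate(0, 0, -1), passwordExpires: sampleNow.AddDate(0, 6, 0)},
	// carol: password expired a month ago
	"carol": {password: "carol-pw", accountExpires: sampleNow.AddDate(1, 0, 0), passwordExpires: sampleNow.AddDate(0, 0, -30)},
}

// newSampleTransaction builds a transaction over the constructed fixtures.
func newSampleTransaction(user, password string) *fakeTransaction {
	return &fakeTransaction{user: user, password: password, accounts: sampleAccounts, now: sampleNow}
}

func main() {
	for _, user := range []string{"alice", "bob", "carol"} {
		tx := newSampleTransaction(user, user+"-pw")
		fmt.Printf("%-6s vulnerable: %-28v fixed: %v\n", user, loginVulnerable(tx), loginFixed(tx))
	}
}
```

Running it shows the two expired users (bob, carol) passing `loginVulnerable` with a correct password while `loginFixed` rejects them; this is exactly the gap between "credentials match" and "account may log in" that the query looks for, and why a missing `AcctMgmt` call after `Authenticate` is worth an alert.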

smowton commented 2 years ago

Is there an associated bounty app?

porcupineyhairs commented 2 years ago

@smowton I have created a PR with the requested changes.

I am closing this one now.

Superseded by github/codeql#9377