diff --git a/go/ql/lib/change-notes/2024-05-24-function-classes-deprecated.md b/go/ql/lib/change-notes/2024-05-24-function-classes-deprecated.md
new file mode 100644
index 000000000000..25584b1dfdeb
--- /dev/null
+++ b/go/ql/lib/change-notes/2024-05-24-function-classes-deprecated.md
@@ -0,0 +1,4 @@
+---
+category: deprecated
+---
+* The following classes have been deprecated: `Url::JoinPath` and `Url::JoinPathMethod` in `Stdlib`; `Zap::FieldsFunction` in `Zap`. Use a locally defined class instead.
diff --git a/go/ql/lib/ext/database.sql.model.yml b/go/ql/lib/ext/database.sql.model.yml
index bb4dc1a612d5..0db0bf08f95b 100644
--- a/go/ql/lib/ext/database.sql.model.yml
+++ b/go/ql/lib/ext/database.sql.model.yml
@@ -7,6 +7,8 @@ extensions:
 - ["database/sql", "Conn", True, "PrepareContext", "", "", "Argument[1]", "ReturnValue[0]", "taint", "manual"]
 - ["database/sql", "DB", True, "Prepare", "", "", "Argument[0]", "ReturnValue[0]", "taint", "manual"]
 - ["database/sql", "DB", True, "PrepareContext", "", "", "Argument[1]", "ReturnValue[0]", "taint", "manual"]
+ - ["database/sql", "Row", True, "Scan", "", "", "Argument[-1]", "Argument[0].ArrayElement", "taint", "manual"]
+ - ["database/sql", "Rows", True, "Scan", "", "", "Argument[-1]", "Argument[0].ArrayElement", "taint", "manual"]
 - ["database/sql", "Scanner", True, "Scan", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
 - ["database/sql", "Tx", True, "Prepare", "", "", "Argument[0]", "ReturnValue[0]", "taint", "manual"]
 - ["database/sql", "Tx", True, "PrepareContext", "", "", "Argument[1]", "ReturnValue[0]", "taint", "manual"]
diff --git a/go/ql/lib/ext/errors.model.yml b/go/ql/lib/ext/errors.model.yml
index a94c8e558ff4..a656a94c6172 100644
--- a/go/ql/lib/ext/errors.model.yml
+++ b/go/ql/lib/ext/errors.model.yml
@@ -4,5 +4,6 @@ extensions:
 extensible: summaryModel
 data:
 - ["errors", "", False, "As", "", "", "Argument[0]", "Argument[1]", "taint", "manual"]
+ - ["errors", "", False, "Join", "", "", "Argument[0].ArrayElement", "ReturnValue", "taint", "manual"]
 - ["errors", "", False, "New", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
 - ["errors", "", False, "Unwrap", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
diff --git a/go/ql/lib/ext/fmt.model.yml b/go/ql/lib/ext/fmt.model.yml
index 5421368bbca3..b15261df24e3 100644
--- a/go/ql/lib/ext/fmt.model.yml
+++ b/go/ql/lib/ext/fmt.model.yml
@@ -15,7 +15,19 @@ extensions:
 - ["fmt", "", True, "Appendf", "", "", "Argument[2].ArrayElement", "ReturnValue", "taint", "manual"]
 - ["fmt", "", True, "Appendln", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
 - ["fmt", "", True, "Appendln", "", "", "Argument[1].ArrayElement", "ReturnValue", "taint", "manual"]
+ - ["fmt", "", True, "Errorf", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+ - ["fmt", "", True, "Errorf", "", "", "Argument[1].ArrayElement", "ReturnValue", "taint", "manual"]
+ - ["fmt", "", True, "Fprint", "", "", "Argument[1].ArrayElement", "Argument[0]", "taint", "manual"]
+ - ["fmt", "", True, "Fprintf", "", "", "Argument[1]", "Argument[0]", "taint", "manual"]
+ - ["fmt", "", True, "Fprintf", "", "", "Argument[2].ArrayElement", "Argument[0]", "taint", "manual"]
+ - ["fmt", "", True, "Fprintln", "", "", "Argument[1].ArrayElement", "Argument[0]", "taint", "manual"]
+ - ["fmt", "", True, "Fscan", "", "", "Argument[0]", "Argument[1].ArrayElement", "taint", "manual"]
+ - ["fmt", "", True, "Fscanf", "", "", "Argument[0..1]", "Argument[2].ArrayElement", "taint", "manual"]
+ - ["fmt", "", True, "Fscanln", "", "", "Argument[0]", "Argument[1].ArrayElement", "taint", "manual"]
 - ["fmt", "", True, "Sprint", "", "", "Argument[0].ArrayElement", "ReturnValue", "taint", "manual"]
 - ["fmt", "", True, "Sprintf", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
 - ["fmt", "", True, "Sprintf", "", "", "Argument[1].ArrayElement", "ReturnValue", "taint", "manual"]
 - ["fmt", "", True, "Sprintln", "", "", "Argument[0].ArrayElement", "ReturnValue", "taint", "manual"]
+ - ["fmt", "", True, "Sscan", "", "", "Argument[0]", "Argument[1].ArrayElement", "taint", "manual"]
+ - ["fmt", "", True, "Sscanf", "", "", "Argument[0..1]", "Argument[2].ArrayElement", "taint", "manual"]
+ - ["fmt", "", True, "Sscanln", "", "", "Argument[0]", "Argument[1].ArrayElement", "taint", "manual"]
diff --git a/go/ql/lib/ext/github.com.astaxie.beego.utils.model.yml b/go/ql/lib/ext/github.com.astaxie.beego.utils.model.yml
index 7c7e8dd74289..8256dec102d6 100644
--- a/go/ql/lib/ext/github.com.astaxie.beego.utils.model.yml
+++ b/go/ql/lib/ext/github.com.astaxie.beego.utils.model.yml
@@ -3,6 +3,7 @@ extensions:
 pack: codeql/go-all
 extensible: summaryModel
 data:
+ - ["github.com/astaxie/beego/utils", "", False, "GetDisplayString", "", "", "Argument[0].ArrayElement", "ReturnValue", "taint", "manual"]
 - ["github.com/astaxie/beego/utils", "", False, "SliceChunk", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
 - ["github.com/astaxie/beego/utils", "", False, "SliceDiff", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
 - ["github.com/astaxie/beego/utils", "", False, "SliceFilter", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
@@ -16,6 +17,7 @@ extensions:
 - ["github.com/astaxie/beego/utils", "BeeMap", True, "Get", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
 - ["github.com/astaxie/beego/utils", "BeeMap", True, "Items", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
 - ["github.com/astaxie/beego/utils", "BeeMap", True, "Set", "", "", "Argument[1]", "Argument[-1]", "taint", "manual"]
+ - ["github.com/beego/beego/core/utils", "", False, "GetDisplayString", "", "", "Argument[0].ArrayElement", "ReturnValue", "taint", "manual"]
 - ["github.com/beego/beego/core/utils", "", False, "SliceChunk", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
 - ["github.com/beego/beego/core/utils", "", False, "SliceDiff", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
 - ["github.com/beego/beego/core/utils", "", False, "SliceFilter", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
diff --git a/go/ql/lib/ext/github.com.davecgh.go-spew.spew.yml b/go/ql/lib/ext/github.com.davecgh.go-spew.spew.yml
new file mode 100644
index 000000000000..57d3efdb09ab
--- /dev/null
+++ b/go/ql/lib/ext/github.com.davecgh.go-spew.spew.yml
@@ -0,0 +1,10 @@
+extensions:
+ - addsTo:
+ pack: codeql/go-all
+ extensible: summaryModel
+ data:
+ - ["github.com/davecgh/go-spew/spew", "", False, "Sdump", "", "", "Argument[0].ArrayElement", "ReturnValue", "taint", "manual"]
+ - ["github.com/davecgh/go-spew/spew", "", False, "Sprint", "", "", "Argument[0].ArrayElement", "ReturnValue", "taint", "manual"]
+ - ["github.com/davecgh/go-spew/spew", "", False, "Sprintf", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+ - ["github.com/davecgh/go-spew/spew", "", False, "Sprintf", "", "", "Argument[1].ArrayElement", "ReturnValue", "taint", "manual"]
+ - ["github.com/davecgh/go-spew/spew", "", False, "Sprintln", "", "", "Argument[0].ArrayElement", "ReturnValue", "taint", "manual"]
diff --git a/go/ql/lib/ext/go.uber.org.zap.model.yml b/go/ql/lib/ext/go.uber.org.zap.model.yml
index 2ca7f7e8a804..c8af39529001 100644
--- a/go/ql/lib/ext/go.uber.org.zap.model.yml
+++ b/go/ql/lib/ext/go.uber.org.zap.model.yml
@@ -9,6 +9,7 @@ extensions:
 - ["go.uber.org/zap", "", False, "ByteStrings", "", "", "Argument[0..1]", "ReturnValue", "taint", "manual"]
 - ["go.uber.org/zap", "", False, "Error", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
 - ["go.uber.org/zap", "", False, "Errors", "", "", "Argument[0..1]", "ReturnValue", "taint", "manual"]
+ - ["go.uber.org/zap", "", False, "Fields", "", "", "Argument[0].ArrayElement", "ReturnValue", "taint", "manual"]
 - ["go.uber.org/zap", "", False, "NamedError", "", "", "Argument[0..1]", "ReturnValue", "taint", "manual"]
 - ["go.uber.org/zap", "", False, "Reflect", "", "", "Argument[0..1]", "ReturnValue", "taint", "manual"]
 - ["go.uber.org/zap", "", False, "String", "", "", "Argument[0..1]", "ReturnValue", "taint", "manual"]
diff --git a/go/ql/lib/ext/html.template.model.yml b/go/ql/lib/ext/html.template.model.yml
index 0ee840c4eaed..fd21deb8c783 100644
--- a/go/ql/lib/ext/html.template.model.yml
+++ b/go/ql/lib/ext/html.template.model.yml
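Review bot: The new file `go/ql/lib/ext/github.com.davecgh.go-spew.spew.yml` is the only data-extension file in this change without the `.model.yml` suffix; every other file touched under `go/ql/lib/ext/` is named `*.model.yml`. If the pack's `dataExtensions` glob only matches `ext/*.model.yml` (not visible in this diff, so confirm in `qlpack.yml`), these five `Sdump`/`Sprint*` summaries would never be loaded. Because the same commit deletes the `Sprinter` class from `Spew.qll`, taint through spew formatting would then stop silently and downstream queries would report false negatives. Rename the file to `github.com.davecgh.go-spew.spew.model.yml`.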
@@ -4,8 +4,11 @@ extensions:
 extensible: summaryModel
 data:
 - ["html/template", "", False, "HTMLEscape", "", "", "Argument[1]", "Argument[0]", "taint", "manual"]
+ - ["html/template", "", False, "HTMLEscaper", "", "", "Argument[0].ArrayElement", "ReturnValue", "taint", "manual"]
 - ["html/template", "", False, "HTMLEscapeString", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
 - ["html/template", "", False, "JSEscape", "", "", "Argument[1]", "Argument[0]", "taint", "manual"]
+ - ["html/template", "", False, "JSEscaper", "", "", "Argument[0].ArrayElement", "ReturnValue", "taint", "manual"]
 - ["html/template", "", False, "JSEscapeString", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+ - ["html/template", "", False, "URLQueryEscaper", "", "", "Argument[0].ArrayElement", "ReturnValue", "taint", "manual"]
 - ["html/template", "Template", True, "Execute", "", "", "Argument[1]", "Argument[0]", "taint", "manual"]
 - ["html/template", "Template", True, "ExecuteTemplate", "", "", "Argument[2]", "Argument[0]", "taint", "manual"]
diff --git a/go/ql/lib/ext/io.model.yml b/go/ql/lib/ext/io.model.yml
index 1da83059617d..3fe98a4cf136 100644
--- a/go/ql/lib/ext/io.model.yml
+++ b/go/ql/lib/ext/io.model.yml
@@ -7,6 +7,7 @@ extensions:
 - ["io", "", False, "CopyBuffer", "", "", "Argument[1]", "Argument[0]", "taint", "manual"]
 - ["io", "", False, "CopyN", "", "", "Argument[1]", "Argument[0]", "taint", "manual"]
 - ["io", "", False, "LimitReader", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+ - ["io", "", False, "MultiReader", "", "", "Argument[0].ArrayElement", "ReturnValue", "taint", "manual"]
 - ["io", "", False, "NewSectionReader", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
 - ["io", "", False, "NopCloser", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
 - ["io", "", False, "ReadAll", "", "", "Argument[0]", "ReturnValue[0]", "taint", "manual"]
diff --git a/go/ql/lib/ext/log.model.yml b/go/ql/lib/ext/log.model.yml
index fe1dd40394de..a7ca65292693 100644
--- a/go/ql/lib/ext/log.model.yml
+++ b/go/ql/lib/ext/log.model.yml
@@ -3,6 +3,18 @@ extensions:
 pack: codeql/go-all
 extensible: summaryModel
 data:
+ - ["log", "Logger", True, "Fatal", "", "", "Argument[0].ArrayElement", "Argument[-1]", "taint", "manual"]
+ - ["log", "Logger", True, "Fatalf", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
+ - ["log", "Logger", True, "Fatalf", "", "", "Argument[1].ArrayElement", "Argument[-1]", "taint", "manual"]
+ - ["log", "Logger", True, "Fatalln", "", "", "Argument[0].ArrayElement", "Argument[-1]", "taint", "manual"]
+ - ["log", "Logger", True, "Panic", "", "", "Argument[0].ArrayElement", "Argument[-1]", "taint", "manual"]
+ - ["log", "Logger", True, "Panicf", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
+ - ["log", "Logger", True, "Panicf", "", "", "Argument[1].ArrayElement", "Argument[-1]", "taint", "manual"]
+ - ["log", "Logger", True, "Panicln", "", "", "Argument[0].ArrayElement", "Argument[-1]", "taint", "manual"]
+ - ["log", "Logger", True, "Print", "", "", "Argument[0].ArrayElement", "Argument[-1]", "taint", "manual"]
+ - ["log", "Logger", True, "Printf", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
+ - ["log", "Logger", True, "Printf", "", "", "Argument[1].ArrayElement", "Argument[-1]", "taint", "manual"]
+ - ["log", "Logger", True, "Println", "", "", "Argument[0].ArrayElement", "Argument[-1]", "taint", "manual"]
 - ["log", "Logger", True, "SetOutput", "", "", "Argument[-1]", "Argument[0]", "taint", "manual"]
 - ["log", "Logger", True, "SetPrefix", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
 - ["log", "Logger", True, "Writer", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
diff --git a/go/ql/lib/ext/net.textproto.model.yml b/go/ql/lib/ext/net.textproto.model.yml
index 0ff47eeebdb1..340f60155fda 100644
--- a/go/ql/lib/ext/net.textproto.model.yml
+++ b/go/ql/lib/ext/net.textproto.model.yml
@@ -22,3 +22,5 @@ extensions:
 - ["net/textproto", "Reader", True, "ReadLineBytes", "", "", "Argument[-1]", "ReturnValue[0]", "taint", "manual"]
 - ["net/textproto", "Reader", True, "ReadMIMEHeader", "", "", "Argument[-1]", "ReturnValue[0]", "taint", "manual"]
 - ["net/textproto", "Reader", True, "ReadResponse", "", "", "Argument[-1]", "ReturnValue[1]", "taint", "manual"]
+ - ["net/textproto", "Writer", True, "PrintfLine", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
+ - ["net/textproto", "Writer", True, "PrintfLine", "", "", "Argument[1].ArrayElement", "Argument[-1]", "taint", "manual"]
diff --git a/go/ql/lib/ext/net.url.model.yml b/go/ql/lib/ext/net.url.model.yml
index deba3d5b39ef..36aabe22829e 100644
--- a/go/ql/lib/ext/net.url.model.yml
+++ b/go/ql/lib/ext/net.url.model.yml
@@ -3,6 +3,8 @@ extensions:
 pack: codeql/go-all
 extensible: summaryModel
 data:
+ - ["net/url", "", False, "JoinPath", "", "", "Argument[0]", "ReturnValue[0]", "taint", "manual"]
+ - ["net/url", "", False, "JoinPath", "", "", "Argument[1].ArrayElement", "ReturnValue[0]", "taint", "manual"]
 - ["net/url", "", False, "Parse", "", "", "Argument[0]", "ReturnValue[0]", "taint", "manual"]
 - ["net/url", "", False, "ParseQuery", "", "", "Argument[0]", "ReturnValue[0]", "taint", "manual"]
 - ["net/url", "", False, "ParseRequestURI", "", "", "Argument[0]", "ReturnValue[0]", "taint", "manual"]
@@ -14,6 +16,8 @@ extensions:
 - ["net/url", "", False, "UserPassword", "", "", "Argument[0..1]", "ReturnValue", "taint", "manual"]
 - ["net/url", "URL", True, "EscapedPath", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
 - ["net/url", "URL", True, "Hostname", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
+ - ["net/url", "URL", True, "JoinPath", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
+ - ["net/url", "URL", True, "JoinPath", "", "", "Argument[0].ArrayElement", "ReturnValue", "taint", "manual"]
 - ["net/url", "URL", True, "MarshalBinary", "", "", "Argument[-1]", "ReturnValue[0]", "taint", "manual"]
 - ["net/url", "URL", True, "Parse", "", "", "Argument[-1]", "ReturnValue[0]", "taint", "manual"]
 - ["net/url", "URL", True, "Parse", "", "", "Argument[0]", "ReturnValue[0]", "taint", "manual"]
diff --git a/go/ql/lib/ext/path.filepath.model.yml b/go/ql/lib/ext/path.filepath.model.yml
index 15bcb7d386d8..3c1a12fdd2f9 100644
--- a/go/ql/lib/ext/path.filepath.model.yml
+++ b/go/ql/lib/ext/path.filepath.model.yml
@@ -11,6 +11,7 @@ extensions:
 - ["path/filepath", "", False, "Ext", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
 - ["path/filepath", "", False, "FromSlash", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
 - ["path/filepath", "", False, "Glob", "", "", "Argument[0]", "ReturnValue[0]", "taint", "manual"]
+ - ["path/filepath", "", False, "Join", "", "", "Argument[0].ArrayElement", "ReturnValue", "taint", "manual"]
 - ["path/filepath", "", False, "Rel", "", "", "Argument[0..1]", "ReturnValue[0]", "taint", "manual"]
 - ["path/filepath", "", False, "Split", "", "", "Argument[0]", "ReturnValue[0..1]", "taint", "manual"]
 - ["path/filepath", "", False, "SplitList", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
diff --git a/go/ql/lib/ext/path.model.yml b/go/ql/lib/ext/path.model.yml
index 5a494b24d7ca..34612768ede0 100644
--- a/go/ql/lib/ext/path.model.yml
+++ b/go/ql/lib/ext/path.model.yml
@@ -7,4 +7,5 @@ extensions:
 - ["path", "", False, "Clean", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
 - ["path", "", False, "Dir", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
 - ["path", "", False, "Ext", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+ - ["path", "", False, "Join", "", "", "Argument[0].ArrayElement", "ReturnValue", "taint", "manual"]
 - ["path", "", False, "Split", "", "", "Argument[0]", "ReturnValue[0..1]", "taint", "manual"]
diff --git a/go/ql/lib/ext/reflect.model.yml b/go/ql/lib/ext/reflect.model.yml
index 1299b3a61f0d..7a002a63f84b 100644
--- a/go/ql/lib/ext/reflect.model.yml
+++ b/go/ql/lib/ext/reflect.model.yml
@@ -3,6 +3,8 @@ extensions:
 pack: codeql/go-all
 extensible: summaryModel
 data:
+ - ["reflect", "", False, "Append", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+ - ["reflect", "", False, "Append", "", "", "Argument[1].ArrayElement", "ReturnValue", "taint", "manual"]
 - ["reflect", "", False, "AppendSlice", "", "", "Argument[0..1]", "ReturnValue", "taint", "manual"]
 - ["reflect", "", False, "Copy", "", "", "Argument[1]", "Argument[0]", "taint", "manual"]
 - ["reflect", "", False, "Indirect", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
diff --git a/go/ql/lib/ext/strings.model.yml b/go/ql/lib/ext/strings.model.yml
index 2757277a0f08..62aa68eba5f4 100644
--- a/go/ql/lib/ext/strings.model.yml
+++ b/go/ql/lib/ext/strings.model.yml
@@ -8,6 +8,7 @@ extensions:
 - ["strings", "", False, "Join", "", "", "Argument[0..1]", "ReturnValue", "taint", "manual"]
 - ["strings", "", False, "Map", "", "", "Argument[1]", "ReturnValue", "taint", "manual"]
 - ["strings", "", False, "NewReader", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+ - ["strings", "", False, "NewReplacer", "", "", "Argument[0].ArrayElement", "ReturnValue", "taint", "manual"]
 - ["strings", "", False, "Repeat", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
 - ["strings", "", False, "Replace", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
 - ["strings", "", False, "Replace", "", "", "Argument[2]", "ReturnValue", "taint", "manual"]
diff --git a/go/ql/lib/ext/text.template.model.yml b/go/ql/lib/ext/text.template.model.yml
index 669af3a8854f..1e10ca2e7948 100644
--- a/go/ql/lib/ext/text.template.model.yml
+++ b/go/ql/lib/ext/text.template.model.yml
@@ -4,8 +4,11 @@ extensions:
 extensible: summaryModel
 data:
 - ["text/template", "", False, "HTMLEscape", "", "", "Argument[1]", "Argument[0]", "taint", "manual"]
+ - ["text/template", "", False, "HTMLEscaper", "", "", "Argument[0].ArrayElement", "ReturnValue", "taint", "manual"]
 - ["text/template", "", False, "HTMLEscapeString", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
 - ["text/template", "", False, "JSEscape", "", "", "Argument[1]", "Argument[0]", "taint", "manual"]
+ - ["text/template", "", False, "JSEscaper", "", "", "Argument[0].ArrayElement", "ReturnValue", "taint", "manual"]
 - ["text/template", "", False, "JSEscapeString", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+ - ["text/template", "", False, "URLQueryEscaper", "", "", "Argument[0].ArrayElement", "ReturnValue", "taint", "manual"]
 - ["text/template", "Template", True, "Execute", "", "", "Argument[1]", "Argument[0]", "taint", "manual"]
 - ["text/template", "Template", True, "ExecuteTemplate", "", "", "Argument[2]", "Argument[0]", "taint", "manual"]
diff --git a/go/ql/lib/semmle/go/frameworks/Beego.qll b/go/ql/lib/semmle/go/frameworks/Beego.qll index a59e67613cef..02bc39503c37 100644 --- a/go/ql/lib/semmle/go/frameworks/Beego.qll +++ b/go/ql/lib/semmle/go/frameworks/Beego.qll @@ -7,7 +7,6 @@ import go import semmle.go.security.Xss private import semmle.go.security.SafeUrlFlowCustomizations -// Some TaintTracking::FunctionModel subclasses remain because varargs functions don't work with Models-as-Data sumamries yet. /** * Provides classes for working with remote flow sources, sinks and taint propagators * from the [Beego](https://github.com/beego/beego) package. @@ -327,13 +326,4 @@ module Beego { override Http::ResponseWriter getResponseWriter() { none() } } - - private class UtilsTaintPropagators extends TaintTracking::FunctionModel { - UtilsTaintPropagators() { this.hasQualifiedName(utilsPackagePath(), "GetDisplayString") } - - override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) { - input.isParameter(_) and - output.isResult(0) - } - } } diff --git a/go/ql/lib/semmle/go/frameworks/Spew.qll b/go/ql/lib/semmle/go/frameworks/Spew.qll index b12bd0fed815..54b2ba20c53a 100644 --- a/go/ql/lib/semmle/go/frameworks/Spew.qll +++ b/go/ql/lib/semmle/go/frameworks/Spew.qll @@ -42,14 +42,4 @@ module Spew { result = this.getSyntacticArgument(any(int i | i >= target.getFirstPrintedArg())) } } - - // These are expressed using TaintTracking::FunctionModel because varargs functions don't work with Models-as-Data sumamries yet. - /** The `Sprint` function or one of its variants. */ - class Sprinter extends TaintTracking::FunctionModel { - Sprinter() { this.hasQualifiedName(packagePath(), ["Sdump", "Sprint", "Sprintln", "Sprintf"]) } - - override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) { - inp.isParameter(_) and outp.isResult() - } - } } diff --git a/go/ql/lib/semmle/go/frameworks/Stdlib.qll b/go/ql/lib/semmle/go/frameworks/Stdlib.qll index 5b33522e066a..4ee0db0eb2f6 100644 
--- a/go/ql/lib/semmle/go/frameworks/Stdlib.qll +++ b/go/ql/lib/semmle/go/frameworks/Stdlib.qll @@ -18,7 +18,6 @@ import semmle.go.frameworks.stdlib.EncodingGob import semmle.go.frameworks.stdlib.EncodingJson import semmle.go.frameworks.stdlib.EncodingPem import semmle.go.frameworks.stdlib.EncodingXml -import semmle.go.frameworks.stdlib.Errors import semmle.go.frameworks.stdlib.Fmt import semmle.go.frameworks.stdlib.Html import semmle.go.frameworks.stdlib.HtmlTemplate @@ -33,12 +32,8 @@ import semmle.go.frameworks.stdlib.NetHttp import semmle.go.frameworks.stdlib.NetHttpHttputil import semmle.go.frameworks.stdlib.NetTextproto import semmle.go.frameworks.stdlib.Os -import semmle.go.frameworks.stdlib.Path -import semmle.go.frameworks.stdlib.PathFilepath -import semmle.go.frameworks.stdlib.Reflect import semmle.go.frameworks.stdlib.Regexp import semmle.go.frameworks.stdlib.Strconv -import semmle.go.frameworks.stdlib.Strings import semmle.go.frameworks.stdlib.Syscall import semmle.go.frameworks.stdlib.TextTabwriter import semmle.go.frameworks.stdlib.TextTemplate 
@@ -97,24 +92,22 @@ module IntegerParser { /** Provides models of commonly used functions in the `net/url` package. */ module Url { - // These are expressed using TaintTracking::FunctionModel because varargs functions don't work with Models-as-Data sumamries yet. - /** The `JoinPath` function. */ - class JoinPath extends TaintTracking::FunctionModel { + /** + * DEPRECATED: Use a locally defined class instead. + * + * The `JoinPath` function. + */ + class JoinPath extends Function { JoinPath() { this.hasQualifiedName("net/url", "JoinPath") } - - override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) { - inp.isParameter(_) and outp.isResult(0) - } } - /** The method `URL.JoinPath`. */ - class JoinPathMethod extends TaintTracking::FunctionModel, Method { + /** + * DEPRECATED: Use a locally defined class instead. + * + * The method `URL.JoinPath`. + */ + class JoinPathMethod extends Method { JoinPathMethod() { this.hasQualifiedName("net/url", "URL", "JoinPath") } - - override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) { - (inp.isReceiver() or inp.isParameter(_)) and - outp.isResult(0) - } } /** A method that returns a part of a URL. */ diff --git a/go/ql/lib/semmle/go/frameworks/Zap.qll b/go/ql/lib/semmle/go/frameworks/Zap.qll index 359f9aba4107..57867fd5a458 100644 --- a/go/ql/lib/semmle/go/frameworks/Zap.qll +++ b/go/ql/lib/semmle/go/frameworks/Zap.qll 
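Review bot: In the `Stdlib.qll` hunk, `Url::JoinPath` and `Url::JoinPathMethod` gain a `DEPRECATED:` doc comment but are still declared as plain `class JoinPath extends Function` and `class JoinPathMethod extends Method`. `Zap::FieldsFunction`, by contrast, is declared in this same commit as `deprecated class FieldsFunction extends Function`. Without the `deprecated` annotation, code that still references the two `Url` classes gets no deprecation warning, even though the change note lists them as deprecated. Declare them as `deprecated class JoinPath extends Function` and `deprecated class JoinPathMethod extends Method`. The enclosing `module Url` continues outside the hunk.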
@@ -46,14 +46,13 @@ module Zap { override DataFlow::Node getAMessageComponent() { result = this.getASyntacticArgument() } } - // These are expressed using TaintTracking::FunctionModel because varargs functions don't work with Models-as-Data sumamries yet. - /** The function `Fields` that creates an `Option` that can be added to the logger out of `Field`s. */ - class FieldsFunction extends TaintTracking::FunctionModel { + /** + * DEPRECATED: Use a locally defined class instead. + * + * The function `Fields` that creates an `Option` that can be added to the logger out of `Field`s. + */ + deprecated class FieldsFunction extends Function { FieldsFunction() { this.hasQualifiedName(packagePath(), "Fields") } - - override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) { - inp.isParameter(_) and outp.isResult() - } } /** A Zap logging function which always panics. */ diff --git a/go/ql/lib/semmle/go/frameworks/stdlib/DatabaseSql.qll b/go/ql/lib/semmle/go/frameworks/stdlib/DatabaseSql.qll index 845225af5bd2..aec4ee16b656 100644 --- a/go/ql/lib/semmle/go/frameworks/stdlib/DatabaseSql.qll +++ b/go/ql/lib/semmle/go/frameworks/stdlib/DatabaseSql.qll @@ -107,24 +107,4 @@ module DatabaseSql { ) } } - - // These are expressed using TaintTracking::FunctionModel because varargs functions don't work with Models-as-Data sumamries yet. - private class SqlMethodModels extends TaintTracking::FunctionModel, Method { - FunctionInput inp; - FunctionOutput outp; - - SqlMethodModels() { - // signature: func (*Row) Scan(dest ...interface{}) error - this.hasQualifiedName("database/sql", "Row", "Scan") and - (inp.isReceiver() and outp.isParameter(_)) - or - // signature: func (*Rows) Scan(dest ...interface{}) error - this.hasQualifiedName("database/sql", "Rows", "Scan") and - (inp.isReceiver() and outp.isParameter(_)) - } - - override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) { - input = inp and output = outp - } - } } 
diff --git a/go/ql/lib/semmle/go/frameworks/stdlib/Errors.qll b/go/ql/lib/semmle/go/frameworks/stdlib/Errors.qll deleted file mode 100644 index 133a69795b81..000000000000 --- a/go/ql/lib/semmle/go/frameworks/stdlib/Errors.qll +++ /dev/null @@ -1,24 +0,0 @@ -/** - * Provides classes modeling security-relevant aspects of the `errors` package. - */ - -import go - -/** Provides models of commonly used functions in the `errors` package. */ -module Errors { - // These are expressed using TaintTracking::FunctionModel because varargs functions don't work with Models-as-Data sumamries yet. - private class FunctionModels extends TaintTracking::FunctionModel { - FunctionInput inp; - FunctionOutput outp; - - FunctionModels() { - // signature: func Join(errs ...error) error - this.hasQualifiedName("errors", "Join") and - (inp.isParameter(_) and outp.isResult()) - } - - override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) { - input = inp and output = outp - } - } -} diff --git a/go/ql/lib/semmle/go/frameworks/stdlib/Fmt.qll b/go/ql/lib/semmle/go/frameworks/stdlib/Fmt.qll index 555fd155364e..e2629c575b42 100644 --- a/go/ql/lib/semmle/go/frameworks/stdlib/Fmt.qll +++ b/go/ql/lib/semmle/go/frameworks/stdlib/Fmt.qll @@ -4,7 +4,6 @@ import go -// Some TaintTracking::FunctionModel subclasses remain because varargs functions don't work with Models-as-Data sumamries yet. /** Provides models of commonly used functions in the `fmt` package. */ module Fmt { /** 
@@ -44,24 +43,6 @@ module Fmt { override DataFlow::Node getAMessageComponent() { result = this.getASyntacticArgument() } } - /** The `Fprint` function or one of its variants. */ - private class Fprinter extends TaintTracking::FunctionModel { - Fprinter() { - // signature: func Fprint(w io.Writer, a ...interface{}) (n int, err error) - this.hasQualifiedName("fmt", "Fprint") - or - // signature: func Fprintf(w io.Writer, format string, a ...interface{}) (n int, err error) - this.hasQualifiedName("fmt", "Fprintf") - or - // signature: func Fprintln(w io.Writer, a ...interface{}) (n int, err error) - this.hasQualifiedName("fmt", "Fprintln") - } - - override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) { - input.isParameter(any(int i | i > 0)) and output.isParameter(0) - } - } - private class FmtStringFormatter extends StringOps::Formatting::Range { int argOffset; 
@@ -79,30 +60,6 @@ module Fmt { override int getFormatStringIndex() { result = argOffset } } - /** The `Sscan` function or one of its variants. */ - private class Sscanner extends TaintTracking::FunctionModel { - FunctionInput inp; - FunctionOutput outp; - - Sscanner() { - // signature: func Sscan(str string, a ...interface{}) (n int, err error) - this.hasQualifiedName("fmt", "Sscan") and - (inp.isParameter(0) and outp.isParameter(any(int i | i >= 1))) - or - // signature: func Sscanf(str string, format string, a ...interface{}) (n int, err error) - this.hasQualifiedName("fmt", "Sscanf") and - (inp.isParameter([0, 1]) and outp.isParameter(any(int i | i >= 2))) - or - // signature: func Sscanln(str string, a ...interface{}) (n int, err error) - this.hasQualifiedName("fmt", "Sscanln") and - (inp.isParameter(0) and outp.isParameter(any(int i | i >= 1))) - } - - override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) { - input = inp and output = outp - } - } - /** The `Scan` function or one of its variants, all of which read from `os.Stdin`. */ class Scanner extends Function { Scanner() { this.hasQualifiedName("fmt", ["Scan", "Scanf", "Scanln"]) } 
@@ -121,31 +78,4 @@ module Fmt { */ FunctionInput getReader() { result.isParameter(0) } } - - private class FunctionModels extends TaintTracking::FunctionModel { - FunctionInput inp; - FunctionOutput outp; - - FunctionModels() { - // signature: func Errorf(format string, a ...interface{}) error - this.hasQualifiedName("fmt", "Errorf") and - (inp.isParameter(_) and outp.isResult()) - or - // signature: func Fscan(r io.Reader, a ...interface{}) (n int, err error) - this.hasQualifiedName("fmt", "Fscan") and - (inp.isParameter(0) and outp.isParameter(any(int i | i >= 1))) - or - // signature: func Fscanf(r io.Reader, format string, a ...interface{}) (n int, err error) - this.hasQualifiedName("fmt", "Fscanf") and - (inp.isParameter([0, 1]) and outp.isParameter(any(int i | i >= 2))) - or - // signature: func Fscanln(r io.Reader, a ...interface{}) (n int, err error) - this.hasQualifiedName("fmt", "Fscanln") and - (inp.isParameter(0) and outp.isParameter(any(int i | i >= 1))) - } - - override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) { - input = inp and output = outp - } - } } diff --git a/go/ql/lib/semmle/go/frameworks/stdlib/HtmlTemplate.qll b/go/ql/lib/semmle/go/frameworks/stdlib/HtmlTemplate.qll index 19d6dfd0c552..38677a158117 100644 --- a/go/ql/lib/semmle/go/frameworks/stdlib/HtmlTemplate.qll +++ b/go/ql/lib/semmle/go/frameworks/stdlib/HtmlTemplate.qll 
@@ -24,30 +24,6 @@ module HtmlTemplate { override string kind() { result = kind } } - // These are expressed using TaintTracking::FunctionModel because varargs functions don't work with Models-as-Data sumamries yet. - private class FunctionModels extends TaintTracking::FunctionModel { - FunctionInput inp; - FunctionOutput outp; - - FunctionModels() { - // signature: func HTMLEscaper(args ...interface{}) string - this.hasQualifiedName("html/template", "HTMLEscaper") and - (inp.isParameter(_) and outp.isResult()) - or - // signature: func JSEscaper(args ...interface{}) string - this.hasQualifiedName("html/template", "JSEscaper") and - (inp.isParameter(_) and outp.isResult()) - or - // signature: func URLQueryEscaper(args ...interface{}) string - this.hasQualifiedName("html/template", "URLQueryEscaper") and - (inp.isParameter(_) and outp.isResult()) - } - - override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) { - input = inp and output = outp - } - } - private newtype TTemplateStmt = MkTemplateStmt(HTML::TextNode parent, int idx, string text) { text = parent.getText().regexpFind("(?s)\\{\\{.*?\\}\\}", idx, _) diff --git a/go/ql/lib/semmle/go/frameworks/stdlib/Io.qll b/go/ql/lib/semmle/go/frameworks/stdlib/Io.qll index f44ca36ff850..8ac913896813 100644 --- a/go/ql/lib/semmle/go/frameworks/stdlib/Io.qll +++ b/go/ql/lib/semmle/go/frameworks/stdlib/Io.qll @@ -4,7 +4,7 @@ import go -// These models are not implemented using Models-as-Data because they represent reverse flow, or are variadic. +// These models are not implemented using Models-as-Data because they represent reverse flow. /** Provides models of commonly used functions in the `io` package. */ module Io { private class FunctionModels extends TaintTracking::FunctionModel { 
@@ -12,10 +12,6 @@ module Io { FunctionOutput outp; FunctionModels() { - // signature: func MultiReader(readers ...Reader) Reader - this.hasQualifiedName("io", "MultiReader") and - (inp.isParameter(_) and outp.isResult()) - or // signature: func MultiWriter(writers ...Writer) Writer this.hasQualifiedName("io", "MultiWriter") and (inp.isResult() and outp.isParameter(_)) diff --git a/go/ql/lib/semmle/go/frameworks/stdlib/Log.qll b/go/ql/lib/semmle/go/frameworks/stdlib/Log.qll index 67b3e80cb360..f53cfbd5ed08 100644 --- a/go/ql/lib/semmle/go/frameworks/stdlib/Log.qll +++ b/go/ql/lib/semmle/go/frameworks/stdlib/Log.qll 
@@ -64,52 +64,4 @@ module Log { input = inp and output = outp } } - - // These are expressed using TaintTracking::FunctionModel because varargs functions don't work with Models-as-Data sumamries yet. - private class MethodModels extends TaintTracking::FunctionModel, Method { - FunctionInput inp; - FunctionOutput outp; - - MethodModels() { - // signature: func (*Logger) Fatal(v ...interface{}) - this.hasQualifiedName("log", "Logger", "Fatal") and - (inp.isParameter(_) and outp.isReceiver()) - or - // signature: func (*Logger) Fatalf(format string, v ...interface{}) - this.hasQualifiedName("log", "Logger", "Fatalf") and - (inp.isParameter(_) and outp.isReceiver()) - or - // signature: func (*Logger) Fatalln(v ...interface{}) - this.hasQualifiedName("log", "Logger", "Fatalln") and - (inp.isParameter(_) and outp.isReceiver()) - or - // signature: func (*Logger) Panic(v ...interface{}) - this.hasQualifiedName("log", "Logger", "Panic") and - (inp.isParameter(_) and outp.isReceiver()) - or - // signature: func (*Logger) Panicf(format string, v ...interface{}) - this.hasQualifiedName("log", "Logger", "Panicf") and - (inp.isParameter(_) and outp.isReceiver()) - or - // signature: func (*Logger) Panicln(v ...interface{}) - this.hasQualifiedName("log", "Logger", "Panicln") and - (inp.isParameter(_) and outp.isReceiver()) - or - // signature: func (*Logger) Print(v ...interface{}) - this.hasQualifiedName("log", "Logger", "Print") and - (inp.isParameter(_) and outp.isReceiver()) - or - // signature: func (*Logger) Printf(format string, v ...interface{}) - this.hasQualifiedName("log", "Logger", "Printf") and - (inp.isParameter(_) and outp.isReceiver()) - or - // signature: func (*Logger) Println(v ...interface{}) - this.hasQualifiedName("log", "Logger", "Println") and - (inp.isParameter(_) and outp.isReceiver()) - } - - override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) { - input = inp and output = outp - } - } } 
diff --git a/go/ql/lib/semmle/go/frameworks/stdlib/NetTextproto.qll b/go/ql/lib/semmle/go/frameworks/stdlib/NetTextproto.qll index 9e19e719ce51..e6e6f8950555 100644 --- a/go/ql/lib/semmle/go/frameworks/stdlib/NetTextproto.qll +++ b/go/ql/lib/semmle/go/frameworks/stdlib/NetTextproto.qll @@ -26,6 +26,7 @@ module NetTextproto { } } + // These models are not implemented using Models-as-Data because they represent reverse flow. private class MethodModels extends TaintTracking::FunctionModel, Method { FunctionInput inp; FunctionOutput outp; @@ -34,10 +35,6 @@ module NetTextproto { // signature: func (*Writer) DotWriter() io.WriteCloser this.hasQualifiedName("net/textproto", "Writer", "DotWriter") and (inp.isResult() and outp.isReceiver()) - or - // signature: func (*Writer) PrintfLine(format string, args ...interface{}) error - this.hasQualifiedName("net/textproto", "Writer", "PrintfLine") and - (inp.isParameter(_) and outp.isReceiver()) } override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) { diff --git a/go/ql/lib/semmle/go/frameworks/stdlib/Path.qll b/go/ql/lib/semmle/go/frameworks/stdlib/Path.qll deleted file mode 100644 index 98215ecd00a2..000000000000 --- a/go/ql/lib/semmle/go/frameworks/stdlib/Path.qll +++ /dev/null 
@@ -1,24 +0,0 @@ -/** - * Provides classes modeling security-relevant aspects of the `path` package. - */ - -import go - -// These are expressed using TaintTracking::FunctionModel because varargs functions don't work with Models-as-Data sumamries yet. -/** Provides models of commonly used functions in the `path` package. */ -module Path { - private class FunctionModels extends TaintTracking::FunctionModel { - FunctionInput inp; - FunctionOutput outp; - - FunctionModels() { - // signature: func Join(elem ...string) string - this.hasQualifiedName("path", "Join") and - (inp.isParameter(_) and outp.isResult()) - } - - override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) { - input = inp and output = outp - } - } -} diff --git a/go/ql/lib/semmle/go/frameworks/stdlib/PathFilepath.qll b/go/ql/lib/semmle/go/frameworks/stdlib/PathFilepath.qll deleted file mode 100644 index 379c141fb2a6..000000000000 --- a/go/ql/lib/semmle/go/frameworks/stdlib/PathFilepath.qll +++ /dev/null @@ -1,24 +0,0 @@ -/** - * Provides classes modeling security-relevant aspects of the `path/filepath` package. - */ - -import go - -// These are expressed using TaintTracking::FunctionModel because varargs functions don't work with Models-as-Data sumamries yet. -/** Provides models of commonly used functions in the `path/filepath` package. */ -module PathFilepath { - private class FunctionModels extends TaintTracking::FunctionModel { - FunctionInput inp; - FunctionOutput outp; - - FunctionModels() { - // signature: func Join(elem ...string) string - this.hasQualifiedName("path/filepath", "Join") and - (inp.isParameter(_) and outp.isResult()) - } - - override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) { - input = inp and output = outp - } - } -} diff --git a/go/ql/lib/semmle/go/frameworks/stdlib/Reflect.qll b/go/ql/lib/semmle/go/frameworks/stdlib/Reflect.qll deleted file mode 100644 index 62c09ef0c5e4..000000000000 
--- a/go/ql/lib/semmle/go/frameworks/stdlib/Reflect.qll +++ /dev/null @@ -1,24 +0,0 @@ -/** - * Provides classes modeling security-relevant aspects of the `reflect` package. - */ - -import go - -// These are expressed using TaintTracking::FunctionModel because varargs functions don't work with Models-as-Data sumamries yet. -/** Provides models of commonly used functions in the `reflect` package. */ -module Reflect { - private class FunctionModels extends TaintTracking::FunctionModel { - FunctionInput inp; - FunctionOutput outp; - - FunctionModels() { - // signature: func Append(s Value, x ...Value) Value - this.hasQualifiedName("reflect", "Append") and - (inp.isParameter(_) and outp.isResult()) - } - - override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) { - input = inp and output = outp - } - } -} diff --git a/go/ql/lib/semmle/go/frameworks/stdlib/Strings.qll b/go/ql/lib/semmle/go/frameworks/stdlib/Strings.qll deleted file mode 100644 index 96b07f5de340..000000000000 --- a/go/ql/lib/semmle/go/frameworks/stdlib/Strings.qll +++ /dev/null @@ -1,24 +0,0 @@ -/** - * Provides classes modeling security-relevant aspects of the `strings` package. - */ - -import go - -// These are expressed using TaintTracking::FunctionModel because varargs functions don't work with Models-as-Data sumamries yet. -/** Provides models of commonly used functions in the `strings` package. */ -module Strings { - private class FunctionModels extends TaintTracking::FunctionModel { - FunctionInput inp; - FunctionOutput outp; - - FunctionModels() { - // signature: func NewReplacer(oldnew ...string) *Replacer - this.hasQualifiedName("strings", "NewReplacer") and - (inp.isParameter(_) and outp.isResult()) - } - - override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) { - input = inp and output = outp - } - } -} 
diff --git a/go/ql/lib/semmle/go/frameworks/stdlib/TextTabwriter.qll b/go/ql/lib/semmle/go/frameworks/stdlib/TextTabwriter.qll index 964afecb4e6c..2598074a5405 100644 --- a/go/ql/lib/semmle/go/frameworks/stdlib/TextTabwriter.qll +++ b/go/ql/lib/semmle/go/frameworks/stdlib/TextTabwriter.qll @@ -29,10 +29,7 @@ module TextTabwriter { MethodModels() { // signature: func (*Writer) Init(output io.Writer, minwidth int, tabwidth int, padding int, padchar byte, flags uint) *Writer this.hasQualifiedName("text/tabwriter", "Writer", "Init") and - ( - inp.isResult() and - outp.isParameter(0) - ) + (inp.isResult() and outp.isParameter(0)) } override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) { diff --git a/go/ql/lib/semmle/go/frameworks/stdlib/TextTemplate.qll b/go/ql/lib/semmle/go/frameworks/stdlib/TextTemplate.qll index 4ef4da058395..f0ddbdc203e6 100644 --- a/go/ql/lib/semmle/go/frameworks/stdlib/TextTemplate.qll +++ b/go/ql/lib/semmle/go/frameworks/stdlib/TextTemplate.qll 
@@ -43,28 +43,4 @@ module TextTemplate { override DataFlow::Node getADataArgument() { result = this.getArgument(dataArg) } } - - // These are expressed using TaintTracking::FunctionModel because varargs functions don't work with Models-as-Data sumamries yet. - private class FunctionModels extends TaintTracking::FunctionModel { - FunctionInput inp; - FunctionOutput outp; - - FunctionModels() { - // signature: func HTMLEscaper(args ...interface{}) string - this.hasQualifiedName("text/template", "HTMLEscaper") and - (inp.isParameter(_) and outp.isResult()) - or - // signature: func JSEscaper(args ...interface{}) string - this.hasQualifiedName("text/template", "JSEscaper") and - (inp.isParameter(_) and outp.isResult()) - or - // signature: func URLQueryEscaper(args ...interface{}) string - this.hasQualifiedName("text/template", "URLQueryEscaper") and - (inp.isParameter(_) and outp.isResult()) - } - - override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) { - input = inp and output = outp - } - } } diff --git a/go/ql/test/library-tests/semmle/go/dataflow/FlowSteps/LocalTaintStep.expected b/go/ql/test/library-tests/semmle/go/dataflow/FlowSteps/LocalTaintStep.expected index 1397e71759d2..f35755aeb438 100644 --- a/go/ql/test/library-tests/semmle/go/dataflow/FlowSteps/LocalTaintStep.expected +++ b/go/ql/test/library-tests/semmle/go/dataflow/FlowSteps/LocalTaintStep.expected 
@@ -69,18 +69,14 @@ | url.go:57:16:57:39 | call to JoinPath | url.go:57:2:57:39 | ... := ...[0] | | url.go:57:16:57:39 | call to JoinPath | url.go:57:2:57:39 | ... := ...[1] | | url.go:57:29:57:29 | q | url.go:57:2:57:39 | ... := ...[0] | -| url.go:57:32:57:38 | "clean" | url.go:57:2:57:39 | ... := ...[0] | | url.go:58:16:58:45 | call to JoinPath | url.go:58:2:58:45 | ... := ...[0] | | url.go:58:16:58:45 | call to JoinPath | url.go:58:2:58:45 | ... := ...[1] | | url.go:58:29:58:35 | "clean" | url.go:58:2:58:45 | ... := ...[0] | -| url.go:58:38:58:44 | joined1 | url.go:58:2:58:45 | ... := ...[0] | | url.go:59:14:59:31 | call to Parse | url.go:59:2:59:31 | ... := ...[0] | | url.go:59:14:59:31 | call to Parse | url.go:59:2:59:31 | ... := ...[1] | | url.go:59:24:59:30 | joined2 | url.go:59:2:59:31 | ... := ...[0] | | url.go:60:15:60:19 | asUrl | url.go:60:15:60:37 | call to JoinPath | -| url.go:60:30:60:36 | "clean" | url.go:60:15:60:37 | call to JoinPath | | url.go:65:17:65:48 | call to Parse | url.go:65:2:65:48 | ... := ...[0] | | url.go:65:17:65:48 | call to Parse | url.go:65:2:65:48 | ... := ...[1] | | url.go:65:27:65:47 | "http://harmless.org" | url.go:65:2:65:48 | ... := ...[0] | | url.go:66:9:66:16 | cleanUrl | url.go:66:9:66:28 | call to JoinPath | -| url.go:66:27:66:27 | q | url.go:66:9:66:28 | call to JoinPath | diff --git a/go/ql/test/library-tests/semmle/go/frameworks/Spew/TaintFlows.expected b/go/ql/test/library-tests/semmle/go/frameworks/Spew/TaintFlows.expected index e69de29bb2d1..dcd41d7a1593 100644 --- a/go/ql/test/library-tests/semmle/go/frameworks/Spew/TaintFlows.expected +++ b/go/ql/test/library-tests/semmle/go/frameworks/Spew/TaintFlows.expected 
@@ -0,0 +1,5 @@
+| test.go:45:19:45:42 | comment | Missing result:hasTaintFlow="str1" |
+| test.go:48:19:48:42 | comment | Missing result:hasTaintFlow="str2" |
+| test.go:51:19:51:42 | comment | Missing result:hasTaintFlow="str3" |
+| test.go:54:19:54:42 | comment | Missing result:hasTaintFlow="str4" |
+| test.go:57:19:57:42 | comment | Missing result:hasTaintFlow="str5" |
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/StdlibTaintFlow.expected b/go/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/StdlibTaintFlow.expected
index e69de29bb2d1..d7b0ba6a73dd 100644
--- a/go/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/StdlibTaintFlow.expected
+++ b/go/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/StdlibTaintFlow.expected
@@ -0,0 +1,10 @@
+| DatabaseSql.go:99:13:99:24 | call to newSource | No flow to its sink |
+| DatabaseSql.go:104:13:104:24 | call to newSource | No flow to its sink |
+| Fmt.go:241:13:241:24 | call to newSource | No flow to its sink |
+| Fmt.go:246:13:246:24 | call to newSource | No flow to its sink |
+| Fmt.go:251:13:251:24 | call to newSource | No flow to its sink |
+| Fmt.go:256:13:256:24 | call to newSource | No flow to its sink |
+| Fmt.go:281:13:281:25 | call to newSource | No flow to its sink |
+| Fmt.go:286:13:286:25 | call to newSource | No flow to its sink |
+| Fmt.go:291:13:291:25 | call to newSource | No flow to its sink |
+| Fmt.go:296:13:296:25 | call to newSource | No flow to its sink |
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/TaintSteps/TaintStep.expected b/go/ql/test/library-tests/semmle/go/frameworks/TaintSteps/TaintStep.expected
index 64520842d762..81b40ec54ce4 100644
--- a/go/ql/test/library-tests/semmle/go/frameworks/TaintSteps/TaintStep.expected
+++ b/go/ql/test/library-tests/semmle/go/frameworks/TaintSteps/TaintStep.expected
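Review bot: Both baselines filled in here were empty before (`index e69de29bb2d1`), and every row they gain is a failure message: `Missing result:hasTaintFlow="str1"` through `"str5"` for Spew, and `No flow to its sink` for two `DatabaseSql.go` and eight `Fmt.go` sources in the StdlibTaintFlow hunk on the same line. The tests therefore pass while recording fifteen taint flows that are no longer found, which are false negatives for any security query built on these models and are invisible to someone reading only the test sources. I would keep the Spew baseline empty and mark the five expectations in `test.go` as known gaps, e.g. `// $ MISSING: hasTaintFlow="str1"`, and put a comment next to each affected `newSource` call in `DatabaseSql.go` and `Fmt.go` naming the model row that is expected to restore the flow. The test sources are not part of these hunks, so which calls are affected is inferred from the file names and line numbers only.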
@@ -24,7 +24,6 @@ | io.go:39:6:39:6 | definition of w | io.go:39:3:39:19 | ... := ...[0] | | io.go:39:11:39:19 | call to Pipe | io.go:39:3:39:19 | ... := ...[0] | | io.go:39:11:39:19 | call to Pipe | io.go:39:3:39:19 | ... := ...[1] | -| io.go:40:17:40:31 | "some string\\n" | io.go:39:6:39:6 | definition of w | | io.go:43:16:43:16 | r | io.go:42:3:42:5 | definition of buf | | io.go:44:13:44:15 | buf | io.go:44:13:44:24 | call to String | | io.go:48:31:48:43 | "some string" | io.go:48:13:48:44 | call to NewReader | @@ -44,9 +43,6 @@ | io.go:82:27:82:36 | "reader1 " | io.go:82:9:82:37 | call to NewReader | | io.go:83:27:83:36 | "reader2 " | io.go:83:9:83:37 | call to NewReader | | io.go:84:27:84:35 | "reader3" | io.go:84:9:84:36 | call to NewReader | -| io.go:85:23:85:24 | r1 | io.go:85:8:85:33 | call to MultiReader | -| io.go:85:27:85:28 | r2 | io.go:85:8:85:33 | call to MultiReader | -| io.go:85:31:85:32 | r3 | io.go:85:8:85:33 | call to MultiReader | | io.go:86:22:86:22 | r | io.go:86:11:86:19 | selection of Stdout | | io.go:89:26:89:38 | "some string" | io.go:89:8:89:39 | call to NewReader | | io.go:91:23:91:23 | r | io.go:91:10:91:30 | call to TeeReader | diff --git a/go/ql/test/query-tests/Security/CWE-022/ZipSlip.expected b/go/ql/test/query-tests/Security/CWE-022/ZipSlip.expected index 3e46b5727ccd..82b52852f43c 100644 --- a/go/ql/test/query-tests/Security/CWE-022/ZipSlip.expected +++ b/go/ql/test/query-tests/Security/CWE-022/ZipSlip.expected 
@@ -1,18 +1,28 @@ edges | UnsafeUnzipSymlinkGood.go:52:24:52:32 | definition of candidate | UnsafeUnzipSymlinkGood.go:61:53:61:61 | candidate | provenance | | -| UnsafeUnzipSymlinkGood.go:61:53:61:61 | candidate | UnsafeUnzipSymlinkGood.go:61:31:61:62 | call to Join | provenance | FunctionModel | +| UnsafeUnzipSymlinkGood.go:61:31:61:62 | []type{args} [array] | UnsafeUnzipSymlinkGood.go:61:31:61:62 | call to Join | provenance | MaD:795 | +| UnsafeUnzipSymlinkGood.go:61:53:61:61 | candidate | UnsafeUnzipSymlinkGood.go:61:31:61:62 | []type{args} [array] | provenance | | | UnsafeUnzipSymlinkGood.go:72:3:72:25 | ... := ...[0] | UnsafeUnzipSymlinkGood.go:76:24:76:38 | selection of Linkname | provenance | | | UnsafeUnzipSymlinkGood.go:72:3:72:25 | ... := ...[0] | UnsafeUnzipSymlinkGood.go:76:70:76:80 | selection of Name | provenance | | | UnsafeUnzipSymlinkGood.go:76:24:76:38 | selection of Linkname | UnsafeUnzipSymlinkGood.go:52:24:52:32 | definition of candidate | provenance | | | UnsafeUnzipSymlinkGood.go:76:70:76:80 | selection of Name | UnsafeUnzipSymlinkGood.go:52:24:52:32 | definition of candidate | provenance | | | ZipSlip.go:11:2:15:2 | range statement[1] | ZipSlip.go:12:24:12:29 | selection of Name | provenance | | | ZipSlip.go:12:3:12:30 | ... := ...[0] | ZipSlip.go:14:20:14:20 | p | provenance | | -| ZipSlip.go:12:24:12:29 | selection of Name | ZipSlip.go:12:3:12:30 | ... := ...[0] | provenance | MaD:747 | +| ZipSlip.go:12:24:12:29 | selection of Name | ZipSlip.go:12:3:12:30 | ... := ...[0] | provenance | MaD:787 | | tarslip.go:15:2:15:30 | ... := ...[0] | tarslip.go:16:23:16:33 | selection of Name | provenance | | -| tarslip.go:16:23:16:33 | selection of Name | tarslip.go:16:14:16:34 | call to Dir | provenance | MaD:762 | +| tarslip.go:16:23:16:33 | selection of Name | tarslip.go:16:14:16:34 | call to Dir | provenance | MaD:803 | +| tarslip.go:31:2:31:30 | ... 
:= ...[0] | tarslip.go:35:23:35:33 | selection of Name | provenance | | +| tarslip.go:35:23:35:33 | selection of Name | tarslip.go:35:14:35:34 | call to Dir | provenance | MaD:803 | +| tarslip.go:50:2:50:30 | ... := ...[0] | tarslip.go:54:23:54:33 | selection of Name | provenance | | +| tarslip.go:54:23:54:33 | selection of Name | tarslip.go:54:14:54:34 | call to Dir | provenance | MaD:803 | +| tarslip.go:67:2:67:30 | ... := ...[0] | tarslip.go:71:23:71:33 | selection of Name | provenance | | +| tarslip.go:71:23:71:33 | selection of Name | tarslip.go:71:14:71:34 | call to Dir | provenance | MaD:803 | +| tarslip.go:85:2:85:30 | ... := ...[0] | tarslip.go:89:23:89:33 | selection of Name | provenance | | +| tarslip.go:89:23:89:33 | selection of Name | tarslip.go:89:14:89:34 | call to Dir | provenance | MaD:803 | | tst.go:23:2:43:2 | range statement[1] | tst.go:29:20:29:23 | path | provenance | | nodes | UnsafeUnzipSymlinkGood.go:52:24:52:32 | definition of candidate | semmle.label | definition of candidate | +| UnsafeUnzipSymlinkGood.go:61:31:61:62 | []type{args} [array] | semmle.label | []type{args} [array] | | UnsafeUnzipSymlinkGood.go:61:31:61:62 | call to Join | semmle.label | call to Join | | UnsafeUnzipSymlinkGood.go:61:53:61:61 | candidate | semmle.label | candidate | | UnsafeUnzipSymlinkGood.go:72:3:72:25 | ... := ...[0] | semmle.label | ... := ...[0] | 
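Review bot: The `tarslip.go` alerts at lines 35, 54, 71 and 89 have no counterpart among the removed rows, so they are new findings rather than renumbered ones; they first appear as edges in this hunk and again in the `nodes` and `#select` hunks that follow. If those functions were written as sanitized variants of the extraction at line 16, the baseline now accepts four false positives for the path-traversal query; if they are intended true positives, a short comment such as `// BAD: archive entry name reaches the file system without a '..' check` on each flagged line of the test source would make that explicit. The test source is not visible here, so which of the two applies needs confirming. Separately, the `MaD:747` to `MaD:787` and `MaD:762` to `MaD:803` changes appear to come only from model rows being renumbered, which will churn this file whenever a model row is added.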
@@ -25,6 +35,18 @@ nodes | tarslip.go:15:2:15:30 | ... := ...[0] | semmle.label | ... := ...[0] | | tarslip.go:16:14:16:34 | call to Dir | semmle.label | call to Dir | | tarslip.go:16:23:16:33 | selection of Name | semmle.label | selection of Name | +| tarslip.go:31:2:31:30 | ... := ...[0] | semmle.label | ... := ...[0] | +| tarslip.go:35:14:35:34 | call to Dir | semmle.label | call to Dir | +| tarslip.go:35:23:35:33 | selection of Name | semmle.label | selection of Name | +| tarslip.go:50:2:50:30 | ... := ...[0] | semmle.label | ... := ...[0] | +| tarslip.go:54:14:54:34 | call to Dir | semmle.label | call to Dir | +| tarslip.go:54:23:54:33 | selection of Name | semmle.label | selection of Name | +| tarslip.go:67:2:67:30 | ... := ...[0] | semmle.label | ... := ...[0] | +| tarslip.go:71:14:71:34 | call to Dir | semmle.label | call to Dir | +| tarslip.go:71:23:71:33 | selection of Name | semmle.label | selection of Name | +| tarslip.go:85:2:85:30 | ... := ...[0] | semmle.label | ... := ...[0] | +| tarslip.go:89:14:89:34 | call to Dir | semmle.label | call to Dir | +| tarslip.go:89:23:89:33 | selection of Name | semmle.label | selection of Name | | tst.go:23:2:43:2 | range statement[1] | semmle.label | range statement[1] | | tst.go:29:20:29:23 | path | semmle.label | path | subpaths 
@@ -32,4 +54,8 @@ subpaths | UnsafeUnzipSymlinkGood.go:72:3:72:25 | ... := ...[0] | UnsafeUnzipSymlinkGood.go:72:3:72:25 | ... := ...[0] | UnsafeUnzipSymlinkGood.go:61:31:61:62 | call to Join | Unsanitized archive entry, which may contain '..', is used in a $@. | UnsafeUnzipSymlinkGood.go:61:31:61:62 | call to Join | file system operation | | ZipSlip.go:11:2:15:2 | range statement[1] | ZipSlip.go:11:2:15:2 | range statement[1] | ZipSlip.go:14:20:14:20 | p | Unsanitized archive entry, which may contain '..', is used in a $@. | ZipSlip.go:14:20:14:20 | p | file system operation | | tarslip.go:15:2:15:30 | ... := ...[0] | tarslip.go:15:2:15:30 | ... := ...[0] | tarslip.go:16:14:16:34 | call to Dir | Unsanitized archive entry, which may contain '..', is used in a $@. | tarslip.go:16:14:16:34 | call to Dir | file system operation | +| tarslip.go:31:2:31:30 | ... := ...[0] | tarslip.go:31:2:31:30 | ... := ...[0] | tarslip.go:35:14:35:34 | call to Dir | Unsanitized archive entry, which may contain '..', is used in a $@. | tarslip.go:35:14:35:34 | call to Dir | file system operation | +| tarslip.go:50:2:50:30 | ... := ...[0] | tarslip.go:50:2:50:30 | ... := ...[0] | tarslip.go:54:14:54:34 | call to Dir | Unsanitized archive entry, which may contain '..', is used in a $@. | tarslip.go:54:14:54:34 | call to Dir | file system operation | +| tarslip.go:67:2:67:30 | ... := ...[0] | tarslip.go:67:2:67:30 | ... := ...[0] | tarslip.go:71:14:71:34 | call to Dir | Unsanitized archive entry, which may contain '..', is used in a $@. | tarslip.go:71:14:71:34 | call to Dir | file system operation | +| tarslip.go:85:2:85:30 | ... := ...[0] | tarslip.go:85:2:85:30 | ... := ...[0] | tarslip.go:89:14:89:34 | call to Dir | Unsanitized archive entry, which may contain '..', is used in a $@. 
| tarslip.go:89:14:89:34 | call to Dir | file system operation | | tst.go:23:2:43:2 | range statement[1] | tst.go:23:2:43:2 | range statement[1] | tst.go:29:20:29:23 | path | Unsanitized archive entry, which may contain '..', is used in a $@. | tst.go:29:20:29:23 | path | file system operation | diff --git a/go/ql/test/query-tests/Security/CWE-078/StoredCommand.expected b/go/ql/test/query-tests/Security/CWE-078/StoredCommand.expected index fa97b5b423e9..e217064d1dfc 100644 --- a/go/ql/test/query-tests/Security/CWE-078/StoredCommand.expected +++ b/go/ql/test/query-tests/Security/CWE-078/StoredCommand.expected @@ -1,13 +1,4 @@ edges -| StoredCommand.go:11:2:11:27 | ... := ...[0] | StoredCommand.go:13:2:13:5 | rows | provenance | | -| StoredCommand.go:13:2:13:5 | rows | StoredCommand.go:13:12:13:19 | &... | provenance | FunctionModel | -| StoredCommand.go:13:12:13:19 | &... | StoredCommand.go:13:12:13:19 | &... | provenance | | -| StoredCommand.go:13:12:13:19 | &... | StoredCommand.go:14:22:14:28 | cmdName | provenance | | nodes -| StoredCommand.go:11:2:11:27 | ... := ...[0] | semmle.label | ... := ...[0] | -| StoredCommand.go:13:2:13:5 | rows | semmle.label | rows | -| StoredCommand.go:13:12:13:19 | &... | semmle.label | &... | -| StoredCommand.go:14:22:14:28 | cmdName | semmle.label | cmdName | subpaths #select -| StoredCommand.go:14:22:14:28 | cmdName | StoredCommand.go:11:2:11:27 | ... := ...[0] | StoredCommand.go:14:22:14:28 | cmdName | This command depends on a $@. | StoredCommand.go:11:2:11:27 | ... := ...[0] | stored value | diff --git a/go/ql/test/query-tests/Security/CWE-079/StoredXss.expected b/go/ql/test/query-tests/Security/CWE-079/StoredXss.expected index dfbfac29d867..2caac58319a2 100644 --- a/go/ql/test/query-tests/Security/CWE-079/StoredXss.expected +++ b/go/ql/test/query-tests/Security/CWE-079/StoredXss.expected 
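Review bot: The StoredCommand hunk deletes the only `#select` row (`StoredCommand.go:14:22:14:28 | cmdName`), leaving the CWE-078 stored-command test with an empty result set, so it no longer shows that the query detects anything. The lost path depended on the edge `rows` to `&...` with provenance `FunctionModel`, which suggests the step from a result set into its pointer arguments (presumably a `Scan` call) was supplied by a QL model that nothing reproduces yet. The StoredXss hunk that follows drops `stored.go:30:22:30:25 | name` through the same kind of edge. I would keep a QL `TaintTracking::FunctionModel` for that step until the replacement yields these two alerts again, or at least record the known false negatives in the change note so users of the stored-command and stored-XSS queries are aware of the gap.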
@@ -1,21 +1,12 @@ edges | StoredXss.go:13:21:13:31 | call to Name | StoredXss.go:13:21:13:36 | ...+... | provenance | | -| stored.go:18:3:18:28 | ... := ...[0] | stored.go:25:14:25:17 | rows | provenance | | -| stored.go:25:14:25:17 | rows | stored.go:25:29:25:33 | &... | provenance | FunctionModel | -| stored.go:25:29:25:33 | &... | stored.go:25:29:25:33 | &... | provenance | | -| stored.go:25:29:25:33 | &... | stored.go:30:22:30:25 | name | provenance | | | stored.go:59:30:59:33 | definition of path | stored.go:61:22:61:25 | path | provenance | | nodes | StoredXss.go:13:21:13:31 | call to Name | semmle.label | call to Name | | StoredXss.go:13:21:13:36 | ...+... | semmle.label | ...+... | -| stored.go:18:3:18:28 | ... := ...[0] | semmle.label | ... := ...[0] | -| stored.go:25:14:25:17 | rows | semmle.label | rows | -| stored.go:25:29:25:33 | &... | semmle.label | &... | -| stored.go:30:22:30:25 | name | semmle.label | name | | stored.go:59:30:59:33 | definition of path | semmle.label | definition of path | | stored.go:61:22:61:25 | path | semmle.label | path | subpaths #select | StoredXss.go:13:21:13:36 | ...+... | StoredXss.go:13:21:13:31 | call to Name | StoredXss.go:13:21:13:36 | ...+... | Stored cross-site scripting vulnerability due to $@. | StoredXss.go:13:21:13:31 | call to Name | stored value | -| stored.go:30:22:30:25 | name | stored.go:18:3:18:28 | ... := ...[0] | stored.go:30:22:30:25 | name | Stored cross-site scripting vulnerability due to $@. | stored.go:18:3:18:28 | ... := ...[0] | stored value | | stored.go:61:22:61:25 | path | stored.go:59:30:59:33 | definition of path | stored.go:61:22:61:25 | path | Stored cross-site scripting vulnerability due to $@. | stored.go:59:30:59:33 | definition of path | stored value |