Merge branch 'standard-lib-pt-12' into stdlib-339-340-342-346-347

2026-01-29 14:23:03 +01:00 · 2020-09-22 18:42:46 +02:00
parent 1a5d582750 4127cb5cc4
commit 0510404112
7 changed files with 516 additions and 298 deletions
--- a/ql/src/semmle/go/frameworks/Stdlib.qll
+++ b/ql/src/semmle/go/frameworks/Stdlib.qll
@@ -38,6 +38,8 @@ import semmle.go.frameworks.stdlib.NetHttpHttputil
 import semmle.go.frameworks.stdlib.NetMail
 import semmle.go.frameworks.stdlib.NetTextproto
 import semmle.go.frameworks.stdlib.Log
+import semmle.go.frameworks.stdlib.Io
+import semmle.go.frameworks.stdlib.IoIoutil
 import semmle.go.frameworks.stdlib.Path
 import semmle.go.frameworks.stdlib.PathFilepath
 import semmle.go.frameworks.stdlib.Reflect
@@ -89,255 +91,6 @@ private class CopyFunction extends TaintTracking::FunctionModel {
  }
 }

-/** Provides models of commonly used functions in the `io` package. */
-module Io {
-  private class Copy extends TaintTracking::FunctionModel {
-    Copy() {
-      // func Copy(dst Writer, src Reader) (written int64, err error)
-      // func CopyBuffer(dst Writer, src Reader, buf []byte) (written int64, err error)
-      // func CopyN(dst Writer, src Reader, n int64) (written int64, err error)
-      hasQualifiedName("io", "Copy") or
-      hasQualifiedName("io", "CopyBuffer") or
-      hasQualifiedName("io", "CopyN")
-    }
-
-    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-      input.isParameter(1) and output.isParameter(0)
-    }
-  }
-
-  private class Pipe extends TaintTracking::FunctionModel {
-    Pipe() {
-      // func Pipe() (*PipeReader, *PipeWriter)
-      hasQualifiedName("io", "Pipe")
-    }
-
-    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-      input.isResult(0) and output.isResult(1)
-    }
-  }
-
-  private class ReadAtLeast extends TaintTracking::FunctionModel {
-    ReadAtLeast() {
-      // func ReadAtLeast(r Reader, buf []byte, min int) (n int, err error)
-      // func ReadFull(r Reader, buf []byte) (n int, err error)
-      hasQualifiedName("io", "ReadAtLeast") or
-      hasQualifiedName("io", "ReadFull")
-    }
-
-    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-      input.isParameter(0) and output.isParameter(1)
-    }
-  }
-
-  private class WriteString extends TaintTracking::FunctionModel {
-    WriteString() {
-      // func WriteString(w Writer, s string) (n int, err error)
-      this.hasQualifiedName("io", "WriteString")
-    }
-
-    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-      input.isParameter(1) and output.isParameter(0)
-    }
-  }
-
-  private class ByteReaderReadByte extends TaintTracking::FunctionModel, Method {
-    ByteReaderReadByte() {
-      // func ReadByte() (byte, error)
-      this.implements("io", "ByteReader", "ReadByte")
-    }
-
-    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-      input.isReceiver() and output.isResult(0)
-    }
-  }
-
-  private class ByteWriterWriteByte extends TaintTracking::FunctionModel, Method {
-    ByteWriterWriteByte() {
-      // func WriteByte(c byte) error
-      this.implements("io", "ByteWriter", "WriteByte")
-    }
-
-    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-      input.isParameter(0) and output.isReceiver()
-    }
-  }
-
-  private class ReaderRead extends TaintTracking::FunctionModel, Method {
-    ReaderRead() {
-      // func Read(p []byte) (n int, err error)
-      this.implements("io", "Reader", "Read")
-    }
-
-    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-      input.isReceiver() and output.isParameter(0)
-    }
-  }
-
-  private class LimitReader extends TaintTracking::FunctionModel {
-    LimitReader() {
-      // func LimitReader(r Reader, n int64) Reader
-      this.hasQualifiedName("io", "LimitReader")
-    }
-
-    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-      input.isParameter(0) and output.isResult()
-    }
-  }
-
-  private class MultiReader extends TaintTracking::FunctionModel {
-    MultiReader() {
-      // func MultiReader(readers ...Reader) Reader
-      this.hasQualifiedName("io", "MultiReader")
-    }
-
-    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-      input.isParameter(_) and output.isResult()
-    }
-  }
-
-  private class TeeReader extends TaintTracking::FunctionModel {
-    TeeReader() {
-      // func TeeReader(r Reader, w Writer) Reader
-      this.hasQualifiedName("io", "TeeReader")
-    }
-
-    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-      input.isParameter(0) and output.isResult()
-      or
-      input.isParameter(0) and output.isParameter(1)
-    }
-  }
-
-  private class ReaderAtReadAt extends TaintTracking::FunctionModel, Method {
-    ReaderAtReadAt() {
-      // func ReadAt(p []byte, off int64) (n int, err error)
-      this.implements("io", "ReaderAt", "ReadAt")
-    }
-
-    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-      input.isReceiver() and output.isParameter(0)
-    }
-  }
-
-  private class ReaderFromReadFrom extends TaintTracking::FunctionModel, Method {
-    ReaderFromReadFrom() {
-      // func ReadFrom(r Reader) (n int64, err error)
-      this.implements("io", "ReaderFrom", "ReadFrom")
-    }
-
-    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-      input.isParameter(0) and output.isReceiver()
-    }
-  }
-
-  private class RuneReaderReadRune extends TaintTracking::FunctionModel, Method {
-    RuneReaderReadRune() {
-      // func ReadRune() (r rune, size int, err error)
-      this.implements("io", "RuneReader", "ReadRune")
-    }
-
-    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-      input.isReceiver() and output.isResult(0)
-    }
-  }
-
-  private class NewSectionReader extends TaintTracking::FunctionModel {
-    NewSectionReader() {
-      // func NewSectionReader(r ReaderAt, off int64, n int64) *SectionReader
-      this.hasQualifiedName("io", "NewSectionReader")
-    }
-
-    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-      input.isParameter(0) and output.isResult()
-    }
-  }
-
-  private class StringWriterWriteString extends TaintTracking::FunctionModel, Method {
-    StringWriterWriteString() {
-      // func WriteString(s string) (n int, err error)
-      this.implements("io", "StringWriter", "WriteString")
-    }
-
-    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-      input.isParameter(0) and output.isReceiver()
-    }
-  }
-
-  private class WriterWrite extends TaintTracking::FunctionModel, Method {
-    WriterWrite() {
-      // func Write(p []byte) (n int, err error)
-      this.implements("io", "Writer", "Write")
-    }
-
-    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-      input.isParameter(0) and output.isReceiver()
-    }
-  }
-
-  private class MultiWriter extends TaintTracking::FunctionModel {
-    MultiWriter() {
-      // func MultiWriter(writers ...Writer) Writer
-      hasQualifiedName("io", "MultiWriter")
-    }
-
-    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-      input.isResult() and output.isParameter(_)
-    }
-  }
-
-  private class WriterAtWriteAt extends TaintTracking::FunctionModel, Method {
-    WriterAtWriteAt() {
-      // func WriteAt(p []byte, off int64) (n int, err error)
-      this.implements("io", "WriterAt", "WriteAt")
-    }
-
-    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-      input.isParameter(0) and output.isReceiver()
-    }
-  }
-
-  private class WriterToWriteTo extends TaintTracking::FunctionModel, Method {
-    WriterToWriteTo() {
-      // func WriteTo(w Writer) (n int64, err error)
-      this.implements("io", "WriterTo", "WriteTo")
-    }
-
-    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-      input.isReceiver() and output.isParameter(0)
-    }
-  }
-}
-
-/** Provides models of commonly used functions in the `io/ioutil` package. */
-module IoUtil {
-  private class IoUtilFileSystemAccess extends FileSystemAccess::Range, DataFlow::CallNode {
-    IoUtilFileSystemAccess() {
-      exists(string fn | getTarget().hasQualifiedName("io/ioutil", fn) |
-        fn = "ReadDir" or
-        fn = "ReadFile" or
-        fn = "TempDir" or
-        fn = "TempFile" or
-        fn = "WriteFile"
-      )
-    }
-
-    override DataFlow::Node getAPathArgument() { result = getAnArgument() }
-  }
-
-  /**
-   * A taint model of the `ioutil.ReadAll` function, recording that it propagates taint
-   * from its first argument to its first result.
-   */
-  private class ReadAll extends TaintTracking::FunctionModel {
-    ReadAll() { hasQualifiedName("io/ioutil", "ReadAll") }
-
-    override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) {
-      inp.isParameter(0) and outp.isResult(0)
-    }
-  }
-}
-
 /** Provides a class for modeling functions which convert strings into integers. */
 module IntegerParser {
  /**
--- a/ql/src/semmle/go/frameworks/stdlib/Io.qll
+++ b/ql/src/semmle/go/frameworks/stdlib/Io.qll
@@ -0,0 +1,109 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `io` package.
+ */
+
+import go
+
+/** Provides models of commonly used functions in the `io` package. */
+module Io {
+  private class FunctionModels extends TaintTracking::FunctionModel {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    FunctionModels() {
+      // signature: func Copy(dst Writer, src Reader) (written int64, err error)
+      hasQualifiedName("io", "Copy") and
+      (inp.isParameter(1) and outp.isParameter(0))
+      or
+      // signature: func CopyBuffer(dst Writer, src Reader, buf []byte) (written int64, err error)
+      hasQualifiedName("io", "CopyBuffer") and
+      (inp.isParameter(1) and outp.isParameter(0))
+      or
+      // signature: func CopyN(dst Writer, src Reader, n int64) (written int64, err error)
+      hasQualifiedName("io", "CopyN") and
+      (inp.isParameter(1) and outp.isParameter(0))
+      or
+      // signature: func LimitReader(r Reader, n int64) Reader
+      hasQualifiedName("io", "LimitReader") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func MultiReader(readers ...Reader) Reader
+      hasQualifiedName("io", "MultiReader") and
+      (inp.isParameter(_) and outp.isResult())
+      or
+      // signature: func MultiWriter(writers ...Writer) Writer
+      hasQualifiedName("io", "MultiWriter") and
+      (inp.isResult() and outp.isParameter(_))
+      or
+      // signature: func NewSectionReader(r ReaderAt, off int64, n int64) *SectionReader
+      hasQualifiedName("io", "NewSectionReader") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func Pipe() (*PipeReader, *PipeWriter)
+      hasQualifiedName("io", "Pipe") and
+      (inp.isResult(1) and outp.isResult(0))
+      or
+      // signature: func ReadAtLeast(r Reader, buf []byte, min int) (n int, err error)
+      hasQualifiedName("io", "ReadAtLeast") and
+      (inp.isParameter(0) and outp.isParameter(1))
+      or
+      // signature: func ReadFull(r Reader, buf []byte) (n int, err error)
+      hasQualifiedName("io", "ReadFull") and
+      (inp.isParameter(0) and outp.isParameter(1))
+      or
+      // signature: func TeeReader(r Reader, w Writer) Reader
+      hasQualifiedName("io", "TeeReader") and
+      (
+        inp.isParameter(0) and
+        (outp.isParameter(1) or outp.isResult())
+      )
+      or
+      // signature: func WriteString(w Writer, s string) (n int, err error)
+      hasQualifiedName("io", "WriteString") and
+      (inp.isParameter(1) and outp.isParameter(0))
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+
+  private class MethodModels extends TaintTracking::FunctionModel, Method {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    MethodModels() {
+      // signature: func (Reader).Read(p []byte) (n int, err error)
+      this.implements("io", "Reader", "Read") and
+      (inp.isReceiver() and outp.isParameter(0))
+      or
+      // signature: func (ReaderAt).ReadAt(p []byte, off int64) (n int, err error)
+      this.implements("io", "ReaderAt", "ReadAt") and
+      (inp.isReceiver() and outp.isParameter(0))
+      or
+      // signature: func (ReaderFrom).ReadFrom(r Reader) (n int64, err error)
+      this.implements("io", "ReaderFrom", "ReadFrom") and
+      (inp.isParameter(0) and outp.isReceiver())
+      or
+      // signature: func (Writer).Write(p []byte) (n int, err error)
+      this.implements("io", "Writer", "Write") and
+      (inp.isParameter(0) and outp.isReceiver())
+      or
+      // signature: func (WriterAt).WriteAt(p []byte, off int64) (n int, err error)
+      this.implements("io", "WriterAt", "WriteAt") and
+      (inp.isParameter(0) and outp.isReceiver())
+      or
+      // signature: func (StringWriter).WriteString(s string) (n int, err error)
+      this.implements("io", "StringWriter", "WriteString") and
+      (inp.isParameter(0) and outp.isReceiver())
+      or
+      // signature: func (WriterTo).WriteTo(w Writer) (n int64, err error)
+      this.implements("io", "WriterTo", "WriteTo") and
+      (inp.isReceiver() and outp.isParameter(0))
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+}
--- a/ql/src/semmle/go/frameworks/stdlib/IoIoutil.qll
+++ b/ql/src/semmle/go/frameworks/stdlib/IoIoutil.qll
@@ -0,0 +1,41 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `io/ioutil` package.
+ */
+
+import go
+
+/** Provides models of commonly used functions in the `io/ioutil` package. */
+module IoIoutil {
+  private class IoUtilFileSystemAccess extends FileSystemAccess::Range, DataFlow::CallNode {
+    IoUtilFileSystemAccess() {
+      exists(string fn | getTarget().hasQualifiedName("io/ioutil", fn) |
+        fn = "ReadDir" or
+        fn = "ReadFile" or
+        fn = "TempDir" or
+        fn = "TempFile" or
+        fn = "WriteFile"
+      )
+    }
+
+    override DataFlow::Node getAPathArgument() { result = getAnArgument() }
+  }
+
+  private class FunctionModels extends TaintTracking::FunctionModel {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    FunctionModels() {
+      // signature: func NopCloser(r io.Reader) io.ReadCloser
+      hasQualifiedName("io/ioutil", "NopCloser") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func ReadAll(r io.Reader) ([]byte, error)
+      hasQualifiedName("io/ioutil", "ReadAll") and
+      (inp.isParameter(0) and outp.isResult(0))
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+}
--- a/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Io.go
+++ b/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Io.go
@@ -0,0 +1,305 @@
+// Code generated by https://github.com/gagliardetto/codebox. DO NOT EDIT.
+
+package main
+
+import "io"
+
+func TaintStepTest_IoCopy_B0I0O0(sourceCQL interface{}) interface{} {
+	fromReader656 := sourceCQL.(io.Reader)
+	var intoWriter414 io.Writer
+	io.Copy(intoWriter414, fromReader656)
+	return intoWriter414
+}
+
+func TaintStepTest_IoCopyBuffer_B0I0O0(sourceCQL interface{}) interface{} {
+	fromReader518 := sourceCQL.(io.Reader)
+	var intoWriter650 io.Writer
+	io.CopyBuffer(intoWriter650, fromReader518, nil)
+	return intoWriter650
+}
+
+func TaintStepTest_IoCopyN_B0I0O0(sourceCQL interface{}) interface{} {
+	fromReader784 := sourceCQL.(io.Reader)
+	var intoWriter957 io.Writer
+	io.CopyN(intoWriter957, fromReader784, 0)
+	return intoWriter957
+}
+
+func TaintStepTest_IoLimitReader_B0I0O0(sourceCQL interface{}) interface{} {
+	fromReader520 := sourceCQL.(io.Reader)
+	intoReader443 := io.LimitReader(fromReader520, 0)
+	return intoReader443
+}
+
+func TaintStepTest_IoMultiReader_B0I0O0(sourceCQL interface{}) interface{} {
+	fromReader127 := sourceCQL.(io.Reader)
+	intoReader483 := io.MultiReader(fromReader127)
+	return intoReader483
+}
+
+func TaintStepTest_IoMultiWriter_B0I0O0(sourceCQL interface{}) interface{} {
+	fromWriter989 := sourceCQL.(io.Writer)
+	var intoWriter982 io.Writer
+	intermediateCQL := io.MultiWriter(intoWriter982)
+	link(fromWriter989, intermediateCQL)
+	return intoWriter982
+}
+
+func TaintStepTest_IoNewSectionReader_B0I0O0(sourceCQL interface{}) interface{} {
+	fromReaderAt417 := sourceCQL.(io.ReaderAt)
+	intoSectionReader584 := io.NewSectionReader(fromReaderAt417, 0, 0)
+	return intoSectionReader584
+}
+
+func TaintStepTest_IoPipe_B0I0O0(sourceCQL interface{}) interface{} {
+	fromPipeWriter991 := sourceCQL.(*io.PipeWriter)
+	intoPipeReader881, intermediateCQL := io.Pipe()
+	link(fromPipeWriter991, intermediateCQL)
+	return intoPipeReader881
+}
+
+func TaintStepTest_IoReadAtLeast_B0I0O0(sourceCQL interface{}) interface{} {
+	fromReader186 := sourceCQL.(io.Reader)
+	var intoByte284 []byte
+	io.ReadAtLeast(fromReader186, intoByte284, 0)
+	return intoByte284
+}
+
+func TaintStepTest_IoReadFull_B0I0O0(sourceCQL interface{}) interface{} {
+	fromReader908 := sourceCQL.(io.Reader)
+	var intoByte137 []byte
+	io.ReadFull(fromReader908, intoByte137)
+	return intoByte137
+}
+
+func TaintStepTest_IoTeeReader_B0I0O0(sourceCQL interface{}) interface{} {
+	fromReader494 := sourceCQL.(io.Reader)
+	var intoWriter873 io.Writer
+	io.TeeReader(fromReader494, intoWriter873)
+	return intoWriter873
+}
+
+func TaintStepTest_IoTeeReader_B0I0O1(sourceCQL interface{}) interface{} {
+	fromReader599 := sourceCQL.(io.Reader)
+	intoReader409 := io.TeeReader(fromReader599, nil)
+	return intoReader409
+}
+
+func TaintStepTest_IoWriteString_B0I0O0(sourceCQL interface{}) interface{} {
+	fromString246 := sourceCQL.(string)
+	var intoWriter898 io.Writer
+	io.WriteString(intoWriter898, fromString246)
+	return intoWriter898
+}
+
+func TaintStepTest_IoLimitedReaderRead_B0I0O0(sourceCQL interface{}) interface{} {
+	fromLimitedReader598 := sourceCQL.(io.LimitedReader)
+	var intoByte631 []byte
+	fromLimitedReader598.Read(intoByte631)
+	return intoByte631
+}
+
+func TaintStepTest_IoPipeReaderRead_B0I0O0(sourceCQL interface{}) interface{} {
+	fromPipeReader165 := sourceCQL.(io.PipeReader)
+	var intoByte150 []byte
+	fromPipeReader165.Read(intoByte150)
+	return intoByte150
+}
+
+func TaintStepTest_IoPipeWriterWrite_B0I0O0(sourceCQL interface{}) interface{} {
+	fromByte340 := sourceCQL.([]byte)
+	var intoPipeWriter471 io.PipeWriter
+	intoPipeWriter471.Write(fromByte340)
+	return intoPipeWriter471
+}
+
+func TaintStepTest_IoSectionReaderRead_B0I0O0(sourceCQL interface{}) interface{} {
+	fromSectionReader290 := sourceCQL.(io.SectionReader)
+	var intoByte758 []byte
+	fromSectionReader290.Read(intoByte758)
+	return intoByte758
+}
+
+func TaintStepTest_IoSectionReaderReadAt_B0I0O0(sourceCQL interface{}) interface{} {
+	fromSectionReader396 := sourceCQL.(io.SectionReader)
+	var intoByte707 []byte
+	fromSectionReader396.ReadAt(intoByte707, 0)
+	return intoByte707
+}
+
+func TaintStepTest_IoReaderRead_B0I0O0(sourceCQL interface{}) interface{} {
+	fromReader912 := sourceCQL.(io.Reader)
+	var intoByte718 []byte
+	fromReader912.Read(intoByte718)
+	return intoByte718
+}
+
+func TaintStepTest_IoReaderAtReadAt_B0I0O0(sourceCQL interface{}) interface{} {
+	fromReaderAt972 := sourceCQL.(io.ReaderAt)
+	var intoByte633 []byte
+	fromReaderAt972.ReadAt(intoByte633, 0)
+	return intoByte633
+}
+
+func TaintStepTest_IoReaderFromReadFrom_B0I0O0(sourceCQL interface{}) interface{} {
+	fromReader316 := sourceCQL.(io.Reader)
+	var intoReaderFrom145 io.ReaderFrom
+	intoReaderFrom145.ReadFrom(fromReader316)
+	return intoReaderFrom145
+}
+
+func TaintStepTest_IoWriterWrite_B0I0O0(sourceCQL interface{}) interface{} {
+	fromByte817 := sourceCQL.([]byte)
+	var intoWriter474 io.Writer
+	intoWriter474.Write(fromByte817)
+	return intoWriter474
+}
+
+func TaintStepTest_IoWriterAtWriteAt_B0I0O0(sourceCQL interface{}) interface{} {
+	fromByte832 := sourceCQL.([]byte)
+	var intoWriterAt378 io.WriterAt
+	intoWriterAt378.WriteAt(fromByte832, 0)
+	return intoWriterAt378
+}
+
+func TaintStepTest_IoStringWriterWriteString_B0I0O0(sourceCQL interface{}) interface{} {
+	fromString541 := sourceCQL.(string)
+	var intoStringWriter139 io.StringWriter
+	intoStringWriter139.WriteString(fromString541)
+	return intoStringWriter139
+}
+
+func TaintStepTest_IoWriterToWriteTo_B0I0O0(sourceCQL interface{}) interface{} {
+	fromWriterTo814 := sourceCQL.(io.WriterTo)
+	var intoWriter768 io.Writer
+	fromWriterTo814.WriteTo(intoWriter768)
+	return intoWriter768
+}
+
+func RunAllTaints_Io() {
+	{
+		source := newSource(0)
+		out := TaintStepTest_IoCopy_B0I0O0(source)
+		sink(0, out)
+	}
+	{
+		source := newSource(1)
+		out := TaintStepTest_IoCopyBuffer_B0I0O0(source)
+		sink(1, out)
+	}
+	{
+		source := newSource(2)
+		out := TaintStepTest_IoCopyN_B0I0O0(source)
+		sink(2, out)
+	}
+	{
+		source := newSource(3)
+		out := TaintStepTest_IoLimitReader_B0I0O0(source)
+		sink(3, out)
+	}
+	{
+		source := newSource(4)
+		out := TaintStepTest_IoMultiReader_B0I0O0(source)
+		sink(4, out)
+	}
+	{
+		source := newSource(5)
+		out := TaintStepTest_IoMultiWriter_B0I0O0(source)
+		sink(5, out)
+	}
+	{
+		source := newSource(6)
+		out := TaintStepTest_IoNewSectionReader_B0I0O0(source)
+		sink(6, out)
+	}
+	{
+		source := newSource(7)
+		out := TaintStepTest_IoPipe_B0I0O0(source)
+		sink(7, out)
+	}
+	{
+		source := newSource(8)
+		out := TaintStepTest_IoReadAtLeast_B0I0O0(source)
+		sink(8, out)
+	}
+	{
+		source := newSource(9)
+		out := TaintStepTest_IoReadFull_B0I0O0(source)
+		sink(9, out)
+	}
+	{
+		source := newSource(10)
+		out := TaintStepTest_IoTeeReader_B0I0O0(source)
+		sink(10, out)
+	}
+	{
+		source := newSource(11)
+		out := TaintStepTest_IoTeeReader_B0I0O1(source)
+		sink(11, out)
+	}
+	{
+		source := newSource(12)
+		out := TaintStepTest_IoWriteString_B0I0O0(source)
+		sink(12, out)
+	}
+	{
+		source := newSource(13)
+		out := TaintStepTest_IoLimitedReaderRead_B0I0O0(source)
+		sink(13, out)
+	}
+	{
+		source := newSource(14)
+		out := TaintStepTest_IoPipeReaderRead_B0I0O0(source)
+		sink(14, out)
+	}
+	{
+		source := newSource(15)
+		out := TaintStepTest_IoPipeWriterWrite_B0I0O0(source)
+		sink(15, out)
+	}
+	{
+		source := newSource(16)
+		out := TaintStepTest_IoSectionReaderRead_B0I0O0(source)
+		sink(16, out)
+	}
+	{
+		source := newSource(17)
+		out := TaintStepTest_IoSectionReaderReadAt_B0I0O0(source)
+		sink(17, out)
+	}
+	{
+		source := newSource(18)
+		out := TaintStepTest_IoReaderRead_B0I0O0(source)
+		sink(18, out)
+	}
+	{
+		source := newSource(19)
+		out := TaintStepTest_IoReaderAtReadAt_B0I0O0(source)
+		sink(19, out)
+	}
+	{
+		source := newSource(20)
+		out := TaintStepTest_IoReaderFromReadFrom_B0I0O0(source)
+		sink(20, out)
+	}
+	{
+		source := newSource(21)
+		out := TaintStepTest_IoWriterWrite_B0I0O0(source)
+		sink(21, out)
+	}
+	{
+		source := newSource(22)
+		out := TaintStepTest_IoWriterAtWriteAt_B0I0O0(source)
+		sink(22, out)
+	}
+	{
+		source := newSource(23)
+		out := TaintStepTest_IoStringWriterWriteString_B0I0O0(source)
+		sink(23, out)
+	}
+	{
+		source := newSource(24)
+		out := TaintStepTest_IoWriterToWriteTo_B0I0O0(source)
+		sink(24, out)
+	}
+}
--- a/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/IoIoutil.go
+++ b/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/IoIoutil.go
@@ -0,0 +1,33 @@
+// Code generated by https://github.com/gagliardetto/codebox. DO NOT EDIT.
+
+package main
+
+import (
+	"io"
+	"io/ioutil"
+)
+
+func TaintStepTest_IoIoutilNopCloser_B0I0O0(sourceCQL interface{}) interface{} {
+	fromReader656 := sourceCQL.(io.Reader)
+	intoReadCloser414 := ioutil.NopCloser(fromReader656)
+	return intoReadCloser414
+}
+
+func TaintStepTest_IoIoutilReadAll_B0I0O0(sourceCQL interface{}) interface{} {
+	fromReader518 := sourceCQL.(io.Reader)
+	intoByte650, _ := ioutil.ReadAll(fromReader518)
+	return intoByte650
+}
+
+func RunAllTaints_IoIoutil() {
+	{
+		source := newSource(0)
+		out := TaintStepTest_IoIoutilNopCloser_B0I0O0(source)
+		sink(0, out)
+	}
+	{
+		source := newSource(1)
+		out := TaintStepTest_IoIoutilReadAll_B0I0O0(source)
+		sink(1, out)
+	}
+}
--- a/ql/test/library-tests/semmle/go/frameworks/TaintSteps/TaintStep.expected
+++ b/ql/test/library-tests/semmle/go/frameworks/TaintSteps/TaintStep.expected
@@ -21,7 +21,7 @@
 | io.go:32:19:32:23 | &... | io.go:31:7:31:10 | definition of buf1 |
 | io.go:32:20:32:23 | buf1 | io.go:32:19:32:23 | &... |
 | io.go:34:16:34:21 | reader | io.go:32:3:32:4 | definition of w2 |
-| io.go:38:3:38:3 | definition of r | io.go:38:3:38:19 | ... := ...[1] |
+| io.go:38:6:38:6 | definition of w | io.go:38:3:38:19 | ... := ...[0] |
 | io.go:38:11:38:19 | call to Pipe | io.go:38:3:38:19 | ... := ...[0] |
 | io.go:38:11:38:19 | call to Pipe | io.go:38:3:38:19 | ... := ...[1] |
 | io.go:39:17:39:31 | "some string\\n" | io.go:38:6:38:6 | definition of w |
@@ -34,41 +34,31 @@
 | io.go:60:18:60:21 | &... | io.go:59:7:59:9 | definition of buf |
 | io.go:60:19:60:21 | buf | io.go:60:18:60:21 | &... |
 | io.go:61:21:61:26 | "test" | io.go:60:3:60:3 | definition of w |
-| io.go:65:31:65:43 | "some string" | io.go:65:13:65:44 | call to NewReader |
-| io.go:66:11:66:16 | reader | io.go:66:3:66:27 | ... := ...[0] |
-| io.go:66:11:66:27 | call to ReadByte | io.go:66:3:66:27 | ... := ...[0] |
-| io.go:66:11:66:27 | call to ReadByte | io.go:66:3:66:27 | ... := ...[1] |
-| io.go:68:21:68:21 | t | io.go:67:7:67:13 | definition of bwriter |
-| io.go:72:31:72:43 | "some string" | io.go:72:13:72:44 | call to NewReader |
-| io.go:74:3:74:8 | reader | io.go:73:3:73:5 | definition of buf |
-| io.go:77:31:77:43 | "some string" | io.go:77:13:77:44 | call to NewReader |
-| io.go:79:3:79:8 | reader | io.go:78:3:78:5 | definition of buf |
-| io.go:83:31:83:43 | "some string" | io.go:83:13:83:44 | call to NewReader |
-| io.go:84:24:84:29 | reader | io.go:84:9:84:33 | call to LimitReader |
-| io.go:85:22:85:23 | lr | io.go:85:11:85:19 | selection of Stdout |
-| io.go:89:27:89:36 | "reader1 " | io.go:89:9:89:37 | call to NewReader |
-| io.go:90:27:90:36 | "reader2 " | io.go:90:9:90:37 | call to NewReader |
-| io.go:91:27:91:35 | "reader3" | io.go:91:9:91:36 | call to NewReader |
-| io.go:92:23:92:24 | r1 | io.go:92:8:92:33 | call to MultiReader |
-| io.go:92:27:92:28 | r2 | io.go:92:8:92:33 | call to MultiReader |
-| io.go:92:31:92:32 | r3 | io.go:92:8:92:33 | call to MultiReader |
-| io.go:93:22:93:22 | r | io.go:93:11:93:19 | selection of Stdout |
-| io.go:96:26:96:38 | "some string" | io.go:96:8:96:39 | call to NewReader |
-| io.go:98:23:98:23 | r | io.go:98:10:98:30 | call to TeeReader |
-| io.go:98:23:98:23 | r | io.go:98:26:98:29 | &... |
-| io.go:98:26:98:29 | &... | io.go:97:7:97:9 | definition of buf |
-| io.go:98:27:98:29 | buf | io.go:98:26:98:29 | &... |
-| io.go:100:22:100:24 | tee | io.go:100:11:100:19 | selection of Stdout |
-| io.go:103:26:103:38 | "some string" | io.go:103:8:103:39 | call to NewReader |
-| io.go:104:28:104:28 | r | io.go:104:8:104:36 | call to NewSectionReader |
-| io.go:105:22:105:22 | s | io.go:105:11:105:19 | selection of Stdout |
-| io.go:108:26:108:38 | "some string" | io.go:108:8:108:39 | call to NewReader |
-| io.go:109:16:109:16 | r | io.go:109:3:109:27 | ... := ...[0] |
-| io.go:109:16:109:27 | call to ReadRune | io.go:109:3:109:27 | ... := ...[0] |
-| io.go:109:16:109:27 | call to ReadRune | io.go:109:3:109:27 | ... := ...[1] |
-| io.go:109:16:109:27 | call to ReadRune | io.go:109:3:109:27 | ... := ...[2] |
-| io.go:113:26:113:38 | "some string" | io.go:113:8:113:39 | call to NewReader |
-| io.go:114:3:114:3 | r | io.go:114:13:114:21 | selection of Stdout |
+| io.go:64:31:64:43 | "some string" | io.go:64:13:64:44 | call to NewReader |
+| io.go:66:3:66:8 | reader | io.go:65:3:65:5 | definition of buf |
+| io.go:69:31:69:43 | "some string" | io.go:69:13:69:44 | call to NewReader |
+| io.go:71:3:71:8 | reader | io.go:70:3:70:5 | definition of buf |
+| io.go:75:31:75:43 | "some string" | io.go:75:13:75:44 | call to NewReader |
+| io.go:76:24:76:29 | reader | io.go:76:9:76:33 | call to LimitReader |
+| io.go:77:22:77:23 | lr | io.go:77:11:77:19 | selection of Stdout |
+| io.go:81:27:81:36 | "reader1 " | io.go:81:9:81:37 | call to NewReader |
+| io.go:82:27:82:36 | "reader2 " | io.go:82:9:82:37 | call to NewReader |
+| io.go:83:27:83:35 | "reader3" | io.go:83:9:83:36 | call to NewReader |
+| io.go:84:23:84:24 | r1 | io.go:84:8:84:33 | call to MultiReader |
+| io.go:84:27:84:28 | r2 | io.go:84:8:84:33 | call to MultiReader |
+| io.go:84:31:84:32 | r3 | io.go:84:8:84:33 | call to MultiReader |
+| io.go:85:22:85:22 | r | io.go:85:11:85:19 | selection of Stdout |
+| io.go:88:26:88:38 | "some string" | io.go:88:8:88:39 | call to NewReader |
+| io.go:90:23:90:23 | r | io.go:90:10:90:30 | call to TeeReader |
+| io.go:90:23:90:23 | r | io.go:90:26:90:29 | &... |
+| io.go:90:26:90:29 | &... | io.go:89:7:89:9 | definition of buf |
+| io.go:90:27:90:29 | buf | io.go:90:26:90:29 | &... |
+| io.go:92:22:92:24 | tee | io.go:92:11:92:19 | selection of Stdout |
+| io.go:95:26:95:38 | "some string" | io.go:95:8:95:39 | call to NewReader |
+| io.go:96:28:96:28 | r | io.go:96:8:96:36 | call to NewSectionReader |
+| io.go:97:22:97:22 | s | io.go:97:11:97:19 | selection of Stdout |
+| io.go:100:26:100:38 | "some string" | io.go:100:8:100:39 | call to NewReader |
+| io.go:101:3:101:3 | r | io.go:101:13:101:21 | selection of Stdout |
 | main.go:11:12:11:26 | call to Marshal | main.go:11:2:11:26 | ... := ...[0] |
 | main.go:11:12:11:26 | call to Marshal | main.go:11:2:11:26 | ... := ...[1] |
 | main.go:11:25:11:25 | v | main.go:11:2:11:26 | ... := ...[0] |
--- a/ql/test/library-tests/semmle/go/frameworks/TaintSteps/io.go
+++ b/ql/test/library-tests/semmle/go/frameworks/TaintSteps/io.go
@@ -60,14 +60,6 @@ func io2() {
 		w := io.Writer(&buf)
 		io.WriteString(w, "test")
 	}
-
-	{
-		reader := strings.NewReader("some string")
-		t, _ := reader.ReadByte()
-		var bwriter io.ByteWriter
-		bwriter.WriteByte(t)
-	}
-
 	{
 		reader := strings.NewReader("some string")
 		buf := make([]byte, 512)
@@ -104,11 +96,6 @@ func io2() {
 		s := io.NewSectionReader(r, 5, 17)
 		io.Copy(os.Stdout, s)
 	}
-	{
-		r := strings.NewReader("some string")
-		run, _, _ := r.ReadRune()
-		fmt.Println(run)
-	}
 	{
 		r := strings.NewReader("some string")
 		r.WriteTo(os.Stdout)