Add tests for data flow through ranged for loops

Including the case where the type of the domain is a named type rather than an array type or map type or whatever.
2025-12-17 01:03:14 +01:00 · 2024-05-16 00:32:30 +01:00
parent 145873f562
commit 1af3374322
7 changed files with 168 additions and 96 deletions
--- a/go/ql/test/library-tests/semmle/go/dataflow/ExternalTaintFlow/sinks.expected
+++ b/go/ql/test/library-tests/semmle/go/dataflow/ExternalTaintFlow/sinks.expected
@@ -10,27 +10,35 @@ invalidModelRow
 | test.go:79:10:79:15 | taint6 | qltest |
 | test.go:82:10:82:15 | taint7 | qltest |
 | test.go:85:10:85:18 | index expression | qltest |
-| test.go:89:10:89:15 | taint9 | qltest |
-| test.go:92:10:92:33 | call to GetElement | qltest |
-| test.go:93:10:93:18 | <-... | qltest |
-| test.go:97:10:97:16 | taint11 | qltest |
-| test.go:100:10:100:32 | call to GetMapKey | qltest |
-| test.go:102:11:102:11 | k | qltest |
-| test.go:105:11:105:11 | k | qltest |
-| test.go:110:10:110:16 | taint13 | qltest |
-| test.go:113:10:113:20 | index expression | qltest |
-| test.go:117:10:117:16 | taint15 | qltest |
-| test.go:121:10:121:17 | index expression | qltest |
-| test.go:127:10:127:18 | index expression | qltest |
-| test.go:132:10:132:16 | taint16 | qltest |
-| test.go:136:10:136:13 | selection of F | qltest |
-| test.go:139:10:139:17 | call to Get | qltest |
-| test.go:143:10:143:17 | call to Get | qltest |
-| test.go:148:10:148:17 | call to Get | qltest |
-| test.go:152:10:152:14 | selection of F | qltest |
-| test.go:155:10:155:32 | call to GetThroughPointer | qltest |
-| test.go:159:10:159:32 | call to GetThroughPointer | qltest |
-| test.go:164:10:164:32 | call to GetThroughPointer | qltest |
-| test.go:170:17:170:20 | arg1 | qltest |
-| test.go:170:23:170:26 | arg2 | qltest |
-| test.go:170:29:170:32 | arg3 | qltest |
+| test.go:87:11:87:11 | x | qltest |
+| test.go:90:11:90:11 | x | qltest |
+| test.go:95:10:95:15 | taint9 | qltest |
+| test.go:98:10:98:33 | call to GetElement | qltest |
+| test.go:99:10:99:18 | <-... | qltest |
+| test.go:101:11:101:11 | e | qltest |
+| test.go:104:11:104:11 | e | qltest |
+| test.go:109:10:109:16 | taint11 | qltest |
+| test.go:112:10:112:32 | call to GetMapKey | qltest |
+| test.go:114:11:114:11 | k | qltest |
+| test.go:117:11:117:11 | k | qltest |
+| test.go:120:11:120:11 | k | qltest |
+| test.go:123:11:123:11 | k | qltest |
+| test.go:128:10:128:16 | taint13 | qltest |
+| test.go:131:10:131:20 | index expression | qltest |
+| test.go:133:11:133:11 | v | qltest |
+| test.go:136:11:136:11 | v | qltest |
+| test.go:141:10:141:16 | taint15 | qltest |
+| test.go:145:10:145:17 | index expression | qltest |
+| test.go:151:10:151:18 | index expression | qltest |
+| test.go:156:10:156:16 | taint16 | qltest |
+| test.go:160:10:160:13 | selection of F | qltest |
+| test.go:163:10:163:17 | call to Get | qltest |
+| test.go:167:10:167:17 | call to Get | qltest |
+| test.go:172:10:172:17 | call to Get | qltest |
+| test.go:176:10:176:14 | selection of F | qltest |
+| test.go:179:10:179:32 | call to GetThroughPointer | qltest |
+| test.go:183:10:183:32 | call to GetThroughPointer | qltest |
+| test.go:188:10:188:32 | call to GetThroughPointer | qltest |
+| test.go:194:17:194:20 | arg1 | qltest |
+| test.go:194:23:194:26 | arg2 | qltest |
+| test.go:194:29:194:32 | arg3 | qltest |
--- a/go/ql/test/library-tests/semmle/go/dataflow/ExternalTaintFlow/srcs.expected
+++ b/go/ql/test/library-tests/semmle/go/dataflow/ExternalTaintFlow/srcs.expected
@@ -9,15 +9,15 @@ invalidModelRow
 | test.go:41:2:41:21 | ... = ...[1] | qltest-w-subtypes |
 | test.go:42:2:42:22 | ... = ...[1] | qltest-w-subtypes |
 | test.go:58:9:58:16 | call to Src1 | qltest |
-| test.go:91:46:91:53 | call to Src1 | qltest |
-| test.go:95:35:95:42 | call to Src1 | qltest |
-| test.go:99:42:99:49 | call to Src1 | qltest |
-| test.go:130:8:130:15 | call to Src1 | qltest |
-| test.go:135:9:135:16 | call to Src1 | qltest |
-| test.go:138:15:138:22 | call to Src1 | qltest |
-| test.go:142:9:142:16 | call to Src1 | qltest |
-| test.go:146:9:146:16 | call to Src1 | qltest |
-| test.go:151:24:151:31 | call to Src1 | qltest |
-| test.go:154:17:154:24 | call to Src1 | qltest |
-| test.go:158:24:158:31 | call to Src1 | qltest |
-| test.go:162:24:162:31 | call to Src1 | qltest |
+| test.go:97:46:97:53 | call to Src1 | qltest |
+| test.go:107:35:107:42 | call to Src1 | qltest |
+| test.go:111:42:111:49 | call to Src1 | qltest |
+| test.go:154:8:154:15 | call to Src1 | qltest |
+| test.go:159:9:159:16 | call to Src1 | qltest |
+| test.go:162:15:162:22 | call to Src1 | qltest |
+| test.go:166:9:166:16 | call to Src1 | qltest |
+| test.go:170:9:170:16 | call to Src1 | qltest |
+| test.go:175:24:175:31 | call to Src1 | qltest |
+| test.go:178:17:178:24 | call to Src1 | qltest |
+| test.go:182:24:182:31 | call to Src1 | qltest |
+| test.go:186:24:186:31 | call to Src1 | qltest |
--- a/go/ql/test/library-tests/semmle/go/dataflow/ExternalTaintFlow/test.go
+++ b/go/ql/test/library-tests/semmle/go/dataflow/ExternalTaintFlow/test.go
@@ -83,6 +83,12 @@ func simpleflow() {

 	taint8 := test.StepArgResArrayContent(src)
 	b.Sink1(taint8[0]) // $ hasTaintFlow="index expression"
+	for _, x := range taint8 {
+		b.Sink1(x) // $ hasTaintFlow="x"
+	}
+	for _, x := range arraytype(taint8) {
+		b.Sink1(x) // $ hasTaintFlow="x"
+	}

 	srcArray := []interface{}{nil, src}
 	taint9 := test.StepArgArrayContentRes(srcArray)
@@ -91,6 +97,12 @@ func simpleflow() {
 	taint10 := test.StepArgResCollectionContent(a.Src1()).(chan interface{})
 	b.Sink1(test.GetElement(taint10)) // $ hasTaintFlow="call to GetElement"
 	b.Sink1(<-taint10)                // $ hasTaintFlow="<-..."
+	for e := range taint10 {
+		b.Sink1(e) // $ MISSING: hasTaintFlow="e"
+	}
+	for e := range channeltype(taint10) {
+		b.Sink1(e) // $ MISSING: hasTaintFlow="e"
+	}

 	srcCollection := test.SetElement(a.Src1())
 	taint11 := test.StepArgCollectionContentRes(srcCollection)
@@ -104,6 +116,12 @@ func simpleflow() {
 	for k := range taint12 {
 		b.Sink1(k) // $ hasTaintFlow="k"
 	}
+	for k, _ := range mapstringstringtype(taint12) {
+		b.Sink1(k) // $ MISSING: hasTaintFlow="k"
+	}
+	for k := range mapstringstringtype(taint12) {
+		b.Sink1(k) // $ MISSING: hasTaintFlow="k"
+	}

 	srcMap13 := map[string]string{src.(string): ""}
 	taint13 := test.StepArgMapKeyContentRes(srcMap13)
@@ -111,6 +129,12 @@ func simpleflow() {

 	taint14 := test.StepArgResMapValueContent(src).(map[string]string)
 	b.Sink1(taint14[""]) // $ hasTaintFlow="index expression"
+	for _, v := range taint14 {
+		b.Sink1(v) // $ hasTaintFlow="v"
+	}
+	for _, v := range mapstringstringtype(taint14) {
+		b.Sink1(v) // $ MISSING: hasTaintFlow="v"
+	}

 	srcMap15 := map[string]string{"": src.(string)}
 	taint15 := test.StepArgMapValueContentRes(srcMap15)
@@ -169,3 +193,7 @@ func simpleflow() {
 	arg4 := src
 	b.SinkManyArgs(arg1, arg2, arg3, arg4) // $ hasTaintFlow="arg1" hasTaintFlow="arg2" hasTaintFlow="arg3"
 }
+
+type mapstringstringtype map[string]string
+type arraytype []interface{}
+type channeltype chan interface{}
--- a/go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/sinks.expected
+++ b/go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/sinks.expected
@@ -10,33 +10,41 @@ invalidModelRow
 | test.go:79:10:79:15 | taint6 | qltest |
 | test.go:82:10:82:15 | taint7 | qltest |
 | test.go:85:10:85:18 | index expression | qltest |
-| test.go:89:10:89:15 | taint9 | qltest |
-| test.go:92:10:92:33 | call to GetElement | qltest |
-| test.go:93:10:93:18 | <-... | qltest |
-| test.go:97:10:97:16 | taint11 | qltest |
-| test.go:100:10:100:32 | call to GetMapKey | qltest |
-| test.go:102:11:102:11 | k | qltest |
-| test.go:105:11:105:11 | k | qltest |
-| test.go:110:10:110:16 | taint13 | qltest |
-| test.go:113:10:113:20 | index expression | qltest |
-| test.go:117:10:117:16 | taint15 | qltest |
-| test.go:121:10:121:17 | index expression | qltest |
-| test.go:127:10:127:18 | index expression | qltest |
-| test.go:132:10:132:16 | taint16 | qltest |
-| test.go:136:10:136:13 | selection of F | qltest |
-| test.go:139:10:139:17 | call to Get | qltest |
-| test.go:143:10:143:17 | call to Get | qltest |
-| test.go:148:10:148:17 | call to Get | qltest |
-| test.go:152:10:152:14 | selection of F | qltest |
-| test.go:155:10:155:32 | call to GetThroughPointer | qltest |
-| test.go:159:10:159:32 | call to GetThroughPointer | qltest |
-| test.go:164:10:164:32 | call to GetThroughPointer | qltest |
-| test.go:170:17:170:20 | arg1 | qltest |
-| test.go:170:23:170:26 | arg2 | qltest |
-| test.go:170:29:170:32 | arg3 | qltest |
-| test.go:173:10:173:26 | call to max | qltest |
-| test.go:174:10:174:26 | call to max | qltest |
-| test.go:175:10:175:26 | call to max | qltest |
-| test.go:176:10:176:26 | call to min | qltest |
-| test.go:177:10:177:26 | call to min | qltest |
-| test.go:178:10:178:26 | call to min | qltest |
+| test.go:87:11:87:11 | x | qltest |
+| test.go:90:11:90:11 | x | qltest |
+| test.go:95:10:95:15 | taint9 | qltest |
+| test.go:98:10:98:33 | call to GetElement | qltest |
+| test.go:99:10:99:18 | <-... | qltest |
+| test.go:101:11:101:11 | e | qltest |
+| test.go:104:11:104:11 | e | qltest |
+| test.go:109:10:109:16 | taint11 | qltest |
+| test.go:112:10:112:32 | call to GetMapKey | qltest |
+| test.go:114:11:114:11 | k | qltest |
+| test.go:117:11:117:11 | k | qltest |
+| test.go:120:11:120:11 | k | qltest |
+| test.go:123:11:123:11 | k | qltest |
+| test.go:128:10:128:16 | taint13 | qltest |
+| test.go:131:10:131:20 | index expression | qltest |
+| test.go:133:11:133:11 | v | qltest |
+| test.go:136:11:136:11 | v | qltest |
+| test.go:141:10:141:16 | taint15 | qltest |
+| test.go:145:10:145:17 | index expression | qltest |
+| test.go:151:10:151:18 | index expression | qltest |
+| test.go:156:10:156:16 | taint16 | qltest |
+| test.go:160:10:160:13 | selection of F | qltest |
+| test.go:163:10:163:17 | call to Get | qltest |
+| test.go:167:10:167:17 | call to Get | qltest |
+| test.go:172:10:172:17 | call to Get | qltest |
+| test.go:176:10:176:14 | selection of F | qltest |
+| test.go:179:10:179:32 | call to GetThroughPointer | qltest |
+| test.go:183:10:183:32 | call to GetThroughPointer | qltest |
+| test.go:188:10:188:32 | call to GetThroughPointer | qltest |
+| test.go:194:17:194:20 | arg1 | qltest |
+| test.go:194:23:194:26 | arg2 | qltest |
+| test.go:194:29:194:32 | arg3 | qltest |
+| test.go:197:10:197:26 | call to max | qltest |
+| test.go:198:10:198:26 | call to max | qltest |
+| test.go:199:10:199:26 | call to max | qltest |
+| test.go:200:10:200:26 | call to min | qltest |
+| test.go:201:10:201:26 | call to min | qltest |
+| test.go:202:10:202:26 | call to min | qltest |
--- a/go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/srcs.expected
+++ b/go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/srcs.expected
@@ -9,15 +9,15 @@ invalidModelRow
 | test.go:41:2:41:21 | ... = ...[1] | qltest-w-subtypes |
 | test.go:42:2:42:22 | ... = ...[1] | qltest-w-subtypes |
 | test.go:58:9:58:16 | call to Src1 | qltest |
-| test.go:91:46:91:53 | call to Src1 | qltest |
-| test.go:95:35:95:42 | call to Src1 | qltest |
-| test.go:99:42:99:49 | call to Src1 | qltest |
-| test.go:130:8:130:15 | call to Src1 | qltest |
-| test.go:135:9:135:16 | call to Src1 | qltest |
-| test.go:138:15:138:22 | call to Src1 | qltest |
-| test.go:142:9:142:16 | call to Src1 | qltest |
-| test.go:146:9:146:16 | call to Src1 | qltest |
-| test.go:151:24:151:31 | call to Src1 | qltest |
-| test.go:154:17:154:24 | call to Src1 | qltest |
-| test.go:158:24:158:31 | call to Src1 | qltest |
-| test.go:162:24:162:31 | call to Src1 | qltest |
+| test.go:97:46:97:53 | call to Src1 | qltest |
+| test.go:107:35:107:42 | call to Src1 | qltest |
+| test.go:111:42:111:49 | call to Src1 | qltest |
+| test.go:154:8:154:15 | call to Src1 | qltest |
+| test.go:159:9:159:16 | call to Src1 | qltest |
+| test.go:162:15:162:22 | call to Src1 | qltest |
+| test.go:166:9:166:16 | call to Src1 | qltest |
+| test.go:170:9:170:16 | call to Src1 | qltest |
+| test.go:175:24:175:31 | call to Src1 | qltest |
+| test.go:178:17:178:24 | call to Src1 | qltest |
+| test.go:182:24:182:31 | call to Src1 | qltest |
+| test.go:186:24:186:31 | call to Src1 | qltest |
--- a/go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/steps.expected
+++ b/go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/steps.expected
@@ -14,21 +14,21 @@ invalidModelRow
 | test.go:74:13:74:25 | type assertion | test.go:74:12:74:40 | call to StepQualRes |
 | test.go:78:3:78:15 | type assertion | test.go:77:6:77:11 | definition of taint6 |
 | test.go:81:34:81:36 | src | test.go:81:12:81:37 | call to StepArgResNoQual |
-| test.go:173:14:173:19 | srcInt | test.go:173:10:173:26 | call to max |
-| test.go:173:22:173:22 | 0 | test.go:173:10:173:26 | call to max |
-| test.go:173:25:173:25 | 1 | test.go:173:10:173:26 | call to max |
-| test.go:174:14:174:14 | 0 | test.go:174:10:174:26 | call to max |
-| test.go:174:17:174:22 | srcInt | test.go:174:10:174:26 | call to max |
-| test.go:174:25:174:25 | 1 | test.go:174:10:174:26 | call to max |
-| test.go:175:14:175:14 | 0 | test.go:175:10:175:26 | call to max |
-| test.go:175:17:175:17 | 1 | test.go:175:10:175:26 | call to max |
-| test.go:175:20:175:25 | srcInt | test.go:175:10:175:26 | call to max |
-| test.go:176:14:176:19 | srcInt | test.go:176:10:176:26 | call to min |
-| test.go:176:22:176:22 | 0 | test.go:176:10:176:26 | call to min |
-| test.go:176:25:176:25 | 1 | test.go:176:10:176:26 | call to min |
-| test.go:177:14:177:14 | 0 | test.go:177:10:177:26 | call to min |
-| test.go:177:17:177:22 | srcInt | test.go:177:10:177:26 | call to min |
-| test.go:177:25:177:25 | 1 | test.go:177:10:177:26 | call to min |
-| test.go:178:14:178:14 | 0 | test.go:178:10:178:26 | call to min |
-| test.go:178:17:178:17 | 1 | test.go:178:10:178:26 | call to min |
-| test.go:178:20:178:25 | srcInt | test.go:178:10:178:26 | call to min |
+| test.go:197:14:197:19 | srcInt | test.go:197:10:197:26 | call to max |
+| test.go:197:22:197:22 | 0 | test.go:197:10:197:26 | call to max |
+| test.go:197:25:197:25 | 1 | test.go:197:10:197:26 | call to max |
+| test.go:198:14:198:14 | 0 | test.go:198:10:198:26 | call to max |
+| test.go:198:17:198:22 | srcInt | test.go:198:10:198:26 | call to max |
+| test.go:198:25:198:25 | 1 | test.go:198:10:198:26 | call to max |
+| test.go:199:14:199:14 | 0 | test.go:199:10:199:26 | call to max |
+| test.go:199:17:199:17 | 1 | test.go:199:10:199:26 | call to max |
+| test.go:199:20:199:25 | srcInt | test.go:199:10:199:26 | call to max |
+| test.go:200:14:200:19 | srcInt | test.go:200:10:200:26 | call to min |
+| test.go:200:22:200:22 | 0 | test.go:200:10:200:26 | call to min |
+| test.go:200:25:200:25 | 1 | test.go:200:10:200:26 | call to min |
+| test.go:201:14:201:14 | 0 | test.go:201:10:201:26 | call to min |
+| test.go:201:17:201:22 | srcInt | test.go:201:10:201:26 | call to min |
+| test.go:201:25:201:25 | 1 | test.go:201:10:201:26 | call to min |
+| test.go:202:14:202:14 | 0 | test.go:202:10:202:26 | call to min |
+| test.go:202:17:202:17 | 1 | test.go:202:10:202:26 | call to min |
+| test.go:202:20:202:25 | srcInt | test.go:202:10:202:26 | call to min |
--- a/go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/test.go
+++ b/go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/test.go
@@ -83,6 +83,12 @@ func simpleflow() {

 	taint8 := test.StepArgResArrayContent(src)
 	b.Sink1(taint8[0]) // $ hasValueFlow="index expression"
+	for _, x := range taint8 {
+		b.Sink1(x) // $ hasValueFlow="x"
+	}
+	for _, x := range arraytype(taint8) {
+		b.Sink1(x) // $ MISSING: hasValueFlow="x"
+	}

 	srcArray := []interface{}{nil, src}
 	taint9 := test.StepArgArrayContentRes(srcArray)
@@ -91,6 +97,12 @@ func simpleflow() {
 	taint10 := test.StepArgResCollectionContent(a.Src1()).(chan interface{})
 	b.Sink1(test.GetElement(taint10)) // $ hasValueFlow="call to GetElement"
 	b.Sink1(<-taint10)                // $ hasValueFlow="<-..."
+	for e := range taint10 {
+		b.Sink1(e) // $ MISSING: hasValueFlow="e"
+	}
+	for e := range channeltype(taint10) {
+		b.Sink1(e) // $ MISSING: hasValueFlow="e"
+	}

 	srcCollection := test.SetElement(a.Src1())
 	taint11 := test.StepArgCollectionContentRes(srcCollection)
@@ -104,6 +116,12 @@ func simpleflow() {
 	for k := range taint12 {
 		b.Sink1(k) // $ hasValueFlow="k"
 	}
+	for k, _ := range mapstringstringtype(taint12) {
+		b.Sink1(k) // $ MISSING: hasValueFlow="k"
+	}
+	for k := range mapstringstringtype(taint12) {
+		b.Sink1(k) // $ MISSING: hasValueFlow="k"
+	}

 	srcMap13 := map[string]string{src.(string): ""}
 	taint13 := test.StepArgMapKeyContentRes(srcMap13)
@@ -111,6 +129,12 @@ func simpleflow() {

 	taint14 := test.StepArgResMapValueContent(src).(map[string]string)
 	b.Sink1(taint14[""]) // $ hasValueFlow="index expression"
+	for _, v := range taint14 {
+		b.Sink1(v) // $ hasValueFlow="v"
+	}
+	for _, v := range mapstringstringtype(taint14) {
+		b.Sink1(v) // $ MISSING: hasValueFlow="v"
+	}

 	srcMap15 := map[string]string{"": src.(string)}
 	taint15 := test.StepArgMapValueContentRes(srcMap15)
@@ -177,3 +201,7 @@ func simpleflow() {
 	b.Sink1(min(0, srcInt, 1)) // $ hasValueFlow="call to min"
 	b.Sink1(min(0, 1, srcInt)) // $ hasValueFlow="call to min"
 }
+
+type mapstringstringtype map[string]string
+type arraytype []interface{}
+type channeltype chan interface{}