Merge pull request #189 from sauyon/use-taint-split

Use split taint predicates to emulate taint
2026-05-02 04:05:14 +02:00 · 2019-11-22 17:51:09 +00:00
parent 50b48e1c9e 4ea45dbf34
commit 26a656b838
4 changed files with 10 additions and 27 deletions
--- a/ql/src/semmle/go/dataflow/TaintTracking.qll
+++ b/ql/src/semmle/go/dataflow/TaintTracking.qll
@@ -111,7 +111,9 @@ module TaintTracking {

  /** Holds if taint flows from `pred` to `succ` via string concatenation. */
  predicate stringConcatStep(DataFlow::Node pred, DataFlow::Node succ) {
-    succ.asExpr().(AddExpr).getAnOperand() = pred.asExpr()
+    exists(DataFlow::BinaryOperationNode conc | conc.getOperator() = "+" |
+      succ = conc and conc.getAnOperand() = pred
+    )
  }

  /** Holds if taint flows from `pred` to `succ` via a slice operation. */
@@ -132,7 +134,7 @@ module TaintTracking {
  /**
   * Holds if taint flows from `pred` to `succ` in one step.
   */
-  private predicate taintStep(DataFlow::Node pred, DataFlow::Node succ) {
+  predicate taintStep(DataFlow::Node pred, DataFlow::Node succ) {
    referenceStep(pred, succ) or
    fieldReadStep(pred, succ) or
    arrayStep(pred, succ) or
--- a/ql/src/semmle/go/security/CleartextLogging.qll
+++ b/ql/src/semmle/go/security/CleartextLogging.qll
@@ -34,19 +34,8 @@ module CleartextLogging {
      // A taint propagating data-flow edge through structs: a tainted write taints the entire struct.
      exists(Write write | write.writesField(trg.getASuccessor*(), _, src))
      or
-      trg.(DataFlow::BinaryOperationNode).getOperator() = "+" and
-      src = trg.(DataFlow::BinaryOperationNode).getAnOperand()
-      or
-      // Allow flow through functions that are considered for taint flow.
-      exists(
-        TaintTracking::FunctionModel m, DataFlow::CallNode c, DataFlow::FunctionInput inp,
-        DataFlow::FunctionOutput outp
-      |
-        c = m.getACall() and
-        m.hasTaintFlow(inp, outp) and
-        src = inp.getNode(c) and
-        trg = outp.getNode(c)
-      )
+      // taint steps that do not include flow through fields
+      TaintTracking::taintStep(src, trg) and not TaintTracking::fieldReadStep(src, trg)
    }
  }
 }
--- a/ql/src/semmle/go/security/OpenUrlRedirect.qll
+++ b/ql/src/semmle/go/security/OpenUrlRedirect.qll
@@ -35,18 +35,8 @@ module OpenUrlRedirect {
        var.getType().hasQualifiedName("net/url", "URL")
      )
      or
-      StringConcatenation::taintStep(pred, succ)
-      or
-      // Allow flow through functions that are considered for taint flow.
-      exists(
-        TaintTracking::FunctionModel m, DataFlow::CallNode c, DataFlow::FunctionInput inp,
-        DataFlow::FunctionOutput outp
-      |
-        c = m.getACall() and
-        m.hasTaintFlow(inp, outp) and
-        pred = inp.getNode(c) and
-        succ = outp.getNode(c)
-      )
+      // taint steps that do not include flow through fields
+      TaintTracking::taintStep(pred, succ) and not TaintTracking::fieldReadStep(pred, succ)
    }

    override predicate isBarrierOut(DataFlow::Node node) { hostnameSanitizingPrefixEdge(node, _) }
--- a/ql/test/library-tests/semmle/go/dataflow/FlowSteps/LocalTaintStep.expected
+++ b/ql/test/library-tests/semmle/go/dataflow/FlowSteps/LocalTaintStep.expected
@@ -1,5 +1,7 @@
 | main.go:10:22:10:22 | x | main.go:10:22:10:27 | ...+... |
 | main.go:10:24:10:27 | call to fn | main.go:10:22:10:27 | ...+... |
+| main.go:17:3:17:5 | acc | main.go:17:3:17:7 | rhs of increment statement |
+| main.go:17:3:17:7 | 1 | main.go:17:3:17:7 | rhs of increment statement |
 | main.go:26:11:26:17 | type assertion | main.go:26:2:26:17 | ... := ...[0] |
 | main.go:26:11:26:17 | type assertion | main.go:26:2:26:17 | ... := ...[1] |
 | strings.go:9:24:9:24 | s | strings.go:9:8:9:38 | call to Replace |