Include changes from review

go/ql/src/experimental/CWE-134/DsnInjectionCustomizations.qll

@@ -27,7 +27,7 @@ private class DecodeFunctionModel extends TaintTracking::FunctionModel {
   DecodeFunctionModel() {
     // This matches any function with a name like `Decode`,`Unmarshal` or `Parse`.
     // This is done to allow taints stored in encoded forms, such as in toml or json to flow freely.
-    this.getName().matches("(?i).*(parse|decode|unmarshal).*")
+    this.getName().regexpMatch("(?i).*(parse|decode|unmarshal).*")
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
@@ -38,9 +38,6 @@ private class DecodeFunctionModel extends TaintTracking::FunctionModel {
 
 /** A model of `flag.Parse`, propagating tainted input passed via CLI flags to `Parse`'s result. */
 private class FlagSetFunctionModel extends TaintTracking::FunctionModel {
-  FunctionInput inp;
-  FunctionOutput outp;
-
   FlagSetFunctionModel() { this.hasQualifiedName("flag", "Parse") }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {

go/ql/test/experimental/CWE-134/Dsn.go

@@ -51,6 +51,24 @@ func bad2(w http.ResponseWriter, req *http.Request) interface{} {
 	return db
 }
 
+type Config struct {
+	dsn string
+}
+
+func NewConfig() *Config            { return &Config{dsn: ""} }
+func (Config) Parse([]string) error { return nil }
+
+func RegexFuncModelTest(w http.ResponseWriter, req *http.Request) (interface{}, error) {
+	cfg := NewConfig()
+	err := cfg.Parse(os.Args[1:]) // This is bad. `name` can be something like `test?allowAllFiles=true&` which will allow an attacker to access local files.
+	if err != nil {
+		return nil, err
+	}
+	dbDSN := fmt.Sprintf("%s:%s@tcp(%s:%d)/%s?charset=utf8", "username", "password", "127.0.0.1", 3306, cfg.dsn)
+	db, _ := sql.Open("mysql", dbDSN)
+	return db, nil
+}
+
 func main() {
 	bad2(nil, nil)
 	good()

go/ql/test/experimental/CWE-134/DsnInjectionLocal.expected

@@ -1,8 +1,27 @@
 edges
 | Dsn.go:26:11:26:17 | selection of Args | Dsn.go:29:29:29:33 | dbDSN |
+| Dsn.go:62:2:62:4 | definition of cfg [pointer] | Dsn.go:63:9:63:11 | cfg [pointer] |
+| Dsn.go:62:2:62:4 | definition of cfg [pointer] | Dsn.go:67:102:67:104 | cfg [pointer] |
+| Dsn.go:63:9:63:11 | cfg [pointer] | Dsn.go:63:9:63:11 | implicit dereference |
+| Dsn.go:63:9:63:11 | implicit dereference | Dsn.go:62:2:62:4 | definition of cfg [pointer] |
+| Dsn.go:63:9:63:11 | implicit dereference | Dsn.go:63:9:63:11 | implicit dereference |
+| Dsn.go:63:9:63:11 | implicit dereference | Dsn.go:68:29:68:33 | dbDSN |
+| Dsn.go:63:19:63:25 | selection of Args | Dsn.go:63:9:63:11 | implicit dereference |
+| Dsn.go:63:19:63:25 | selection of Args | Dsn.go:68:29:68:33 | dbDSN |
+| Dsn.go:67:102:67:104 | cfg [pointer] | Dsn.go:67:102:67:104 | implicit dereference |
+| Dsn.go:67:102:67:104 | implicit dereference | Dsn.go:63:9:63:11 | implicit dereference |
+| Dsn.go:67:102:67:104 | implicit dereference | Dsn.go:68:29:68:33 | dbDSN |
 nodes
 | Dsn.go:26:11:26:17 | selection of Args | semmle.label | selection of Args |
 | Dsn.go:29:29:29:33 | dbDSN | semmle.label | dbDSN |
+| Dsn.go:62:2:62:4 | definition of cfg [pointer] | semmle.label | definition of cfg [pointer] |
+| Dsn.go:63:9:63:11 | cfg [pointer] | semmle.label | cfg [pointer] |
+| Dsn.go:63:9:63:11 | implicit dereference | semmle.label | implicit dereference |
+| Dsn.go:63:19:63:25 | selection of Args | semmle.label | selection of Args |
+| Dsn.go:67:102:67:104 | cfg [pointer] | semmle.label | cfg [pointer] |
+| Dsn.go:67:102:67:104 | implicit dereference | semmle.label | implicit dereference |
+| Dsn.go:68:29:68:33 | dbDSN | semmle.label | dbDSN |
 subpaths
 #select
 | Dsn.go:29:29:29:33 | dbDSN | Dsn.go:26:11:26:17 | selection of Args | Dsn.go:29:29:29:33 | dbDSN | This query depends on a $@. | Dsn.go:26:11:26:17 | selection of Args | user-provided value |
+| Dsn.go:68:29:68:33 | dbDSN | Dsn.go:63:19:63:25 | selection of Args | Dsn.go:68:29:68:33 | dbDSN | This query depends on a $@. | Dsn.go:63:19:63:25 | selection of Args | user-provided value |