Merge pull request #330 from smowton/smowton/admin/standard-lib-pt-21-with-sanitiser

Move `strconv` and `strings` packages' taint-tracking to stdlib, and expand them + sanitise substrings of the HTTP Authorization header
2026-01-30 06:42:57 +01:00 · 2020-09-14 11:25:57 +01:00
parent b8d36b936e b9b306aade
commit 362d210bc5
9 changed files with 942 additions and 100 deletions
--- a/ql/src/Security/CWE-681/IncorrectIntegerConversion.ql
+++ b/ql/src/Security/CWE-681/IncorrectIntegerConversion.ql
@@ -101,7 +101,7 @@ class ConversionWithoutBoundsCheckConfig extends TaintTracking::Configuration {
        // If we are reading a variable, check if it is
        // `strconv.IntSize`, and use 0 if it is.
        exists(DataFlow::Node rawBitSize | rawBitSize = ip.getTargetBitSizeInput().getNode(c) |
-          if rawBitSize = any(StrConv::IntSize intSize).getARead()
+          if rawBitSize = any(Strconv::IntSize intSize).getARead()
          then apparentBitSize = 0
          else apparentBitSize = rawBitSize.getIntValue()
        )
--- a/ql/src/semmle/go/frameworks/Stdlib.qll
+++ b/ql/src/semmle/go/frameworks/Stdlib.qll
@@ -18,6 +18,8 @@ import semmle.go.frameworks.stdlib.MimeQuotedprintable
 import semmle.go.frameworks.stdlib.Path
 import semmle.go.frameworks.stdlib.PathFilepath
 import semmle.go.frameworks.stdlib.Reflect
+import semmle.go.frameworks.stdlib.Strconv
+import semmle.go.frameworks.stdlib.Strings
 import semmle.go.frameworks.stdlib.TextScanner
 import semmle.go.frameworks.stdlib.TextTabwriter
 import semmle.go.frameworks.stdlib.TextTemplate
@@ -483,105 +485,6 @@ module IntegerParser {
  }
 }

-/**
- * Provides classes for some functions in the `strconv` package for
- * converting strings to numbers.
- */
-module StrConv {
-  /** The `Atoi` function. */
-  class Atoi extends IntegerParser::Range {
-    Atoi() { this.hasQualifiedName("strconv", "Atoi") }
-
-    override int getTargetBitSize() { result = 0 }
-  }
-
-  /** The `ParseInt` function. */
-  class ParseInt extends IntegerParser::Range {
-    ParseInt() { this.hasQualifiedName("strconv", "ParseInt") }
-
-    override FunctionInput getTargetBitSizeInput() { result.isParameter(2) }
-  }
-
-  /** The `ParseUint` function. */
-  class ParseUint extends IntegerParser::Range {
-    ParseUint() { this.hasQualifiedName("strconv", "ParseUint") }
-
-    override FunctionInput getTargetBitSizeInput() { result.isParameter(2) }
-  }
-
-  /**
-   * The `IntSize` constant, that gives the size in bits of an `int` or
-   * `uint` value on the current architecture (32 or 64).
-   */
-  class IntSize extends DeclaredConstant {
-    IntSize() { this.hasQualifiedName("strconv", "IntSize") }
-  }
-}
-
-/** Provides models of commonly used functions in the `strings` package. */
-module Strings {
-  /** The `Join` function. */
-  class Join extends TaintTracking::FunctionModel {
-    Join() { hasQualifiedName("strings", "Join") }
-
-    override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) {
-      inp.isParameter([0 .. 1]) and outp.isResult()
-    }
-  }
-
-  /** The `Repeat` function. */
-  class Repeat extends TaintTracking::FunctionModel {
-    Repeat() { hasQualifiedName("strings", "Repeat") }
-
-    override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) {
-      inp.isParameter(0) and outp.isResult()
-    }
-  }
-
-  /** The `Replace` or `ReplaceAll` function. */
-  class Replacer extends TaintTracking::FunctionModel {
-    Replacer() {
-      hasQualifiedName("strings", "Replace") or hasQualifiedName("strings", "ReplaceAll")
-    }
-
-    override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) {
-      (inp.isParameter(0) or inp.isParameter(2)) and
-      outp.isResult()
-    }
-  }
-
-  /** The `Split` function or one of its variants. */
-  class Splitter extends TaintTracking::FunctionModel {
-    Splitter() {
-      exists(string split | split.matches("Split%") | hasQualifiedName("strings", split))
-    }
-
-    override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) {
-      inp.isParameter(0) and outp.isResult()
-    }
-  }
-
-  /** One of the case-converting functions in the `strings` package. */
-  class CaseConverter extends TaintTracking::FunctionModel {
-    CaseConverter() {
-      exists(string conv | conv.matches("To%") | hasQualifiedName("strings", conv))
-    }
-
-    override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) {
-      inp.isParameter(getNumParameter() - 1) and outp.isResult()
-    }
-  }
-
-  /** The `Trim` function or one of its variants. */
-  class Trimmer extends TaintTracking::FunctionModel {
-    Trimmer() { exists(string split | split.matches("Trim%") | hasQualifiedName("strings", split)) }
-
-    override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) {
-      inp.isParameter(0) and outp.isResult()
-    }
-  }
-}
-
 /** Provides models of commonly used functions in the `net/url` package. */
 module URL {
  /** The `PathEscape` or `QueryEscape` function. */
--- a/ql/src/semmle/go/frameworks/stdlib/Strconv.qll
+++ b/ql/src/semmle/go/frameworks/stdlib/Strconv.qll
@@ -0,0 +1,80 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `strconv` package.
+ */
+
+import go
+
+/** Provides models of commonly used functions in the `strconv` package. */
+module Strconv {
+  /** The `Atoi` function. */
+  class Atoi extends IntegerParser::Range {
+    Atoi() { this.hasQualifiedName("strconv", "Atoi") }
+
+    override int getTargetBitSize() { result = 0 }
+  }
+
+  /** The `ParseInt` function. */
+  class ParseInt extends IntegerParser::Range {
+    ParseInt() { this.hasQualifiedName("strconv", "ParseInt") }
+
+    override FunctionInput getTargetBitSizeInput() { result.isParameter(2) }
+  }
+
+  /** The `ParseUint` function. */
+  class ParseUint extends IntegerParser::Range {
+    ParseUint() { this.hasQualifiedName("strconv", "ParseUint") }
+
+    override FunctionInput getTargetBitSizeInput() { result.isParameter(2) }
+  }
+
+  /**
+   * The `IntSize` constant, that gives the size in bits of an `int` or
+   * `uint` value on the current architecture (32 or 64).
+   */
+  class IntSize extends DeclaredConstant {
+    IntSize() { this.hasQualifiedName("strconv", "IntSize") }
+  }
+
+  private class FunctionModels extends TaintTracking::FunctionModel {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    FunctionModels() {
+      // signature: func AppendQuote(dst []byte, s string) []byte
+      hasQualifiedName("strconv", "AppendQuote") and
+      (inp.isParameter(_) and outp.isResult())
+      or
+      // signature: func AppendQuoteToASCII(dst []byte, s string) []byte
+      hasQualifiedName("strconv", "AppendQuoteToASCII") and
+      (inp.isParameter(_) and outp.isResult())
+      or
+      // signature: func AppendQuoteToGraphic(dst []byte, s string) []byte
+      hasQualifiedName("strconv", "AppendQuoteToGraphic") and
+      (inp.isParameter(_) and outp.isResult())
+      or
+      // signature: func Quote(s string) string
+      hasQualifiedName("strconv", "Quote") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func QuoteToASCII(s string) string
+      hasQualifiedName("strconv", "QuoteToASCII") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func QuoteToGraphic(s string) string
+      hasQualifiedName("strconv", "QuoteToGraphic") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func Unquote(s string) (string, error)
+      hasQualifiedName("strconv", "Unquote") and
+      (inp.isParameter(0) and outp.isResult(0))
+      or
+      // signature: func UnquoteChar(s string, quote byte) (value rune, multibyte bool, tail string, err error)
+      hasQualifiedName("strconv", "UnquoteChar") and
+      (inp.isParameter(0) and outp.isResult(2))
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+}
--- a/ql/src/semmle/go/frameworks/stdlib/Strings.qll
+++ b/ql/src/semmle/go/frameworks/stdlib/Strings.qll
@@ -0,0 +1,186 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `strings` package.
+ */
+
+import go
+
+/** Provides models of commonly used functions in the `strings` package. */
+module Strings {
+  private class FunctionModels extends TaintTracking::FunctionModel {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    FunctionModels() {
+      // signature: func Fields(s string) []string
+      hasQualifiedName("strings", "Fields") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func FieldsFunc(s string, f func(rune) bool) []string
+      hasQualifiedName("strings", "FieldsFunc") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func Join(elems []string, sep string) string
+      hasQualifiedName("strings", "Join") and
+      (inp.isParameter(_) and outp.isResult())
+      or
+      // signature: func Map(mapping func(rune) rune, s string) string
+      hasQualifiedName("strings", "Map") and
+      (inp.isParameter(1) and outp.isResult())
+      or
+      // signature: func NewReader(s string) *Reader
+      hasQualifiedName("strings", "NewReader") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func NewReplacer(oldnew ...string) *Replacer
+      hasQualifiedName("strings", "NewReplacer") and
+      (inp.isParameter(_) and outp.isResult())
+      or
+      // signature: func Repeat(s string, count int) string
+      hasQualifiedName("strings", "Repeat") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func Replace(s string, old string, new string, n int) string
+      hasQualifiedName("strings", "Replace") and
+      (inp.isParameter([0, 2]) and outp.isResult())
+      or
+      // signature: func ReplaceAll(s string, old string, new string) string
+      hasQualifiedName("strings", "ReplaceAll") and
+      (inp.isParameter([0, 2]) and outp.isResult())
+      or
+      // signature: func Split(s string, sep string) []string
+      hasQualifiedName("strings", "Split") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func SplitAfter(s string, sep string) []string
+      hasQualifiedName("strings", "SplitAfter") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func SplitAfterN(s string, sep string, n int) []string
+      hasQualifiedName("strings", "SplitAfterN") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func SplitN(s string, sep string, n int) []string
+      hasQualifiedName("strings", "SplitN") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func Title(s string) string
+      hasQualifiedName("strings", "Title") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func ToLower(s string) string
+      hasQualifiedName("strings", "ToLower") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func ToLowerSpecial(c unicode.SpecialCase, s string) string
+      hasQualifiedName("strings", "ToLowerSpecial") and
+      (inp.isParameter(1) and outp.isResult())
+      or
+      // signature: func ToTitle(s string) string
+      hasQualifiedName("strings", "ToTitle") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func ToTitleSpecial(c unicode.SpecialCase, s string) string
+      hasQualifiedName("strings", "ToTitleSpecial") and
+      (inp.isParameter(1) and outp.isResult())
+      or
+      // signature: func ToUpper(s string) string
+      hasQualifiedName("strings", "ToUpper") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func ToUpperSpecial(c unicode.SpecialCase, s string) string
+      hasQualifiedName("strings", "ToUpperSpecial") and
+      (inp.isParameter(1) and outp.isResult())
+      or
+      // signature: func ToValidUTF8(s string, replacement string) string
+      hasQualifiedName("strings", "ToValidUTF8") and
+      (inp.isParameter(_) and outp.isResult())
+      or
+      // signature: func Trim(s string, cutset string) string
+      hasQualifiedName("strings", "Trim") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func TrimFunc(s string, f func(rune) bool) string
+      hasQualifiedName("strings", "TrimFunc") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func TrimLeft(s string, cutset string) string
+      hasQualifiedName("strings", "TrimLeft") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func TrimLeftFunc(s string, f func(rune) bool) string
+      hasQualifiedName("strings", "TrimLeftFunc") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func TrimPrefix(s string, prefix string) string
+      hasQualifiedName("strings", "TrimPrefix") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func TrimRight(s string, cutset string) string
+      hasQualifiedName("strings", "TrimRight") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func TrimRightFunc(s string, f func(rune) bool) string
+      hasQualifiedName("strings", "TrimRightFunc") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func TrimSpace(s string) string
+      hasQualifiedName("strings", "TrimSpace") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func TrimSuffix(s string, suffix string) string
+      hasQualifiedName("strings", "TrimSuffix") and
+      (inp.isParameter(0) and outp.isResult())
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+
+  private class MethodModels extends TaintTracking::FunctionModel, Method {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    MethodModels() {
+      // signature: func (*Builder).String() string
+      this.hasQualifiedName("strings", "Builder", "String") and
+      (inp.isReceiver() and outp.isResult())
+      or
+      // signature: func (*Builder).Write(p []byte) (int, error)
+      this.hasQualifiedName("strings", "Builder", "Write") and
+      (inp.isParameter(0) and outp.isReceiver())
+      or
+      // signature: func (*Builder).WriteString(s string) (int, error)
+      this.hasQualifiedName("strings", "Builder", "WriteString") and
+      (inp.isParameter(0) and outp.isReceiver())
+      or
+      // signature: func (*Reader).Read(b []byte) (n int, err error)
+      this.hasQualifiedName("strings", "Reader", "Read") and
+      (inp.isReceiver() and outp.isParameter(0))
+      or
+      // signature: func (*Reader).ReadAt(b []byte, off int64) (n int, err error)
+      this.hasQualifiedName("strings", "Reader", "ReadAt") and
+      (inp.isReceiver() and outp.isParameter(0))
+      or
+      // signature: func (*Reader).Reset(s string)
+      this.hasQualifiedName("strings", "Reader", "Reset") and
+      (inp.isParameter(0) and outp.isReceiver())
+      or
+      // signature: func (*Reader).WriteTo(w io.Writer) (n int64, err error)
+      this.hasQualifiedName("strings", "Reader", "WriteTo") and
+      (inp.isReceiver() and outp.isParameter(0))
+      or
+      // signature: func (*Replacer).Replace(s string) string
+      this.hasQualifiedName("strings", "Replacer", "Replace") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func (*Replacer).WriteString(w io.Writer, s string) (n int, err error)
+      this.hasQualifiedName("strings", "Replacer", "WriteString") and
+      (inp.isParameter(1) and outp.isParameter(0))
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+}
--- a/ql/src/semmle/go/security/CleartextLoggingCustomizations.qll
+++ b/ql/src/semmle/go/security/CleartextLoggingCustomizations.qll
@@ -183,4 +183,22 @@ module CleartextLogging {

    override string describe() { result = "HTTP request headers" }
  }
+
+  /**
+   * The first element of a split by ' '  or ':', often sanitizing a username/password pair
+   * or the "Method value" syntax used in the HTTP Authorization header.
+   */
+  private class NonSensitiveAuthorizationElement extends Barrier, DataFlow::ElementReadNode {
+    NonSensitiveAuthorizationElement() {
+      exists(DataFlow::CallNode splitCall, DataFlow::Node splitAlias |
+        splitCall
+            .getTarget()
+            .hasQualifiedName("strings", ["Split", "SplitN", "SplitAfter", "SplitAfterN"]) and
+        splitCall.getArgument(1).getStringValue() = [" ", ":"] and
+        DataFlow::localFlow(splitCall.getResult(), splitAlias) and
+        this.getBase() = splitAlias
+      ) and
+      this.getIndex().getIntValue() = 0
+    }
+  }
 }
--- a/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Strconv.go
+++ b/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Strconv.go
@@ -0,0 +1,129 @@
+// Code generated by https://github.com/gagliardetto/codebox. DO NOT EDIT.
+
+package main
+
+import "strconv"
+
+func TaintStepTest_StrconvAppendQuote_B0I0O0(sourceCQL interface{}) interface{} {
+	fromByte656 := sourceCQL.([]byte)
+	intoByte414 := strconv.AppendQuote(fromByte656, "")
+	return intoByte414
+}
+
+func TaintStepTest_StrconvAppendQuote_B0I1O0(sourceCQL interface{}) interface{} {
+	fromString518 := sourceCQL.(string)
+	intoByte650 := strconv.AppendQuote(nil, fromString518)
+	return intoByte650
+}
+
+func TaintStepTest_StrconvAppendQuoteToASCII_B0I0O0(sourceCQL interface{}) interface{} {
+	fromByte784 := sourceCQL.([]byte)
+	intoByte957 := strconv.AppendQuoteToASCII(fromByte784, "")
+	return intoByte957
+}
+
+func TaintStepTest_StrconvAppendQuoteToASCII_B0I1O0(sourceCQL interface{}) interface{} {
+	fromString520 := sourceCQL.(string)
+	intoByte443 := strconv.AppendQuoteToASCII(nil, fromString520)
+	return intoByte443
+}
+
+func TaintStepTest_StrconvAppendQuoteToGraphic_B0I0O0(sourceCQL interface{}) interface{} {
+	fromByte127 := sourceCQL.([]byte)
+	intoByte483 := strconv.AppendQuoteToGraphic(fromByte127, "")
+	return intoByte483
+}
+
+func TaintStepTest_StrconvAppendQuoteToGraphic_B0I1O0(sourceCQL interface{}) interface{} {
+	fromString989 := sourceCQL.(string)
+	intoByte982 := strconv.AppendQuoteToGraphic(nil, fromString989)
+	return intoByte982
+}
+
+func TaintStepTest_StrconvQuote_B0I0O0(sourceCQL interface{}) interface{} {
+	fromString417 := sourceCQL.(string)
+	intoString584 := strconv.Quote(fromString417)
+	return intoString584
+}
+
+func TaintStepTest_StrconvQuoteToASCII_B0I0O0(sourceCQL interface{}) interface{} {
+	fromString991 := sourceCQL.(string)
+	intoString881 := strconv.QuoteToASCII(fromString991)
+	return intoString881
+}
+
+func TaintStepTest_StrconvQuoteToGraphic_B0I0O0(sourceCQL interface{}) interface{} {
+	fromString186 := sourceCQL.(string)
+	intoString284 := strconv.QuoteToGraphic(fromString186)
+	return intoString284
+}
+
+func TaintStepTest_StrconvUnquote_B0I0O0(sourceCQL interface{}) interface{} {
+	fromString908 := sourceCQL.(string)
+	intoString137, _ := strconv.Unquote(fromString908)
+	return intoString137
+}
+
+func TaintStepTest_StrconvUnquoteChar_B0I0O0(sourceCQL interface{}) interface{} {
+	fromString494 := sourceCQL.(string)
+	_, _, intoString873, _ := strconv.UnquoteChar(fromString494, 0)
+	return intoString873
+}
+
+func RunAllTaints_Strconv() {
+	{
+		source := newSource(0)
+		out := TaintStepTest_StrconvAppendQuote_B0I0O0(source)
+		sink(0, out)
+	}
+	{
+		source := newSource(1)
+		out := TaintStepTest_StrconvAppendQuote_B0I1O0(source)
+		sink(1, out)
+	}
+	{
+		source := newSource(2)
+		out := TaintStepTest_StrconvAppendQuoteToASCII_B0I0O0(source)
+		sink(2, out)
+	}
+	{
+		source := newSource(3)
+		out := TaintStepTest_StrconvAppendQuoteToASCII_B0I1O0(source)
+		sink(3, out)
+	}
+	{
+		source := newSource(4)
+		out := TaintStepTest_StrconvAppendQuoteToGraphic_B0I0O0(source)
+		sink(4, out)
+	}
+	{
+		source := newSource(5)
+		out := TaintStepTest_StrconvAppendQuoteToGraphic_B0I1O0(source)
+		sink(5, out)
+	}
+	{
+		source := newSource(6)
+		out := TaintStepTest_StrconvQuote_B0I0O0(source)
+		sink(6, out)
+	}
+	{
+		source := newSource(7)
+		out := TaintStepTest_StrconvQuoteToASCII_B0I0O0(source)
+		sink(7, out)
+	}
+	{
+		source := newSource(8)
+		out := TaintStepTest_StrconvQuoteToGraphic_B0I0O0(source)
+		sink(8, out)
+	}
+	{
+		source := newSource(9)
+		out := TaintStepTest_StrconvUnquote_B0I0O0(source)
+		sink(9, out)
+	}
+	{
+		source := newSource(10)
+		out := TaintStepTest_StrconvUnquoteChar_B0I0O0(source)
+		sink(10, out)
+	}
+}
--- a/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Strings.go
+++ b/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Strings.go
@@ -0,0 +1,493 @@
+// Code generated by https://github.com/gagliardetto/codebox. DO NOT EDIT.
+
+package main
+
+import (
+	"io"
+	"strings"
+)
+
+func TaintStepTest_StringsFields_B0I0O0(sourceCQL interface{}) interface{} {
+	fromString656 := sourceCQL.(string)
+	intoString414 := strings.Fields(fromString656)
+	return intoString414
+}
+
+func TaintStepTest_StringsFieldsFunc_B0I0O0(sourceCQL interface{}) interface{} {
+	fromString518 := sourceCQL.(string)
+	intoString650 := strings.FieldsFunc(fromString518, nil)
+	return intoString650
+}
+
+func TaintStepTest_StringsJoin_B0I0O0(sourceCQL interface{}) interface{} {
+	fromString784 := sourceCQL.([]string)
+	intoString957 := strings.Join(fromString784, "")
+	return intoString957
+}
+
+func TaintStepTest_StringsJoin_B0I1O0(sourceCQL interface{}) interface{} {
+	fromString520 := sourceCQL.(string)
+	intoString443 := strings.Join(nil, fromString520)
+	return intoString443
+}
+
+func TaintStepTest_StringsMap_B0I0O0(sourceCQL interface{}) interface{} {
+	fromString127 := sourceCQL.(string)
+	intoString483 := strings.Map(nil, fromString127)
+	return intoString483
+}
+
+func TaintStepTest_StringsNewReader_B0I0O0(sourceCQL interface{}) interface{} {
+	fromString989 := sourceCQL.(string)
+	intoReader982 := strings.NewReader(fromString989)
+	return intoReader982
+}
+
+func TaintStepTest_StringsNewReplacer_B0I0O0(sourceCQL interface{}) interface{} {
+	fromString417 := sourceCQL.(string)
+	intoReplacer584 := strings.NewReplacer(fromString417)
+	return intoReplacer584
+}
+
+func TaintStepTest_StringsRepeat_B0I0O0(sourceCQL interface{}) interface{} {
+	fromString991 := sourceCQL.(string)
+	intoString881 := strings.Repeat(fromString991, 0)
+	return intoString881
+}
+
+func TaintStepTest_StringsReplace_B0I0O0(sourceCQL interface{}) interface{} {
+	fromString186 := sourceCQL.(string)
+	intoString284 := strings.Replace(fromString186, "", "", 0)
+	return intoString284
+}
+
+func TaintStepTest_StringsReplace_B0I1O0(sourceCQL interface{}) interface{} {
+	fromString908 := sourceCQL.(string)
+	intoString137 := strings.Replace("", "", fromString908, 0)
+	return intoString137
+}
+
+func TaintStepTest_StringsReplaceAll_B0I0O0(sourceCQL interface{}) interface{} {
+	fromString494 := sourceCQL.(string)
+	intoString873 := strings.ReplaceAll(fromString494, "", "")
+	return intoString873
+}
+
+func TaintStepTest_StringsReplaceAll_B0I1O0(sourceCQL interface{}) interface{} {
+	fromString599 := sourceCQL.(string)
+	intoString409 := strings.ReplaceAll("", "", fromString599)
+	return intoString409
+}
+
+func TaintStepTest_StringsSplit_B0I0O0(sourceCQL interface{}) interface{} {
+	fromString246 := sourceCQL.(string)
+	intoString898 := strings.Split(fromString246, "")
+	return intoString898
+}
+
+func TaintStepTest_StringsSplitAfter_B0I0O0(sourceCQL interface{}) interface{} {
+	fromString598 := sourceCQL.(string)
+	intoString631 := strings.SplitAfter(fromString598, "")
+	return intoString631
+}
+
+func TaintStepTest_StringsSplitAfterN_B0I0O0(sourceCQL interface{}) interface{} {
+	fromString165 := sourceCQL.(string)
+	intoString150 := strings.SplitAfterN(fromString165, "", 0)
+	return intoString150
+}
+
+func TaintStepTest_StringsSplitN_B0I0O0(sourceCQL interface{}) interface{} {
+	fromString340 := sourceCQL.(string)
+	intoString471 := strings.SplitN(fromString340, "", 0)
+	return intoString471
+}
+
+func TaintStepTest_StringsTitle_B0I0O0(sourceCQL interface{}) interface{} {
+	fromString290 := sourceCQL.(string)
+	intoString758 := strings.Title(fromString290)
+	return intoString758
+}
+
+func TaintStepTest_StringsToLower_B0I0O0(sourceCQL interface{}) interface{} {
+	fromString396 := sourceCQL.(string)
+	intoString707 := strings.ToLower(fromString396)
+	return intoString707
+}
+
+func TaintStepTest_StringsToLowerSpecial_B0I0O0(sourceCQL interface{}) interface{} {
+	fromString912 := sourceCQL.(string)
+	intoString718 := strings.ToLowerSpecial(nil, fromString912)
+	return intoString718
+}
+
+func TaintStepTest_StringsToTitle_B0I0O0(sourceCQL interface{}) interface{} {
+	fromString972 := sourceCQL.(string)
+	intoString633 := strings.ToTitle(fromString972)
+	return intoString633
+}
+
+func TaintStepTest_StringsToTitleSpecial_B0I0O0(sourceCQL interface{}) interface{} {
+	fromString316 := sourceCQL.(string)
+	intoString145 := strings.ToTitleSpecial(nil, fromString316)
+	return intoString145
+}
+
+func TaintStepTest_StringsToUpper_B0I0O0(sourceCQL interface{}) interface{} {
+	fromString817 := sourceCQL.(string)
+	intoString474 := strings.ToUpper(fromString817)
+	return intoString474
+}
+
+func TaintStepTest_StringsToUpperSpecial_B0I0O0(sourceCQL interface{}) interface{} {
+	fromString832 := sourceCQL.(string)
+	intoString378 := strings.ToUpperSpecial(nil, fromString832)
+	return intoString378
+}
+
+func TaintStepTest_StringsToValidUTF8_B0I0O0(sourceCQL interface{}) interface{} {
+	fromString541 := sourceCQL.(string)
+	intoString139 := strings.ToValidUTF8(fromString541, "")
+	return intoString139
+}
+
+func TaintStepTest_StringsToValidUTF8_B0I1O0(sourceCQL interface{}) interface{} {
+	fromString814 := sourceCQL.(string)
+	intoString768 := strings.ToValidUTF8("", fromString814)
+	return intoString768
+}
+
+func TaintStepTest_StringsTrim_B0I0O0(sourceCQL interface{}) interface{} {
+	fromString468 := sourceCQL.(string)
+	intoString736 := strings.Trim(fromString468, "")
+	return intoString736
+}
+
+func TaintStepTest_StringsTrimFunc_B0I0O0(sourceCQL interface{}) interface{} {
+	fromString516 := sourceCQL.(string)
+	intoString246 := strings.TrimFunc(fromString516, nil)
+	return intoString246
+}
+
+func TaintStepTest_StringsTrimLeft_B0I0O0(sourceCQL interface{}) interface{} {
+	fromString679 := sourceCQL.(string)
+	intoString736 := strings.TrimLeft(fromString679, "")
+	return intoString736
+}
+
+func TaintStepTest_StringsTrimLeftFunc_B0I0O0(sourceCQL interface{}) interface{} {
+	fromString839 := sourceCQL.(string)
+	intoString273 := strings.TrimLeftFunc(fromString839, nil)
+	return intoString273
+}
+
+func TaintStepTest_StringsTrimPrefix_B0I0O0(sourceCQL interface{}) interface{} {
+	fromString982 := sourceCQL.(string)
+	intoString458 := strings.TrimPrefix(fromString982, "")
+	return intoString458
+}
+
+func TaintStepTest_StringsTrimRight_B0I0O0(sourceCQL interface{}) interface{} {
+	fromString506 := sourceCQL.(string)
+	intoString213 := strings.TrimRight(fromString506, "")
+	return intoString213
+}
+
+func TaintStepTest_StringsTrimRightFunc_B0I0O0(sourceCQL interface{}) interface{} {
+	fromString468 := sourceCQL.(string)
+	intoString219 := strings.TrimRightFunc(fromString468, nil)
+	return intoString219
+}
+
+func TaintStepTest_StringsTrimSpace_B0I0O0(sourceCQL interface{}) interface{} {
+	fromString265 := sourceCQL.(string)
+	intoString971 := strings.TrimSpace(fromString265)
+	return intoString971
+}
+
+func TaintStepTest_StringsTrimSuffix_B0I0O0(sourceCQL interface{}) interface{} {
+	fromString320 := sourceCQL.(string)
+	intoString545 := strings.TrimSuffix(fromString320, "")
+	return intoString545
+}
+
+func TaintStepTest_StringsBuilderString_B0I0O0(sourceCQL interface{}) interface{} {
+	fromBuilder566 := sourceCQL.(strings.Builder)
+	intoString497 := fromBuilder566.String()
+	return intoString497
+}
+
+func TaintStepTest_StringsBuilderWrite_B0I0O0(sourceCQL interface{}) interface{} {
+	fromByte274 := sourceCQL.([]byte)
+	var intoBuilder783 strings.Builder
+	intoBuilder783.Write(fromByte274)
+	return intoBuilder783
+}
+
+func TaintStepTest_StringsBuilderWriteString_B0I0O0(sourceCQL interface{}) interface{} {
+	fromString905 := sourceCQL.(string)
+	var intoBuilder389 strings.Builder
+	intoBuilder389.WriteString(fromString905)
+	return intoBuilder389
+}
+
+func TaintStepTest_StringsReaderRead_B0I0O0(sourceCQL interface{}) interface{} {
+	fromReader198 := sourceCQL.(strings.Reader)
+	var intoByte477 []byte
+	fromReader198.Read(intoByte477)
+	return intoByte477
+}
+
+func TaintStepTest_StringsReaderReadAt_B0I0O0(sourceCQL interface{}) interface{} {
+	fromReader544 := sourceCQL.(strings.Reader)
+	var intoByte382 []byte
+	fromReader544.ReadAt(intoByte382, 0)
+	return intoByte382
+}
+
+func TaintStepTest_StringsReaderReset_B0I0O0(sourceCQL interface{}) interface{} {
+	fromString715 := sourceCQL.(string)
+	var intoReader179 strings.Reader
+	intoReader179.Reset(fromString715)
+	return intoReader179
+}
+
+func TaintStepTest_StringsReaderWriteTo_B0I0O0(sourceCQL interface{}) interface{} {
+	fromReader366 := sourceCQL.(strings.Reader)
+	var intoWriter648 io.Writer
+	fromReader366.WriteTo(intoWriter648)
+	return intoWriter648
+}
+
+func TaintStepTest_StringsReplacerReplace_B0I0O0(sourceCQL interface{}) interface{} {
+	fromString544 := sourceCQL.(string)
+	var mediumObjCQL strings.Replacer
+	intoString484 := mediumObjCQL.Replace(fromString544)
+	return intoString484
+}
+
+func TaintStepTest_StringsReplacerWriteString_B0I0O0(sourceCQL interface{}) interface{} {
+	fromString824 := sourceCQL.(string)
+	var intoWriter754 io.Writer
+	var mediumObjCQL strings.Replacer
+	mediumObjCQL.WriteString(intoWriter754, fromString824)
+	return intoWriter754
+}
+
+func RunAllTaints_Strings() {
+	{
+		source := newSource(0)
+		out := TaintStepTest_StringsFields_B0I0O0(source)
+		sink(0, out)
+	}
+	{
+		source := newSource(1)
+		out := TaintStepTest_StringsFieldsFunc_B0I0O0(source)
+		sink(1, out)
+	}
+	{
+		source := newSource(2)
+		out := TaintStepTest_StringsJoin_B0I0O0(source)
+		sink(2, out)
+	}
+	{
+		source := newSource(3)
+		out := TaintStepTest_StringsJoin_B0I1O0(source)
+		sink(3, out)
+	}
+	{
+		source := newSource(4)
+		out := TaintStepTest_StringsMap_B0I0O0(source)
+		sink(4, out)
+	}
+	{
+		source := newSource(5)
+		out := TaintStepTest_StringsNewReader_B0I0O0(source)
+		sink(5, out)
+	}
+	{
+		source := newSource(6)
+		out := TaintStepTest_StringsNewReplacer_B0I0O0(source)
+		sink(6, out)
+	}
+	{
+		source := newSource(7)
+		out := TaintStepTest_StringsRepeat_B0I0O0(source)
+		sink(7, out)
+	}
+	{
+		source := newSource(8)
+		out := TaintStepTest_StringsReplace_B0I0O0(source)
+		sink(8, out)
+	}
+	{
+		source := newSource(9)
+		out := TaintStepTest_StringsReplace_B0I1O0(source)
+		sink(9, out)
+	}
+	{
+		source := newSource(10)
+		out := TaintStepTest_StringsReplaceAll_B0I0O0(source)
+		sink(10, out)
+	}
+	{
+		source := newSource(11)
+		out := TaintStepTest_StringsReplaceAll_B0I1O0(source)
+		sink(11, out)
+	}
+	{
+		source := newSource(12)
+		out := TaintStepTest_StringsSplit_B0I0O0(source)
+		sink(12, out)
+	}
+	{
+		source := newSource(13)
+		out := TaintStepTest_StringsSplitAfter_B0I0O0(source)
+		sink(13, out)
+	}
+	{
+		source := newSource(14)
+		out := TaintStepTest_StringsSplitAfterN_B0I0O0(source)
+		sink(14, out)
+	}
+	{
+		source := newSource(15)
+		out := TaintStepTest_StringsSplitN_B0I0O0(source)
+		sink(15, out)
+	}
+	{
+		source := newSource(16)
+		out := TaintStepTest_StringsTitle_B0I0O0(source)
+		sink(16, out)
+	}
+	{
+		source := newSource(17)
+		out := TaintStepTest_StringsToLower_B0I0O0(source)
+		sink(17, out)
+	}
+	{
+		source := newSource(18)
+		out := TaintStepTest_StringsToLowerSpecial_B0I0O0(source)
+		sink(18, out)
+	}
+	{
+		source := newSource(19)
+		out := TaintStepTest_StringsToTitle_B0I0O0(source)
+		sink(19, out)
+	}
+	{
+		source := newSource(20)
+		out := TaintStepTest_StringsToTitleSpecial_B0I0O0(source)
+		sink(20, out)
+	}
+	{
+		source := newSource(21)
+		out := TaintStepTest_StringsToUpper_B0I0O0(source)
+		sink(21, out)
+	}
+	{
+		source := newSource(22)
+		out := TaintStepTest_StringsToUpperSpecial_B0I0O0(source)
+		sink(22, out)
+	}
+	{
+		source := newSource(23)
+		out := TaintStepTest_StringsToValidUTF8_B0I0O0(source)
+		sink(23, out)
+	}
+	{
+		source := newSource(24)
+		out := TaintStepTest_StringsToValidUTF8_B0I1O0(source)
+		sink(24, out)
+	}
+	{
+		source := newSource(25)
+		out := TaintStepTest_StringsTrim_B0I0O0(source)
+		sink(25, out)
+	}
+	{
+		source := newSource(26)
+		out := TaintStepTest_StringsTrimFunc_B0I0O0(source)
+		sink(26, out)
+	}
+	{
+		source := newSource(27)
+		out := TaintStepTest_StringsTrimLeft_B0I0O0(source)
+		sink(27, out)
+	}
+	{
+		source := newSource(28)
+		out := TaintStepTest_StringsTrimLeftFunc_B0I0O0(source)
+		sink(28, out)
+	}
+	{
+		source := newSource(29)
+		out := TaintStepTest_StringsTrimPrefix_B0I0O0(source)
+		sink(29, out)
+	}
+	{
+		source := newSource(30)
+		out := TaintStepTest_StringsTrimRight_B0I0O0(source)
+		sink(30, out)
+	}
+	{
+		source := newSource(31)
+		out := TaintStepTest_StringsTrimRightFunc_B0I0O0(source)
+		sink(31, out)
+	}
+	{
+		source := newSource(32)
+		out := TaintStepTest_StringsTrimSpace_B0I0O0(source)
+		sink(32, out)
+	}
+	{
+		source := newSource(33)
+		out := TaintStepTest_StringsTrimSuffix_B0I0O0(source)
+		sink(33, out)
+	}
+	{
+		source := newSource(34)
+		out := TaintStepTest_StringsBuilderString_B0I0O0(source)
+		sink(34, out)
+	}
+	{
+		source := newSource(35)
+		out := TaintStepTest_StringsBuilderWrite_B0I0O0(source)
+		sink(35, out)
+	}
+	{
+		source := newSource(36)
+		out := TaintStepTest_StringsBuilderWriteString_B0I0O0(source)
+		sink(36, out)
+	}
+	{
+		source := newSource(37)
+		out := TaintStepTest_StringsReaderRead_B0I0O0(source)
+		sink(37, out)
+	}
+	{
+		source := newSource(38)
+		out := TaintStepTest_StringsReaderReadAt_B0I0O0(source)
+		sink(38, out)
+	}
+	{
+		source := newSource(39)
+		out := TaintStepTest_StringsReaderReset_B0I0O0(source)
+		sink(39, out)
+	}
+	{
+		source := newSource(40)
+		out := TaintStepTest_StringsReaderWriteTo_B0I0O0(source)
+		sink(40, out)
+	}
+	{
+		source := newSource(41)
+		out := TaintStepTest_StringsReplacerReplace_B0I0O0(source)
+		sink(41, out)
+	}
+	{
+		source := newSource(42)
+		out := TaintStepTest_StringsReplacerWriteString_B0I0O0(source)
+		sink(42, out)
+	}
+}
--- a/ql/test/library-tests/semmle/go/frameworks/TaintSteps/TaintStep.expected
+++ b/ql/test/library-tests/semmle/go/frameworks/TaintSteps/TaintStep.expected
@@ -5,6 +5,7 @@
 | crypto.go:11:18:11:57 | call to Open | crypto.go:11:2:11:57 | ... := ...[0] |
 | crypto.go:11:18:11:57 | call to Open | crypto.go:11:2:11:57 | ... := ...[1] |
 | crypto.go:11:42:11:51 | ciphertext | crypto.go:11:2:11:57 | ... := ...[0] |
+| io.go:13:31:13:43 | "some string" | io.go:13:13:13:44 | call to NewReader |
 | io.go:15:3:15:3 | definition of w | io.go:15:23:15:27 | &... |
 | io.go:15:3:15:3 | definition of w | io.go:15:30:15:34 | &... |
 | io.go:15:23:15:27 | &... | io.go:14:7:14:10 | definition of buf1 |
@@ -12,9 +13,11 @@
 | io.go:15:30:15:34 | &... | io.go:14:13:14:16 | definition of buf2 |
 | io.go:15:31:15:34 | buf2 | io.go:15:30:15:34 | &... |
 | io.go:17:14:17:19 | reader | io.go:15:3:15:3 | definition of w |
+| io.go:21:31:21:43 | "some string" | io.go:21:13:21:44 | call to NewReader |
 | io.go:24:19:24:23 | &... | io.go:22:7:22:10 | definition of buf1 |
 | io.go:24:20:24:23 | buf1 | io.go:24:19:24:23 | &... |
 | io.go:26:21:26:26 | reader | io.go:24:3:24:4 | definition of w2 |
+| io.go:30:31:30:43 | "some string" | io.go:30:13:30:44 | call to NewReader |
 | io.go:32:19:32:23 | &... | io.go:31:7:31:10 | definition of buf1 |
 | io.go:32:20:32:23 | buf1 | io.go:32:19:32:23 | &... |
 | io.go:34:16:34:21 | reader | io.go:32:3:32:4 | definition of w2 |
@@ -24,34 +27,47 @@
 | io.go:39:17:39:31 | "some string\\n" | io.go:38:6:38:6 | definition of w |
 | io.go:42:16:42:16 | r | io.go:41:3:41:5 | definition of buf |
 | io.go:43:13:43:15 | buf | io.go:43:13:43:24 | call to String |
+| io.go:47:31:47:43 | "some string" | io.go:47:13:47:44 | call to NewReader |
 | io.go:49:18:49:23 | reader | io.go:48:3:48:5 | definition of buf |
+| io.go:53:31:53:43 | "some string" | io.go:53:13:53:44 | call to NewReader |
 | io.go:55:15:55:20 | reader | io.go:54:3:54:5 | definition of buf |
 | io.go:60:18:60:21 | &... | io.go:59:7:59:9 | definition of buf |
 | io.go:60:19:60:21 | buf | io.go:60:18:60:21 | &... |
 | io.go:61:21:61:26 | "test" | io.go:60:3:60:3 | definition of w |
+| io.go:65:31:65:43 | "some string" | io.go:65:13:65:44 | call to NewReader |
 | io.go:66:11:66:16 | reader | io.go:66:3:66:27 | ... := ...[0] |
 | io.go:66:11:66:27 | call to ReadByte | io.go:66:3:66:27 | ... := ...[0] |
 | io.go:66:11:66:27 | call to ReadByte | io.go:66:3:66:27 | ... := ...[1] |
 | io.go:68:21:68:21 | t | io.go:67:7:67:13 | definition of bwriter |
+| io.go:72:31:72:43 | "some string" | io.go:72:13:72:44 | call to NewReader |
 | io.go:74:3:74:8 | reader | io.go:73:3:73:5 | definition of buf |
+| io.go:77:31:77:43 | "some string" | io.go:77:13:77:44 | call to NewReader |
 | io.go:79:3:79:8 | reader | io.go:78:3:78:5 | definition of buf |
+| io.go:83:31:83:43 | "some string" | io.go:83:13:83:44 | call to NewReader |
 | io.go:84:24:84:29 | reader | io.go:84:9:84:33 | call to LimitReader |
 | io.go:85:22:85:23 | lr | io.go:85:11:85:19 | selection of Stdout |
+| io.go:89:27:89:36 | "reader1 " | io.go:89:9:89:37 | call to NewReader |
+| io.go:90:27:90:36 | "reader2 " | io.go:90:9:90:37 | call to NewReader |
+| io.go:91:27:91:35 | "reader3" | io.go:91:9:91:36 | call to NewReader |
 | io.go:92:23:92:24 | r1 | io.go:92:8:92:33 | call to MultiReader |
 | io.go:92:27:92:28 | r2 | io.go:92:8:92:33 | call to MultiReader |
 | io.go:92:31:92:32 | r3 | io.go:92:8:92:33 | call to MultiReader |
 | io.go:93:22:93:22 | r | io.go:93:11:93:19 | selection of Stdout |
+| io.go:96:26:96:38 | "some string" | io.go:96:8:96:39 | call to NewReader |
 | io.go:98:23:98:23 | r | io.go:98:10:98:30 | call to TeeReader |
 | io.go:98:23:98:23 | r | io.go:98:26:98:29 | &... |
 | io.go:98:26:98:29 | &... | io.go:97:7:97:9 | definition of buf |
 | io.go:98:27:98:29 | buf | io.go:98:26:98:29 | &... |
 | io.go:100:22:100:24 | tee | io.go:100:11:100:19 | selection of Stdout |
+| io.go:103:26:103:38 | "some string" | io.go:103:8:103:39 | call to NewReader |
 | io.go:104:28:104:28 | r | io.go:104:8:104:36 | call to NewSectionReader |
 | io.go:105:22:105:22 | s | io.go:105:11:105:19 | selection of Stdout |
+| io.go:108:26:108:38 | "some string" | io.go:108:8:108:39 | call to NewReader |
 | io.go:109:16:109:16 | r | io.go:109:3:109:27 | ... := ...[0] |
 | io.go:109:16:109:27 | call to ReadRune | io.go:109:3:109:27 | ... := ...[0] |
 | io.go:109:16:109:27 | call to ReadRune | io.go:109:3:109:27 | ... := ...[1] |
 | io.go:109:16:109:27 | call to ReadRune | io.go:109:3:109:27 | ... := ...[2] |
+| io.go:113:26:113:38 | "some string" | io.go:113:8:113:39 | call to NewReader |
 | io.go:114:3:114:3 | r | io.go:114:13:114:21 | selection of Stdout |
 | main.go:11:12:11:26 | call to Marshal | main.go:11:2:11:26 | ... := ...[0] |
 | main.go:11:12:11:26 | call to Marshal | main.go:11:2:11:26 | ... := ...[1] |
--- a/ql/test/query-tests/Security/CWE-312/CleartextLoggingGood.go
+++ b/ql/test/query-tests/Security/CWE-312/CleartextLoggingGood.go
@@ -3,6 +3,7 @@ package main
 import (
 	"log"
 	"net/http"
+	"strings"
 )

 func serve1() {
@@ -18,3 +19,19 @@ func serve1() {
 	})
 	http.ListenAndServe(":80", nil)
 }
+
+func serveauth() {
+	http.HandleFunc("/register", func(w http.ResponseWriter, r *http.Request) {
+		authhdr := r.Header.Get("authorization")
+		fields := strings.Split(authhdr, " ")
+
+		log.Printf("Auth method is %s.\n", fields[0])
+
+		tokenparts := strings.Split(fields[1], ":")
+		log.Printf("Username is %s.\n", tokenparts[0])
+
+		// ...
+		use(tokenparts[1])
+	})
+	http.ListenAndServe(":80", nil)
+}