From 3c024037013231d80261950ab143ba684265ef53 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Tue, 18 Jan 2022 23:36:14 +0000
Subject: [PATCH] Do not use getACall() when we only want direct calls

In both of these locations we do not want calls through interface methods.
---
 ql/lib/semmle/go/security/ExternalAPIs.qll                     | 2 +-
 ql/lib/semmle/go/security/InsecureRandomnessCustomizations.qll | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/ql/lib/semmle/go/security/ExternalAPIs.qll b/ql/lib/semmle/go/security/ExternalAPIs.qll
index 3b7e96c1064..a1172a66f8d 100644
--- a/ql/lib/semmle/go/security/ExternalAPIs.qll
+++ b/ql/lib/semmle/go/security/ExternalAPIs.qll
@@ -74,7 +74,7 @@ class ExternalAPIDataNode extends DataFlow::Node {
     // Not already modeled as a taint step
     not exists(DataFlow::Node next | TaintTracking::localTaintStep(this, next)) and
     // Not a call to a known safe external API
-    not call = any(SafeExternalAPIFunction f).getACall()
+    not call.getTarget() instanceof SafeExternalAPIFunction
   }
 
   /** Gets the called API `Function`. */
diff --git a/ql/lib/semmle/go/security/InsecureRandomnessCustomizations.qll b/ql/lib/semmle/go/security/InsecureRandomnessCustomizations.qll
index c894afb4123..2cbb350461b 100644
--- a/ql/lib/semmle/go/security/InsecureRandomnessCustomizations.qll
+++ b/ql/lib/semmle/go/security/InsecureRandomnessCustomizations.qll
@@ -60,7 +60,7 @@ module InsecureRandomness {
       // Some interfaces in the `crypto` package are the same as interfaces
       // elsewhere, e.g. tls.listener is the same as net.Listener
       not fn.hasQualifiedName(nonCryptoInterface(), _) and
-      this = fn.getACall().getAnArgument()
+      exists(DataFlow::CallNode call | call.getTarget() = fn and this = call.getAnArgument())
     )
   }
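Review bot: The new line `not call.getTarget() instanceof SafeExternalAPIFunction` narrows the "safe" exclusion to the statically resolved target, so a call made through an interface method is no longer treated as safe just because one concrete implementation is modeled, but nothing at the line records that choice and `getACall()` is the idiom a later maintainer would likely restore. Suggest extending the comment above it to `// Not a direct call to a known safe external API; calls through an interface method are deliberately not excluded, since other implementations of that interface may not be safe`. This is the more conservative direction for a taint analysis (fewer calls suppressed as safe), which is worth stating so the extra findings are not read as a regression. A call whose target cannot be resolved presumably has no `getTarget()` result and therefore stays classified as external, as before. The enclosing predicate starts above the hunk.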
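Review bot: In the InsecureRandomnessCustomizations hunk the sink is now only an argument of a call whose direct target is `fn`, so calls reaching a crypto function through an interface that `fn` merely implements stop being sinks; for an insecure-randomness query that is the direction that can introduce false negatives, and the line should say so: `// Only direct calls to fn are sinks; a call via an interface fn implements is not matched`. The guard `not fn.hasQualifiedName(nonCryptoInterface(), _)` and its comment about `tls.listener` / `net.Listener` appear to exist to suppress matches that `getACall()` produced through equivalent interfaces, so after this change it is either redundant or still needed for a reason the comment should now give; I cannot tell which from the hunk because `fn` and `nonCryptoInterface()` are defined outside it. The enclosing predicate starts outside the hunk.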