Add missing tests for CertStorage

go/ql/test/library-tests/semmle/go/frameworks/ElazarlGoproxy/main.go

@@ -3,6 +3,7 @@
 package main
 
 import (
+	"crypto/tls"
 	"fmt"
 	"net/http"
 
@@ -23,6 +24,25 @@ func handler1(r *http.Request, ctx *goproxy.ProxyCtx) (*http.Request, *http.Resp
 	return r, goproxy.TextResponse(r, "Hello!") // $ headerwrite=status:200 headerwrite=content-type:text/plain
 }
 
+func taintedCertStorage() *goproxy.CertStorage {
+	return nil
+}
+
+func taintedFunction() func() (*tls.Certificate, error) {
+	return nil
+}
+
+func sink(_ *tls.Certificate) { }
+
+func testCertStorageFetch() {
+	cert, _ := (*taintedCertStorage()).Fetch("myhostname.org", nil)
+	sink(cert) // $ taintflow
+
+	var storage goproxy.CertStorage
+	cert2, _ := storage.Fetch("myhostname.org", taintedFunction())
+	sink(cert2) // $ taintflow
+}
+
 func main() {
 
 }

go/ql/test/library-tests/semmle/go/frameworks/ElazarlGoproxy/test.ql

@@ -47,3 +47,32 @@ class LoggerTest extends InlineExpectationsTest {
     )
   }
 }
+
+class Config extends TaintTracking::Configuration {
+  Config() { this = "goproxy config" }
+
+  override predicate isSource(DataFlow::Node n) {
+    n = any(DataFlow::CallNode c | c.getCalleeName().matches("tainted%")).getResult()
+  }
+
+  override predicate isSink(DataFlow::Node n) {
+    n = any(DataFlow::CallNode cn | cn.getTarget().getName() = "sink").getAnArgument()
+  }
+}
+
+class TaintFlow extends InlineExpectationsTest {
+  TaintFlow() { this = "goproxy flow" }
+
+  override string getARelevantTag() { result = "taintflow" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "taintflow" and
+    value = "" and
+    element = "" and
+    exists(Config c, DataFlow::Node fromNode, DataFlow::Node toNode |
+      toNode.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
+        location.getStartColumn(), location.getEndLine(), location.getEndColumn()) and
+      c.hasFlow(fromNode, toNode)
+    )
+  }
+}