From 40869480e148ae616da257ddbcebdc1ce0f8add5 Mon Sep 17 00:00:00 2001
From: Chris Smowton
Date: Mon, 12 Oct 2020 10:09:16 +0100
Subject: [PATCH] Extend `context` models to cover its old `golang.org/x/net/context` home.
---
 .../2020-10-12-old-context-package.md | 2 +
 .../semmle/go/frameworks/stdlib/Context.qll | 18 +++--
 .../go/frameworks/StdlibTaintFlow/Context.go | 78 +++++++++++++++++++
 .../go/frameworks/StdlibTaintFlow/go.mod | 7 ++
 .../vendor/golang.org/x/net/context/stub.go | 36 +++++++++
 .../StdlibTaintFlow/vendor/modules.txt | 3 +
 6 files changed, 139 insertions(+), 5 deletions(-)
 create mode 100644 change-notes/2020-10-12-old-context-package.md
 create mode 100644 ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/go.mod
 create mode 100644 ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/vendor/golang.org/x/net/context/stub.go
 create mode 100644 ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/vendor/modules.txt
diff --git a/change-notes/2020-10-12-old-context-package.md b/change-notes/2020-10-12-old-context-package.md
new file mode 100644
index 00000000000..3e40ba064f0
--- /dev/null
+++ b/change-notes/2020-10-12-old-context-package.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added support for the `golang.org/x/net/context` package, which was already supported under its modern standard-library name `context`.
diff --git a/ql/src/semmle/go/frameworks/stdlib/Context.qll b/ql/src/semmle/go/frameworks/stdlib/Context.qll
index 5930face02c..e68b808d197 100644
--- a/ql/src/semmle/go/frameworks/stdlib/Context.qll
+++ b/ql/src/semmle/go/frameworks/stdlib/Context.qll
@@ -6,25 +6,33 @@ import go /** Provides models of commonly used functions in the `context` package. */ module Context { + /** + * Gets the package name `context` or `golang.org/x/net/context`. + * + * The two packages are identical; before Go 1.7 it was only available + * under `golang.org/x`; as of Go 1.7 it is included in the standard library. + */ + private string packagePath() { result = ["context", "golang.org/x/net/context"] } + private class FunctionModels extends TaintTracking::FunctionModel { FunctionInput inp; FunctionOutput outp; FunctionModels() { // signature: func WithCancel(parent Context) (ctx Context, cancel CancelFunc) - hasQualifiedName("context", "WithCancel") and + hasQualifiedName(packagePath(), "WithCancel") and (inp.isParameter(0) and outp.isResult(0)) or // signature: func WithDeadline(parent Context, d time.Time) (Context, CancelFunc) - hasQualifiedName("context", "WithDeadline") and + hasQualifiedName(packagePath(), "WithDeadline") and (inp.isParameter(0) and outp.isResult(0)) or // signature: func WithTimeout(parent Context, timeout time.Duration) (Context, CancelFunc) - hasQualifiedName("context", "WithTimeout") and + hasQualifiedName(packagePath(), "WithTimeout") and (inp.isParameter(0) and outp.isResult(0)) or // signature: func WithValue(parent Context, key interface{}, val interface{}) Context - hasQualifiedName("context", "WithValue") and + hasQualifiedName(packagePath(), "WithValue") and (inp.isParameter(_) and outp.isResult()) } @@ -39,7 +47,7 @@ module Context { MethodModels() { // signature: func (Context).Value(key interface{}) interface{} - implements("context", "Context", "Value") and + implements(packagePath(), "Context", "Value") and (inp.isReceiver() and outp.isResult()) } diff --git a/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Context.go b/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Context.go index eb7c816d247..5b526f3b8c0 100644 
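Review bot: The module-level QLDoc kept as context at the top of the first hunk still says the models cover only the `context` package, although every `hasQualifiedName(packagePath(), ...)` call and the `implements(packagePath(), "Context", "Value")` call in the second hunk now also match `golang.org/x/net/context`. I would extend that comment to name the legacy import path as well, so that someone auditing taint-tracking coverage can see from the module header that flows through the old package are modelled. The new QLDoc on `packagePath()` says it gets the package "name", but the predicate returns import paths; `Gets the package path` would be the accurate wording. Both class bodies continue outside the hunks.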
--- a/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Context.go +++ b/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Context.go @@ -4,6 +4,7 @@ package main import ( "context" + oldcontext "golang.org/x/net/context" "time" ) 
@@ -49,6 +50,48 @@ func TaintStepTest_ContextContextValue_B0I0O0(sourceCQL interface{}) interface{} return intoInterface584 } +func TaintStepTest_OldContextWithCancel_B0I0O0(sourceCQL interface{}) interface{} { + fromContext656 := sourceCQL.(oldcontext.Context) + intoContext414, _ := oldcontext.WithCancel(fromContext656) + return intoContext414 +} + +func TaintStepTest_OldContextWithDeadline_B0I0O0(sourceCQL interface{}) interface{} { + fromContext518 := sourceCQL.(oldcontext.Context) + intoContext650, _ := oldcontext.WithDeadline(fromContext518, time.Time{}) + return intoContext650 +} + +func TaintStepTest_OldContextWithTimeout_B0I0O0(sourceCQL interface{}) interface{} { + fromContext784 := sourceCQL.(oldcontext.Context) + intoContext957, _ := oldcontext.WithTimeout(fromContext784, 0) + return intoContext957 +} + +func TaintStepTest_OldContextWithValue_B0I0O0(sourceCQL interface{}) interface{} { + fromContext520 := sourceCQL.(oldcontext.Context) + intoContext443 := oldcontext.WithValue(fromContext520, nil, nil) + return intoContext443 +} + +func TaintStepTest_OldContextWithValue_B0I1O0(sourceCQL interface{}) interface{} { + fromInterface127 := sourceCQL.(interface{}) + intoContext483 := oldcontext.WithValue(nil, fromInterface127, nil) + return intoContext483 +} + +func TaintStepTest_OldContextWithValue_B0I2O0(sourceCQL interface{}) interface{} { + fromInterface989 := sourceCQL.(interface{}) + intoContext982 := oldcontext.WithValue(nil, nil, fromInterface989) + return intoContext982 +} + +func TaintStepTest_OldContextContextValue_B0I0O0(sourceCQL interface{}) interface{} { + fromContext417 := sourceCQL.(oldcontext.Context) + intoInterface584 := fromContext417.Value(nil) + return intoInterface584 +} + func RunAllTaints_Context() { { source := newSource(0) 
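Review bot: `TaintStepTest_OldContextContextValue_B0I0O0` asserts to `oldcontext.Context`, which the vendored stub added in this commit declares as its own interface. As far as I know, upstream `golang.org/x/net/context` has aliased `Context` to the standard-library type since Go 1.9, so against the real package this receiver would presumably resolve to `context.Context` and be covered by the existing model. The test therefore seems to exercise the new `implements(packagePath(), "Context", "Value")` branch only for the stubbed, non-alias declaration. A comment above the function would record that, e.g. `// Exercises the distinct Context interface declared by the vendored stub; newer upstream versions alias context.Context.`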
@@ -85,4 +128,39 @@ func RunAllTaints_Context() {
 out := TaintStepTest_ContextContextValue_B0I0O0(source)
 sink(6, out)
 }
+ {
+ source := newSource(7)
+ out := TaintStepTest_OldContextWithCancel_B0I0O0(source)
+ sink(7, out)
+ }
+ {
+ source := newSource(8)
+ out := TaintStepTest_OldContextWithDeadline_B0I0O0(source)
+ sink(8, out)
+ }
+ {
+ source := newSource(9)
+ out := TaintStepTest_OldContextWithTimeout_B0I0O0(source)
+ sink(9, out)
+ }
+ {
+ source := newSource(10)
+ out := TaintStepTest_OldContextWithValue_B0I0O0(source)
+ sink(10, out)
+ }
+ {
+ source := newSource(11)
+ out := TaintStepTest_OldContextWithValue_B0I1O0(source)
+ sink(11, out)
+ }
+ {
+ source := newSource(12)
+ out := TaintStepTest_OldContextWithValue_B0I2O0(source)
+ sink(12, out)
+ }
+ {
+ source := newSource(13)
+ out := TaintStepTest_OldContextContextValue_B0I0O0(source)
+ sink(13, out)
+ }
 }
diff --git a/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/go.mod b/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/go.mod
new file mode 100644
index 00000000000..e3de230e2bf
--- /dev/null
+++ b/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/go.mod
@@ -0,0 +1,7 @@
+module example.com/m
+
+go 1.14
+
+require (
+ golang.org/x/net v0.0.0-20201010224723-4f7140c49acb
+)
diff --git a/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/vendor/golang.org/x/net/context/stub.go b/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/vendor/golang.org/x/net/context/stub.go
new file mode 100644
index 00000000000..de959db0eeb
--- /dev/null
+++ b/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/vendor/golang.org/x/net/context/stub.go
@@ -0,0 +1,36 @@ +// Code generated by depstubber. DO NOT EDIT. +// This is a simple stub for golang.org/x/net/context, strictly for use in testing. + +// See the LICENSE file for information about the licensing of the original library. +// Source: golang.org/x/net/context (exports: Context; functions: WithCancel,WithDeadline,WithTimeout,WithValue) + +// Package context is a stub of golang.org/x/net/context, generated by depstubber. +package context + +import ( + context "context" + time "time" +) + +type Context interface { + Deadline() (time.Time, bool) + Done() <-chan struct{} + Err() error + Value(_ interface{}) interface{} +} + +func WithCancel(_ context.Context) (context.Context, context.CancelFunc) { + return nil, nil +} + +func WithDeadline(_ context.Context, _ time.Time) (context.Context, context.CancelFunc) { + return nil, nil +} + +func WithTimeout(_ context.Context, _ time.Duration) (context.Context, context.CancelFunc) { + return nil, nil +} + +func WithValue(_ context.Context, _ interface{}, _ interface{}) context.Context { + return nil +} diff --git a/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/vendor/modules.txt b/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/vendor/modules.txt new file mode 100644 index 00000000000..fe5007e8ae1 --- /dev/null +++ b/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/vendor/modules.txt @@ -0,0 +1,3 @@ +# golang.org/x/net v0.0.0-20201010224723-4f7140c49acb +## explicit +golang.org/x/net