Add taint-tracking for text/scanner package.

2026-01-30 14:52:57 +01:00 · 2020-09-06 17:21:06 +02:00
parent 25e4245568
commit 4df363d2ce
3 changed files with 77 additions and 0 deletions
--- a/ql/src/semmle/go/frameworks/Stdlib.qll
+++ b/ql/src/semmle/go/frameworks/Stdlib.qll
@@ -14,6 +14,7 @@ import semmle.go.frameworks.stdlib.CompressLzw
 import semmle.go.frameworks.stdlib.CompressZlib
 import semmle.go.frameworks.stdlib.Path
 import semmle.go.frameworks.stdlib.PathFilepath
+import semmle.go.frameworks.stdlib.TextScanner

 /** A `String()` method. */
 class StringMethod extends TaintTracking::FunctionModel, Method {
--- a/ql/src/semmle/go/frameworks/stdlib/TextScanner.qll
+++ b/ql/src/semmle/go/frameworks/stdlib/TextScanner.qll
@@ -0,0 +1,30 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `text/scanner` package.
+ */
+
+import go
+
+/** Provides models of commonly used functions in the `text/scanner` package. */
+module TextScanner {
+  private class MethodModels extends TaintTracking::FunctionModel, Method {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    MethodModels() {
+      // signature: func (*Scanner).Init(src io.Reader) *Scanner
+      this.hasQualifiedName("text/scanner", "Scanner", "Init") and
+      (
+        inp.isParameter(0) and
+        (outp.isReceiver() or outp.isResult())
+      )
+      or
+      // signature: func (*Scanner).TokenText() string
+      this.hasQualifiedName("text/scanner", "Scanner", "TokenText") and
+      (inp.isReceiver() and outp.isResult())
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+}
--- a/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/TextScanner.go
+++ b/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/TextScanner.go
@@ -0,0 +1,46 @@
+// Code generated by https://github.com/gagliardetto/codebox. DO NOT EDIT.
+
+package main
+
+import (
+	"io"
+	"text/scanner"
+)
+
+func TaintStepTest_TextScannerScannerInit_B0I0O0(sourceCQL interface{}) interface{} {
+	fromReader656 := sourceCQL.(io.Reader)
+	var intoScanner414 scanner.Scanner
+	intoScanner414.Init(fromReader656)
+	return intoScanner414
+}
+
+func TaintStepTest_TextScannerScannerInit_B0I0O1(sourceCQL interface{}) interface{} {
+	fromReader518 := sourceCQL.(io.Reader)
+	var mediumObjCQL scanner.Scanner
+	intoScanner650 := mediumObjCQL.Init(fromReader518)
+	return intoScanner650
+}
+
+func TaintStepTest_TextScannerScannerTokenText_B0I0O0(sourceCQL interface{}) interface{} {
+	fromScanner784 := sourceCQL.(scanner.Scanner)
+	intoString957 := fromScanner784.TokenText()
+	return intoString957
+}
+
+func RunAllTaints_TextScanner() {
+	{
+		source := newSource(0)
+		out := TaintStepTest_TextScannerScannerInit_B0I0O0(source)
+		sink(0, out)
+	}
+	{
+		source := newSource(1)
+		out := TaintStepTest_TextScannerScannerInit_B0I0O1(source)
+		sink(1, out)
+	}
+	{
+		source := newSource(2)
+		out := TaintStepTest_TextScannerScannerTokenText_B0I0O0(source)
+		sink(2, out)
+	}
+}