From 4df363d2ce32f4ac22c256ab2caed481d43bad25 Mon Sep 17 00:00:00 2001
From: Slavomir
Date: Sun, 6 Sep 2020 17:21:06 +0200
Subject: [PATCH] Add taint-tracking for `text/scanner` package.

---
 ql/src/semmle/go/frameworks/Stdlib.qll | 1 +
 .../go/frameworks/stdlib/TextScanner.qll | 30 ++++++++++++
 .../frameworks/StdlibTaintFlow/TextScanner.go | 46 +++++++++++++++++++
 3 files changed, 77 insertions(+)
 create mode 100644 ql/src/semmle/go/frameworks/stdlib/TextScanner.qll
 create mode 100644 ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/TextScanner.go

diff --git a/ql/src/semmle/go/frameworks/Stdlib.qll b/ql/src/semmle/go/frameworks/Stdlib.qll
index 919cb1b14ce..d1870d37660 100644
--- a/ql/src/semmle/go/frameworks/Stdlib.qll
+++ b/ql/src/semmle/go/frameworks/Stdlib.qll
@@ -14,6 +14,7 @@ import semmle.go.frameworks.stdlib.CompressLzw
 import semmle.go.frameworks.stdlib.CompressZlib
 import semmle.go.frameworks.stdlib.Path
 import semmle.go.frameworks.stdlib.PathFilepath
+import semmle.go.frameworks.stdlib.TextScanner
 
 /** A `String()` method. */
 class StringMethod extends TaintTracking::FunctionModel, Method {
diff --git a/ql/src/semmle/go/frameworks/stdlib/TextScanner.qll b/ql/src/semmle/go/frameworks/stdlib/TextScanner.qll
new file mode 100644
index 00000000000..b3e1e995186
--- /dev/null
+++ b/ql/src/semmle/go/frameworks/stdlib/TextScanner.qll
@@ -0,0 +1,30 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `text/scanner` package.
+ */
+
+import go
+
+/** Provides models of commonly used functions in the `text/scanner` package. */
+module TextScanner {
+  private class MethodModels extends TaintTracking::FunctionModel, Method {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    MethodModels() {
+      // signature: func (*Scanner).Init(src io.Reader) *Scanner
+      this.hasQualifiedName("text/scanner", "Scanner", "Init") and
+      (
+        inp.isParameter(0) and
+        (outp.isReceiver() or outp.isResult())
+      )
+      or
+      // signature: func (*Scanner).TokenText() string
+      this.hasQualifiedName("text/scanner", "Scanner", "TokenText") and
+      (inp.isReceiver() and outp.isResult())
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+}
diff --git a/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/TextScanner.go b/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/TextScanner.go
new file mode 100644
index 00000000000..875bc8e885e
--- /dev/null
+++ b/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/TextScanner.go
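Review bot: The `MethodModels` characteristic predicate in TextScanner.qll models only `Init` and `TokenText`, so the runes that `Scanner.Next()` and `Scanner.Peek()` return from the same tainted `src` are not propagated, and any consumer that reads the input character by character instead of through `TokenText()` loses the flow. If runes pulled from a tainted reader are treated as tainted elsewhere in the stdlib models (I believe the `bufio` models do this, but that cannot be confirmed from this patch), the two receiver-to-result steps below keep this model consistent with them; `Scan()` is left out because it primarily yields a token class rather than the input text. The generated test file is marked DO NOT EDIT, so the matching `TaintStepTest_*` cases would need to be regenerated rather than added by hand.
```ql
    MethodModels() {
      // … unchanged: Init and TokenText disjuncts …
      or
      // signature: func (*Scanner).Next() rune
      this.hasQualifiedName("text/scanner", "Scanner", "Next") and
      (inp.isReceiver() and outp.isResult())
      or
      // signature: func (*Scanner).Peek() rune
      this.hasQualifiedName("text/scanner", "Scanner", "Peek") and
      (inp.isReceiver() and outp.isResult())
```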
@@ -0,0 +1,46 @@
+// Code generated by https://github.com/gagliardetto/codebox. DO NOT EDIT.
+
+package main
+
+import (
+	"io"
+	"text/scanner"
+)
+
+func TaintStepTest_TextScannerScannerInit_B0I0O0(sourceCQL interface{}) interface{} {
+	fromReader656 := sourceCQL.(io.Reader)
+	var intoScanner414 scanner.Scanner
+	intoScanner414.Init(fromReader656)
+	return intoScanner414
+}
+
+func TaintStepTest_TextScannerScannerInit_B0I0O1(sourceCQL interface{}) interface{} {
+	fromReader518 := sourceCQL.(io.Reader)
+	var mediumObjCQL scanner.Scanner
+	intoScanner650 := mediumObjCQL.Init(fromReader518)
+	return intoScanner650
+}
+
+func TaintStepTest_TextScannerScannerTokenText_B0I0O0(sourceCQL interface{}) interface{} {
+	fromScanner784 := sourceCQL.(scanner.Scanner)
+	intoString957 := fromScanner784.TokenText()
+	return intoString957
+}
+
+func RunAllTaints_TextScanner() {
+	{
+		source := newSource(0)
+		out := TaintStepTest_TextScannerScannerInit_B0I0O0(source)
+		sink(0, out)
+	}
+	{
+		source := newSource(1)
+		out := TaintStepTest_TextScannerScannerInit_B0I0O1(source)
+		sink(1, out)
+	}
+	{
+		source := newSource(2)
+		out := TaintStepTest_TextScannerScannerTokenText_B0I0O0(source)
+		sink(2, out)
+	}
+}