Add taint models for go 1.19's new fmt.Append functions

2026-04-27 01:35:13 +02:00 · 2022-08-18 18:36:28 +01:00
parent d2055283de
commit 6068f63e9e
3 changed files with 92 additions and 14 deletions
--- a/go/ql/lib/semmle/go/frameworks/stdlib/Fmt.qll
+++ b/go/ql/lib/semmle/go/frameworks/stdlib/Fmt.qll
@@ -6,24 +6,20 @@ import go

 /** Provides models of commonly used functions in the `fmt` package. */
 module Fmt {
-  /** The `Sprint` function or one of its variants. */
-  class Sprinter extends TaintTracking::FunctionModel {
-    Sprinter() {
-      // signature: func Sprint(a ...interface{}) string
-      this.hasQualifiedName("fmt", "Sprint")
-      or
-      // signature: func Sprintf(format string, a ...interface{}) string
-      this.hasQualifiedName("fmt", "Sprintf")
-      or
-      // signature: func Sprintln(a ...interface{}) string
-      this.hasQualifiedName("fmt", "Sprintln")
-    }
+  /** The `Sprint` or `Append` functions or one of their variants. */
+  class AppenderOrSprinter extends TaintTracking::FunctionModel {
+    AppenderOrSprinter() { this.hasQualifiedName("fmt", ["Append", "Sprint"] + ["", "f", "ln"]) }

    override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) {
      inp.isParameter(_) and outp.isResult()
    }
  }

+  /** The `Sprint` function or one of its variants. */
+  class Sprinter extends AppenderOrSprinter {
+    Sprinter() { this.getName().matches("Sprint%") }
+  }
+
  /** The `Print` function or one of its variants. */
  class Printer extends Function {
    Printer() { this.hasQualifiedName("fmt", ["Print", "Printf", "Println"]) }
--- a/go/ql/src/Security/CWE-352/ConstantOauth2State.ql
+++ b/go/ql/src/Security/CWE-352/ConstantOauth2State.ql
@@ -106,7 +106,7 @@ class PrivateUrlFlowsToAuthCodeUrlCall extends DataFlow::Configuration {
    TaintTracking::referenceStep(pred, succ)
    or
    // Propagate across Sprintf and similar calls
-    any(Fmt::Sprinter s).taintStep(pred, succ)
+    any(Fmt::AppenderOrSprinter s).taintStep(pred, succ)
  }

  predicate isSink(DataFlow::Node sink, DataFlow::CallNode call) {
--- a/go/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Fmt.go
+++ b/go/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Fmt.go
@@ -1,4 +1,5 @@
-// Code generated by https://github.com/gagliardetto/codebox. DO NOT EDIT.
+// Code generated by https://github.com/gagliardetto/codebox, with manual additions for
+// go 1.19's new Append[f, ln] functions.

 package main

@@ -99,6 +100,52 @@ func TaintStepTest_FmtSprintln_B0I0O0(sourceCQL interface{}) interface{} {
 	return intoString631
 }

+func TaintStepTest_FmtAppend_B0I0O0(sourceCQL interface{}) interface{} {
+	fromInterface494 := sourceCQL.(interface{})
+	buf := make([]byte, 4)
+	intoString873 := fmt.Append(buf, fromInterface494)
+	return intoString873
+}
+
+func TaintStepTest_FmtAppendf_B0I0O0(sourceCQL interface{}) interface{} {
+	fromString599 := sourceCQL.(string)
+	buf := make([]byte, 4)
+	intoString409 := fmt.Appendf(buf, fromString599, nil)
+	return intoString409
+}
+
+func TaintStepTest_FmtAppendf_B0I1O0(sourceCQL interface{}) interface{} {
+	fromInterface246 := sourceCQL.(interface{})
+	buf := make([]byte, 4)
+	intoString898 := fmt.Appendf(buf, "", fromInterface246)
+	return intoString898
+}
+
+func TaintStepTest_FmtAppendln_B0I0O0(sourceCQL interface{}) interface{} {
+	fromInterface598 := sourceCQL.([]byte)
+	intoString631 := fmt.Appendln(fromInterface598, "clean")
+	return intoString631
+}
+
+func TaintStepTest_FmtAppend_B0I0O0_buftest(sourceCQL interface{}) interface{} {
+	fromInterface494 := sourceCQL.([]byte)
+	intoString873 := fmt.Append(fromInterface494, "clean")
+	return intoString873
+}
+
+func TaintStepTest_FmtAppendf_B0I0O0_buftest(sourceCQL interface{}) interface{} {
+	fromString599 := sourceCQL.([]byte)
+	intoString409 := fmt.Appendf(fromString599, "%p", nil)
+	return intoString409
+}
+
+func TaintStepTest_FmtAppendln_B0I0O0_buftest(sourceCQL interface{}) interface{} {
+	fromInterface598 := sourceCQL.(interface{})
+	buf := make([]byte, 4)
+	intoString631 := fmt.Appendln(buf, fromInterface598)
+	return intoString631
+}
+
 func TaintStepTest_FmtSscan_B0I0O0(sourceCQL interface{}) interface{} {
 	fromString165 := sourceCQL.(string)
 	var intoInterface150 interface{}
@@ -275,4 +322,39 @@ func RunAllTaints_Fmt() {
 		out := TaintStepTest_FmtStateWrite_B0I0O0(source)
 		sink(22, out)
 	}
+	{
+		source := newSource(23)
+		out := TaintStepTest_FmtAppend_B0I0O0(source)
+		sink(23, out)
+	}
+	{
+		source := newSource(24)
+		out := TaintStepTest_FmtAppendf_B0I0O0(source)
+		sink(24, out)
+	}
+	{
+		source := newSource(25)
+		out := TaintStepTest_FmtAppendf_B0I1O0(source)
+		sink(25, out)
+	}
+	{
+		source := newSource(26)
+		out := TaintStepTest_FmtAppendln_B0I0O0(source)
+		sink(26, out)
+	}
+	{
+		source := newSource(27)
+		out := TaintStepTest_FmtAppend_B0I0O0_buftest(source)
+		sink(27, out)
+	}
+	{
+		source := newSource(28)
+		out := TaintStepTest_FmtAppendf_B0I0O0_buftest(source)
+		sink(28, out)
+	}
+	{
+		source := newSource(29)
+		out := TaintStepTest_FmtAppendln_B0I0O0_buftest(source)
+		sink(29, out)
+	}
 }