Merge branch 'standard-lib-pt-4' into stdlib-339-340-342-346-347

2026-01-30 06:42:57 +01:00 · 2020-09-22 18:43:30 +02:00
parent 315514085f dedeb7bbf1
commit 61a0cfa06a
7 changed files with 559 additions and 0 deletions
--- a/ql/src/semmle/go/frameworks/Stdlib.qll
+++ b/ql/src/semmle/go/frameworks/Stdlib.qll
@@ -13,6 +13,9 @@ import semmle.go.frameworks.stdlib.CompressGzip
 import semmle.go.frameworks.stdlib.CompressLzw
 import semmle.go.frameworks.stdlib.CompressZlib
 import semmle.go.frameworks.stdlib.Fmt
+import semmle.go.frameworks.stdlib.ContainerHeap
+import semmle.go.frameworks.stdlib.ContainerList
+import semmle.go.frameworks.stdlib.ContainerRing
 import semmle.go.frameworks.stdlib.Mime
 import semmle.go.frameworks.stdlib.MimeMultipart
 import semmle.go.frameworks.stdlib.MimeQuotedprintable
--- a/ql/src/semmle/go/frameworks/stdlib/ContainerHeap.qll
+++ b/ql/src/semmle/go/frameworks/stdlib/ContainerHeap.qll
@@ -0,0 +1,50 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `container/heap` package.
+ */
+
+import go
+
+/** Provides models of commonly used functions in the `container/heap` package. */
+module ContainerHeap {
+  private class FunctionModels extends TaintTracking::FunctionModel {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    FunctionModels() {
+      // signature: func Pop(h Interface) interface{}
+      hasQualifiedName("container/heap", "Pop") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func Push(h Interface, x interface{})
+      hasQualifiedName("container/heap", "Push") and
+      (inp.isParameter(1) and outp.isParameter(0))
+      or
+      // signature: func Remove(h Interface, i int) interface{}
+      hasQualifiedName("container/heap", "Remove") and
+      (inp.isParameter(0) and outp.isResult())
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+
+  private class MethodModels extends TaintTracking::FunctionModel, Method {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    MethodModels() {
+      // signature: func (Interface).Pop() interface{}
+      this.implements("container/heap", "Interface", "Pop") and
+      (inp.isReceiver() and outp.isResult())
+      or
+      // signature: func (Interface).Push(x interface{})
+      this.implements("container/heap", "Interface", "Push") and
+      (inp.isParameter(0) and outp.isReceiver())
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+}
--- a/ql/src/semmle/go/frameworks/stdlib/ContainerList.qll
+++ b/ql/src/semmle/go/frameworks/stdlib/ContainerList.qll
@@ -0,0 +1,95 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `container/list` package.
+ */
+
+import go
+
+/** Provides models of commonly used functions in the `container/list` package. */
+module ContainerList {
+  private class MethodModels extends TaintTracking::FunctionModel, Method {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    MethodModels() {
+      // signature: func (*Element).Next() *Element
+      this.hasQualifiedName("container/list", "Element", "Next") and
+      (inp.isReceiver() and outp.isResult())
+      or
+      // signature: func (*Element).Prev() *Element
+      this.hasQualifiedName("container/list", "Element", "Prev") and
+      (inp.isReceiver() and outp.isResult())
+      or
+      // signature: func (*List).Back() *Element
+      this.hasQualifiedName("container/list", "List", "Back") and
+      (inp.isReceiver() and outp.isResult())
+      or
+      // signature: func (*List).Front() *Element
+      this.hasQualifiedName("container/list", "List", "Front") and
+      (inp.isReceiver() and outp.isResult())
+      or
+      // signature: func (*List).Init() *List
+      this.hasQualifiedName("container/list", "List", "Init") and
+      (inp.isReceiver() and outp.isResult())
+      or
+      // signature: func (*List).InsertAfter(v interface{}, mark *Element) *Element
+      this.hasQualifiedName("container/list", "List", "InsertAfter") and
+      (
+        inp.isParameter(0) and
+        (outp.isReceiver() or outp.isResult())
+      )
+      or
+      // signature: func (*List).InsertBefore(v interface{}, mark *Element) *Element
+      this.hasQualifiedName("container/list", "List", "InsertBefore") and
+      (
+        inp.isParameter(0) and
+        (outp.isReceiver() or outp.isResult())
+      )
+      or
+      // signature: func (*List).MoveAfter(e *Element, mark *Element)
+      this.hasQualifiedName("container/list", "List", "MoveAfter") and
+      (inp.isParameter(0) and outp.isReceiver())
+      or
+      // signature: func (*List).MoveBefore(e *Element, mark *Element)
+      this.hasQualifiedName("container/list", "List", "MoveBefore") and
+      (inp.isParameter(0) and outp.isReceiver())
+      or
+      // signature: func (*List).MoveToBack(e *Element)
+      this.hasQualifiedName("container/list", "List", "MoveToBack") and
+      (inp.isParameter(0) and outp.isReceiver())
+      or
+      // signature: func (*List).MoveToFront(e *Element)
+      this.hasQualifiedName("container/list", "List", "MoveToFront") and
+      (inp.isParameter(0) and outp.isReceiver())
+      or
+      // signature: func (*List).PushBack(v interface{}) *Element
+      this.hasQualifiedName("container/list", "List", "PushBack") and
+      (
+        inp.isParameter(0) and
+        (outp.isReceiver() or outp.isResult())
+      )
+      or
+      // signature: func (*List).PushBackList(other *List)
+      this.hasQualifiedName("container/list", "List", "PushBackList") and
+      (inp.isParameter(0) and outp.isReceiver())
+      or
+      // signature: func (*List).PushFront(v interface{}) *Element
+      this.hasQualifiedName("container/list", "List", "PushFront") and
+      (
+        inp.isParameter(0) and
+        (outp.isReceiver() or outp.isResult())
+      )
+      or
+      // signature: func (*List).PushFrontList(other *List)
+      this.hasQualifiedName("container/list", "List", "PushFrontList") and
+      (inp.isParameter(0) and outp.isReceiver())
+      or
+      // signature: func (*List).Remove(e *Element) interface{}
+      this.hasQualifiedName("container/list", "List", "Remove") and
+      (inp.isParameter(0) and outp.isResult())
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+}
--- a/ql/src/semmle/go/frameworks/stdlib/ContainerRing.qll
+++ b/ql/src/semmle/go/frameworks/stdlib/ContainerRing.qll
@@ -0,0 +1,39 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `container/ring` package.
+ */
+
+import go
+
+/** Provides models of commonly used functions in the `container/ring` package. */
+module ContainerRing {
+  private class MethodModels extends TaintTracking::FunctionModel, Method {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    MethodModels() {
+      // signature: func (*Ring).Link(s *Ring) *Ring
+      this.hasQualifiedName("container/ring", "Ring", "Link") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func (*Ring).Move(n int) *Ring
+      this.hasQualifiedName("container/ring", "Ring", "Move") and
+      (inp.isReceiver() and outp.isResult())
+      or
+      // signature: func (*Ring).Next() *Ring
+      this.hasQualifiedName("container/ring", "Ring", "Next") and
+      (inp.isReceiver() and outp.isResult())
+      or
+      // signature: func (*Ring).Prev() *Ring
+      this.hasQualifiedName("container/ring", "Ring", "Prev") and
+      (inp.isReceiver() and outp.isResult())
+      or
+      // signature: func (*Ring).Unlink(n int) *Ring
+      this.hasQualifiedName("container/ring", "Ring", "Unlink") and
+      (inp.isReceiver() and outp.isResult())
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+}
--- a/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/ContainerHeap.go
+++ b/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/ContainerHeap.go
@@ -0,0 +1,65 @@
+// Code generated by https://github.com/gagliardetto/codebox. DO NOT EDIT.
+
+package main
+
+import "container/heap"
+
+func TaintStepTest_ContainerHeapPop_B0I0O0(sourceCQL interface{}) interface{} {
+	fromInterface656 := sourceCQL.(heap.Interface)
+	intoInterface414 := heap.Pop(fromInterface656)
+	return intoInterface414
+}
+
+func TaintStepTest_ContainerHeapPush_B0I0O0(sourceCQL interface{}) interface{} {
+	fromInterface518 := sourceCQL.(interface{})
+	var intoInterface650 heap.Interface
+	heap.Push(intoInterface650, fromInterface518)
+	return intoInterface650
+}
+
+func TaintStepTest_ContainerHeapRemove_B0I0O0(sourceCQL interface{}) interface{} {
+	fromInterface784 := sourceCQL.(heap.Interface)
+	intoInterface957 := heap.Remove(fromInterface784, 0)
+	return intoInterface957
+}
+
+func TaintStepTest_ContainerHeapInterfacePop_B0I0O0(sourceCQL interface{}) interface{} {
+	fromInterface520 := sourceCQL.(heap.Interface)
+	intoInterface443 := fromInterface520.Pop()
+	return intoInterface443
+}
+
+func TaintStepTest_ContainerHeapInterfacePush_B0I0O0(sourceCQL interface{}) interface{} {
+	fromInterface127 := sourceCQL.(interface{})
+	var intoInterface483 heap.Interface
+	intoInterface483.Push(fromInterface127)
+	return intoInterface483
+}
+
+func RunAllTaints_ContainerHeap() {
+	{
+		source := newSource(0)
+		out := TaintStepTest_ContainerHeapPop_B0I0O0(source)
+		sink(0, out)
+	}
+	{
+		source := newSource(1)
+		out := TaintStepTest_ContainerHeapPush_B0I0O0(source)
+		sink(1, out)
+	}
+	{
+		source := newSource(2)
+		out := TaintStepTest_ContainerHeapRemove_B0I0O0(source)
+		sink(2, out)
+	}
+	{
+		source := newSource(3)
+		out := TaintStepTest_ContainerHeapInterfacePop_B0I0O0(source)
+		sink(3, out)
+	}
+	{
+		source := newSource(4)
+		out := TaintStepTest_ContainerHeapInterfacePush_B0I0O0(source)
+		sink(4, out)
+	}
+}
--- a/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/ContainerList.go
+++ b/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/ContainerList.go
@@ -0,0 +1,243 @@
+// Code generated by https://github.com/gagliardetto/codebox. DO NOT EDIT.
+
+package main
+
+import "container/list"
+
+func TaintStepTest_ContainerListElementNext_B0I0O0(sourceCQL interface{}) interface{} {
+	fromElement656 := sourceCQL.(list.Element)
+	intoElement414 := fromElement656.Next()
+	return intoElement414
+}
+
+func TaintStepTest_ContainerListElementPrev_B0I0O0(sourceCQL interface{}) interface{} {
+	fromElement518 := sourceCQL.(list.Element)
+	intoElement650 := fromElement518.Prev()
+	return intoElement650
+}
+
+func TaintStepTest_ContainerListListBack_B0I0O0(sourceCQL interface{}) interface{} {
+	fromList784 := sourceCQL.(list.List)
+	intoElement957 := fromList784.Back()
+	return intoElement957
+}
+
+func TaintStepTest_ContainerListListFront_B0I0O0(sourceCQL interface{}) interface{} {
+	fromList520 := sourceCQL.(list.List)
+	intoElement443 := fromList520.Front()
+	return intoElement443
+}
+
+func TaintStepTest_ContainerListListInit_B0I0O0(sourceCQL interface{}) interface{} {
+	fromList127 := sourceCQL.(list.List)
+	intoList483 := fromList127.Init()
+	return intoList483
+}
+
+func TaintStepTest_ContainerListListInsertAfter_B0I0O0(sourceCQL interface{}) interface{} {
+	fromInterface989 := sourceCQL.(interface{})
+	var intoList982 list.List
+	intoList982.InsertAfter(fromInterface989, nil)
+	return intoList982
+}
+
+func TaintStepTest_ContainerListListInsertAfter_B0I0O1(sourceCQL interface{}) interface{} {
+	fromInterface417 := sourceCQL.(interface{})
+	var mediumObjCQL list.List
+	intoElement584 := mediumObjCQL.InsertAfter(fromInterface417, nil)
+	return intoElement584
+}
+
+func TaintStepTest_ContainerListListInsertBefore_B0I0O0(sourceCQL interface{}) interface{} {
+	fromInterface991 := sourceCQL.(interface{})
+	var intoList881 list.List
+	intoList881.InsertBefore(fromInterface991, nil)
+	return intoList881
+}
+
+func TaintStepTest_ContainerListListInsertBefore_B0I0O1(sourceCQL interface{}) interface{} {
+	fromInterface186 := sourceCQL.(interface{})
+	var mediumObjCQL list.List
+	intoElement284 := mediumObjCQL.InsertBefore(fromInterface186, nil)
+	return intoElement284
+}
+
+func TaintStepTest_ContainerListListMoveAfter_B0I0O0(sourceCQL interface{}) interface{} {
+	fromElement908 := sourceCQL.(*list.Element)
+	var intoList137 list.List
+	intoList137.MoveAfter(fromElement908, nil)
+	return intoList137
+}
+
+func TaintStepTest_ContainerListListMoveBefore_B0I0O0(sourceCQL interface{}) interface{} {
+	fromElement494 := sourceCQL.(*list.Element)
+	var intoList873 list.List
+	intoList873.MoveBefore(fromElement494, nil)
+	return intoList873
+}
+
+func TaintStepTest_ContainerListListMoveToBack_B0I0O0(sourceCQL interface{}) interface{} {
+	fromElement599 := sourceCQL.(*list.Element)
+	var intoList409 list.List
+	intoList409.MoveToBack(fromElement599)
+	return intoList409
+}
+
+func TaintStepTest_ContainerListListMoveToFront_B0I0O0(sourceCQL interface{}) interface{} {
+	fromElement246 := sourceCQL.(*list.Element)
+	var intoList898 list.List
+	intoList898.MoveToFront(fromElement246)
+	return intoList898
+}
+
+func TaintStepTest_ContainerListListPushBack_B0I0O0(sourceCQL interface{}) interface{} {
+	fromInterface598 := sourceCQL.(interface{})
+	var intoList631 list.List
+	intoList631.PushBack(fromInterface598)
+	return intoList631
+}
+
+func TaintStepTest_ContainerListListPushBack_B0I0O1(sourceCQL interface{}) interface{} {
+	fromInterface165 := sourceCQL.(interface{})
+	var mediumObjCQL list.List
+	intoElement150 := mediumObjCQL.PushBack(fromInterface165)
+	return intoElement150
+}
+
+func TaintStepTest_ContainerListListPushBackList_B0I0O0(sourceCQL interface{}) interface{} {
+	fromList340 := sourceCQL.(*list.List)
+	var intoList471 list.List
+	intoList471.PushBackList(fromList340)
+	return intoList471
+}
+
+func TaintStepTest_ContainerListListPushFront_B0I0O0(sourceCQL interface{}) interface{} {
+	fromInterface290 := sourceCQL.(interface{})
+	var intoList758 list.List
+	intoList758.PushFront(fromInterface290)
+	return intoList758
+}
+
+func TaintStepTest_ContainerListListPushFront_B0I0O1(sourceCQL interface{}) interface{} {
+	fromInterface396 := sourceCQL.(interface{})
+	var mediumObjCQL list.List
+	intoElement707 := mediumObjCQL.PushFront(fromInterface396)
+	return intoElement707
+}
+
+func TaintStepTest_ContainerListListPushFrontList_B0I0O0(sourceCQL interface{}) interface{} {
+	fromList912 := sourceCQL.(*list.List)
+	var intoList718 list.List
+	intoList718.PushFrontList(fromList912)
+	return intoList718
+}
+
+func TaintStepTest_ContainerListListRemove_B0I0O0(sourceCQL interface{}) interface{} {
+	fromElement972 := sourceCQL.(*list.Element)
+	var mediumObjCQL list.List
+	intoInterface633 := mediumObjCQL.Remove(fromElement972)
+	return intoInterface633
+}
+
+func RunAllTaints_ContainerList() {
+	{
+		source := newSource(0)
+		out := TaintStepTest_ContainerListElementNext_B0I0O0(source)
+		sink(0, out)
+	}
+	{
+		source := newSource(1)
+		out := TaintStepTest_ContainerListElementPrev_B0I0O0(source)
+		sink(1, out)
+	}
+	{
+		source := newSource(2)
+		out := TaintStepTest_ContainerListListBack_B0I0O0(source)
+		sink(2, out)
+	}
+	{
+		source := newSource(3)
+		out := TaintStepTest_ContainerListListFront_B0I0O0(source)
+		sink(3, out)
+	}
+	{
+		source := newSource(4)
+		out := TaintStepTest_ContainerListListInit_B0I0O0(source)
+		sink(4, out)
+	}
+	{
+		source := newSource(5)
+		out := TaintStepTest_ContainerListListInsertAfter_B0I0O0(source)
+		sink(5, out)
+	}
+	{
+		source := newSource(6)
+		out := TaintStepTest_ContainerListListInsertAfter_B0I0O1(source)
+		sink(6, out)
+	}
+	{
+		source := newSource(7)
+		out := TaintStepTest_ContainerListListInsertBefore_B0I0O0(source)
+		sink(7, out)
+	}
+	{
+		source := newSource(8)
+		out := TaintStepTest_ContainerListListInsertBefore_B0I0O1(source)
+		sink(8, out)
+	}
+	{
+		source := newSource(9)
+		out := TaintStepTest_ContainerListListMoveAfter_B0I0O0(source)
+		sink(9, out)
+	}
+	{
+		source := newSource(10)
+		out := TaintStepTest_ContainerListListMoveBefore_B0I0O0(source)
+		sink(10, out)
+	}
+	{
+		source := newSource(11)
+		out := TaintStepTest_ContainerListListMoveToBack_B0I0O0(source)
+		sink(11, out)
+	}
+	{
+		source := newSource(12)
+		out := TaintStepTest_ContainerListListMoveToFront_B0I0O0(source)
+		sink(12, out)
+	}
+	{
+		source := newSource(13)
+		out := TaintStepTest_ContainerListListPushBack_B0I0O0(source)
+		sink(13, out)
+	}
+	{
+		source := newSource(14)
+		out := TaintStepTest_ContainerListListPushBack_B0I0O1(source)
+		sink(14, out)
+	}
+	{
+		source := newSource(15)
+		out := TaintStepTest_ContainerListListPushBackList_B0I0O0(source)
+		sink(15, out)
+	}
+	{
+		source := newSource(16)
+		out := TaintStepTest_ContainerListListPushFront_B0I0O0(source)
+		sink(16, out)
+	}
+	{
+		source := newSource(17)
+		out := TaintStepTest_ContainerListListPushFront_B0I0O1(source)
+		sink(17, out)
+	}
+	{
+		source := newSource(18)
+		out := TaintStepTest_ContainerListListPushFrontList_B0I0O0(source)
+		sink(18, out)
+	}
+	{
+		source := newSource(19)
+		out := TaintStepTest_ContainerListListRemove_B0I0O0(source)
+		sink(19, out)
+	}
+}
--- a/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/ContainerRing.go
+++ b/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/ContainerRing.go
@@ -0,0 +1,64 @@
+// Code generated by https://github.com/gagliardetto/codebox. DO NOT EDIT.
+
+package main
+
+import "container/ring"
+
+func TaintStepTest_ContainerRingRingLink_B0I0O0(sourceCQL interface{}) interface{} {
+	fromRing656 := sourceCQL.(*ring.Ring)
+	var mediumObjCQL ring.Ring
+	intoRing414 := mediumObjCQL.Link(fromRing656)
+	return intoRing414
+}
+
+func TaintStepTest_ContainerRingRingMove_B0I0O0(sourceCQL interface{}) interface{} {
+	fromRing518 := sourceCQL.(ring.Ring)
+	intoRing650 := fromRing518.Move(0)
+	return intoRing650
+}
+
+func TaintStepTest_ContainerRingRingNext_B0I0O0(sourceCQL interface{}) interface{} {
+	fromRing784 := sourceCQL.(ring.Ring)
+	intoRing957 := fromRing784.Next()
+	return intoRing957
+}
+
+func TaintStepTest_ContainerRingRingPrev_B0I0O0(sourceCQL interface{}) interface{} {
+	fromRing520 := sourceCQL.(ring.Ring)
+	intoRing443 := fromRing520.Prev()
+	return intoRing443
+}
+
+func TaintStepTest_ContainerRingRingUnlink_B0I0O0(sourceCQL interface{}) interface{} {
+	fromRing127 := sourceCQL.(ring.Ring)
+	intoRing483 := fromRing127.Unlink(0)
+	return intoRing483
+}
+
+func RunAllTaints_ContainerRing() {
+	{
+		source := newSource(0)
+		out := TaintStepTest_ContainerRingRingLink_B0I0O0(source)
+		sink(0, out)
+	}
+	{
+		source := newSource(1)
+		out := TaintStepTest_ContainerRingRingMove_B0I0O0(source)
+		sink(1, out)
+	}
+	{
+		source := newSource(2)
+		out := TaintStepTest_ContainerRingRingNext_B0I0O0(source)
+		sink(2, out)
+	}
+	{
+		source := newSource(3)
+		out := TaintStepTest_ContainerRingRingPrev_B0I0O0(source)
+		sink(3, out)
+	}
+	{
+		source := newSource(4)
+		out := TaintStepTest_ContainerRingRingUnlink_B0I0O0(source)
+		sink(4, out)
+	}
+}