Add taint-tracking for syscall

ql/src/semmle/go/frameworks/Stdlib.qll

@@ -20,6 +20,7 @@ import semmle.go.frameworks.stdlib.PathFilepath
 import semmle.go.frameworks.stdlib.Reflect
 import semmle.go.frameworks.stdlib.Strconv
 import semmle.go.frameworks.stdlib.Strings
+import semmle.go.frameworks.stdlib.Syscall
 import semmle.go.frameworks.stdlib.TextScanner
 import semmle.go.frameworks.stdlib.TextTabwriter
 import semmle.go.frameworks.stdlib.TextTemplate

ql/src/semmle/go/frameworks/stdlib/Syscall.qll

@@ -0,0 +1,66 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `syscall` package.
+ */
+
+import go
+
+/** Provides models of commonly used functions in the `syscall` package. */
+module Syscall {
+  private class FunctionModels extends TaintTracking::FunctionModel {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    FunctionModels() {
+      // signature: func BytePtrFromString(s string) (*byte, error)
+      hasQualifiedName("syscall", "BytePtrFromString") and
+      (inp.isParameter(0) and outp.isResult(0))
+      or
+      // signature: func ByteSliceFromString(s string) ([]byte, error)
+      hasQualifiedName("syscall", "ByteSliceFromString") and
+      (inp.isParameter(0) and outp.isResult(0))
+      or
+      // signature: func StringBytePtr(s string) *byte
+      hasQualifiedName("syscall", "StringBytePtr") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func StringByteSlice(s string) []byte
+      hasQualifiedName("syscall", "StringByteSlice") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func StringSlicePtr(ss []string) []*byte
+      hasQualifiedName("syscall", "StringSlicePtr") and
+      (inp.isParameter(0) and outp.isResult())
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+
+  private class MethodModels extends TaintTracking::FunctionModel, Method {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    MethodModels() {
+      // signature: func (RawConn).Read(f func(fd uintptr) (done bool)) error
+      this.implements("syscall", "RawConn", "Read") and
+      (inp.isReceiver() and outp.isParameter(0))
+      or
+      // signature: func (Conn).SyscallConn() (RawConn, error)
+      this.implements("syscall", "Conn", "SyscallConn") and
+      (
+        inp.isReceiver() and outp.isResult(0)
+        or
+        inp.isResult(0) and outp.isReceiver()
+      )
+      or
+      // signature: func (RawConn).Write(f func(fd uintptr) (done bool)) error
+      this.implements("syscall", "RawConn", "Write") and
+      (inp.isParameter(0) and outp.isReceiver())
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+}

ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Syscall.go

@@ -0,0 +1,111 @@
+// Code generated by https://github.com/gagliardetto/codebox. DO NOT EDIT.
+
+package main
+
+import "syscall"
+
+func TaintStepTest_SyscallBytePtrFromString_B0I0O0(sourceCQL interface{}) interface{} {
+	fromString656 := sourceCQL.(string)
+	intoByte414, _ := syscall.BytePtrFromString(fromString656)
+	return intoByte414
+}
+
+func TaintStepTest_SyscallByteSliceFromString_B0I0O0(sourceCQL interface{}) interface{} {
+	fromString518 := sourceCQL.(string)
+	intoByte650, _ := syscall.ByteSliceFromString(fromString518)
+	return intoByte650
+}
+
+func TaintStepTest_SyscallStringBytePtr_B0I0O0(sourceCQL interface{}) interface{} {
+	fromString784 := sourceCQL.(string)
+	intoByte957 := syscall.StringBytePtr(fromString784)
+	return intoByte957
+}
+
+func TaintStepTest_SyscallStringByteSlice_B0I0O0(sourceCQL interface{}) interface{} {
+	fromString520 := sourceCQL.(string)
+	intoByte443 := syscall.StringByteSlice(fromString520)
+	return intoByte443
+}
+
+func TaintStepTest_SyscallStringSlicePtr_B0I0O0(sourceCQL interface{}) interface{} {
+	fromString127 := sourceCQL.([]string)
+	intoByte483 := syscall.StringSlicePtr(fromString127)
+	return intoByte483
+}
+
+func TaintStepTest_SyscallRawConnRead_B0I0O0(sourceCQL interface{}) interface{} {
+	fromRawConn989 := sourceCQL.(syscall.RawConn)
+	var intoFuncfdUintptrdoneBool982 func(uintptr) bool
+	fromRawConn989.Read(intoFuncfdUintptrdoneBool982)
+	return intoFuncfdUintptrdoneBool982
+}
+
+func TaintStepTest_SyscallConnSyscallConn_B0I0O0(sourceCQL interface{}) interface{} {
+	fromConn417 := sourceCQL.(syscall.Conn)
+	intoRawConn584, _ := fromConn417.SyscallConn()
+	return intoRawConn584
+}
+
+func TaintStepTest_SyscallConnSyscallConn_B1I0O0(sourceCQL interface{}) interface{} {
+	fromRawConn991 := sourceCQL.(syscall.RawConn)
+	var intoConn881 syscall.Conn
+	intermediateCQL, _ := intoConn881.SyscallConn()
+	link(fromRawConn991, intermediateCQL)
+	return intoConn881
+}
+
+func TaintStepTest_SyscallRawConnWrite_B0I0O0(sourceCQL interface{}) interface{} {
+	fromFuncfdUintptrdoneBool186 := sourceCQL.(func(uintptr) bool)
+	var intoRawConn284 syscall.RawConn
+	intoRawConn284.Write(fromFuncfdUintptrdoneBool186)
+	return intoRawConn284
+}
+
+func RunAllTaints_Syscall() {
+	{
+		source := newSource(0)
+		out := TaintStepTest_SyscallBytePtrFromString_B0I0O0(source)
+		sink(0, out)
+	}
+	{
+		source := newSource(1)
+		out := TaintStepTest_SyscallByteSliceFromString_B0I0O0(source)
+		sink(1, out)
+	}
+	{
+		source := newSource(2)
+		out := TaintStepTest_SyscallStringBytePtr_B0I0O0(source)
+		sink(2, out)
+	}
+	{
+		source := newSource(3)
+		out := TaintStepTest_SyscallStringByteSlice_B0I0O0(source)
+		sink(3, out)
+	}
+	{
+		source := newSource(4)
+		out := TaintStepTest_SyscallStringSlicePtr_B0I0O0(source)
+		sink(4, out)
+	}
+	{
+		source := newSource(5)
+		out := TaintStepTest_SyscallRawConnRead_B0I0O0(source)
+		sink(5, out)
+	}
+	{
+		source := newSource(6)
+		out := TaintStepTest_SyscallConnSyscallConn_B0I0O0(source)
+		sink(6, out)
+	}
+	{
+		source := newSource(7)
+		out := TaintStepTest_SyscallConnSyscallConn_B1I0O0(source)
+		sink(7, out)
+	}
+	{
+		source := newSource(8)
+		out := TaintStepTest_SyscallRawConnWrite_B0I0O0(source)
+		sink(8, out)
+	}
+}