Make AllocationSizeOverflow use new API

The extra nodes in .expected files are due to the changes from https://github.com/github/codeql/pull/13717, which are not applied to configuration classes extending DataFlow::Configuration or TaintTracking::Configuration.
2026-04-25 08:45:14 +02:00 · 2023-04-13 12:13:24 +01:00
parent 5a6ce293cc
commit 82a1b15d11
3 changed files with 79 additions and 17 deletions
--- a/go/ql/lib/semmle/go/security/AllocationSizeOverflow.qll
+++ b/go/ql/lib/semmle/go/security/AllocationSizeOverflow.qll
@@ -14,9 +14,11 @@ module AllocationSizeOverflow {
  import AllocationSizeOverflowCustomizations::AllocationSizeOverflow

  /**
+   * DEPRECATED: Use `FindLargeLensFlow` instead.
+   *
   * A taint-tracking configuration for identifying `len(...)` calls whose argument may be large.
   */
-  class FindLargeLensConfiguration extends TaintTracking2::Configuration {
+  deprecated class FindLargeLensConfiguration extends TaintTracking2::Configuration {
    FindLargeLensConfiguration() { this = "AllocationSizeOverflow::FindLargeLens" }

    override predicate isSource(DataFlow::Node nd) { nd instanceof Source }
@@ -30,16 +32,28 @@ module AllocationSizeOverflow {
    override predicate isSanitizer(DataFlow::Node nd) { nd instanceof Sanitizer }
  }

+  private module FindLargeLensConfig implements DataFlow::ConfigSig {
+    predicate isSource(DataFlow::Node nd) { nd instanceof Source }
+
+    predicate isSink(DataFlow::Node nd) { nd = Builtin::len().getACall().getArgument(0) }
+
+    predicate isBarrier(DataFlow::Node nd) { nd instanceof Sanitizer }
+  }
+
+  private module FindLargeLensFlow = TaintTracking::Global<FindLargeLensConfig>;
+
  private DataFlow::CallNode getALargeLenCall() {
-    exists(FindLargeLensConfiguration config, DataFlow::Node lenArg | config.hasFlow(_, lenArg) |
+    exists(DataFlow::Node lenArg | FindLargeLensFlow::flow(_, lenArg) |
      result.getArgument(0) = lenArg
    )
  }

  /**
+   * DEPRECATED: Use `Flow` instead.
+   *
   * A taint-tracking configuration for identifying allocation-size overflows.
   */
-  class Configuration extends TaintTracking::Configuration {
+  deprecated class Configuration extends TaintTracking::Configuration {
    Configuration() { this = "AllocationSizeOverflow" }

    override predicate isSource(DataFlow::Node nd) { nd instanceof Source }
@@ -70,4 +84,32 @@ module AllocationSizeOverflow {

    override predicate isSanitizer(DataFlow::Node nd) { nd instanceof Sanitizer }
  }
+
+  /**
+   * Holds if `nd` is at a position where overflow might occur, and its result is used to compute
+   * allocation size `allocsz`.
+   */
+  predicate isSinkWithAllocationSize(DataFlow::Node nd, DataFlow::Node allocsz) {
+    nd.(Sink).getAllocationSize() = allocsz
+  }
+
+  private module Config implements DataFlow::ConfigSig {
+    predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+    predicate isSink(DataFlow::Node sink) { isSinkWithAllocationSize(sink, _) }
+
+    predicate isBarrier(DataFlow::Node nd) { nd instanceof Sanitizer }
+
+    predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
+      additionalStep(pred, succ)
+      or
+      exists(DataFlow::CallNode c |
+        c = getALargeLenCall() and
+        pred = c.getArgument(0) and
+        succ = c
+      )
+    }
+  }
+
+  module Flow = TaintTracking::Global<Config>;
 }
--- a/go/ql/src/Security/CWE-190/AllocationSizeOverflow.ql
+++ b/go/ql/src/Security/CWE-190/AllocationSizeOverflow.ql
@@ -12,15 +12,15 @@
 */

 import go
-import DataFlow::PathGraph
 import semmle.go.security.AllocationSizeOverflow
+import AllocationSizeOverflow::Flow::PathGraph

 from
-  AllocationSizeOverflow::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink,
+  AllocationSizeOverflow::Flow::PathNode source, AllocationSizeOverflow::Flow::PathNode sink,
  DataFlow::Node allocsz
 where
-  cfg.hasFlowPath(source, sink) and
-  cfg.isSinkWithAllocationSize(sink.getNode(), allocsz)
+  AllocationSizeOverflow::Flow::flowPath(source, sink) and
+  AllocationSizeOverflow::isSinkWithAllocationSize(sink.getNode(), allocsz)
 select sink, source, sink,
  "This operation, which is used in an $@, involves a $@ and might overflow.", allocsz,
  "allocation", source, "potentially large value"
--- a/go/ql/test/query-tests/Security/CWE-190/AllocationSizeOverflow.expected
+++ b/go/ql/test/query-tests/Security/CWE-190/AllocationSizeOverflow.expected
@@ -1,33 +1,53 @@
 edges
-| AllocationSizeOverflow.go:6:2:6:33 | ... := ...[0] | AllocationSizeOverflow.go:10:10:10:22 | call to len |
-| tst2.go:9:2:9:37 | ... := ...[0] | tst2.go:10:22:10:30 | call to len |
-| tst2.go:14:2:14:29 | ... := ...[0] | tst2.go:15:22:15:30 | call to len |
-| tst3.go:6:2:6:31 | ... := ...[0] | tst3.go:7:22:7:34 | call to len |
-| tst3.go:6:2:6:31 | ... := ...[0] | tst3.go:24:16:24:28 | call to len |
-| tst3.go:6:2:6:31 | ... := ...[0] | tst3.go:32:16:32:28 | call to len |
-| tst.go:14:2:14:30 | ... = ...[0] | tst.go:15:22:15:34 | call to len |
-| tst.go:20:2:20:31 | ... = ...[0] | tst.go:21:22:21:34 | call to len |
-| tst.go:26:2:26:31 | ... = ...[0] | tst.go:27:26:27:38 | call to len |
-| tst.go:34:2:34:30 | ... = ...[0] | tst.go:35:22:35:34 | call to len |
+| AllocationSizeOverflow.go:6:2:6:33 | ... := ...[0] | AllocationSizeOverflow.go:10:14:10:21 | jsonData |
+| AllocationSizeOverflow.go:10:14:10:21 | jsonData | AllocationSizeOverflow.go:10:10:10:22 | call to len |
+| tst2.go:9:2:9:37 | ... := ...[0] | tst2.go:10:26:10:29 | data |
+| tst2.go:10:26:10:29 | data | tst2.go:10:22:10:30 | call to len |
+| tst2.go:14:2:14:29 | ... := ...[0] | tst2.go:15:26:15:29 | data |
+| tst2.go:15:26:15:29 | data | tst2.go:15:22:15:30 | call to len |
+| tst3.go:6:2:6:31 | ... := ...[0] | tst3.go:7:26:7:33 | jsonData |
+| tst3.go:6:2:6:31 | ... := ...[0] | tst3.go:24:20:24:27 | jsonData |
+| tst3.go:6:2:6:31 | ... := ...[0] | tst3.go:32:20:32:27 | jsonData |
+| tst3.go:7:26:7:33 | jsonData | tst3.go:7:22:7:34 | call to len |
+| tst3.go:24:20:24:27 | jsonData | tst3.go:24:16:24:28 | call to len |
+| tst3.go:32:20:32:27 | jsonData | tst3.go:32:16:32:28 | call to len |
+| tst.go:14:2:14:30 | ... = ...[0] | tst.go:15:26:15:33 | jsonData |
+| tst.go:15:26:15:33 | jsonData | tst.go:15:22:15:34 | call to len |
+| tst.go:20:2:20:31 | ... = ...[0] | tst.go:21:26:21:33 | jsonData |
+| tst.go:21:26:21:33 | jsonData | tst.go:21:22:21:34 | call to len |
+| tst.go:26:2:26:31 | ... = ...[0] | tst.go:27:30:27:37 | jsonData |
+| tst.go:27:30:27:37 | jsonData | tst.go:27:26:27:38 | call to len |
+| tst.go:34:2:34:30 | ... = ...[0] | tst.go:35:26:35:33 | jsonData |
+| tst.go:35:26:35:33 | jsonData | tst.go:35:22:35:34 | call to len |
 nodes
 | AllocationSizeOverflow.go:6:2:6:33 | ... := ...[0] | semmle.label | ... := ...[0] |
 | AllocationSizeOverflow.go:10:10:10:22 | call to len | semmle.label | call to len |
+| AllocationSizeOverflow.go:10:14:10:21 | jsonData | semmle.label | jsonData |
 | tst2.go:9:2:9:37 | ... := ...[0] | semmle.label | ... := ...[0] |
 | tst2.go:10:22:10:30 | call to len | semmle.label | call to len |
+| tst2.go:10:26:10:29 | data | semmle.label | data |
 | tst2.go:14:2:14:29 | ... := ...[0] | semmle.label | ... := ...[0] |
 | tst2.go:15:22:15:30 | call to len | semmle.label | call to len |
+| tst2.go:15:26:15:29 | data | semmle.label | data |
 | tst3.go:6:2:6:31 | ... := ...[0] | semmle.label | ... := ...[0] |
 | tst3.go:7:22:7:34 | call to len | semmle.label | call to len |
+| tst3.go:7:26:7:33 | jsonData | semmle.label | jsonData |
 | tst3.go:24:16:24:28 | call to len | semmle.label | call to len |
+| tst3.go:24:20:24:27 | jsonData | semmle.label | jsonData |
 | tst3.go:32:16:32:28 | call to len | semmle.label | call to len |
+| tst3.go:32:20:32:27 | jsonData | semmle.label | jsonData |
 | tst.go:14:2:14:30 | ... = ...[0] | semmle.label | ... = ...[0] |
 | tst.go:15:22:15:34 | call to len | semmle.label | call to len |
+| tst.go:15:26:15:33 | jsonData | semmle.label | jsonData |
 | tst.go:20:2:20:31 | ... = ...[0] | semmle.label | ... = ...[0] |
 | tst.go:21:22:21:34 | call to len | semmle.label | call to len |
+| tst.go:21:26:21:33 | jsonData | semmle.label | jsonData |
 | tst.go:26:2:26:31 | ... = ...[0] | semmle.label | ... = ...[0] |
 | tst.go:27:26:27:38 | call to len | semmle.label | call to len |
+| tst.go:27:30:27:37 | jsonData | semmle.label | jsonData |
 | tst.go:34:2:34:30 | ... = ...[0] | semmle.label | ... = ...[0] |
 | tst.go:35:22:35:34 | call to len | semmle.label | call to len |
+| tst.go:35:26:35:33 | jsonData | semmle.label | jsonData |
 subpaths
 #select
 | AllocationSizeOverflow.go:10:10:10:22 | call to len | AllocationSizeOverflow.go:6:2:6:33 | ... := ...[0] | AllocationSizeOverflow.go:10:10:10:22 | call to len | This operation, which is used in an $@, involves a $@ and might overflow. | AllocationSizeOverflow.go:11:25:11:28 | size | allocation | AllocationSizeOverflow.go:6:2:6:33 | ... := ...[0] | potentially large value |