Restrict 'package' to real package paths

2026-01-29 14:23:03 +01:00 · 2021-03-05 03:40:59 -08:00
parent fecf265641
commit 8ad1010860
5 changed files with 18 additions and 13 deletions
--- a/ql/src/semmle/go/Packages.qll
+++ b/ql/src/semmle/go/Packages.qll
@@ -32,9 +32,10 @@ class Package extends @package {
 * For example, `package("github.com/go-pg/pg", "types")` gets an import path that can
 * refer to `"github.com/go-pg/pg/types"`, but also to `"github.com/go-pg/pg/v10/types"`.
 */
-bindingset[result, mod, path]
+bindingset[mod, path]
 string package(string mod, string path) {
  // "\Q" and "\E" start and end a quoted section of a regular expression. Anything like "." or "*" that
  // "*" that comes between them is not interpreted as it would normally be in a regular expression.
-  result.regexpMatch("\\Q" + mod + "\\E([/.]v[^/]+)?($|/)\\Q" + path + "\\E")
+  result.regexpMatch("\\Q" + mod + "\\E([/.]v[^/]+)?($|/)\\Q" + path + "\\E") and
+  result = any(Package p).getPath()
 }
--- a/ql/test/library-tests/semmle/go/Packages/main.go
+++ b/ql/test/library-tests/semmle/go/Packages/main.go
@@ -4,6 +4,8 @@ import (
 	"fmt"

 	"github.com/nonexistent-test-pkg"
+	"github.com/nonexistent/test"
+	test2 "github.com/nonexistent/v2/test"
 )

 func main() {
--- a/ql/test/library-tests/semmle/go/Packages/package.ql
+++ b/ql/test/library-tests/semmle/go/Packages/package.ql
@@ -3,16 +3,16 @@ import go
 from string path
 where
  (
-    path = "PackageName/v2/test" or // OK
-    path = "PackageName/test" or // OK
-    path = "PackageName//v//test" or // NOT OK
-    path = "PackageName//v/test" or // NOT OK
-    path = "PackageName/v//test" or // NOT OK
-    path = "PackageName/v/asd/v2/test" or // NOT OK
-    path = "PackageName/v/test" or // NOT OK
-    path = "PackageName//v2//test" or // NOT OK
-    path = "PackageName//v2/test" or // NOT OK
-    path = "PackageName/v2//test" // NOT OK
+    path = "github.com/nonexistent/v2/test" or // OK
+    path = "github.com/nonexistent/test" or // OK
+    path = "github.com/nonexistent//v//test" or // NOT OK
+    path = "github.com/nonexistent//v/test" or // NOT OK
+    path = "github.com/nonexistent/v//test" or // NOT OK
+    path = "github.com/nonexistent/v/asd/v2/test" or // NOT OK
+    path = "github.com/nonexistent/v/test" or // NOT OK
+    path = "github.com/nonexistent//v2//test" or // NOT OK
+    path = "github.com/nonexistent//v2/test" or // NOT OK
+    path = "github.com/nonexistent/v2//test" // NOT OK
  ) and
-  path = package("PackageName", "test")
+  path = package("github.com/nonexistent", "test")
 select path
--- a/ql/test/library-tests/semmle/go/Packages/vendor/github.com/nonexistent/test/stub.go
+++ b/ql/test/library-tests/semmle/go/Packages/vendor/github.com/nonexistent/test/stub.go
@@ -0,0 +1 @@
+package test
--- a/ql/test/library-tests/semmle/go/Packages/vendor/github.com/nonexistent/v2/test/stub.go
+++ b/ql/test/library-tests/semmle/go/Packages/vendor/github.com/nonexistent/v2/test/stub.go
@@ -0,0 +1 @@
+package test