Merge pull request #317 from gagliardetto/standard-lib-pt-18

Add taint-tracking for `reflect` package
2026-01-30 06:42:57 +01:00 · 2020-09-11 11:26:48 +01:00
parent e9bf3317b5 095baeb8b6
commit 903cffe7ed
3 changed files with 669 additions and 0 deletions
--- a/ql/src/semmle/go/frameworks/Stdlib.qll
+++ b/ql/src/semmle/go/frameworks/Stdlib.qll
@@ -14,6 +14,7 @@ import semmle.go.frameworks.stdlib.CompressLzw
 import semmle.go.frameworks.stdlib.CompressZlib
 import semmle.go.frameworks.stdlib.Path
 import semmle.go.frameworks.stdlib.PathFilepath
+import semmle.go.frameworks.stdlib.Reflect

 /** A `String()` method. */
 class StringMethod extends TaintTracking::FunctionModel, Method {
--- a/ql/src/semmle/go/frameworks/stdlib/Reflect.qll
+++ b/ql/src/semmle/go/frameworks/stdlib/Reflect.qll
@@ -0,0 +1,186 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `reflect` package.
+ */
+
+import go
+
+/** Provides models of commonly used functions in the `reflect` package. */
+module Reflect {
+  private class FunctionModels extends TaintTracking::FunctionModel {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    FunctionModels() {
+      // signature: func Append(s Value, x ...Value) Value
+      hasQualifiedName("reflect", "Append") and
+      (inp.isParameter(_) and outp.isResult())
+      or
+      // signature: func AppendSlice(s Value, t Value) Value
+      hasQualifiedName("reflect", "AppendSlice") and
+      (inp.isParameter(_) and outp.isResult())
+      or
+      // signature: func Copy(dst Value, src Value) int
+      hasQualifiedName("reflect", "Copy") and
+      (inp.isParameter(1) and outp.isParameter(0))
+      or
+      // signature: func Indirect(v Value) Value
+      hasQualifiedName("reflect", "Indirect") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func ValueOf(i interface{}) Value
+      hasQualifiedName("reflect", "ValueOf") and
+      (inp.isParameter(0) and outp.isResult())
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+
+  private class MethodModels extends TaintTracking::FunctionModel, Method {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    MethodModels() {
+      // signature: func (*MapIter).Key() Value
+      this.hasQualifiedName("reflect", "MapIter", "Key") and
+      (inp.isReceiver() and outp.isResult())
+      or
+      // signature: func (*MapIter).Value() Value
+      this.hasQualifiedName("reflect", "MapIter", "Value") and
+      (inp.isReceiver() and outp.isResult())
+      or
+      // signature: func (StructTag).Get(key string) string
+      this.hasQualifiedName("reflect", "StructTag", "Get") and
+      (inp.isReceiver() and outp.isResult())
+      or
+      // signature: func (StructTag).Lookup(key string) (value string, ok bool)
+      this.hasQualifiedName("reflect", "StructTag", "Lookup") and
+      (inp.isReceiver() and outp.isResult(0))
+      or
+      // signature: func (Value).Addr() Value
+      this.hasQualifiedName("reflect", "Value", "Addr") and
+      (inp.isReceiver() and outp.isResult())
+      or
+      // signature: func (Value).Bytes() []byte
+      this.hasQualifiedName("reflect", "Value", "Bytes") and
+      (inp.isReceiver() and outp.isResult())
+      or
+      // signature: func (Value).Convert(t Type) Value
+      this.hasQualifiedName("reflect", "Value", "Convert") and
+      (inp.isReceiver() and outp.isResult())
+      or
+      // signature: func (Value).Elem() Value
+      this.hasQualifiedName("reflect", "Value", "Elem") and
+      (inp.isReceiver() and outp.isResult())
+      or
+      // signature: func (Value).Field(i int) Value
+      this.hasQualifiedName("reflect", "Value", "Field") and
+      (inp.isReceiver() and outp.isResult())
+      or
+      // signature: func (Value).FieldByIndex(index []int) Value
+      this.hasQualifiedName("reflect", "Value", "FieldByIndex") and
+      (inp.isReceiver() and outp.isResult())
+      or
+      // signature: func (Value).FieldByName(name string) Value
+      this.hasQualifiedName("reflect", "Value", "FieldByName") and
+      (inp.isReceiver() and outp.isResult())
+      or
+      // signature: func (Value).FieldByNameFunc(match func(string) bool) Value
+      this.hasQualifiedName("reflect", "Value", "FieldByNameFunc") and
+      (inp.isReceiver() and outp.isResult())
+      or
+      // signature: func (Value).Index(i int) Value
+      this.hasQualifiedName("reflect", "Value", "Index") and
+      (inp.isReceiver() and outp.isResult())
+      or
+      // signature: func (Value).Interface() (i interface{})
+      this.hasQualifiedName("reflect", "Value", "Interface") and
+      (inp.isReceiver() and outp.isResult())
+      or
+      // signature: func (Value).InterfaceData() [2]uintptr
+      this.hasQualifiedName("reflect", "Value", "InterfaceData") and
+      (inp.isReceiver() and outp.isResult())
+      or
+      // signature: func (Value).MapIndex(key Value) Value
+      this.hasQualifiedName("reflect", "Value", "MapIndex") and
+      (inp.isReceiver() and outp.isResult())
+      or
+      // signature: func (Value).MapKeys() []Value
+      this.hasQualifiedName("reflect", "Value", "MapKeys") and
+      (inp.isReceiver() and outp.isResult())
+      or
+      // signature: func (Value).MapRange() *MapIter
+      this.hasQualifiedName("reflect", "Value", "MapRange") and
+      (inp.isReceiver() and outp.isResult())
+      or
+      // signature: func (Value).Method(i int) Value
+      this.hasQualifiedName("reflect", "Value", "Method") and
+      (inp.isReceiver() and outp.isResult())
+      or
+      // signature: func (Value).MethodByName(name string) Value
+      this.hasQualifiedName("reflect", "Value", "MethodByName") and
+      (inp.isReceiver() and outp.isResult())
+      or
+      // signature: func (Value).Pointer() uintptr
+      this.hasQualifiedName("reflect", "Value", "Pointer") and
+      (inp.isReceiver() and outp.isResult())
+      or
+      // signature: func (Value).Recv() (x Value, ok bool)
+      this.hasQualifiedName("reflect", "Value", "Recv") and
+      (inp.isReceiver() and outp.isResult(0))
+      or
+      // signature: func (Value).Send(x Value)
+      this.hasQualifiedName("reflect", "Value", "Send") and
+      (inp.isParameter(0) and outp.isReceiver())
+      or
+      // signature: func (Value).Set(x Value)
+      this.hasQualifiedName("reflect", "Value", "Set") and
+      (inp.isParameter(0) and outp.isReceiver())
+      or
+      // signature: func (Value).SetBytes(x []byte)
+      this.hasQualifiedName("reflect", "Value", "SetBytes") and
+      (inp.isParameter(0) and outp.isReceiver())
+      or
+      // signature: func (Value).SetMapIndex(key Value, elem Value)
+      this.hasQualifiedName("reflect", "Value", "SetMapIndex") and
+      (inp.isParameter(_) and outp.isReceiver())
+      or
+      // signature: func (Value).SetPointer(x unsafe.Pointer)
+      this.hasQualifiedName("reflect", "Value", "SetPointer") and
+      (inp.isParameter(0) and outp.isReceiver())
+      or
+      // signature: func (Value).SetString(x string)
+      this.hasQualifiedName("reflect", "Value", "SetString") and
+      (inp.isParameter(0) and outp.isReceiver())
+      or
+      // signature: func (Value).Slice(i int, j int) Value
+      this.hasQualifiedName("reflect", "Value", "Slice") and
+      (inp.isReceiver() and outp.isResult())
+      or
+      // signature: func (Value).Slice3(i int, j int, k int) Value
+      this.hasQualifiedName("reflect", "Value", "Slice3") and
+      (inp.isReceiver() and outp.isResult())
+      or
+      // signature: func (Value).String() string
+      this.hasQualifiedName("reflect", "Value", "String") and
+      (inp.isReceiver() and outp.isResult())
+      or
+      // signature: func (Value).TryRecv() (x Value, ok bool)
+      this.hasQualifiedName("reflect", "Value", "TryRecv") and
+      (inp.isReceiver() and outp.isResult(0))
+      or
+      // signature: func (Value).TrySend(x Value) bool
+      this.hasQualifiedName("reflect", "Value", "TrySend") and
+      (inp.isParameter(0) and outp.isReceiver())
+      or
+      // signature: func (Value).UnsafeAddr() uintptr
+      this.hasQualifiedName("reflect", "Value", "UnsafeAddr") and
+      (inp.isReceiver() and outp.isResult())
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+}
--- a/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Reflect.go
+++ b/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Reflect.go
@@ -0,0 +1,482 @@
+// Code generated by https://github.com/gagliardetto/codebox. DO NOT EDIT.
+
+package main
+
+import (
+	"reflect"
+	"unsafe"
+)
+
+func TaintStepTest_ReflectAppend_B0I0O0(sourceCQL interface{}) interface{} {
+	fromValue656 := sourceCQL.(reflect.Value)
+	intoValue414 := reflect.Append(fromValue656, reflect.Value{})
+	return intoValue414
+}
+
+func TaintStepTest_ReflectAppend_B0I1O0(sourceCQL interface{}) interface{} {
+	fromValue518 := sourceCQL.(reflect.Value)
+	intoValue650 := reflect.Append(reflect.Value{}, fromValue518)
+	return intoValue650
+}
+
+func TaintStepTest_ReflectAppendSlice_B0I0O0(sourceCQL interface{}) interface{} {
+	fromValue784 := sourceCQL.(reflect.Value)
+	intoValue957 := reflect.AppendSlice(fromValue784, reflect.Value{})
+	return intoValue957
+}
+
+func TaintStepTest_ReflectAppendSlice_B0I1O0(sourceCQL interface{}) interface{} {
+	fromValue520 := sourceCQL.(reflect.Value)
+	intoValue443 := reflect.AppendSlice(reflect.Value{}, fromValue520)
+	return intoValue443
+}
+
+func TaintStepTest_ReflectCopy_B0I0O0(sourceCQL interface{}) interface{} {
+	fromValue127 := sourceCQL.(reflect.Value)
+	var intoValue483 reflect.Value
+	reflect.Copy(intoValue483, fromValue127)
+	return intoValue483
+}
+
+func TaintStepTest_ReflectIndirect_B0I0O0(sourceCQL interface{}) interface{} {
+	fromValue989 := sourceCQL.(reflect.Value)
+	intoValue982 := reflect.Indirect(fromValue989)
+	return intoValue982
+}
+
+func TaintStepTest_ReflectValueOf_B0I0O0(sourceCQL interface{}) interface{} {
+	fromInterface417 := sourceCQL.(interface{})
+	intoValue584 := reflect.ValueOf(fromInterface417)
+	return intoValue584
+}
+
+func TaintStepTest_ReflectMapIterKey_B0I0O0(sourceCQL interface{}) interface{} {
+	fromMapIter991 := sourceCQL.(reflect.MapIter)
+	intoValue881 := fromMapIter991.Key()
+	return intoValue881
+}
+
+func TaintStepTest_ReflectMapIterValue_B0I0O0(sourceCQL interface{}) interface{} {
+	fromMapIter186 := sourceCQL.(reflect.MapIter)
+	intoValue284 := fromMapIter186.Value()
+	return intoValue284
+}
+
+func TaintStepTest_ReflectStructTagGet_B0I0O0(sourceCQL interface{}) interface{} {
+	fromStructTag908 := sourceCQL.(reflect.StructTag)
+	intoString137 := fromStructTag908.Get("")
+	return intoString137
+}
+
+func TaintStepTest_ReflectStructTagLookup_B0I0O0(sourceCQL interface{}) interface{} {
+	fromStructTag494 := sourceCQL.(reflect.StructTag)
+	intoString873, _ := fromStructTag494.Lookup("")
+	return intoString873
+}
+
+func TaintStepTest_ReflectValueAddr_B0I0O0(sourceCQL interface{}) interface{} {
+	fromValue599 := sourceCQL.(reflect.Value)
+	intoValue409 := fromValue599.Addr()
+	return intoValue409
+}
+
+func TaintStepTest_ReflectValueBytes_B0I0O0(sourceCQL interface{}) interface{} {
+	fromValue246 := sourceCQL.(reflect.Value)
+	intoByte898 := fromValue246.Bytes()
+	return intoByte898
+}
+
+func TaintStepTest_ReflectValueConvert_B0I0O0(sourceCQL interface{}) interface{} {
+	fromValue598 := sourceCQL.(reflect.Value)
+	intoValue631 := fromValue598.Convert(nil)
+	return intoValue631
+}
+
+func TaintStepTest_ReflectValueElem_B0I0O0(sourceCQL interface{}) interface{} {
+	fromValue165 := sourceCQL.(reflect.Value)
+	intoValue150 := fromValue165.Elem()
+	return intoValue150
+}
+
+func TaintStepTest_ReflectValueField_B0I0O0(sourceCQL interface{}) interface{} {
+	fromValue340 := sourceCQL.(reflect.Value)
+	intoValue471 := fromValue340.Field(0)
+	return intoValue471
+}
+
+func TaintStepTest_ReflectValueFieldByIndex_B0I0O0(sourceCQL interface{}) interface{} {
+	fromValue290 := sourceCQL.(reflect.Value)
+	intoValue758 := fromValue290.FieldByIndex(nil)
+	return intoValue758
+}
+
+func TaintStepTest_ReflectValueFieldByName_B0I0O0(sourceCQL interface{}) interface{} {
+	fromValue396 := sourceCQL.(reflect.Value)
+	intoValue707 := fromValue396.FieldByName("")
+	return intoValue707
+}
+
+func TaintStepTest_ReflectValueFieldByNameFunc_B0I0O0(sourceCQL interface{}) interface{} {
+	fromValue912 := sourceCQL.(reflect.Value)
+	intoValue718 := fromValue912.FieldByNameFunc(nil)
+	return intoValue718
+}
+
+func TaintStepTest_ReflectValueIndex_B0I0O0(sourceCQL interface{}) interface{} {
+	fromValue972 := sourceCQL.(reflect.Value)
+	intoValue633 := fromValue972.Index(0)
+	return intoValue633
+}
+
+func TaintStepTest_ReflectValueInterface_B0I0O0(sourceCQL interface{}) interface{} {
+	fromValue316 := sourceCQL.(reflect.Value)
+	intoInterface145 := fromValue316.Interface()
+	return intoInterface145
+}
+
+func TaintStepTest_ReflectValueInterfaceData_B0I0O0(sourceCQL interface{}) interface{} {
+	fromValue817 := sourceCQL.(reflect.Value)
+	intoUintptr474 := fromValue817.InterfaceData()
+	return intoUintptr474
+}
+
+func TaintStepTest_ReflectValueMapIndex_B0I0O0(sourceCQL interface{}) interface{} {
+	fromValue832 := sourceCQL.(reflect.Value)
+	intoValue378 := fromValue832.MapIndex(reflect.Value{})
+	return intoValue378
+}
+
+func TaintStepTest_ReflectValueMapKeys_B0I0O0(sourceCQL interface{}) interface{} {
+	fromValue541 := sourceCQL.(reflect.Value)
+	intoValue139 := fromValue541.MapKeys()
+	return intoValue139
+}
+
+func TaintStepTest_ReflectValueMapRange_B0I0O0(sourceCQL interface{}) interface{} {
+	fromValue814 := sourceCQL.(reflect.Value)
+	intoMapIter768 := fromValue814.MapRange()
+	return intoMapIter768
+}
+
+func TaintStepTest_ReflectValueMethod_B0I0O0(sourceCQL interface{}) interface{} {
+	fromValue468 := sourceCQL.(reflect.Value)
+	intoValue736 := fromValue468.Method(0)
+	return intoValue736
+}
+
+func TaintStepTest_ReflectValueMethodByName_B0I0O0(sourceCQL interface{}) interface{} {
+	fromValue516 := sourceCQL.(reflect.Value)
+	intoValue246 := fromValue516.MethodByName("")
+	return intoValue246
+}
+
+func TaintStepTest_ReflectValuePointer_B0I0O0(sourceCQL interface{}) interface{} {
+	fromValue679 := sourceCQL.(reflect.Value)
+	intoUintptr736 := fromValue679.Pointer()
+	return intoUintptr736
+}
+
+func TaintStepTest_ReflectValueRecv_B0I0O0(sourceCQL interface{}) interface{} {
+	fromValue839 := sourceCQL.(reflect.Value)
+	intoValue273, _ := fromValue839.Recv()
+	return intoValue273
+}
+
+func TaintStepTest_ReflectValueSend_B0I0O0(sourceCQL interface{}) interface{} {
+	fromValue982 := sourceCQL.(reflect.Value)
+	var intoValue458 reflect.Value
+	intoValue458.Send(fromValue982)
+	return intoValue458
+}
+
+func TaintStepTest_ReflectValueSet_B0I0O0(sourceCQL interface{}) interface{} {
+	fromValue506 := sourceCQL.(reflect.Value)
+	var intoValue213 reflect.Value
+	intoValue213.Set(fromValue506)
+	return intoValue213
+}
+
+func TaintStepTest_ReflectValueSetBytes_B0I0O0(sourceCQL interface{}) interface{} {
+	fromByte468 := sourceCQL.([]byte)
+	var intoValue219 reflect.Value
+	intoValue219.SetBytes(fromByte468)
+	return intoValue219
+}
+
+func TaintStepTest_ReflectValueSetMapIndex_B0I0O0(sourceCQL interface{}) interface{} {
+	fromValue265 := sourceCQL.(reflect.Value)
+	var intoValue971 reflect.Value
+	intoValue971.SetMapIndex(fromValue265, reflect.Value{})
+	return intoValue971
+}
+
+func TaintStepTest_ReflectValueSetMapIndex_B0I1O0(sourceCQL interface{}) interface{} {
+	fromValue320 := sourceCQL.(reflect.Value)
+	var intoValue545 reflect.Value
+	intoValue545.SetMapIndex(reflect.Value{}, fromValue320)
+	return intoValue545
+}
+
+func TaintStepTest_ReflectValueSetPointer_B0I0O0(sourceCQL interface{}) interface{} {
+	fromPointer566 := sourceCQL.(unsafe.Pointer)
+	var intoValue497 reflect.Value
+	intoValue497.SetPointer(fromPointer566)
+	return intoValue497
+}
+
+func TaintStepTest_ReflectValueSetString_B0I0O0(sourceCQL interface{}) interface{} {
+	fromString274 := sourceCQL.(string)
+	var intoValue783 reflect.Value
+	intoValue783.SetString(fromString274)
+	return intoValue783
+}
+
+func TaintStepTest_ReflectValueSlice_B0I0O0(sourceCQL interface{}) interface{} {
+	fromValue905 := sourceCQL.(reflect.Value)
+	intoValue389 := fromValue905.Slice(0, 0)
+	return intoValue389
+}
+
+func TaintStepTest_ReflectValueSlice3_B0I0O0(sourceCQL interface{}) interface{} {
+	fromValue198 := sourceCQL.(reflect.Value)
+	intoValue477 := fromValue198.Slice3(0, 0, 0)
+	return intoValue477
+}
+
+func TaintStepTest_ReflectValueString_B0I0O0(sourceCQL interface{}) interface{} {
+	fromValue544 := sourceCQL.(reflect.Value)
+	intoString382 := fromValue544.String()
+	return intoString382
+}
+
+func TaintStepTest_ReflectValueTryRecv_B0I0O0(sourceCQL interface{}) interface{} {
+	fromValue715 := sourceCQL.(reflect.Value)
+	intoValue179, _ := fromValue715.TryRecv()
+	return intoValue179
+}
+
+func TaintStepTest_ReflectValueTrySend_B0I0O0(sourceCQL interface{}) interface{} {
+	fromValue366 := sourceCQL.(reflect.Value)
+	var intoValue648 reflect.Value
+	intoValue648.TrySend(fromValue366)
+	return intoValue648
+}
+
+func TaintStepTest_ReflectValueUnsafeAddr_B0I0O0(sourceCQL interface{}) interface{} {
+	fromValue544 := sourceCQL.(reflect.Value)
+	intoUintptr484 := fromValue544.UnsafeAddr()
+	return intoUintptr484
+}
+
+func RunAllTaints_Reflect() {
+	{
+		source := newSource(0)
+		out := TaintStepTest_ReflectAppend_B0I0O0(source)
+		sink(0, out)
+	}
+	{
+		source := newSource(1)
+		out := TaintStepTest_ReflectAppend_B0I1O0(source)
+		sink(1, out)
+	}
+	{
+		source := newSource(2)
+		out := TaintStepTest_ReflectAppendSlice_B0I0O0(source)
+		sink(2, out)
+	}
+	{
+		source := newSource(3)
+		out := TaintStepTest_ReflectAppendSlice_B0I1O0(source)
+		sink(3, out)
+	}
+	{
+		source := newSource(4)
+		out := TaintStepTest_ReflectCopy_B0I0O0(source)
+		sink(4, out)
+	}
+	{
+		source := newSource(5)
+		out := TaintStepTest_ReflectIndirect_B0I0O0(source)
+		sink(5, out)
+	}
+	{
+		source := newSource(6)
+		out := TaintStepTest_ReflectValueOf_B0I0O0(source)
+		sink(6, out)
+	}
+	{
+		source := newSource(7)
+		out := TaintStepTest_ReflectMapIterKey_B0I0O0(source)
+		sink(7, out)
+	}
+	{
+		source := newSource(8)
+		out := TaintStepTest_ReflectMapIterValue_B0I0O0(source)
+		sink(8, out)
+	}
+	{
+		source := newSource(9)
+		out := TaintStepTest_ReflectStructTagGet_B0I0O0(source)
+		sink(9, out)
+	}
+	{
+		source := newSource(10)
+		out := TaintStepTest_ReflectStructTagLookup_B0I0O0(source)
+		sink(10, out)
+	}
+	{
+		source := newSource(11)
+		out := TaintStepTest_ReflectValueAddr_B0I0O0(source)
+		sink(11, out)
+	}
+	{
+		source := newSource(12)
+		out := TaintStepTest_ReflectValueBytes_B0I0O0(source)
+		sink(12, out)
+	}
+	{
+		source := newSource(13)
+		out := TaintStepTest_ReflectValueConvert_B0I0O0(source)
+		sink(13, out)
+	}
+	{
+		source := newSource(14)
+		out := TaintStepTest_ReflectValueElem_B0I0O0(source)
+		sink(14, out)
+	}
+	{
+		source := newSource(15)
+		out := TaintStepTest_ReflectValueField_B0I0O0(source)
+		sink(15, out)
+	}
+	{
+		source := newSource(16)
+		out := TaintStepTest_ReflectValueFieldByIndex_B0I0O0(source)
+		sink(16, out)
+	}
+	{
+		source := newSource(17)
+		out := TaintStepTest_ReflectValueFieldByName_B0I0O0(source)
+		sink(17, out)
+	}
+	{
+		source := newSource(18)
+		out := TaintStepTest_ReflectValueFieldByNameFunc_B0I0O0(source)
+		sink(18, out)
+	}
+	{
+		source := newSource(19)
+		out := TaintStepTest_ReflectValueIndex_B0I0O0(source)
+		sink(19, out)
+	}
+	{
+		source := newSource(20)
+		out := TaintStepTest_ReflectValueInterface_B0I0O0(source)
+		sink(20, out)
+	}
+	{
+		source := newSource(21)
+		out := TaintStepTest_ReflectValueInterfaceData_B0I0O0(source)
+		sink(21, out)
+	}
+	{
+		source := newSource(22)
+		out := TaintStepTest_ReflectValueMapIndex_B0I0O0(source)
+		sink(22, out)
+	}
+	{
+		source := newSource(23)
+		out := TaintStepTest_ReflectValueMapKeys_B0I0O0(source)
+		sink(23, out)
+	}
+	{
+		source := newSource(24)
+		out := TaintStepTest_ReflectValueMapRange_B0I0O0(source)
+		sink(24, out)
+	}
+	{
+		source := newSource(25)
+		out := TaintStepTest_ReflectValueMethod_B0I0O0(source)
+		sink(25, out)
+	}
+	{
+		source := newSource(26)
+		out := TaintStepTest_ReflectValueMethodByName_B0I0O0(source)
+		sink(26, out)
+	}
+	{
+		source := newSource(27)
+		out := TaintStepTest_ReflectValuePointer_B0I0O0(source)
+		sink(27, out)
+	}
+	{
+		source := newSource(28)
+		out := TaintStepTest_ReflectValueRecv_B0I0O0(source)
+		sink(28, out)
+	}
+	{
+		source := newSource(29)
+		out := TaintStepTest_ReflectValueSend_B0I0O0(source)
+		sink(29, out)
+	}
+	{
+		source := newSource(30)
+		out := TaintStepTest_ReflectValueSet_B0I0O0(source)
+		sink(30, out)
+	}
+	{
+		source := newSource(31)
+		out := TaintStepTest_ReflectValueSetBytes_B0I0O0(source)
+		sink(31, out)
+	}
+	{
+		source := newSource(32)
+		out := TaintStepTest_ReflectValueSetMapIndex_B0I0O0(source)
+		sink(32, out)
+	}
+	{
+		source := newSource(33)
+		out := TaintStepTest_ReflectValueSetMapIndex_B0I1O0(source)
+		sink(33, out)
+	}
+	{
+		source := newSource(34)
+		out := TaintStepTest_ReflectValueSetPointer_B0I0O0(source)
+		sink(34, out)
+	}
+	{
+		source := newSource(35)
+		out := TaintStepTest_ReflectValueSetString_B0I0O0(source)
+		sink(35, out)
+	}
+	{
+		source := newSource(36)
+		out := TaintStepTest_ReflectValueSlice_B0I0O0(source)
+		sink(36, out)
+	}
+	{
+		source := newSource(37)
+		out := TaintStepTest_ReflectValueSlice3_B0I0O0(source)
+		sink(37, out)
+	}
+	{
+		source := newSource(38)
+		out := TaintStepTest_ReflectValueString_B0I0O0(source)
+		sink(38, out)
+	}
+	{
+		source := newSource(39)
+		out := TaintStepTest_ReflectValueTryRecv_B0I0O0(source)
+		sink(39, out)
+	}
+	{
+		source := newSource(40)
+		out := TaintStepTest_ReflectValueTrySend_B0I0O0(source)
+		sink(40, out)
+	}
+	{
+		source := newSource(41)
+		out := TaintStepTest_ReflectValueUnsafeAddr_B0I0O0(source)
+		sink(41, out)
+	}
+}