Add taint-tracking model for append.

2026-01-29 22:32:58 +01:00 · 2020-03-06 09:35:03 +00:00
parent 4f061005cb
commit a7ecb50a34
2 changed files with 18 additions and 0 deletions
--- a/ql/src/semmle/go/frameworks/Stdlib.qll
+++ b/ql/src/semmle/go/frameworks/Stdlib.qll
@@ -13,6 +13,18 @@ class StringMethod extends TaintTracking::FunctionModel, Method {
  }
 }

+/**
+ * A model of the built-in `append` function, which propagates taint from its arguments to its
+ * result.
+ */
+private class AppendFunction extends TaintTracking::FunctionModel {
+  AppendFunction() { this = Builtin::append() }
+
+  override predicate hasTaintFlow(DataFlow::FunctionInput inp, DataFlow::FunctionOutput outp) {
+    inp.isParameter(_) and outp.isResult()
+  }
+}
+
 /**
 * A model of the built-in `copy` function, which propagates taint from its second argument
 * to its first.
--- a/ql/test/library-tests/semmle/go/dataflow/FlowSteps/LocalTaintStep.expected
+++ b/ql/test/library-tests/semmle/go/dataflow/FlowSteps/LocalTaintStep.expected
@@ -1,5 +1,11 @@
 | main.go:26:11:26:17 | type assertion | main.go:26:2:26:17 | ... := ...[0] |
 | main.go:26:11:26:17 | type assertion | main.go:26:2:26:17 | ... := ...[1] |
+| main.go:39:15:39:15 | s | main.go:39:8:39:25 | call to append |
+| main.go:39:18:39:18 | 4 | main.go:39:8:39:25 | call to append |
+| main.go:39:21:39:21 | 5 | main.go:39:8:39:25 | call to append |
+| main.go:39:24:39:24 | 6 | main.go:39:8:39:25 | call to append |
+| main.go:40:15:40:15 | s | main.go:40:8:40:23 | call to append |
+| main.go:40:18:40:19 | s1 | main.go:40:8:40:23 | call to append |
 | main.go:42:10:42:11 | s4 | main.go:38:2:38:2 | definition of s |
 | strings.go:9:24:9:24 | s | strings.go:9:8:9:38 | call to Replace |
 | strings.go:9:32:9:34 | "_" | strings.go:9:8:9:38 | call to Replace |