Add tests for data and taint flow through arrays and var args

2026-01-30 06:42:57 +01:00 · 2021-03-03 14:15:20 +00:00
parent 2060731077
commit be6501d8e4
3 changed files with 83 additions and 0 deletions
--- a/ql/test/library-tests/semmle/go/dataflow/VarArgs/Flows.expected
+++ b/ql/test/library-tests/semmle/go/dataflow/VarArgs/Flows.expected
--- a/ql/test/library-tests/semmle/go/dataflow/VarArgs/Flows.ql
+++ b/ql/test/library-tests/semmle/go/dataflow/VarArgs/Flows.ql
@@ -0,0 +1,56 @@
+import go
+import TestUtilities.InlineExpectationsTest
+
+class DataConfiguration extends DataFlow::Configuration {
+  DataConfiguration() { this = "data-configuration" }
+
+  override predicate isSource(DataFlow::Node source) {
+    source = any(DataFlow::CallNode c | c.getCalleeName() = "source").getResult(0)
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    sink = any(DataFlow::CallNode c | c.getCalleeName() = "sink").getArgument(0)
+  }
+}
+
+class DataFlowTest extends InlineExpectationsTest {
+  DataFlowTest() { this = "DataFlowTest" }
+
+  override string getARelevantTag() { result = "dataflow" }
+
+  override predicate hasActualResult(string file, int line, string element, string tag, string value) {
+    tag = "dataflow" and
+    exists(DataFlow::Node sink | any(DataConfiguration c).hasFlow(_, sink) |
+      element = sink.toString() and
+      value = "" and
+      sink.hasLocationInfo(file, line, _, _, _)
+    )
+  }
+}
+
+class TaintConfiguration extends TaintTracking::Configuration {
+  TaintConfiguration() { this = "taint-configuration" }
+
+  override predicate isSource(DataFlow::Node source) {
+    source = any(DataFlow::CallNode c | c.getCalleeName() = "source").getResult(0)
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    sink = any(DataFlow::CallNode c | c.getCalleeName() = "sink").getArgument(0)
+  }
+}
+
+class TaintFlowTest extends InlineExpectationsTest {
+  TaintFlowTest() { this = "TaintFlowTest" }
+
+  override string getARelevantTag() { result = "taintflow" }
+
+  override predicate hasActualResult(string file, int line, string element, string tag, string value) {
+    tag = "taintflow" and
+    exists(DataFlow::Node sink | any(TaintConfiguration c).hasFlow(_, sink) |
+      element = sink.toString() and
+      value = "" and
+      sink.hasLocationInfo(file, line, _, _, _)
+    )
+  }
+}
--- a/ql/test/library-tests/semmle/go/dataflow/VarArgs/main.go
+++ b/ql/test/library-tests/semmle/go/dataflow/VarArgs/main.go
@@ -0,0 +1,27 @@
+package main
+
+func source() string {
+	return "untrusted data"
+}
+
+func sink(string) {
+}
+
+type A struct {
+	f string
+}
+
+func functionWithVarArgsOfStructsParameter(s ...A) {
+	sink(s[0].f) // $ MISSING: taintflow dataflow
+}
+
+func main() {
+	stringSlice := []string{source()}
+	sink(stringSlice[0]) // $ taintflow MISSING: dataflow
+
+	arrayOfStructs := []A{{f: source()}}
+	sink(arrayOfStructs[0].f) // $ MISSING: taintflow dataflow
+
+	a := A{f: source()}
+	functionWithVarArgsOfStructsParameter(a)
+}