Implement Field.hasQualifiedName.

2026-01-29 14:23:03 +01:00 · 2020-01-17 13:16:35 +00:00
parent e5e6f73081
commit d8b97afcab
2 changed files with 14 additions and 6 deletions
--- a/ql/src/semmle/go/Scopes.qll
+++ b/ql/src/semmle/go/Scopes.qll
@@ -260,6 +260,18 @@ class Field extends Variable {
  Field() { fieldstructs(this, declaringType) }

  StructType getDeclaringType() { result = declaringType }
+
+  /**
+   * Holds if this field has name `f` and it belongs to a type  `tp` declared in package `pkg`.
+   *
+   * Note that due to field embedding the same field may belong to multiple types.
+   */
+  predicate hasQualifiedName(string pkg, string tp, string f) {
+    exists(Type base |
+      base.hasQualifiedName(pkg, tp) and
+      this = base.getField(f)
+    )
+  }
 }

 /** A built-in or declared function. */
--- a/ql/src/semmle/go/security/ZipSlipCustomizations.qll
+++ b/ql/src/semmle/go/security/ZipSlipCustomizations.qll
@@ -31,12 +31,8 @@ module ZipSlip {
  /** A file name from a zip or tar entry, as a source for zip slip. */
  class FileNameSource extends Source, DataFlow::FieldReadNode {
    FileNameSource() {
-      exists(Type t |
-        t.hasQualifiedName("archive/zip", "File") or
-        t.hasQualifiedName("archive/tar", "Header")
-      |
-        getField() = t.getField("Name")
-      )
+      getField().hasQualifiedName("archive/zip", "File", "Name") or
+      getField().hasQualifiedName("archive/tar", "Header", "Name")
    }
  }