From df0238a3524c38b6f4cefeaf430454766e91d8bd Mon Sep 17 00:00:00 2001
From: Chris Smowton
Date: Fri, 31 Jul 2020 16:23:50 +0100
Subject: [PATCH] Fix proto.Clone method

This is top-level, not a member.
---
 ql/src/semmle/go/frameworks/Protobuf.qll | 8 ++++----
 .../semmle/go/frameworks/Protobuf/FunctionModel.expected | 2 +-
 .../semmle/go/frameworks/Protobuf/TaintFlows.expected | 1 +
 3 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/ql/src/semmle/go/frameworks/Protobuf.qll b/ql/src/semmle/go/frameworks/Protobuf.qll
index 8e5bbd3d72e..8b040ef5317 100644
--- a/ql/src/semmle/go/frameworks/Protobuf.qll
+++ b/ql/src/semmle/go/frameworks/Protobuf.qll
@@ -55,7 +55,7 @@ module Protobuf {
 MergeFunction() { this.hasQualifiedName("github.com/golang/protobuf/proto", "Merge") }
 
 override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) {
- inp.isParameter(_) and outp.isParameter(0)
+ inp.isParameter(1) and outp.isParameter(0)
 }
 }
 
@@ -67,10 +67,10 @@ module Protobuf {
 }
 
 /** The `Clone` method of a protobuf `Message` type. */
- private class MessageCloneMethod extends DataFlow::FunctionModel, Method {
- MessageCloneMethod() { this = any(MessageType msg).getMethod("Clone") }
+ private class MessageCloneFunction extends TaintTracking::FunctionModel {
+ MessageCloneFunction() { this.hasQualifiedName("github.com/golang/protobuf/proto", "Clone") }
 
- override predicate hasDataFlow(FunctionInput inp, FunctionOutput outp) {
+ override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) {
 inp.isParameter(0) and outp.isResult()
 }
 }
diff --git a/ql/test/library-tests/semmle/go/frameworks/Protobuf/FunctionModel.expected b/ql/test/library-tests/semmle/go/frameworks/Protobuf/FunctionModel.expected
index 775ff25d939..8316180cba7 100644
--- a/ql/test/library-tests/semmle/go/frameworks/Protobuf/FunctionModel.expected
+++ b/ql/test/library-tests/semmle/go/frameworks/Protobuf/FunctionModel.expected
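Review bot: The narrowing of the `MergeFunction` input from `isParameter(_)` to `isParameter(1)` is a separate change from the `proto.Clone` fix the commit title describes, and nothing in the hunk records why only the second argument is a taint source. `proto.Merge(dst, src)` copies the fields of `src` into `dst`, so the remaining edge is the right one, and the dropped self-edge from parameter 0 to itself is what the removed `query2` → `definition of query2` row in FunctionModel.expected reflects. I would make that explicit on the predicate: `// proto.Merge(dst, src): taint flows from src (parameter 1) into dst (parameter 0); dst is never a source for itself.` The `MergeFunction` class header and any doc comment on it sit above the hunk.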
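Review bot: The doc comment kept as context above `MessageCloneFunction` still reads "The `Clone` method of a protobuf `Message` type", but the class now models the package-level function `proto.Clone`, which is exactly the misunderstanding the commit title corrects. It should be rewritten alongside the rename, e.g. `/** The top-level proto.Clone function: taint flows from its argument (parameter 0) to the returned copy. */`. Switching the base class from `DataFlow::FunctionModel` to `TaintTracking::FunctionModel` also drops the value-preserving step this model used to contribute; that is presumably intended, since Clone returns a fresh message rather than the same object, but it is worth a sentence in the commit description.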
@@ -3,10 +3,10 @@
 | proto.go:32:35:32:46 | reflectedXSS | proto.go:32:2:32:47 | ... := ...[0] |
 | proto.go:38:24:38:33 | serialized | proto.go:37:2:37:13 | definition of deserialized |
 | testDeprecatedApi.go:24:33:24:37 | query | testDeprecatedApi.go:24:2:24:38 | ... := ...[0] |
+| testDeprecatedApi.go:33:28:33:32 | query | testDeprecatedApi.go:33:16:33:33 | call to Clone |
 | testDeprecatedApi.go:35:33:35:42 | queryClone | testDeprecatedApi.go:35:2:35:43 | ... := ...[0] |
 | testDeprecatedApi.go:43:18:43:36 | untrustedSerialized | testDeprecatedApi.go:42:2:42:6 | definition of query |
 | testDeprecatedApi.go:51:18:51:36 | untrustedSerialized | testDeprecatedApi.go:50:2:50:6 | definition of query |
 | testDeprecatedApi.go:53:13:53:17 | query | testDeprecatedApi.go:53:13:53:34 | call to GetDescription |
-| testDeprecatedApi.go:61:14:61:19 | query2 | testDeprecatedApi.go:60:2:60:7 | definition of query2 |
 | testDeprecatedApi.go:61:22:61:27 | query1 | testDeprecatedApi.go:60:2:60:7 | definition of query2 |
 | testDeprecatedApi.go:63:33:63:38 | query2 | testDeprecatedApi.go:63:2:63:39 | ... := ...[0] |
diff --git a/ql/test/library-tests/semmle/go/frameworks/Protobuf/TaintFlows.expected b/ql/test/library-tests/semmle/go/frameworks/Protobuf/TaintFlows.expected
index b59461265d1..829d2e315b3 100644
--- a/ql/test/library-tests/semmle/go/frameworks/Protobuf/TaintFlows.expected
+++ b/ql/test/library-tests/semmle/go/frameworks/Protobuf/TaintFlows.expected
@@ -1,4 +1,5 @@
 | testDeprecatedApi.go:22:22:22:41 | call to getUntrustedString : string | testDeprecatedApi.go:26:12:26:21 | serialized |
+| testDeprecatedApi.go:31:22:31:41 | call to getUntrustedString : string | testDeprecatedApi.go:37:12:37:21 | serialized |
 | testDeprecatedApi.go:41:25:41:43 | call to getUntrustedBytes : slice type | testDeprecatedApi.go:45:13:45:29 | selection of Description |
 | testDeprecatedApi.go:49:25:49:43 | call to getUntrustedBytes : slice type | testDeprecatedApi.go:53:13:53:34 | call to GetDescription |
 | testDeprecatedApi.go:58:23:58:42 | call to getUntrustedString : string | testDeprecatedApi.go:65:12:65:21 | serialized |