Treat container flow as taint flow in localTaintStep

Author: owen-mc

go/ql/lib/semmle/go/dataflow/internal/DataFlowPrivate.qll

@@ -458,3 +458,13 @@ class ContentApprox = Unit;
 /** Gets an approximated value for content `c`. */
 pragma[inline]
 ContentApprox getContentApprox(Content c) { any() }
+
+/**
+ * Holds if the the content `c` is a container.
+ */
+predicate containerContent(ContentSet c) {
+  c instanceof ArrayContent or
+  c instanceof CollectionContent or
+  c instanceof MapKeyContent or
+  c instanceof MapValueContent
+}

go/ql/lib/semmle/go/dataflow/internal/TaintTrackingUtil.qll

@@ -27,11 +27,21 @@ predicate localExprTaint(Expr src, Expr sink) {
  * Holds if taint can flow in one local step from `src` to `sink`.
  */
 predicate localTaintStep(DataFlow::Node src, DataFlow::Node sink) {
-  DataFlow::localFlowStep(src, sink) or
-  localAdditionalTaintStep(src, sink, _) or
+  DataFlow::localFlowStep(src, sink)
+  or
+  localAdditionalTaintStep(src, sink, _)
+  or
   // Simple flow through library code is included in the exposed local
   // step relation, even though flow is technically inter-procedural
   FlowSummaryImpl::Private::Steps::summaryThroughStepTaint(src, sink, _)
+  or
+  // Treat container flow as taint for the local taint flow relation
+  exists(DataFlow::Content c | DataFlowPrivate::containerContent(c) |
+    DataFlowPrivate::readStep(src, c, sink) or
+    DataFlowPrivate::storeStep(src, c, sink) or
+    FlowSummaryImpl::Private::Steps::summaryGetterStep(src, c, sink, _) or
+    FlowSummaryImpl::Private::Steps::summarySetterStep(src, c, sink, _)
+  )
 }
 
 private Type getElementType(Type containerType) {

go/ql/test/library-tests/semmle/go/dataflow/FlowSteps/LocalTaintStep.expected

@@ -5,24 +5,36 @@
 | main.go:38:19:38:19 | 3 | main.go:38:7:38:20 | slice literal |
 | main.go:39:8:39:25 | []type{args} | main.go:39:8:39:25 | call to append |
 | main.go:39:15:39:15 | s | main.go:39:8:39:25 | call to append |
+| main.go:39:18:39:18 | 4 | main.go:39:8:39:25 | []type{args} |
+| main.go:39:21:39:21 | 5 | main.go:39:8:39:25 | []type{args} |
+| main.go:39:24:39:24 | 6 | main.go:39:8:39:25 | []type{args} |
 | main.go:40:15:40:15 | s | main.go:40:8:40:23 | call to append |
 | main.go:40:18:40:19 | s1 | main.go:40:8:40:23 | call to append |
 | main.go:42:10:42:11 | s4 | main.go:38:2:38:2 | definition of s |
 | main.go:47:20:47:21 | next key-value pair in range | main.go:47:2:50:2 | range statement[0] |
 | main.go:47:20:47:21 | next key-value pair in range | main.go:47:2:50:2 | range statement[1] |
 | main.go:47:20:47:21 | xs | main.go:47:2:50:2 | range statement[1] |
+| main.go:56:8:56:11 | true | main.go:56:2:56:3 | ch |
+| main.go:57:4:57:5 | ch | main.go:57:2:57:5 | <-... |
 | strings.go:9:24:9:24 | s | strings.go:9:8:9:38 | call to Replace |
 | strings.go:9:32:9:34 | "_" | strings.go:9:8:9:38 | call to Replace |
 | strings.go:10:27:10:27 | s | strings.go:10:8:10:42 | call to ReplaceAll |
 | strings.go:10:35:10:41 | "&amp;" | strings.go:10:8:10:42 | call to ReplaceAll |
+| strings.go:11:9:11:26 | []type{args} | strings.go:11:9:11:26 | call to Sprint |
 | strings.go:11:9:11:26 | call to Sprint | strings.go:11:9:11:50 | ...+... |
 | strings.go:11:9:11:50 | ...+... | strings.go:11:9:11:69 | ...+... |
+| strings.go:11:20:11:21 | s2 | strings.go:11:9:11:26 | []type{args} |
 | strings.go:11:20:11:21 | s2 | strings.go:11:9:11:26 | call to Sprint |
+| strings.go:11:24:11:25 | s3 | strings.go:11:9:11:26 | []type{args} |
 | strings.go:11:24:11:25 | s3 | strings.go:11:9:11:26 | call to Sprint |
+| strings.go:11:30:11:50 | []type{args} | strings.go:11:30:11:50 | call to Sprintf |
 | strings.go:11:30:11:50 | call to Sprintf | strings.go:11:9:11:50 | ...+... |
 | strings.go:11:42:11:45 | "%q" | strings.go:11:30:11:50 | call to Sprintf |
+| strings.go:11:48:11:49 | s2 | strings.go:11:30:11:50 | []type{args} |
 | strings.go:11:48:11:49 | s2 | strings.go:11:30:11:50 | call to Sprintf |
+| strings.go:11:54:11:69 | []type{args} | strings.go:11:54:11:69 | call to Sprintln |
 | strings.go:11:54:11:69 | call to Sprintln | strings.go:11:9:11:69 | ...+... |
+| strings.go:11:67:11:68 | s3 | strings.go:11:54:11:69 | []type{args} |
 | strings.go:11:67:11:68 | s3 | strings.go:11:54:11:69 | call to Sprintln |
 | url.go:12:14:12:48 | call to PathUnescape | url.go:12:3:12:48 | ... = ...[0] |
 | url.go:12:14:12:48 | call to PathUnescape | url.go:12:3:12:48 | ... = ...[1] |
@@ -39,17 +51,25 @@
 | url.go:27:9:27:30 | call to ParseRequestURI | url.go:27:2:27:30 | ... = ...[1] |
 | url.go:27:29:27:29 | s | url.go:27:2:27:30 | ... = ...[0] |
 | url.go:28:14:28:14 | u | url.go:28:14:28:28 | call to EscapedPath |
+| url.go:28:14:28:28 | call to EscapedPath | url.go:28:2:28:29 | []type{args} |
 | url.go:29:14:29:14 | u | url.go:29:14:29:25 | call to Hostname |
+| url.go:29:14:29:25 | call to Hostname | url.go:29:2:29:26 | []type{args} |
 | url.go:30:11:30:11 | u | url.go:30:2:30:27 | ... := ...[0] |
 | url.go:30:11:30:27 | call to MarshalBinary | url.go:30:2:30:27 | ... := ...[0] |
 | url.go:30:11:30:27 | call to MarshalBinary | url.go:30:2:30:27 | ... := ...[1] |
+| url.go:31:2:31:16 | []type{args} | url.go:30:2:30:3 | definition of bs |
+| url.go:31:14:31:15 | bs | url.go:31:2:31:16 | []type{args} |
 | url.go:32:9:32:9 | u | url.go:32:2:32:23 | ... = ...[0] |
 | url.go:32:9:32:23 | call to Parse | url.go:32:2:32:23 | ... = ...[0] |
 | url.go:32:9:32:23 | call to Parse | url.go:32:2:32:23 | ... = ...[1] |
 | url.go:32:17:32:22 | "/foo" | url.go:32:2:32:23 | ... = ...[0] |
 | url.go:33:14:33:14 | u | url.go:33:14:33:21 | call to Port |
+| url.go:33:14:33:21 | call to Port | url.go:33:2:33:22 | []type{args} |
+| url.go:34:2:34:23 | []type{args} | url.go:34:14:34:22 | call to Query |
 | url.go:34:14:34:14 | u | url.go:34:14:34:22 | call to Query |
+| url.go:34:14:34:22 | call to Query | url.go:34:2:34:23 | []type{args} |
 | url.go:35:14:35:14 | u | url.go:35:14:35:27 | call to RequestURI |
+| url.go:35:14:35:27 | call to RequestURI | url.go:35:2:35:28 | []type{args} |
 | url.go:36:6:36:6 | u | url.go:36:6:36:26 | call to ResolveReference |
 | url.go:36:25:36:25 | u | url.go:36:6:36:26 | call to ResolveReference |
 | url.go:41:17:41:20 | "me" | url.go:41:8:41:21 | call to User |
@@ -58,27 +78,35 @@
 | url.go:43:11:43:12 | ui | url.go:43:2:43:23 | ... := ...[0] |
 | url.go:43:11:43:23 | call to Password | url.go:43:2:43:23 | ... := ...[0] |
 | url.go:43:11:43:23 | call to Password | url.go:43:2:43:23 | ... := ...[1] |
+| url.go:44:14:44:15 | pw | url.go:44:2:44:16 | []type{args} |
 | url.go:45:14:45:15 | ui | url.go:45:14:45:26 | call to Username |
+| url.go:45:14:45:26 | call to Username | url.go:45:2:45:27 | []type{args} |
 | url.go:50:10:50:26 | call to ParseQuery | url.go:50:2:50:26 | ... := ...[0] |
 | url.go:50:10:50:26 | call to ParseQuery | url.go:50:2:50:26 | ... := ...[1] |
 | url.go:50:25:50:25 | q | url.go:50:2:50:26 | ... := ...[0] |
 | url.go:51:14:51:14 | v | url.go:51:14:51:23 | call to Encode |
+| url.go:51:14:51:23 | call to Encode | url.go:51:2:51:24 | []type{args} |
 | url.go:52:14:52:14 | v | url.go:52:14:52:26 | call to Get |
+| url.go:52:14:52:26 | call to Get | url.go:52:2:52:27 | []type{args} |
 | url.go:57:16:57:39 | call to JoinPath | url.go:57:2:57:39 | ... := ...[0] |
 | url.go:57:16:57:39 | call to JoinPath | url.go:57:2:57:39 | ... := ...[1] |
 | url.go:57:29:57:29 | q | url.go:57:2:57:39 | ... := ...[0] |
 | url.go:57:32:57:38 | "clean" | url.go:57:2:57:39 | ... := ...[0] |
+| url.go:57:32:57:38 | "clean" | url.go:57:16:57:39 | []type{args} |
 | url.go:58:16:58:45 | call to JoinPath | url.go:58:2:58:45 | ... := ...[0] |
 | url.go:58:16:58:45 | call to JoinPath | url.go:58:2:58:45 | ... := ...[1] |
 | url.go:58:29:58:35 | "clean" | url.go:58:2:58:45 | ... := ...[0] |
 | url.go:58:38:58:44 | joined1 | url.go:58:2:58:45 | ... := ...[0] |
+| url.go:58:38:58:44 | joined1 | url.go:58:16:58:45 | []type{args} |
 | url.go:59:14:59:31 | call to Parse | url.go:59:2:59:31 | ... := ...[0] |
 | url.go:59:14:59:31 | call to Parse | url.go:59:2:59:31 | ... := ...[1] |
 | url.go:59:24:59:30 | joined2 | url.go:59:2:59:31 | ... := ...[0] |
 | url.go:60:15:60:19 | asUrl | url.go:60:15:60:37 | call to JoinPath |
+| url.go:60:30:60:36 | "clean" | url.go:60:15:60:37 | []type{args} |
 | url.go:60:30:60:36 | "clean" | url.go:60:15:60:37 | call to JoinPath |
 | url.go:65:17:65:48 | call to Parse | url.go:65:2:65:48 | ... := ...[0] |
 | url.go:65:17:65:48 | call to Parse | url.go:65:2:65:48 | ... := ...[1] |
 | url.go:65:27:65:47 | "http://harmless.org" | url.go:65:2:65:48 | ... := ...[0] |
 | url.go:66:9:66:16 | cleanUrl | url.go:66:9:66:28 | call to JoinPath |
+| url.go:66:27:66:27 | q | url.go:66:9:66:28 | []type{args} |
 | url.go:66:27:66:27 | q | url.go:66:9:66:28 | call to JoinPath |

go/ql/test/library-tests/semmle/go/frameworks/TaintSteps/TaintStep.expected

@@ -10,9 +10,13 @@ invalidModelRow
 | io.go:14:31:14:43 | "some string" | io.go:14:13:14:44 | call to NewReader |
 | io.go:16:3:16:3 | definition of w | io.go:16:23:16:27 | &... |
 | io.go:16:3:16:3 | definition of w | io.go:16:30:16:34 | &... |
+| io.go:16:8:16:35 | []type{args} | io.go:16:23:16:27 | &... |
+| io.go:16:8:16:35 | []type{args} | io.go:16:30:16:34 | &... |
 | io.go:16:23:16:27 | &... | io.go:15:7:15:10 | definition of buf1 |
+| io.go:16:23:16:27 | &... | io.go:16:8:16:35 | []type{args} |
 | io.go:16:24:16:27 | buf1 | io.go:16:23:16:27 | &... |
 | io.go:16:30:16:34 | &... | io.go:15:13:15:16 | definition of buf2 |
+| io.go:16:30:16:34 | &... | io.go:16:8:16:35 | []type{args} |
 | io.go:16:31:16:34 | buf2 | io.go:16:30:16:34 | &... |
 | io.go:18:14:18:19 | reader | io.go:16:3:16:3 | definition of w |
 | io.go:22:31:22:43 | "some string" | io.go:22:13:22:44 | call to NewReader |
@@ -27,8 +31,10 @@ invalidModelRow
 | io.go:39:11:39:19 | call to Pipe | io.go:39:3:39:19 | ... := ...[0] |
 | io.go:39:11:39:19 | call to Pipe | io.go:39:3:39:19 | ... := ...[1] |
 | io.go:40:17:40:31 | "some string\\n" | io.go:39:6:39:6 | definition of w |
+| io.go:40:17:40:31 | "some string\\n" | io.go:40:3:40:32 | []type{args} |
 | io.go:43:16:43:16 | r | io.go:42:3:42:5 | definition of buf |
 | io.go:44:13:44:15 | buf | io.go:44:13:44:24 | call to String |
+| io.go:44:13:44:24 | call to String | io.go:44:3:44:25 | []type{args} |
 | io.go:48:31:48:43 | "some string" | io.go:48:13:48:44 | call to NewReader |
 | io.go:50:18:50:23 | reader | io.go:49:3:49:5 | definition of buf |
 | io.go:54:31:54:43 | "some string" | io.go:54:13:54:44 | call to NewReader |
@@ -46,8 +52,14 @@ invalidModelRow
 | io.go:82:27:82:36 | "reader1 " | io.go:82:9:82:37 | call to NewReader |
 | io.go:83:27:83:36 | "reader2 " | io.go:83:9:83:37 | call to NewReader |
 | io.go:84:27:84:35 | "reader3" | io.go:84:9:84:36 | call to NewReader |
+| io.go:85:8:85:33 | []type{args} | io.go:82:3:82:4 | definition of r1 |
+| io.go:85:8:85:33 | []type{args} | io.go:83:3:83:4 | definition of r2 |
+| io.go:85:8:85:33 | []type{args} | io.go:84:3:84:4 | definition of r3 |
+| io.go:85:23:85:24 | r1 | io.go:85:8:85:33 | []type{args} |
 | io.go:85:23:85:24 | r1 | io.go:85:8:85:33 | call to MultiReader |
+| io.go:85:27:85:28 | r2 | io.go:85:8:85:33 | []type{args} |
 | io.go:85:27:85:28 | r2 | io.go:85:8:85:33 | call to MultiReader |
+| io.go:85:31:85:32 | r3 | io.go:85:8:85:33 | []type{args} |
 | io.go:85:31:85:32 | r3 | io.go:85:8:85:33 | call to MultiReader |
 | io.go:86:22:86:22 | r | io.go:86:11:86:19 | selection of Stdout |
 | io.go:89:26:89:38 | "some string" | io.go:89:8:89:39 | call to NewReader |