Convert old-style models for built-ins to MaD

owen-mc · owen-mc · commit 700604a1c268 · 2024-06-11T16:16:45.000+01:00
These models are to cover the special cases where `append` can be used
with a second argument which is a string followed by `...`, and `copy`
can be used with a second argument which is a string. In this case the
taint is carried by the whole string, rather than in array elements.
diff --git a/go/ql/lib/ext/builtin.model.yml b/go/ql/lib/ext/builtin.model.yml
@@ -3,8 +3,11 @@ extensions:
       pack: codeql/go-all
       extensible: summaryModel
     data:
+      - ["", "", False, "append", "", "", "Argument[0]", "ReturnValue", "taint", "manual"] # special case for when arg[0] has core type []byte and second argument has core type bytestring and is followed by ...
       - ["", "", False, "append", "", "", "Argument[0].ArrayElement", "ReturnValue.ArrayElement", "value", "manual"]
+      - ["", "", False, "append", "", "", "Argument[1]", "ReturnValue", "taint", "manual"] # special case for when arg[0] has core type []byte and second argument has core type bytestring and is followed by ...
       - ["", "", False, "append", "", "", "Argument[1].ArrayElement", "ReturnValue.ArrayElement", "value", "manual"]
+      - ["", "", False, "copy", "", "", "Argument[1]", "Argument[0]", "taint", "manual"] # special case for when arg[0] has core type []byte and second argument has core type bytestring
       - ["", "", False, "copy", "", "", "Argument[1].ArrayElement", "Argument[0].ArrayElement", "value", "manual"]
       - ["", "", False, "max", "", "", "Argument[0..1000]", "ReturnValue", "value", "manual"]
       - ["", "", False, "min", "", "", "Argument[0..1000]", "ReturnValue", "value", "manual"]
diff --git a/go/ql/lib/semmle/go/frameworks/Stdlib.qll b/go/ql/lib/semmle/go/frameworks/Stdlib.qll
@@ -44,30 +44,6 @@ import semmle.go.frameworks.stdlib.TextTabwriter
 import semmle.go.frameworks.stdlib.TextTemplate
 import semmle.go.frameworks.stdlib.Unsafe
 
-/**
- * A model of the built-in `append` function, which propagates taint from its arguments to its
- * result.
- */
-private class AppendFunction extends TaintTracking::FunctionModel {
-  AppendFunction() { this = Builtin::append() }
-
-  override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) {
-    inp.isParameter(_) and outp.isResult()
-  }
-}
-
-/**
- * A model of the built-in `copy` function, which propagates taint from its second argument
- * to its first.
- */
-private class CopyFunction extends TaintTracking::FunctionModel {
-  CopyFunction() { this = Builtin::copy() }
-
-  override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) {
-    inp.isParameter(1) and outp.isParameter(0)
-  }
-}
-
 /** Provides a class for modeling functions which convert strings into integers. */
 module IntegerParser {
   /**
