Merge branch 'standard-lib-pt-12' into stdlib-339-340-342-346-347

Author: gagliardetto

ql/src/semmle/go/frameworks/Stdlib.qll

@@ -38,6 +38,8 @@ import semmle.go.frameworks.stdlib.NetHttpHttputil
 import semmle.go.frameworks.stdlib.NetMail
 import semmle.go.frameworks.stdlib.NetTextproto
 import semmle.go.frameworks.stdlib.Log
+import semmle.go.frameworks.stdlib.Io
+import semmle.go.frameworks.stdlib.IoIoutil
 import semmle.go.frameworks.stdlib.Path
 import semmle.go.frameworks.stdlib.PathFilepath
 import semmle.go.frameworks.stdlib.Reflect
@@ -89,255 +91,6 @@ private class CopyFunction extends TaintTracking::FunctionModel {
   }
 }
 
-/** Provides models of commonly used functions in the `io` package. */
-module Io {
-  private class Copy extends TaintTracking::FunctionModel {
-    Copy() {
-      // func Copy(dst Writer, src Reader) (written int64, err error)
-      // func CopyBuffer(dst Writer, src Reader, buf []byte) (written int64, err error)
-      // func CopyN(dst Writer, src Reader, n int64) (written int64, err error)
-      hasQualifiedName("io", "Copy") or
-      hasQualifiedName("io", "CopyBuffer") or
-      hasQualifiedName("io", "CopyN")
-    }
-
-    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-      input.isParameter(1) and output.isParameter(0)
-    }
-  }
-
-  private class Pipe extends TaintTracking::FunctionModel {
-    Pipe() {
-      // func Pipe() (*PipeReader, *PipeWriter)
-      hasQualifiedName("io", "Pipe")
-    }
-
-    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-      input.isResult(0) and output.isResult(1)
-    }
-  }
-
-  private class ReadAtLeast extends TaintTracking::FunctionModel {
-    ReadAtLeast() {
-      // func ReadAtLeast(r Reader, buf []byte, min int) (n int, err error)
-      // func ReadFull(r Reader, buf []byte) (n int, err error)
-      hasQualifiedName("io", "ReadAtLeast") or
-      hasQualifiedName("io", "ReadFull")
-    }
-
-    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-      input.isParameter(0) and output.isParameter(1)
-    }
-  }
-
-  private class WriteString extends TaintTracking::FunctionModel {
-    WriteString() {
-      // func WriteString(w Writer, s string) (n int, err error)
-      this.hasQualifiedName("io", "WriteString")
-    }
-
-    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-      input.isParameter(1) and output.isParameter(0)
-    }
-  }
-
-  private class ByteReaderReadByte extends TaintTracking::FunctionModel, Method {
-    ByteReaderReadByte() {
-      // func ReadByte() (byte, error)
-      this.implements("io", "ByteReader", "ReadByte")
-    }
-
-    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-      input.isReceiver() and output.isResult(0)
-    }
-  }
-
-  private class ByteWriterWriteByte extends TaintTracking::FunctionModel, Method {
-    ByteWriterWriteByte() {
-      // func WriteByte(c byte) error
-      this.implements("io", "ByteWriter", "WriteByte")
-    }
-
-    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-      input.isParameter(0) and output.isReceiver()
-    }
-  }
-
-  private class ReaderRead extends TaintTracking::FunctionModel, Method {
-    ReaderRead() {
-      // func Read(p []byte) (n int, err error)
-      this.implements("io", "Reader", "Read")
-    }
-
-    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-      input.isReceiver() and output.isParameter(0)
-    }
-  }
-
-  private class LimitReader extends TaintTracking::FunctionModel {
-    LimitReader() {
-      // func LimitReader(r Reader, n int64) Reader
-      this.hasQualifiedName("io", "LimitReader")
-    }
-
-    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-      input.isParameter(0) and output.isResult()
-    }
-  }
-
-  private class MultiReader extends TaintTracking::FunctionModel {
-    MultiReader() {
-      // func MultiReader(readers ...Reader) Reader
-      this.hasQualifiedName("io", "MultiReader")
-    }
-
-    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-      input.isParameter(_) and output.isResult()
-    }
-  }
-
-  private class TeeReader extends TaintTracking::FunctionModel {
-    TeeReader() {
-      // func TeeReader(r Reader, w Writer) Reader
-      this.hasQualifiedName("io", "TeeReader")
-    }
-
-    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-      input.isParameter(0) and output.isResult()
-      or
-      input.isParameter(0) and output.isParameter(1)
-    }
-  }
-
-  private class ReaderAtReadAt extends TaintTracking::FunctionModel, Method {
-    ReaderAtReadAt() {
-      // func ReadAt(p []byte, off int64) (n int, err error)
-      this.implements("io", "ReaderAt", "ReadAt")
-    }
-
-    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-      input.isReceiver() and output.isParameter(0)
-    }
-  }
-
-  private class ReaderFromReadFrom extends TaintTracking::FunctionModel, Method {
-    ReaderFromReadFrom() {
-      // func ReadFrom(r Reader) (n int64, err error)
-      this.implements("io", "ReaderFrom", "ReadFrom")
-    }
-
-    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-      input.isParameter(0) and output.isReceiver()
-    }
-  }
-
-  private class RuneReaderReadRune extends TaintTracking::FunctionModel, Method {
-    RuneReaderReadRune() {
-      // func ReadRune() (r rune, size int, err error)
-      this.implements("io", "RuneReader", "ReadRune")
-    }
-
-    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-      input.isReceiver() and output.isResult(0)
-    }
-  }
-
-  private class NewSectionReader extends TaintTracking::FunctionModel {
-    NewSectionReader() {
-      // func NewSectionReader(r ReaderAt, off int64, n int64) *SectionReader
-      this.hasQualifiedName("io", "NewSectionReader")
-    }
-
-    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-      input.isParameter(0) and output.isResult()
-    }
-  }
-
-  private class StringWriterWriteString extends TaintTracking::FunctionModel, Method {
-    StringWriterWriteString() {
-      // func WriteString(s string) (n int, err error)
-      this.implements("io", "StringWriter", "WriteString")
-    }
-
-    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-      input.isParameter(0) and output.isReceiver()
-    }
-  }
-
-  private class WriterWrite extends TaintTracking::FunctionModel, Method {
-    WriterWrite() {
-      // func Write(p []byte) (n int, err error)
-      this.implements("io", "Writer", "Write")
-    }
-
-    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-      input.isParameter(0) and output.isReceiver()
-    }
-  }
-
-  private class MultiWriter extends TaintTracking::FunctionModel {
-    MultiWriter() {
-      // func MultiWriter(writers ...Writer) Writer
-      hasQualifiedName("io", "MultiWriter")
-    }
-
-    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-      input.isResult() and output.isParameter(_)
-    }
-  }
-
-  private class WriterAtWriteAt extends TaintTracking::FunctionModel, Method {
-    WriterAtWriteAt() {
-      // func WriteAt(p []byte, off int64) (n int, err error)
-      this.implements("io", "WriterAt", "WriteAt")
-    }
-
-    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-      input.isParameter(0) and output.isReceiver()
-    }
-  }
-
-  private class WriterToWriteTo extends TaintTracking::FunctionModel, Method {
-    WriterToWriteTo() {
-      // func WriteTo(w Writer) (n int64, err error)
-      this.implements("io", "WriterTo", "WriteTo")
-    }
-
-    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-      input.isReceiver() and output.isParameter(0)
-    }
-  }
-}
-
-/** Provides models of commonly used functions in the `io/ioutil` package. */
-module IoUtil {
-  private class IoUtilFileSystemAccess extends FileSystemAccess::Range, DataFlow::CallNode {
-    IoUtilFileSystemAccess() {
-      exists(string fn | getTarget().hasQualifiedName("io/ioutil", fn) |
-        fn = "ReadDir" or
-        fn = "ReadFile" or
-        fn = "TempDir" or
-        fn = "TempFile" or
-        fn = "WriteFile"
-      )
-    }
-
-    override DataFlow::Node getAPathArgument() { result = getAnArgument() }
-  }
-
-  /**
-   * A taint model of the `ioutil.ReadAll` function, recording that it propagates taint
-   * from its first argument to its first result.
-   */
-  private class ReadAll extends TaintTracking::FunctionModel {
-    ReadAll() { hasQualifiedName("io/ioutil", "ReadAll") }
-
-    override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) {
-      inp.isParameter(0) and outp.isResult(0)
-    }
-  }
-}
-
 /** Provides a class for modeling functions which convert strings into integers. */
 module IntegerParser {
   /**

ql/src/semmle/go/frameworks/stdlib/Io.qll

@@ -0,0 +1,109 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `io` package.
+ */
+
+import go
+
+/** Provides models of commonly used functions in the `io` package. */
+module Io {
+  private class FunctionModels extends TaintTracking::FunctionModel {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    FunctionModels() {
+      // signature: func Copy(dst Writer, src Reader) (written int64, err error)
+      hasQualifiedName("io", "Copy") and
+      (inp.isParameter(1) and outp.isParameter(0))
+      or
+      // signature: func CopyBuffer(dst Writer, src Reader, buf []byte) (written int64, err error)
+      hasQualifiedName("io", "CopyBuffer") and
+      (inp.isParameter(1) and outp.isParameter(0))
+      or
+      // signature: func CopyN(dst Writer, src Reader, n int64) (written int64, err error)
+      hasQualifiedName("io", "CopyN") and
+      (inp.isParameter(1) and outp.isParameter(0))
+      or
+      // signature: func LimitReader(r Reader, n int64) Reader
+      hasQualifiedName("io", "LimitReader") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func MultiReader(readers ...Reader) Reader
+      hasQualifiedName("io", "MultiReader") and
+      (inp.isParameter(_) and outp.isResult())
+      or
+      // signature: func MultiWriter(writers ...Writer) Writer
+      hasQualifiedName("io", "MultiWriter") and
+      (inp.isResult() and outp.isParameter(_))
+      or
+      // signature: func NewSectionReader(r ReaderAt, off int64, n int64) *SectionReader
+      hasQualifiedName("io", "NewSectionReader") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func Pipe() (*PipeReader, *PipeWriter)
+      hasQualifiedName("io", "Pipe") and
+      (inp.isResult(1) and outp.isResult(0))
+      or
+      // signature: func ReadAtLeast(r Reader, buf []byte, min int) (n int, err error)
+      hasQualifiedName("io", "ReadAtLeast") and
+      (inp.isParameter(0) and outp.isParameter(1))
+      or
+      // signature: func ReadFull(r Reader, buf []byte) (n int, err error)
+      hasQualifiedName("io", "ReadFull") and
+      (inp.isParameter(0) and outp.isParameter(1))
+      or
+      // signature: func TeeReader(r Reader, w Writer) Reader
+      hasQualifiedName("io", "TeeReader") and
+      (
+        inp.isParameter(0) and
+        (outp.isParameter(1) or outp.isResult())
+      )
+      or
+      // signature: func WriteString(w Writer, s string) (n int, err error)
+      hasQualifiedName("io", "WriteString") and
+      (inp.isParameter(1) and outp.isParameter(0))
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+
+  private class MethodModels extends TaintTracking::FunctionModel, Method {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    MethodModels() {
+      // signature: func (Reader).Read(p []byte) (n int, err error)
+      this.implements("io", "Reader", "Read") and
+      (inp.isReceiver() and outp.isParameter(0))
+      or
+      // signature: func (ReaderAt).ReadAt(p []byte, off int64) (n int, err error)
+      this.implements("io", "ReaderAt", "ReadAt") and
+      (inp.isReceiver() and outp.isParameter(0))
+      or
+      // signature: func (ReaderFrom).ReadFrom(r Reader) (n int64, err error)
+      this.implements("io", "ReaderFrom", "ReadFrom") and
+      (inp.isParameter(0) and outp.isReceiver())
+      or
+      // signature: func (Writer).Write(p []byte) (n int, err error)
+      this.implements("io", "Writer", "Write") and
+      (inp.isParameter(0) and outp.isReceiver())
+      or
+      // signature: func (WriterAt).WriteAt(p []byte, off int64) (n int, err error)
+      this.implements("io", "WriterAt", "WriteAt") and
+      (inp.isParameter(0) and outp.isReceiver())
+      or
+      // signature: func (StringWriter).WriteString(s string) (n int, err error)
+      this.implements("io", "StringWriter", "WriteString") and
+      (inp.isParameter(0) and outp.isReceiver())
+      or
+      // signature: func (WriterTo).WriteTo(w Writer) (n int64, err error)
+      this.implements("io", "WriterTo", "WriteTo") and
+      (inp.isReceiver() and outp.isParameter(0))
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+}