Add test for json-iterator package, and support more of its API

Specifically the top-level functions Unmarshal and UnmarshalFromString are just convenience wrappers around the type API, which is the usual documented way to use the library.

Author: smowton

ql/src/semmle/go/frameworks/Encoding.qll

@@ -1,14 +1,19 @@
 /**
- * Provides classes modelling taint propagation through the `json-iterator` package.
+ * Provides classes modelling taint propagation through marshalling and encoding functions.
  */
 
 import go
 
-/** Models json-iterator's Unmarshal function, propagating taint from the JSON input to the decoded object. */
+/** A model of json-iterator's `Unmarshal` function, propagating taint from the JSON input to the decoded object. */
 private class JsonIteratorUnmarshalFunction extends TaintTracking::FunctionModel,
   UnmarshalingFunction::Range {
   JsonIteratorUnmarshalFunction() {
-    this.hasQualifiedName("github.com/json-iterator/go", "Unmarshal")
+    this.hasQualifiedName("github.com/json-iterator/go", ["Unmarshal", "UnmarshalFromString"])
+    or
+    exists(Method m |
+      m.hasQualifiedName("github.com/json-iterator/go", "API", ["Unmarshal", "UnmarshalFromString"]) and
+      this.(Method).implements(m)
+    )
   }
 
   override DataFlow::FunctionInput getAnInput() { result.isParameter(0) }

ql/test/library-tests/semmle/go/frameworks/Encoding/go.mod

@@ -0,0 +1,7 @@
+module jsonittest
+
+go 1.14
+
+require (
+	github.com/json-iterator/go v1.1.10
+)

ql/test/library-tests/semmle/go/frameworks/Encoding/jsoniter.expected

@@ -0,0 +1,4 @@
+| jsoniter.go:28:15:28:24 | selection of field | jsoniter.go:23:20:23:38 | call to getUntrustedBytes : slice type | jsoniter.go:28:15:28:24 | selection of field | This command depends on $@. | jsoniter.go:23:20:23:38 | call to getUntrustedBytes | a user-provided value |
+| jsoniter.go:32:15:32:25 | selection of field | jsoniter.go:23:20:23:38 | call to getUntrustedBytes : slice type | jsoniter.go:32:15:32:25 | selection of field | This command depends on $@. | jsoniter.go:23:20:23:38 | call to getUntrustedBytes | a user-provided value |
+| jsoniter.go:36:15:36:25 | selection of field | jsoniter.go:24:21:24:40 | call to getUntrustedString : string | jsoniter.go:36:15:36:25 | selection of field | This command depends on $@. | jsoniter.go:24:21:24:40 | call to getUntrustedString | a user-provided value |
+| jsoniter.go:40:15:40:25 | selection of field | jsoniter.go:24:21:24:40 | call to getUntrustedString : string | jsoniter.go:40:15:40:25 | selection of field | This command depends on $@. | jsoniter.go:24:21:24:40 | call to getUntrustedString | a user-provided value |

ql/test/library-tests/semmle/go/frameworks/Encoding/jsoniter.go

@@ -0,0 +1,42 @@
+package jsonittest
+
+import (
+	jsoniter "github.com/json-iterator/go"
+	"os/exec"
+)
+
+func getUntrustedString() string {
+	return "trouble"
+}
+
+func getUntrustedBytes() []byte {
+	return []byte{}
+}
+
+type myData struct {
+	field string
+}
+
+func main() {
+
+	var json = jsoniter.ExampleConfig{}
+	untrustedInput := getUntrustedBytes()
+	untrustedString := getUntrustedString()
+
+	data := myData{}
+	json.Unmarshal(untrustedInput, &data)
+	exec.Command(data.field)
+
+	data2 := myData{}
+	jsoniter.Unmarshal(untrustedInput, &data2)
+	exec.Command(data2.field)
+
+	data3 := myData{}
+	json.UnmarshalFromString(untrustedString, &data3)
+	exec.Command(data3.field)
+
+	data4 := myData{}
+	jsoniter.UnmarshalFromString(untrustedString, &data4)
+	exec.Command(data4.field)
+
+}

ql/test/library-tests/semmle/go/frameworks/Encoding/jsoniter.ql

@@ -0,0 +1,15 @@
+import go
+import semmle.go.security.CommandInjection
+
+class UntrustedFunction extends Function {
+  UntrustedFunction() { this.getName() = ["getUntrustedString", "getUntrustedBytes"] }
+}
+
+class UntrustedSource extends DataFlow::Node, UntrustedFlowSource::Range {
+  UntrustedSource() { this = any(UntrustedFunction f).getACall() }
+}
+
+from CommandInjection::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where cfg.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "This command depends on $@.", source.getNode(),
+  "a user-provided value"