Move to stdlib, extend and refactor the Io module

Author: gagliardetto

ql/src/semmle/go/frameworks/Stdlib.qll

@@ -29,6 +29,7 @@ import semmle.go.frameworks.stdlib.EncodingPem
 import semmle.go.frameworks.stdlib.EncodingXml
 import semmle.go.frameworks.stdlib.Html
 import semmle.go.frameworks.stdlib.HtmlTemplate
+import semmle.go.frameworks.stdlib.Io
 import semmle.go.frameworks.stdlib.Path
 import semmle.go.frameworks.stdlib.PathFilepath
 import semmle.go.frameworks.stdlib.Reflect
@@ -145,226 +146,6 @@ module Fmt {
   }
 }
 
-/** Provides models of commonly used functions in the `io` package. */
-module Io {
-  private class Copy extends TaintTracking::FunctionModel {
-    Copy() {
-      // func Copy(dst Writer, src Reader) (written int64, err error)
-      // func CopyBuffer(dst Writer, src Reader, buf []byte) (written int64, err error)
-      // func CopyN(dst Writer, src Reader, n int64) (written int64, err error)
-      hasQualifiedName("io", "Copy") or
-      hasQualifiedName("io", "CopyBuffer") or
-      hasQualifiedName("io", "CopyN")
-    }
-
-    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-      input.isParameter(1) and output.isParameter(0)
-    }
-  }
-
-  private class Pipe extends TaintTracking::FunctionModel {
-    Pipe() {
-      // func Pipe() (*PipeReader, *PipeWriter)
-      hasQualifiedName("io", "Pipe")
-    }
-
-    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-      input.isResult(0) and output.isResult(1)
-    }
-  }
-
-  private class ReadAtLeast extends TaintTracking::FunctionModel {
-    ReadAtLeast() {
-      // func ReadAtLeast(r Reader, buf []byte, min int) (n int, err error)
-      // func ReadFull(r Reader, buf []byte) (n int, err error)
-      hasQualifiedName("io", "ReadAtLeast") or
-      hasQualifiedName("io", "ReadFull")
-    }
-
-    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-      input.isParameter(0) and output.isParameter(1)
-    }
-  }
-
-  private class WriteString extends TaintTracking::FunctionModel {
-    WriteString() {
-      // func WriteString(w Writer, s string) (n int, err error)
-      this.hasQualifiedName("io", "WriteString")
-    }
-
-    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-      input.isParameter(1) and output.isParameter(0)
-    }
-  }
-
-  private class ByteReaderReadByte extends TaintTracking::FunctionModel, Method {
-    ByteReaderReadByte() {
-      // func ReadByte() (byte, error)
-      this.implements("io", "ByteReader", "ReadByte")
-    }
-
-    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-      input.isReceiver() and output.isResult(0)
-    }
-  }
-
-  private class ByteWriterWriteByte extends TaintTracking::FunctionModel, Method {
-    ByteWriterWriteByte() {
-      // func WriteByte(c byte) error
-      this.implements("io", "ByteWriter", "WriteByte")
-    }
-
-    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-      input.isParameter(0) and output.isReceiver()
-    }
-  }
-
-  private class ReaderRead extends TaintTracking::FunctionModel, Method {
-    ReaderRead() {
-      // func Read(p []byte) (n int, err error)
-      this.implements("io", "Reader", "Read")
-    }
-
-    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-      input.isReceiver() and output.isParameter(0)
-    }
-  }
-
-  private class LimitReader extends TaintTracking::FunctionModel {
-    LimitReader() {
-      // func LimitReader(r Reader, n int64) Reader
-      this.hasQualifiedName("io", "LimitReader")
-    }
-
-    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-      input.isParameter(0) and output.isResult()
-    }
-  }
-
-  private class MultiReader extends TaintTracking::FunctionModel {
-    MultiReader() {
-      // func MultiReader(readers ...Reader) Reader
-      this.hasQualifiedName("io", "MultiReader")
-    }
-
-    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-      input.isParameter(_) and output.isResult()
-    }
-  }
-
-  private class TeeReader extends TaintTracking::FunctionModel {
-    TeeReader() {
-      // func TeeReader(r Reader, w Writer) Reader
-      this.hasQualifiedName("io", "TeeReader")
-    }
-
-    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-      input.isParameter(0) and output.isResult()
-      or
-      input.isParameter(0) and output.isParameter(1)
-    }
-  }
-
-  private class ReaderAtReadAt extends TaintTracking::FunctionModel, Method {
-    ReaderAtReadAt() {
-      // func ReadAt(p []byte, off int64) (n int, err error)
-      this.implements("io", "ReaderAt", "ReadAt")
-    }
-
-    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-      input.isReceiver() and output.isParameter(0)
-    }
-  }
-
-  private class ReaderFromReadFrom extends TaintTracking::FunctionModel, Method {
-    ReaderFromReadFrom() {
-      // func ReadFrom(r Reader) (n int64, err error)
-      this.implements("io", "ReaderFrom", "ReadFrom")
-    }
-
-    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-      input.isParameter(0) and output.isReceiver()
-    }
-  }
-
-  private class RuneReaderReadRune extends TaintTracking::FunctionModel, Method {
-    RuneReaderReadRune() {
-      // func ReadRune() (r rune, size int, err error)
-      this.implements("io", "RuneReader", "ReadRune")
-    }
-
-    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-      input.isReceiver() and output.isResult(0)
-    }
-  }
-
-  private class NewSectionReader extends TaintTracking::FunctionModel {
-    NewSectionReader() {
-      // func NewSectionReader(r ReaderAt, off int64, n int64) *SectionReader
-      this.hasQualifiedName("io", "NewSectionReader")
-    }
-
-    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-      input.isParameter(0) and output.isResult()
-    }
-  }
-
-  private class StringWriterWriteString extends TaintTracking::FunctionModel, Method {
-    StringWriterWriteString() {
-      // func WriteString(s string) (n int, err error)
-      this.implements("io", "StringWriter", "WriteString")
-    }
-
-    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-      input.isParameter(0) and output.isReceiver()
-    }
-  }
-
-  private class WriterWrite extends TaintTracking::FunctionModel, Method {
-    WriterWrite() {
-      // func Write(p []byte) (n int, err error)
-      this.implements("io", "Writer", "Write")
-    }
-
-    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-      input.isParameter(0) and output.isReceiver()
-    }
-  }
-
-  private class MultiWriter extends TaintTracking::FunctionModel {
-    MultiWriter() {
-      // func MultiWriter(writers ...Writer) Writer
-      hasQualifiedName("io", "MultiWriter")
-    }
-
-    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-      input.isResult() and output.isParameter(_)
-    }
-  }
-
-  private class WriterAtWriteAt extends TaintTracking::FunctionModel, Method {
-    WriterAtWriteAt() {
-      // func WriteAt(p []byte, off int64) (n int, err error)
-      this.implements("io", "WriterAt", "WriteAt")
-    }
-
-    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-      input.isParameter(0) and output.isReceiver()
-    }
-  }
-
-  private class WriterToWriteTo extends TaintTracking::FunctionModel, Method {
-    WriterToWriteTo() {
-      // func WriteTo(w Writer) (n int64, err error)
-      this.implements("io", "WriterTo", "WriteTo")
-    }
-
-    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-      input.isReceiver() and output.isParameter(0)
-    }
-  }
-}
-
 /** Provides models of commonly used functions in the `io/ioutil` package. */
 module IoUtil {
   private class IoUtilFileSystemAccess extends FileSystemAccess::Range, DataFlow::CallNode {

ql/src/semmle/go/frameworks/stdlib/Io.qll

@@ -0,0 +1,129 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `io` package.
+ */
+
+import go
+
+/** Provides models of commonly used functions in the `io` package. */
+module Io {
+  private class FunctionModels extends TaintTracking::FunctionModel {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    FunctionModels() {
+      // signature: func Copy(dst Writer, src Reader) (written int64, err error)
+      hasQualifiedName("io", "Copy") and
+      (inp.isParameter(1) and outp.isParameter(0))
+      or
+      // signature: func CopyBuffer(dst Writer, src Reader, buf []byte) (written int64, err error)
+      hasQualifiedName("io", "CopyBuffer") and
+      (inp.isParameter(1) and outp.isParameter(0))
+      or
+      // signature: func CopyN(dst Writer, src Reader, n int64) (written int64, err error)
+      hasQualifiedName("io", "CopyN") and
+      (inp.isParameter(1) and outp.isParameter(0))
+      or
+      // signature: func LimitReader(r Reader, n int64) Reader
+      hasQualifiedName("io", "LimitReader") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func MultiReader(readers ...Reader) Reader
+      hasQualifiedName("io", "MultiReader") and
+      (inp.isParameter(_) and outp.isResult())
+      or
+      // signature: func MultiWriter(writers ...Writer) Writer
+      hasQualifiedName("io", "MultiWriter") and
+      (inp.isResult() and outp.isParameter(_))
+      or
+      // signature: func NewSectionReader(r ReaderAt, off int64, n int64) *SectionReader
+      hasQualifiedName("io", "NewSectionReader") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func Pipe() (*PipeReader, *PipeWriter)
+      hasQualifiedName("io", "Pipe") and
+      (inp.isResult(1) and outp.isResult(0))
+      or
+      // signature: func ReadAtLeast(r Reader, buf []byte, min int) (n int, err error)
+      hasQualifiedName("io", "ReadAtLeast") and
+      (inp.isParameter(0) and outp.isParameter(1))
+      or
+      // signature: func ReadFull(r Reader, buf []byte) (n int, err error)
+      hasQualifiedName("io", "ReadFull") and
+      (inp.isParameter(0) and outp.isParameter(1))
+      or
+      // signature: func TeeReader(r Reader, w Writer) Reader
+      hasQualifiedName("io", "TeeReader") and
+      (
+        inp.isParameter(0) and
+        (outp.isParameter(1) or outp.isResult())
+      )
+      or
+      // signature: func WriteString(w Writer, s string) (n int, err error)
+      hasQualifiedName("io", "WriteString") and
+      (inp.isParameter(1) and outp.isParameter(0))
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+
+  private class MethodModels extends TaintTracking::FunctionModel, Method {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    MethodModels() {
+      // signature: func (*LimitedReader).Read(p []byte) (n int, err error)
+      this.hasQualifiedName("io", "LimitedReader", "Read") and
+      (inp.isReceiver() and outp.isParameter(0))
+      or
+      // signature: func (*PipeReader).Read(data []byte) (n int, err error)
+      this.hasQualifiedName("io", "PipeReader", "Read") and
+      (inp.isReceiver() and outp.isParameter(0))
+      or
+      // signature: func (*PipeWriter).Write(data []byte) (n int, err error)
+      this.hasQualifiedName("io", "PipeWriter", "Write") and
+      (inp.isParameter(0) and outp.isReceiver())
+      or
+      // signature: func (*SectionReader).Read(p []byte) (n int, err error)
+      this.hasQualifiedName("io", "SectionReader", "Read") and
+      (inp.isReceiver() and outp.isParameter(0))
+      or
+      // signature: func (*SectionReader).ReadAt(p []byte, off int64) (n int, err error)
+      this.hasQualifiedName("io", "SectionReader", "ReadAt") and
+      (inp.isReceiver() and outp.isParameter(0))
+      or
+      // signature: func (Reader).Read(p []byte) (n int, err error)
+      this.implements("io", "Reader", "Read") and
+      (inp.isReceiver() and outp.isParameter(0))
+      or
+      // signature: func (ReaderAt).ReadAt(p []byte, off int64) (n int, err error)
+      this.implements("io", "ReaderAt", "ReadAt") and
+      (inp.isReceiver() and outp.isParameter(0))
+      or
+      // signature: func (ReaderFrom).ReadFrom(r Reader) (n int64, err error)
+      this.implements("io", "ReaderFrom", "ReadFrom") and
+      (inp.isParameter(0) and outp.isReceiver())
+      or
+      // signature: func (Writer).Write(p []byte) (n int, err error)
+      this.implements("io", "Writer", "Write") and
+      (inp.isParameter(0) and outp.isReceiver())
+      or
+      // signature: func (WriterAt).WriteAt(p []byte, off int64) (n int, err error)
+      this.implements("io", "WriterAt", "WriteAt") and
+      (inp.isParameter(0) and outp.isReceiver())
+      or
+      // signature: func (StringWriter).WriteString(s string) (n int, err error)
+      this.implements("io", "StringWriter", "WriteString") and
+      (inp.isParameter(0) and outp.isReceiver())
+      or
+      // signature: func (WriterTo).WriteTo(w Writer) (n int64, err error)
+      this.implements("io", "WriterTo", "WriteTo") and
+      (inp.isReceiver() and outp.isParameter(0))
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+}