Merge pull request #353 from gagliardetto/remove-duplicate-models

Remove duplicate models (the end)

Author: smowton

change-notes/2020-09-23-stdlib.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Add/improve taint-tracking models for 63 Go standard library packages. This means that all queries that track tainted data may produce more results; these include queries scanning for cross-site scripting vulnerabilities and SQL injection vulnerabilities among others.

ql/src/semmle/go/frameworks/stdlib/ArchiveTar.qll

@@ -36,23 +36,15 @@ module ArchiveTar {
     MethodModels() {
       // Methods:
       // signature: func (*Header).FileInfo() os.FileInfo
-      this.(Method).hasQualifiedName("archive/tar", "Header", "FileInfo") and
+      hasQualifiedName("archive/tar", "Header", "FileInfo") and
       (inp.isReceiver() and outp.isResult())
       or
       // signature: func (*Reader).Next() (*Header, error)
-      this.(Method).hasQualifiedName("archive/tar", "Reader", "Next") and
+      hasQualifiedName("archive/tar", "Reader", "Next") and
       (inp.isReceiver() and outp.isResult(0))
       or
-      // signature: func (*Reader).Read(b []byte) (int, error)
-      this.(Method).hasQualifiedName("archive/tar", "Reader", "Read") and
-      (inp.isReceiver() and outp.isParameter(0))
-      or
-      // signature: func (*Writer).Write(b []byte) (int, error)
-      this.(Method).hasQualifiedName("archive/tar", "Writer", "Write") and
-      (inp.isParameter(0) and outp.isReceiver())
-      or
       // signature: func (*Writer).WriteHeader(hdr *Header) error
-      this.(Method).hasQualifiedName("archive/tar", "Writer", "WriteHeader") and
+      hasQualifiedName("archive/tar", "Writer", "WriteHeader") and
       (inp.isParameter(0) and outp.isReceiver())
     }
 

ql/src/semmle/go/frameworks/stdlib/ArchiveZip.qll

@@ -38,17 +38,16 @@ module ArchiveZip {
     FunctionOutput outp;
 
     MethodModels() {
-      // Methods:
       // signature: func (*File).Open() (io.ReadCloser, error)
-      this.(Method).hasQualifiedName("archive/zip", "File", "Open") and
+      hasQualifiedName("archive/zip", "File", "Open") and
       (inp.isReceiver() and outp.isResult(0))
       or
       // signature: func (*Writer).Create(name string) (io.Writer, error)
-      this.(Method).hasQualifiedName("archive/zip", "Writer", "Create") and
+      hasQualifiedName("archive/zip", "Writer", "Create") and
       (inp.isResult(0) and outp.isReceiver())
       or
       // signature: func (*Writer).CreateHeader(fh *FileHeader) (io.Writer, error)
-      this.(Method).hasQualifiedName("archive/zip", "Writer", "CreateHeader") and
+      hasQualifiedName("archive/zip", "Writer", "CreateHeader") and
       (inp.isResult(0) and outp.isReceiver())
     }
 

ql/src/semmle/go/frameworks/stdlib/Bufio.qll

@@ -10,7 +10,7 @@ module Bufio {
    * The function `bufio.NewScanner`.
    */
   class NewScanner extends Function {
-    NewScanner() { this.hasQualifiedName("bufio", "NewScanner") }
+    NewScanner() { hasQualifiedName("bufio", "NewScanner") }
 
     /**
      * Gets the input corresponding to the `io.Reader`
@@ -80,56 +80,40 @@ module Bufio {
 
     MethodModels() {
       // signature: func (*Reader).Peek(n int) ([]byte, error)
-      this.hasQualifiedName("bufio", "Reader", "Peek") and
+      hasQualifiedName("bufio", "Reader", "Peek") and
       (inp.isReceiver() and outp.isResult(0))
       or
       // signature: func (*Reader).ReadBytes(delim byte) ([]byte, error)
-      this.hasQualifiedName("bufio", "Reader", "ReadBytes") and
+      hasQualifiedName("bufio", "Reader", "ReadBytes") and
       (inp.isReceiver() and outp.isResult(0))
       or
       // signature: func (*Reader).ReadLine() (line []byte, isPrefix bool, err error)
-      this.hasQualifiedName("bufio", "Reader", "ReadLine") and
+      hasQualifiedName("bufio", "Reader", "ReadLine") and
       (inp.isReceiver() and outp.isResult(0))
       or
       // signature: func (*Reader).ReadSlice(delim byte) (line []byte, err error)
-      this.hasQualifiedName("bufio", "Reader", "ReadSlice") and
+      hasQualifiedName("bufio", "Reader", "ReadSlice") and
       (inp.isReceiver() and outp.isResult(0))
       or
       // signature: func (*Reader).ReadString(delim byte) (string, error)
-      this.hasQualifiedName("bufio", "Reader", "ReadString") and
+      hasQualifiedName("bufio", "Reader", "ReadString") and
       (inp.isReceiver() and outp.isResult(0))
       or
       // signature: func (*Reader).Reset(r io.Reader)
-      this.hasQualifiedName("bufio", "Reader", "Reset") and
+      hasQualifiedName("bufio", "Reader", "Reset") and
       (inp.isParameter(0) and outp.isReceiver())
       or
-      // signature: func (*Reader).WriteTo(w io.Writer) (n int64, err error)
-      this.hasQualifiedName("bufio", "Reader", "WriteTo") and
-      (inp.isReceiver() and outp.isParameter(0))
-      or
       // signature: func (*Scanner).Bytes() []byte
-      this.hasQualifiedName("bufio", "Scanner", "Bytes") and
+      hasQualifiedName("bufio", "Scanner", "Bytes") and
       (inp.isReceiver() and outp.isResult())
       or
       // signature: func (*Scanner).Text() string
-      this.hasQualifiedName("bufio", "Scanner", "Text") and
+      hasQualifiedName("bufio", "Scanner", "Text") and
       (inp.isReceiver() and outp.isResult())
       or
-      // signature: func (*Writer).ReadFrom(r io.Reader) (n int64, err error)
-      this.hasQualifiedName("bufio", "Writer", "ReadFrom") and
-      (inp.isParameter(0) and outp.isReceiver())
-      or
       // signature: func (*Writer).Reset(w io.Writer)
-      this.hasQualifiedName("bufio", "Writer", "Reset") and
+      hasQualifiedName("bufio", "Writer", "Reset") and
       (inp.isReceiver() and outp.isParameter(0))
-      or
-      // signature: func (*Writer).Write(p []byte) (nn int, err error)
-      this.hasQualifiedName("bufio", "Writer", "Write") and
-      (inp.isParameter(0) and outp.isReceiver())
-      or
-      // signature: func (*Writer).WriteString(s string) (int, error)
-      this.hasQualifiedName("bufio", "Writer", "WriteString") and
-      (inp.isParameter(0) and outp.isReceiver())
     }
 
     override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {

ql/src/semmle/go/frameworks/stdlib/Bytes.qll

@@ -151,52 +151,24 @@ module Bytes {
 
     MethodModels() {
       // signature: func (*Buffer).Bytes() []byte
-      this.hasQualifiedName("bytes", "Buffer", "Bytes") and
+      hasQualifiedName("bytes", "Buffer", "Bytes") and
       (inp.isReceiver() and outp.isResult())
       or
       // signature: func (*Buffer).Next(n int) []byte
-      this.hasQualifiedName("bytes", "Buffer", "Next") and
+      hasQualifiedName("bytes", "Buffer", "Next") and
       (inp.isReceiver() and outp.isResult())
       or
       // signature: func (*Buffer).ReadBytes(delim byte) (line []byte, err error)
-      this.hasQualifiedName("bytes", "Buffer", "ReadBytes") and
+      hasQualifiedName("bytes", "Buffer", "ReadBytes") and
       (inp.isReceiver() and outp.isResult(0))
       or
-      // signature: func (*Buffer).ReadFrom(r io.Reader) (n int64, err error)
-      this.hasQualifiedName("bytes", "Buffer", "ReadFrom") and
-      (inp.isParameter(0) and outp.isReceiver())
-      or
       // signature: func (*Buffer).ReadString(delim byte) (line string, err error)
-      this.hasQualifiedName("bytes", "Buffer", "ReadString") and
+      hasQualifiedName("bytes", "Buffer", "ReadString") and
       (inp.isReceiver() and outp.isResult(0))
       or
-      // signature: func (*Buffer).String() string
-      this.hasQualifiedName("bytes", "Buffer", "String") and
-      (inp.isReceiver() and outp.isResult())
-      or
-      // signature: func (*Buffer).Write(p []byte) (n int, err error)
-      this.hasQualifiedName("bytes", "Buffer", "Write") and
-      (inp.isParameter(0) and outp.isReceiver())
-      or
-      // signature: func (*Buffer).WriteString(s string) (n int, err error)
-      this.hasQualifiedName("bytes", "Buffer", "WriteString") and
-      (inp.isParameter(0) and outp.isReceiver())
-      or
-      // signature: func (*Buffer).WriteTo(w io.Writer) (n int64, err error)
-      this.hasQualifiedName("bytes", "Buffer", "WriteTo") and
-      (inp.isReceiver() and outp.isParameter(0))
-      or
-      // signature: func (*Reader).ReadAt(b []byte, off int64) (n int, err error)
-      this.hasQualifiedName("bytes", "Reader", "ReadAt") and
-      (inp.isReceiver() and outp.isParameter(0))
-      or
       // signature: func (*Reader).Reset(b []byte)
-      this.hasQualifiedName("bytes", "Reader", "Reset") and
+      hasQualifiedName("bytes", "Reader", "Reset") and
       (inp.isParameter(0) and outp.isReceiver())
-      or
-      // signature: func (*Reader).WriteTo(w io.Writer) (n int64, err error)
-      this.hasQualifiedName("bytes", "Reader", "WriteTo") and
-      (inp.isReceiver() and outp.isParameter(0))
     }
 
     override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {

ql/src/semmle/go/frameworks/stdlib/CompressFlate.qll

@@ -39,15 +39,11 @@ module CompressFlate {
 
     MethodModels() {
       // signature: func (*Writer).Reset(dst io.Writer)
-      this.hasQualifiedName("compress/flate", "Writer", "Reset") and
+      hasQualifiedName("compress/flate", "Writer", "Reset") and
       (inp.isReceiver() and outp.isParameter(0))
       or
-      // signature: func (*Writer).Write(data []byte) (n int, err error)
-      this.hasQualifiedName("compress/flate", "Writer", "Write") and
-      (inp.isParameter(0) and outp.isReceiver())
-      or
       // signature: func (Resetter).Reset(r io.Reader, dict []byte) error
-      this.implements("compress/flate", "Resetter", "Reset") and
+      implements("compress/flate", "Resetter", "Reset") and
       (inp.isParameter(0) and outp.isReceiver())
     }
 

ql/src/semmle/go/frameworks/stdlib/CompressGzip.qll

@@ -35,16 +35,12 @@ module CompressGzip {
 
     MethodModels() {
       // signature: func (*Reader).Reset(r io.Reader) error
-      this.hasQualifiedName("compress/gzip", "Reader", "Reset") and
+      hasQualifiedName("compress/gzip", "Reader", "Reset") and
       (inp.isParameter(0) and outp.isReceiver())
       or
       // signature: func (*Writer).Reset(w io.Writer)
-      this.hasQualifiedName("compress/gzip", "Writer", "Reset") and
+      hasQualifiedName("compress/gzip", "Writer", "Reset") and
       (inp.isReceiver() and outp.isParameter(0))
-      or
-      // signature: func (*Writer).Write(p []byte) (int, error)
-      this.hasQualifiedName("compress/gzip", "Writer", "Write") and
-      (inp.isParameter(0) and outp.isReceiver())
     }
 
     override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {

ql/src/semmle/go/frameworks/stdlib/CompressZlib.qll

@@ -43,15 +43,11 @@ module CompressZlib {
 
     MethodModels() {
       // signature: func (*Writer).Reset(w io.Writer)
-      this.hasQualifiedName("compress/zlib", "Writer", "Reset") and
+      hasQualifiedName("compress/zlib", "Writer", "Reset") and
       (inp.isReceiver() and outp.isParameter(0))
       or
-      // signature: func (*Writer).Write(p []byte) (n int, err error)
-      this.hasQualifiedName("compress/zlib", "Writer", "Write") and
-      (inp.isParameter(0) and outp.isReceiver())
-      or
       // signature: func (Resetter).Reset(r io.Reader, dict []byte) error
-      this.implements("compress/zlib", "Resetter", "Reset") and
+      implements("compress/zlib", "Resetter", "Reset") and
       (inp.isParameter(0) and outp.isReceiver())
     }
 

ql/src/semmle/go/frameworks/stdlib/ContainerHeap.qll

@@ -35,11 +35,11 @@ module ContainerHeap {
 
     MethodModels() {
       // signature: func (Interface).Pop() interface{}
-      this.implements("container/heap", "Interface", "Pop") and
+      implements("container/heap", "Interface", "Pop") and
       (inp.isReceiver() and outp.isResult())
       or
       // signature: func (Interface).Push(x interface{})
-      this.implements("container/heap", "Interface", "Push") and
+      implements("container/heap", "Interface", "Push") and
       (inp.isParameter(0) and outp.isReceiver())
     }
 

ql/src/semmle/go/frameworks/stdlib/ContainerList.qll

@@ -12,79 +12,79 @@ module ContainerList {
 
     MethodModels() {
       // signature: func (*Element).Next() *Element
-      this.hasQualifiedName("container/list", "Element", "Next") and
+      hasQualifiedName("container/list", "Element", "Next") and
       (inp.isReceiver() and outp.isResult())
       or
       // signature: func (*Element).Prev() *Element
-      this.hasQualifiedName("container/list", "Element", "Prev") and
+      hasQualifiedName("container/list", "Element", "Prev") and
       (inp.isReceiver() and outp.isResult())
       or
       // signature: func (*List).Back() *Element
-      this.hasQualifiedName("container/list", "List", "Back") and
+      hasQualifiedName("container/list", "List", "Back") and
       (inp.isReceiver() and outp.isResult())
       or
       // signature: func (*List).Front() *Element
-      this.hasQualifiedName("container/list", "List", "Front") and
+      hasQualifiedName("container/list", "List", "Front") and
       (inp.isReceiver() and outp.isResult())
       or
       // signature: func (*List).Init() *List
-      this.hasQualifiedName("container/list", "List", "Init") and
+      hasQualifiedName("container/list", "List", "Init") and
       (inp.isReceiver() and outp.isResult())
       or
       // signature: func (*List).InsertAfter(v interface{}, mark *Element) *Element
-      this.hasQualifiedName("container/list", "List", "InsertAfter") and
+      hasQualifiedName("container/list", "List", "InsertAfter") and
       (
         inp.isParameter(0) and
         (outp.isReceiver() or outp.isResult())
       )
       or
       // signature: func (*List).InsertBefore(v interface{}, mark *Element) *Element
-      this.hasQualifiedName("container/list", "List", "InsertBefore") and
+      hasQualifiedName("container/list", "List", "InsertBefore") and
       (
         inp.isParameter(0) and
         (outp.isReceiver() or outp.isResult())
       )
       or
       // signature: func (*List).MoveAfter(e *Element, mark *Element)
-      this.hasQualifiedName("container/list", "List", "MoveAfter") and
+      hasQualifiedName("container/list", "List", "MoveAfter") and
       (inp.isParameter(0) and outp.isReceiver())
       or
       // signature: func (*List).MoveBefore(e *Element, mark *Element)
-      this.hasQualifiedName("container/list", "List", "MoveBefore") and
+      hasQualifiedName("container/list", "List", "MoveBefore") and
       (inp.isParameter(0) and outp.isReceiver())
       or
       // signature: func (*List).MoveToBack(e *Element)
-      this.hasQualifiedName("container/list", "List", "MoveToBack") and
+      hasQualifiedName("container/list", "List", "MoveToBack") and
       (inp.isParameter(0) and outp.isReceiver())
       or
       // signature: func (*List).MoveToFront(e *Element)
-      this.hasQualifiedName("container/list", "List", "MoveToFront") and
+      hasQualifiedName("container/list", "List", "MoveToFront") and
       (inp.isParameter(0) and outp.isReceiver())
       or
       // signature: func (*List).PushBack(v interface{}) *Element
-      this.hasQualifiedName("container/list", "List", "PushBack") and
+      hasQualifiedName("container/list", "List", "PushBack") and
       (
         inp.isParameter(0) and
         (outp.isReceiver() or outp.isResult())
       )
       or
       // signature: func (*List).PushBackList(other *List)
-      this.hasQualifiedName("container/list", "List", "PushBackList") and
+      hasQualifiedName("container/list", "List", "PushBackList") and
       (inp.isParameter(0) and outp.isReceiver())
       or
       // signature: func (*List).PushFront(v interface{}) *Element
-      this.hasQualifiedName("container/list", "List", "PushFront") and
+      hasQualifiedName("container/list", "List", "PushFront") and
       (
         inp.isParameter(0) and
         (outp.isReceiver() or outp.isResult())
       )
       or
       // signature: func (*List).PushFrontList(other *List)
-      this.hasQualifiedName("container/list", "List", "PushFrontList") and
+      hasQualifiedName("container/list", "List", "PushFrontList") and
       (inp.isParameter(0) and outp.isReceiver())
       or
       // signature: func (*List).Remove(e *Element) interface{}
-      this.hasQualifiedName("container/list", "List", "Remove") and
+      hasQualifiedName("container/list", "List", "Remove") and
       (inp.isParameter(0) and outp.isResult())
     }