Don't allow varargs as function outputs.

Max Schaefer · Max Schaefer · commit c2a26f8ec951 · 2020-08-10T07:30:23.000+01:00
In a call of the form `f(xs...)`, when we say that `f` taints its 0th argument its ambiguous whether that means that it taints the slice `xs` or its 0th element `xs[0]`.

In practice, it's usually the latter, but we have no way of expressing that using our current `FunctionOutput` implementation.
diff --git a/ql/src/semmle/go/dataflow/FunctionInputsAndOutputs.qll b/ql/src/semmle/go/dataflow/FunctionInputsAndOutputs.qll
@@ -242,7 +242,12 @@ private class OutReceiver extends FunctionOutput, TOutReceiver {
   override string toString() { result = "receiver" }
 }
 
-/** A parameter of a function, viewed as an output. */
+/**
+ * A parameter of a function, viewed as an output.
+ *
+ * Note that slices passed to varargs parameters using `...` are not included, since in this
+ * case it is ambiguous whether the output should be the slice itself or one of its elements.
+ */
 private class OutParameter extends FunctionOutput, TOutParameter {
   int index;
 
@@ -259,6 +264,8 @@ private class OutParameter extends FunctionOutput, TOutParameter {
   override DataFlow::Node getExitNode(DataFlow::CallNode c) {
     exists(DataFlow::Node arg |
       arg = getArgument(c, index) and
+      not (c.hasEllipsis() and index = c.getNumArgument() - 1)
+    |
       result.(DataFlow::PostUpdateNode).getPreUpdateNode() = arg
     )
   }
diff --git a/ql/test/library-tests/semmle/go/dataflow/FunctionInputsAndOutputs/FunctionInput_getEntryNode.expected b/ql/test/library-tests/semmle/go/dataflow/FunctionInputsAndOutputs/FunctionInput_getEntryNode.expected
@@ -4,10 +4,13 @@
 | parameter 0 | main.go:57:2:57:27 | call to Printf | main.go:57:13:57:20 | "%d, %d" |
 | parameter 0 | reset.go:12:2:12:21 | call to Reset | reset.go:12:15:12:20 | source |
 | parameter 0 | tst.go:10:2:10:29 | call to ReadFrom | tst.go:10:23:10:28 | reader |
+| parameter 0 | tst.go:16:2:16:12 | call to test5 | tst.go:16:8:16:8 | x |
+| parameter 0 | tst.go:18:2:18:12 | call to test5 | tst.go:18:8:18:8 | s |
 | parameter 1 | main.go:51:2:51:14 | call to op | main.go:51:10:51:10 | 1 |
 | parameter 1 | main.go:53:2:53:22 | call to op2 | main.go:53:11:53:11 | 2 |
 | parameter 1 | main.go:55:2:55:27 | call to Printf | main.go:55:23:55:23 | x |
 | parameter 1 | main.go:57:2:57:27 | call to Printf | main.go:57:23:57:23 | x |
+| parameter 1 | tst.go:16:2:16:12 | call to test5 | tst.go:16:11:16:11 | y |
 | parameter 2 | main.go:51:2:51:14 | call to op | main.go:51:13:51:13 | 1 |
 | parameter 2 | main.go:53:2:53:22 | call to op2 | main.go:53:14:53:21 | call to bump |
 | parameter 2 | main.go:55:2:55:27 | call to Printf | main.go:55:26:55:26 | y |
diff --git a/ql/test/library-tests/semmle/go/dataflow/FunctionInputsAndOutputs/FunctionInput_getExitNode.expected b/ql/test/library-tests/semmle/go/dataflow/FunctionInputsAndOutputs/FunctionInput_getExitNode.expected
@@ -3,8 +3,10 @@
 | parameter 0 | main.go:40:1:48:1 | function declaration | main.go:40:12:40:12 | definition of b |
 | parameter 0 | reset.go:8:1:16:1 | function declaration | reset.go:8:27:8:27 | definition of r |
 | parameter 0 | tst.go:8:1:11:1 | function declaration | tst.go:8:12:8:17 | definition of reader |
+| parameter 0 | tst.go:15:1:19:1 | function declaration | tst.go:15:12:15:12 | definition of x |
 | parameter 1 | main.go:5:1:11:1 | function declaration | main.go:5:20:5:20 | definition of x |
 | parameter 1 | main.go:13:1:20:1 | function declaration | main.go:13:21:13:21 | definition of x |
+| parameter 1 | tst.go:15:1:19:1 | function declaration | tst.go:15:15:15:15 | definition of y |
 | parameter 2 | main.go:5:1:11:1 | function declaration | main.go:5:27:5:27 | definition of y |
 | parameter 2 | main.go:13:1:20:1 | function declaration | main.go:13:28:13:28 | definition of y |
 | receiver | main.go:26:1:29:1 | function declaration | main.go:26:7:26:7 | definition of c |
diff --git a/ql/test/library-tests/semmle/go/dataflow/FunctionInputsAndOutputs/FunctionOutput_getExitNode.expected b/ql/test/library-tests/semmle/go/dataflow/FunctionInputsAndOutputs/FunctionOutput_getExitNode.expected
@@ -1,5 +1,7 @@
 | parameter 0 | reset.go:12:2:12:21 | call to Reset | reset.go:9:2:9:7 | definition of source |
 | parameter 0 | tst.go:10:2:10:29 | call to ReadFrom | tst.go:8:12:8:17 | definition of reader |
+| parameter 0 | tst.go:16:2:16:12 | call to test5 | tst.go:15:12:15:12 | definition of x |
+| parameter 1 | tst.go:16:2:16:12 | call to test5 | tst.go:15:15:15:15 | definition of y |
 | receiver | main.go:53:14:53:21 | call to bump | main.go:52:2:52:2 | definition of c |
 | receiver | reset.go:12:2:12:21 | call to Reset | reset.go:11:6:11:11 | definition of reader |
 | receiver | tst.go:10:2:10:29 | call to ReadFrom | tst.go:9:2:9:12 | definition of bytesBuffer |
diff --git a/ql/test/library-tests/semmle/go/dataflow/FunctionInputsAndOutputs/tst.go b/ql/test/library-tests/semmle/go/dataflow/FunctionInputsAndOutputs/tst.go
@@ -9,3 +9,11 @@ func test4(reader io.Reader) {
 	bytesBuffer := new(bytes.Buffer)
 	bytesBuffer.ReadFrom(reader)
 }
+
+func test5(xs ...*int) {}
+
+func test6(x, y *int) {
+	test5(x, y)
+	s := []*int{x, y}
+	test5(s...)
+}
