Merge pull request #18920 from owen-mc/go/mad/improve-sync-models

owen-mc · web-flow · commit 0c091ffe316f · 2025-03-06T09:40:49.000Z
Go: Do not track taint into a `sync.Map` via the key of a key-value pair
diff --git a/go/ql/lib/change-notes/2025-03-04-improve-models-for-sync-map.md b/go/ql/lib/change-notes/2025-03-04-improve-models-for-sync-map.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* We no longer track taint into a `sync.Map` via the key of a key-value pair, since we do not model any way in which keys can be read from a `sync.Map`.
diff --git a/go/ql/lib/ext/sync.model.yml b/go/ql/lib/ext/sync.model.yml
@@ -6,10 +6,10 @@ extensions:
       - ["sync", "Map", True, "CompareAndSwap", "", "", "Argument[2]", "Argument[receiver]", "taint", "manual"]
       - ["sync", "Map", True, "Load", "", "", "Argument[receiver]", "ReturnValue[0]", "taint", "manual"]
       - ["sync", "Map", True, "LoadOrStore", "", "", "Argument[receiver]", "ReturnValue[0]", "taint", "manual"]
-      - ["sync", "Map", True, "LoadOrStore", "", "", "Argument[0..1]", "Argument[receiver]", "taint", "manual"]
-      - ["sync", "Map", True, "LoadOrStore", "", "", "Argument[0..1]", "ReturnValue[0]", "taint", "manual"]
-      - ["sync", "Map", True, "Store", "", "", "Argument[0..1]", "Argument[receiver]", "taint", "manual"]
+      - ["sync", "Map", True, "LoadOrStore", "", "", "Argument[1]", "Argument[receiver]", "taint", "manual"]
+      - ["sync", "Map", True, "LoadOrStore", "", "", "Argument[1]", "ReturnValue[0]", "taint", "manual"]
+      - ["sync", "Map", True, "Store", "", "", "Argument[1]", "Argument[receiver]", "taint", "manual"]
       - ["sync", "Map", True, "Swap", "", "", "Argument[receiver]", "ReturnValue[0]", "taint", "manual"]
-      - ["sync", "Map", True, "Swap", "", "", "Argument[0..1]", "Argument[receiver]", "taint", "manual"]
+      - ["sync", "Map", True, "Swap", "", "", "Argument[1]", "Argument[receiver]", "taint", "manual"]
       - ["sync", "Pool", True, "Get", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
       - ["sync", "Pool", True, "Put", "", "", "Argument[0]", "Argument[receiver]", "taint", "manual"]
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Sync.go b/go/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Sync.go

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* We no longer track taint into a `sync.Map` via the key of a key-value pair, since we do not model any way in which keys can be read from a `sync.Map`.