database source tests

egregius313 · egregius313 · commit e9fdc8a34cd8 · 2025-01-07T06:41:33.000-05:00
diff --git a/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/database/sink.go b/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/database/sink.go
@@ -0,0 +1,5 @@
+package test
+
+func sink(x ...any) {}
+
+func ignore(...any) {}
diff --git a/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/database/source.expected b/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/database/source.expected
@@ -0,0 +1,2 @@
+testFailures
+invalidModelRow
diff --git a/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/database/source.ext.yml b/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/database/source.ext.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/threat-models
+      extensible: threatModelConfiguration
+    data:
+      - ["database", true, 0]
diff --git a/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/database/source.ql b/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/database/source.ql
@@ -0,0 +1,19 @@
+import go
+import ModelValidation
+import utils.test.InlineExpectationsTest
+
+module SourceTest implements TestSig {
+  string getARelevantTag() { result = "source" }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(ActiveThreatModelSource s |
+      s.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
+        location.getStartColumn(), location.getEndLine(), location.getEndColumn()) and
+      element = s.toString() and
+      value = "" and
+      tag = "source"
+    )
+  }
+}
+
+import MakeTest<SourceTest>
diff --git a/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/database/test.expected b/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/database/test.expected
@@ -0,0 +1,2 @@
+testFailures
+invalidModelRow
diff --git a/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/database/test.ext.yml b/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/database/test.ext.yml
@@ -0,0 +1,7 @@
+extensions:
+
+  - addsTo:
+      pack: codeql/threat-models
+      extensible: threatModelConfiguration
+    data:
+      - ["database", true, 0]
diff --git a/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/database/test.ql b/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/database/test.ql
@@ -0,0 +1,15 @@
+import go
+import semmle.go.dataflow.ExternalFlow
+import ModelValidation
+import experimental.frameworks.CleverGo
+import utils.test.InlineFlowTest
+
+module Config implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
+
+  predicate isSink(DataFlow::Node sink) {
+    sink.asExpr() = any(CallExpr c | c.getTarget().getName() = "sink").getAnArgument()
+  }
+}
+
+import TaintFlowTest<Config>
