Implement standard library models for Go 1.20

smowton · smowton · commit 7e7850374e15 · 2023-02-15T18:29:49.000Z
diff --git a/go/ql/lib/semmle/go/frameworks/Stdlib.qll b/go/ql/lib/semmle/go/frameworks/Stdlib.qll
@@ -65,6 +65,7 @@ import semmle.go.frameworks.stdlib.Syscall
 import semmle.go.frameworks.stdlib.TextScanner
 import semmle.go.frameworks.stdlib.TextTabwriter
 import semmle.go.frameworks.stdlib.TextTemplate
+import semmle.go.frameworks.stdlib.Unsafe
 
 /** A `String()` method. */
 class StringMethod extends TaintTracking::FunctionModel, Method {
diff --git a/go/ql/lib/semmle/go/frameworks/stdlib/Bytes.qll b/go/ql/lib/semmle/go/frameworks/stdlib/Bytes.qll
@@ -11,6 +11,15 @@ module Bytes {
     FunctionOutput outp;
 
     FunctionModels() {
+      hasQualifiedName("bytes", "Clone") and
+      (inp.isParameter(0) and outp.isResult())
+      or
+      hasQualifiedName("bytes", "Cut") and
+      (inp.isParameter(0) and outp.isResult([0, 1]))
+      or
+      hasQualifiedName("bytes", ["CutPrefix", "CutSuffix"]) and
+      (inp.isParameter(0) and outp.isResult(0))
+      or
       // signature: func Fields(s []byte) [][]byte
       hasQualifiedName("bytes", "Fields") and
       (inp.isParameter(0) and outp.isResult())
diff --git a/go/ql/lib/semmle/go/frameworks/stdlib/Errors.qll b/go/ql/lib/semmle/go/frameworks/stdlib/Errors.qll
@@ -22,6 +22,10 @@ module Errors {
       // signature: func Unwrap(err error) error
       hasQualifiedName("errors", "Unwrap") and
       (inp.isParameter(0) and outp.isResult())
+      or
+      // signature: func Join(errs ...error) error
+      hasQualifiedName("errors", "Join") and
+      (inp.isParameter(_) and outp.isResult())
     }
 
     override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
diff --git a/go/ql/lib/semmle/go/frameworks/stdlib/Sync.qll b/go/ql/lib/semmle/go/frameworks/stdlib/Sync.qll
@@ -11,6 +11,9 @@ module Sync {
     FunctionOutput outp;
 
     MethodModels() {
+      hasQualifiedName("sync", "Map", "CompareAndSwap") and
+      (inp.isParameter(2) and outp.isReceiver())
+      or
       // signature: func (*Map) Load(key interface{}) (value interface{}, ok bool)
       hasQualifiedName("sync", "Map", "Load") and
       (inp.isReceiver() and outp.isResult(0))
@@ -28,6 +31,13 @@ module Sync {
       hasQualifiedName("sync", "Map", "Store") and
       (inp.isParameter(_) and outp.isReceiver())
       or
+      hasQualifiedName("sync", "Map", "Swap") and
+      (
+        inp.isReceiver() and outp.isResult(0)
+        or
+        inp.isParameter(_) and outp.isReceiver()
+      )
+      or
       // signature: func (*Pool) Get() interface{}
       hasQualifiedName("sync", "Pool", "Get") and
       (inp.isReceiver() and outp.isResult())
diff --git a/go/ql/lib/semmle/go/frameworks/stdlib/Unsafe.qll b/go/ql/lib/semmle/go/frameworks/stdlib/Unsafe.qll
@@ -0,0 +1,22 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `unsafe` package.
+ */
+
+import go
+
+/** Provides models of commonly used functions in the `unsafe` package. */
+module Unsafe {
+  private class FunctionModels extends TaintTracking::FunctionModel {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    FunctionModels() {
+      hasQualifiedName("unsafe", ["String", "StringData", "Slice", "SliceData"]) and
+      (inp.isParameter(0) and outp.isResult())
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+}
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Bytes.go b/go/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Bytes.go
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Errors.go b/go/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Errors.go
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Sync.go b/go/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Sync.go
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Unsafe.go b/go/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Unsafe.go
@@ -0,0 +1,46 @@
+package main
+
+import "unsafe"
+
+func TaintStepTest_UnsafeSlice(sourceCQL interface{}) interface{} {
+	s := sourceCQL.(*byte)
+	return unsafe.Slice(s, 1)
+}
+
+func TaintStepTest_UnsafeSliceData(sourceCQL interface{}) interface{} {
+	s := sourceCQL.([]byte)
+	return unsafe.SliceData(s)
+}
+
+func TaintStepTest_UnsafeString(sourceCQL interface{}) interface{} {
+	s := sourceCQL.(*byte)
+	return unsafe.String(s, 1)
+}
+
+func TaintStepTest_UnsafeStringData(sourceCQL interface{}) interface{} {
+	s := sourceCQL.(string)
+	return unsafe.StringData(s)
+}
+
+func RunAllTaints_Sync() {
+	{
+		source := newSource(0)
+		out := TaintStepTest_UnsafeSlice(source)
+		sink(0, out)
+	}
+	{
+		source := newSource(1)
+		out := TaintStepTest_UnsafeSliceData(source)
+		sink(1, out)
+	}
+	{
+		source := newSource(2)
+		out := TaintStepTest_UnsafeString(source)
+		sink(2, out)
+	}
+	{
+		source := newSource(3)
+		out := TaintStepTest_UnsafeStringData(source)
+		sink(3, out)
+	}
+}
