Merge pull request github#13767 from owen-mc/go/missing-flow-through-receiver

Go: Fix missing flow through receiver for function variable

Author: owen-mc

go/ql/lib/change-notes/2023-07-19-method-call-node.md

@@ -0,0 +1,4 @@
+---
+category: fix
+---
+* The definition of `DataFlow::MethodCallNode` has been expanded to include `DataFlow::CallNode`s where what is being called is a variable that has a method assigned to it within the calling function. This means we can now follow data flow into the receiver of such a method call.

go/ql/lib/semmle/go/controlflow/IR.qll

@@ -744,7 +744,7 @@ module IR {
 
     override Type getResultType() {
       exists(CallExpr c | this.getBase() = evalExprInstruction(c) |
-        result = c.getTarget().getResultType(i)
+        result = c.getCalleeType().getResultType(i)
       )
       or
       exists(Expr e | this.getBase() = evalExprInstruction(e) |

go/ql/lib/semmle/go/dataflow/internal/DataFlowDispatch.qll

@@ -8,7 +8,7 @@ private import DataFlowPrivate
 private predicate isInterfaceCallReceiver(
   DataFlow::CallNode call, DataFlow::Node recv, InterfaceType tp, string m
 ) {
-  call.getReceiver() = recv and
+  call.(DataFlow::MethodCallNode).getReceiver() = recv and
   recv.getType().getUnderlyingType() = tp and
   m = call.getACalleeIncludingExternals().asFunction().getName()
 }
@@ -149,7 +149,9 @@ predicate golangSpecificParamArgFilter(
   // Interface methods calls may be passed strictly to that exact method's model receiver:
   arg.getPosition() != -1
   or
-  exists(Function callTarget | callTarget = call.getNode().(DataFlow::CallNode).getTarget() |
+  exists(Function callTarget |
+    callTarget = call.getNode().(DataFlow::CallNode).getACalleeIncludingExternals().asFunction()
+  |
     not isInterfaceMethod(callTarget)
     or
     callTarget = p.getCallable().asSummarizedCallable().asFunction()

go/ql/lib/semmle/go/dataflow/internal/DataFlowNodes.qll

@@ -439,8 +439,8 @@ module Public {
     CallNode getCallNode() { result = call }
 
     override Type getType() {
-      exists(Function f | f = call.getTarget() |
-        result = f.getParameterType(f.getNumParameter() - 1)
+      exists(SignatureType t | t = call.getCall().getCalleeType() |
+        result = t.getParameterType(t.getNumParameter() - 1)
       )
     }
 
@@ -474,7 +474,11 @@ module Public {
   class CallNode extends ExprNode {
     override CallExpr expr;
 
-    /** Gets the declared target of this call */
+    /**
+     * Gets the declared target of this call, if it exists.
+     *
+     * This doesn't exist when a function is called via a variable.
+     */
     Function getTarget() { result = expr.getTarget() }
 
     private DataFlow::Node getACalleeSource() { result = getACalleeSource(this) }
@@ -622,16 +626,40 @@ module Public {
     /** Gets a result of this call. */
     Node getAResult() { result = this.getResult(_) }
 
-    /** Gets the data flow node corresponding to the receiver of this call, if any. */
+    /**
+     * Gets the data flow node corresponding to the receiver of this call, if any.
+     *
+     * When a method value is assigned to a variable then when it is called it
+     * looks like a function call, as in the following example.
+     * ```go
+     * file, _ := os.Open("test.txt")
+     * f := file.Close
+     * f()
+     * ```
+     * In this case we use local flow to try to find the receiver (`file` in
+     * the  above example).
+     */
     Node getReceiver() { result = this.getACalleeSource().(MethodReadNode).getReceiver() }
 
     /** Holds if this call has an ellipsis after its last argument. */
     predicate hasEllipsis() { expr.hasEllipsis() }
   }
 
-  /** A data flow node that represents a call to a method. */
+  /**
+   * A data flow node that represents a call to a method.
+   *
+   * When a method value is assigned to a variable then when it is called it
+   * syntactically looks like a function call, as in the following example.
+   * ```go
+   * file, _ := os.Open("test.txt")
+   * f := file.Close
+   * f()
+   * ```
+   * In this case we use local flow to see whether a method is assigned to the
+   * function.
+   */
   class MethodCallNode extends CallNode {
-    MethodCallNode() { expr.getTarget() instanceof Method }
+    MethodCallNode() { getACalleeSource(this) instanceof MethodReadNode }
 
     override Method getTarget() { result = expr.getTarget() }
 

go/ql/lib/semmle/go/frameworks/Gqlgen.qll

@@ -7,7 +7,7 @@ module Gqlgen {
   /** An autogenerated file containing gqlgen code. */
   private class GqlgenGeneratedFile extends File {
     GqlgenGeneratedFile() {
-      exists(DataFlow::CallNode call |
+      exists(DataFlow::MethodCallNode call |
         call.getReceiver().getType().hasQualifiedName("github.com/99designs/gqlgen/graphql", _) and
         call.getFile() = this
       )

go/ql/lib/semmle/go/frameworks/stdlib/NetHttp.qll

@@ -131,7 +131,7 @@ module NetHttp {
     )
     or
     stack = SummaryComponentStack::argument(-1) and
-    result = call.getReceiver()
+    result = call.(DataFlow::MethodCallNode).getReceiver()
   }
 
   private class ResponseBody extends Http::ResponseBody::Range {

go/ql/lib/semmle/go/security/ExternalAPIs.qll

@@ -86,7 +86,7 @@ class ExternalApiDataNode extends DataFlow::Node {
       this = call.getArgument(i)
       or
       // Receiver to a call to a method which returns non trivial value
-      this = call.getReceiver() and
+      this = call.(DataFlow::MethodCallNode).getReceiver() and
       i = -1
     ) and
     // Not defined in the code that is being analyzed

go/ql/lib/semmle/go/security/SafeUrlFlowCustomizations.qll

@@ -33,7 +33,9 @@ module SafeUrlFlow {
 
   /** A function model step using `UnsafeUrlMethod`, considered as a sanitizer for safe URL flow. */
   private class UnsafeUrlMethodEdge extends SanitizerEdge {
-    UnsafeUrlMethodEdge() { this = any(UnsafeUrlMethod um).getACall().getReceiver() }
+    UnsafeUrlMethodEdge() {
+      this = any(UnsafeUrlMethod um).getACall().(DataFlow::MethodCallNode).getReceiver()
+    }
   }
 
   /** Any slicing of the URL, considered as a sanitizer for safe URL flow. */

go/ql/src/InconsistentCode/UnhandledCloseWritableHandle.ql

@@ -90,7 +90,7 @@ predicate isWritableFileHandle(DataFlow::Node source, DataFlow::CallNode call) {
 /**
  * Holds if `os.File.Close` is called on `sink`.
  */
-predicate isCloseSink(DataFlow::Node sink, DataFlow::CallNode closeCall) {
+predicate isCloseSink(DataFlow::Node sink, DataFlow::MethodCallNode closeCall) {
   // find calls to the os.File.Close function
   closeCall = any(CloseFileFun f).getACall() and
   // that are unhandled
@@ -115,7 +115,7 @@ predicate isCloseSink(DataFlow::Node sink, DataFlow::CallNode closeCall) {
  * Holds if `os.File.Sync` is called on `sink` and the result of the call is neither
  * deferred nor discarded.
  */
-predicate isHandledSync(DataFlow::Node sink, DataFlow::CallNode syncCall) {
+predicate isHandledSync(DataFlow::Node sink, DataFlow::MethodCallNode syncCall) {
   // find a call of the `os.File.Sync` function
   syncCall = any(SyncFileFun f).getACall() and
   // match the sink with the object on which the method is called

go/ql/src/Security/CWE-352/ConstantOauth2State.ql

@@ -113,7 +113,7 @@ class PrivateUrlFlowsToAuthCodeUrlCall extends DataFlow::Configuration {
     )
   }
 
-  predicate isSinkCall(DataFlow::Node sink, DataFlow::CallNode call) {
+  predicate isSinkCall(DataFlow::Node sink, DataFlow::MethodCallNode call) {
     exists(AuthCodeUrl m | call = m.getACall() | sink = call.getReceiver())
   }