Merge branch 'main' into rust/callable-base

Author: Paolo Tranquilli

Cargo.lock

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Local source models with the `stdin` source kind have been added for the variable `os.Stdin` and the functions `fmt.Scan`, `fmt.Scanf` and `fmt.Scanln`. You can optionally include threat models as appropriate when using the CodeQL CLI and in GitHub code scanning. For more information, see [Analyzing your code with CodeQL queries](https://docs.github.com/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries#including-model-packs-to-add-potential-sources-of-tainted-data>) and [Customizing your advanced setup for code scanning](https://docs.github.com/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-threat-models).

go/ql/lib/change-notes/2024-08-29-add-stdin-threat-models.md

@@ -112,6 +112,15 @@ module Fmt {
     Scanner() { this.hasQualifiedName("fmt", ["Scan", "Scanf", "Scanln"]) }
   }
 
+  private class ScannerSource extends SourceNode {
+    ScannerSource() {
+      // All of the arguments which are sources are varargs.
+      this.asExpr() = any(Scanner s).getACall().getAnImplicitVarargsArgument().asExpr()
+    }
+
+    override string getThreatModel() { result = "stdin" }
+  }
+
   /**
    * The `Fscan` function or one of its variants,
    * all of which read from a specified `io.Reader`.

go/ql/lib/semmle/go/frameworks/stdlib/Fmt.qll

@@ -43,4 +43,12 @@ module Os {
       input = inp and output = outp
     }
   }
+
+  private class Stdin extends SourceNode {
+    Stdin() {
+      exists(Variable osStdin | osStdin.hasQualifiedName("os", "Stdin") | this = osStdin.getARead())
+    }
+
+    override string getThreatModel() { result = "stdin" }
+  }
 }

go/ql/lib/semmle/go/frameworks/stdlib/Os.qll

@@ -0,0 +1,3 @@
+module test
+
+go 1.22.6

go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/stdin/go.mod

@@ -0,0 +1,3 @@
+testFailures
+invalidModelRow
+failures

go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/stdin/source.expected

@@ -0,0 +1,7 @@
+extensions:
+
+  - addsTo:
+      pack: codeql/threat-models
+      extensible: threatModelConfiguration
+    data:
+      - ["stdin", true, 0]

go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/stdin/source.ext.yml

@@ -0,0 +1,19 @@
+import go
+import ModelValidation
+import TestUtilities.InlineExpectationsTest
+
+module SourceTest implements TestSig {
+  string getARelevantTag() { result = "source" }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(ActiveThreatModelSource s |
+      s.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
+        location.getStartColumn(), location.getEndLine(), location.getEndColumn()) and
+      element = s.toString() and
+      value = "" and
+      tag = "source"
+    )
+  }
+}
+
+import MakeTest<SourceTest>

go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/stdin/source.ql

@@ -0,0 +1,2 @@
+testFailures
+invalidModelRow

go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/stdin/test.expected

@@ -0,0 +1,7 @@
+extensions:
+
+  - addsTo:
+      pack: codeql/threat-models
+      extensible: threatModelConfiguration
+    data:
+      - ["stdin", true, 0]