Allow data flow through varargs parameters

Author: owen-mc

go/ql/lib/semmle/go/Expr.qll

@@ -857,6 +857,18 @@ class CallExpr extends CallOrConversionExpr {
   /** Gets the number of argument expressions of this call. */
   int getNumArgument() { result = count(this.getAnArgument()) }
 
+  /**
+   * Gets an argument with an ellipsis after it which is passed to a varargs
+   * parameter, as in `f(x...)`.
+   *
+   * Note that if the varargs parameter is `...T` then the type of the argument
+   * must be assignable to the slice type `[]T`.
+   */
+  Expr getExplicitVarargsArgument() {
+    this.hasEllipsis() and
+    result = this.getArgument(this.getNumArgument() - 1)
+  }
+
   /**
    * Gets the name of the invoked function, method or variable if it can be
    * determined syntactically.

go/ql/lib/semmle/go/dataflow/internal/ContainerFlow.qll

@@ -10,7 +10,7 @@ private import semmle.go.dataflow.ExternalFlow
  * Holds if the step from `node1` to `node2` stores a value in an array, a
  * slice, a collection or a map. Thus, `node2` references an object with a
  * content `c` that contains the value of `node1`. This covers array
- * assignments and initializers as well as implicit array creations for
+ * assignments and initializers as well as implicit slice creations for
  * varargs.
  */
 predicate containerStoreStep(Node node1, Node node2, Content c) {
@@ -20,7 +20,11 @@ predicate containerStoreStep(Node node1, Node node2, Content c) {
       node2.getType() instanceof ArrayType or
       node2.getType() instanceof SliceType
     ) and
-    exists(Write w | w.writesElement(node2, _, node1))
+    (
+      exists(Write w | w.writesElement(node2, _, node1))
+      or
+      node1 = node2.(ImplicitVarargsSlice).getCallNode().getImplicitVarargsArgument(_)
+    )
   )
   or
   c instanceof CollectionContent and

go/ql/lib/semmle/go/dataflow/internal/DataFlowNodes.qll

@@ -10,6 +10,7 @@ private newtype TNode =
   MkInstructionNode(IR::Instruction insn) or
   MkSsaNode(SsaDefinition ssa) or
   MkGlobalFunctionNode(Function f) or
+  MkImplicitVarargsSlice(CallExpr c) { c.getTarget().isVariadic() and not c.hasEllipsis() } or
   MkSummarizedParameterNode(SummarizedCallable c, int i) {
     FlowSummaryImpl::Private::summaryParameterNodeRange(c, i)
   } or
@@ -426,6 +427,41 @@ module Public {
     override ResultNode getAResult() { result.getRoot() = this.getExpr() }
   }
 
+  /**
+   * An implicit varargs slice creation expression.
+   *
+   * A variadic function like `f(t1 T1, ..., Tm tm, A... x)` actually sees the
+   * varargs parameter as a slice `[]A`. A call `f(t1, ..., tm, x1, ..., xn)`
+   * desugars to `f(t1, ..., tm, []A{x1, ..., xn})`, and this node corresponds
+   * to this implicit slice creation.
+   */
+  class ImplicitVarargsSlice extends Node, MkImplicitVarargsSlice {
+    CallNode call;
+
+    ImplicitVarargsSlice() { this = MkImplicitVarargsSlice(call.getCall()) }
+
+    override ControlFlow::Root getRoot() { result = call.getRoot() }
+
+    /** Gets the call containing this varargs slice creation argument. */
+    CallNode getCallNode() { result = call }
+
+    override Type getType() {
+      exists(Function f | f = call.getTarget() |
+        result = f.getParameterType(f.getNumParameter() - 1)
+      )
+    }
+
+    override string getNodeKind() { result = "implicit varargs slice" }
+
+    override string toString() { result = "[]type{args}" }
+
+    override predicate hasLocationInfo(
+      string filepath, int startline, int startcolumn, int endline, int endcolumn
+    ) {
+      call.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+    }
+  }
+
   /**
    * Gets a possible target of call `cn`.class
    *