Add failing test for flow out of varargs param with models-as-data

owen-mc · owen-mc · commit 8cc4cd58c6e8 · 2024-12-06T15:00:37.000Z
diff --git a/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/Flows.expected b/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/Flows.expected
@@ -0,0 +1,2 @@
+testFailures
+invalidModelRow
diff --git a/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/Flows.ext.yml b/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/Flows.ext.yml
@@ -0,0 +1,21 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: summaryModel
+    data:
+      - ["github.com/nonexistent/test", "", False, "FunctionWithParameter", "", "", "Argument[0]", "ReturnValue", "value", "manual"]
+      - ["github.com/nonexistent/test", "", False, "FunctionWithSliceParameter", "", "", "Argument[0].ArrayElement", "ReturnValue", "value", "manual"]
+      - ["github.com/nonexistent/test", "", False, "FunctionWithVarArgsParameter", "", "", "Argument[0].ArrayElement", "ReturnValue", "value", "manual"]
+      - ["github.com/nonexistent/test", "", False, "FunctionWithVarArgsOutParameter", "", "", "Argument[0]", "Argument[1].ArrayElement", "value", "manual"]
+      - ["github.com/nonexistent/test", "", False, "FunctionWithSliceOfStructsParameter", "", "", "Argument[0].ArrayElement.Field[github.com/nonexistent/test.A.Field]", "ReturnValue", "value", "manual"]
+      - ["github.com/nonexistent/test", "", False, "FunctionWithVarArgsOfStructsParameter", "", "", "Argument[0].ArrayElement.Field[github.com/nonexistent/test.A.Field]", "ReturnValue", "value", "manual"]
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sourceModel
+    data:
+      - ["github.com/nonexistent/test", "", False, "VariadicSource", "", "", "Argument[0]", "qltest", "manual"]
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["github.com/nonexistent/test", "", False, "VariadicSink", "", "", "Argument[0]", "qltest", "manual"]
diff --git a/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/Flows.ql b/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/Flows.ql
@@ -0,0 +1,22 @@
+import go
+import semmle.go.dataflow.ExternalFlow
+import ModelValidation
+import TestUtilities.InlineFlowTest
+
+module Config implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    sourceNode(source, "qltest")
+    or
+    exists(Function fn | fn.hasQualifiedName(_, ["source", "taint"]) |
+      source = fn.getACall().getResult()
+    )
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    sinkNode(sink, "qltest")
+    or
+    exists(Function fn | fn.hasQualifiedName(_, "sink") | sink = fn.getACall().getAnArgument())
+  }
+}
+
+import FlowTest<Config, Config>
diff --git a/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/go.mod b/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/go.mod
@@ -0,0 +1,5 @@
+module semmle.go.Packages
+
+go 1.23
+
+require github.com/nonexistent/test v0.0.0-20200203000000-0000000000000
diff --git a/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/main.go b/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/main.go
@@ -0,0 +1,51 @@
+package main
+
+import (
+	"github.com/nonexistent/test"
+)
+
+func source() string {
+	return "untrusted data"
+}
+
+func sink(any) {
+}
+
+func main() {
+	s := source()
+	sink(test.FunctionWithParameter(s)) // $ hasValueFlow="call to FunctionWithParameter"
+
+	stringSlice := []string{source()}
+	sink(stringSlice[0]) // $ hasValueFlow="index expression"
+
+	s0 := ""
+	s1 := source()
+	sSlice := []string{s0, s1}
+	sink(test.FunctionWithParameter(sSlice[1]))        // $ hasValueFlow="call to FunctionWithParameter"
+	sink(test.FunctionWithSliceParameter(sSlice))      // $ hasValueFlow="call to FunctionWithSliceParameter"
+	sink(test.FunctionWithVarArgsParameter(sSlice...)) // $ hasValueFlow="call to FunctionWithVarArgsParameter"
+	sink(test.FunctionWithVarArgsParameter(s0, s1))    // $ hasValueFlow="call to FunctionWithVarArgsParameter"
+
+	var out1 *string
+	var out2 *string
+	test.FunctionWithVarArgsOutParameter(source(), out1, out2)
+	sink(out1) // $ MISSING: hasValueFlow="out1"
+	sink(out2) // $ MISSING: hasValueFlow="out2"
+
+	sliceOfStructs := []test.A{{Field: source()}}
+	sink(sliceOfStructs[0].Field) // $ hasValueFlow="selection of Field"
+
+	a0 := test.A{Field: ""}
+	a1 := test.A{Field: source()}
+	aSlice := []test.A{a0, a1}
+	sink(test.FunctionWithSliceOfStructsParameter(aSlice))      // $ hasValueFlow="call to FunctionWithSliceOfStructsParameter"
+	sink(test.FunctionWithVarArgsOfStructsParameter(aSlice...)) // $ hasValueFlow="call to FunctionWithVarArgsOfStructsParameter"
+	sink(test.FunctionWithVarArgsOfStructsParameter(a0, a1))    // $ hasValueFlow="call to FunctionWithVarArgsOfStructsParameter"
+
+	var variadicSource string
+	test.VariadicSource(&variadicSource)
+	sink(variadicSource) // $ MISSING: hasTaintFlow="variadicSource"
+
+	test.VariadicSink(source()) // $ hasTaintFlow="[]type{args}"
+
+}
diff --git a/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/vendor/github.com/nonexistent/test/stub.go b/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/vendor/github.com/nonexistent/test/stub.go
diff --git a/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/vendor/modules.txt b/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/vendor/modules.txt
@@ -0,0 +1,3 @@
+# github.com/nonexistent/test v0.0.0-20200203000000-0000000000000
+## explicit
+github.com/nonexistent/test

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +module semmle.go.Packages
++
 +go 1.23
++
 +require github.com/nonexistent/test v0.0.0-20200203000000-0000000000000
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+# github.com/nonexistent/test v0.0.0-20200203000000-0000000000000`
	`2`	`+## explicit`
	`3`	`+github.com/nonexistent/test`