fix afero additional step and tests

Author: am0o0

go/ql/lib/semmle/go/frameworks/Afero.qll

@@ -92,7 +92,7 @@ module Afero {
   predicate aferoSanitizer(DataFlow::Node n) {
     exists(Function f |
       f.hasQualifiedName(aferoPackage(), ["NewBasePathFs", "NewIOFS"]) and
-      DataFlow::localFlow(f.getACall(), n)
+      TaintTracking::localTaint(f.getACall(), n)
     )
   }
 
@@ -103,10 +103,12 @@ module Afero {
    *
    * e.g.`n2 := &afero.Afero{Fs: afero.NewBasePathFs(osFS, "./")}` n1 is `afero.NewBasePathFs(osFS, "./")`
    */
-  predicate additionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) {
-    exists(StructLit st | st.getType().hasQualifiedName(aferoPackage(), "Afero") |
-      n1.asExpr() = st.getAnElement().(KeyValueExpr).getAChildExpr() and
-      n2.asExpr() = st
-    )
+  class AdditionalTaintStep extends TaintTracking::AdditionalTaintStep {
+    override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
+      exists(StructLit st | st.getType().hasQualifiedName(aferoPackage(), "Afero") |
+        n1.asExpr() = st.getAnElement().(KeyValueExpr).getAChildExpr() and
+        n2.asExpr() = st
+      )
+    }
   }
 }

go/ql/test/library-tests/semmle/go/frameworks/Afero/Query.ql

@@ -13,7 +13,9 @@ module FileSystemAccessTest implements TestSig {
       tag = "FileSystemAccess"
     )
     or
-    exists(DataFlow::Node succ, DataFlow::Node pred | Afero::additionalTaintStep(pred, succ) |
+    exists(DataFlow::Node succ, DataFlow::Node pred |
+      any(Afero::AdditionalTaintStep adts).step(pred, succ)
+    |
       succ.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
         location.getStartColumn(), location.getEndLine(), location.getEndColumn()) and
       element = succ.toString() and

go/ql/test/library-tests/semmle/go/frameworks/Afero/test.go

@@ -4,10 +4,11 @@ package main
 
 import (
 	"fmt"
-	"github.com/spf13/afero"
 	"net/http"
 	"os"
 	"regexp"
+
+	"github.com/spf13/afero"
 )
 
 func main() {
@@ -63,8 +64,7 @@ func Afero(writer http.ResponseWriter, request *http.Request) {
 	fmt.Println("Afero:")
 	newBasePathFs := afero.NewBasePathFs(osFS, "tmp")
 	basePathFs0 := &afero.Afero{Fs: newBasePathFs} // $ succ=Afero pred=newBasePathFs
-	// following is a FP, and in a dataflow configuration if we use Afero::additionalTaintStep then we won't have following in results
-	fmt.Println(basePathFs0.ReadFile(filepath)) // $ SPURIOUS: FileSystemAccess=filepath
+	fmt.Println(basePathFs0.ReadFile(filepath))
 
 	// IOFS ==> OK
 	fmt.Println("IOFS:")