fix tests, and review suggestions.

Author: am0o0

go/ql/lib/change-notes/2023-09-25-add-new-file-system-access-sinks.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Support has been added for file system access sinks in the following libraries: [net/http](https://pkg.go.dev/net/http), [Afero](https://github.com/spf13/afero), [beego](https://pkg.go.dev/github.com/astaxie/beego), [Echo](https://pkg.go.dev/github.com/labstack/echo), [Fiber](https://github.com/kataras/iris), [Gin](https://pkg.go.dev/github.com/gin-gonic/gin), [Iris](https://github.com/kataras/iris).

go/ql/lib/go.qll

@@ -30,6 +30,7 @@ import semmle.go.dataflow.GlobalValueNumbering
 import semmle.go.dataflow.SSA
 import semmle.go.dataflow.TaintTracking
 import semmle.go.dataflow.TaintTracking2
+import semmle.go.frameworks.Afero
 import semmle.go.frameworks.Beego
 import semmle.go.frameworks.BeegoOrm
 import semmle.go.frameworks.Chi
@@ -38,11 +39,13 @@ import semmle.go.frameworks.Echo
 import semmle.go.frameworks.ElazarlGoproxy
 import semmle.go.frameworks.Email
 import semmle.go.frameworks.Encoding
+import semmle.go.frameworks.Fiber
 import semmle.go.frameworks.Gin
 import semmle.go.frameworks.Glog
 import semmle.go.frameworks.GoMicro
 import semmle.go.frameworks.GoRestfulHttp
 import semmle.go.frameworks.Gqlgen
+import semmle.go.frameworks.Iris
 import semmle.go.frameworks.K8sIoApimachineryPkgRuntime
 import semmle.go.frameworks.K8sIoApiCoreV1
 import semmle.go.frameworks.K8sIoClientGo
@@ -64,6 +67,3 @@ import semmle.go.frameworks.XPath
 import semmle.go.frameworks.Yaml
 import semmle.go.frameworks.Zap
 import semmle.go.security.FlowSources
-import semmle.go.frameworks.Afero
-import semmle.go.frameworks.Iris
-import semmle.go.frameworks.Fiber

go/ql/lib/semmle/go/frameworks/Afero.qll

@@ -105,7 +105,7 @@ module Afero {
    */
   predicate additionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) {
     exists(StructLit st | st.getType().hasQualifiedName(aferoPackage(), "Afero") |
-      n1.asExpr() = st.getAChildExpr().(KeyValueExpr).getAChildExpr() and
+      n1.asExpr() = st.getAnElement().(KeyValueExpr).getAChildExpr() and
       n2.asExpr() = st
     )
   }

go/ql/lib/semmle/go/frameworks/Echo.qll

@@ -103,16 +103,13 @@ private module Echo {
    * The File system access sinks
    */
   class FsOperations extends FileSystemAccess::Range, DataFlow::CallNode {
-    int pathArg;
-
     FsOperations() {
       exists(Method m |
         m.hasQualifiedName(packagePath(), "Context", ["Attachment", "File"]) and
-        this = m.getACall() and
-        pathArg = 0
+        this = m.getACall()
       )
     }
 
-    override DataFlow::Node getAPathArgument() { result = this.getArgument(pathArg) }
+    override DataFlow::Node getAPathArgument() { result = this.getArgument(0) }
   }
 }

go/ql/lib/semmle/go/frameworks/Iris.qll

@@ -4,11 +4,11 @@
 
 import go
 
-private module Gin {
-  /** Gets the v1 module path `github.com/gofiber/fiber`. */
+private module Iris {
+  /** Gets the v1 module path `github.com/kataras/iris`. */
   string v1modulePath() { result = "github.com/kataras/iris" }
 
-  /** Gets the v12 module path `github.com/gofiber/fiber/v12` */
+  /** Gets the v12 module path `github.com/kataras/iris/v12` */
   string v12modulePath() { result = "github.com/kataras/iris/v12" }
 
   /** Gets the path for the context package of all versions of beego. */

go/ql/src/change-notes/2023-09-25-add-new-filesystemaccess-sinks.md

@@ -54,15 +54,15 @@ func Afero(writer http.ResponseWriter, request *http.Request) {
 
 	// osFS ==> NOT OK
 	fmt.Println("Afero:")
-	afs := &afero.Afero{Fs: osFS}       // $ succ=Afero pred=osFS
+	afs := &afero.Afero{Fs: osFS} // $ succ=Afero pred=osFS
 	afs0 := afero.Afero{Fs: osFS} // $ succ=Afero pred=osFS
-    afs = &afs0
+	afs = &afs0
 	fmt.Println(afs.ReadFile(filepath)) // $ FileSystemAccess=filepath
 
 	// BasePathFs ==> OK
 	fmt.Println("Afero:")
 	newBasePathFs := afero.NewBasePathFs(osFS, "tmp")
-	basePathFs0 := &afero.Afero{Fs: newBasePathFs}// $ succ=Afero pred=newBasePathFs
+	basePathFs0 := &afero.Afero{Fs: newBasePathFs} // $ succ=Afero pred=newBasePathFs
 	// following is a FP, and in a dataflow configuration if we use Afero::additionalTaintStep then we won't have following in results
 	fmt.Println(basePathFs0.ReadFile(filepath)) // $ SPURIOUS: FileSystemAccess=filepath