Test flow out of varargs param with function models

owen-mc · owen-mc · commit 96c8af89433b · 2024-12-06T15:00:34.000Z
diff --git a/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithFunctionModels/Flows.ql b/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithFunctionModels/Flows.ql
@@ -19,6 +19,9 @@ class SummaryModelTest extends DataFlow::FunctionModel {
     this.hasQualifiedName("github.com/nonexistent/test", "FunctionWithVarArgsParameter") and
     (inp.isParameter(_) and outp.isResult())
     or
+    this.hasQualifiedName("github.com/nonexistent/test", "FunctionWithVarArgsOutParameter") and
+    (inp.isParameter(0) and outp.isParameter(any(int i | i >= 1)))
+    or
     this.hasQualifiedName("github.com/nonexistent/test", "FunctionWithSliceOfStructsParameter") and
     (inp.isParameter(0) and outp.isResult())
     or
diff --git a/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithFunctionModels/go.mod b/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithFunctionModels/go.mod
@@ -1,5 +1,5 @@
 module semmle.go.Packages
 
-go 1.17
+go 1.23
 
 require github.com/nonexistent/test v0.0.0-20200203000000-0000000000000
diff --git a/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithFunctionModels/main.go b/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithFunctionModels/main.go
@@ -8,7 +8,7 @@ func source() string {
 	return "untrusted data"
 }
 
-func sink(string) {
+func sink(any) {
 }
 
 func main() {
@@ -27,6 +27,12 @@ func main() {
 	randomFunctionWithMoreThanOneParameter(1, 2, 3, 4, 5) // This is needed to make the next line pass, because we need to have seen a call to a function with at least 2 parameters for ParameterInput to exist with index 1.
 	sink(test.FunctionWithVarArgsParameter(s0, s1))       // $ hasValueFlow="call to FunctionWithVarArgsParameter"
 
+	var out1 *string
+	var out2 *string
+	test.FunctionWithVarArgsOutParameter(source(), out1, out2)
+	sink(out1) // $ hasValueFlow="out1"
+	sink(out2) // $ hasValueFlow="out2"
+
 	sliceOfStructs := []test.A{{Field: source()}}
 	sink(sliceOfStructs[0].Field) // $ hasValueFlow="selection of Field"
 
diff --git a/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithFunctionModels/vendor/github.com/nonexistent/test/stub.go b/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithFunctionModels/vendor/github.com/nonexistent/test/stub.go

-Original file line number
+Diff line change
@@ @@ -1,5 +1,5 @@ @@
 module semmle.go.Packages
 -go 1.17
 +go 1.23
 require github.com/nonexistent/test v0.0.0-20200203000000-0000000000000