Go: Migrate AppenderOrSprinter model to models-as-data

Author: atorralba

go/ql/lib/change-notes/2024-01-09-fmt-apprender-or-sprinter-deprecated.md

@@ -0,0 +1,4 @@
+---
+category: deprecated
+---
+* The class `Fmt::AppenderOrSprinter` of the `Fmt.qll` module has been deprecated. Use the new `Fmt::AppenderOrSprinterFunc` class instead. Its taint flow features have been migrated to models-as-data.

go/ql/lib/ext/fmt.model.yml

@@ -8,3 +8,14 @@ extensions:
       - ["fmt", "ScanState", True, "Token", "", "", "Argument[-1]", "ReturnValue[0]", "taint", "manual"]
       - ["fmt", "State", True, "Write", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
       - ["fmt", "Stringer", True, "String", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
+      - ["fmt", "", True, "Append", "", "", "Argument[0].ArrayElement", "ReturnValue", "taint", "manual"]
+      - ["fmt", "", True, "Append", "", "", "Argument[1].ArrayElement", "ReturnValue", "taint", "manual"]
+      - ["fmt", "", True, "Appendf", "", "", "Argument[0].ArrayElement", "ReturnValue", "taint", "manual"]
+      - ["fmt", "", True, "Appendf", "", "", "Argument[1]", "ReturnValue", "taint", "manual"]
+      - ["fmt", "", True, "Appendf", "", "", "Argument[2].ArrayElement", "ReturnValue", "taint", "manual"]
+      - ["fmt", "", True, "Appendln", "", "", "Argument[0].ArrayElement", "ReturnValue", "taint", "manual"]
+      - ["fmt", "", True, "Appendln", "", "", "Argument[1].ArrayElement", "ReturnValue", "taint", "manual"]
+      - ["fmt", "", True, "Sprint", "", "", "Argument[0].ArrayElement", "ReturnValue", "taint", "manual"]
+      - ["fmt", "", True, "Sprintf", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["fmt", "", True, "Sprintf", "", "", "Argument[1].ArrayElement", "ReturnValue", "taint", "manual"]
+      - ["fmt", "", True, "Sprintln", "", "", "Argument[0].ArrayElement", "ReturnValue", "taint", "manual"]

go/ql/lib/semmle/go/frameworks/stdlib/Fmt.qll

@@ -7,17 +7,28 @@ import go
 // Some TaintTracking::FunctionModel subclasses remain because varargs functions don't work with Models-as-Data sumamries yet.
 /** Provides models of commonly used functions in the `fmt` package. */
 module Fmt {
-  /** The `Sprint` or `Append` functions or one of their variants. */
-  class AppenderOrSprinter extends TaintTracking::FunctionModel {
+  /**
+   * The `Sprint` or `Append` functions or one of their variants.
+   *
+   * DEPRECATED: Use AppenderOrSprinterFunc.
+   */
+  deprecated class AppenderOrSprinter extends TaintTracking::FunctionModel {
     AppenderOrSprinter() { this.hasQualifiedName("fmt", ["Append", "Sprint"] + ["", "f", "ln"]) }
 
     override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) {
       inp.isParameter(_) and outp.isResult()
     }
   }
 
+  /** The `Sprint` or `Append` functions or one of their variants. */
+  class AppenderOrSprinterFunc extends Function {
+    AppenderOrSprinterFunc() {
+      this.hasQualifiedName("fmt", ["Append", "Sprint"] + ["", "f", "ln"])
+    }
+  }
+
   /** The `Sprint` function or one of its variants. */
-  class Sprinter extends AppenderOrSprinter {
+  class Sprinter extends AppenderOrSprinterFunc {
     Sprinter() { this.getName().matches("Sprint%") }
   }
 

go/ql/src/Security/CWE-352/ConstantOauth2State.ql

@@ -99,7 +99,7 @@ module PrivateUrlFlowsToAuthCodeUrlCallConfig implements DataFlow::ConfigSig {
     or
     // Propagate across Sprintf and similar calls
     exists(DataFlow::CallNode cn |
-      cn.getACalleeIncludingExternals().asFunction() instanceof Fmt::AppenderOrSprinter
+      cn.getACalleeIncludingExternals().asFunction() instanceof Fmt::AppenderOrSprinterFunc
     |
       pred = cn.getASyntacticArgument() and succ = cn.getResult()
     )