fix(G705): eliminate false positive for non-HTTP io.Writer (#1550)

* fix(G705): eliminate false positive for non-HTTP io.Writer

Adds ArgTypeGuards map[int]string to taint.Sink. The XSS analyzer now
requires arg[0] of fmt.Fprint* to implement net/http.ResponseWriter.
Writing exec pipe output to os.Stdout no longer triggers G705.

Fixes: #1548

* improve code coverage

Author: ravisastryk

analyzers/xss.go

@@ -36,12 +36,37 @@ func XSS() taint.Config {
 			{Package: "bufio", Name: "Scanner", Pointer: true},
 		},
 		Sinks: []taint.Sink{
+			// Direct write on the response writer itself — receiver already scopes it.
 			{Package: "net/http", Receiver: "ResponseWriter", Method: "Write"},
-			// For fmt print functions, Args[0] is writer - skip it, check format and data args
-			{Package: "fmt", Method: "Fprintf", CheckArgs: []int{1, 2, 3, 4, 5, 6, 7, 8, 9, 10}},
-			{Package: "fmt", Method: "Fprint", CheckArgs: []int{1, 2, 3, 4, 5, 6, 7, 8, 9, 10}},
-			{Package: "fmt", Method: "Fprintln", CheckArgs: []int{1, 2, 3, 4, 5, 6, 7, 8, 9, 10}},
-			{Package: "io", Method: "WriteString", CheckArgs: []int{1}},
+			// fmt print family: arg[0] is the io.Writer target; args[1..n] are the
+			// format string and variadic data (all checked for taint).
+			// Guard: only treat as a sink when arg[0] implements net/http.ResponseWriter.
+			// Writing to os.Stdout, os.Stderr, bytes.Buffer, exec pipes, etc. is NOT flagged.
+			{
+				Package:       "fmt",
+				Method:        "Fprintf",
+				CheckArgs:     []int{1, 2, 3, 4, 5, 6, 7, 8, 9, 10},
+				ArgTypeGuards: map[int]string{0: "net/http.ResponseWriter"},
+			},
+			{
+				Package:       "fmt",
+				Method:        "Fprint",
+				CheckArgs:     []int{1, 2, 3, 4, 5, 6, 7, 8, 9, 10},
+				ArgTypeGuards: map[int]string{0: "net/http.ResponseWriter"},
+			},
+			{
+				Package:       "fmt",
+				Method:        "Fprintln",
+				CheckArgs:     []int{1, 2, 3, 4, 5, 6, 7, 8, 9, 10},
+				ArgTypeGuards: map[int]string{0: "net/http.ResponseWriter"},
+			},
+			// io.WriteString: same rationale — only a sink when the writer is HTTP.
+			{
+				Package:       "io",
+				Method:        "WriteString",
+				CheckArgs:     []int{1},
+				ArgTypeGuards: map[int]string{0: "net/http.ResponseWriter"},
+			},
 			// Template functions that unsafely inject untrusted content
 			{Package: "html/template", Method: "HTML"},
 			{Package: "html/template", Method: "HTMLAttr"},

go.mod

@@ -50,7 +50,7 @@ require (
 	go.opentelemetry.io/otel/metric v1.37.0 // indirect
 	go.opentelemetry.io/otel/trace v1.37.0 // indirect
 	golang.org/x/mod v0.33.0 // indirect
-	golang.org/x/net v0.50.0 // indirect
+	golang.org/x/net v0.51.0 // indirect
 	golang.org/x/sys v0.41.0 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20250818200422-3122310a409c // indirect
 	google.golang.org/grpc v1.75.0 // indirect

go.sum

@@ -39,8 +39,8 @@ cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohl
 cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs=
 contrib.go.opencensus.io/exporter/stackdriver v0.13.4/go.mod h1:aXENhDJ1Y4lIg4EUaVTwzvYETVNZk10Pu26tevFKLUc=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
-github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
+github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/Masterminds/goutils v1.1.0/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
 github.com/Masterminds/semver v1.4.2/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y=
@@ -515,8 +515,8 @@ golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/
 golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.50.0 h1:ucWh9eiCGyDR3vtzso0WMQinm2Dnt8cFMuQa9K33J60=
-golang.org/x/net v0.50.0/go.mod h1:UgoSli3F/pBgdJBHCTc+tp3gmrU4XswgGRgtnwWTfyM=
+golang.org/x/net v0.51.0 h1:94R/GTO7mt3/4wIKpcR5gkGmRLOuE/2hNGeWq/GBIFo=
+golang.org/x/net v0.51.0/go.mod h1:aamm+2QF5ogm02fjy5Bb7CQ0WMt1/WVM7FtyaTLlA9Y=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=

taint/analyzer_internal_test.go

@@ -1,6 +1,8 @@
 package taint
 
 import (
+	"go/ast"
+	"go/constant"
 	"go/parser"
 	"go/token"
 	"go/types"
@@ -10,6 +12,7 @@ import (
 
 	"golang.org/x/tools/go/analysis"
 	"golang.org/x/tools/go/analysis/passes/buildssa"
+	"golang.org/x/tools/go/ssa"
 
 	"github.com/securego/gosec/v2/internal/ssautil"
 	"github.com/securego/gosec/v2/issue"
@@ -195,3 +198,299 @@ func TestNewIssueReturnsEmptyWhenPositionCannotBeResolved(t *testing.T) {
 		t.Fatalf("expected empty issue for unresolved position, got %+v", iss)
 	}
 }
+
+// ── lookupNamedType ───────────────────────────────────────────────────────────
+
+func TestLookupNamedTypeNoDot(t *testing.T) {
+	t.Parallel()
+	// A path with no dot must return nil before touching prog.
+	if got := lookupNamedType("nodot", nil); got != nil {
+		t.Fatalf("expected nil for path with no dot, got %v", got)
+	}
+}
+
+func TestLookupNamedTypePackageNotInProgram(t *testing.T) {
+	t.Parallel()
+	prog := ssa.NewProgram(token.NewFileSet(), 0)
+	// Program is empty — the requested package is not present.
+	if got := lookupNamedType("net/http.ResponseWriter", prog); got != nil {
+		t.Fatalf("expected nil when package is absent from program, got %v", got)
+	}
+}
+
+func TestLookupNamedTypeFound(t *testing.T) {
+	t.Parallel()
+	prog := ssa.NewProgram(token.NewFileSet(), 0)
+
+	// Manually construct a net/http package with ResponseWriter in its scope.
+	httpPkg := types.NewPackage("net/http", "http")
+	iface := types.NewInterfaceType(nil, nil)
+	obj := types.NewTypeName(token.NoPos, httpPkg, "ResponseWriter", nil)
+	_ = types.NewNamed(obj, iface, nil)
+	httpPkg.Scope().Insert(obj)
+	httpPkg.MarkComplete()
+	prog.CreatePackage(httpPkg, nil, nil, false)
+
+	got := lookupNamedType("net/http.ResponseWriter", prog)
+	if got == nil {
+		t.Fatal("expected non-nil type for known type in program")
+	}
+	named, ok := got.(*types.Named)
+	if !ok {
+		t.Fatalf("expected *types.Named, got %T", got)
+	}
+	if named.Obj().Name() != "ResponseWriter" {
+		t.Fatalf("expected name ResponseWriter, got %s", named.Obj().Name())
+	}
+}
+
+func TestLookupNamedTypeMemberIsNotTypeName(t *testing.T) {
+	t.Parallel()
+	prog := ssa.NewProgram(token.NewFileSet(), 0)
+
+	// Insert a Var (not a TypeName) into the package scope.
+	pkg := types.NewPackage("mylib", "mylib")
+	varObj := types.NewVar(token.NoPos, pkg, "SomeVar", types.Typ[types.String])
+	pkg.Scope().Insert(varObj)
+	pkg.MarkComplete()
+	prog.CreatePackage(pkg, nil, nil, false)
+
+	// SomeVar is a *types.Var, not a *types.TypeName — lookup must return nil.
+	if got := lookupNamedType("mylib.SomeVar", prog); got != nil {
+		t.Fatalf("expected nil for non-TypeName member, got %v", got)
+	}
+}
+
+func TestLookupNamedTypeMemberNotInScope(t *testing.T) {
+	t.Parallel()
+	prog := ssa.NewProgram(token.NewFileSet(), 0)
+
+	// Package with the right path but the requested name is absent from scope.
+	pkg := types.NewPackage("net/http", "http")
+	pkg.MarkComplete()
+	prog.CreatePackage(pkg, nil, nil, false)
+
+	// "Missing" is not in scope — exercises the member==nil continue branch.
+	if got := lookupNamedType("net/http.Missing", prog); got != nil {
+		t.Fatalf("expected nil for absent type name, got %v", got)
+	}
+}
+
+// ── guardsSatisfied ───────────────────────────────────────────────────────────
+
+func TestGuardsSatisfiedEmptyGuards(t *testing.T) {
+	t.Parallel()
+	if !guardsSatisfied(nil, Sink{}, nil) {
+		t.Fatal("expected true for empty ArgTypeGuards")
+	}
+}
+
+func TestGuardsSatisfiedNilProg(t *testing.T) {
+	t.Parallel()
+	sink := Sink{ArgTypeGuards: map[int]string{0: "net/http.ResponseWriter"}}
+	if !guardsSatisfied(nil, sink, nil) {
+		t.Fatal("expected true when prog is nil")
+	}
+}
+
+func TestGuardsSatisfiedArgIdxOutOfRange(t *testing.T) {
+	t.Parallel()
+	prog := ssa.NewProgram(token.NewFileSet(), 0)
+	sink := Sink{ArgTypeGuards: map[int]string{0: "net/http.ResponseWriter"}}
+	// Guard requires arg at index 0 but args slice is empty.
+	if guardsSatisfied([]ssa.Value{}, sink, prog) {
+		t.Fatal("expected false when arg index is out of range")
+	}
+}
+
+func TestGuardsSatisfiedRequiredTypeNotFound(t *testing.T) {
+	t.Parallel()
+	prog := ssa.NewProgram(token.NewFileSet(), 0)
+	// Guard refers to a type that is not present in the program.
+	// The guard must be skipped (continue), so the function returns true.
+	sink := Sink{ArgTypeGuards: map[int]string{0: "missing/pkg.Type"}}
+	arg := ssa.NewConst(constant.MakeString("x"), types.Typ[types.String])
+	if !guardsSatisfied([]ssa.Value{arg}, sink, prog) {
+		t.Fatal("expected true when required type is not found (guard skipped)")
+	}
+}
+
+func TestGuardsSatisfiedInterfaceNotSatisfied(t *testing.T) {
+	t.Parallel()
+	prog := ssa.NewProgram(token.NewFileSet(), 0)
+
+	// Build an interface with one method; string doesn't implement it.
+	pkg := types.NewPackage("io", "io")
+	sig := types.NewSignatureType(nil, nil, nil, nil, nil, false)
+	closeMethod := types.NewFunc(token.NoPos, pkg, "Close", sig)
+	closerIface := types.NewInterfaceType([]*types.Func{closeMethod}, nil)
+	closerIface.Complete()
+	obj := types.NewTypeName(token.NoPos, pkg, "Closer", nil)
+	_ = types.NewNamed(obj, closerIface, nil)
+	pkg.Scope().Insert(obj)
+	pkg.MarkComplete()
+	prog.CreatePackage(pkg, nil, nil, false)
+
+	arg := ssa.NewConst(constant.MakeString("x"), types.Typ[types.String])
+	sink := Sink{ArgTypeGuards: map[int]string{0: "io.Closer"}}
+	if guardsSatisfied([]ssa.Value{arg}, sink, prog) {
+		t.Fatal("expected false when arg type does not implement required interface")
+	}
+}
+
+func TestGuardsSatisfiedEmptyInterfaceSatisfied(t *testing.T) {
+	t.Parallel()
+	prog := ssa.NewProgram(token.NewFileSet(), 0)
+
+	// Empty interface — every type satisfies it.
+	pkg := types.NewPackage("any/pkg", "pkg")
+	emptyIface := types.NewInterfaceType(nil, nil)
+	emptyIface.Complete()
+	obj := types.NewTypeName(token.NoPos, pkg, "AnyType", nil)
+	_ = types.NewNamed(obj, emptyIface, nil)
+	pkg.Scope().Insert(obj)
+	pkg.MarkComplete()
+	prog.CreatePackage(pkg, nil, nil, false)
+
+	arg := ssa.NewConst(constant.MakeString("x"), types.Typ[types.String])
+	sink := Sink{ArgTypeGuards: map[int]string{0: "any/pkg.AnyType"}}
+	if !guardsSatisfied([]ssa.Value{arg}, sink, prog) {
+		t.Fatal("expected true when arg implements empty interface")
+	}
+}
+
+func TestGuardsSatisfiedConcreteTypeNotSatisfied(t *testing.T) {
+	t.Parallel()
+	prog := ssa.NewProgram(token.NewFileSet(), 0)
+
+	// Named struct type — string is not identical to it.
+	pkg := types.NewPackage("myapp", "myapp")
+	obj := types.NewTypeName(token.NoPos, pkg, "MyStruct", nil)
+	_ = types.NewNamed(obj, types.NewStruct(nil, nil), nil)
+	pkg.Scope().Insert(obj)
+	pkg.MarkComplete()
+	prog.CreatePackage(pkg, nil, nil, false)
+
+	arg := ssa.NewConst(constant.MakeString("x"), types.Typ[types.String])
+	sink := Sink{ArgTypeGuards: map[int]string{0: "myapp.MyStruct"}}
+	// string != myapp.MyStruct and string != *myapp.MyStruct → guard not satisfied.
+	if guardsSatisfied([]ssa.Value{arg}, sink, prog) {
+		t.Fatal("expected false when arg type does not match required concrete type")
+	}
+}
+
+// ── resolveOriginalType ───────────────────────────────────────────────────────
+
+func TestResolveOriginalTypeDefault(t *testing.T) {
+	t.Parallel()
+	// A plain Const value — no ChangeInterface or MakeInterface wrapping.
+	val := ssa.NewConst(constant.MakeString("test"), types.Typ[types.String])
+	got := resolveOriginalType(val)
+	if !types.Identical(got, types.Typ[types.String]) {
+		t.Fatalf("expected string type, got %v", got)
+	}
+}
+
+func TestAnalyzeSetsProgAndBuildsCallGraph(t *testing.T) {
+	t.Parallel()
+
+	// Build a minimal self-contained package with a local interface W.
+	// Function f calls w.Write() which is configured as a sink below.
+	src := `package p
+
+type W interface{ Write([]byte) (int, error) }
+type B struct{}
+
+func (b *B) Write(p []byte) (int, error) { return 0, nil }
+func f(w W)                               { w.Write([]byte("hello")) }
+`
+	fset := token.NewFileSet()
+	parsed, err := parser.ParseFile(fset, "p.go", src, 0)
+	if err != nil {
+		t.Fatalf("parse: %v", err)
+	}
+	info := &types.Info{
+		Types:      make(map[ast.Expr]types.TypeAndValue),
+		Defs:       make(map[*ast.Ident]types.Object),
+		Uses:       make(map[*ast.Ident]types.Object),
+		Implicits:  make(map[ast.Node]types.Object),
+		Scopes:     make(map[ast.Node]*types.Scope),
+		Selections: make(map[*ast.SelectorExpr]*types.Selection),
+	}
+	pkg, err := (&types.Config{}).Check("p", fset, []*ast.File{parsed}, info)
+	if err != nil {
+		t.Fatalf("type-check: %v", err)
+	}
+	prog := ssa.NewProgram(fset, ssa.BuilderMode(0))
+	ssaPkg := prog.CreatePackage(pkg, []*ast.File{parsed}, info, true)
+	prog.Build()
+
+	fn := ssaPkg.Func("f")
+	if fn == nil {
+		t.Fatal("SSA function f not found")
+	}
+
+	// Sink matches the invoke call w.Write inside f; ArgTypeGuards left empty
+	// so guardsSatisfied is reached and returns true without further work.
+	analyzer := New(&Config{
+		Sinks: []Sink{
+			{Package: "p", Receiver: "W", Method: "Write"},
+		},
+	})
+
+	_ = analyzer.Analyze(prog, []*ssa.Function{fn})
+}
+
+func TestResolveOriginalTypeMakeInterface(t *testing.T) {
+	t.Parallel()
+	// Build a minimal, self-contained SSA program (no external imports) that
+	// boxes a concrete *B value into interface W.  This exercises the
+	// *ssa.MakeInterface branch of resolveOriginalType.
+	src := `package p
+
+type W interface{ Write([]byte) (int, error) }
+type B struct{}
+
+func (b *B) Write(p []byte) (int, error) { return 0, nil }
+func f() W                               { return &B{} }
+`
+	fset := token.NewFileSet()
+	parsed, err := parser.ParseFile(fset, "p.go", src, 0)
+	if err != nil {
+		t.Fatalf("parse: %v", err)
+	}
+	info := &types.Info{
+		Types:      make(map[ast.Expr]types.TypeAndValue),
+		Defs:       make(map[*ast.Ident]types.Object),
+		Uses:       make(map[*ast.Ident]types.Object),
+		Implicits:  make(map[ast.Node]types.Object),
+		Scopes:     make(map[ast.Node]*types.Scope),
+		Selections: make(map[*ast.SelectorExpr]*types.Selection),
+	}
+	pkg, err := (&types.Config{}).Check("p", fset, []*ast.File{parsed}, info)
+	if err != nil {
+		t.Fatalf("type-check: %v", err)
+	}
+	prog := ssa.NewProgram(fset, ssa.BuilderMode(0))
+	ssaPkg := prog.CreatePackage(pkg, []*ast.File{parsed}, info, true)
+	prog.Build()
+
+	fn := ssaPkg.Func("f")
+	if fn == nil {
+		t.Fatal("SSA function f not found")
+	}
+	for _, blk := range fn.Blocks {
+		for _, instr := range blk.Instrs {
+			mi, ok := instr.(*ssa.MakeInterface)
+			if !ok {
+				continue
+			}
+			got := resolveOriginalType(mi)
+			if got == nil {
+				t.Fatal("resolveOriginalType returned nil for MakeInterface")
+			}
+			return
+		}
+	}
+	t.Fatal("no MakeInterface instruction found in function f")
+}