From a01169eec2a29e1e8f74844c54232f2c48f1be19 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Wed, 14 Jun 2023 14:22:39 +0100
Subject: [PATCH 1/3] add "Dereference" content for PointerContent

---
 go/ql/lib/semmle/go/dataflow/ExternalFlow.qll | 2 ++
 .../semmle/go/dataflow/ExternalFlow/completetest.ext.yml | 4 ++--
 .../library-tests/semmle/go/dataflow/ExternalFlow/test.go | 4 ++--
 3 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/go/ql/lib/semmle/go/dataflow/ExternalFlow.qll b/go/ql/lib/semmle/go/dataflow/ExternalFlow.qll
index 0c6ee1c31347..f04ce0057949 100644
--- a/go/ql/lib/semmle/go/dataflow/ExternalFlow.qll
+++ b/go/ql/lib/semmle/go/dataflow/ExternalFlow.qll
@@ -342,6 +342,8 @@ predicate parseContent(string component, DataFlow::Content content) {
   component = "MapKey" and content instanceof DataFlow::MapKeyContent
   or
   component = "MapValue" and content instanceof DataFlow::MapValueContent
+  or
+  component = "Dereference" and content instanceof DataFlow::PointerContent
 }
 
 cached
diff --git a/go/ql/test/library-tests/semmle/go/dataflow/ExternalFlow/completetest.ext.yml b/go/ql/test/library-tests/semmle/go/dataflow/ExternalFlow/completetest.ext.yml
index 4ec8602daafe..47e51e573f01 100644
--- a/go/ql/test/library-tests/semmle/go/dataflow/ExternalFlow/completetest.ext.yml
+++ b/go/ql/test/library-tests/semmle/go/dataflow/ExternalFlow/completetest.ext.yml
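Review bot: The string-to-content table in parseContent now has a second copy in getContentSpecific (patch 2, FlowSummaryImplSpecific.qll), and nothing ties the two together, so a content kind added to one and not the other would leave a model either unparsable or unprintable without any error. Suggest a comment above the new disjunct in this hunk, `// Keep in sync with getContentSpecific in FlowSummaryImplSpecific.qll`, and the mirror comment in the other hunk. parseContent begins before this hunk.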
@@ -22,9 +22,9 @@ extensions:
       - ["github.com/nonexistent/test", "", False, "GetMapKey", "", "", "Argument[0].MapKey", "ReturnValue", "value", "manual"]
       - ["github.com/nonexistent/test", "", False, "SetElement", "", "", "Argument[0]", "ReturnValue.Element", "value", "manual"]
       - ["github.com/nonexistent/test", "C", False, "Get", "", "", "Argument[-1].Field[github.com/nonexistent/test.C.F]", "ReturnValue", "value", "manual"]
-      - ["github.com/nonexistent/test", "C", False, "GetThroughPointer", "", "", "Argument[-1].Field[github.com/nonexistent/test.C.F]", "ReturnValue", "value", "manual"]
+      - ["github.com/nonexistent/test", "C", False, "GetThroughPointer", "", "", "Argument[-1].Dereference.Field[github.com/nonexistent/test.C.F]", "ReturnValue", "value", "manual"]
       - ["github.com/nonexistent/test", "C", False, "Set", "", "", "Argument[0]", "Argument[-1].Field[github.com/nonexistent/test.C.F]", "value", "manual"]
-      - ["github.com/nonexistent/test", "C", False, "SetThroughPointer", "", "", "Argument[0]", "Argument[-1].Field[github.com/nonexistent/test.C.F]", "value", "manual"]
+      - ["github.com/nonexistent/test", "C", False, "SetThroughPointer", "", "", "Argument[0]", "Argument[-1].Dereference.Field[github.com/nonexistent/test.C.F]", "value", "manual"]
 
   - addsTo:
       pack: codeql/go-all
diff --git a/go/ql/test/library-tests/semmle/go/dataflow/ExternalFlow/test.go b/go/ql/test/library-tests/semmle/go/dataflow/ExternalFlow/test.go
index 0d92787b65c8..35da086a8886 100644
--- a/go/ql/test/library-tests/semmle/go/dataflow/ExternalFlow/test.go
+++ b/go/ql/test/library-tests/semmle/go/dataflow/ExternalFlow/test.go
@@ -143,10 +143,10 @@ func simpleflow() {
 
 	cp1 := &test.C{""}
 	cp1.SetThroughPointer(a.Src1().(string))
-	b.Sink1(cp1.F) // $ MISSING: hasTaintFlow="selection of F"
+	b.Sink1(cp1.F) // $ hasTaintFlow="selection of F"
 
 	cp2 := &test.C{a.Src1().(string)}
-	b.Sink1(cp2.GetThroughPointer()) // $ MISSING: hasTaintFlow="call to GetThroughPointer"
+	b.Sink1(cp2.GetThroughPointer()) // $ hasTaintFlow="call to GetThroughPointer"
 
 	cp3 := &test.C{""}
 	cp3.SetThroughPointer(a.Src1().(string))

From 732b14ee3800204db6c9820f33e2cf6a50c8bb95 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Tue, 20 Jun 2023 11:04:03 +0100
Subject: [PATCH 2/3] Update pretty printing predicates

---
 .../lib/semmle/go/dataflow/internal/FlowSummaryImplSpecific.qll | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/go/ql/lib/semmle/go/dataflow/internal/FlowSummaryImplSpecific.qll b/go/ql/lib/semmle/go/dataflow/internal/FlowSummaryImplSpecific.qll
index 41ae6b50ce31..609790659f85 100644
--- a/go/ql/lib/semmle/go/dataflow/internal/FlowSummaryImplSpecific.qll
+++ b/go/ql/lib/semmle/go/dataflow/internal/FlowSummaryImplSpecific.qll
@@ -106,6 +106,8 @@ private string getContentSpecific(Content c) {
   c instanceof MapKeyContent and result = "MapKey"
   or
   c instanceof MapValueContent and result = "MapValue"
+  or
+  c instanceof PointerContent and result = "Dereference"
 }
 
 /** Gets the textual representation of the content in the format used for flow summaries. */

From 04ff89e1feecc7b6240c5d9e6d580cc09ca50f03 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Tue, 20 Jun 2023 11:05:05 +0100
Subject: [PATCH 3/3] Update access path documentation

---
 .../lib/semmle/code/csharp/dataflow/ExternalFlow.qll | 4 ++--
 go/ql/lib/semmle/go/dataflow/ExternalFlow.qll | 12 ++++++++++++
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/ExternalFlow.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/ExternalFlow.qll
index 46a19828a814..fbf5217a7f0f 100644
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/ExternalFlow.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/ExternalFlow.qll
@@ -62,8 +62,8 @@
  * in the given range. The range is inclusive at both ends.
  * - "ReturnValue": Selects the return value of a call to the selected element.
- * For summaries, `input` and `output` may be prefixed by one of the following,
- * separated by the "of" keyword:
+ * For summaries, `input` and `output` may be suffixed by any number of the
+ * following, separated by ".":
  * - "Element": Selects an element in a collection.
  * - "Field[f]": Selects the contents of field `f`.
  * - "Property[p]": Selects the contents of property `p`.
diff --git a/go/ql/lib/semmle/go/dataflow/ExternalFlow.qll b/go/ql/lib/semmle/go/dataflow/ExternalFlow.qll
index f04ce0057949..ab46c9206e82 100644
--- a/go/ql/lib/semmle/go/dataflow/ExternalFlow.qll
+++ b/go/ql/lib/semmle/go/dataflow/ExternalFlow.qll
@@ -54,6 +54,18 @@
  * return value. The return values are zero-indexed
  * - "ReturnValue[n1..n2]": Similar to "ReturnValue[n]" but selects any
  * return value in the given range. The range is inclusive at both ends.
+ *
+ * For summaries, `input` and `output` may be suffixed by any number of the
+ * following, separated by ".":
+ * - "Field[pkg.className.fieldname]": Selects the contents of the field `f`
+ * which satisfies `f.hasQualifiedName(pkg, className, fieldname)`.
+ * - "SyntheticField[f]": Selects the contents of the synthetic field `f`.
+ * - "ArrayElement": Selects an element in an array or slice.
+ * - "Element": Selects an element in a collection.
+ * - "MapKey": Selects a key in a map.
+ * - "MapValue": Selects a value in a map.
+ * - "Dereference": Selects the value referenced by a pointer.
+ *
  * 8. The `kind` column is a tag that can be referenced from QL to determine to
  * which classes the interpreted elements should be added. For example, for
  * sources "remote" indicates a default remote flow source, and for summaries
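Review bot: The new Go list in the second hunk says the suffixes may be combined in any number, but not that they are read left to right along the access path, which is exactly what matters for the pointer case this series adds: the updated model rows reach a field through a pointer receiver with `Argument[-1].Dereference.Field[...]`, and writing the suffixes the other way round would describe a pointer stored in the field instead. A model author who gets the order wrong gets a summary that silently matches nothing, so the pointer-receiver case deserves an example after the "Dereference" entry, e.g. ` * For example, "Argument[-1].Dereference.Field[pkg.C.F]" selects the field `F` of the struct the receiver points to.` (with `pkg.C.F` standing in for a real qualified name). The surrounding comment continues on both sides of the hunk.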