Go: show FunctionModel steps in path summaries #13461

Merged
@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* When a result of path query flows through a function modeled using `DataFlow::FunctionModel` or `TaintTracking::FunctionModel`, the path now includes nodes corresponding to the input and output to the function. This brings it in line with functions modeled using Models-as-Data.
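Review bot: the change-note sentence needs a small grammar pass before it ships: "When a result of path query flows through" should read "When a result of a path query flows through", and "the input and output to the function" is clearer as "the inputs and outputs of the function", since a model can have several of each (the new predicate uses `getAnInputNode(_)` / `getAnOutputNode(_)`). The `minorAnalysis` category fits: only the path detail changes, not which results are reported.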
6 changes: 5 additions & 1 deletion go/ql/lib/semmle/go/dataflow/internal/DataFlowPrivate.qll
@@ -232,7 +232,11 @@ class CastNode extends ExprNode {
* Holds if `n` should never be skipped over in the `PathGraph` and in path
* explanations.
*/
predicate neverSkipInPathGraph(Node n) { none() }
predicate neverSkipInPathGraph(Node n) {
exists(DataFlow::FunctionModel fm | fm.getAnInputNode(_) = n or fm.getAnOutputNode(_) = n)
or
exists(TaintTracking::FunctionModel fm | fm.getAnInputNode(_) = n or fm.getAnOutputNode(_) = n)
}

class DataFlowExpr = Expr;

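Review bot: the QLDoc above `neverSkipInPathGraph` is now out of date; it still says only "Holds if `n` should never be skipped over" and does not say which nodes qualify, so add a sentence along the lines of "Currently this holds for the input and output nodes of `DataFlow::FunctionModel` and `TaintTracking::FunctionModel`, so that modeled functions appear in path explanations like Models-as-Data ones". Two smaller points: the two disjuncts are textually identical apart from the class name, so confirm that `DataFlow::FunctionModel` and `TaintTracking::FunctionModel` really are unrelated classes (otherwise one disjunct subsumes the other and can be dropped), and confirm that `TaintTracking` is imported in this internal file, since no import appears in the hunk.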
6 changes: 5 additions & 1 deletion go/ql/test/experimental/CWE-134/DsnInjection.expected
@@ -1,7 +1,11 @@
edges
| Dsn.go:47:10:47:30 | call to FormValue | Dsn.go:50:29:50:33 | dbDSN |
| Dsn.go:47:10:47:30 | call to FormValue | Dsn.go:49:102:49:105 | name |
| Dsn.go:49:11:49:106 | call to Sprintf | Dsn.go:50:29:50:33 | dbDSN |
| Dsn.go:49:102:49:105 | name | Dsn.go:49:11:49:106 | call to Sprintf |
nodes
| Dsn.go:47:10:47:30 | call to FormValue | semmle.label | call to FormValue |
| Dsn.go:49:11:49:106 | call to Sprintf | semmle.label | call to Sprintf |
| Dsn.go:49:102:49:105 | name | semmle.label | name |
| Dsn.go:50:29:50:33 | dbDSN | semmle.label | dbDSN |
subpaths
#select
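Review bot: the new path `call to FormValue → name → call to Sprintf → dbDSN`, with `name` (the `Sprintf` argument, i.e. the model's input node) added under `nodes`, is exactly the behaviour the change note describes. The edge `call to FormValue → dbDSN` that jumps over `Sprintf` is the one expected to disappear now that the model's input node is no longer skipped; please double-check it is the removed line and has not been retained alongside the two-step path. Since source and sink are unchanged, the `#select` rows (cut off in this view) should be identical to before.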
19 changes: 14 additions & 5 deletions go/ql/test/experimental/CWE-134/DsnInjectionLocal.expected
@@ -1,25 +1,34 @@
edges
| Dsn.go:26:11:26:17 | selection of Args | Dsn.go:29:29:29:33 | dbDSN |
| Dsn.go:26:11:26:17 | selection of Args | Dsn.go:28:102:28:109 | index expression |
| Dsn.go:28:11:28:110 | call to Sprintf | Dsn.go:29:29:29:33 | dbDSN |
| Dsn.go:28:102:28:109 | index expression | Dsn.go:28:11:28:110 | call to Sprintf |
| Dsn.go:62:2:62:4 | definition of cfg [pointer] | Dsn.go:63:9:63:11 | cfg [pointer] |
| Dsn.go:62:2:62:4 | definition of cfg [pointer] | Dsn.go:67:102:67:104 | cfg [pointer] |
| Dsn.go:63:9:63:11 | cfg [pointer] | Dsn.go:63:9:63:11 | implicit dereference |
| Dsn.go:63:9:63:11 | implicit dereference | Dsn.go:62:2:62:4 | definition of cfg [pointer] |
| Dsn.go:63:9:63:11 | implicit dereference | Dsn.go:63:9:63:11 | implicit dereference |
| Dsn.go:63:9:63:11 | implicit dereference | Dsn.go:68:29:68:33 | dbDSN |
| Dsn.go:63:19:63:25 | selection of Args | Dsn.go:63:9:63:11 | implicit dereference |
| Dsn.go:63:19:63:25 | selection of Args | Dsn.go:68:29:68:33 | dbDSN |
| Dsn.go:63:9:63:11 | implicit dereference | Dsn.go:67:102:67:108 | selection of dsn |
| Dsn.go:63:19:63:25 | selection of Args | Dsn.go:63:19:63:29 | slice expression |
| Dsn.go:63:19:63:29 | slice expression | Dsn.go:63:9:63:11 | implicit dereference |
| Dsn.go:67:11:67:109 | call to Sprintf | Dsn.go:68:29:68:33 | dbDSN |
| Dsn.go:67:102:67:104 | cfg [pointer] | Dsn.go:67:102:67:104 | implicit dereference |
| Dsn.go:67:102:67:104 | implicit dereference | Dsn.go:63:9:63:11 | implicit dereference |
| Dsn.go:67:102:67:104 | implicit dereference | Dsn.go:68:29:68:33 | dbDSN |
| Dsn.go:67:102:67:104 | implicit dereference | Dsn.go:67:102:67:108 | selection of dsn |
| Dsn.go:67:102:67:108 | selection of dsn | Dsn.go:67:11:67:109 | call to Sprintf |
nodes
| Dsn.go:26:11:26:17 | selection of Args | semmle.label | selection of Args |
| Dsn.go:28:11:28:110 | call to Sprintf | semmle.label | call to Sprintf |
| Dsn.go:28:102:28:109 | index expression | semmle.label | index expression |
| Dsn.go:29:29:29:33 | dbDSN | semmle.label | dbDSN |
| Dsn.go:62:2:62:4 | definition of cfg [pointer] | semmle.label | definition of cfg [pointer] |
| Dsn.go:63:9:63:11 | cfg [pointer] | semmle.label | cfg [pointer] |
| Dsn.go:63:9:63:11 | implicit dereference | semmle.label | implicit dereference |
| Dsn.go:63:19:63:25 | selection of Args | semmle.label | selection of Args |
| Dsn.go:63:19:63:29 | slice expression | semmle.label | slice expression |
| Dsn.go:67:11:67:109 | call to Sprintf | semmle.label | call to Sprintf |
| Dsn.go:67:102:67:104 | cfg [pointer] | semmle.label | cfg [pointer] |
| Dsn.go:67:102:67:104 | implicit dereference | semmle.label | implicit dereference |
| Dsn.go:67:102:67:108 | selection of dsn | semmle.label | selection of dsn |
| Dsn.go:68:29:68:33 | dbDSN | semmle.label | dbDSN |
subpaths
#select
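Review bot: the self-loop `Dsn.go:63:9:63:11 implicit dereference → Dsn.go:63:9:63:11 implicit dereference` and the back edge from that node to `Dsn.go:62:2:62:4 definition of cfg [pointer]` deserve a second look. They look like pointer store/read steps from field flow rather than anything this change introduces, which is fine if they were already in the previous expected output; if they are new, the un-skipped input/output nodes are interacting with path-graph compression in a way the change note does not mention. The rest of the hunk is consistent: `selection of Args → slice expression → implicit dereference` and `selection of dsn → call to Sprintf` replace the edges that previously jumped straight to `dbDSN`, and the corresponding `selection of dsn`, `slice expression`, `cfg [pointer]` and `index expression` nodes are listed under `nodes`.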
24 changes: 18 additions & 6 deletions go/ql/test/experimental/CWE-918/SSRF.expected
@@ -4,17 +4,23 @@ edges
| builtin.go:97:21:97:31 | call to Referer | builtin.go:101:36:101:49 | untrustedInput |
| builtin.go:111:21:111:31 | call to Referer | builtin.go:114:15:114:28 | untrustedInput |
| builtin.go:129:21:129:31 | call to Referer | builtin.go:132:38:132:51 | untrustedInput |
| new-tests.go:26:26:26:30 | &... | new-tests.go:31:11:31:57 | call to Sprintf |
| new-tests.go:26:26:26:30 | &... | new-tests.go:32:11:32:57 | call to Sprintf |
| new-tests.go:26:26:26:30 | &... | new-tests.go:35:12:35:58 | call to Sprintf |
| new-tests.go:26:26:26:30 | &... | new-tests.go:31:48:31:56 | selection of word |
| new-tests.go:26:26:26:30 | &... | new-tests.go:32:48:32:56 | selection of safe |
| new-tests.go:26:26:26:30 | &... | new-tests.go:35:49:35:57 | selection of word |
| new-tests.go:31:48:31:56 | selection of word | new-tests.go:31:11:31:57 | call to Sprintf |
| new-tests.go:32:48:32:56 | selection of safe | new-tests.go:32:11:32:57 | call to Sprintf |
| new-tests.go:35:49:35:57 | selection of word | new-tests.go:35:12:35:58 | call to Sprintf |
| new-tests.go:39:18:39:30 | call to Param | new-tests.go:47:11:47:46 | ...+... |
| new-tests.go:49:18:49:30 | call to Query | new-tests.go:50:11:50:46 | ...+... |
| new-tests.go:62:2:62:39 | ... := ...[0] | new-tests.go:63:17:63:23 | reqBody |
| new-tests.go:62:31:62:38 | selection of Body | new-tests.go:62:2:62:39 | ... := ...[0] |
| new-tests.go:63:17:63:23 | reqBody | new-tests.go:63:26:63:30 | &... |
| new-tests.go:63:26:63:30 | &... | new-tests.go:68:11:68:57 | call to Sprintf |
| new-tests.go:63:26:63:30 | &... | new-tests.go:69:11:69:57 | call to Sprintf |
| new-tests.go:63:26:63:30 | &... | new-tests.go:74:12:74:58 | call to Sprintf |
| new-tests.go:63:26:63:30 | &... | new-tests.go:68:48:68:56 | selection of word |
| new-tests.go:63:26:63:30 | &... | new-tests.go:69:48:69:56 | selection of safe |
| new-tests.go:63:26:63:30 | &... | new-tests.go:74:49:74:57 | selection of word |
| new-tests.go:68:48:68:56 | selection of word | new-tests.go:68:11:68:57 | call to Sprintf |
| new-tests.go:69:48:69:56 | selection of safe | new-tests.go:69:11:69:57 | call to Sprintf |
| new-tests.go:74:49:74:57 | selection of word | new-tests.go:74:12:74:58 | call to Sprintf |
| new-tests.go:78:18:78:24 | selection of URL | new-tests.go:78:18:78:32 | call to Query |
| new-tests.go:78:18:78:32 | call to Query | new-tests.go:78:18:78:46 | call to Get |
| new-tests.go:78:18:78:46 | call to Get | new-tests.go:79:11:79:46 | ...+... |
@@ -36,8 +42,11 @@ nodes
| builtin.go:132:38:132:51 | untrustedInput | semmle.label | untrustedInput |
| new-tests.go:26:26:26:30 | &... | semmle.label | &... |
| new-tests.go:31:11:31:57 | call to Sprintf | semmle.label | call to Sprintf |
| new-tests.go:31:48:31:56 | selection of word | semmle.label | selection of word |
| new-tests.go:32:11:32:57 | call to Sprintf | semmle.label | call to Sprintf |
| new-tests.go:32:48:32:56 | selection of safe | semmle.label | selection of safe |
| new-tests.go:35:12:35:58 | call to Sprintf | semmle.label | call to Sprintf |
| new-tests.go:35:49:35:57 | selection of word | semmle.label | selection of word |
| new-tests.go:39:18:39:30 | call to Param | semmle.label | call to Param |
| new-tests.go:47:11:47:46 | ...+... | semmle.label | ...+... |
| new-tests.go:49:18:49:30 | call to Query | semmle.label | call to Query |
@@ -47,8 +56,11 @@ nodes
| new-tests.go:63:17:63:23 | reqBody | semmle.label | reqBody |
| new-tests.go:63:26:63:30 | &... | semmle.label | &... |
| new-tests.go:68:11:68:57 | call to Sprintf | semmle.label | call to Sprintf |
| new-tests.go:68:48:68:56 | selection of word | semmle.label | selection of word |
| new-tests.go:69:11:69:57 | call to Sprintf | semmle.label | call to Sprintf |
| new-tests.go:69:48:69:56 | selection of safe | semmle.label | selection of safe |
| new-tests.go:74:12:74:58 | call to Sprintf | semmle.label | call to Sprintf |
| new-tests.go:74:49:74:57 | selection of word | semmle.label | selection of word |
| new-tests.go:78:18:78:24 | selection of URL | semmle.label | selection of URL |
| new-tests.go:78:18:78:32 | call to Query | semmle.label | call to Query |
| new-tests.go:78:18:78:46 | call to Get | semmle.label | call to Get |
Original file line number Diff line number Diff line change
@@ -47,7 +47,7 @@ edges
| test.go:240:15:240:36 | call to GetString | test.go:243:21:243:29 | untrusted |
| test.go:253:23:253:44 | call to GetCookie | test.go:253:16:253:45 | type conversion |
| test.go:264:62:264:83 | call to GetCookie | test.go:264:55:264:84 | type conversion |
| test.go:269:2:269:40 | ... := ...[0] | test.go:277:21:277:61 | call to GetDisplayString |
| test.go:269:2:269:40 | ... := ...[0] | test.go:277:44:277:60 | selection of Filename |
| test.go:269:2:269:40 | ... := ...[0] | test.go:278:38:278:49 | genericFiles |
| test.go:269:2:269:40 | ... := ...[0] | test.go:279:37:279:48 | genericFiles |
| test.go:269:2:269:40 | ... := ...[0] | test.go:285:4:285:15 | genericFiles |
@@ -61,6 +61,7 @@ edges
| test.go:269:2:269:40 | ... := ...[0] | test.go:295:39:295:50 | genericFiles |
| test.go:269:2:269:40 | ... := ...[0] | test.go:296:40:296:51 | genericFiles |
| test.go:269:2:269:40 | ... := ...[0] | test.go:297:39:297:50 | genericFiles |
| test.go:277:44:277:60 | selection of Filename | test.go:277:21:277:61 | call to GetDisplayString |
| test.go:278:21:278:53 | call to SliceChunk | test.go:278:21:278:92 | selection of Filename |
| test.go:278:38:278:49 | genericFiles | test.go:278:21:278:53 | call to SliceChunk |
| test.go:279:21:279:60 | call to SliceDiff | test.go:279:21:279:96 | selection of Filename |
@@ -177,6 +178,7 @@ nodes
| test.go:264:62:264:83 | call to GetCookie | semmle.label | call to GetCookie |
| test.go:269:2:269:40 | ... := ...[0] | semmle.label | ... := ...[0] |
| test.go:277:21:277:61 | call to GetDisplayString | semmle.label | call to GetDisplayString |
| test.go:277:44:277:60 | selection of Filename | semmle.label | selection of Filename |
| test.go:278:21:278:53 | call to SliceChunk | semmle.label | call to SliceChunk |
| test.go:278:21:278:92 | selection of Filename | semmle.label | selection of Filename |
| test.go:278:38:278:49 | genericFiles | semmle.label | genericFiles |
Original file line number Diff line number Diff line change
@@ -1,13 +1,15 @@
edges
| TaintedPath.go:13:18:13:22 | selection of URL | TaintedPath.go:13:18:13:30 | call to Query |
| TaintedPath.go:13:18:13:30 | call to Query | TaintedPath.go:16:29:16:40 | tainted_path |
| TaintedPath.go:13:18:13:30 | call to Query | TaintedPath.go:20:28:20:69 | call to Join |
| TaintedPath.go:13:18:13:30 | call to Query | TaintedPath.go:20:57:20:68 | tainted_path |
| TaintedPath.go:20:57:20:68 | tainted_path | TaintedPath.go:20:28:20:69 | call to Join |
| tst.go:14:2:14:39 | ... := ...[1] | tst.go:17:41:17:56 | selection of Filename |
nodes
| TaintedPath.go:13:18:13:22 | selection of URL | semmle.label | selection of URL |
| TaintedPath.go:13:18:13:30 | call to Query | semmle.label | call to Query |
| TaintedPath.go:16:29:16:40 | tainted_path | semmle.label | tainted_path |
| TaintedPath.go:20:28:20:69 | call to Join | semmle.label | call to Join |
| TaintedPath.go:20:57:20:68 | tainted_path | semmle.label | tainted_path |
| tst.go:14:2:14:39 | ... := ...[1] | semmle.label | ... := ...[1] |
| tst.go:17:41:17:56 | selection of Filename | semmle.label | selection of Filename |
subpaths
4 changes: 3 additions & 1 deletion go/ql/test/query-tests/Security/CWE-022/ZipSlip.expected
@@ -1,5 +1,6 @@
edges
| UnsafeUnzipSymlinkGood.go:52:24:52:32 | definition of candidate | UnsafeUnzipSymlinkGood.go:61:31:61:62 | call to Join |
| UnsafeUnzipSymlinkGood.go:52:24:52:32 | definition of candidate | UnsafeUnzipSymlinkGood.go:61:53:61:61 | candidate |
| UnsafeUnzipSymlinkGood.go:61:53:61:61 | candidate | UnsafeUnzipSymlinkGood.go:61:31:61:62 | call to Join |
| UnsafeUnzipSymlinkGood.go:72:3:72:25 | ... := ...[0] | UnsafeUnzipSymlinkGood.go:76:24:76:38 | selection of Linkname |
| UnsafeUnzipSymlinkGood.go:72:3:72:25 | ... := ...[0] | UnsafeUnzipSymlinkGood.go:76:70:76:80 | selection of Name |
| UnsafeUnzipSymlinkGood.go:76:24:76:38 | selection of Linkname | UnsafeUnzipSymlinkGood.go:52:24:52:32 | definition of candidate |
@@ -13,6 +14,7 @@ edges
nodes
| UnsafeUnzipSymlinkGood.go:52:24:52:32 | definition of candidate | semmle.label | definition of candidate |
| UnsafeUnzipSymlinkGood.go:61:31:61:62 | call to Join | semmle.label | call to Join |
| UnsafeUnzipSymlinkGood.go:61:53:61:61 | candidate | semmle.label | candidate |
| UnsafeUnzipSymlinkGood.go:72:3:72:25 | ... := ...[0] | semmle.label | ... := ...[0] |
| UnsafeUnzipSymlinkGood.go:76:24:76:38 | selection of Linkname | semmle.label | selection of Linkname |
| UnsafeUnzipSymlinkGood.go:76:70:76:80 | selection of Name | semmle.label | selection of Name |