Merge pull request #18454 from owen-mc/go/mad/encoding-and-weak

owen-mc · web-flow · commit 19fcf3c554d2 · 2025-02-12T11:25:13.000Z
Go: Add models for standard library updates in Go 1.24
diff --git a/go/ql/lib/change-notes/2025-01-09-model-stdlib-1.24.md b/go/ql/lib/change-notes/2025-01-09-model-stdlib-1.24.md
@@ -0,0 +1,5 @@
+---
+category: minorAnalysis
+---
+* Taint models have been added for the `weak` package, which was added in Go 1.24.
+* Taint models have been added for the interfaces `TextAppender` and `BinaryAppender` in the `encoding` package, which were added in Go 1.24.
diff --git a/go/ql/lib/ext/encoding.model.yml b/go/ql/lib/ext/encoding.model.yml
@@ -3,7 +3,11 @@ extensions:
       pack: codeql/go-all
       extensible: summaryModel
     data:
+      - ["encoding", "BinaryAppender", True, "AppendBinary", "", "", "Argument[receiver]", "ReturnValue[0]", "taint", "manual"]
+      - ["encoding", "BinaryAppender", True, "AppendBinary", "", "", "Argument[0]", "ReturnValue[0]", "taint", "manual"]
       - ["encoding", "BinaryMarshaler", True, "MarshalBinary", "", "", "Argument[receiver]", "ReturnValue[0]", "taint", "manual"]
       - ["encoding", "BinaryUnmarshaler", True, "UnmarshalBinary", "", "", "Argument[0]", "Argument[receiver]", "taint", "manual"]
+      - ["encoding", "TextAppender", True, "AppendText", "", "", "Argument[receiver]", "ReturnValue[0]", "taint", "manual"]
+      - ["encoding", "TextAppender", True, "AppendText", "", "", "Argument[0]", "ReturnValue[0]", "taint", "manual"]
       - ["encoding", "TextMarshaler", True, "MarshalText", "", "", "Argument[receiver]", "ReturnValue[0]", "taint", "manual"]
       - ["encoding", "TextUnmarshaler", True, "UnmarshalText", "", "", "Argument[0]", "Argument[receiver]", "taint", "manual"]
diff --git a/go/ql/lib/ext/weak.model.yml b/go/ql/lib/ext/weak.model.yml
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: summaryModel
+    data:
+      - ["weak", "", False, "Make", "", "", "Argument[0]", "ReturnValue[0]", "taint", "manual"]
+      - ["weak", "Pointer", False, "Value", "", "", "Argument[receiver]", "ReturnValue[0]", "taint", "manual"]
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/BeegoOrm/StoredXss.expected b/go/ql/test/library-tests/semmle/go/frameworks/BeegoOrm/StoredXss.expected
@@ -1,8 +1,36 @@
+#select
+| test.go:81:13:81:29 | type conversion | test.go:80:13:80:16 | &... | test.go:81:13:81:29 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:80:13:80:16 | &... | stored value |
+| test.go:82:13:82:43 | type conversion | test.go:80:13:80:16 | &... | test.go:82:13:82:43 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:80:13:80:16 | &... | stored value |
+| test.go:86:13:86:30 | type conversion | test.go:85:22:85:26 | &... | test.go:86:13:86:30 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:85:22:85:26 | &... | stored value |
+| test.go:90:13:90:30 | type conversion | test.go:89:21:89:25 | &... | test.go:90:13:90:30 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:89:21:89:25 | &... | stored value |
+| test.go:95:13:95:37 | type conversion | test.go:95:20:95:36 | call to Value | test.go:95:13:95:37 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:95:20:95:36 | call to Value | stored value |
+| test.go:96:13:96:49 | type conversion | test.go:96:20:96:39 | call to RawValue | test.go:96:13:96:49 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:96:20:96:39 | call to RawValue | stored value |
+| test.go:97:13:97:38 | type conversion | test.go:97:20:97:37 | call to String | test.go:97:13:97:38 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:97:20:97:37 | call to String | stored value |
+| test.go:98:13:98:37 | type conversion | test.go:98:20:98:36 | call to Value | test.go:98:13:98:37 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:98:20:98:36 | call to Value | stored value |
+| test.go:99:13:99:49 | type conversion | test.go:99:20:99:39 | call to RawValue | test.go:99:13:99:49 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:99:20:99:39 | call to RawValue | stored value |
+| test.go:100:13:100:38 | type conversion | test.go:100:20:100:37 | call to String | test.go:100:13:100:38 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:100:20:100:37 | call to String | stored value |
+| test.go:101:13:101:38 | type conversion | test.go:101:20:101:37 | call to Value | test.go:101:13:101:38 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:101:20:101:37 | call to Value | stored value |
+| test.go:102:13:102:50 | type conversion | test.go:102:20:102:40 | call to RawValue | test.go:102:13:102:50 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:102:20:102:40 | call to RawValue | stored value |
+| test.go:103:13:103:39 | type conversion | test.go:103:20:103:38 | call to String | test.go:103:13:103:39 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:103:20:103:38 | call to String | stored value |
+| test.go:110:13:110:33 | type conversion | test.go:109:9:109:13 | &... | test.go:110:13:110:33 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:109:9:109:13 | &... | stored value |
+| test.go:114:13:114:29 | type conversion | test.go:113:9:113:12 | &... | test.go:114:13:114:29 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:113:9:113:12 | &... | stored value |
+| test.go:118:13:118:48 | type conversion | test.go:117:12:117:19 | &... | test.go:118:13:118:48 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:117:12:117:19 | &... | stored value |
+| test.go:122:13:122:43 | type conversion | test.go:121:16:121:24 | &... | test.go:122:13:122:43 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:121:16:121:24 | &... | stored value |
+| test.go:126:13:126:39 | type conversion | test.go:125:16:125:23 | &... | test.go:126:13:126:39 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:125:16:125:23 | &... | stored value |
+| test.go:130:13:130:47 | type conversion | test.go:129:15:129:24 | &... | test.go:130:13:130:47 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:129:15:129:24 | &... | stored value |
+| test.go:134:13:134:38 | type conversion | test.go:133:18:133:30 | &... | test.go:134:13:134:38 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:133:18:133:30 | &... | stored value |
+| test.go:141:13:141:48 | type conversion | test.go:140:12:140:19 | &... | test.go:141:13:141:48 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:140:12:140:19 | &... | stored value |
+| test.go:145:13:145:43 | type conversion | test.go:144:16:144:24 | &... | test.go:145:13:145:43 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:144:16:144:24 | &... | stored value |
+| test.go:149:13:149:39 | type conversion | test.go:148:16:148:23 | &... | test.go:149:13:149:39 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:148:16:148:23 | &... | stored value |
+| test.go:153:13:153:47 | type conversion | test.go:152:15:152:24 | &... | test.go:153:13:153:47 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:152:15:152:24 | &... | stored value |
+| test.go:157:13:157:38 | type conversion | test.go:156:18:156:30 | &... | test.go:157:13:157:38 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:156:18:156:30 | &... | stored value |
+| test.go:161:13:161:28 | type conversion | test.go:160:14:160:22 | &... | test.go:161:13:161:28 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:160:14:160:22 | &... | stored value |
+| test.go:165:13:165:32 | type conversion | test.go:164:15:164:24 | &... | test.go:165:13:165:32 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:164:15:164:24 | &... | stored value |
 edges
-| test.go:80:13:80:16 | &... | test.go:81:13:81:29 | type conversion | provenance | Src:MaD:339  |
-| test.go:80:13:80:16 | &... | test.go:82:13:82:43 | type conversion | provenance | Src:MaD:339  |
-| test.go:85:22:85:26 | &... | test.go:86:13:86:30 | type conversion | provenance | Src:MaD:340  |
-| test.go:89:21:89:25 | &... | test.go:90:13:90:30 | type conversion | provenance | Src:MaD:341  |
+| test.go:80:13:80:16 | &... | test.go:81:13:81:29 | type conversion | provenance | Src:MaD:1  |
+| test.go:80:13:80:16 | &... | test.go:82:13:82:43 | type conversion | provenance | Src:MaD:1  |
+| test.go:85:22:85:26 | &... | test.go:86:13:86:30 | type conversion | provenance | Src:MaD:2  |
+| test.go:89:21:89:25 | &... | test.go:90:13:90:30 | type conversion | provenance | Src:MaD:3  |
 | test.go:95:20:95:36 | call to Value | test.go:95:13:95:37 | type conversion | provenance |  |
 | test.go:96:20:96:39 | call to RawValue | test.go:96:13:96:49 | type conversion | provenance |  |
 | test.go:97:20:97:37 | call to String | test.go:97:13:97:38 | type conversion | provenance |  |
@@ -26,6 +54,10 @@ edges
 | test.go:156:18:156:30 | &... | test.go:157:13:157:38 | type conversion | provenance |  |
 | test.go:160:14:160:22 | &... | test.go:161:13:161:28 | type conversion | provenance |  |
 | test.go:164:15:164:24 | &... | test.go:165:13:165:32 | type conversion | provenance |  |
+models
+| 1 | Source: group:beego-orm; Ormer; true; Read; ; ; Argument[0]; database; manual |
+| 2 | Source: group:beego-orm; Ormer; true; ReadForUpdate; ; ; Argument[0]; database; manual |
+| 3 | Source: group:beego-orm; Ormer; true; ReadOrCreate; ; ; Argument[0]; database; manual |
 nodes
 | test.go:80:13:80:16 | &... | semmle.label | &... |
 | test.go:81:13:81:29 | type conversion | semmle.label | type conversion |
@@ -81,31 +113,3 @@ nodes
 | test.go:164:15:164:24 | &... | semmle.label | &... |
 | test.go:165:13:165:32 | type conversion | semmle.label | type conversion |
 subpaths
-#select
-| test.go:81:13:81:29 | type conversion | test.go:80:13:80:16 | &... | test.go:81:13:81:29 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:80:13:80:16 | &... | stored value |
-| test.go:82:13:82:43 | type conversion | test.go:80:13:80:16 | &... | test.go:82:13:82:43 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:80:13:80:16 | &... | stored value |
-| test.go:86:13:86:30 | type conversion | test.go:85:22:85:26 | &... | test.go:86:13:86:30 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:85:22:85:26 | &... | stored value |
-| test.go:90:13:90:30 | type conversion | test.go:89:21:89:25 | &... | test.go:90:13:90:30 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:89:21:89:25 | &... | stored value |
-| test.go:95:13:95:37 | type conversion | test.go:95:20:95:36 | call to Value | test.go:95:13:95:37 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:95:20:95:36 | call to Value | stored value |
-| test.go:96:13:96:49 | type conversion | test.go:96:20:96:39 | call to RawValue | test.go:96:13:96:49 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:96:20:96:39 | call to RawValue | stored value |
-| test.go:97:13:97:38 | type conversion | test.go:97:20:97:37 | call to String | test.go:97:13:97:38 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:97:20:97:37 | call to String | stored value |
-| test.go:98:13:98:37 | type conversion | test.go:98:20:98:36 | call to Value | test.go:98:13:98:37 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:98:20:98:36 | call to Value | stored value |
-| test.go:99:13:99:49 | type conversion | test.go:99:20:99:39 | call to RawValue | test.go:99:13:99:49 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:99:20:99:39 | call to RawValue | stored value |
-| test.go:100:13:100:38 | type conversion | test.go:100:20:100:37 | call to String | test.go:100:13:100:38 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:100:20:100:37 | call to String | stored value |
-| test.go:101:13:101:38 | type conversion | test.go:101:20:101:37 | call to Value | test.go:101:13:101:38 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:101:20:101:37 | call to Value | stored value |
-| test.go:102:13:102:50 | type conversion | test.go:102:20:102:40 | call to RawValue | test.go:102:13:102:50 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:102:20:102:40 | call to RawValue | stored value |
-| test.go:103:13:103:39 | type conversion | test.go:103:20:103:38 | call to String | test.go:103:13:103:39 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:103:20:103:38 | call to String | stored value |
-| test.go:110:13:110:33 | type conversion | test.go:109:9:109:13 | &... | test.go:110:13:110:33 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:109:9:109:13 | &... | stored value |
-| test.go:114:13:114:29 | type conversion | test.go:113:9:113:12 | &... | test.go:114:13:114:29 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:113:9:113:12 | &... | stored value |
-| test.go:118:13:118:48 | type conversion | test.go:117:12:117:19 | &... | test.go:118:13:118:48 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:117:12:117:19 | &... | stored value |
-| test.go:122:13:122:43 | type conversion | test.go:121:16:121:24 | &... | test.go:122:13:122:43 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:121:16:121:24 | &... | stored value |
-| test.go:126:13:126:39 | type conversion | test.go:125:16:125:23 | &... | test.go:126:13:126:39 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:125:16:125:23 | &... | stored value |
-| test.go:130:13:130:47 | type conversion | test.go:129:15:129:24 | &... | test.go:130:13:130:47 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:129:15:129:24 | &... | stored value |
-| test.go:134:13:134:38 | type conversion | test.go:133:18:133:30 | &... | test.go:134:13:134:38 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:133:18:133:30 | &... | stored value |
-| test.go:141:13:141:48 | type conversion | test.go:140:12:140:19 | &... | test.go:141:13:141:48 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:140:12:140:19 | &... | stored value |
-| test.go:145:13:145:43 | type conversion | test.go:144:16:144:24 | &... | test.go:145:13:145:43 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:144:16:144:24 | &... | stored value |
-| test.go:149:13:149:39 | type conversion | test.go:148:16:148:23 | &... | test.go:149:13:149:39 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:148:16:148:23 | &... | stored value |
-| test.go:153:13:153:47 | type conversion | test.go:152:15:152:24 | &... | test.go:153:13:153:47 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:152:15:152:24 | &... | stored value |
-| test.go:157:13:157:38 | type conversion | test.go:156:18:156:30 | &... | test.go:157:13:157:38 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:156:18:156:30 | &... | stored value |
-| test.go:161:13:161:28 | type conversion | test.go:160:14:160:22 | &... | test.go:161:13:161:28 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:160:14:160:22 | &... | stored value |
-| test.go:165:13:165:32 | type conversion | test.go:164:15:164:24 | &... | test.go:165:13:165:32 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:164:15:164:24 | &... | stored value |
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/BeegoOrm/StoredXss.qlref b/go/ql/test/library-tests/semmle/go/frameworks/BeegoOrm/StoredXss.qlref
@@ -1 +1,2 @@
-Security/CWE-079/StoredXss.ql
+query: Security/CWE-079/StoredXss.ql
+postprocess: utils/test/PrettyPrintModels.ql
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Encoding.go b/go/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Encoding.go
@@ -1,5 +1,3 @@
-// Code generated by https://github.com/gagliardetto/codebox. DO NOT EDIT.
-
 package main
 
 import "encoding"
@@ -30,6 +28,34 @@ func TaintStepTest_EncodingTextUnmarshalerUnmarshalText_B0I0O0(sourceCQL interfa
 	return intoTextUnmarshaler443
 }
 
+func TaintStepTest_EncodingBinaryAppenderAppendBinary_manual1(sourceCQL interface{}) interface{} {
+	fromBinaryAppender := sourceCQL.(encoding.BinaryAppender)
+	var arg0 []byte
+	intoByte, _ := fromBinaryAppender.AppendBinary(arg0)
+	return intoByte
+}
+
+func TaintStepTest_EncodingBinaryAppenderAppendBinary_manual2(sourceCQL interface{}) interface{} {
+	var recv encoding.BinaryAppender
+	fromByteSlice := sourceCQL.([]byte)
+	intoByte, _ := recv.AppendBinary(fromByteSlice)
+	return intoByte
+}
+
+func TaintStepTest_EncodingTextAppenderAppendText_manual1(sourceCQL interface{}) interface{} {
+	fromTextAppender := sourceCQL.(encoding.TextAppender)
+	var arg0 []byte
+	intoByte, _ := fromTextAppender.AppendText(arg0)
+	return intoByte
+}
+
+func TaintStepTest_EncodingTextAppenderAppendText_manual2(sourceCQL interface{}) interface{} {
+	var recv encoding.TextAppender
+	fromByteSlice := sourceCQL.([]byte)
+	intoByte, _ := recv.AppendText(fromByteSlice)
+	return intoByte
+}
+
 func RunAllTaints_Encoding() {
 	{
 		source := newSource(0)
@@ -51,4 +77,24 @@ func RunAllTaints_Encoding() {
 		out := TaintStepTest_EncodingTextUnmarshalerUnmarshalText_B0I0O0(source)
 		sink(3, out)
 	}
+	{
+		source := newSource(4)
+		out := TaintStepTest_EncodingBinaryAppenderAppendBinary_manual1(source)
+		sink(4, out)
+	}
+	{
+		source := newSource(5)
+		out := TaintStepTest_EncodingBinaryAppenderAppendBinary_manual2(source)
+		sink(5, out)
+	}
+	{
+		source := newSource(6)
+		out := TaintStepTest_EncodingTextAppenderAppendText_manual1(source)
+		sink(6, out)
+	}
+	{
+		source := newSource(7)
+		out := TaintStepTest_EncodingTextAppenderAppendText_manual2(source)
+		sink(7, out)
+	}
 }
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Weak.go b/go/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Weak.go
@@ -0,0 +1,27 @@
+package main
+
+import "weak"
+
+func TaintStepTest_WeakMake_manual(sourceCQL interface{}) interface{} {
+	fromStringPointer := sourceCQL.(*string)
+	intoWeakPointer := weak.Make(fromStringPointer)
+	return intoWeakPointer
+}
+func TaintStepTest_WeakValue_manual(sourceCQL interface{}) interface{} {
+	fromWeakPointer := sourceCQL.(weak.Pointer[string])
+	intoStringPointer := fromWeakPointer.Value()
+	return intoStringPointer
+}
+
+func RunAllTaints_Weak() {
+	{
+		source := newSource(0)
+		out := TaintStepTest_WeakMake_manual(source)
+		sink(0, out)
+	}
+	{
+		source := newSource(1)
+		out := TaintStepTest_WeakValue_manual(source)
+		sink(1, out)
+	}
+}
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/go.mod b/go/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/go.mod
@@ -1,6 +1,6 @@
 module example.com/m
 
-go 1.23
+go 1.24
 
 require (
 	golang.org/x/net v0.0.0-20201010224723-4f7140c49acb

Original file line number	Diff line number	Diff line change
`@@ -1 +1,2 @@`
`1`		`-Security/CWE-079/StoredXss.ql`
	`1`	`+query: Security/CWE-079/StoredXss.ql`
	`2`	`+postprocess: utils/test/PrettyPrintModels.ql`