diff --git a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-go.rst b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-go.rst new file mode 100644 index 000000000000..75796d3a1ee6 --- /dev/null +++ b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-go.rst @@ -0,0 +1,369 @@ +.. _analyzing-data-flow-in-go: + +Analyzing data flow in Go +========================= + +You can use CodeQL to track the flow of data through a Go program to its use. + +About this article +------------------ + +This article describes how data flow analysis is implemented in the CodeQL libraries for Go and includes examples to help you write your own data flow queries. +The following sections describe how to use the libraries for local data flow, global data flow, and taint tracking. + +For a more general introduction to modeling data flow, see ":ref:`About data flow analysis `." + +.. include:: ../reusables/new-data-flow-api.rst + +Local data flow +--------------- + +Local data flow is data flow within a single method or callable. Local data flow is usually easier, faster, and more precise than global data flow, and is sufficient for many queries. + +Using local data flow +~~~~~~~~~~~~~~~~~~~~~ + +The ``DataFlow`` module defines the class ``Node`` denoting any element that data can flow through. +The ``Node`` class has a number of useful subclasses, such as ``ExprNode`` for expressions, ``ParameterNode`` for parameters, and ``InstructionNode`` for control-flow nodes. +You can map between data flow nodes and expressions/control-flow nodes/parameters using the member predicates ``asExpr``, ``asParameter`` and ``asInstruction``: + +.. code-block:: ql + + class Node { + /** Gets the expression corresponding to this node, if any. */ + Expr asExpr() { ... } + + /** Gets the parameter corresponding to this node, if any. */ + Parameter asParameter() { ... } + + /** Gets the IR instruction corresponding to this node, if any. */ + IR::Instruction asInstruction() { ... } + + ... + } + +or using the predicates ``exprNode``, ``parameterNode`` and ``instructionNode``: + +.. code-block:: ql + + /** + * Gets the `Node` corresponding to `e`. + */ + ExprNode exprNode(Expr e) { ... } + + /** + * Gets the `Node` corresponding to the value of `p` at function entry. + */ + ParameterNode parameterNode(Parameter p) { ... } + + /** + * Gets the `Node` corresponding to `insn`. + */ + InstructionNode instructionNode(IR::Instruction insn) { ... } + +The predicate ``localFlowStep(Node nodeFrom, Node nodeTo)`` holds if there is an immediate data flow edge from the node ``nodeFrom`` to the node ``nodeTo``. You can apply the predicate recursively by using the ``+`` and ``*`` operators, or by using the predefined recursive predicate ``localFlow``, which is equivalent to ``localFlowStep*``. + +For example, you can find flow from a parameter ``source`` to an expression ``sink`` in zero or more local steps: + +.. code-block:: ql + + DataFlow::localFlow(DataFlow::parameterNode(source), DataFlow::exprNode(sink)) + +Using local taint tracking +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Local taint tracking extends local data flow by including non-value-preserving flow steps. For example: + +.. code-block:: go + + temp := x; + y := temp + ", " + temp; + +If ``x`` is a tainted string then ``y`` is also tainted. + + +The local taint tracking library is in the module ``TaintTracking``. Like local data flow, a predicate ``localTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo)`` holds if there is an immediate taint propagation edge from the node ``nodeFrom`` to the node ``nodeTo``. You can apply the predicate recursively by using the ``+`` and ``*`` operators, or by using the predefined recursive predicate ``localTaint``, which is equivalent to ``localTaintStep*``. + +For example, you can find taint propagation from a parameter ``source`` to an expression ``sink`` in zero or more local steps: + +.. code-block:: ql + + TaintTracking::localTaint(DataFlow::parameterNode(source), DataFlow::exprNode(sink)) + +Examples +~~~~~~~~ + +This query finds the filename passed to ``os.Open(..)``. + +.. code-block:: ql + + import go + + from Function osOpen, CallExpr call + where + osOpen.hasQualifiedName("os", "Open") and + call.getTarget() = osOpen + select call.getArgument(0) + +Unfortunately, this only gives the expression in the argument, not the values which could be passed to it. So we use local data flow to find all expressions that flow into the argument: + +.. code-block:: ql + + import go + + from Function osOpen, CallExpr call, Expr src + where + osOpen.hasQualifiedName("os", "Open") and + call.getTarget() = osOpen and + DataFlow::localFlow(DataFlow::exprNode(src), DataFlow::exprNode(call.getArgument(0))) + select src + +Then we can make the source more specific, for example an access to a parameter. This query finds where a public parameter is passed to ``os.Open(..)``: + +.. code-block:: ql + + import go + + from Function osOpen, CallExpr call, Parameter p + where + osOpen.hasQualifiedName("os", "Open") and + call.getTarget() = osOpen and + DataFlow::localFlow(DataFlow::parameterNode(p), DataFlow::exprNode(call.getArgument(0))) + select p + +This query finds calls to formatting functions where the format string is not hard-coded. + +.. code-block:: ql + + import go + + from StringOps::Formatting::Range format, CallExpr call, Expr formatString + where + call.getTarget() = format and + formatString = call.getArgument(format.getFormatStringIndex()) and + not exists(DataFlow::Node source, DataFlow::Node sink | + DataFlow::localFlow(source, sink) and + source.asExpr() instanceof StringLit and + sink.asExpr() = formatString + ) + select call, "Argument to String format method isn't hard-coded." + +Exercises +~~~~~~~~~ + +Exercise 1: Write a query that finds all hard-coded strings used to create a ``url.URL``, using local data flow. (`Answer <#exercise-1>`__) + +Global data flow +---------------- + +Global data flow tracks data flow throughout the entire program, and is therefore more powerful than local data flow. However, global data flow is less precise than local data flow, and the analysis typically requires significantly more time and memory to perform. + +.. pull-quote:: Note + + .. include:: ../reusables/path-problem.rst + +Using global data flow +~~~~~~~~~~~~~~~~~~~~~~ + +The global data flow library is used by implementing the signature ``DataFlow::ConfigSig`` and applying the module ``DataFlow::Global``: + +.. code-block:: ql + + import go + + module MyFlowConfiguration implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { + ... + } + + predicate isSink(DataFlow::Node sink) { + ... + } + } + + module MyFlow = DataFlow::Global; + +These predicates are defined in the configuration: + +- ``isSource`` - defines where data may flow from. +- ``isSink`` - defines where data may flow to. +- ``isBarrier`` - optional, restricts the data flow. +- ``isAdditionalFlowStep`` - optional, adds additional flow steps. + +The data flow analysis is performed using the predicate ``flow(DataFlow::Node source, DataFlow::Node sink)``: + +.. code-block:: ql + + from DataFlow::Node source, DataFlow::Node sink + where MyFlow::flow(source, sink) + select source, "Data flow to $@.", sink, sink.toString() + +Using global taint tracking +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Global taint tracking is to global data flow what local taint tracking is to local data flow. That is, global taint tracking extends global data flow with additional non-value-preserving steps. The global taint tracking library is used by applying the module ``TaintTracking::Global`` to your configuration instead of ``DataFlow::Global``: + +.. code-block:: ql + + import go + + module MyFlowConfiguration implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { + ... + } + + predicate isSink(DataFlow::Node sink) { + ... + } + } + + module MyFlow = TaintTracking::Global; + +The resulting module has an identical signature to the one obtained from ``DataFlow::Global``. + +Flow sources +~~~~~~~~~~~~ + +The data flow library contains some predefined flow sources. The class ``RemoteFlowSource`` (defined in ``semmle.code.java.dataflow.FlowSources``) represents data flow sources that may be controlled by a remote user, which is useful for finding security problems. + +Examples +~~~~~~~~ + +This query shows a taint-tracking configuration that uses remote user input as data sources. + +.. code-block:: ql + + import go + + module MyFlowConfiguration implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { + source instanceof RemoteFlowSource + } + + ... + } + + module MyTaintFlow = TaintTracking::Global; + +Exercises +~~~~~~~~~ + +Exercise 2: Write a query that finds all hard-coded strings used to create a ``url.URL``, using global data flow. (`Answer <#exercise-2>`__) + +Exercise 3: Write a class that represents flow sources from ``os.Getenv(..)``. (`Answer <#exercise-3>`__) + +Exercise 4: Using the answers from 2 and 3, write a query which finds all global data flows from ``os.Getenv`` to ``url.URL``. (`Answer <#exercise-4>`__) + +Answers +------- + +Exercise 1 +~~~~~~~~~~ + +.. code-block:: ql + + import go + + from Function urlParse, Expr arg, StringLit rawURL, CallExpr call + where + ( + urlParse.hasQualifiedName("url", "Parse") or + urlParse.hasQualifiedName("url", "ParseRequestURI") + ) and + call.getTarget() = urlParse and + arg = call.getArgument(0) and + DataFlow::localFlow(DataFlow::exprNode(rawURL), DataFlow::exprNode(arg)) + select call.getArgument(0) + +Exercise 2 +~~~~~~~~~~ + +.. code-block:: ql + + import go + + module LiteralToURLConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { + source.asExpr() instanceof StringLit + } + + predicate isSink(DataFlow::Node sink) { + exists(Function urlParse, CallExpr call | + ( + urlParse.hasQualifiedName("url", "Parse") or + urlParse.hasQualifiedName("url", "ParseRequestURI") + ) and + call.getTarget() = urlParse and + sink.asExpr() = call.getArgument(0) + ) + } + } + + module LiteralToURLFlow = DataFlow::Global; + + from DataFlow::Node src, DataFlow::Node sink + where LiteralToURLFlow::flow(src, sink) + select src, "This string constructs a URL $@.", sink, "here" + +Exercise 3 +~~~~~~~~~~ + +.. code-block:: ql + + import go + + class GetenvSource extends CallExpr { + GetenvSource() { + exists(Function m | m = this.getTarget() | + m.hasQualifiedName("os", "Getenv") + ) + } + } + +Exercise 4 +~~~~~~~~~~ + +.. code-block:: ql + + import go + + class GetenvSource extends CallExpr { + GetenvSource() { + exists(Function m | m = this.getTarget() | + m.hasQualifiedName("os", "Getenv") + ) + } + } + + module GetenvToURLConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { + source instanceof GetenvSource + } + + predicate isSink(DataFlow::Node sink) { + exists(Function urlParse, CallExpr call | + ( + urlParse.hasQualifiedName("url", "Parse") or + urlParse.hasQualifiedName("url", "ParseRequestURI") + ) and + call.getTarget() = urlParse and + sink.asExpr() = call.getArgument(0) + ) + } + } + } + + module GetenvToURLFlow = DataFlow::Global; + + from DataFlow::Node src, DataFlow::Node sink + where GetenvToURLFlow::flow(src, sink) + select src, "This environment variable constructs a URL $@.", sink, "here" + +Further reading +--------------- + +- `Exploring data flow with path queries `__ in the GitHub documentation. + + +.. include:: ../reusables/go-further-reading.rst +.. include:: ../reusables/codeql-ref-tools-further-reading.rst diff --git a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-java.rst b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-java.rst index 0c6453d89936..f26b1abc86ea 100644 --- a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-java.rst +++ b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-java.rst @@ -145,7 +145,7 @@ This query finds calls to formatting functions where the format string is not ha import semmle.code.java.dataflow.DataFlow import semmle.code.java.StringFormat - from StringFormatMethod format, MethodAccess call, Expr formatString + from StringFormatMethod format, MethodCall call, Expr formatString where call.getMethod() = format and call.getArgument(format.getFormatStringIndex()) = formatString and @@ -177,6 +177,7 @@ You use the global data flow library by implementing the signature ``DataFlow::C .. code-block:: ql + import java import semmle.code.java.dataflow.DataFlow module MyFlowConfiguration implements DataFlow::ConfigSig { @@ -193,10 +194,10 @@ You use the global data flow library by implementing the signature ``DataFlow::C These predicates are defined in the configuration: -- ``isSource``—defines where data may flow from -- ``isSink``—defines where data may flow to -- ``isBarrier``—optional, restricts the data flow -- ``isAdditionalFlowStep``—optional, adds additional flow steps +- ``isSource`` - defines where data may flow from. +- ``isSink`` - defines where data may flow to. +- ``isBarrier`` - optional, restricts the data flow. +- ``isAdditionalFlowStep`` - optional, adds additional flow steps. The data flow analysis is performed using the predicate ``flow(DataFlow::Node source, DataFlow::Node sink)``: @@ -209,10 +210,11 @@ The data flow analysis is performed using the predicate ``flow(DataFlow::Node so Using global taint tracking ~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Global taint tracking is to global data flow as local taint tracking is to local data flow. That is, global taint tracking extends global data flow with additional non-value-preserving steps. You use the global taint tracking library by applying the module ``TaintTracking::Global`` to your configuration instead of ``DataFlow::Global``: +Global taint tracking is to global data flow what local taint tracking is to local data flow. That is, global taint tracking extends global data flow with additional non-value-preserving steps. You use the global taint tracking library by applying the module ``TaintTracking::Global`` to your configuration instead of ``DataFlow::Global``: .. code-block:: ql + import java import semmle.code.java.dataflow.TaintTracking module MyFlowConfiguration implements DataFlow::ConfigSig { @@ -271,6 +273,7 @@ Exercise 1 .. code-block:: ql + import java import semmle.code.java.dataflow.DataFlow from Constructor url, Call call, StringLiteral src @@ -285,6 +288,7 @@ Exercise 2 .. code-block:: ql + import java import semmle.code.java.dataflow.DataFlow module LiteralToURLConfig implements DataFlow::ConfigSig { @@ -313,7 +317,7 @@ Exercise 3 import java - class GetenvSource extends MethodAccess { + class GetenvSource extends MethodCall { GetenvSource() { exists(Method m | m = this.getMethod() | m.hasName("getenv") and @@ -327,11 +331,12 @@ Exercise 4 .. code-block:: ql + import java import semmle.code.java.dataflow.DataFlow class GetenvSource extends DataFlow::ExprNode { GetenvSource() { - exists(Method m | m = this.asExpr().(MethodAccess).getMethod() | + exists(Method m | m = this.asExpr().(MethodCall).getMethod() | m.hasName("getenv") and m.getDeclaringType() instanceof TypeSystem ) diff --git a/docs/codeql/codeql-language-guides/codeql-for-go.rst b/docs/codeql/codeql-language-guides/codeql-for-go.rst index 30799c146a8e..96d3697c8267 100644 --- a/docs/codeql/codeql-language-guides/codeql-for-go.rst +++ b/docs/codeql/codeql-language-guides/codeql-for-go.rst @@ -11,7 +11,7 @@ Experiment and learn how to write effective and efficient queries for CodeQL dat basic-query-for-go-code codeql-library-for-go abstract-syntax-tree-classes-for-working-with-go-programs - modeling-data-flow-in-go-libraries + analyzing-data-flow-in-go customizing-library-models-for-go - :doc:`Basic query for Go code `: Learn to write and run a simple CodeQL query. @@ -22,7 +22,6 @@ Experiment and learn how to write effective and efficient queries for CodeQL dat - :doc:`Abstract syntax tree classes for working with Go programs `: CodeQL has a large selection of classes for representing the abstract syntax tree of Go programs. -- :doc:`Modeling data flow in Go libraries `: When analyzing a Go program, CodeQL does not examine the source code for external packages. - To track the flow of untrusted data through a library, you can create a model of the library. +- :doc:`Analyzing data flow in Go `: You can use CodeQL to track the flow of data through a Go program to its use. - :doc:`Customizing library models for Go `: You can model frameworks and libraries that your codebase depends on using data extensions and publish them as CodeQL model packs. diff --git a/docs/codeql/codeql-language-guides/modeling-data-flow-in-go-libraries.rst b/docs/codeql/codeql-language-guides/modeling-data-flow-in-go-libraries.rst deleted file mode 100644 index deaed7cf3af2..000000000000 --- a/docs/codeql/codeql-language-guides/modeling-data-flow-in-go-libraries.rst +++ /dev/null @@ -1,124 +0,0 @@ -.. _modeling-data-flow-in-go-libraries: - -Modeling data flow in Go libraries -================================== - -When analyzing a Go program, CodeQL does not examine the source code for -external packages. To track the flow of untrusted data through a library, you -can create a model of the library. - -You can find existing models in the ``go/ql/lib/semmle/go/frameworks/`` folder of the -`CodeQL repository `__. -To add a new model, you should make a new file in that folder, named after the library. - -Sources -------- - -To mark a source of data that is controlled by an untrusted user, we -create a class extending ``RemoteFlowSource::Range``. Inheritance and -the characteristic predicate of the class should be used to specify -exactly the dataflow node that introduces the data. Here is a short -example from ``Mux.qll``. - -.. code-block:: ql - - class RequestVars extends DataFlow::RemoteFlowSource::Range, DataFlow::CallNode { - RequestVars() { this.getTarget().hasQualifiedName("github.com/gorilla/mux", "Vars") } - } - -This has the effect that all calls to `the function Vars from the -package mux `__ are -treated as sources of untrusted data. - -Flow propagation ----------------- - -By default, we assume that all functions in libraries do not have -any data flow. To indicate that a particular function does have data flow, -create a class extending ``TaintTracking::FunctionModel`` (or -``DataFlow::FunctionModel`` if the untrusted user data is passed on -without being modified). - -Inheritance and the characteristic predicate of the class should specify -the function. The class should also have a member predicate with the signature -``override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp)`` -(or -``override predicate hasDataFlow(FunctionInput inp, FunctionOutput outp)`` -if extending ``DataFlow::FunctionModel``). The body should constrain -``inp`` and ``outp``. - -``FunctionInput`` is an abstract representation of the inputs to a -function. The options are: - -* the receiver (``inp.isReceiver()``) -* one of the parameters (``inp.isParameter(i)``) -* one of the results (``inp.isResult(i)``, or ``inp.isResult`` if there is only one result) - -Note that it may seem strange that the result of a function could be -considered as a function input, but it is needed in some cases. For -instance, the function ``bufio.NewWriter`` returns a writer ``bw`` that -buffers write operations to an underlying writer ``w``. If tainted data -is written to ``bw``, then it makes sense to propagate that taint back -to the underlying writer ``w``, which can be modeled by saying that -``bufio.NewWriter`` propagates taint from its result to its first -argument. - -Similarly, ``FunctionOutput`` is an abstract representation of the -outputs to a function. The options are: - -* the receiver (``outp.isReceiver()``) -* one of the parameters (``outp.isParameter(i)``) -* one of the results (``outp.isResult(i)``, or ``outp.isResult`` if there is only one result) - -Here is an example from ``Gin.qll``, which has been slightly simplified. - -.. code-block:: ql - - private class ParamsGet extends TaintTracking::FunctionModel, Method { - ParamsGet() { this.hasQualifiedName("github.com/gin-gonic/gin", "Params", "Get") } - - override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) { - inp.isReceiver() and outp.isResult(0) - } - } - -This has the effect that calls to the ``Get`` method with receiver type -``Params`` from the ``gin-gonic/gin`` package allow taint to flow from -the receiver to the first result. In other words, if ``p`` has type -``Params`` and taint can flow to it, then after the line -``x := p.Get("foo")`` taint can also flow to ``x``. - -Sanitizers ----------- - -It is not necessary to indicate that library functions are sanitizers. -Their bodies are not analyzed, so it is assumed that data does not -flow through them. - -Sinks ------ - -Data-flow sinks are specified by queries rather than by library models. -However, you can use library models to indicate when functions belong to -special categories. Queries can then use these categories when specifying -sinks. Classes representing these special categories are contained in -``go/ql/lib/semmle/go/Concepts.qll`` in the `CodeQL repository -`__. -``Concepts.qll`` includes classes for logger mechanisms, -HTTP response writers, HTTP redirects, and marshaling and unmarshaling -functions. - -Here is a short example from ``Stdlib.qll``, which has been slightly simplified. - -.. code-block:: ql - - private class PrintfCall extends LoggerCall::Range, DataFlow::CallNode { - PrintfCall() { this.getTarget().hasQualifiedName("fmt", ["Print", "Printf", "Println"]) } - - override DataFlow::Node getAMessageComponent() { result = this.getAnArgument() } - } - -This has the effect that any call to ``Print``, ``Printf``, or -``Println`` in the package ``fmt`` is recognized as a logger call. -Any query that uses logger calls as a sink will then identify when tainted data -has been passed as an argument to ``Print``, ``Printf``, or ``Println``. diff --git a/docs/codeql/writing-codeql-queries/about-data-flow-analysis.rst b/docs/codeql/writing-codeql-queries/about-data-flow-analysis.rst index 61290e095b24..65a5ea32c35c 100644 --- a/docs/codeql/writing-codeql-queries/about-data-flow-analysis.rst +++ b/docs/codeql/writing-codeql-queries/about-data-flow-analysis.rst @@ -18,6 +18,7 @@ See the following tutorials for more information about analyzing data flow in sp - ":ref:`Analyzing data flow in C/C++ `" - ":ref:`Analyzing data flow in C# `" +- ":ref:`Analyzing data flow in Go `" - ":ref:`Analyzing data flow in Java/Kotlin `" - ":ref:`Analyzing data flow in JavaScript/TypeScript `" - ":ref:`Analyzing data flow in Python `" diff --git a/docs/codeql/writing-codeql-queries/creating-path-queries.rst b/docs/codeql/writing-codeql-queries/creating-path-queries.rst index 036083d2912c..7e178f94b44f 100644 --- a/docs/codeql/writing-codeql-queries/creating-path-queries.rst +++ b/docs/codeql/writing-codeql-queries/creating-path-queries.rst @@ -28,6 +28,7 @@ For more language-specific information on analyzing data flow, see: - ":ref:`Analyzing data flow in C/C++ `" - ":ref:`Analyzing data flow in C# `" +- ":ref:`Analyzing data flow in Go `" - ":ref:`Analyzing data flow in Java/Kotlin `" - ":ref:`Analyzing data flow in JavaScript/TypeScript `" - ":ref:`Analyzing data flow in Python `" diff --git a/go/docs/language/learn-ql/go/library-modeling-go.rst b/go/docs/language/learn-ql/go/library-modeling-go.rst deleted file mode 100644 index 3d63ac14cd79..000000000000 --- a/go/docs/language/learn-ql/go/library-modeling-go.rst +++ /dev/null @@ -1,122 +0,0 @@ -Modeling data flow in Go libraries -================================== - -When analyzing a Go program, CodeQL does not examine the source code for -external packages. To track the flow of untrusted data through a library, you -can create a model of the library. - -You can find existing models in the ``go/ql/lib/semmle/go/frameworks/`` folder of the -`CodeQL repository `__. -To add a new model, you should make a new file in that folder, named after the library. - -Sources -------- - -To mark a source of data that is controlled by an untrusted user, we -create a class extending ``RemoteFlowSource::Range``. Inheritance and -the characteristic predicate of the class should be used to specify -exactly the dataflow node that introduces the data. Here is a short -example from ``Mux.qll``. - -.. code-block:: ql - - class RequestVars extends DataFlow::RemoteFlowSource::Range, DataFlow::CallNode { - RequestVars() { this.getTarget().hasQualifiedName("github.com/gorilla/mux", "Vars") } - } - -This has the effect that all calls to `the function Vars from the -package mux `__ are -treated as sources of untrusted data. - -Flow propagation ----------------- - -By default, we assume that all functions in libraries do not have -any data flow. To indicate that a particular function does have data flow, -create a class extending ``TaintTracking::FunctionModel`` (or -``DataFlow::FunctionModel`` if the untrusted user data is passed on -without being modified). - -Inheritance and the characteristic predicate of the class should specify -the function. The class should also have a member predicate with the signature -``override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp)`` -(or -``override predicate hasDataFlow(FunctionInput inp, FunctionOutput outp)`` -if extending ``DataFlow::FunctionModel``). The body should constrain -``inp`` and ``outp``. - -``FunctionInput`` is an abstract representation of the inputs to a -function. The options are: - -* the receiver (``inp.isReceiver()``) -* one of the parameters (``inp.isParameter(i)``) -* one of the results (``inp.isResult(i)``, or ``inp.isResult`` if there is only one result) - -Note that it may seem strange that the result of a function could be -considered as a function input, but it is needed in some cases. For -instance, the function ``bufio.NewWriter`` returns a writer ``bw`` that -buffers write operations to an underlying writer ``w``. If tainted data -is written to ``bw``, then it makes sense to propagate that taint back -to the underlying writer ``w``, which can be modeled by saying that -``bufio.NewWriter`` propagates taint from its result to its first -argument. - -Similarly, ``FunctionOutput`` is an abstract representation of the -outputs to a function. The options are: - -* the receiver (``outp.isReceiver()``) -* one of the parameters (``outp.isParameter(i)``) -* one of the results (``outp.isResult(i)``, or ``outp.isResult`` if there is only one result) - -Here is an example from ``Gin.qll``, which has been slightly simplified. - -.. code-block:: ql - - private class ParamsGet extends TaintTracking::FunctionModel, Method { - ParamsGet() { this.hasQualifiedName("github.com/gin-gonic/gin", "Params", "Get") } - - override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) { - inp.isReceiver() and outp.isResult(0) - } - } - -This has the effect that calls to the ``Get`` method with receiver type -``Params`` from the ``gin-gonic/gin`` package allow taint to flow from -the receiver to the first result. In other words, if ``p`` has type -``Params`` and taint can flow to it, then after the line -``x := p.Get("foo")`` taint can also flow to ``x``. - -Sanitizers ----------- - -It is not necessary to indicate that library functions are sanitizers. -Their bodies are not analyzed, so it is assumed that data does not -flow through them. - -Sinks ------ - -Data-flow sinks are specified by queries rather than by library models. -However, you can use library models to indicate when functions belong to -special categories. Queries can then use these categories when specifying -sinks. Classes representing these special categories are contained in -``go/ql/lib/semmle/go/Concepts.qll`` in the `CodeQL for Go repository -`__. -``Concepts.qll`` includes classes for logger mechanisms, -HTTP response writers, HTTP redirects, and marshaling and unmarshaling -functions. - -Here is a short example from ``Stdlib.qll``, which has been slightly simplified. - -.. code-block:: ql - - private class PrintfCall extends LoggerCall::Range, DataFlow::CallNode { - PrintfCall() { this.getTarget().hasQualifiedName("fmt", ["Print", "Printf", "Println"]) } - - override DataFlow::Node getAMessageComponent() { result = this.getAnArgument() } - } - -This has the effect that any call to ``Print``, ``Printf``, or -``Println`` in the package ``fmt`` is recognized as a logger call. -Any query that uses logger calls as a sink will then identify when tainted data -has been passed as an argument to ``Print``, ``Printf``, or ``Println``.