Merge pull request #10103 from smowton/smowton/feature/golang-1.19-support

Go: support go 1.19

Author: smowton

.github/workflows/go-tests.yml

@@ -11,10 +11,10 @@ jobs:
     name: Test Linux (Ubuntu)
     runs-on: ubuntu-latest
     steps:
-      - name: Set up Go 1.18.1
+      - name: Set up Go 1.19
         uses: actions/setup-go@v3
         with:
-          go-version: 1.18.1
+          go-version: 1.19
         id: go
 
       - name: Check out code
@@ -57,10 +57,10 @@ jobs:
     name: Test MacOS
     runs-on: macos-latest
     steps:
-      - name: Set up Go 1.18.1
+      - name: Set up Go 1.19
         uses: actions/setup-go@v3
         with:
-          go-version: 1.18.1
+          go-version: 1.19
         id: go
 
       - name: Check out code
@@ -87,10 +87,10 @@ jobs:
     name: Test Windows
     runs-on: windows-2019
     steps:
-      - name: Set up Go 1.18.1
+      - name: Set up Go 1.19
         uses: actions/setup-go@v3
         with:
-          go-version: 1.18.1
+          go-version: 1.19
         id: go
 
       - name: Check out code

go/extractor/srcarchive/projectlayout.go

@@ -11,10 +11,10 @@ import (
 // ProjectLayout describes a very simple project layout rewriting paths starting
 // with `from` to start with `to` instead.
 //
-// We currently only support project layouts of the form
+// We currently only support project layouts of the form:
 //
-// # to
-// from//
+//	# to
+//	from//
 type ProjectLayout struct {
 	from, to string
 }

go/go.mod

@@ -3,11 +3,11 @@ module github.com/github/codeql-go
 go 1.18
 
 require (
-	golang.org/x/mod v0.5.0
-	golang.org/x/tools v0.1.5
+	golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4
+	golang.org/x/tools v0.1.12
 )
 
 require (
-	golang.org/x/sys v0.0.0-20210510120138-977fb7262007 // indirect
+	golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f // indirect
 	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
 )

go/go.sum

@@ -4,6 +4,8 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.5.0 h1:UG21uOlmZabA4fW5i7ZX6bjw1xELEGg/ZLgZq9auk/Q=
 golang.org/x/mod v0.5.0/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 h1:6zppjxzCulZykYSLyVDYbneBfbaBIQPYMevg0bEwv2s=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
@@ -15,13 +17,17 @@ golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007 h1:gG67DSER+11cZvqIMb8S8bt0vZtiN6xWYARwirrOSfE=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f h1:v4INt8xihDGvnrfjMDVXGxw9wrfxYyCjk0KbXjhR55s=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.5 h1:ouewzE6p+/VEB31YYnTbEJdi8pFqKp4P4n85vwo3DHA=
 golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
+golang.org/x/tools v0.1.12 h1:VveCTK38A2rkS8ZqFY25HIDFscX5X9OoEhJd3quQmXU=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=

go/ql/lib/change-notes/2022-08-19-go-119-support.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Go 1.19 is now supported, including adding new taint propagation steps for new standard-library functions introduced in this release.

go/ql/lib/semmle/go/frameworks/Stdlib.qll

@@ -170,6 +170,25 @@ module URL {
     }
   }
 
+  /** The `JoinPath` function. */
+  class JoinPath extends TaintTracking::FunctionModel {
+    JoinPath() { this.hasQualifiedName("net/url", "JoinPath") }
+
+    override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) {
+      inp.isParameter(_) and outp.isResult(0)
+    }
+  }
+
+  /** The method `URL.JoinPath`. */
+  class JoinPathMethod extends TaintTracking::FunctionModel, Method {
+    JoinPathMethod() { this.hasQualifiedName("net/url", "URL", "JoinPath") }
+
+    override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) {
+      (inp.isReceiver() or inp.isParameter(_)) and
+      outp.isResult(0)
+    }
+  }
+
   /** A method that returns a part of a URL. */
   class UrlGetter extends TaintTracking::FunctionModel, Method {
     UrlGetter() {

go/ql/lib/semmle/go/frameworks/stdlib/Fmt.qll

@@ -6,24 +6,20 @@ import go
 
 /** Provides models of commonly used functions in the `fmt` package. */
 module Fmt {
-  /** The `Sprint` function or one of its variants. */
-  class Sprinter extends TaintTracking::FunctionModel {
-    Sprinter() {
-      // signature: func Sprint(a ...interface{}) string
-      this.hasQualifiedName("fmt", "Sprint")
-      or
-      // signature: func Sprintf(format string, a ...interface{}) string
-      this.hasQualifiedName("fmt", "Sprintf")
-      or
-      // signature: func Sprintln(a ...interface{}) string
-      this.hasQualifiedName("fmt", "Sprintln")
-    }
+  /** The `Sprint` or `Append` functions or one of their variants. */
+  class AppenderOrSprinter extends TaintTracking::FunctionModel {
+    AppenderOrSprinter() { this.hasQualifiedName("fmt", ["Append", "Sprint"] + ["", "f", "ln"]) }
 
     override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) {
       inp.isParameter(_) and outp.isResult()
     }
   }
 
+  /** The `Sprint` function or one of its variants. */
+  class Sprinter extends AppenderOrSprinter {
+    Sprinter() { this.getName().matches("Sprint%") }
+  }
+
   /** The `Print` function or one of its variants. */
   class Printer extends Function {
     Printer() { this.hasQualifiedName("fmt", ["Print", "Printf", "Println"]) }

go/ql/lib/semmle/go/frameworks/stdlib/SyncAtomic.qll

@@ -69,13 +69,15 @@ module SyncAtomic {
     FunctionOutput outp;
 
     MethodModels() {
-      // signature: func (*Value) Load() (x interface{})
-      hasQualifiedName("sync/atomic", "Value", "Load") and
-      (inp.isReceiver() and outp.isResult())
-      or
-      // signature: func (*Value) Store(x interface{})
-      hasQualifiedName("sync/atomic", "Value", "Store") and
-      (inp.isParameter(0) and outp.isReceiver())
+      exists(string containerType | containerType = ["Value", "Pointer", "Uintptr"] |
+        // signature: func (*Containertype) Load/Swap() (x containedtype)
+        hasQualifiedName("sync/atomic", containerType, ["Load", "Swap"]) and
+        (inp.isReceiver() and outp.isResult())
+        or
+        // signature: func (*Containertype) Store/Swap(x containedtype) [(x containedtype)]
+        hasQualifiedName("sync/atomic", containerType, ["Store", "Swap"]) and
+        (inp.isParameter(0) and outp.isReceiver())
+      )
     }
 
     override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {

go/ql/src/Security/CWE-352/ConstantOauth2State.ql

@@ -106,7 +106,7 @@ class PrivateUrlFlowsToAuthCodeUrlCall extends DataFlow::Configuration {
     TaintTracking::referenceStep(pred, succ)
     or
     // Propagate across Sprintf and similar calls
-    any(Fmt::Sprinter s).taintStep(pred, succ)
+    any(Fmt::AppenderOrSprinter s).taintStep(pred, succ)
   }
 
   predicate isSink(DataFlow::Node sink, DataFlow::CallNode call) {

go/ql/test/library-tests/semmle/go/dataflow/FlowSteps/LocalFlowStep.expected

@@ -2,9 +2,15 @@
 | file://:0:0:0:0 | function EscapedPath | url.go:28:14:28:26 | selection of EscapedPath |
 | file://:0:0:0:0 | function Get | url.go:52:14:52:18 | selection of Get |
 | file://:0:0:0:0 | function Hostname | url.go:29:14:29:23 | selection of Hostname |
+| file://:0:0:0:0 | function JoinPath | url.go:57:16:57:27 | selection of JoinPath |
+| file://:0:0:0:0 | function JoinPath | url.go:58:16:58:27 | selection of JoinPath |
+| file://:0:0:0:0 | function JoinPath | url.go:60:15:60:28 | selection of JoinPath |
+| file://:0:0:0:0 | function JoinPath | url.go:66:9:66:25 | selection of JoinPath |
 | file://:0:0:0:0 | function MarshalBinary | url.go:30:11:30:25 | selection of MarshalBinary |
 | file://:0:0:0:0 | function Parse | url.go:23:10:23:18 | selection of Parse |
 | file://:0:0:0:0 | function Parse | url.go:32:9:32:15 | selection of Parse |
+| file://:0:0:0:0 | function Parse | url.go:59:14:59:22 | selection of Parse |
+| file://:0:0:0:0 | function Parse | url.go:65:17:65:25 | selection of Parse |
 | file://:0:0:0:0 | function ParseQuery | url.go:50:10:50:23 | selection of ParseQuery |
 | file://:0:0:0:0 | function ParseRequestURI | url.go:27:9:27:27 | selection of ParseRequestURI |
 | file://:0:0:0:0 | function Password | url.go:43:11:43:21 | selection of Password |
@@ -164,3 +170,17 @@
 | url.go:50:2:50:2 | definition of v | url.go:52:14:52:14 | v |
 | url.go:50:2:50:2 | definition of v | url.go:53:9:53:9 | v |
 | url.go:50:2:50:26 | ... := ...[0] | url.go:50:2:50:2 | definition of v |
+| url.go:56:12:56:12 | argument corresponding to q | url.go:56:12:56:12 | definition of q |
+| url.go:56:12:56:12 | definition of q | url.go:57:29:57:29 | q |
+| url.go:57:2:57:8 | definition of joined1 | url.go:58:38:58:44 | joined1 |
+| url.go:57:2:57:39 | ... := ...[0] | url.go:57:2:57:8 | definition of joined1 |
+| url.go:58:2:58:8 | definition of joined2 | url.go:59:24:59:30 | joined2 |
+| url.go:58:2:58:45 | ... := ...[0] | url.go:58:2:58:8 | definition of joined2 |
+| url.go:59:2:59:6 | definition of asUrl | url.go:60:15:60:19 | asUrl |
+| url.go:59:2:59:31 | ... := ...[0] | url.go:59:2:59:6 | definition of asUrl |
+| url.go:60:2:60:10 | definition of joinedUrl | url.go:61:9:61:17 | joinedUrl |
+| url.go:60:15:60:37 | call to JoinPath | url.go:60:2:60:10 | definition of joinedUrl |
+| url.go:64:13:64:13 | argument corresponding to q | url.go:64:13:64:13 | definition of q |
+| url.go:64:13:64:13 | definition of q | url.go:66:27:66:27 | q |
+| url.go:65:2:65:9 | definition of cleanUrl | url.go:66:9:66:16 | cleanUrl |
+| url.go:65:2:65:48 | ... := ...[0] | url.go:65:2:65:9 | definition of cleanUrl |