Add models for Go 1.19's new url.JoinPath and URL.JoinPath functions

Author: smowton

go/ql/lib/semmle/go/frameworks/Stdlib.qll

@@ -170,6 +170,25 @@ module URL {
     }
   }
 
+  /** The `JoinPath` function. */
+  class JoinPath extends TaintTracking::FunctionModel {
+    JoinPath() { this.hasQualifiedName("net/url", "JoinPath") }
+
+    override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) {
+      inp.isParameter(_) and outp.isResult(0)
+    }
+  }
+
+  /** The method `URL.JoinPath`. */
+  class JoinPathMethod extends TaintTracking::FunctionModel, Method {
+    JoinPathMethod() { this.hasQualifiedName("net/url", "URL", "JoinPath") }
+
+    override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) {
+      (inp.isReceiver() or inp.isParameter(_)) and
+      outp.isResult(0)
+    }
+  }
+
   /** A method that returns a part of a URL. */
   class UrlGetter extends TaintTracking::FunctionModel, Method {
     UrlGetter() {

go/ql/test/library-tests/semmle/go/dataflow/FlowSteps/LocalFlowStep.expected

@@ -2,9 +2,15 @@
 | file://:0:0:0:0 | function EscapedPath | url.go:28:14:28:26 | selection of EscapedPath |
 | file://:0:0:0:0 | function Get | url.go:52:14:52:18 | selection of Get |
 | file://:0:0:0:0 | function Hostname | url.go:29:14:29:23 | selection of Hostname |
+| file://:0:0:0:0 | function JoinPath | url.go:57:16:57:27 | selection of JoinPath |
+| file://:0:0:0:0 | function JoinPath | url.go:58:16:58:27 | selection of JoinPath |
+| file://:0:0:0:0 | function JoinPath | url.go:60:15:60:28 | selection of JoinPath |
+| file://:0:0:0:0 | function JoinPath | url.go:66:9:66:25 | selection of JoinPath |
 | file://:0:0:0:0 | function MarshalBinary | url.go:30:11:30:25 | selection of MarshalBinary |
 | file://:0:0:0:0 | function Parse | url.go:23:10:23:18 | selection of Parse |
 | file://:0:0:0:0 | function Parse | url.go:32:9:32:15 | selection of Parse |
+| file://:0:0:0:0 | function Parse | url.go:59:14:59:22 | selection of Parse |
+| file://:0:0:0:0 | function Parse | url.go:65:17:65:25 | selection of Parse |
 | file://:0:0:0:0 | function ParseQuery | url.go:50:10:50:23 | selection of ParseQuery |
 | file://:0:0:0:0 | function ParseRequestURI | url.go:27:9:27:27 | selection of ParseRequestURI |
 | file://:0:0:0:0 | function Password | url.go:43:11:43:21 | selection of Password |
@@ -164,3 +170,17 @@
 | url.go:50:2:50:2 | definition of v | url.go:52:14:52:14 | v |
 | url.go:50:2:50:2 | definition of v | url.go:53:9:53:9 | v |
 | url.go:50:2:50:26 | ... := ...[0] | url.go:50:2:50:2 | definition of v |
+| url.go:56:12:56:12 | argument corresponding to q | url.go:56:12:56:12 | definition of q |
+| url.go:56:12:56:12 | definition of q | url.go:57:29:57:29 | q |
+| url.go:57:2:57:8 | definition of joined1 | url.go:58:38:58:44 | joined1 |
+| url.go:57:2:57:39 | ... := ...[0] | url.go:57:2:57:8 | definition of joined1 |
+| url.go:58:2:58:8 | definition of joined2 | url.go:59:24:59:30 | joined2 |
+| url.go:58:2:58:45 | ... := ...[0] | url.go:58:2:58:8 | definition of joined2 |
+| url.go:59:2:59:6 | definition of asUrl | url.go:60:15:60:19 | asUrl |
+| url.go:59:2:59:31 | ... := ...[0] | url.go:59:2:59:6 | definition of asUrl |
+| url.go:60:2:60:10 | definition of joinedUrl | url.go:61:9:61:17 | joinedUrl |
+| url.go:60:15:60:37 | call to JoinPath | url.go:60:2:60:10 | definition of joinedUrl |
+| url.go:64:13:64:13 | argument corresponding to q | url.go:64:13:64:13 | definition of q |
+| url.go:64:13:64:13 | definition of q | url.go:66:27:66:27 | q |
+| url.go:65:2:65:9 | definition of cleanUrl | url.go:66:9:66:16 | cleanUrl |
+| url.go:65:2:65:48 | ... := ...[0] | url.go:65:2:65:9 | definition of cleanUrl |

go/ql/test/library-tests/semmle/go/dataflow/FlowSteps/LocalTaintStep.expected

@@ -66,3 +66,21 @@
 | url.go:50:25:50:25 | q | url.go:50:2:50:26 | ... := ...[0] |
 | url.go:51:14:51:14 | v | url.go:51:14:51:23 | call to Encode |
 | url.go:52:14:52:14 | v | url.go:52:14:52:26 | call to Get |
+| url.go:57:16:57:39 | call to JoinPath | url.go:57:2:57:39 | ... := ...[0] |
+| url.go:57:16:57:39 | call to JoinPath | url.go:57:2:57:39 | ... := ...[1] |
+| url.go:57:29:57:29 | q | url.go:57:2:57:39 | ... := ...[0] |
+| url.go:57:32:57:38 | "clean" | url.go:57:2:57:39 | ... := ...[0] |
+| url.go:58:16:58:45 | call to JoinPath | url.go:58:2:58:45 | ... := ...[0] |
+| url.go:58:16:58:45 | call to JoinPath | url.go:58:2:58:45 | ... := ...[1] |
+| url.go:58:29:58:35 | "clean" | url.go:58:2:58:45 | ... := ...[0] |
+| url.go:58:38:58:44 | joined1 | url.go:58:2:58:45 | ... := ...[0] |
+| url.go:59:14:59:31 | call to Parse | url.go:59:2:59:31 | ... := ...[0] |
+| url.go:59:14:59:31 | call to Parse | url.go:59:2:59:31 | ... := ...[1] |
+| url.go:59:24:59:30 | joined2 | url.go:59:2:59:31 | ... := ...[0] |
+| url.go:60:15:60:19 | asUrl | url.go:60:15:60:37 | call to JoinPath |
+| url.go:60:30:60:36 | "clean" | url.go:60:15:60:37 | call to JoinPath |
+| url.go:65:17:65:48 | call to Parse | url.go:65:2:65:48 | ... := ...[0] |
+| url.go:65:17:65:48 | call to Parse | url.go:65:2:65:48 | ... := ...[1] |
+| url.go:65:27:65:47 | "http://harmless.org" | url.go:65:2:65:48 | ... := ...[0] |
+| url.go:66:9:66:16 | cleanUrl | url.go:66:9:66:28 | call to JoinPath |
+| url.go:66:27:66:27 | q | url.go:66:9:66:28 | call to JoinPath |

go/ql/test/library-tests/semmle/go/dataflow/FlowSteps/url.go

@@ -52,3 +52,16 @@ func func8(q string) url.Values {
 	fmt.Println(v.Get("page"))
 	return v
 }
+
+func func9(q string) *url.URL {
+	joined1, _ := url.JoinPath(q, "clean")
+	joined2, _ := url.JoinPath("clean", joined1)
+	asUrl, _ := url.Parse(joined2)
+	joinedUrl := asUrl.JoinPath("clean")
+	return joinedUrl
+}
+
+func func10(q string) *url.URL {
+	cleanUrl, _ := url.Parse("http://harmless.org")
+	return cleanUrl.JoinPath(q)
+}