Add taint models for go 1.19's new fmt.Append functions

Author: smowton

go/ql/lib/semmle/go/frameworks/stdlib/Fmt.qll

@@ -6,24 +6,20 @@ import go
 
 /** Provides models of commonly used functions in the `fmt` package. */
 module Fmt {
-  /** The `Sprint` function or one of its variants. */
-  class Sprinter extends TaintTracking::FunctionModel {
-    Sprinter() {
-      // signature: func Sprint(a ...interface{}) string
-      this.hasQualifiedName("fmt", "Sprint")
-      or
-      // signature: func Sprintf(format string, a ...interface{}) string
-      this.hasQualifiedName("fmt", "Sprintf")
-      or
-      // signature: func Sprintln(a ...interface{}) string
-      this.hasQualifiedName("fmt", "Sprintln")
-    }
+  /** The `Sprint` or `Append` functions or one of their variants. */
+  class AppenderOrSprinter extends TaintTracking::FunctionModel {
+    AppenderOrSprinter() { this.hasQualifiedName("fmt", ["Append", "Sprint"] + ["", "f", "ln"]) }
 
     override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) {
       inp.isParameter(_) and outp.isResult()
     }
   }
 
+  /** The `Sprint` function or one of its variants. */
+  class Sprinter extends AppenderOrSprinter {
+    Sprinter() { this.getName().matches("Sprint%") }
+  }
+
   /** The `Print` function or one of its variants. */
   class Printer extends Function {
     Printer() { this.hasQualifiedName("fmt", ["Print", "Printf", "Println"]) }

go/ql/src/Security/CWE-352/ConstantOauth2State.ql

@@ -106,7 +106,7 @@ class PrivateUrlFlowsToAuthCodeUrlCall extends DataFlow::Configuration {
     TaintTracking::referenceStep(pred, succ)
     or
     // Propagate across Sprintf and similar calls
-    any(Fmt::Sprinter s).taintStep(pred, succ)
+    any(Fmt::AppenderOrSprinter s).taintStep(pred, succ)
   }
 
   predicate isSink(DataFlow::Node sink, DataFlow::CallNode call) {