Only add taint steps for implicit varargs slice post-update nodes

Author: owen-mc

go/ql/lib/semmle/go/dataflow/internal/TaintTrackingUtil.qll

@@ -112,11 +112,6 @@ predicate localAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ, str
     stringConcatStep(pred, succ)
     or
     sliceStep(pred, succ)
-    or
-    // Treat container read steps as taint for global taint flow.
-    exists(DataFlow::Content c | DataFlowPrivate::containerContent(c) |
-      DataFlowPrivate::readStep(pred, c, succ)
-    )
   ) and
   model = ""
   or
@@ -185,6 +180,12 @@ predicate elementStep(DataFlow::Node pred, DataFlow::Node succ) {
     // only step into the value, not the index
     succ.asInstruction() = IR::extractTupleElement(nextEntry, 1)
   )
+  or
+  exists(DataFlow::ImplicitVarargsSlice ivs |
+    pred.(DataFlow::PostUpdateNode).getPreUpdateNode() = ivs and
+    succ.(DataFlow::PostUpdateNode).getPreUpdateNode() =
+      ivs.getCallNode().getAnImplicitVarargsArgument()
+  )
 }
 
 /** Holds if taint flows from `pred` to `succ` via an extract tuple operation. */

go/ql/test/experimental/CWE-74/DsnInjectionLocal.expected

@@ -2,13 +2,9 @@
 | Dsn.go:29:29:29:33 | dbDSN | Dsn.go:26:11:26:17 | selection of Args | Dsn.go:29:29:29:33 | dbDSN | This query depends on a $@. | Dsn.go:26:11:26:17 | selection of Args | user-provided value |
 | Dsn.go:68:29:68:33 | dbDSN | Dsn.go:63:19:63:25 | selection of Args | Dsn.go:68:29:68:33 | dbDSN | This query depends on a $@. | Dsn.go:63:19:63:25 | selection of Args | user-provided value |
 edges
-| Dsn.go:26:11:26:17 | selection of Args | Dsn.go:26:11:26:21 | slice element node | provenance |  |
 | Dsn.go:26:11:26:17 | selection of Args | Dsn.go:28:102:28:109 | index expression | provenance |  |
-| Dsn.go:26:11:26:21 | slice element node | Dsn.go:26:11:26:21 | slice expression [array] | provenance |  |
-| Dsn.go:26:11:26:21 | slice expression [array] | Dsn.go:28:102:28:106 | name2 [array] | provenance |  |
 | Dsn.go:28:11:28:110 | []type{args} [array] | Dsn.go:28:11:28:110 | call to Sprintf | provenance | MaD:1 |
 | Dsn.go:28:11:28:110 | call to Sprintf | Dsn.go:29:29:29:33 | dbDSN | provenance |  |
-| Dsn.go:28:102:28:106 | name2 [array] | Dsn.go:28:102:28:109 | index expression | provenance |  |
 | Dsn.go:28:102:28:109 | index expression | Dsn.go:28:11:28:110 | []type{args} [array] | provenance |  |
 | Dsn.go:28:102:28:109 | index expression | Dsn.go:28:11:28:110 | call to Sprintf | provenance | FunctionModel |
 | Dsn.go:62:2:62:4 | definition of cfg [pointer] | Dsn.go:63:9:63:11 | cfg [pointer] | provenance |  |
@@ -29,11 +25,8 @@ models
 | 1 | Summary: fmt; ; false; Sprintf; ; ; Argument[1].ArrayElement; ReturnValue; taint; manual |
 nodes
 | Dsn.go:26:11:26:17 | selection of Args | semmle.label | selection of Args |
-| Dsn.go:26:11:26:21 | slice element node | semmle.label | slice element node |
-| Dsn.go:26:11:26:21 | slice expression [array] | semmle.label | slice expression [array] |
 | Dsn.go:28:11:28:110 | []type{args} [array] | semmle.label | []type{args} [array] |
 | Dsn.go:28:11:28:110 | call to Sprintf | semmle.label | call to Sprintf |
-| Dsn.go:28:102:28:106 | name2 [array] | semmle.label | name2 [array] |
 | Dsn.go:28:102:28:109 | index expression | semmle.label | index expression |
 | Dsn.go:29:29:29:33 | dbDSN | semmle.label | dbDSN |
 | Dsn.go:62:2:62:4 | definition of cfg [pointer] | semmle.label | definition of cfg [pointer] |

go/ql/test/library-tests/semmle/go/dataflow/FlowSteps/LocalTaintStep.expected

@@ -15,7 +15,6 @@
 | main.go:47:20:47:21 | next key-value pair in range | main.go:47:2:50:2 | range statement[1] |
 | main.go:47:20:47:21 | xs | main.go:47:2:50:2 | range statement[1] |
 | main.go:56:8:56:11 | true | main.go:56:2:56:3 | ch |
-| main.go:57:4:57:5 | ch | main.go:57:2:57:5 | <-... |
 | strings.go:9:24:9:24 | s | strings.go:9:8:9:38 | call to Replace |
 | strings.go:9:32:9:34 | "_" | strings.go:9:8:9:38 | call to Replace |
 | strings.go:10:27:10:27 | s | strings.go:10:8:10:42 | call to ReplaceAll |

go/ql/test/query-tests/Security/CWE-078/CommandInjection.expected

@@ -50,7 +50,6 @@ edges
 | GitSubcommands.go:33:13:33:27 | call to Query | GitSubcommands.go:38:32:38:38 | tainted | provenance |  |
 | SanitizingDoubleDash.go:9:13:9:19 | selection of URL | SanitizingDoubleDash.go:9:13:9:27 | call to Query | provenance | Src:MaD:2 MaD:7 |
 | SanitizingDoubleDash.go:9:13:9:27 | call to Query | SanitizingDoubleDash.go:13:25:13:31 | tainted | provenance |  |
-| SanitizingDoubleDash.go:9:13:9:27 | call to Query | SanitizingDoubleDash.go:14:23:14:33 | slice element node | provenance |  |
 | SanitizingDoubleDash.go:9:13:9:27 | call to Query | SanitizingDoubleDash.go:14:23:14:33 | slice expression | provenance |  |
 | SanitizingDoubleDash.go:9:13:9:27 | call to Query | SanitizingDoubleDash.go:39:31:39:37 | tainted | provenance |  |
 | SanitizingDoubleDash.go:9:13:9:27 | call to Query | SanitizingDoubleDash.go:52:24:52:30 | tainted | provenance |  |
@@ -71,8 +70,6 @@ edges
 | SanitizingDoubleDash.go:53:14:53:35 | call to append | SanitizingDoubleDash.go:54:23:54:30 | arrayLit | provenance |  |
 | SanitizingDoubleDash.go:53:14:53:35 | call to append [array] | SanitizingDoubleDash.go:54:23:54:30 | arrayLit | provenance |  |
 | SanitizingDoubleDash.go:53:21:53:28 | arrayLit | SanitizingDoubleDash.go:53:14:53:35 | call to append | provenance | MaD:4 |
-| SanitizingDoubleDash.go:53:21:53:28 | arrayLit | SanitizingDoubleDash.go:53:14:53:35 | call to append | provenance | MaD:3 |
-| SanitizingDoubleDash.go:53:21:53:28 | arrayLit | SanitizingDoubleDash.go:53:14:53:35 | call to append [array] | provenance | MaD:3 |
 | SanitizingDoubleDash.go:53:21:53:28 | arrayLit [array] | SanitizingDoubleDash.go:53:14:53:35 | call to append | provenance | MaD:3 |
 | SanitizingDoubleDash.go:53:21:53:28 | arrayLit [array] | SanitizingDoubleDash.go:53:14:53:35 | call to append [array] | provenance | MaD:3 |
 | SanitizingDoubleDash.go:68:14:68:38 | []type{args} [array] | SanitizingDoubleDash.go:68:14:68:38 | call to append | provenance | MaD:5 |
@@ -83,16 +80,12 @@ edges
 | SanitizingDoubleDash.go:69:14:69:35 | call to append | SanitizingDoubleDash.go:70:23:70:30 | arrayLit | provenance |  |
 | SanitizingDoubleDash.go:69:14:69:35 | call to append [array] | SanitizingDoubleDash.go:70:23:70:30 | arrayLit | provenance |  |
 | SanitizingDoubleDash.go:69:21:69:28 | arrayLit | SanitizingDoubleDash.go:69:14:69:35 | call to append | provenance | MaD:4 |
-| SanitizingDoubleDash.go:69:21:69:28 | arrayLit | SanitizingDoubleDash.go:69:14:69:35 | call to append | provenance | MaD:3 |
-| SanitizingDoubleDash.go:69:21:69:28 | arrayLit | SanitizingDoubleDash.go:69:14:69:35 | call to append [array] | provenance | MaD:3 |
 | SanitizingDoubleDash.go:69:21:69:28 | arrayLit [array] | SanitizingDoubleDash.go:69:14:69:35 | call to append | provenance | MaD:3 |
 | SanitizingDoubleDash.go:69:21:69:28 | arrayLit [array] | SanitizingDoubleDash.go:69:14:69:35 | call to append [array] | provenance | MaD:3 |
 | SanitizingDoubleDash.go:92:13:92:19 | selection of URL | SanitizingDoubleDash.go:92:13:92:27 | call to Query | provenance | Src:MaD:2 MaD:7 |
 | SanitizingDoubleDash.go:92:13:92:27 | call to Query | SanitizingDoubleDash.go:95:25:95:31 | tainted | provenance |  |
-| SanitizingDoubleDash.go:92:13:92:27 | call to Query | SanitizingDoubleDash.go:96:24:96:34 | slice element node | provenance |  |
 | SanitizingDoubleDash.go:92:13:92:27 | call to Query | SanitizingDoubleDash.go:96:24:96:34 | slice expression | provenance |  |
 | SanitizingDoubleDash.go:92:13:92:27 | call to Query | SanitizingDoubleDash.go:100:31:100:37 | tainted | provenance |  |
-| SanitizingDoubleDash.go:92:13:92:27 | call to Query | SanitizingDoubleDash.go:101:24:101:34 | slice element node | provenance |  |
 | SanitizingDoubleDash.go:92:13:92:27 | call to Query | SanitizingDoubleDash.go:101:24:101:34 | slice expression | provenance |  |
 | SanitizingDoubleDash.go:92:13:92:27 | call to Query | SanitizingDoubleDash.go:105:30:105:36 | tainted | provenance |  |
 | SanitizingDoubleDash.go:92:13:92:27 | call to Query | SanitizingDoubleDash.go:106:24:106:31 | arrayLit | provenance |  |
@@ -135,8 +128,6 @@ edges
 | SanitizingDoubleDash.go:129:14:129:35 | call to append | SanitizingDoubleDash.go:130:24:130:31 | arrayLit | provenance |  |
 | SanitizingDoubleDash.go:129:14:129:35 | call to append [array] | SanitizingDoubleDash.go:130:24:130:31 | arrayLit | provenance |  |
 | SanitizingDoubleDash.go:129:21:129:28 | arrayLit | SanitizingDoubleDash.go:129:14:129:35 | call to append | provenance | MaD:4 |
-| SanitizingDoubleDash.go:129:21:129:28 | arrayLit | SanitizingDoubleDash.go:129:14:129:35 | call to append | provenance | MaD:3 |
-| SanitizingDoubleDash.go:129:21:129:28 | arrayLit | SanitizingDoubleDash.go:129:14:129:35 | call to append [array] | provenance | MaD:3 |
 | SanitizingDoubleDash.go:129:21:129:28 | arrayLit [array] | SanitizingDoubleDash.go:129:14:129:35 | call to append | provenance | MaD:3 |
 | SanitizingDoubleDash.go:129:21:129:28 | arrayLit [array] | SanitizingDoubleDash.go:129:14:129:35 | call to append [array] | provenance | MaD:3 |
 | SanitizingDoubleDash.go:136:14:136:38 | []type{args} [array] | SanitizingDoubleDash.go:136:14:136:38 | call to append | provenance | MaD:5 |
@@ -152,8 +143,6 @@ edges
 | SanitizingDoubleDash.go:143:14:143:35 | call to append | SanitizingDoubleDash.go:144:24:144:31 | arrayLit | provenance |  |
 | SanitizingDoubleDash.go:143:14:143:35 | call to append [array] | SanitizingDoubleDash.go:144:24:144:31 | arrayLit | provenance |  |
 | SanitizingDoubleDash.go:143:21:143:28 | arrayLit | SanitizingDoubleDash.go:143:14:143:35 | call to append | provenance | MaD:4 |
-| SanitizingDoubleDash.go:143:21:143:28 | arrayLit | SanitizingDoubleDash.go:143:14:143:35 | call to append | provenance | MaD:3 |
-| SanitizingDoubleDash.go:143:21:143:28 | arrayLit | SanitizingDoubleDash.go:143:14:143:35 | call to append [array] | provenance | MaD:3 |
 | SanitizingDoubleDash.go:143:21:143:28 | arrayLit [array] | SanitizingDoubleDash.go:143:14:143:35 | call to append | provenance | MaD:3 |
 | SanitizingDoubleDash.go:143:21:143:28 | arrayLit [array] | SanitizingDoubleDash.go:143:14:143:35 | call to append [array] | provenance | MaD:3 |
 models

go/ql/test/query-tests/Security/CWE-209/StackTraceExposure.expected

@@ -1,29 +1,16 @@
 edges
-| test.go:14:2:14:4 | definition of buf | test.go:15:8:15:37 | slice element node | provenance |  |
 | test.go:14:2:14:4 | definition of buf | test.go:17:10:17:12 | buf | provenance |  |
 | test.go:14:2:14:4 | definition of buf | test.go:20:29:20:31 | buf | provenance |  |
 | test.go:15:2:15:4 | definition of buf | test.go:17:10:17:12 | buf | provenance |  |
 | test.go:15:2:15:4 | definition of buf | test.go:20:29:20:31 | buf | provenance |  |
-| test.go:15:2:15:4 | definition of buf [array] | test.go:17:10:17:12 | buf | provenance |  |
-| test.go:15:2:15:4 | definition of buf [array] | test.go:20:29:20:31 | buf [array] | provenance |  |
-| test.go:15:8:15:37 | slice element node | test.go:15:8:15:37 | slice expression [array] | provenance |  |
-| test.go:15:8:15:37 | slice expression [array] | test.go:17:10:17:12 | buf | provenance |  |
-| test.go:15:8:15:37 | slice expression [array] | test.go:20:29:20:31 | buf [array] | provenance |  |
-| test.go:20:2:20:32 | []type{args} [array, array] | test.go:15:2:15:4 | definition of buf [array] | provenance |  |
 | test.go:20:2:20:32 | []type{args} [array] | test.go:15:2:15:4 | definition of buf | provenance |  |
 | test.go:20:29:20:31 | buf | test.go:20:2:20:32 | []type{args} [array] | provenance |  |
-| test.go:20:29:20:31 | buf [array] | test.go:20:2:20:32 | []type{args} [array, array] | provenance |  |
 nodes
 | test.go:14:2:14:4 | definition of buf | semmle.label | definition of buf |
 | test.go:15:2:15:4 | definition of buf | semmle.label | definition of buf |
-| test.go:15:2:15:4 | definition of buf [array] | semmle.label | definition of buf [array] |
-| test.go:15:8:15:37 | slice element node | semmle.label | slice element node |
-| test.go:15:8:15:37 | slice expression [array] | semmle.label | slice expression [array] |
 | test.go:17:10:17:12 | buf | semmle.label | buf |
-| test.go:20:2:20:32 | []type{args} [array, array] | semmle.label | []type{args} [array, array] |
 | test.go:20:2:20:32 | []type{args} [array] | semmle.label | []type{args} [array] |
 | test.go:20:29:20:31 | buf | semmle.label | buf |
-| test.go:20:29:20:31 | buf [array] | semmle.label | buf [array] |
 subpaths
 #select
 | test.go:17:10:17:12 | buf | test.go:14:2:14:4 | definition of buf | test.go:17:10:17:12 | buf | HTTP response depends on $@ and may be exposed to an external user. | test.go:14:2:14:4 | definition of buf | stack trace information |

go/ql/test/query-tests/Security/CWE-327/UnsafeTLS.expected

@@ -60,8 +60,6 @@ edges
 | UnsafeTLS.go:344:19:344:44 | call to append | UnsafeTLS.go:346:25:346:36 | cipherSuites | provenance |  |
 | UnsafeTLS.go:344:19:344:44 | call to append [array] | UnsafeTLS.go:344:26:344:37 | cipherSuites [array] | provenance |  |
 | UnsafeTLS.go:344:26:344:37 | cipherSuites | UnsafeTLS.go:344:19:344:44 | call to append | provenance | MaD:2 |
-| UnsafeTLS.go:344:26:344:37 | cipherSuites | UnsafeTLS.go:344:19:344:44 | call to append | provenance | MaD:1 |
-| UnsafeTLS.go:344:26:344:37 | cipherSuites | UnsafeTLS.go:344:19:344:44 | call to append [array] | provenance | MaD:1 |
 | UnsafeTLS.go:344:26:344:37 | cipherSuites [array] | UnsafeTLS.go:344:19:344:44 | call to append | provenance | MaD:1 |
 | UnsafeTLS.go:344:26:344:37 | cipherSuites [array] | UnsafeTLS.go:344:19:344:44 | call to append [array] | provenance | MaD:1 |
 | UnsafeTLS.go:344:40:344:43 | selection of ID | UnsafeTLS.go:344:19:344:44 | []type{args} [array] | provenance |  |
@@ -72,8 +70,6 @@ edges
 | UnsafeTLS.go:353:19:353:52 | call to append | UnsafeTLS.go:355:25:355:36 | cipherSuites | provenance |  |
 | UnsafeTLS.go:353:19:353:52 | call to append [array] | UnsafeTLS.go:353:26:353:37 | cipherSuites [array] | provenance |  |
 | UnsafeTLS.go:353:26:353:37 | cipherSuites | UnsafeTLS.go:353:19:353:52 | call to append | provenance | MaD:2 |
-| UnsafeTLS.go:353:26:353:37 | cipherSuites | UnsafeTLS.go:353:19:353:52 | call to append | provenance | MaD:1 |
-| UnsafeTLS.go:353:26:353:37 | cipherSuites | UnsafeTLS.go:353:19:353:52 | call to append [array] | provenance | MaD:1 |
 | UnsafeTLS.go:353:26:353:37 | cipherSuites [array] | UnsafeTLS.go:353:19:353:52 | call to append | provenance | MaD:1 |
 | UnsafeTLS.go:353:26:353:37 | cipherSuites [array] | UnsafeTLS.go:353:19:353:52 | call to append [array] | provenance | MaD:1 |
 | UnsafeTLS.go:353:40:353:51 | selection of ID | UnsafeTLS.go:353:19:353:52 | []type{args} [array] | provenance |  |

go/ql/test/query-tests/Security/CWE-338/InsecureRandomness/InsecureRandomness.expected

@@ -6,16 +6,13 @@
 | sample.go:43:17:43:39 | call to Intn | sample.go:43:17:43:39 | call to Intn | sample.go:43:17:43:39 | call to Intn | A password-related function depends on a $@ generated with a cryptographically weak RNG. | sample.go:43:17:43:39 | call to Intn | random number |
 | sample.go:58:32:58:43 | type conversion | sample.go:55:17:55:42 | call to Intn | sample.go:58:32:58:43 | type conversion | This cryptographic algorithm depends on a $@ generated with a cryptographically weak RNG. | sample.go:55:17:55:42 | call to Intn | random number |
 edges
-| sample.go:15:10:15:64 | call to Sum256 | sample.go:16:9:16:15 | slice element node | provenance |  |
 | sample.go:15:10:15:64 | call to Sum256 | sample.go:16:9:16:15 | slice expression | provenance |  |
 | sample.go:15:24:15:63 | type conversion | sample.go:15:10:15:64 | call to Sum256 | provenance | FunctionModel |
 | sample.go:15:31:15:62 | []type{args} [array] | sample.go:15:31:15:62 | call to Sprintf | provenance | MaD:1 |
 | sample.go:15:31:15:62 | call to Sprintf | sample.go:15:24:15:63 | type conversion | provenance |  |
 | sample.go:15:49:15:61 | call to Uint32 | sample.go:15:31:15:62 | []type{args} [array] | provenance |  |
 | sample.go:15:49:15:61 | call to Uint32 | sample.go:15:31:15:62 | call to Sprintf | provenance | FunctionModel |
-| sample.go:16:9:16:15 | slice element node | sample.go:16:9:16:15 | slice expression [array] | provenance |  |
 | sample.go:16:9:16:15 | slice expression | sample.go:26:25:26:30 | call to Guid | provenance |  |
-| sample.go:16:9:16:15 | slice expression [array] | sample.go:26:25:26:30 | call to Guid | provenance |  |
 | sample.go:33:2:33:6 | definition of nonce | sample.go:37:25:37:29 | nonce | provenance |  |
 | sample.go:33:2:33:6 | definition of nonce | sample.go:37:32:37:36 | nonce | provenance |  |
 | sample.go:34:12:34:40 | call to New | sample.go:35:14:35:19 | random | provenance |  |
@@ -34,9 +31,7 @@ nodes
 | sample.go:15:31:15:62 | []type{args} [array] | semmle.label | []type{args} [array] |
 | sample.go:15:31:15:62 | call to Sprintf | semmle.label | call to Sprintf |
 | sample.go:15:49:15:61 | call to Uint32 | semmle.label | call to Uint32 |
-| sample.go:16:9:16:15 | slice element node | semmle.label | slice element node |
 | sample.go:16:9:16:15 | slice expression | semmle.label | slice expression |
-| sample.go:16:9:16:15 | slice expression [array] | semmle.label | slice expression [array] |
 | sample.go:26:25:26:30 | call to Guid | semmle.label | call to Guid |
 | sample.go:33:2:33:6 | definition of nonce | semmle.label | definition of nonce |
 | sample.go:34:12:34:40 | call to New | semmle.label | call to New |