Add tests for more content types (Element, MapKey, MapValue)

Author: owen-mc

ql/test/library-tests/semmle/go/dataflow/ExternalFlow/completetest.ql

@@ -21,8 +21,17 @@ class SummaryModelTest extends SummaryModelCsv {
         "github.com/nonexistent/test;T;false;StepQualRes;;;Argument[-1];ReturnValue;taint",
         "github.com/nonexistent/test;T;false;StepQualArg;;;Argument[-1];Argument[0];taint",
         "github.com/nonexistent/test;;false;StepArgResNoQual;;;Argument[0];ReturnValue;taint",
-        "github.com/nonexistent/test;;false;StepArgResContent;;;Argument[0];ArrayElement of ReturnValue;taint",
-        "github.com/nonexistent/test;;false;StepArgContentRes;;;ArrayElement of Argument[0];ReturnValue;taint",
+        "github.com/nonexistent/test;;false;StepArgResArrayContent;;;Argument[0];ArrayElement of ReturnValue;taint",
+        "github.com/nonexistent/test;;false;StepArgArrayContentRes;;;ArrayElement of Argument[0];ReturnValue;taint",
+        "github.com/nonexistent/test;;false;StepArgResCollectionContent;;;Argument[0];Element of ReturnValue;taint",
+        "github.com/nonexistent/test;;false;StepArgCollectionContentRes;;;Element of Argument[0];ReturnValue;taint",
+        "github.com/nonexistent/test;;false;StepArgResMapKeyContent;;;Argument[0];MapKey of ReturnValue;taint",
+        "github.com/nonexistent/test;;false;StepArgMapKeyContentRes;;;MapKey of Argument[0];ReturnValue;taint",
+        "github.com/nonexistent/test;;false;StepArgResMapValueContent;;;Argument[0];MapValue of ReturnValue;taint",
+        "github.com/nonexistent/test;;false;StepArgMapValueContentRes;;;MapValue of Argument[0];ReturnValue;taint",
+        "github.com/nonexistent/test;;false;GetElement;;;Element of Argument[0];ReturnValue;value",
+        "github.com/nonexistent/test;;false;GetMapKey;;;MapKey of Argument[0];ReturnValue;value",
+        "github.com/nonexistent/test;;false;SetElement;;;Argument[0];Element of ReturnValue;value",
       ]
   }
 }

ql/test/library-tests/semmle/go/dataflow/ExternalFlow/sinks.expected

@@ -1,13 +1,22 @@
 invalidModelRow
 #select
-| test.go:43:10:43:12 | arg | qltest |
-| test.go:57:10:57:15 | taint1 | qltest |
-| test.go:60:10:60:15 | taint2 | qltest |
-| test.go:64:10:64:15 | taint3 | qltest |
-| test.go:68:10:68:15 | taint4 | qltest |
-| test.go:71:10:71:15 | taint5 | qltest |
-| test.go:75:10:75:15 | taint6 | qltest |
-| test.go:78:10:78:15 | taint7 | qltest |
-| test.go:81:10:81:18 | index expression | qltest |
-| test.go:85:10:85:15 | taint9 | qltest |
-| test.go:89:10:89:17 | index expression | qltest |
+| test.go:49:10:49:12 | arg | qltest |
+| test.go:63:10:63:15 | taint1 | qltest |
+| test.go:66:10:66:15 | taint2 | qltest |
+| test.go:70:10:70:15 | taint3 | qltest |
+| test.go:74:10:74:15 | taint4 | qltest |
+| test.go:77:10:77:15 | taint5 | qltest |
+| test.go:81:10:81:15 | taint6 | qltest |
+| test.go:84:10:84:15 | taint7 | qltest |
+| test.go:87:10:87:18 | index expression | qltest |
+| test.go:91:10:91:15 | taint9 | qltest |
+| test.go:94:10:94:33 | call to GetElement | qltest |
+| test.go:95:10:95:18 | <-... | qltest |
+| test.go:99:10:99:16 | taint11 | qltest |
+| test.go:102:10:102:32 | call to GetMapKey | qltest |
+| test.go:104:11:104:11 | k | qltest |
+| test.go:109:10:109:16 | taint13 | qltest |
+| test.go:112:10:112:20 | index expression | qltest |
+| test.go:116:10:116:16 | taint15 | qltest |
+| test.go:120:10:120:17 | index expression | qltest |
+| test.go:125:10:125:16 | taint16 | qltest |

ql/test/library-tests/semmle/go/dataflow/ExternalFlow/srcs.expected

@@ -1,12 +1,16 @@
 invalidModelRow
 #select
 | test.go:12:6:12:8 | definition of arg | qltest-arg |
-| test.go:31:6:31:6 | definition of a | qltest-arg |
-| test.go:34:8:34:15 | call to Src1 | qltest |
-| test.go:35:8:35:15 | call to Src2 | qltest |
-| test.go:35:8:35:15 | call to Src2 | qltest-w-subtypes |
-| test.go:36:8:36:16 | call to Src2 | qltest-w-subtypes |
-| test.go:37:2:37:21 | ... = ...[0] | qltest |
-| test.go:37:2:37:21 | ... = ...[1] | qltest-w-subtypes |
-| test.go:38:2:38:22 | ... = ...[1] | qltest-w-subtypes |
-| test.go:54:9:54:16 | call to Src1 | qltest |
+| test.go:37:6:37:6 | definition of a | qltest-arg |
+| test.go:40:8:40:15 | call to Src1 | qltest |
+| test.go:41:8:41:15 | call to Src2 | qltest |
+| test.go:41:8:41:15 | call to Src2 | qltest-w-subtypes |
+| test.go:42:8:42:16 | call to Src2 | qltest-w-subtypes |
+| test.go:43:2:43:21 | ... = ...[0] | qltest |
+| test.go:43:2:43:21 | ... = ...[1] | qltest-w-subtypes |
+| test.go:44:2:44:22 | ... = ...[1] | qltest-w-subtypes |
+| test.go:60:9:60:16 | call to Src1 | qltest |
+| test.go:93:46:93:53 | call to Src1 | qltest |
+| test.go:97:35:97:42 | call to Src1 | qltest |
+| test.go:101:42:101:49 | call to Src1 | qltest |
+| test.go:123:8:123:15 | call to Src1 | qltest |

ql/test/library-tests/semmle/go/dataflow/ExternalFlow/steps.expected

@@ -7,10 +7,10 @@ invalidModelRow
 | test.go:23:10:23:10 | t | test.go:23:10:23:24 | call to StepQualRes |
 | test.go:24:2:24:2 | t | test.go:12:6:12:8 | definition of arg |
 | test.go:25:32:25:34 | arg | test.go:25:10:25:35 | call to StepArgResNoQual |
-| test.go:56:25:56:27 | src | test.go:56:12:56:28 | call to StepArgRes |
-| test.go:59:29:59:31 | src | test.go:59:2:59:32 | ... := ...[1] |
-| test.go:63:15:63:17 | src | test.go:62:6:62:11 | definition of taint3 |
-| test.go:67:21:67:23 | src | test.go:66:6:66:11 | definition of taint4 |
-| test.go:70:13:70:25 | type assertion | test.go:70:12:70:40 | call to StepQualRes |
-| test.go:74:3:74:15 | type assertion | test.go:73:6:73:11 | definition of taint6 |
-| test.go:77:34:77:36 | src | test.go:77:12:77:37 | call to StepArgResNoQual |
+| test.go:62:25:62:27 | src | test.go:62:12:62:28 | call to StepArgRes |
+| test.go:65:29:65:31 | src | test.go:65:2:65:32 | ... := ...[1] |
+| test.go:69:15:69:17 | src | test.go:68:6:68:11 | definition of taint3 |
+| test.go:73:21:73:23 | src | test.go:72:6:72:11 | definition of taint4 |
+| test.go:76:13:76:25 | type assertion | test.go:76:12:76:40 | call to StepQualRes |
+| test.go:80:3:80:15 | type assertion | test.go:79:6:79:11 | definition of taint6 |
+| test.go:83:34:83:36 | src | test.go:83:12:83:37 | call to StepArgResNoQual |

ql/test/library-tests/semmle/go/dataflow/ExternalFlow/test.go

@@ -23,8 +23,14 @@ func main() {
 	taint = t.StepQualRes()
 	t.StepQualArg(arg)
 	taint = test.StepArgResNoQual(arg)
-	taintSlice = test.StepArgResContent(arg)
-	taint = test.StepArgContentRes(array)
+	taintSlice = test.StepArgResArrayContent(arg)
+	taint = test.StepArgArrayContentRes(array)
+	taint = test.StepArgResCollectionContent(arg)
+	taint = test.StepArgCollectionContentRes(array)
+	taint = test.StepArgResMapKeyContent(arg)
+	taint = test.StepArgMapKeyContentRes(array)
+	taint = test.StepArgResMapValueContent(arg)
+	taint = test.StepArgMapValueContentRes(array)
 
 	var src interface{}
 	var src1 interface{}
@@ -77,14 +83,47 @@ func simpleflow() {
 	taint7 := test.StepArgResNoQual(src)
 	b.Sink1(taint7) // $ hasTaintFlow="taint7"
 
-	taint8 := test.StepArgResContent(src)
+	taint8 := test.StepArgResArrayContent(src)
 	b.Sink1(taint8[0]) // $ hasTaintFlow="index expression"
 
 	srcArray := []interface{}{nil, src}
-	taint9 := test.StepArgContentRes(srcArray)
+	taint9 := test.StepArgArrayContentRes(srcArray)
 	b.Sink1(taint9) // $ hasTaintFlow="taint9"
 
+	taint10 := test.StepArgResCollectionContent(a.Src1()).(chan interface{})
+	b.Sink1(test.GetElement(taint10)) // $ hasTaintFlow="call to GetElement"
+	b.Sink1(<-taint10)                // $ MISSING: hasTaintFlow="<-..."
+
+	srcCollection := test.SetElement(a.Src1())
+	taint11 := test.StepArgCollectionContentRes(srcCollection)
+	b.Sink1(taint11) // $ hasTaintFlow="taint11"
+
+	taint12 := test.StepArgResMapKeyContent(a.Src1()).(map[string]string)
+	b.Sink1(test.GetMapKey(taint12)) // $ hasTaintFlow="call to GetMapKey"
+	for k, _ := range taint12 {
+		b.Sink1(k) // $ hasTaintFlow="k"
+	}
+	for k := range taint12 {
+		b.Sink1(k) // $ hasTaintFlow="k"
+	}
+
+	srcMap13 := map[string]string{src.(string): ""}
+	taint13 := test.StepArgMapKeyContentRes(srcMap13)
+	b.Sink1(taint13) // $ MISSING: hasTaintFlow="taint13"
+
+	taint14 := test.StepArgResMapValueContent(src).(map[string]string)
+	b.Sink1(taint14[""]) // $ hasTaintFlow="index expression"
+
+	srcMap15 := map[string]string{"": src.(string)}
+	taint15 := test.StepArgMapValueContentRes(srcMap15)
+	b.Sink1(taint15) // $ MISSING: hasTaintFlow="taint15"
+
 	slice := make([]interface{}, 0)
 	slice = append(slice, src)
 	b.Sink1(slice[0]) // $ hasTaintFlow="index expression"
+
+	ch := make(chan string)
+	ch <- a.Src1()
+	taint16 := test.StepArgCollectionContentRes(ch)
+	b.Sink1(taint16) // $ MISSING: hasTaintFlow="taint16" // currently fails due to lack of post-update nodes after send statements
 }