Move model to TaintTracking::FunctionModel

egregius313 · egregius313 · commit 4e67e435c85e · 2025-02-25T22:36:00.000-05:00
diff --git a/go/ql/lib/ext/github.com.kanikanema.gorqlite.model.yml b/go/ql/lib/ext/github.com.kanikanema.gorqlite.model.yml
@@ -22,4 +22,3 @@ extensions:
       extensible: summaryModel
     data:
       - ["group:gorqlite", "QueryResult", True, "Map", "", "", "Argument[receiver]", "ReturnValue[0]", "taint", "manual"]
-      - ["group:gorqlite", "QueryResult", True, "Scan", "", "", "Argument[receiver]", "Argument[0]", "taint", "manual"]
diff --git a/go/ql/lib/semmle/go/frameworks/Gorqlite.qll b/go/ql/lib/semmle/go/frameworks/Gorqlite.qll
@@ -0,0 +1,28 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `gorqlite` package.
+ */
+
+import go
+
+module Gorqlite {
+    private string packagePath() {
+        result = package(["github.com/rqlite/gorqlite", "github.com/raindog308/gorqlite", "github.com/kanikanema/gorqlite"], "")
+    }
+
+    // These are expressed using TaintTracking::FunctionModel because varargs functions don't work with Models-as-Data sumamries yet.
+    private class QueryResultScan extends SQL::Query::Range, TaintTracking::FunctionModel, Method {
+        FunctionInput inp;
+        FunctionOutput outp;
+
+        QueryResultScan() {
+            // signature: func (qr *QueryResult) Scan(dest ...interface{}) error
+            this.hasQualifiedName(packagePath(), "QueryResult", "Scan") and
+            inp.isReceiver() and
+            outp.isParameter(_)
+        }
+
+        override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+            input = inp and output = outp
+        }
+    }
+}
