Test value flow through SliceExpr with array content

owen-mc · owen-mc · commit 5af3e119a653 · 2023-11-15T14:57:53.000Z
diff --git a/go/ql/test/library-tests/semmle/go/dataflow/ArrayConversion/main.go b/go/ql/test/library-tests/semmle/go/dataflow/ArrayConversion/main.go
@@ -4,7 +4,7 @@ func source() string {
 	return "untrusted data"
 }
 
-func sink(string) {
+func sink(any) {
 }
 
 func sliceToArray(p []string) [1]string {
@@ -15,11 +15,15 @@ func main() {
 	// Test the new slice->array conversion permitted in Go 1.20
 	var a [4]string
 	a[0] = source()
-	alias := sliceToArray(a[:])
+	alias := [2]string(a[:])
 	sink(alias[0]) // $ hasTaintFlow="index expression"
+	sink(alias[1]) // $ SPURIOUS: hasTaintFlow="index expression" // we don't distinguish different elements of arrays or slices
+	sink(alias)    // $ hasTaintFlow="alias"
 
 	// Compare with the standard dataflow support for arrays
 	var b [4]string
 	b[0] = source()
 	sink(b[0]) // $ hasValueFlow="index expression"
+	sink(b[1]) // $ SPURIOUS: hasValueFlow="index expression" // we don't distinguish different elements of arrays or slices
+	sink(b)    // $ hasTaintFlow="b"
 }
diff --git a/go/ql/test/library-tests/semmle/go/dataflow/SliceExpressions/Flows.expected b/go/ql/test/library-tests/semmle/go/dataflow/SliceExpressions/Flows.expected
diff --git a/go/ql/test/library-tests/semmle/go/dataflow/SliceExpressions/Flows.ql b/go/ql/test/library-tests/semmle/go/dataflow/SliceExpressions/Flows.ql
@@ -0,0 +1,3 @@
+import go
+import TestUtilities.InlineFlowTest
+import DefaultFlowTest
diff --git a/go/ql/test/library-tests/semmle/go/dataflow/SliceExpressions/main.go b/go/ql/test/library-tests/semmle/go/dataflow/SliceExpressions/main.go
@@ -0,0 +1,45 @@
+package main
+
+func source() string {
+	return "untrusted data"
+}
+
+func sink(any) {
+}
+
+func main() {
+}
+
+// Value flow with array content through slice expressions
+
+func arrayBase(base [4]string) {
+	base[1] = source()
+	slice := base[1:4]
+	sink(slice[0]) // $ hasTaintFlow="index expression"
+	sink(slice[1]) // $ SPURIOUS: hasTaintFlow="index expression" // we don't distinguish different elements of arrays or slices
+	sink(slice)    // $ hasTaintFlow="slice"
+}
+
+func arrayPointerBase(base *[4]string) {
+	base[1] = source()
+	slice := base[1:4]
+	sink(slice[0]) // $ hasTaintFlow="index expression"
+	sink(slice[1]) // $ SPURIOUS: hasTaintFlow="index expression" // we don't distinguish different elements of arrays or slices
+	sink(slice)    // $ hasTaintFlow="slice"
+}
+
+func sliceBase(base []string) {
+	base[1] = source()
+	slice := base[1:4]
+	sink(slice[0]) // $ hasTaintFlow="index expression"
+	sink(slice[1]) // $ SPURIOUS: hasTaintFlow="index expression" // we don't distinguish different elements of arrays or slices
+	sink(slice)    // $ hasTaintFlow="slice"
+}
+
+func slicePointerBase(base *[]string) {
+	(*base)[1] = source()
+	slice := (*base)[1:4]
+	sink(slice[0]) // $ hasTaintFlow="index expression"
+	sink(slice[1]) // $ SPURIOUS: hasTaintFlow="index expression" // we don't distinguish different elements of arrays or slices
+	sink(slice)    // $ hasTaintFlow="slice"
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+import go`
	`2`	`+import TestUtilities.InlineFlowTest`
	`3`	`+import DefaultFlowTest`