Add DefaultTaintSanitizer for clear

mbg · mbg · commit e65269be692c · 2023-08-17T17:49:46.000+01:00
diff --git a/go/ql/lib/semmle/go/dataflow/internal/TaintTrackingUtil.qll b/go/ql/lib/semmle/go/dataflow/internal/TaintTrackingUtil.qll
@@ -408,3 +408,19 @@ class ListOfConstantsComparisonSanitizerGuard extends TaintTracking::DefaultTain
     this = DataFlow::BarrierGuard<listOfConstantsComparisonSanitizerGuard/3>::getABarrierNode()
   }
 }
+
+/**
+ * The `clear` built-in function deletes or zeroes out all elements of a map or slice
+ * and therefore acts as a general sanitizer for taint flow to any uses dominated by it.
+ */
+private class ClearSanitizer extends DefaultTaintSanitizer {
+  ClearSanitizer() {
+    exists(SsaWithFields var, DataFlow::CallNode call, DataFlow::Node arg | this = var.getAUse() |
+      call = Builtin::clear().getACall() and
+      arg = call.getAnArgument() and
+      arg = var.getAUse() and
+      arg != this and
+      this.getBasicBlock().(ReachableBasicBlock).dominates(this.getBasicBlock())
+    )
+  }
+}
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/TaintSteps/TaintStep.expected b/go/ql/test/library-tests/semmle/go/frameworks/TaintSteps/TaintStep.expected
@@ -509,6 +509,10 @@
 | main.go | main.go:28:2:28:4 | implicit dereference | main.go:28:2:28:9 | selection of Body |
 | main.go | main.go:28:2:28:4 | req | main.go:28:2:28:4 | implicit dereference |
 | main.go | main.go:28:2:28:9 | selection of Body | main.go:27:2:27:2 | definition of b |
+| main.go | main.go:34:2:34:4 | implicit dereference | main.go:32:16:32:18 | definition of req |
+| main.go | main.go:34:2:34:4 | implicit dereference | main.go:34:2:34:9 | selection of Body |
+| main.go | main.go:34:2:34:4 | req | main.go:34:2:34:4 | implicit dereference |
+| main.go | main.go:34:2:34:9 | selection of Body | main.go:33:2:33:2 | definition of b |
 | math/big.Accuracy.String | file://:0:0:0:0 | [summary param] -1 in String | file://:0:0:0:0 | [summary] to write: ReturnValue in String |
 | math/big.Float.MarshalText | file://:0:0:0:0 | [summary param] -1 in MarshalText | file://:0:0:0:0 | [summary] to write: ReturnValue in MarshalText |
 | math/big.Float.String | file://:0:0:0:0 | [summary param] -1 in String | file://:0:0:0:0 | [summary] to write: ReturnValue in String |
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/TaintSteps/main.go b/go/ql/test/library-tests/semmle/go/frameworks/TaintSteps/main.go
@@ -28,3 +28,10 @@ func readTest(req *http.Request) string {
 	req.Body.Read(b)
 	return string(b)
 }
+
+func clearTest(req *http.Request) string {
+	b := make([]byte, 8)
+	req.Body.Read(b)
+	clear(b) // should prevent taint flow
+	return string(b)
+}
