Update shared library files for go to PR github#10360

owen-mc · owen-mc · commit e100141adfc9 · 2022-11-29T16:12:34.000Z
Merge commit: 569fad6
diff --git a/go/ql/lib/change-notes/2022-12-16-implicit-read-flowstates.md b/go/ql/lib/change-notes/2022-12-16-implicit-read-flowstates.md
@@ -0,0 +1,4 @@
+---
+category: fix
+---
+* Fixed an issue in the taint tracking analysis where implicit reads were not allowed by default in sinks or additional taint steps that used flow states.
diff --git a/go/ql/lib/semmle/go/dataflow/internal/tainttracking1/TaintTrackingImpl.qll b/go/ql/lib/semmle/go/dataflow/internal/tainttracking1/TaintTrackingImpl.qll
@@ -172,7 +172,12 @@ abstract class Configuration extends DataFlow::Configuration {
   }
 
   override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
-    (this.isSink(node) or this.isAdditionalTaintStep(node, _)) and
+    (
+      this.isSink(node) or
+      this.isSink(node, _) or
+      this.isAdditionalTaintStep(node, _) or
+      this.isAdditionalTaintStep(node, _, _, _)
+    ) and
     defaultImplicitTaintRead(node, c)
   }
 
diff --git a/go/ql/lib/semmle/go/dataflow/internal/tainttracking2/TaintTrackingImpl.qll b/go/ql/lib/semmle/go/dataflow/internal/tainttracking2/TaintTrackingImpl.qll
@@ -172,7 +172,12 @@ abstract class Configuration extends DataFlow::Configuration {
   }
 
   override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
-    (this.isSink(node) or this.isAdditionalTaintStep(node, _)) and
+    (
+      this.isSink(node) or
+      this.isSink(node, _) or
+      this.isAdditionalTaintStep(node, _) or
+      this.isAdditionalTaintStep(node, _, _, _)
+    ) and
     defaultImplicitTaintRead(node, c)
   }
 

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: fix
 +---
 +* Fixed an issue in the taint tracking analysis where implicit reads were not allowed by default in sinks or additional taint steps that used flow states.
Original file line number	Diff line number	Diff line change
`@@ -172,7 +172,12 @@ abstract class Configuration extends DataFlow::Configuration {`
`172`	`172`	`}`
`173`	`173`
`174`	`174`	`override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {`
`175`		`- (this.isSink(node) or this.isAdditionalTaintStep(node, _)) and`
	`175`	`+ (`
	`176`	`+ this.isSink(node) or`
	`177`	`+ this.isSink(node, _) or`
	`178`	`+ this.isAdditionalTaintStep(node, _) or`
	`179`	`+ this.isAdditionalTaintStep(node, _, _, _)`
	`180`	`+ ) and`
`176`	`181`	`defaultImplicitTaintRead(node, c)`
`177`	`182`	`}`
`178`	`183`