Go: Switch from def-use flow to use-use flow #14751
Conversation
|
There are two lost results for func closeFileDeferredIndirect(f *os.File) {
var cont = func() {
f.Close() // NOT OK, if `f` is writable
}
defer cont()
}we don't have flow from // SSA -> Instruction
exists(SsaDefinition pred, IR::Instruction succ |
succ = pred.getVariable().getAUse() and
nodeFrom = ssaNode(pred) and
nodeTo = instructionNode(succ)
)but now that has changed to: // SSA defn -> first SSA use
exists(SsaExplicitDefinition pred, IR::Instruction succ | succ = pred.getAFirstUse() |
nodeFrom = ssaNode(pred) and
nodeTo = instructionNode(succ)
)
or
// SSA use -> successive SSA use
// Note this case includes Phi node traversal
exists(IR::Instruction pred, IR::Instruction succ | succ = getAnAdjacentUse(pred) |
nodeFrom = instructionNode(pred) and
nodeTo = instructionNode(succ)
)
|
|
Presumably this is because of switching from SsaDefinition to SsaExplicitDefintion, I suppose with intent to exclude phi nodes, but also excluding SsaVariableCapture by mistake. |
owen-mc
force-pushed
the
go/feature/use-use-flow
branch
2 times, most recently
from
7bc600c
to
7367e46
Compare
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| this = call.getOperand(_, safeDirective) and | ||
| // Mark "%q" formats as safe, but not "%#q", which would preserve newline characters. | ||
| safeDirective.regexpMatch("%[^%#]*q") | ||
| exists(DataFlow::Node arg, StringOps::Formatting::StringFormatCall call | |
Check warning
Code scanning / CodeQL
Omittable 'exists' variable Warning
owen-mc
force-pushed
the
go/feature/use-use-flow
branch
from
7367e46
to
c44cc9e
Compare
| varBlockReachesBaseCand(v, b1, b2) and | ||
| blockPrecedesVar(v, b2) | ||
| or | ||
| exists(ReachableBasicBlock mid | |
Check warning
Code scanning / CodeQL
Omittable 'exists' variable Warning
|
DCA showed a few extra alerts, which I've pushed a commit to fix, and perhaps a very slight increase in analysis time. |
…implement. Queries / tests that required changes: * The CleartextLogging and MissingErrorCheck queries are updated because they assumed def-use flow * The CommandInjection query works around the shortcomings of use-use flow by essentially reintroducing def-use flow when it applies a sanitizer * The OpenUrlRedirect query currently just accepts its fate; the tests are updated to avoid excess sanitization while the query comments on the problem. We should choose this approach or the CommandInjection one.
No changes in functionality.
Without this change the test go/ql/test/query-tests/InconsistentCode/UnhandledCloseWritableHandle/UnhandledCloseWritableHandle.qlref was failing.
Make it sanitize the result of the call rather than the input, so that
further uses of the input are still tainted. This means that it catches
things like `log.Print(fmt.Sprintf("user %q logged in.\n", username))`
where the argument to the LoggerCall contains a StringFormatCall, but
it misses things like `log.Printf("user %q logged in.\n", username)`. So
we extract the logic into a predicate and apply it as a condition in the
sink as well.
The downside of this approach is that if there are two tainted inputs
and only one has a safe format argument then we still sanitize the
result. Hopefully this is rare.
Previously, basiclocalflowstep was not flowing to variable captures properly, so getACalleeSource was not finding any predecessors for `handler` outside of the anonymous function.
We have an operator expression like `x * 5`. We want to follow where the value of the operator expression goes. We used to follow local flow from an operand, but now there is flow from that operand to the next use of the variable. The fix is to explicitly start local flow from the operator expression. There are also some expected edge changes due to use-use flow.
New line from `rows` on line 25 to itself is formed of two smaller steps, from `rows` on line 25 to `rows` on line 20 and then back again. These are both from basicLocalFlowStep and are steps from a use to the next use.
We were assuming that `sink` only had one successor, the TypeCastNode, but it can now have an adjacent use as well.
owen-mc
force-pushed
the
go/feature/use-use-flow
branch
from
daae010
to
1e590ba
Compare
This is a resurrection of github/codeql-go#460. Rebasing seems to have gone okay. There are more test changes. I am currently going through them to see if they are expected or if they indicate that something need to change.