Add tests showing imprecision of our current implementation

smowton · smowton · commit 8682eb9dec45 · 2020-09-04T15:14:49.000+01:00
diff --git a/ql/test/library-tests/semmle/go/frameworks/Protobuf/FunctionModel.expected b/ql/test/library-tests/semmle/go/frameworks/Protobuf/FunctionModel.expected
@@ -17,6 +17,8 @@
 | testDeprecatedApi.go:84:38:84:42 | alert | testDeprecatedApi.go:84:17:84:43 | call to append |
 | testDeprecatedApi.go:87:33:87:37 | query | testDeprecatedApi.go:87:2:87:38 | ... := ...[0] |
 | testDeprecatedApi.go:95:18:95:36 | untrustedSerialized | testDeprecatedApi.go:94:2:94:6 | definition of query |
+| testDeprecatedApi.go:115:33:115:37 | query | testDeprecatedApi.go:115:2:115:38 | ... := ...[0] |
+| testDeprecatedApi.go:126:33:126:37 | query | testDeprecatedApi.go:126:2:126:38 | ... := ...[0] |
 | testModernApi.go:13:33:13:37 | query | testModernApi.go:13:2:13:38 | ... := ...[0] |
 | testModernApi.go:22:28:22:32 | query | testModernApi.go:22:16:22:33 | call to Clone |
 | testModernApi.go:24:33:24:42 | queryClone | testModernApi.go:24:2:24:43 | ... := ...[0] |
diff --git a/ql/test/library-tests/semmle/go/frameworks/Protobuf/TaintFlows.expected b/ql/test/library-tests/semmle/go/frameworks/Protobuf/TaintFlows.expected
@@ -6,6 +6,8 @@
 | testDeprecatedApi.go:70:14:70:33 | call to getUntrustedString : string | testDeprecatedApi.go:77:12:77:21 | serialized |
 | testDeprecatedApi.go:85:24:85:43 | call to getUntrustedString : string | testDeprecatedApi.go:89:12:89:21 | serialized |
 | testDeprecatedApi.go:93:25:93:43 | call to getUntrustedBytes : slice type | testDeprecatedApi.go:97:13:97:31 | selection of Msg |
+| testDeprecatedApi.go:104:22:104:41 | call to getUntrustedString : string | testDeprecatedApi.go:105:13:105:20 | selection of Id |
+| testDeprecatedApi.go:112:22:112:41 | call to getUntrustedString : string | testDeprecatedApi.go:117:12:117:21 | serialized |
 | testModernApi.go:11:22:11:41 | call to getUntrustedString : string | testModernApi.go:15:12:15:21 | serialized |
 | testModernApi.go:20:22:20:41 | call to getUntrustedString : string | testModernApi.go:26:12:26:21 | serialized |
 | testModernApi.go:30:25:30:43 | call to getUntrustedBytes : slice type | testModernApi.go:34:13:34:29 | selection of Description |
diff --git a/ql/test/library-tests/semmle/go/frameworks/Protobuf/testDeprecatedApi.go b/ql/test/library-tests/semmle/go/frameworks/Protobuf/testDeprecatedApi.go
@@ -96,3 +96,34 @@ func testUnmarshalTaintedSubmessage() {
 
 	sinkString(query.Alerts[0].Msg) // BAD
 }
+
+// This test should be ok, but is flagged because writing taint to a field of a Message
+// taints the entire Message structure in our current implementation.
+func testFieldConflationFalsePositive() {
+	query := &query.Query{}
+	query.Description = getUntrustedString()
+	sinkString(query.Id) // OK (but incorrectly tainted)
+}
+
+// This test should be ok, but it flagged because our current implementation doesn't notice
+// that the taint applied to `query` is overwritten.
+func testMessageReuseFalsePositive() {
+	query := &query.Query{}
+	query.Description = getUntrustedString()
+	query.Description = "clean"
+
+	serialized, _ := proto.Marshal(query)
+
+	sinkBytes(serialized) // OK (but incorrectly tainted)
+}
+
+// This test should be flagged, but we don't notice tainting via an alias of a field.
+func testSubmessageAliasFalseNegative() {
+	query := &query.Query{}
+	alias := &query.Description
+	*alias = getUntrustedString()
+
+	serialized, _ := proto.Marshal(query)
+
+	sinkBytes(serialized) // BAD (but not noticed by our current implementation)
+}
