Introduce more post-update nodes.

Max Schaefer · Max Schaefer · commit e3501ddb447f · 2020-05-28T15:33:09.000+01:00
To model (taint) flow through functions, we introduce post-update nodes for arguments (including receivers), but only if that argument is mutable.

However, previously our criterion for determining whether an argument is mutable was a little too restrictive. In particular, we would not consider a struct-typed argument as mutable, since structs are passed by value. While this is reasonable for data flow, it is unnecessarily restrictive for taint, since it makes perfect sense to track deep taint through structs.

So instead we now turn things round and instead consider _all_ types to be mutable except for primitive types (booleans, numbers, and strings).
diff --git a/ql/src/semmle/go/dataflow/internal/DataFlowUtil.qll b/ql/src/semmle/go/dataflow/internal/DataFlowUtil.qll
@@ -464,11 +464,10 @@ class ArgumentNode extends Node {
  */
 predicate mutableType(Type tp) {
   exists(Type underlying | underlying = tp.getUnderlyingType() |
-    underlying instanceof ArrayType or
-    underlying instanceof SliceType or
-    underlying instanceof MapType or
-    underlying instanceof PointerType or
-    underlying instanceof InterfaceType
+    not underlying instanceof BoolType and
+    not underlying instanceof NumericType and
+    not underlying instanceof StringType and
+    not underlying instanceof LiteralType
   )
 }
 
diff --git a/ql/test/library-tests/semmle/go/dataflow/FunctionInputsAndOutputs/FunctionModelStep.expected b/ql/test/library-tests/semmle/go/dataflow/FunctionInputsAndOutputs/FunctionModelStep.expected
@@ -1 +1,2 @@
 | file://:0:0:0:0 | ReadFrom | tst.go:10:23:10:28 | reader | tst.go:9:2:9:12 | definition of bytesBuffer |
+| file://:0:0:0:0 | Reset | reset.go:12:15:12:20 | source | reset.go:11:6:11:11 | definition of reader |
diff --git a/ql/test/library-tests/semmle/go/dataflow/FunctionInputsAndOutputs/FunctionOutput_getExitNode.expected b/ql/test/library-tests/semmle/go/dataflow/FunctionInputsAndOutputs/FunctionOutput_getExitNode.expected
@@ -1,5 +1,7 @@
 | parameter 0 | reset.go:12:2:12:21 | call to Reset | reset.go:9:2:9:7 | definition of source |
 | parameter 0 | tst.go:10:2:10:29 | call to ReadFrom | tst.go:8:12:8:17 | definition of reader |
+| receiver | main.go:53:14:53:21 | call to bump | main.go:52:2:52:2 | definition of c |
+| receiver | reset.go:12:2:12:21 | call to Reset | reset.go:11:6:11:11 | definition of reader |
 | receiver | tst.go:10:2:10:29 | call to ReadFrom | tst.go:9:2:9:12 | definition of bytesBuffer |
 | result | main.go:51:2:51:14 | call to op | main.go:51:2:51:14 | call to op |
 | result | main.go:53:2:53:22 | call to op2 | main.go:53:2:53:22 | call to op2 |

Original file line number	Diff line number	Diff line change
`@@ -1 +1,2 @@`
`1`	`1`	`\| file://:0:0:0:0 \| ReadFrom \| tst.go:10:23:10:28 \| reader \| tst.go:9:2:9:12 \| definition of bytesBuffer \|`
	`2`	`+\| file://:0:0:0:0 \| Reset \| reset.go:12:15:12:20 \| source \| reset.go:11:6:11:11 \| definition of reader \|`