Merge pull request #696 from asgerf/asgerf/dot-separated-access-paths

Go: Switch to dot-separated access paths in summary specs

Author: smowton

Makefile

@@ -136,7 +136,7 @@ build/testdb/go.dbscheme: ql/lib/upgrades/initial/go.dbscheme
 
 .PHONY: sync-dataflow-libraries
 sync-dataflow-libraries:
-	for f in DataFlowImpl.qll DataFlowImpl2.qll DataFlowImplCommon.qll DataFlowImplConsistency.qll tainttracking1/TaintTrackingImpl.qll tainttracking2/TaintTrackingImpl.qll FlowSummaryImpl.qll;\
+	for f in DataFlowImpl.qll DataFlowImpl2.qll DataFlowImplCommon.qll DataFlowImplConsistency.qll tainttracking1/TaintTrackingImpl.qll tainttracking2/TaintTrackingImpl.qll FlowSummaryImpl.qll AccessPathSyntax.qll;\
 	do\
 		curl -s -o ./ql/lib/semmle/go/dataflow/internal/$$f https://raw.githubusercontent.com/github/codeql/$(DATAFLOW_BRANCH)/java/ql/lib/semmle/code/java/dataflow/internal/$$f;\
 	done

ql/lib/semmle/go/dataflow/ExternalFlow.qll

@@ -64,6 +64,7 @@ private import go
 private import internal.DataFlowPrivate
 private import internal.FlowSummaryImpl::Private::External
 private import internal.FlowSummaryImplSpecific
+private import internal.AccessPathSyntax
 private import FlowSummary
 
 /**
@@ -78,8 +79,8 @@ private class BuiltinModel extends SummaryModelCsv {
   override predicate row(string row) {
     row =
       [
-        ";;false;append;;;ArrayElement of Argument[0];ArrayElement of ReturnValue;value",
-        ";;false;append;;;Argument[1];ArrayElement of ReturnValue;value"
+        ";;false;append;;;Argument[0].ArrayElement;ReturnValue.ArrayElement;value",
+        ";;false;append;;;Argument[1];ReturnValue.ArrayElement;value"
       ]
   }
 }
@@ -295,7 +296,7 @@ module CsvValidation {
       msg = "Unrecognized extra API graph element \"" + ext + "\" in " + pred + " model."
     )
     or
-    exists(string pred, string input, string part |
+    exists(string pred, AccessPath input, string part |
       sinkModel(_, _, _, _, _, _, input, _) and pred = "sink"
       or
       summaryModel(_, _, _, _, _, _, input, _, _) and pred = "summary"
@@ -305,7 +306,7 @@ module CsvValidation {
         not part = "" and
         not parseArg(part, _)
         or
-        specSplit(input, part, _) and
+        part = input.getToken(_) and
         parseParam(part, _)
       ) and
       msg = "Unrecognized input specification \"" + part + "\" in " + pred + " model."
@@ -403,8 +404,7 @@ predicate hasExternalSpecification(Function f) {
   exists(SourceOrSinkElement e | f = e.asEntity() | sourceElement(e, _, _) or sinkElement(e, _, _))
 }
 
-private predicate parseField(string c, DataFlow::FieldContent f) {
-  specSplit(_, c, _) and
+private predicate parseField(AccessPathToken c, DataFlow::FieldContent f) {
   exists(string fieldRegex, string package, string className, string fieldName |
     fieldRegex = "^Field\\[(.*)\\.([^.]+)\\.([^.]+)\\]$" and
     package = c.regexpCapture(fieldRegex, 1) and
@@ -425,8 +425,7 @@ class SyntheticField extends string {
   Type getType() { result instanceof EmptyInterfaceType }
 }
 
-private predicate parseSynthField(string c, string f) {
-  specSplit(_, c, _) and
+private predicate parseSynthField(AccessPathToken c, string f) {
   c.regexpCapture("SyntheticField\\[([.a-zA-Z0-9]+)\\]", 1) = f
 }
 

ql/lib/semmle/go/dataflow/internal/AccessPathSyntax.qll

@@ -0,0 +1,79 @@
+/**
+ * Module for parsing access paths from CSV models, both the identifying access path used
+ * by dynamic languages, and the input/output specifications for summary steps.
+ *
+ * This file is used by the shared data flow library and by the JavaScript libraries
+ * (which does not use the shared data flow libraries).
+ */
+
+/** Companion module to the `AccessPath` class. */
+module AccessPath {
+  /** A string that should be parsed as an access path. */
+  abstract class Range extends string {
+    bindingset[this]
+    Range() { any() }
+  }
+}
+
+/** Gets the `n`th token on the access path as a string. */
+private string getRawToken(AccessPath path, int n) {
+  // Avoid splitting by '.' since tokens may contain dots, e.g. `Field[foo.Bar.x]`.
+  // Instead use regexpFind to match valid tokens, and supplement with a final length
+  // check (in `AccessPath.hasSyntaxError`) to ensure all characters were included in a token.
+  result = path.regexpFind("\\w+(?:\\[[^\\]]*\\])?(?=\\.|$)", n, _)
+}
+
+/**
+ * A string that occurs as an access path (either identifying or input/output spec)
+ * which might be relevant for this database.
+ */
+class AccessPath extends string instanceof AccessPath::Range {
+  /** Holds if this string is not a syntactically valid access path. */
+  predicate hasSyntaxError() {
+    // If the lengths match, all characters must haven been included in a token
+    // or seen by the `.` lookahead pattern.
+    this != "" and
+    not this.length() = sum(int n | | getRawToken(this, n).length() + 1) - 1
+  }
+
+  /** Gets the `n`th token on the access path (if there are no syntax errors). */
+  AccessPathToken getToken(int n) {
+    result = getRawToken(this, n) and
+    not this.hasSyntaxError()
+  }
+
+  /** Gets the number of tokens on the path (if there are no syntax errors). */
+  int getNumToken() {
+    result = count(int n | exists(getRawToken(this, n))) and
+    not this.hasSyntaxError()
+  }
+}
+
+/**
+ * An access part token such as `Argument[1]` or `ReturnValue`, appearing in one or more access paths.
+ */
+class AccessPathToken extends string {
+  AccessPathToken() { this = getRawToken(any(AccessPath path), _) }
+
+  private string getPart(int part) {
+    result = this.regexpCapture("([^\\[]+)(?:\\[([^\\]]*)\\])?", part)
+  }
+
+  /** Gets the name of the token, such as `Member` from `Member[x]` */
+  string getName() { result = this.getPart(1) }
+
+  /**
+   * Gets the argument list, such as `1,2` from `Member[1,2]`,
+   * or has no result if there are no arguments.
+   */
+  string getArgumentList() { result = this.getPart(2) }
+
+  /** Gets the `n`th argument to this token, such as `x` or `y` from `Member[x,y]`. */
+  string getArgument(int n) { result = this.getArgumentList().splitAt(",", n).trim() }
+
+  /** Gets an argument to this token, such as `x` or `y` from `Member[x,y]`. */
+  string getAnArgument() { result = this.getArgument(_) }
+
+  /** Gets the number of arguments to this token, such as 2 for `Member[x,y]` or zero for `ReturnValue`. */
+  int getNumArgument() { result = count(int n | exists(this.getArgument(n))) }
+}