Remove global function step from local flow

owen-mc · owen-mc · commit 06b9b765bf0b · 2026-04-15T22:22:09.000+01:00
diff --git a/go/ql/lib/semmle/go/dataflow/internal/DataFlowPrivate.qll b/go/ql/lib/semmle/go/dataflow/internal/DataFlowPrivate.qll
@@ -95,7 +95,10 @@ predicate basicLocalFlowStep(Node nodeFrom, Node nodeTo) {
     nodeTo = instructionNode(succ) and
     nodeTo != nodeFrom
   )
-  or
+}
+
+overlay[global]
+predicate globalFunctionUseJumpStep(Node nodeFrom, Node nodeTo) {
   // GlobalFunctionNode -> use
   nodeFrom =
     any(GlobalFunctionNode fn | fn.getFunction() = nodeTo.asExpr().(FunctionName).getTarget())
diff --git a/go/ql/lib/semmle/go/frameworks/stdlib/IoFs.qll b/go/ql/lib/semmle/go/frameworks/stdlib/IoFs.qll
@@ -21,9 +21,16 @@ module IoFs {
     override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
       //signature: func WalkDir(fsys FS, root string, fn WalkDirFunc) error
       exists(DataFlow::CallNode call, DataFlow::FunctionNode f |
-        call.getTarget().hasQualifiedName(packagePath(), "WalkDir") and
-        f.getASuccessor*() = call.getArgument(2)
+        f.(DataFlow::FuncLitNode).getASuccessor*() = call.getArgument(2)
+        or
+        exists(DataFlow::ExprNode functionName |
+          f.(DataFlow::GlobalFunctionNode).getFunction() =
+            functionName.asExpr().(FunctionName).getTarget()
+        |
+          functionName.getASuccessor*() = call.getArgument(2)
+        )
       |
+        call.getTarget().hasQualifiedName(packagePath(), "WalkDir") and
         pred = call.getArgument(0) and
         succ = f.getParameter([0, 1])
       )
diff --git a/go/ql/test/library-tests/semmle/go/dataflow/FlowSteps/LocalFlowStep.expected b/go/ql/test/library-tests/semmle/go/dataflow/FlowSteps/LocalFlowStep.expected
@@ -1,52 +1,3 @@
-| file://:0:0:0:0 | function Encode | url.go:51:14:51:21 | selection of Encode |
-| file://:0:0:0:0 | function EscapedPath | url.go:28:14:28:26 | selection of EscapedPath |
-| file://:0:0:0:0 | function Get | url.go:52:14:52:18 | selection of Get |
-| file://:0:0:0:0 | function Hostname | url.go:29:14:29:23 | selection of Hostname |
-| file://:0:0:0:0 | function JoinPath | url.go:57:16:57:27 | selection of JoinPath |
-| file://:0:0:0:0 | function JoinPath | url.go:58:16:58:27 | selection of JoinPath |
-| file://:0:0:0:0 | function JoinPath | url.go:60:15:60:28 | selection of JoinPath |
-| file://:0:0:0:0 | function JoinPath | url.go:66:9:66:25 | selection of JoinPath |
-| file://:0:0:0:0 | function MarshalBinary | url.go:30:11:30:25 | selection of MarshalBinary |
-| file://:0:0:0:0 | function Parse | url.go:23:10:23:18 | selection of Parse |
-| file://:0:0:0:0 | function Parse | url.go:32:9:32:15 | selection of Parse |
-| file://:0:0:0:0 | function Parse | url.go:59:14:59:22 | selection of Parse |
-| file://:0:0:0:0 | function Parse | url.go:65:17:65:25 | selection of Parse |
-| file://:0:0:0:0 | function ParseQuery | url.go:50:10:50:23 | selection of ParseQuery |
-| file://:0:0:0:0 | function ParseRequestURI | url.go:27:9:27:27 | selection of ParseRequestURI |
-| file://:0:0:0:0 | function Password | url.go:43:11:43:21 | selection of Password |
-| file://:0:0:0:0 | function PathEscape | url.go:12:31:12:44 | selection of PathEscape |
-| file://:0:0:0:0 | function PathUnescape | url.go:12:14:12:29 | selection of PathUnescape |
-| file://:0:0:0:0 | function Port | url.go:33:14:33:19 | selection of Port |
-| file://:0:0:0:0 | function Println | url.go:28:2:28:12 | selection of Println |
-| file://:0:0:0:0 | function Println | url.go:29:2:29:12 | selection of Println |
-| file://:0:0:0:0 | function Println | url.go:31:2:31:12 | selection of Println |
-| file://:0:0:0:0 | function Println | url.go:33:2:33:12 | selection of Println |
-| file://:0:0:0:0 | function Println | url.go:34:2:34:12 | selection of Println |
-| file://:0:0:0:0 | function Println | url.go:35:2:35:12 | selection of Println |
-| file://:0:0:0:0 | function Println | url.go:44:2:44:12 | selection of Println |
-| file://:0:0:0:0 | function Println | url.go:45:2:45:12 | selection of Println |
-| file://:0:0:0:0 | function Println | url.go:51:2:51:12 | selection of Println |
-| file://:0:0:0:0 | function Println | url.go:52:2:52:12 | selection of Println |
-| file://:0:0:0:0 | function Query | url.go:34:14:34:20 | selection of Query |
-| file://:0:0:0:0 | function QueryEscape | url.go:14:32:14:46 | selection of QueryEscape |
-| file://:0:0:0:0 | function QueryUnescape | url.go:14:14:14:30 | selection of QueryUnescape |
-| file://:0:0:0:0 | function Replace | strings.go:9:8:9:22 | selection of Replace |
-| file://:0:0:0:0 | function ReplaceAll | strings.go:10:8:10:25 | selection of ReplaceAll |
-| file://:0:0:0:0 | function RequestURI | url.go:35:14:35:25 | selection of RequestURI |
-| file://:0:0:0:0 | function ResolveReference | url.go:36:6:36:23 | selection of ResolveReference |
-| file://:0:0:0:0 | function Sprint | strings.go:11:9:11:18 | selection of Sprint |
-| file://:0:0:0:0 | function Sprintf | strings.go:11:30:11:40 | selection of Sprintf |
-| file://:0:0:0:0 | function Sprintln | strings.go:11:54:11:65 | selection of Sprintln |
-| file://:0:0:0:0 | function User | url.go:41:8:41:15 | selection of User |
-| file://:0:0:0:0 | function UserPassword | url.go:42:7:42:22 | selection of UserPassword |
-| file://:0:0:0:0 | function Username | url.go:45:14:45:24 | selection of Username |
-| file://:0:0:0:0 | function append | main.go:39:8:39:13 | append |
-| file://:0:0:0:0 | function append | main.go:40:8:40:13 | append |
-| file://:0:0:0:0 | function copy | main.go:42:2:42:5 | copy |
-| file://:0:0:0:0 | function make | main.go:41:8:41:11 | make |
-| file://:0:0:0:0 | function max | main.go:65:7:65:9 | max |
-| file://:0:0:0:0 | function min | main.go:64:7:64:9 | min |
-| main.go:3:6:3:10 | function test1 | main.go:34:2:34:6 | test1 |
 | main.go:3:12:3:12 | argument corresponding to x | main.go:3:12:3:12 | definition of x |
 | main.go:3:12:3:12 | definition of x | main.go:5:5:5:5 | x |
 | main.go:3:19:3:20 | argument corresponding to fn | main.go:3:19:3:20 | definition of fn |
@@ -66,8 +17,6 @@
 | main.go:10:12:10:12 | y | main.go:10:17:10:17 | y |
 | main.go:10:17:10:27 | ...>=... | main.go:10:7:10:27 | ...&&... |
 | main.go:11:14:11:14 | z | main.go:11:9:11:15 | type conversion |
-| main.go:14:6:14:10 | function test2 | main.go:34:8:34:12 | test2 |
-| main.go:14:6:14:10 | function test2 | main.go:34:19:34:23 | test2 |
 | main.go:15:9:15:9 | 0 | main.go:15:2:15:4 | definition of acc |
 | main.go:16:9:19:2 | capture variable acc | main.go:17:3:17:5 | acc |
 | main.go:17:3:17:7 | definition of acc | main.go:18:10:18:12 | acc |
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/StdlibTaintFlow.expected b/go/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/StdlibTaintFlow.expected
@@ -0,0 +1,2 @@
+| IoFs.go:95:13:95:25 | call to newSource | No flow to its sink |
+| IoFs.go:99:13:99:25 | call to newSource | No flow to its sink |

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+\| IoFs.go:95:13:95:25 \| call to newSource \| No flow to its sink \|`
	`2`	`+\| IoFs.go:99:13:99:25 \| call to newSource \| No flow to its sink \|`