Dataflow queries identifying flow into struct fields (Golang)

[0x73746F70626F74686572696E676D65]

Basically I can't get a simple query for identifying flow into struct fields to work and it's driving me insane. Sadly the documentation for individual language libraries is poorly documented.

If anyone could help I'd be very grateful.

from DataFlow::Node sink                                                                                                       
 where sink.asExpr() instanceof KeyValueExpr                                                                                                                            select sink.asExpr(), "ValueFlag 'Value' field"

This query yields no results. So from my understanding that must mean there are no data flow nodes that correspond to struct fields in a composite literal. Why is this?

If I assert the sink has a type of StructLitType in my actual data flow query, I also get no results. Although there are data flow nodes that correspond to struct literals unlike the individual fields, yet I get no results.

import go

module ProtocToValueFlagConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { source instanceof DataFlow::MethodCallNode
        and source.(DataFlow::MethodCallNode).getReceiver().getType() instanceof PointerType
        and source.(DataFlow::MethodCallNode).getReceiver().getType().(PointerType).getBaseType() instanceof GoMicro::ProtocMessageType  }  // source

  predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof KeyValueExpr
        and sink.asExpr().(KeyValueExpr).getKey().getStringValue() = "Value" 
        and sink.asExpr().(KeyValueExpr).getLiteral().getType().getName() = "ValueFlag"} // sink
}

module ProtocToValueFlagFlow = TaintTracking::Global<ProtocToValueFlagConfig>;

import ProtocToValueFlagFlow::PathGraph

from ProtocToValueFlagFlow::PathNode source, ProtocToValueFlagFlow::PathNode sink
where ProtocToValueFlagFlow::flowPath(source, sink)
select sink.getNode(), source, sink, "Flow into ValueFlag from protoc generated type"

Thanks in advance.

[0x73746F70626F74686572696E676D65]

For context, this finds struct literals which correspond to the dataflow node:

/**
    * @name Test Name
    * @description Test Description
    * @kind problem
    * @problem.severity warning
    * @id go/test-query
*/

import go

from DataFlow::Node sink
where sink.asExpr() instanceof StructLit
    and sink.asExpr().(StructLit).getType().getName() = "ValueFlag" 
select sink.asExpr(), "ValueFlag 'Value' field"

[smowton]

Use Write.writesField to define your sink instead -- e.g.

codeql/go/ql/src/Security/CWE-322/InsecureHostKeyCallback.ql

Line 63 in 14268f3

additional predicate writeIsSink(DataFlow::Node sink, Write write) {

You can also use the first argument of writesField to characterise the qualifier that is written to -- e.g.

codeql/go/ql/lib/semmle/go/frameworks/NoSQL.qll

Line 111 in 14268f3

exists(Write w, DataFlow::Node base, Field f | w.writesField(base, f, pred) |

-- but generally the qualified name of the written field will be enough.