Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Go: False positive when use sync.Map #18916

Open
sud0why opened this issue Mar 4, 2025 · 3 comments
Open

Go: False positive when use sync.Map #18916

sud0why opened this issue Mar 4, 2025 · 3 comments
Labels
false-positive Go

Comments

@sud0why
Copy link

sud0why commented Mar 4, 2025

Description

I think the sync.Map.Store operation should not propagate the key to the sync.Map, and the same applies to sync.Map.LoadOrStore and sync.Map.Swap. This could lead to situations where keys might propagate into values through the sync.Map.

Modifications may be needed in the ext/sync.model.yml model definition file within the go-all library.

Example Code

package mytest

import (
	"fmt"
	"net/http"
	"sync"

	"gorm.io/gorm"
)

var myMap sync.Map
var db gorm.DB

func handler(req *http.Request) {
	input := req.URL.Query().Get("input")
	value := getData(input)
	fmt.Println(value)
}

func process() {
	key := "hello"
	value := getData(key)
	db.Exec(value)
}

func getData(key string) string {
	if value, ok := myMap.Load(key); ok {
		return value.(string)
	}
	value := "hello"
	myMap.Store(key, value)
	return value
}

Result

Image

Image

Image
@mbg
Copy link
Member

mbg commented Mar 4, 2025

Hi @sud0why 👋🏻

Thanks for reporting this! That does look like a FP to me. I am guessing that we don't currently have enough precision here to distinguish between the keys and values in the map during our taint flow analysis, so conservatively mark the whole map as tainted if either a tainted key or value is stored in it. We will track this issue internally, and will fix it when possible. However, fixing FPs isn't currently a product priority, so I can't say how quickly this may get fixed.

@mbg mbg added the Go label Mar 4, 2025
@sud0why
Copy link
Author

sud0why commented Mar 5, 2025

Hi @sud0why 👋🏻

Thanks for reporting this! That does look like a FP to me. I am guessing that we don't currently have enough precision here to distinguish between the keys and values in the map during our taint flow analysis, so conservatively mark the whole map as tainted if either a tainted key or value is stored in it. We will track this issue internally, and will fix it when possible. However, fixing FPs isn't currently a product priority, so I can't say how quickly this may get fixed.

I believe keys should not propagate through the map. The only way to achieve key propagation via sync.Map would be through traversing the entire map using sync.Map.Range. However, our current implementation in ext/sync.model.yml does not yet support sync.Map.Range, which means all existing propagations are limited to values.

Perhaps modifying the taint source parameters for sync.Map methods like LoadOrStore, Store, and Swap—specifically changing from Argument[0..1] to Argument[1]—would be sufficient to address this issue?

@mbg
Copy link
Member

mbg commented Mar 7, 2025

Yes, that's right. We do not currently model Range so there's no current way to extract keys from a sync.Map. My colleague has put together a PR to change the models so we don't consider taint flow for keys for the moment, which we have merged. You should see this FP disappear once that change is released.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
false-positive Go
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@mbg @sud0why