Go dynamic input as array, items not considered dynamic input

[elsapet]

Description & Reproduction

If we have an array of strings passed to a function, for example, and we assign the first element to a variable, we do not consider this variable to be dynamic input.

Expected Behavior

The following code, for example, should flag our filereadtaint rule:

func someFunc(args []string) {
  filepath := args[0]
  os.Open(filepath) // dynamic input passed as filename
}

Actual Behavior

The above code does not flag our filereadtaint rule because filepath := args[0] is not considered dynamic input

Possible Fix

Your Environment

• Operating System and version:
• Output of 'bearer version':

bearer version: 0.00.0
sha: xxx

[elsapet]

The following are also not considered as dynamic input

func example(insecure string, insecureArgs any, moreInsecureArgs []string) {
	args := []string{"-c", insecure}

	var args2 []string
	for _, a := range insecureArgs {
		switch v := a.(type) {
		case string:
			args = append(args, v)
		default:
			return nil, fmt.Errorf("invalid argument to command: %T", a)
		}
	}

	var args3 := []string{"-f", insecure, "-i"}

	var args4 :=  make([]string, 0)
	args4 = append(args4, "-f "+insecure)

	var args5 := make([]string, 0)
	args5 = append(args5, moreInsecureArgs)
}

[elsapet]

The array access case is fixed by

• fix(golang): fixes following battletesting #365

Upon inspection, we realised that most of the cases detailed in the comment were missed not because of the array construction, but because of "splatted" args (args...). This is fixed by

• fix(golang): add variadic args case for args... bearer#1559