GoIOFS

io/fs package (Go 1.16+). FS interface and ReadFile() operate on filesystem abstractions — path traversal sinks when path is user-controlled.

2 sinks

Taint flow0 sources → 2 sinks

Sinks — dangerous call

.ReadFile()Reads file from FS

.Stat()Stats file

Sinks

— dangerous functions taint must not reach

.ReadFile()Sink

Signature

ReadFile(fsys FS, name string) ([]byte, error)

Reads file from FS. Path traversal sink when name is user-controlled.

tracks:1

.Stat()Sink

Signature

Stat(fsys FS, name string) (FileInfo, error)

Stats file. Path traversal sink when name is user-controlled.

tracks:1

FQN	Field
io/fs	fqns[0]

Wrong FQN → 0 findings. Verify with: change fqns to garbage → must produce 0 results.

go.mod

// standard library — no go.mod entry required

rule.py

from codepathfinder.go_rule import GoIOFS