C++: Model std::string front, back and push_back.

geoffw0 · geoffw0 · commit 018b0a5abfc1 · 2020-09-04T09:45:07.000+01:00
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll
@@ -1,6 +1,6 @@
 /**
  * Provides implementation classes modeling `std::string` and other
- * instantiations of`std::basic_string`. See `semmle.code.cpp.models.Models`
+ * instantiations of `std::basic_string`. See `semmle.code.cpp.models.Models`
  * for usage information.
  */
 
@@ -82,6 +82,32 @@ class StdStringData extends TaintFunction {
   }
 }
 
+/**
+ * The `std::string` function `push_back`.
+ */
+class StdStringPush extends TaintFunction {
+  StdStringPush() { this.hasQualifiedName("std", "basic_string", "push_back") }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // flow from parameter to qualifier
+    input.isParameterDeref(0) and
+    output.isQualifierObject()
+  }
+}
+
+/**
+ * The `std::string` functions `front` and `back`.
+ */
+class StdStringFrontBack extends TaintFunction {
+  StdStringFrontBack() { this.hasQualifiedName("std", "basic_string", ["front", "back"]) }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // flow from object to returned reference
+    input.isQualifierObject() and
+    output.isReturnValueDeref()
+  }
+}
+
 /**
  * The `std::string` function `operator+`.
  */
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -1243,16 +1243,21 @@
 | string.cpp:510:16:510:20 | call to basic_string | string.cpp:514:2:514:2 | a |  |
 | string.cpp:510:16:510:20 | call to basic_string | string.cpp:515:7:515:7 | a |  |
 | string.cpp:510:16:510:20 | call to basic_string | string.cpp:516:7:516:7 | a |  |
+| string.cpp:512:7:512:7 | a | string.cpp:512:9:512:13 | call to front | TAINT |
 | string.cpp:512:7:512:7 | ref arg a | string.cpp:513:7:513:7 | a |  |
 | string.cpp:512:7:512:7 | ref arg a | string.cpp:514:2:514:2 | a |  |
 | string.cpp:512:7:512:7 | ref arg a | string.cpp:515:7:515:7 | a |  |
 | string.cpp:512:7:512:7 | ref arg a | string.cpp:516:7:516:7 | a |  |
+| string.cpp:513:7:513:7 | a | string.cpp:513:9:513:12 | call to back | TAINT |
 | string.cpp:513:7:513:7 | ref arg a | string.cpp:514:2:514:2 | a |  |
 | string.cpp:513:7:513:7 | ref arg a | string.cpp:515:7:515:7 | a |  |
 | string.cpp:513:7:513:7 | ref arg a | string.cpp:516:7:516:7 | a |  |
 | string.cpp:514:2:514:2 | ref arg a | string.cpp:515:7:515:7 | a |  |
 | string.cpp:514:2:514:2 | ref arg a | string.cpp:516:7:516:7 | a |  |
+| string.cpp:514:14:514:28 | call to source | string.cpp:514:2:514:2 | ref arg a | TAINT |
+| string.cpp:515:7:515:7 | a | string.cpp:515:9:515:13 | call to front | TAINT |
 | string.cpp:515:7:515:7 | ref arg a | string.cpp:516:7:516:7 | a |  |
+| string.cpp:516:7:516:7 | a | string.cpp:516:9:516:12 | call to back | TAINT |
 | string.cpp:521:17:521:20 | aa | string.cpp:521:17:521:21 | call to basic_string | TAINT |
 | string.cpp:521:17:521:21 | call to basic_string | string.cpp:528:9:528:9 | a |  |
 | string.cpp:521:17:521:21 | call to basic_string | string.cpp:532:8:532:8 | a |  |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/string.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/string.cpp
@@ -512,8 +512,8 @@ void test_string_front_back() {
 	sink(a.front());
 	sink(a.back());
 	a.push_back(ns_char::source());
-	sink(a.front());
-	sink(a.back()); // tainted [NOT DETECTED]
+	sink(a.front()); // [FALSE POSITIVE]
+	sink(a.back()); // tainted
 }
 
 void test_string_return_assign() {
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
@@ -141,6 +141,8 @@
 | string.cpp:491:8:491:9 | s6 | string.cpp:482:18:482:23 | call to source |
 | string.cpp:504:7:504:8 | s2 | string.cpp:497:14:497:19 | call to source |
 | string.cpp:506:7:506:8 | s4 | string.cpp:497:14:497:19 | call to source |
+| string.cpp:515:9:515:13 | call to front | string.cpp:514:14:514:28 | call to source |
+| string.cpp:516:9:516:12 | call to back | string.cpp:514:14:514:28 | call to source |
 | string.cpp:529:11:529:11 | call to operator+= | string.cpp:529:20:529:25 | call to source |
 | string.cpp:530:21:530:21 | call to operator+= | string.cpp:530:24:530:29 | call to source |
 | string.cpp:531:25:531:25 | call to operator+= | string.cpp:531:15:531:20 | call to source |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
@@ -151,6 +151,8 @@
 | string.cpp:491:8:491:9 | string.cpp:482:18:482:23 | AST only |
 | string.cpp:504:7:504:8 | string.cpp:497:14:497:19 | AST only |
 | string.cpp:506:7:506:8 | string.cpp:497:14:497:19 | AST only |
+| string.cpp:515:9:515:13 | string.cpp:514:14:514:28 | AST only |
+| string.cpp:516:9:516:12 | string.cpp:514:14:514:28 | AST only |
 | string.cpp:529:11:529:11 | string.cpp:529:20:529:25 | AST only |
 | string.cpp:530:21:530:21 | string.cpp:530:24:530:29 | AST only |
 | string.cpp:531:25:531:25 | string.cpp:531:15:531:20 | AST only |
