C++: Add a model of std::vector::assign.

Author: geoffw0

cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll

@@ -88,6 +88,32 @@ class StdSequenceContainerFrontBack extends TaintFunction {
   }
 }
 
+/**
+ * The standard container function `assign`.
+ */
+class StdSequenceContainerAssign extends TaintFunction {
+  StdSequenceContainerAssign() {
+    this.hasQualifiedName("std", ["vector", "deque", "list", "forward_list"], "assign")
+  }
+
+  /**
+   * Gets the index of a parameter to this function that is a reference to the
+   * value type of the container.
+   */
+  int getAValueTypeParameterIndex() {
+    getParameter(result).getUnspecifiedType() = getDeclaringType().getTemplateArgument(0) // i.e. the `T` of this `std::vector<T>`
+    or
+    getParameter(result).getUnspecifiedType().(ReferenceType).getBaseType() =
+      getDeclaringType().getTemplateArgument(0)
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // flow from parameter to string itself (qualifier) and return value
+    input.isParameterDeref(getAValueTypeParameterIndex()) and
+    output.isQualifierObject()
+  }
+}
+
 /**
  * The standard container `swap` functions.
  */

cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected

@@ -2244,8 +2244,12 @@
 | vector.cpp:221:2:221:3 | ref arg v1 | vector.cpp:233:13:233:14 | v1 |  |
 | vector.cpp:221:2:221:3 | ref arg v1 | vector.cpp:233:25:233:26 | v1 |  |
 | vector.cpp:221:2:221:3 | ref arg v1 | vector.cpp:247:1:247:1 | v1 |  |
+| vector.cpp:221:12:221:14 | 100 | vector.cpp:221:2:221:3 | ref arg v1 | TAINT |
+| vector.cpp:221:17:221:17 | 0 | vector.cpp:221:2:221:3 | ref arg v1 | TAINT |
 | vector.cpp:222:2:222:3 | ref arg v2 | vector.cpp:226:7:226:8 | v2 |  |
 | vector.cpp:222:2:222:3 | ref arg v2 | vector.cpp:247:1:247:1 | v2 |  |
+| vector.cpp:222:12:222:14 | 100 | vector.cpp:222:2:222:3 | ref arg v2 | TAINT |
+| vector.cpp:222:17:222:30 | call to source | vector.cpp:222:2:222:3 | ref arg v2 | TAINT |
 | vector.cpp:223:2:223:3 | ref arg v3 | vector.cpp:227:7:227:8 | v3 |  |
 | vector.cpp:223:2:223:3 | ref arg v3 | vector.cpp:234:13:234:14 | v3 |  |
 | vector.cpp:223:2:223:3 | ref arg v3 | vector.cpp:234:25:234:26 | v3 |  |

cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected

@@ -241,6 +241,7 @@
 | vector.cpp:171:13:171:13 | call to operator[] | vector.cpp:170:14:170:19 | call to source |
 | vector.cpp:180:13:180:13 | call to operator[] | vector.cpp:179:14:179:19 | call to source |
 | vector.cpp:201:13:201:13 | call to operator[] | vector.cpp:200:14:200:19 | call to source |
+| vector.cpp:226:7:226:8 | v2 | vector.cpp:222:17:222:30 | call to source |
 | vector.cpp:227:7:227:8 | v3 | vector.cpp:223:15:223:20 | call to source |
 | vector.cpp:255:7:255:8 | v1 | vector.cpp:254:15:254:20 | call to source |
 | vector.cpp:256:10:256:13 | call to data | vector.cpp:254:15:254:20 | call to source |

cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected

@@ -177,6 +177,7 @@
 | vector.cpp:171:13:171:13 | vector.cpp:170:14:170:19 | AST only |
 | vector.cpp:180:13:180:13 | vector.cpp:179:14:179:19 | AST only |
 | vector.cpp:201:13:201:13 | vector.cpp:200:14:200:19 | AST only |
+| vector.cpp:226:7:226:8 | vector.cpp:222:17:222:30 | AST only |
 | vector.cpp:227:7:227:8 | vector.cpp:223:15:223:20 | AST only |
 | vector.cpp:255:7:255:8 | vector.cpp:254:15:254:20 | AST only |
 | vector.cpp:256:10:256:13 | vector.cpp:254:15:254:20 | AST only |

cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp

@@ -223,7 +223,7 @@ void test_vector_assign() {
 	v3.push_back(source());
 
 	sink(v1);
-	sink(v2); // tainted [NOT DETECTED]
+	sink(v2); // tainted
 	sink(v3); // tainted
 
 	{