Merge pull request #4741 from criemen/port-dataflow-tests

C++: Port dataflow tests to inline expectations test library.

Author: MathiasVP

cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll

@@ -95,7 +95,7 @@ class Node extends TIRDataFlowNode {
    * Gets the uninitialized local variable corresponding to this node, if
    * any.
    */
-  LocalVariable asUninitialized() { none() }
+  deprecated LocalVariable asUninitialized() { none() }
 
   /**
    * Gets an upper bound on the type of this node.

cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_path_to_sink/dispatch.cpp

@@ -0,0 +1,74 @@
+#include "../shared.h"
+
+using SinkFunction = void (*)(int);
+
+void notSink(int notSinkParam);
+
+void callsSink(int sinkParam) {
+  sink(sinkParam); // $ ast,ir=31:28 ast,ir=32:31 ast,ir=34:22 MISSING: ast,ir=28
+}
+
+struct {
+  SinkFunction sinkPtr, notSinkPtr;
+} globalStruct;
+
+union {
+  SinkFunction sinkPtr, notSinkPtr;
+} globalUnion;
+
+SinkFunction globalSinkPtr;
+
+void assignGlobals() {
+  globalStruct.sinkPtr = callsSink;
+  globalUnion.sinkPtr = callsSink;
+  globalSinkPtr = callsSink;
+};
+
+void testStruct() {
+  globalStruct.sinkPtr(atoi(getenv("TAINTED"))); // $ MISSING: ast,ir
+  globalStruct.notSinkPtr(atoi(getenv("TAINTED"))); // clean
+
+  globalUnion.sinkPtr(atoi(getenv("TAINTED"))); // $ ast,ir
+  globalUnion.notSinkPtr(atoi(getenv("TAINTED"))); // $ ast,ir
+
+  globalSinkPtr(atoi(getenv("TAINTED"))); // $ ast,ir
+}
+
+class B {
+    public:
+    virtual void f(const char*) = 0;
+};
+
+class D1 : public B {};
+
+class D2 : public D1 {
+    public:
+    void f(const char* p) override {}
+};
+
+class D3 : public D2 {
+    public:
+    void f(const char* p) override {
+        sink(p); // $ ast,ir=58:10 ast,ir=60:17 ast,ir=61:28 ast,ir=62:29 ast,ir=63:33 SPURIOUS: ast,ir=73:30
+    }
+};
+
+void test_dynamic_cast() {
+    B* b = new D3();
+    b->f(getenv("VAR")); // $ ast,ir
+
+    ((D2*)b)->f(getenv("VAR")); // $ ast,ir
+    static_cast<D2*>(b)->f(getenv("VAR")); // $ ast,ir
+    dynamic_cast<D2*>(b)->f(getenv("VAR")); // $ ast,ir
+    reinterpret_cast<D2*>(b)->f(getenv("VAR")); // $ ast,ir
+
+    B* b2 = new D2();
+    b2->f(getenv("VAR"));
+
+    ((D2*)b2)->f(getenv("VAR"));
+    static_cast<D2*>(b2)->f(getenv("VAR"));
+    dynamic_cast<D2*>(b2)->f(getenv("VAR"));
+    reinterpret_cast<D2*>(b2)->f(getenv("VAR"));
+
+    dynamic_cast<D3*>(b2)->f(getenv("VAR")); // $ SPURIOUS: ast,ir
+}

cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_path_to_sink/tainted.expected

@@ -0,0 +1,88 @@
+/**
+ * This test provides the possibility to annotate elements when they are on a path of a taint flow to a sink.
+ * This is different when compared to the tests in `../annotate_sink`, where only sink invocations are annotated.
+ */
+
+import cpp
+import semmle.code.cpp.security.TaintTrackingImpl as ASTTaintTracking
+import semmle.code.cpp.ir.dataflow.DefaultTaintTracking as IRDefaultTaintTracking
+import TestUtilities.InlineExpectationsTest
+
+predicate isSink(Element sink) {
+  exists(FunctionCall call |
+    call.getTarget().getName() = "sink" and
+    sink = call.getAnArgument()
+  )
+}
+
+predicate astTaint(Expr source, Element sink) { ASTTaintTracking::tainted(source, sink) }
+
+predicate irTaint(Expr source, Element sink) { IRDefaultTaintTracking::tainted(source, sink) }
+
+class IRDefaultTaintTrackingTest extends InlineExpectationsTest {
+  IRDefaultTaintTrackingTest() { this = "IRDefaultTaintTrackingTest" }
+
+  override string getARelevantTag() { result = "ir" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(Expr source, Element tainted, int n |
+      tag = "ir" and
+      irTaint(source, tainted) and
+      (
+        isSink(tainted)
+        or
+        exists(Element sink |
+          isSink(sink) and
+          irTaint(tainted, sink)
+        )
+      ) and
+      n = strictcount(Expr otherSource | irTaint(otherSource, tainted)) and
+      (
+        n = 1 and value = ""
+        or
+        // If there is more than one source for this sink
+        // we specify the source location explicitly.
+        n > 1 and
+        value =
+          source.getLocation().getStartLine().toString() + ":" +
+            source.getLocation().getStartColumn()
+      ) and
+      location = tainted.getLocation() and
+      element = tainted.toString()
+    )
+  }
+}
+
+class ASTTaintTrackingTest extends InlineExpectationsTest {
+  ASTTaintTrackingTest() { this = "ASTTaintTrackingTest" }
+
+  override string getARelevantTag() { result = "ast" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(Expr source, Element tainted, int n |
+      tag = "ast" and
+      astTaint(source, tainted) and
+      (
+        isSink(tainted)
+        or
+        exists(Element sink |
+          isSink(sink) and
+          astTaint(tainted, sink)
+        )
+      ) and
+      n = strictcount(Expr otherSource | astTaint(otherSource, tainted)) and
+      (
+        n = 1 and value = ""
+        or
+        // If there is more than one source for this sink
+        // we specify the source location explicitly.
+        n > 1 and
+        value =
+          source.getLocation().getStartLine().toString() + ":" +
+            source.getLocation().getStartColumn()
+      ) and
+      location = tainted.getLocation() and
+      element = tainted.toString()
+    )
+  }
+}

cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_path_to_sink/tainted.ql

@@ -1,4 +1,4 @@
-#include "shared.h"
+#include "../shared.h"
 
 
 struct S {
@@ -14,7 +14,7 @@ struct S {
 };
 
 void calls_sink_with_argv(const char* a) {
-    sink(a);
+    sink(a); // $ ast,ir=96:26 ast,ir=98:18
 }
 
 extern int i;
@@ -27,7 +27,7 @@ class BaseWithPureVirtual {
 class DerivedCallsSink : public BaseWithPureVirtual {
 public:
     void f(const char* p) override {
-        sink(p);
+        sink(p); // $ ir ast=108:10 SPURIOUS: ast=111:10
     }
 };
 
@@ -39,7 +39,7 @@ class DerivedDoesNotCallSink : public BaseWithPureVirtual {
 class DerivedCallsSinkDiamond1 : virtual public BaseWithPureVirtual {
 public:
     void f(const char* p) override {
-        sink(p);
+        sink(p); // $ ast,ir
     }
 };
 
@@ -65,7 +65,7 @@ class CRTP {
 class CRTPCallsSink : public CRTP<CRTPCallsSink> {
     public:
     void g(const char* p) {
-        sink(p);
+        sink(p); // $ ast,ir
     }
 };
 
@@ -79,7 +79,7 @@ class Derived2 : public Derived1 {
 class Derived3 : public Derived2 {
     public:
     void f(const char* p) override {
-        sink(p);
+        sink(p); // $ ast,ir=124:19 ast,ir=126:43 ast,ir=128:44
     }
 };
 
@@ -89,41 +89,41 @@ class CRTPDoesNotCallSink : public CRTP<CRTPDoesNotCallSink> {
 };
 
 int main(int argc, char *argv[]) {
-    sink(argv[0]);
+    sink(argv[0]); // $ ast,ir
 
-    sink(reinterpret_cast<int>(argv));
+    sink(reinterpret_cast<int>(argv)); // $ ast,ir
 
-    calls_sink_with_argv(argv[1]);
+    calls_sink_with_argv(argv[1]); // $ ast,ir
 
-    char*** p = &argv;
+    char*** p = &argv; // $ ast,ir
 
-    sink(*p[0]);
+    sink(*p[0]); // $ ast,ir
 
-    calls_sink_with_argv(*p[i]);
+    calls_sink_with_argv(*p[i]); // $ MISSING: ast,ir
 
-    sink(*(argv + 1));
+    sink(*(argv + 1)); // $ ast,ir
 
     BaseWithPureVirtual* b = new DerivedCallsSink;
 
-    b->f(argv[1]);
+    b->f(argv[1]); // $ ast,ir
 
     b = new DerivedDoesNotCallSink;
-    b->f(argv[0]); // no flow [FALSE POSITIVE by AST]
+    b->f(argv[0]); // $ SPURIOUS: ast
 
     BaseWithPureVirtual* b2 = new DerivesMultiple;
 
-    b2->f(argv[i]);
+    b2->f(argv[i]); // $ ast,ir
 
     CRTP<CRTPDoesNotCallSink> crtp_not_call_sink;
-    crtp_not_call_sink.f(argv[0]);
+    crtp_not_call_sink.f(argv[0]); // clean
 
     CRTP<CRTPCallsSink> crtp_calls_sink;
-    crtp_calls_sink.f(argv[0]);
+    crtp_calls_sink.f(argv[0]); // $ ast,ir
 
     Derived1* calls_sink = new Derived3;
-    calls_sink->f(argv[1]);
+    calls_sink->f(argv[1]); // $ ast,ir
 
-    static_cast<Derived2*>(calls_sink)->f(argv[1]);
+    static_cast<Derived2*>(calls_sink)->f(argv[1]); // $ ast,ir
 
-    dynamic_cast<Derived2*>(calls_sink)->f(argv[1]); // flow [NOT DETECTED by IR]
+    dynamic_cast<Derived2*>(calls_sink)->f(argv[1]); // $ ast,ir
 }