C++: Only allow taint to a FieldAddressInstruction if it's a union type.

MathiasVP · MathiasVP · commit 23876cb581fb · 2021-03-04T16:29:44.000+01:00
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll
@@ -64,7 +64,7 @@ private predicate operandToInstructionTaintStep(Operand opFrom, Instruction inst
     or
     instrTo instanceof PointerArithmeticInstruction
     or
-    instrTo instanceof FieldAddressInstruction
+    instrTo.(FieldAddressInstruction).getField().getDeclaringType() instanceof Union
     or
     // The `CopyInstruction` case is also present in non-taint data flow, but
     // that uses `getDef` rather than `getAnyDef`. For taint, we want flow
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/map.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/map.cpp
@@ -152,8 +152,8 @@ void test_map()
 	for (i2 = m2.begin(); i2 != m2.end(); i2++)
 	{
 		sink(*i2); // $ ast,ir
-		sink(i2->first); // $ SPURIOUS: ir
-		sink(i2->second); // $ ir MISSING: ast
+		sink(i2->first); // clean
+		sink(i2->second); // $ MISSING: ast,ir
 	}
 	for (i3 = m3.begin(); i3 != m3.end(); i3++)
 	{
@@ -304,8 +304,8 @@ void test_unordered_map()
 	for (i2 = m2.begin(); i2 != m2.end(); i2++)
 	{
 		sink(*i2); // $ ast,ir
-		sink(i2->first); // $ SPURIOUS: ir
-		sink(i2->second); // $ ir MISSING: ast
+		sink(i2->first); // clean
+		sink(i2->second); // $ MISSING: ast,ir
 	}
 	for (i3 = m3.begin(); i3 != m3.end(); i3++)
 	{
