C++: Use taintedWithPath in more tests. This is the predicate that's currently hooked up to the new IR taint tracking library.

MathiasVP · MathiasVP · commit 23d31090715a · 2021-03-02T13:40:39.000+01:00
diff --git a/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_path_to_sink/tainted.ql b/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_path_to_sink/tainted.ql
@@ -6,6 +6,7 @@
 import cpp
 import semmle.code.cpp.security.TaintTrackingImpl as ASTTaintTracking
 import semmle.code.cpp.ir.dataflow.DefaultTaintTracking as IRDefaultTaintTracking
+import IRDefaultTaintTracking::TaintedWithPath as TaintedWithPath
 import TestUtilities.InlineExpectationsTest
 
 predicate isSink(Element sink) {
@@ -17,7 +18,13 @@ predicate isSink(Element sink) {
 
 predicate astTaint(Expr source, Element sink) { ASTTaintTracking::tainted(source, sink) }
 
-predicate irTaint(Expr source, Element sink) { IRDefaultTaintTracking::tainted(source, sink) }
+class SourceConfiguration extends TaintedWithPath::TaintTrackingConfiguration {
+  override predicate isSink(Element e) { any() }
+}
+
+predicate irTaint(Expr source, Element sink) {
+  TaintedWithPath::taintedWithPath(source, sink, _, _)
+}
 
 class IRDefaultTaintTrackingTest extends InlineExpectationsTest {
   IRDefaultTaintTrackingTest() { this = "IRDefaultTaintTrackingTest" }
diff --git a/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/defaulttainttracking.cpp b/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/defaulttainttracking.cpp
@@ -13,8 +13,8 @@ int main() {
 
 
 
-  sink(_strdup(getenv("VAR"))); // $ ir MISSING: ast
-  sink(strdup(getenv("VAR"))); // $ ast,ir
+  sink(_strdup(getenv("VAR"))); // $ MISSING: ast,ir
+  sink(strdup(getenv("VAR"))); // $ ast MISSING: ir
   sink(unmodeled_function(getenv("VAR"))); // clean by assumption
 
   char untainted_buf[100] = "";
@@ -250,12 +250,12 @@ void sink(iovec);
 int test_readv_and_writev(iovec* iovs) {
   readv(0, iovs, 16);
   sink(iovs); // $ast,ir
-  sink(iovs[0]); // $ast MISSING: ir
-  sink(*iovs); // $ast MISSING: ir
+  sink(iovs[0]); // $ast,ir
+  sink(*iovs); // $ast,ir
 
   char* p = (char*)iovs[1].iov_base;
-  sink(p); // $ MISSING: ast,ir
-  sink(*p); // $ MISSING: ast,ir
+  sink(p); // $ ir MISSING: ast
+  sink(*p); // $ ir MISSING: ast
 
   writev(0, iovs, 16); // $ remote
 }
diff --git a/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/stl.cpp b/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/stl.cpp
@@ -73,7 +73,7 @@ void test_string()
 	sink(b); // clean
 	sink(c); // $ ir MISSING: ast
 	sink(b.c_str()); // clean
-	sink(c.c_str()); // $ MISSING: ast,ir
+	sink(c.c_str()); // $ ir MISSING: ast
 }
 
 void test_stringstream()
@@ -91,11 +91,11 @@ void test_stringstream()
 	sink(ss2); // $ ir MISSING: ast
 	sink(ss3); // $ MISSING: ast,ir
 	sink(ss4); // $ ir MISSING: ast
-	sink(ss5); // $ ir MISSING: ast
+	sink(ss5); // $ MISSING: ast,ir
 	sink(ss1.str());
-	sink(ss2.str()); // $ MISSING: ast,ir
+	sink(ss2.str()); // $ ir MISSING: ast
 	sink(ss3.str()); // $ MISSING: ast,ir
-	sink(ss4.str()); // $ MISSING: ast,ir
+	sink(ss4.str()); // $ ir MISSING: ast
 	sink(ss5.str()); // $ MISSING: ast,ir
 }
 
@@ -123,14 +123,14 @@ void sink(const char *filename, const char *mode);
 void test_strings2()
 {
 	string path1 = user_input();
-	sink(path1.c_str(), "r"); // $ MISSING: ast,ir
+	sink(path1.c_str(), "r"); // $ ir MISSING: ast
 
 	string path2;
 	path2 = user_input();
-	sink(path2.c_str(), "r"); // $ MISSING: ast,ir
+	sink(path2.c_str(), "r"); // $ ir MISSING: ast
 
 	string path3(user_input());
-	sink(path3.c_str(), "r"); // $ MISSING: ast,ir
+	sink(path3.c_str(), "r"); // $ ir MISSING: ast
 }
 
 void test_string3()
@@ -154,6 +154,6 @@ void test_string4()
 	// convert back std::string -> char *
 	cs = ss.c_str();
 
-	sink(cs); // $ ast MISSING: ir
+	sink(cs); // $ ast,ir
 	sink(ss); // $ ir MISSING: ast
 }
diff --git a/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/tainted.ql b/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/tainted.ql
@@ -7,21 +7,26 @@
 import cpp
 import semmle.code.cpp.security.TaintTrackingImpl as ASTTaintTracking
 import semmle.code.cpp.ir.dataflow.DefaultTaintTracking as IRDefaultTaintTracking
+import IRDefaultTaintTracking::TaintedWithPath as TaintedWithPath
 import TestUtilities.InlineExpectationsTest
 
-predicate isSink(Element sink) {
+predicate argToSinkCall(Element sink) {
   exists(FunctionCall call |
     call.getTarget().getName() = "sink" and
     sink = call.getAnArgument()
   )
 }
 
 predicate astTaint(Expr source, Element sink) {
-  ASTTaintTracking::tainted(source, sink) and isSink(sink)
+  ASTTaintTracking::tainted(source, sink) and argToSinkCall(sink)
+}
+
+class SourceConfiguration extends TaintedWithPath::TaintTrackingConfiguration {
+  override predicate isSink(Element e) { argToSinkCall(e) }
 }
 
 predicate irTaint(Expr source, Element sink) {
-  IRDefaultTaintTracking::tainted(source, sink) and isSink(sink)
+  TaintedWithPath::taintedWithPath(source, sink, _, _)
 }
 
 class IRDefaultTaintTrackingTest extends InlineExpectationsTest {
