C++: add taint edges to DefinitionByReferenceNode

Robert Marsh · Robert Marsh · commit 262f724235f2 · 2019-04-22T10:39:02.000-07:00
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/TaintTracking.qll b/cpp/ql/src/semmle/code/cpp/dataflow/TaintTracking.qll
@@ -9,6 +9,8 @@
  */
 import semmle.code.cpp.dataflow.DataFlow
 import semmle.code.cpp.dataflow.DataFlow2
+import semmle.code.cpp.models.interfaces.DataFlow
+import semmle.code.cpp.models.interfaces.Taint
 
 module TaintTracking {
 
@@ -187,6 +189,9 @@ module TaintTracking {
         exprFrom.(PostfixCrementOperation)
       )
     )
+    or
+    // Taint can flow through modeled functions
+    exprToDefinitionByReferenceStep(nodeFrom.asExpr(), nodeTo.asDefiningArgument())
   }
 
   /**
@@ -226,4 +231,35 @@ module TaintTracking {
     e instanceof AlignofOperator
   }
 
-}
+  private predicate exprToDefinitionByReferenceStep(Expr exprIn, Expr argOut) {
+    exists(DataFlowFunction f, Call call, FunctionOutput outModel, int argOutIndex |
+      call.getTarget() = f and
+      argOut = call.getArgument(argOutIndex) and
+      outModel.isOutParameterPointer(argOutIndex) and
+      exists(int argInIndex, FunctionInput inModel |
+        f.hasDataFlow(inModel, outModel)
+      |
+        inModel.isInParameterPointer(argInIndex) and
+        exprIn = call.getArgument(argInIndex)
+      )
+    )
+    or
+    exists(TaintFunction f, Call call, FunctionOutput outModel, int argOutIndex |
+      call.getTarget() = f and
+      argOut = call.getArgument(argOutIndex) and
+      outModel.isOutParameterPointer(argOutIndex) and
+      exists(int argInIndex, FunctionInput inModel |
+        f.hasTaintFlow(inModel, outModel)
+      |
+        inModel.isInParameterPointer(argInIndex) and
+        exprIn = call.getArgument(argInIndex)
+        or
+        inModel.isInParameterPointer(argInIndex) and
+        call.passesByReference(argInIndex, exprIn)
+        or
+        inModel.isInParameter(argInIndex) and
+        exprIn = call.getArgument(argInIndex)
+      )
+    )
+  }
+}
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
@@ -10,4 +10,5 @@
 | taint.cpp:151:7:151:12 | call to select | taint.cpp:151:20:151:25 | call to source |
 | taint.cpp:167:8:167:13 | call to source | taint.cpp:167:8:167:13 | call to source |
 | taint.cpp:168:8:168:14 | tainted | taint.cpp:164:19:164:24 | call to source |
+| taint.cpp:173:8:173:13 | buffer | taint.cpp:164:19:164:24 | call to source |
 | taint.cpp:181:8:181:9 | * ... | taint.cpp:185:11:185:16 | call to source |
