C++: Revise model of emplace and emplace_hint. Note that 2 of the 3 taint regressions we shouldn't be getting because we don't yet do taint through keys.

geoffw0 · geoffw0 · commit 270517d3797d · 2020-10-09T17:27:18.000+01:00
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/StdMap.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/StdMap.qll
@@ -60,10 +60,11 @@ class StdMapEmplace extends TaintFunction {
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    // flow from any parameter to qualifier and return value
-    // (here we assume taint flow from any constructor parameter to the constructed object)
+    // flow from the last parameter (which may be the value part used to
+    // construct a pair, or a pair to be copied / moved) to the qualifier and
+    // return value.
     // (where the return value is a pair, this should really flow just to the first part of it)
-    input.isParameterDeref([0 .. getNumberOfParameters() - 1]) and
+    input.isParameterDeref(getNumberOfParameters() - 1) and
     (
       output.isQualifierObject() or
       output.isReturnValue()
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -1111,16 +1111,12 @@
 | map.cpp:233:7:233:9 | ref arg m24 | map.cpp:235:7:235:9 | m24 |  |
 | map.cpp:233:7:233:9 | ref arg m24 | map.cpp:236:7:236:9 | m24 |  |
 | map.cpp:233:7:233:9 | ref arg m24 | map.cpp:252:1:252:1 | m24 |  |
-| map.cpp:233:19:233:23 | abc | map.cpp:233:7:233:9 | ref arg m24 | TAINT |
-| map.cpp:233:19:233:23 | abc | map.cpp:233:11:233:17 | call to emplace | TAINT |
 | map.cpp:233:26:233:30 | def | map.cpp:233:7:233:9 | ref arg m24 | TAINT |
 | map.cpp:233:26:233:30 | def | map.cpp:233:11:233:17 | call to emplace | TAINT |
 | map.cpp:233:33:233:37 | first | map.cpp:233:7:233:37 | call to iterator |  |
 | map.cpp:234:7:234:9 | m24 | map.cpp:234:7:234:9 | call to map |  |
 | map.cpp:235:7:235:9 | ref arg m24 | map.cpp:236:7:236:9 | m24 |  |
 | map.cpp:235:7:235:9 | ref arg m24 | map.cpp:252:1:252:1 | m24 |  |
-| map.cpp:235:19:235:23 | abc | map.cpp:235:7:235:9 | ref arg m24 | TAINT |
-| map.cpp:235:19:235:23 | abc | map.cpp:235:11:235:17 | call to emplace | TAINT |
 | map.cpp:235:26:235:31 | call to source | map.cpp:235:7:235:9 | ref arg m24 | TAINT |
 | map.cpp:235:26:235:31 | call to source | map.cpp:235:11:235:17 | call to emplace | TAINT |
 | map.cpp:235:36:235:40 | first | map.cpp:235:7:235:40 | call to iterator |  |
@@ -1137,11 +1133,7 @@
 | map.cpp:237:24:237:26 | ref arg m25 | map.cpp:239:24:239:26 | m25 |  |
 | map.cpp:237:24:237:26 | ref arg m25 | map.cpp:240:7:240:9 | m25 |  |
 | map.cpp:237:24:237:26 | ref arg m25 | map.cpp:252:1:252:1 | m25 |  |
-| map.cpp:237:24:237:34 | call to iterator | map.cpp:237:7:237:9 | ref arg m25 | TAINT |
-| map.cpp:237:24:237:34 | call to iterator | map.cpp:237:11:237:22 | call to emplace_hint | TAINT |
 | map.cpp:237:28:237:32 | call to begin | map.cpp:237:24:237:34 | call to iterator | TAINT |
-| map.cpp:237:37:237:41 | abc | map.cpp:237:7:237:9 | ref arg m25 | TAINT |
-| map.cpp:237:37:237:41 | abc | map.cpp:237:11:237:22 | call to emplace_hint | TAINT |
 | map.cpp:237:44:237:48 | def | map.cpp:237:7:237:9 | ref arg m25 | TAINT |
 | map.cpp:237:44:237:48 | def | map.cpp:237:11:237:22 | call to emplace_hint | TAINT |
 | map.cpp:238:7:238:9 | m25 | map.cpp:238:7:238:9 | call to map |  |
@@ -1151,11 +1143,7 @@
 | map.cpp:239:24:239:26 | ref arg m25 | map.cpp:239:7:239:9 | m25 |  |
 | map.cpp:239:24:239:26 | ref arg m25 | map.cpp:240:7:240:9 | m25 |  |
 | map.cpp:239:24:239:26 | ref arg m25 | map.cpp:252:1:252:1 | m25 |  |
-| map.cpp:239:24:239:34 | call to iterator | map.cpp:239:7:239:9 | ref arg m25 | TAINT |
-| map.cpp:239:24:239:34 | call to iterator | map.cpp:239:11:239:22 | call to emplace_hint | TAINT |
 | map.cpp:239:28:239:32 | call to begin | map.cpp:239:24:239:34 | call to iterator | TAINT |
-| map.cpp:239:37:239:41 | abc | map.cpp:239:7:239:9 | ref arg m25 | TAINT |
-| map.cpp:239:37:239:41 | abc | map.cpp:239:11:239:22 | call to emplace_hint | TAINT |
 | map.cpp:239:44:239:49 | call to source | map.cpp:239:7:239:9 | ref arg m25 | TAINT |
 | map.cpp:239:44:239:49 | call to source | map.cpp:239:11:239:22 | call to emplace_hint | TAINT |
 | map.cpp:240:7:240:9 | m25 | map.cpp:240:7:240:9 | call to map |  |
@@ -1755,16 +1743,12 @@
 | map.cpp:382:7:382:9 | ref arg m24 | map.cpp:384:7:384:9 | m24 |  |
 | map.cpp:382:7:382:9 | ref arg m24 | map.cpp:385:7:385:9 | m24 |  |
 | map.cpp:382:7:382:9 | ref arg m24 | map.cpp:438:1:438:1 | m24 |  |
-| map.cpp:382:19:382:23 | abc | map.cpp:382:7:382:9 | ref arg m24 | TAINT |
-| map.cpp:382:19:382:23 | abc | map.cpp:382:11:382:17 | call to emplace | TAINT |
 | map.cpp:382:26:382:30 | def | map.cpp:382:7:382:9 | ref arg m24 | TAINT |
 | map.cpp:382:26:382:30 | def | map.cpp:382:11:382:17 | call to emplace | TAINT |
 | map.cpp:382:33:382:37 | first | map.cpp:382:7:382:37 | call to iterator |  |
 | map.cpp:383:7:383:9 | m24 | map.cpp:383:7:383:9 | call to unordered_map |  |
 | map.cpp:384:7:384:9 | ref arg m24 | map.cpp:385:7:385:9 | m24 |  |
 | map.cpp:384:7:384:9 | ref arg m24 | map.cpp:438:1:438:1 | m24 |  |
-| map.cpp:384:19:384:23 | abc | map.cpp:384:7:384:9 | ref arg m24 | TAINT |
-| map.cpp:384:19:384:23 | abc | map.cpp:384:11:384:17 | call to emplace | TAINT |
 | map.cpp:384:26:384:31 | call to source | map.cpp:384:7:384:9 | ref arg m24 | TAINT |
 | map.cpp:384:26:384:31 | call to source | map.cpp:384:11:384:17 | call to emplace | TAINT |
 | map.cpp:384:36:384:40 | first | map.cpp:384:7:384:40 | call to iterator |  |
@@ -1781,11 +1765,7 @@
 | map.cpp:386:24:386:26 | ref arg m25 | map.cpp:388:24:388:26 | m25 |  |
 | map.cpp:386:24:386:26 | ref arg m25 | map.cpp:389:7:389:9 | m25 |  |
 | map.cpp:386:24:386:26 | ref arg m25 | map.cpp:438:1:438:1 | m25 |  |
-| map.cpp:386:24:386:34 | call to iterator | map.cpp:386:7:386:9 | ref arg m25 | TAINT |
-| map.cpp:386:24:386:34 | call to iterator | map.cpp:386:11:386:22 | call to emplace_hint | TAINT |
 | map.cpp:386:28:386:32 | call to begin | map.cpp:386:24:386:34 | call to iterator | TAINT |
-| map.cpp:386:37:386:41 | abc | map.cpp:386:7:386:9 | ref arg m25 | TAINT |
-| map.cpp:386:37:386:41 | abc | map.cpp:386:11:386:22 | call to emplace_hint | TAINT |
 | map.cpp:386:44:386:48 | def | map.cpp:386:7:386:9 | ref arg m25 | TAINT |
 | map.cpp:386:44:386:48 | def | map.cpp:386:11:386:22 | call to emplace_hint | TAINT |
 | map.cpp:387:7:387:9 | m25 | map.cpp:387:7:387:9 | call to unordered_map |  |
@@ -1795,11 +1775,7 @@
 | map.cpp:388:24:388:26 | ref arg m25 | map.cpp:388:7:388:9 | m25 |  |
 | map.cpp:388:24:388:26 | ref arg m25 | map.cpp:389:7:389:9 | m25 |  |
 | map.cpp:388:24:388:26 | ref arg m25 | map.cpp:438:1:438:1 | m25 |  |
-| map.cpp:388:24:388:34 | call to iterator | map.cpp:388:7:388:9 | ref arg m25 | TAINT |
-| map.cpp:388:24:388:34 | call to iterator | map.cpp:388:11:388:22 | call to emplace_hint | TAINT |
 | map.cpp:388:28:388:32 | call to begin | map.cpp:388:24:388:34 | call to iterator | TAINT |
-| map.cpp:388:37:388:41 | abc | map.cpp:388:7:388:9 | ref arg m25 | TAINT |
-| map.cpp:388:37:388:41 | abc | map.cpp:388:11:388:22 | call to emplace_hint | TAINT |
 | map.cpp:388:44:388:49 | call to source | map.cpp:388:7:388:9 | ref arg m25 | TAINT |
 | map.cpp:388:44:388:49 | call to source | map.cpp:388:11:388:22 | call to emplace_hint | TAINT |
 | map.cpp:389:7:389:9 | m25 | map.cpp:389:7:389:9 | call to unordered_map |  |
@@ -1973,8 +1949,6 @@
 | map.cpp:424:37:424:39 | call to unordered_map | map.cpp:438:1:438:1 | m33 |  |
 | map.cpp:425:7:425:9 | ref arg m33 | map.cpp:426:7:426:9 | m33 |  |
 | map.cpp:425:7:425:9 | ref arg m33 | map.cpp:438:1:438:1 | m33 |  |
-| map.cpp:425:19:425:24 | call to source | map.cpp:425:7:425:9 | ref arg m33 | TAINT |
-| map.cpp:425:19:425:24 | call to source | map.cpp:425:11:425:17 | call to emplace | TAINT |
 | map.cpp:425:29:425:33 | def | map.cpp:425:7:425:9 | ref arg m33 | TAINT |
 | map.cpp:425:29:425:33 | def | map.cpp:425:11:425:17 | call to emplace | TAINT |
 | map.cpp:425:36:425:40 | first | map.cpp:425:7:425:40 | call to iterator |  |
@@ -2015,13 +1989,11 @@
 | map.cpp:433:24:433:26 | m34 | map.cpp:433:28:433:32 | call to begin | TAINT |
 | map.cpp:433:24:433:26 | ref arg m34 | map.cpp:433:7:433:9 | m34 |  |
 | map.cpp:433:24:433:26 | ref arg m34 | map.cpp:438:1:438:1 | m34 |  |
-| map.cpp:433:24:433:34 | call to iterator | map.cpp:433:7:433:9 | ref arg m34 | TAINT |
-| map.cpp:433:24:433:34 | call to iterator | map.cpp:433:11:433:22 | call to emplace_hint | TAINT |
 | map.cpp:433:28:433:32 | call to begin | map.cpp:433:24:433:34 | call to iterator | TAINT |
-| map.cpp:433:37:433:41 | abc | map.cpp:433:7:433:9 | ref arg m34 | TAINT |
-| map.cpp:433:37:433:41 | abc | map.cpp:433:11:433:22 | call to emplace_hint | TAINT |
 | map.cpp:433:44:433:48 | def | map.cpp:433:7:433:9 | ref arg m34 | TAINT |
 | map.cpp:433:44:433:48 | def | map.cpp:433:11:433:22 | call to emplace_hint | TAINT |
+| map.cpp:434:7:434:9 | m35 | map.cpp:434:7:434:9 | ref arg m35 | TAINT |
+| map.cpp:434:7:434:9 | m35 | map.cpp:434:11:434:17 | call to emplace | TAINT |
 | map.cpp:434:7:434:9 | ref arg m35 | map.cpp:435:7:435:9 | m35 |  |
 | map.cpp:434:7:434:9 | ref arg m35 | map.cpp:436:7:436:9 | m35 |  |
 | map.cpp:434:7:434:9 | ref arg m35 | map.cpp:437:7:437:9 | m35 |  |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/map.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/map.cpp
@@ -422,15 +422,15 @@ void test_unordered_map()
 
 	// additional emplace test cases
 	std::unordered_map<char *, char *> m33;
-	sink(m33.emplace(source(), "def").first); // tainted
-	sink(m33); // tainted
+	sink(m33.emplace(source(), "def").first); // tainted [NOT DETECTED]
+	sink(m33); // tainted [NOT DETECTED]
 
 	std::unordered_map<char *, char *> m34, m35;
 	sink(m34.emplace(std::pair<char *, char *>("abc", "def")).first);
 	sink(m34);
 	sink(m34.emplace(std::pair<char *, char *>("abc", source())).first); // tainted
 	sink(m34); // tainted
-	sink(m34.emplace_hint(m34.begin(), "abc", "def")); // tainted
+	sink(m34.emplace_hint(m34.begin(), "abc", "def")); // tainted [NOT DETECTED]
 	sink(m35.emplace().first);
 	sink(m35);
 	sink(m35.emplace(std::pair<char *, char *>(source(), "def")).first); // tainted [NOT DETECTED]
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
@@ -159,9 +159,7 @@
 | map.cpp:419:7:419:41 | call to pair | map.cpp:419:33:419:38 | call to source |
 | map.cpp:420:7:420:9 | call to unordered_map | map.cpp:419:33:419:38 | call to source |
 | map.cpp:421:7:421:16 | call to pair | map.cpp:419:33:419:38 | call to source |
-| map.cpp:426:7:426:9 | call to unordered_map | map.cpp:425:19:425:24 | call to source |
 | map.cpp:432:7:432:9 | call to unordered_map | map.cpp:431:52:431:57 | call to source |
-| map.cpp:433:11:433:22 | call to emplace_hint | map.cpp:431:52:431:57 | call to source |
 | movableclass.cpp:44:8:44:9 | s1 | movableclass.cpp:39:21:39:26 | call to source |
 | movableclass.cpp:45:8:45:9 | s2 | movableclass.cpp:40:23:40:28 | call to source |
 | movableclass.cpp:46:8:46:9 | s3 | movableclass.cpp:42:8:42:13 | call to source |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
@@ -128,8 +128,6 @@
 | map.cpp:418:7:418:16 | map.cpp:416:30:416:35 | AST only |
 | map.cpp:420:7:420:9 | map.cpp:419:33:419:38 | AST only |
 | map.cpp:421:7:421:16 | map.cpp:419:33:419:38 | AST only |
-| map.cpp:425:7:425:40 | map.cpp:425:19:425:24 | IR only |
-| map.cpp:426:7:426:9 | map.cpp:425:19:425:24 | AST only |
 | map.cpp:431:7:431:67 | map.cpp:431:52:431:57 | IR only |
 | map.cpp:432:7:432:9 | map.cpp:431:52:431:57 | AST only |
 | movableclass.cpp:65:11:65:11 | movableclass.cpp:65:13:65:18 | AST only |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/test_ir.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/test_ir.expected
@@ -125,9 +125,7 @@
 | map.cpp:401:11:401:21 | call to try_emplace | map.cpp:401:43:401:48 | call to source |
 | map.cpp:416:7:416:41 | call to pair | map.cpp:416:30:416:35 | call to source |
 | map.cpp:419:7:419:41 | call to pair | map.cpp:419:33:419:38 | call to source |
-| map.cpp:425:7:425:40 | call to iterator | map.cpp:425:19:425:24 | call to source |
 | map.cpp:431:7:431:67 | call to iterator | map.cpp:431:52:431:57 | call to source |
-| map.cpp:433:11:433:22 | call to emplace_hint | map.cpp:431:52:431:57 | call to source |
 | movableclass.cpp:44:8:44:9 | s1 | movableclass.cpp:39:21:39:26 | call to source |
 | movableclass.cpp:45:8:45:9 | s2 | movableclass.cpp:40:23:40:28 | call to source |
 | movableclass.cpp:46:8:46:9 | s3 | movableclass.cpp:42:8:42:13 | call to source |

Original file line number	Diff line number	Diff line change
`@@ -60,10 +60,11 @@ class StdMapEmplace extends TaintFunction {`
`60`	`60`	`}`
`61`	`61`
`62`	`62`	`override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {`
`63`		`- // flow from any parameter to qualifier and return value`
`64`		`- // (here we assume taint flow from any constructor parameter to the constructed object)`
	`63`	`+ // flow from the last parameter (which may be the value part used to`
	`64`	`+ // construct a pair, or a pair to be copied / moved) to the qualifier and`
	`65`	`+ // return value.`
`65`	`66`	`// (where the return value is a pair, this should really flow just to the first part of it)`
`66`		`- input.isParameterDeref([0 .. getNumberOfParameters() - 1]) and`
	`67`	`+ input.isParameterDeref(getNumberOfParameters() - 1) and`
`67`	`68`	`(`
`68`	`69`	`output.isQualifierObject() or`
`69`	`70`	`output.isReturnValue()`