Merge pull request #4345 from geoffw0/map

C++: Models for std::pair, std::map and std::unordered_map

Author: jbj

change-notes/1.26/analysis-cpp.md

@@ -25,5 +25,6 @@ The following changes in version 1.26 affect C/C++ analysis in all applications.
 * The models library now models many more taint flows through `std::string`.
 * The models library now models many taint flows through `std::istream` and `std::ostream`.
 * The models library now models some taint flows through `std::shared_ptr`, `std::unique_ptr`, `std::make_shared` and `std::make_unique`.
+* The models library now models some taint flows through `std::pair`, `std::map` and `std::unordered_map`.
 * The `SimpleRangeAnalysis` library now supports multiplications of the form
   `e1 * e2` and `x *= e2` when `e1` and `e2` are unsigned or constant.

cpp/ql/src/semmle/code/cpp/models/Models.qll

@@ -15,6 +15,8 @@ private import implementations.Strcpy
 private import implementations.Strdup
 private import implementations.Strftime
 private import implementations.StdContainer
+private import implementations.StdPair
+private import implementations.StdMap
 private import implementations.StdString
 private import implementations.Swap
 private import implementations.GetDelim

cpp/ql/src/semmle/code/cpp/models/implementations/StdMap.qll

@@ -0,0 +1,84 @@
+/**
+ * Provides models for C++ containers `std::map` and `std::unordered_map`.
+ */
+
+import semmle.code.cpp.models.interfaces.Taint
+import semmle.code.cpp.models.implementations.Iterator
+
+/**
+ * The standard map `insert` and `insert_or_assign` functions.
+ */
+class StdMapInsert extends TaintFunction {
+  StdMapInsert() {
+    this.hasQualifiedName("std", ["map", "unordered_map"], ["insert", "insert_or_assign"])
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // flow from last parameter to qualifier and return value
+    // (where the return value is a pair, this should really flow just to the first part of it)
+    input.isParameterDeref(getNumberOfParameters() - 1) and
+    (
+      output.isQualifierObject() or
+      output.isReturnValue()
+    )
+  }
+}
+
+/**
+ * The standard map `swap` functions.
+ */
+class StdMapSwap extends TaintFunction {
+  StdMapSwap() { this.hasQualifiedName("std", ["map", "unordered_map"], "swap") }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // container1.swap(container2)
+    input.isQualifierObject() and
+    output.isParameterDeref(0)
+    or
+    input.isParameterDeref(0) and
+    output.isQualifierObject()
+  }
+}
+
+/**
+ * The standard map functions `at` and `operator[]`.
+ */
+class StdMapAt extends TaintFunction {
+  StdMapAt() { this.hasQualifiedName("std", ["map", "unordered_map"], ["at", "operator[]"]) }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // flow from qualifier to referenced return value
+    input.isQualifierObject() and
+    output.isReturnValueDeref()
+    or
+    // reverse flow from returned reference to the qualifier
+    input.isReturnValueDeref() and
+    output.isQualifierObject()
+  }
+}
+
+/**
+ * The standard map `find` function.
+ */
+class StdMapFind extends TaintFunction {
+  StdMapFind() { this.hasQualifiedName("std", ["map", "unordered_map"], "find") }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    input.isQualifierObject() and
+    output.isReturnValue()
+  }
+}
+
+/**
+ * The standard map `erase` function.
+ */
+class StdMapErase extends TaintFunction {
+  StdMapErase() { this.hasQualifiedName("std", ["map", "unordered_map"], "erase") }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // flow from qualifier to iterator return value
+    getType().getUnderlyingType() instanceof Iterator and
+    input.isQualifierObject() and
+    output.isReturnValue()
+  }
+}

cpp/ql/src/semmle/code/cpp/models/implementations/StdPair.qll

@@ -0,0 +1,48 @@
+/**
+ * Provides models for the C++ `std::pair` class.
+ */
+
+import semmle.code.cpp.models.interfaces.Taint
+
+/**
+ * Additional model for `std::pair` constructors.
+ */
+class StdPairConstructor extends Constructor, TaintFunction {
+  StdPairConstructor() { this.hasQualifiedName("std", "pair", "pair") }
+
+  /**
+   * Gets the index of a parameter to this function that is a reference to
+   * either value type of the pair.
+   */
+  int getAValueTypeParameterIndex() {
+    getParameter(result).getUnspecifiedType().(ReferenceType).getBaseType() =
+      getDeclaringType().getTemplateArgument(_).(Type).getUnspecifiedType() // i.e. the `T1` or `T2` of this `std::pair<T1, T2>`
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // taint flow from second parameter of a value type to the qualifier
+    getAValueTypeParameterIndex() = 1 and
+    input.isParameterDeref(1) and
+    (
+      output.isReturnValue() // TODO: this is only needed for AST data flow, which treats constructors as returning the new object
+      or
+      output.isQualifierObject()
+    )
+  }
+}
+
+/**
+ * The standard pair `swap` function.
+ */
+class StdPairSwap extends TaintFunction {
+  StdPairSwap() { this.hasQualifiedName("std", "pair", "swap") }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // container1.swap(container2)
+    input.isQualifierObject() and
+    output.isParameterDeref(0)
+    or
+    input.isParameterDeref(0) and
+    output.isQualifierObject()
+  }
+}