C++: Add isParameterDerefOrQualifierObject helper predicate to FunctionInput and FunctionOutput.

MathiasVP · MathiasVP · commit 4cb25d8e18bf · 2020-11-17T16:23:27.000+01:00
diff --git a/cpp/ql/src/semmle/code/cpp/models/interfaces/FunctionInputsAndOutputs.qll b/cpp/ql/src/semmle/code/cpp/models/interfaces/FunctionInputsAndOutputs.qll
@@ -132,6 +132,16 @@ class FunctionInput extends TFunctionInput {
    * part of itself, or one of its other inputs.
    */
   predicate isReturnValueDeref() { none() }
+
+  /**
+   * Holds if `i >= 0` and `isParameterDeref(i)` holds for this is value, or
+   * if `i = -1` and `isQualifierObject()` holds for this value.
+   */
+  final predicate isParameterDerefOrQualifierObject(ParameterIndex i) {
+    i >= 0 and this.isParameterDeref(i)
+    or
+    i = -1 and this.isQualifierObject()
+  }
 }
 
 /**
@@ -370,6 +380,16 @@ class FunctionOutput extends TFunctionOutput {
    * DEPRECATED: Use `isReturnValueDeref()` instead.
    */
   deprecated final predicate isOutReturnPointer() { isReturnValueDeref() }
+
+  /**
+   * Holds if `i >= 0` and `isParameterDeref(i)` holds for this is the value, or
+   * if `i = -1` and `isQualifierObject()` holds for this value.
+   */
+  final predicate isParameterDerefOrQualifierObject(ParameterIndex i) {
+    i >= 0 and this.isParameterDeref(i)
+    or
+    i = -1 and this.isQualifierObject()
+  }
 }
 
 /**
diff --git a/cpp/ql/src/semmle/code/cpp/security/FlowSources.qll b/cpp/ql/src/semmle/code/cpp/security/FlowSources.qll
@@ -46,7 +46,7 @@ private class RemoteParameterSource extends RemoteFlowSource {
       asInstruction() = instr and
       instr.getPrimaryInstruction().(CallInstruction).getStaticCallTarget() = func and
       func.hasRemoteFlowSource(output, sourceType) and
-      output.isParameterDeref(instr.getIndex())
+      output.isParameterDerefOrQualifierObject(instr.getIndex())
     )
   }
 
@@ -80,7 +80,7 @@ private class LocalParameterSource extends LocalFlowSource {
       asInstruction() = instr and
       instr.getPrimaryInstruction().(CallInstruction).getStaticCallTarget() = func and
       func.hasLocalFlowSource(output, sourceType) and
-      output.isParameterDeref(instr.getIndex())
+      output.isParameterDerefOrQualifierObject(instr.getIndex())
     )
   }
 

Original file line number	Diff line number	Diff line change
`@@ -46,7 +46,7 @@ private class RemoteParameterSource extends RemoteFlowSource {`
`46`	`46`	`asInstruction() = instr and`
`47`	`47`	`instr.getPrimaryInstruction().(CallInstruction).getStaticCallTarget() = func and`
`48`	`48`	`func.hasRemoteFlowSource(output, sourceType) and`
`49`		`- output.isParameterDeref(instr.getIndex())`
	`49`	`+ output.isParameterDerefOrQualifierObject(instr.getIndex())`
`50`	`50`	`)`
`51`	`51`	`}`
`52`	`52`
`@@ -80,7 +80,7 @@ private class LocalParameterSource extends LocalFlowSource {`
`80`	`80`	`asInstruction() = instr and`
`81`	`81`	`instr.getPrimaryInstruction().(CallInstruction).getStaticCallTarget() = func and`
`82`	`82`	`func.hasLocalFlowSource(output, sourceType) and`
`83`		`- output.isParameterDeref(instr.getIndex())`
	`83`	`+ output.isParameterDerefOrQualifierObject(instr.getIndex())`
`84`	`84`	`)`
`85`	`85`	`}`
`86`	`86`