C++: Add basic std::set models.

Author: geoffw0

cpp/ql/src/semmle/code/cpp/models/Models.qll

@@ -17,6 +17,7 @@ private import implementations.Strftime
 private import implementations.StdContainer
 private import implementations.StdPair
 private import implementations.StdMap
+private import implementations.StdSet
 private import implementations.StdString
 private import implementations.Swap
 private import implementations.GetDelim

cpp/ql/src/semmle/code/cpp/models/implementations/StdSet.qll

@@ -0,0 +1,84 @@
+/**
+ * Provides models for C++ containers `std::set` and `std::unordered_set`.
+ */
+
+import semmle.code.cpp.models.interfaces.Taint
+import semmle.code.cpp.models.implementations.Iterator
+
+/**
+ * The standard set `insert` and `insert_or_assign` functions.
+ */
+class StdSetInsert extends TaintFunction {
+  StdSetInsert() {
+    this.hasQualifiedName("std", ["set", "unordered_set"], "insert")
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // flow from last parameter to qualifier and return value
+    // (where the return value is a pair, this should really flow just to the first part of it)
+    input.isParameterDeref(getNumberOfParameters() - 1) and
+    (
+      output.isQualifierObject() or
+      output.isReturnValue()
+    )
+  }
+}
+
+/**
+ * The standard set `begin` and `end` functions and their
+ * variants.
+ */
+class StdSetBeginEnd extends TaintFunction {
+  StdSetBeginEnd() {
+    this.hasQualifiedName("std", ["set", "unordered_set"], ["begin", "end", "cbegin", "cend"])
+    or
+    this.hasQualifiedName("std", "set", ["rbegin", "crbegin", "rend", "crend"])
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    input.isQualifierObject() and
+    output.isReturnValue()
+  }
+}
+
+/**
+ * The standard set `swap` functions.
+ */
+class StdSetSwap extends TaintFunction {
+  StdSetSwap() { this.hasQualifiedName("std", ["set", "unordered_set"], "swap") }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // container1.swap(container2)
+    input.isQualifierObject() and
+    output.isParameterDeref(0)
+    or
+    input.isParameterDeref(0) and
+    output.isQualifierObject()
+  }
+}
+
+/**
+ * The standard set `find` function.
+ */
+class StdSetFind extends TaintFunction {
+  StdSetFind() { this.hasQualifiedName("std", ["set", "unordered_set"], "find") }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    input.isQualifierObject() and
+    output.isReturnValue()
+  }
+}
+
+/**
+ * The standard set `erase` function.
+ */
+class StdSetErase extends TaintFunction {
+  StdSetErase() { this.hasQualifiedName("std", ["set", "unordered_set"], "erase") }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // flow from qualifier to iterator return value
+    getType().getUnderlyingType() instanceof Iterator and
+    input.isQualifierObject() and
+    output.isReturnValue()
+  }
+}

cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected

@@ -17,38 +17,38 @@ void test_set()
 	std::set<char *> s1, s2, s3, s4, s5, s6;
 
 	sink(s1.insert("abc").first);
-	sink(s2.insert(source()).first); // tainted [NOT DETECTED]
+	sink(s2.insert(source()).first); // tainted
 	sink(s3.insert(s3.begin(), "abc"));
-	sink(s4.insert(s4.begin(), source())); // tainted [NOT DETECTED]
+	sink(s4.insert(s4.begin(), source())); // tainted
 	s5.insert(s1.begin(), s1.end());
 	s6.insert(s2.begin(), s2.end());
 	sink(s1);
-	sink(s2); // tainted [NOT DETECTED]
+	sink(s2); // tainted
 	sink(s3);
-	sink(s4); // tainted [NOT DETECTED]
+	sink(s4); // tainted
 	sink(s5);
-	sink(s6); // tainted [NOT DETECTED]
+	sink(s6); // tainted
 	sink(s1.find("abc"));
-	sink(s2.find("abc")); // tainted [NOT DETECTED]
+	sink(s2.find("abc")); // tainted
 	sink(s3.find("abc"));
-	sink(s4.find("abc")); // tainted [NOT DETECTED]
+	sink(s4.find("abc")); // tainted
 	sink(s5.find("abc"));
-	sink(s6.find("abc")); // tainted [NOT DETECTED]
+	sink(s6.find("abc")); // tainted
 
 	// copy constructors and assignment
 	std::set<char *> s7(s2);
 	std::set<char *> s8 = s2;
 	std::set<char *> s9(s2.begin(), s2.end());
 	std::set<char *> s10;
 	s10 = s2;
-	sink(s7); // tainted [NOT DETECTED]
-	sink(s8); // tainted [NOT DETECTED]
+	sink(s7); // tainted
+	sink(s8); // tainted
 	sink(s9); // tainted [NOT DETECTED]
-	sink(s10); // tainted [NOT DETECTED]
-	sink(s7.find("abc")); // tainted [NOT DETECTED]
-	sink(s8.find("abc")); // tainted [NOT DETECTED]
+	sink(s10); // tainted
+	sink(s7.find("abc")); // tainted
+	sink(s8.find("abc")); // tainted
 	sink(s9.find("abc")); // tainted [NOT DETECTED]
-	sink(s10.find("abc")); // tainted [NOT DETECTED]
+	sink(s10.find("abc")); // tainted
 
 	// iterators
 	std::set<char *>::iterator i1, i2;
@@ -58,7 +58,7 @@ void test_set()
 	}
 	for (i2 = s2.begin(); i2 != s2.end(); i2++)
 	{
-		sink(*i2); // tainted [NOT DETECTED]
+		sink(*i2); // tainted
 	}
 
 	// ranges
@@ -75,43 +75,43 @@ void test_set()
 	std::set<char *> s12, s13, s14, s15;
 	s12.insert(source());
 	s15.insert(source());
-	sink(s12); // tainted [NOT DETECTED]
+	sink(s12); // tainted
 	sink(s13);
 	sink(s14);
-	sink(s15); // tainted [NOT DETECTED]
+	sink(s15); // tainted
 	s12.swap(s13);
 	s14.swap(s15);
-	sink(s12);
-	sink(s13); // tainted [NOT DETECTED]
-	sink(s14); // tainted [NOT DETECTED]
-	sink(s15);
+	sink(s12); // [FALSE POSITIVE]
+	sink(s13); // tainted
+	sink(s14); // tainted
+	sink(s15); // [FALSE POSITIVE]
 
 	// merge
 	std::set<char *> s16, s17, s18, s19;
 	s16.insert(source());
 	s17.insert("abc");
 	s18.insert("def");
 	s19.insert(source());
-	sink(s16); // tainted [NOT DETECTED]
+	sink(s16); // tainted
 	sink(s17);
 	sink(s18);
-	sink(s19); // tainted [NOT DETECTED]
+	sink(s19); // tainted
 	s16.merge(s17);
 	s18.merge(s19);
-	sink(s16); // tainted [NOT DETECTED]
+	sink(s16); // tainted
 	sink(s17); // tainted [NOT DETECTED]
 	sink(s18); // tainted [NOT DETECTED]
-	sink(s19); // tainted [NOT DETECTED]
+	sink(s19); // tainted
 
 	// erase, clear
 	std::set<char *> s20;
 	s20.insert(source());
 	s20.insert(source());
-	sink(s20); // tainted [NOT DETECTED]
-	sink(s20.erase(s20.begin())); // tainted [NOT DETECTED]
-	sink(s20); // tainted [NOT DETECTED]
+	sink(s20); // tainted
+	sink(s20.erase(s20.begin())); // tainted
+	sink(s20); // tainted
 	s20.clear();
-	sink(s20);
+	sink(s20); // [FALSE POSITIVE]
 
 	// emplace, emplace_hint
 	std::set<char *> s21, s22;
@@ -131,38 +131,38 @@ void test_unordered_set()
 	std::unordered_set<char *> s1, s2, s3, s4, s5, s6;
 
 	sink(s1.insert("abc").first);
-	sink(s2.insert(source()).first); // tainted [NOT DETECTED]
+	sink(s2.insert(source()).first); // tainted
 	sink(s3.insert(s3.begin(), "abc"));
-	sink(s4.insert(s4.begin(), source())); // tainted [NOT DETECTED]
+	sink(s4.insert(s4.begin(), source())); // tainted
 	s5.insert(s1.begin(), s1.end());
 	s6.insert(s2.begin(), s2.end());
 	sink(s1);
-	sink(s2); // tainted [NOT DETECTED]
+	sink(s2); // tainted
 	sink(s3);
-	sink(s4); // tainted [NOT DETECTED]
+	sink(s4); // tainted
 	sink(s5);
-	sink(s6); // tainted [NOT DETECTED]
+	sink(s6); // tainted
 	sink(s1.find("abc"));
-	sink(s2.find("abc")); // tainted [NOT DETECTED]
+	sink(s2.find("abc")); // tainted
 	sink(s3.find("abc"));
-	sink(s4.find("abc")); // tainted [NOT DETECTED]
+	sink(s4.find("abc")); // tainted
 	sink(s5.find("abc"));
-	sink(s6.find("abc")); // tainted [NOT DETECTED]
+	sink(s6.find("abc")); // tainted
 
 	// copy constructors and assignment
 	std::unordered_set<char *> s7(s2);
 	std::unordered_set<char *> s8 = s2;
 	std::unordered_set<char *> s9(s2.begin(), s2.end());
 	std::unordered_set<char *> s10;
 	s10 = s2;
-	sink(s7); // tainted [NOT DETECTED]
-	sink(s8); // tainted [NOT DETECTED]
+	sink(s7); // tainted
+	sink(s8); // tainted
 	sink(s9); // tainted [NOT DETECTED]
-	sink(s10); // tainted [NOT DETECTED]
-	sink(s7.find("abc")); // tainted [NOT DETECTED]
-	sink(s8.find("abc")); // tainted [NOT DETECTED]
+	sink(s10); // tainted
+	sink(s7.find("abc")); // tainted
+	sink(s8.find("abc")); // tainted
 	sink(s9.find("abc")); // tainted [NOT DETECTED]
-	sink(s10.find("abc")); // tainted [NOT DETECTED]
+	sink(s10.find("abc")); // tainted
 
 	// iterators
 	std::unordered_set<char *>::iterator i1, i2;
@@ -172,7 +172,7 @@ void test_unordered_set()
 	}
 	for (i2 = s2.begin(); i2 != s2.end(); i2++)
 	{
-		sink(*i2); // tainted [NOT DETECTED]
+		sink(*i2); // tainted
 	}
 
 	// ranges
@@ -187,43 +187,43 @@ void test_unordered_set()
 	std::unordered_set<char *> s12, s13, s14, s15;
 	s12.insert(source());
 	s15.insert(source());
-	sink(s12); // tainted [NOT DETECTED]
+	sink(s12); // tainted
 	sink(s13);
 	sink(s14);
-	sink(s15); // tainted [NOT DETECTED]
+	sink(s15); // tainted
 	s12.swap(s13);
 	s14.swap(s15);
-	sink(s12);
-	sink(s13); // tainted [NOT DETECTED]
-	sink(s14); // tainted [NOT DETECTED]
-	sink(s15);
+	sink(s12); // [FALSE POSITIVE]
+	sink(s13); // tainted
+	sink(s14); // tainted
+	sink(s15); // [FALSE POSITIVE]
 
 	// merge
 	std::unordered_set<char *> s16, s17, s18, s19;
 	s16.insert(source());
 	s17.insert("abc");
 	s18.insert("def");
 	s19.insert(source());
-	sink(s16); // tainted [NOT DETECTED]
+	sink(s16); // tainted
 	sink(s17);
 	sink(s18);
-	sink(s19); // tainted [NOT DETECTED]
+	sink(s19); // tainted
 	s16.merge(s17);
 	s18.merge(s19);
-	sink(s16); // tainted [NOT DETECTED]
+	sink(s16); // tainted
 	sink(s17); // tainted [NOT DETECTED]
 	sink(s18); // tainted [NOT DETECTED]
-	sink(s19); // tainted [NOT DETECTED]
+	sink(s19); // tainted
 
 	// erase, clear
 	std::unordered_set<char *> s20;
 	s20.insert(source());
 	s20.insert(source());
-	sink(s20); // tainted [NOT DETECTED]
-	sink(s20.erase(s20.begin())); // tainted [NOT DETECTED]
-	sink(s20); // tainted [NOT DETECTED]
+	sink(s20); // tainted
+	sink(s20.erase(s20.begin())); // tainted
+	sink(s20); // tainted
 	s20.clear();
-	sink(s20);
+	sink(s20); // [FALSE POSITIVE]
 
 	// emplace, emplace_hint
 	std::unordered_set<char *> s21, s22;