C++: add model for iter-returning functions

Robert Marsh · Robert Marsh · commit 6552499545ff · 2020-10-13T16:19:15.000-07:00
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/FlowVar.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/FlowVar.qll
@@ -801,9 +801,25 @@ module FlowVar_internal {
   }
 
   Expr getAnIteratorAccess(Variable collection) {
-    exists(Call c, SsaDefinition def, Variable iterator |
-      c.getQualifier() = collection.getAnAccess() and
-      c.getTarget() instanceof BeginOrEndFunction and
+    exists(
+      Call c, SsaDefinition def, Variable iterator, FunctionInput input, FunctionOutput output
+    |
+      c.getTarget().(GetIteratorFunction).getsIterator(input, output) and
+      (
+        (
+          input.isQualifierObject() or
+          input.isQualifierAddress()
+        ) and
+        c.getQualifier() = collection.getAnAccess()
+        or
+        exists(int index |
+          input.isParameter(index) or
+          input.isParameterDeref(index)
+        |
+          c.getArgument(index) = collection.getAnAccess()
+        )
+      ) and
+      output.isReturnValue() and
       def.getAnUltimateDefiningValue(iterator) = c and
       result = def.getAUse(iterator)
     )
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Iterator.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Iterator.qll
@@ -278,7 +278,7 @@ class IteratorArrayMemberOperator extends MemberFunction, TaintFunction, Iterato
  * A `begin` or `end` member function, or a related member function, that
  * returns an iterator.
  */
-class BeginOrEndFunction extends MemberFunction, TaintFunction {
+class BeginOrEndFunction extends MemberFunction, TaintFunction, GetIteratorFunction {
   BeginOrEndFunction() {
     this
         .hasName(["begin", "cbegin", "rbegin", "crbegin", "end", "cend", "rend", "crend",
@@ -290,4 +290,21 @@ class BeginOrEndFunction extends MemberFunction, TaintFunction {
     input.isQualifierObject() and
     output.isReturnValue()
   }
+
+  override predicate getsIterator(FunctionInput input, FunctionOutput output) {
+    input.isQualifierObject() and
+    output.isReturnValue()
+  }
+}
+
+class InserterIteratorFunction extends GetIteratorFunction {
+  InserterIteratorFunction() {
+    this.hasName(["front_inserter", "inserter", "back_inserter"]) and
+    this.getNamespace().hasName("std")
+  }
+
+  override predicate getsIterator(FunctionInput input, FunctionOutput output) {
+    input.isParameterDeref(0) and
+    output.isReturnValue()
+  }
 }
diff --git a/cpp/ql/src/semmle/code/cpp/models/interfaces/Iterator.qll b/cpp/ql/src/semmle/code/cpp/models/interfaces/Iterator.qll
@@ -15,3 +15,7 @@ import semmle.code.cpp.models.Models
  * can be used to write to the iterator's underlying collection.
  */
 abstract class IteratorReferenceFunction extends Function { }
+
+abstract class GetIteratorFunction extends Function {
+  abstract predicate getsIterator(FunctionInput input, FunctionOutput output);
+}
