Merge branch 'main' into mathiasvp/read-step-without-memory-operands

Author: MathiasVP

cpp/ql/src/semmle/code/cpp/controlflow/SSAUtils.qll

@@ -73,8 +73,20 @@ private predicate addressTakenVariable(StackVariable var) {
   )
 }
 
+/**
+ * Holds if `v` is a stack-allocated reference-typed local variable. We don't
+ * build SSA for such variables since they are likely to change values even
+ * when not syntactically mentioned. For the same reason,
+ * `addressTakenVariable` is used to prevent tracking variables that may be
+ * aliased by such a reference.
+ *
+ * Reference-typed parameters are treated as if they weren't references.
+ * That's because it's in practice highly unlikely that they alias other data
+ * accessible from the function body.
+ */
 private predicate isReferenceVar(StackVariable v) {
-  v.getUnspecifiedType() instanceof ReferenceType
+  v.getUnspecifiedType() instanceof ReferenceType and
+  not v instanceof Parameter
 }
 
 /**

cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll

@@ -525,6 +525,19 @@ predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) {
     inner = nodeTo.(InnerPartialDefinitionNode).getPreUpdateNode().asExpr() and
     outer = nodeFrom.(PartialDefinitionNode).getPreUpdateNode().asExpr()
   )
+  or
+  // Reverse flow: data that flows from the post-update node of a reference
+  // returned by a function call, back into the qualifier of that function.
+  // This allows data to flow 'in' through references returned by a modeled
+  // function such as `operator[]`.
+  exists(DataFlowFunction f, Call call, FunctionInput inModel, FunctionOutput outModel |
+    call.getTarget() = f and
+    inModel.isReturnValueDeref() and
+    outModel.isQualifierObject() and
+    f.hasDataFlow(inModel, outModel) and
+    nodeFrom.(PostUpdateNode).getPreUpdateNode().asExpr() = call and
+    nodeTo.asDefiningArgument() = call.getQualifier()
+  )
 }
 
 /**

cpp/ql/src/semmle/code/cpp/models/Models.qll

@@ -4,6 +4,7 @@ private import implementations.Fread
 private import implementations.Gets
 private import implementations.IdentityFunction
 private import implementations.Inet
+private import implementations.Iterator
 private import implementations.MemberFunction
 private import implementations.Memcpy
 private import implementations.Memset

cpp/ql/src/semmle/code/cpp/models/implementations/Iterator.qll

@@ -0,0 +1,273 @@
+/**
+ * Provides implementation classes modeling C++ iterators, including
+ * `std::iterator`, `std::iterator_traits`, and types meeting the
+ * `LegacyIterator` named requirement. See `semmle.code.cpp.models.Models` for
+ * usage information.
+ */
+
+import cpp
+import semmle.code.cpp.models.interfaces.Taint
+import semmle.code.cpp.models.interfaces.DataFlow
+
+/**
+ * An instantiation of the `std::iterator_traits` template.
+ */
+class IteratorTraits extends Class {
+  IteratorTraits() {
+    this.hasQualifiedName("std", "iterator_traits") and
+    not this instanceof TemplateClass and
+    exists(TypedefType t |
+      this.getAMember() = t and
+      t.getName() = "iterator_category"
+    )
+  }
+
+  Type getIteratorType() { result = this.getTemplateArgument(0) }
+}
+
+/**
+ * A type which has the typedefs expected for an iterator.
+ */
+class IteratorByTypedefs extends Class {
+  IteratorByTypedefs() {
+    this.getAMember().(TypedefType).hasName("difference_type") and
+    this.getAMember().(TypedefType).hasName("value_type") and
+    this.getAMember().(TypedefType).hasName("pointer") and
+    this.getAMember().(TypedefType).hasName("reference") and
+    this.getAMember().(TypedefType).hasName("iterator_category") and
+    not this.hasQualifiedName("std", "iterator_traits")
+  }
+}
+
+/**
+ * The `std::iterator` class.
+ */
+class StdIterator extends Class {
+  StdIterator() { this.hasQualifiedName("std", "iterator") }
+}
+
+/**
+ * A type which can be used as an iterator
+ */
+class Iterator extends Type {
+  Iterator() {
+    this instanceof IteratorByTypedefs or
+    exists(IteratorTraits it | it.getIteratorType() = this) or
+    this instanceof StdIterator
+  }
+}
+
+private FunctionInput getIteratorArgumentInput(Operator op, int index) {
+  exists(Type t |
+    t =
+      op
+          .getACallToThisFunction()
+          .getArgument(index)
+          .getExplicitlyConverted()
+          .getType()
+          .stripTopLevelSpecifiers()
+  |
+    (
+      t instanceof Iterator or
+      t.(ReferenceType).getBaseType() instanceof Iterator
+    ) and
+    if op.getParameter(index).getUnspecifiedType() instanceof ReferenceType
+    then result.isParameterDeref(index)
+    else result.isParameter(index)
+  )
+}
+
+/**
+ * A non-member prefix `operator*` function for an iterator type.
+ */
+class IteratorPointerDereferenceOperator extends Operator, TaintFunction {
+  FunctionInput iteratorInput;
+
+  IteratorPointerDereferenceOperator() {
+    this.hasName("operator*") and
+    iteratorInput = getIteratorArgumentInput(this, 0)
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    input = iteratorInput and
+    output.isReturnValue()
+  }
+}
+
+/**
+ * A non-member `operator++` or `operator--` function for an iterator type.
+ */
+class IteratorCrementOperator extends Operator, DataFlowFunction {
+  FunctionInput iteratorInput;
+
+  IteratorCrementOperator() {
+    this.hasName(["operator++", "operator--"]) and
+    iteratorInput = getIteratorArgumentInput(this, 0)
+  }
+
+  override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
+    input = iteratorInput and
+    output.isReturnValue()
+  }
+}
+
+/**
+ * A non-member `operator+` function for an iterator type.
+ */
+class IteratorAddOperator extends Operator, TaintFunction {
+  FunctionInput iteratorInput;
+
+  IteratorAddOperator() {
+    this.hasName("operator+") and
+    iteratorInput = getIteratorArgumentInput(this, [0, 1])
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    input = iteratorInput and
+    output.isReturnValue()
+  }
+}
+
+/**
+ * A non-member `operator-` function that takes a pointer difference type as its second argument.
+ */
+class IteratorSubOperator extends Operator, TaintFunction {
+  FunctionInput iteratorInput;
+
+  IteratorSubOperator() {
+    this.hasName("operator-") and
+    iteratorInput = getIteratorArgumentInput(this, 0) and
+    this.getParameter(1).getUnspecifiedType() instanceof IntegralType // not an iterator difference
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    input = iteratorInput and
+    output.isReturnValue()
+  }
+}
+
+/**
+ * A non-member `operator+=` or `operator-=` function for an iterator type.
+ */
+class IteratorAssignArithmeticOperator extends Operator, DataFlowFunction, TaintFunction {
+  IteratorAssignArithmeticOperator() {
+    this.hasName(["operator+=", "operator-="]) and
+    this.getDeclaringType() instanceof Iterator
+  }
+
+  override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
+    input.isParameter(0) and
+    output.isReturnValue()
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    input.isParameterDeref(1) and
+    output.isParameterDeref(0)
+  }
+}
+
+/**
+ * A prefix `operator*` member function for an iterator type.
+ */
+class IteratorPointerDereferenceMemberOperator extends MemberFunction, TaintFunction {
+  IteratorPointerDereferenceMemberOperator() {
+    this.hasName("operator*") and
+    this.getDeclaringType() instanceof Iterator
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    input.isQualifierObject() and
+    output.isReturnValue()
+  }
+}
+
+/**
+ * An `operator++` or `operator--` member function for an iterator type.
+ */
+class IteratorCrementMemberOperator extends MemberFunction, DataFlowFunction, TaintFunction {
+  IteratorCrementMemberOperator() {
+    this.hasName(["operator++", "operator--"]) and
+    this.getDeclaringType() instanceof Iterator
+  }
+
+  override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
+    input.isQualifierAddress() and
+    output.isReturnValue()
+    or
+    input.isReturnValueDeref() and
+    output.isQualifierObject()
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    input.isQualifierObject() and
+    output.isReturnValueDeref()
+  }
+}
+
+/**
+ * A member `operator->` function for an iterator type.
+ */
+class IteratorFieldMemberOperator extends Operator, TaintFunction {
+  IteratorFieldMemberOperator() {
+    this.hasName("operator->") and
+    this.getDeclaringType() instanceof Iterator
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    input.isQualifierObject() and
+    output.isReturnValue()
+  }
+}
+
+/**
+ * An `operator+` or `operator-` member function of an iterator class.
+ */
+class IteratorBinaryArithmeticMemberOperator extends MemberFunction, TaintFunction {
+  IteratorBinaryArithmeticMemberOperator() {
+    this.hasName(["operator+", "operator-"]) and
+    this.getDeclaringType() instanceof Iterator
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    input.isQualifierObject() and
+    output.isReturnValue()
+  }
+}
+
+/**
+ * An `operator+=` or `operator-=` member function of an iterator class.
+ */
+class IteratorAssignArithmeticMemberOperator extends MemberFunction, DataFlowFunction, TaintFunction {
+  IteratorAssignArithmeticMemberOperator() {
+    this.hasName(["operator+=", "operator-="]) and
+    this.getDeclaringType() instanceof Iterator
+  }
+
+  override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
+    input.isQualifierAddress() and
+    output.isReturnValue()
+    or
+    input.isReturnValueDeref() and
+    output.isQualifierObject()
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    input.isQualifierObject() and
+    output.isReturnValueDeref()
+  }
+}
+
+/**
+ * An `operator[]` member function of an iterator class.
+ */
+class IteratorArrayMemberOperator extends MemberFunction, TaintFunction {
+  IteratorArrayMemberOperator() {
+    this.hasName("operator[]") and
+    this.getDeclaringType() instanceof Iterator
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    input.isQualifierObject() and
+    output.isReturnValue()
+  }
+}

cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll

@@ -1,4 +1,11 @@
+/**
+ * Provides implementation classes modeling `std::string` and other
+ * instantiations of`std::basic_string`. See `semmle.code.cpp.models.Models`
+ * for usage information.
+ */
+
 import semmle.code.cpp.models.interfaces.Taint
+import semmle.code.cpp.models.implementations.Iterator
 
 /**
  * The `std::basic_string` template class.
@@ -78,11 +85,17 @@ class StdStringAppend extends TaintFunction {
       getDeclaringType().getTemplateArgument(0).(Type).getUnspecifiedType() // i.e. `std::basic_string::CharT`
   }
 
+  /**
+   * Gets the index of a parameter to this function that is an iterator.
+   */
+  int getAnIteratorParameterIndex() { getParameter(result).getType() instanceof Iterator }
+
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from string and parameter to string (qualifier) and return value
     (
       input.isQualifierObject() or
-      input.isParameterDeref(getAStringParameterIndex())
+      input.isParameterDeref(getAStringParameterIndex()) or
+      input.isParameter(getAnIteratorParameterIndex())
     ) and
     (
       output.isQualifierObject() or
@@ -118,6 +131,28 @@ class StdStringAssign extends TaintFunction {
   }
 }
 
+/**
+ * The standard functions `std::string.begin` and `std::string.end` and their
+ * variants.
+ */
+class StdStringBeginEnd extends TaintFunction {
+  StdStringBeginEnd() {
+    this.hasQualifiedName("std", "basic_string", "begin") or
+    this.hasQualifiedName("std", "basic_string", "cbegin") or
+    this.hasQualifiedName("std", "basic_string", "rbegin") or
+    this.hasQualifiedName("std", "basic_string", "crbegin") or
+    this.hasQualifiedName("std", "basic_string", "end") or
+    this.hasQualifiedName("std", "basic_string", "cend") or
+    this.hasQualifiedName("std", "basic_string", "rend") or
+    this.hasQualifiedName("std", "basic_string", "crend")
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    input.isQualifierObject() and
+    output.isReturnValue()
+  }
+}
+
 /**
  * The standard function `std::string.copy`.
  */