C++: Model std::vector::data.

geoffw0 · geoffw0 · commit 6ae96baaf694 · 2020-08-27T10:08:58.000+01:00
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll
@@ -33,6 +33,19 @@ class StdSequenceContainerConstructor extends Constructor, TaintFunction {
   }
 }
 
+/**
+ * The standard container function `data`.
+ */
+class StdSequenceContainerData extends TaintFunction {
+  StdSequenceContainerData() { this.hasQualifiedName("std", ["array", "vector"], "data") }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // flow from container itself (qualifier) to return value
+    input.isQualifierObject() and
+    output.isReturnValueDeref()
+  }
+}
+
 /**
  * The standard container functions `push_back` and `push_front`.
  */
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -1864,6 +1864,7 @@
 | vector.cpp:74:2:74:3 | ref arg v6 | vector.cpp:75:7:75:8 | v6 |  |
 | vector.cpp:74:2:74:3 | ref arg v6 | vector.cpp:76:7:76:8 | v6 |  |
 | vector.cpp:74:2:74:3 | ref arg v6 | vector.cpp:101:1:101:1 | v6 |  |
+| vector.cpp:74:2:74:3 | v6 | vector.cpp:74:5:74:8 | call to data | TAINT |
 | vector.cpp:74:2:74:13 | access to array [post update] | vector.cpp:74:5:74:8 | call to data [inner post update] |  |
 | vector.cpp:74:2:74:24 | ... = ... | vector.cpp:74:2:74:13 | access to array [post update] |  |
 | vector.cpp:74:5:74:8 | call to data | vector.cpp:74:2:74:13 | access to array | TAINT |
@@ -1872,6 +1873,7 @@
 | vector.cpp:75:7:75:8 | ref arg v6 | vector.cpp:76:7:76:8 | v6 |  |
 | vector.cpp:75:7:75:8 | ref arg v6 | vector.cpp:101:1:101:1 | v6 |  |
 | vector.cpp:76:7:76:8 | ref arg v6 | vector.cpp:101:1:101:1 | v6 |  |
+| vector.cpp:76:7:76:8 | v6 | vector.cpp:76:10:76:13 | call to data | TAINT |
 | vector.cpp:76:10:76:13 | call to data | vector.cpp:76:7:76:18 | access to array | TAINT |
 | vector.cpp:76:17:76:17 | 2 | vector.cpp:76:7:76:18 | access to array | TAINT |
 | vector.cpp:79:33:79:34 | v7 | vector.cpp:80:41:80:43 | v7c |  |
@@ -2317,7 +2319,9 @@
 | vector.cpp:255:7:255:8 | ref arg v1 | vector.cpp:263:1:263:1 | v1 |  |
 | vector.cpp:256:7:256:8 | ref arg v1 | vector.cpp:257:7:257:8 | v1 |  |
 | vector.cpp:256:7:256:8 | ref arg v1 | vector.cpp:263:1:263:1 | v1 |  |
+| vector.cpp:256:7:256:8 | v1 | vector.cpp:256:10:256:13 | call to data | TAINT |
 | vector.cpp:257:7:257:8 | ref arg v1 | vector.cpp:263:1:263:1 | v1 |  |
+| vector.cpp:257:7:257:8 | v1 | vector.cpp:257:10:257:13 | call to data | TAINT |
 | vector.cpp:257:10:257:13 | call to data | vector.cpp:257:7:257:18 | access to array | TAINT |
 | vector.cpp:257:17:257:17 | 2 | vector.cpp:257:7:257:18 | access to array | TAINT |
 | vector.cpp:259:2:259:13 | * ... [post update] | vector.cpp:259:7:259:10 | call to data [inner post update] |  |
@@ -2326,13 +2330,16 @@
 | vector.cpp:259:4:259:5 | ref arg v2 | vector.cpp:261:7:261:8 | v2 |  |
 | vector.cpp:259:4:259:5 | ref arg v2 | vector.cpp:262:7:262:8 | v2 |  |
 | vector.cpp:259:4:259:5 | ref arg v2 | vector.cpp:263:1:263:1 | v2 |  |
+| vector.cpp:259:4:259:5 | v2 | vector.cpp:259:7:259:10 | call to data | TAINT |
 | vector.cpp:259:7:259:10 | call to data | vector.cpp:259:2:259:13 | * ... | TAINT |
 | vector.cpp:259:17:259:30 | call to source | vector.cpp:259:2:259:32 | ... = ... |  |
 | vector.cpp:260:7:260:8 | ref arg v2 | vector.cpp:261:7:261:8 | v2 |  |
 | vector.cpp:260:7:260:8 | ref arg v2 | vector.cpp:262:7:262:8 | v2 |  |
 | vector.cpp:260:7:260:8 | ref arg v2 | vector.cpp:263:1:263:1 | v2 |  |
 | vector.cpp:261:7:261:8 | ref arg v2 | vector.cpp:262:7:262:8 | v2 |  |
 | vector.cpp:261:7:261:8 | ref arg v2 | vector.cpp:263:1:263:1 | v2 |  |
+| vector.cpp:261:7:261:8 | v2 | vector.cpp:261:10:261:13 | call to data | TAINT |
 | vector.cpp:262:7:262:8 | ref arg v2 | vector.cpp:263:1:263:1 | v2 |  |
+| vector.cpp:262:7:262:8 | v2 | vector.cpp:262:10:262:13 | call to data | TAINT |
 | vector.cpp:262:10:262:13 | call to data | vector.cpp:262:7:262:18 | access to array | TAINT |
 | vector.cpp:262:17:262:17 | 2 | vector.cpp:262:7:262:18 | access to array | TAINT |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
@@ -239,3 +239,5 @@
 | vector.cpp:201:13:201:13 | call to operator[] | vector.cpp:200:14:200:19 | call to source |
 | vector.cpp:227:7:227:8 | v3 | vector.cpp:223:15:223:20 | call to source |
 | vector.cpp:255:7:255:8 | v1 | vector.cpp:254:15:254:20 | call to source |
+| vector.cpp:256:10:256:13 | call to data | vector.cpp:254:15:254:20 | call to source |
+| vector.cpp:257:7:257:18 | access to array | vector.cpp:254:15:254:20 | call to source |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
@@ -175,3 +175,5 @@
 | vector.cpp:201:13:201:13 | vector.cpp:200:14:200:19 | AST only |
 | vector.cpp:227:7:227:8 | vector.cpp:223:15:223:20 | AST only |
 | vector.cpp:255:7:255:8 | vector.cpp:254:15:254:20 | AST only |
+| vector.cpp:256:10:256:13 | vector.cpp:254:15:254:20 | AST only |
+| vector.cpp:257:7:257:18 | vector.cpp:254:15:254:20 | AST only |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp
@@ -253,8 +253,8 @@ void test_data_more() {
 
 	v1.push_back(source());
 	sink(v1); // tainted
-	sink(v1.data()); // tainted [NOT DETECTED]
-	sink(v1.data()[2]); // tainted [NOT DETECTED]
+	sink(v1.data()); // tainted
+	sink(v1.data()[2]); // tainted
 
 	*(v2.data()) = ns_int::source();
 	sink(v2); // tainted [NOT DETECTED]
