
Commit 6c40e22

committed
C++: Support further reverse taint flows on things that return *this.
1 parent 018b0a5 commit 6c40e22


5 files changed

+20
-2
lines changed


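--- a/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll
@@ -164,6 +164,11 @@ class StdStringAppend extends TaintFunction {
 output.isQualifierObject() or
 output.isReturnValueDeref()
 )
+or
+// reverse flow from returned reference to the qualifier (for writes to
+// the result)
+input.isReturnValueDeref() and
+output.isQualifierObject()
 }
 }
 
@@ -199,6 +204,11 @@ class StdStringAssign extends TaintFunction {
 output.isQualifierObject() or
 output.isReturnValueDeref()
 )
+or
+// reverse flow from returned reference to the qualifier (for writes to
+// the result)
+input.isReturnValueDeref() and
+output.isQualifierObject()
 }
 }
 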
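Review bot: The new `or` disjunct is duplicated verbatim between StdStringAppend and StdStringAssign (both hunks in this section); it encodes a single fact — these member functions return `*this`, so taint written through the returned reference lands in the qualifier object — and would be easier to keep consistent as one shared predicate that both bodies call, rather than two copies to maintain. The comment would also be clearer stating the modeled semantics rather than the mechanism, e.g. `// these functions return *this: taint written through the returned reference also reaches the qualifier object`. The head of the enclosing predicate lies outside the hunk, so I am inferring from the `input`/`output` names that this is the TaintFunction `hasTaintFlow` body. Note that string.cpp:557 still carries `// [FALSE POSITIVE]` for `f` after this change, which is worth tracking in a follow-up.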
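--- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -1295,13 +1295,15 @@
 | string.cpp:530:10:530:10 | e | string.cpp:530:12:530:12 | call to operator+= | TAINT |
 | string.cpp:530:10:530:10 | ref arg e | string.cpp:536:8:536:8 | e | |
 | string.cpp:530:12:530:12 | call to operator+= | string.cpp:530:21:530:21 | call to operator+= | TAINT |
+| string.cpp:530:12:530:12 | ref arg call to operator+= | string.cpp:530:10:530:10 | ref arg e | TAINT |
 | string.cpp:530:15:530:18 | ee | string.cpp:530:10:530:10 | ref arg e | TAINT |
 | string.cpp:530:15:530:18 | ee | string.cpp:530:12:530:12 | call to operator+= | TAINT |
 | string.cpp:530:24:530:29 | call to source | string.cpp:530:12:530:12 | ref arg call to operator+= | TAINT |
 | string.cpp:530:24:530:29 | call to source | string.cpp:530:21:530:21 | call to operator+= | TAINT |
 | string.cpp:531:10:531:10 | f | string.cpp:531:12:531:12 | call to operator+= | TAINT |
 | string.cpp:531:10:531:10 | ref arg f | string.cpp:537:8:537:8 | f | |
 | string.cpp:531:12:531:12 | call to operator+= | string.cpp:531:25:531:25 | call to operator+= | TAINT |
+| string.cpp:531:12:531:12 | ref arg call to operator+= | string.cpp:531:10:531:10 | ref arg f | TAINT |
 | string.cpp:531:15:531:20 | call to source | string.cpp:531:10:531:10 | ref arg f | TAINT |
 | string.cpp:531:15:531:20 | call to source | string.cpp:531:12:531:12 | call to operator+= | TAINT |
 | string.cpp:531:28:531:31 | ff | string.cpp:531:12:531:12 | ref arg call to operator+= | TAINT |
@@ -1339,13 +1341,15 @@
 | string.cpp:549:27:549:34 | call to basic_string | string.cpp:549:18:549:18 | ref arg d | TAINT |
 | string.cpp:549:27:549:34 | call to basic_string | string.cpp:549:20:549:25 | call to assign | TAINT |
 | string.cpp:550:9:550:9 | ref arg e | string.cpp:556:8:556:8 | e | |
+| string.cpp:550:11:550:16 | ref arg call to assign | string.cpp:550:9:550:9 | ref arg e | TAINT |
 | string.cpp:550:18:550:21 | call to basic_string | string.cpp:550:9:550:9 | ref arg e | TAINT |
 | string.cpp:550:18:550:21 | call to basic_string | string.cpp:550:11:550:16 | call to assign | TAINT |
 | string.cpp:550:18:550:21 | ee | string.cpp:550:18:550:21 | call to basic_string | TAINT |
 | string.cpp:550:31:550:36 | call to source | string.cpp:550:31:550:38 | call to basic_string | TAINT |
 | string.cpp:550:31:550:38 | call to basic_string | string.cpp:550:11:550:16 | ref arg call to assign | TAINT |
 | string.cpp:550:31:550:38 | call to basic_string | string.cpp:550:24:550:29 | call to assign | TAINT |
 | string.cpp:551:9:551:9 | ref arg f | string.cpp:557:8:557:8 | f | |
+| string.cpp:551:11:551:16 | ref arg call to assign | string.cpp:551:9:551:9 | ref arg f | TAINT |
 | string.cpp:551:18:551:23 | call to source | string.cpp:551:18:551:25 | call to basic_string | TAINT |
 | string.cpp:551:18:551:25 | call to basic_string | string.cpp:551:9:551:9 | ref arg f | TAINT |
 | string.cpp:551:18:551:25 | call to basic_string | string.cpp:551:11:551:16 | call to assign | TAINT |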
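--- a/cpp/ql/test/library-tests/dataflow/taint-tests/string.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/string.cpp
@@ -533,7 +533,7 @@ void test_string_return_assign() {
 sink(b);
 sink(c); // tainted
 sink(d); // tainted
-sink(e); // tainted [NOT DETECTED]
+sink(e); // tainted
 sink(f); // tainted
 }
 
@@ -553,7 +553,7 @@ void test_string_return_assign() {
 sink(b);
 sink(c); // tainted
 sink(d); // tainted
-sink(e); // tainted [NOT DETECTED]
+sink(e); // tainted
 sink(f); // [FALSE POSITIVE]
 }
 }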
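--- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
@@ -148,11 +148,13 @@
 | string.cpp:531:25:531:25 | call to operator+= | string.cpp:531:15:531:20 | call to source |
 | string.cpp:534:8:534:8 | c | string.cpp:529:20:529:25 | call to source |
 | string.cpp:535:8:535:8 | d | string.cpp:529:20:529:25 | call to source |
+| string.cpp:536:8:536:8 | e | string.cpp:530:24:530:29 | call to source |
 | string.cpp:537:8:537:8 | f | string.cpp:531:15:531:20 | call to source |
 | string.cpp:549:11:549:16 | call to assign | string.cpp:549:27:549:32 | call to source |
 | string.cpp:550:24:550:29 | call to assign | string.cpp:550:31:550:36 | call to source |
 | string.cpp:554:8:554:8 | c | string.cpp:549:27:549:32 | call to source |
 | string.cpp:555:8:555:8 | d | string.cpp:549:27:549:32 | call to source |
+| string.cpp:556:8:556:8 | e | string.cpp:550:31:550:36 | call to source |
 | string.cpp:557:8:557:8 | f | string.cpp:551:18:551:23 | call to source |
 | structlikeclass.cpp:35:8:35:9 | s1 | structlikeclass.cpp:29:22:29:27 | call to source |
 | structlikeclass.cpp:36:8:36:9 | s2 | structlikeclass.cpp:30:24:30:29 | call to source |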
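--- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
@@ -158,11 +158,13 @@
 | string.cpp:531:25:531:25 | string.cpp:531:15:531:20 | AST only |
 | string.cpp:534:8:534:8 | string.cpp:529:20:529:25 | AST only |
 | string.cpp:535:8:535:8 | string.cpp:529:20:529:25 | AST only |
+| string.cpp:536:8:536:8 | string.cpp:530:24:530:29 | AST only |
 | string.cpp:537:8:537:8 | string.cpp:531:15:531:20 | AST only |
 | string.cpp:549:11:549:16 | string.cpp:549:27:549:32 | AST only |
 | string.cpp:550:24:550:29 | string.cpp:550:31:550:36 | AST only |
 | string.cpp:554:8:554:8 | string.cpp:549:27:549:32 | AST only |
 | string.cpp:555:8:555:8 | string.cpp:549:27:549:32 | AST only |
+| string.cpp:556:8:556:8 | string.cpp:550:31:550:36 | AST only |
 | string.cpp:557:8:557:8 | string.cpp:551:18:551:23 | AST only |
 | structlikeclass.cpp:35:8:35:9 | structlikeclass.cpp:29:22:29:27 | AST only |
 | structlikeclass.cpp:36:8:36:9 | structlikeclass.cpp:30:24:30:29 | AST only |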