C++: Taint through char append.

Author: geoffw0

cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll

@@ -49,11 +49,13 @@ class StdStringAppend extends TaintFunction {
   }
 
   /**
-   * Gets the index of a parameter to this function that is a string.
+   * Gets the index of a parameter to this function that is a string (or
+   * character).
    */
   int getAStringParameter() {
     getParameter(result).getType() instanceof PointerType or
-    getParameter(result).getType() instanceof ReferenceType
+    getParameter(result).getType() instanceof ReferenceType or
+    getParameter(result).getType() = getDeclaringType().getTemplateArgument(0) // i.e. `std::basic_string::CharT`
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {

cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected

@@ -579,6 +579,13 @@
 | stl.cpp:366:3:366:4 | ref arg s9 | stl.cpp:367:8:367:9 | s9 |  |
 | stl.cpp:366:13:366:15 |   | stl.cpp:366:3:366:4 | ref arg s9 | TAINT |
 | stl.cpp:366:13:366:15 |   | stl.cpp:366:6:366:11 | call to append | TAINT |
+| stl.cpp:371:19:371:23 | abc | stl.cpp:371:19:371:24 | call to basic_string | TAINT |
+| stl.cpp:371:19:371:24 | call to basic_string | stl.cpp:374:3:374:5 | s10 |  |
+| stl.cpp:371:19:371:24 | call to basic_string | stl.cpp:375:8:375:10 | s10 |  |
+| stl.cpp:372:12:372:26 | call to source | stl.cpp:374:17:374:17 | c |  |
+| stl.cpp:374:3:374:5 | ref arg s10 | stl.cpp:375:8:375:10 | s10 |  |
+| stl.cpp:374:17:374:17 | c | stl.cpp:374:3:374:5 | ref arg s10 | TAINT |
+| stl.cpp:374:17:374:17 | c | stl.cpp:374:7:374:12 | call to append | TAINT |
 | structlikeclass.cpp:5:7:5:7 | Unknown literal | structlikeclass.cpp:5:7:5:7 | constructor init of field v | TAINT |
 | structlikeclass.cpp:5:7:5:7 | Unknown literal | structlikeclass.cpp:5:7:5:7 | constructor init of field v | TAINT |
 | structlikeclass.cpp:5:7:5:7 | this | structlikeclass.cpp:5:7:5:7 | constructor init of field v [pre-this] |  |

cpp/ql/test/library-tests/dataflow/taint-tests/stl.cpp

@@ -372,6 +372,6 @@ void test_string_append() {
 		char c = ns_char::source();
 
 		s10.append(1, c);
-		sink(s10); // tainted [NOT DETECTED]
+		sink(s10); // tainted
 	}
 }

cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected

@@ -62,6 +62,7 @@
 | stl.cpp:358:8:358:9 | s7 | stl.cpp:356:9:356:14 | call to source |
 | stl.cpp:362:8:362:9 | s8 | stl.cpp:345:18:345:23 | call to source |
 | stl.cpp:367:8:367:9 | s9 | stl.cpp:365:13:365:18 | call to source |
+| stl.cpp:375:8:375:10 | s10 | stl.cpp:372:12:372:26 | call to source |
 | structlikeclass.cpp:35:8:35:9 | s1 | structlikeclass.cpp:29:22:29:27 | call to source |
 | structlikeclass.cpp:36:8:36:9 | s2 | structlikeclass.cpp:30:24:30:29 | call to source |
 | structlikeclass.cpp:37:8:37:9 | s3 | structlikeclass.cpp:29:22:29:27 | call to source |

cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected

@@ -59,6 +59,7 @@
 | stl.cpp:358:8:358:9 | stl.cpp:356:9:356:14 | AST only |
 | stl.cpp:362:8:362:9 | stl.cpp:345:18:345:23 | AST only |
 | stl.cpp:367:8:367:9 | stl.cpp:365:13:365:18 | AST only |
+| stl.cpp:375:8:375:10 | stl.cpp:372:12:372:26 | AST only |
 | structlikeclass.cpp:35:8:35:9 | structlikeclass.cpp:29:22:29:27 | AST only |
 | structlikeclass.cpp:36:8:36:9 | structlikeclass.cpp:30:24:30:29 | AST only |
 | structlikeclass.cpp:37:8:37:9 | structlikeclass.cpp:29:22:29:27 | AST only |