C++: Flow through get, peek, read, readsome.

Author: geoffw0

cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll

@@ -345,6 +345,61 @@ class StdIStreamInNonMember extends DataFlowFunction, TaintFunction {
   }
 }
 
+/**
+ * The `std::istream` functions `get` (without parameters) and `peek`.
+ */
+class StdIStreamGet extends TaintFunction {
+  StdIStreamGet() {
+    this.hasQualifiedName("std", "basic_istream", ["get", "peek"]) and
+    this.getNumberOfParameters() = 0
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // flow from qualifier to return value
+    input.isQualifierObject() and
+    output.isReturnValue()
+  }
+}
+
+/**
+ * The `std::istream` functions `get` (with parameters) and `read`.
+ */
+class StdIStreamRead extends DataFlowFunction, TaintFunction {
+  StdIStreamRead() {
+    this.hasQualifiedName("std", "basic_istream", ["get", "read"]) and
+    this.getNumberOfParameters() > 0
+  }
+
+  override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
+    // flow from qualifier to return value
+    input.isQualifierObject() and
+    output.isReturnValue()
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // flow from qualifier to first parameter
+    input.isQualifierObject() and
+    output.isParameterDeref(0)
+    or
+    // reverse flow from returned reference to the qualifier
+    input.isReturnValueDeref() and
+    output.isQualifierObject()
+  }
+}
+
+/**
+ * The `std::istream` function `readsome`.
+ */
+class StdIStreamReadSome extends TaintFunction {
+  StdIStreamReadSome() { this.hasQualifiedName("std", "basic_istream", "readsome") }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // flow from qualifier to first parameter
+    input.isQualifierObject() and
+    output.isParameterDeref(0)
+  }
+}
+
 /**
  * The `std::basic_ostream` template class.
  */

cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected

@@ -1790,30 +1790,40 @@
 | stringstream.cpp:161:7:161:9 | ref arg ss1 | stringstream.cpp:174:12:174:14 | ss1 |  |
 | stringstream.cpp:161:7:161:9 | ref arg ss1 | stringstream.cpp:176:12:176:14 | ss1 |  |
 | stringstream.cpp:161:7:161:9 | ref arg ss1 | stringstream.cpp:178:7:178:9 | ss1 |  |
+| stringstream.cpp:161:7:161:9 | ss1 | stringstream.cpp:161:11:161:14 | call to read |  |
+| stringstream.cpp:161:7:161:9 | ss1 | stringstream.cpp:161:16:161:17 | ref arg b5 | TAINT |
 | stringstream.cpp:161:16:161:17 | ref arg b5 | stringstream.cpp:167:7:167:8 | b5 |  |
 | stringstream.cpp:162:7:162:9 | ref arg ss2 | stringstream.cpp:164:7:164:9 | ss2 |  |
 | stringstream.cpp:162:7:162:9 | ref arg ss2 | stringstream.cpp:166:7:166:9 | ss2 |  |
 | stringstream.cpp:162:7:162:9 | ref arg ss2 | stringstream.cpp:175:12:175:14 | ss2 |  |
 | stringstream.cpp:162:7:162:9 | ref arg ss2 | stringstream.cpp:177:12:177:14 | ss2 |  |
 | stringstream.cpp:162:7:162:9 | ref arg ss2 | stringstream.cpp:179:7:179:9 | ss2 |  |
+| stringstream.cpp:162:7:162:9 | ss2 | stringstream.cpp:162:11:162:14 | call to read |  |
+| stringstream.cpp:162:7:162:9 | ss2 | stringstream.cpp:162:16:162:17 | ref arg b6 | TAINT |
 | stringstream.cpp:162:16:162:17 | ref arg b6 | stringstream.cpp:168:7:168:8 | b6 |  |
 | stringstream.cpp:163:7:163:9 | ref arg ss1 | stringstream.cpp:165:7:165:9 | ss1 |  |
 | stringstream.cpp:163:7:163:9 | ref arg ss1 | stringstream.cpp:174:12:174:14 | ss1 |  |
 | stringstream.cpp:163:7:163:9 | ref arg ss1 | stringstream.cpp:176:12:176:14 | ss1 |  |
 | stringstream.cpp:163:7:163:9 | ref arg ss1 | stringstream.cpp:178:7:178:9 | ss1 |  |
+| stringstream.cpp:163:7:163:9 | ss1 | stringstream.cpp:163:20:163:21 | ref arg b7 | TAINT |
 | stringstream.cpp:163:20:163:21 | ref arg b7 | stringstream.cpp:169:7:169:8 | b7 |  |
 | stringstream.cpp:164:7:164:9 | ref arg ss2 | stringstream.cpp:166:7:166:9 | ss2 |  |
 | stringstream.cpp:164:7:164:9 | ref arg ss2 | stringstream.cpp:175:12:175:14 | ss2 |  |
 | stringstream.cpp:164:7:164:9 | ref arg ss2 | stringstream.cpp:177:12:177:14 | ss2 |  |
 | stringstream.cpp:164:7:164:9 | ref arg ss2 | stringstream.cpp:179:7:179:9 | ss2 |  |
+| stringstream.cpp:164:7:164:9 | ss2 | stringstream.cpp:164:20:164:21 | ref arg b8 | TAINT |
 | stringstream.cpp:164:20:164:21 | ref arg b8 | stringstream.cpp:170:7:170:8 | b8 |  |
 | stringstream.cpp:165:7:165:9 | ref arg ss1 | stringstream.cpp:174:12:174:14 | ss1 |  |
 | stringstream.cpp:165:7:165:9 | ref arg ss1 | stringstream.cpp:176:12:176:14 | ss1 |  |
 | stringstream.cpp:165:7:165:9 | ref arg ss1 | stringstream.cpp:178:7:178:9 | ss1 |  |
+| stringstream.cpp:165:7:165:9 | ss1 | stringstream.cpp:165:11:165:13 | call to get |  |
+| stringstream.cpp:165:7:165:9 | ss1 | stringstream.cpp:165:15:165:16 | ref arg b9 | TAINT |
 | stringstream.cpp:165:15:165:16 | ref arg b9 | stringstream.cpp:171:7:171:8 | b9 |  |
 | stringstream.cpp:166:7:166:9 | ref arg ss2 | stringstream.cpp:175:12:175:14 | ss2 |  |
 | stringstream.cpp:166:7:166:9 | ref arg ss2 | stringstream.cpp:177:12:177:14 | ss2 |  |
 | stringstream.cpp:166:7:166:9 | ref arg ss2 | stringstream.cpp:179:7:179:9 | ss2 |  |
+| stringstream.cpp:166:7:166:9 | ss2 | stringstream.cpp:166:11:166:13 | call to get |  |
+| stringstream.cpp:166:7:166:9 | ss2 | stringstream.cpp:166:15:166:17 | ref arg b10 | TAINT |
 | stringstream.cpp:166:15:166:17 | ref arg b10 | stringstream.cpp:172:7:172:9 | b10 |  |
 | stringstream.cpp:167:7:167:8 | b5 | stringstream.cpp:167:7:167:8 | call to basic_string | TAINT |
 | stringstream.cpp:168:7:168:8 | b6 | stringstream.cpp:168:7:168:8 | call to basic_string | TAINT |
@@ -1824,22 +1834,30 @@
 | stringstream.cpp:174:7:174:8 | c1 | stringstream.cpp:174:7:174:20 | ... = ... |  |
 | stringstream.cpp:174:12:174:14 | ref arg ss1 | stringstream.cpp:176:12:176:14 | ss1 |  |
 | stringstream.cpp:174:12:174:14 | ref arg ss1 | stringstream.cpp:178:7:178:9 | ss1 |  |
+| stringstream.cpp:174:12:174:14 | ss1 | stringstream.cpp:174:16:174:18 | call to get | TAINT |
 | stringstream.cpp:174:16:174:18 | call to get | stringstream.cpp:174:7:174:20 | ... = ... |  |
 | stringstream.cpp:174:16:174:18 | call to get | stringstream.cpp:180:7:180:8 | c1 |  |
 | stringstream.cpp:175:7:175:8 | c2 | stringstream.cpp:175:7:175:20 | ... = ... |  |
 | stringstream.cpp:175:12:175:14 | ref arg ss2 | stringstream.cpp:177:12:177:14 | ss2 |  |
 | stringstream.cpp:175:12:175:14 | ref arg ss2 | stringstream.cpp:179:7:179:9 | ss2 |  |
+| stringstream.cpp:175:12:175:14 | ss2 | stringstream.cpp:175:16:175:18 | call to get | TAINT |
 | stringstream.cpp:175:16:175:18 | call to get | stringstream.cpp:175:7:175:20 | ... = ... |  |
 | stringstream.cpp:175:16:175:18 | call to get | stringstream.cpp:181:7:181:8 | c2 |  |
 | stringstream.cpp:176:7:176:8 | c3 | stringstream.cpp:176:7:176:21 | ... = ... |  |
 | stringstream.cpp:176:12:176:14 | ref arg ss1 | stringstream.cpp:178:7:178:9 | ss1 |  |
+| stringstream.cpp:176:12:176:14 | ss1 | stringstream.cpp:176:16:176:19 | call to peek | TAINT |
 | stringstream.cpp:176:16:176:19 | call to peek | stringstream.cpp:176:7:176:21 | ... = ... |  |
 | stringstream.cpp:176:16:176:19 | call to peek | stringstream.cpp:182:7:182:8 | c3 |  |
 | stringstream.cpp:177:7:177:8 | c4 | stringstream.cpp:177:7:177:21 | ... = ... |  |
 | stringstream.cpp:177:12:177:14 | ref arg ss2 | stringstream.cpp:179:7:179:9 | ss2 |  |
+| stringstream.cpp:177:12:177:14 | ss2 | stringstream.cpp:177:16:177:19 | call to peek | TAINT |
 | stringstream.cpp:177:16:177:19 | call to peek | stringstream.cpp:177:7:177:21 | ... = ... |  |
 | stringstream.cpp:177:16:177:19 | call to peek | stringstream.cpp:183:7:183:8 | c4 |  |
+| stringstream.cpp:178:7:178:9 | ss1 | stringstream.cpp:178:11:178:13 | call to get |  |
+| stringstream.cpp:178:7:178:9 | ss1 | stringstream.cpp:178:15:178:16 | ref arg c5 | TAINT |
 | stringstream.cpp:178:15:178:16 | ref arg c5 | stringstream.cpp:184:7:184:8 | c5 |  |
+| stringstream.cpp:179:7:179:9 | ss2 | stringstream.cpp:179:11:179:13 | call to get |  |
+| stringstream.cpp:179:7:179:9 | ss2 | stringstream.cpp:179:15:179:16 | ref arg c6 | TAINT |
 | stringstream.cpp:179:15:179:16 | ref arg c6 | stringstream.cpp:185:7:185:8 | c6 |  |
 | stringstream.cpp:190:20:190:21 | call to basic_stringstream | stringstream.cpp:192:7:192:8 | ss |  |
 | stringstream.cpp:190:20:190:21 | call to basic_stringstream | stringstream.cpp:193:7:193:8 | ss |  |
@@ -1859,12 +1877,15 @@
 | stringstream.cpp:193:7:193:8 | ref arg ss | stringstream.cpp:195:7:195:8 | ss |  |
 | stringstream.cpp:193:7:193:8 | ref arg ss | stringstream.cpp:196:7:196:8 | ss |  |
 | stringstream.cpp:193:7:193:8 | ref arg ss | stringstream.cpp:197:7:197:8 | ss |  |
+| stringstream.cpp:193:7:193:8 | ss | stringstream.cpp:193:10:193:12 | call to get | TAINT |
 | stringstream.cpp:194:7:194:8 | ref arg ss | stringstream.cpp:195:7:195:8 | ss |  |
 | stringstream.cpp:194:7:194:8 | ref arg ss | stringstream.cpp:196:7:196:8 | ss |  |
 | stringstream.cpp:194:7:194:8 | ref arg ss | stringstream.cpp:197:7:197:8 | ss |  |
 | stringstream.cpp:195:7:195:8 | ref arg ss | stringstream.cpp:196:7:196:8 | ss |  |
 | stringstream.cpp:195:7:195:8 | ref arg ss | stringstream.cpp:197:7:197:8 | ss |  |
+| stringstream.cpp:195:7:195:8 | ss | stringstream.cpp:195:10:195:12 | call to get | TAINT |
 | stringstream.cpp:196:7:196:8 | ref arg ss | stringstream.cpp:197:7:197:8 | ss |  |
+| stringstream.cpp:197:7:197:8 | ss | stringstream.cpp:197:10:197:12 | call to get | TAINT |
 | structlikeclass.cpp:5:7:5:7 | Unknown literal | structlikeclass.cpp:5:7:5:7 | constructor init of field v | TAINT |
 | structlikeclass.cpp:5:7:5:7 | Unknown literal | structlikeclass.cpp:5:7:5:7 | constructor init of field v | TAINT |
 | structlikeclass.cpp:5:7:5:7 | this | structlikeclass.cpp:5:7:5:7 | constructor init of field v [pre-this] |  |

cpp/ql/test/library-tests/dataflow/taint-tests/stringstream.cpp

@@ -159,30 +159,30 @@ void test_stringstream_in()
 	sink(b4); // tainted
 
 	sink(ss1.read(b5, 100));
-	sink(ss2.read(b6, 100)); // tainted [NOT DETECTED]
+	sink(ss2.read(b6, 100)); // tainted
 	sink(ss1.readsome(b7, 100));
 	sink(ss2.readsome(b8, 100)); // (returns a length, not significantly tainted)
 	sink(ss1.get(b9, 100));
-	sink(ss2.get(b10, 100));
+	sink(ss2.get(b10, 100)); // tainted
 	sink(b5);
-	sink(b6); // tainted [NOT DETECTED]
+	sink(b6); // tainted
 	sink(b7);
-	sink(b8); // tainted [NOT DETECTED]
+	sink(b8); // tainted
 	sink(b9);
-	sink(b10); // tainted [NOT DETECTED]
+	sink(b10); // tainted
 
 	sink(c1 = ss1.get());
-	sink(c2 = ss2.get()); // tainted [NOT DETECTED]
+	sink(c2 = ss2.get()); // tainted
 	sink(c3 = ss1.peek());
-	sink(c4 = ss2.peek()); // tainted [NOT DETECTED]
+	sink(c4 = ss2.peek()); // tainted
 	sink(ss1.get(c5));
-	sink(ss2.get(c6)); // tainted [NOT DETECTED]
+	sink(ss2.get(c6)); // tainted
 	sink(c1);
-	sink(c2); // tainted [NOT DETECTED]
+	sink(c2); // tainted
 	sink(c3);
-	sink(c4); // tainted [NOT DETECTED]
+	sink(c4); // tainted
 	sink(c5);
-	sink(c6); // tainted [NOT DETECTED]
+	sink(c6); // tainted
 }
 
 void test_stringstream_putback()

cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected

@@ -209,6 +209,17 @@
 | stringstream.cpp:157:7:157:8 | call to basic_string | stringstream.cpp:143:14:143:19 | call to source |
 | stringstream.cpp:158:7:158:8 | call to basic_string | stringstream.cpp:143:14:143:19 | call to source |
 | stringstream.cpp:159:7:159:8 | call to basic_string | stringstream.cpp:143:14:143:19 | call to source |
+| stringstream.cpp:162:11:162:14 | call to read | stringstream.cpp:143:14:143:19 | call to source |
+| stringstream.cpp:166:11:166:13 | call to get | stringstream.cpp:143:14:143:19 | call to source |
+| stringstream.cpp:168:7:168:8 | call to basic_string | stringstream.cpp:143:14:143:19 | call to source |
+| stringstream.cpp:170:7:170:8 | call to basic_string | stringstream.cpp:143:14:143:19 | call to source |
+| stringstream.cpp:172:7:172:9 | call to basic_string | stringstream.cpp:143:14:143:19 | call to source |
+| stringstream.cpp:175:7:175:20 | ... = ... | stringstream.cpp:143:14:143:19 | call to source |
+| stringstream.cpp:177:7:177:21 | ... = ... | stringstream.cpp:143:14:143:19 | call to source |
+| stringstream.cpp:179:11:179:13 | call to get | stringstream.cpp:143:14:143:19 | call to source |
+| stringstream.cpp:181:7:181:8 | c2 | stringstream.cpp:143:14:143:19 | call to source |
+| stringstream.cpp:183:7:183:8 | c4 | stringstream.cpp:143:14:143:19 | call to source |
+| stringstream.cpp:185:7:185:8 | c6 | stringstream.cpp:143:14:143:19 | call to source |
 | structlikeclass.cpp:35:8:35:9 | s1 | structlikeclass.cpp:29:22:29:27 | call to source |
 | structlikeclass.cpp:36:8:36:9 | s2 | structlikeclass.cpp:30:24:30:29 | call to source |
 | structlikeclass.cpp:37:8:37:9 | s3 | structlikeclass.cpp:29:22:29:27 | call to source |

cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected

@@ -211,6 +211,17 @@
 | stringstream.cpp:157:7:157:8 | stringstream.cpp:143:14:143:21 | IR only |
 | stringstream.cpp:158:7:158:8 | stringstream.cpp:143:14:143:21 | IR only |
 | stringstream.cpp:159:7:159:8 | stringstream.cpp:143:14:143:19 | AST only |
+| stringstream.cpp:162:11:162:14 | stringstream.cpp:143:14:143:19 | AST only |
+| stringstream.cpp:166:11:166:13 | stringstream.cpp:143:14:143:19 | AST only |
+| stringstream.cpp:168:7:168:8 | stringstream.cpp:143:14:143:19 | AST only |
+| stringstream.cpp:170:7:170:8 | stringstream.cpp:143:14:143:19 | AST only |
+| stringstream.cpp:172:7:172:9 | stringstream.cpp:143:14:143:19 | AST only |
+| stringstream.cpp:175:7:175:20 | stringstream.cpp:143:14:143:19 | AST only |
+| stringstream.cpp:177:7:177:21 | stringstream.cpp:143:14:143:19 | AST only |
+| stringstream.cpp:179:11:179:13 | stringstream.cpp:143:14:143:19 | AST only |
+| stringstream.cpp:181:7:181:8 | stringstream.cpp:143:14:143:19 | AST only |
+| stringstream.cpp:183:7:183:8 | stringstream.cpp:143:14:143:19 | AST only |
+| stringstream.cpp:185:7:185:8 | stringstream.cpp:143:14:143:19 | AST only |
 | swap1.cpp:78:12:78:16 | swap1.cpp:69:23:69:23 | AST only |
 | swap1.cpp:87:13:87:17 | swap1.cpp:82:16:82:21 | AST only |
 | swap1.cpp:88:13:88:17 | swap1.cpp:81:27:81:28 | AST only |