C++: Add a taint model for std::{shared, unique}_ptr<T>::get

Author: MathiasVP

cpp/ql/src/semmle/code/cpp/models/implementations/SmartPointer.qll

@@ -44,3 +44,18 @@ class UniqueOrSharedDereferenceMemberOperator extends MemberFunction, TaintFunct
     output.isReturnValueDeref()
   }
 }
+
+/**
+ * The `std::shared_ptr` or `std::unique_ptr` function `get`.
+ */
+class UniqueOrSharedGet extends TaintFunction {
+  UniqueOrSharedGet() {
+    this.hasName("get") and
+    this.getDeclaringType() instanceof UniqueOrSharedPtr
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    input.isQualifierObject() and
+    output.isReturnValue()
+  }
+}

cpp/ql/test/library-tests/dataflow/taint-tests/smart_pointer.cpp

@@ -45,4 +45,24 @@ void test_reverse_taint_unique() {
     *p = source();
     sink(p); // tainted [NOT DETECTED]
     sink(*p); // tainted [NOT DETECTED]
+}
+
+void test_shared_get() {
+    std::shared_ptr<int> p = std::make_shared<int>(source());
+    sink(p.get()); // tainted
+}
+
+void test_unique_get() {
+    std::unique_ptr<int> p = std::make_unique<int>(source());
+    sink(p.get()); // tainted
+}
+
+struct A {
+    int x, y;
+};
+
+void test_shared_field_member() {
+    std::unique_ptr<A> p = std::make_unique<A>(source(), 0);
+    sink(p->x); // tainted [NOT DETECTED]
+    sink(p->y); // not tainted
 }

cpp/ql/test/library-tests/dataflow/taint-tests/stl.h

@@ -241,6 +241,8 @@ namespace std {
 
 		T& operator*() const noexcept;
 		T* operator->() const noexcept;
+
+		T* get() const noexcept;
 	};
 
 	template<typename T>
@@ -254,6 +256,8 @@ namespace std {
 
 		T& operator*() const;
 		T* operator->() const noexcept;
+
+		T* get() const noexcept;
 	};
 
 	template<typename T, class... Args> unique_ptr<T> make_unique(Args&&...);

cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected

@@ -41,6 +41,8 @@
 | smart_pointer.cpp:13:10:13:10 | p | smart_pointer.cpp:11:52:11:57 | call to source |
 | smart_pointer.cpp:24:10:24:10 | call to operator* | smart_pointer.cpp:23:52:23:57 | call to source |
 | smart_pointer.cpp:25:10:25:10 | p | smart_pointer.cpp:23:52:23:57 | call to source |
+| smart_pointer.cpp:52:12:52:14 | call to get | smart_pointer.cpp:51:52:51:57 | call to source |
+| smart_pointer.cpp:57:12:57:14 | call to get | smart_pointer.cpp:56:52:56:57 | call to source |
 | standalone_iterators.cpp:40:10:40:10 | call to operator* | standalone_iterators.cpp:39:45:39:51 | source1 |
 | standalone_iterators.cpp:41:10:41:10 | call to operator* | standalone_iterators.cpp:39:45:39:51 | source1 |
 | standalone_iterators.cpp:42:10:42:10 | call to operator* | standalone_iterators.cpp:39:45:39:51 | source1 |