C++: Refactor StdContainer.qll.

criemen · web-flow · commit 86268d49ed97 · 2021-02-16T11:10:57.000Z
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll
@@ -5,6 +5,41 @@
 import semmle.code.cpp.models.interfaces.Taint
 import semmle.code.cpp.models.interfaces.Iterator
 
+/**
+ * The `std::array` template class.
+ */
+private class Array extends Class {
+  Array() { this.hasQualifiedName(["std", "bsl"], "array") }
+}
+
+/**
+ * The `std::deque` template class.
+ */
+private class Deque extends Class {
+  Deque() { this.hasQualifiedName(["std", "bsl"], "deque") }
+}
+
+/**
+ * The `std::forward_list` template class.
+ */
+private class ForwardList extends Class {
+  ForwardList() { this.hasQualifiedName(["std", "bsl"], "forward_list") }
+}
+
+/**
+ * The `std::list` template class.
+ */
+private class List extends Class {
+  List() { this.hasQualifiedName(["std", "bsl"], "list") }
+}
+
+/**
+ * The `std::vector` template class.
+ */
+private class Vector extends Class {
+  Vector() { this.hasQualifiedName(["std", "bsl"], "vector") }
+}
+
 /**
  * Additional model for standard container constructors that reference the
  * value type of the container (that is, the `T` in `std::vector<T>`).  For
@@ -15,7 +50,10 @@ import semmle.code.cpp.models.interfaces.Iterator
  */
 private class StdSequenceContainerConstructor extends Constructor, TaintFunction {
   StdSequenceContainerConstructor() {
-    this.getDeclaringType().hasQualifiedName("std", ["vector", "deque", "list", "forward_list"])
+    this.getDeclaringType() instanceof Vector or
+    this.getDeclaringType() instanceof Deque or
+    this.getDeclaringType() instanceof List or
+    this.getDeclaringType() instanceof ForwardList
   }
 
   /**
@@ -50,7 +88,13 @@ private class StdSequenceContainerConstructor extends Constructor, TaintFunction
  * The standard container function `data`.
  */
 private class StdSequenceContainerData extends TaintFunction {
-  StdSequenceContainerData() { this.hasQualifiedName("std", ["array", "vector"], "data") }
+  StdSequenceContainerData() {
+    this.hasName("data") and
+    (
+      this.getDeclaringType() instanceof Vector or
+      this.getDeclaringType() instanceof Array
+    )
+  }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from container itself (qualifier) to return value
@@ -69,8 +113,19 @@ private class StdSequenceContainerData extends TaintFunction {
  */
 private class StdSequenceContainerPush extends TaintFunction {
   StdSequenceContainerPush() {
-    this.hasQualifiedName("std", ["vector", "deque", "list"], "push_back") or
-    this.hasQualifiedName("std", ["deque", "list", "forward_list"], "push_front")
+    this.hasName("push_back") and
+    (
+      this.getDeclaringType() instanceof Array or
+      this.getDeclaringType() instanceof Deque or
+      this.getDeclaringType() instanceof List
+    )
+    or
+    this.hasName("push_front") and
+    (
+      this.getDeclaringType() instanceof Deque or
+      this.getDeclaringType() instanceof ForwardList or
+      this.getDeclaringType() instanceof List
+    )
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
@@ -85,8 +140,22 @@ private class StdSequenceContainerPush extends TaintFunction {
  */
 private class StdSequenceContainerFrontBack extends TaintFunction {
   StdSequenceContainerFrontBack() {
-    this.hasQualifiedName("std", ["array", "vector", "deque", "list", "forward_list"], "front") or
-    this.hasQualifiedName("std", ["array", "vector", "deque", "list"], "back")
+    this.hasName("front") and
+    (
+      this.getDeclaringType() instanceof Array or
+      this.getDeclaringType() instanceof Deque or
+      this.getDeclaringType() instanceof ForwardList or
+      this.getDeclaringType() instanceof List or
+      this.getDeclaringType() instanceof Vector
+    )
+    or
+    this.hasName("back") and
+    (
+      this.getDeclaringType() instanceof Array or
+      this.getDeclaringType() instanceof Deque or
+      this.getDeclaringType() instanceof List or
+      this.getDeclaringType() instanceof Vector
+    )
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
@@ -101,8 +170,15 @@ private class StdSequenceContainerFrontBack extends TaintFunction {
  */
 private class StdSequenceContainerInsert extends TaintFunction {
   StdSequenceContainerInsert() {
-    this.hasQualifiedName("std", ["vector", "deque", "list"], "insert") or
-    this.hasQualifiedName("std", "forward_list", "insert_after")
+    this.hasName("insert") and
+    (
+      this.getDeclaringType() instanceof Deque or
+      this.getDeclaringType() instanceof List or
+      this.getDeclaringType() instanceof Vector
+    )
+    or
+    this.hasName("insert_after") and
+    this.getDeclaringType() instanceof ForwardList
   }
 
   /**
@@ -138,7 +214,13 @@ private class StdSequenceContainerInsert extends TaintFunction {
  */
 private class StdSequenceContainerAssign extends TaintFunction {
   StdSequenceContainerAssign() {
-    this.hasQualifiedName("std", ["vector", "deque", "list", "forward_list"], "assign")
+    this.hasName("assign") and
+    (
+      this.getDeclaringType() instanceof Deque or
+      this.getDeclaringType() instanceof ForwardList or
+      this.getDeclaringType() instanceof List or
+      this.getDeclaringType() instanceof Vector
+    )
   }
 
   /**
@@ -170,7 +252,12 @@ private class StdSequenceContainerAssign extends TaintFunction {
  */
 private class StdSequenceContainerAt extends TaintFunction {
   StdSequenceContainerAt() {
-    this.hasQualifiedName("std", ["vector", "array", "deque"], ["at", "operator[]"])
+    this.hasName(["at", "operator[]"]) and
+    (
+      this.getDeclaringType() instanceof Array or
+      this.getDeclaringType() instanceof Deque or
+      this.getDeclaringType() instanceof Vector
+    )
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
@@ -188,7 +275,10 @@ private class StdSequenceContainerAt extends TaintFunction {
  * The standard vector `emplace` function.
  */
 class StdVectorEmplace extends TaintFunction {
-  StdVectorEmplace() { this.hasQualifiedName("std", "vector", "emplace") }
+  StdVectorEmplace() {
+    this.hasName("emplace") and
+    this.getDeclaringType() instanceof Vector
+  }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from any parameter except the position iterator to qualifier and return value
@@ -205,7 +295,10 @@ class StdVectorEmplace extends TaintFunction {
  * The standard vector `emplace_back` function.
  */
 class StdVectorEmplaceBack extends TaintFunction {
-  StdVectorEmplaceBack() { this.hasQualifiedName("std", "vector", "emplace_back") }
+  StdVectorEmplaceBack() {
+    this.hasName("emplace_back") and
+    this.getDeclaringType() instanceof Vector
+  }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from any parameter to qualifier
