C++: Fix getAValueTypeParameterIndex().

geoffw0 · geoffw0 · commit 865d91de805e · 2020-08-27T15:08:58.000+01:00
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll
@@ -101,10 +101,10 @@ class StdSequenceContainerAssign extends TaintFunction {
    * value type of the container.
    */
   int getAValueTypeParameterIndex() {
-    getParameter(result).getUnspecifiedType() = getDeclaringType().getTemplateArgument(0) // i.e. the `T` of this `std::vector<T>`
+    getParameter(result).getUnspecifiedType() = getDeclaringType().getTemplateArgument(0).(Type).getUnspecifiedType() // i.e. the `T` of this `std::vector<T>`
     or
     getParameter(result).getUnspecifiedType().(ReferenceType).getBaseType() =
-      getDeclaringType().getTemplateArgument(0)
+      getDeclaringType().getTemplateArgument(0).(Type).getUnspecifiedType()
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -2325,6 +2325,7 @@
 | vector.cpp:270:18:270:35 | call to source | vector.cpp:270:3:270:4 | ref arg v8 | TAINT |
 | vector.cpp:271:3:271:4 | ref arg v9 | vector.cpp:275:8:275:9 | v9 |  |
 | vector.cpp:271:3:271:4 | ref arg v9 | vector.cpp:276:2:276:2 | v9 |  |
+| vector.cpp:271:18:271:34 | call to source | vector.cpp:271:3:271:4 | ref arg v9 | TAINT |
 | vector.cpp:273:8:273:9 | ref arg v7 | vector.cpp:276:2:276:2 | v7 |  |
 | vector.cpp:274:8:274:9 | ref arg v8 | vector.cpp:276:2:276:2 | v8 |  |
 | vector.cpp:275:8:275:9 | ref arg v9 | vector.cpp:276:2:276:2 | v9 |  |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
@@ -245,6 +245,7 @@
 | vector.cpp:243:7:243:8 | v3 | vector.cpp:239:15:239:20 | call to source |
 | vector.cpp:273:8:273:9 | v7 | vector.cpp:269:18:269:31 | call to source |
 | vector.cpp:274:8:274:9 | v8 | vector.cpp:270:18:270:35 | call to source |
+| vector.cpp:275:8:275:9 | v9 | vector.cpp:271:18:271:34 | call to source |
 | vector.cpp:285:7:285:8 | v1 | vector.cpp:284:15:284:20 | call to source |
 | vector.cpp:286:10:286:13 | call to data | vector.cpp:284:15:284:20 | call to source |
 | vector.cpp:287:7:287:18 | access to array | vector.cpp:284:15:284:20 | call to source |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
@@ -181,6 +181,7 @@
 | vector.cpp:243:7:243:8 | vector.cpp:239:15:239:20 | AST only |
 | vector.cpp:273:8:273:9 | vector.cpp:269:18:269:31 | AST only |
 | vector.cpp:274:8:274:9 | vector.cpp:270:18:270:35 | AST only |
+| vector.cpp:275:8:275:9 | vector.cpp:271:18:271:34 | AST only |
 | vector.cpp:285:7:285:8 | vector.cpp:284:15:284:20 | AST only |
 | vector.cpp:286:10:286:13 | vector.cpp:284:15:284:20 | AST only |
 | vector.cpp:287:7:287:18 | vector.cpp:284:15:284:20 | AST only |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp
@@ -272,7 +272,7 @@ void test_vector_assign() {
 
 		sink(v7); // tainted
 		sink(v8); // tainted
-		sink(v9); // tainted [NOT DETECTED]
+		sink(v9); // tainted
 	}
 }
 

Original file line number	Diff line number	Diff line change
`@@ -272,7 +272,7 @@ void test_vector_assign() {`
`272`	`272`
`273`	`273`	`sink(v7); // tainted`
`274`	`274`	`sink(v8); // tainted`
`275`		`- sink(v9); // tainted [NOT DETECTED]`
	`275`	`+ sink(v9); // tainted`
`276`	`276`	`}`
`277`	`277`	`}`
`278`	`278`