github
diff --git a/‎cpp/ql/src/semmle/code/cpp/models/Models.qll‎
Lines changed: 1 addition & 0 deletions b/‎cpp/ql/src/semmle/code/cpp/models/Models.qll‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎cpp/ql/src/semmle/code/cpp/models/implementations/StdMap.qll‎
Lines changed: 27 additions & 0 deletions b/‎cpp/ql/src/semmle/code/cpp/models/implementations/StdMap.qll‎
Lines changed: 27 additions & 0 deletions
diff --git a/‎cpp/ql/src/semmle/code/cpp/models/implementations/StdSet.qll‎
Lines changed: 92 additions & 0 deletions b/‎cpp/ql/src/semmle/code/cpp/models/implementations/StdSet.qll‎
Lines changed: 92 additions & 0 deletions
diff --git a/‎cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected‎
Lines changed: 937 additions & 0 deletions b/‎cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected‎
Lines changed: 937 additions & 0 deletions
diff --git a/‎cpp/ql/test/library-tests/dataflow/taint-tests/set.cpp‎
Lines changed: 238 additions & 0 deletions b/‎cpp/ql/test/library-tests/dataflow/taint-tests/set.cpp‎
Lines changed: 238 additions & 0 deletions
@@ -17,6 +17,7 @@ private import implementations.Strftime
 private import implementations.StdContainer
 private import implementations.StdPair
 private import implementations.StdMap
+private import implementations.StdSet
 private import implementations.StdString
 private import implementations.Swap
 private import implementations.GetDelim
 
@@ -5,6 +5,33 @@
 import semmle.code.cpp.models.interfaces.Taint
 import semmle.code.cpp.models.implementations.Iterator
 
+/**
+ * Additional model for map constructors using iterator inputs.
+ */
+class StdMapConstructor extends Constructor, TaintFunction {
+  StdMapConstructor() {
+    this.hasQualifiedName("std", "map", "map") or
+    this.hasQualifiedName("std", "unordered_map", "unordered_map")
+  }
+
+  /**
+   * Gets the index of a parameter to this function that is an iterator.
+   */
+  int getAnIteratorParameterIndex() {
+    getParameter(result).getUnspecifiedType() instanceof Iterator
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // taint flow from any parameter of an iterator type to the qualifier
+    input.isParameterDeref(getAnIteratorParameterIndex()) and
+    (
+      output.isReturnValue() // TODO: this is only needed for AST data flow, which treats constructors as returning the new object
+      or
+      output.isQualifierObject()
+    )
+  }
+}
+
 /**
  * The standard map `insert` and `insert_or_assign` functions.
  */
 
@@ -0,0 +1,92 @@
+/**
+ * Provides models for C++ containers `std::set` and `std::unordered_set`.
+ */
+
+import semmle.code.cpp.models.interfaces.Taint
+import semmle.code.cpp.models.implementations.Iterator
+
+/**
+ * Additional model for set constructors using iterator inputs.
+ */
+class StdSetConstructor extends Constructor, TaintFunction {
+  StdSetConstructor() {
+    this.hasQualifiedName("std", "set", "set") or
+    this.hasQualifiedName("std", "unordered_set", "unordered_set")
+  }
+
+  /**
+   * Gets the index of a parameter to this function that is an iterator.
+   */
+  int getAnIteratorParameterIndex() {
+    getParameter(result).getUnspecifiedType() instanceof Iterator
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // taint flow from any parameter of an iterator type to the qualifier
+    input.isParameterDeref(getAnIteratorParameterIndex()) and
+    (
+      output.isReturnValue() // TODO: this is only needed for AST data flow, which treats constructors as returning the new object
+      or
+      output.isQualifierObject()
+    )
+  }
+}
+
+/**
+ * The standard set `insert` and `insert_or_assign` functions.
+ */
+class StdSetInsert extends TaintFunction {
+  StdSetInsert() { this.hasQualifiedName("std", ["set", "unordered_set"], "insert") }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // flow from last parameter to qualifier and return value
+    // (where the return value is a pair, this should really flow just to the first part of it)
+    input.isParameterDeref(getNumberOfParameters() - 1) and
+    (
+      output.isQualifierObject() or
+      output.isReturnValue()
+    )
+  }
+}
+
+/**
+ * The standard set `swap` functions.
+ */
+class StdSetSwap extends TaintFunction {
+  StdSetSwap() { this.hasQualifiedName("std", ["set", "unordered_set"], "swap") }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // container1.swap(container2)
+    input.isQualifierObject() and
+    output.isParameterDeref(0)
+    or
+    input.isParameterDeref(0) and
+    output.isQualifierObject()
+  }
+}
+
+/**
+ * The standard set `find` function.
+ */
+class StdSetFind extends TaintFunction {
+  StdSetFind() { this.hasQualifiedName("std", ["set", "unordered_set"], "find") }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    input.isQualifierObject() and
+    output.isReturnValue()
+  }
+}
+
+/**
+ * The standard set `erase` function.
+ */
+class StdSetErase extends TaintFunction {
+  StdSetErase() { this.hasQualifiedName("std", ["set", "unordered_set"], "erase") }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // flow from qualifier to iterator return value
+    getType().getUnderlyingType() instanceof Iterator and
+    input.isQualifierObject() and
+    output.isReturnValue()
+  }
+}
@@ -0,0 +1,238 @@
+
+#include "stl.h"
+
+using namespace std;
+
+char *source();
+
+void sink(char *);
+void sink(std::set<char *>);
+void sink(std::set<char *>::iterator);
+void sink(std::unordered_set<char *>);
+void sink(std::unordered_set<char *>::iterator);
+
+void test_set()
+{
+	// insert, find
+	std::set<char *> s1, s2, s3, s4, s5, s6;
+
+	sink(s1.insert("abc").first);
+	sink(s2.insert(source()).first); // tainted
+	sink(s3.insert(s3.begin(), "abc"));
+	sink(s4.insert(s4.begin(), source())); // tainted
+	s5.insert(s1.begin(), s1.end());
+	s6.insert(s2.begin(), s2.end());
+	sink(s1);
+	sink(s2); // tainted
+	sink(s3);
+	sink(s4); // tainted
+	sink(s5);
+	sink(s6); // tainted
+	sink(s1.find("abc"));
+	sink(s2.find("abc")); // tainted
+	sink(s3.find("abc"));
+	sink(s4.find("abc")); // tainted
+	sink(s5.find("abc"));
+	sink(s6.find("abc")); // tainted
+
+	// copy constructors and assignment
+	std::set<char *> s7(s2);
+	std::set<char *> s8 = s2;
+	std::set<char *> s9(s2.begin(), s2.end());
+	std::set<char *> s10;
+	s10 = s2;
+	sink(s7); // tainted
+	sink(s8); // tainted
+	sink(s9); // tainted
+	sink(s10); // tainted
+	sink(s7.find("abc")); // tainted
+	sink(s8.find("abc")); // tainted
+	sink(s9.find("abc")); // tainted
+	sink(s10.find("abc")); // tainted
+
+	// iterators
+	std::set<char *>::iterator i1, i2;
+	for (i1 = s1.begin(); i1 != s1.end(); i1++)
+	{
+		sink(*i1);
+	}
+	for (i2 = s2.begin(); i2 != s2.end(); i2++)
+	{
+		sink(*i2); // tainted
+	}
+
+	// ranges
+	std::set<char *> s11;
+	s11.insert("a");
+	s11.insert(source());
+	s11.insert("c");
+	sink(s11.lower_bound("b")); // tainted [NOT DETECTED]
+	sink(s11.upper_bound("b")); // tainted [NOT DETECTED]
+	sink(s11.equal_range("b").first); // tainted [NOT DETECTED]
+	sink(s11.equal_range("b").second); // tainted [NOT DETECTED]
+
+	// swap
+	std::set<char *> s12, s13, s14, s15;
+	s12.insert(source());
+	s15.insert(source());
+	sink(s12); // tainted
+	sink(s13);
+	sink(s14);
+	sink(s15); // tainted
+	s12.swap(s13);
+	s14.swap(s15);
+	sink(s12); // [FALSE POSITIVE]
+	sink(s13); // tainted
+	sink(s14); // tainted
+	sink(s15); // [FALSE POSITIVE]
+
+	// merge
+	std::set<char *> s16, s17, s18, s19;
+	s16.insert(source());
+	s17.insert("abc");
+	s18.insert("def");
+	s19.insert(source());
+	sink(s16); // tainted
+	sink(s17);
+	sink(s18);
+	sink(s19); // tainted
+	s16.merge(s17);
+	s18.merge(s19);
+	sink(s16); // tainted
+	sink(s17); // tainted [NOT DETECTED]
+	sink(s18); // tainted [NOT DETECTED]
+	sink(s19); // tainted
+
+	// erase, clear
+	std::set<char *> s20;
+	s20.insert(source());
+	s20.insert(source());
+	sink(s20); // tainted
+	sink(s20.erase(s20.begin())); // tainted
+	sink(s20); // tainted
+	s20.clear();
+	sink(s20); // [FALSE POSITIVE]
+
+	// emplace, emplace_hint
+	std::set<char *> s21, s22;
+	sink(s21.emplace("abc").first);
+	sink(s21);
+	sink(s21.emplace(source()).first); // tainted [NOT DETECTED]
+	sink(s21); // tainted [NOT DETECTED]
+	sink(s22.emplace_hint(s22.begin(), "abc"));
+	sink(s22);
+	sink(s22.emplace_hint(s22.begin(), source())); // tainted [NOT DETECTED]
+	sink(s22); // tainted [NOT DETECTED]
+}
+
+void test_unordered_set()
+{
+	// insert, find
+	std::unordered_set<char *> s1, s2, s3, s4, s5, s6;
+
+	sink(s1.insert("abc").first);
+	sink(s2.insert(source()).first); // tainted
+	sink(s3.insert(s3.begin(), "abc"));
+	sink(s4.insert(s4.begin(), source())); // tainted
+	s5.insert(s1.begin(), s1.end());
+	s6.insert(s2.begin(), s2.end());
+	sink(s1);
+	sink(s2); // tainted
+	sink(s3);
+	sink(s4); // tainted
+	sink(s5);
+	sink(s6); // tainted
+	sink(s1.find("abc"));
+	sink(s2.find("abc")); // tainted
+	sink(s3.find("abc"));
+	sink(s4.find("abc")); // tainted
+	sink(s5.find("abc"));
+	sink(s6.find("abc")); // tainted
+
+	// copy constructors and assignment
+	std::unordered_set<char *> s7(s2);
+	std::unordered_set<char *> s8 = s2;
+	std::unordered_set<char *> s9(s2.begin(), s2.end());
+	std::unordered_set<char *> s10;
+	s10 = s2;
+	sink(s7); // tainted
+	sink(s8); // tainted
+	sink(s9); // tainted
+	sink(s10); // tainted
+	sink(s7.find("abc")); // tainted
+	sink(s8.find("abc")); // tainted
+	sink(s9.find("abc")); // tainted
+	sink(s10.find("abc")); // tainted
+
+	// iterators
+	std::unordered_set<char *>::iterator i1, i2;
+	for (i1 = s1.begin(); i1 != s1.end(); i1++)
+	{
+		sink(*i1);
+	}
+	for (i2 = s2.begin(); i2 != s2.end(); i2++)
+	{
+		sink(*i2); // tainted
+	}
+
+	// ranges
+	std::unordered_set<char *> s11;
+	s11.insert("a");
+	s11.insert(source());
+	s11.insert("c");
+	sink(s11.equal_range("b").first); // tainted [NOT DETECTED]
+	sink(s11.equal_range("b").second); // tainted [NOT DETECTED]
+
+	// swap
+	std::unordered_set<char *> s12, s13, s14, s15;
+	s12.insert(source());
+	s15.insert(source());
+	sink(s12); // tainted
+	sink(s13);
+	sink(s14);
+	sink(s15); // tainted
+	s12.swap(s13);
+	s14.swap(s15);
+	sink(s12); // [FALSE POSITIVE]
+	sink(s13); // tainted
+	sink(s14); // tainted
+	sink(s15); // [FALSE POSITIVE]
+
+	// merge
+	std::unordered_set<char *> s16, s17, s18, s19;
+	s16.insert(source());
+	s17.insert("abc");
+	s18.insert("def");
+	s19.insert(source());
+	sink(s16); // tainted
+	sink(s17);
+	sink(s18);
+	sink(s19); // tainted
+	s16.merge(s17);
+	s18.merge(s19);
+	sink(s16); // tainted
+	sink(s17); // tainted [NOT DETECTED]
+	sink(s18); // tainted [NOT DETECTED]
+	sink(s19); // tainted
+
+	// erase, clear
+	std::unordered_set<char *> s20;
+	s20.insert(source());
+	s20.insert(source());
+	sink(s20); // tainted
+	sink(s20.erase(s20.begin())); // tainted
+	sink(s20); // tainted
+	s20.clear();
+	sink(s20); // [FALSE POSITIVE]
+
+	// emplace, emplace_hint
+	std::unordered_set<char *> s21, s22;
+	sink(s21.emplace("abc").first);
+	sink(s21);
+	sink(s21.emplace(source()).first); // tainted [NOT DETECTED]
+	sink(s21); // tainted [NOT DETECTED]
+	sink(s22.emplace_hint(s22.begin(), "abc"));
+	sink(s22);
+	sink(s22.emplace_hint(s22.begin(), source())); // tainted [NOT DETECTED]
+	sink(s22); // tainted [NOT DETECTED]
+}