Merge remote-tracking branch 'upstream/main' into SimpleRangeAnalysis-mul-constant

Author: jbj

change-notes/1.26/analysis-cpp.md

@@ -19,6 +19,6 @@ The following changes in version 1.26 affect C/C++ analysis in all applications.
 
 ## Changes to libraries
 
-* The models library now models more taint flows through `std::string`.
+* The models library now models many more taint flows through `std::string`.
 * The `SimpleRangeAnalysis` library now supports multiplications of the form
   `e1 * e2` and `x *= e2` when `e1` and `e2` are unsigned or constant.

cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll

@@ -8,10 +8,13 @@ class StdBasicString extends TemplateClass {
 }
 
 /**
- * The standard function `std::string.c_str`.
+ * The `std::string` functions `c_str` and  `data`.
  */
 class StdStringCStr extends TaintFunction {
-  StdStringCStr() { this.hasQualifiedName("std", "basic_string", "c_str") }
+  StdStringCStr() {
+    this.hasQualifiedName("std", "basic_string", "c_str") or
+    this.hasQualifiedName("std", "basic_string", "data")
+  }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from string itself (qualifier) to return value
@@ -40,12 +43,16 @@ class StdStringPlus extends TaintFunction {
 }
 
 /**
- * The `std::string` functions `operator+=` and `append`.
+ * The `std::string` functions `operator+=`, `append`, `insert` and
+ * `replace`. All of these functions combine the existing string
+ * with a new string (or character) from one of the arguments.
  */
 class StdStringAppend extends TaintFunction {
   StdStringAppend() {
     this.hasQualifiedName("std", "basic_string", "operator+=") or
-    this.hasQualifiedName("std", "basic_string", "append")
+    this.hasQualifiedName("std", "basic_string", "append") or
+    this.hasQualifiedName("std", "basic_string", "insert") or
+    this.hasQualifiedName("std", "basic_string", "replace")
   }
 
   /**
@@ -58,6 +65,35 @@ class StdStringAppend extends TaintFunction {
     getParameter(result).getType() = getDeclaringType().getTemplateArgument(0) // i.e. `std::basic_string::CharT`
   }
 
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // flow from string and parameter to string (qualifier) and return value
+    (
+      input.isQualifierObject() or
+      input.isParameterDeref(getAStringParameter())
+    ) and
+    (
+      output.isQualifierObject() or
+      output.isReturnValueDeref()
+    )
+  }
+}
+
+/**
+ * The standard function `std::string.assign`.
+ */
+class StdStringAssign extends TaintFunction {
+  StdStringAssign() { this.hasQualifiedName("std", "basic_string", "assign") }
+
+  /**
+   * Gets the index of a parameter to this function that is a string (or
+   * character).
+   */
+  int getAStringParameter() {
+    getParameter(result).getType() instanceof PointerType or
+    getParameter(result).getType() instanceof ReferenceType or
+    getParameter(result).getType() = getDeclaringType().getTemplateArgument(0) // i.e. `std::basic_string::CharT`
+  }
+
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from parameter to string itself (qualifier) and return value
     input.isParameterDeref(getAStringParameter()) and
@@ -67,3 +103,45 @@ class StdStringAppend extends TaintFunction {
     )
   }
 }
+
+/**
+ * The standard function `std::string.copy`.
+ */
+class StdStringCopy extends TaintFunction {
+  StdStringCopy() { this.hasQualifiedName("std", "basic_string", "copy") }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // copy(dest, num, pos)
+    input.isQualifierObject() and
+    output.isParameterDeref(0)
+  }
+}
+
+/**
+ * The standard function `std::string.substr`.
+ */
+class StdStringSubstr extends TaintFunction {
+  StdStringSubstr() { this.hasQualifiedName("std", "basic_string", "substr") }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // substr(pos, num)
+    input.isQualifierObject() and
+    output.isReturnValue()
+  }
+}
+
+/**
+ * The standard function `std::string.swap`.
+ */
+class StdStringSwap extends TaintFunction {
+  StdStringSwap() { this.hasQualifiedName("std", "basic_string", "swap") }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // str1.swap(str2)
+    input.isQualifierObject() and
+    output.isParameterDeref(0)
+    or
+    input.isParameterDeref(0) and
+    output.isQualifierObject()
+  }
+}

cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected

@@ -39,11 +39,14 @@ namespace std
 	class basic_string {
 	public:
 		typedef typename Allocator::size_type size_type;
+		static const size_type npos = -1;
 
 		explicit basic_string(const Allocator& a = Allocator());
 		basic_string(const charT* s, const Allocator& a = Allocator());
 
 		const charT* c_str() const;
+		charT* data() noexcept;
+		size_t length() const;
 
 		typedef std::iterator<random_access_iterator_tag, charT> iterator;
 		typedef std::iterator<random_access_iterator_tag, const charT> const_iterator;
@@ -60,6 +63,16 @@ namespace std
 		basic_string& append(const basic_string& str);
 		basic_string& append(const charT* s);
 		basic_string& append(size_type n, charT c);
+		basic_string& assign(const basic_string& str);
+		basic_string& assign(size_type n, charT c);
+		basic_string& insert(size_type pos, const basic_string& str);
+		basic_string& insert(size_type pos, size_type n, charT c);
+		basic_string& replace(size_type pos1, size_type n1, const basic_string& str);
+		basic_string& replace(size_type pos1, size_type n1, size_type n2, charT c);
+		size_type copy(charT* s, size_type n, size_type pos = 0) const;
+		void clear() noexcept;
+		basic_string substr(size_type pos = 0, size_type n = npos) const;
+		void swap(basic_string& s) noexcept/*(allocator_traits<Allocator>::propagate_on_container_swap::value || allocator_traits<Allocator>::is_always_equal::value)*/;
 	};
 
 	template<class charT, class traits, class Allocator> basic_string<charT, traits, Allocator> operator+(const basic_string<charT, traits, Allocator>& lhs, const basic_string<charT, traits, Allocator>& rhs);

cpp/ql/test/library-tests/dataflow/taint-tests/stl.h

@@ -184,3 +184,140 @@ void test_string_append() {
 		sink(s10); // tainted
 	}
 }
+
+void test_string_assign() {
+	std::string s1("hello");
+	std::string s2(source());
+	char c = ns_char::source();
+	std::string s3, s4, s5;
+	std::string s6(source());
+
+	sink(s3.assign(s1));
+	sink(s3);
+
+	sink(s4.assign(s2)); // tainted
+	sink(s4); // tainted
+
+	sink(s5.assign(10, c)); // tainted
+	sink(s5); // tainted
+
+	sink(s6.assign(s1));
+	sink(s6); // [FALSE POSITIVE]
+}
+
+void test_string_insert() {
+	std::string s1("hello");
+	std::string s2(source());
+	char c = ns_char::source();
+	std::string s3, s4, s5, s6;
+
+	s3 = s1;
+	sink(s3.insert(0, s1));
+	sink(s3);
+
+	s4 = s2;
+	sink(s4.insert(0, s1)); // tainted
+	sink(s4); // tainted
+
+	s5 = s1;
+	sink(s5.insert(0, s2)); // tainted
+	sink(s5); // tainted
+
+	s6 = s1;
+	sink(s6.insert(0, 10, c)); // tainted
+	sink(s6); // tainted
+}
+
+void test_string_replace() {
+	std::string s1("hello");
+	std::string s2(source());
+	char c = ns_char::source();
+	std::string s3, s4, s5, s6;
+
+	s3 = s1;
+	sink(s3.replace(1, 2, s1));
+	sink(s3);
+
+	s4 = s2;
+	sink(s4.replace(1, 2, s1)); // tainted
+	sink(s4); // tainted
+
+	s5 = s1;
+	sink(s5.replace(1, 2, s2)); // tainted
+	sink(s5); // tainted
+
+	s6 = s1;
+	sink(s6.replace(1, 2, 10, c)); // tainted
+	sink(s6); // tainted
+}
+
+void test_string_copy() {
+	char b1[1024] = {0};
+	char b2[1024] = {0};
+	std::string s1("hello");
+	std::string s2(source());
+
+	s1.copy(b1, s1.length(), 0);
+	sink(b1);
+
+	s2.copy(b2, s1.length(), 0);
+	sink(b2); // tainted
+}
+
+void test_string_swap() {
+	std::string s1("hello");
+	std::string s2(source());
+	std::string s3("world");
+	std::string s4(source());
+
+	sink(s1);
+	sink(s2); // tainted
+	sink(s3);
+	sink(s4); // tainted
+
+	s1.swap(s2);
+	s4.swap(s3);
+
+	sink(s1); // tainted
+	sink(s2); // [FALSE POSITIVE]
+	sink(s3); // tainted
+	sink(s4); // [FALSE POSITIVE]
+}
+
+void test_string_clear() {
+	std::string s1(source());
+	std::string s2(source());
+	std::string s3(source());
+
+	sink(s1); // tainted
+	sink(s2); // tainted
+	sink(s3); // tainted
+
+	s1.clear();
+	s2 = "";
+	s3 = s3;
+
+	sink(s1); // [FALSE POSITIVE]
+	sink(s2);
+	sink(s3); // tainted
+}
+
+void test_string_data()
+{
+	std::string a("123");
+	std::string b(source());
+
+	sink(a.data());
+	sink(b.data()); // tainted
+	sink(a.length());
+	sink(b.length());
+}
+
+void test_string_substr()
+{
+	std::string a("123");
+	std::string b(source());
+
+	sink(a.substr(0, a.length()));
+	sink(b.substr(0, b.length())); // tainted
+}

cpp/ql/test/library-tests/dataflow/taint-tests/string.cpp

@@ -60,6 +60,37 @@
 | string.cpp:171:8:171:9 | s8 | string.cpp:154:18:154:23 | call to source |
 | string.cpp:176:8:176:9 | s9 | string.cpp:174:13:174:18 | call to source |
 | string.cpp:184:8:184:10 | s10 | string.cpp:181:12:181:26 | call to source |
+| string.cpp:198:10:198:15 | call to assign | string.cpp:190:17:190:22 | call to source |
+| string.cpp:199:7:199:8 | s4 | string.cpp:190:17:190:22 | call to source |
+| string.cpp:201:10:201:15 | call to assign | string.cpp:191:11:191:25 | call to source |
+| string.cpp:202:7:202:8 | s5 | string.cpp:191:11:191:25 | call to source |
+| string.cpp:205:7:205:8 | s6 | string.cpp:193:17:193:22 | call to source |
+| string.cpp:219:10:219:15 | call to insert | string.cpp:210:17:210:22 | call to source |
+| string.cpp:220:7:220:8 | s4 | string.cpp:210:17:210:22 | call to source |
+| string.cpp:223:10:223:15 | call to insert | string.cpp:210:17:210:22 | call to source |
+| string.cpp:224:7:224:8 | s5 | string.cpp:210:17:210:22 | call to source |
+| string.cpp:227:10:227:15 | call to insert | string.cpp:211:11:211:25 | call to source |
+| string.cpp:228:7:228:8 | s6 | string.cpp:211:11:211:25 | call to source |
+| string.cpp:242:10:242:16 | call to replace | string.cpp:233:17:233:22 | call to source |
+| string.cpp:243:7:243:8 | s4 | string.cpp:233:17:233:22 | call to source |
+| string.cpp:246:10:246:16 | call to replace | string.cpp:233:17:233:22 | call to source |
+| string.cpp:247:7:247:8 | s5 | string.cpp:233:17:233:22 | call to source |
+| string.cpp:250:10:250:16 | call to replace | string.cpp:234:11:234:25 | call to source |
+| string.cpp:251:7:251:8 | s6 | string.cpp:234:11:234:25 | call to source |
+| string.cpp:264:7:264:8 | b2 | string.cpp:258:17:258:22 | call to source |
+| string.cpp:274:7:274:8 | s2 | string.cpp:269:17:269:22 | call to source |
+| string.cpp:276:7:276:8 | s4 | string.cpp:271:17:271:22 | call to source |
+| string.cpp:281:7:281:8 | s1 | string.cpp:269:17:269:22 | call to source |
+| string.cpp:282:7:282:8 | s2 | string.cpp:269:17:269:22 | call to source |
+| string.cpp:283:7:283:8 | s3 | string.cpp:271:17:271:22 | call to source |
+| string.cpp:284:7:284:8 | s4 | string.cpp:271:17:271:22 | call to source |
+| string.cpp:292:7:292:8 | s1 | string.cpp:288:17:288:22 | call to source |
+| string.cpp:293:7:293:8 | s2 | string.cpp:289:17:289:22 | call to source |
+| string.cpp:294:7:294:8 | s3 | string.cpp:290:17:290:22 | call to source |
+| string.cpp:300:7:300:8 | s1 | string.cpp:288:17:288:22 | call to source |
+| string.cpp:302:7:302:8 | s3 | string.cpp:290:17:290:22 | call to source |
+| string.cpp:311:9:311:12 | call to data | string.cpp:308:16:308:21 | call to source |
+| string.cpp:322:9:322:14 | call to substr | string.cpp:319:16:319:21 | call to source |
 | structlikeclass.cpp:35:8:35:9 | s1 | structlikeclass.cpp:29:22:29:27 | call to source |
 | structlikeclass.cpp:36:8:36:9 | s2 | structlikeclass.cpp:30:24:30:29 | call to source |
 | structlikeclass.cpp:37:8:37:9 | s3 | structlikeclass.cpp:29:22:29:27 | call to source |

cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected

@@ -57,6 +57,37 @@
 | string.cpp:171:8:171:9 | string.cpp:154:18:154:23 | AST only |
 | string.cpp:176:8:176:9 | string.cpp:174:13:174:18 | AST only |
 | string.cpp:184:8:184:10 | string.cpp:181:12:181:26 | AST only |
+| string.cpp:198:10:198:15 | string.cpp:190:17:190:22 | AST only |
+| string.cpp:199:7:199:8 | string.cpp:190:17:190:22 | AST only |
+| string.cpp:201:10:201:15 | string.cpp:191:11:191:25 | AST only |
+| string.cpp:202:7:202:8 | string.cpp:191:11:191:25 | AST only |
+| string.cpp:205:7:205:8 | string.cpp:193:17:193:22 | AST only |
+| string.cpp:219:10:219:15 | string.cpp:210:17:210:22 | AST only |
+| string.cpp:220:7:220:8 | string.cpp:210:17:210:22 | AST only |
+| string.cpp:223:10:223:15 | string.cpp:210:17:210:22 | AST only |
+| string.cpp:224:7:224:8 | string.cpp:210:17:210:22 | AST only |
+| string.cpp:227:10:227:15 | string.cpp:211:11:211:25 | AST only |
+| string.cpp:228:7:228:8 | string.cpp:211:11:211:25 | AST only |
+| string.cpp:242:10:242:16 | string.cpp:233:17:233:22 | AST only |
+| string.cpp:243:7:243:8 | string.cpp:233:17:233:22 | AST only |
+| string.cpp:246:10:246:16 | string.cpp:233:17:233:22 | AST only |
+| string.cpp:247:7:247:8 | string.cpp:233:17:233:22 | AST only |
+| string.cpp:250:10:250:16 | string.cpp:234:11:234:25 | AST only |
+| string.cpp:251:7:251:8 | string.cpp:234:11:234:25 | AST only |
+| string.cpp:264:7:264:8 | string.cpp:258:17:258:22 | AST only |
+| string.cpp:274:7:274:8 | string.cpp:269:17:269:22 | AST only |
+| string.cpp:276:7:276:8 | string.cpp:271:17:271:22 | AST only |
+| string.cpp:281:7:281:8 | string.cpp:269:17:269:22 | AST only |
+| string.cpp:282:7:282:8 | string.cpp:269:17:269:22 | AST only |
+| string.cpp:283:7:283:8 | string.cpp:271:17:271:22 | AST only |
+| string.cpp:284:7:284:8 | string.cpp:271:17:271:22 | AST only |
+| string.cpp:292:7:292:8 | string.cpp:288:17:288:22 | AST only |
+| string.cpp:293:7:293:8 | string.cpp:289:17:289:22 | AST only |
+| string.cpp:294:7:294:8 | string.cpp:290:17:290:22 | AST only |
+| string.cpp:300:7:300:8 | string.cpp:288:17:288:22 | AST only |
+| string.cpp:302:7:302:8 | string.cpp:290:17:290:22 | AST only |
+| string.cpp:311:9:311:12 | string.cpp:308:16:308:21 | AST only |
+| string.cpp:322:9:322:14 | string.cpp:319:16:319:21 | AST only |
 | structlikeclass.cpp:35:8:35:9 | structlikeclass.cpp:29:22:29:27 | AST only |
 | structlikeclass.cpp:36:8:36:9 | structlikeclass.cpp:30:24:30:29 | AST only |
 | structlikeclass.cpp:37:8:37:9 | structlikeclass.cpp:29:22:29:27 | AST only |

cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected

@@ -291,7 +291,7 @@ struct A {
 Point *NewAliasing(int x) {
   Point* p = new Point;
   Point* q = new Point;
-  int j = new A(new A(x))->i;
+  int j = (new A(new A(x)))->i;
   A* a = new A;
   return p;
 }
@@ -310,4 +310,4 @@ class ThisAliasTest {
   void setX(int arg) {
     this->x = arg;
   }
-};
+};