Merge pull request #4201 from geoffw0/insert

C++: Model iterator versions of string and vector methods

Author: MathiasVP

change-notes/1.26/analysis-cpp.md

@@ -19,7 +19,7 @@ The following changes in version 1.26 affect C/C++ analysis in all applications.
 
 ## Changes to libraries
 
-* The models library now models some taint flows through `std::array`, `std::vector`, `std::deque`, `std::list` and `std::forward_list`.
+* The models library now models many taint flows through `std::array`, `std::vector`, `std::deque`, `std::list` and `std::forward_list`.
 * The models library now models many more taint flows through `std::string`.
 * The `SimpleRangeAnalysis` library now supports multiplications of the form
   `e1 * e2` and `x *= e2` when `e1` and `e2` are unsigned or constant.

cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll

@@ -3,6 +3,7 @@
  */
 
 import semmle.code.cpp.models.interfaces.Taint
+import semmle.code.cpp.models.implementations.Iterator
 
 /**
  * Additional model for standard container constructors that reference the
@@ -26,9 +27,17 @@ class StdSequenceContainerConstructor extends Constructor, TaintFunction {
       getDeclaringType().getTemplateArgument(0).(Type).getUnspecifiedType() // i.e. the `T` of this `std::vector<T>`
   }
 
+  /**
+   * Gets the index of a parameter to this function that is an iterator.
+   */
+  int getAnIteratorParameterIndex() { getParameter(result).getType() instanceof Iterator }
+
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // taint flow from any parameter of the value type to the returned object
-    input.isParameterDeref(getAValueTypeParameterIndex()) and
+    (
+      input.isParameterDeref(getAValueTypeParameterIndex()) or
+      input.isParameter(getAnIteratorParameterIndex())
+    ) and
     output.isReturnValue() // TODO: this should be `isQualifierObject` by our current definitions, but that flow is not yet supported.
   }
 }
@@ -88,6 +97,43 @@ class StdSequenceContainerFrontBack extends TaintFunction {
   }
 }
 
+/**
+ * The standard container functions `insert` and `insert_after`.
+ */
+class StdSequenceContainerInsert extends TaintFunction {
+  StdSequenceContainerInsert() {
+    this.hasQualifiedName("std", ["vector", "deque", "list"], "insert") or
+    this.hasQualifiedName("std", ["forward_list"], "insert_after")
+  }
+
+  /**
+   * Gets the index of a parameter to this function that is a reference to the
+   * value type of the container.
+   */
+  int getAValueTypeParameterIndex() {
+    getParameter(result).getUnspecifiedType().(ReferenceType).getBaseType() =
+      getDeclaringType().getTemplateArgument(0).(Type).getUnspecifiedType() // i.e. the `T` of this `std::vector<T>`
+  }
+
+  /**
+   * Gets the index of a parameter to this function that is an iterator.
+   */
+  int getAnIteratorParameterIndex() { getParameter(result).getType() instanceof Iterator }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // flow from parameter to container itself (qualifier) and return value
+    (
+      input.isQualifierObject() or
+      input.isParameterDeref(getAValueTypeParameterIndex()) or
+      input.isParameter(getAnIteratorParameterIndex())
+    ) and
+    (
+      output.isQualifierObject() or
+      output.isReturnValueDeref()
+    )
+  }
+}
+
 /**
  * The standard container function `assign`.
  */
@@ -105,13 +151,41 @@ class StdSequenceContainerAssign extends TaintFunction {
       getDeclaringType().getTemplateArgument(0).(Type).getUnspecifiedType() // i.e. the `T` of this `std::vector<T>`
   }
 
+  /**
+   * Gets the index of a parameter to this function that is an iterator.
+   */
+  int getAnIteratorParameterIndex() { getParameter(result).getType() instanceof Iterator }
+
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    // flow from parameter to string itself (qualifier) and return value
-    input.isParameterDeref(getAValueTypeParameterIndex()) and
+    // flow from parameter to container itself (qualifier)
+    (
+      input.isParameterDeref(getAValueTypeParameterIndex()) or
+      input.isParameter(getAnIteratorParameterIndex())
+    ) and
     output.isQualifierObject()
   }
 }
 
+/**
+ * The standard container `begin` and `end` functions and their
+ * variants.
+ */
+class StdSequenceContainerBeginEnd extends TaintFunction {
+  StdSequenceContainerBeginEnd() {
+    this
+        .hasQualifiedName("std", ["array", "vector", "deque", "list"],
+          ["begin", "cbegin", "rbegin", "crbegin", "end", "cend", "rend", "crend"]) or
+    this
+        .hasQualifiedName("std", "forward_list",
+          ["before_begin", "begin", "end", "cbefore_begin", "cbegin", "cend"])
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    input.isQualifierObject() and
+    output.isReturnValue()
+  }
+}
+
 /**
  * The standard container `swap` functions.
  */

cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll

@@ -14,6 +14,43 @@ class StdBasicString extends TemplateClass {
   StdBasicString() { this.hasQualifiedName("std", "basic_string") }
 }
 
+/**
+ * Additional model for `std::string` constructors that reference the character
+ * type of the container, or an iterator.  For example construction from
+ * iterators:
+ * ```
+ * std::string b(a.begin(), a.end());
+ * ```
+ */
+class StdStringConstructor extends Constructor, TaintFunction {
+  StdStringConstructor() { this.getDeclaringType().hasQualifiedName("std", "basic_string") }
+
+  /**
+   * Gets the index of a parameter to this function that is a string (or
+   * character).
+   */
+  int getAStringParameterIndex() {
+    getParameter(result).getType() instanceof PointerType or // e.g. `std::basic_string::CharT *`
+    getParameter(result).getType() instanceof ReferenceType or // e.g. `std::basic_string &`
+    getParameter(result).getUnspecifiedType() =
+      getDeclaringType().getTemplateArgument(0).(Type).getUnspecifiedType() // i.e. `std::basic_string::CharT`
+  }
+
+  /**
+   * Gets the index of a parameter to this function that is an iterator.
+   */
+  int getAnIteratorParameterIndex() { getParameter(result).getType() instanceof Iterator }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // taint flow from any parameter of the value type to the returned object
+    (
+      input.isParameterDeref(getAStringParameterIndex()) or
+      input.isParameter(getAnIteratorParameterIndex())
+    ) and
+    output.isReturnValue() // TODO: this should be `isQualifierObject` by our current definitions, but that flow is not yet supported.
+  }
+}
+
 /**
  * The `std::string` function `c_str`.
  */
@@ -79,8 +116,8 @@ class StdStringAppend extends TaintFunction {
    * character).
    */
   int getAStringParameterIndex() {
-    getParameter(result).getType() instanceof PointerType or
-    getParameter(result).getType() instanceof ReferenceType or
+    getParameter(result).getType() instanceof PointerType or // e.g. `std::basic_string::CharT *`
+    getParameter(result).getType() instanceof ReferenceType or // e.g. `std::basic_string &`
     getParameter(result).getUnspecifiedType() =
       getDeclaringType().getTemplateArgument(0).(Type).getUnspecifiedType() // i.e. `std::basic_string::CharT`
   }
@@ -115,15 +152,23 @@ class StdStringAssign extends TaintFunction {
    * character).
    */
   int getAStringParameterIndex() {
-    getParameter(result).getType() instanceof PointerType or
-    getParameter(result).getType() instanceof ReferenceType or
+    getParameter(result).getType() instanceof PointerType or // e.g. `std::basic_string::CharT *`
+    getParameter(result).getType() instanceof ReferenceType or // e.g. `std::basic_string &`
     getParameter(result).getUnspecifiedType() =
       getDeclaringType().getTemplateArgument(0).(Type).getUnspecifiedType() // i.e. `std::basic_string::CharT`
   }
 
+  /**
+   * Gets the index of a parameter to this function that is an iterator.
+   */
+  int getAnIteratorParameterIndex() { getParameter(result).getType() instanceof Iterator }
+
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from parameter to string itself (qualifier) and return value
-    input.isParameterDeref(getAStringParameterIndex()) and
+    (
+      input.isParameterDeref(getAStringParameterIndex()) or
+      input.isParameter(getAnIteratorParameterIndex())
+    ) and
     (
       output.isQualifierObject() or
       output.isReturnValueDeref()
@@ -137,14 +182,9 @@ class StdStringAssign extends TaintFunction {
  */
 class StdStringBeginEnd extends TaintFunction {
   StdStringBeginEnd() {
-    this.hasQualifiedName("std", "basic_string", "begin") or
-    this.hasQualifiedName("std", "basic_string", "cbegin") or
-    this.hasQualifiedName("std", "basic_string", "rbegin") or
-    this.hasQualifiedName("std", "basic_string", "crbegin") or
-    this.hasQualifiedName("std", "basic_string", "end") or
-    this.hasQualifiedName("std", "basic_string", "cend") or
-    this.hasQualifiedName("std", "basic_string", "rend") or
-    this.hasQualifiedName("std", "basic_string", "crend")
+    this
+        .hasQualifiedName("std", "basic_string",
+          ["begin", "cbegin", "rbegin", "crbegin", "end", "cend", "rend", "crend"])
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {