1 file changed +10 -3 lines changed
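--- a/cpp/ql/src/semmle/code/cpp/models/implementations
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations
@@ -26,8 +26,7 @@ class StdStringCStr extends TaintFunction {
 class StdStringPlus extends TaintFunction {
  StdStringPlus ( ) {
  this .hasQualifiedName ( "std" , "operator+" ) and
- this .getParameter ( 0 ) .getType ( ) .getUnspecifiedType ( ) .( ReferenceType ) .getBaseType ( ) =
- any ( StdBasicString s ) .getAnInstantiation ( )
+ this .getUnspecifiedType ( ) = any ( StdBasicString s ) .getAnInstantiation ( )
  }
 
  override predicate hasTaintFlow ( FunctionInput input , FunctionOutput output ) {
@@ -49,9 +48,17 @@ class StdStringAppend extends TaintFunction {
  this .hasQualifiedName ( "std" , "basic_string" , "append" )
  }
 
+ /**
+ * Gets the index of a parameter to this function that is a string.
+ */
+ int getAStringParameter ( ) {
+ getParameter ( result ) .getType ( ) instanceof PointerType or
+ getParameter ( result ) .getType ( ) instanceof ReferenceType
+ }
+
  override predicate hasTaintFlow ( FunctionInput input , FunctionOutput output ) {
  // flow from parameter to string itself (qualifier) and return value
- input .isParameterDeref ( 0 ) and
+ input .isParameterDeref ( getAStringParameter ( ) ) and
  (
  output .isQualifierObject ( ) or
  output .isReturnValueDeref ( )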
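Review bot: `getAStringParameter()` in `StdStringAppend` tests `getParameter(result).getType()` directly, so a parameter declared through a typedef or with a top-level `const` would presumably match neither `PointerType` nor `ReferenceType`, and taint through that `append` overload would be dropped. The `StdStringPlus` constructor in this same change already compares on `getUnspecifiedType()`; doing the same here, `getParameter(result).getType().getUnspecifiedType() instanceof PointerType or`, would keep the two models consistent. The predicate also selects every pointer or reference parameter rather than only strings, and skips by-value sources such as a character argument, so the QLDoc would be more accurate as `Gets the index of a parameter to this function that is a pointer or reference, treated as string data.` A missed flow here is a false negative in every taint query built on this model, and the page shows only one changed file, so no test expectation appears to cover the newly matched overloads. The body of `hasTaintFlow` continues outside the hunk.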