C++: fix constructor models

Robert Marsh · Robert Marsh · commit c179a07fc7e6 · 2020-09-18T14:43:39.000-07:00
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll
@@ -38,9 +38,11 @@ class StdSequenceContainerConstructor extends Constructor, TaintFunction {
       input.isParameterDeref(getAValueTypeParameterIndex()) or
       input.isParameter(getAnIteratorParameterIndex())
     ) and
-    output.isReturnValue()
-    or
-    output.isQualifierObject()
+    (
+      output.isReturnValue() // TODO: this is only needed for AST data flow, which treats constructors as returning the new object
+      or
+      output.isQualifierObject()
+    )
   }
 }
 
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll
@@ -48,7 +48,7 @@ class StdStringConstructor extends Constructor, TaintFunction {
       input.isParameter(getAnIteratorParameterIndex())
     ) and
     (
-      output.isReturnValue()
+      output.isReturnValue() // TODO: this is only needed for AST data flow, which treats constructors as returning the new object
       or
       output.isQualifierObject()
     )
@@ -383,9 +383,11 @@ class StdStringStreamConstructor extends Constructor, TaintFunction {
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // taint flow from any parameter of string type to the returned object
     input.isParameterDeref(getAStringParameterIndex()) and
-    output.isReturnValue()
-    or
-    output.isQualifierObject()
+    (
+      output.isReturnValue() // TODO: this is only needed for AST data flow, which treats constructors as returning the new object
+      or
+      output.isQualifierObject()
+    )
   }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -38,9 +38,11 @@ class StdSequenceContainerConstructor extends Constructor, TaintFunction {`
`38`	`38`	`input.isParameterDeref(getAValueTypeParameterIndex()) or`
`39`	`39`	`input.isParameter(getAnIteratorParameterIndex())`
`40`	`40`	`) and`
`41`		`- output.isReturnValue()`
`42`		`- or`
`43`		`- output.isQualifierObject()`
	`41`	`+ (`
	`42`	`+ output.isReturnValue() // TODO: this is only needed for AST data flow, which treats constructors as returning the new object`
	`43`	`+ or`
	`44`	`+ output.isQualifierObject()`
	`45`	`+ )`
`44`	`46`	`}`
`45`	`47`	`}`
`46`	`48`
Original file line number	Diff line number	Diff line change
`@@ -48,7 +48,7 @@ class StdStringConstructor extends Constructor, TaintFunction {`
`48`	`48`	`input.isParameter(getAnIteratorParameterIndex())`
`49`	`49`	`) and`
`50`	`50`	`(`
`51`		`- output.isReturnValue()`
	`51`	`+ output.isReturnValue() // TODO: this is only needed for AST data flow, which treats constructors as returning the new object`
`52`	`52`	`or`
`53`	`53`	`output.isQualifierObject()`
`54`	`54`	`)`
`@@ -383,9 +383,11 @@ class StdStringStreamConstructor extends Constructor, TaintFunction {`
`383`	`383`	`override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {`
`384`	`384`	`// taint flow from any parameter of string type to the returned object`
`385`	`385`	`input.isParameterDeref(getAStringParameterIndex()) and`
`386`		`- output.isReturnValue()`
`387`		`- or`
`388`		`- output.isQualifierObject()`
	`386`	`+ (`
	`387`	`+ output.isReturnValue() // TODO: this is only needed for AST data flow, which treats constructors as returning the new object`
	`388`	`+ or`
	`389`	`+ output.isQualifierObject()`
	`390`	`+ )`
`389`	`391`	`}`
`390`	`392`	`}`
`391`	`393`