
Commit ec3c156

C++: Model erase.
1 parent 8b91d50 commit ec3c156


5 files changed

+36
-2
lines changed


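--- a/cpp/ql/src/semmle/code/cpp/models/implementations/StdMap.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/StdMap.qll
@@ -87,3 +87,19 @@ class StdMapFind extends TaintFunction {
 output.isReturnValue()
 }
 }
+
+/**
+ * The standard map `erase` function.
+ */
+class StdMapErase extends TaintFunction {
+StdMapErase() {
+this.hasQualifiedName("std", ["map", "unordered_map"], "erase")
+}
+
+override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+// flow from qualifier to iterator return value
+getType().getUnderlyingType() instanceof Iterator and
+input.isQualifierObject() and
+output.isReturnValue()
+}
+}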
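Review bot: The doc comment on `StdMapErase` does not say which `erase` overloads carry flow, and the `Iterator` check in `hasTaintFlow` is the only place that information lives: only overloads whose return type is an iterator (the ones taking an iterator position or range) propagate taint, while the key-based overload returns a count and gets no flow. Suggest extending the comment to `* The standard map `erase` function. Taint flows from the map to the returned iterator; the key-based overload returns a count and carries no flow.` so a reader does not have to reverse-engineer the predicate. The iterator argument is not modelled as an input at all; the returned iterator refers into the same container as the qualifier, so qualifier-only flow looks sufficient, but it would help to state that choice in the comment. Whether this mirrors `StdMapFind` cannot be fully confirmed here, since only the tail of that class is visible above the added lines.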

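--- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -1123,6 +1123,7 @@
 | map.cpp:221:39:221:44 | call to source | map.cpp:221:13:221:57 | call to pair | TAINT |
 | map.cpp:221:49:221:54 | call to source | map.cpp:221:13:221:57 | call to pair | TAINT |
 | map.cpp:222:7:222:9 | m23 | map.cpp:222:7:222:9 | call to map | |
+| map.cpp:223:7:223:9 | m23 | map.cpp:223:11:223:15 | call to erase | TAINT |
 | map.cpp:223:7:223:9 | ref arg m23 | map.cpp:224:7:224:9 | m23 | |
 | map.cpp:223:7:223:9 | ref arg m23 | map.cpp:225:2:225:4 | m23 | |
 | map.cpp:223:7:223:9 | ref arg m23 | map.cpp:226:7:226:9 | m23 | |
@@ -1754,6 +1755,7 @@
 | map.cpp:370:39:370:44 | call to source | map.cpp:370:13:370:57 | call to pair | TAINT |
 | map.cpp:370:49:370:54 | call to source | map.cpp:370:13:370:57 | call to pair | TAINT |
 | map.cpp:371:7:371:9 | m23 | map.cpp:371:7:371:9 | call to unordered_map | |
+| map.cpp:372:7:372:9 | m23 | map.cpp:372:11:372:15 | call to erase | TAINT |
 | map.cpp:372:7:372:9 | ref arg m23 | map.cpp:373:7:373:9 | m23 | |
 | map.cpp:372:7:372:9 | ref arg m23 | map.cpp:374:2:374:4 | m23 | |
 | map.cpp:372:7:372:9 | ref arg m23 | map.cpp:375:7:375:9 | m23 | |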

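--- a/cpp/ql/test/library-tests/dataflow/taint-tests/map.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/map.cpp
@@ -220,7 +220,7 @@ void test_map()
 m23.insert(std::pair<char *, char *>(source(), source()));
 m23.insert(std::pair<char *, char *>(source(), source()));
 sink(m23); // tainted
-sink(m23.erase(m23.begin())); // tainted [NOT DETECTED]
+sink(m23.erase(m23.begin())); // tainted
 sink(m23); // tainted
 m23.clear();
 sink(m23); // [FALSE POSITIVE]
@@ -369,7 +369,7 @@ void test_unordered_map()
 m23.insert(std::pair<char *, char *>(source(), source()));
 m23.insert(std::pair<char *, char *>(source(), source()));
 sink(m23); // tainted
-sink(m23.erase(m23.begin())); // tainted [NOT DETECTED]
+sink(m23.erase(m23.begin())); // tainted
 sink(m23); // tainted
 m23.clear();
 sink(m23); // [FALSE POSITIVE]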

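--- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
@@ -99,6 +99,10 @@
 | map.cpp:222:7:222:9 | call to map | map.cpp:220:49:220:54 | call to source |
 | map.cpp:222:7:222:9 | call to map | map.cpp:221:39:221:44 | call to source |
 | map.cpp:222:7:222:9 | call to map | map.cpp:221:49:221:54 | call to source |
+| map.cpp:223:11:223:15 | call to erase | map.cpp:220:39:220:44 | call to source |
+| map.cpp:223:11:223:15 | call to erase | map.cpp:220:49:220:54 | call to source |
+| map.cpp:223:11:223:15 | call to erase | map.cpp:221:39:221:44 | call to source |
+| map.cpp:223:11:223:15 | call to erase | map.cpp:221:49:221:54 | call to source |
 | map.cpp:224:7:224:9 | call to map | map.cpp:220:39:220:44 | call to source |
 | map.cpp:224:7:224:9 | call to map | map.cpp:220:49:220:54 | call to source |
 | map.cpp:224:7:224:9 | call to map | map.cpp:221:39:221:44 | call to source |
@@ -160,6 +164,10 @@
 | map.cpp:371:7:371:9 | call to unordered_map | map.cpp:369:49:369:54 | call to source |
 | map.cpp:371:7:371:9 | call to unordered_map | map.cpp:370:39:370:44 | call to source |
 | map.cpp:371:7:371:9 | call to unordered_map | map.cpp:370:49:370:54 | call to source |
+| map.cpp:372:11:372:15 | call to erase | map.cpp:369:39:369:44 | call to source |
+| map.cpp:372:11:372:15 | call to erase | map.cpp:369:49:369:54 | call to source |
+| map.cpp:372:11:372:15 | call to erase | map.cpp:370:39:370:44 | call to source |
+| map.cpp:372:11:372:15 | call to erase | map.cpp:370:49:370:54 | call to source |
 | map.cpp:373:7:373:9 | call to unordered_map | map.cpp:369:39:369:44 | call to source |
 | map.cpp:373:7:373:9 | call to unordered_map | map.cpp:369:49:369:54 | call to source |
 | map.cpp:373:7:373:9 | call to unordered_map | map.cpp:370:39:370:44 | call to source |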

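--- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_ir.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_ir.expected
@@ -98,6 +98,10 @@
 | map.cpp:159:12:159:17 | second | map.cpp:105:39:105:44 | call to source |
 | map.cpp:165:7:165:27 | ... = ... | map.cpp:165:20:165:25 | call to source |
 | map.cpp:167:7:167:30 | ... = ... | map.cpp:167:23:167:28 | call to source |
+| map.cpp:223:11:223:15 | call to erase | map.cpp:220:39:220:44 | call to source |
+| map.cpp:223:11:223:15 | call to erase | map.cpp:220:49:220:54 | call to source |
+| map.cpp:223:11:223:15 | call to erase | map.cpp:221:39:221:44 | call to source |
+| map.cpp:223:11:223:15 | call to erase | map.cpp:221:49:221:54 | call to source |
 | map.cpp:257:7:257:54 | call to iterator | map.cpp:257:39:257:44 | call to source |
 | map.cpp:258:7:258:54 | call to iterator | map.cpp:258:32:258:37 | call to source |
 | map.cpp:259:10:259:15 | call to insert | map.cpp:259:62:259:67 | call to source |
@@ -118,6 +122,10 @@
 | map.cpp:311:12:311:17 | second | map.cpp:257:39:257:44 | call to source |
 | map.cpp:317:7:317:27 | ... = ... | map.cpp:317:20:317:25 | call to source |
 | map.cpp:319:7:319:30 | ... = ... | map.cpp:319:23:319:28 | call to source |
+| map.cpp:372:11:372:15 | call to erase | map.cpp:369:39:369:44 | call to source |
+| map.cpp:372:11:372:15 | call to erase | map.cpp:369:49:369:54 | call to source |
+| map.cpp:372:11:372:15 | call to erase | map.cpp:370:39:370:44 | call to source |
+| map.cpp:372:11:372:15 | call to erase | map.cpp:370:49:370:54 | call to source |
 | movableclass.cpp:44:8:44:9 | s1 | movableclass.cpp:39:21:39:26 | call to source |
 | movableclass.cpp:45:8:45:9 | s2 | movableclass.cpp:40:23:40:28 | call to source |
 | movableclass.cpp:46:8:46:9 | s3 | movableclass.cpp:42:8:42:13 | call to source |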
