C++: Add reverse taint as well.

geoffw0 · geoffw0 · commit fbff44ea45ee · 2020-08-27T10:09:51.000+01:00
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll
@@ -43,6 +43,11 @@ class StdSequenceContainerData extends TaintFunction {
     // flow from container itself (qualifier) to return value
     input.isQualifierObject() and
     output.isReturnValueDeref()
+    or
+    // reverse flow from returned reference to the qualifier (for writes to
+    // `data`)
+    input.isReturnValueDeref() and
+    output.isQualifierObject()
   }
 }
 
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -1868,6 +1868,7 @@
 | vector.cpp:74:2:74:13 | access to array [post update] | vector.cpp:74:5:74:8 | call to data [inner post update] |  |
 | vector.cpp:74:2:74:24 | ... = ... | vector.cpp:74:2:74:13 | access to array [post update] |  |
 | vector.cpp:74:5:74:8 | call to data | vector.cpp:74:2:74:13 | access to array | TAINT |
+| vector.cpp:74:5:74:8 | call to data [inner post update] | vector.cpp:74:2:74:3 | ref arg v6 | TAINT |
 | vector.cpp:74:12:74:12 | 2 | vector.cpp:74:2:74:13 | access to array | TAINT |
 | vector.cpp:74:17:74:22 | call to source | vector.cpp:74:2:74:24 | ... = ... |  |
 | vector.cpp:75:7:75:8 | ref arg v6 | vector.cpp:76:7:76:8 | v6 |  |
@@ -2320,6 +2321,7 @@
 | vector.cpp:256:7:256:8 | ref arg v1 | vector.cpp:257:7:257:8 | v1 |  |
 | vector.cpp:256:7:256:8 | ref arg v1 | vector.cpp:263:1:263:1 | v1 |  |
 | vector.cpp:256:7:256:8 | v1 | vector.cpp:256:10:256:13 | call to data | TAINT |
+| vector.cpp:256:10:256:13 | ref arg call to data | vector.cpp:256:7:256:8 | ref arg v1 | TAINT |
 | vector.cpp:257:7:257:8 | ref arg v1 | vector.cpp:263:1:263:1 | v1 |  |
 | vector.cpp:257:7:257:8 | v1 | vector.cpp:257:10:257:13 | call to data | TAINT |
 | vector.cpp:257:10:257:13 | call to data | vector.cpp:257:7:257:18 | access to array | TAINT |
@@ -2332,13 +2334,15 @@
 | vector.cpp:259:4:259:5 | ref arg v2 | vector.cpp:263:1:263:1 | v2 |  |
 | vector.cpp:259:4:259:5 | v2 | vector.cpp:259:7:259:10 | call to data | TAINT |
 | vector.cpp:259:7:259:10 | call to data | vector.cpp:259:2:259:13 | * ... | TAINT |
+| vector.cpp:259:7:259:10 | call to data [inner post update] | vector.cpp:259:4:259:5 | ref arg v2 | TAINT |
 | vector.cpp:259:17:259:30 | call to source | vector.cpp:259:2:259:32 | ... = ... |  |
 | vector.cpp:260:7:260:8 | ref arg v2 | vector.cpp:261:7:261:8 | v2 |  |
 | vector.cpp:260:7:260:8 | ref arg v2 | vector.cpp:262:7:262:8 | v2 |  |
 | vector.cpp:260:7:260:8 | ref arg v2 | vector.cpp:263:1:263:1 | v2 |  |
 | vector.cpp:261:7:261:8 | ref arg v2 | vector.cpp:262:7:262:8 | v2 |  |
 | vector.cpp:261:7:261:8 | ref arg v2 | vector.cpp:263:1:263:1 | v2 |  |
 | vector.cpp:261:7:261:8 | v2 | vector.cpp:261:10:261:13 | call to data | TAINT |
+| vector.cpp:261:10:261:13 | ref arg call to data | vector.cpp:261:7:261:8 | ref arg v2 | TAINT |
 | vector.cpp:262:7:262:8 | ref arg v2 | vector.cpp:263:1:263:1 | v2 |  |
 | vector.cpp:262:7:262:8 | v2 | vector.cpp:262:10:262:13 | call to data | TAINT |
 | vector.cpp:262:10:262:13 | call to data | vector.cpp:262:7:262:18 | access to array | TAINT |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
@@ -218,6 +218,8 @@
 | vector.cpp:70:7:70:8 | v5 | vector.cpp:69:15:69:20 | call to source |
 | vector.cpp:71:10:71:14 | call to front | vector.cpp:69:15:69:20 | call to source |
 | vector.cpp:72:10:72:13 | call to back | vector.cpp:69:15:69:20 | call to source |
+| vector.cpp:75:7:75:8 | v6 | vector.cpp:74:17:74:22 | call to source |
+| vector.cpp:76:7:76:18 | access to array | vector.cpp:74:17:74:22 | call to source |
 | vector.cpp:97:7:97:8 | v9 | vector.cpp:96:13:96:18 | call to source |
 | vector.cpp:98:10:98:11 | call to at | vector.cpp:96:13:96:18 | call to source |
 | vector.cpp:99:10:99:11 | call to at | vector.cpp:96:13:96:18 | call to source |
@@ -241,3 +243,6 @@
 | vector.cpp:255:7:255:8 | v1 | vector.cpp:254:15:254:20 | call to source |
 | vector.cpp:256:10:256:13 | call to data | vector.cpp:254:15:254:20 | call to source |
 | vector.cpp:257:7:257:18 | access to array | vector.cpp:254:15:254:20 | call to source |
+| vector.cpp:260:7:260:8 | v2 | vector.cpp:259:17:259:30 | call to source |
+| vector.cpp:261:10:261:13 | call to data | vector.cpp:259:17:259:30 | call to source |
+| vector.cpp:262:7:262:18 | access to array | vector.cpp:259:17:259:30 | call to source |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
@@ -153,6 +153,8 @@
 | vector.cpp:70:7:70:8 | vector.cpp:69:15:69:20 | AST only |
 | vector.cpp:71:10:71:14 | vector.cpp:69:15:69:20 | AST only |
 | vector.cpp:72:10:72:13 | vector.cpp:69:15:69:20 | AST only |
+| vector.cpp:75:7:75:8 | vector.cpp:74:17:74:22 | AST only |
+| vector.cpp:76:7:76:18 | vector.cpp:74:17:74:22 | AST only |
 | vector.cpp:97:7:97:8 | vector.cpp:96:13:96:18 | AST only |
 | vector.cpp:98:10:98:11 | vector.cpp:96:13:96:18 | AST only |
 | vector.cpp:99:10:99:11 | vector.cpp:96:13:96:18 | AST only |
@@ -177,3 +179,6 @@
 | vector.cpp:255:7:255:8 | vector.cpp:254:15:254:20 | AST only |
 | vector.cpp:256:10:256:13 | vector.cpp:254:15:254:20 | AST only |
 | vector.cpp:257:7:257:18 | vector.cpp:254:15:254:20 | AST only |
+| vector.cpp:260:7:260:8 | vector.cpp:259:17:259:30 | AST only |
+| vector.cpp:261:10:261:13 | vector.cpp:259:17:259:30 | AST only |
+| vector.cpp:262:7:262:18 | vector.cpp:259:17:259:30 | AST only |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp
@@ -72,8 +72,8 @@ void test_element_taint(int x) {
 	sink(v5.back()); // tainted
 
 	v6.data()[2] = source();
-	sink(v6); // tainted [NOT DETECTED]
-	sink(v6.data()[2]); // tainted [NOT DETECTED]
+	sink(v6); // tainted
+	sink(v6.data()[2]); // tainted
 
 	{
 		const std::vector<int> &v7c = v7; // (workaround because our iterators don't convert to const_iterator)
@@ -257,7 +257,7 @@ void test_data_more() {
 	sink(v1.data()[2]); // tainted
 
 	*(v2.data()) = ns_int::source();
-	sink(v2); // tainted [NOT DETECTED]
-	sink(v2.data()); // tainted [NOT DETECTED]
-	sink(v2.data()[2]); // tainted [NOT DETECTED]
+	sink(v2); // tainted
+	sink(v2.data()); // tainted
+	sink(v2.data()[2]); // tainted
 }

Original file line number	Diff line number	Diff line change
`@@ -43,6 +43,11 @@ class StdSequenceContainerData extends TaintFunction {`
`43`	`43`	`// flow from container itself (qualifier) to return value`
`44`	`44`	`input.isQualifierObject() and`
`45`	`45`	`output.isReturnValueDeref()`
	`46`	`+ or`
	`47`	`+ // reverse flow from returned reference to the qualifier (for writes to`
	`48`	+ // `data`)
	`49`	`+ input.isReturnValueDeref() and`
	`50`	`+ output.isQualifierObject()`
`46`	`51`	`}`
`47`	`52`	`}`
`48`	`53`