C++: Model std::set::merge and correct test annotations.

geoffw0 · geoffw0 · commit fc19bba0bdbd · 2020-10-12T10:01:57.000+01:00
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/StdSet.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/StdSet.qll
@@ -65,6 +65,19 @@ class StdSetSwap extends TaintFunction {
   }
 }
 
+/**
+ * The standard set `merge` function.
+ */
+class StdSetMerge extends TaintFunction {
+  StdSetMerge() { this.hasQualifiedName("std", ["set", "unordered_set"], "merge") }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // container1.merge(container2)
+    input.isParameterDeref(0) and
+    output.isQualifierObject()
+  }
+}
+
 /**
  * The standard set `find` function.
  */
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -2224,10 +2224,12 @@
 | set.cpp:99:2:99:4 | ref arg s16 | set.cpp:126:1:126:1 | s16 |  |
 | set.cpp:99:12:99:14 | ref arg s17 | set.cpp:102:7:102:9 | s17 |  |
 | set.cpp:99:12:99:14 | ref arg s17 | set.cpp:126:1:126:1 | s17 |  |
+| set.cpp:99:12:99:14 | s17 | set.cpp:99:2:99:4 | ref arg s16 | TAINT |
 | set.cpp:100:2:100:4 | ref arg s18 | set.cpp:103:7:103:9 | s18 |  |
 | set.cpp:100:2:100:4 | ref arg s18 | set.cpp:126:1:126:1 | s18 |  |
 | set.cpp:100:12:100:14 | ref arg s19 | set.cpp:104:7:104:9 | s19 |  |
 | set.cpp:100:12:100:14 | ref arg s19 | set.cpp:126:1:126:1 | s19 |  |
+| set.cpp:100:12:100:14 | s19 | set.cpp:100:2:100:4 | ref arg s18 | TAINT |
 | set.cpp:101:7:101:9 | s16 | set.cpp:101:7:101:9 | call to set |  |
 | set.cpp:102:7:102:9 | s17 | set.cpp:102:7:102:9 | call to set |  |
 | set.cpp:103:7:103:9 | s18 | set.cpp:103:7:103:9 | call to set |  |
@@ -2685,10 +2687,12 @@
 | set.cpp:211:2:211:4 | ref arg s16 | set.cpp:238:1:238:1 | s16 |  |
 | set.cpp:211:12:211:14 | ref arg s17 | set.cpp:214:7:214:9 | s17 |  |
 | set.cpp:211:12:211:14 | ref arg s17 | set.cpp:238:1:238:1 | s17 |  |
+| set.cpp:211:12:211:14 | s17 | set.cpp:211:2:211:4 | ref arg s16 | TAINT |
 | set.cpp:212:2:212:4 | ref arg s18 | set.cpp:215:7:215:9 | s18 |  |
 | set.cpp:212:2:212:4 | ref arg s18 | set.cpp:238:1:238:1 | s18 |  |
 | set.cpp:212:12:212:14 | ref arg s19 | set.cpp:216:7:216:9 | s19 |  |
 | set.cpp:212:12:212:14 | ref arg s19 | set.cpp:238:1:238:1 | s19 |  |
+| set.cpp:212:12:212:14 | s19 | set.cpp:212:2:212:4 | ref arg s18 | TAINT |
 | set.cpp:213:7:213:9 | s16 | set.cpp:213:7:213:9 | call to unordered_set |  |
 | set.cpp:214:7:214:9 | s17 | set.cpp:214:7:214:9 | call to unordered_set |  |
 | set.cpp:215:7:215:9 | s18 | set.cpp:215:7:215:9 | call to unordered_set |  |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/set.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/set.cpp
@@ -99,8 +99,8 @@ void test_set()
 	s16.merge(s17);
 	s18.merge(s19);
 	sink(s16); // tainted
-	sink(s17); // tainted [NOT DETECTED]
-	sink(s18); // tainted [NOT DETECTED]
+	sink(s17);
+	sink(s18); // tainted
 	sink(s19); // tainted
 
 	// erase, clear
@@ -211,8 +211,8 @@ void test_unordered_set()
 	s16.merge(s17);
 	s18.merge(s19);
 	sink(s16); // tainted
-	sink(s17); // tainted [NOT DETECTED]
-	sink(s18); // tainted [NOT DETECTED]
+	sink(s17);
+	sink(s18); // tainted
 	sink(s19); // tainted
 
 	// erase, clear
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
@@ -167,6 +167,7 @@
 | set.cpp:95:7:95:9 | call to set | set.cpp:91:13:91:18 | call to source |
 | set.cpp:98:7:98:9 | call to set | set.cpp:94:13:94:18 | call to source |
 | set.cpp:101:7:101:9 | call to set | set.cpp:91:13:91:18 | call to source |
+| set.cpp:103:7:103:9 | call to set | set.cpp:94:13:94:18 | call to source |
 | set.cpp:104:7:104:9 | call to set | set.cpp:94:13:94:18 | call to source |
 | set.cpp:110:7:110:9 | call to set | set.cpp:108:13:108:18 | call to source |
 | set.cpp:110:7:110:9 | call to set | set.cpp:109:13:109:18 | call to source |
@@ -201,6 +202,7 @@
 | set.cpp:207:7:207:9 | call to unordered_set | set.cpp:203:13:203:18 | call to source |
 | set.cpp:210:7:210:9 | call to unordered_set | set.cpp:206:13:206:18 | call to source |
 | set.cpp:213:7:213:9 | call to unordered_set | set.cpp:203:13:203:18 | call to source |
+| set.cpp:215:7:215:9 | call to unordered_set | set.cpp:206:13:206:18 | call to source |
 | set.cpp:216:7:216:9 | call to unordered_set | set.cpp:206:13:206:18 | call to source |
 | set.cpp:222:7:222:9 | call to unordered_set | set.cpp:220:13:220:18 | call to source |
 | set.cpp:222:7:222:9 | call to unordered_set | set.cpp:221:13:221:18 | call to source |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
@@ -124,6 +124,7 @@
 | set.cpp:95:7:95:9 | set.cpp:91:13:91:18 | AST only |
 | set.cpp:98:7:98:9 | set.cpp:94:13:94:18 | AST only |
 | set.cpp:101:7:101:9 | set.cpp:91:13:91:18 | AST only |
+| set.cpp:103:7:103:9 | set.cpp:94:13:94:18 | AST only |
 | set.cpp:104:7:104:9 | set.cpp:94:13:94:18 | AST only |
 | set.cpp:110:7:110:9 | set.cpp:108:13:108:18 | AST only |
 | set.cpp:110:7:110:9 | set.cpp:109:13:109:18 | AST only |
@@ -151,6 +152,7 @@
 | set.cpp:207:7:207:9 | set.cpp:203:13:203:18 | AST only |
 | set.cpp:210:7:210:9 | set.cpp:206:13:206:18 | AST only |
 | set.cpp:213:7:213:9 | set.cpp:203:13:203:18 | AST only |
+| set.cpp:215:7:215:9 | set.cpp:206:13:206:18 | AST only |
 | set.cpp:216:7:216:9 | set.cpp:206:13:206:18 | AST only |
 | set.cpp:222:7:222:9 | set.cpp:220:13:220:18 | AST only |
 | set.cpp:222:7:222:9 | set.cpp:221:13:221:18 | AST only |
