Merge pull request #18136 from MathiasVP/model-active-template-library

C++: Model Microsoft's "Active Template Library"

cpp/ql/lib/semmle/code/cpp/models/Models.qll

@@ -50,3 +50,10 @@ private import implementations.System
 private import implementations.StructuredExceptionHandling
 private import implementations.ZMQ
 private import implementations.Win32CommandExecution
+private import implementations.CA2AEX
+private import implementations.CComBSTR
+private import implementations.CPathT
+private import implementations.CAtlFile
+private import implementations.CAtlFileMapping
+private import implementations.CAtlTemporaryFile
+private import implementations.CRegKey

cpp/ql/lib/semmle/code/cpp/models/implementations/CA2AEX.qll

@@ -0,0 +1,17 @@
+private import cpp
+private import semmle.code.cpp.ir.dataflow.FlowSteps
+private import semmle.code.cpp.dataflow.new.DataFlow
+
+/**
+ * The `CA2AEX` (and related) classes from the Windows Active Template library.
+ */
+class Ca2Aex extends Class {
+  Ca2Aex() { this.hasGlobalName(["CA2AEX", "CA2CAEX", "CA2WEX"]) }
+}
+
+private class Ca2AexTaintInheritingContent extends TaintInheritingContent, DataFlow::FieldContent {
+  Ca2AexTaintInheritingContent() {
+    // The two members m_psz and m_szBuffer
+    this.getField().getDeclaringType() instanceof Ca2Aex
+  }
+}

cpp/ql/lib/semmle/code/cpp/models/implementations/CAtlFile.qll

@@ -0,0 +1,17 @@
+import semmle.code.cpp.models.interfaces.FlowSource
+
+/**
+ * The `CAtlFile` class from Microsoft's Active Template Library.
+ */
+class CAtlFile extends Class {
+  CAtlFile() { this.hasGlobalName("CAtlFile") }
+}
+
+private class CAtlFileRead extends MemberFunction, LocalFlowSourceFunction {
+  CAtlFileRead() { this.getClassAndName("Read") instanceof CAtlFile }
+
+  override predicate hasLocalFlowSource(FunctionOutput output, string description) {
+    output.isParameterDeref(0) and
+    description = "string read by " + this.getName()
+  }
+}

cpp/ql/lib/semmle/code/cpp/models/implementations/CAtlFileMapping.qll

@@ -0,0 +1,37 @@
+import semmle.code.cpp.models.interfaces.FlowSource
+
+/**
+ * The `CAtlFileMapping` class from Microsoft's Active Template Library.
+ */
+class CAtlFileMapping extends Class {
+  CAtlFileMapping() { this.hasGlobalName("CAtlFileMapping") }
+}
+
+/**
+ * The `CAtlFileMappingBase` class from Microsoft's Active Template Library.
+ */
+class CAtlFileMappingBase extends Class {
+  CAtlFileMappingBase() { this.hasGlobalName("CAtlFileMappingBase") }
+}
+
+private class CAtlFileMappingBaseGetData extends MemberFunction, LocalFlowSourceFunction {
+  CAtlFileMappingBaseGetData() {
+    this.getClassAndName("GetData") = any(CAtlFileMappingBase fileMaping).getADerivedClass*()
+  }
+
+  override predicate hasLocalFlowSource(FunctionOutput output, string description) {
+    output.isReturnValueDeref(1) and
+    description = "data read by " + this.getName()
+  }
+}
+
+private class CAtlFileMappingGetData extends MemberFunction, LocalFlowSourceFunction {
+  CAtlFileMappingGetData() {
+    this.(ConversionOperator).getDeclaringType() instanceof CAtlFileMapping
+  }
+
+  override predicate hasLocalFlowSource(FunctionOutput output, string description) {
+    output.isReturnValueDeref(1) and
+    description = "data read by " + this.getName()
+  }
+}

cpp/ql/lib/semmle/code/cpp/models/implementations/CAtlTemporaryFile.qll

@@ -0,0 +1,17 @@
+import semmle.code.cpp.models.interfaces.FlowSource
+
+/**
+ * The `CAtlFile` class from Microsoft's Active Template Library.
+ */
+class CAtlTemporaryFile extends Class {
+  CAtlTemporaryFile() { this.hasGlobalName("CAtlTemporaryFile") }
+}
+
+private class CAtlTemporaryFileRead extends MemberFunction, LocalFlowSourceFunction {
+  CAtlTemporaryFileRead() { this.getClassAndName("Read") instanceof CAtlTemporaryFile }
+
+  override predicate hasLocalFlowSource(FunctionOutput output, string description) {
+    output.isParameterDeref(0) and
+    description = "string read by " + this.getName()
+  }
+}

cpp/ql/lib/semmle/code/cpp/models/implementations/CComBSTR.qll

@@ -0,0 +1,16 @@
+private import cpp
+private import semmle.code.cpp.ir.dataflow.FlowSteps
+private import semmle.code.cpp.dataflow.new.DataFlow
+
+/** The `CComBSTR` class from the Microsoft "Active Template Library". */
+class CcomBstr extends Class {
+  CcomBstr() { this.hasGlobalName("CComBSTR") }
+}
+
+private class Mstr extends Field {
+  Mstr() { this.getDeclaringType() instanceof CcomBstr and this.hasName("m_str") }
+}
+
+private class MstrTaintInheritingContent extends TaintInheritingContent, DataFlow::FieldContent {
+  MstrTaintInheritingContent() { this.getField() instanceof Mstr }
+}

cpp/ql/lib/semmle/code/cpp/models/implementations/CPathT.qll

@@ -0,0 +1,16 @@
+private import cpp
+private import semmle.code.cpp.ir.dataflow.FlowSteps
+private import semmle.code.cpp.dataflow.new.DataFlow
+
+/** The `CPathT` class from the Microsoft "Active Template Library". */
+class CPathT extends Class {
+  CPathT() { this.hasGlobalName("CPathT") }
+}
+
+private class MStrPath extends Field {
+  MStrPath() { this.getDeclaringType() instanceof CPathT and this.hasName("m_strPath") }
+}
+
+private class MStrPathTaintInheritingContent extends TaintInheritingContent, DataFlow::FieldContent {
+  MStrPathTaintInheritingContent() { this.getField() instanceof MStrPath }
+}

cpp/ql/lib/semmle/code/cpp/models/implementations/CRegKey.qll

@@ -0,0 +1,87 @@
+private import cpp
+private import semmle.code.cpp.models.interfaces.FlowSource
+private import semmle.code.cpp.ir.dataflow.FlowSteps
+private import semmle.code.cpp.dataflow.new.DataFlow
+
+/** The `CRegKey` class from the Microsoft "Active Template Library". */
+class CRegKey extends Class {
+  CRegKey() { this.hasGlobalName("CRegKey") }
+}
+
+module CRegKey {
+  /** The `m_hKey` member on a object of type `CRegKey`. */
+  class MhKey extends Field {
+    MhKey() {
+      this.getDeclaringType() instanceof CRegKey and
+      this.getName() = "m_hKey"
+    }
+  }
+
+  private class MhKeyPathTaintInheritingContent extends TaintInheritingContent,
+    DataFlow::FieldContent
+  {
+    MhKeyPathTaintInheritingContent() { this.getField() instanceof MhKey }
+  }
+
+  private class CRegKeyMemberFunction extends MemberFunction {
+    string name;
+
+    CRegKeyMemberFunction() { this.getClassAndName(name) instanceof CRegKey }
+  }
+
+  abstract private class CRegKeyFlowSource extends CRegKeyMemberFunction, LocalFlowSourceFunction {
+    FunctionOutput output;
+
+    final override predicate hasLocalFlowSource(FunctionOutput output_, string description) {
+      output_ = output and
+      description = "registry string read by " + name
+    }
+  }
+
+  /** The `CRegKey::QueryBinaryValue` function from Win32. */
+  class QueryBinaryValue extends CRegKeyFlowSource {
+    QueryBinaryValue() { name = "QueryBinaryValue" and output.isParameterDeref(1) }
+  }
+
+  /** The `CRegKey::QueryDWORDValue` function from Win32. */
+  class QueryDwordValue extends CRegKeyFlowSource {
+    QueryDwordValue() { name = "QueryDWORDValue" and output.isParameterDeref(1) }
+  }
+
+  /** The `CRegKey::QueryGUIDValue` function from Win32. */
+  class QueryGuidValue extends CRegKeyFlowSource {
+    QueryGuidValue() { name = "QueryGUIDValue" and output.isParameterDeref(1) }
+  }
+
+  /** The `CRegKey::QueryMultiStringValue` function from Win32. */
+  class QueryMultiStringValue extends CRegKeyFlowSource {
+    QueryMultiStringValue() { name = "QueryMultiStringValue" and output.isParameterDeref(1) }
+  }
+
+  /** The `CRegKey::QueryQWORDValue` function from Win32. */
+  class QueryQwordValue extends CRegKeyFlowSource {
+    QueryQwordValue() { name = "QueryQWORDValue" and output.isParameterDeref(1) }
+  }
+
+  /** The `CRegKey::QueryStringValue` function from Win32. */
+  class QueryStringValue extends CRegKeyFlowSource {
+    QueryStringValue() { name = "QueryStringValue" and output.isParameterDeref(1) }
+  }
+
+  /** The `CRegKey::QueryValue` function from Win32. */
+  class QueryValue extends CRegKeyFlowSource {
+    QueryValue() {
+      name = "QueryValue" and
+      (
+        this.getNumberOfParameters() = 4 and
+        output.isParameterDeref(2)
+        or
+        this.getNumberOfParameters() = 2 and
+        output.isParameterDeref(0)
+        or
+        this.getNumberOfParameters() = 3 and
+        output.isParameterDeref(0)
+      )
+    }
+  }
+}