C++: Model swap.

2026-04-30 19:26:02 +02:00 · 2020-09-24 17:26:44 +01:00
parent 6119bf3430
commit 13b15d9bcd
5 changed files with 44 additions and 4 deletions
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/StdMap.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/StdMap.qll
@@ -40,3 +40,19 @@ class StdMapBeginEnd extends TaintFunction {
    output.isReturnValue()
  }
 }
+
+/**
+ * The standard map `swap` functions.
+ */
+class StdMapSwap extends TaintFunction {
+  StdMapSwap() { this.hasQualifiedName("std", ["map", "unordered_map"], "swap") }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // container1.swap(container2)
+    input.isQualifierObject() and
+    output.isParameterDeref(0)
+    or
+    input.isParameterDeref(0) and
+    output.isQualifierObject()
+  }
+}
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -977,15 +977,19 @@
 | map.cpp:191:7:191:9 | m16 | map.cpp:191:7:191:9 | call to map |  |
 | map.cpp:192:7:192:9 | m17 | map.cpp:192:7:192:9 | call to map |  |
 | map.cpp:193:7:193:9 | m18 | map.cpp:193:7:193:9 | call to map |  |
+| map.cpp:194:2:194:4 | m15 | map.cpp:194:11:194:13 | ref arg m16 | TAINT |
 | map.cpp:194:2:194:4 | ref arg m15 | map.cpp:196:7:196:9 | m15 |  |
 | map.cpp:194:2:194:4 | ref arg m15 | map.cpp:211:2:211:4 | m15 |  |
 | map.cpp:194:2:194:4 | ref arg m15 | map.cpp:249:1:249:1 | m15 |  |
+| map.cpp:194:11:194:13 | m16 | map.cpp:194:2:194:4 | ref arg m15 | TAINT |
 | map.cpp:194:11:194:13 | ref arg m16 | map.cpp:197:7:197:9 | m16 |  |
 | map.cpp:194:11:194:13 | ref arg m16 | map.cpp:211:12:211:14 | m16 |  |
 | map.cpp:194:11:194:13 | ref arg m16 | map.cpp:249:1:249:1 | m16 |  |
+| map.cpp:195:2:195:4 | m17 | map.cpp:195:11:195:13 | ref arg m18 | TAINT |
 | map.cpp:195:2:195:4 | ref arg m17 | map.cpp:198:7:198:9 | m17 |  |
 | map.cpp:195:2:195:4 | ref arg m17 | map.cpp:212:2:212:4 | m17 |  |
 | map.cpp:195:2:195:4 | ref arg m17 | map.cpp:249:1:249:1 | m17 |  |
+| map.cpp:195:11:195:13 | m18 | map.cpp:195:2:195:4 | ref arg m17 | TAINT |
 | map.cpp:195:11:195:13 | ref arg m18 | map.cpp:199:7:199:9 | m18 |  |
 | map.cpp:195:11:195:13 | ref arg m18 | map.cpp:212:12:212:14 | m18 |  |
 | map.cpp:195:11:195:13 | ref arg m18 | map.cpp:249:1:249:1 | m18 |  |
@@ -1573,15 +1577,19 @@
 | map.cpp:340:7:340:9 | m16 | map.cpp:340:7:340:9 | call to unordered_map |  |
 | map.cpp:341:7:341:9 | m17 | map.cpp:341:7:341:9 | call to unordered_map |  |
 | map.cpp:342:7:342:9 | m18 | map.cpp:342:7:342:9 | call to unordered_map |  |
+| map.cpp:343:2:343:4 | m15 | map.cpp:343:11:343:13 | ref arg m16 | TAINT |
 | map.cpp:343:2:343:4 | ref arg m15 | map.cpp:345:7:345:9 | m15 |  |
 | map.cpp:343:2:343:4 | ref arg m15 | map.cpp:360:2:360:4 | m15 |  |
 | map.cpp:343:2:343:4 | ref arg m15 | map.cpp:398:1:398:1 | m15 |  |
+| map.cpp:343:11:343:13 | m16 | map.cpp:343:2:343:4 | ref arg m15 | TAINT |
 | map.cpp:343:11:343:13 | ref arg m16 | map.cpp:346:7:346:9 | m16 |  |
 | map.cpp:343:11:343:13 | ref arg m16 | map.cpp:360:12:360:14 | m16 |  |
 | map.cpp:343:11:343:13 | ref arg m16 | map.cpp:398:1:398:1 | m16 |  |
+| map.cpp:344:2:344:4 | m17 | map.cpp:344:11:344:13 | ref arg m18 | TAINT |
 | map.cpp:344:2:344:4 | ref arg m17 | map.cpp:347:7:347:9 | m17 |  |
 | map.cpp:344:2:344:4 | ref arg m17 | map.cpp:361:2:361:4 | m17 |  |
 | map.cpp:344:2:344:4 | ref arg m17 | map.cpp:398:1:398:1 | m17 |  |
+| map.cpp:344:11:344:13 | m18 | map.cpp:344:2:344:4 | ref arg m17 | TAINT |
 | map.cpp:344:11:344:13 | ref arg m18 | map.cpp:348:7:348:9 | m18 |  |
 | map.cpp:344:11:344:13 | ref arg m18 | map.cpp:361:12:361:14 | m18 |  |
 | map.cpp:344:11:344:13 | ref arg m18 | map.cpp:398:1:398:1 | m18 |  |
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/map.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/map.cpp
@@ -194,8 +194,8 @@ void test_map()
 	m15.swap(m16);
 	m17.swap(m18);
 	sink(m15); // [FALSE POSITIVE]
-	sink(m16); // tainted [NOT DETECTED]
-	sink(m17); // tainted [NOT DETECTED]
+	sink(m16); // tainted
+	sink(m17); // tainted
 	sink(m18); // [FALSE POSITIVE]

 	// merge
@@ -343,8 +343,8 @@ void test_unordered_map()
 	m15.swap(m16);
 	m17.swap(m18);
 	sink(m15); // [FALSE POSITIVE]
-	sink(m16); // tainted [NOT DETECTED]
-	sink(m17); // tainted [NOT DETECTED]
+	sink(m16); // tainted
+	sink(m17); // tainted
 	sink(m18); // [FALSE POSITIVE]

 	// merge
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
@@ -63,6 +63,10 @@
 | map.cpp:193:7:193:9 | call to map | map.cpp:189:49:189:54 | call to source |
 | map.cpp:196:7:196:9 | call to map | map.cpp:188:39:188:44 | call to source |
 | map.cpp:196:7:196:9 | call to map | map.cpp:188:49:188:54 | call to source |
+| map.cpp:197:7:197:9 | call to map | map.cpp:188:39:188:44 | call to source |
+| map.cpp:197:7:197:9 | call to map | map.cpp:188:49:188:54 | call to source |
+| map.cpp:198:7:198:9 | call to map | map.cpp:189:39:189:44 | call to source |
+| map.cpp:198:7:198:9 | call to map | map.cpp:189:49:189:54 | call to source |
 | map.cpp:199:7:199:9 | call to map | map.cpp:189:39:189:44 | call to source |
 | map.cpp:199:7:199:9 | call to map | map.cpp:189:49:189:54 | call to source |
 | map.cpp:207:7:207:9 | call to map | map.cpp:203:39:203:44 | call to source |
@@ -102,6 +106,10 @@
 | map.cpp:342:7:342:9 | call to unordered_map | map.cpp:338:49:338:54 | call to source |
 | map.cpp:345:7:345:9 | call to unordered_map | map.cpp:337:39:337:44 | call to source |
 | map.cpp:345:7:345:9 | call to unordered_map | map.cpp:337:49:337:54 | call to source |
+| map.cpp:346:7:346:9 | call to unordered_map | map.cpp:337:39:337:44 | call to source |
+| map.cpp:346:7:346:9 | call to unordered_map | map.cpp:337:49:337:54 | call to source |
+| map.cpp:347:7:347:9 | call to unordered_map | map.cpp:338:39:338:44 | call to source |
+| map.cpp:347:7:347:9 | call to unordered_map | map.cpp:338:49:338:54 | call to source |
 | map.cpp:348:7:348:9 | call to unordered_map | map.cpp:338:39:338:44 | call to source |
 | map.cpp:348:7:348:9 | call to unordered_map | map.cpp:338:49:338:54 | call to source |
 | map.cpp:356:7:356:9 | call to unordered_map | map.cpp:352:39:352:44 | call to source |
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
@@ -60,6 +60,10 @@
 | map.cpp:193:7:193:9 | map.cpp:189:49:189:54 | AST only |
 | map.cpp:196:7:196:9 | map.cpp:188:39:188:44 | AST only |
 | map.cpp:196:7:196:9 | map.cpp:188:49:188:54 | AST only |
+| map.cpp:197:7:197:9 | map.cpp:188:39:188:44 | AST only |
+| map.cpp:197:7:197:9 | map.cpp:188:49:188:54 | AST only |
+| map.cpp:198:7:198:9 | map.cpp:189:39:189:44 | AST only |
+| map.cpp:198:7:198:9 | map.cpp:189:49:189:54 | AST only |
 | map.cpp:199:7:199:9 | map.cpp:189:39:189:44 | AST only |
 | map.cpp:199:7:199:9 | map.cpp:189:49:189:54 | AST only |
 | map.cpp:207:7:207:9 | map.cpp:203:39:203:44 | AST only |
@@ -100,6 +104,10 @@
 | map.cpp:342:7:342:9 | map.cpp:338:49:338:54 | AST only |
 | map.cpp:345:7:345:9 | map.cpp:337:39:337:44 | AST only |
 | map.cpp:345:7:345:9 | map.cpp:337:49:337:54 | AST only |
+| map.cpp:346:7:346:9 | map.cpp:337:39:337:44 | AST only |
+| map.cpp:346:7:346:9 | map.cpp:337:49:337:54 | AST only |
+| map.cpp:347:7:347:9 | map.cpp:338:39:338:44 | AST only |
+| map.cpp:347:7:347:9 | map.cpp:338:49:338:54 | AST only |
 | map.cpp:348:7:348:9 | map.cpp:338:39:338:44 | AST only |
 | map.cpp:348:7:348:9 | map.cpp:338:49:338:54 | AST only |
 | map.cpp:356:7:356:9 | map.cpp:352:39:352:44 | AST only |