Merge pull request #3195 from geoffw0/taintstring

C++: Model taint flow through std::string constructor and c_str()

cpp/ql/src/semmle/code/cpp/models/Models.qll

@@ -12,4 +12,5 @@ private import implementations.Strcat
 private import implementations.Strcpy
 private import implementations.Strdup
 private import implementations.Strftime
+private import implementations.StdString
 private import implementations.Swap

cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll

@@ -0,0 +1,27 @@
+import semmle.code.cpp.models.interfaces.Taint
+
+/**
+ * The `std::basic_string` constructor(s).
+ */
+class StdStringConstructor extends TaintFunction {
+  StdStringConstructor() { this.hasQualifiedName("std", "basic_string", "basic_string") }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // flow from any constructor argument to return value
+    input.isParameter(_) and
+    output.isReturnValue()
+  }
+}
+
+/**
+ * The standard function `std::string.c_str`.
+ */
+class StdStringCStr extends TaintFunction {
+  StdStringCStr() { this.hasQualifiedName("std", "basic_string", "c_str") }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // flow from string itself (qualifier) to return value
+    input.isQualifierObject() and
+    output.isReturnValue()
+  }
+}