CPP: Allow flow to return value.

2025-12-24 04:36:35 +01:00 · 2020-01-22 15:54:58 +00:00
parent 704bfe7184
commit 1867d58034
4 changed files with 9 additions and 2 deletions
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/TaintTrackingUtil.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/TaintTrackingUtil.qll
@@ -140,6 +140,9 @@ private predicate exprToExprStep(Expr exprIn, Expr exprOut) {
    (
      exprOut = call and
      outModel.isReturnValueDeref()
+      or
+      exprOut = call and
+      outModel.isReturnValue()
    ) and
    f.hasTaintFlow(inModel, outModel) and
    (
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp
@@ -421,7 +421,7 @@ void test_qualifiers()
 	sink(a.getMember());
 	a.setMember(source());
 	sink(a); // tainted
-	sink(a.getMember()); // tainted [NOT DETECTED]
+	sink(a.getMember()); // tainted

 	sink(b);
 	sink(b.getMember());
@@ -436,7 +436,7 @@ void test_qualifiers()
 	sink(c->getMember());
 	c->setMember(source());
 	sink(c); // tainted (deref)
-	sink(c->getMember()); // tainted [NOT DETECTED]
+	sink(c->getMember()); // tainted

 	delete c;

--- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
@@ -40,7 +40,9 @@
 | taint.cpp:372:7:372:7 | a | taint.cpp:365:24:365:29 | source |
 | taint.cpp:391:7:391:7 | a | taint.cpp:385:27:385:32 | source |
 | taint.cpp:423:7:423:7 | a | taint.cpp:422:14:422:19 | call to source |
+| taint.cpp:424:9:424:17 | call to getMember | taint.cpp:422:14:422:19 | call to source |
 | taint.cpp:430:9:430:14 | member | taint.cpp:428:13:428:18 | call to source |
 | taint.cpp:438:7:438:7 | c | taint.cpp:437:15:437:20 | call to source |
+| taint.cpp:439:10:439:18 | call to getMember | taint.cpp:437:15:437:20 | call to source |
 | taint.cpp:446:7:446:7 | d | taint.cpp:445:14:445:28 | call to source |
 | taint.cpp:447:9:447:17 | call to getString | taint.cpp:445:14:445:28 | call to source |
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
@@ -27,8 +27,10 @@
 | taint.cpp:372:7:372:7 | taint.cpp:365:24:365:29 | AST only |
 | taint.cpp:391:7:391:7 | taint.cpp:385:27:385:32 | AST only |
 | taint.cpp:423:7:423:7 | taint.cpp:422:14:422:19 | AST only |
+| taint.cpp:424:9:424:17 | taint.cpp:422:14:422:19 | AST only |
 | taint.cpp:429:7:429:7 | taint.cpp:428:13:428:18 | IR only |
 | taint.cpp:430:9:430:14 | taint.cpp:428:13:428:18 | AST only |
 | taint.cpp:438:7:438:7 | taint.cpp:437:15:437:20 | AST only |
+| taint.cpp:439:10:439:18 | taint.cpp:437:15:437:20 | AST only |
 | taint.cpp:446:7:446:7 | taint.cpp:445:14:445:28 | AST only |
 | taint.cpp:447:9:447:17 | taint.cpp:445:14:445:28 | AST only |