C++: Demonstrate amount of field flow already present

2025-12-20 10:46:30 +01:00 · 2020-03-24 22:01:56 +01:00
parent ac68b62b48
commit 22381f3ee6
3 changed files with 78 additions and 0 deletions
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -63,6 +63,7 @@ class Node extends TIRDataFlowNode {
   */
  Variable asVariable() { result = this.(VariableNode).getVariable() }

+
  /**
   * DEPRECATED: See UninitializedNode.
   *
--- a/cpp/ql/test/library-tests/dataflow/fields/ir-flow.expected
+++ b/cpp/ql/test/library-tests/dataflow/fields/ir-flow.expected
@@ -0,0 +1,31 @@
+edges
+| aliasing.cpp:37:13:37:22 | call to user_input : void | aliasing.cpp:38:11:38:12 | m1 |
+| aliasing.cpp:42:11:42:20 | call to user_input : void | aliasing.cpp:43:13:43:14 | m1 |
+| aliasing.cpp:79:11:79:20 | call to user_input : void | aliasing.cpp:80:12:80:13 | m1 |
+| aliasing.cpp:86:10:86:19 | call to user_input : void | aliasing.cpp:87:12:87:13 | m1 |
+| aliasing.cpp:92:12:92:21 | call to user_input : void | aliasing.cpp:93:12:93:13 | m1 |
+| struct_init.c:20:20:20:29 | call to user_input : void | struct_init.c:22:11:22:11 | a |
+| struct_init.c:27:7:27:16 | call to user_input : void | struct_init.c:31:23:31:23 | a |
+nodes
+| aliasing.cpp:37:13:37:22 | call to user_input : void | semmle.label | call to user_input : void |
+| aliasing.cpp:38:11:38:12 | m1 | semmle.label | m1 |
+| aliasing.cpp:42:11:42:20 | call to user_input : void | semmle.label | call to user_input : void |
+| aliasing.cpp:43:13:43:14 | m1 | semmle.label | m1 |
+| aliasing.cpp:79:11:79:20 | call to user_input : void | semmle.label | call to user_input : void |
+| aliasing.cpp:80:12:80:13 | m1 | semmle.label | m1 |
+| aliasing.cpp:86:10:86:19 | call to user_input : void | semmle.label | call to user_input : void |
+| aliasing.cpp:87:12:87:13 | m1 | semmle.label | m1 |
+| aliasing.cpp:92:12:92:21 | call to user_input : void | semmle.label | call to user_input : void |
+| aliasing.cpp:93:12:93:13 | m1 | semmle.label | m1 |
+| struct_init.c:20:20:20:29 | call to user_input : void | semmle.label | call to user_input : void |
+| struct_init.c:22:11:22:11 | a | semmle.label | a |
+| struct_init.c:27:7:27:16 | call to user_input : void | semmle.label | call to user_input : void |
+| struct_init.c:31:23:31:23 | a | semmle.label | a |
+#select
+| aliasing.cpp:38:11:38:12 | m1 | aliasing.cpp:37:13:37:22 | call to user_input : void | aliasing.cpp:38:11:38:12 | m1 | m1 flows from $@ | aliasing.cpp:37:13:37:22 | call to user_input : void | call to user_input : void |
+| aliasing.cpp:43:13:43:14 | m1 | aliasing.cpp:42:11:42:20 | call to user_input : void | aliasing.cpp:43:13:43:14 | m1 | m1 flows from $@ | aliasing.cpp:42:11:42:20 | call to user_input : void | call to user_input : void |
+| aliasing.cpp:80:12:80:13 | m1 | aliasing.cpp:79:11:79:20 | call to user_input : void | aliasing.cpp:80:12:80:13 | m1 | m1 flows from $@ | aliasing.cpp:79:11:79:20 | call to user_input : void | call to user_input : void |
+| aliasing.cpp:87:12:87:13 | m1 | aliasing.cpp:86:10:86:19 | call to user_input : void | aliasing.cpp:87:12:87:13 | m1 | m1 flows from $@ | aliasing.cpp:86:10:86:19 | call to user_input : void | call to user_input : void |
+| aliasing.cpp:93:12:93:13 | m1 | aliasing.cpp:92:12:92:21 | call to user_input : void | aliasing.cpp:93:12:93:13 | m1 | m1 flows from $@ | aliasing.cpp:92:12:92:21 | call to user_input : void | call to user_input : void |
+| struct_init.c:22:11:22:11 | a | struct_init.c:20:20:20:29 | call to user_input : void | struct_init.c:22:11:22:11 | a | a flows from $@ | struct_init.c:20:20:20:29 | call to user_input : void | call to user_input : void |
+| struct_init.c:31:23:31:23 | a | struct_init.c:27:7:27:16 | call to user_input : void | struct_init.c:31:23:31:23 | a | a flows from $@ | struct_init.c:27:7:27:16 | call to user_input : void | call to user_input : void |
--- a/cpp/ql/test/library-tests/dataflow/fields/ir-flow.ql
+++ b/cpp/ql/test/library-tests/dataflow/fields/ir-flow.ql
@@ -0,0 +1,46 @@
+/**
+ * @kind path-problem
+ */
+
+import semmle.code.cpp.ir.dataflow.DataFlow
+import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
+import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
+import semmle.code.cpp.ir.dataflow.internal.DataFlowImpl
+import semmle.code.cpp.ir.dataflow.internal.DataFlowImplCommon
+import semmle.code.cpp.ir.IR
+import DataFlow::PathGraph
+import cpp
+
+class Conf extends DataFlow::Configuration {
+  Conf() { this = "FieldFlowConf" }
+
+  override predicate isSource(Node src) {
+    src.asExpr() instanceof NewExpr
+    or
+    src.asExpr().(Call).getTarget().hasName("user_input")
+    or
+    exists(FunctionCall fc |
+      fc.getAnArgument() = src.asDefiningArgument() and
+      fc.getTarget().hasName("argument_source")
+    )
+  }
+
+  override predicate isSink(Node sink) {
+    exists(Call c |
+      c.getTarget().hasName("sink") and
+      c.getAnArgument() = sink.asExpr()
+    )
+  }
+
+  override predicate isAdditionalFlowStep(Node a, Node b) {
+    b.asPartialDefinition() =
+      any(Call c | c.getTarget().hasName("insert") and c.getAnArgument() = a.asExpr())
+          .getQualifier()
+    or
+    b.asExpr().(AddressOfExpr).getOperand() = a.asExpr()
+  }
+}
+
+from DataFlow::PathNode src, DataFlow::PathNode sink, Conf conf
+where conf.hasFlowPath(src, sink)
+select sink, src, sink, sink + " flows from $@", src, src.toString()