C++: Use taintedWithPath in more tests. This is the predicate that's currently hooked up to the new IR taint tracking library.

2026-04-30 03:05:15 +02:00 · 2021-03-02 13:40:39 +01:00
parent 6ba35f4aac
commit 23d3109071
4 changed files with 30 additions and 18 deletions
--- a/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_path_to_sink/tainted.ql
+++ b/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_path_to_sink/tainted.ql
@@ -6,6 +6,7 @@
 import cpp
 import semmle.code.cpp.security.TaintTrackingImpl as ASTTaintTracking
 import semmle.code.cpp.ir.dataflow.DefaultTaintTracking as IRDefaultTaintTracking
+import IRDefaultTaintTracking::TaintedWithPath as TaintedWithPath
 import TestUtilities.InlineExpectationsTest

 predicate isSink(Element sink) {
@@ -17,7 +18,13 @@ predicate isSink(Element sink) {

 predicate astTaint(Expr source, Element sink) { ASTTaintTracking::tainted(source, sink) }

-predicate irTaint(Expr source, Element sink) { IRDefaultTaintTracking::tainted(source, sink) }
+class SourceConfiguration extends TaintedWithPath::TaintTrackingConfiguration {
+  override predicate isSink(Element e) { any() }
+}
+
+predicate irTaint(Expr source, Element sink) {
+  TaintedWithPath::taintedWithPath(source, sink, _, _)
+}

 class IRDefaultTaintTrackingTest extends InlineExpectationsTest {
  IRDefaultTaintTrackingTest() { this = "IRDefaultTaintTrackingTest" }
--- a/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/defaulttainttracking.cpp
+++ b/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/defaulttainttracking.cpp
@@ -13,8 +13,8 @@ int main() {



-  sink(_strdup(getenv("VAR"))); // $ ir MISSING: ast
-  sink(strdup(getenv("VAR"))); // $ ast,ir
+  sink(_strdup(getenv("VAR"))); // $ MISSING: ast,ir
+  sink(strdup(getenv("VAR"))); // $ ast MISSING: ir
  sink(unmodeled_function(getenv("VAR"))); // clean by assumption

  char untainted_buf[100] = "";
@@ -250,12 +250,12 @@ void sink(iovec);
 int test_readv_and_writev(iovec* iovs) {
  readv(0, iovs, 16);
  sink(iovs); // $ast,ir
-  sink(iovs[0]); // $ast MISSING: ir
-  sink(*iovs); // $ast MISSING: ir
+  sink(iovs[0]); // $ast,ir
+  sink(*iovs); // $ast,ir

  char* p = (char*)iovs[1].iov_base;
-  sink(p); // $ MISSING: ast,ir
-  sink(*p); // $ MISSING: ast,ir
+  sink(p); // $ ir MISSING: ast
+  sink(*p); // $ ir MISSING: ast

  writev(0, iovs, 16); // $ remote
 }
--- a/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/stl.cpp
+++ b/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/stl.cpp
@@ -73,7 +73,7 @@ void test_string()
 	sink(b); // clean
 	sink(c); // $ ir MISSING: ast
 	sink(b.c_str()); // clean
-	sink(c.c_str()); // $ MISSING: ast,ir
+	sink(c.c_str()); // $ ir MISSING: ast
 }

 void test_stringstream()
@@ -91,11 +91,11 @@ void test_stringstream()
 	sink(ss2); // $ ir MISSING: ast
 	sink(ss3); // $ MISSING: ast,ir
 	sink(ss4); // $ ir MISSING: ast
-	sink(ss5); // $ ir MISSING: ast
+	sink(ss5); // $ MISSING: ast,ir
 	sink(ss1.str());
-	sink(ss2.str()); // $ MISSING: ast,ir
+	sink(ss2.str()); // $ ir MISSING: ast
 	sink(ss3.str()); // $ MISSING: ast,ir
-	sink(ss4.str()); // $ MISSING: ast,ir
+	sink(ss4.str()); // $ ir MISSING: ast
 	sink(ss5.str()); // $ MISSING: ast,ir
 }

@@ -123,14 +123,14 @@ void sink(const char *filename, const char *mode);
 void test_strings2()
 {
 	string path1 = user_input();
-	sink(path1.c_str(), "r"); // $ MISSING: ast,ir
+	sink(path1.c_str(), "r"); // $ ir MISSING: ast

 	string path2;
 	path2 = user_input();
-	sink(path2.c_str(), "r"); // $ MISSING: ast,ir
+	sink(path2.c_str(), "r"); // $ ir MISSING: ast

 	string path3(user_input());
-	sink(path3.c_str(), "r"); // $ MISSING: ast,ir
+	sink(path3.c_str(), "r"); // $ ir MISSING: ast
 }

 void test_string3()
@@ -154,6 +154,6 @@ void test_string4()
 	// convert back std::string -> char *
 	cs = ss.c_str();

-	sink(cs); // $ ast MISSING: ir
+	sink(cs); // $ ast,ir
 	sink(ss); // $ ir MISSING: ast
 }
--- a/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/tainted.ql
+++ b/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/tainted.ql
@@ -7,9 +7,10 @@
 import cpp
 import semmle.code.cpp.security.TaintTrackingImpl as ASTTaintTracking
 import semmle.code.cpp.ir.dataflow.DefaultTaintTracking as IRDefaultTaintTracking
+import IRDefaultTaintTracking::TaintedWithPath as TaintedWithPath
 import TestUtilities.InlineExpectationsTest

-predicate isSink(Element sink) {
+predicate argToSinkCall(Element sink) {
  exists(FunctionCall call |
    call.getTarget().getName() = "sink" and
    sink = call.getAnArgument()
@@ -17,11 +18,15 @@ predicate isSink(Element sink) {
 }

 predicate astTaint(Expr source, Element sink) {
-  ASTTaintTracking::tainted(source, sink) and isSink(sink)
+  ASTTaintTracking::tainted(source, sink) and argToSinkCall(sink)
+}
+
+class SourceConfiguration extends TaintedWithPath::TaintTrackingConfiguration {
+  override predicate isSink(Element e) { argToSinkCall(e) }
 }

 predicate irTaint(Expr source, Element sink) {
-  IRDefaultTaintTracking::tainted(source, sink) and isSink(sink)
+  TaintedWithPath::taintedWithPath(source, sink, _, _)
 }

 class IRDefaultTaintTrackingTest extends InlineExpectationsTest {