C++: Revise model of emplace and emplace_hint. Note that 2 of the 3 taint regressions we shouldn't be getting because we don't yet do taint through keys.

This commit is contained in:
Geoffrey White
2020-10-09 16:05:56 +01:00
parent 49c121d370
commit 270517d379
6 changed files with 9 additions and 42 deletions


@@ -60,10 +60,11 @@ class StdMapEmplace extends TaintFunction {
}
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
// flow from any parameter to qualifier and return value
// (here we assume taint flow from any constructor parameter to the constructed object)
// flow from the last parameter (which may be the value part used to
// construct a pair, or a pair to be copied / moved) to the qualifier and
// return value.
// (where the return value is a pair, this should really flow just to the first part of it)
input.isParameterDeref([0 .. getNumberOfParameters() - 1]) and
input.isParameterDeref(getNumberOfParameters() - 1) and
(
output.isQualifierObject() or
output.isReturnValue()
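Review bot: The new `input.isParameterDeref(getNumberOfParameters() - 1)` carries taint only from the last argument, so a call on an already-tainted map no longer taints the returned iterator or pair; the `m34.emplace_hint(m34.begin(), "abc", "def")` line marked `[NOT DETECTED]` in map.cpp (m34 already holds a `source()` value from the preceding emplace) looks like this gap rather than the missing key-taint support the commit message cites. Since both emplace and emplace_hint return a position into the container, consider adding a qualifier-to-return case next to the parameter case, e.g. `or (input.isQualifierObject() and output.isReturnValue())` — hedged, because the enclosing disjunction and the predicate's closing lines are outside the hunk. A one-line note above the parameter line such as `// taint through the key argument(s) is deliberately not modelled yet` would also record why the key cases in the test are expected to stay undetected.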


@@ -1111,16 +1111,12 @@
| map.cpp:233:7:233:9 | ref arg m24 | map.cpp:235:7:235:9 | m24 | |
| map.cpp:233:7:233:9 | ref arg m24 | map.cpp:236:7:236:9 | m24 | |
| map.cpp:233:7:233:9 | ref arg m24 | map.cpp:252:1:252:1 | m24 | |
| map.cpp:233:19:233:23 | abc | map.cpp:233:7:233:9 | ref arg m24 | TAINT |
| map.cpp:233:19:233:23 | abc | map.cpp:233:11:233:17 | call to emplace | TAINT |
| map.cpp:233:26:233:30 | def | map.cpp:233:7:233:9 | ref arg m24 | TAINT |
| map.cpp:233:26:233:30 | def | map.cpp:233:11:233:17 | call to emplace | TAINT |
| map.cpp:233:33:233:37 | first | map.cpp:233:7:233:37 | call to iterator | |
| map.cpp:234:7:234:9 | m24 | map.cpp:234:7:234:9 | call to map | |
| map.cpp:235:7:235:9 | ref arg m24 | map.cpp:236:7:236:9 | m24 | |
| map.cpp:235:7:235:9 | ref arg m24 | map.cpp:252:1:252:1 | m24 | |
| map.cpp:235:19:235:23 | abc | map.cpp:235:7:235:9 | ref arg m24 | TAINT |
| map.cpp:235:19:235:23 | abc | map.cpp:235:11:235:17 | call to emplace | TAINT |
| map.cpp:235:26:235:31 | call to source | map.cpp:235:7:235:9 | ref arg m24 | TAINT |
| map.cpp:235:26:235:31 | call to source | map.cpp:235:11:235:17 | call to emplace | TAINT |
| map.cpp:235:36:235:40 | first | map.cpp:235:7:235:40 | call to iterator | |
@@ -1137,11 +1133,7 @@
| map.cpp:237:24:237:26 | ref arg m25 | map.cpp:239:24:239:26 | m25 | |
| map.cpp:237:24:237:26 | ref arg m25 | map.cpp:240:7:240:9 | m25 | |
| map.cpp:237:24:237:26 | ref arg m25 | map.cpp:252:1:252:1 | m25 | |
| map.cpp:237:24:237:34 | call to iterator | map.cpp:237:7:237:9 | ref arg m25 | TAINT |
| map.cpp:237:24:237:34 | call to iterator | map.cpp:237:11:237:22 | call to emplace_hint | TAINT |
| map.cpp:237:28:237:32 | call to begin | map.cpp:237:24:237:34 | call to iterator | TAINT |
| map.cpp:237:37:237:41 | abc | map.cpp:237:7:237:9 | ref arg m25 | TAINT |
| map.cpp:237:37:237:41 | abc | map.cpp:237:11:237:22 | call to emplace_hint | TAINT |
| map.cpp:237:44:237:48 | def | map.cpp:237:7:237:9 | ref arg m25 | TAINT |
| map.cpp:237:44:237:48 | def | map.cpp:237:11:237:22 | call to emplace_hint | TAINT |
| map.cpp:238:7:238:9 | m25 | map.cpp:238:7:238:9 | call to map | |
@@ -1151,11 +1143,7 @@
| map.cpp:239:24:239:26 | ref arg m25 | map.cpp:239:7:239:9 | m25 | |
| map.cpp:239:24:239:26 | ref arg m25 | map.cpp:240:7:240:9 | m25 | |
| map.cpp:239:24:239:26 | ref arg m25 | map.cpp:252:1:252:1 | m25 | |
| map.cpp:239:24:239:34 | call to iterator | map.cpp:239:7:239:9 | ref arg m25 | TAINT |
| map.cpp:239:24:239:34 | call to iterator | map.cpp:239:11:239:22 | call to emplace_hint | TAINT |
| map.cpp:239:28:239:32 | call to begin | map.cpp:239:24:239:34 | call to iterator | TAINT |
| map.cpp:239:37:239:41 | abc | map.cpp:239:7:239:9 | ref arg m25 | TAINT |
| map.cpp:239:37:239:41 | abc | map.cpp:239:11:239:22 | call to emplace_hint | TAINT |
| map.cpp:239:44:239:49 | call to source | map.cpp:239:7:239:9 | ref arg m25 | TAINT |
| map.cpp:239:44:239:49 | call to source | map.cpp:239:11:239:22 | call to emplace_hint | TAINT |
| map.cpp:240:7:240:9 | m25 | map.cpp:240:7:240:9 | call to map | |
@@ -1755,16 +1743,12 @@
| map.cpp:382:7:382:9 | ref arg m24 | map.cpp:384:7:384:9 | m24 | |
| map.cpp:382:7:382:9 | ref arg m24 | map.cpp:385:7:385:9 | m24 | |
| map.cpp:382:7:382:9 | ref arg m24 | map.cpp:438:1:438:1 | m24 | |
| map.cpp:382:19:382:23 | abc | map.cpp:382:7:382:9 | ref arg m24 | TAINT |
| map.cpp:382:19:382:23 | abc | map.cpp:382:11:382:17 | call to emplace | TAINT |
| map.cpp:382:26:382:30 | def | map.cpp:382:7:382:9 | ref arg m24 | TAINT |
| map.cpp:382:26:382:30 | def | map.cpp:382:11:382:17 | call to emplace | TAINT |
| map.cpp:382:33:382:37 | first | map.cpp:382:7:382:37 | call to iterator | |
| map.cpp:383:7:383:9 | m24 | map.cpp:383:7:383:9 | call to unordered_map | |
| map.cpp:384:7:384:9 | ref arg m24 | map.cpp:385:7:385:9 | m24 | |
| map.cpp:384:7:384:9 | ref arg m24 | map.cpp:438:1:438:1 | m24 | |
| map.cpp:384:19:384:23 | abc | map.cpp:384:7:384:9 | ref arg m24 | TAINT |
| map.cpp:384:19:384:23 | abc | map.cpp:384:11:384:17 | call to emplace | TAINT |
| map.cpp:384:26:384:31 | call to source | map.cpp:384:7:384:9 | ref arg m24 | TAINT |
| map.cpp:384:26:384:31 | call to source | map.cpp:384:11:384:17 | call to emplace | TAINT |
| map.cpp:384:36:384:40 | first | map.cpp:384:7:384:40 | call to iterator | |
@@ -1781,11 +1765,7 @@
| map.cpp:386:24:386:26 | ref arg m25 | map.cpp:388:24:388:26 | m25 | |
| map.cpp:386:24:386:26 | ref arg m25 | map.cpp:389:7:389:9 | m25 | |
| map.cpp:386:24:386:26 | ref arg m25 | map.cpp:438:1:438:1 | m25 | |
| map.cpp:386:24:386:34 | call to iterator | map.cpp:386:7:386:9 | ref arg m25 | TAINT |
| map.cpp:386:24:386:34 | call to iterator | map.cpp:386:11:386:22 | call to emplace_hint | TAINT |
| map.cpp:386:28:386:32 | call to begin | map.cpp:386:24:386:34 | call to iterator | TAINT |
| map.cpp:386:37:386:41 | abc | map.cpp:386:7:386:9 | ref arg m25 | TAINT |
| map.cpp:386:37:386:41 | abc | map.cpp:386:11:386:22 | call to emplace_hint | TAINT |
| map.cpp:386:44:386:48 | def | map.cpp:386:7:386:9 | ref arg m25 | TAINT |
| map.cpp:386:44:386:48 | def | map.cpp:386:11:386:22 | call to emplace_hint | TAINT |
| map.cpp:387:7:387:9 | m25 | map.cpp:387:7:387:9 | call to unordered_map | |
@@ -1795,11 +1775,7 @@
| map.cpp:388:24:388:26 | ref arg m25 | map.cpp:388:7:388:9 | m25 | |
| map.cpp:388:24:388:26 | ref arg m25 | map.cpp:389:7:389:9 | m25 | |
| map.cpp:388:24:388:26 | ref arg m25 | map.cpp:438:1:438:1 | m25 | |
| map.cpp:388:24:388:34 | call to iterator | map.cpp:388:7:388:9 | ref arg m25 | TAINT |
| map.cpp:388:24:388:34 | call to iterator | map.cpp:388:11:388:22 | call to emplace_hint | TAINT |
| map.cpp:388:28:388:32 | call to begin | map.cpp:388:24:388:34 | call to iterator | TAINT |
| map.cpp:388:37:388:41 | abc | map.cpp:388:7:388:9 | ref arg m25 | TAINT |
| map.cpp:388:37:388:41 | abc | map.cpp:388:11:388:22 | call to emplace_hint | TAINT |
| map.cpp:388:44:388:49 | call to source | map.cpp:388:7:388:9 | ref arg m25 | TAINT |
| map.cpp:388:44:388:49 | call to source | map.cpp:388:11:388:22 | call to emplace_hint | TAINT |
| map.cpp:389:7:389:9 | m25 | map.cpp:389:7:389:9 | call to unordered_map | |
@@ -1973,8 +1949,6 @@
| map.cpp:424:37:424:39 | call to unordered_map | map.cpp:438:1:438:1 | m33 | |
| map.cpp:425:7:425:9 | ref arg m33 | map.cpp:426:7:426:9 | m33 | |
| map.cpp:425:7:425:9 | ref arg m33 | map.cpp:438:1:438:1 | m33 | |
| map.cpp:425:19:425:24 | call to source | map.cpp:425:7:425:9 | ref arg m33 | TAINT |
| map.cpp:425:19:425:24 | call to source | map.cpp:425:11:425:17 | call to emplace | TAINT |
| map.cpp:425:29:425:33 | def | map.cpp:425:7:425:9 | ref arg m33 | TAINT |
| map.cpp:425:29:425:33 | def | map.cpp:425:11:425:17 | call to emplace | TAINT |
| map.cpp:425:36:425:40 | first | map.cpp:425:7:425:40 | call to iterator | |
@@ -2015,13 +1989,11 @@
| map.cpp:433:24:433:26 | m34 | map.cpp:433:28:433:32 | call to begin | TAINT |
| map.cpp:433:24:433:26 | ref arg m34 | map.cpp:433:7:433:9 | m34 | |
| map.cpp:433:24:433:26 | ref arg m34 | map.cpp:438:1:438:1 | m34 | |
| map.cpp:433:24:433:34 | call to iterator | map.cpp:433:7:433:9 | ref arg m34 | TAINT |
| map.cpp:433:24:433:34 | call to iterator | map.cpp:433:11:433:22 | call to emplace_hint | TAINT |
| map.cpp:433:28:433:32 | call to begin | map.cpp:433:24:433:34 | call to iterator | TAINT |
| map.cpp:433:37:433:41 | abc | map.cpp:433:7:433:9 | ref arg m34 | TAINT |
| map.cpp:433:37:433:41 | abc | map.cpp:433:11:433:22 | call to emplace_hint | TAINT |
| map.cpp:433:44:433:48 | def | map.cpp:433:7:433:9 | ref arg m34 | TAINT |
| map.cpp:433:44:433:48 | def | map.cpp:433:11:433:22 | call to emplace_hint | TAINT |
| map.cpp:434:7:434:9 | m35 | map.cpp:434:7:434:9 | ref arg m35 | TAINT |
| map.cpp:434:7:434:9 | m35 | map.cpp:434:11:434:17 | call to emplace | TAINT |
| map.cpp:434:7:434:9 | ref arg m35 | map.cpp:435:7:435:9 | m35 | |
| map.cpp:434:7:434:9 | ref arg m35 | map.cpp:436:7:436:9 | m35 | |
| map.cpp:434:7:434:9 | ref arg m35 | map.cpp:437:7:437:9 | m35 | |


@@ -422,15 +422,15 @@ void test_unordered_map()
// additional emplace test cases
std::unordered_map<char *, char *> m33;
sink(m33.emplace(source(), "def").first); // tainted
sink(m33); // tainted
sink(m33.emplace(source(), "def").first); // tainted [NOT DETECTED]
sink(m33); // tainted [NOT DETECTED]
std::unordered_map<char *, char *> m34, m35;
sink(m34.emplace(std::pair<char *, char *>("abc", "def")).first);
sink(m34);
sink(m34.emplace(std::pair<char *, char *>("abc", source())).first); // tainted
sink(m34); // tainted
sink(m34.emplace_hint(m34.begin(), "abc", "def")); // tainted
sink(m34.emplace_hint(m34.begin(), "abc", "def")); // tainted [NOT DETECTED]
sink(m35.emplace().first);
sink(m35);
sink(m35.emplace(std::pair<char *, char *>(source(), "def")).first); // tainted [NOT DETECTED]
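Review bot: The three new `[NOT DETECTED]` annotations on the m33 and m34 lines give no reason, so a later reader cannot tell which are accepted model gaps and which are defects still to be fixed. Suggest `// tainted [NOT DETECTED] (taint through keys not yet modelled)` on the two m33 lines, and a separate explanation on the `m34.emplace_hint(m34.begin(), "abc", "def")` line, whose taint comes from the already-tainted m34 container rather than from a key argument. test_unordered_map continues outside the hunk.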


@@ -159,9 +159,7 @@
| map.cpp:419:7:419:41 | call to pair | map.cpp:419:33:419:38 | call to source |
| map.cpp:420:7:420:9 | call to unordered_map | map.cpp:419:33:419:38 | call to source |
| map.cpp:421:7:421:16 | call to pair | map.cpp:419:33:419:38 | call to source |
| map.cpp:426:7:426:9 | call to unordered_map | map.cpp:425:19:425:24 | call to source |
| map.cpp:432:7:432:9 | call to unordered_map | map.cpp:431:52:431:57 | call to source |
| map.cpp:433:11:433:22 | call to emplace_hint | map.cpp:431:52:431:57 | call to source |
| movableclass.cpp:44:8:44:9 | s1 | movableclass.cpp:39:21:39:26 | call to source |
| movableclass.cpp:45:8:45:9 | s2 | movableclass.cpp:40:23:40:28 | call to source |
| movableclass.cpp:46:8:46:9 | s3 | movableclass.cpp:42:8:42:13 | call to source |


@@ -128,8 +128,6 @@
| map.cpp:418:7:418:16 | map.cpp:416:30:416:35 | AST only |
| map.cpp:420:7:420:9 | map.cpp:419:33:419:38 | AST only |
| map.cpp:421:7:421:16 | map.cpp:419:33:419:38 | AST only |
| map.cpp:425:7:425:40 | map.cpp:425:19:425:24 | IR only |
| map.cpp:426:7:426:9 | map.cpp:425:19:425:24 | AST only |
| map.cpp:431:7:431:67 | map.cpp:431:52:431:57 | IR only |
| map.cpp:432:7:432:9 | map.cpp:431:52:431:57 | AST only |
| movableclass.cpp:65:11:65:11 | movableclass.cpp:65:13:65:18 | AST only |


@@ -125,9 +125,7 @@
| map.cpp:401:11:401:21 | call to try_emplace | map.cpp:401:43:401:48 | call to source |
| map.cpp:416:7:416:41 | call to pair | map.cpp:416:30:416:35 | call to source |
| map.cpp:419:7:419:41 | call to pair | map.cpp:419:33:419:38 | call to source |
| map.cpp:425:7:425:40 | call to iterator | map.cpp:425:19:425:24 | call to source |
| map.cpp:431:7:431:67 | call to iterator | map.cpp:431:52:431:57 | call to source |
| map.cpp:433:11:433:22 | call to emplace_hint | map.cpp:431:52:431:57 | call to source |
| movableclass.cpp:44:8:44:9 | s1 | movableclass.cpp:39:21:39:26 | call to source |
| movableclass.cpp:45:8:45:9 | s2 | movableclass.cpp:40:23:40:28 | call to source |
| movableclass.cpp:46:8:46:9 | s3 | movableclass.cpp:42:8:42:13 | call to source |