Merge branch 'main' into mad

2026-04-30 11:15:13 +02:00 · 2024-04-02 16:14:53 +01:00
parent fa26b55452 11acb499bb
commit 33164c8a43
1094 changed files with 83377 additions and 45282 deletions
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -6676,6 +6676,7 @@ WARNING: Module TaintTracking has been deprecated and may be removed in future (
 | taint.cpp:757:7:757:10 | path | taint.cpp:759:8:759:11 | path |  |
 | taint.cpp:758:21:758:24 | ref arg path | taint.cpp:759:8:759:11 | path |  |
 | taint.cpp:759:8:759:11 | path | taint.cpp:759:7:759:11 | * ... |  |
+| taint.cpp:769:37:769:42 | call to source | taint.cpp:770:7:770:9 | obj |  |
 | vector.cpp:16:43:16:49 | source1 | vector.cpp:17:26:17:32 | source1 |  |
 | vector.cpp:16:43:16:49 | source1 | vector.cpp:31:38:31:44 | source1 |  |
 | vector.cpp:17:21:17:33 | call to vector | vector.cpp:19:14:19:14 | v |  |
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp
@@ -757,4 +757,15 @@ void test_call_sprintf() {
 	char path[10];
 	call_sprintf_twice(path, indirect_source());
 	sink(*path); // $ ast,ir
+}
+
+struct TaintInheritingContentObject {
+	int flowFromObject;
+};
+
+TaintInheritingContentObject source(bool);
+
+void test_TaintInheritingContent() {
+	TaintInheritingContentObject obj = source(true);
+	sink(obj.flowFromObject); // $ ir MISSING: ast
 }
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.ql
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.ql
@@ -76,6 +76,24 @@ module AstTest {
 module IRTest {
  private import semmle.code.cpp.ir.IR
  private import semmle.code.cpp.ir.dataflow.TaintTracking
+  private import semmle.code.cpp.ir.dataflow.FlowSteps
+
+  /**
+   * Object->field flow when the object is of type
+   * TaintInheritingContentObject and the field is named
+   * flowFromObject
+   */
+  class TaintInheritingContentTest extends TaintInheritingContent, DataFlow::FieldContent {
+    TaintInheritingContentTest() {
+      exists(Struct o, Field f |
+        this.getField() = f and
+        f = o.getAField() and
+        o.hasGlobalName("TaintInheritingContentObject") and
+        f.hasName("flowFromObject") and
+        this.getIndirectionIndex() = 1
+      )
+    }
+  }

  /** Common data flow configuration to be used by tests. */
  module TestAllocationConfig implements DataFlow::ConfigSig {