C++: Add a MaD model for 'CAtlFileMappingBase' and mark reads as local flow sources.

2026-04-25 08:45:14 +02:00 · 2024-11-27 15:31:12 +00:00
parent ac0599cf75
commit 3709151353
4 changed files with 53 additions and 2 deletions
--- a/cpp/ql/lib/ext/CAtlFileMappingBase.model.yml
+++ b/cpp/ql/lib/ext/CAtlFileMappingBase.model.yml
@@ -0,0 +1,13 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: summaryModel
+    data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
+      - ["", "CAtlFileMappingBase", True, "CAtlFileMappingBase", "", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
+      - ["", "CAtlFileMappingBase", True, "CopyFrom", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["", "CAtlFileMappingBase", True, "GetData", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
+      - ["", "CAtlFileMappingBase", True, "GetHandle", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
+      - ["", "CAtlFileMappingBase", True, "MapFile", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
+      - ["", "CAtlFileMappingBase", True, "MapSharedMem", "", "", "Argument[*1]", "Argument[-1]", "taint", "manual"]
+      - ["", "CAtlFileMappingBase", True, "OpenMapping", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["", "CAtlFileMappingBase", True, "operator=", "", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
--- a/cpp/ql/lib/semmle/code/cpp/models/Models.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/Models.qll
@@ -54,3 +54,4 @@ private import implementations.CA2AEX
 private import implementations.CComBSTR
 private import implementations.CPathT
 private import implementations.CAtlFile
+private import implementations.CAtlFileMapping
--- a/cpp/ql/lib/semmle/code/cpp/models/implementations/CAtlFileMapping.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/CAtlFileMapping.qll
@@ -0,0 +1,37 @@
+import semmle.code.cpp.models.interfaces.FlowSource
+
+/**
+ * The `CAtlFileMapping` class from Microsoft's Active Template Library.
+ */
+class CAtlFileMapping extends Class {
+  CAtlFileMapping() { this.hasGlobalName("CAtlFileMapping") }
+}
+
+/**
+ * The `CAtlFileMappingBase` class from Microsoft's Active Template Library.
+ */
+class CAtlFileMappingBase extends Class {
+  CAtlFileMappingBase() { this.hasGlobalName("CAtlFileMappingBase") }
+}
+
+private class CAtlFileMappingBaseGetData extends MemberFunction, LocalFlowSourceFunction {
+  CAtlFileMappingBaseGetData() {
+    this.getClassAndName("GetData") = any(CAtlFileMappingBase fileMaping).getADerivedClass*()
+  }
+
+  override predicate hasLocalFlowSource(FunctionOutput output, string description) {
+    output.isReturnValueDeref(1) and
+    description = "data read by " + this.getName()
+  }
+}
+
+private class CAtlFileMappingGetData extends MemberFunction, LocalFlowSourceFunction {
+  CAtlFileMappingGetData() {
+    this.(ConversionOperator).getDeclaringType() instanceof CAtlFileMapping
+  }
+
+  override predicate hasLocalFlowSource(FunctionOutput output, string description) {
+    output.isReturnValueDeref(1) and
+    description = "data read by " + this.getName()
+  }
+}
--- a/cpp/ql/test/library-tests/dataflow/source-sink-tests/atl.cpp
+++ b/cpp/ql/test/library-tests/dataflow/source-sink-tests/atl.cpp
@@ -176,6 +176,6 @@ struct CAtlFileMapping : public CAtlFileMappingBase {
 };

 void test_CAtlFileMapping(CAtlFileMapping<char> mapping) {
-  char* data = static_cast<char*>(mapping); // $ MISSING: local_source
-  void* data2 = mapping.GetData(); // $ MISSING: local_source
+  char* data = static_cast<char*>(mapping); // $ local_source
+  void* data2 = mapping.GetData(); // $ local_source
 }