C++: model returns of strstr and strpbrk

2026-05-01 19:55:15 +02:00 · 2019-07-09 11:45:27 -07:00
parent 41e4d920e3
commit 3804c1fbcf
1 changed files with 50 additions and 3 deletions
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/Pure.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/Pure.qll
@@ -23,7 +23,6 @@ class PureStrFunction extends AliasFunction, ArrayFunction, TaintFunction,  Side
        or name = "strnlen"
        or name = "strrchr"
        or name = "strspn"
-        or name = "strstr"
        or name = "strtod"
        or name = "strtof"
        or name = "strtol"
@@ -38,6 +37,54 @@ class PureStrFunction extends AliasFunction, ArrayFunction, TaintFunction,  Side
    getParameter(bufParam).getUnspecifiedType() instanceof PointerType
  }
  
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    exists (ParameterIndex i |
+      input.isInParameter(i) or
+      (
+        input.isInParameterPointer(i) and
+        getParameter(i).getUnspecifiedType() instanceof PointerType
+      )
+    ) and
+    (
+      output.isOutReturnValue()
+    )
+  }
+
+  override predicate parameterNeverEscapes(int i) {
+    getParameter(i).getUnspecifiedType() instanceof PointerType
+  }
+
+  override predicate parameterEscapesOnlyViaReturn(int i) {
+    none()
+  }
+
+  override predicate parameterIsAlwaysReturned(int i) {
+    none()
+  }
+
+  override predicate neverReadsMemory() {
+    none()
+  }
+  
+  override predicate neverWritesMemory() {
+    any()
+  }
+}
+class PureReturningStrFunction extends AliasFunction, ArrayFunction, TaintFunction,  SideEffectFunction {
+  PureReturningStrFunction() {
+    exists(string name |
+      hasName(name) and
+      (
+        name = "strstr" or
+        name = "strpbrk"
+      )
+    )
+  }
+  
+  override predicate hasArrayInput(int bufParam) {
+    getParameter(bufParam).getUnspecifiedType() instanceof PointerType
+  }
+  
  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
    exists (ParameterIndex i |
      input.isInParameter(i) or
@@ -56,11 +103,11 @@ class PureStrFunction extends AliasFunction, ArrayFunction, TaintFunction,  Side
  }

  override predicate parameterNeverEscapes(int i) {
-    getParameter(i).getUnspecifiedType() instanceof PointerType
+    i = 1
  }

  override predicate parameterEscapesOnlyViaReturn(int i) {
-    none()
+    i = 0
  }

  override predicate parameterIsAlwaysReturned(int i) {