From b4f6d519db08d7b1ff0c47e0dab5fceda1eb895a Mon Sep 17 00:00:00 2001
From: Jeroen Ketema
Date: Mon, 27 Feb 2023 17:22:12 +0100
Subject: [PATCH 1/2] C++: Use correct DataFlow import in new TaintTracking.qll

Using the IR version directly gives errors about conflicting imports if both DataFlow and TaintTracking are imported.
---
 cpp/ql/lib/semmle/code/cpp/dataflow/new/TaintTracking.qll | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/new/TaintTracking.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/new/TaintTracking.qll
index 8d8de8cc715..92b396e466d 100644
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/new/TaintTracking.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/new/TaintTracking.qll
@@ -15,8 +15,8 @@
  * `TaintTracking::localTaintStep` with arguments of type `DataFlow::Node`.
  */
 
-import semmle.code.cpp.ir.dataflow.DataFlow
-import semmle.code.cpp.ir.dataflow.DataFlow2
+import semmle.code.cpp.dataflow.new.DataFlow
+import semmle.code.cpp.dataflow.new.DataFlow2
 
 /**
  * Provides classes for performing local (intra-procedural) and

From a4c075f03b597ac262c53d4e2f03072dd8d8f908 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen
Date: Mon, 27 Feb 2023 16:25:32 +0000
Subject: [PATCH 2/2] C++: The data pointed to by 'gets' is also a source of user input.

---
 .../lib/semmle/code/cpp/models/implementations/Gets.qll | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/Gets.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/Gets.qll
index b89eb2c1f14..0a8d99c48a7 100644
--- a/cpp/ql/lib/semmle/code/cpp/models/implementations/Gets.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/Gets.qll
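Review bot: The conflicting-import error this hunk fixes — triggered when `semmle.code.cpp.dataflow.new.DataFlow` and `semmle.code.cpp.dataflow.new.TaintTracking` are both imported — is not pinned by anything in the patch, so a later edit could reintroduce the `semmle.code.cpp.ir.dataflow` path without any check failing. A minimal query under the `new` dataflow tests that imports both modules and merely compiles would catch a regression; I cannot tell from the diff whether such a test already exists. Nothing in the file's header comment (which starts above the hunk) records the reason either, so a short comment above the two imports would help the next maintainer, e.g. `// Import the new-API wrappers rather than semmle.code.cpp.ir.dataflow directly; importing the IR modules here conflicts when DataFlow and TaintTracking are both imported.`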
@@ -97,10 +97,11 @@ private class GetsFunction extends DataFlowFunction, ArrayFunction, AliasFunctio
   }
 
   override predicate hasLocalFlowSource(FunctionOutput output, string description) {
-    output.isParameterDeref(0) and
-    description = "string read by " + this.getName()
-    or
-    output.isReturnValue() and
+    (
+      output.isParameterDeref(0) or
+      output.isReturnValue() or
+      output.isReturnValueDeref()
+    ) and
     description = "string read by " + this.getName()
   }